PKCS#1 v1.5 decoding: fix empty payload case

2024-11-22 17:05:36 +01:00 · 2018-10-05 18:11:27 +02:00 · 2018-10-05 18:11:27 +02:00 · ec2a5fdee1
commit ec2a5fdee1
parent c5ccd7a1e7
1 changed files with 7 additions and 6 deletions
--- a/library/rsa.c
+++ b/library/rsa.c
@ -1522,9 +1522,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
         * where PS must be at least 8 nonzero bytes. */
        bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;

-        /* Get padding len, but always read till end of buffer
-         * (minus one, for the 00 byte) */
-        for( i = 2; i < ilen - 1; i++ )
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count. */
+        for( i = 2; i < ilen; i++ )
        {
            pad_done  |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
            pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
@ -1536,9 +1536,10 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
         * where PS must be at least 8 bytes with the value 0xFF. */
        bad |= buf[1] ^ MBEDTLS_RSA_SIGN;

-        /* Get padding len, but always read till end of buffer
-         * (minus one, for the 00 byte) */
-        for( i = 2; i < ilen - 1; i++ )
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count.
+         * If there's a non-0xff byte in the padding, the padding is bad. */
+        for( i = 2; i < ilen; i++ )
        {
            pad_done |= if_int( buf[i], 0, 1 );
            pad_count += if_int( pad_done, 0, 1 );