Open yahyazadeh opened 3 years ago
Hi Daniel,
Thank you for the notification!
I think commit 1c9ea9ed6a5f4fef648eb8700f2924bb21ad10c2 fixes this and enforces the hash length better.
PS: This is old code implementing an old standard that I particularly dislike and can't find the time to rewrite in a better way. I'm strongly considering just removing it altogether if no one speaks up. :)
Hi,
After testing your implementation of PKCS#1 v1.5 Signature Verification, I noticed it fails to check that end of padding is actually 0x00 and it can take any arbitrary value. I think the issue exists because in pkcs1_pad(), line 356, after peeling off the padding bytes (0xFF...FF), the end of padding here can be any arbitrary byte to get us out of the loop. No signature forgery, just a minor leniency.
--Daniel
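The leniency reported above, shown beside a strict check, as an added example that is not part of the thread and not the project's code. The function names `unpad_lenient` and `unpad_strict` and the sample blocks are hypothetical; the strict version also enforces the 8-byte minimum padding length from RFC 8017.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Lenient (hypothetical reconstruction of the reported behaviour): skip 0xFF
 * bytes, then accept whatever byte ended the loop as the separator. */
static int unpad_lenient(const uint8_t *em, size_t len, size_t *off)
{
    size_t i = 2;
    if (len < 11 || em[0] != 0x00 || em[1] != 0x01)
        return -1;
    while (i < len && em[i] == 0xFF)
        i++;
    if (i >= len)
        return -1;
    *off = i + 1;                      /* separator value never inspected */
    return 0;
}

/* Strict: 00 01 | PS (>= 8 bytes of FF) | 00 | payload, per RFC 8017 9.2. */
static int unpad_strict(const uint8_t *em, size_t len, size_t *off)
{
    size_t i = 2;
    if (len < 11 || em[0] != 0x00 || em[1] != 0x01)
        return -1;
    while (i < len && em[i] == 0xFF)
        i++;
    if (i - 2 < 8)                     /* padding string too short */
        return -1;
    if (i >= len || em[i] != 0x00)     /* end of padding must be exactly 0x00 */
        return -1;
    *off = i + 1;
    return 0;
}

/* Constructed 16-byte blocks, not real signatures; payload is AA BB CC DD. */
static const uint8_t em_good[16] = {0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
                                    0xFF, 0xFF, 0xFF, 0x00, 0xAA, 0xBB, 0xCC, 0xDD};
static const uint8_t em_bad[16]  = {0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
                                    0xFF, 0xFF, 0xFF, 0x42, 0xAA, 0xBB, 0xCC, 0xDD};

int main(void)
{
    size_t off = 0;
    printf("good: lenient=%d strict=%d\n", unpad_lenient(em_good, 16, &off), unpad_strict(em_good, 16, &off));
    printf("bad:  lenient=%d strict=%d\n", unpad_lenient(em_bad, 16, &off), unpad_strict(em_bad, 16, &off));
    return 0;
}
```

A verifier that rebuilds the expected encoded block and compares it byte for byte with the recovered one avoids parsing the padding at all.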