On 27/02/2014 12:40, steffan.kar...@fox-it.com wrote:
> Hi,
>
> The attached patches add support for PolarSSL 1.3. These patches are for
> master only, as they drop support for PolarSSL 1.2. Supporting both versions
> would require a lot of #ifdef's, so I opted for dropping 1.2.
>
> Along with PolarSSL 1.3 comes support for AES-NI and elliptic curve crypto.
> PolarSSL requires no specific initialization for EC crypto; everything just
> works out-of-the-box.

Just tested this on server side -- works great so far.
But I scanned the patch and noticed this:
sig_len = ctx->signature_length;
if ( (SIZE_MAX - hashlen) > asn_len || (hashlen + asn_len) > sig_len )
return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
I'm not sure I understand the (SIZE_MAX - hashlen) > asn_len part.
Wouldn't this always be true for reasonable values of hashlen and asn_len?
And the *p++ lines below, I assume that the buffer's size is
ctx->signature_length? Maybe add some comments about buffer-sizing
assumptions?
James
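
Added example, not part of the original mail or of the patch: the quoted condition run next to the conventional overflow-safe form of the same length check, on constructed sizes. The function names and the writer helper are hypothetical; out_len stands in for ctx->signature_length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The condition exactly as quoted in the mail; true means "reject input". */
static bool reject_as_quoted(size_t hashlen, size_t asn_len, size_t sig_len)
{
    return (SIZE_MAX - hashlen) > asn_len || (hashlen + asn_len) > sig_len;
}

/* Conventional form: reject only if the sum would wrap or does not fit. */
static bool reject_overflow_safe(size_t hashlen, size_t asn_len, size_t sig_len)
{
    if (asn_len > SIZE_MAX - hashlen)   /* hashlen + asn_len would wrap */
        return true;
    return hashlen + asn_len > sig_len;
}

/* Hypothetical writer: out must hold out_len bytes (the role of
 * ctx->signature_length in the mail). Returns bytes written, 0 on reject. */
static size_t write_prefix_and_hash(uint8_t *out, size_t out_len,
                                    const uint8_t *asn, size_t asn_len,
                                    const uint8_t *hash, size_t hashlen)
{
    if (reject_overflow_safe(hashlen, asn_len, out_len))
        return 0;
    memcpy(out, asn, asn_len);
    memcpy(out + asn_len, hash, hashlen);
    return asn_len + hashlen;
}

int main(void)
{
    /* Constructed sizes: 32-byte hash, 19-byte ASN.1 prefix, 256-byte buffer. */
    printf("quoted, normal sizes:   reject=%d\n", reject_as_quoted(32, 19, 256));
    printf("safe,   normal sizes:   reject=%d\n", reject_overflow_safe(32, 19, 256));
    /* Constructed wrapping pair: SIZE_MAX + 2 wraps around to 1. */
    printf("quoted, wrapping sizes: reject=%d\n", reject_as_quoted(SIZE_MAX, 2, 256));
    printf("safe,   wrapping sizes: reject=%d\n", reject_overflow_safe(SIZE_MAX, 2, 256));
    return 0;
}
```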