From ef12c63de0611099b7fe70e564c6806289a27523 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 13 Sep 2018 20:37:48 +0200
Subject: [PATCH] RSA verification: don't report an invalid padding error

Mbed TLS distinguishes "invalid padding" from "valid padding but the rest of the signature is invalid". This has little use in practice and PSA doesn't report this distinction. We just report "invalid signature".
---
 library/psa_crypto.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 8aa3145bd..0100441ac 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1959,6 +1959,12 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa,
 {
 return( PSA_ERROR_INVALID_ARGUMENT );
 }
+
+ /* Mbed TLS distinguishes "invalid padding" from "valid padding but
+ * the rest of the signature is invalid". This has little use in
+ * practice and PSA doesn't report this distinction. */
+ if( ret == MBEDTLS_ERR_RSA_INVALID_PADDING )
+ return( PSA_ERROR_INVALID_SIGNATURE );
 return( mbedtls_to_psa_error( ret ) );
 }
 #endif /* MBEDTLS_RSA_C */
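Review bot: The added `if( ret == MBEDTLS_ERR_RSA_INVALID_PADDING )` has no braces, while the branch directly above it in the same hunk braces a single `return`; matching that style keeps a later edit from detaching the status mapping from its condition: `if( ret == MBEDTLS_ERR_RSA_INVALID_PADDING ) { return( PSA_ERROR_INVALID_SIGNATURE ); }`. The diffstat lists only library/psa_crypto.c, so nothing in this patch pins the new behaviour. A test that passes a signature with malformed padding and expects PSA_ERROR_INVALID_SIGNATURE would keep the two failure modes indistinguishable to callers if the error translation changes later. The body of psa_rsa_verify starts outside the hunk, so how `ret` is assigned on each padding-mode path cannot be checked from here.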