Skip to content
Snippets Groups Projects
Commit 32ad12b4 authored by Lionel Debieve's avatar Lionel Debieve Committed by Sebastien PASDELOUP
Browse files

fix(stm32mp1): fix missing padding to verify signature


ECDSA signatures can not guarantee the exact 32 bits that must
be given to the hardware. We must check the ASN1 sequence and
adapt the R,S tuple to manage a proper 2 * 32 bytes whatever
the certificate content.

Signed-off-by: default avatarLionel Debieve <lionel.debieve@foss.st.com>
Change-Id: I456c32aa1d081562c2787866894f3be3b6f8cb9d
Reviewed-on: https://gerrit.st.com/c/mpu/oe/st/tf-a/+/252923


Reviewed-by: default avatarCITOOLS <MDG-smet-aci-reviews@list.st.com>
parent d0b16fe1
No related branches found
No related tags found
1 merge request!2Integrate changes of v2.4-stm32mp-r2.1 version from ST
...@@ -288,11 +288,14 @@ static int crypto_verify_signature(void *data_ptr, unsigned int data_len, ...@@ -288,11 +288,14 @@ static int crypto_verify_signature(void *data_ptr, unsigned int data_len,
int ret; int ret;
size_t len; size_t len;
mbedtls_asn1_sequence seq; mbedtls_asn1_sequence seq;
mbedtls_asn1_sequence *cur;
unsigned char *p, *end; unsigned char *p, *end;
int curve_id; int curve_id;
mbedtls_asn1_buf sig_oid, sig_params; mbedtls_asn1_buf sig_oid, sig_params;
mbedtls_md_type_t md_alg; mbedtls_md_type_t md_alg;
mbedtls_pk_type_t pk_alg; mbedtls_pk_type_t pk_alg;
size_t bignum_len = sizeof(sig) / 2U;
unsigned int seq_num = 0U;
/* Get pointers to signature OID and parameters */ /* Get pointers to signature OID and parameters */
p = (unsigned char *)sig_alg; p = (unsigned char *)sig_alg;
...@@ -350,7 +353,7 @@ static int crypto_verify_signature(void *data_ptr, unsigned int data_len, ...@@ -350,7 +353,7 @@ static int crypto_verify_signature(void *data_ptr, unsigned int data_len,
/* We expect only 2 integers (r and s) from the sequence */ /* We expect only 2 integers (r and s) from the sequence */
if (seq.next->next != NULL) { if (seq.next->next != NULL) {
mbedtls_asn1_sequence *cur = seq.next; cur = seq.next;
mbedtls_asn1_sequence *next; mbedtls_asn1_sequence *next;
VERBOSE("%s: nb seq != 2\n", __func__); VERBOSE("%s: nb seq != 2\n", __func__);
...@@ -364,14 +367,37 @@ static int crypto_verify_signature(void *data_ptr, unsigned int data_len, ...@@ -364,14 +367,37 @@ static int crypto_verify_signature(void *data_ptr, unsigned int data_len,
return CRYPTO_ERR_SIGNATURE; return CRYPTO_ERR_SIGNATURE;
} }
/* Integer sequence may (sometime) start with 0x00 as MSB, but we can only /*
* manage exactly 2*32 bytes, we remove this higher byte * ECDSA signatures are composed of a tuple (R,S) where R and S are between 0 and n.
* if there are not 00, we will fail either. * This means that the R and S can have a maximum of 32 each, but can also be smaller.
* Also seen the integer sequence may (sometime) start with 0x00 as MSB, but we can only
* manage exactly 2*32 bytes, we remove this higher byte if there are not 00,
* we will fail either.
*/ */
memcpy(sig, seq.buf.p + seq.buf.len - sizeof(sig) / 2U, sizeof(sig) / 2U); cur = &seq;
memcpy(sig + sizeof(sig) / 2U, memset(sig, 0U, sizeof(sig));
seq.next->buf.p + seq.next->buf.len - sizeof(sig) / 2U,
sizeof(sig) / 2U); while (cur != NULL) {
size_t skip = 0U;
size_t seek = seq_num * bignum_len;
if (cur->buf.len > bignum_len) {
/* Remove extra 0x00 bytes */
skip = cur->buf.len - bignum_len;
} else if (cur->buf.len < bignum_len) {
/* Add padding to match HW required size */
seek += (bignum_len % cur->buf.len);
}
if (seek + cur->buf.len > sizeof(sig) + skip) {
panic();
}
memcpy(sig + seek, cur->buf.p + skip, cur->buf.len - skip);
cur = cur->next;
seq_num++;
}
/* Need to free allocated 'next' in mbedtls_asn1_get_sequence_of */ /* Need to free allocated 'next' in mbedtls_asn1_get_sequence_of */
mbedtls_free(seq.next); mbedtls_free(seq.next);
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment