From: Daniel Axtens
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Tue, 25 May 2021 13:34:25 +1000
Message-Id: <20210525033425.972519-4-dja@axtens.net>
In-Reply-To: <20210525033425.972519-1-dja@axtens.net>
Subject: [Skiboot] [PATCH 3/3] secvar/pkcs7: fix a wrong sizeof()

This code isn't directly used by skiboot, but it is wrong and potentially insecure so I'm fixing it in case it's used in the future.

We pass sizeof(hash) into mbedtls_pk_verify(). However, hash is a pointer, not an array, so rather than passing the length of the hash to verify we'll pass in 8, and only compare the first 8 bytes of the hash rather than all 32.

Pass in 0 instead. That tells mbedtls to work out the length based on the hash type. We allocated enough memory for whatever hash type the PKCS#7 message declared so this will be safe.

Signed-off-by: Daniel Axtens
---
 libstb/crypto/pkcs7/pkcs7.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libstb/crypto/pkcs7/pkcs7.c b/libstb/crypto/pkcs7/pkcs7.c index 4407e201a4cc..3f41ba7acb2e 100644 --- a/libstb/crypto/pkcs7/pkcs7.c +++ b/libstb/crypto/pkcs7/pkcs7.c @@ -538,7 +538,7 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, mbedtls_md( md_info, data, datalen, hash ); - ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, sizeof(hash), + ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, 0, pkcs7->signed_data.signers.sig.p, pkcs7->signed_data.signers.sig.len );
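
Review bot: the context line `mbedtls_md( md_info, data, datalen, hash );` just above the changed call discards its return value, so a failed digest computation still hands whatever is in `hash` to `mbedtls_pk_verify()`; capture the result and return on error before verifying. On the changed line itself, a bare `0` is easy to misread as an empty hash: either add a short comment saying that 0 means the length is derived from `md_alg`, or pass `mbedtls_md_get_size( md_info )` so the length is tied to the same `md_info` that produced the digest.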
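
The length mismatch described in the commit message, reduced to a stand-alone C program. This is an added example, not skiboot or mbedtls code: `toy_verify()` and `tampered_digest_accepted()` are hypothetical names, and the verifier is assumed to compare exactly as many bytes as the caller passes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIGEST_LEN 32 /* SHA-256, the 32-byte case from the commit message */

/* Hypothetical verifier that trusts the caller's length (not an mbedtls call):
 * returns 0 when the first hash_len bytes of both digests match. */
static int toy_verify(const uint8_t *expected, const uint8_t *hash, size_t hash_len)
{
    return memcmp(expected, hash, hash_len) == 0 ? 0 : -1;
}

/* Returns 1 if a digest that differs only in its last byte is accepted,
 * 0 if it is rejected, -1 on allocation failure.
 * use_sizeof selects the 'before' call shape, where hash is a pointer. */
static int tampered_digest_accepted(int use_sizeof)
{
    uint8_t expected[DIGEST_LEN];
    uint8_t *hash = malloc(DIGEST_LEN); /* allocated buffer, so hash is a pointer */
    size_t len;
    int ret;

    if (hash == NULL)
        return -1;
    for (int i = 0; i < DIGEST_LEN; i++)
        expected[i] = hash[i] = (uint8_t)i; /* constructed sample digest */
    hash[DIGEST_LEN - 1] ^= 0xff;           /* tamper outside the first 8 bytes */

    /* sizeof(hash) is sizeof(uint8_t *): 8 on a 64-bit target, never 32 */
    len = use_sizeof ? sizeof(hash) : DIGEST_LEN;
    ret = toy_verify(expected, hash, len);
    free(hash);
    return ret == 0;
}

int main(void)
{
    printf("sizeof(pointer) length: accepted=%d\n", tampered_digest_accepted(1));
    printf("full digest length:     accepted=%d\n", tampered_digest_accepted(0));
    return 0;
}
```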