author | Jens Wiklander <jens.wiklander@linaro.org> | 2020-09-09 16:05:17 +0200 |
---|---|---|
committer | Jérôme Forissier <jerome@forissier.org> | 2020-10-01 14:51:18 +0200 |
commit | 68c68bce76a64a07ba92ec4eecb9f8df24671bac (patch) | |
tree | e08f40298c61d2ad10d4441583b7158b14770d34 /core/tee/tee_svc_cryp.c | |
parent | b9416909794c36c55f30037dafae0e8a8e780599 (diff) |
core: syscall_asymm_verify(): accurate DSA parameter check
A comment in syscall_asymm_verify() reads:
"Depending on the DSA algorithm (NIST), the digital signature output
size may be truncated to the size of a key pair (Q prime size). Q prime
size must be less or equal than the hash output length of the hash
algorithm involved."
Instead of just assuming that Q size is small when data length is
smaller than the hash, check that it's the case also. Don't allow data
length smaller than both hash size and Q size.
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Diffstat (limited to 'core/tee/tee_svc_cryp.c')
-rw-r--r-- | core/tee/tee_svc_cryp.c | 41 |
1 files changed, 32 insertions, 9 deletions
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c index c97b41fc..52d6c780 100644 --- a/core/tee/tee_svc_cryp.c +++ b/core/tee/tee_svc_cryp.c @@ -3873,15 +3873,38 @@ TEE_Result syscall_asymm_verify(unsigned long state, res = tee_alg_get_digest_size(hash_algo, &hash_size); if (res != TEE_SUCCESS) break; - /* - * Depending on the DSA algorithm (NIST), the digital signature - * output size may be truncated to the size of a key pair - * (Q prime size). Q prime size must be less or equal than the - * hash output length of the hash algorithm involved. - */ - if (data_len > hash_size) { - res = TEE_ERROR_BAD_PARAMETERS; - break; + + if (data_len != hash_size) { + struct dsa_public_key *key = o->attr; + + /* + * Depending on the DSA algorithm (NIST), the + * digital signature output size may be truncated + * to the size of a key pair (Q prime size). Q + * prime size must be less or equal than the hash + * output length of the hash algorithm involved. + * + * We're checking here in order to be able to + * return this particular error code, which will + * cause TEE_AsymmetricVerifyDigest() to panic as + * required by GP. crypto_acipher_dsa_verify() is + * implemented in the glue layer of the crypto + * library and it might be a bit harder to catch + * this particular case there or lead to duplicated + * code in different crypto glue layers. + * + * The GP spec says that we SHOULD panic if + * data_len != hash_size, but that would break a + * few of the DSA tests in xtest where the + * hash_size is larger than possible data_len. So + * the compromise is in case data_len != hash_size + * check that it's not smaller than what makes + * sense. + */ + if (data_len != crypto_bignum_num_bytes(key->q)) { + res = TEE_ERROR_BAD_PARAMETERS; + break; + } } res = crypto_acipher_dsa_verify(cs->algo, o->attr, data, data_len, sig, sig_len); |
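Review bot: The new inner test `if (data_len != crypto_bignum_num_bytes(key->q))` only compares data_len with the Q size, so a data_len larger than hash_size is now accepted whenever it equals the byte length of Q, a case the removed `if (data_len > hash_size)` rejected. The comment states that the Q prime size must be less than or equal to the hash output length, and the commit message says that assumption should be checked, yet nothing in the hunk compares the Q size with hash_size. Consider also requiring `crypto_bignum_num_bytes(key->q) <= hash_size` before the equality test, or keeping the `data_len > hash_size` rejection alongside it. The comment's closing words, "check that it's not smaller than what makes sense", describe a lower bound while the code enforces exact equality with the Q size, so the comment should be brought in line with the condition.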