[Skiboot] [PATCH v2 4/5] secvar/backend: redo hash algorithm handling for auth structures
Vasant Hegde
hegdevasant at linux.vnet.ibm.com
Tue Jul 20 19:04:53 AEST 2021
On 6/22/21 6:59 AM, Nayna wrote:
>
> On 6/21/21 4:26 AM, Daniel Axtens wrote:
>> We only handle sha256 hashes in auth structures.
>>
>> In the process of verifying an auth structure, we extract the pkcs7
>> message and we calculate the hopefully-matching hash, which is
>> sha256(name || vendor guid || attributes || timestamp || newcontent)
>> We then verify that the PKCS#7 signature matches that calculated hash.
>>
>> However, at no point do we check that the PKCS#7 hash algorithm is
>> sha256. So if the PKCS#7 message says that it is a signature on a sha512,
>> mbedtls will compare 64 bytes of hash from the signature with 64 bytes
>> from our hash, resulting - if I've got the mbedtls flow correct - in a
>> 32 byte overread.
>
>
.../...
>>
>> [If we ever use a version of mbedtls that supports multiple digests
>> then we should of course review this code again.
>> Arguably multiple digests are also going to need an mbedtls API change,
>> it's difficult to figure out how a hash length value of 0 could be safe.]
>
> I would go with assuming only single signer support now. Multiple signers
> support might need not only hash handling but some other changes also in pkcs7
> code.
>
> Nick and I are going to test the patches.
Did you guys test this series? Any update?
-Vasant
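An added example, not skiboot's code and not part of the patch under discussion: a small C check that does what the quoted commit message describes. Before the hash carried in the PKCS#7 signature is compared with the sha256 we computed over name || vendor guid || attributes || timestamp || newcontent, it parses the DER AlgorithmIdentifier for the digest, refuses anything other than SHA-256, and requires both buffers to be exactly 32 bytes, so a signature declaring sha512 is rejected instead of driving a 64-byte compare against a 32-byte buffer. The sample AlgorithmIdentifiers, the function names and the zeroed stand-in hash are constructed for illustration.

```c
/* Added example (not skiboot code): refuse a PKCS#7 digest algorithm that
 * does not match the SHA-256 hash we computed, before any byte comparison.
 * Uses only the C standard library; names and samples are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* OBJECT IDENTIFIER contents (no tag/length) for id-sha256
 * 2.16.840.1.101.3.4.2.1 and id-sha512 2.16.840.1.101.3.4.2.3. */
static const uint8_t OID_SHA256[] = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};
static const uint8_t OID_SHA512[] = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03};

enum md_type { MD_UNKNOWN = 0, MD_SHA256, MD_SHA512 };

/* Digest length in bytes for a known algorithm, 0 if unknown. */
static size_t md_len(enum md_type t)
{
	switch (t) {
	case MD_SHA256: return 32;
	case MD_SHA512: return 64;
	default:        return 0;
	}
}

/* Parse AlgorithmIdentifier ::= SEQUENCE { algorithm OID, params OPTIONAL }.
 * Only short-form DER lengths (< 128) are handled, which covers these OIDs.
 * Returns 0 on a well-formed structure, -1 on truncation or bad tags. */
static int parse_alg_id(const uint8_t *buf, size_t len, enum md_type *out)
{
	if (len < 4 || buf[0] != 0x30)                 /* SEQUENCE tag */
		return -1;
	size_t seq_len = buf[1];
	if (seq_len >= 0x80 || seq_len + 2 > len)
		return -1;
	if (buf[2] != 0x06)                            /* OID tag */
		return -1;
	size_t oid_len = buf[3];
	if (oid_len >= 0x80 || 4 + oid_len > 2 + seq_len)
		return -1;
	const uint8_t *oid = buf + 4;
	if (oid_len == sizeof OID_SHA256 && memcmp(oid, OID_SHA256, oid_len) == 0)
		*out = MD_SHA256;
	else if (oid_len == sizeof OID_SHA512 && memcmp(oid, OID_SHA512, oid_len) == 0)
		*out = MD_SHA512;
	else
		*out = MD_UNKNOWN;
	return 0;
}

/* The check the commit message asks for: the signature's declared digest
 * algorithm must be SHA-256 and its length must equal the length of the
 * hash we computed. Returns 0 when a byte comparison is safe, -1 otherwise. */
static int check_hash_alg(const uint8_t *alg_id, size_t alg_len, size_t our_hash_len)
{
	enum md_type t;
	if (parse_alg_id(alg_id, alg_len, &t) != 0)
		return -1;
	if (t != MD_SHA256)                /* only sha256 auth structures supported */
		return -1;
	if (md_len(t) != our_hash_len)     /* never compare more bytes than we have */
		return -1;
	return 0;
}

/* Constant-time comparison that never reads past either buffer. */
static int hash_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
	if (alen != blen)
		return 0;
	uint8_t diff = 0;
	for (size_t i = 0; i < alen; i++)
		diff |= a[i] ^ b[i];
	return diff == 0;
}

/* Constructed sample AlgorithmIdentifiers (SEQUENCE { OID, NULL }), not taken
 * from a real authenticated variable. */
static const uint8_t ALG_SHA256[] = {0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,
                                     0x03,0x04,0x02,0x01,0x05,0x00};
static const uint8_t ALG_SHA512[] = {0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,
                                     0x03,0x04,0x02,0x03,0x05,0x00};

int main(void)
{
	uint8_t ours[32] = {0}; /* stand-in for sha256(name||guid||attrs||ts||data) */
	printf("sha256 alg id: %s\n",
	       check_hash_alg(ALG_SHA256, sizeof ALG_SHA256, sizeof ours) == 0 ? "ok" : "rejected");
	printf("sha512 alg id: %s\n",
	       check_hash_alg(ALG_SHA512, sizeof ALG_SHA512, sizeof ours) == 0 ? "ok" : "rejected");
	return 0;
}
```

The order matters: the algorithm and length check runs before the comparison, and the comparison itself takes both lengths, so neither a mismatched digest algorithm nor a malformed AlgorithmIdentifier can make the code read beyond the 32-byte hash it owns.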