[Skiboot] [PATCH v2 5/5] secvar/pkcs7: fix a wrong sizeof()

Nick Child nnac123 at gmail.com
Wed Jul 21 05:43:35 AEST 2021


On Mon, Jun 21, 2021 at 9:31 PM Nayna <nayna at linux.vnet.ibm.com> wrote:
>
>
> On 6/21/21 4:26 AM, Daniel Axtens wrote:
> > This code isn't directly used by skiboot, but it is wrong and potentially
> > insecure so I'm fixing it in case it's used in the future.
> >
> > Pass in 0 instead. That tells mbedtls to work out the length based on the
> > hash type. We allocated enough memory for whatever hash type the PKCS#7
> > message declared so this will be safe.
> > ---
> >   libstb/crypto/pkcs7/pkcs7.c | 2 +-
> > -    ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, sizeof(hash),
> > +    ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, 0,
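
Review bot: in the mbedtls_pk_verify() call, the literal 0 passed as the hash length makes the verification depend on mbedtls deriving the length from md_alg, and nothing in this hunk shows that the buffer behind hash is at least that long. Consider passing the explicit digest size for md_alg so the length that is checked is the length that was allocated, or add a comment at the call site stating why 0 is safe here.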
>
> Just like the other functions, why don't we also pass hashlen here, which can
> be calculated by mbedtls_md_get_size( md_info )?
>

I agree with Nayna. The way mbedtls is allowing hashlen to be 0 will
likely change in the future. It seems the maintainers are starting to
prefer their users to know the lengths of the hashes. For example,
https://github.com/ARMmbed/mbedtls/pull/4665#discussion_r652142328 .
It might just be easier in the long run to give the correct hash length.

Best,
Nick Child

