[Skiboot] [PATCH v2 5/5] secvar/pkcs7: fix a wrong sizeof()
nnac123 at gmail.com
Wed Jul 21 05:43:35 AEST 2021
On Mon, Jun 21, 2021 at 9:31 PM Nayna <nayna at linux.vnet.ibm.com> wrote:
> On 6/21/21 4:26 AM, Daniel Axtens wrote:
> > This code isn't directly used by skiboot, but it is wrong and potentially
> > insecure so I'm fixing it in case it's used in the future.
> > Pass in 0 instead. That tells mbedtls to work out the length based on the
> > hash type. We allocated enough memory for whatever hash type the PKCS#7
> > message declared so this will be safe.
> > ---
> > libstb/crypto/pkcs7/pkcs7.c | 2 +-
> > - ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, sizeof(hash),
> > + ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, 0,
> Just like other function why do not we pass here also hashlen which can
> be calculated by mbedtls_md_get_size( md_info ) ?
I agree with Nayna. The way mbedlts is allowing hashlen to be 0 will
likely change in the future. It seems the maintainers are starting to
prefer their users to know the lengths of the hashes. For example,
It might just be easier in the long run to give the correct hash length.
More information about the Skiboot