fix(mbedtls): sign verification issue with invalid Key/Signature

When the verify_signature function is called with the RSASSA_PSS
signature algorithm and a somewhat well-formed public key, invalid
signatures can be incorrectly verified due to this change [1].
This is primarily because of the introduction of the following code,
where a return check is missing before the goto:

  if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
     rc = pk_bytes_from_subpubkey((unsigned char **) &pk_ptr, &pk_len);
     goto end2;
  }

This code executes before the call to psa_verify_message. The
unconditional goto end2; branch leads to the immediate return of rc.
If the call to pk_bytes_from_subpubkey succeeds (i.e., the key is
formatted correctly), the signature is verified regardless of its
actual content.

This change [1] was included in the v2.11 release. Therefore, anyone
using this release with the PSA Crypto implementation must apply
this patch to ensure proper signature verification.

[1]: https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/+/55aed7d798f3d48d6aa08d58eb46c4cda318bcfb/drivers/auth/mbedtls/mbedtls_psa_crypto.c#447

Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Reported-by: Ryan Everett <ryan.everett@arm.com>
Change-Id: Ib484d97a04b7a82dd72592c8b5b153d577d01fc9
diff --git a/drivers/auth/mbedtls/mbedtls_psa_crypto.c b/drivers/auth/mbedtls/mbedtls_psa_crypto.c
index 99242e3..2da97dc 100644
--- a/drivers/auth/mbedtls/mbedtls_psa_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_psa_crypto.c
@@ -446,7 +446,9 @@
 	 */
 	if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
 		rc = pk_bytes_from_subpubkey((unsigned char **) &pk_ptr, &pk_len);
-		goto end2;
+		if (rc != 0) {
+			goto end2;
+		}
 	}
 
 	/* Get the key_id using import API */
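
Review bot: after the new `if (rc != 0)` check in the `MBEDTLS_PK_RSASSA_PSS` branch, `rc` still holds 0 from `pk_bytes_from_subpubkey` when execution falls through to the key import, so any later path that reaches `end2` without reassigning `rc` would again report success. Please confirm that every step after this point (the import and the `psa_verify_message` call named in the commit message) assigns `rc` before it can jump to the exit labels, or reset `rc` to a failure value right after the check so the function fails closed by default. The nonzero value from `pk_bytes_from_subpubkey` is also returned as is through `end2`; check that callers treat it as a verification failure in the same way as the function's other error returns. Since the regression went unnoticed through a release, a test that passes a well-formed RSASSA-PSS public key with a corrupted signature and expects rejection would belong with this fix.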