bootutil: ecdsa P-256: Fix handling of sizes

The ECDSA signature is written as two DER-encoded INTEGERS.  Although
the values are always 256 bits, the encoding ends up being variable
length, because the encoding is signed, and therefore needs an extra
zero byte to keep the number positive.  This means that the length can
vary by up to two bytes.

The 'newt' tool handles this for signatures by allowing space for the
largest encoding, and padding with one or two zeros.  However, the
bootutil image check code insists that the length is exact, resulting in
a decoding error on about 3/4 of signatures.

Fix this by only verifying that we have at least enough payload to hold
the signature.  There are later checks that will fail if the integers
themselves are too large.
David Brown 2017-01-27 17:35:14 -07:00
parent f8a8bb926e
commit baff96ff23
1 changed file with 1 addition and 1 deletion
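An added illustration of the variable-length encoding the commit message describes (example code written here, not taken from the bootutil or newt sources): it computes the DER length of a P-256 signature from the leading bits of r and s, and applies a bounded form of the relaxed length check. The two-byte padding cap is an assumption taken from the message's description of newt, and is stricter than the hunk's own `cp + len > end` test.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Content length of a DER INTEGER holding a big-endian unsigned value:
 * leading zero octets are dropped, and one 0x00 octet is prepended when
 * the top bit of the first remaining octet is set, because DER INTEGERs
 * are two's-complement and the value must stay positive. */
static size_t der_uint_content_len(const uint8_t *v, size_t n)
{
    size_t i = 0;
    while (i < n && v[i] == 0) {
        i++;
    }
    if (i == n) {
        return 1;                       /* zero encodes as a single 0x00 */
    }
    return (n - i) + ((v[i] & 0x80) ? 1 : 0);
}

/* Total length of SEQUENCE { INTEGER r, INTEGER s } for 256-bit r and s.
 * Each INTEGER carries a 2-byte tag/length header; the SEQUENCE body is
 * below 128 bytes, so its header is 2 bytes as well.  For P-256 the result
 * is 70, 71 or 72 depending on the top bit of r and of s. */
size_t ecdsa_p256_der_len(const uint8_t r[32], const uint8_t s[32])
{
    size_t body = 2 + der_uint_content_len(r, 32)
                + 2 + der_uint_content_len(s, 32);
    return 2 + body;
}

/* Length check in the spirit of the fix: the payload must be large enough
 * to hold the DER signature, and (assumption, per the commit message) at
 * most two bytes of zero padding may follow it. */
int ecdsa_p256_sig_len_ok(size_t der_len, size_t payload_len)
{
    return payload_len >= der_len && (payload_len - der_len) <= 2;
}
```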


@ -122,7 +122,7 @@ tinycrypt_decode_sig(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS],
if (rc) {
return -1;
}
if (cp + len != end) {
if (cp + len > end) {
return -2;
}
rc = tinycrypt_read_bigint(r, &cp, end);
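Review bot: the loosened check `if (cp + len > end)` now accepts any amount of trailing data after the DER SEQUENCE, not only the one or two zero padding bytes the commit message says newt emits, and the following `tinycrypt_read_bigint(r, &cp, end)` still bounds its reads by `end` rather than by `cp + len`, so an INTEGER could be parsed past the SEQUENCE's declared length. Suggest capping the slack, e.g. `if (cp + len > end || end - (cp + len) > 2)`, or tightening `end` to `cp + len` before the integer reads, so the SEQUENCE length remains the effective parsing bound.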