Mirrors/u-boot
2
0
Fork 0
mirror of https://github.com/AsahiLinux/u-boot synced 2024-11-28 15:41:40 +00:00
Code Issues Projects Releases Packages Wiki Activity

kwbimage: fixing the issue with proper return code checking

Browse source 
EVP_VerifyFinal would return one of three values:
1 if the data is verified to be correct;
0 if it is incorrect;
-1 if there is any failure in the verification process.

The varification in unpatched version is wrong, since it ignored
the return value of -1.

The bug allows a malformed signature to be treated as a good
signature rather than as an error. This issue affects the
signature checks on DSA ans ECDSA keys used with SSL/TLS.

This issue is similar to CVE-2008-5077, CVE-2009-0021,
CVE-2009-0025, CVE-2009-0046 ~ CVE-2009-0049.

Signed-off-by: Young Xiao <92siuyang@gmail.com>
Signed-off-by: Stefan Roese <sr@denx.de>
This commit is contained in:
Young Xiao 2019-04-17 17:20:24 +08:00 committed by Stefan Roese
parent b4ee6daad7
commit 2251512345
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
tools/kwbimage.c
View file

@ -701,7 +701,7 @@ int kwb_verify(RSA *key, void *data, int datasz, struct sig_v1 *sig,
goto err_ctx;
}
if (!EVP_VerifyFinal(ctx, sig->sig, sizeof(sig->sig), evp_key)) {
if (EVP_VerifyFinal(ctx, sig->sig, sizeof(sig->sig), evp_key) != 1) {
ret = openssl_err("Could not verify signature");
goto err_ctx;
}