mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-12-01 08:59:33 +00:00
kwbimage: fixing the issue with proper return code checking
EVP_VerifyFinal would return one of three values: 1 if the data is verified to be correct; 0 if it is incorrect; -1 if there is any failure in the verification process. The varification in unpatched version is wrong, since it ignored the return value of -1. The bug allows a malformed signature to be treated as a good signature rather than as an error. This issue affects the signature checks on DSA ans ECDSA keys used with SSL/TLS. This issue is similar to CVE-2008-5077, CVE-2009-0021, CVE-2009-0025, CVE-2009-0046 ~ CVE-2009-0049. Signed-off-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: Stefan Roese <sr@denx.de>
This commit is contained in:
parent
b4ee6daad7
commit
2251512345
1 changed files with 1 additions and 1 deletions
|
@ -701,7 +701,7 @@ int kwb_verify(RSA *key, void *data, int datasz, struct sig_v1 *sig,
|
|||
goto err_ctx;
|
||||
}
|
||||
|
||||
if (!EVP_VerifyFinal(ctx, sig->sig, sizeof(sig->sig), evp_key)) {
|
||||
if (EVP_VerifyFinal(ctx, sig->sig, sizeof(sig->sig), evp_key) != 1) {
|
||||
ret = openssl_err("Could not verify signature");
|
||||
goto err_ctx;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue