Guard against PSA generating invalid signature

The goal is not to double-check everything PSA does, but to ensure that if
anything goes wrong, we fail cleanly rather than by overwriting a buffer.
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 301d226..3af17d3 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -784,13 +784,18 @@
     memmove( *p, start, len );
 
     /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
-     * Neither r nor s can be 0, so we can assume len > 0 at all times. */
-    while( **p == 0x00 )
+     * Neither r nor s should be 0, but as a failsafe measure, still detect
+     * that rather than overflowing the buffer in case of a PSA error. */
+    while( len > 0 && **p == 0x00 )
     {
         ++(*p);
         --len;
     }
 
+    /* this is only reached if the signature was invalid */
+    if( len == 0 )
+        return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
+
     /* if the msb is 1, ASN.1 requires that we prepend a 0.
      * Neither r nor s can be 0, so we can assume len > 0 at all times. */
     if( **p & 0x80 )
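Review bot: The comment kept at the line before `if( **p & 0x80 )` still says "Neither r nor s can be 0, so we can assume len > 0 at all times", which is exactly the assumption the new `len == 0` check above stops relying on; leaving it reads as if the invariant were still taken on trust. I would reword it to state the actual guarantee, e.g. `/* if the msb is 1, ASN.1 requires that we prepend a 0. len > 0 here: the loop above stops at the first non-zero byte, and the check that follows it rejects an all-zero value. */`. The new early return relies on the caller treating MBEDTLS_ERR_PK_HW_ACCEL_FAILED as a hard failure for this path; a one-line comment on the return saying that a zero r or s is never a valid ECDSA component would make that intent explicit for readers of the added branch. The enclosing function begins before this hunk (the `memmove` at its top is mid-body), so the bound on `len` before the `memmove` and the buffer room for the prepended 0 are outside this view and were not reviewed here.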