-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
digest size not checked when doing a ECDSA sign operation #1474
Comments
Hi @HenrikRosenquistAndersson, Thanks for reporting this, and sorry for the late reply. OP-TEE implements the GlobalPlatform TEE Internal Core API Specification v1.1. My understanding of the spec is that neither What do you think of this patch? Am I missing something? Should we still restrict the hash sizes to the standard ones or is it OK to accept any value? Thanks. |
Yes you are right I have been looking at the v1.1.1 specification where the hash algorithm is described in the ECDSA algorithm. So yes in v1.1 TEE_AsymmetricSignDigest() and TEE_AsymmetricVerifyDigest() shouldn't check the hash length for ECDSA because the hash algorithm isn't described. But for all other algorithms RSASSA, DSA it should be checked because the hash algorithm is mentioned there. The code change looks fine in that sense. I found one side comment when looking at the changed code /*
* Depending on the DSA algorithm (NIST), the digital signature
* output size may be truncated to the size of a key pair
* (Q prime size). Q prime size must be less or equal than the
* hash output length of the hash algorithm involved.
*/
if (data_len > hash_size) {
res = TEE_ERROR_BAD_PARAMETERS;
goto out;
} From reading the comment the DSA signature length could be less than the hash_size. I was just curious since I though it looked strange and wanted to note that even if I don't know DSA. |
As for DSA... I also have a hard time understanding the link between the comment and the code, but removing the special case (and just testing for
I need to take a closer look. |
@jforissier did you manage to follow up on the DSA? |
No, I didn't. |
This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time. |
When executing a ECDSA sign operation (TEE_AsymmetricSignDiges) you are suppose to pass in the sha1 hash of the data to sign.
The length of the hash is not checked in syscall_asymm_operate() and you receive a SUCCESS back with a signature even if you pass in an invalid hash length.
If you then pass in the same hash and invalid hash length and the received signature in TEE_AsymmetricVerifyDigest you get an invalid argument error back. (syscall_asymm_verify() checks that the hash length is valid.)
By the way. The latest Global Platform APIs support ECDSA sign/verify operations with other digests than sha1. Any plans to add support for this?
The text was updated successfully, but these errors were encountered: