From 091bdc416d5056554bb8963054357423165662b7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 16:17:44 +0100 Subject: [PATCH] psa_util: enhance checks on leading zeros in convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 10 ++++++++++ tests/suites/test_suite_psa_crypto_util.data | 12 ++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 7e79b1ce8..674f21b9b 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -488,10 +488,20 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, return ret; } + /* It's invalid to have MSb set without a leading 0x00 (leading 0x00 is + * checked below). */ + if ((*p & 0x80) != 0) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } + /* Skip possible leading zero */ if ((unpadded_len > 0) && (*p == 0x00)) { p++; unpadded_len--; + /* Only 1 leading zero is allowed, otherwise that's an error. */ + if (*p == 0x00) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } } if (unpadded_len > coordinate_size) { diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index f12a4bb72..568f6c571 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data 
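Review bot: The new MSb test reads `*p` before anything visible confirms that the integer has content, and the added `if (*p == 0x00)` after `p++; unpadded_len--;` reads `*p` again without re-checking the remaining length. The existing "Valid 0-length s" case (DER ending in `0200`) still expects success, so for that input the first read would land one byte past the end of the signature buffer, assuming `p` points at the integer's content as the surrounding lines suggest. An integer whose only content byte is 0x00 takes the second read beyond the integer in the same way. Guard both reads, e.g. `if ((unpadded_len > 0) && ((*p & 0x80) != 0)) {` and `if ((unpadded_len > 0) && (*p == 0x00)) {`, or reject `unpadded_len == 0` up front if an empty INTEGER is meant to be invalid. The function starts and ends outside this hunk, so how `p` and `unpadded_len` are set is inferred from the visible lines only.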
@@ -74,13 +74,13 @@ ECDSA DER -> Raw, 256bit, r with MSb set depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 256bit, Valid r all zeros +ECDSA DER -> Raw, 256bit, Invalid r all zeros depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA DER -> Raw, 256bit, Valid s all zeros +ECDSA DER -> Raw, 256bit, Invalid s all zeros depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Valid r only 1 zero byte depends_on:PSA_WANT_ECC_SECP_K1_256 
@@ -98,6 +98,10 @@ ECDSA DER -> Raw, 256bit, Valid 0-length s depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 +ECDSA DER -> Raw, 256bit, Invalid r: MSb set without leading zero +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"30440220911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512
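Review bot: The added negative case covers only r, so s has no "MSb set without leading zero" counterpart even though it presumably goes through the same single-integer conversion. Nothing in these hunks exercises an INTEGER whose only content byte is `00`, which is the boundary where the new "only 1 leading zero" test reads the byte after the skipped zero. Consider adding the s variant and a case with that one-byte zero as the last element, and run the suite under a memory checker so that an over-read in the new `*p` tests fails the "Valid 0-length s" case instead of passing silently. The now-failing cases keep a full expected-output string, so a `#` comment noting that it is unused on error would help readers.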