Hi Jarkko,
On 2/21/22 9:49 AM, Jarkko Sakkinen wrote:
On Mon, Feb 07, 2022 at 07:43:27PM +0800, Tianjia Zhang wrote:
The signature verification of SM2 needs to add the Za value and
recalculate sig->digest, which requires the detection of the pkey_algo
in public_key_verify_signature(). As Eric Biggers said, the pkey_algo
field in sig is attacker-controlled and should be use pkey->pkey_algo
instead of sig->pkey_algo, and secondly, if sig->pkey_algo is NULL, it
will also cause signature verification failure.
The software_key_determine_akcipher() already forces the algorithms
are matched, so the SM3 algorithm is enforced in the SM2 signature,
although this has been checked, we still avoid using any algorithm
information in the signature as input.
Reported-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Signed-off-by: Tianjia Zhang <tianjia.zhang@xxxxxxxxxxxxxxxxx>
---
crypto/asymmetric_keys/public_key.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index a603ee8afdb8..ea9a5501f87e 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -309,7 +309,8 @@ static int cert_sig_digest_update(const struct public_key_signature *sig,
if (ret)
return ret;
- tfm = crypto_alloc_shash(sig->hash_algo, 0, 0);
+ /* SM2 signatures always use the SM3 hash algorithm */
+ tfm = crypto_alloc_shash("sm3", 0, 0);
Why not simply fail when sig->hash_algo != "sm3"?
BR, Jarkko
This series of Eric's patch 2/2 has done this check.
Best regards,
Tianjia
