mirror of
https://github.com/Dasharo/skiboot.git
synced 2026-03-06 14:50:44 -08:00
Daniel Axtens
1f4d12cf70
This code isn't directly used by skiboot, but it is wrong and potentially insecure so I'm fixing it in case it's used in the future. We pass sizeof(hash) into mbedtls_pk_verify(). However, hash is a pointer, not an array, so rather than passing the length of the hash to verify we'll pass in 8, and only compare the first 8 bytes of the hash rather than all 32. Pass in 0 instead. That tells mbedtls to work out the length based on the hash type. We allocated enough memory for whatever hash type the PKCS#7 message declared so this will be safe. Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Cédric Le Goater <clg@kaod.org>