diff options
Diffstat (limited to 'board/cr50/dcrypto/x509.c')
-rw-r--r-- | board/cr50/dcrypto/x509.c | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/board/cr50/dcrypto/x509.c b/board/cr50/dcrypto/x509.c index a4bcdf2630..2094f8dad4 100644 --- a/board/cr50/dcrypto/x509.c +++ b/board/cr50/dcrypto/x509.c @@ -355,8 +355,8 @@ static size_t asn1_parse_signature_value(const uint8_t **p, size_t *available, * where signatureValue = SIGN(HASH(tbsCertificate)), with SIGN and * HASH specified by signatureAlgorithm. */ -int DCRYPTO_x509_verify(const uint8_t *cert, size_t len, - const struct RSA *ca_pub_key) +enum dcrypto_result DCRYPTO_x509_verify(const uint8_t *cert, size_t len, + const struct RSA *ca_pub_key) { const uint8_t *p = cert; const uint8_t *tbs; @@ -366,32 +366,35 @@ int DCRYPTO_x509_verify(const uint8_t *cert, size_t len, struct sha256_digest digest; + if (!fips_crypto_allowed()) + return DCRYPTO_FAIL; + /* Read Certificate SEQUENCE. */ if (!asn1_parse_certificate(&p, &len)) - return 0; + return DCRYPTO_FAIL; /* Read tbsCertificate SEQUENCE. */ tbs = p; if (!asn1_parse_tbs(&p, &len, &tbs_len)) - return 0; + return DCRYPTO_FAIL; /* Read signatureAlgorithm SEQUENCE. */ if (!asn1_parse_signature_algorithm(&p, &len)) - return 0; + return DCRYPTO_FAIL; /* Read signatureValue BIT STRING. */ if (!asn1_parse_signature_value(&p, &len, &sig, &sig_len)) - return 0; + return DCRYPTO_FAIL; /* Check that the signature length corresponds to the issuer's * public key size. */ if (sig_len != bn_size(&ca_pub_key->N) && sig_len != bn_size(&ca_pub_key->N) + 1) - return 0; + return DCRYPTO_FAIL; /* Check that leading signature bytes (if any) are zero. */ if (sig_len == bn_size(&ca_pub_key->N) + 1) { if (sig[0] != 0) - return 0; + return DCRYPTO_FAIL; sig++; sig_len--; } |