Fix P384 signature and public key encoding
Use BN_bn2bin_padded when working with a fixed size buffer. Otherwise
the encoded values leak the content of uninitialized memory and the
decode assumes an incorrect size.
Test: Certificate verification unit tests no longer flake
Change-Id: Ib5147c0b4e34226b3f09813f53c371150cf7726e
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/162996
Reviewed-by: Andrew Scull <ascull@google.com>
Pigweed-Auto-Submit: Darren Krahn <dkrahn@google.com>
Commit-Queue: Auto-Submit <auto-submit@pigweed-service-accounts.iam.gserviceaccount.com>
diff --git a/src/boringssl_ecdsa_utils.c b/src/boringssl_ecdsa_utils.c
index 0c7b4a1..876e87f 100644
--- a/src/boringssl_ecdsa_utils.c
+++ b/src/boringssl_ecdsa_utils.c
@@ -179,14 +179,13 @@
if (1 != EC_POINT_get_affine_coordinates_GFp(group, publicKey, x, y, NULL)) {
goto out;
}
- if (BN_num_bytes(x) > P384_PRIVATE_KEY_SIZE) {
+ if (1 != BN_bn2bin_padded(&public_key[0], P384_PUBLIC_KEY_SIZE / 2, x)) {
goto out;
}
- BN_bn2bin(x, &public_key[0]);
- if (BN_num_bytes(y) > P384_PRIVATE_KEY_SIZE) {
+ if (1 != BN_bn2bin_padded(&public_key[P384_PUBLIC_KEY_SIZE / 2],
+ P384_PUBLIC_KEY_SIZE / 2, y)) {
goto out;
}
- BN_bn2bin(y, &public_key[P384_PRIVATE_KEY_SIZE]);
ret = 1;
out:
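Review bot: The two BN_bn2bin_padded calls hard-code the coordinate width as `P384_PUBLIC_KEY_SIZE / 2` with no comment saying what the output layout is, so a reader has to work out that `public_key` is the raw uncompressed form X || Y with each coordinate zero-padded to the P-384 field size. I would add above the first call `/* Encode as raw X || Y, each coordinate big-endian and zero-padded to P384_PUBLIC_KEY_SIZE / 2 bytes; BN_bn2bin_padded fails if a value is wider than that. */` and, optionally, name the half-width once (e.g. a `P384_COORDINATE_SIZE` constant) instead of repeating the division. Note that BN_bn2bin_padded only rejects values that are too wide; nothing in the hunk checks that `group` is actually P-384, so a point from a smaller curve would presumably encode with extra zero padding rather than fail — worth confirming that the caller or the part of this function above the hunk validates the curve. The `1 !=` test is correct for BoringSSL's BN_bn2bin_padded (returns 1/0); OpenSSL's BN_bn2binpad returns a length or -1, so the file's BoringSSL-only naming is doing real work here. The enclosing function starts before the hunk and its `out:` cleanup continues past it.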
@@ -224,15 +223,13 @@
if (!sig) {
goto out;
}
-
- if (BN_num_bytes(sig->r) > P384_PRIVATE_KEY_SIZE) {
+ if (1 != BN_bn2bin_padded(&signature[0], P384_SIGNATURE_SIZE / 2, sig->r)) {
goto out;
}
- BN_bn2bin(sig->r, &signature[0]);
- if (BN_num_bytes(sig->s) > P384_PRIVATE_KEY_SIZE) {
+ if (1 != BN_bn2bin_padded(&signature[P384_SIGNATURE_SIZE / 2],
+ P384_SIGNATURE_SIZE / 2, sig->s)) {
goto out;
}
- BN_bn2bin(sig->s, &signature[P384_PRIVATE_KEY_SIZE]);
ret = 1;
out:
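Review bot: The signature encoding has the same undocumented layout as the public key: `signature` is the raw fixed-width r || s form (each half zero-padded to `P384_SIGNATURE_SIZE / 2` bytes), not DER, and nothing in the hunk says so. I would add before the `sig->r` call `/* Raw fixed-width encoding: r || s, each big-endian and zero-padded to P384_SIGNATURE_SIZE / 2 bytes (not DER). */`, since the previous BN_bn2bin code is exactly how the mismatch with the decoder arose. The failure branches are reachable only if r or s is wider than 48 bytes, which should not happen for a valid P-384 signature, so a short comment noting they are defensive would also help. `sig` is allocated above the hunk and the `out:` label continues past it, so I cannot see from here whether it is freed on the early-`goto out` paths — please confirm ECDSA_SIG_free runs on every exit.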