From: Demi Marie Obenour
Date: Thu, 8 Dec 2022 20:24:27 +0000 (-0500)
Subject: fix(auth): require bit strings to have no unused bits
X-Git-Tag: baikal/aarch64/sdk5.10~1^2~287^2~2
X-Git-Url: https://git.baikalelectronics.ru/?a=commitdiff_plain;h=8816dbb3819e626d14e1bb9702f6446cb80e26f0;p=arm-tf.git
fix(auth): require bit strings to have no unused bits
This is already checked by the crypto module or by mbedTLS, but checking it in the X.509 parser is harmless.
Change-Id: Ifdbe3b4c6d04481bb8e93106ee04b49a70f50d5d
Signed-off-by: Demi Marie Obenour
---
diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
index 244f1c95e..87f280c13 100644
--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
@@ -281,7 +281,8 @@ static int cert_parse(void *img, unsigned int img_len)
 }
 p += len;
- ret = mbedtls_asn1_get_tag(&p, pk_end, &len, MBEDTLS_ASN1_BIT_STRING);
+ /* Key is a BIT STRING and must use all bytes in SubjectPublicKeyInfo */
+ ret = mbedtls_asn1_get_bitstring_null(&p, pk_end, &len);
 if ((ret != 0) || (p + len != pk_end)) {
 return IMG_PARSER_ERR_FORMAT;
 }
@@ -422,7 +423,7 @@ static int cert_parse(void *img, unsigned int img_len)
 * signatureValue BIT STRING
 */
 signature.p = p;
- ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_BIT_STRING);
+ ret = mbedtls_asn1_get_bitstring_null(&p, end, &len);
 if (ret != 0) {
 return IMG_PARSER_ERR_FORMAT;
 }
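Review bot: The comment added in the first hunk records the "must use all bytes" rule but not the rule this commit introduces: the BIT STRING's unused-bits octet must be zero, and `mbedtls_asn1_get_bitstring_null()` consumes that octet, leaving `p` one byte further and `len` one smaller than `mbedtls_asn1_get_tag()` did. That shift is what keeps `p + len != pk_end` correct, so I would spell it out, e.g. `/* Key is a BIT STRING with zero unused bits; p/len now cover only the key bytes, which must end at pk_end */`. The signatureValue hunk makes the same substitution with no comment, and there `signature.p` is captured before the call, so it still points at the tag while `p`/`len` skip the unused-bits octet. A one-line comment such as `/* skips the unused-bits octet: p/len describe the signature bytes only */` would warn that any length computed after the hunk has to be derived from `p + len`, not from `len` alone. cert_parse continues outside both hunks, so how `len` is used afterwards could not be checked from this page.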