fix(mbedtls/port): Check signature hash length before using ECDSA hardware

Harshal5 · Harshal5 · commit 331fd7f79fc7 · 2024-09-05T16:27:58.000+05:30
diff --git a/components/mbedtls/port/ecdsa/ecdsa_alt.c b/components/mbedtls/port/ecdsa/ecdsa_alt.c
@@ -674,7 +674,7 @@ int __wrap_mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
                          const mbedtls_mpi *r,
                          const mbedtls_mpi *s)
 {
-    if (grp->id == MBEDTLS_ECP_DP_SECP192R1 || grp->id == MBEDTLS_ECP_DP_SECP256R1) {
+    if ((grp->id == MBEDTLS_ECP_DP_SECP192R1 || grp->id == MBEDTLS_ECP_DP_SECP256R1) && blen == ECDSA_SHA_LEN) {
         return esp_ecdsa_verify(grp, buf, blen, Q, r, s);
     } else {
         return __real_mbedtls_ecdsa_verify(grp, buf, blen, Q, r, s);

Original file line number	Diff line number	Diff line change
`@@ -674,7 +674,7 @@ int __wrap_mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,`
`674`	`674`	`const mbedtls_mpi *r,`
`675`	`675`	`const mbedtls_mpi *s)`
`676`	`676`	`{`
`677`		`- if (grp->id == MBEDTLS_ECP_DP_SECP192R1 \|\| grp->id == MBEDTLS_ECP_DP_SECP256R1) {`
	`677`	`+ if ((grp->id == MBEDTLS_ECP_DP_SECP192R1 \|\| grp->id == MBEDTLS_ECP_DP_SECP256R1) && blen == ECDSA_SHA_LEN) {`
`678`	`678`	`return esp_ecdsa_verify(grp, buf, blen, Q, r, s);`
`679`	`679`	`} else {`
`680`	`680`	`return __real_mbedtls_ecdsa_verify(grp, buf, blen, Q, r, s);`