From e6d68831a71131b7d92fbea93d3b9cbe10ba2068 Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Tue, 20 Mar 2018 09:42:39 +0800 Subject: [PATCH] deps: update mbedTLS to 2.7.0 At the same time rebase patches on top of new version and get rid of fixes that have been merged upstream. Signed-off-by: Antonio Quartulli --- deps/lib-versions | 4 +- ...> 0001-relax-x509-date-format-check.patch} | 24 +- ...ort-for-additional-hmacSHA-algorithm.patch | 8 +- ...f2_hmac-add-unit-tests-for-additiona.patch | 2 +- ...f2_hmac-extend-array-to-accommodate-.patch | 2 +- ...-v2-add-keys-generated-with-PRF-SHA1.patch | 6 +- ...arse-new-PKCS8-v2-keys-with-PRF-SHA1.patch | 10 +- ...ryption-in-pk_parse_pkcs8_encrypted_.patch | 130 -- .../patches/0008-timing-test-patches.patch | 1766 ----------------- ...verflow-in-PSS-signature-verificatio.patch | 139 -- ...buffer-overflow-in-PSS-signature-ver.patch | 108 - ...mum-length-check-for-keys-of-size-8N.patch | 55 - ...rst-byte-check-for-keys-of-size-8N-1.patch | 60 - ...PSS-remove-redundant-check-changelog.patch | 31 - 14 files changed, 35 insertions(+), 2310 deletions(-) rename deps/mbedtls/patches/{0001-mbedtls-relaxed-x509-date-format.patch => 0001-relax-x509-date-format-check.patch} (52%) delete mode 100644 deps/mbedtls/patches/0007-Use-in-place-decryption-in-pk_parse_pkcs8_encrypted_.patch delete mode 100644 deps/mbedtls/patches/0008-timing-test-patches.patch delete mode 100644 deps/mbedtls/patches/0009-RSA-Fix-buffer-overflow-in-PSS-signature-verificatio.patch delete mode 100644 deps/mbedtls/patches/0010-RSA-Fix-another-buffer-overflow-in-PSS-signature-ver.patch delete mode 100644 deps/mbedtls/patches/0011-RSA-PSS-fix-minimum-length-check-for-keys-of-size-8N.patch delete mode 100644 deps/mbedtls/patches/0012-RSA-PSS-fix-first-byte-check-for-keys-of-size-8N-1.patch delete mode 100644 deps/mbedtls/patches/0013-RSA-PSS-remove-redundant-check-changelog.patch
diff --git a/deps/lib-versions b/deps/lib-versions index 7e78a6e1..a508af1b 100644 --- a/deps/lib-versions +++ b/deps/lib-versions @@ -4,8 +4,8 @@ export ASIO_CSUM=fa8c3a16dc2163f5b3451f2a14ce95277c971f46700497d4e94af6059c00dc0 export LZ4_VERSION=lz4-1.8.0 export LZ4_CSUM=2ca482ea7a9bb103603108b5a7510b7592b90158c151ff50a28f1ca8389fccf6 -export MBEDTLS_VERSION=mbedtls-2.6.0 -export MBEDTLS_CSUM=99bc9d4212d3d885eeb96273bcde8ecc649a481404b8d7ea7bb26397c9909687 +export MBEDTLS_VERSION=mbedtls-2.7.0 +export MBEDTLS_CSUM=aeb66d6cd43aa1c79c145d15845c655627a7fc30d624148aaafbb6c36d7f55ef export OPENSSL_VERSION=openssl-1.0.2h diff --git a/deps/mbedtls/patches/0001-mbedtls-relaxed-x509-date-format.patch b/deps/mbedtls/patches/0001-relax-x509-date-format-check.patch similarity index 52% rename from deps/mbedtls/patches/0001-mbedtls-relaxed-x509-date-format.patch rename to deps/mbedtls/patches/0001-relax-x509-date-format-check.patch index ec4b84c5..2e5f61a3 100644 --- a/deps/mbedtls/patches/0001-mbedtls-relaxed-x509-date-format.patch +++ b/deps/mbedtls/patches/0001-relax-x509-date-format-check.patch @@ -1,7 +1,18 @@ -diff -urw mbedtls-2.6.0.orig/library/x509.c mbedtls-2.6.0/library/x509.c ---- mbedtls-2.6.0.orig/library/x509.c 2017-11-03 11:46:21.403848065 +0800 -+++ mbedtls-2.6.0/library/x509.c 2017-11-03 11:58:46.259817520 +0800 -@@ -559,13 +559,20 @@ +From 62dd1588a7ec3501edfaf9470cf7a1ca15cb4ba1 Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Tue, 20 Mar 2018 09:35:47 +0800 +Subject: [PATCH] relax x509 date format check + +Signed-off-by: Antonio Quartulli +--- + library/x509.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/library/x509.c b/library/x509.c +index 371d6da1..df2cea81 100644 +--- a/library/x509.c ++++ b/library/x509.c +@@ -565,13 +565,20 @@ static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen, /* * Parse seconds if present */ 
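Review bot: The new git-format header written into 0001-relax-x509-date-format-check.patch has an empty body — `Subject: [PATCH] relax x509 date format check` is followed directly by the `Signed-off-by` trailer — so the rebased patch still does not record which date encodings beyond what upstream's `x509_parse_time` accepts are being admitted, or why. Because this widens what a certificate's validity field may contain, the rebase is a good moment to add a body along the lines of `Accept <form> in notBefore/notAfter because <issuer or deployment reason>; upstream rejects it as non-conforming` (with the concrete form and reason filled in), so the deviation from upstream can be re-evaluated at the next mbedTLS bump. The relaxed code itself is not visible in this hunk, which only rewrites the header and the first hunk's line numbers; the nature of the change is inferred from the subject alone.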
@@ -23,7 +34,7 @@ diff -urw mbedtls-2.6.0.orig/library/x509.c mbedtls-2.6.0/library/x509.c /* * Parse trailing 'Z' if present -@@ -575,6 +582,15 @@ +@@ -581,6 +588,15 @@ static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen, (*p)++; len--; } @@ -39,3 +50,6 @@ diff -urw mbedtls-2.6.0.orig/library/x509.c mbedtls-2.6.0/library/x509.c /* * We should have parsed all characters at this point +-- +2.16.2 + diff --git a/deps/mbedtls/patches/0002-pkcs5v2-add-support-for-additional-hmacSHA-algorithm.patch b/deps/mbedtls/patches/0002-pkcs5v2-add-support-for-additional-hmacSHA-algorithm.patch index 9d954865..157ff292 100644 --- a/deps/mbedtls/patches/0002-pkcs5v2-add-support-for-additional-hmacSHA-algorithm.patch +++ b/deps/mbedtls/patches/0002-pkcs5v2-add-support-for-additional-hmacSHA-algorithm.patch @@ -1,4 +1,4 @@ -From 4e75bd33172a8a73abfa6a15d442d1f80f466870 Mon Sep 17 00:00:00 2001 +From 56df6d5003b20fa673b67fb06c2ec03a8197c4c2 Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Wed, 20 Dec 2017 07:03:55 +0800 Subject: [PATCH] pkcs5v2: add support for additional hmacSHA algorithms @@ -25,10 +25,10 @@ Signed-off-by: Antonio Quartulli 4 files changed, 66 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h -index fcecdafd..d621c075 100644 +index bf2ef5ec..408645ec 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h -@@ -227,6 +227,14 @@ +@@ -228,6 +228,14 @@ #define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */ 
@@ -43,7 +43,7 @@ index fcecdafd..d621c075 100644 /* * Encryption algorithms */ -@@ -513,6 +521,16 @@ int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t +@@ -514,6 +522,16 @@ int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND */ int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg ); diff --git a/deps/mbedtls/patches/0003-tests-pkcs5-pbkdf2_hmac-add-unit-tests-for-additiona.patch b/deps/mbedtls/patches/0003-tests-pkcs5-pbkdf2_hmac-add-unit-tests-for-additiona.patch index 1bc222d7..ad46ebbe 100644 --- a/deps/mbedtls/patches/0003-tests-pkcs5-pbkdf2_hmac-add-unit-tests-for-additiona.patch +++ b/deps/mbedtls/patches/0003-tests-pkcs5-pbkdf2_hmac-add-unit-tests-for-additiona.patch @@ -1,4 +1,4 @@ -From 5abb7fb80073bc310a96d5a184694b1e29a19faf Mon Sep 17 00:00:00 2001 +From bb029567d8a2b55e500a85c916a8d22ae9434ab3 Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Wed, 31 Jan 2018 23:23:02 +0800 Subject: [PATCH] tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA diff --git a/deps/mbedtls/patches/0004-tests-pkcs5-pbkdf2_hmac-extend-array-to-accommodate-.patch b/deps/mbedtls/patches/0004-tests-pkcs5-pbkdf2_hmac-extend-array-to-accommodate-.patch index 72e2260e..ed67848b 100644 --- a/deps/mbedtls/patches/0004-tests-pkcs5-pbkdf2_hmac-extend-array-to-accommodate-.patch +++ b/deps/mbedtls/patches/0004-tests-pkcs5-pbkdf2_hmac-extend-array-to-accommodate-.patch @@ -1,4 +1,4 @@ -From ea10371f909419d2634a75ef30fab8cd8df71a91 Mon Sep 17 00:00:00 2001 +From d09cecb5f7d1e66476c97a35caee7248930ef425 Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Wed, 31 Jan 2018 23:45:09 +0800 Subject: [PATCH] tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer 
diff --git a/deps/mbedtls/patches/0005-data_files-pkcs8-v2-add-keys-generated-with-PRF-SHA1.patch b/deps/mbedtls/patches/0005-data_files-pkcs8-v2-add-keys-generated-with-PRF-SHA1.patch index c7c3c0aa..9eecc177 100644 --- a/deps/mbedtls/patches/0005-data_files-pkcs8-v2-add-keys-generated-with-PRF-SHA1.patch +++ b/deps/mbedtls/patches/0005-data_files-pkcs8-v2-add-keys-generated-with-PRF-SHA1.patch @@ -1,4 +1,4 @@ -From 8e866133ec2c28a615212d76c85745e5dc2ebd7c Mon Sep 17 00:00:00 2001 +From 4e96327a813d2e1d06dfb7e44caacb400fd8769b Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Thu, 1 Feb 2018 13:54:13 +0800 Subject: [PATCH] data_files/pkcs8-v2: add keys generated with PRF != SHA1 @@ -122,10 +122,10 @@ Signed-off-by: Antonio Quartulli create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile -index f7826d43..fab04ee8 100644 +index d4aed678..7069b4f3 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile -@@ -66,6 +66,574 @@ all_final += server2-sha256.crt +@@ -392,6 +392,574 @@ server1_all: server1.csr server1.crt server1.noauthid.crt server1.crt.openssl se diff --git a/deps/mbedtls/patches/0006-tests_suite_pkparse-new-PKCS8-v2-keys-with-PRF-SHA1.patch b/deps/mbedtls/patches/0006-tests_suite_pkparse-new-PKCS8-v2-keys-with-PRF-SHA1.patch index 3fcb8514..b5b16144 100644 --- a/deps/mbedtls/patches/0006-tests_suite_pkparse-new-PKCS8-v2-keys-with-PRF-SHA1.patch +++ b/deps/mbedtls/patches/0006-tests_suite_pkparse-new-PKCS8-v2-keys-with-PRF-SHA1.patch @@ -1,4 +1,4 @@ -From 32b9493a889f7a72eb3f124ffc8dc8a3544b26a8 Mon Sep 17 00:00:00 2001 +From 7ed2575f310fd889fba025aa760f74ec1b41924b Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Thu, 1 Feb 2018 14:03:36 +0800 Subject: [PATCH] tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1 @@ -13,12 +13,12 @@ Signed-off-by: Antonio Quartulli 1 file changed, 576 insertions(+) 
diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data -index 9c0edbb5..01bc1f03 100644 +index 416f9dfe..1bf06270 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data -@@ -102,6 +102,582 @@ Parse RSA Key #20 (PKCS#8 encrypted v2 PBDFK2 DES) - depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC - pk_parse_keyfile_rsa:"data_files/pkcs8_pbes2_pbkdf2_des.key":"PolarSSLTest":0 +@@ -362,6 +362,582 @@ Parse RSA Key #49.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, no PW) + depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C + pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +Parse RSA Key #50 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224) +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC diff --git a/deps/mbedtls/patches/0007-Use-in-place-decryption-in-pk_parse_pkcs8_encrypted_.patch b/deps/mbedtls/patches/0007-Use-in-place-decryption-in-pk_parse_pkcs8_encrypted_.patch deleted file mode 100644 index b24a12a8..00000000 --- a/deps/mbedtls/patches/0007-Use-in-place-decryption-in-pk_parse_pkcs8_encrypted_.patch +++ /dev/null 
@@ -1,130 +0,0 @@ -From 1ab62937e63f3a4ecbbea9233f68e5afd2a2f229 Mon Sep 17 00:00:00 2001 -From: Hanno Becker -Date: Fri, 25 Aug 2017 13:38:26 +0100 -Subject: [PATCH] Use in-place decryption in pk_parse_pkcs8_encrypted_der - -The stack buffer used to hold the decrypted key in pk_parse_pkcs8_encrypted_der -was statically sized to 2048 bytes, which is not enough for DER encoded 4096bit -RSA keys. - -This commit resolves the problem by performing the key-decryption in-place, -circumventing the introduction of another stack or heap copy of the key. - -There are two situations where pk_parse_pkcs8_encrypted_der is invoked: -1. When processing a PEM-encoded encrypted key in mbedtls_pk_parse_key. - This does not need adaption since the PEM context used to hold the decoded - key is already constructed and owned by mbedtls_pk_parse_key. -2. When processing a DER-encoded encrypted key in mbedtls_pk_parse_key. - In this case, mbedtls_pk_parse_key calls pk_parse_pkcs8_encrypted_der with - the buffer provided by the user, which is declared const. The commit - therefore adds a small code paths making a copy of the keybuffer before - calling pk_parse_pkcs8_encrypted_der. 
---- - library/pkparse.c | 35 ++++++++++++++++++++++------------- - 1 file changed, 22 insertions(+), 13 deletions(-) - -diff --git a/library/pkparse.c b/library/pkparse.c -index efdf4374..cf25cdd2 100644 ---- a/library/pkparse.c -+++ b/library/pkparse.c -@@ -936,12 +936,12 @@ static int pk_parse_key_pkcs8_unencrypted_der( - #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) - static int pk_parse_key_pkcs8_encrypted_der( - mbedtls_pk_context *pk, -- const unsigned char *key, size_t keylen, -+ unsigned char *key, size_t keylen, - const unsigned char *pwd, size_t pwdlen ) - { - int ret, decrypted = 0; - size_t len; -- unsigned char buf[2048]; -+ unsigned char *buf; - unsigned char *p, *end; - mbedtls_asn1_buf pbe_alg_oid, pbe_params; - #if defined(MBEDTLS_PKCS12_C) -@@ -949,8 +949,6 @@ static int pk_parse_key_pkcs8_encrypted_der( - mbedtls_md_type_t md_alg; - #endif - -- memset( buf, 0, sizeof( buf ) ); -- - p = (unsigned char *) key; - end = p + keylen; - -@@ -985,8 +983,7 @@ static int pk_parse_key_pkcs8_encrypted_der( - if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) - return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); - -- if( len > sizeof( buf ) ) -- return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); -+ buf = p; - - /* - * Decrypt EncryptedData with appropriate PDE -@@ -1084,7 +1081,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, - if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL ) - return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); - -- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || -+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || - ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), - pem.buf, pem.buflen ) ) != 0 ) - { -@@ -1116,7 +1113,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, - if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ) ) == NULL ) - return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); - -- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || -+ if( ( ret = 
mbedtls_pk_setup( pk, pk_info ) ) != 0 || - ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), - pem.buf, pem.buflen ) ) != 0 ) - { -@@ -1194,12 +1191,24 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, - * error - */ - #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) -- if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, key, keylen, -- pwd, pwdlen ) ) == 0 ) - { -- return( 0 ); -+ unsigned char *key_copy; -+ -+ if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL ) -+ return( MBEDTLS_ERR_PK_ALLOC_FAILED ); -+ -+ memcpy( key_copy, key, keylen ); -+ -+ ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen, -+ pwd, pwdlen ); -+ -+ mbedtls_zeroize( key_copy, keylen ); -+ mbedtls_free( key_copy ); - } - -+ if( ret == 0 ) -+ return( 0 ); -+ - mbedtls_pk_free( pk ); - - if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH ) -@@ -1217,7 +1226,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, - if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL ) - return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); - -- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || -+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || - ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) ) == 0 ) - { - return( 0 ); -@@ -1230,7 +1239,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, - if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ) ) == NULL ) - return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); - -- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || -+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || - ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), key, keylen ) ) == 0 ) - { - return( 0 ); --- -2.16.2 - diff --git a/deps/mbedtls/patches/0008-timing-test-patches.patch b/deps/mbedtls/patches/0008-timing-test-patches.patch deleted file mode 100644 index 59c9e1e9..00000000 --- a/deps/mbedtls/patches/0008-timing-test-patches.patch +++ /dev/null 
@@ -1,1766 +0,0 @@ -From a0af95f052fa734c662dfe420d3e34e6ed777ed5 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Tue, 10 Oct 2017 20:10:46 +0200 -Subject: [PATCH 01/13] Timing: fix mbedtls_set_alarm(0) on Unix/POSIX - -The POSIX/Unix implementation of mbedtls_set_alarm did not set the -mbedtls_timing_alarmed flag when called with 0, which was inconsistent -with what the documentation implied and with the Windows behavior. ---- - library/timing.c | 6 ++++++ - 2 files changed, 7 insertions(+) - -diff --git a/library/timing.c b/library/timing.c -index a7c7ff0..4576f31 100644 ---- a/library/timing.c -+++ b/library/timing.c -@@ -315,6 +315,12 @@ void mbedtls_set_alarm( int seconds ) - mbedtls_timing_alarmed = 0; - signal( SIGALRM, sighandler ); - alarm( seconds ); -+ if( seconds == 0 ) -+ { -+ /* alarm(0) cancelled any previous pending alarm, but the -+ handler won't fire, so raise the flag straight away. */ -+ mbedtls_timing_alarmed = 1; -+ } - } - - #endif /* _WIN32 && !EFIX64 && !EFI32 */ --- -2.7.4 - - -From a9edc4805b5e73885eb3ca1e9fe905e7321c226a Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Tue, 10 Oct 2017 19:46:45 +0200 -Subject: [PATCH 02/13] timing interface documentation: minor clarifications - ---- - include/mbedtls/timing.h | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/include/mbedtls/timing.h b/include/mbedtls/timing.h -index ae7a713..579de33 100644 ---- a/include/mbedtls/timing.h -+++ b/include/mbedtls/timing.h -@@ -1,7 +1,7 @@ - /** - * \file timing.h - * -- * \brief Portable interface to the CPU cycle counter -+ * \brief Portable interface to timeouts and to the CPU cycle counter - * - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved - * SPDX-License-Identifier: Apache-2.0 -@@ -65,6 +65,9 @@ extern volatile int mbedtls_timing_alarmed; - * \warning This is only a best effort! Do not rely on this! - * In particular, it is known to be unreliable on virtual - * machines. 
-+ * -+ * \note This value starts at an unspecified origin and -+ * may wrap around. - */ - unsigned long mbedtls_timing_hardclock( void ); - -@@ -73,6 +76,8 @@ unsigned long mbedtls_timing_hardclock( void ); - * - * \param val points to a timer structure - * \param reset if set to 1, the timer is restarted -+ * -+ * \return Elapsed time in ms (before the reset, if there is a reset) - */ - unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset ); - -@@ -80,6 +85,7 @@ unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int - * \brief Setup an alarm clock - * - * \param seconds delay before the "mbedtls_timing_alarmed" flag is set -+ * (must be >=0) - * - * \warning Only one alarm at a time is supported. In a threaded - * context, this means one for the whole process, not one per -@@ -91,11 +97,15 @@ void mbedtls_set_alarm( int seconds ); - * \brief Set a pair of delays to watch - * (See \c mbedtls_timing_get_delay().) - * -- * \param data Pointer to timing data -+ * \param data Pointer to timing data. - * Must point to a valid \c mbedtls_timing_delay_context struct. - * \param int_ms First (intermediate) delay in milliseconds. -+ * The effect if int_ms > fin_ms is unspecified. - * \param fin_ms Second (final) delay in milliseconds. - * Pass 0 to cancel the current delay. -+ * -+ * \note To set a single delay, either use \c mbedtls_timing_set_timer -+ * directly or use this function with int_ms == fin_ms. - */ - void mbedtls_timing_set_delay( void *data, uint32_t int_ms, uint32_t fin_ms ); - -@@ -106,7 +116,7 @@ void mbedtls_timing_set_delay( void *data, uint32_t int_ms, uint32_t fin_ms ); - * \param data Pointer to timing data - * Must point to a valid \c mbedtls_timing_delay_context struct. - * -- * \return -1 if cancelled (fin_ms = 0) -+ * \return -1 if cancelled (fin_ms = 0), - * 0 if none of the delays are passed, - * 1 if only the intermediate delay is passed, - * 2 if the final delay is passed. 
--- -2.7.4 - - -From d92f0aa3bec86b7b74cd4c7372b9a4b5323b0cfc Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Mon, 16 Oct 2017 19:33:06 +0200 -Subject: [PATCH 03/13] mbedtls_timing_get_timer: don't use uninitialized - memory - -mbedtls_timing_get_timer with reset=1 is called both to initialize a -timer object and to reset an already-initialized object. In an -initial call, the content of the data structure is indeterminate, so -the code should not read from it. This could crash if signed overflows -trap, for example. - -As a consequence, on reset, we can't return the previously elapsed -time as was previously done on Windows. Return 0 as was done on Unix. ---- - include/mbedtls/timing.h | 13 +++++++++++-- - library/timing.c | 45 +++++++++++++++++++++++---------------------- - 3 files changed, 35 insertions(+), 24 deletions(-) - -diff --git a/include/mbedtls/timing.h b/include/mbedtls/timing.h -index 579de33..bfb8579 100644 ---- a/include/mbedtls/timing.h -+++ b/include/mbedtls/timing.h -@@ -75,9 +75,18 @@ unsigned long mbedtls_timing_hardclock( void ); - * \brief Return the elapsed time in milliseconds - * - * \param val points to a timer structure -- * \param reset if set to 1, the timer is restarted -+ * \param reset If 0, query the elapsed time. Otherwise (re)start the timer. - * -- * \return Elapsed time in ms (before the reset, if there is a reset) -+ * \return Elapsed time since the previous reset in ms. When -+ * restarting, this is always 0. -+ * -+ * \note To initialize a timer, call this function with reset=1. -+ * -+ * Determining the elapsed time and resetting the timer is not -+ * atomic on all platforms, so after the sequence -+ * `{ get_timer(1); ...; time1 = get_timer(1); ...; time2 = -+ * get_timer(0) }` the value time1+time2 is only approximately -+ * the delay since the first reset. 
- */ - unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset ); - -diff --git a/library/timing.c b/library/timing.c -index 4576f31..a6067d0 100644 ---- a/library/timing.c -+++ b/library/timing.c -@@ -244,21 +244,23 @@ volatile int mbedtls_timing_alarmed = 0; - - unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset ) - { -- unsigned long delta; -- LARGE_INTEGER offset, hfreq; - struct _hr_time *t = (struct _hr_time *) val; - -- QueryPerformanceCounter( &offset ); -- QueryPerformanceFrequency( &hfreq ); -- -- delta = (unsigned long)( ( 1000 * -- ( offset.QuadPart - t->start.QuadPart ) ) / -- hfreq.QuadPart ); -- - if( reset ) -+ { - QueryPerformanceCounter( &t->start ); -- -- return( delta ); -+ return( 0 ); -+ } -+ else -+ { -+ unsigned long delta; -+ LARGE_INTEGER now, hfreq; -+ QueryPerformanceCounter( &now ); -+ QueryPerformanceFrequency( &hfreq ); -+ delta = (unsigned long)( ( now.QuadPart - t->start.QuadPart ) * 1000ul -+ / hfreq.QuadPart ); -+ return( delta ); -+ } - } - - /* It's OK to use a global because alarm() is supposed to be global anyway */ -@@ -285,23 +287,22 @@ void mbedtls_set_alarm( int seconds ) - - unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset ) - { -- unsigned long delta; -- struct timeval offset; - struct _hr_time *t = (struct _hr_time *) val; - -- gettimeofday( &offset, NULL ); -- - if( reset ) - { -- t->start.tv_sec = offset.tv_sec; -- t->start.tv_usec = offset.tv_usec; -+ gettimeofday( &t->start, NULL ); - return( 0 ); - } -- -- delta = ( offset.tv_sec - t->start.tv_sec ) * 1000 -- + ( offset.tv_usec - t->start.tv_usec ) / 1000; -- -- return( delta ); -+ else -+ { -+ unsigned long delta; -+ struct timeval now; -+ gettimeofday( &now, NULL ); -+ delta = ( now.tv_sec - t->start.tv_sec ) * 1000ul -+ + ( now.tv_usec - t->start.tv_usec ) / 1000; -+ return( delta ); -+ } - } - - static void sighandler( int signum ) --- -2.7.4 - - -From 
0827d5c07d35cb60bcb5b09a06187852c4edd3c9 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Tue, 10 Oct 2017 20:09:26 +0200 -Subject: [PATCH 04/13] Timing self test: print some diagnosis information - -Print some not-very-nice-looking but helpful diagnosis information if -the timing selftest fails. Since the failures tend to be due to heavy -system load that's hard to reproduce, this information is necessary to -understand what's going on. ---- - library/timing.c | 39 ++++++++++++++++++++------------------- - 1 file changed, 20 insertions(+), 19 deletions(-) - -diff --git a/library/timing.c b/library/timing.c -index a6067d0..744e1e7 100644 ---- a/library/timing.c -+++ b/library/timing.c -@@ -385,13 +385,21 @@ static void busy_msleep( unsigned long msec ) - (void) j; - } - --#define FAIL do \ --{ \ -- if( verbose != 0 ) \ -- mbedtls_printf( "failed\n" ); \ -- \ -- return( 1 ); \ --} while( 0 ) -+#define FAIL do \ -+ { \ -+ if( verbose != 0 ) \ -+ { \ -+ mbedtls_printf( "failed at line %d\n", __LINE__ ); \ -+ mbedtls_printf( " cycles=%lu ratio=%lu millisecs=%lu secs=%lu hardfail=%d a=%lu b=%lu\n", \ -+ cycles, ratio, millisecs, secs, hardfail, \ -+ (unsigned long) a, (unsigned long) b ); \ -+ mbedtls_printf( " elapsed(hires)=%lu elapsed(ctx)=%lu status(ctx)=%d\n", \ -+ mbedtls_timing_get_timer( &hires, 0 ), \ -+ mbedtls_timing_get_timer( &ctx.timer, 0 ), \ -+ mbedtls_timing_get_delay( &ctx ) ); \ -+ } \ -+ return( 1 ); \ -+ } while( 0 ) - - /* - * Checkup routine -@@ -401,17 +409,16 @@ static void busy_msleep( unsigned long msec ) - */ - int mbedtls_timing_self_test( int verbose ) - { -- unsigned long cycles, ratio; -- unsigned long millisecs, secs; -- int hardfail; -+ unsigned long cycles = 0, ratio = 0; -+ unsigned long millisecs = 0, secs = 0; -+ int hardfail = 0; - struct mbedtls_timing_hr_time hires; -- uint32_t a, b; -+ uint32_t a = 0, b = 0; - mbedtls_timing_delay_context ctx; - - if( verbose != 0 ) - mbedtls_printf( " TIMING tests note: will take some 
time!\n" ); - -- - if( verbose != 0 ) - mbedtls_printf( " TIMING test #1 (set_alarm / get_timer): " ); - -@@ -428,12 +435,7 @@ int mbedtls_timing_self_test( int verbose ) - /* For some reason on Windows it looks like alarm has an extra delay - * (maybe related to creating a new thread). Allow some room here. */ - if( millisecs < 800 * secs || millisecs > 1200 * secs + 300 ) -- { -- if( verbose != 0 ) -- mbedtls_printf( "failed\n" ); -- -- return( 1 ); -- } -+ FAIL; - } - - if( verbose != 0 ) -@@ -482,7 +484,6 @@ int mbedtls_timing_self_test( int verbose ) - * On a 4Ghz 32-bit machine the cycle counter wraps about once per second; - * since the whole test is about 10ms, it shouldn't happen twice in a row. - */ -- hardfail = 0; - - hard_test: - if( hardfail > 1 ) --- -2.7.4 - - -From 319ac801a84b899890e797c65b475f01fe560254 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Fri, 15 Dec 2017 14:57:18 +0100 -Subject: [PATCH 05/13] selftest: refactor to separate the list of tests from - the logic - -No behavior change. ---- - programs/test/selftest.c | 318 ++++++++++++++++------------------------------- - 1 file changed, 105 insertions(+), 213 deletions(-) - -diff --git a/programs/test/selftest.c b/programs/test/selftest.c -index 1941ad0..16ff310 100644 ---- a/programs/test/selftest.c -+++ b/programs/test/selftest.c -@@ -107,8 +107,8 @@ static int run_test_snprintf( void ) - * self-test. If this fails, we attempt the test anyway, so no error is passed - * back. 
- */ --#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_ENTROPY_C) && \ -- defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY) -+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_ENTROPY_C) -+#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY) - static void create_entropy_seed_file( void ) - { - int result; -@@ -136,290 +136,182 @@ static void create_entropy_seed_file( void ) - } - #endif - --int main( int argc, char *argv[] ) -+int mbedtls_entropy_self_test_wrapper( int verbose ) - { -- int v, suites_tested = 0, suites_failed = 0; --#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_SELF_TEST) -- unsigned char buf[1000000]; -+#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY) -+ create_entropy_seed_file( ); -+#endif -+ return( mbedtls_entropy_self_test( verbose ) ); -+} - #endif -- void *pointer; -- -- /* -- * The C standard doesn't guarantee that all-bits-0 is the representation -- * of a NULL pointer. We do however use that in our code for initializing -- * structures, which should work on every modern platform. Let's be sure. 
-- */ -- memset( &pointer, 0, sizeof( void * ) ); -- if( pointer != NULL ) -- { -- mbedtls_printf( "all-bits-zero is not a NULL pointer\n" ); -- mbedtls_exit( MBEDTLS_EXIT_FAILURE ); -- } -- -- /* -- * Make sure we have a snprintf that correctly zero-terminates -- */ -- if( run_test_snprintf() != 0 ) -- { -- mbedtls_printf( "the snprintf implementation is broken\n" ); -- mbedtls_exit( MBEDTLS_EXIT_FAILURE ); -- } -- -- if( argc == 2 && ( strcmp( argv[1], "--quiet" ) == 0 || -- strcmp( argv[1], "-q" ) == 0 ) ) -- { -- v = 0; -- } -- else -- { -- v = 1; -- mbedtls_printf( "\n" ); -- } - - #if defined(MBEDTLS_SELF_TEST) -- - #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) -- mbedtls_memory_buffer_alloc_init( buf, sizeof(buf) ); --#endif -- --#if defined(MBEDTLS_MD2_C) -- if( mbedtls_md2_self_test( v ) != 0 ) -+int mbedtls_memory_buffer_alloc_free_and_self_test( int verbose ) -+{ -+ if( verbose != 0 ) - { -- suites_failed++; -+#if defined(MBEDTLS_MEMORY_DEBUG) -+ mbedtls_memory_buffer_alloc_status( ); -+#endif - } -- suites_tested++; -+ mbedtls_memory_buffer_alloc_free( ); -+ return( mbedtls_memory_buffer_alloc_self_test( verbose ) ); -+} - #endif - -+typedef struct -+{ -+ const char *name; -+ int ( *function )( int ); -+} selftest_t; -+ -+const selftest_t selftests[] = -+{ -+#if defined(MBEDTLS_MD2_C) -+ {"md2", mbedtls_md2_self_test}, -+#endif - #if defined(MBEDTLS_MD4_C) -- if( mbedtls_md4_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"md4", mbedtls_md4_self_test}, - #endif -- - #if defined(MBEDTLS_MD5_C) -- if( mbedtls_md5_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"md5", mbedtls_md5_self_test}, - #endif -- - #if defined(MBEDTLS_RIPEMD160_C) -- if( mbedtls_ripemd160_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"ripemd160", mbedtls_ripemd160_self_test}, - #endif -- - #if defined(MBEDTLS_SHA1_C) -- if( mbedtls_sha1_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- 
suites_tested++; -+ {"sha1", mbedtls_sha1_self_test}, - #endif -- - #if defined(MBEDTLS_SHA256_C) -- if( mbedtls_sha256_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"sha256", mbedtls_sha256_self_test}, - #endif -- - #if defined(MBEDTLS_SHA512_C) -- if( mbedtls_sha512_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"sha512", mbedtls_sha512_self_test}, - #endif -- - #if defined(MBEDTLS_ARC4_C) -- if( mbedtls_arc4_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"arc4", mbedtls_arc4_self_test}, - #endif -- - #if defined(MBEDTLS_DES_C) -- if( mbedtls_des_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"des", mbedtls_des_self_test}, - #endif -- - #if defined(MBEDTLS_AES_C) -- if( mbedtls_aes_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"aes", mbedtls_aes_self_test}, - #endif -- - #if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_AES_C) -- if( mbedtls_gcm_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"gcm", mbedtls_gcm_self_test}, - #endif -- - #if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C) -- if( mbedtls_ccm_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"ccm", mbedtls_ccm_self_test}, - #endif -- - #if defined(MBEDTLS_CMAC_C) -- if( ( mbedtls_cmac_self_test( v ) ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"cmac", mbedtls_cmac_self_test}, - #endif -- - #if defined(MBEDTLS_BASE64_C) -- if( mbedtls_base64_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"base64", mbedtls_base64_self_test}, - #endif -- - #if defined(MBEDTLS_BIGNUM_C) -- if( mbedtls_mpi_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"mpi", mbedtls_mpi_self_test}, - #endif -- - #if defined(MBEDTLS_RSA_C) -- if( mbedtls_rsa_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"rsa", mbedtls_rsa_self_test}, - 
#endif -- - #if defined(MBEDTLS_X509_USE_C) -- if( mbedtls_x509_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"x509", mbedtls_x509_self_test}, - #endif -- - #if defined(MBEDTLS_XTEA_C) -- if( mbedtls_xtea_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"xtea", mbedtls_xtea_self_test}, - #endif -- - #if defined(MBEDTLS_CAMELLIA_C) -- if( mbedtls_camellia_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"camellia", mbedtls_camellia_self_test}, - #endif -- - #if defined(MBEDTLS_CTR_DRBG_C) -- if( mbedtls_ctr_drbg_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"ctr_drbg", mbedtls_ctr_drbg_self_test}, - #endif -- - #if defined(MBEDTLS_HMAC_DRBG_C) -- if( mbedtls_hmac_drbg_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"hmac_drbg", mbedtls_hmac_drbg_self_test}, - #endif -- - #if defined(MBEDTLS_ECP_C) -- if( mbedtls_ecp_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"ecp", mbedtls_ecp_self_test}, - #endif -- - #if defined(MBEDTLS_ECJPAKE_C) -- if( mbedtls_ecjpake_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"ecjpake", mbedtls_ecjpake_self_test}, - #endif -- - #if defined(MBEDTLS_DHM_C) -- if( mbedtls_dhm_self_test( v ) != 0 ) -- { -- suites_failed++; -- } -- suites_tested++; -+ {"dhm", mbedtls_dhm_self_test}, - #endif -- - #if defined(MBEDTLS_ENTROPY_C) -+ {"entropy", mbedtls_entropy_self_test_wrapper}, -+#endif -+#if defined(MBEDTLS_PKCS5_C) -+ {"pkcs5", mbedtls_pkcs5_self_test}, -+#endif -+/* Slower test after the faster ones */ -+#if defined(MBEDTLS_TIMING_C) -+ {"timing", mbedtls_timing_self_test}, -+#endif -+/* Heap test comes last */ -+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) -+ {"memory_buffer_alloc", mbedtls_memory_buffer_alloc_free_and_self_test}, -+#endif -+ {NULL, NULL} -+}; - --#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY) -- 
create_entropy_seed_file(); -+int main( int argc, char *argv[] ) -+{ -+ const selftest_t *test; -+ int v, suites_tested = 0, suites_failed = 0; -+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_SELF_TEST) -+ unsigned char buf[1000000]; - #endif -+ void *pointer; - -- if( mbedtls_entropy_self_test( v ) != 0 ) -+ /* -+ * The C standard doesn't guarantee that all-bits-0 is the representation -+ * of a NULL pointer. We do however use that in our code for initializing -+ * structures, which should work on every modern platform. Let's be sure. -+ */ -+ memset( &pointer, 0, sizeof( void * ) ); -+ if( pointer != NULL ) - { -- suites_failed++; -+ mbedtls_printf( "all-bits-zero is not a NULL pointer\n" ); -+ mbedtls_exit( MBEDTLS_EXIT_FAILURE ); - } -- suites_tested++; --#endif - --#if defined(MBEDTLS_PKCS5_C) -- if( mbedtls_pkcs5_self_test( v ) != 0 ) -+ /* -+ * Make sure we have a snprintf that correctly zero-terminates -+ */ -+ if( run_test_snprintf() != 0 ) - { -- suites_failed++; -+ mbedtls_printf( "the snprintf implementation is broken\n" ); -+ mbedtls_exit( MBEDTLS_EXIT_FAILURE ); - } -- suites_tested++; --#endif -- --/* Slow tests last */ - --#if defined(MBEDTLS_TIMING_C) -- if( mbedtls_timing_self_test( v ) != 0 ) -+ if( argc == 2 && ( strcmp( argv[1], "--quiet" ) == 0 || -+ strcmp( argv[1], "-q" ) == 0 ) ) - { -- suites_failed++; -+ v = 0; - } -- suites_tested++; --#endif -- -- if( v != 0 ) -+ else - { --#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_MEMORY_DEBUG) -- mbedtls_memory_buffer_alloc_status(); --#endif -+ v = 1; -+ mbedtls_printf( "\n" ); - } - -+#if defined(MBEDTLS_SELF_TEST) -+ - #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) -- mbedtls_memory_buffer_alloc_free(); -- if( mbedtls_memory_buffer_alloc_self_test( v ) != 0 ) -+ mbedtls_memory_buffer_alloc_init( buf, sizeof(buf) ); -+#endif -+ -+ for( test = selftests; test->name != NULL; test++ ) - { -- suites_failed++; -+ if( test->function( v ) != 0 ) -+ { -+ suites_failed++; -+ } 
-+ suites_tested++; - } -- suites_tested++; --#endif - - #else - mbedtls_printf( " MBEDTLS_SELF_TEST not defined.\n" ); --- -2.7.4 - - -From c82fbb4e14faf3ee3006e978d21fb231767a37dc Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Fri, 15 Dec 2017 15:01:27 +0100 -Subject: [PATCH 06/13] selftest: allow running a subset of the tests - -If given command line arguments, interpret them as test names and only -run those tests. ---- - programs/test/selftest.c | 43 ++++++++++++++++++++++++++++++++++++++----- - 2 files changed, 40 insertions(+), 5 deletions(-) - -diff --git a/programs/test/selftest.c b/programs/test/selftest.c -index 16ff310..fc3b0eb 100644 ---- a/programs/test/selftest.c -+++ b/programs/test/selftest.c -@@ -256,10 +256,14 @@ const selftest_t selftests[] = - #endif - {NULL, NULL} - }; -+#endif /* MBEDTLS_SELF_TEST */ - - int main( int argc, char *argv[] ) - { -+#if defined(MBEDTLS_SELF_TEST) - const selftest_t *test; -+#endif /* MBEDTLS_SELF_TEST */ -+ char **argp = argc >= 1 ? 
argv + 1 : argv; - int v, suites_tested = 0, suites_failed = 0; - #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_SELF_TEST) - unsigned char buf[1000000]; -@@ -287,10 +291,11 @@ int main( int argc, char *argv[] ) - mbedtls_exit( MBEDTLS_EXIT_FAILURE ); - } - -- if( argc == 2 && ( strcmp( argv[1], "--quiet" ) == 0 || -+ if( argc >= 2 && ( strcmp( argv[1], "--quiet" ) == 0 || - strcmp( argv[1], "-q" ) == 0 ) ) - { - v = 0; -+ ++argp; - } - else - { -@@ -304,13 +309,41 @@ int main( int argc, char *argv[] ) - mbedtls_memory_buffer_alloc_init( buf, sizeof(buf) ); - #endif - -- for( test = selftests; test->name != NULL; test++ ) -+ if( *argp != NULL ) -+ { -+ /* Run the specified tests */ -+ for( ; *argp != NULL; argp++ ) -+ { -+ for( test = selftests; test->name != NULL; test++ ) -+ { -+ if( !strcmp( *argp, test->name ) ) -+ { -+ if( test->function( v ) != 0 ) -+ { -+ suites_failed++; -+ } -+ suites_tested++; -+ break; -+ } -+ } -+ if( test->name == NULL ) -+ { -+ mbedtls_printf( " Test suite %s not available -> failed\n\n", *argp ); -+ suites_failed++; -+ } -+ } -+ } -+ else - { -- if( test->function( v ) != 0 ) -+ /* Run all the tests */ -+ for( test = selftests; test->name != NULL; test++ ) - { -- suites_failed++; -+ if( test->function( v ) != 0 ) -+ { -+ suites_failed++; -+ } -+ suites_tested++; - } -- suites_tested++; - } - - #else --- -2.7.4 - - -From ff79d27f5ceb30ea7438f1c172b9a9f80692a18b Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Wed, 20 Dec 2017 18:09:27 +0100 -Subject: [PATCH 07/13] selftest: allow excluding a subset of the tests - -E.g. "selftest -x timing" runs all the self-tests except timing. 
---- - programs/test/selftest.c | 49 ++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 37 insertions(+), 12 deletions(-) - -diff --git a/programs/test/selftest.c b/programs/test/selftest.c -index fc3b0eb..72a3734 100644 ---- a/programs/test/selftest.c -+++ b/programs/test/selftest.c -@@ -263,8 +263,10 @@ int main( int argc, char *argv[] ) - #if defined(MBEDTLS_SELF_TEST) - const selftest_t *test; - #endif /* MBEDTLS_SELF_TEST */ -- char **argp = argc >= 1 ? argv + 1 : argv; -- int v, suites_tested = 0, suites_failed = 0; -+ char **argp; -+ int v = 1; /* v=1 for verbose mode */ -+ int exclude_mode = 0; -+ int suites_tested = 0, suites_failed = 0; - #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_SELF_TEST) - unsigned char buf[1000000]; - #endif -@@ -291,17 +293,24 @@ int main( int argc, char *argv[] ) - mbedtls_exit( MBEDTLS_EXIT_FAILURE ); - } - -- if( argc >= 2 && ( strcmp( argv[1], "--quiet" ) == 0 || -- strcmp( argv[1], "-q" ) == 0 ) ) -+ for( argp = argv + ( argc >= 1 ? 
1 : argc ); *argp != NULL; ++argp ) - { -- v = 0; -- ++argp; -+ if( strcmp( *argp, "--quiet" ) == 0 || -+ strcmp( *argp, "-q" ) == 0 ) -+ { -+ v = 0; -+ } -+ else if( strcmp( *argp, "--exclude" ) == 0 || -+ strcmp( *argp, "-x" ) == 0 ) -+ { -+ exclude_mode = 1; -+ } -+ else -+ break; - } -- else -- { -- v = 1; -+ -+ if( v != 0 ) - mbedtls_printf( "\n" ); -- } - - #if defined(MBEDTLS_SELF_TEST) - -@@ -309,7 +318,7 @@ int main( int argc, char *argv[] ) - mbedtls_memory_buffer_alloc_init( buf, sizeof(buf) ); - #endif - -- if( *argp != NULL ) -+ if( *argp != NULL && exclude_mode == 0 ) - { - /* Run the specified tests */ - for( ; *argp != NULL; argp++ ) -@@ -335,9 +344,24 @@ int main( int argc, char *argv[] ) - } - else - { -- /* Run all the tests */ -+ /* Run all the tests except excluded ones */ - for( test = selftests; test->name != NULL; test++ ) - { -+ if( exclude_mode ) -+ { -+ char **excluded; -+ for( excluded = argp; *excluded != NULL; ++excluded ) -+ { -+ if( !strcmp( *excluded, test->name ) ) -+ break; -+ } -+ if( *excluded ) -+ { -+ if( v ) -+ mbedtls_printf( " Skip: %s\n", test->name ); -+ continue; -+ } -+ } - if( test->function( v ) != 0 ) - { - suites_failed++; -@@ -347,6 +371,7 @@ int main( int argc, char *argv[] ) - } - - #else -+ (void) exclude_mode; - mbedtls_printf( " MBEDTLS_SELF_TEST not defined.\n" ); - #endif - --- -2.7.4 - - -From 8064bf3adf0298873ed4f6bc0dd89ee6efae3959 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Tue, 10 Oct 2017 19:56:06 +0200 -Subject: [PATCH 08/13] New timing unit tests - -New set of unit tests for the timing module, instead of just running -the selftest function. - -The selftest function sometimes fails on a heavily loaded -machine (such as a typical continuous integration system). Because of -the all-in-one nature of the test and because the exact load pattern -can be hard to reproduce, it is difficult to diagnose failures of CI -runs with selftest. 
The new tests are more separated and I strove to -point out potential failure modes in comments. - -* mbedtls_timing_hardclock: not tested. This function gives so few - guarantees that there isn't much to test, and it is hard to test - reliably because clock cycles don't easily relate to time in any - remotely portable way. This function isn't used in the library - anyway, it's only there for benchmark programs. -* mbedtls_timing_get_timer: tested by setting a timer and verifying - that it reaches its target, and by verifying that a timer started - later than another always has a smaller elapsed time. -* mbedtls_set_alarm: tested by setting an alarm, busy-waiting for it - and measuring the elapsed time with a timer. -* mbedtls_timing_set_delay, mbedtls_timing_get_delay: tested by - setting a delay object and watching it go through its two delay - values, using a timer to check that the delays are passed at the - expected time. - -The tests pass under light to moderate load, but some of them can be -defeated with sufficiently heavy load. This is unavoidable since the -test process to be effectively suspended for any length of time, -making us think that a timer has gone on for too long. 
---- - tests/suites/test_suite_timing.data | 40 ++++- - tests/suites/test_suite_timing.function | 309 +++++++++++++++++++++++++++++++- - 3 files changed, 345 insertions(+), 5 deletions(-) - -diff --git a/tests/suites/test_suite_timing.data b/tests/suites/test_suite_timing.data -index 3ba79a4..02677d1 100644 ---- a/tests/suites/test_suite_timing.data -+++ b/tests/suites/test_suite_timing.data -@@ -1,2 +1,38 @@ --Timing selftest --timing_selftest: -+Timing: basic timer operation -+timing_timer_simple: -+ -+Timing: timer reset -+timing_timer_reset: -+ -+Timing: two parallel timers, delay 0 -+timing_two_timers:0: -+ -+Timing: two parallel timers, delay 100 -+timing_two_timers:100: -+ -+Timing: two parallel timers, delay 1000 -+timing_two_timers:1000: -+ -+Timing: two parallel timers, delay 10000 -+timing_two_timers:10000: -+ -+Timing: delay 0ms, 0ms -+timing_delay:0:0: -+ -+Timing: delay 0ms, 50ms -+timing_delay:0:50: -+ -+Timing: delay 50ms, 50ms -+timing_delay:50:50: -+ -+Timing: delay 50ms, 100ms -+timing_delay:50:100: -+ -+Timing: delay 50ms, 200ms -+timing_delay:50:200: -+ -+Timing: alarm in 0 second -+timing_alarm:0: -+ -+Timing: alarm in 1 second -+timing_alarm:1: -diff --git a/tests/suites/test_suite_timing.function b/tests/suites/test_suite_timing.function -index 5882f85..53e0ac3 100644 ---- a/tests/suites/test_suite_timing.function -+++ b/tests/suites/test_suite_timing.function -@@ -1,5 +1,43 @@ - /* BEGIN_HEADER */ -+ -+/* This test module exercises the timing module. One of the expected failure -+ modes is for timers to never expire, which could lead to an infinite loop. -+ The function timing_timer_simple is protected against this failure mode and -+ checks that timers do expire. Other functions will terminate if their -+ timers do expire. Therefore it is recommended to run timing_timer_simple -+ first and run other test functions only if that timing_timer_simple -+ succeeded. 
*/ -+ -+#include -+ - #include "mbedtls/timing.h" -+ -+/* Wait this many milliseconds for a short timing test. This duration -+ should be large enough that, in practice, if you read the timer -+ value twice in a row, it won't have jumped by that much. */ -+#define TIMING_SHORT_TEST_MS 100 -+ -+/* A loop that waits TIMING_SHORT_TEST_MS must not take more than this many -+ iterations. This value needs to be large enough to accommodate fast -+ platforms (e.g. at 4GHz and 10 cycles/iteration a CPU can run through 20 -+ million iterations in 50ms). The only motivation to keep this value low is -+ to avoid having an infinite loop if the timer functions are not implemented -+ correctly. Ideally this value should be based on the processor speed but we -+ don't have this information! */ -+#define TIMING_SHORT_TEST_ITERATIONS_MAX 1e8 -+ -+/* alarm(0) must fire in no longer than this amount of time. */ -+#define TIMING_ALARM_0_DELAY_MS TIMING_SHORT_TEST_MS -+ -+static int expected_delay_status( uint32_t int_ms, uint32_t fin_ms, -+ unsigned long actual_ms ) -+{ -+ return( fin_ms == 0 ? -1 : -+ actual_ms >= fin_ms ? 2 : -+ actual_ms >= int_ms ? 1 : -+ 0 ); -+} -+ - /* END_HEADER */ - - /* BEGIN_DEPENDENCIES -@@ -7,9 +45,274 @@ - * END_DEPENDENCIES - */ - --/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ --void timing_selftest() -+/* BEGIN_CASE */ -+void timing_timer_simple( ) - { -- TEST_ASSERT( mbedtls_timing_self_test( 1 ) == 0 ); -+ struct mbedtls_timing_hr_time timer; -+ unsigned long millis = 0; -+ unsigned long new_millis = 0; -+ unsigned long iterations = 0; -+ /* Start the timer. */ -+ (void) mbedtls_timing_get_timer( &timer, 1 ); -+ /* Busy-wait loop for a few milliseconds. 
*/ -+ do -+ { -+ new_millis = mbedtls_timing_get_timer( &timer, 0 ); -+ ++iterations; -+ /* Check that the timer didn't go backwards */ -+ TEST_ASSERT( new_millis >= millis ); -+ millis = new_millis; -+ } -+ while( millis < TIMING_SHORT_TEST_MS && -+ iterations <= TIMING_SHORT_TEST_ITERATIONS_MAX ); -+ /* The wait duration should have been large enough for at least a -+ few runs through the loop, even on the slowest realistic platform. */ -+ TEST_ASSERT( iterations >= 2 ); -+ /* The wait duration shouldn't have overflowed the iteration count. */ -+ TEST_ASSERT( iterations < TIMING_SHORT_TEST_ITERATIONS_MAX ); -+ return; -+ -+exit: -+ /* No cleanup needed, but show some diagnostic iterations, because timing -+ problems can be hard to reproduce. */ -+ mbedtls_fprintf( stdout, " Finished with millis=%lu new_millis=%lu get(timer)<=%lu iterations=%lu\n", -+ millis, new_millis, mbedtls_timing_get_timer( &timer, 0 ), -+ iterations ); - } - /* END_CASE */ -+ -+/* BEGIN_CASE */ -+void timing_timer_reset( ) -+{ -+ struct mbedtls_timing_hr_time timer; -+ unsigned long millis = 0; -+ unsigned long iterations = 0; -+ /* Start the timer. Timers are always reset to 0. */ -+ TEST_ASSERT( mbedtls_timing_get_timer( &timer, 1 ) == 0 ); -+ /* Busy-wait loop for a few milliseconds */ -+ do -+ { -+ ++iterations; -+ millis = mbedtls_timing_get_timer( &timer, 0 ); -+ } -+ while( millis < TIMING_SHORT_TEST_MS ); -+ -+ /* Reset the timer and check that it has restarted. */ -+ TEST_ASSERT( mbedtls_timing_get_timer( &timer, 1 ) == 0 ); -+ /* Read the timer immediately after reset. It should be 0 or close -+ to it. */ -+ TEST_ASSERT( mbedtls_timing_get_timer( &timer, 0 ) < TIMING_SHORT_TEST_MS ); -+ return; -+ -+exit: -+ /* No cleanup needed, but show some diagnostic information, because timing -+ problems can be hard to reproduce. 
*/ -+ mbedtls_fprintf( stdout, " Finished with millis=%lu get(timer)<=%lu iterations=%lu\n", -+ millis, mbedtls_timing_get_timer( &timer, 0 ), -+ iterations ); -+} -+/* END_CASE */ -+ -+/* BEGIN_CASE */ -+void timing_two_timers( int delta ) -+{ -+ struct mbedtls_timing_hr_time timer1, timer2; -+ unsigned long millis1, millis2; -+ -+ /* Start the first timer and wait for a short time. */ -+ (void) mbedtls_timing_get_timer( &timer1, 1 ); -+ do -+ { -+ millis1 = mbedtls_timing_get_timer( &timer1, 0 ); -+ } -+ while( millis1 < TIMING_SHORT_TEST_MS ); -+ -+ /* Do a short busy-wait, so that the difference between timer1 and timer2 -+ doesn't practically always end up being very close to a whole number of -+ milliseconds. */ -+ while( delta > 0 ) -+ --delta; -+ -+ /* Start the second timer and compare it with the first. */ -+ mbedtls_timing_get_timer( &timer2, 1 ); -+ do -+ { -+ millis1 = mbedtls_timing_get_timer( &timer1, 0 ); -+ millis2 = mbedtls_timing_get_timer( &timer2, 0 ); -+ /* The first timer should always be ahead of the first. */ -+ TEST_ASSERT( millis1 > millis2 ); -+ /* The timers shouldn't drift apart, i.e. millis2-millis1 should stay -+ roughly constant, but this is hard to test reliably, especially in -+ a busy environment such as an overloaded continuous integration -+ system, so we don't test it it. */ -+ } -+ while( millis2 < TIMING_SHORT_TEST_MS ); -+ -+ return; -+ -+exit: -+ /* No cleanup needed, but show some diagnostic iterations, because timing -+ problems can be hard to reproduce. */ -+ mbedtls_fprintf( stdout, " Finished with millis1=%lu get(timer1)<=%lu millis2=%lu get(timer2)<=%lu\n", -+ millis1, mbedtls_timing_get_timer( &timer1, 0 ), -+ millis2, mbedtls_timing_get_timer( &timer2, 0 ) ); -+} -+/* END_CASE */ -+ -+/* BEGIN_CASE */ -+void timing_alarm( int seconds ) -+{ -+ struct mbedtls_timing_hr_time timer; -+ unsigned long millis = 0; -+ /* We check that about the desired number of seconds has elapsed. 
Be -+ slightly liberal with the lower bound, so as to allow platforms where -+ the alarm (with second resolution) and the timer (with millisecond -+ resolution) are based on different clocks. Be very liberal with the -+ upper bound, because the platform might be busy. */ -+ unsigned long millis_min = ( seconds > 0 ? -+ seconds * 900 : -+ 0 ); -+ unsigned long millis_max = ( seconds > 0 ? -+ seconds * 1100 + 400 : -+ TIMING_ALARM_0_DELAY_MS ); -+ unsigned long iterations = 0; -+ -+ /* Set an alarm and count how long it takes with a timer. */ -+ (void) mbedtls_timing_get_timer( &timer, 1 ); -+ mbedtls_set_alarm( seconds ); -+ -+ if( seconds > 0 ) -+ { -+ /* We set the alarm for at least 1 second. It should not have fired -+ immediately, even on a slow and busy platform. */ -+ TEST_ASSERT( !mbedtls_timing_alarmed ); -+ } -+ /* A 0-second alarm should fire quickly, but we don't guarantee that it -+ fires immediately, so mbedtls_timing_alarmed may or may not be set at -+ this point. */ -+ -+ /* Busy-wait until the alarm rings */ -+ do -+ { -+ ++iterations; -+ millis = mbedtls_timing_get_timer( &timer, 0 ); -+ } -+ while( !mbedtls_timing_alarmed && millis <= millis_max ); -+ -+ TEST_ASSERT( mbedtls_timing_alarmed ); -+ TEST_ASSERT( millis >= millis_min ); -+ TEST_ASSERT( millis <= millis_max ); -+ -+ mbedtls_timing_alarmed = 0; -+ return; -+ -+exit: -+ /* Show some diagnostic iterations, because timing -+ problems can be hard to reproduce. 
*/ -+ mbedtls_fprintf( stdout, " Finished with alarmed=%d millis=%lu get(timer)<=%lu iterations=%lu\n", -+ mbedtls_timing_alarmed, -+ millis, mbedtls_timing_get_timer( &timer, 0 ), -+ iterations ); -+ /* Cleanup */ -+ mbedtls_timing_alarmed = 0; -+} -+/* END_CASE */ -+ -+/* BEGIN_CASE */ -+void timing_delay( int int_ms, int fin_ms ) -+{ -+ /* This function assumes that if int_ms is nonzero then it is large -+ enough that we have time to read all timers at least once in an -+ interval of time lasting int_ms milliseconds, and likewise for (fin_ms -+ - int_ms). So don't call it with arguments that are too small. */ -+ -+ mbedtls_timing_delay_context delay; -+ struct mbedtls_timing_hr_time timer; -+ unsigned long delta; /* delay started between timer=0 and timer=delta */ -+ unsigned long before = 0, after = 0; -+ unsigned long iterations = 0; -+ int status = -2; -+ int saw_status_1 = 0; -+ int warn_inconclusive = 0; -+ -+ assert( int_ms >= 0 ); -+ assert( fin_ms >= 0 ); -+ -+ /* Start a reference timer. Program a delay, and verify that the status of -+ the delay is consistent with the time given by the reference timer. */ -+ (void) mbedtls_timing_get_timer( &timer, 1 ); -+ mbedtls_timing_set_delay( &delay, int_ms, fin_ms ); -+ /* Set delta to an upper bound for the interval between the start of timer -+ and the start of delay. Reading timer after starting delay gives us an -+ upper bound for the interval, rounded to a 1ms precision. Since this -+ might have been rounded down, but we need an upper bound, we add 1. */ -+ delta = mbedtls_timing_get_timer( &timer, 0 ) + 1; -+ -+ status = mbedtls_timing_get_delay( &delay ); -+ if( fin_ms == 0 ) -+ { -+ /* Cancelled timer. Just check the correct status for this case. */ -+ TEST_ASSERT( status == -1 ); -+ return; -+ } -+ -+ /* Initially, none of the delays must be passed yet if they're nonzero. -+ This could fail for very small values of int_ms and fin_ms, where "very -+ small" depends how fast and how busy the platform is. 
*/ -+ if( int_ms > 0 ) -+ { -+ TEST_ASSERT( status == 0 ); -+ } -+ else -+ { -+ TEST_ASSERT( status == 1 ); -+ } -+ -+ do -+ { -+ unsigned long delay_min, delay_max; -+ int status_min, status_max; -+ ++iterations; -+ before = mbedtls_timing_get_timer( &timer, 0 ); -+ status = mbedtls_timing_get_delay( &delay ); -+ after = mbedtls_timing_get_timer( &timer, 0 ); -+ /* At a time between before and after, the delay's status was status. -+ Check that this is consistent given that the delay was started -+ between times 0 and delta. */ -+ delay_min = ( before > delta ? before - delta : 0 ); -+ status_min = expected_delay_status( int_ms, fin_ms, delay_min ); -+ delay_max = after; -+ status_max = expected_delay_status( int_ms, fin_ms, delay_max ); -+ TEST_ASSERT( status >= status_min ); -+ TEST_ASSERT( status <= status_max ); -+ if( status == 1 ) -+ saw_status_1 = 1; -+ } -+ while ( before <= fin_ms + delta && status != 2 ); -+ -+ /* Since we've waited at least fin_ms, the delay must have fully -+ expired. */ -+ TEST_ASSERT( status == 2 ); -+ -+ /* If the second delay is more than the first, then there must have been a -+ point in time when the first delay was passed but not the second delay. -+ This could fail for very small values of (fin_ms - int_ms), where "very -+ small" depends how fast and how busy the platform is. In practice, this -+ is the test that's most likely to fail on a heavily loaded machine. */ -+ if( fin_ms > int_ms ) -+ { -+ warn_inconclusive = 1; -+ TEST_ASSERT( saw_status_1 ); -+ } -+ -+ return; -+ -+exit: -+ /* No cleanup needed, but show some diagnostic iterations, because timing -+ problems can be hard to reproduce. 
*/ -+ mbedtls_fprintf( stdout, " Finished with delta=%lu before=%lu after=%lu status=%d iterations=%lu\n", -+ delta, before, after, status, iterations ); -+ if( warn_inconclusive ) -+ mbedtls_fprintf( stdout, " Inconclusive test, try running it on a less heavily loaded machine.\n" ); -+ } -+/* END_CASE */ --- -2.7.4 - - -From 078f1a1512fec6e73f5aa318e68b41165f7d9f07 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Wed, 11 Oct 2017 16:13:13 +0200 -Subject: [PATCH 09/13] Unit test for mbedtls_timing_hardclock - -Do test mbedtls_timing_hardclock. We can't reliably test much about -it, but at least test that it doesn't crash, isn't constant, and -doesn't look completely random. ---- - tests/suites/test_suite_timing.data | 3 +++ - tests/suites/test_suite_timing.function | 42 +++++++++++++++++++++++++++++++++ - 2 files changed, 45 insertions(+) - -diff --git a/tests/suites/test_suite_timing.data b/tests/suites/test_suite_timing.data -index 02677d1..4dddcf7 100644 ---- a/tests/suites/test_suite_timing.data -+++ b/tests/suites/test_suite_timing.data -@@ -36,3 +36,6 @@ timing_alarm:0: - - Timing: alarm in 1 second - timing_alarm:1: -+ -+Timing: hardclock -+timing_hardclock: -diff --git a/tests/suites/test_suite_timing.function b/tests/suites/test_suite_timing.function -index 53e0ac3..71fe7ed 100644 ---- a/tests/suites/test_suite_timing.function -+++ b/tests/suites/test_suite_timing.function -@@ -316,3 +316,45 @@ exit: - mbedtls_fprintf( stdout, " Inconclusive test, try running it on a less heavily loaded machine.\n" ); - } - /* END_CASE */ -+ -+/* BEGIN_CASE */ -+void timing_hardclock( ) -+{ -+ /* We make very few guarantees about mbedtls_timing_hardclock: its rate is -+ platform-dependent, it can wrap around. So there isn't much we can -+ test. But we do at least test that it doesn't crash, stall or return -+ completely nonsensical values. 
*/ -+ -+ struct mbedtls_timing_hr_time timer; -+ unsigned long hardclock0, hardclock1, delta1; -+ -+ hardclock0 = mbedtls_timing_hardclock( ); -+ /* Wait 2ms to ensure a nonzero delay. Since the timer interface has 1ms -+ resolution and unspecified precision, waiting 1ms might be a very small -+ delay that's rounded up. */ -+ (void) mbedtls_timing_get_timer( &timer, 1 ); -+ while( mbedtls_timing_get_timer( &timer, 0 ) < 2 ) -+ /*busy-wait loop*/; -+ hardclock1 = mbedtls_timing_hardclock( ); -+ -+ /* Although the hardclock counter can wrap around, the difference -+ (hardclock1 - hardclock0) is taken modulo the type size, so it is -+ correct as long as the counter only wrapped around at most once. We -+ further require the difference to be nonzero (after a wait of more than -+ 1ms, the counter must have changed), and not to be overly large (after -+ a wait of less than 3ms, plus time lost because other processes were -+ scheduled on the CPU). If the hardclock counter runs at 4GHz, then -+ 1000000000 (which is 1/4 of the counter wraparound on a 32-bit machine) -+ allows 250ms. */ -+ delta1 = hardclock1 - hardclock0; -+ TEST_ASSERT( delta1 > 0 ); -+ TEST_ASSERT( delta1 < 1000000000 ); -+ return; -+ -+exit: -+ /* No cleanup needed, but show some diagnostic iterations, because timing -+ problems can be hard to reproduce. */ -+ mbedtls_fprintf( stdout, " Finished with hardclock=%lu,%lu\n", -+ hardclock0, hardclock1 ); -+} -+/* END_CASE */ --- -2.7.4 - - -From 2a26d620fb4fe186a98e6f4864c658549f4b9913 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Wed, 18 Oct 2017 20:00:32 +0200 -Subject: [PATCH 10/13] Timing unit tests: more protection against infinite - loops - -If timing_timer_simple fails because it detects that timers are likely -to never expire (e.g. going backward or not incrementing), skip all -tests that rely on timers. 
---- - tests/suites/test_suite_timing.function | 77 +++++++++++++++++++++++++-------- - 1 file changed, 60 insertions(+), 17 deletions(-) - -diff --git a/tests/suites/test_suite_timing.function b/tests/suites/test_suite_timing.function -index 71fe7ed..1610155 100644 ---- a/tests/suites/test_suite_timing.function -+++ b/tests/suites/test_suite_timing.function -@@ -38,6 +38,14 @@ static int expected_delay_status( uint32_t int_ms, uint32_t fin_ms, - 0 ); - } - -+/* Some conditions in timing_timer_simple suggest that timers are unreliable. -+ Most other test cases rely on timers to terminate, and could loop -+ indefinitely if timers are too broken. So if timing_timer_simple detected a -+ timer that risks not terminating (going backwards, or not reaching the -+ desired count in the alloted clock cycles), set this flag to immediately -+ fail those other tests without running any timers. */ -+static int timers_are_badly_broken = 0; -+ - /* END_HEADER */ - - /* BEGIN_DEPENDENCIES -@@ -73,6 +81,15 @@ void timing_timer_simple( ) - return; - - exit: -+ if( iterations >= TIMING_SHORT_TEST_ITERATIONS_MAX || -+ new_millis < millis ) -+ { -+ /* The timer was very unreliable: it didn't increment and the loop ran -+ out, or it went backwards. Other tests that use timers might go -+ into an infinite loop, so we'll skip them. */ -+ timers_are_badly_broken = 1; -+ } -+ - /* No cleanup needed, but show some diagnostic iterations, because timing - problems can be hard to reproduce. */ - mbedtls_fprintf( stdout, " Finished with millis=%lu new_millis=%lu get(timer)<=%lu iterations=%lu\n", -@@ -87,6 +104,11 @@ void timing_timer_reset( ) - struct mbedtls_timing_hr_time timer; - unsigned long millis = 0; - unsigned long iterations = 0; -+ -+ /* Skip this test if it looks like timers don't work at all, to avoid an -+ infinite loop below. */ -+ TEST_ASSERT( !timers_are_badly_broken ); -+ - /* Start the timer. Timers are always reset to 0. 
*/ - TEST_ASSERT( mbedtls_timing_get_timer( &timer, 1 ) == 0 ); - /* Busy-wait loop for a few milliseconds */ -@@ -107,9 +129,10 @@ void timing_timer_reset( ) - exit: - /* No cleanup needed, but show some diagnostic information, because timing - problems can be hard to reproduce. */ -- mbedtls_fprintf( stdout, " Finished with millis=%lu get(timer)<=%lu iterations=%lu\n", -- millis, mbedtls_timing_get_timer( &timer, 0 ), -- iterations ); -+ if( !timers_are_badly_broken ) -+ mbedtls_fprintf( stdout, " Finished with millis=%lu get(timer)<=%lu iterations=%lu\n", -+ millis, mbedtls_timing_get_timer( &timer, 0 ), -+ iterations ); - } - /* END_CASE */ - -@@ -117,7 +140,11 @@ exit: - void timing_two_timers( int delta ) - { - struct mbedtls_timing_hr_time timer1, timer2; -- unsigned long millis1, millis2; -+ unsigned long millis1 = 0, millis2 = 0; -+ -+ /* Skip this test if it looks like timers don't work at all, to avoid an -+ infinite loop below. */ -+ TEST_ASSERT( !timers_are_badly_broken ); - - /* Start the first timer and wait for a short time. */ - (void) mbedtls_timing_get_timer( &timer1, 1 ); -@@ -153,9 +180,10 @@ void timing_two_timers( int delta ) - exit: - /* No cleanup needed, but show some diagnostic iterations, because timing - problems can be hard to reproduce. */ -- mbedtls_fprintf( stdout, " Finished with millis1=%lu get(timer1)<=%lu millis2=%lu get(timer2)<=%lu\n", -- millis1, mbedtls_timing_get_timer( &timer1, 0 ), -- millis2, mbedtls_timing_get_timer( &timer2, 0 ) ); -+ if( !timers_are_badly_broken ) -+ mbedtls_fprintf( stdout, " Finished with millis1=%lu get(timer1)<=%lu millis2=%lu get(timer2)<=%lu\n", -+ millis1, mbedtls_timing_get_timer( &timer1, 0 ), -+ millis2, mbedtls_timing_get_timer( &timer2, 0 ) ); - } - /* END_CASE */ - -@@ -177,6 +205,10 @@ void timing_alarm( int seconds ) - TIMING_ALARM_0_DELAY_MS ); - unsigned long iterations = 0; - -+ /* Skip this test if it looks like timers don't work at all, to avoid an -+ infinite loop below. 
*/ -+ TEST_ASSERT( !timers_are_badly_broken ); -+ - /* Set an alarm and count how long it takes with a timer. */ - (void) mbedtls_timing_get_timer( &timer, 1 ); - mbedtls_set_alarm( seconds ); -@@ -209,10 +241,11 @@ void timing_alarm( int seconds ) - exit: - /* Show some diagnostic iterations, because timing - problems can be hard to reproduce. */ -- mbedtls_fprintf( stdout, " Finished with alarmed=%d millis=%lu get(timer)<=%lu iterations=%lu\n", -- mbedtls_timing_alarmed, -- millis, mbedtls_timing_get_timer( &timer, 0 ), -- iterations ); -+ if( !timers_are_badly_broken ) -+ mbedtls_fprintf( stdout, " Finished with alarmed=%d millis=%lu get(timer)<=%lu iterations=%lu\n", -+ mbedtls_timing_alarmed, -+ millis, mbedtls_timing_get_timer( &timer, 0 ), -+ iterations ); - /* Cleanup */ - mbedtls_timing_alarmed = 0; - } -@@ -228,7 +261,7 @@ void timing_delay( int int_ms, int fin_ms ) - - mbedtls_timing_delay_context delay; - struct mbedtls_timing_hr_time timer; -- unsigned long delta; /* delay started between timer=0 and timer=delta */ -+ unsigned long delta = 0; /* delay started between timer=0 and timer=delta */ - unsigned long before = 0, after = 0; - unsigned long iterations = 0; - int status = -2; -@@ -238,6 +271,10 @@ void timing_delay( int int_ms, int fin_ms ) - assert( int_ms >= 0 ); - assert( fin_ms >= 0 ); - -+ /* Skip this test if it looks like timers don't work at all, to avoid an -+ infinite loop below. */ -+ TEST_ASSERT( !timers_are_badly_broken ); -+ - /* Start a reference timer. Program a delay, and verify that the status of - the delay is consistent with the time given by the reference timer. */ - (void) mbedtls_timing_get_timer( &timer, 1 ); -@@ -310,8 +347,9 @@ void timing_delay( int int_ms, int fin_ms ) - exit: - /* No cleanup needed, but show some diagnostic iterations, because timing - problems can be hard to reproduce. 
*/ -- mbedtls_fprintf( stdout, " Finished with delta=%lu before=%lu after=%lu status=%d iterations=%lu\n", -- delta, before, after, status, iterations ); -+ if( !timers_are_badly_broken ) -+ mbedtls_fprintf( stdout, " Finished with delta=%lu before=%lu after=%lu status=%d iterations=%lu\n", -+ delta, before, after, status, iterations ); - if( warn_inconclusive ) - mbedtls_fprintf( stdout, " Inconclusive test, try running it on a less heavily loaded machine.\n" ); - } -@@ -326,7 +364,11 @@ void timing_hardclock( ) - completely nonsensical values. */ - - struct mbedtls_timing_hr_time timer; -- unsigned long hardclock0, hardclock1, delta1; -+ unsigned long hardclock0 = -1, hardclock1 = -1, delta1 = -1; -+ -+ /* Skip this test if it looks like timers don't work at all, to avoid an -+ infinite loop below. */ -+ TEST_ASSERT( !timers_are_badly_broken ); - - hardclock0 = mbedtls_timing_hardclock( ); - /* Wait 2ms to ensure a nonzero delay. Since the timer interface has 1ms -@@ -354,7 +396,8 @@ void timing_hardclock( ) - exit: - /* No cleanup needed, but show some diagnostic iterations, because timing - problems can be hard to reproduce. */ -- mbedtls_fprintf( stdout, " Finished with hardclock=%lu,%lu\n", -- hardclock0, hardclock1 ); -+ if( !timers_are_badly_broken ) -+ mbedtls_fprintf( stdout, " Finished with hardclock=%lu,%lu\n", -+ hardclock0, hardclock1 ); - } - /* END_CASE */ --- -2.7.4 - - -From 0f59b130a95a9990fb1f00a5f457d4bad0c23d41 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Tue, 17 Oct 2017 19:39:04 +0200 -Subject: [PATCH 11/13] Timing self test: increased tolerance - -mbedtls_timing_self_test fails annoyingly often when running on a busy -machine such as can be expected of a continous integration system. -Increase the tolerances in the delay test, to reduce the chance of -failures that are only due to missing a deadline on a busy machine. 
---- - library/timing.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/library/timing.c b/library/timing.c -index 744e1e7..115204d 100644 ---- a/library/timing.c -+++ b/library/timing.c -@@ -450,19 +450,19 @@ int mbedtls_timing_self_test( int verbose ) - { - mbedtls_timing_set_delay( &ctx, a, a + b ); - -- busy_msleep( a - a / 8 ); -+ busy_msleep( a - a / 4 ); - if( mbedtls_timing_get_delay( &ctx ) != 0 ) - FAIL; - -- busy_msleep( a / 4 ); -+ busy_msleep( a / 2 ); - if( mbedtls_timing_get_delay( &ctx ) != 1 ) - FAIL; - -- busy_msleep( b - a / 8 - b / 8 ); -+ busy_msleep( b - a / 4 - b / 4 ); - if( mbedtls_timing_get_delay( &ctx ) != 1 ) - FAIL; - -- busy_msleep( b / 4 ); -+ busy_msleep( b / 2 ); - if( mbedtls_timing_get_delay( &ctx ) != 2 ) - FAIL; - } --- -2.7.4 - - -From 8873bcc4def433aa0edfbe260083f32f04aa097e Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Fri, 27 Oct 2017 18:42:32 +0200 -Subject: [PATCH 12/13] Timing self test: increased duration - -Increase the duration of the self test, otherwise it tends to fail on -a busy machine even with the recently upped tolerance. But run the -loop only once, it's enough for a simple smoke test. 
---- - library/timing.c | 30 ++++++++++++------------------ - 2 files changed, 14 insertions(+), 19 deletions(-) - -diff --git a/library/timing.c b/library/timing.c -index 115204d..f0d1a78 100644 ---- a/library/timing.c -+++ b/library/timing.c -@@ -444,28 +444,22 @@ int mbedtls_timing_self_test( int verbose ) - if( verbose != 0 ) - mbedtls_printf( " TIMING test #2 (set/get_delay ): " ); - -- for( a = 200; a <= 400; a += 200 ) - { -- for( b = 200; b <= 400; b += 200 ) -- { -- mbedtls_timing_set_delay( &ctx, a, a + b ); -- -- busy_msleep( a - a / 4 ); -- if( mbedtls_timing_get_delay( &ctx ) != 0 ) -- FAIL; -+ a = 800; -+ b = 400; -+ mbedtls_timing_set_delay( &ctx, a, a + b ); /* T = 0 */ - -- busy_msleep( a / 2 ); -- if( mbedtls_timing_get_delay( &ctx ) != 1 ) -- FAIL; -+ busy_msleep( a - a / 4 ); /* T = a - a/4 */ -+ if( mbedtls_timing_get_delay( &ctx ) != 0 ) -+ FAIL; - -- busy_msleep( b - a / 4 - b / 4 ); -- if( mbedtls_timing_get_delay( &ctx ) != 1 ) -- FAIL; -+ busy_msleep( a / 4 + b / 4 ); /* T = a + b/4 */ -+ if( mbedtls_timing_get_delay( &ctx ) != 1 ) -+ FAIL; - -- busy_msleep( b / 2 ); -- if( mbedtls_timing_get_delay( &ctx ) != 2 ) -- FAIL; -- } -+ busy_msleep( b ); /* T = a + b + b/4 */ -+ if( mbedtls_timing_get_delay( &ctx ) != 2 ) -+ FAIL; - } - - mbedtls_timing_set_delay( &ctx, 0, 0 ); --- -2.7.4 - - -From ada3ee8b9d0dab22714d5de13d9ac9d1cb76cfcd Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Wed, 20 Dec 2017 22:31:17 +0100 -Subject: [PATCH 13/13] Timing self test: shorten redundant tests - -We don't need to test multiple delays in a self-test. -Save 5s of busy-wait. 
---- - library/timing.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/library/timing.c b/library/timing.c -index f0d1a78..6df137d 100644 ---- a/library/timing.c -+++ b/library/timing.c -@@ -422,8 +422,9 @@ int mbedtls_timing_self_test( int verbose ) - if( verbose != 0 ) - mbedtls_printf( " TIMING test #1 (set_alarm / get_timer): " ); - -- for( secs = 1; secs <= 3; secs++ ) - { -+ secs = 1; -+ - (void) mbedtls_timing_get_timer( &hires, 1 ); - - mbedtls_set_alarm( (int) secs ); --- -2.7.4 - diff --git a/deps/mbedtls/patches/0009-RSA-Fix-buffer-overflow-in-PSS-signature-verificatio.patch b/deps/mbedtls/patches/0009-RSA-Fix-buffer-overflow-in-PSS-signature-verificatio.patch deleted file mode 100644 index 6619a462..00000000 --- a/deps/mbedtls/patches/0009-RSA-Fix-buffer-overflow-in-PSS-signature-verificatio.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From 01d6ae9a77df70d739aa5eea79d219b1feb2a592 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Tue, 17 Oct 2017 19:01:38 +0200 -Subject: [PATCH] RSA: Fix buffer overflow in PSS signature verification - -Fix buffer overflow in RSA-PSS signature verification when the hash is -too large for the key size. Found by Seth Terashima, Qualcomm. - -Added a non-regression test and a positive test with the smallest -permitted key size for a SHA-512 hash. ---- - library/rsa.c | 2 ++ - tests/data_files/rsa512.key | 9 +++++++++ - tests/data_files/rsa521.key | 9 +++++++++ - tests/data_files/rsa522.key | 9 +++++++++ - tests/data_files/rsa528.key | 9 +++++++++ - tests/suites/test_suite_pkcs1_v21.data | 32 ++++++++++++++++++++++++++++++++ - 6 files changed, 70 insertions(+) - create mode 100644 tests/data_files/rsa512.key - create mode 100644 tests/data_files/rsa521.key - create mode 100644 tests/data_files/rsa522.key - create mode 100644 tests/data_files/rsa528.key - -diff --git a/library/rsa.c b/library/rsa.c -index bdd2538c..a4e3ee68 100644 ---- a/library/rsa.c -+++ b/library/rsa.c -@@ -1362,6 +1362,8 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - - hlen = mbedtls_md_get_size( md_info ); -+ if( siglen < hlen + 2 ) -+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - slen = siglen - hlen - 1; /* Currently length of salt + padding */ - - memset( zeros, 0, 8 ); -diff --git a/tests/data_files/rsa512.key b/tests/data_files/rsa512.key -new file mode 100644 -index 00000000..1fd7987c ---- /dev/null -+++ b/tests/data_files/rsa512.key -@@ -0,0 +1,9 @@ -+-----BEGIN RSA PRIVATE KEY----- -+MIIBOwIBAAJBALB20jJQgW+aqwIwfkUrl/DK51mDabQWJOivx5caWaE4kvZLB+qm -+7JKMFgstbsj50N1bY8izrAdntPZciS9WwQ8CAwEAAQJAKYfNcIoB7II6PQmsrhrU -+Z5dZW3fSKNANX7X/A1DwR0DlF8uZnpWsWbYcRoXX7QjvepZqc54wryhW55Wlm6yI -+AQIhAOJIaLjSpbHjzzcJQ7mylxn2WGIlbJPPzJ9OaFZCZQvxAiEAx6OEAvl6JKa6 
-+6a+N2Wvhtcgb4qqR6UHQGJQYGJz5nP8CIAvgoR6ScAAWZRoOcm+c4DGMrLb6H+ji -+T2tNQkzEz2kBAiEAmw34GStU36STpa6RGJ4+tyZN6jWakDVqf7x+HpfFE1cCIQDc -+KzXIxec2taye4OeIa1v4W/MigMmYE9w93Uw/Qi3azA== -+-----END RSA PRIVATE KEY----- -diff --git a/tests/data_files/rsa521.key b/tests/data_files/rsa521.key -new file mode 100644 -index 00000000..0b940aa6 ---- /dev/null -+++ b/tests/data_files/rsa521.key -@@ -0,0 +1,9 @@ -+-----BEGIN RSA PRIVATE KEY----- -+MIIBPQIBAAJCATG2mGDzy5v4XqNY/fK9KZDxt3qA1qT9+BekPdiWvffdJq+KwCN/ -+Um4NM7EFyXH9vU/6ns6Z/EafMez0Kej1YsHDAgMBAAECQCdoYjwdMSHp4kksL5Aa -+0kDc58ni0chy9IgXo+FHjTVmR9DkaZANrwfVvYMJxqYCZo0im1Dw7ZJBUDJQNXnl -+ZokCIRiSk66I24AWa7XGUFvatVwXWi2ACE4QEKqzWQe1mQ24/wIhDHD1TCKpqucA -+XDI+1N7EHs+fN4CfTSWe8FPGiK6q3VM9AiESrKKLi/q011U4KeS8SfR2blDcL2cg -+XFkuQWqxzzLoGOUCIQmgl5E0+Ypwe0zc7NYZFDarf4+ZjqxKQnXCvk0irMHcGQIh -+EVPli6RQb3Gcx7vXJHltzSTno7NElzBDRMBVUlBmVxAJ -+-----END RSA PRIVATE KEY----- -diff --git a/tests/data_files/rsa522.key b/tests/data_files/rsa522.key -new file mode 100644 -index 00000000..18fbe70c ---- /dev/null -+++ b/tests/data_files/rsa522.key -@@ -0,0 +1,9 @@ -+-----BEGIN RSA PRIVATE KEY----- -+MIIBPgIBAAJCAtMCdT492ij0L02fkshkdCDqb7yXwQ+EmLlmqVPzV2mNZYEGDf4y -+yKuY20vFzirN8MHm5ASnWhMoJVDBqjfTzci/AgMBAAECQU05ffxf7uVg74yC9tKg -+qCa746NpMh3OM+HZrUxiOXv0sJMRXNEPD5HNLtgcNY6MI5NYbUvkOXktnFZpxWYP -+TH7BAiEeFJGs5Z6gRd2v/IbYLMFDHgjqho04INGTOvnyI7lGVKUCIRgJM7moFuoM -+UrKTmJK1uOzauWEykCKgc6BGH6TGZoEWkwIhBzQn2v82qO1ydOYGKRk2w2sa+Yd1 -+pH5/kkHqf+m8QjKdAiEQ9eVW+4J30wxD0JyX4b1E/S5UpN5KYNhWX0US+6D3NBsC -+IRxePzdQlutZWg0Cnku3QE1tOLBCFlP7QVVl5FbKcY5H5w== -+-----END RSA PRIVATE KEY----- -diff --git a/tests/data_files/rsa528.key b/tests/data_files/rsa528.key -new file mode 100644 -index 00000000..fd463b54 ---- /dev/null -+++ b/tests/data_files/rsa528.key -@@ -0,0 +1,9 @@ -+-----BEGIN RSA PRIVATE KEY----- -+MIIBRQIBAAJDAOMcJG1GSFmEJh/RdMqz1DVzRGAuzXk8R9vlQlLTe7NQvGNDWbGV -+FVQggORySktnIpG+V8dkj1Finq7yNOhH2ZzGXwIDAQABAkMAsWYyLglQSlwnS4NZ 
-+L1z4zieTqW3lomWr2+BgxkHbxl2w0Rx4L+Ezp+YK6mhtIQWNkoytPvWJJMS7Jrkg -+agMAHQJBAiIA+F1y5GO0Bv+igsNLXwwtbCqs8hAkavU9W8egt/oDbhzbAiIA6hds -+PZp/s1X7n7dwfmebSs+3vLZFuQfifN8XZLw0CXHNAiEuEzgDQrPdMIN3er96zImI -+rYoUBgabiQ9u/WPFfa4xOU0CIgDDYC089Tfjy72pPgcr2PkpZVhqro5esg/8PI5f -+yxx7TXkCIgCYoE8Y5IxomtL1ub1AQzPe9UyyUGzQB1yWeiloJh6LjxA= -+-----END RSA PRIVATE KEY----- -diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data -index ac16beb8..6d31494e 100644 ---- a/tests/suites/test_suite_pkcs1_v21.data -+++ b/tests/suites/test_suite_pkcs1_v21.data -@@ -787,3 +787,35 @@ RSASSA-PSS Signature verify options #13 (MGF1 alg != MSG hash alg, arg wrong) - depends_on:MBEDTLS_SHA256_C - pkcs1_rsassa_pss_verify_ext:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":MBEDTLS_MD_NONE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:MBEDTLS_RSA_SALT_LEN_ANY:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":"7fc506d26ca3b22922a1ce39faaedd273161b82d9443c56f1a034f131ae4a18cae1474271cb4b66a17d9707ca58b0bdbd3c406b7e65bbcc9bbbce94dc45de807b4989b23b3e4db74ca29298137837eb90cc83d3219249bc7d480fceaf075203a86e54c4ecfa4e312e39f8f69d76534089a36ed9049ca9cfd5ab1db1fa75fe5c8":0:MBEDTLS_ERR_RSA_INVALID_PADDING - -+RSASSA-PSS verify ext, 512-bit key, empty salt, good signature -+depends_on:MBEDTLS_SHA256_C -+pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf246":0:0 -+ -+RSASSA-PSS verify ext, 512-bit key, empty salt, bad signature 
-+depends_on:MBEDTLS_SHA256_C -+pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf247":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING -+ -+RSASSA-PSS verify ext, 522-bit key, SHA-512, empty salt, good signature -+depends_on:MBEDTLS_SHA512_C -+pkcs1_rsassa_pss_verify_ext:522:16:"02d302753e3dda28f42f4d9f92c8647420ea6fbc97c10f8498b966a953f357698d6581060dfe32c8ab98db4bc5ce2acdf0c1e6e404a75a13282550c1aa37d3cdc8bf":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"016752ae0b5dfbade6bbd3dd37868d48c8d741f92dca41c360aeda553204c2212a117b1a3d77e0d3f48723503c46e16c8a64de00f1dee3e37e478417452630859486":0:0 -+ -+RSASSA-PSS verify ext, 528-bit key, SHA-512, saltlen=64, good signature with saltlen=0 -+depends_on:MBEDTLS_SHA512_C -+pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:64:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:MBEDTLS_ERR_RSA_INVALID_PADDING -+ -+RSASSA-PSS verify ext, 528-bit key, SHA-512, empty salt, good signature -+depends_on:MBEDTLS_SHA512_C -+pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:0 -+ -+RSASSA-PSS 
verify ext, 528-bit key, SHA-512, saltlen=64, good signature with saltlen=0 -+depends_on:MBEDTLS_SHA512_C -+pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:64:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:MBEDTLS_ERR_RSA_INVALID_PADDING -+ -+RSASSA-PSS verify ext, 512-bit key, SHA-512 (hash too large) -+depends_on:MBEDTLS_SHA512_C -+pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf246":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA -+ -+RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature -+depends_on:MBEDTLS_SHA512_C -+pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING -+ --- -2.16.2 - diff --git a/deps/mbedtls/patches/0010-RSA-Fix-another-buffer-overflow-in-PSS-signature-ver.patch b/deps/mbedtls/patches/0010-RSA-Fix-another-buffer-overflow-in-PSS-signature-ver.patch deleted file mode 100644 index ffa13226..00000000 --- a/deps/mbedtls/patches/0010-RSA-Fix-another-buffer-overflow-in-PSS-signature-ver.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From d85814a0d05cf9f81d00cf25ad89e732bcda0bd5 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Tue, 17 Oct 2017 19:02:13 +0200 -Subject: [PATCH] RSA: Fix another buffer overflow in PSS signature - verification - -Fix buffer overflow in RSA-PSS signature verification when the masking -operation results in an all-zero buffer. This could happen at any key size. ---- - library/rsa.c | 21 +++++++++++---------- - tests/suites/test_suite_pkcs1_v21.data | 4 ++++ - 2 files changed, 15 insertions(+), 10 deletions(-) - -diff --git a/library/rsa.c b/library/rsa.c -index a4e3ee68..f9aec227 100644 ---- a/library/rsa.c -+++ b/library/rsa.c -@@ -1319,10 +1319,11 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - int ret; - size_t siglen; - unsigned char *p; -+ unsigned char *hash_start; - unsigned char result[MBEDTLS_MD_MAX_SIZE]; - unsigned char zeros[8]; - unsigned int hlen; -- size_t slen, msb; -+ size_t observed_salt_len, msb; - const mbedtls_md_info_t *md_info; - mbedtls_md_context_t md_ctx; - unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; -@@ -1364,7 +1365,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - hlen = mbedtls_md_get_size( md_info ); - if( siglen < hlen + 2 ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); -- slen = siglen - hlen - 1; /* Currently length of salt + padding */ -+ hash_start = buf + siglen - hlen - 1; - - memset( zeros, 0, 8 ); - -@@ -1379,6 +1380,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - p++; - siglen -= 1; - } -+ else - if( buf[0] >> ( 8 - siglen * 8 + msb ) ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - -@@ -1389,25 +1391,24 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - return( ret ); - } - -- mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); -+ mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx ); - - buf[0] &= 0xFF >> ( siglen * 8 - msb ); - -- while( p < buf + siglen && *p == 0 ) -+ while( p < hash_start - 1 
&& *p == 0 ) - p++; - -- if( p == buf + siglen || -+ if( p == hash_start || - *p++ != 0x01 ) - { - mbedtls_md_free( &md_ctx ); - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); - } - -- /* Actual salt len */ -- slen -= p - buf; -+ observed_salt_len = hash_start - p; - - if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && -- slen != (size_t) expected_salt_len ) -+ observed_salt_len != (size_t) expected_salt_len ) - { - mbedtls_md_free( &md_ctx ); - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); -@@ -1419,12 +1420,12 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - mbedtls_md_starts( &md_ctx ); - mbedtls_md_update( &md_ctx, zeros, 8 ); - mbedtls_md_update( &md_ctx, hash, hashlen ); -- mbedtls_md_update( &md_ctx, p, slen ); -+ mbedtls_md_update( &md_ctx, p, observed_salt_len ); - mbedtls_md_finish( &md_ctx, result ); - - mbedtls_md_free( &md_ctx ); - -- if( memcmp( p + slen, result, hlen ) == 0 ) -+ if( memcmp( hash_start, result, hlen ) == 0 ) - return( 0 ); - else - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); -diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data -index 6d31494e..7c202e9c 100644 ---- a/tests/suites/test_suite_pkcs1_v21.data -+++ b/tests/suites/test_suite_pkcs1_v21.data -@@ -819,3 +819,7 @@ RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature - depends_on:MBEDTLS_SHA512_C - pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING - -+RSASSA-PSS verify ext, all-zero padding, automatic salt length -+depends_on:MBEDTLS_SHA256_C 
-+pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_NONE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:"":"63a35294577c7e593170378175b7df27c293dae583ec2a971426eb2d66f2af483e897bfae5dc20300a9d61a3644e08c3aee61a463690a3498901563c46041056":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING -+ --- -2.16.2 - diff --git a/deps/mbedtls/patches/0011-RSA-PSS-fix-minimum-length-check-for-keys-of-size-8N.patch b/deps/mbedtls/patches/0011-RSA-PSS-fix-minimum-length-check-for-keys-of-size-8N.patch deleted file mode 100644 index 6855924a..00000000 --- a/deps/mbedtls/patches/0011-RSA-PSS-fix-minimum-length-check-for-keys-of-size-8N.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 1f7bffd54c78dd140594b7c8474195e2f2f59b85 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Wed, 18 Oct 2017 19:03:42 +0200 -Subject: [PATCH] RSA PSS: fix minimum length check for keys of size 8N+1 - -The check introduced by the previous security fix was off by one. It -fixed the buffer overflow but was not compliant with the definition of -PSS which technically led to accepting some invalid signatures (but -not signatures made without the private key). ---- - library/rsa.c | 7 ++++--- - tests/suites/test_suite_pkcs1_v21.data | 2 +- - 2 files changed, 5 insertions(+), 4 deletions(-) - -diff --git a/library/rsa.c b/library/rsa.c -index f9aec227..f25137ab 100644 ---- a/library/rsa.c -+++ b/library/rsa.c -@@ -1363,9 +1363,6 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - - hlen = mbedtls_md_get_size( md_info ); -- if( siglen < hlen + 2 ) -- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); -- hash_start = buf + siglen - hlen - 1; - - memset( zeros, 0, 8 ); - -@@ -1384,6 +1381,10 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - if( buf[0] >> ( 8 - siglen * 8 + msb ) ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - -+ if( siglen < hlen + 2 ) -+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); -+ hash_start = p + siglen - hlen - 1; -+ - mbedtls_md_init( &md_ctx ); - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - { -diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data -index 7c202e9c..7785b123 100644 ---- a/tests/suites/test_suite_pkcs1_v21.data -+++ b/tests/suites/test_suite_pkcs1_v21.data -@@ -817,7 +817,7 @@ pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369 - - RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature - depends_on:MBEDTLS_SHA512_C 
--pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING -+pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA - - RSASSA-PSS verify ext, all-zero padding, automatic salt length - depends_on:MBEDTLS_SHA256_C --- -2.16.2 - diff --git a/deps/mbedtls/patches/0012-RSA-PSS-fix-first-byte-check-for-keys-of-size-8N-1.patch b/deps/mbedtls/patches/0012-RSA-PSS-fix-first-byte-check-for-keys-of-size-8N-1.patch deleted file mode 100644 index f7abc6e3..00000000 --- a/deps/mbedtls/patches/0012-RSA-PSS-fix-first-byte-check-for-keys-of-size-8N-1.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 4b9854d025974f6538a9e2df78f3d9758ccca207 Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Thu, 19 Oct 2017 15:23:49 +0200 -Subject: [PATCH] RSA PSS: fix first byte check for keys of size 8N+1 - -For a key of size 8N+1, check that the first byte after applying the -public key operation is 0 (it could have been 1 instead). The code was -incorrectly doing a no-op check instead, which led to invalid -signatures being accepted. Not a security flaw, since you would need the -private key to craft such an invalid signature, but a bug nonetheless. ---- - library/rsa.c | 6 +++--- - tests/suites/test_suite_pkcs1_v21.data | 8 ++++++++ - 2 files changed, 11 insertions(+), 3 deletions(-) - -diff --git a/library/rsa.c b/library/rsa.c -index f25137ab..b54960fb 100644 ---- a/library/rsa.c -+++ b/library/rsa.c -@@ -1371,15 +1371,15 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - */ - msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; - -+ if( buf[0] >> ( 8 - siglen * 8 + msb ) ) -+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); -+ - /* Compensate for boundary condition when applying mask */ - if( msb % 8 == 0 ) - { - p++; - siglen -= 1; - } -- else -- if( buf[0] >> ( 8 - siglen * 8 + msb ) ) -- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - - if( siglen < hlen + 2 ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); -diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data -index 7785b123..6258c626 100644 ---- a/tests/suites/test_suite_pkcs1_v21.data -+++ b/tests/suites/test_suite_pkcs1_v21.data -@@ -819,6 +819,14 @@ RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature - depends_on:MBEDTLS_SHA512_C - 
pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA - -+RSASSA-PSS verify ext, 521-bit key, SHA-256, empty salt, good signature -+depends_on:MBEDTLS_SHA256_C -+pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"41":"009c4941157fa36288e467310b198ab0c615c40963d611ffeef03000549ded809235955ecc57adba44782e9497c004f480ba2b3d58db8335fe0b391075c02c843a6d":0:0 -+ -+RSASSA-PSS verify ext, 521-bit key, SHA-256, empty salt, flipped-highest-bit signature -+depends_on:MBEDTLS_SHA256_C -+pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"41":"00e11a2403df681c44a1f73f014b6c9ad17847d0b673f7c2a801cee208d10ab5792c10cd0cd495a4b331aaa521409fca7cb1b0d978b3a84cd67e28078b98753e9466":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA -+ - RSASSA-PSS verify ext, all-zero padding, automatic salt length - depends_on:MBEDTLS_SHA256_C - 
pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_NONE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:"":"63a35294577c7e593170378175b7df27c293dae583ec2a971426eb2d66f2af483e897bfae5dc20300a9d61a3644e08c3aee61a463690a3498901563c46041056":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING --- -2.16.2 - diff --git a/deps/mbedtls/patches/0013-RSA-PSS-remove-redundant-check-changelog.patch b/deps/mbedtls/patches/0013-RSA-PSS-remove-redundant-check-changelog.patch deleted file mode 100644 index cb50d545..00000000 --- a/deps/mbedtls/patches/0013-RSA-PSS-remove-redundant-check-changelog.patch +++ /dev/null @@ -1,31 +0,0 @@ -From f23dcce9e1a12b1895d3bfd190e704f539ddeffb Mon Sep 17 00:00:00 2001 -From: Gilles Peskine -Date: Thu, 19 Oct 2017 17:46:14 +0200 -Subject: [PATCH] RSA PSS: remove redundant check; changelog - -Remove a check introduced in the previous buffer overflow fix with keys of -size 8N+1 which the subsequent fix for buffer start calculations made -redundant. - -Added a changelog entry for the buffer start calculation fix. ---- - library/rsa.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/library/rsa.c b/library/rsa.c -index b54960fb..148f6b34 100644 ---- a/library/rsa.c -+++ b/library/rsa.c -@@ -1399,8 +1399,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - while( p < hash_start - 1 && *p == 0 ) - p++; - -- if( p == hash_start || -- *p++ != 0x01 ) -+ if( *p++ != 0x01 ) - { - mbedtls_md_free( &md_ctx ); - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); --- -2.16.2 -