deps: update mbedTLS to 2.7.0
At the same time, rebase the patches on top of the new version and drop the fixes that have been merged upstream. Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
parent
59de63fa65
commit
e6d68831a7
4
deps/lib-versions
@ -4,8 +4,8 @@ export ASIO_CSUM=fa8c3a16dc2163f5b3451f2a14ce95277c971f46700497d4e94af6059c00dc0
|
|||||||
export LZ4_VERSION=lz4-1.8.0
|
export LZ4_VERSION=lz4-1.8.0
|
||||||
export LZ4_CSUM=2ca482ea7a9bb103603108b5a7510b7592b90158c151ff50a28f1ca8389fccf6
|
export LZ4_CSUM=2ca482ea7a9bb103603108b5a7510b7592b90158c151ff50a28f1ca8389fccf6
|
||||||
|
|
||||||
export MBEDTLS_VERSION=mbedtls-2.6.0
|
export MBEDTLS_VERSION=mbedtls-2.7.0
|
||||||
export MBEDTLS_CSUM=99bc9d4212d3d885eeb96273bcde8ecc649a481404b8d7ea7bb26397c9909687
|
export MBEDTLS_CSUM=aeb66d6cd43aa1c79c145d15845c655627a7fc30d624148aaafbb6c36d7f55ef
|
||||||
|
|
||||||
export OPENSSL_VERSION=openssl-1.0.2h
|
export OPENSSL_VERSION=openssl-1.0.2h
|
||||||
|
|
||||||
|
@ -1,7 +1,18 @@
|
|||||||
diff -urw mbedtls-2.6.0.orig/library/x509.c mbedtls-2.6.0/library/x509.c
|
From 62dd1588a7ec3501edfaf9470cf7a1ca15cb4ba1 Mon Sep 17 00:00:00 2001
|
||||||
--- mbedtls-2.6.0.orig/library/x509.c 2017-11-03 11:46:21.403848065 +0800
|
From: Antonio Quartulli <antonio@openvpn.net>
|
||||||
+++ mbedtls-2.6.0/library/x509.c 2017-11-03 11:58:46.259817520 +0800
|
Date: Tue, 20 Mar 2018 09:35:47 +0800
|
||||||
@@ -559,13 +559,20 @@
|
Subject: [PATCH] relax x509 date format check
|
||||||
|
|
||||||
|
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
|
||||||
|
---
|
||||||
|
library/x509.c | 18 +++++++++++++++++-
|
||||||
|
1 file changed, 17 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/library/x509.c b/library/x509.c
|
||||||
|
index 371d6da1..df2cea81 100644
|
||||||
|
--- a/library/x509.c
|
||||||
|
+++ b/library/x509.c
|
||||||
|
@@ -565,13 +565,20 @@ static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
|
||||||
/*
|
/*
|
||||||
* Parse seconds if present
|
* Parse seconds if present
|
||||||
*/
|
*/
|
||||||
@ -23,7 +34,7 @@ diff -urw mbedtls-2.6.0.orig/library/x509.c mbedtls-2.6.0/library/x509.c
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* Parse trailing 'Z' if present
|
* Parse trailing 'Z' if present
|
||||||
@@ -575,6 +582,15 @@
|
@@ -581,6 +588,15 @@ static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
|
||||||
(*p)++;
|
(*p)++;
|
||||||
len--;
|
len--;
|
||||||
}
|
}
|
||||||
@ -39,3 +50,6 @@ diff -urw mbedtls-2.6.0.orig/library/x509.c mbedtls-2.6.0/library/x509.c
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* We should have parsed all characters at this point
|
* We should have parsed all characters at this point
|
||||||
|
--
|
||||||
|
2.16.2
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 4e75bd33172a8a73abfa6a15d442d1f80f466870 Mon Sep 17 00:00:00 2001
|
From 56df6d5003b20fa673b67fb06c2ec03a8197c4c2 Mon Sep 17 00:00:00 2001
|
||||||
From: Antonio Quartulli <antonio@openvpn.net>
|
From: Antonio Quartulli <antonio@openvpn.net>
|
||||||
Date: Wed, 20 Dec 2017 07:03:55 +0800
|
Date: Wed, 20 Dec 2017 07:03:55 +0800
|
||||||
Subject: [PATCH] pkcs5v2: add support for additional hmacSHA algorithms
|
Subject: [PATCH] pkcs5v2: add support for additional hmacSHA algorithms
|
||||||
@ -25,10 +25,10 @@ Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
|
|||||||
4 files changed, 66 insertions(+), 5 deletions(-)
|
4 files changed, 66 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
|
diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
|
||||||
index fcecdafd..d621c075 100644
|
index bf2ef5ec..408645ec 100644
|
||||||
--- a/include/mbedtls/oid.h
|
--- a/include/mbedtls/oid.h
|
||||||
+++ b/include/mbedtls/oid.h
|
+++ b/include/mbedtls/oid.h
|
||||||
@@ -227,6 +227,14 @@
|
@@ -228,6 +228,14 @@
|
||||||
|
|
||||||
#define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
|
#define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
|
||||||
|
|
||||||
@ -43,7 +43,7 @@ index fcecdafd..d621c075 100644
|
|||||||
/*
|
/*
|
||||||
* Encryption algorithms
|
* Encryption algorithms
|
||||||
*/
|
*/
|
||||||
@@ -513,6 +521,16 @@ int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t
|
@@ -514,6 +522,16 @@ int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t
|
||||||
* \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
|
* \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
|
||||||
*/
|
*/
|
||||||
int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg );
|
int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg );
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 5abb7fb80073bc310a96d5a184694b1e29a19faf Mon Sep 17 00:00:00 2001
|
From bb029567d8a2b55e500a85c916a8d22ae9434ab3 Mon Sep 17 00:00:00 2001
|
||||||
From: Antonio Quartulli <antonio@openvpn.net>
|
From: Antonio Quartulli <antonio@openvpn.net>
|
||||||
Date: Wed, 31 Jan 2018 23:23:02 +0800
|
Date: Wed, 31 Jan 2018 23:23:02 +0800
|
||||||
Subject: [PATCH] tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA
|
Subject: [PATCH] tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From ea10371f909419d2634a75ef30fab8cd8df71a91 Mon Sep 17 00:00:00 2001
|
From d09cecb5f7d1e66476c97a35caee7248930ef425 Mon Sep 17 00:00:00 2001
|
||||||
From: Antonio Quartulli <a@unstable.cc>
|
From: Antonio Quartulli <a@unstable.cc>
|
||||||
Date: Wed, 31 Jan 2018 23:45:09 +0800
|
Date: Wed, 31 Jan 2018 23:45:09 +0800
|
||||||
Subject: [PATCH] tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer
|
Subject: [PATCH] tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 8e866133ec2c28a615212d76c85745e5dc2ebd7c Mon Sep 17 00:00:00 2001
|
From 4e96327a813d2e1d06dfb7e44caacb400fd8769b Mon Sep 17 00:00:00 2001
|
||||||
From: Antonio Quartulli <antonio@openvpn.net>
|
From: Antonio Quartulli <antonio@openvpn.net>
|
||||||
Date: Thu, 1 Feb 2018 13:54:13 +0800
|
Date: Thu, 1 Feb 2018 13:54:13 +0800
|
||||||
Subject: [PATCH] data_files/pkcs8-v2: add keys generated with PRF != SHA1
|
Subject: [PATCH] data_files/pkcs8-v2: add keys generated with PRF != SHA1
|
||||||
@ -122,10 +122,10 @@ Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
|
|||||||
create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem
|
create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem
|
||||||
|
|
||||||
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
|
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
|
||||||
index f7826d43..fab04ee8 100644
|
index d4aed678..7069b4f3 100644
|
||||||
--- a/tests/data_files/Makefile
|
--- a/tests/data_files/Makefile
|
||||||
+++ b/tests/data_files/Makefile
|
+++ b/tests/data_files/Makefile
|
||||||
@@ -66,6 +66,574 @@ all_final += server2-sha256.crt
|
@@ -392,6 +392,574 @@ server1_all: server1.csr server1.crt server1.noauthid.crt server1.crt.openssl se
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 32b9493a889f7a72eb3f124ffc8dc8a3544b26a8 Mon Sep 17 00:00:00 2001
|
From 7ed2575f310fd889fba025aa760f74ec1b41924b Mon Sep 17 00:00:00 2001
|
||||||
From: Antonio Quartulli <antonio@openvpn.net>
|
From: Antonio Quartulli <antonio@openvpn.net>
|
||||||
Date: Thu, 1 Feb 2018 14:03:36 +0800
|
Date: Thu, 1 Feb 2018 14:03:36 +0800
|
||||||
Subject: [PATCH] tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1
|
Subject: [PATCH] tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1
|
||||||
@ -13,12 +13,12 @@ Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
|
|||||||
1 file changed, 576 insertions(+)
|
1 file changed, 576 insertions(+)
|
||||||
|
|
||||||
diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data
|
diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data
|
||||||
index 9c0edbb5..01bc1f03 100644
|
index 416f9dfe..1bf06270 100644
|
||||||
--- a/tests/suites/test_suite_pkparse.data
|
--- a/tests/suites/test_suite_pkparse.data
|
||||||
+++ b/tests/suites/test_suite_pkparse.data
|
+++ b/tests/suites/test_suite_pkparse.data
|
||||||
@@ -102,6 +102,582 @@ Parse RSA Key #20 (PKCS#8 encrypted v2 PBDFK2 DES)
|
@@ -362,6 +362,582 @@ Parse RSA Key #49.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, no PW)
|
||||||
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
|
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C
|
||||||
pk_parse_keyfile_rsa:"data_files/pkcs8_pbes2_pbkdf2_des.key":"PolarSSLTest":0
|
pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
|
||||||
|
|
||||||
+Parse RSA Key #50 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224)
|
+Parse RSA Key #50 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224)
|
||||||
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
|
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
|
||||||
|
@ -1,130 +0,0 @@
|
|||||||
From 1ab62937e63f3a4ecbbea9233f68e5afd2a2f229 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Hanno Becker <hanno.becker@arm.com>
|
|
||||||
Date: Fri, 25 Aug 2017 13:38:26 +0100
|
|
||||||
Subject: [PATCH] Use in-place decryption in pk_parse_pkcs8_encrypted_der
|
|
||||||
|
|
||||||
The stack buffer used to hold the decrypted key in pk_parse_pkcs8_encrypted_der
|
|
||||||
was statically sized to 2048 bytes, which is not enough for DER encoded 4096bit
|
|
||||||
RSA keys.
|
|
||||||
|
|
||||||
This commit resolves the problem by performing the key-decryption in-place,
|
|
||||||
circumventing the introduction of another stack or heap copy of the key.
|
|
||||||
|
|
||||||
There are two situations where pk_parse_pkcs8_encrypted_der is invoked:
|
|
||||||
1. When processing a PEM-encoded encrypted key in mbedtls_pk_parse_key.
|
|
||||||
This does not need adaption since the PEM context used to hold the decoded
|
|
||||||
key is already constructed and owned by mbedtls_pk_parse_key.
|
|
||||||
2. When processing a DER-encoded encrypted key in mbedtls_pk_parse_key.
|
|
||||||
In this case, mbedtls_pk_parse_key calls pk_parse_pkcs8_encrypted_der with
|
|
||||||
the buffer provided by the user, which is declared const. The commit
|
|
||||||
therefore adds a small code paths making a copy of the keybuffer before
|
|
||||||
calling pk_parse_pkcs8_encrypted_der.
|
|
||||||
---
|
|
||||||
library/pkparse.c | 35 ++++++++++++++++++++++-------------
|
|
||||||
1 file changed, 22 insertions(+), 13 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/library/pkparse.c b/library/pkparse.c
|
|
||||||
index efdf4374..cf25cdd2 100644
|
|
||||||
--- a/library/pkparse.c
|
|
||||||
+++ b/library/pkparse.c
|
|
||||||
@@ -936,12 +936,12 @@ static int pk_parse_key_pkcs8_unencrypted_der(
|
|
||||||
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
|
|
||||||
static int pk_parse_key_pkcs8_encrypted_der(
|
|
||||||
mbedtls_pk_context *pk,
|
|
||||||
- const unsigned char *key, size_t keylen,
|
|
||||||
+ unsigned char *key, size_t keylen,
|
|
||||||
const unsigned char *pwd, size_t pwdlen )
|
|
||||||
{
|
|
||||||
int ret, decrypted = 0;
|
|
||||||
size_t len;
|
|
||||||
- unsigned char buf[2048];
|
|
||||||
+ unsigned char *buf;
|
|
||||||
unsigned char *p, *end;
|
|
||||||
mbedtls_asn1_buf pbe_alg_oid, pbe_params;
|
|
||||||
#if defined(MBEDTLS_PKCS12_C)
|
|
||||||
@@ -949,8 +949,6 @@ static int pk_parse_key_pkcs8_encrypted_der(
|
|
||||||
mbedtls_md_type_t md_alg;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- memset( buf, 0, sizeof( buf ) );
|
|
||||||
-
|
|
||||||
p = (unsigned char *) key;
|
|
||||||
end = p + keylen;
|
|
||||||
|
|
||||||
@@ -985,8 +983,7 @@ static int pk_parse_key_pkcs8_encrypted_der(
|
|
||||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
|
|
||||||
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
|
|
||||||
|
|
||||||
- if( len > sizeof( buf ) )
|
|
||||||
- return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
|
|
||||||
+ buf = p;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Decrypt EncryptedData with appropriate PDE
|
|
||||||
@@ -1084,7 +1081,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
|
|
||||||
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
|
|
||||||
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
|
|
||||||
|
|
||||||
- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
|
|
||||||
+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
|
|
||||||
( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
|
|
||||||
pem.buf, pem.buflen ) ) != 0 )
|
|
||||||
{
|
|
||||||
@@ -1116,7 +1113,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
|
|
||||||
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ) ) == NULL )
|
|
||||||
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
|
|
||||||
|
|
||||||
- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
|
|
||||||
+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
|
|
||||||
( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
|
|
||||||
pem.buf, pem.buflen ) ) != 0 )
|
|
||||||
{
|
|
||||||
@@ -1194,12 +1191,24 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
|
|
||||||
* error
|
|
||||||
*/
|
|
||||||
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
|
|
||||||
- if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, key, keylen,
|
|
||||||
- pwd, pwdlen ) ) == 0 )
|
|
||||||
{
|
|
||||||
- return( 0 );
|
|
||||||
+ unsigned char *key_copy;
|
|
||||||
+
|
|
||||||
+ if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
|
|
||||||
+ return( MBEDTLS_ERR_PK_ALLOC_FAILED );
|
|
||||||
+
|
|
||||||
+ memcpy( key_copy, key, keylen );
|
|
||||||
+
|
|
||||||
+ ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
|
|
||||||
+ pwd, pwdlen );
|
|
||||||
+
|
|
||||||
+ mbedtls_zeroize( key_copy, keylen );
|
|
||||||
+ mbedtls_free( key_copy );
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if( ret == 0 )
|
|
||||||
+ return( 0 );
|
|
||||||
+
|
|
||||||
mbedtls_pk_free( pk );
|
|
||||||
|
|
||||||
if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH )
|
|
||||||
@@ -1217,7 +1226,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
|
|
||||||
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
|
|
||||||
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
|
|
||||||
|
|
||||||
- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
|
|
||||||
+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
|
|
||||||
( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) ) == 0 )
|
|
||||||
{
|
|
||||||
return( 0 );
|
|
||||||
@@ -1230,7 +1239,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
|
|
||||||
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ) ) == NULL )
|
|
||||||
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
|
|
||||||
|
|
||||||
- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
|
|
||||||
+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
|
|
||||||
( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), key, keylen ) ) == 0 )
|
|
||||||
{
|
|
||||||
return( 0 );
|
|
||||||
--
|
|
||||||
2.16.2
|
|
||||||
|
|
1766
deps/mbedtls/patches/0008-timing-test-patches.patch
@ -1,139 +0,0 @@
|
|||||||
From 01d6ae9a77df70d739aa5eea79d219b1feb2a592 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
||||||
Date: Tue, 17 Oct 2017 19:01:38 +0200
|
|
||||||
Subject: [PATCH] RSA: Fix buffer overflow in PSS signature verification
|
|
||||||
|
|
||||||
Fix buffer overflow in RSA-PSS signature verification when the hash is
|
|
||||||
too large for the key size. Found by Seth Terashima, Qualcomm.
|
|
||||||
|
|
||||||
Added a non-regression test and a positive test with the smallest
|
|
||||||
permitted key size for a SHA-512 hash.
|
|
||||||
---
|
|
||||||
library/rsa.c | 2 ++
|
|
||||||
tests/data_files/rsa512.key | 9 +++++++++
|
|
||||||
tests/data_files/rsa521.key | 9 +++++++++
|
|
||||||
tests/data_files/rsa522.key | 9 +++++++++
|
|
||||||
tests/data_files/rsa528.key | 9 +++++++++
|
|
||||||
tests/suites/test_suite_pkcs1_v21.data | 32 ++++++++++++++++++++++++++++++++
|
|
||||||
6 files changed, 70 insertions(+)
|
|
||||||
create mode 100644 tests/data_files/rsa512.key
|
|
||||||
create mode 100644 tests/data_files/rsa521.key
|
|
||||||
create mode 100644 tests/data_files/rsa522.key
|
|
||||||
create mode 100644 tests/data_files/rsa528.key
|
|
||||||
|
|
||||||
diff --git a/library/rsa.c b/library/rsa.c
|
|
||||||
index bdd2538c..a4e3ee68 100644
|
|
||||||
--- a/library/rsa.c
|
|
||||||
+++ b/library/rsa.c
|
|
||||||
@@ -1362,6 +1362,8 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|
||||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
|
|
||||||
hlen = mbedtls_md_get_size( md_info );
|
|
||||||
+ if( siglen < hlen + 2 )
|
|
||||||
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
slen = siglen - hlen - 1; /* Currently length of salt + padding */
|
|
||||||
|
|
||||||
memset( zeros, 0, 8 );
|
|
||||||
diff --git a/tests/data_files/rsa512.key b/tests/data_files/rsa512.key
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..1fd7987c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data_files/rsa512.key
|
|
||||||
@@ -0,0 +1,9 @@
|
|
||||||
+-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
+MIIBOwIBAAJBALB20jJQgW+aqwIwfkUrl/DK51mDabQWJOivx5caWaE4kvZLB+qm
|
|
||||||
+7JKMFgstbsj50N1bY8izrAdntPZciS9WwQ8CAwEAAQJAKYfNcIoB7II6PQmsrhrU
|
|
||||||
+Z5dZW3fSKNANX7X/A1DwR0DlF8uZnpWsWbYcRoXX7QjvepZqc54wryhW55Wlm6yI
|
|
||||||
+AQIhAOJIaLjSpbHjzzcJQ7mylxn2WGIlbJPPzJ9OaFZCZQvxAiEAx6OEAvl6JKa6
|
|
||||||
+6a+N2Wvhtcgb4qqR6UHQGJQYGJz5nP8CIAvgoR6ScAAWZRoOcm+c4DGMrLb6H+ji
|
|
||||||
+T2tNQkzEz2kBAiEAmw34GStU36STpa6RGJ4+tyZN6jWakDVqf7x+HpfFE1cCIQDc
|
|
||||||
+KzXIxec2taye4OeIa1v4W/MigMmYE9w93Uw/Qi3azA==
|
|
||||||
+-----END RSA PRIVATE KEY-----
|
|
||||||
diff --git a/tests/data_files/rsa521.key b/tests/data_files/rsa521.key
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..0b940aa6
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data_files/rsa521.key
|
|
||||||
@@ -0,0 +1,9 @@
|
|
||||||
+-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
+MIIBPQIBAAJCATG2mGDzy5v4XqNY/fK9KZDxt3qA1qT9+BekPdiWvffdJq+KwCN/
|
|
||||||
+Um4NM7EFyXH9vU/6ns6Z/EafMez0Kej1YsHDAgMBAAECQCdoYjwdMSHp4kksL5Aa
|
|
||||||
+0kDc58ni0chy9IgXo+FHjTVmR9DkaZANrwfVvYMJxqYCZo0im1Dw7ZJBUDJQNXnl
|
|
||||||
+ZokCIRiSk66I24AWa7XGUFvatVwXWi2ACE4QEKqzWQe1mQ24/wIhDHD1TCKpqucA
|
|
||||||
+XDI+1N7EHs+fN4CfTSWe8FPGiK6q3VM9AiESrKKLi/q011U4KeS8SfR2blDcL2cg
|
|
||||||
+XFkuQWqxzzLoGOUCIQmgl5E0+Ypwe0zc7NYZFDarf4+ZjqxKQnXCvk0irMHcGQIh
|
|
||||||
+EVPli6RQb3Gcx7vXJHltzSTno7NElzBDRMBVUlBmVxAJ
|
|
||||||
+-----END RSA PRIVATE KEY-----
|
|
||||||
diff --git a/tests/data_files/rsa522.key b/tests/data_files/rsa522.key
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..18fbe70c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data_files/rsa522.key
|
|
||||||
@@ -0,0 +1,9 @@
|
|
||||||
+-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
+MIIBPgIBAAJCAtMCdT492ij0L02fkshkdCDqb7yXwQ+EmLlmqVPzV2mNZYEGDf4y
|
|
||||||
+yKuY20vFzirN8MHm5ASnWhMoJVDBqjfTzci/AgMBAAECQU05ffxf7uVg74yC9tKg
|
|
||||||
+qCa746NpMh3OM+HZrUxiOXv0sJMRXNEPD5HNLtgcNY6MI5NYbUvkOXktnFZpxWYP
|
|
||||||
+TH7BAiEeFJGs5Z6gRd2v/IbYLMFDHgjqho04INGTOvnyI7lGVKUCIRgJM7moFuoM
|
|
||||||
+UrKTmJK1uOzauWEykCKgc6BGH6TGZoEWkwIhBzQn2v82qO1ydOYGKRk2w2sa+Yd1
|
|
||||||
+pH5/kkHqf+m8QjKdAiEQ9eVW+4J30wxD0JyX4b1E/S5UpN5KYNhWX0US+6D3NBsC
|
|
||||||
+IRxePzdQlutZWg0Cnku3QE1tOLBCFlP7QVVl5FbKcY5H5w==
|
|
||||||
+-----END RSA PRIVATE KEY-----
|
|
||||||
diff --git a/tests/data_files/rsa528.key b/tests/data_files/rsa528.key
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..fd463b54
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data_files/rsa528.key
|
|
||||||
@@ -0,0 +1,9 @@
|
|
||||||
+-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
+MIIBRQIBAAJDAOMcJG1GSFmEJh/RdMqz1DVzRGAuzXk8R9vlQlLTe7NQvGNDWbGV
|
|
||||||
+FVQggORySktnIpG+V8dkj1Finq7yNOhH2ZzGXwIDAQABAkMAsWYyLglQSlwnS4NZ
|
|
||||||
+L1z4zieTqW3lomWr2+BgxkHbxl2w0Rx4L+Ezp+YK6mhtIQWNkoytPvWJJMS7Jrkg
|
|
||||||
+agMAHQJBAiIA+F1y5GO0Bv+igsNLXwwtbCqs8hAkavU9W8egt/oDbhzbAiIA6hds
|
|
||||||
+PZp/s1X7n7dwfmebSs+3vLZFuQfifN8XZLw0CXHNAiEuEzgDQrPdMIN3er96zImI
|
|
||||||
+rYoUBgabiQ9u/WPFfa4xOU0CIgDDYC089Tfjy72pPgcr2PkpZVhqro5esg/8PI5f
|
|
||||||
+yxx7TXkCIgCYoE8Y5IxomtL1ub1AQzPe9UyyUGzQB1yWeiloJh6LjxA=
|
|
||||||
+-----END RSA PRIVATE KEY-----
|
|
||||||
diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
index ac16beb8..6d31494e 100644
|
|
||||||
--- a/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
+++ b/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
@@ -787,3 +787,35 @@ RSASSA-PSS Signature verify options #13 (MGF1 alg != MSG hash alg, arg wrong)
|
|
||||||
depends_on:MBEDTLS_SHA256_C
|
|
||||||
pkcs1_rsassa_pss_verify_ext:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":MBEDTLS_MD_NONE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:MBEDTLS_RSA_SALT_LEN_ANY:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":"7fc506d26ca3b22922a1ce39faaedd273161b82d9443c56f1a034f131ae4a18cae1474271cb4b66a17d9707ca58b0bdbd3c406b7e65bbcc9bbbce94dc45de807b4989b23b3e4db74ca29298137837eb90cc83d3219249bc7d480fceaf075203a86e54c4ecfa4e312e39f8f69d76534089a36ed9049ca9cfd5ab1db1fa75fe5c8":0:MBEDTLS_ERR_RSA_INVALID_PADDING
|
|
||||||
|
|
||||||
+RSASSA-PSS verify ext, 512-bit key, empty salt, good signature
|
|
||||||
+depends_on:MBEDTLS_SHA256_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf246":0:0
|
|
||||||
+
|
|
||||||
+RSASSA-PSS verify ext, 512-bit key, empty salt, bad signature
|
|
||||||
+depends_on:MBEDTLS_SHA256_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf247":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING
|
|
||||||
+
|
|
||||||
+RSASSA-PSS verify ext, 522-bit key, SHA-512, empty salt, good signature
|
|
||||||
+depends_on:MBEDTLS_SHA512_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:522:16:"02d302753e3dda28f42f4d9f92c8647420ea6fbc97c10f8498b966a953f357698d6581060dfe32c8ab98db4bc5ce2acdf0c1e6e404a75a13282550c1aa37d3cdc8bf":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"016752ae0b5dfbade6bbd3dd37868d48c8d741f92dca41c360aeda553204c2212a117b1a3d77e0d3f48723503c46e16c8a64de00f1dee3e37e478417452630859486":0:0
|
|
||||||
+
|
|
||||||
+RSASSA-PSS verify ext, 528-bit key, SHA-512, saltlen=64, good signature with saltlen=0
|
|
||||||
+depends_on:MBEDTLS_SHA512_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:64:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:MBEDTLS_ERR_RSA_INVALID_PADDING
|
|
||||||
+
|
|
||||||
+RSASSA-PSS verify ext, 528-bit key, SHA-512, empty salt, good signature
|
|
||||||
+depends_on:MBEDTLS_SHA512_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:0
|
|
||||||
+
|
|
||||||
+RSASSA-PSS verify ext, 528-bit key, SHA-512, saltlen=64, good signature with saltlen=0
|
|
||||||
+depends_on:MBEDTLS_SHA512_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:64:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:MBEDTLS_ERR_RSA_INVALID_PADDING
|
|
||||||
+
|
|
||||||
+RSASSA-PSS verify ext, 512-bit key, SHA-512 (hash too large)
|
|
||||||
+depends_on:MBEDTLS_SHA512_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf246":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
|
|
||||||
+
|
|
||||||
+RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature
|
|
||||||
+depends_on:MBEDTLS_SHA512_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING
|
|
||||||
+
|
|
||||||
--
|
|
||||||
2.16.2
|
|
||||||
|
|
@ -1,108 +0,0 @@
|
|||||||
From d85814a0d05cf9f81d00cf25ad89e732bcda0bd5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
||||||
Date: Tue, 17 Oct 2017 19:02:13 +0200
|
|
||||||
Subject: [PATCH] RSA: Fix another buffer overflow in PSS signature
|
|
||||||
verification
|
|
||||||
|
|
||||||
Fix buffer overflow in RSA-PSS signature verification when the masking
|
|
||||||
operation results in an all-zero buffer. This could happen at any key size.
|
|
||||||
---
|
|
||||||
library/rsa.c | 21 +++++++++++----------
|
|
||||||
tests/suites/test_suite_pkcs1_v21.data | 4 ++++
|
|
||||||
2 files changed, 15 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/library/rsa.c b/library/rsa.c
|
|
||||||
index a4e3ee68..f9aec227 100644
|
|
||||||
--- a/library/rsa.c
|
|
||||||
+++ b/library/rsa.c
|
|
||||||
@@ -1319,10 +1319,11 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|
||||||
int ret;
|
|
||||||
size_t siglen;
|
|
||||||
unsigned char *p;
|
|
||||||
+ unsigned char *hash_start;
|
|
||||||
unsigned char result[MBEDTLS_MD_MAX_SIZE];
|
|
||||||
unsigned char zeros[8];
|
|
||||||
unsigned int hlen;
|
|
||||||
- size_t slen, msb;
|
|
||||||
+ size_t observed_salt_len, msb;
|
|
||||||
const mbedtls_md_info_t *md_info;
|
|
||||||
mbedtls_md_context_t md_ctx;
|
|
||||||
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
|
|
||||||
@@ -1364,7 +1365,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|
||||||
hlen = mbedtls_md_get_size( md_info );
|
|
||||||
if( siglen < hlen + 2 )
|
|
||||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
- slen = siglen - hlen - 1; /* Currently length of salt + padding */
|
|
||||||
+ hash_start = buf + siglen - hlen - 1;
|
|
||||||
|
|
||||||
memset( zeros, 0, 8 );
|
|
||||||
|
|
||||||
@@ -1379,6 +1380,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|
||||||
p++;
|
|
||||||
siglen -= 1;
|
|
||||||
}
|
|
||||||
+ else
|
|
||||||
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
|
|
||||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
|
|
||||||
@@ -1389,25 +1391,24 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|
||||||
return( ret );
|
|
||||||
}
|
|
||||||
|
|
||||||
- mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
|
|
||||||
+ mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
|
|
||||||
|
|
||||||
buf[0] &= 0xFF >> ( siglen * 8 - msb );
|
|
||||||
|
|
||||||
- while( p < buf + siglen && *p == 0 )
|
|
||||||
+ while( p < hash_start - 1 && *p == 0 )
|
|
||||||
p++;
|
|
||||||
|
|
||||||
- if( p == buf + siglen ||
|
|
||||||
+ if( p == hash_start ||
|
|
||||||
*p++ != 0x01 )
|
|
||||||
{
|
|
||||||
mbedtls_md_free( &md_ctx );
|
|
||||||
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Actual salt len */
|
|
||||||
- slen -= p - buf;
|
|
||||||
+ observed_salt_len = hash_start - p;
|
|
||||||
|
|
||||||
if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
|
|
||||||
- slen != (size_t) expected_salt_len )
|
|
||||||
+ observed_salt_len != (size_t) expected_salt_len )
|
|
||||||
{
|
|
||||||
mbedtls_md_free( &md_ctx );
|
|
||||||
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
|
|
||||||
@@ -1419,12 +1420,12 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|
||||||
mbedtls_md_starts( &md_ctx );
|
|
||||||
mbedtls_md_update( &md_ctx, zeros, 8 );
|
|
||||||
mbedtls_md_update( &md_ctx, hash, hashlen );
|
|
||||||
- mbedtls_md_update( &md_ctx, p, slen );
|
|
||||||
+ mbedtls_md_update( &md_ctx, p, observed_salt_len );
|
|
||||||
mbedtls_md_finish( &md_ctx, result );
|
|
||||||
|
|
||||||
mbedtls_md_free( &md_ctx );
|
|
||||||
|
|
||||||
- if( memcmp( p + slen, result, hlen ) == 0 )
|
|
||||||
+ if( memcmp( hash_start, result, hlen ) == 0 )
|
|
||||||
return( 0 );
|
|
||||||
else
|
|
||||||
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
|
|
||||||
diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
index 6d31494e..7c202e9c 100644
|
|
||||||
--- a/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
+++ b/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
@@ -819,3 +819,7 @@ RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature
|
|
||||||
depends_on:MBEDTLS_SHA512_C
|
|
||||||
pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING
|
|
||||||
|
|
||||||
+RSASSA-PSS verify ext, all-zero padding, automatic salt length
|
|
||||||
+depends_on:MBEDTLS_SHA256_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_NONE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:"":"63a35294577c7e593170378175b7df27c293dae583ec2a971426eb2d66f2af483e897bfae5dc20300a9d61a3644e08c3aee61a463690a3498901563c46041056":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING
|
|
||||||
+
|
|
||||||
--
|
|
||||||
2.16.2
|
|
||||||
|
|
@ -1,55 +0,0 @@
|
|||||||
From 1f7bffd54c78dd140594b7c8474195e2f2f59b85 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
||||||
Date: Wed, 18 Oct 2017 19:03:42 +0200
|
|
||||||
Subject: [PATCH] RSA PSS: fix minimum length check for keys of size 8N+1
|
|
||||||
|
|
||||||
The check introduced by the previous security fix was off by one. It
|
|
||||||
fixed the buffer overflow but was not compliant with the definition of
|
|
||||||
PSS which technically led to accepting some invalid signatures (but
|
|
||||||
not signatures made without the private key).
|
|
||||||
---
|
|
||||||
library/rsa.c | 7 ++++---
|
|
||||||
tests/suites/test_suite_pkcs1_v21.data | 2 +-
|
|
||||||
2 files changed, 5 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/library/rsa.c b/library/rsa.c
|
|
||||||
index f9aec227..f25137ab 100644
|
|
||||||
--- a/library/rsa.c
|
|
||||||
+++ b/library/rsa.c
|
|
||||||
@@ -1363,9 +1363,6 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|
||||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
|
|
||||||
hlen = mbedtls_md_get_size( md_info );
|
|
||||||
- if( siglen < hlen + 2 )
|
|
||||||
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
- hash_start = buf + siglen - hlen - 1;
|
|
||||||
|
|
||||||
memset( zeros, 0, 8 );
|
|
||||||
|
|
||||||
@@ -1384,6 +1381,10 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|
||||||
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
|
|
||||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
|
|
||||||
+ if( siglen < hlen + 2 )
|
|
||||||
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
+ hash_start = p + siglen - hlen - 1;
|
|
||||||
+
|
|
||||||
mbedtls_md_init( &md_ctx );
|
|
||||||
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
|
|
||||||
{
|
|
||||||
diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
index 7c202e9c..7785b123 100644
|
|
||||||
--- a/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
+++ b/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
@@ -817,7 +817,7 @@ pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369
|
|
||||||
|
|
||||||
RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature
|
|
||||||
depends_on:MBEDTLS_SHA512_C
|
|
||||||
-pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
|
|
||||||
|
|
||||||
RSASSA-PSS verify ext, all-zero padding, automatic salt length
|
|
||||||
depends_on:MBEDTLS_SHA256_C
|
|
||||||
--
|
|
||||||
2.16.2
|
|
||||||
|
|
@ -1,60 +0,0 @@
|
|||||||
From 4b9854d025974f6538a9e2df78f3d9758ccca207 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
||||||
Date: Thu, 19 Oct 2017 15:23:49 +0200
|
|
||||||
Subject: [PATCH] RSA PSS: fix first byte check for keys of size 8N+1
|
|
||||||
|
|
||||||
For a key of size 8N+1, check that the first byte after applying the
|
|
||||||
public key operation is 0 (it could have been 1 instead). The code was
|
|
||||||
incorrectly doing a no-op check instead, which led to invalid
|
|
||||||
signatures being accepted. Not a security flaw, since you would need the
|
|
||||||
private key to craft such an invalid signature, but a bug nonetheless.
|
|
||||||
---
|
|
||||||
library/rsa.c | 6 +++---
|
|
||||||
tests/suites/test_suite_pkcs1_v21.data | 8 ++++++++
|
|
||||||
2 files changed, 11 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/library/rsa.c b/library/rsa.c
|
|
||||||
index f25137ab..b54960fb 100644
|
|
||||||
--- a/library/rsa.c
|
|
||||||
+++ b/library/rsa.c
|
|
||||||
@@ -1371,15 +1371,15 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|
||||||
*/
|
|
||||||
msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
|
|
||||||
|
|
||||||
+ if( buf[0] >> ( 8 - siglen * 8 + msb ) )
|
|
||||||
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
+
|
|
||||||
/* Compensate for boundary condition when applying mask */
|
|
||||||
if( msb % 8 == 0 )
|
|
||||||
{
|
|
||||||
p++;
|
|
||||||
siglen -= 1;
|
|
||||||
}
|
|
||||||
- else
|
|
||||||
- if( buf[0] >> ( 8 - siglen * 8 + msb ) )
|
|
||||||
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
|
|
||||||
if( siglen < hlen + 2 )
|
|
||||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
index 7785b123..6258c626 100644
|
|
||||||
--- a/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
+++ b/tests/suites/test_suite_pkcs1_v21.data
|
|
||||||
@@ -819,6 +819,14 @@ RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature
|
|
||||||
depends_on:MBEDTLS_SHA512_C
|
|
||||||
pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
|
|
||||||
|
|
||||||
+RSASSA-PSS verify ext, 521-bit key, SHA-256, empty salt, good signature
|
|
||||||
+depends_on:MBEDTLS_SHA256_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"41":"009c4941157fa36288e467310b198ab0c615c40963d611ffeef03000549ded809235955ecc57adba44782e9497c004f480ba2b3d58db8335fe0b391075c02c843a6d":0:0
|
|
||||||
+
|
|
||||||
+RSASSA-PSS verify ext, 521-bit key, SHA-256, empty salt, flipped-highest-bit signature
|
|
||||||
+depends_on:MBEDTLS_SHA256_C
|
|
||||||
+pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"41":"00e11a2403df681c44a1f73f014b6c9ad17847d0b673f7c2a801cee208d10ab5792c10cd0cd495a4b331aaa521409fca7cb1b0d978b3a84cd67e28078b98753e9466":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
|
|
||||||
+
|
|
||||||
RSASSA-PSS verify ext, all-zero padding, automatic salt length
|
|
||||||
depends_on:MBEDTLS_SHA256_C
|
|
||||||
pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_NONE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:"":"63a35294577c7e593170378175b7df27c293dae583ec2a971426eb2d66f2af483e897bfae5dc20300a9d61a3644e08c3aee61a463690a3498901563c46041056":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING
|
|
||||||
--
|
|
||||||
2.16.2
|
|
||||||
|
|
@ -1,31 +0,0 @@
|
|||||||
From f23dcce9e1a12b1895d3bfd190e704f539ddeffb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
||||||
Date: Thu, 19 Oct 2017 17:46:14 +0200
|
|
||||||
Subject: [PATCH] RSA PSS: remove redundant check; changelog
|
|
||||||
|
|
||||||
Remove a check introduced in the previous buffer overflow fix with keys of
|
|
||||||
size 8N+1 which the subsequent fix for buffer start calculations made
|
|
||||||
redundant.
|
|
||||||
|
|
||||||
Added a changelog entry for the buffer start calculation fix.
|
|
||||||
---
|
|
||||||
library/rsa.c | 3 +--
|
|
||||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/library/rsa.c b/library/rsa.c
|
|
||||||
index b54960fb..148f6b34 100644
|
|
||||||
--- a/library/rsa.c
|
|
||||||
+++ b/library/rsa.c
|
|
||||||
@@ -1399,8 +1399,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|
||||||
while( p < hash_start - 1 && *p == 0 )
|
|
||||||
p++;
|
|
||||||
|
|
||||||
- if( p == hash_start ||
|
|
||||||
- *p++ != 0x01 )
|
|
||||||
+ if( *p++ != 0x01 )
|
|
||||||
{
|
|
||||||
mbedtls_md_free( &md_ctx );
|
|
||||||
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
|
|
||||||
--
|
|
||||||
2.16.2
|
|
||||||
|
|