Skip to content

Commit

Permalink
Merge #3192
Browse files Browse the repository at this point in the history 
3192: Update upstream mbedTLS patches backported to v2.16 r=mingweishih a=CodeMonkeyLeet

- Add 0001-Avoid-stack-allocation-of-large-memory-buffers.patch from upstream [mbedTLS PR #3464](Mbed-TLS/mbedtls#3464).
- Replace 0001-Patch-x509_write_crt.c-for-attestedTLS.patch with patch from upstream mbedTLS 0001-Backport-2632-code-changes-to-2.16.patch. This contains commits 6ad3fd1, 4063ad2 and 67d4259 from [mbedTLS PR #2632](Mbed-TLS/mbedtls#2632).
- Apply the upstream changes to 3rdparty/mbedtls.

Fixes #3170

Signed-off-by: Simon Leet <[email protected]>

Co-authored-by: Simon Leet <[email protected]>
  • Loading branch information
@oeciteam
oeciteam and Simon Leet committed Jun 29, 2020
2 parents 2aafc33 + 5848adb commit cf548a0
Show file tree
Hide file tree
Showing 6 changed files with 913 additions and 346 deletions.
242 changes: 242 additions & 0 deletions 3rdparty/mbedtls/0001-Avoid-stack-allocation-of-large-memory-buffers.patch
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,242 @@
From 2da3b74f8cdea7c22eb48e74332dc42b800a68e8 Mon Sep 17 00:00:00 2001
From: Doru Gucea <[email protected]>
Date: Fri, 14 Dec 2018 21:08:35 +0200
Subject: [PATCH] Avoid stack-allocation of large memory buffers

Using a stack-buffer with a size > 2K could easily produce a stack
overflow for an embedded device which has a limited stack size.
This commit dynamically allocates the large CSR buffer.

This commit avoids using a temporary buffer for storing the OIDs.
A single buffer is used:
a) OIDs are written backwards starting with the end of the buffer;
b) OIDs are memmove'd to the beginning of the buffer;
c) signature over this OIDs is computed and written backwards from the
end of the buffer;
d) the two memory regions are compacted.

Signed-off-by: Doru Gucea <[email protected]>
---
3rdparty/mbedtls/mbedtls/library/x509write_csr.c | 146 ++++++++++++++++++++++++++++------------
1 file changed, 102 insertions(+), 44 deletions(-)

diff --git a/3rdparty/mbedtls/mbedtls/library/x509write_csr.c b/3rdparty/mbedtls/mbedtls/library/x509write_csr.c
index d1b0716c9..ac5eaaa4a 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509write_csr.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509write_csr.c
@@ -81,6 +81,14 @@
#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
#endif

+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc calloc
+#define mbedtls_free free
+#endif
+
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
{
memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
@@ -187,71 +195,85 @@ int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
return( 0 );
}

-int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng )
+static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx,
+ unsigned char *buf,
+ size_t size,
+ unsigned char *sig,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret;
const char *sig_oid;
size_t sig_oid_len = 0;
unsigned char *c, *c2;
unsigned char hash[64];
- unsigned char sig[SIGNATURE_MAX_SIZE];
- unsigned char tmp_buf[2048];
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
mbedtls_pk_type_t pk_alg;

- /*
- * Prepare data to be signed in tmp_buf
- */
- c = tmp_buf + sizeof( tmp_buf );
+ /* Write the CSR backwards starting from the end of buf */
+ c = buf + size;

- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, buf,
+ ctx->extensions ) );

if( len )
{
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE ) );
-
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SET ) );
-
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &c, tmp_buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
- MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
-
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ) );
+
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_oid(
+ &c, buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
+ MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
+
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
}

- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );

MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->key,
- tmp_buf, c - tmp_buf ) );
+ buf, c - buf ) );
c -= pub_len;
len += pub_len;

/*
* Subject ::= Name
*/
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, buf,
+ ctx->subject ) );

/*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, tmp_buf, 0 ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 0 ) );

- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );

/*
- * Prepare signature
+ * Sign the written CSR data into the sig buffer
+ * Note: hash errors can happen only after an internal error
*/
ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
if( ret != 0 )
@@ -271,32 +293,68 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s
return( MBEDTLS_ERR_X509_INVALID_ALG );

if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
- &sig_oid, &sig_oid_len ) ) != 0 )
+ &sig_oid, &sig_oid_len ) ) != 0 )
{
return( ret );
}

/*
- * Write data to output buffer
+ * Move the written CSR data to the start of buf to create space for
+ * writing the signature into buf.
*/
- c2 = buf + size;
- MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
- sig_oid, sig_oid_len, sig, sig_len ) );
+ memmove( buf, c, len );

- if( len > (size_t)( c2 - buf ) )
- return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+ /*
+ * Write sig and its OID into buf backwards from the end of buf.
+ * Note: mbedtls_x509_write_sig will check for c2 - ( buf + len ) < sig_len
+ * and return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if needed.
+ */
+ c2 = buf + size;
+ MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len,
+ mbedtls_x509_write_sig( &c2, buf + len, sig_oid, sig_oid_len,
+ sig, sig_len ) );

+ /*
+ * Compact the space between the CSR data and signature by moving the
+ * CSR data to the start of the signature.
+ */
c2 -= len;
- memcpy( c2, c, len );
+ memmove( c2, buf, len );

+ /* ASN encode the total size and tag the CSR data with it. */
len += sig_and_oid_len;
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c2, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+ /* Zero the unused bytes at the start of buf */
+ memset( buf, 0, c2 - buf);

return( (int) len );
}

+int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf,
+ size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
+{
+ int ret;
+ unsigned char *sig;
+
+ if( ( sig = mbedtls_calloc( 1, SIGNATURE_MAX_SIZE ) ) == NULL )
+ {
+ return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+ }
+
+ ret = x509write_csr_der_internal( ctx, buf, size, sig, f_rng, p_rng );
+
+ mbedtls_free( sig );
+
+ return( ret );
+}
+
#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"

--
2.17.1
Loading

0 comments on commit cf548a0

Please sign in to comment.