Add missing validity checks to CSR verification #22069

tcarmelveilleux · 2022-08-22T13:50:52Z

Problem

SDK's CSR verification (VerifyCertificateSigningRequest) allowed trailing
garbage past the end of the buffer if the primary SEQUENCE element is OK
and checks-out. This is looser enforcement than some crypto libraries
which expect a CSR to be 100% valid ASN.1 DER and have no unnecessary bytes
or otherwise unparsable bytes.

Fixes #22068

Change overview

Adds validity checks for size and basic format that catches
the problem.
Adds unit tests that use externally generated CSRs to validate
the VerifyCertificateSigningRequest logic, rather than only
relying on round-trips with generation.

Testing

Added new unit tests. Existing unit tests pass
Tested under OpenSSL, BoringSSL and mbedTLS

- SDK's CSR verification (VerifyCertificateSigningRequest) allowed trailing garbage past the end of the buffer if the primary SEQUENCE element is OK and checks-out. This is looser enforcement than some crypto libraries which expect a CSR to be 100% valid ASN.1 DER and have no unnecessary bytes or otherwise unparsable bytes. Fixes project-chip#22068 This PR: - Adds validity checks for size and basic format that catches the problem. - Adds unit tests that use externally generated CSRs to validate the `VerifyCertificateSigningRequest` logic, rather than only relying on round-trips with generation. Testing done: - Added new unit tests. Existing unit tests pass - Tested under OpenSSL, BoringSSL and mbedTLS

github-actions · 2022-08-22T14:20:42Z

PR #22069: Size comparison from a8d12af to 5ce2840

Increases (5 builds for linux, psoc6)

platform	target	config	section	`a8d12af`	`5ce2840`	change
linux	chip-tool-ipv6only	arm64	(read only)	10259132	10259676	544
			.text	`8127428`	8127972	544
psoc6	all-clusters	cy8ckit_062s2_43012	.debug_aranges	111528	111536	8
			.debug_frame	372352	372384	32
			.debug_info	26643194	26644075	881
			.debug_line	`3646641`	3647023	382
			.debug_loc	`3562036`	`3562493`	457
			.debug_ranges	336576	336608	32
			.debug_str	3393852	3393979	127
	all-clusters-minimal	cy8ckit_062s2_43012	.debug_aranges	111000	111008	8
			.debug_frame	375432	375464	32
			.debug_info	26379889	26380770	881
			.debug_line	3667045	3667427	382
			.debug_loc	3549673	3550130	457
			.debug_ranges	335192	335224	32
			.debug_str	3382841	3382968	127
	light	cy8ckit_062s2_43012	.debug_aranges	103168	103176	8
			.debug_frame	345676	345708	32
			.debug_info	21844448	21845327	879
			.debug_line	3238223	3238611	388
			.debug_loc	3249205	`3249753`	548
			.debug_ranges	301032	301064	32
			.debug_str	3188935	`3189062`	127
	lock	cy8ckit_062s2_43012	.debug_aranges	103840	103848	8
			.debug_frame	348500	348532	32
			.debug_info	22199614	22200495	881
			.debug_line	3246909	`3247293`	384
			.debug_loc	3289325	3289828	503
			.debug_ranges	304448	304480	32
			.debug_str	`3216366`	`3216493`	127

Decreases (3 builds for bl602, telink)

platform	target	config	section	`a8d12af`	`5ce2840`	change	% change
bl602	lighting-app	bl602	.text	1051052	1051048	-4	-0.0
telink	light-switch-app	tlsr9518adk80d	text	571316	571314	-2	-0.0
	lighting-app	tlsr9518adk80d	(read/write)	830680	830672	-8	-0.0
			text	589406	589404	-2	-0.0

Full report (32 builds for bl602, cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, psoc6, telink)

platform	target	config	section	`a8d12af`	`5ce2840`	change	% change
bl602	lighting-app	bl602	(read/write)	1383866	1383866	0	0.0
			.bss	120258	120258	0	0.0
			.data	4480	4480	0	0.0
			.text	1051052	1051048	-4	-0.0
		bl602+rpc	(read/write)	1429378	1429378	0	0.0
			.bss	127698	127698	0	0.0
			.data	4600	4600	0	0.0
			.text	1082808	1082808	0	0.0
cc13x2_26x2	all-clusters-app	LP_CC2652R7	(read only)	673035	673035	0	0.0
			(read/write)	178460	178460	0	0.0
			.bss	74388	74388	0	0.0
			.data	3372	3372	0	0.0
			.rodata	88835	88835	0	0.0
			.text	583884	583884	0	0.0
	all-clusters-minimal-app	LP_CC2652R7	(read only)	637755	637755	0	0.0
			(read/write)	157948	157948	0	0.0
			.bss	73660	73660	0	0.0
			.data	3372	3372	0	0.0
			.rodata	77979	77979	0	0.0
			.text	559452	559452	0	0.0
	lock-ftd	LP_CC2652R7	(read only)	674087	674087	0	0.0
			(read/write)	167608	167608	0	0.0
			.bss	71476	71476	0	0.0
			.data	3296	3296	0	0.0
			.rodata	76671	76671	0	0.0
			.text	596936	596936	0	0.0
	lock-mtd	LP_CC2652R7	(read only)	656839	656839	0	0.0
			(read/write)	180544	180544	0	0.0
			.bss	67164	67164	0	0.0
			.data	3296	3296	0	0.0
			.rodata	101759	101759	0	0.0
			.text	554600	554600	0	0.0
	pump-app	LP_CC2652R7	(read only)	684759	684759	0	0.0
			(read/write)	157744	157744	0	0.0
			.bss	71516	71516	0	0.0
			.data	3296	3296	0	0.0
			.rodata	89959	89959	0	0.0
			.text	594316	594316	0	0.0
	pump-controller-app	LP_CC2652R7	(read only)	669251	669251	0	0.0
			(read/write)	173372	173372	0	0.0
			.bss	71636	71636	0	0.0
			.data	3292	3292	0	0.0
			.rodata	85515	85515	0	0.0
			.text	583256	583256	0	0.0
	shell	LP_CC2652R7	(read only)	665718	665718	0	0.0
			(read/write)	181296	181296	0	0.0
			.bss	76708	76708	0	0.0
			.data	3376	3376	0	0.0
			.rodata	85782	85782	0	0.0
			.text	579620	579620	0	0.0
cyw30739	light	cyw930739m2evb_01	(read/write)	586626	586626	0	0.0
			.app_xip_area	463292	463292	0	0.0
			.bss	65768	65768	0	0.0
			.data	744	744	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
	lock	cyw930739m2evb_01	(read/write)	592426	592426	0	0.0
			.app_xip_area	464308	464308	0	0.0
			.bss	70552	70552	0	0.0
			.data	748	748	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
	ota-requestor-no-progress-logging	cyw930739m2evb_01	(read/write)	599546	599546	0	0.0
			.app_xip_area	476932	476932	0	0.0
			.bss	65080	65080	0	0.0
			.data	716	716	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
efr32	lighting-app	BRD4161A	(read/write)	1104716	1104716	0	0.0
			.bss	133572	133572	0	0.0
			.data	2072	2072	0	0.0
			.text	969052	969052	0	0.0
		BRD4161A+rpc	(read/write)	967916	967916	0	0.0
			.bss	147572	147572	0	0.0
			.data	2252	2252	0	0.0
			.text	818068	818068	0	0.0
		BRD4161A+rs911x	(read/write)	997968	997968	0	0.0
			.bss	166992	166992	0	0.0
			.data	2056	2056	0	0.0
			.text	828900	828900	0	0.0
	lock-app	BRD4161A+wf200	(read/write)	1147332	1147332	0	0.0
			.bss	150168	150168	0	0.0
			.data	2064	2064	0	0.0
			.text	995080	995080	0	0.0
	window-app	BRD4161A	(read/write)	`1096044`	`1096044`	0	0.0
			.bss	135012	135012	0	0.0
			.data	2096	2096	0	0.0
			.text	958916	958916	0	0.0
esp32	all-clusters-app	c3devkit	(read only)	`1031268`	`1031268`	0	0.0
			(read/write)	1489610	1489610	0	0.0
			.dram0.bss	71136	71136	0	0.0
			.dram0.data	14600	14600	0	0.0
			.flash.rodata	218440	218440	0	0.0
			.flash.text	`1031268`	`1031268`	0	0.0
			.iram0.text	62902	62902	0	0.0
		m5stack	(read only)	1084371	1084371	0	0.0
			(read/write)	491544	491544	0	0.0
			.dram0.bss	76640	76640	0	0.0
			.dram0.data	34144	34144	0	0.0
			.flash.rodata	248764	248764	0	0.0
			.flash.text	1078987	1078987	0	0.0
			.iram0.text	123267	123267	0	0.0
k32w	light	k32w0+release	(read/write)	646676	646676	0	0.0
			.bss	70400	70400	0	0.0
			.data	2068	2068	0	0.0
			.text	571480	571480	0	0.0
	lock	k32w0+release	(read/write)	704212	704212	0	0.0
			.bss	70864	70864	0	0.0
			.data	2076	2076	0	0.0
			.text	628544	628544	0	0.0
linux	chip-tool-ipv6only	arm64	(read only)	10259132	10259676	544	0.0
			(read/write)	699137	699137	0	0.0
			.bss	33297	33297	0	0.0
			.data	3272	3272	0	0.0
			.data.rel.ro	643824	643824	0	0.0
			.dynamic	560	560	0	0.0
			.got	13784	13784	0	0.0
			.init	24	24	0	0.0
			.init_array	192	192	0	0.0
			.rodata	493564	493564	0	0.0
			.text	`8127428`	8127972	544	0.0
	thermostat-no-ble	arm64	(read only)	2357300	2357300	0	0.0
			(read/write)	141825	141825	0	0.0
			.bss	55345	55345	0	0.0
			.data	1672	1672	0	0.0
			.data.rel.ro	75984	75984	0	0.0
			.dynamic	560	560	0	0.0
			.got	5048	5048	0	0.0
			.init	24	24	0	0.0
			.init_array	408	408	0	0.0
			.rodata	140620	140620	0	0.0
			.text	1978960	1978960	0	0.0
mbed	lock-app	CY8CPROTO_062_4343W+release	(read only)	6224	6224	0	0.0
			(read/write)	2454328	2454328	0	0.0
			.bss	215044	215044	0	0.0
			.data	5872	5872	0	0.0
			.text	1416972	1416972	0	0.0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	(read/write)	1180603	1180603	0	0.0
			bss	143737	143737	0	0.0
			rodata	143356	143356	0	0.0
			text	814672	814672	0	0.0
	all-clusters-minimal-app	nrf52840dk_nrf52840	(read/write)	1159815	1159815	0	0.0
			bss	142964	142964	0	0.0
			rodata	134944	134944	0	0.0
			text	803080	803080	0	0.0
psoc6	all-clusters	cy8ckit_062s2_43012	(read only)	881000	881000	0	0.0
			(read/write)	1700996	1700996	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	149688	149688	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2656	2656	0	0.0
			.debug_abbrev	1217459	1217459	0	0.0
			.debug_aranges	111528	111536	8	0.0
			.debug_frame	372352	372384	32	0.0
			.debug_info	26643194	26644075	881	0.0
			.debug_line	`3646641`	3647023	382	0.0
			.debug_loc	`3562036`	`3562493`	457	0.0
			.debug_ranges	336576	336608	32	0.0
			.debug_str	3393852	3393979	127	0.0
			.heap	881000	881000	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	569346	569346	0	0.0
			.symtab	420416	420416	0	0.0
			.text	1540264	1540264	0	0.0
			.zero.table	8	8	0	0.0
			text	0	0	0	0.0
	all-clusters-minimal	cy8ckit_062s2_43012	(read only)	881736	881736	0	0.0
			(read/write)	1644204	1644204	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	148952	148952	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2656	2656	0	0.0
			.debug_abbrev	1209298	1209298	0	0.0
			.debug_aranges	111000	111008	8	0.0
			.debug_frame	375432	375464	32	0.0
			.debug_info	26379889	26380770	881	0.0
			.debug_line	3667045	3667427	382	0.0
			.debug_loc	3549673	3550130	457	0.0
			.debug_ranges	335192	335224	32	0.0
			.debug_str	3382841	3382968	127	0.0
			.heap	881736	881736	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	533820	533820	0	0.0
			.symtab	407008	407008	0	0.0
			.text	`1484208`	`1484208`	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
	light	cy8ckit_062s2_43012	(read only)	890080	890080	0	0.0
			(read/write)	1561436	1561436	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	140816	140816	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2448	2448	0	0.0
			.debug_abbrev	1043971	1043971	0	0.0
			.debug_aranges	103168	103176	8	0.0
			.debug_frame	345676	345708	32	0.0
			.debug_info	21844448	21845327	879	0.0
			.debug_line	3238223	3238611	388	0.0
			.debug_loc	3249205	`3249753`	548	0.0
			.debug_ranges	301032	301064	32	0.0
			.debug_str	3188935	`3189062`	127	0.0
			.heap	890080	890080	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	467101	467101	0	0.0
			.symtab	374064	374064	0	0.0
			.text	1409784	1409784	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
	lock	cy8ckit_062s2_43012	(read only)	885584	885584	0	0.0
			(read/write)	1598724	1598724	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	145296	145296	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2464	2464	0	0.0
			.debug_abbrev	1051147	1051147	0	0.0
			.debug_aranges	103840	103848	8	0.0
			.debug_frame	348500	348532	32	0.0
			.debug_info	22199614	22200495	881	0.0
			.debug_line	3246909	`3247293`	384	0.0
			.debug_loc	3289325	3289828	503	0.0
			.debug_ranges	304448	304480	32	0.0
			.debug_str	`3216366`	`3216493`	127	0.0
			.heap	885584	885584	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	473342	473342	0	0.0
			.symtab	377248	377248	0	0.0
			.text	1442576	1442576	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
telink	light-switch-app	tlsr9518adk80d	(read/write)	808736	808736	0	0.0
			bss	71448	71448	0	0.0
			noinit	43488	43488	0	0.0
			text	571316	571314	-2	-0.0
	lighting-app	tlsr9518adk80d	(read/write)	830680	830672	-8	-0.0
			bss	72304	72304	0	0.0
			noinit	43488	43488	0	0.0
			text	589406	589404	-2	-0.0

src/crypto/CHIPCryptoPAL.h

andy31415 · 2022-08-22T17:16:52Z

/rebase

github-actions · 2022-08-23T01:17:33Z

PR #22069: Size comparison from f6929bb to 45444f7

Increases (11 builds for cc13x2_26x2, esp32, linux, psoc6, telink)

platform	target	config	section	`f6929bb`	`45444f7`	change
cc13x2_26x2	all-clusters-app	LP_CC2652R7	(read/write)	178460	178468	8
esp32	all-clusters-app	c3devkit	(read only)	1031270	`1031272`	2
			.flash.text	1031270	`1031272`	2
linux	chip-tool	debug	(read only)	`1087697`	10877649	672
			.text	8807348	8808020	672
	chip-tool-ipv6only	arm64	(read only)	10259132	10259676	544
			.text	`8127428`	8127972	544
	tv-app	debug	(read only)	3181625	3182297	672
			.text	`2732866`	`2733538`	672
	tv-casting-app	debug	(read only)	5502177	5502833	656
			.text	4886354	4887010	656
psoc6	all-clusters	cy8ckit_062s2_43012	.debug_aranges	111528	111536	8
			.debug_frame	372352	372384	32
			.debug_info	26643196	26644076	880
			.debug_line	`3646641`	3647023	382
			.debug_loc	3562039	`3562496`	457
			.debug_ranges	336576	336608	32
			.debug_str	3393852	3393979	127
	all-clusters-minimal	cy8ckit_062s2_43012	.debug_aranges	111000	111008	8
			.debug_frame	375432	375464	32
			.debug_info	26379890	26380771	881
			.debug_line	3667045	3667427	382
			.debug_loc	3549676	3550133	457
			.debug_ranges	335192	335224	32
			.debug_str	3382841	3382968	127
	light	cy8ckit_062s2_43012	.debug_aranges	103168	103176	8
			.debug_frame	345676	345708	32
			.debug_info	21844446	21845328	882
			.debug_line	3238223	3238611	388
			.debug_loc	3249207	3249755	548
			.debug_ranges	301032	301064	32
			.debug_str	3188935	`3189062`	127
	lock	cy8ckit_062s2_43012	.debug_aranges	103840	103848	8
			.debug_frame	348500	348532	32
			.debug_info	22199616	22200496	880
			.debug_line	3246909	`3247293`	384
			.debug_loc	3289327	3289830	503
			.debug_ranges	304448	304480	32
			.debug_str	`3216366`	`3216493`	127
telink	lighting-app	tlsr9518adk80d	text	589408	589410	2

Decreases (2 builds for cc13x2_26x2, nrfconnect)

platform	target	config	section	`f6929bb`	`45444f7`	change	% change
cc13x2_26x2	all-clusters-app	LP_CC2652R7	(read only)	673035	673027	-8	-0.0
			.text	583884	583876	-8	-0.0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	text	814680	814676	-4	-0.0

Full report (43 builds for bl602, cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, psoc6, telink)

platform	target	config	section	`f6929bb`	`45444f7`	change	% change
bl602	lighting-app	bl602	(read/write)	1383866	1383866	0	0.0
			.bss	120258	120258	0	0.0
			.data	4480	4480	0	0.0
			.text	1051052	1051052	0	0.0
		bl602+rpc	(read/write)	1429378	1429378	0	0.0
			.bss	127698	127698	0	0.0
			.data	4600	4600	0	0.0
			.text	`1082812`	`1082812`	0	0.0
cc13x2_26x2	all-clusters-app	LP_CC2652R7	(read only)	673035	673027	-8	-0.0
			(read/write)	178460	178468	8	0.0
			.bss	74388	74388	0	0.0
			.data	3372	3372	0	0.0
			.rodata	88835	88835	0	0.0
			.text	583884	583876	-8	-0.0
	all-clusters-minimal-app	LP_CC2652R7	(read only)	637755	637755	0	0.0
			(read/write)	157948	157948	0	0.0
			.bss	73660	73660	0	0.0
			.data	3372	3372	0	0.0
			.rodata	77979	77979	0	0.0
			.text	559452	559452	0	0.0
	lock-ftd	LP_CC2652R7	(read only)	674103	674103	0	0.0
			(read/write)	167592	167592	0	0.0
			.bss	71476	71476	0	0.0
			.data	3296	3296	0	0.0
			.rodata	76671	76671	0	0.0
			.text	596952	596952	0	0.0
	lock-mtd	LP_CC2652R7	(read only)	656839	656839	0	0.0
			(read/write)	180544	180544	0	0.0
			.bss	67164	67164	0	0.0
			.data	3296	3296	0	0.0
			.rodata	101759	101759	0	0.0
			.text	554600	554600	0	0.0
	pump-app	LP_CC2652R7	(read only)	684775	684775	0	0.0
			(read/write)	157728	157728	0	0.0
			.bss	71516	71516	0	0.0
			.data	3296	3296	0	0.0
			.rodata	89959	89959	0	0.0
			.text	594332	594332	0	0.0
	pump-controller-app	LP_CC2652R7	(read only)	669267	669267	0	0.0
			(read/write)	173356	173356	0	0.0
			.bss	71636	71636	0	0.0
			.data	3292	3292	0	0.0
			.rodata	85515	85515	0	0.0
			.text	583272	583272	0	0.0
	shell	LP_CC2652R7	(read only)	665718	665718	0	0.0
			(read/write)	181296	181296	0	0.0
			.bss	76708	76708	0	0.0
			.data	3376	3376	0	0.0
			.rodata	85782	85782	0	0.0
			.text	579620	579620	0	0.0
cyw30739	light	cyw930739m2evb_01	(read/write)	586690	586690	0	0.0
			.app_xip_area	463356	463356	0	0.0
			.bss	65768	65768	0	0.0
			.data	744	744	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
	lock	cyw930739m2evb_01	(read/write)	592490	592490	0	0.0
			.app_xip_area	464372	464372	0	0.0
			.bss	70552	70552	0	0.0
			.data	748	748	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
	ota-requestor-no-progress-logging	cyw930739m2evb_01	(read/write)	599610	599610	0	0.0
			.app_xip_area	476996	476996	0	0.0
			.bss	65080	65080	0	0.0
			.data	716	716	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
efr32	lighting-app	BRD4161A	(read/write)	`1107532`	`1107532`	0	0.0
			.bss	136324	136324	0	0.0
			.data	2072	2072	0	0.0
			.text	969116	969116	0	0.0
		BRD4161A+rpc	(read/write)	970732	970732	0	0.0
			.bss	150324	150324	0	0.0
			.data	2252	2252	0	0.0
			.text	818132	818132	0	0.0
		BRD4161A+rs911x	(read/write)	1000136	1000136	0	0.0
			.bss	169080	169080	0	0.0
			.data	2056	2056	0	0.0
			.text	828980	828980	0	0.0
	lock-app	BRD4161A+wf200	(read/write)	1149356	1149356	0	0.0
			.bss	152160	152160	0	0.0
			.data	2064	2064	0	0.0
			.text	995112	995112	0	0.0
	window-app	BRD4161A	(read/write)	`1098860`	`1098860`	0	0.0
			.bss	137764	137764	0	0.0
			.data	2096	2096	0	0.0
			.text	958980	958980	0	0.0
esp32	all-clusters-app	c3devkit	(read only)	1031270	`1031272`	2	0.0
			(read/write)	1489610	1489610	0	0.0
			.dram0.bss	71136	71136	0	0.0
			.dram0.data	14600	14600	0	0.0
			.flash.rodata	218440	218440	0	0.0
			.flash.text	1031270	`1031272`	2	0.0
			.iram0.text	62902	62902	0	0.0
		m5stack	(read only)	1084387	1084387	0	0.0
			(read/write)	491544	491544	0	0.0
			.dram0.bss	76640	76640	0	0.0
			.dram0.data	34144	34144	0	0.0
			.flash.rodata	248764	248764	0	0.0
			.flash.text	1079003	1079003	0	0.0
			.iram0.text	123267	123267	0	0.0
k32w	light	k32w0+release	(read/write)	646676	646676	0	0.0
			.bss	70400	70400	0	0.0
			.data	2068	2068	0	0.0
			.text	571480	571480	0	0.0
	lock	k32w0+release	(read/write)	704220	704220	0	0.0
			.bss	70864	70864	0	0.0
			.data	2076	2076	0	0.0
			.text	628552	628552	0	0.0
linux	all-clusters-app	debug	(read only)	3038505	3038505	0	0.0
			(read/write)	156024	156024	0	0.0
			.bss	61920	61920	0	0.0
			.data	2096	2096	0	0.0
			.data.rel.ro	85624	85624	0	0.0
			.dynamic	608	608	0	0.0
			.got	4568	4568	0	0.0
			.init	27	27	0	0.0
			.init_array	1168	1168	0	0.0
			.rodata	274667	274667	0	0.0
			.text	`2584690`	`2584690`	0	0.0
	all-clusters-minimal-app	debug	(read only)	2874369	2874369	0	0.0
			(read/write)	147624	147624	0	0.0
			.bss	61152	61152	0	0.0
			.data	2064	2064	0	0.0
			.data.rel.ro	78120	78120	0	0.0
			.dynamic	608	608	0	0.0
			.got	4488	4488	0	0.0
			.init	27	27	0	0.0
			.init_array	1152	1152	0	0.0
			.rodata	274859	274859	0	0.0
			.text	2423138	2423138	0	0.0
	bridge-app	debug+rpc	(read only)	2373017	2373017	0	0.0
			(read/write)	127584	127584	0	0.0
			.bss	50656	50656	0	0.0
			.data	3600	3600	0	0.0
			.data.rel.ro	67464	67464	0	0.0
			.dynamic	608	608	0	0.0
			.got	4392	4392	0	0.0
			.init	27	27	0	0.0
			.init_array	824	824	0	0.0
			.rodata	203496	203496	0	0.0
			.text	2006898	2006898	0	0.0
	chip-tool	debug	(read only)	`1087697`	10877649	672	0.0
			(read/write)	651328	651328	0	0.0
			.bss	25240	25240	0	0.0
			.data	3266	3266	0	0.0
			.data.rel.ro	616312	616312	0	0.0
			.dynamic	608	608	0	0.0
			.got	5096	5096	0	0.0
			.init	27	27	0	0.0
			.init_array	768	768	0	0.0
			.rodata	562901	562901	0	0.0
			.text	8807348	8808020	672	0.0
	chip-tool-ipv6only	arm64	(read only)	10259132	10259676	544	0.0
			(read/write)	699137	699137	0	0.0
			.bss	33297	33297	0	0.0
			.data	3272	3272	0	0.0
			.data.rel.ro	643824	643824	0	0.0
			.dynamic	560	560	0	0.0
			.got	13784	13784	0	0.0
			.init	24	24	0	0.0
			.init_array	192	192	0	0.0
			.rodata	493564	493564	0	0.0
			.text	`8127428`	8127972	544	0.0
	lighting-app	debug+rpc	(read only)	2597033	2597033	0	0.0
			(read/write)	130176	130176	0	0.0
			.bss	49760	49760	0	0.0
			.data	2096	2096	0	0.0
			.data.rel.ro	72360	72360	0	0.0
			.dynamic	608	608	0	0.0
			.got	4392	4392	0	0.0
			.init	27	27	0	0.0
			.init_array	920	920	0	0.0
			.rodata	220304	220304	0	0.0
			.text	2206018	2206018	0	0.0
	lock-app	debug	(read only)	2580945	2580945	0	0.0
			(read/write)	125512	125512	0	0.0
			.bss	48288	48288	0	0.0
			.data	1712	1712	0	0.0
			.data.rel.ro	69512	69512	0	0.0
			.dynamic	608	608	0	0.0
			.got	4464	4464	0	0.0
			.init	27	27	0	0.0
			.init_array	896	896	0	0.0
			.rodata	237360	237360	0	0.0
			.text	`2176930`	`2176930`	0	0.0
	ota-provider-app	debug	(read only)	`2358105`	`2358105`	0	0.0
			(read/write)	118976	118976	0	0.0
			.bss	47808	47808	0	0.0
			.data	1936	1936	0	0.0
			.data.rel.ro	63336	63336	0	0.0
			.dynamic	608	608	0	0.0
			.got	4488	4488	0	0.0
			.init	27	27	0	0.0
			.init_array	760	760	0	0.0
			.rodata	209336	209336	0	0.0
			.text	1985298	1985298	0	0.0
	ota-requestor-app	debug	(read only)	2523385	2523385	0	0.0
			(read/write)	127320	127320	0	0.0
			.bss	50336	50336	0	0.0
			.data	2304	2304	0	0.0
			.data.rel.ro	68728	68728	0	0.0
			.dynamic	608	608	0	0.0
			.got	4480	4480	0	0.0
			.init	27	27	0	0.0
			.init_array	848	848	0	0.0
			.rodata	216160	216160	0	0.0
			.text	2134658	2134658	0	0.0
	shell	debug	(read only)	`2606809`	`2606809`	0	0.0
			(read/write)	142144	142144	0	0.0
			.bss	57832	57832	0	0.0
			.data	1264	1264	0	0.0
			.data.rel.ro	77224	77224	0	0.0
			.dynamic	608	608	0	0.0
			.got	4136	4136	0	0.0
			.init	27	27	0	0.0
			.init_array	1040	1040	0	0.0
			.rodata	234770	234770	0	0.0
			.text	2213618	2213618	0	0.0
	thermostat-no-ble	arm64	(read only)	2357300	2357300	0	0.0
			(read/write)	141825	141825	0	0.0
			.bss	55345	55345	0	0.0
			.data	1672	1672	0	0.0
			.data.rel.ro	75984	75984	0	0.0
			.dynamic	560	560	0	0.0
			.got	5048	5048	0	0.0
			.init	24	24	0	0.0
			.init_array	408	408	0	0.0
			.rodata	140620	140620	0	0.0
			.text	1978960	1978960	0	0.0
	tv-app	debug	(read only)	3181625	3182297	672	0.0
			(read/write)	257968	257968	0	0.0
			.bss	167480	167480	0	0.0
			.data	4736	4736	0	0.0
			.data.rel.ro	79184	79184	0	0.0
			.dynamic	608	608	0	0.0
			.got	4856	4856	0	0.0
			.init	27	27	0	0.0
			.init_array	1072	1072	0	0.0
			.rodata	259016	259016	0	0.0
			.text	`2732866`	`2733538`	672	0.0
	tv-casting-app	debug	(read only)	5502177	5502833	656	0.0
			(read/write)	160464	160464	0	0.0
			.bss	51480	51480	0	0.0
			.data	2432	2432	0	0.0
			.data.rel.ro	100120	100120	0	0.0
			.dynamic	608	608	0	0.0
			.got	4776	4776	0	0.0
			.init	27	27	0	0.0
			.init_array	1040	1040	0	0.0
			.rodata	344209	344209	0	0.0
			.text	4886354	4887010	656	0.0
mbed	lock-app	CY8CPROTO_062_4343W+release	(read only)	6224	6224	0	0.0
			(read/write)	2454328	2454328	0	0.0
			.bss	215044	215044	0	0.0
			.data	5872	5872	0	0.0
			.text	1416972	1416972	0	0.0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	(read/write)	`1180619`	`1180619`	0	0.0
			bss	143737	143737	0	0.0
			rodata	143356	143356	0	0.0
			text	814680	814676	-4	-0.0
	all-clusters-minimal-app	nrf52840dk_nrf52840	(read/write)	1159815	1159815	0	0.0
			bss	142964	142964	0	0.0
			rodata	134944	134944	0	0.0
			text	803088	803088	0	0.0
psoc6	all-clusters	cy8ckit_062s2_43012	(read only)	881000	881000	0	0.0
			(read/write)	1700996	1700996	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	149688	149688	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2656	2656	0	0.0
			.debug_abbrev	1217459	1217459	0	0.0
			.debug_aranges	111528	111536	8	0.0
			.debug_frame	372352	372384	32	0.0
			.debug_info	26643196	26644076	880	0.0
			.debug_line	`3646641`	3647023	382	0.0
			.debug_loc	3562039	`3562496`	457	0.0
			.debug_ranges	336576	336608	32	0.0
			.debug_str	3393852	3393979	127	0.0
			.heap	881000	881000	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	569346	569346	0	0.0
			.symtab	420416	420416	0	0.0
			.text	1540264	1540264	0	0.0
			.zero.table	8	8	0	0.0
			text	0	0	0	0.0
	all-clusters-minimal	cy8ckit_062s2_43012	(read only)	881736	881736	0	0.0
			(read/write)	1644204	1644204	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	148952	148952	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2656	2656	0	0.0
			.debug_abbrev	1209298	1209298	0	0.0
			.debug_aranges	111000	111008	8	0.0
			.debug_frame	375432	375464	32	0.0
			.debug_info	26379890	26380771	881	0.0
			.debug_line	3667045	3667427	382	0.0
			.debug_loc	3549676	3550133	457	0.0
			.debug_ranges	335192	335224	32	0.0
			.debug_str	3382841	3382968	127	0.0
			.heap	881736	881736	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	533820	533820	0	0.0
			.symtab	407008	407008	0	0.0
			.text	`1484208`	`1484208`	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
	light	cy8ckit_062s2_43012	(read only)	890080	890080	0	0.0
			(read/write)	1561436	1561436	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	140816	140816	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2448	2448	0	0.0
			.debug_abbrev	1043971	1043971	0	0.0
			.debug_aranges	103168	103176	8	0.0
			.debug_frame	345676	345708	32	0.0
			.debug_info	21844446	21845328	882	0.0
			.debug_line	3238223	3238611	388	0.0
			.debug_loc	3249207	3249755	548	0.0
			.debug_ranges	301032	301064	32	0.0
			.debug_str	3188935	`3189062`	127	0.0
			.heap	890080	890080	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	467101	467101	0	0.0
			.symtab	374064	374064	0	0.0
			.text	1409784	1409784	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
	lock	cy8ckit_062s2_43012	(read only)	885584	885584	0	0.0
			(read/write)	1598724	1598724	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	145296	145296	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2464	2464	0	0.0
			.debug_abbrev	1051147	1051147	0	0.0
			.debug_aranges	103840	103848	8	0.0
			.debug_frame	348500	348532	32	0.0
			.debug_info	22199616	22200496	880	0.0
			.debug_line	3246909	`3247293`	384	0.0
			.debug_loc	3289327	3289830	503	0.0
			.debug_ranges	304448	304480	32	0.0
			.debug_str	`3216366`	`3216493`	127	0.0
			.heap	885584	885584	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	473342	473342	0	0.0
			.symtab	377248	377248	0	0.0
			.text	1442576	1442576	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
telink	light-switch-app	tlsr9518adk80d	(read/write)	808744	808744	0	0.0
			bss	71448	71448	0	0.0
			noinit	43488	43488	0	0.0
			text	571318	571318	0	0.0
	lighting-app	tlsr9518adk80d	(read/write)	830680	830680	0	0.0
			bss	72304	72304	0	0.0
			noinit	43488	43488	0	0.0
			text	589408	589410	2	0.0

* Add missing validity checks to CSR verification - SDK's CSR verification (VerifyCertificateSigningRequest) allowed trailing garbage past the end of the buffer if the primary SEQUENCE element is OK and checks-out. This is looser enforcement than some crypto libraries which expect a CSR to be 100% valid ASN.1 DER and have no unnecessary bytes or otherwise unparsable bytes. Fixes #22068 This PR: - Adds validity checks for size and basic format that catches the problem. - Adds unit tests that use externally generated CSRs to validate the `VerifyCertificateSigningRequest` logic, rather than only relying on round-trips with generation. Testing done: - Added new unit tests. Existing unit tests pass - Tested under OpenSSL, BoringSSL and mbedTLS * Fix docs typo

* Add missing validity checks to CSR verification - SDK's CSR verification (VerifyCertificateSigningRequest) allowed trailing garbage past the end of the buffer if the primary SEQUENCE element is OK and checks-out. This is looser enforcement than some crypto libraries which expect a CSR to be 100% valid ASN.1 DER and have no unnecessary bytes or otherwise unparsable bytes. Fixes #22068 This PR: - Adds validity checks for size and basic format that catches the problem. - Adds unit tests that use externally generated CSRs to validate the `VerifyCertificateSigningRequest` logic, rather than only relying on round-trips with generation. Testing done: - Added new unit tests. Existing unit tests pass - Tested under OpenSSL, BoringSSL and mbedTLS * Fix docs typo Co-authored-by: Tennessee Carmel-Veilleux <[email protected]> Co-authored-by: Andrei Litvin <[email protected]>

* Add missing validity checks to CSR verification - SDK's CSR verification (VerifyCertificateSigningRequest) allowed trailing garbage past the end of the buffer if the primary SEQUENCE element is OK and checks-out. This is looser enforcement than some crypto libraries which expect a CSR to be 100% valid ASN.1 DER and have no unnecessary bytes or otherwise unparsable bytes. Fixes project-chip#22068 This PR: - Adds validity checks for size and basic format that catches the problem. - Adds unit tests that use externally generated CSRs to validate the `VerifyCertificateSigningRequest` logic, rather than only relying on round-trips with generation. Testing done: - Added new unit tests. Existing unit tests pass - Tested under OpenSSL, BoringSSL and mbedTLS * Fix docs typo

tcarmelveilleux added crypto request sve labels Aug 22, 2022

github-actions bot added efr32 platform labels Aug 22, 2022

pullapprove bot requested review from rgoliver, robszewczyk, saurabhst, selissia, tecimovic, tehampson, turon, vijs, vivien-apple, wbschiller, woody-apple, xylophone21, yufengwangca and yunhanw-google August 22, 2022 13:51

pullapprove bot added the review - pending label Aug 22, 2022

tehampson approved these changes Aug 22, 2022

View reviewed changes

rcasallas-silabs reviewed Aug 22, 2022

View reviewed changes

src/crypto/CHIPCryptoPAL.h Outdated Show resolved Hide resolved

emargolis approved these changes Aug 22, 2022

View reviewed changes

jmartinez-silabs approved these changes Aug 22, 2022

View reviewed changes

pullapprove bot added review - approved and removed review - pending labels Aug 22, 2022

tcarmelveilleux added 2 commits August 22, 2022 20:48

Merge remote-tracking branch 'upstream/master' into validate-csr-length

69ba254

Fix docs typo

45444f7

tcarmelveilleux merged commit 48f87f3 into project-chip:master Aug 23, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add missing validity checks to CSR verification #22069

Add missing validity checks to CSR verification #22069

tcarmelveilleux commented Aug 22, 2022

github-actions bot commented Aug 22, 2022 •

edited

Loading

andy31415 commented Aug 22, 2022

github-actions bot commented Aug 23, 2022 •

edited

Loading

Add missing validity checks to CSR verification #22069

Add missing validity checks to CSR verification #22069

Conversation

tcarmelveilleux commented Aug 22, 2022

Problem

Change overview

Testing

github-actions bot commented Aug 22, 2022 • edited Loading

andy31415 commented Aug 22, 2022

github-actions bot commented Aug 23, 2022 • edited Loading

github-actions bot commented Aug 22, 2022 •

edited

Loading

github-actions bot commented Aug 23, 2022 •

edited

Loading