Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add missing validity checks to CSR verification #22092

Merged
merged 2 commits into from
Aug 24, 2022
Merged

Add missing validity checks to CSR verification #22092

merged 2 commits into from
Aug 24, 2022

Conversation

woody-apple
Copy link
Contributor

Problem

  • SDK's CSR verification (VerifyCertificateSigningRequest) allowed trailing
    garbage past the end of the buffer if the primary SEQUENCE element is OK
    and checks-out. This is looser enforcement than some crypto libraries
    which expect a CSR to be 100% valid ASN.1 DER and have no unnecessary bytes
    or otherwise unparsable bytes.

Fixes #22068

Change overview

  • Adds validity checks for size and basic format that catches
    the problem.
  • Adds unit tests that use externally generated CSRs to validate
    the VerifyCertificateSigningRequest logic, rather than only
    relying on round-trips with generation.

Testing

  • Added new unit tests. Existing unit tests pass
  • Tested under OpenSSL, BoringSSL and mbedTLS

@tcarmelveilleux @web-flow
Add missing validity checks to CSR verification (#22069)
6e57432 
* Add missing validity checks to CSR verification

- SDK's CSR verification (VerifyCertificateSigningRequest) allowed trailing
  garbage past the end of the buffer if the primary SEQUENCE element is OK
  and checks-out. This is looser enforcement than some crypto libraries
  which expect a CSR to be 100% valid ASN.1 DER and have no unnecessary bytes
  or otherwise unparsable bytes.

Fixes #22068

This PR:
- Adds validity checks for size and basic format that catches
  the problem.
- Adds unit tests that use externally generated CSRs to validate
  the `VerifyCertificateSigningRequest` logic, rather than only
  relying on round-trips with generation.

Testing done:
- Added new unit tests. Existing unit tests pass
- Tested under OpenSSL, BoringSSL and mbedTLS

* Fix docs typo
@github-actions
Copy link

github-actions bot commented Aug 23, 2022
edited
Loading

PR #22092: Size comparison from 7d42483 to 6e57432

Increases (4 builds for cc13x2_26x2, linux, nrfconnect)
platform target config section 7d42483 6e57432 change % change
cc13x2_26x2 all-clusters-minimal-app LP_CC2652R7 (read only) 637755 637763 8 0.0
.text 559452 559460 8 0.0
pump-app LP_CC2652R7 (read/write) 157768 157776 8 0.0
linux chip-tool-ipv6only arm64 (read only) 10245244 1024578 544 0.0
.text 8115220 8115764 544 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 (read/write) 1180051 1180067 16 0.0
text 814080 814084 4 0.0
Decreases (2 builds for cc13x2_26x2, telink)
platform target config section 7d42483 6e57432 change % change
cc13x2_26x2 pump-app LP_CC2652R7 (read only) 684767 684759 -8 -0.0
.text 594324 594316 -8 -0.0
telink light-switch-app tlsr9518adk80d text 571348 571346 -2 -0.0
Full report (32 builds for bl602, cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, p6, telink)
platform target config section 7d42483 6e57432 change % change
bl602 lighting-app bl602 (read/write) 1383882 1383882 0 0.0
.bss 120290 120290 0 0.0
.data 4480 4480 0 0.0
.text 1051032 1051032 0 0.0
bl602+rpc (read/write) 1429394 1429394 0 0.0
.bss 127730 127730 0 0.0
.data 4600 4600 0 0.0
.text 1082792 1082792 0 0.0
cc13x2_26x2 all-clusters-app LP_CC2652R7 (read only) 672379 672379 0 0.0
(read/write) 179132 179132 0 0.0
.bss 74404 74404 0 0.0
.data 3372 3372 0 0.0
.rodata 88747 88747 0 0.0
.text 583316 583316 0 0.0
all-clusters-minimal-app LP_CC2652R7 (read only) 637755 637763 8 0.0
(read/write) 157980 157980 0 0.0
.bss 73692 73692 0 0.0
.data 3372 3372 0 0.0
.rodata 77979 77979 0 0.0
.text 559452 559460 8 0.0
lock-ftd LP_CC2652R7 (read only) 674095 674095 0 0.0
(read/write) 167632 167632 0 0.0
.bss 71508 71508 0 0.0
.data 3296 3296 0 0.0
.rodata 76671 76671 0 0.0
.text 596944 596944 0 0.0
lock-mtd LP_CC2652R7 (read only) 656839 656839 0 0.0
(read/write) 180576 180576 0 0.0
.bss 67196 67196 0 0.0
.data 3296 3296 0 0.0
.rodata 101759 101759 0 0.0
.text 554600 554600 0 0.0
pump-app LP_CC2652R7 (read only) 684767 684759 -8 -0.0
(read/write) 157768 157776 8 0.0
.bss 71548 71548 0 0.0
.data 3296 3296 0 0.0
.rodata 89959 89959 0 0.0
.text 594324 594316 -8 -0.0
pump-controller-app LP_CC2652R7 (read only) 669259 669259 0 0.0
(read/write) 173396 173396 0 0.0
.bss 71668 71668 0 0.0
.data 3292 3292 0 0.0
.rodata 85515 85515 0 0.0
.text 583264 583264 0 0.0
shell LP_CC2652R7 (read only) 665062 665062 0 0.0
(read/write) 181968 181968 0 0.0
.bss 76724 76724 0 0.0
.data 3376 3376 0 0.0
.rodata 85694 85694 0 0.0
.text 579052 579052 0 0.0
cyw30739 light cyw930739m2evb_01 (read/write) 586070 586070 0 0.0
.app_xip_area 462704 462704 0 0.0
.bss 65800 65800 0 0.0
.data 744 744 0 0.0
.rodata 0 0 0 0.0
.text 112 112 0 0.0
lock cyw930739m2evb_01 (read/write) 591886 591886 0 0.0
.app_xip_area 463736 463736 0 0.0
.bss 70584 70584 0 0.0
.data 748 748 0 0.0
.rodata 0 0 0 0.0
.text 112 112 0 0.0
ota-requestor-no-progress-logging cyw930739m2evb_01 (read/write) 599026 599026 0 0.0
.app_xip_area 476380 476380 0 0.0
.bss 65112 65112 0 0.0
.data 716 716 0 0.0
.rodata 0 0 0 0.0
.text 112 112 0 0.0
efr32 lighting-app BRD4161A (read/write) 1101124 1101124 0 0.0
.bss 133404 133404 0 0.0
.data 2068 2068 0 0.0
.text 965628 965628 0 0.0
BRD4161A+rpc (read/write) 1155392 1155392 0 0.0
.bss 150092 150092 0 0.0
.data 2280 2280 0 0.0
.text 1003000 1003000 0 0.0
BRD4161A+rs911x (read/write) 990264 990264 0 0.0
.bss 162728 162728 0 0.0
.data 2056 2056 0 0.0
.text 825460 825460 0 0.0
lock-app BRD4161A+wf200 (read/write) 1139828 1139828 0 0.0
.bss 145904 145904 0 0.0
.data 2064 2064 0 0.0
.text 991840 991840 0 0.0
window-app BRD4161A (read/write) 1092580 1092580 0 0.0
.bss 134844 134844 0 0.0
.data 2096 2096 0 0.0
.text 955620 955620 0 0.0
esp32 all-clusters-app c3devkit (read only) 1029982 1029982 0 0.0
(read/write) 1488674 1488674 0 0.0
.dram0.bss 70864 70864 0 0.0
.dram0.data 14600 14600 0 0.0
.flash.rodata 217776 217776 0 0.0
.flash.text 1029982 1029982 0 0.0
.iram0.text 62902 62902 0 0.0
m5stack (read only) 1083331 1083331 0 0.0
(read/write) 490632 490632 0 0.0
.dram0.bss 76376 76376 0 0.0
.dram0.data 34144 34144 0 0.0
.flash.rodata 248116 248116 0 0.0
.flash.text 1077947 1077947 0 0.0
.iram0.text 123267 123267 0 0.0
k32w light k32w0+release (read/write) 645476 645476 0 0.0
.bss 70232 70232 0 0.0
.data 2044 2044 0 0.0
.text 570472 570472 0 0.0
lock k32w0+release (read/write) 703028 703028 0 0.0
.bss 70704 70704 0 0.0
.data 2052 2052 0 0.0
.text 627544 627544 0 0.0
linux chip-tool-ipv6only arm64 (read only) 10245244 1024578 544 0.0
(read/write) 698689 698689 0 0.0
.bss 33297 33297 0 0.0
.data 3272 3272 0 0.0
.data.rel.ro 643392 643392 0 0.0
.dynamic 560 560 0 0.0
.got 13768 13768 0 0.0
.init 24 24 0 0.0
.init_array 192 192 0 0.0
.rodata 492924 492924 0 0.0
.text 8115220 8115764 544 0.0
thermostat-no-ble arm64 (read only) 2356996 2356996 0 0.0
(read/write) 141825 141825 0 0.0
.bss 55345 55345 0 0.0
.data 1672 1672 0 0.0
.data.rel.ro 75984 75984 0 0.0
.dynamic 560 560 0 0.0
.got 5048 5048 0 0.0
.init 24 24 0 0.0
.init_array 408 408 0 0.0
.rodata 140524 140524 0 0.0
.text 1978752 1978752 0 0.0
mbed lock-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2454328 2454328 0 0.0
.bss 215076 215076 0 0.0
.data 5872 5872 0 0.0
.text 1416972 1416972 0 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 (read/write) 1180051 1180067 16 0.0
bss 143759 143759 0 0.0
rodata 143268 143268 0 0.0
text 814080 814084 4 0.0
all-clusters-minimal-app nrf52840dk_nrf52840 (read/write) 1159927 1159927 0 0.0
bss 142996 142996 0 0.0
rodata 134944 134944 0 0.0
text 803072 803072 0 0.0
p6 all-clusters-app default (read only) 880984 880984 0 0.0
(read/write) 1699348 1699348 0 0.0
.bss 149704 149704 0 0.0
.data 2656 2656 0 0.0
.text 1538600 1538600 0 0.0
all-clusters-minimal-app default (read only) 881704 881704 0 0.0
(read/write) 1643356 1643356 0 0.0
.bss 148984 148984 0 0.0
.data 2656 2656 0 0.0
.text 1483328 1483328 0 0.0
light-app default (read only) 890048 890048 0 0.0
(read/write) 1560644 1560644 0 0.0
.bss 140848 140848 0 0.0
.data 2448 2448 0 0.0
.text 1408960 1408960 0 0.0
lock-app default (read only) 885552 885552 0 0.0
(read/write) 1597924 1597924 0 0.0
.bss 145328 145328 0 0.0
.data 2464 2464 0 0.0
.text 1441744 1441744 0 0.0
telink light-switch-app tlsr9518adk80d (read/write) 808800 808800 0 0.0
bss 71480 71480 0 0.0
noinit 43488 43488 0 0.0
text 571348 571346 -2 -0.0
lighting-app tlsr9518adk80d (read/write) 830744 830744 0 0.0
bss 72336 72336 0 0.0
noinit 43488 43488 0 0.0
text 589438 589438 0 0.0

@github-actions
Copy link

github-actions bot commented Aug 24, 2022
edited
Loading

PR #22092: Size comparison from bdbcb40 to 0dc3108

Increases (1 build for cc13x2_26x2)
platform target config section bdbcb40 0dc3108 change % change
cc13x2_26x2 lock-mtd LP_CC2652R7 (read/write) 180576 180584 8 0.0
Decreases (1 build for cc13x2_26x2)
platform target config section bdbcb40 0dc3108 change % change
cc13x2_26x2 lock-mtd LP_CC2652R7 (read only) 656839 656831 -8 -0.0
.text 554600 554592 -8 -0.0
Full report (12 builds for cc13x2_26x2, esp32, mbed, nrfconnect)
platform target config section bdbcb40 0dc3108 change % change
cc13x2_26x2 all-clusters-app LP_CC2652R7 (read only) 672379 672379 0 0.0
(read/write) 179132 179132 0 0.0
.bss 74404 74404 0 0.0
.data 3372 3372 0 0.0
.rodata 88747 88747 0 0.0
.text 583316 583316 0 0.0
all-clusters-minimal-app LP_CC2652R7 (read only) 637763 637763 0 0.0
(read/write) 157980 157980 0 0.0
.bss 73692 73692 0 0.0
.data 3372 3372 0 0.0
.rodata 77979 77979 0 0.0
.text 559460 559460 0 0.0
lock-ftd LP_CC2652R7 (read only) 674095 674095 0 0.0
(read/write) 167632 167632 0 0.0
.bss 71508 71508 0 0.0
.data 3296 3296 0 0.0
.rodata 76671 76671 0 0.0
.text 596944 596944 0 0.0
lock-mtd LP_CC2652R7 (read only) 656839 656831 -8 -0.0
(read/write) 180576 180584 8 0.0
.bss 67196 67196 0 0.0
.data 3296 3296 0 0.0
.rodata 101759 101759 0 0.0
.text 554600 554592 -8 -0.0
pump-app LP_CC2652R7 (read only) 684767 684767 0 0.0
(read/write) 157768 157768 0 0.0
.bss 71548 71548 0 0.0
.data 3296 3296 0 0.0
.rodata 89959 89959 0 0.0
.text 594324 594324 0 0.0
pump-controller-app LP_CC2652R7 (read only) 669259 669259 0 0.0
(read/write) 173396 173396 0 0.0
.bss 71668 71668 0 0.0
.data 3292 3292 0 0.0
.rodata 85515 85515 0 0.0
.text 583264 583264 0 0.0
shell LP_CC2652R7 (read only) 665062 665062 0 0.0
(read/write) 181968 181968 0 0.0
.bss 76724 76724 0 0.0
.data 3376 3376 0 0.0
.rodata 85694 85694 0 0.0
.text 579052 579052 0 0.0
esp32 all-clusters-app c3devkit (read only) 1029982 1029982 0 0.0
(read/write) 1488674 1488674 0 0.0
.dram0.bss 70864 70864 0 0.0
.dram0.data 14600 14600 0 0.0
.flash.rodata 217776 217776 0 0.0
.flash.text 1029982 1029982 0 0.0
.iram0.text 62902 62902 0 0.0
m5stack (read only) 1083331 1083331 0 0.0
(read/write) 490632 490632 0 0.0
.dram0.bss 76376 76376 0 0.0
.dram0.data 34144 34144 0 0.0
.flash.rodata 248116 248116 0 0.0
.flash.text 1077947 1077947 0 0.0
.iram0.text 123267 123267 0 0.0
mbed lock-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2454328 2454328 0 0.0
.bss 215076 215076 0 0.0
.data 5872 5872 0 0.0
.text 1416972 1416972 0 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 (read/write) 1180067 1180067 0 0.0
bss 143759 143759 0 0.0
rodata 143268 143268 0 0.0
text 814084 814084 0 0.0
all-clusters-minimal-app nrf52840dk_nrf52840 (read/write) 1159927 1159927 0 0.0
bss 142996 142996 0 0.0
rodata 134944 134944 0 0.0
text 803072 803072 0 0.0

@woody-apple woody-apple merged commit 1ef4eef into sve-2 Aug 24, 2022
@woody-apple woody-apple deleted the cherry-pick-48f87f3ce2b3b8457af63f8e68dbf3f1e42ae219 branch August 24, 2022 20:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
crypto efr32 platform sve cherry pick
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@woody-apple @tcarmelveilleux @andy31415