pk.c: Ensure min hash_len in pk_hashlen_helper #4561
Conversation
mpg
added
bug
Community
needs-review
|
@nick-child-ibm Thank you for your contribution! As @mpg mentioned, this issue is similar to #3990, but don't worry it is in a parallel API and the two fixes won't interfere with each other. |
|
@yanesca Thanks for reaching out! I am guessing we should probably make sure that all |
|
@nick-child-ibm That is correct. Your PR is already an improvement to what we have, but as you said, ideally we would return an error if the hash length and the hash algorithm are not consistent. |
nick-child-ibm
force-pushed
the
hash_len_devel
branch
2 times, most recently
from
ee13467 to
d61ef48
Compare
|
Rebased to require that the user supplied |
|
Added commit to allow tests to pass by not using MBEDTLS_MD_MAX_SIZE as |
I think reading pass the end of a buffer is absolutely a bug. It could at least cause a crash or worse (buffer over-read comes with a risk of leaking secret data, though in that case I think we're fine). So I think this should be backported. Currently the two active branches are Could you create those backports? |
mpg
added
needs-backports
nick-child-ibm
force-pushed
the
hash_len_devel
branch
from
04382c3 to
8bc2abe
Compare
|
Rebase adds changelog |
The function `pk_hashlen_helper` exists to ensure a valid hash_len is used in pk_verify and pk_sign functions. This function has been used to adjust to the corrsponding hash_len if the user passes in 0 for the hash_len argument based on the md algorithm given. If the user does not pass in 0 as the hash_len, then it is not adjusted. This is problematic if the user gives a hash_len and hash buffer that is less than the associated length of the md algorithm. This error would go unchecked and eventually lead to buffer overread when given to specific pk_sign/verify functions, since they both ignore the hash_len argument if md_alg is not MBEDTLS_MD_NONE. This commit, adds a conditional to `pk_hashlen_helper` so that an error is thrown if the user specifies a hash_length (not 0) and it is not eqaul to the expected for the associated message digest algorithm. This aligns better with the api documentation where it states "If hash_len is 0, then the length associated with md_alg is used instead, or an error returned if it is invalid" Signed-off-by: Nick Child <nick.child@ibm.com> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
In order to for tests to pass from the previous commit (which it mandatory for all pk verify/sign functions to be given a hash_len that is exactly equal to the message digest length of md_alg) the hash_len that is supplied to the fucntion cannot be MBEDTLS_MD_MAX_SIZE. This would result in all tests failing. Since the md alg for all of these funtions are SHA256, we can use mbedtls functions to get the required length of a SHA256 digest (32 bytes). Then that number can be used for allocating the hash buffer. Signed-off-by: Nick Child <nick.child@ibm.com>
nick-child-ibm
force-pushed
the
hash_len_devel
branch
from
8bc2abe to
c157b56
Compare
|
Rebase fixes changelog space at EOL |
|
Closing since covered by #4707 |
Hello,
This Pull Request is to patch an area of confusion on
pk_signandpk_verifyfunctions. Both take in an argumenthash_len, in the API docs, it is noted that:I have run into issues where I passed the incorrect value to hash_len and never ran into any "errors". I am sure most users are smarter than I and won't make such foolish mistakes but I do believe that either the documentation or function should be updated to match the other. In this PR, I have added a commit that makes the
pk_verify/signbehave as specified by the API docs.Currently, the
hash_lenargs in these functions are behaving more so like the description inrsa...verify/signdocumentation. here it lists thathashlen:If this is intentional than I think it could be worth updating the documentation of
pk_verify/sign. If not, then ifhash_lenis passed in as not zero then I believe it should at least be examined to be a valid hash length for the given hash algorithm. In the later called functions, ifmd_algis notMD_NONE, thehash_lenis overwritten anyway. So, if the user passed in ahash_lenthat is less than the associated md, an error should be returned in order to avoid invalid reads by reaching the end of the buffer.I hope this is useful in some way.
I would like to thank @naynajain for bringing this to my attention and helping me out.
Notes:
test_suite_pkif we throw errors if thehash_lenis NOT EQUAL to the expected. This is because these test suites allocate and useMBEDTLS_MD_MAX_SIZEas their hash lengths.rsa...verify/sign()functions called by the->verify/sign_func()function pointers, they all seem to overwrite thehash_lenso it may be worth removing*hash_len = mbedtls_md_get_size( md_info );inpk_hashlen_helper. I did not remove it in this PR since I do not know the behavior of other functions pointed to by->verify/sign_func()and it is a very unimportant thing to change.Description
From commit message:
Status
READY
Requires Backporting
Not sure if reading past a buffer can be considered a bug so probably not.
NO
Migrations
NO
Steps to test or reproduce
Run valgrind on any
mbedtls_pk_verify/readcommand where the following conditions for arguments are met:md_algis an actual hash function (notMBEDTLS_MD_NONE)hash_lenis less thanmd_algs associated lengthhashis only allocated to havehash_lenbytes