Add parameter validation to SHA-1

Andres Amaya Garcia 2018-12-09 19:12:19 +00:00 committed by Hanno Becker
parent af0c6cb9e0
commit f7c43b3145
3 changed files with 27 additions and 0 deletions


@ -41,6 +41,8 @@ API Changes
mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
* Extend ECDH interface to enable alternative implementations. * Extend ECDH interface to enable alternative implementations.
* Add validation checks for input parameters to functions in the SHA-1
module.
New deprecations New deprecations
* Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update


@ -42,6 +42,7 @@
/* MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED is deprecated and should not be used. */ /* MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED -0x0035 /**< SHA-1 hardware accelerator failed */ #define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED -0x0035 /**< SHA-1 hardware accelerator failed */
#define MBEDTLS_ERR_SHA1_BAD_INPUT_DATA -0x0073 /**< Invalid input data. */
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {


@ -71,8 +71,15 @@
} }
#endif #endif
#define MBEDTLS_SHA1_VALIDATE_RET(cond) \
MBEDTLS_VALIDATE_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA, cond )
#define MBEDTLS_SHA1_VALIDATE(cond) MBEDTLS_VALIDATE( cond )
void mbedtls_sha1_init( mbedtls_sha1_context *ctx ) void mbedtls_sha1_init( mbedtls_sha1_context *ctx )
{ {
MBEDTLS_SHA1_VALIDATE( ctx != NULL );
memset( ctx, 0, sizeof( mbedtls_sha1_context ) ); memset( ctx, 0, sizeof( mbedtls_sha1_context ) );
} }
@ -87,6 +94,9 @@ void mbedtls_sha1_free( mbedtls_sha1_context *ctx )
void mbedtls_sha1_clone( mbedtls_sha1_context *dst, void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
const mbedtls_sha1_context *src ) const mbedtls_sha1_context *src )
{ {
MBEDTLS_SHA1_VALIDATE( dst != NULL );
MBEDTLS_SHA1_VALIDATE( src != NULL );
*dst = *src; *dst = *src;
} }
@ -95,6 +105,8 @@ void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
*/ */
int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx ) int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx )
{ {
MBEDTLS_SHA1_VALIDATE_RET( ctx != NULL );
ctx->total[0] = 0; ctx->total[0] = 0;
ctx->total[1] = 0; ctx->total[1] = 0;
@ -120,6 +132,9 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
{ {
uint32_t temp, W[16], A, B, C, D, E; uint32_t temp, W[16], A, B, C, D, E;
MBEDTLS_SHA1_VALIDATE_RET( ctx != NULL );
MBEDTLS_SHA1_VALIDATE_RET( (const unsigned char *)data != NULL );
GET_UINT32_BE( W[ 0], data, 0 ); GET_UINT32_BE( W[ 0], data, 0 );
GET_UINT32_BE( W[ 1], data, 4 ); GET_UINT32_BE( W[ 1], data, 4 );
GET_UINT32_BE( W[ 2], data, 8 ); GET_UINT32_BE( W[ 2], data, 8 );
@ -297,6 +312,9 @@ int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
if( ilen == 0 ) if( ilen == 0 )
return( 0 ); return( 0 );
MBEDTLS_SHA1_VALIDATE_RET( ctx != NULL );
MBEDTLS_SHA1_VALIDATE_RET( input != NULL );
left = ctx->total[0] & 0x3F; left = ctx->total[0] & 0x3F;
fill = 64 - left; fill = 64 - left;
@ -352,6 +370,9 @@ int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
uint32_t used; uint32_t used;
uint32_t high, low; uint32_t high, low;
MBEDTLS_SHA1_VALIDATE_RET( ctx != NULL );
MBEDTLS_SHA1_VALIDATE_RET( (unsigned char *)output != NULL );
/* /*
* Add padding: 0x80 then 0x00 until 8 bytes remain for the length * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
*/ */
@ -420,6 +441,9 @@ int mbedtls_sha1_ret( const unsigned char *input,
int ret; int ret;
mbedtls_sha1_context ctx; mbedtls_sha1_context ctx;
MBEDTLS_SHA1_VALIDATE_RET( ilen == 0 || input != NULL );
MBEDTLS_SHA1_VALIDATE_RET( (unsigned char *)output != NULL );
mbedtls_sha1_init( &ctx ); mbedtls_sha1_init( &ctx );
if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 ) if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
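Review bot: In the mbedtls_sha1_update_ret hunk the two new checks are placed after the existing `if( ilen == 0 ) return( 0 );`, so a call with a NULL ctx and ilen of 0 still returns success without being validated. mbedtls_sha1_ret in the same file instead validates `ilen == 0 || input != NULL` before doing any work, so the two entry points disagree on when a NULL pointer is rejected. Moving the checks above the early return and using the same condition, `MBEDTLS_SHA1_VALIDATE_RET( ctx != NULL );` followed by `MBEDTLS_SHA1_VALIDATE_RET( ilen == 0 || input != NULL );`, would make the contract uniform. The function's signature and the rest of its body are outside the hunk, so this is based on the visible lines only. A short comment on the `(const unsigned char *)data` and `(unsigned char *)output` casts would also help, since the reason for casting before the NULL comparison is not evident from the hunk (presumably the parameters are declared as arrays).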