From fc8226eb27a966dea7671434acf5d63f8a4dbf10 Mon Sep 17 00:00:00 2001
From: Yuxiang Cao
Date: Mon, 21 Aug 2023 16:08:35 -0700
Subject: [PATCH 1/2] fix: verify empty candidate cert chain
- Verify empty candidate cert chain
- Add other necessary empty List check
---
.travis.yml | 1 +
Cargo.lock | 2 +-
mbedtls/Cargo.toml | 2 +-
mbedtls/src/ssl/config.rs | 3 +++
mbedtls/src/ssl/context.rs | 2 +-
mbedtls/src/x509/certificate.rs | 31 +++++++++++++++++++++++++++++++
6 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index d95c727c7..2d753222c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,6 +6,7 @@ branches:
 - trying
 # Not really necessary, just to get a green badge on “master”
 - master
+ - v0.9
 language: rust
 os: linux
 dist: focal
diff --git a/Cargo.lock b/Cargo.lock
index b41aef3a2..ee149113f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -497,7 +497,7 @@ checksum = "7ffc5c5338469d4d3ea17d269fa8ea3512ad247247c30bd2df69e68309ed0a08"
 [[package]]
 name = "mbedtls"
-version = "0.9.1"
+version = "0.9.2"
 dependencies = [
 "async-stream",
 "bit-vec",
diff --git a/mbedtls/Cargo.toml b/mbedtls/Cargo.toml
index e3a45c506..61ca28004 100644
--- a/mbedtls/Cargo.toml
+++ b/mbedtls/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mbedtls"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Jethro Beekman "]
 build = "build.rs"
 edition = "2018"
diff --git a/mbedtls/src/ssl/config.rs b/mbedtls/src/ssl/config.rs
index 966affd95..29747b639 100644
--- a/mbedtls/src/ssl/config.rs
+++ b/mbedtls/src/ssl/config.rs
@@ -306,6 +306,9 @@ impl Config {
 }
 pub fn push_cert(&mut self, own_cert: Arc>, own_pk: Arc) -> Result<()> {
+ if own_cert.is_empty() {
+ return Err(Error::SslBadInputData);
+ }
 // Need to ensure own_cert/pk_key outlive the config.
 self.own_cert.push(own_cert.clone());
 self.own_pk.push(own_pk.clone());
diff --git a/mbedtls/src/ssl/context.rs b/mbedtls/src/ssl/context.rs
index 5cacd0282..015848afb 100644
--- a/mbedtls/src/ssl/context.rs
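Review bot: `push_cert` in config.rs now returns `Error::SslBadInputData` for an empty `own_cert`, but nothing on the function tells callers about this new error path or why an empty list is refused. I would add a doc comment above the signature, for example `/// Returns Error::SslBadInputData if own_cert is an empty list; the config is left unchanged in that case.` The guard is correctly placed before the two `push` calls, so a rejected call does not leave a dangling entry in `self.own_cert` or `self.own_pk`. The rest of the function body lies outside the hunk.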
+++ b/mbedtls/src/ssl/context.rs @@ -583,7 +583,7 @@ impl HandshakeContext { key: Arc, ) -> Result<()> { // mbedtls_ssl_set_hs_own_cert does not check for NULL handshake. - if self.inner.handshake as *const _ == ::core::ptr::null() { + if self.inner.handshake as *const _ == ::core::ptr::null() || chain.is_empty() { return Err(Error::SslBadInputData); } diff --git a/mbedtls/src/x509/certificate.rs b/mbedtls/src/x509/certificate.rs index e60c3bbe6..280121923 100644 --- a/mbedtls/src/x509/certificate.rs +++ b/mbedtls/src/x509/certificate.rs @@ -229,6 +229,9 @@ impl Certificate { where F: VerifyCallback + 'static, { + if chain.is_empty() { + return Err(Error::X509BadInputData); + } let (f_vrfy, p_vrfy): (Option _>, _) = if let Some(cb) = cb.as_ref() { (Some(x509::verify_callback::), cb as *const _ as *mut c_void) 
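Review bot: The comment above the guard in this `HandshakeContext` method still explains only the NULL-handshake case, while the condition now also rejects an empty `chain`; extend it, e.g. `// mbedtls_ssl_set_hs_own_cert does not check for NULL handshake; an empty chain is refused here as well.` Both failures return the same `Error::SslBadInputData`, so a caller cannot tell a missing handshake from an empty chain, and two separate `if` statements would let each case carry its own comment. As a style point, if `handshake` is a raw pointer (the cast suggests it is), `self.inner.handshake.is_null()` reads more clearly than the comparison with `::core::ptr::null()`. The method's signature starts above the hunk.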
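Review bot: The early return for an empty `chain` in certificate.rs happens before any of the function's failure reporting, so if this function fills a caller-supplied error-info string on failure (the test added in this patch passes `None` as the fourth argument of `Certificate::verify`; the signature itself is outside the hunk), that string stays untouched on this path and callers that log it get no reason. Consider writing a short message there before returning. The guard also deserves a why-comment, e.g. `// Reject an empty candidate chain here instead of handing it to mbedtls.` It is worth confirming that every public verify entry point reaches this guard; that cannot be seen from the hunk.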
@@ -1420,6 +1423,34 @@ cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
 assert!(crate::tests::TestTrait::>::new().impls_trait(), "MbedtlsList should be Sync");
 }
+ #[test]
+ fn empty_cert_chain_test() {
+ const C_CERT: &'static str = concat!(include_str!("../../tests/data/certificate.crt"), "\0");
+ const C_ROOT: &'static str = concat!(include_str!("../../tests/data/root.crt"), "\0");
+
+ let mut certs = MbedtlsList::new();
+ certs.push(Certificate::from_pem(&C_CERT.as_bytes()).unwrap());
+ let mut roots = MbedtlsList::new();
+ roots.push(Certificate::from_pem(&C_ROOT.as_bytes()).unwrap());
+
+ assert!(Certificate::verify(&certs, &roots, None, None).is_ok());
+
+ let empty_certs = MbedtlsList::new();
+
+ assert_eq!(
+ Certificate::verify(&certs, &empty_certs, None, None).unwrap_err(),
+ Error::X509CertVerifyFailed
+ );
+ assert_eq!(
+ Certificate::verify(&empty_certs, &empty_certs, None, None).unwrap_err(),
+ Error::X509BadInputData
+ );
+ assert_eq!(
+ Certificate::verify(&empty_certs, &roots, None, None).unwrap_err(),
+ Error::X509BadInputData
+ );
+ }
+
 #[test]
 fn empty_crl_test() {
 const C_CERT: &'static str = concat!(include_str!("../../tests/data/certificate.crt"), "\0");
From 0eeea4eb6d1aa1ecc593374f215d0954960e58d7 Mon Sep 17 00:00:00 2001
From: Yuxiang Cao
Date: Tue, 29 Aug 2023 21:06:45 -0700
Subject: [PATCH 2/2] ci: fix Travis CI
---
.travis.yml | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 2d753222c..2914142ce 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,7 +6,6 @@ branches:
 - trying
 # Not really necessary, just to get a green badge on “master”
 - master
- - v0.9
 language: rust
 os: linux
 dist: focal
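Review bot: `empty_cert_chain_test` exercises only `Certificate::verify`; going by the diffstat, the empty-list checks this patch adds to `push_cert` in config.rs and to the handshake guard in context.rs have no test, so removing either check later would still pass CI. Add an assertion that `push_cert` with an empty `MbedtlsList` returns `Error::SslBadInputData`, and a similar one for the handshake path if a handshake context can be built in a unit test. The test would also be easier to read with a one-line comment per assertion saying which argument is empty, since the second case expects `X509CertVerifyFailed` while the other two expect `X509BadInputData`. Minor style: `&C_CERT.as_bytes()` borrows an already-borrowed slice and `'static` is implied on a `const`, though the neighbouring `empty_crl_test` uses the same form.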
@@ -19,20 +18,30 @@ addons:
 - clang-11
 - cmake
 - qemu-user
+before_script:
+ - printenv
+ - whereis clang && clang --version
+ # remove clang-16 path from PATH
+ - export PATH=$(echo $PATH | sed -e 's|:/usr/local/clang-16.0.0/bin||')
+ # setup clang-11 as default clang
+ - sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-11 100
+ - whereis clang && clang --version
 rust:
 - stable
 env:
- jobs:
- # Matrix build of 3 targets against Rust stable
- - TARGET=x86_64-unknown-linux-gnu ZLIB_INSTALLED=true AES_NI_SUPPORT=true
- - TARGET=aarch64-unknown-linux-musl
- - TARGET=x86_64-fortanix-unknown-sgx
 global:
 - RUST_BACKTRACE=1
 jobs:
 include:
- # Test additional Rust toolchains on x86_64
- - rust: beta
- - rust: nightly
+ - env: TARGET=x86_64-fortanix-unknown-sgx
+ rust: stable
+ - env: TARGET=aarch64-unknown-linux-musl
+ rust: stable
+ - env: TARGET=x86_64-unknown-linux-gnu ZLIB_INSTALLED=true AES_NI_SUPPORT=true
+ rust: nightly
+ - env: TARGET=x86_64-unknown-linux-gnu ZLIB_INSTALLED=true AES_NI_SUPPORT=true
+ rust: beta
+ - env: TARGET=x86_64-unknown-linux-gnu ZLIB_INSTALLED=true AES_NI_SUPPORT=true
+ rust: stable
 script:
 - ./ct.sh
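Review bot: The `- printenv` step in `before_script` writes the whole job environment to the build log. If the repository defines secret variables in its CI settings (not visible here), they then depend entirely on log masking, which does not cover encoded or transformed values; since the step looks like a debugging aid for the clang path, narrow it to what is needed, e.g. `- echo "$PATH"`. Separately, the `sed` expression strips `:/usr/local/clang-16.0.0/bin` only when a colon precedes it, so a PATH that begins with that directory is left unchanged. The second `clang --version` would show this in the log but does not fail the job, so a version assertion such as `- clang --version | grep -q 'version 11'` would make the intent enforceable.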