Merge pull request #838 from gilles-peskine-arm/ecp_max_bits-check-2.16

Backport 2.16: check MBEDTLS_ECP_MAX_BITS
2026-04-10 14:23:42 +02:00 · 2021-06-15 11:12:52 +02:00
parent 1283ed9e3b 5a6549752f
commit 6f4fbb4640
3 changed files with 49 additions and 1 deletions
--- a/ChangeLog.d/ecp_max_bits.txt
+++ b/ChangeLog.d/ecp_max_bits.txt
@@ -0,0 +1,4 @@
+Security
+   * It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
+     too small, leading to buffer overflows in ECC operations. Fail the build
+     in such a case.
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -154,6 +154,40 @@ typedef struct mbedtls_ecp_point
 }
 mbedtls_ecp_point;

+/* Determine the minimum safe value of MBEDTLS_ECP_MAX_BITS. */
+#if !defined(MBEDTLS_ECP_C)
+#define MBEDTLS_ECP_MAX_BITS_MIN 0
+/* Note: the curves must be listed in DECREASING size! */
+#elif defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 521
+#elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 512
+#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 448
+#elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 384
+#elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 384
+#elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 256
+#elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 256
+#elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 256
+#elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 255
+#elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 225 // n is slightly above 2^224
+#elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 224
+#elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 192
+#elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 192
+#else
+#error "MBEDTLS_ECP_C enabled, but no curve?"
+#endif
+
 #if !defined(MBEDTLS_ECP_ALT)
 /*
 * default mbed TLS elliptic curve arithmetic implementation
@@ -228,7 +262,13 @@ mbedtls_ecp_group;
 * \{
 */

-#if !defined(MBEDTLS_ECP_MAX_BITS)
+#if defined(MBEDTLS_ECP_MAX_BITS)
+
+#if MBEDTLS_ECP_MAX_BITS < MBEDTLS_ECP_MAX_BITS_MIN
+#error "MBEDTLS_ECP_MAX_BITS is smaller than the largest supported curve"
+#endif
+
+#else
 /**
 * The maximum size of the groups, that is, of \c N and \c P.
 */
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -393,6 +393,8 @@ void mbedtls_ecp_curve_info( int id, int tls_id, int size, char * name )
    TEST_ASSERT( by_id == by_name );

    TEST_ASSERT( by_id->bit_size == size );
+    TEST_ASSERT( size <= MBEDTLS_ECP_MAX_BITS );
+    TEST_ASSERT( size <= MBEDTLS_ECP_MAX_BYTES * 8 );
 }
 /* END_CASE */

@@ -750,6 +752,7 @@ void ecp_muladd( int id,
    TEST_EQUAL( 0, mbedtls_ecp_point_write_binary(
                    &grp, &R, MBEDTLS_ECP_PF_UNCOMPRESSED,
                    &len, actual_result, sizeof( actual_result ) ) );
+    TEST_ASSERT( len <= MBEDTLS_ECP_MAX_PT_LEN );

    ASSERT_COMPARE( expected_result->x, expected_result->len,
                    actual_result, len );
@@ -821,6 +824,7 @@ void ecp_write_binary( int id, char * x, char * y, char * z, int format,

    if( ret == 0 )
    {
+        TEST_ASSERT( olen <= MBEDTLS_ECP_MAX_PT_LEN );
        TEST_ASSERT( mbedtls_test_hexcmp( buf, out->x, olen, out->len ) == 0 );
    }