Secure the testing infrastructure

2025-06-26 22:38:30 +00:00 · 2021-08-07 13:22:35 -07:00 · 2021-08-07 13:22:35 -07:00 · 0cdba6878b
commit 0cdba6878b
parent 1f766a332f
15 changed files with 354 additions and 71 deletions
--- a/third_party/mbedtls/config.h
+++ b/third_party/mbedtls/config.h
@ -64,6 +64,7 @@
 /* key exchange */
 #define MBEDTLS_RSA_C
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 #ifndef TINY
 #define MBEDTLS_ECP_C
 #define MBEDTLS_ECDH_C
@ -72,13 +73,12 @@
 #define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 /*#define MBEDTLS_DHM_C*/
 /*#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED*/
 /*#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED*/
 /*#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED*/
-/*#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED*/
 /*#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED*/
-/*#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED*/
 /*#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED*/
 #endif

--- a/third_party/mbedtls/dhm.c
+++ b/third_party/mbedtls/dhm.c
@ -17,6 +17,7 @@
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "libc/calls/calls.h"
 #include "third_party/mbedtls/asn1.h"
+#include "third_party/mbedtls/bignum.h"
 #include "third_party/mbedtls/common.h"
 #include "third_party/mbedtls/dhm.h"
 #include "third_party/mbedtls/error.h"
@ -322,7 +323,7 @@ static int dhm_random_below( mbedtls_mpi *R, const mbedtls_mpi *M,
        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( R, mbedtls_mpi_size( M ), f_rng, p_rng ) );

        while( mbedtls_mpi_cmp_mpi( R, M ) >= 0 )
-            mbedtls_mpi_shift_r( &R, 1 );
+            mbedtls_mpi_shift_r( R, 1 );

        if( count++ > 10 )
            return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
--- a/third_party/mbedtls/ssl.h
+++ b/third_party/mbedtls/ssl.h
@ -1419,7 +1419,7 @@ int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *, mbedtls_dhm_context * )
 int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *, const mbedtls_ssl_srtp_profile * );
 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *, unsigned char );
 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *, mbedtls_x509_crt *, mbedtls_pk_context * );
-int mbedtls_ssl_conf_psk( mbedtls_ssl_config *, const unsigned char *, size_t, const unsigned char *,  size_t );
+int mbedtls_ssl_conf_psk( mbedtls_ssl_config *, const void *, size_t, const void *, size_t );
 int mbedtls_ssl_context_load( mbedtls_ssl_context *,  const unsigned char *, size_t );
 int mbedtls_ssl_context_save( mbedtls_ssl_context *, unsigned char *, size_t, size_t * );
 int mbedtls_ssl_get_ciphersuite_id( const char * );
--- a/third_party/mbedtls/ssl_ciphersuites.c
+++ b/third_party/mbedtls/ssl_ciphersuites.c
@ -72,16 +72,20 @@ static const uint16_t ciphersuite_preference[] =
 #endif

 #ifdef MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
-    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
-    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+    /* TODO(jart): RFC8442 */
+    /* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384, */
+    /* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, */
+    /* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256, */
    MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
    MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
-    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
-    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
 #endif
--- a/third_party/mbedtls/ssl_tls.c
+++ b/third_party/mbedtls/ssl_tls.c
@ -4415,8 +4415,8 @@ static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
 * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
 */
 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
-                          const unsigned char *psk, size_t psk_len,
-                          const unsigned char *psk_identity, 
+                          const void *psk, size_t psk_len,
+                          const void *psk_identity,
                          size_t psk_identity_len )
 {
    int ret = MBEDTLS_ERR_THIS_CORRUPTION;