hacl-star
DRBG and HKDF stack overflow
Ed25519 can't be used on messages of 1MB or larger on Windows and 8MB on macOS/Linux. The code tries to allocate memory that fits the message on the stack, which doesn't work for messages of these sizes.
https://github.com/project-everest/hacl-star/blob/db532a99428c09cc4c474746bc46381fe78c59a0/dist/gcc-compatible/Hacl_Ed25519.c#L1221-L1224
https://github.com/project-everest/hacl-star/blob/db532a99428c09cc4c474746bc46381fe78c59a0/dist/msvc-compatible/Hacl_Ed25519.c#L1221-L1224
For some reason KRML_CHECK_SIZE doesn't fail as expected but the memory allocation actually fails with an overflow, which appears to be a bug in kremlin.
thread 'main' has overflowed its stack
(signal: 11, SIGSEGV: invalid memory reference
@polubelova how about using a streaming API for the hashing instead? That's probably better than putting the message on the heap.
@protz KRML_CHECK_SIZE appears to be for heap allocations rather than stack but is used to guard stack allocations in hacl. We either need another CHECK_SIZE or change this to check for stack allocation limits.
I think there should be a streaming API for signing/verification. Copying the message is not the right way to do this.
On 23 May 2021, at 10:50, Franziskus Kiefer wrote:
HKDF has a similar issue, trying to allocate memory of the size of info on the stack.
https://github.com/project-everest/hacl-star/blob/43796f8827d3ef9232ef8cd75046431ff89b3327/dist/ccf/EverCrypt_HKDF.c#L41
DRBG is another instance of the same issue https://github.com/project-everest/hacl-star/blob/36eeec7cc2ff1f6f652a9cabb047c87da364378b/dist/c89-compatible/Hacl_HMAC_DRBG.c#L197-L200
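The streaming approach suggested in the thread, sketched in C as an added example that is not part of the original discussion and is not HACL* code. The hash is a stand-in (64-bit FNV-1a, not SHA-512), and `toy_hash`, `size_check_ok`, `digest_copy`, `digest_stream` and `same_digest` are hypothetical names; the block shows that an overflow-style size check passes for an 8 MiB message while saying nothing about stack space, and that feeding a prefix and the message to an incremental hash yields the same digest as hashing a concatenated copy.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in incremental hash (64-bit FNV-1a), NOT SHA-512 and not HACL code:
   it only provides the init/update shape a streaming hash API has. */
typedef struct { uint64_t h; } toy_hash;
static void toy_init(toy_hash *s) { s->h = 0xcbf29ce484222325ULL; }
static void toy_update(toy_hash *s, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { s->h ^= p[i]; s->h *= 0x100000001b3ULL; }
}
/* Hypothetical overflow-style guard: does n * elt fit in size_t?
   It passes for any realistic message and knows nothing about the stack. */
static int size_check_ok(size_t elt, size_t n) { return n <= SIZE_MAX / elt; }

/* Copying shape: hash prefix || msg from one buffer of plen + mlen bytes.
   Heap-allocated here so the demo survives; the thread's crash is the same
   buffer placed on the stack. */
static int digest_copy(const uint8_t *prefix, size_t plen,
                       const uint8_t *msg, size_t mlen, uint64_t *out) {
    if (mlen > SIZE_MAX - plen || !size_check_ok(1, plen + mlen)) return -1;
    uint8_t *buf = malloc(plen + mlen);
    if (buf == NULL) return -1;
    memcpy(buf, prefix, plen);
    memcpy(buf + plen, msg, mlen);
    toy_hash s; toy_init(&s); toy_update(&s, buf, plen + mlen);
    *out = s.h;
    free(buf);
    return 0;
}
/* Streaming shape: feed the prefix, then the caller's message in place,
   4 KiB at a time. Stack use is constant whatever mlen is. */
static uint64_t digest_stream(const uint8_t *prefix, size_t plen,
                              const uint8_t *msg, size_t mlen) {
    toy_hash s; toy_init(&s); toy_update(&s, prefix, plen);
    for (size_t off = 0; off < mlen; off += 4096)
        toy_update(&s, msg + off, mlen - off < 4096 ? mlen - off : 4096);
    return s.h;
}
/* Constructed input: a 32-byte prefix and mlen bytes of patterned message. */
static int same_digest(size_t mlen) {
    uint8_t prefix[32]; uint64_t a = 0; int ok = 0;
    uint8_t *msg = malloc(mlen ? mlen : 1);
    if (msg == NULL) return -1;
    memset(prefix, 0xA5, sizeof prefix);
    for (size_t i = 0; i < mlen; i++) msg[i] = (uint8_t)(i * 31u + 7u);
    if (digest_copy(prefix, sizeof prefix, msg, mlen, &a) == 0)
        ok = (a == digest_stream(prefix, sizeof prefix, msg, mlen));
    free(msg);
    return ok;
}
int main(void) { return same_digest((size_t)8 << 20) == 1 ? 0 : 1; }
```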