Add test for bounds in X509 DER write funcs

Andres AG 2016-09-07 11:09:44 +01:00 committed by Simon Butcher
parent 60dbc93831
commit e0af995f12
2 changed files with 28 additions and 4 deletions


@ -5,8 +5,8 @@ mbed TLS ChangeLog (Sorted per branch, date)
Security Security
* Fix potential stack corruption in mbedtls_x509write_crt_der() and * Fix potential stack corruption in mbedtls_x509write_crt_der() and
mbedtls_x509write_csr_der() when the signature is copied to the buffer mbedtls_x509write_csr_der() when the signature is copied to the buffer
without checking whether there is enough space in the destination. It is without checking whether there is enough space in the destination. The
not triggerable remotely in SSL/TLS. issue cannot be triggered remotely.
Features Features
* Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by


@ -16,10 +16,11 @@ void x509_csr_check( char *key_file, char *cert_req_check_file,
{ {
mbedtls_pk_context key; mbedtls_pk_context key;
mbedtls_x509write_csr req; mbedtls_x509write_csr req;
unsigned char buf[4000]; unsigned char buf[4096];
unsigned char check_buf[4000]; unsigned char check_buf[4000];
int ret; int ret;
size_t olen = 0, pem_len = 0; size_t olen = 0, pem_len = 0;
int der_len = -1;
FILE *f; FILE *f;
const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
rnd_pseudo_info rnd_info; rnd_pseudo_info rnd_info;
@ -52,6 +53,17 @@ void x509_csr_check( char *key_file, char *cert_req_check_file,
TEST_ASSERT( olen >= pem_len - 1 ); TEST_ASSERT( olen >= pem_len - 1 );
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
der_len = mbedtls_x509write_csr_der( &req, buf, sizeof( buf ),
rnd_pseudo_rand, &rnd_info );
TEST_ASSERT( der_len >= 0 );
if( der_len == 0 )
goto exit;
ret = mbedtls_x509write_csr_der( &req, buf, (size_t)( der_len - 1 ),
rnd_pseudo_rand, &rnd_info );
TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
exit: exit:
mbedtls_x509write_csr_free( &req ); mbedtls_x509write_csr_free( &req );
mbedtls_pk_free( &key ); mbedtls_pk_free( &key );
@ -68,11 +80,12 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
{ {
mbedtls_pk_context subject_key, issuer_key; mbedtls_pk_context subject_key, issuer_key;
mbedtls_x509write_cert crt; mbedtls_x509write_cert crt;
unsigned char buf[4000]; unsigned char buf[4096];
unsigned char check_buf[5000]; unsigned char check_buf[5000];
mbedtls_mpi serial; mbedtls_mpi serial;
int ret; int ret;
size_t olen = 0, pem_len = 0; size_t olen = 0, pem_len = 0;
int der_len = -1;
FILE *f; FILE *f;
rnd_pseudo_info rnd_info; rnd_pseudo_info rnd_info;
@ -125,6 +138,17 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
TEST_ASSERT( olen >= pem_len - 1 ); TEST_ASSERT( olen >= pem_len - 1 );
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ),
rnd_pseudo_rand, &rnd_info );
TEST_ASSERT( der_len >= 0 );
if( der_len == 0 )
goto exit;
ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ),
rnd_pseudo_rand, &rnd_info );
TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
exit: exit:
mbedtls_x509write_crt_free( &crt ); mbedtls_x509write_crt_free( &crt );
mbedtls_pk_free( &issuer_key ); mbedtls_pk_free( &issuer_key );
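Review bot: The `if( der_len == 0 ) goto exit;` branch in x509_csr_check (repeated in x509_crt_check) lets the test pass without ever making the undersized-buffer call, so a regression that makes the DER writer return 0 would silently skip the bounds check this commit is meant to pin. A CSR or certificate cannot encode to zero bytes, so I would replace the assert and the `if` with `TEST_ASSERT( der_len > 0 );`. The negative case also probes only one size, `der_len - 1`, and passes the same 4096-byte array, so a write past the claimed length may still land inside `buf` and go unnoticed; consider looping over a few smaller sizes, ideally into an exactly sized allocation so a memory checker can see a stray write. Both function bodies begin and end outside the hunks shown.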