From effb5582dd34b3cbbe723180bab3116d1be274a4 Mon Sep 17 00:00:00 2001 From: Andres AG Date: Wed, 7 Sep 2016 11:09:44 +0100 Subject: [PATCH] Add test for bounds in X509 DER write funcs --- ChangeLog | 4 ++-- tests/suites/test_suite_x509write.function | 8 ++++++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 422f33a98..46af548e1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,8 +5,8 @@ mbed TLS ChangeLog (Sorted per branch, date) Security * Fix potential stack corruption in mbedtls_x509write_crt_der() and mbedtls_x509write_csr_der() when the signature is copied to the buffer - without checking whether there is enough space in the destination. It is - not triggerable remotely in SSL/TLS. + without checking whether there is enough space in the destination. The + issue cannot be triggered remotely. Bugfix * Fix an issue that caused valid certificates being rejected whenever an diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index c3773ba54..512083794 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -52,6 +52,10 @@ void x509_csr_check( char *key_file, char *cert_req_check_file, TEST_ASSERT( olen >= pem_len - 1 ); TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); + ret = mbedtls_x509write_csr_der( &req, buf, pem_len / 2, + rnd_pseudo_rand, &rnd_info ); + TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + exit: mbedtls_x509write_csr_free( &req ); mbedtls_pk_free( &key ); @@ -125,6 +129,10 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, TEST_ASSERT( olen >= pem_len - 1 ); TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); + ret = mbedtls_x509write_crt_der( &crt, buf, pem_len / 2, + rnd_pseudo_rand, &rnd_info ); + TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + exit: mbedtls_x509write_crt_free( &crt ); mbedtls_pk_free( &issuer_key );