yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge branch 'iotssl-629-der-trailing-bytes'

Browse source 
Fixes bug in mbedtls_x509_crt_parse that caused trailing extra data in the
buffer following DER certificates to be included in the raw representation.
This commit is contained in:
Simon Butcher 2016-03-12 23:28:26 +00:00
commit 4b852db299
11 changed files with 76 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
ChangeLog
View file

@ -14,6 +14,8 @@ Bugfix
* Fix an issue that caused valid certificates to be rejected whenever an * Fix an issue that caused valid certificates to be rejected whenever an
expired or not yet valid certificate was parsed before a valid certificate expired or not yet valid certificate was parsed before a valid certificate
in the trusted certificate list. in the trusted certificate list.
* Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
buffer after DER certificates to be included in the raw representation.
Changes Changes
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,

23
library/x509_crt.c
View file

@ -677,14 +677,9 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, const unsigned char *
if( crt == NULL || buf == NULL ) if( crt == NULL || buf == NULL )
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
p = mbedtls_calloc( 1, len = buflen ); // Use the original buffer until we figure out actual length
if( p == NULL ) p = (unsigned char*) buf;
return( MBEDTLS_ERR_X509_ALLOC_FAILED ); len = buflen;
memcpy( p, buf, buflen );
crt->raw.p = p;
crt->raw.len = len;
end = p + len; end = p + len;
/* /*
@ -708,6 +703,18 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, const unsigned char *
} }
crt_end = p + len; crt_end = p + len;
// Create and populate a new buffer for the raw field
crt->raw.len = crt_end - buf;
crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len );
if( p == NULL )
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
memcpy( p, buf, crt->raw.len );
// Direct pointers to the new buffer
p += crt->raw.len - len;
end = crt_end = p + len;
/* /*
* TBSCertificate ::= SEQUENCE { * TBSCertificate ::= SEQUENCE {
*/ */

BIN
tests/data_files/server5-der0.crt Normal file
View file

Binary file not shown.

BIN
tests/data_files/server5-der1a.crt Normal file
View file

Binary file not shown.

BIN
tests/data_files/server5-der1b.crt Normal file
View file

Binary file not shown.

BIN
tests/data_files/server5-der2.crt Normal file
View file

Binary file not shown.

BIN
tests/data_files/server5-der4.crt Normal file
View file

Binary file not shown.

BIN
tests/data_files/server5-der8.crt Normal file
View file

Binary file not shown.

BIN
tests/data_files/server5-der9.crt Normal file
View file

Binary file not shown.

58
tests/ssl-opt.sh
View file

@ -1559,6 +1559,64 @@ run_test "Renego ext: gnutls client unsafe, server break legacy" \
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-S "server hello, secure renegotiation extension" -S "server hello, secure renegotiation extension"
# Tests for silently dropping trailing extra bytes in .der certificates
requires_gnutls
run_test "DER format: no trailing bytes" \
"$P_SRV crt_file=data_files/server5-der0.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
0 \
-c "Handshake was completed" \
requires_gnutls
run_test "DER format: with a trailing zero byte" \
"$P_SRV crt_file=data_files/server5-der1a.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
0 \
-c "Handshake was completed" \
requires_gnutls
run_test "DER format: with a trailing random byte" \
"$P_SRV crt_file=data_files/server5-der1b.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
0 \
-c "Handshake was completed" \
requires_gnutls
run_test "DER format: with 2 trailing random bytes" \
"$P_SRV crt_file=data_files/server5-der2.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
0 \
-c "Handshake was completed" \
requires_gnutls
run_test "DER format: with 4 trailing random bytes" \
"$P_SRV crt_file=data_files/server5-der4.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
0 \
-c "Handshake was completed" \
requires_gnutls
run_test "DER format: with 8 trailing random bytes" \
"$P_SRV crt_file=data_files/server5-der8.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
0 \
-c "Handshake was completed" \
requires_gnutls
run_test "DER format: with 9 trailing random bytes" \
"$P_SRV crt_file=data_files/server5-der9.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
0 \
-c "Handshake was completed" \
# Tests for auth_mode # Tests for auth_mode
run_test "Authentication: server badcert, client required" \ run_test "Authentication: server badcert, client required" \

2
tests/suites/test_suite_x509parse.data
View file

@ -771,7 +771,7 @@ X509 Certificate ASN1 (Incorrect first tag)
x509parse_crt:"":"":MBEDTLS_ERR_X509_INVALID_FORMAT x509parse_crt:"":"":MBEDTLS_ERR_X509_INVALID_FORMAT
X509 Certificate ASN1 (Correct first tag, data length does not match) X509 Certificate ASN1 (Correct first tag, data length does not match)
x509parse_crt:"300000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG x509parse_crt:"300000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 Certificate ASN1 (Correct first tag, no more data) X509 Certificate ASN1 (Correct first tag, no more data)
x509parse_crt:"3000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA x509parse_crt:"3000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA