diff --git a/ChangeLog b/ChangeLog
index 381988af9..a8db52bc3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -42,6 +42,8 @@ Bugfix
 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
 * Calling pk_debug() on an RSA-alt key would segfault.
 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
+ * Potential buffer overwrite in pem_write_buffer() because of low length
+ indication (found by Thijs Alkemade)
 
 = PolarSSL 1.3.5 released on 2014-03-26
 Features
diff --git a/library/pem.c b/library/pem.c
index 2c9d10d25..1cc23ba8d 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -382,10 +382,11 @@ int pem_write_buffer( const char *header, const char *footer,
 {
 int ret;
 unsigned char *encode_buf, *c, *p = buf;
- size_t len = 0, use_len = 0;
- size_t add_len = strlen( header ) + strlen( footer ) + ( use_len / 64 ) + 1;
+ size_t len = 0, use_len = 0, add_len = 0;
 
 base64_encode( NULL, &use_len, der_data, der_len );
+ add_len = strlen( header ) + strlen( footer ) + ( use_len / 64 ) + 1;
+
 if( use_len + add_len > buf_len )
 {
 *olen = use_len + add_len;
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index d5b0512dd..0460c63fa 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -75,6 +75,7 @@ add_test_suite(md)
 add_test_suite(mdx)
 add_test_suite(mpi)
 add_test_suite(pbkdf2)
+add_test_suite(pem)
 add_test_suite(pkcs1_v21)
 add_test_suite(pkcs5)
 add_test_suite(pk)
diff --git a/tests/Makefile b/tests/Makefile
index 57cac3b31..ce458ca07 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -58,6 +58,7 @@ APPS = test_suite_aes.ecb test_suite_aes.cbc \
 test_suite_hmac_drbg.pr \
 test_suite_md test_suite_mdx \
 test_suite_mpi test_suite_pbkdf2 \
+ test_suite_pem \
 test_suite_pkcs1_v21 test_suite_pkcs5 \
 test_suite_pkparse test_suite_pkwrite \
 test_suite_pk \
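Review bot: In library/pem.c, the bounds check in pem_write_buffer() now depends on statement order that nothing in the code documents: `add_len` is only correct once the sizing call `base64_encode( NULL, &use_len, der_data, der_len )` has filled in `use_len`. A short comment above the new assignment, such as `/* use_len is only known after the sizing call above; do not hoist this into the declaration */`, would keep a later cleanup from reintroducing the undersized length that allowed the overwrite. The return value of the sizing call is also discarded; presumably it always reports the buffer-too-small code for a NULL destination, which the same comment could state. The function body continues outside the hunk.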
@@ -321,6 +322,10 @@ test_suite_pbkdf2: test_suite_pbkdf2.c $(DEP)
 echo " CC $@.c"
 $(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@
 
+test_suite_pem: test_suite_pem.c $(DEP)
+ echo " CC $@.c"
+ $(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@
+
 test_suite_pkcs1_v21: test_suite_pkcs1_v21.c $(DEP)
 echo " CC $@.c"
 $(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index 1c508098c..95a924f9a 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -1,6 +1,14 @@
 #include
 #include
 
+#if defined(POLARSSL_PLATFORM_C)
+#include "polarssl/platform.h"
+#else
+#define polarssl_printf printf
+#define polarssl_malloc malloc
+#define polarssl_free free
+#endif
+
 static int test_errors = 0;
 
 SUITE_PRE_DEP
diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data
new file mode 100644
index 000000000..311ea9c15
--- /dev/null
+++ b/tests/suites/test_suite_pem.data
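Review bot: In tests/suites/main_test.function the new `#if defined(POLARSSL_PLATFORM_C)` is evaluated after only the two includes at the top of the file, so unless the configuration header is already in effect at that point (the include targets are stripped on this page and the compiler flags are not shown), the macro is undefined and the `#else` fallbacks are always selected. In that case the test code would call plain `malloc`/`free` even in builds that configure the platform layer, so the allocator under test and the one used by the tests could differ. Including the configuration header ahead of the check, e.g. `#include "polarssl/config.h"` before the `#if`, makes the selection follow the build.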
@@ -0,0 +1,17 @@
+Standard PEM write
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8=\n-----END TEST-----\n"
+
+PEM write (zero data)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"":"-----START TEST-----\n-----END TEST-----\n"
+
+PEM write (one byte)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"00":"-----START TEST-----\nAA==\n-----END TEST-----\n"
+
+PEM write (more than line size)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8=\n-----END TEST-----\n"
+
+PEM write (exactly two lines)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\n-----END TEST-----\n"
+
+PEM write (exactly two lines + 1)
+pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n"
diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function
new file mode 100644
index 000000000..42d977990
--- /dev/null
+++ b/tests/suites/test_suite_pem.function
@@ -0,0 +1,38 @@
+/* BEGIN_HEADER */
+#include
+#include
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:POLARSSL_PEM_WRITE_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void pem_write_buffer( char *start, char *end, char *buf_str, char *result_str )
+{
+ unsigned char buf[5000];
+ unsigned char *check_buf;
+ int ret;
+ size_t buf_len, olen = 0, olen2 = 0;
+
+ memset( buf, 0, sizeof( buf ) );
+
+ buf_len = unhexify( buf, buf_str );
+
+ ret = pem_write_buffer( start, end, buf, buf_len, NULL, 0, &olen );
+ TEST_ASSERT( ret == POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL );
+
+ check_buf = (unsigned char *) polarssl_malloc( olen );
+ TEST_ASSERT( check_buf != NULL );
+
+ memset( check_buf, 0, olen );
+ ret = pem_write_buffer( start, end, buf, buf_len, check_buf, olen, &olen2 );
+
+ TEST_ASSERT( olen2 <= olen );
+ TEST_ASSERT( olen > strlen( (char*) result_str ) );
+ TEST_ASSERT( ret == 0 );
+ TEST_ASSERT( strncmp( (char *) check_buf, (char *) result_str, olen ) == 0 );
+ polarssl_free( check_buf );
+}
+/* END_CASE */
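Review bot: The test case in tests/suites/test_suite_pem.function can only notice an overwrite after it has happened: `check_buf` is allocated with exactly `olen` bytes, so if the second pem_write_buffer() call writes past the reported length the heap is already corrupted before `TEST_ASSERT( olen2 <= olen )` runs, and without a memory checker the outcome may be nondeterministic. A guard byte would make the regression fail deterministically: allocate with `polarssl_malloc( olen + 1 )`, set `check_buf[olen] = 0xA5;` before the call, and add `TEST_ASSERT( check_buf[olen] == 0xA5 );` after it. It would also be cleaner to assert `ret == 0` before comparing `olen2`, and `check_buf` appears to leak when an assertion fails before `polarssl_free()`, depending on how TEST_ASSERT exits (its definition is not shown here).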