mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-25 16:05:43 +01:00
Merge pull request #734 from gilles-peskine-arm/x509parse_crl-empty_entry-2.16
Backport 2.16: Fix buffer overflow in x509_get_entries (oss-fuzz 24123)
This commit is contained in:
commit
4ca60502d8
4
ChangeLog.d/x509parse_crl-empty_entry.txt
Normal file
4
ChangeLog.d/x509parse_crl-empty_entry.txt
Normal file
@ -0,0 +1,4 @@
|
||||
Security
|
||||
* Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
|
||||
Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
|
||||
for pinpointing the problematic code.
|
@ -285,13 +285,13 @@ static int x509_get_entries( unsigned char **p,
|
||||
size_t len2;
|
||||
const unsigned char *end2;
|
||||
|
||||
cur_entry->raw.tag = **p;
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
|
||||
MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
cur_entry->raw.tag = **p;
|
||||
cur_entry->raw.p = *p;
|
||||
cur_entry->raw.len = len2;
|
||||
end2 = *p + len2;
|
||||
|
@ -1336,10 +1336,60 @@ X509 CRL ASN1 (TBSCertList, sig present, len mismatch)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"305d3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e05000302000100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
|
||||
|
||||
# 305c
|
||||
# 3047 tbsCertList TBSCertList
|
||||
# 020100 version INTEGER OPTIONAL
|
||||
# 300d signatureAlgorithm AlgorithmIdentifi
|
||||
# 06092a864886f70d01010e
|
||||
# 0500
|
||||
# 300f issuer Name
|
||||
# 310d300b0603550403130441424344
|
||||
# 170c303930313031303030303030 thisUpdate Time
|
||||
# 3014 revokedCertificates
|
||||
# 3012 entry 1
|
||||
# 8202abcd userCertificate CertificateSerialNum
|
||||
# 170c303831323331323335393539 revocationDate Time
|
||||
# 300d signatureAlgorithm AlgorithmIdentifi
|
||||
# 06092a864886f70d01010e
|
||||
# 0500
|
||||
# 03020001 signatureValue BIT STRING
|
||||
# The subsequent TBSCertList negative tests remove or modify some elements.
|
||||
X509 CRL ASN1 (TBSCertList, sig present)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nserial number\: AB\:CD revocation date\: 2008-12-31 23\:59\:59\nsigned using \: RSA with SHA-224\n":0
|
||||
|
||||
X509 CRL ASN1 (TBSCertList, signatureValue missing)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"30583047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e0500":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
|
||||
|
||||
X509 CRL ASN1 (TBSCertList, signatureAlgorithm missing)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"30493047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
|
||||
|
||||
X509 CRL ASN1 (TBSCertList, single empty entry at end)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"30373035020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c30393031303130303030303030023000":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_OUT_OF_DATA
|
||||
|
||||
X509 CRL ASN1 (TBSCertList, good entry then empty entry at end)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"304b3049020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301630128202abcd170c3038313233313233353935393000":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_OUT_OF_DATA
|
||||
|
||||
X509 CRL ASN1 (TBSCertList, missing time in entry)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"304e3039020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300630048202abcd300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
|
||||
|
||||
X509 CRL ASN1 (TBSCertList, missing time in entry at end)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"303b3039020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300630048202abcd":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
|
||||
|
||||
X509 CRL ASN1 (TBSCertList, invalid tag for time in entry)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd190c303831323331323335393539300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CRL ASN1 (TBSCertList, invalid tag for serial)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128402abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CRL ASN1 (TBSCertList, no entries)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509parse_crl:"30463031020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nsigned using \: RSA with SHA-224\n":0
|
||||
|
Loading…
Reference in New Issue
Block a user