mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-30 10:14:15 +01:00
Add test for bounds in X509 DER write funcs
This commit is contained in:
parent
1e5de32473
commit
f527609849
@ -5,8 +5,8 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
|||||||
Security
|
Security
|
||||||
* Fix potential stack corruption in mbedtls_x509write_crt_der() and
|
* Fix potential stack corruption in mbedtls_x509write_crt_der() and
|
||||||
mbedtls_x509write_csr_der() when the signature is copied to the buffer
|
mbedtls_x509write_csr_der() when the signature is copied to the buffer
|
||||||
without checking whether there is enough space in the destination. It is
|
without checking whether there is enough space in the destination. The
|
||||||
not triggerable remotely in SSL/TLS.
|
issue cannot be triggered remotely. (found by Jethro Beekman)
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Fix an issue that caused valid certificates being rejected whenever an
|
* Fix an issue that caused valid certificates being rejected whenever an
|
||||||
|
@ -16,10 +16,11 @@ void x509_csr_check( char *key_file, char *cert_req_check_file,
|
|||||||
{
|
{
|
||||||
pk_context key;
|
pk_context key;
|
||||||
x509write_csr req;
|
x509write_csr req;
|
||||||
unsigned char buf[4000];
|
unsigned char buf[4096];
|
||||||
unsigned char check_buf[4000];
|
unsigned char check_buf[4000];
|
||||||
int ret;
|
int ret;
|
||||||
size_t olen = 0, pem_len = 0;
|
size_t olen = 0, pem_len = 0;
|
||||||
|
int der_len = -1;
|
||||||
FILE *f;
|
FILE *f;
|
||||||
const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
|
const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
|
||||||
rnd_pseudo_info rnd_info;
|
rnd_pseudo_info rnd_info;
|
||||||
@ -52,6 +53,17 @@ void x509_csr_check( char *key_file, char *cert_req_check_file,
|
|||||||
TEST_ASSERT( olen >= pem_len - 1 );
|
TEST_ASSERT( olen >= pem_len - 1 );
|
||||||
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
|
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
|
||||||
|
|
||||||
|
der_len = x509write_csr_der( &req, buf, sizeof( buf ),
|
||||||
|
rnd_pseudo_rand, &rnd_info );
|
||||||
|
TEST_ASSERT( der_len >= 0 );
|
||||||
|
|
||||||
|
if( der_len == 0 )
|
||||||
|
goto exit;
|
||||||
|
|
||||||
|
ret = x509write_csr_der( &req, buf, (size_t)( der_len - 1 ),
|
||||||
|
rnd_pseudo_rand, &rnd_info );
|
||||||
|
TEST_ASSERT( ret == POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
x509write_csr_free( &req );
|
x509write_csr_free( &req );
|
||||||
pk_free( &key );
|
pk_free( &key );
|
||||||
@ -68,11 +80,12 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
|
|||||||
{
|
{
|
||||||
pk_context subject_key, issuer_key;
|
pk_context subject_key, issuer_key;
|
||||||
x509write_cert crt;
|
x509write_cert crt;
|
||||||
unsigned char buf[4000];
|
unsigned char buf[4096];
|
||||||
unsigned char check_buf[5000];
|
unsigned char check_buf[5000];
|
||||||
mpi serial;
|
mpi serial;
|
||||||
int ret;
|
int ret;
|
||||||
size_t olen = 0, pem_len = 0;
|
size_t olen = 0, pem_len = 0;
|
||||||
|
int der_len = -1;
|
||||||
FILE *f;
|
FILE *f;
|
||||||
rnd_pseudo_info rnd_info;
|
rnd_pseudo_info rnd_info;
|
||||||
|
|
||||||
@ -125,6 +138,17 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
|
|||||||
TEST_ASSERT( olen >= pem_len - 1 );
|
TEST_ASSERT( olen >= pem_len - 1 );
|
||||||
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
|
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
|
||||||
|
|
||||||
|
der_len = x509write_crt_der( &crt, buf, sizeof( buf ),
|
||||||
|
rnd_pseudo_rand, &rnd_info );
|
||||||
|
TEST_ASSERT( der_len >= 0 );
|
||||||
|
|
||||||
|
if( der_len == 0 )
|
||||||
|
goto exit;
|
||||||
|
|
||||||
|
ret = x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ),
|
||||||
|
rnd_pseudo_rand, &rnd_info );
|
||||||
|
TEST_ASSERT( ret == POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
x509write_crt_free( &crt );
|
x509write_crt_free( &crt );
|
||||||
pk_free( &issuer_key );
|
pk_free( &issuer_key );
|
||||||
|
Loading…
Reference in New Issue
Block a user