Merge branch 'mbedtls-1.3-restricted'
diff --git a/ChangeLog b/ChangeLog
index 446397f..3c7a423 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,12 @@
= mbed TLS 1.3.x branch released xxxx-xx-xx
Bugfix
+ * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
+ the input string in PEM format to extract the different components. Found
+ by Eyal Itkin.
+ * Fix unused variable/function compilation warnings in pem.c and x509_csr.c
+ that are reported when building mbed TLS with a config.h that does not
+ define POLARSSL_PEM_PARSE_C. Found by omnium21. #562
* Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
@@ -11,9 +17,6 @@
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
- * Fix unused variable/function compilation warnings in pem.c and x509_csr.c
- that are reported when building mbed TLS with a config.h that does not
- define POLARSSL_PEM_PARSE_C. Found by omnium21. #562
= mbed TLS 1.3.18 branch 2016-10-17
diff --git a/library/pem.c b/library/pem.c
index ac83116..b2c16c2 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -250,7 +250,7 @@
enc = 0;
- if( memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
+ if( s2 - s1 >= 22 && memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
{
#if defined(POLARSSL_MD5_C) && defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C) )
@@ -263,22 +263,22 @@
#if defined(POLARSSL_DES_C)
- if( memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
+ if( s2 - s1 >= 23 && memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
{
enc_alg = POLARSSL_CIPHER_DES_EDE3_CBC;
s1 += 23;
- if( pem_get_iv( s1, pem_iv, 8 ) != 0 )
+ if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8 ) != 0 )
return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
s1 += 16;
}
- else if( memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
+ else if( s2 - s1 >= 18 && memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
{
enc_alg = POLARSSL_CIPHER_DES_CBC;
s1 += 18;
- if( pem_get_iv( s1, pem_iv, 8) != 0 )
+ if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8) != 0 )
return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
s1 += 16;
@@ -286,9 +286,11 @@
#endif /* POLARSSL_DES_C */
#if defined(POLARSSL_AES_C)
- if( memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
+ if( s2 - s1 >= 14 && memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
{
- if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
+ if( s2 - s1 < 22 )
+ return( POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG );
+ else if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
enc_alg = POLARSSL_CIPHER_AES_128_CBC;
else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
enc_alg = POLARSSL_CIPHER_AES_192_CBC;
@@ -298,7 +300,7 @@
return( POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG );
s1 += 22;
- if( pem_get_iv( s1, pem_iv, 16 ) != 0 )
+ if( s2 - s1 < 32 || pem_get_iv( s1, pem_iv, 16 ) != 0 )
return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
s1 += 32;
@@ -317,7 +319,7 @@
( POLARSSL_AES_C || POLARSSL_DES_C ) */
}
- if( s1 == s2 )
+ if( s1 >= s2 )
return( POLARSSL_ERR_PEM_INVALID_DATA );
len = 0;
diff --git a/tests/scripts/generate_code.pl b/tests/scripts/generate_code.pl
index 078e82d..e13a2d0 100755
--- a/tests/scripts/generate_code.pl
+++ b/tests/scripts/generate_code.pl
@@ -139,7 +139,7 @@
$param_defs .= " char *param$i = params[$i];\n";
$param_checks .= " if( verify_string( ¶m$i ) != 0 ) return( 2 );\n";
push @dispatch_params, "param$i";
- $mapping_regex .= ":[^:\n]+";
+ $mapping_regex .= ":(?:\\\\.|[^:\n])+";
}
else
{
diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data
index 311ea9c..b5f63e5 100644
--- a/tests/suites/test_suite_pem.data
+++ b/tests/suites/test_suite_pem.data
@@ -15,3 +15,12 @@
PEM write (exactly two lines + 1)
pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n"
+
+PEM read (DES-EDE3-CBC + invalid iv)
+pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":POLARSSL_ERR_PEM_INVALID_ENC_IV
+
+PEM read (DES-CBC + invalid iv)
+pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":POLARSSL_ERR_PEM_INVALID_ENC_IV
+
+PEM read (unknown encryption algorithm)
+pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG
diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function
index f8aab47..e0b7679 100644
--- a/tests/suites/test_suite_pem.function
+++ b/tests/suites/test_suite_pem.function
@@ -3,12 +3,7 @@
#include "polarssl/pem.h"
/* END_HEADER */
-/* BEGIN_DEPENDENCIES
- * depends_on:POLARSSL_PEM_WRITE_C
- * END_DEPENDENCIES
- */
-
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:POLARSSL_PEM_WRITE_C */
void pem_write_buffer( char *start, char *end, char *buf_str, char *result_str )
{
unsigned char buf[5000];
@@ -38,3 +33,20 @@
polarssl_free( check_buf );
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_AES_C:POLARSSL_DES_C:POLARSSL_MD5_C:POLARSSL_CIPHER_MODE_CBC */
+void pem_read_buffer( char *header, char *footer, char *data, int ret )
+{
+ pem_context ctx;
+ size_t use_len = 0;
+
+ pem_init( &ctx );
+
+ TEST_ASSERT( pem_read_buffer( &ctx, header, footer,
+ (const unsigned char *)data, NULL, 0,
+ &use_len ) == ret );
+
+exit:
+ pem_free( &ctx );
+}
+/* END_CASE */