Merge remote-tracking branch 'upstream-restricted/pr/459' into development-restricted-proposed

2018-03-14 18:13:47 +00:00 · 2018-03-14 18:13:47 +00:00 · 24b2d6fb6d
commit 24b2d6fb6d
parent 8e4ff12909 22797fcc57
4 changed files with 25 additions and 9 deletions
--- a/2
+++ b/2
@ -65,6 +65,8 @@ Bugfix
     could cause a key exchange to fail on valid data.
   * Don't define mbedtls_aes_decrypt and mbedtls_aes_encrypt under
     MBEDTLS_DEPRECATED_REMOVED. #1388
+   * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
+     Found through fuzz testing.

 Changes
   * Fix tag lengths and value ranges in the documentation of CCM encryption.
--- a/library/pkparse.c
+++ b/library/pkparse.c
@ -181,6 +181,10 @@ static int pk_get_ecparams( unsigned char **p, const unsigned char *end,
 {
    int ret;

+    if ( end - *p < 1 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
    /* Tag may be either OID or SEQUENCE */
    params->tag = **p;
    if( params->tag != MBEDTLS_ASN1_OID
--- a/tests/suites/test_suite_pkparse.data
+++ b/tests/suites/test_suite_pkparse.data
@ -1053,22 +1053,32 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256K1_ENABLED:MB
 pk_parse_keyfile_ec:"data_files/ec_prv.specdom.der":"NULL":0

 Key ASN1 (Incorrect first tag)
-pk_parse_key_rsa:"":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+pk_parse_key:"":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT

 Key ASN1 (RSAPrivateKey, incorrect version tag)
-pk_parse_key_rsa:"300100":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_RSA_C
+pk_parse_key:"300100":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT

 Key ASN1 (RSAPrivateKey, version tag missing)
-pk_parse_key_rsa:"3000":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_RSA_C
+pk_parse_key:"3000":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT

 Key ASN1 (RSAPrivateKey, invalid version)
-pk_parse_key_rsa:"3003020101":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_RSA_C
+pk_parse_key:"3003020101":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT

 Key ASN1 (RSAPrivateKey, correct version, incorrect tag)
-pk_parse_key_rsa:"300402010000":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_RSA_C
+pk_parse_key:"300402010000":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT

 Key ASN1 (RSAPrivateKey, values present, length mismatch)
-pk_parse_key_rsa:"301c02010002010102010102010102010102010102010102010102010100":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_RSA_C
+pk_parse_key:"301c02010002010102010102010102010102010102010102010102010100":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT

 Key ASN1 (RSAPrivateKey, values present, check_privkey fails)
-pk_parse_key_rsa:"301b020100020102020101020101020101020101020101020101020101":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_RSA_C
+pk_parse_key:"301b020100020102020101020101020101020101020101020101020101":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
+Key ASN1 (ECPrivateKey, empty parameters)
+depends_on:MBEDTLS_ECP_C
+pk_parse_key:"30070201010400a000":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@ -113,8 +113,8 @@ exit:
 }
 /* END_CASE */

-/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
-void pk_parse_key_rsa( char *key_data, char *result_str, int result )
+/* BEGIN_CASE */
+void pk_parse_key( char *key_data, char *result_str, int result )
 {
    mbedtls_pk_context pk;
    unsigned char buf[2000];