Merge fix for IOTSSL-474 PKCS12 Overflow

Fix stack buffer overflow in PKCS12

ChangeLog

@@ -4,10 +4,13 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 Security
    * Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
-     overflow of the hostname or session ticket. (Found by Guido Vranken).
+     overflow of the hostname or session ticket. Found by Guido Vranken.
    * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
      once in the same handhake and mbedtls_ssl_conf_psk() was used.
      Found and patch provided by Guido Vranken. Cannot be forced remotely.
+   * Fix stack buffer overflow in pkcs12 decryption (used by
+     mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
+     Found by Guido Vranken. Not triggerable remotely.
 
 Changes
    * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure

library/pkcs12.c

@@ -86,6 +86,8 @@ static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params,
     return( 0 );
 }
 
+#define PKCS12_MAX_PWDLEN 128
+
 static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
                                      const unsigned char *pwd,  size_t pwdlen,
                                      unsigned char *key, size_t keylen,
@@ -94,7 +96,10 @@ static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_ty
     int ret, iterations;
     mbedtls_asn1_buf salt;
     size_t i;
-    unsigned char unipwd[258];
+    unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
+
+    if( pwdlen > PKCS12_MAX_PWDLEN )
+        return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA );
 
     memset( &salt, 0, sizeof(mbedtls_asn1_buf) );
     memset( &unipwd, 0, sizeof(unipwd) );
@@ -125,6 +130,8 @@ static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_ty
     return( 0 );
 }
 
+#undef PKCS12_MAX_PWDLEN
+
 int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
                              const unsigned char *pwd,  size_t pwdlen,
                              const unsigned char *data, size_t len,