
Merge pull request #4391 from JacobBarthelmeh/Sniffer

add sanity check on buffer size
John Safranek 2 years ago
parent
commit
4380e8b94a
2 changed files with 52 additions and 0 deletions
  1. 15 0
      wolfcrypt/src/asn.c
  2. 37 0
      wolfcrypt/test/test.c

+ 15 - 0
wolfcrypt/src/asn.c

@@ -26838,6 +26838,9 @@ static int DecodeAsymKey(const byte* input, word32* inOutIdx, word32 inSz,
         endKeyIdx = *inOutIdx;
     }
 
+    if ((word32)privSz > *privKeyLen)
+        return BUFFER_E;
+
     if (endKeyIdx == (int)*inOutIdx) {
         *privKeyLen = privSz;
         XMEMCPY(privKey, priv, *privKeyLen);
@@ -26845,6 +26848,10 @@ static int DecodeAsymKey(const byte* input, word32* inOutIdx, word32 inSz,
             *pubKeyLen = 0;
     }
     else {
+        if (pubKeyLen == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
         if (GetASNHeader(input, ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1,
                          inOutIdx, &length, inSz) < 0) {
             return ASN_PARSE_E;
@@ -26852,6 +26859,10 @@ static int DecodeAsymKey(const byte* input, word32* inOutIdx, word32 inSz,
         if (GetOctetString(input, inOutIdx, &pubSz, inSz) < 0) {
             return ASN_PARSE_E;
         }
+
+        if ((word32)pubSz > *pubKeyLen)
+            return BUFFER_E;
+
         pub = input + *inOutIdx;
         *inOutIdx += pubSz;
 
@@ -26949,6 +26960,10 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz,
     if (ret != 0)
         return ret;
 
+    /* check that the value found is not too large for pubKey buffer */
+    if (inSz - *inOutIdx > *pubKeyLen)
+        return ASN_PARSE_E;
+
     /* This is the raw point data compressed or uncompressed. */
     *pubKeyLen = inSz - *inOutIdx;
     XMEMCPY(pubKey, input + *inOutIdx, *pubKeyLen);
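Review bot: The new guard in DecodeAsymKeyPublic returns ASN_PARSE_E when the data does not fit the caller's buffer, while the two equivalent guards added in DecodeAsymKey return BUFFER_E. A caller therefore cannot tell a too-small buffer from malformed DER on this path, and `return BUFFER_E;` would be consistent. As far as the hunk shows, the length being checked is `inSz - *inOutIdx`, everything left in the caller-supplied input rather than a length read from the encoding, so a valid key followed by trailing bytes is now rejected. A comment such as `/* word32 arithmetic: if *inOutIdx exceeded inSz the difference wraps and is rejected here */` would record why the subtraction is safe. The `privSz` and `pubSz` guards also omit braces where the neighbouring `pubKeyLen == NULL` check uses them; both function bodies start and end outside the hunks.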

+ 37 - 0
wolfcrypt/test/test.c

@@ -26042,6 +26042,20 @@ WOLFSSL_TEST_SUBROUTINE int ed25519_test(void)
         0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
         0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
     };
+    static byte badPrivateEd25519[] = {
+        0x30,0x52,0x02,0x01,0x00,0x30,0x05,0x06,
+        0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20,
+        0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
+        0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
+        0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
+        0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60,
+        0xa1,0x22,0x04,0x21,0xd7,0x5a,0x98,0x01, /* octet len 0x20 -> 0x21 */
+        0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3,
+        0xc9,0x64,0x07,0x3a,0x0e,0xe1,0x72,0xf3,
+        0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68,
+        0xf7,0x07,0x51,0x1a,
+        0x00  /* add additional bytes to make the pubkey bigger  */
+    };
     static byte publicEd25519[] = {
         0x30,0x2a,0x30,0x05,0x06,0x03,0x2b,0x65,
         0x70,0x03,0x21,0x00,0xd7,0x5a,0x98,0x01,
@@ -26050,6 +26064,17 @@ WOLFSSL_TEST_SUBROUTINE int ed25519_test(void)
         0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68,
         0xf7,0x07,0x51,0x1a
     };
+
+    /* size has been altered to catch if sanity check is done */
+    static byte badPublicEd25519[] = {
+        0x30,0x2a,0x30,0x05,0x06,0x03,0x2b,0x65,
+        0x70,0x03,0x21,0x00,0xd7,0x5a,0x98,0x01,
+        0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3,
+        0xc9,0x64,0x07,0x3a,0x0e,0xe1,0x72,0xf3,
+        0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68,
+        0xf7,0x07,0x51,0x1a,
+        0x00 /* add an additional byte to make the pubkey appear bigger */
+    };
     static byte privPubEd25519[] = {
         0x30,0x52,0x02,0x01,0x00,0x30,0x05,0x06,
         0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20,
@@ -26182,10 +26207,22 @@ WOLFSSL_TEST_SUBROUTINE int ed25519_test(void)
                                    sizeof(privateEd25519)) != 0)
         return -11121;
 
+    idx = 0;
+    if (wc_Ed25519PrivateKeyDecode(badPrivateEd25519, &idx, &key3,
+                                   sizeof(badPrivateEd25519)) == 0)
+        return -11122;
+
     if (wc_ed25519_sign_msg(msgs[0], msgSz[0], out, &outlen, &key3)
                 != BAD_FUNC_ARG)
         return -11131;
 
+
+    /* try with a buffer size that is too large */
+    idx = 0;
+    if (wc_Ed25519PublicKeyDecode(badPublicEd25519, &idx, &key3,
+                                  sizeof(badPublicEd25519)) == 0)
+        return -11140;
+
     idx = 0;
     if (wc_Ed25519PublicKeyDecode(publicEd25519, &idx, &key3,
                                   sizeof(publicEd25519)) != 0)
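Review bot: Both negative tests only require a non-zero return (`== 0` fails the test), so they pass on any decode failure and do not pin the new length checks. `badPrivateEd25519` changes the inner octet length to 0x21 and appends a byte but leaves the outer 0x52 and 0x22 lengths as they were, so it could plausibly be rejected for a length mismatch elsewhere in the parser. If the wc_Ed25519 decode wrappers pass the decoder's error through unchanged, compare against it, e.g. `sizeof(badPrivateEd25519)) != BUFFER_E)`. The comment `/* try with a buffer size that is too large */` would be clearer as `/* input carries more key bytes than the key buffer holds */`. ed25519_test continues outside the hunk.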