lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

pem: fix valid data length returned by mbedtls_pem_read_buffer()

Browse Source 
ctx->buflen now returns the amount of valid data in ctx->buf.
Unencrypted buffers were already ok, but encrypted ones were
used to return the length of the encrypted buffer, not the
unencrypted one.
This commit fix this behavior for encrypted buffers.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti
2024-02-08 17:51:00 +01:00
parent b1f6d2ad6f
commit 2653e92a57
2 changed files with 16 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
include/mbedtls/pem.h
View File

@ -73,11 +73,11 @@ void mbedtls_pem_init(mbedtls_pem_context *ctx);
* \param data source data to look in (must be nul-terminated) * \param data source data to look in (must be nul-terminated)
* \param pwd password for decryption (can be NULL) * \param pwd password for decryption (can be NULL)
* \param pwdlen length of password * \param pwdlen length of password
* \param use_len destination for total length used (set after header is * \param use_len destination for total length used from data buffer. It is
* correctly read, so unless you get * set after header is correctly read, so unless you get
* MBEDTLS_ERR_PEM_BAD_INPUT_DATA or * MBEDTLS_ERR_PEM_BAD_INPUT_DATA or
* MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is * MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is
* the length to skip) * the length to skip.
* *
* \note Attempts to check password correctness by verifying if * \note Attempts to check password correctness by verifying if
* the decrypted text starts with an ASN.1 sequence of * the decrypted text starts with an ASN.1 sequence of

20
library/pem.c
View File

@ -17,6 +17,7 @@
#include "mbedtls/cipher.h" #include "mbedtls/cipher.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/asn1.h"
#include <string.h> #include <string.h>
@ -431,15 +432,20 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const
} }
/* /*
* The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3 * The result will be ASN.1 starting with a SEQUENCE tag. Parse it
* length bytes (allow 4 to be sure) in all known use cases. * with ASN.1 functions in order to:
* * - Have an heuristic guess about password mismatches.
* Use that as a heuristic to try to detect password mismatches. * - Update len variable to the amount of valid data inside buf.
*/ */
if (len <= 2 || buf[0] != 0x30 || buf[1] > 0x83) { unsigned char *p = buf;
mbedtls_zeroize_and_free(buf, len); ret = mbedtls_asn1_get_tag(&p, buf + len, &len,
return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH; MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED);
if (ret != 0) {
mbedtls_free(buf);
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret);
} }
/* Add also the sequence block (tag + len) to the total amount of valid data. */
len += (p - buf);
#else #else
mbedtls_zeroize_and_free(buf, len); mbedtls_zeroize_and_free(buf, len);
return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE; return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE;