authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-14 14:47:13 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-14 17:15:59 +0100
commit4b2b878ddd08a6a56ed35b489d161da3cbc16b1f (patch)
tree03bab6abdeb4c998385def021081fbb698227627
parent1a82866b24da2e5ed50631a9cc77b912fefec5e5 (diff)
downloadgnutls-4b2b878ddd08a6a56ed35b489d161da3cbc16b1f.tar.gz
PKCS#5,7 decryption: enforce limits in the support parameter sizes
This allows invalid parameters to be detected early rather than later. Relates #148
-rw-r--r--lib/x509/pkcs7-crypt.c38
-rw-r--r--lib/x509/privkey_pkcs8_pbes1.c5
-rw-r--r--lib/x509/x509_int.h4
3 files changed, 35 insertions, 12 deletions
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
index 4eecc29146..2d2e170bfd 100644
--- a/lib/x509/pkcs7-crypt.c
+++ b/lib/x509/pkcs7-crypt.c
@@ -647,6 +647,11 @@ read_pbkdf2_params(ASN1_TYPE pasn,
}
_gnutls_hard_log("salt.specified.size: %d\n", params->salt_size);
+ if (params->salt_size < 0) {
+ result = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto error;
+ }
+
/* read the iteration count
*/
result =
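Review bot: The new `params->salt_size < 0` test bounds the salt length only from below; nothing in the hunk compares it with the 32-byte `salt` array declared in `struct pbkdf2_params`. The upper bound appears to rest on `salt_size` being set to the buffer size before `asn1_read_value()` is called, and that assignment is above the hunk, so it should be confirmed there. Making the invariant explicit costs one comparison: `if (params->salt_size < 0 || (size_t)params->salt_size > sizeof(params->salt)) {`. The same applies to the `salt_size < 0` check added in read_pkcs12_kdf_params. The debug log line also runs before the check, so it would print a negative size on the rejected path; moving it below the check would keep the log to validated values.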
@@ -656,6 +661,12 @@ read_pbkdf2_params(ASN1_TYPE pasn,
gnutls_assert();
goto error;
}
+
+ if (params->iter_count >= INT_MAX || params->iter_count == 0) {
+ result = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto error;
+ }
+
_gnutls_hard_log("iterationCount: %d\n", params->iter_count);
/* read the keylength, if it is set.
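Review bot: The upper bound `params->iter_count >= INT_MAX` rejects only counts that do not fit in a signed int, so an encrypted structure from an untrusted source can still request on the order of two billion key-derivation iterations and hold a CPU for a long time during decryption. A much lower, named ceiling would make this check a real resource limit, for example `if (params->iter_count == 0 || params->iter_count > MAX_PBKDF_ITER_COUNT) {`, where `MAX_PBKDF_ITER_COUNT` is a placeholder for a value the project chooses. The identical condition is repeated in read_pkcs12_kdf_params and in _gnutls_read_pbkdf1_params; a shared macro or small static helper would keep the three in step when the limit changes. read_pbkdf2_params begins and ends outside this hunk.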
@@ -665,6 +676,12 @@ read_pbkdf2_params(ASN1_TYPE pasn,
if (result < 0) {
params->key_size = 0;
}
+
+ if (params->key_size > MAX_CIPHER_KEY_SIZE) {
+ result = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto error;
+ }
+
_gnutls_hard_log("keyLength: %d\n", params->key_size);
len = sizeof(oid);
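Review bot: The `key_size > MAX_CIPHER_KEY_SIZE` check runs after every failure of the preceding read has been folded into `params->key_size = 0`, so a keyLength field that is present but malformed is handled exactly like an absent one and never reaches the new check. If the read helper reports a missing optional field with a distinct code (GnuTLS defines `GNUTLS_E_ASN1_ELEMENT_NOT_FOUND`), only that code should map to 0 and any other error should `goto error`. The read call is above the hunk, so this needs confirming against it. If 0 is meant as "keyLength not specified", a one-line comment saying so, such as `/* 0: keyLength absent, caller derives the size from the cipher */`, would make that clear, provided it matches how callers use the field.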
@@ -705,28 +722,29 @@ static int read_pkcs12_kdf_params(ASN1_TYPE pasn, struct pbkdf2_params *params)
asn1_read_value(pasn, "salt", params->salt, &params->salt_size);
if (result != ASN1_SUCCESS) {
gnutls_assert();
- result = _gnutls_asn2err(result);
- goto error;
+ return _gnutls_asn2err(result);
}
+
+ if (params->salt_size < 0)
+ return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+
_gnutls_hard_log("salt.size: %d\n", params->salt_size);
/* read the iteration count
*/
result =
_gnutls_x509_read_uint(pasn, "iterations", &params->iter_count);
- if (result < 0) {
- gnutls_assert();
- goto error;
- }
+ if (result < 0)
+ return gnutls_assert_val(result);
+
+ if (params->iter_count >= INT_MAX || params->iter_count == 0)
+ return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+
_gnutls_hard_log("iterationCount: %d\n", params->iter_count);
params->key_size = 0;
return 0;
-
- error:
- return result;
-
}
/* Writes the PBE parameters for PKCS-12 schemas.
diff --git a/lib/x509/privkey_pkcs8_pbes1.c b/lib/x509/privkey_pkcs8_pbes1.c
index d621851365..933363d37c 100644
--- a/lib/x509/privkey_pkcs8_pbes1.c
+++ b/lib/x509/privkey_pkcs8_pbes1.c
@@ -74,6 +74,11 @@ int _gnutls_read_pbkdf1_params(const uint8_t * data, int data_size,
goto error;
}
+ if (kdf_params->iter_count >= INT_MAX || kdf_params->iter_count == 0) {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto error;
+ }
+
len = sizeof(kdf_params->salt);
result =
asn1_read_value(pasn, "salt",
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 4fe0e3dc2a..198a69d500 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -116,8 +116,8 @@ typedef struct gnutls_pkcs7_int {
struct pbkdf2_params {
uint8_t salt[32];
int salt_size;
- unsigned int iter_count;
- unsigned int key_size;
+ unsigned iter_count;
+ unsigned key_size;
gnutls_mac_algorithm_t mac;
};