From 719d297e9fbdbb4305f3fa90d86cc63fe7137e93 Mon Sep 17 00:00:00 2001
From: Steffen Jaeckel
Date: Fri, 13 Apr 2018 09:42:47 +0200
Subject: [PATCH] Merge pull request #373 from libtom/fix/der-recursion-limit

implement DER recursion limit

(cherry picked from commit af67321bf3cde1a470c679e459ebb8189e38c9bd)
---
 src/headers/tomcrypt_custom.h | 7 +++++++
 src/misc/crypt/crypt.c | 1 +
 src/misc/crypt/crypt_constants.c | 4 ++++
 .../der/sequence/der_decode_sequence_flexi.c | 13 +++++++++++-
 tests/common.h | 2 ++
 tests/der_test.c | 21 +++++++++++++++++++
 6 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/src/headers/tomcrypt_custom.h b/src/headers/tomcrypt_custom.h
index 80b9957..2d5cfec 100644
--- a/src/headers/tomcrypt_custom.h
+++ b/src/headers/tomcrypt_custom.h
@@ -472,6 +472,13 @@
 #endif
 #endif
+#if defined(LTC_DER)
+ #ifndef LTC_DER_MAX_RECURSION
+ /* Maximum recursion limit when processing nested ASN.1 types. */
+ #define LTC_DER_MAX_RECURSION 30
+ #endif
+#endif
+
 #if defined(LTC_MECC) || defined(LTC_MRSA) || defined(LTC_MDSA) || defined(LTC_MKAT)
 /* Include the MPI functionality? (required by the PK algorithms) */
 #define LTC_MPI
diff --git a/src/misc/crypt/crypt.c b/src/misc/crypt/crypt.c
index 8cecb32..e5149b0 100644
--- a/src/misc/crypt/crypt.c
+++ b/src/misc/crypt/crypt.c
@@ -398,6 +398,7 @@ const char *crypt_build_settings =
 #endif
 #if defined(LTC_DER)
 " DER "
+ " " NAME_VALUE(LTC_DER_MAX_RECURSION) " "
 #endif
 #if defined(LTC_PKCS_1)
 " PKCS#1 "
diff --git a/src/misc/crypt/crypt_constants.c b/src/misc/crypt/crypt_constants.c
index a7418d5..1c71862 100644
--- a/src/misc/crypt/crypt_constants.c
+++ b/src/misc/crypt/crypt_constants.c
@@ -111,6 +111,7 @@ static const crypt_constant _crypt_constants[] = {
 #ifdef LTC_DER
 /* DER handling */
+ {"LTC_DER", 1},
 _C_STRINGIFY(LTC_ASN1_EOL),
 _C_STRINGIFY(LTC_ASN1_BOOLEAN),
 _C_STRINGIFY(LTC_ASN1_INTEGER),
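Review bot: The comment on `LTC_DER_MAX_RECURSION` in src/headers/tomcrypt_custom.h does not say what is counted, which decoder enforces the limit, or what a caller sees when it is hit, and anyone overriding the value needs exactly that. I would write it as `/* Maximum nesting depth of constructed ASN.1 types accepted by der_decode_sequence_flexi(); deeper input is rejected with CRYPT_PK_ASN1_ERROR. May be overridden at build time. */`. Because the `#ifndef` accepts any override unchecked, the comment should also state that a very large value effectively removes the protection.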
@@ -132,6 +133,9 @@ static const crypt_constant _crypt_constants[] = {
 _C_STRINGIFY(LTC_ASN1_CONSTRUCTED),
 _C_STRINGIFY(LTC_ASN1_CONTEXT_SPECIFIC),
 _C_STRINGIFY(LTC_ASN1_GENERALIZEDTIME),
+ _C_STRINGIFY(LTC_DER_MAX_RECURSION),
+#else
+ {"LTC_DER", 0},
 #endif
 #ifdef LTC_CTR_MODE
diff --git a/src/pk/asn1/der/sequence/der_decode_sequence_flexi.c b/src/pk/asn1/der/sequence/der_decode_sequence_flexi.c
index 142ef95..5577129 100644
--- a/src/pk/asn1/der/sequence/der_decode_sequence_flexi.c
+++ b/src/pk/asn1/der/sequence/der_decode_sequence_flexi.c
@@ -79,7 +79,7 @@ static int _new_element(ltc_asn1_list **l)
 */
 int der_decode_sequence_flexi(const unsigned char *in, unsigned long *inlen, ltc_asn1_list **out)
 {
- ltc_asn1_list *l;
+ ltc_asn1_list *l, *t;
 unsigned long err, type, len, totlen, data_offset;
 void *realloc_tmp;
@@ -407,6 +407,17 @@ int der_decode_sequence_flexi(const unsigned char *in, unsigned long *inlen, ltc
 l->child->parent = l;
 }
+ t = l;
+ len_len = 0;
+ while((t != NULL) && (t->child != NULL)) {
+ len_len++;
+ t = t->child;
+ }
+ if (len_len > LTC_DER_MAX_RECURSION) {
+ err = CRYPT_PK_ASN1_ERROR;
+ goto error;
+ }
+
 break;
 case 0x80: /* Context-specific */
diff --git a/tests/common.h b/tests/common.h
index 410db1e..f2d8dca 100644
--- a/tests/common.h
+++ b/tests/common.h
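Review bot: In der_decode_sequence_flexi, the depth check added after `l->child->parent = l;` appears to run only once the nested decode of the child has already returned, so over-deep input is rejected after the fact and the check does not bound how far the decoder recurses on the C stack. The `t->child` walk also measures depth along first-child links only, which is not the same thing as the nesting depth of the current call. Carrying a depth counter into the recursion and rejecting before descending addresses both; a sketch follows, with the decoding body (almost all of it outside this hunk) left as it is. Separately, `len_len` is reused as the counter but is not among the locals in the declaration shown in the previous hunk (`err, type, len, totlen, data_offset`), so please confirm it is declared in this function or add a dedicated counter.

```c
static int _der_decode_sequence_flexi(const unsigned char *in, unsigned long *inlen,
                                      ltc_asn1_list **out, unsigned long depth)
{
   /* reject before descending, so stack use is bounded by the limit itself */
   if (depth > LTC_DER_MAX_RECURSION) {
      return CRYPT_PK_ASN1_ERROR;
   }
   /* … unchanged: element decoding; the nested call for a constructed type passes depth + 1 … */
}

int der_decode_sequence_flexi(const unsigned char *in, unsigned long *inlen, ltc_asn1_list **out)
{
   return _der_decode_sequence_flexi(in, inlen, out, 0);
}
```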
@@ -16,9 +16,11 @@ extern prng_state yarrow_prng;
 #ifdef LTC_VERBOSE
 #define DO(x) do { fprintf(stderr, "%s:\n", #x); run_cmd((x), __LINE__, __FILE__, #x, NULL); } while (0)
 #define DOX(x, str) do { fprintf(stderr, "%s - %s:\n", #x, (str)); run_cmd((x), __LINE__, __FILE__, #x, (str)); } while (0)
+#define SHOULD_FAIL(x) do { fprintf(stderr, "%s:\n", #x); run_cmd((x) != CRYPT_OK ? CRYPT_OK : CRYPT_FAIL_TESTVECTOR, __LINE__, __FILE__, #x, NULL); } while (0)
 #else
 #define DO(x) do { run_cmd((x), __LINE__, __FILE__, #x, NULL); } while (0)
 #define DOX(x, str) do { run_cmd((x), __LINE__, __FILE__, #x, (str)); } while (0)
+#define SHOULD_FAIL(x) do { run_cmd((x) != CRYPT_OK ? CRYPT_OK : CRYPT_FAIL_TESTVECTOR, __LINE__, __FILE__, #x, NULL); } while (0)
 #endif
 void run_cmd(int res, int line, const char *file, const char *cmd, const char *algorithm);
diff --git a/tests/der_test.c b/tests/der_test.c
index 6dab424..a6859e8 100644
--- a/tests/der_test.c
+++ b/tests/der_test.c
@@ -1094,6 +1094,25 @@ static int der_choice_test(void)
 }
+static void _der_recursion_limit(void)
+{
+ int failed = 0;
+ unsigned int n;
+ unsigned long integer = 123, s;
+ ltc_asn1_list seqs[LTC_DER_MAX_RECURSION + 2], dummy[1], *flexi;
+ unsigned char buf[2048];
+ LTC_SET_ASN1(dummy, 0, LTC_ASN1_SHORT_INTEGER, &integer, 1);
+ LTC_SET_ASN1(seqs, LTC_DER_MAX_RECURSION + 1, LTC_ASN1_SEQUENCE, dummy, 1);
+ for (n = 0; n < LTC_DER_MAX_RECURSION + 1; ++n) {
+ LTC_SET_ASN1(seqs, LTC_DER_MAX_RECURSION - n, LTC_ASN1_SEQUENCE, &seqs[LTC_DER_MAX_RECURSION - n + 1], 1);
+ }
+ s = sizeof(buf);
+ DO(der_encode_sequence(seqs, 1, buf, &s));
+ DO(der_decode_sequence(buf, s, seqs, 1));
+ SHOULD_FAIL(der_decode_sequence_flexi(buf, &s, &flexi));
+ if (failed) exit(EXIT_FAILURE);
+}
+
 int der_test(void)
 {
 unsigned long x, y, z, zz, oid[2][32];
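Review bot: `SHOULD_FAIL` in tests/common.h counts every non-`CRYPT_OK` result as a pass, so the new recursion test cannot tell the intended `CRYPT_PK_ASN1_ERROR` rejection from an unrelated failure such as an allocation error or a malformed buffer. A variant that takes the expected code, e.g. `#define SHOULD_FAIL_WITH(x, e) do { run_cmd((x) == (e) ? CRYPT_OK : CRYPT_FAIL_TESTVECTOR, __LINE__, __FILE__, #x, NULL); } while (0)`, would pin the behaviour this commit is about. The same applies to both the `LTC_VERBOSE` and the plain definition.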
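Review bot: `_der_recursion_limit` in tests/der_test.c only checks that over-deep input is rejected; nothing checks that the deepest nesting still allowed decodes through `der_decode_sequence_flexi`, so an off-by-one in the `len_len > LTC_DER_MAX_RECURSION` comparison would pass unnoticed. By my reading of the `t->child` walk, the input built here is more than one level past the limit, which widens that gap; please confirm, and add an accepted case just inside the boundary, wrapped in `DO(...)` and followed by `der_free_sequence_flexi(flexi);`. Also, `failed` is never assigned after its initialisation, so `if (failed) exit(EXIT_FAILURE);` is dead code and both lines can go.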
@@ -1126,6 +1145,8 @@ int der_test(void)
 unsigned char utf8_buf[32];
 wchar_t utf8_out[32];
+
+ _der_recursion_limit();
 der_cacert_test();
 DO(mp_init_multi(&a, &b, &c, &d, &e, &f, &g, NULL));