Skip to content

Commit

Permalink
Add length check during verify cert chain
Browse files Browse the repository at this point in the history
Resolve DMTF#2701

Signed-off-by: Ray Wang <[email protected]>
  • Loading branch information
rw8896 authored and jyao1 committed Jun 13, 2024
1 parent 2f0da8f commit 076c740
Show file tree
Hide file tree
Showing 4 changed files with 51 additions and 1 deletion.
12 changes: 12 additions & 0 deletions os_stub/cryptlib_mbedtls/pk/x509.c
Original file line number Diff line number Diff line change
Expand Up @@ -712,11 +712,19 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l
&tmp_ptr, cert_chain + cert_chain_length, &asn1_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) {
if (current_cert < cert_chain + cert_chain_length) {
verify_flag = false;
}
break;
}

current_cert_len = asn1_len + (tmp_ptr - current_cert);

if (current_cert + current_cert_len > cert_chain + cert_chain_length) {
verify_flag = false;
break;
}

if (libspdm_x509_verify_cert(current_cert, current_cert_len,
preceding_cert,
preceding_cert_len) == false) {
Expand Down Expand Up @@ -799,6 +807,10 @@ bool libspdm_x509_get_cert_from_cert_chain(const uint8_t *cert_chain,
}

current_cert_len = asn1_len + (tmp_ptr - current_cert);
if (current_cert + current_cert_len > cert_chain + cert_chain_length) {
return false;
}

current_index++;

if (current_index == cert_index) {
Expand Down
7 changes: 7 additions & 0 deletions os_stub/cryptlib_openssl/pk/x509.c
Original file line number Diff line number Diff line change
Expand Up @@ -2074,13 +2074,20 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l
(int *)&asn1_tag, (int *)&obj_class,
(long)(cert_chain_length + cert_chain - tmp_ptr));
if (asn1_tag != V_ASN1_SEQUENCE || ret & OPENSSL_ASN1_ERROR_MASK) {
if (current_cert < cert_chain + cert_chain_length) {
verify_flag = false;
}
break;
}


/* Calculate current_cert length;*/

current_cert_len = tmp_ptr - current_cert + length;
if (current_cert + current_cert_len > cert_chain + cert_chain_length) {
verify_flag = false;
break;
}


/* Verify current_cert with preceding cert;*/
Expand Down
2 changes: 1 addition & 1 deletion unit_test/test_crypt/x509_verify.c
Original file line number Diff line number Diff line change
Expand Up @@ -189,7 +189,7 @@ bool libspdm_validate_crypt_x509(char *Path, size_t len)
status = libspdm_x509_verify_cert_chain((const uint8_t *)test_ca_cert, test_ca_cert_len,
(const uint8_t *)test_ca_cert,
test_ca_cert_len + 1);
if (!status) {
if (status) {
libspdm_my_print("[Fail]\n");
goto cleanup;
} else {
Expand Down
31 changes: 31 additions & 0 deletions unit_test/test_spdm_crypt/test_spdm_crypt.c
Original file line number Diff line number Diff line change
Expand Up @@ -480,6 +480,7 @@ void libspdm_test_crypt_spdm_x509_set_cert_certificate_check_ex(void **state)
false,
SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
assert_true(status);

status = libspdm_x509_set_cert_certificate_check_ex(file_buffer, file_buffer_size,
SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048,
SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
Expand Down Expand Up @@ -538,6 +539,13 @@ void libspdm_test_crypt_spdm_verify_cert_chain_data_ex(void **state)
SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
assert_true(status);

status = libspdm_verify_cert_chain_data_ex(file_buffer, file_buffer_size + 1,
SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048,
SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
true,
SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
assert_false(status);

status = libspdm_verify_cert_chain_data_ex(file_buffer, file_buffer_size,
SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048,
SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
Expand All @@ -557,6 +565,13 @@ void libspdm_test_crypt_spdm_verify_cert_chain_data_ex(void **state)
SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
assert_true(status);

status = libspdm_verify_cert_chain_data_ex(file_buffer, file_buffer_size + 1,
SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256,
SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
false,
SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
assert_false(status);

status = libspdm_verify_cert_chain_data_ex(file_buffer, file_buffer_size,
SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256,
SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
Expand Down Expand Up @@ -589,6 +604,14 @@ void libspdm_test_crypt_spdm_verify_certificate_chain_buffer_ex(void **state)
SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
assert_true(status);

status = libspdm_verify_certificate_chain_buffer_ex(
SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048,
data,data_size + 1,
true,
SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
assert_false(status);

status = libspdm_verify_certificate_chain_buffer_ex(
SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048,
Expand All @@ -614,6 +637,14 @@ void libspdm_test_crypt_spdm_verify_certificate_chain_buffer_ex(void **state)
SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
assert_true(status);

status = libspdm_verify_certificate_chain_buffer_ex(
SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256,
data,data_size + 1,
false,
SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
assert_false(status);

status = libspdm_verify_certificate_chain_buffer_ex(
SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256,
Expand Down

0 comments on commit 076c740

Please sign in to comment.