From c27d5f57c494575dcd717c110e2abe04033eb27f Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 23 Oct 2020 09:44:08 -0700 Subject: [PATCH 1/3] check PKCS7 content length is not larger than bundle if not using separate header/footer --- wolfcrypt/src/pkcs7.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index e9ae9c64e..2e8020f58 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -4397,6 +4397,16 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, /* support using header and footer without content */ if (pkiMsg2 && pkiMsg2Sz > 0 && hashBuf && hashSz > 0) { localIdx = 0; + + } else if (pkiMsg2 == NULL && hashBuf == NULL) { + /* header/footer not separate, check content length is + * not larger than total bundle size */ + if ((localIdx + length) > pkiMsgSz) { + WOLFSSL_MSG("Content length detected is larger than " + "total bundle size"); + ret = BUFFER_E; + break; + } } idx = localIdx; } From c0c452b0a157975ff8cd30ce4aa831125127ae70 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 6 Nov 2020 16:36:58 -0700 Subject: [PATCH 2/3] reset content length in PKCS7_VerifySignedData for multiPart OCTET_STRING bundles --- wolfcrypt/src/pkcs7.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 2e8020f58..da6a88308 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -4375,9 +4375,13 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, ret = ASN_PARSE_E; if (ret == 0) { - /* Use single OCTET_STRING directly. */ - if (localIdx - start + length == (word32)contentLen) + /* Use single OCTET_STRING directly, or reset length. */ + if (localIdx - start + length == (word32)contentLen) { multiPart = 0; + } else { + /* reset length to outer OCTET_STRING (contentLen) */ + length = contentLen; + } localIdx = start; } } From 735fb19ea9bc6646f528e66ba5282d9e20458ce4 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 12 Nov 2020 15:44:25 -0700 Subject: [PATCH 3/3] break out on error parsing PKCS#7 SignedData inner OCTET_STRING --- wolfcrypt/src/pkcs7.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index da6a88308..3258a5630 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -4379,11 +4379,17 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, if (localIdx - start + length == (word32)contentLen) { multiPart = 0; } else { - /* reset length to outer OCTET_STRING (contentLen) */ + /* reset length to outer OCTET_STRING for bundle size + * check below */ length = contentLen; } localIdx = start; } + + if (ret != 0) { + /* failed ASN1 parsing during OCTET_STRING checks */ + break; + } } /* get length of content in case of single part */ @@ -4426,7 +4432,10 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, if (!degenerate && !detached && ret != 0) break; - length = 0; /* no content to read */ + /* no content to read */ + length = 0; + contentLen = 0; + pkiMsg2 = pkiMsg; pkiMsg2Sz = pkiMsgSz; }