Merge pull request #10212 from ColtonWilley/fix-skid-overflow-and-null-checks

Harden X509 DER length handling in wolfSSL_X509_get_der and wolfSSL_i2d_X509
David Garske
2026-06-08 15:01:14 -07:00
committed by GitHub
3 changed files with 72 additions and 2 deletions
+5 -1
@@ -4523,6 +4523,10 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)
if (x509 == NULL || x509->derCert == NULL || outSz == NULL)
return NULL;
if (x509->derCert->length > (word32)INT_MAX) {
return NULL;
}
*outSz = (int)x509->derCert->length;
return x509->derCert->buffer;
}
@@ -8836,7 +8840,7 @@ int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out)
}
der = wolfSSL_X509_get_der(x509, &derSz);
if (der == NULL) {
if (der == NULL || derSz <= 0) {
WOLFSSL_LEAVE("wolfSSL_i2d_X509", MEMORY_E);
return MEMORY_E;
}
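Review bot: The zero-length case is guarded only in wolfSSL_i2d_X509, because wolfSSL_X509_get_der still returns a non-NULL buffer with `*outSz == 0`; any other caller of get_der (none are visible in these hunks) has to repeat the `derSz <= 0` check itself. If a zero-length derCert is never valid, the guard could reject it at the source with `if (x509->derCert->length == 0 || x509->derCert->length > (word32)INT_MAX)`. Otherwise a comment on the guard, for example `/* length is word32; a value above INT_MAX would not fit in the int returned through outSz */`, would record why the bound exists and that 0 is deliberately let through. Separately, wolfSSL_i2d_X509 reports a bad length as MEMORY_E, which reads as an allocation failure in logs; a short comment there saying the code is kept for compatibility would help. Both function bodies extend beyond the hunks shown.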
+61 -1
@@ -72,6 +72,67 @@ int test_wolfSSL_i2d_X509(void)
return EXPECT_RESULT();
}
int test_wolfSSL_X509_get_der_length_guards(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_EXTRA) && defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA)
const unsigned char* cert_buf = server_cert_der_2048;
X509* cert = NULL;
int derSz = 0;
word32 origLen = 0;
ExpectNotNull(d2i_X509(&cert, &cert_buf, sizeof_server_cert_der_2048));
ExpectNotNull(cert);
ExpectNotNull(cert->derCert);
if (EXPECT_SUCCESS()) {
origLen = cert->derCert->length;
cert->derCert->length = ((word32)INT_MAX) + 1U;
ExpectNull(wolfSSL_X509_get_der(cert, &derSz));
cert->derCert->length = origLen;
}
X509_free(cert);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_i2d_X509_der_length_guards(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_EXTRA) && defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA)
const unsigned char* cert_buf = server_cert_der_2048;
unsigned char buf[4] = { 0x11, 0x22, 0x33, 0x44 };
const unsigned char origBuf[4] = { 0x11, 0x22, 0x33, 0x44 };
unsigned char* callerOut = buf;
X509* cert = NULL;
word32 origLen = 0;
ExpectNotNull(d2i_X509(&cert, &cert_buf, sizeof_server_cert_der_2048));
ExpectNotNull(cert);
ExpectNotNull(cert->derCert);
if (EXPECT_SUCCESS()) {
origLen = cert->derCert->length;
cert->derCert->length = ((word32)INT_MAX) + 1U;
ExpectIntEQ(i2d_X509(cert, &callerOut), MEMORY_E);
ExpectPtrEq(callerOut, buf);
ExpectIntEQ(XMEMCMP(buf, origBuf, sizeof(buf)), 0);
cert->derCert->length = 0;
ExpectIntEQ(i2d_X509(cert, &callerOut), MEMORY_E);
ExpectPtrEq(callerOut, buf);
ExpectIntEQ(XMEMCMP(buf, origBuf, sizeof(buf)), 0);
cert->derCert->length = origLen;
}
X509_free(cert);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_PEM_read_X509(void)
{
EXPECT_DECLS;
@@ -244,4 +305,3 @@ int test_wolfSSL_PEM_write_bio_X509(void)
#endif
return EXPECT_RESULT();
}
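Review bot: test_wolfSSL_X509_get_der_length_guards exercises only the rejected side of the new bound (`((word32)INT_MAX) + 1U`), so a guard written as `>=` instead of `>` would still pass. As far as the visible code shows, wolfSSL_X509_get_der only reads the length and returns the buffer pointer, so the accepted side can be pinned without touching memory: `cert->derCert->length = (word32)INT_MAX; ExpectNotNull(wolfSSL_X509_get_der(cert, &derSz)); ExpectIntEQ(derSz, INT_MAX);` before the length is restored. The rejection path would also benefit from `ExpectIntEQ(derSz, 0);` after the `ExpectNull`, to pin that `*outSz` is left untouched on failure. Both tests restore `origLen` but never call the API again afterwards; a final successful call would confirm the certificate is still usable after the field was altered.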
+6
@@ -25,11 +25,17 @@
#include <tests/api/api_decl.h>
int test_wolfSSL_i2d_X509(void);
int test_wolfSSL_X509_get_der_length_guards(void);
int test_wolfSSL_i2d_X509_der_length_guards(void);
int test_wolfSSL_PEM_read_X509(void);
int test_wolfSSL_PEM_write_bio_X509(void);
#define TEST_OSSL_X509_IO_DECLS \
TEST_DECL_GROUP("ossl_x509_io", test_wolfSSL_i2d_X509), \
TEST_DECL_GROUP("ossl_x509_io", \
test_wolfSSL_X509_get_der_length_guards), \
TEST_DECL_GROUP("ossl_x509_io", \
test_wolfSSL_i2d_X509_der_length_guards), \
TEST_DECL_GROUP("ossl_x509_io", test_wolfSSL_PEM_read_X509), \
TEST_DECL_GROUP("ossl_x509_io", test_wolfSSL_PEM_write_bio_X509)