pem: check data padding in DES/AES decrypted buffers

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-06 03:40:04 +00:00 · 2024-02-12 11:01:37 +01:00 · 2024-02-12 11:01:37 +01:00 · 095e1ac71c
commit 095e1ac71c
parent 4ade8ee5b9
2 changed files with 44 additions and 7 deletions
--- a/library/pem.c
+++ b/library/pem.c
@ -241,6 +241,28 @@ exit:
 }
 #endif /* MBEDTLS_AES_C */

+#if defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C)
+static int pem_check_pkcs_padding(unsigned char *input, size_t input_len, size_t *data_len)
+{
+    size_t pad_len = input[input_len - 1];
+    size_t i;
+
+    if (pad_len > input_len) {
+        return MBEDTLS_ERR_PEM_BAD_INPUT_DATA;
+    }
+
+    *data_len = input_len - pad_len;
+
+    for (i = *data_len; i < input_len; i++) {
+        if (input[i] != pad_len) {
+            return MBEDTLS_ERR_PEM_BAD_INPUT_DATA;
+        }
+    }
+
+    return 0;
+}
+#endif /* MBEDTLS_DES_C || MBEDTLS_AES_C */
+
 #endif /* PEM_RFC1421 */

 int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const char *footer,
@ -431,21 +453,36 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const
            return ret;
        }

+        /* Check PKCS padding and update data length based on padding info.
+         * This can be used to detect invalid padding data and password
+         * mismatches. */
+        ret = pem_check_pkcs_padding(buf, len, &len);
+        if (ret != 0) {
+            mbedtls_free(buf);
+            return ret;
+        }
+
        /*
-         * The result will be ASN.1 starting with a SEQUENCE tag. Parse it
-         * with ASN.1 functions in order to:
-         * - Have an heuristic guess about password mismatches.
-         * - Update len variable to the amount of valid data inside buf.
+         * In RFC1421 PEM is used as container for DER (ASN.1) content so we
+         * can use ASN.1 functions to parse the main SEQUENCE tag and to get its
+         * length.
         */
        unsigned char *p = buf;
-        ret = mbedtls_asn1_get_tag(&p, buf + len, &len,
+        size_t sequence_len;
+        ret = mbedtls_asn1_get_tag(&p, buf + len, &sequence_len,
                                   MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED);
        if (ret != 0) {
            mbedtls_free(buf);
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret);
        }
        /* Add also the sequence block (tag + len) to the total amount of valid data. */
-        len += (p - buf);
+        sequence_len += (p - buf);
+
+        /* Ensure that the reported SEQUENCE length matches the data len (i.e. no
+         * trailing garbage data). */
+        if (len != sequence_len) {
+            return MBEDTLS_ERR_PEM_BAD_INPUT_DATA;
+        }
 #else
        mbedtls_zeroize_and_free(buf, len);
        return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE;
--- a/tests/suites/test_suite_pkparse.data
+++ b/tests/suites/test_suite_pkparse.data
@ -8,7 +8,7 @@ pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLTest":0

 Parse RSA Key #3 (Wrong password)
 depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C
-pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PEM_BAD_INPUT_DATA

 Parse RSA Key #4 (DES Encrypted)
 depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC