From 72bd4e4d6a691c409cef03f1b40d320d22dae36a Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Fri, 4 Feb 2022 10:32:17 -0500 Subject: [PATCH 1/3] Add accessor to get buf from mbedtls_pem_context Co-authored-by: Gilles Peskine Signed-off-by: Glenn Strauss --- ChangeLog.d/mbedtls_pem_get_der.txt | 2 ++ include/mbedtls/pem.h | 28 ++++++++++++++++++++++++++++ tests/suites/test_suite_pem.function | 9 +++++++++ 3 files changed, 39 insertions(+) create mode 100644 ChangeLog.d/mbedtls_pem_get_der.txt diff --git a/ChangeLog.d/mbedtls_pem_get_der.txt b/ChangeLog.d/mbedtls_pem_get_der.txt new file mode 100644 index 0000000000..b03b058dc8 --- /dev/null +++ b/ChangeLog.d/mbedtls_pem_get_der.txt @@ -0,0 +1,2 @@ +Features + * Add accessor to get the raw buffer pointer from a PEM context. diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h index a2b73f8cf1..c75a1246ad 100644 --- a/include/mbedtls/pem.h +++ b/include/mbedtls/pem.h @@ -27,6 +27,11 @@ #include +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + /** * \name PEM Error codes * These error codes are returned in case of errors reading the @@ -96,6 +101,10 @@ void mbedtls_pem_init( mbedtls_pem_context *ctx ); * the decrypted text starts with an ASN.1 sequence of * appropriate length * + * \note \c mbedtls_pem_free must be called on PEM context before + * the PEM context can be reused in another call to + * \c mbedtls_pem_read_buffer + * * \return 0 on success, or a specific PEM error code */ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const char *footer, @@ -103,6 +112,25 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const const unsigned char *pwd, size_t pwdlen, size_t *use_len ); +/** + * \brief Get the pointer to the decoded binary data in a PEM context. + * + * \param ctx PEM context to access. + * \param buflen On success, this will contain the length of the binary data. + * This must be a valid (non-null) pointer. + * + * \return A pointer to the decoded binary data. + * + * \note The returned pointer remains valid only until \p ctx is + modified or freed. + */ +static inline const unsigned char *mbedtls_pem_get_buffer( mbedtls_pem_context *ctx, size_t *buflen ) +{ + *buflen = ctx->MBEDTLS_PRIVATE(buflen); + return( ctx->MBEDTLS_PRIVATE(buf) ); +} + + /** * \brief PEM context memory freeing * diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function index 947f1fb25d..b3d4810b9a 100644 --- a/tests/suites/test_suite_pem.function +++ b/tests/suites/test_suite_pem.function @@ -40,12 +40,21 @@ void mbedtls_pem_read_buffer( char *header, char *footer, char *data, int ret; size_t use_len = 0; size_t pwd_len = strlen( pwd ); + const unsigned char *buf; mbedtls_pem_init( &ctx ); ret = mbedtls_pem_read_buffer( &ctx, header, footer, (unsigned char *)data, (unsigned char *)pwd, pwd_len, &use_len ); TEST_ASSERT( ret == res ); + if( ret != 0 ) + goto exit; + + TEST_EQUAL( use_len, ctx.buflen ); + use_len = 0; + buf = mbedtls_pem_get_buffer( &ctx, &use_len ); + TEST_ASSERT( buf == ctx.buf ); + TEST_EQUAL( use_len, ctx.buflen ); exit: mbedtls_pem_free( &ctx ); From 33ab075f45f52e89792e1c6f6b2be52241bce85c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Feb 2022 12:47:00 +0100 Subject: [PATCH 2/3] Add success case for pem_read testing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently all cases were negative, so the block that exercised mbedtls_pem_get_der() would never be reached. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_pem.data | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index 77546c586b..a42fe36c0b 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -16,6 +16,9 @@ mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102 PEM write (exactly two lines + 1) mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n" +PEM read (unencrypted, valid) +mbedtls_pem_read_buffer:"^":"$":"^\nTWJlZCBUTFM=\n$":"":0 + PEM read (DES-EDE3-CBC + invalid iv) mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV From 1df23b903f7708ac24cf7c5bd1d57515d98d7bd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Feb 2022 12:59:10 +0100 Subject: [PATCH 3/3] Check the result of PEM decoding MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_pem.data | 14 +++++++------- tests/suites/test_suite_pem.function | 7 +++---- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index a42fe36c0b..59884e548f 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -17,25 +17,25 @@ PEM write (exactly two lines + 1) mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n" PEM read (unencrypted, valid) -mbedtls_pem_read_buffer:"^":"$":"^\nTWJlZCBUTFM=\n$":"":0 +mbedtls_pem_read_buffer:"^":"$":"^\nTWJlZCBUTFM=\n$":"":0:"4d62656420544c53" PEM read (DES-EDE3-CBC + invalid iv) -mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV +mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV:"" PEM read (DES-CBC + invalid iv) -mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV +mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV:"" PEM read (unknown encryption algorithm) -mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":"pwd":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG +mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":"pwd":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG:"" PEM read (malformed PEM DES-CBC) depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:"" PEM read (malformed PEM DES-EDE3-CBC) depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:"" PEM read (malformed PEM AES-128-CBC) depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,AA94892A169FA426AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,AA94892A169FA426AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:"" diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function index b3d4810b9a..bf5ac738a2 100644 --- a/tests/suites/test_suite_pem.function +++ b/tests/suites/test_suite_pem.function @@ -34,7 +34,7 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_AES_C:MBEDTLS_DES_C:MBEDTLS_MD5_C:MBEDTLS_CIPHER_MODE_CBC */ void mbedtls_pem_read_buffer( char *header, char *footer, char *data, - char *pwd, int res ) + char *pwd, int res, data_t *out ) { mbedtls_pem_context ctx; int ret; @@ -50,11 +50,10 @@ void mbedtls_pem_read_buffer( char *header, char *footer, char *data, if( ret != 0 ) goto exit; - TEST_EQUAL( use_len, ctx.buflen ); use_len = 0; buf = mbedtls_pem_get_buffer( &ctx, &use_len ); - TEST_ASSERT( buf == ctx.buf ); - TEST_EQUAL( use_len, ctx.buflen ); + TEST_EQUAL( use_len, out->len ); + TEST_ASSERT( memcmp( out->x, buf, out->len ) == 0 ); exit: mbedtls_pem_free( &ctx );