diff --git a/library/spdm_crypt_lib/libspdm_crypt_cert.c b/library/spdm_crypt_lib/libspdm_crypt_cert.c
index f555245b266..f06b9babfad 100644
--- a/library/spdm_crypt_lib/libspdm_crypt_cert.c
+++ b/library/spdm_crypt_lib/libspdm_crypt_cert.c
@@ -1051,6 +1051,9 @@ bool libspdm_x509_common_certificate_check(const uint8_t *cert, size_t cert_size
     size_t cert_version;
     size_t value;
     void *context;
+    const uint8_t *tmp_cert;
+    size_t tmp_cert_size;
+
     if (cert == NULL || cert_size == 0) {
         return false;
@@ -1061,6 +1064,21 @@ bool libspdm_x509_common_certificate_check(const uint8_t *cert, size_t cert_size
     end_cert_from_len = 64;
     end_cert_to_len = 64;
+    /* 0. check certificate size */
+    status = libspdm_x509_get_cert_from_cert_chain(cert, cert_size, 0, &tmp_cert, &tmp_cert_size);
+    if (!status) {
+        LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
+                       "!!! CommonCertificateCheck - FAIL (get certificate failed)!!!\n"));
+        goto cleanup;
+    }
+    if (tmp_cert_size != cert_size) {
+        LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
+                       "!!! CommonCertificateCheck - FAIL (size %d != expectd size %d)!!!\n",
+                       cert_size, tmp_cert_size));
+        status = false;
+        goto cleanup;
+    }
+
     /* 1. version*/
     cert_version = 0;
     status = libspdm_x509_get_version(cert, cert_size, &cert_version);
diff --git a/os_stub/cryptlib_mbedtls/pk/x509.c b/os_stub/cryptlib_mbedtls/pk/x509.c
index d8fedb005cb..57e579a8b35 100644
--- a/os_stub/cryptlib_mbedtls/pk/x509.c
+++ b/os_stub/cryptlib_mbedtls/pk/x509.c
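Review bot: The size-mismatch debug message in the second hunk prints `cert_size` and `tmp_cert_size` with `%d`, but both are `size_t`, so the conversion does not match the argument type (undefined behaviour per the C standard, and garbled values on LP64 targets where `size_t` is 64-bit); `%zu` is the matching conversion if the LIBSPDM_DEBUG backend supports it, otherwise cast both arguments to an explicitly sized type. The same string also misspells "expected": `"!!! CommonCertificateCheck - FAIL (size %zu != expected size %zu)!!!\n",`. A one-line comment stating the intent of step 0 would help the next reader, since the added unit tests are the only place the purpose is visible, e.g. `/* 0. the buffer must be exactly one DER certificate: reject trailing bytes after the encoded length */`. libspdm_x509_common_certificate_check begins and ends outside the hunk.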
@@ -712,11 +712,18 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l
                                    &tmp_ptr, cert_chain + cert_chain_length, &asn1_len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
         if (ret != 0) {
+            if (current_cert < cert_chain + cert_chain_length)
+                verify_flag = false;
             break;
         }
         current_cert_len = asn1_len + (tmp_ptr - current_cert);
+        if (current_cert + current_cert_len > cert_chain + cert_chain_length) {
+            verify_flag = false;
+            break;
+        }
+
         if (libspdm_x509_verify_cert(current_cert, current_cert_len, preceding_cert, preceding_cert_len) == false) {
diff --git a/os_stub/cryptlib_openssl/pk/x509.c b/os_stub/cryptlib_openssl/pk/x509.c
index f74f0f2a1c4..bf82dc7f0fc 100644
--- a/os_stub/cryptlib_openssl/pk/x509.c
+++ b/os_stub/cryptlib_openssl/pk/x509.c
@@ -2074,6 +2074,8 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l
                                (int *)&asn1_tag, (int *)&obj_class, (long)(cert_chain_length + cert_chain - tmp_ptr));
         if (asn1_tag != V_ASN1_SEQUENCE || ret & OPENSSL_ASN1_ERROR_MASK) {
+            if (current_cert < cert_chain + cert_chain_length)
+                verify_flag = false;
             break;
         }
@@ -2081,6 +2083,10 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l
         /* Calculate current_cert length;*/
         current_cert_len = tmp_ptr - current_cert + length;
+        if (current_cert + current_cert_len > cert_chain + cert_chain_length) {
+            verify_flag = false;
+            break;
+        }
         /* Verify current_cert with preceding cert;*/
diff --git a/unit_test/test_crypt/x509_verify.c b/unit_test/test_crypt/x509_verify.c
index 7c15a4560ec..be6a73427e5 100644
--- a/unit_test/test_crypt/x509_verify.c
+++ b/unit_test/test_crypt/x509_verify.c
@@ -189,7 +189,7 @@ bool libspdm_validate_crypt_x509(char *Path, size_t len)
     status = libspdm_x509_verify_cert_chain((const uint8_t *)test_ca_cert, test_ca_cert_len, (const uint8_t *)test_ca_cert, test_ca_cert_len + 1);
-    if (!status) {
+    if (status) {
         libspdm_my_print("[Fail]\n");
         goto cleanup;
     } else {
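Review bot: The new bound check `current_cert + current_cert_len > cert_chain + cert_chain_length` forms a pointer from `current_cert_len`, which comes from the ASN.1 length field of untrusted chain data, before deciding whether that length is in range; if the length ever exceeded the remaining bytes the addition itself would be out of bounds, which C leaves undefined even though only a comparison follows. The parsers appear to reject an over-long length earlier (mbedtls through `ret != 0`, OpenSSL through `OPENSSL_ASN1_ERROR_MASK`), so this is defence in depth rather than a live bug, but a length comparison stays valid regardless of parser behaviour: `if (current_cert_len > (size_t)(cert_chain + cert_chain_length - current_cert)) {`. The same applies to the second hunk of os_stub/cryptlib_openssl/pk/x509.c. Separately, `if (current_cert < cert_chain + cert_chain_length) verify_flag = false;` here and in the first OpenSSL hunk omits braces, unlike every other conditional in these hunks, and a comment such as `/* trailing bytes that do not form a SEQUENCE invalidate the chain */` would explain why a parse error is now fatal only when data remains. The loop in libspdm_x509_verify_cert_chain starts and ends outside the hunk.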
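Review bot: Passing `test_ca_cert_len + 1` while `test_ca_cert` still points at the buffer sized from the input file means the chain walker, after consuming the real certificate, is left with one remaining byte and will read the tag at `test_ca_cert[test_ca_cert_len]`; if the file reader allocates exactly the file size (not visible in this hunk), that is a one-byte over-read in the test itself that AddressSanitizer would flag, even though the verifier then correctly returns false. The same pattern appears in the `file_buffer_size + 1` calls added in unit_test/test_spdm_crypt/test_spdm_crypt.c, at least for `libspdm_test_crypt_spdm_verify_cert_chain_data_ex`, which presumably walks the chain the same way. Copying the certificate into a buffer allocated with `test_ca_cert_len + 1` bytes and setting the extra byte to 0 exercises the trailing-data rejection without leaving the allocation. libspdm_validate_crypt_x509 continues outside the hunk.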
diff --git a/unit_test/test_spdm_crypt/test_spdm_crypt.c b/unit_test/test_spdm_crypt/test_spdm_crypt.c
index 59a30dd7ba2..b8a0afe7790 100644
--- a/unit_test/test_spdm_crypt/test_spdm_crypt.c
+++ b/unit_test/test_spdm_crypt/test_spdm_crypt.c
@@ -468,6 +468,14 @@ void libspdm_test_crypt_spdm_x509_set_cert_certificate_check_ex(void **state)
                                                           false, SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
     assert_true(status);
+
+    status = libspdm_x509_set_cert_certificate_check_ex(file_buffer, file_buffer_size + 1,
+                                                          SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048,
+                                                          SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
+                                                          false,
+                                                          SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
+    assert_false(status);
+
     status = libspdm_x509_set_cert_certificate_check_ex(file_buffer, file_buffer_size,
                                                           SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048,
                                                           SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
@@ -487,6 +495,13 @@ void libspdm_test_crypt_spdm_x509_set_cert_certificate_check_ex(void **state)
                                                           SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
     assert_true(status);
+    status = libspdm_x509_set_cert_certificate_check_ex(file_buffer, file_buffer_size + 1,
+                                                          SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256,
+                                                          SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
+                                                          true,
+                                                          SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
+    assert_false(status);
+
     status = libspdm_x509_set_cert_certificate_check_ex(file_buffer, file_buffer_size,
                                                           SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256,
                                                           SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
@@ -526,6 +541,13 @@ void libspdm_test_crypt_spdm_verify_cert_chain_data_ex(void **state)
                                            SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
     assert_true(status);
+    status = libspdm_verify_cert_chain_data_ex(file_buffer, file_buffer_size + 1,
+                                               SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048,
+                                               SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
+                                               true,
+                                               SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
+    assert_false(status);
+
     status = libspdm_verify_cert_chain_data_ex(file_buffer, file_buffer_size,
                                                SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048,
                                                SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
@@ -545,6 +567,13 @@ void libspdm_test_crypt_spdm_verify_cert_chain_data_ex(void **state)
                                            SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
     assert_true(status);
+    status = libspdm_verify_cert_chain_data_ex(file_buffer, file_buffer_size + 1,
+                                               SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256,
+                                               SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,
+                                               false,
+                                               SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT);
+    assert_false(status);
+
     status = libspdm_verify_cert_chain_data_ex(file_buffer, file_buffer_size,
                                                SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256,
                                                SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256,