Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: pem parsing should allow single dashes in comments #4787

Merged
merged 3 commits into from
Sep 26, 2024
Merged

fix: pem parsing should allow single dashes in comments #4787

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5e2c272
fix: pem parsing should allow single dashes in comments
lrstewart Sep 19, 2024
537abb2
Add test with real trust store
lrstewart Sep 25, 2024
f1b1d55
Merge branch 'main' into pem_fix
lrstewart Sep 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 16 additions & 11 deletions stuffer/s2n_stuffer_pem.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,9 @@
#include "stuffer/s2n_stuffer.h"
#include "utils/s2n_safety.h"

#define S2N_PEM_DELIMTER_CHAR '-'
#define S2N_PEM_DELIMITER_MIN_COUNT 1
#define S2N_PEM_DELIMITER_CHAR '-'
#define S2N_PEM_DELIMITER_TOKEN "--"
#define S2N_PEM_DELIMITER_MIN_COUNT 2
#define S2N_PEM_DELIMITER_MAX_COUNT 64
#define S2N_PEM_BEGIN_TOKEN "BEGIN "
#define S2N_PEM_END_TOKEN "END "
Expand All @@ -36,11 +37,15 @@
static int s2n_stuffer_pem_read_encapsulation_line(struct s2n_stuffer *pem, const char *encap_marker,
const char *keyword)
{
/* Skip any number of Chars until a "-" is reached */
POSIX_GUARD(s2n_stuffer_skip_to_char(pem, S2N_PEM_DELIMTER_CHAR));
/* Skip any number of Chars until a "--" is reached.
* We use "--" instead of "-" to account for dashes that appear in comments.
* We do not accept comments that contain "--".
*/
POSIX_GUARD(s2n_stuffer_skip_read_until(pem, S2N_PEM_DELIMITER_TOKEN));
POSIX_GUARD(s2n_stuffer_rewind_read(pem, strlen(S2N_PEM_DELIMITER_TOKEN)));
goatgoose marked this conversation as resolved.
Show resolved Hide resolved

/* Ensure between 1 and 64 '-' chars at start of line */
POSIX_GUARD(s2n_stuffer_skip_expected_char(pem, S2N_PEM_DELIMTER_CHAR, S2N_PEM_DELIMITER_MIN_COUNT,
/* Ensure between 2 and 64 '-' chars at start of line. */
POSIX_GUARD(s2n_stuffer_skip_expected_char(pem, S2N_PEM_DELIMITER_CHAR, S2N_PEM_DELIMITER_MIN_COUNT,
S2N_PEM_DELIMITER_MAX_COUNT, NULL));

/* Ensure next string in stuffer is "BEGIN " or "END " */
Expand All @@ -49,18 +54,18 @@ static int s2n_stuffer_pem_read_encapsulation_line(struct s2n_stuffer *pem, cons
/* Ensure next string is stuffer is the keyword (Eg "CERTIFICATE", "PRIVATE KEY", etc) */
POSIX_GUARD(s2n_stuffer_read_expected_str(pem, keyword));

/* Ensure between 1 and 64 '-' chars at end of line */
POSIX_GUARD(s2n_stuffer_skip_expected_char(pem, S2N_PEM_DELIMTER_CHAR, S2N_PEM_DELIMITER_MIN_COUNT,
/* Ensure between 2 and 64 '-' chars at end of line */
POSIX_GUARD(s2n_stuffer_skip_expected_char(pem, S2N_PEM_DELIMITER_CHAR, S2N_PEM_DELIMITER_MIN_COUNT,
goatgoose marked this conversation as resolved.
Show resolved Hide resolved
S2N_PEM_DELIMITER_MAX_COUNT, NULL));

/* Check for missing newline between dashes case: "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" */
if (strncmp(encap_marker, S2N_PEM_END_TOKEN, strlen(S2N_PEM_END_TOKEN)) == 0
&& s2n_stuffer_peek_check_for_str(pem, S2N_PEM_BEGIN_TOKEN) == S2N_SUCCESS) {
/* Rewind stuffer by 1 byte before BEGIN, so that next read will find the dash before the BEGIN */
POSIX_GUARD(s2n_stuffer_rewind_read(pem, 1));
/* Rewind stuffer by 2 bytes before BEGIN, so that next read will find the dashes before the BEGIN */
POSIX_GUARD(s2n_stuffer_rewind_read(pem, S2N_PEM_DELIMITER_MIN_COUNT));
}

/* Skip newlines and other whitepsace that may be after the dashes */
/* Skip newlines and other whitespace that may be after the dashes */
return s2n_stuffer_skip_whitespace(pem, NULL);
}

Expand Down
2 changes: 1 addition & 1 deletion tests/cbmc/proofs/s2n_stuffer_certificate_from_pem/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,6 @@ REMOVE_FUNCTION_BODY += s2n_add_overflow
UNWINDSET += strlen.0:5 # size of S2N_PEM_PKCS1_RSA_PRIVATE_KEY
UNWINDSET += strncmp.0:5 # size of S2N_PEM_END_TOKEN
UNWINDSET += __CPROVER_file_local_s2n_stuffer_pem_c_s2n_stuffer_pem_read_contents.11:$(call addone,$(MAX_BLOB_SIZE))
UNWINDSET += s2n_stuffer_skip_to_char.3:$(call addone,$(MAX_BLOB_SIZE))
UNWINDSET += s2n_stuffer_skip_read_until.10:$(call addone,$(MAX_BLOB_SIZE))

include ../Makefile.common
2 changes: 1 addition & 1 deletion tests/cbmc/proofs/s2n_stuffer_dhparams_from_pem/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,6 @@ REMOVE_FUNCTION_BODY += s2n_add_overflow
UNWINDSET += strlen.0:5 # size of S2N_PEM_PKCS1_RSA_PRIVATE_KEY
UNWINDSET += strncmp.0:5 # size of S2N_PEM_END_TOKEN
UNWINDSET += __CPROVER_file_local_s2n_stuffer_pem_c_s2n_stuffer_pem_read_contents.11:$(call addone,$(MAX_BLOB_SIZE))
UNWINDSET += s2n_stuffer_skip_to_char.3:$(call addone,$(MAX_BLOB_SIZE))
UNWINDSET += s2n_stuffer_skip_read_until.10:$(call addone,$(MAX_BLOB_SIZE))

include ../Makefile.common
1 change: 1 addition & 0 deletions tests/cbmc/proofs/s2n_stuffer_private_key_from_pem/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,5 +52,6 @@ UNWINDSET += strlen.0:5 # size of S2N_PEM_PKCS1_RSA_PRIVATE_KEY
UNWINDSET += strncmp.0:5 # size of S2N_PEM_END_TOKEN
UNWINDSET += __CPROVER_file_local_s2n_stuffer_pem_c_s2n_stuffer_pem_read_contents.11:$(call addone,$(MAX_BLOB_SIZE))
UNWINDSET += s2n_stuffer_skip_to_char.0:$(call addone,$(MAX_BLOB_SIZE))
UNWINDSET += s2n_stuffer_skip_read_until.10:$(call addone,$(MAX_BLOB_SIZE))

include ../Makefile.common
6 changes: 3 additions & 3 deletions tests/pems/rsa_2048_weird_dashes_cert.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
-BEGIN CERTIFICATE-
--BEGIN CERTIFICATE--
MIICrTCCAZUCAn3VMA0GCSqGSIb3DQEBBQUAMB4xHDAaBgNVBAMME3MyblRlc3RJ
bnRlcm1lZGlhdGUwIBcNMTYwMzMwMTg1NzQzWhgPMjExNjAzMDYxODU3NDNaMBgx
FjAUBgNVBAMMDXMyblRlc3RTZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
Expand All @@ -14,7 +14,7 @@ jxUvy7UQvXrPqaHbODrHe+7f7r1YCzerujiP5SSHphY3GQq88KemfFczp/4GnYas
sE50OYe7DQcB4zvnxmAXp51JIN4ooktUU9oKIM5y2cgEWdmJzeqPANYxf0ZIPlTg
ETknKw1Dzf8wlK5mFbbG4LPQh1mkDVcwQV3ogG6kGMRa7neH+6SFkNpAKuPCoje4
NAE+WQ5ve1wk7nIRTQwDAF4=
-END CERTIFICATE-
--END CERTIFICATE--
-----------------------BEGIN CERTIFICATE------------------------
MIIDKTCCAhGgAwIBAgICVxYwDQYJKoZIhvcNAQEFBQAwFjEUMBIGA1UEAwwLczJu
VGVzdFJvb3QwIBcNMTYwMzMwMTg1NzA5WhgPMjExNjAzMDYxODU3MDlaMB4xHDAa
Expand All @@ -33,7 +33,7 @@ kNhs5xYprdU82AqcaWwEd0kDrhC5rEvs6fj1J0NKmmhbovYxuDboj0a7If7HEqX0
NizyU3M3JONPZgadchZ+F5DosatF1Bpt/gsQRy383IogQ0/FS+juHCCc4VIUemuk
YY1J8o5XdrGWrPBBiudTWqCobe+N541b+YLWbajT5UKzvSqJmcqpPTniJGc9eZxc
z3cCNd3cKa9bK51stEnQSlA7PQXYs3K+TD3EmSn/G2x6Hmfr7lrpbIhEaD+y
-END CERTIFICATE--BEGIN CERTIFICATE-
--END CERTIFICATE--BEGIN CERTIFICATE--
MIIDATCCAemgAwIBAgIJANDUkH+UYdz1MA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
BAMMC3MyblRlc3RSb290MCAXDTE2MDMzMDE4NTYzOVoYDzIxMTYwMzA2MTg1NjM5
WjAWMRQwEgYDVQQDDAtzMm5UZXN0Um9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
Expand Down
Loading
Loading