From d5e0a933b3e6e0ff43e6d46982b93605a5eadf05 Mon Sep 17 00:00:00 2001 From: Juan Castillo Date: Tue, 10 Mar 2015 15:18:55 +0000 Subject: [PATCH] TBB: replace assert() with runtime checks in PolarSSL module Using assert() to check the length of keys and hashes included in a certificate is not a safe approach because assert() only applies to debug builds. A malformed certificate could exploit security flaws in release binaries due to buffer overflows. This patch replaces assert() with runtime checkings in the PolarSSL authentication module, so malformed certificates can not cause a memory overflow. Change-Id: I42ba912020595752c806cbd242fe3c74077d993b --- common/auth/polarssl/polarssl.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/common/auth/polarssl/polarssl.c b/common/auth/polarssl/polarssl.c index 82c8b331..b55a7fc6 100644 --- a/common/auth/polarssl/polarssl.c +++ b/common/auth/polarssl/polarssl.c @@ -32,7 +32,6 @@ #include -#include #include #include #include @@ -267,7 +266,11 @@ static int check_bl2_cert(unsigned char *buf, size_t len) goto error; } - assert(sz == SHA256_DER_BYTES); + if (sz != SHA256_DER_BYTES) { + ERROR("Wrong BL2 hash size: %lu\n", sz); + err = 1; + goto error; + } memcpy(sha_bl2, p, SHA256_DER_BYTES); error: @@ -324,7 +327,11 @@ static int check_trusted_key_cert(unsigned char *buf, size_t len) goto error; } - assert(tz_world_pk_len <= RSA_PUB_DER_MAX_BYTES); + if (tz_world_pk_len > RSA_PUB_DER_MAX_BYTES) { + ERROR("Wrong RSA key size: %lu\n", tz_world_pk_len); + err = 1; + goto error; + } memcpy(tz_world_pk, p, tz_world_pk_len); /* Extract Non-Trusted World key from extensions */ @@ -335,7 +342,11 @@ static int check_trusted_key_cert(unsigned char *buf, size_t len) goto error; } - assert(tz_world_pk_len <= RSA_PUB_DER_MAX_BYTES); + if (ntz_world_pk_len > RSA_PUB_DER_MAX_BYTES) { + ERROR("Wrong RSA key size: %lu\n", ntz_world_pk_len); + err = 1; + goto error; + } memcpy(ntz_world_pk, p, ntz_world_pk_len); error: @@ -392,7 +403,11 @@ static int check_bl3x_key_cert(const unsigned char *buf, size_t len, goto error; } - assert(sz <= RSA_PUB_DER_MAX_BYTES); + if (sz > RSA_PUB_DER_MAX_BYTES) { + ERROR("Wrong RSA key size: %lu\n", sz); + err = 1; + goto error; + } memcpy(s_key, p, sz); *s_key_len = sz; @@ -446,7 +461,11 @@ static int check_bl3x_cert(unsigned char *buf, size_t len, goto error; } - assert(sz == SHA256_DER_BYTES); + if (sz != SHA256_DER_BYTES) { + ERROR("Wrong image hash length: %lu\n", sz); + err = 1; + goto error; + } memcpy(sha, p, SHA256_DER_BYTES); error: -- 2.30.2