Skip to content

Commit

Permalink
Added CanCastTo() Macros in the OpenSSL Crypto Library Implementation. (
Browse files Browse the repository at this point in the history
#18161)

* Added CanCastTo() Macros in the OpenSSL Crypto Library Implementation.

* fixed typo
  • Loading branch information
emargolis authored May 7, 2022
1 parent fde9077 commit 11587f5
Showing 1 changed file with 22 additions and 8 deletions.
30 changes: 22 additions & 8 deletions src/crypto/CHIPCryptoPALOpenSSL.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -512,6 +512,7 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u
HMAC_CTX * mac_ctx = HMAC_CTX_new();
VerifyOrExit(mac_ctx != nullptr, error = CHIP_ERROR_INTERNAL);

VerifyOrExit(CanCastTo<int>(key_length), error = CHIP_ERROR_INVALID_ARGUMENT);
error_openssl = HMAC_Init_ex(mac_ctx, Uint8::to_const_uchar(key), static_cast<int>(key_length), EVP_sha256(), nullptr);
VerifyOrExit(error_openssl == 1, error = CHIP_ERROR_INTERNAL);

Expand Down Expand Up @@ -1112,8 +1113,9 @@ P256Keypair::~P256Keypair()
CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length)
{
ERR_clear_error();
CHIP_ERROR error = CHIP_NO_ERROR;
int result = 0;
CHIP_ERROR error = CHIP_NO_ERROR;
int result = 0;
int csr_length_local = 0;

X509_REQ * x509_req = X509_REQ_new();
EVP_PKEY * evp_pkey = nullptr;
Expand Down Expand Up @@ -1152,6 +1154,10 @@ CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t &
result = X509_REQ_sign(x509_req, evp_pkey, EVP_sha256());
VerifyOrExit(result > 0, error = CHIP_ERROR_INTERNAL);

csr_length_local = i2d_X509_REQ(x509_req, nullptr);
VerifyOrExit(csr_length_local >= 0, error = CHIP_ERROR_INTERNAL);
VerifyOrExit(CanCastTo<size_t>(csr_length_local), error = CHIP_ERROR_BUFFER_TOO_SMALL);
VerifyOrExit(static_cast<size_t>(csr_length_local) <= csr_length, error = CHIP_ERROR_BUFFER_TOO_SMALL);
csr_length = static_cast<size_t>(i2d_X509_REQ(x509_req, &out_csr));

exit:
Expand Down Expand Up @@ -1530,11 +1536,11 @@ CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t root

result = CertificateChainValidationResult::kInternalFrameworkError;

VerifyOrReturnError(rootCertificate != nullptr && rootCertificateLen != 0,
VerifyOrReturnError(rootCertificate != nullptr && rootCertificateLen != 0 && CanCastTo<long>(rootCertificateLen),
(result = CertificateChainValidationResult::kRootArgumentInvalid, CHIP_ERROR_INVALID_ARGUMENT));
VerifyOrReturnError(caCertificate != nullptr && caCertificateLen != 0,
VerifyOrReturnError(caCertificate != nullptr && caCertificateLen != 0 && CanCastTo<long>(caCertificateLen),
(result = CertificateChainValidationResult::kICAArgumentInvalid, CHIP_ERROR_INVALID_ARGUMENT));
VerifyOrReturnError(leafCertificate != nullptr && leafCertificateLen != 0,
VerifyOrReturnError(leafCertificate != nullptr && leafCertificateLen != 0 && CanCastTo<long>(leafCertificateLen),
(result = CertificateChainValidationResult::kLeafArgumentInvalid, CHIP_ERROR_INVALID_ARGUMENT));

store = X509_STORE_new();
Expand Down Expand Up @@ -1592,7 +1598,9 @@ CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & referenceCertificate, c
ASN1_TIME * tbeNotAfterTime = nullptr;
int result = 0;

VerifyOrReturnError(!referenceCertificate.empty() && !toBeEvaluatedCertificate.empty(), CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(!referenceCertificate.empty() && CanCastTo<long>(referenceCertificate.size()) &&
!toBeEvaluatedCertificate.empty() && CanCastTo<long>(toBeEvaluatedCertificate.size()),
CHIP_ERROR_INVALID_ARGUMENT);

x509ReferenceCertificate = d2i_X509(nullptr, &pReferenceCertificate, static_cast<long>(referenceCertificate.size()));
VerifyOrExit(x509ReferenceCertificate != nullptr, error = CHIP_ERROR_NO_MEMORY);
Expand Down Expand Up @@ -1629,7 +1637,7 @@ CHIP_ERROR IsCertificateValidAtCurrentTime(const ByteSpan & certificate)
ASN1_TIME * time = nullptr;
int result = 0;

VerifyOrReturnError(!certificate.empty(), CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(!certificate.empty() && CanCastTo<long>(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);

x509Certificate = d2i_X509(nullptr, &pCertificate, static_cast<long>(certificate.size()));
VerifyOrExit(x509Certificate != nullptr, error = CHIP_ERROR_NO_MEMORY);
Expand Down Expand Up @@ -1665,6 +1673,8 @@ CHIP_ERROR ExtractPubkeyFromX509Cert(const ByteSpan & certificate, Crypto::P256P
unsigned char ** ppPubkey = &pPubkey;
int pkeyLen;

VerifyOrReturnError(!certificate.empty() && CanCastTo<long>(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);

x509certificate = d2i_X509(nullptr, ppCertificate, static_cast<long>(certificate.size()));
VerifyOrExit(x509certificate != nullptr, err = CHIP_ERROR_NO_MEMORY);

Expand Down Expand Up @@ -1695,13 +1705,15 @@ CHIP_ERROR ExtractKIDFromX509Cert(bool isSKID, const ByteSpan & certificate, Mut
const unsigned char ** ppCertificate = &pCertificate;
const ASN1_OCTET_STRING * kidString = nullptr;

VerifyOrReturnError(!certificate.empty() && CanCastTo<long>(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);

x509certificate = d2i_X509(nullptr, ppCertificate, static_cast<long>(certificate.size()));
VerifyOrExit(x509certificate != nullptr, err = CHIP_ERROR_NO_MEMORY);

kidString = isSKID ? X509_get0_subject_key_id(x509certificate) : X509_get0_authority_key_id(x509certificate);
VerifyOrExit(kidString != nullptr, err = CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrExit(kidString->length <= static_cast<int>(kid.size()), err = CHIP_ERROR_BUFFER_TOO_SMALL);
VerifyOrExit(CanCastTo<size_t>(kidString->length), err = CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrExit(static_cast<size_t>(kidString->length) <= kid.size(), err = CHIP_ERROR_BUFFER_TOO_SMALL);

memcpy(kid.data(), kidString->data, static_cast<size_t>(kidString->length));

Expand Down Expand Up @@ -1738,6 +1750,8 @@ CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCe
int x509EntryCountIdx = 0;
AttestationCertVidPid vidpidFromCN;

VerifyOrReturnError(!certificate.empty() && CanCastTo<long>(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);

x509certificate = d2i_X509(nullptr, &pCertificate, static_cast<long>(certificate.size()));
VerifyOrExit(x509certificate != nullptr, err = CHIP_ERROR_NO_MEMORY);

Expand Down

0 comments on commit 11587f5

Please sign in to comment.