Fixed buffer overflow in private key decoding (wrong buffer length used in size check).

[BearSSL] / src / x509 / x509_minimal.c
diff --git a/src/x509/x509_minimal.c b/src/x509/x509_minimal.c

index a8283e3..6103c08 100644 (file)
--- a/src/x509/x509_minimal.c
+++ b/src/x509/x509_minimal.c
@@ -200,20 +200,6 @@ void br_x509_minimal_run(void *t0ctx);
   *  then validation is reported as failed.
   */
  
   *  then validation is reported as failed.
   */
  
-#ifndef BR_USE_UNIX_TIME
-#if defined __unix__ || defined __linux__ \
-       || defined _POSIX_SOURCE || defined _POSIX_C_SOURCE \
-       || (defined __APPLE__ && defined __MACH__)
-#define BR_USE_UNIX_TIME   1
-#endif
-#endif
-
-#ifndef BR_USE_WIN32_TIME
-#if defined _WIN32 || defined _WIN64
-#define BR_USE_WIN32_TIME   1
-#endif
-#endif
-
  #if BR_USE_UNIX_TIME
  #include <time.h>
  #endif
  #if BR_USE_UNIX_TIME
  #include <time.h>
  #endif
@@ -249,7 +235,7 @@ xm_start_chain(const br_x509_class **ctx, const char *server_name)
         br_x509_minimal_context *cc;
         size_t u;
  
         br_x509_minimal_context *cc;
         size_t u;
  
-       cc = (br_x509_minimal_context *)ctx;
+       cc = (br_x509_minimal_context *)(void *)ctx;
         for (u = 0; u < cc->num_name_elts; u ++) {
                 cc->name_elts[u].status = 0;
                 cc->name_elts[u].buf[0] = 0;
         for (u = 0; u < cc->num_name_elts; u ++) {
                 cc->name_elts[u].status = 0;
                 cc->name_elts[u].buf[0] = 0;
@@ -272,7 +258,7 @@ xm_start_cert(const br_x509_class **ctx, uint32_t length)
  {
         br_x509_minimal_context *cc;
  
  {
         br_x509_minimal_context *cc;
  
-       cc = (br_x509_minimal_context *)ctx;
+       cc = (br_x509_minimal_context *)(void *)ctx;
         if (cc->err != 0) {
                 return;
         }
         if (cc->err != 0) {
                 return;
         }
@@ -288,7 +274,7 @@ xm_append(const br_x509_class **ctx, const unsigned char *buf, size_t len)
  {
         br_x509_minimal_context *cc;
  
  {
         br_x509_minimal_context *cc;
  
-       cc = (br_x509_minimal_context *)ctx;
+       cc = (br_x509_minimal_context *)(void *)ctx;
         if (cc->err != 0) {
                 return;
         }
         if (cc->err != 0) {
                 return;
         }
@@ -302,7 +288,7 @@ xm_end_cert(const br_x509_class **ctx)
  {
         br_x509_minimal_context *cc;
  
  {
         br_x509_minimal_context *cc;
  
-       cc = (br_x509_minimal_context *)ctx;
+       cc = (br_x509_minimal_context *)(void *)ctx;
         if (cc->err == 0 && cc->cert_length != 0) {
                 cc->err = BR_ERR_X509_TRUNCATED;
         }
         if (cc->err == 0 && cc->cert_length != 0) {
                 cc->err = BR_ERR_X509_TRUNCATED;
         }
@@ -314,7 +300,7 @@ xm_end_chain(const br_x509_class **ctx)
  {
         br_x509_minimal_context *cc;
  
  {
         br_x509_minimal_context *cc;
  
-       cc = (br_x509_minimal_context *)ctx;
+       cc = (br_x509_minimal_context *)(void *)ctx;
         if (cc->err == 0) {
                 if (cc->num_certs == 0) {
                         cc->err = BR_ERR_X509_EMPTY_CHAIN;
         if (cc->err == 0) {
                 if (cc->num_certs == 0) {
                         cc->err = BR_ERR_X509_EMPTY_CHAIN;
@@ -332,14 +318,14 @@ xm_get_pkey(const br_x509_class *const *ctx, unsigned *usages)
  {
         br_x509_minimal_context *cc;
  
  {
         br_x509_minimal_context *cc;
  
-       cc = (br_x509_minimal_context *)ctx;
+       cc = (br_x509_minimal_context *)(void *)ctx;
         if (cc->err == BR_ERR_X509_OK
                 || cc->err == BR_ERR_X509_NOT_TRUSTED)
         {
                 if (usages != NULL) {
                         *usages = cc->key_usages;
                 }
         if (cc->err == BR_ERR_X509_OK
                 || cc->err == BR_ERR_X509_NOT_TRUSTED)
         {
                 if (usages != NULL) {
                         *usages = cc->key_usages;
                 }
-               return &((br_x509_minimal_context *)ctx)->pkey;
+               return &((br_x509_minimal_context *)(void *)ctx)->pkey;
         } else {
                 return NULL;
         }
         } else {
                 return NULL;
         }
@@ -356,7 +342,7 @@ const br_x509_class br_x509_minimal_vtable = {
         xm_get_pkey
  };
  
         xm_get_pkey
  };
  
-#define CTX   ((br_x509_minimal_context *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu)))
+#define CTX   ((br_x509_minimal_context *)(void *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu)))
  #define CONTEXT_NAME   br_x509_minimal_context
  
  #define DNHASH_LEN   ((CTX->dn_hash_impl->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK)
  #define CONTEXT_NAME   br_x509_minimal_context
  
  #define DNHASH_LEN   ((CTX->dn_hash_impl->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK)
@@ -717,7 +703,7 @@ static const unsigned char t0_codeblock[] = {
         0x76, 0x00, 0x00, 0x01, 0x00, 0x30, 0x31, 0x0B, 0x42, 0x00, 0x00, 0x01,
         0x81, 0x70, 0x00, 0x00, 0x01, 0x82, 0x0D, 0x00, 0x00, 0x01, 0x82, 0x22,
         0x00, 0x00, 0x01, 0x82, 0x05, 0x00, 0x00, 0x01, 0x03, 0x33, 0x01, 0x03,
         0x76, 0x00, 0x00, 0x01, 0x00, 0x30, 0x31, 0x0B, 0x42, 0x00, 0x00, 0x01,
         0x81, 0x70, 0x00, 0x00, 0x01, 0x82, 0x0D, 0x00, 0x00, 0x01, 0x82, 0x22,
         0x00, 0x00, 0x01, 0x82, 0x05, 0x00, 0x00, 0x01, 0x03, 0x33, 0x01, 0x03,
-       0x33, 0x00, 0x00, 0x25, 0x01, 0x83, 0xFB, 0x50, 0x01, 0x83, 0xFD, 0x5F,
+       0x33, 0x00, 0x00, 0x25, 0x01, 0x83, 0xFB, 0x50, 0x01, 0x83, 0xFB, 0x6F,
         0x72, 0x06, 0x04, 0x24, 0x01, 0x00, 0x00, 0x25, 0x01, 0x83, 0xB0, 0x00,
         0x01, 0x83, 0xBF, 0x7F, 0x72, 0x06, 0x04, 0x24, 0x01, 0x00, 0x00, 0x01,
         0x83, 0xFF, 0x7F, 0x15, 0x01, 0x83, 0xFF, 0x7E, 0x0D, 0x00
         0x72, 0x06, 0x04, 0x24, 0x01, 0x00, 0x00, 0x25, 0x01, 0x83, 0xB0, 0x00,
         0x01, 0x83, 0xBF, 0x7F, 0x72, 0x06, 0x04, 0x24, 0x01, 0x00, 0x00, 0x01,
         0x83, 0xFF, 0x7F, 0x15, 0x01, 0x83, 0xFF, 0x7E, 0x0D, 0x00
@@ -1444,7 +1430,7 @@ br_x509_minimal_run(void *t0ctx)
                                 /* get16 */
  
         uint32_t addr = T0_POP();
                                 /* get16 */
  
         uint32_t addr = T0_POP();
-       T0_PUSH(*(uint16_t *)((unsigned char *)CTX + addr));
+       T0_PUSH(*(uint16_t *)(void *)((unsigned char *)CTX + addr));
  
                                 }
                                 break;
  
                                 }
                                 break;
@@ -1452,7 +1438,7 @@ br_x509_minimal_run(void *t0ctx)
                                 /* get32 */
  
         uint32_t addr = T0_POP();
                                 /* get32 */
  
         uint32_t addr = T0_POP();
-       T0_PUSH(*(uint32_t *)((unsigned char *)CTX + addr));
+       T0_PUSH(*(uint32_t *)(void *)((unsigned char *)CTX + addr));
  
                                 }
                                 break;
  
                                 }
                                 break;
@@ -1606,7 +1592,7 @@ br_x509_minimal_run(void *t0ctx)
                                 /* set16 */
  
         uint32_t addr = T0_POP();
                                 /* set16 */
  
         uint32_t addr = T0_POP();
-       *(uint16_t *)((unsigned char *)CTX + addr) = T0_POP();
+       *(uint16_t *)(void *)((unsigned char *)CTX + addr) = T0_POP();
  
                                 }
                                 break;
  
                                 }
                                 break;
@@ -1614,7 +1600,7 @@ br_x509_minimal_run(void *t0ctx)
                                 /* set32 */
  
         uint32_t addr = T0_POP();
                                 /* set32 */
  
         uint32_t addr = T0_POP();
-       *(uint32_t *)((unsigned char *)CTX + addr) = T0_POP();
+       *(uint32_t *)(void *)((unsigned char *)CTX + addr) = T0_POP();
  
                                 }
                                 break;
  
                                 }
                                 break;