Bug 1095118 - Add ASN.1 GTest for non-DER complaint lengths, r=ttaubert
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Wed, 22 Mar 2017 09:42:40 +0100
changeset 13244 73eac4c4656c4850d8ce0bed21fea48b2f61b0fa
parent 13243 d8efc3d7a72f7080c9a86bc678a096f559aea2a4
child 13245 b4c3f3a08273d2031850c955b579c28988d09e72
push id2112
push userfranziskuskiefer@gmail.com
push dateThu, 23 Mar 2017 14:25:52 +0000
reviewersttaubert
bugs1095118
Bug 1095118 - Add ASN.1 GTest for non-DER complaint lengths, r=ttaubert Differential Revision: https://nss-review.dev.mozaws.net/D268
gtests/der_gtest/der_gtest.gyp
gtests/der_gtest/der_quickder_unittest.cc
gtests/der_gtest/manifest.mn
--- a/gtests/der_gtest/der_gtest.gyp
+++ b/gtests/der_gtest/der_gtest.gyp
@@ -8,16 +8,17 @@
   ],
   'targets': [
     {
       'target_name': 'der_gtest',
       'type': 'executable',
       'sources': [
         'der_getint_unittest.cc',
         'der_private_key_import_unittest.cc',
+        'der_quickder_unittest.cc',
         '<(DEPTH)/gtests/common/gtests.cc'
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
         '<(DEPTH)/lib/util/util.gyp:nssutil3',
         '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
         '<(DEPTH)/lib/nss/nss.gyp:nss3',
new file mode 100644
--- /dev/null
+++ b/gtests/der_gtest/der_quickder_unittest.cc
@@ -0,0 +1,80 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdint.h>
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+#include "nss.h"
+#include "prerror.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "secitem.h"
+
+namespace nss_test {
+
+class QuickDERTest : public ::testing::Test,
+                     public ::testing::WithParamInterface<SECItem> {};
+
+static const uint8_t kNullTag = 0x05;
+static const uint8_t kLongLength = 0x80;
+
+// Length of zero wrongly encoded as 0x80 instead of 0x00.
+static uint8_t kOverlongLength_0_0[] = {kNullTag, kLongLength | 0};
+
+// Length of zero wrongly encoded as { 0x81, 0x00 } instead of 0x00.
+static uint8_t kOverlongLength_1_0[] = {kNullTag, kLongLength | 1, 0x00};
+
+// Length of zero wrongly encoded as:
+//
+//     { 0x90, <arbitrary junk of 12 bytes>,
+//       0x00, 0x00, 0x00, 0x00 }
+//
+// instead of 0x00. Note in particular that if there is an integer overflow
+// then the arbitrary junk is likely get left-shifted away, as long as there
+// are at least sizeof(length) bytes following it. This would be a good way to
+// smuggle arbitrary input into DER-encoded data in a way that an non-careful
+// parser would ignore.
+static uint8_t kOverlongLength_16_0[] = {kNullTag, kLongLength | 0x10,
+                                         0x11,     0x22,
+                                         0x33,     0x44,
+                                         0x55,     0x66,
+                                         0x77,     0x88,
+                                         0x99,     0xAA,
+                                         0xBB,     0xCC,
+                                         0x00,     0x00,
+                                         0x00,     0x00};
+
+static const SECItem kInvalidDER[] = {
+    {siBuffer, kOverlongLength_0_0, sizeof(kOverlongLength_0_0)},
+    {siBuffer, kOverlongLength_1_0, sizeof(kOverlongLength_1_0)},
+    {siBuffer, kOverlongLength_16_0, sizeof(kOverlongLength_16_0)},
+};
+
+TEST_P(QuickDERTest, InvalidLengths) {
+  const SECItem& original_input(GetParam());
+
+  ScopedSECItem copy_of_input(SECITEM_AllocItem(nullptr, nullptr, 0U));
+  ASSERT_TRUE(copy_of_input);
+  ASSERT_EQ(SECSuccess,
+            SECITEM_CopyItem(nullptr, copy_of_input.get(), &original_input));
+
+  PORTCheapArenaPool pool;
+  PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE);
+  ScopedSECItem parsed_value(SECITEM_AllocItem(nullptr, nullptr, 0U));
+  ASSERT_TRUE(parsed_value);
+  ASSERT_EQ(SECFailure, SEC_QuickDERDecodeItem(&pool.arena, parsed_value.get(),
+                                               SEC_ASN1_SUB(SEC_NullTemplate),
+                                               copy_of_input.get()));
+  ASSERT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+  PORT_DestroyCheapArena(&pool);
+}
+
+INSTANTIATE_TEST_CASE_P(QuickderTestsInvalidLengths, QuickDERTest,
+                        testing::ValuesIn(kInvalidDER));
+
+}  // namespace nss_test
--- a/gtests/der_gtest/manifest.mn
+++ b/gtests/der_gtest/manifest.mn
@@ -4,16 +4,17 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
       der_getint_unittest.cc \
       der_private_key_import_unittest.cc \
+      der_quickder_unittest.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
             -I$(CORE_DEPTH)/gtests/common \
             -I$(CORE_DEPTH)/cpputil
 
 REQUIRES = nspr nss libdbm gtest