pem: reject empty PEM contents
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
diff --git a/library/pem.c b/library/pem.c
index f090f49..a111970 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -244,6 +244,7 @@
#if defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C)
static int pem_check_pkcs_padding(unsigned char *input, size_t input_len, size_t *data_len)
{
+ /* input_len > 0 is guaranteed by mbedtls_pem_read_buffer(). */
size_t pad_len = input[input_len - 1];
size_t i;
@@ -412,6 +413,10 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret);
}
+ if (len == 0) {
+ return MBEDTLS_ERR_PEM_BAD_INPUT_DATA;
+ }
+
if ((buf = mbedtls_calloc(1, len)) == NULL) {
return MBEDTLS_ERR_PEM_ALLOC_FAILED;
}
diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data
index df9663b..a900a33 100644
--- a/tests/suites/test_suite_pem.data
+++ b/tests/suites/test_suite_pem.data
@@ -22,6 +22,10 @@
PEM read (unencrypted, valid)
mbedtls_pem_read_buffer:"^":"$":"^\nTWJlZCBUTFM=\n$":"":0:"4d62656420544c53"
+PEM read (unencrypted, empty content)
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\n\n-----END EC PRIVATE KEY-----":"":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:""
+
PEM read (DES-EDE3-CBC + invalid iv)
depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_DES_C
mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV:""