commit 8aff4ef274688be38423820091895a2f30187f28
author Valerio Setti <valerio.setti@nordicsemi.no> Fri Feb 16 14:31:51 2024 +0100
committer Valerio Setti <valerio.setti@nordicsemi.no> Fri Feb 16 15:26:08 2024 +0100
tree 4392756b142e70b6dde87cb6911a6e14906f892c
parent 0f286d5453488acbc0ae2191ea80f1156eabbbb4

test_suite_pem: add more test cases for invalid padding data

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

library/pem.c

diff --git a/library/pem.c b/library/pem.c
index a111970..3f01d3b 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -463,7 +463,7 @@
          * mismatches. */
         ret = pem_check_pkcs_padding(buf, len, &len);
         if (ret != 0) {
-            mbedtls_free(buf);
+            mbedtls_zeroize_and_free(buf, len);
             return ret;
         }
 

tests/suites/test_suite_pem.data

diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data
index a900a33..e3bb7e4 100644
--- a/tests/suites/test_suite_pem.data
+++ b/tests/suites/test_suite_pem.data
@@ -78,3 +78,17 @@
 PEM read (Invalid padding data for AES-128-CBC)
 depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
 mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n333hxynfxEdXrSHQfIabxQ==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:""
+
+# Padding data (0x11) is larger than AES block size (16).
+# Generated with:
+#   echo -n -e "\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x11\x11\x11\x11\x11" | openssl aes-128-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad
+PEM read (AES-128-CBC, padding data is larger than AES block length)
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n5wA/XVXHuMsQAAOGFQmK0g==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:""
+
+# Padding data (0x9) is larger than AES block size (8).
+# Generated with:
+#   echo -n -e "\x68\x65\x6c\x6c\x6f\x09\x09\x09" | openssl des-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad
+PEM read (DES-CBC, padding data is larger than DES block length)
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,3132333435363738\n\n6a+B2WineBM=\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:""