From bb981c8a2647afbf8b657a44338240501c93406b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20Z=C3=BCger?=
Date: Fri, 26 Apr 2024 17:48:57 +0200
Subject: [PATCH] extmod/modtls_mbedtls: Fix key_len passed to mbedtls_pk_parse_key.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

mbedtls_pk_parse_key() expects key_len to include the NULL terminator for PEM data but not for DER encoded data. Since all PEM data starts with "-----BEGIN" this is used to check if the data is PEM.

Signed-off-by: Peter Züger
---
 extmod/modtls_mbedtls.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c
index 6db6ac1958..73bf797b7f 100644
--- a/extmod/modtls_mbedtls.c
+++ b/extmod/modtls_mbedtls.c
@@ -347,12 +347,17 @@ static MP_DEFINE_CONST_FUN_OBJ_2(ssl_context_set_ciphers_obj, ssl_context_set_ci
 static void ssl_context_load_key(mp_obj_ssl_context_t *self, mp_obj_t key_obj, mp_obj_t cert_obj) {
     size_t key_len;
     const byte *key = (const byte *)mp_obj_str_get_data(key_obj, &key_len);
-    // len should include terminating null
+
+    // len should include terminating null if the data is PEM encoded
+    if ((key_len >= 10) && (memcmp(key, "-----BEGIN", 10) == 0)) {
+        key_len += 1;
+    }
+
     int ret;
 #if MBEDTLS_VERSION_NUMBER >= 0x03000000
-    ret = mbedtls_pk_parse_key(&self->pkey, key, key_len + 1, NULL, 0, mbedtls_ctr_drbg_random, &self->ctr_drbg);
+    ret = mbedtls_pk_parse_key(&self->pkey, key, key_len, NULL, 0, mbedtls_ctr_drbg_random, &self->ctr_drbg);
 #else
-    ret = mbedtls_pk_parse_key(&self->pkey, key, key_len + 1, NULL, 0);
+    ret = mbedtls_pk_parse_key(&self->pkey, key, key_len, NULL, 0);
 #endif
     if (ret != 0) {
         mbedtls_raise_error(MBEDTLS_ERR_PK_BAD_INPUT_DATA); // use general error for all key errors
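Review bot: The PEM detection in the added `if` only recognises key material that starts exactly with `-----BEGIN`; a PEM key with leading whitespace, a blank line or a preamble before the header falls through to the DER path, where mbedtls rejects it and the failure is reported further down as the generic MBEDTLS_ERR_PK_BAD_INPUT_DATA, which hides the real cause. The `key_len += 1` also depends on the buffer returned by `mp_obj_str_get_data` carrying a NUL byte at index `key_len`; that looks like the pre-existing assumption (the removed comment relied on it too) but the new comment should say so, e.g. `// PEM must start with "-----BEGIN" (no leading whitespace); mbedtls then expects the NUL terminator counted, which mp_obj_str_get_data provides`. The literal `10` duplicates the prefix length, so `static const char pem_prefix[] = "-----BEGIN";` with `memcmp(key, pem_prefix, sizeof(pem_prefix) - 1)` keeps the two in step. ssl_context_load_key continues past the end of the hunk, so the cert_obj handling, which presumably has the same PEM/DER length requirement, is not visible here.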