- Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing the parsing does not stop on encountering a parse-error

This commit is contained in:
Paul Bakker 2011-12-04 12:24:18 +00:00
parent a17bcc3033
commit 6c0ceb3f9a
15 changed files with 210 additions and 116 deletions

View File

@ -35,6 +35,9 @@ Changes
* Changed the used random function pointer to more flexible format. Renamed
havege_rand() to havege_random() to prevent mistakes. Lots of changes as
a consequence in library code and programs
* Added permissive certificate parsing to x509parse_crt() and
x509parse_crtfile(). With permissive parsing the parsing does not stop on
encountering a parse-error
Bugfix
* Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes

View File

@ -58,7 +58,7 @@
#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2800 /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
#define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880 /**< Unsupported RSA key version */
#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900 /**< Invalid RSA key tag or value. */
#define POLARSSL_ERR_X509_POINT_ERROR -0x2980 /**< Not used. */
#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980 /**< Format not recognized as DER or PEM. */
#define POLARSSL_ERR_X509_VALUE_TO_LENGTH -0x2A00 /**< Not used. */
/* \} name */
@ -220,6 +220,17 @@
#define EXT_NS_CERT_TYPE (1 << 16)
/*
* Storage format identifiers
* Recognized formats: PEM and DER
*/
#define X509_FORMAT_DER 1
#define X509_FORMAT_PEM 2
#define X509_NON_PERMISSIVE 0
#define X509_PERMISSIVE 1
/**
* \addtogroup x509_module
* \{ */
@ -409,27 +420,34 @@ extern "C" {
/** \ingroup x509_module */
/**
* \brief Parse one or more certificates and add them
* to the chained list
* to the chained list. With permissive parsing enabled
* all certificates that cannot be parsed are ignored.
* If none complete correctly, the first error is returned.
*
* \param chain points to the start of the chain
* \param buf buffer holding the certificate data
* \param buflen size of the buffer
* \param permissive X509_PERMISSIVE or X509_NON_PERMISSIVE
*
* \return 0 if successful, or a specific X509 or PEM error code
*/
int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen );
int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen,
int permissive );
/** \ingroup x509_module */
/**
* \brief Load one or more certificates and add them
* to the chained list
* to the chained list. With permissive parsing enabled
* all certificates that cannot be parsed are ignored.
* If none complete correctly, the first error is returned.
*
* \param chain points to the start of the chain
* \param path filename to read the certificates from
* \param permissive X509_PERMISSIVE or X509_NON_PERMISSIVE
*
* \return 0 if successful, or a specific X509 or PEM error code
*/
int x509parse_crtfile( x509_cert *chain, const char *path );
int x509parse_crtfile( x509_cert *chain, const char *path, int permissive );
/** \ingroup x509_module */
/**

View File

@ -297,8 +297,8 @@ void error_strerror( int ret, char *buf, size_t buflen )
snprintf( buf, buflen, "X509 - Unsupported RSA key version" );
if( use_ret == -(POLARSSL_ERR_X509_KEY_INVALID_FORMAT) )
snprintf( buf, buflen, "X509 - Invalid RSA key tag or value" );
if( use_ret == -(POLARSSL_ERR_X509_POINT_ERROR) )
snprintf( buf, buflen, "X509 - Not used" );
if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT) )
snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" );
if( use_ret == -(POLARSSL_ERR_X509_VALUE_TO_LENGTH) )
snprintf( buf, buflen, "X509 - Not used" );
#endif /* POLARSSL_X509_PARSE_C */

View File

@ -345,6 +345,8 @@ void pem_free( pem_context *ctx )
if( ctx->info )
free( ctx->info );
memset( ctx, 0, sizeof( pem_context ) );
}
#endif

View File

@ -1401,7 +1401,8 @@ int ssl_parse_certificate( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
}
ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n,
X509_NON_PERMISSIVE );
if( ret != 0 )
{
SSL_DEBUG_RET( 1, " x509parse_crt", ret );

View File

@ -1006,20 +1006,13 @@ static int x509_get_sig_alg( const x509_buf *sig_oid, int *sig_alg )
}
/*
* Parse one or more certificates and add them to the chained list
* Parse and fill a single X.509 certificate in DER format
*/
int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen )
int x509parse_crt_der( x509_cert *crt, const unsigned char *buf, size_t buflen )
{
int ret;
size_t len;
unsigned char *p, *end;
x509_cert *crt;
#if defined(POLARSSL_PEM_C)
pem_context pem;
size_t use_len;
#endif
crt = chain;
/*
* Check for valid input
@ -1027,59 +1020,6 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen )
if( crt == NULL || buf == NULL )
return( 1 );
while( crt->version != 0 && crt->next != NULL )
crt = crt->next;
/*
* Add new certificate on the end of the chain if needed.
*/
if ( crt->version != 0 && crt->next == NULL)
{
crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
if( crt->next == NULL )
{
x509_free( crt );
return( 1 );
}
crt = crt->next;
memset( crt, 0, sizeof( x509_cert ) );
}
#if defined(POLARSSL_PEM_C)
pem_init( &pem );
ret = pem_read_buffer( &pem,
"-----BEGIN CERTIFICATE-----",
"-----END CERTIFICATE-----",
buf, NULL, 0, &use_len );
if( ret == 0 )
{
/*
* Was PEM encoded
*/
buflen -= use_len;
buf += use_len;
/*
* Steal PEM buffer
*/
p = pem.buf;
pem.buf = NULL;
len = pem.buflen;
pem_free( &pem );
}
else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT )
{
pem_free( &pem );
return( ret );
}
else
{
/*
* nope, copy the raw DER data
*/
p = (unsigned char *) malloc( len = buflen );
if( p == NULL )
@ -1088,17 +1028,6 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen )
memcpy( p, buf, buflen );
buflen = 0;
}
#else
p = (unsigned char *) malloc( len = buflen );
if( p == NULL )
return( 1 );
memcpy( p, buf, buflen );
buflen = 0;
#endif
crt->raw.p = p;
crt->raw.len = len;
@ -1324,23 +1253,154 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen )
POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
}
if( buflen > 0 )
return( 0 );
}
/*
* Parse one or more PEM certificates from a buffer and add them to the chained list
*/
int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen,
int permissive )
{
int ret, success = 0, first_error = 0;
x509_cert *crt, *prev = NULL;
int buf_format = X509_FORMAT_DER;
crt = chain;
/*
* Check for valid input
*/
if( crt == NULL || buf == NULL )
return( 1 );
while( crt->version != 0 && crt->next != NULL )
{
prev = crt;
crt = crt->next;
}
/*
* Add new certificate on the end of the chain if needed.
*/
if ( crt->version != 0 && crt->next == NULL)
{
crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
if( crt->next == NULL )
{
x509_free( crt );
return( 1 );
}
prev = crt;
crt = crt->next;
memset( crt, 0, sizeof( x509_cert ) );
return( x509parse_crt( crt, buf, buflen ) );
}
/*
* Determine buffer content. Buffer contains either one DER certificate or
* one or more PEM certificates.
*/
#if defined(POLARSSL_PEM_C)
if( strstr( (char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
buf_format = X509_FORMAT_PEM;
#endif
if( buf_format == X509_FORMAT_DER )
return x509parse_crt_der( crt, buf, buflen );
#if defined(POLARSSL_PEM_C)
if( buf_format == X509_FORMAT_PEM )
{
pem_context pem;
while( buflen > 0 )
{
size_t use_len;
pem_init( &pem );
ret = pem_read_buffer( &pem,
"-----BEGIN CERTIFICATE-----",
"-----END CERTIFICATE-----",
buf, NULL, 0, &use_len );
if( ret == 0 )
{
/*
* Was PEM encoded
*/
buflen -= use_len;
buf += use_len;
}
else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT )
{
pem_free( &pem );
if( first_error == 0 )
first_error = ret;
continue;
}
else
break;
ret = x509parse_crt_der( crt, pem.buf, pem.buflen );
pem_free( &pem );
if( ret != 0 )
{
/*
* quit parsing on a memory error or if in non-permissive parsing mode
*/
if( ret == 1 || permissive != 1 )
{
if( prev )
prev->next = NULL;
if( crt != chain )
free( crt );
return( ret );
}
if( first_error == 0 )
first_error = ret;
memset( crt, 0, sizeof( x509_cert ) );
continue;
}
success = 1;
/*
* Add new certificate to the list
*/
crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
if( crt->next == NULL )
return( 1 );
prev = crt;
crt = crt->next;
memset( crt, 0, sizeof( x509_cert ) );
}
}
#endif
if( crt->version == 0 )
{
if( prev )
prev->next = NULL;
if( crt != chain )
free( crt );
}
if( success )
return( 0 );
else if( first_error )
return( first_error );
else
return( POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT );
}
/*
@ -1667,7 +1727,7 @@ int load_file( const char *path, unsigned char **buf, size_t *n )
/*
* Load one or more certificates and add them to the chained list
*/
int x509parse_crtfile( x509_cert *chain, const char *path )
int x509parse_crtfile( x509_cert *chain, const char *path, int permissive )
{
int ret;
size_t n;
@ -1676,7 +1736,7 @@ int x509parse_crtfile( x509_cert *chain, const char *path )
if ( load_file( path, &buf, &n ) )
return( 1 );
ret = x509parse_crt( chain, buf, n );
ret = x509parse_crt( chain, buf, n, permissive );
memset( buf, 0, n + 1 );
free( buf );
@ -3099,7 +3159,7 @@ int x509_self_test( int verbose )
memset( &clicert, 0, sizeof( x509_cert ) );
ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
strlen( test_cli_crt ) );
strlen( test_cli_crt ), X509_NON_PERMISSIVE );
if( ret != 0 )
{
if( verbose != 0 )
@ -3111,7 +3171,7 @@ int x509_self_test( int verbose )
memset( &cacert, 0, sizeof( x509_cert ) );
ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
strlen( test_ca_crt ), X509_NON_PERMISSIVE );
if( ret != 0 )
{
if( verbose != 0 )

View File

@ -224,12 +224,12 @@ int main( int argc, char *argv[] )
#if defined(POLARSSL_FS_IO)
if( strlen( opt.ca_file ) )
ret = x509parse_crtfile( &cacert, opt.ca_file );
ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
strlen( test_ca_crt ), X509_NON_PERMISSIVE );
#else
{
ret = 1;
@ -254,12 +254,12 @@ int main( int argc, char *argv[] )
#if defined(POLARSSL_FS_IO)
if( strlen( opt.crt_file ) )
ret = x509parse_crtfile( &clicert, opt.crt_file );
ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
strlen( test_cli_crt ) );
strlen( test_cli_crt ), X509_NON_PERMISSIVE );
#else
{
ret = 1;

View File

@ -230,7 +230,7 @@ int main( int argc, char *argv[] )
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
strlen( test_srv_crt ), X509_NON_PERMISSIVE );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
@ -238,7 +238,7 @@ int main( int argc, char *argv[] )
}
ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
strlen( test_ca_crt ), X509_NON_PERMISSIVE );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );

View File

@ -476,12 +476,12 @@ int main( int argc, char *argv[] )
#if defined(POLARSSL_FS_IO)
if( strlen( opt.ca_file ) )
ret = x509parse_crtfile( &cacert, opt.ca_file );
ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
strlen( test_ca_crt ), X509_NON_PERMISSIVE );
#else
{
ret = 1;
@ -506,12 +506,12 @@ int main( int argc, char *argv[] )
#if defined(POLARSSL_FS_IO)
if( strlen( opt.crt_file ) )
ret = x509parse_crtfile( &clicert, opt.crt_file );
ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
strlen( test_cli_crt ) );
strlen( test_cli_crt ), X509_NON_PERMISSIVE );
#else
{
ret = 1;

View File

@ -216,7 +216,7 @@ int main( int argc, char *argv[] )
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
strlen( test_srv_crt ), X509_NON_PERMISSIVE );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
@ -224,7 +224,7 @@ int main( int argc, char *argv[] )
}
ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
strlen( test_ca_crt ), X509_NON_PERMISSIVE );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );

View File

@ -100,7 +100,7 @@ int main( int argc, char *argv[] )
* Alternatively, you may load the CA certificates from a .pem or
* .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
*/
ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt" );
ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt", X509_NON_PERMISSIVE );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crtfile returned %d\n\n", ret );
@ -148,7 +148,7 @@ int main( int argc, char *argv[] )
printf( " . Loading the client certificate %s...", name );
fflush( stdout );
ret = x509parse_crtfile( &clicert, name );
ret = x509parse_crtfile( &clicert, name, X509_NON_PERMISSIVE );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );

View File

@ -203,7 +203,7 @@ static int ssl_test( struct options *opt )
goto exit;
#else
ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
strlen( test_srv_crt ), X509_NON_PERMISSIVE );
if( ret != 0 )
{
printf( " ! x509parse_crt returned %d\n\n", ret );
@ -211,7 +211,7 @@ static int ssl_test( struct options *opt )
}
ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
strlen( test_ca_crt ), X509_NON_PERMISSIVE );
if( ret != 0 )
{
printf( " ! x509parse_crt returned %d\n\n", ret );

View File

@ -47,6 +47,7 @@
#define DFL_SERVER_NAME "localhost"
#define DFL_SERVER_PORT 4433
#define DFL_DEBUG_LEVEL 0
#define DFL_PERMISSIVE 0
/*
* global options
@ -58,6 +59,7 @@ struct options
char *server_name; /* hostname of the server (client only) */
int server_port; /* port on which the ssl service runs */
int debug_level; /* level of debugging */
int permissive; /* permissive parsing */
} opt;
void my_debug( void *ctx, int level, const char *str )
@ -77,6 +79,7 @@ void my_debug( void *ctx, int level, const char *str )
" server_name=%%s default: localhost\n" \
" server_port=%%d default: 4433\n" \
" debug_level=%%d default: 0 (disabled)\n" \
" permissive=%%d default: 0 (disabled)\n" \
"\n"
#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_HAVEGE_C) || \
@ -128,6 +131,7 @@ int main( int argc, char *argv[] )
opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.permissive = DFL_PERMISSIVE;
for( i = 1; i < argc; i++ )
{
@ -169,6 +173,12 @@ int main( int argc, char *argv[] )
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "permissive" ) == 0 )
{
opt.permissive = atoi( q );
if( opt.permissive < 0 || opt.permissive > 1 )
goto usage;
}
else
goto usage;
}
@ -185,7 +195,7 @@ int main( int argc, char *argv[] )
printf( "\n . Loading the certificate(s) ..." );
fflush( stdout );
ret = x509parse_crtfile( &crt, opt.filename );
ret = x509parse_crtfile( &crt, opt.filename, opt.permissive );
if( ret != 0 )
{

View File

@ -35,7 +35,7 @@ debug_print_crt:crt_file:file:line:prefix:result_str
ssl_set_dbg(&ssl, string_debug, &buffer);
TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 );
TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 );
debug_print_crt( &ssl, 0, {file}, {line}, {prefix}, &crt);
TEST_ASSERT( strcmp( buffer.buf, {result_str} ) == 0 );

View File

@ -38,7 +38,7 @@ x509_cert_info:crt_file:result_str
memset( &crt, 0, sizeof( x509_cert ) );
memset( buf, 0, 2000 );
TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 );
TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 );
res = x509parse_cert_info( buf, 2000, "", &crt );
TEST_ASSERT( res != -1 );
@ -81,8 +81,8 @@ x509_verify:crt_file:ca_file:crl_file:cn_name:result:flags:verify_callback
memset( &ca, 0, sizeof( x509_cert ) );
memset( &crl, 0, sizeof( x509_crl ) );
TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 );
TEST_ASSERT( x509parse_crtfile( &ca, {ca_file} ) == 0 );
TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 );
TEST_ASSERT( x509parse_crtfile( &ca, {ca_file}, X509_NON_PERMISSIVE ) == 0 );
TEST_ASSERT( x509parse_crlfile( &crl, {crl_file} ) == 0 );
res = x509parse_verify( &crt, &ca, &crl, {cn_name}, &flags, {verify_callback}, NULL );
@ -102,7 +102,7 @@ x509_dn_gets:crt_file:entity:result_str
memset( &crt, 0, sizeof( x509_cert ) );
memset( buf, 0, 2000 );
TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 );
TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 );
res = x509parse_dn_gets( buf, 2000, &crt.{entity} );
TEST_ASSERT( res != -1 );
@ -119,7 +119,7 @@ x509_time_expired:crt_file:entity:result
memset( &crt, 0, sizeof( x509_cert ) );
TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 );
TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 );
TEST_ASSERT( x509parse_time_expired( &crt.{entity} ) == {result} );
}
END_CASE
@ -176,7 +176,7 @@ x509parse_crt:crt_data:result_str:result
data_len = unhexify( buf, {crt_data} );
TEST_ASSERT( x509parse_crt( &crt, buf, data_len ) == ( {result} ) );
TEST_ASSERT( x509parse_crt( &crt, buf, data_len, X509_NON_PERMISSIVE ) == ( {result} ) );
if( ( {result} ) == 0 )
{
res = x509parse_cert_info( (char *) output, 2000, "", &crt );