From c6ce838d8f6eaa4672048ce05c6761aceda2891e Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Mon, 27 Jul 2009 21:34:45 +0000 Subject: [PATCH] - Better handling of extension parsing --- library/x509parse.c | 28 ++++++++++++++++---------- tests/suites/test_suite_x509parse.data | 12 ++++++++--- 2 files changed, 26 insertions(+), 14 deletions(-) diff --git a/library/x509parse.c b/library/x509parse.c index 56fd809af..47aae2a38 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -614,7 +614,7 @@ static int x509_get_crt_ext( unsigned char **p, int ret, len; int is_critical = 1; int is_cacert = 0; - unsigned char *end2; + unsigned char *end_ext_data, *end_ext_octet; if( ( ret = x509_get_ext( p, end, ext ) ) != 0 ) { @@ -630,6 +630,8 @@ static int x509_get_crt_ext( unsigned char **p, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret ); + end_ext_data = *p + len; + if( memcmp( *p, "\x06\x03\x55\x1D\x13", 5 ) != 0 ) { *p += len; @@ -638,11 +640,11 @@ static int x509_get_crt_ext( unsigned char **p, *p += 5; - if( ( ret = asn1_get_bool( p, end, &is_critical ) ) != 0 && + if( ( ret = asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 && ( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) ) return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret ); - if( ( ret = asn1_get_tag( p, end, &len, + if( ( ret = asn1_get_tag( p, end_ext_data, &len, ASN1_OCTET_STRING ) ) != 0 ) return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret ); 
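Review bot: In the hunk at -630, the `memcmp( *p, "\x06\x03\x55\x1D\x13", 5 )` right after the new `end_ext_data = *p + len;` still compares five bytes without checking that the extension holds five bytes, so a shorter extension at the end of the buffer may be read past `end_ext_data`. The bound this commit introduces can guard it: `if( end_ext_data - *p < 5 || memcmp( *p, "\x06\x03\x55\x1D\x13", 5 ) != 0 )`, which sends short extensions down the existing skip path. This assumes asn1_get_tag guarantees only that `len` bytes remain before `end`; its body is not visible here. The loop in x509_get_crt_ext starts and ends outside the hunk.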
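Review bot: In the hunk at -638, a return of POLARSSL_ERR_ASN1_UNEXPECTED_TAG from `asn1_get_bool( p, end_ext_data, &is_critical )` is tolerated, which leaves `is_critical` at the 1 it was initialised with, while X.509 declares `critical BOOLEAN DEFAULT FALSE`. If treating an absent flag as critical is intended, it should be stated at the call, for example `/* critical is optional; when absent is_critical keeps its initial value of 1 */`. How `is_critical` is consumed lies outside the visible hunks, so its effect on the CA decision cannot be judged from here.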
@@ -651,19 +653,23 @@ static int x509_get_crt_ext( unsigned char **p, * cA BOOLEAN DEFAULT FALSE, * pathLenConstraint INTEGER (0..MAX) OPTIONAL } */ - end2 = *p + len; + end_ext_octet = *p + len; + + if( end_ext_octet != end_ext_data ) + return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | + POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); - if( ( ret = asn1_get_tag( p, end2, &len, + if( ( ret = asn1_get_tag( p, end_ext_octet, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret ); - if( *p == end2 ) + if( *p == end_ext_octet ) continue; - if( ( ret = asn1_get_bool( p, end2, &is_cacert ) ) != 0 ) + if( ( ret = asn1_get_bool( p, end_ext_octet, &is_cacert ) ) != 0 ) { if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) - ret = asn1_get_int( p, end2, &is_cacert ); + ret = asn1_get_int( p, end_ext_octet, &is_cacert ); if( ret != 0 ) return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret ); @@ -672,13 +678,13 @@ static int x509_get_crt_ext( unsigned char **p, is_cacert = 1; } - if( *p == end2 ) + if( *p == end_ext_octet ) continue; - if( ( ret = asn1_get_int( p, end2, max_pathlen ) ) != 0 ) + if( ( ret = asn1_get_int( p, end_ext_octet, max_pathlen ) ) != 0 ) return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret ); - if( *p != end2 ) + if( *p != end_ext_octet ) return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 99454c6b5..ff1b9edf5 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
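Review bot: After the inner `asn1_get_tag( p, end_ext_octet, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE )` in the hunk at -651, the returned `len` is never compared with `end_ext_octet`. A BasicConstraints SEQUENCE shorter than its enclosing OCTET STRING therefore lets the bytes after it be parsed as cA and pathLenConstraint, although they lie outside the SEQUENCE. The new `end_ext_octet != end_ext_data` test one level up shows the pattern; here it would be `if( *p + len != end_ext_octet ) return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_LENGTH_MISMATCH );`. A test vector with trailing bytes after the inner SEQUENCE would pin the behaviour. The function body continues outside the hunk.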
@@ -328,14 +328,20 @@ x509parse_crt:"30818f30818ca0030201028204deadbeef300d06092a864886f70d01010205003 X509 Certificate ASN1 (TBSCertificate v3, first ext invalid tag) x509parse_crt:"30819030818da0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba3043002310000":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_UNEXPECTED_TAG -X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, tag data missing) -x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30080603551d1301010100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_UNEXPECTED_TAG +X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, bool len missing) +x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30060603551d1301010100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, data missing) +x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30080603551d1301010100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | 
POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, no octet present) +x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30d300b30090603551d1301010100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_UNEXPECTED_TAG X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, octet data missing) x509parse_crt:"30819c308199a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba311300f300d0603551d130101010403300100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_UNEXPECTED_TAG X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, no pathlen) -x509parse_crt:"30819f30819ca0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba314301230100603551d130101010403300402010102":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_OUT_OF_DATA +x509parse_crt:"30819f30819ca0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba314301230100603551d130101010406300402010102":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_OUT_OF_DATA X509 Certificate ASN1 (TBSCertificate v3, ext 
BasicContraint tag, octet len mismatch) x509parse_crt:"3081a230819fa0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba317301530130603551d130101010409300702010102010100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_LENGTH_MISMATCH