From 4c832213202b52bd2b6efa7d5625c85c81a19002 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 7 May 2025 23:05:12 +0200
Subject: [PATCH] Replace MBEDTLS_ERR_OID_NOT_FOUND with MBEDTLS_ERR_X509_UNKNOWN_OID

Replace the non-X.509-named error code `MBEDTLS_ERR_OID_NOT_FOUND` with `MBEDTLS_ERR_X509_UNKNOWN_OID`, which already exists and is currently not used for anything. Public functions in X.509 propagate this error code, so it needs to have a public name.

Remove the definition of `MBEDTLS_ERR_OID_NOT_FOUND` in `x509_oid.h`, then
```
git grep -l MBEDTLS_ERR_OID_NOT_FOUND | xargs perl -i -pe 's/\bMBEDTLS_ERR_OID_NOT_FOUND\b/MBEDTLS_ERR_X509_UNKNOWN_OID/g'
```

Signed-off-by: Gilles Peskine
---
 library/ssl_tls.c | 2 +-
 library/ssl_tls13_generic.c | 2 +-
 library/x509.c | 2 +-
 library/x509_oid.c | 10 +++++-----
 library/x509_oid.h | 19 ++++++++-----------
 tests/suites/test_suite_x509_oid.function | 8 ++++----
 tests/suites/test_suite_x509parse.data | 10 +++++-----
 7 files changed, 25 insertions(+), 28 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0c992bf010..519b5b4a2b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7016,7 +7016,7 @@ static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 switch (ret) {
 case 0: /*ok*/
- case MBEDTLS_ERR_OID_NOT_FOUND:
+ case MBEDTLS_ERR_X509_UNKNOWN_OID:
 /* Ignore certificate with an unknown algorithm: maybe a
 prior certificate was already trusted. */
 break;
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 70175e0d60..44525dd153 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -505,7 +505,7 @@ int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
 switch (ret) {
 case 0: /*ok*/
 break;
- case MBEDTLS_ERR_OID_NOT_FOUND:
+ case MBEDTLS_ERR_X509_UNKNOWN_OID:
 /* Ignore certificate with an unknown algorithm: maybe a
 prior certificate was already trusted. */
 break;
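Review bot: The `case MBEDTLS_ERR_X509_UNKNOWN_OID:` label in ssl_parse_certificate_chain matches only the bare code, so a certificate whose parse fails with a wrapped form such as `MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, MBEDTLS_ERR_X509_UNKNOWN_OID)` (the value the x509parse test data in this patch expects for an unknown signature OID) still takes the error path; that is presumably intended, but now that the code is a public X.509 error returned by several OID getters in x509_oid.h (extension type, attribute name, EKU, policies), the comment "unknown algorithm" undersells what this branch tolerates. I would make the leniency explicit, e.g. `/* Tolerate a certificate whose OID lookup failed (bare MBEDTLS_ERR_X509_UNKNOWN_OID only, wrapped codes are still fatal): a prior certificate in the chain may already have been trusted. */`. The same wording applies to the mirrored switch in mbedtls_ssl_tls13_parse_certificate. Both enclosing functions and the remaining switch cases are outside the hunk.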
diff --git a/library/x509.c b/library/x509.c
index fe4e3e3afe..54275ebce0 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -314,7 +314,7 @@ int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
 /* Only MFG1 is recognised for now */
 if (MBEDTLS_OID_CMP(MBEDTLS_OID_MGF1, &alg_id) != 0) {
 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE,
- MBEDTLS_ERR_OID_NOT_FOUND);
+ MBEDTLS_ERR_X509_UNKNOWN_OID);
 }

 /* Parse HashAlgorithm */
diff --git a/library/x509_oid.c b/library/x509_oid.c
index 0a5da54cf5..3517ee3841 100644
--- a/library/x509_oid.c
+++ b/library/x509_oid.c
@@ -66,7 +66,7 @@
 int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1) \
 { \
 const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
- if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
+ if (data == NULL) return MBEDTLS_ERR_X509_UNKNOWN_OID; \
 *ATTR1 = data->descriptor.ATTR1; \
 return 0; \
 }
@@ -80,7 +80,7 @@
 int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1) \
 { \
 const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
- if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
+ if (data == NULL) return MBEDTLS_ERR_X509_UNKNOWN_OID; \
 *ATTR1 = data->ATTR1; \
 return 0; \
 }
@@ -95,7 +95,7 @@
 ATTR2_TYPE * ATTR2) \
 { \
 const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
- if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
+ if (data == NULL) return MBEDTLS_ERR_X509_UNKNOWN_OID; \
 *(ATTR1) = data->ATTR1; \
 *(ATTR2) = data->ATTR2; \
 return 0; \
@@ -117,7 +117,7 @@
 } \
 cur++; \
 } \
- return MBEDTLS_ERR_OID_NOT_FOUND; \
+ return MBEDTLS_ERR_X509_UNKNOWN_OID; \
 }

 /*
@@ -138,7 +138,7 @@
 } \
 cur++; \
 } \
- return MBEDTLS_ERR_OID_NOT_FOUND; \
+ return MBEDTLS_ERR_X509_UNKNOWN_OID; \
 }

 /*
diff --git a/library/x509_oid.h b/library/x509_oid.h
index 46cfd54adc..6b2da9895a 100644
--- a/library/x509_oid.h
+++ b/library/x509_oid.h
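Review bot: The new `return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE, MBEDTLS_ERR_X509_UNKNOWN_OID);` in mbedtls_x509_get_rsassa_pss_params combines two X.509-level codes, whereas MBEDTLS_ERROR_ADD is meant to pair a high-level code with a low-level one (the removed MBEDTLS_ERR_OID_NOT_FOUND was -0x002E, in the low-level range). If MBEDTLS_ERR_X509_UNKNOWN_OID keeps a high-level value, the arithmetic sum lands in the high-level range and can no longer be decomposed into its two parts, and I would expect a build with MBEDTLS_TEST_HOOKS to trip the error-add sanity check on the non-low-level second argument. Returning a single code, `return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;` (or the bare unknown-OID code), avoids the ambiguity; note that the x509parse test data in this same patch pins several other high+high combinations (UNKNOWN_SIG_ALG + UNKNOWN_OID, INVALID_ALG + UNKNOWN_OID), so the callers that produce those would need the same treatment together with their expectations. The function's body continues outside the hunk.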
@@ -19,9 +19,6 @@
 #include "mbedtls/md.h"

-/** OID is not found. */
-#define MBEDTLS_ERR_OID_NOT_FOUND -0x002E
-
 /*
 * Maximum number of OID components allowed
 */
@@ -459,7 +456,7 @@ typedef struct {
 * \param oid OID to use
 * \param ext_type place to store the extension type
 *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
 */
 int mbedtls_x509_oid_get_x509_ext_type(const mbedtls_asn1_buf *oid, int *ext_type);
@@ -470,7 +467,7 @@ int mbedtls_x509_oid_get_x509_ext_type(const mbedtls_asn1_buf *oid, int *ext_typ
 * \param oid OID to use
 * \param short_name place to store the string pointer
 *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
 */
 int mbedtls_x509_oid_get_attr_short_name(const mbedtls_asn1_buf *oid, const char **short_name);
@@ -481,7 +478,7 @@ int mbedtls_x509_oid_get_attr_short_name(const mbedtls_asn1_buf *oid, const char
 * \param md_alg place to store message digest algorithm
 * \param pk_alg place to store public key algorithm
 *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
 */
 int mbedtls_x509_oid_get_sig_alg(const mbedtls_asn1_buf *oid,
 mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg);
@@ -492,7 +489,7 @@ int mbedtls_x509_oid_get_sig_alg(const mbedtls_asn1_buf *oid,
 * \param oid OID to use
 * \param desc place to store string pointer
 *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
 */
 int mbedtls_x509_oid_get_sig_alg_desc(const mbedtls_asn1_buf *oid, const char **desc);
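Review bot: With the local `#define MBEDTLS_ERR_OID_NOT_FOUND` removed, x509_oid.h now names `MBEDTLS_ERR_X509_UNKNOWN_OID` in every `\return` line, yet the only include visible above the deletion is `#include "mbedtls/md.h"`; unless an include that defines that code (presumably `mbedtls/x509.h`) sits outside the hunk, the header is no longer self-contained and depends on include order in each translation unit that uses it. Adding `#include "mbedtls/x509.h"` alongside the existing includes makes the dependency explicit and lets the header compile on its own. The header's include block starts outside the hunk, so this may already be covered there.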
@@ -504,7 +501,7 @@ int mbedtls_x509_oid_get_sig_alg_desc(const mbedtls_asn1_buf *oid, const char **
 * \param oid place to store ASN.1 OID string pointer
 * \param olen length of the OID
 *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
 */
 int mbedtls_x509_oid_get_oid_by_sig_alg(mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, const char **oid, size_t *olen);
@@ -515,7 +512,7 @@ int mbedtls_x509_oid_get_oid_by_sig_alg(mbedtls_pk_type_t pk_alg, mbedtls_md_typ
 * \param oid OID to use
 * \param md_alg place to store message digest algorithm
 *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
 */
 int mbedtls_x509_oid_get_md_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg);
@@ -526,7 +523,7 @@ int mbedtls_x509_oid_get_md_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *
 * \param oid OID to use
 * \param desc place to store string pointer
 *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
 */
 int mbedtls_x509_oid_get_extended_key_usage(const mbedtls_asn1_buf *oid, const char **desc);
 #endif
@@ -537,7 +534,7 @@ int mbedtls_x509_oid_get_extended_key_usage(const mbedtls_asn1_buf *oid, const c
 * \param oid OID to use
 * \param desc place to store string pointer
 *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
 */
 int mbedtls_x509_oid_get_certificate_policies(const mbedtls_asn1_buf *oid, const char **desc);
diff --git a/tests/suites/test_suite_x509_oid.function b/tests/suites/test_suite_x509_oid.function
index 8273a71519..f10c68dc54 100644
--- a/tests/suites/test_suite_x509_oid.function
+++ b/tests/suites/test_suite_x509_oid.function
@@ -23,7 +23,7 @@ void oid_get_certificate_policies(data_t *oid, char *result_str)
 ret = mbedtls_x509_oid_get_certificate_policies(&asn1_buf, &desc);

 if (strlen(result_str) == 0) {
- TEST_ASSERT(ret == MBEDTLS_ERR_OID_NOT_FOUND);
+ TEST_ASSERT(ret == MBEDTLS_ERR_X509_UNKNOWN_OID);
 } else {
 TEST_ASSERT(ret == 0);
 TEST_ASSERT(strcmp((char *) desc, result_str) == 0);
@@ -44,7 +44,7 @@ void oid_get_extended_key_usage(data_t *oid, char *result_str)
 ret = mbedtls_x509_oid_get_extended_key_usage(&asn1_buf, &desc);

 if (strlen(result_str) == 0) {
- TEST_ASSERT(ret == MBEDTLS_ERR_OID_NOT_FOUND);
+ TEST_ASSERT(ret == MBEDTLS_ERR_X509_UNKNOWN_OID);
 } else {
 TEST_ASSERT(ret == 0);
 TEST_ASSERT(strcmp((char *) desc, result_str) == 0);
@@ -65,7 +65,7 @@ void oid_get_x509_extension(data_t *oid, int exp_type)
 ret = mbedtls_x509_oid_get_x509_ext_type(&ext_oid, &ext_type);

 if (exp_type == 0) {
- TEST_ASSERT(ret == MBEDTLS_ERR_OID_NOT_FOUND);
+ TEST_ASSERT(ret == MBEDTLS_ERR_X509_UNKNOWN_OID);
 } else {
 TEST_ASSERT(ret == 0);
 TEST_ASSERT(ext_type == exp_type);
@@ -87,7 +87,7 @@ void oid_get_md_alg_id(data_t *oid, int exp_md_id)
 ret = mbedtls_x509_oid_get_md_alg(&md_oid, &md_id);

 if (exp_md_id < 0) {
- TEST_ASSERT(ret == MBEDTLS_ERR_OID_NOT_FOUND);
+ TEST_ASSERT(ret == MBEDTLS_ERR_X509_UNKNOWN_OID);
 TEST_ASSERT(md_id == 0);
 } else {
 TEST_ASSERT(ret == 0);
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 6a04ff0f5e..c7c465b7e6 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1386,11 +1386,11 @@ x509parse_crt:"307f3075a0030201008204deadbeef30020601300c310a3008060013045465737

 X509 CRT ASN1 (TBS, inv AlgID, OID empty)
 depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C
-x509parse_crt:"307f3075a0030201008204deadbeef30020600300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff30020600030200ff":"":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, MBEDTLS_ERR_OID_NOT_FOUND)
+x509parse_crt:"307f3075a0030201008204deadbeef30020600300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff30020600030200ff":"":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, MBEDTLS_ERR_X509_UNKNOWN_OID)

 X509 CRT ASN1 (TBS, inv AlgID, OID unknown)
 depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C
-x509parse_crt:"3081873079a0030201008204deadbeef30060604deadbeef300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff30060604deadbeef030200ff":"":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, MBEDTLS_ERR_OID_NOT_FOUND)
+x509parse_crt:"3081873079a0030201008204deadbeef30060604deadbeef300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff30060604deadbeef030200ff":"":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, MBEDTLS_ERR_X509_UNKNOWN_OID)

 X509 CRT ASN1 (TBS, inv AlgID, param inv length encoding)
 depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C
@@ -2845,7 +2845,7 @@ X509 RSASSA-PSS parameters ASN1 (HashAlg with parameters)
 x509_parse_rsassa_pss_params:"a00f300d06096086480165030402013000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, MBEDTLS_ERR_ASN1_INVALID_DATA)

 X509 RSASSA-PSS parameters ASN1 (HashAlg unknown OID)
-x509_parse_rsassa_pss_params:"a00d300b06096086480165030402ff":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, MBEDTLS_ERR_OID_NOT_FOUND)
+x509_parse_rsassa_pss_params:"a00d300b06096086480165030402ff":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, MBEDTLS_ERR_X509_UNKNOWN_OID)

 X509 RSASSA-PSS parameters ASN1 (good, MGAlg = MGF1-SHA256)
 depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_256
@@ -2866,7 +2866,7 @@ X509 RSASSA-PSS parameters ASN1 (MGAlg AlgId wrong len #1)
 x509_parse_rsassa_pss_params:"a11a301906092a864886f70d010108300b0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, MBEDTLS_ERR_ASN1_OUT_OF_DATA)

 X509 RSASSA-PSS parameters ASN1 (MGAlg OID != MGF1)
-x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010109300b0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE, MBEDTLS_ERR_OID_NOT_FOUND)
+x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010109300b0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE, MBEDTLS_ERR_X509_UNKNOWN_OID)

 X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong tag)
 x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010108310b0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
@@ -2881,7 +2881,7 @@ X509 RSASSA-PSS parameters ASN1 (MGAlg.params.alg not an OID)
 x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010108300b0709608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)

 X509 RSASSA-PSS parameters ASN1 (MGAlg.params.alg unknown OID)
-x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010108300b06096086480165030402ff":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, MBEDTLS_ERR_OID_NOT_FOUND)
+x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010108300b06096086480165030402ff":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, MBEDTLS_ERR_X509_UNKNOWN_OID)

 X509 RSASSA-PSS parameters ASN1 (MGAlg.params.params NULL)
 depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_256