From 873a202d18915abe1ca15976389768eb3c1e18ba Mon Sep 17 00:00:00 2001
From: Matthias Schulz <mschulz@hilscher.com>
Date: Tue, 17 Oct 2023 16:02:20 +0200
Subject: [PATCH] Now handling critical extensions similarly to how its done in
 x509_get_crt_ext just without the callback function to handle unknown
 extensions.

Signed-off-by: Matthias Schulz <mschulz@hilscher.com>
---
 library/x509_csr.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/library/x509_csr.c b/library/x509_csr.c
index ce4c081e39..baf260664a 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -75,13 +75,13 @@ static int x509_csr_get_version(unsigned char **p,
 static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
                                      unsigned char **p, const unsigned char *end)
 {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
     unsigned char *end_ext_data;
-    int critical;
 
     while (*p < end) {
         mbedtls_x509_buf extn_oid = { 0, 0, NULL };
+        int is_critical = 0; /* DEFAULT FALSE */
         int ext_type = 0;
 
         /* Read sequence tag */
@@ -102,8 +102,11 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
         extn_oid.p = *p;
         *p += extn_oid.len;
 
-        /* Get and ignore optional critical flag */
-        (void)mbedtls_asn1_get_bool(p, end_ext_data, &critical);
+        /* Get optional critical */
+        if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
+            (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        }
 
         /* Data should be octet string type */
         if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
@@ -157,6 +160,12 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
                 default:
                     break;
             }
+        } else {
+            if (is_critical) {
+                /* Data is marked as critical: fail */
+                return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+                                         MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+            }
         }
         *p = end_ext_data;
     }