lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-08 17:42:09 +03:00
Code Activity

Merge pull request #6882 from AndrzejKurek/x509_san_parsing_testing-dev

Browse Source 
X.509: Fix bug in SAN parsing and enhance negative testing
This commit is contained in:
Gilles Peskine
2023-02-10 15:05:32 +01:00
committed by GitHub
parent a22749e749 7dcdc132d5
commit b8531c4b0b
3 changed files with 177 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
library/x509.c
View File

@@ -1156,11 +1156,6 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
}
if (p + len >= end) {
mbedtls_platform_zeroize(other_name, sizeof(*other_name));
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
p += len;
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) !=
@@ -1168,11 +1163,21 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if (end != p + len) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if (end != p + len) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
@@ -1181,11 +1186,6 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
other_name->value.hardware_module_name.oid.p = p;
other_name->value.hardware_module_name.oid.len = len;
if (p + len >= end) {
mbedtls_platform_zeroize(other_name, sizeof(*other_name));
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
p += len;
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
@@ -1197,8 +1197,6 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
other_name->value.hardware_module_name.val.len = len;
p += len;
if (p != end) {
mbedtls_platform_zeroize(other_name,
sizeof(*other_name));
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
@@ -1238,8 +1236,6 @@ int mbedtls_x509_get_subject_alt_name(unsigned char **p,
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len, tag_len;
mbedtls_asn1_buf *buf;
unsigned char tag;
mbedtls_asn1_sequence *cur = subject_alt_name;
/* Get main sequence tag */
@@ -1255,15 +1251,20 @@ int mbedtls_x509_get_subject_alt_name(unsigned char **p,
while (*p < end) {
mbedtls_x509_subject_alternative_name dummy_san_buf;
mbedtls_x509_buf tmp_san_buf;
memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
tag = **p;
tmp_san_buf.tag = **p;
(*p)++;
if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
tmp_san_buf.p = *p;
tmp_san_buf.len = tag_len;
if ((tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
@@ -1272,7 +1273,7 @@ int mbedtls_x509_get_subject_alt_name(unsigned char **p,
/*
* Check that the SAN is structured correctly.
*/
ret = mbedtls_x509_parse_subject_alt_name(&(cur->buf), &dummy_san_buf);
ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &dummy_san_buf);
/*
* In case the extension is malformed, return an error,
* and clear the allocated sequences.
@@ -1299,11 +1300,8 @@ int mbedtls_x509_get_subject_alt_name(unsigned char **p,
cur = cur->next;
}
buf = &(cur->buf);
buf->tag = tag;
buf->p = *p;
buf->len = tag_len;
*p += buf->len;
cur->buf = tmp_san_buf;
*p += tmp_san_buf.len;
}
/* Set final sequence entry's next pointer to NULL */