- Better handling of extension parsing

2009-07-27 21:34:45 +00:00 · 2009-07-27 21:34:45 +00:00 · c6ce838d8f
commit c6ce838d8f
parent b3bb6c0c66
2 changed files with 26 additions and 14 deletions
--- a/library/x509parse.c
+++ b/library/x509parse.c
@ -614,7 +614,7 @@ static int x509_get_crt_ext( unsigned char **p,
    int ret, len;
    int is_critical = 1;
    int is_cacert   = 0;
-    unsigned char *end2;
+    unsigned char *end_ext_data, *end_ext_octet;
    if( ( ret = x509_get_ext( p, end, ext ) ) != 0 )
    {
@ -630,6 +630,8 @@ static int x509_get_crt_ext( unsigned char **p,
                ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
        end_ext_data = *p + len;
        if( memcmp( *p, "\x06\x03\x55\x1D\x13", 5 ) != 0 )
        {
            *p += len;
@ -638,11 +640,11 @@ static int x509_get_crt_ext( unsigned char **p,
        *p += 5;
-        if( ( ret = asn1_get_bool( p, end, &is_critical ) ) != 0 &&
+        if( ( ret = asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
            ( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) )
            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
-        if( ( ret = asn1_get_tag( p, end, &len,
+        if( ( ret = asn1_get_tag( p, end_ext_data, &len,
                ASN1_OCTET_STRING ) ) != 0 )
            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
@ -651,19 +653,23 @@ static int x509_get_crt_ext( unsigned char **p,
         *      cA                      BOOLEAN DEFAULT FALSE,
         *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
         */
-        end2 = *p + len;
+        end_ext_octet = *p + len;
        if( end_ext_octet != end_ext_data )
            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
                    POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-        if( ( ret = asn1_get_tag( p, end2, &len,
+        if( ( ret = asn1_get_tag( p, end_ext_octet, &len,
                ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
-        if( *p == end2 )
+        if( *p == end_ext_octet )
            continue;
-        if( ( ret = asn1_get_bool( p, end2, &is_cacert ) ) != 0 )
+        if( ( ret = asn1_get_bool( p, end_ext_octet, &is_cacert ) ) != 0 )
        {
            if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
-                ret = asn1_get_int( p, end2, &is_cacert );
+                ret = asn1_get_int( p, end_ext_octet, &is_cacert );
            if( ret != 0 )
                return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
@ -672,13 +678,13 @@ static int x509_get_crt_ext( unsigned char **p,
                is_cacert  = 1;
        }
-        if( *p == end2 )
+        if( *p == end_ext_octet )
            continue;
-        if( ( ret = asn1_get_int( p, end2, max_pathlen ) ) != 0 )
+        if( ( ret = asn1_get_int( p, end_ext_octet, max_pathlen ) ) != 0 )
            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
-        if( *p != end2 )
+        if( *p != end_ext_octet )
            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
                    POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@ -328,14 +328,20 @@ x509parse_crt:"30818f30818ca0030201028204deadbeef300d06092a864886f70d01010205003
 X509 Certificate ASN1 (TBSCertificate v3, first ext invalid tag)
 x509parse_crt:"30819030818da0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba3043002310000":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_UNEXPECTED_TAG
-X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, tag data missing)
+X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, bool len missing)
-x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30080603551d1301010100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_UNEXPECTED_TAG
+x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30060603551d1301010100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_OUT_OF_DATA
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, data missing)
 x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30080603551d1301010100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_OUT_OF_DATA
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, no octet present)
 x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30d300b30090603551d1301010100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_UNEXPECTED_TAG
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, octet data missing)
 x509parse_crt:"30819c308199a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba311300f300d0603551d130101010403300100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_UNEXPECTED_TAG
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, no pathlen)
-x509parse_crt:"30819f30819ca0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba314301230100603551d130101010403300402010102":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_OUT_OF_DATA
+x509parse_crt:"30819f30819ca0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba314301230100603551d130101010406300402010102":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_OUT_OF_DATA
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, octet len mismatch)
 x509parse_crt:"3081a230819fa0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba317301530130603551d130101010409300702010102010100":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | POLARSSL_ERR_ASN1_LENGTH_MISMATCH