From 48513b8639056eb3b8093842cb197a02e4f5d1e7 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 20 Jul 2023 16:19:05 +0100 Subject: [PATCH 01/75] Escape special characters RFC 4514 This escapes special characters according to RFC 4514 in mbedtls_x509_dn_gets and de-escapes in mbedtls_x509_string_to_names. This commit does not handle hexpairs. Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 14 +++++++++----- library/x509_create.c | 4 ++-- tests/suites/test_suite_x509write.data | 11 ++++++++++- 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/library/x509.c b/library/x509.c index ba8d719606..2764ba6006 100644 --- a/library/x509.c +++ b/library/x509.c @@ -855,12 +855,16 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) } c = name->val.p[i]; - // Special characters requiring escaping, RFC 1779 - if (c && strchr(",=+<>#;\"\\", c)) { - if (j + 1 >= sizeof(s) - 1) { - return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + // Special characters requiring escaping, RFC 4514 Section 2.4 + if (c) { + if (strchr(",=+<>;\"\\+", c) || + ((i == 0) && strchr("# ", c)) || + ((i == name->val.len-1 ) && (c == ' '))) { + if (j + 1 >= sizeof(s) - 1) { + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + s[j++] = '\\'; } - s[j++] = '\\'; } if (c < 32 || c >= 127) { s[j] = '?'; diff --git a/library/x509_create.c b/library/x509_create.c index bd772d3ac7..170a6bc29c 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -153,8 +153,8 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (!in_tag && *c == '\\' && c != end) { c++; - /* Check for valid escaped characters */ - if (c == end || *c != ',') { + /* Check for valid escaped characters in RFC 4514 in Section 3*/ + if (c == end || !strchr(" ,=+<>#;\"\\+", *c)) { ret = MBEDTLS_ERR_X509_INVALID_NAME; goto exit; } diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 0848550199..e50f590dbc 100644 
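Review bot: The escape set `",=+<>;\"\\+"` in the mbedtls_x509_dn_gets hunk lists `+` twice, and the matching de-escape set in the x509_create.c hunk, `" ,=+<>#;\"\\+"`, repeats it as well; dropping the trailing `+` from both leaves exactly the RFC 4514 Section 3 `special`/`escaped` set and stops a reader wondering whether the duplicate was meant to be a different character. The new comment cites Section 2.4, but that section also requires a NUL (U+0000) in a value to be escaped as `\00`, whereas here a NUL is skipped by `if (c)` and still reaches the `c < 32` branch that prints `?`; a later patch in the series moves non-printables to hexpairs, so at minimum the comment should say NUL is not yet covered. A one-line comment on the two position terms, e.g. `/* RFC 4514 2.4: leading ' ' or '#' and trailing ' ' must also be escaped */`, would explain `i == 0` and `i == name->val.len-1` without a trip to the RFC. mbedtls_x509_dn_gets continues outside the hunk on both sides.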
--- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -184,8 +184,17 @@ mbedtls_x509_string_to_names:"C=NL, O=Offspark\\a Inc., OU=PolarSSL":"":MBEDTLS_ X509 String to Names #6 (Escape at end) mbedtls_x509_string_to_names:"C=NL, O=Offspark\\":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #6 (Invalid, no '=' or ',') +X509 String to Names #7 (Invalid, no '=' or ',') mbedtls_x509_string_to_names:"ABC123":"":MBEDTLS_ERR_X509_INVALID_NAME +X509 String to Names #8 (Escape valid characters) +mbedtls_x509_string_to_names:"C=NL, O=Offspark\\+ \\> \\=, OU=PolarSSL":"C=NL, O=Offspark\\+ \\> \\=, OU=PolarSSL":0 + +X509 String to Names #9 (Escape '#' at beginning of string) +mbedtls_x509_string_to_names:"C=NL, O=#Offspark#, OU=PolarSSL":"C=NL, O=\\#Offspark#, OU=PolarSSL":0 + +X509 String to Names #10 (Escape ' ' at beginning and end of string) +mbedtls_x509_string_to_names:"C=NL, O= Off spark , OU=PolarSSL":"C=NL, O=\\ Off spark\\ , OU=PolarSSL":0 + Check max serial length x509_set_serial_check: From ef2decbe4aa625e097ebd7baba006be08b707581 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Fri, 21 Jul 2023 15:47:47 +0100 Subject: [PATCH 02/75] Escape hexpairs characters RFC 4514 Converts none ascii to escaped hexpairs in mbedtls_x509_dn_gets and interprets hexpairs in mbedtls_x509_string_to_names. Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 21 +++++++++++++++++---- library/x509_create.c | 20 ++++++++++++++++++-- tests/suites/test_suite_x509write.data | 9 +++++++++ 3 files changed, 44 insertions(+), 6 deletions(-) diff --git a/library/x509.c b/library/x509.c index 2764ba6006..5025d774b4 100644 --- a/library/x509.c +++ b/library/x509.c 
@@ -810,6 +810,12 @@ int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end, return 0; } +/* Converts only the 4 least significant bits */ +static char x509_int_to_hexdigit(int i) +{ + return (i < 10) ? (i | 0x30) : ((i - 9) | 0x40); +} + /* * Store the name in printable form into buf; no more * than size characters will be written @@ -857,9 +863,9 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) c = name->val.p[i]; // Special characters requiring escaping, RFC 4514 Section 2.4 if (c) { - if (strchr(",=+<>;\"\\+", c) || - ((i == 0) && strchr("# ", c)) || - ((i == name->val.len-1 ) && (c == ' '))) { + if (strchr(",=+<>;\"\\+", c) || + ((i == 0) && strchr("# ", c)) || + ((i == name->val.len-1) && (c == ' '))) { if (j + 1 >= sizeof(s) - 1) { return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } @@ -867,7 +873,14 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) } } if (c < 32 || c >= 127) { - s[j] = '?'; + if (j + 3 >= sizeof(s) - 1) { + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + s[j++] = '\\'; + char lowbits = (c & 0x0F); + char highbits = c>>4; + s[j++] = x509_int_to_hexdigit(highbits); + s[j] = x509_int_to_hexdigit(lowbits); } else { s[j] = c; } diff --git a/library/x509_create.c b/library/x509_create.c index 170a6bc29c..9652a20c6d 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -123,6 +123,16 @@ static const x509_attr_descriptor_t *x509_attr_descr_from_name(const char *name, return cur; } +static int x509_is_char_hex(char c) +{ + return ('0' <= c && c <= '9') || ('a' <= c && c <= 'f') || ('A' <= c && c <= 'F'); +} + +static int x509_hex_to_int(char c) +{ + return ((c & 0x40) ? (c + 9) : c) & 0x0F; +} + int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name) { int ret = MBEDTLS_ERR_X509_INVALID_NAME; 
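Review bot: The comment on `x509_int_to_hexdigit` says it converts only the 4 least significant bits, but nothing in the body masks `i`: for `i >= 16` the expression `(i - 9) | 0x40` yields characters past `'F'` (16 gives `'G'`). Either mask inside the helper, `i &= 0x0F;` before the return, or make the comment a precondition, `/* i must be a single nibble (0..15); callers mask before calling */`. The two callers added in the `@@ -867,7 +873,14` hunk do pass masked nibbles, so this is a defensive/documentation point rather than a live fault; the rename in PATCH 04 and the rewrite in PATCH 05 keep the same unmasked shape, so whichever fix is chosen applies there too.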
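Review bot: `x509_hex_to_int` returns a nibble for any input byte rather than rejecting non-hex characters (`'g'` is 0x67, which the `c & 0x40` branch maps to `(0x67 + 9) & 0x0F == 0`), so its correctness depends entirely on every caller testing `x509_is_char_hex` first. Since that contract is not written down, add `/* Precondition: x509_is_char_hex(c); other inputs yield a meaningless nibble */` above it, or fold the range check in and return -1 for bad input so a future caller cannot get it wrong. mbedtls_x509_string_to_names starts at the end of this hunk and continues outside it.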
@@ -131,6 +141,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam const char *oid = NULL; const x509_attr_descriptor_t *attr_descr = NULL; int in_tag = 1; + int hexpair = 0; char data[MBEDTLS_X509_MAX_DN_NAME_SIZE]; char *d = data; @@ -154,7 +165,11 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam c++; /* Check for valid escaped characters in RFC 4514 in Section 3*/ - if (c == end || !strchr(" ,=+<>#;\"\\+", *c)) { + if (c + 1 < end && x509_is_char_hex(*c) && x509_is_char_hex(*(c+1))) { + hexpair = 1; + *(d++) = (x509_hex_to_int(*c) << 4) + x509_hex_to_int(*(c+1)); + c++; + } else if (c == end || !strchr(" ,=+<>#;\"\\+", *c)) { ret = MBEDTLS_ERR_X509_INVALID_NAME; goto exit; } @@ -182,7 +197,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam ret = 0; } - if (!in_tag && s != c + 1) { + if (!hexpair && !in_tag && s != c + 1) { *(d++) = *c; if (d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE) { @@ -191,6 +206,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam } } + hexpair = 0; c++; } diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index e50f590dbc..0987faef2a 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data 
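Review bot: The hexpair branch in the `@@ -154,7 +165,11` hunk writes `*(d++) = (x509_hex_to_int(*c) << 4) + x509_hex_to_int(*(c+1));` without the `d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE` check that guards the plain-character write further down, and because `hexpair` is set that later block is skipped for this character; a value made of enough `\XX` pairs therefore advances `d` past the end of the caller's stack array `char data[MBEDTLS_X509_MAX_DN_NAME_SIZE]`. The same bound check should follow the hexpair write, in the hunk's own error style: `if (d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE) { ret = MBEDTLS_ERR_X509_INVALID_NAME; goto exit; }`. `name` is whatever string the application hands to mbedtls_x509_string_to_names, so the overrun is reachable from any caller that builds a DN from external input. The enclosing `while` loop starts before this hunk.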
@@ -196,5 +196,14 @@ mbedtls_x509_string_to_names:"C=NL, O=#Offspark#, OU=PolarSSL":"C=NL, O=\\#Offsp X509 String to Names #10 (Escape ' ' at beginning and end of string) mbedtls_x509_string_to_names:"C=NL, O= Off spark , OU=PolarSSL":"C=NL, O=\\ Off spark\\ , OU=PolarSSL":0 +X509 String to Names #11 (Escape ascii hexpairs) +mbedtls_x509_string_to_names:"C=NL, O=Of\\66spark, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 + +X509 String to Names #12 (Escape non-ascii hexpairs) +mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 + +X509 String to Names #13 (Invalid hexpairs) +mbedtls_x509_string_to_names:"C=NL, O=Of\\flspark, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME + Check max serial length x509_set_serial_check: From dba8a641fefba60c7c9d3fa17e180453c9eb2e03 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 24 Jul 2023 14:41:34 +0100 Subject: [PATCH 03/75] Add and update tests for x509write and x509parse Due to change in handling non-ascii characters, existing tests had to be updated to handle the new implementation. New tests and certificates are added to test the escaping functionality in edge cases. Signed-off-by: Agathiyan Bragadeesh --- tests/data_files/Makefile | 11 ++++++++++- tests/data_files/server1.hashsymbol.crt | 20 ++++++++++++++++++++ tests/data_files/server1.spaces.crt | 20 ++++++++++++++++++++ tests/suites/test_suite_x509parse.data | 12 ++++++++++-- 4 files changed, 60 insertions(+), 3 deletions(-) create mode 100644 tests/data_files/server1.hashsymbol.crt create mode 100644 tests/data_files/server1.spaces.crt diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index b5f0844c9d..2009ad6699 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
@@ -1441,6 +1441,11 @@ all_final += server1.req.cert_type_empty parse_input/server1.req.commas.sha256: server1.key $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL\, Commas,CN=PolarSSL Server 1" md=SHA256 +parse_input/server1.req.hashsymbol.sha256: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=\#PolarSSL,CN=PolarSSL Server 1" md=SHA256 + +parse_input/server1.req.spaces.sha256: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O= PolarSSL ,CN=PolarSSL Server 1" md=SHA256 # server2* server2_pwd_ec = PolarSSLTest 
@@ -1590,7 +1595,11 @@ server1.der: server1.crt $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ server1.commas.crt: server1.key parse_input/server1.req.commas.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.commas.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ -all_final += server1.crt server1.noauthid.crt parse_input/server1.crt.der server1.commas.crt +server1.hashsymbol.crt: server1.key parse_input/server1.req.hashsymbol.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.hashsymbol.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ +server1.spaces.crt: server1.key parse_input/server1.req.spaces.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.spaces.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ +all_final += server1.crt server1.noauthid.crt parse_input/server1.crt.der server1.commas.crt server1.hashsymbol.crt server1.spaces.crt parse_input/server1.key_usage.crt: parse_input/server1.req.sha256 server1.key_usage.crt: server1.req.sha256 diff --git a/tests/data_files/server1.hashsymbol.crt b/tests/data_files/server1.hashsymbol.crt new file mode 100644 index 0000000000..9db73009dd --- /dev/null +++ b/tests/data_files/server1.hashsymbol.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA9MQswCQYDVQQGEwJOTDESMBAG +A1UECgwJI1BvbGFyU1NMMRowGAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6J +v7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVB +Q3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYEl +XwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk +65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZP +cG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEA +AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynBdHRFOwUSLD2ovUNZAqYw +HwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQAD +ggEBAJcKcv/Xro61Sxm0GH42pYu7AvtD2b8nynvA8BW9gCHmiIHvHQWNO9NTMuno +1+HdzQVF1JxHC/A/hvXsczxGEc3jVnVeg1fwi8mZ/Fy1XtAVCTA0yJu7JTaaYbg+ +IU2y7Nu36FSOztLpOfHGmwVDoJ1+wCzG/id64hXwJRrHvUfGK4EvIsV97swhk2Do +zSAfDA9N+QNV4zeiF9mLMOpUhCUBq8r41EDqm9lM0wSd3HNen8jwO20F4F1b1dYm +L+bMarvUgHq91f128m2fF3sWNnz4RGoagSI/aOU/AP6Ksq8SUruGHpqrVWLClA6n +EyyTPlNTwYIRCydZt7zlsw1/4h4= +-----END CERTIFICATE----- diff --git a/tests/data_files/server1.spaces.crt b/tests/data_files/server1.spaces.crt new file mode 100644 index 0000000000..b77132a190 --- /dev/null +++ b/tests/data_files/server1.spaces.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQTCCAimgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA+MQswCQYDVQQGEwJOTDETMBEG +A1UECgwKIFBvbGFyU1NMIDEaMBgGA1UEAwwRUG9sYXJTU0wgU2VydmVyIDEwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpAh89QGrVVVOL/TbugmUuFWFe +ib+46EWQ2+6IFlLT8UNQR5YSWWSHa/0r4Eb5c77dz5LhkVvtZqBviSl5RYDQg2rV +QUN3Xzl8CQRHgrBXOXDto+wVGR6oMwhHwQVCqf1Mw7Tf3QYfTRBRQGdzEw9A+G2B +JV8KsVPGMH4VOaz5Wu5/kp6mBVvnE5eFtSOS2dQkBtUJJYl1B92mGo8/CRm+rWUs +ZOuVm9z+QV4XptpsW2nMAroULBYknErczdD3Umdz8S2gI/1+9DHKLXDKiQsE2y6m +T3Buns69WIniU1meblqSZeKIPwyUGaPd5eidlRPtKdurcBLcWsprF6tSglSxAgMB +AAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1DWQKm +MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA +A4IBAQBsR3jOFh7uGF5MCvEK8DrSmmvcFJzMmTRp0hCMeb0wEULhrMKeRDIa2yvr +FrHHCUNAk2HjsjJevpCM8f3ibDqecckfbxE2vT9IUCmPrtOWmhQR/Il5TR9FvYns +4BF1KUPRqGUFAXoIN+xKcYdp+myIluGHumM4Bop7tAZ5gg68IV/UJh5RqShxiLgV +rxHzrp6oM1kn199m2wc1Twy2YwcNmfJDSOLV6K4xWjwcc8Eq+rLhuWUs5GNdrSEY +ZjWmF1AlbVVChU3Dl5XOAY8T6+wJst5RIwkf1Fl1TPCZX8FWzGM9HYiYW0cC7cno +IdSS7mVGxNrNe+6/Cu+zfqeiLdN2 +-----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 7af9de9cf1..a2a43d3823 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -184,11 +184,11 @@ x509_cert_info:"data_files/parse_input/server3.crt":"cert. version \: 3\nser X509 CRT information Bitstring in subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n" +x509_cert_info:"data_files/parse_input/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=\\007101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n" X509 CRT information Non-ASCII string in issuer name and subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nsubject name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? 
CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" +x509_cert_info:"data_files/parse_input/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 Ltd, CN=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 CA\nsubject name \: C=JP, ST=Tokyo, O=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 Ltd, CN=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" X509 CRT information Parsing IPv4 and IPv6 IP names depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C @@ -447,6 +447,14 @@ X509 Get Distinguished Name #5 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 mbedtls_x509_dn_gets:"data_files/server1.commas.crt":"subject":"C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1" +X509 Get Distinguished Name #6 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 +mbedtls_x509_dn_gets:"data_files/server1.hashsymbol.crt":"subject":"C=NL, O=\\#PolarSSL, CN=PolarSSL Server 1" + +X509 Get Distinguished Name #7 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 +mbedtls_x509_dn_gets:"data_files/server1.spaces.crt":"subject":"C=NL, O=\\ PolarSSL\\ , CN=PolarSSL Server 1" + X509 Get Modified DN #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"Modified":"C=NL, O=Modified, CN=PolarSSL Server 1":0 From 9d2507c81dae277e5f82abf85c8de01a3bef9973 Mon Sep 17 00:00:00 2001 
From: Agathiyan Bragadeesh Date: Mon, 24 Jul 2023 16:35:57 +0100 Subject: [PATCH 04/75] Rename x509_int_to_hexdigit to nibble_to_hex_digit Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/library/x509.c b/library/x509.c index 5025d774b4..b8a866ac38 100644 --- a/library/x509.c +++ b/library/x509.c @@ -810,8 +810,7 @@ int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end, return 0; } -/* Converts only the 4 least significant bits */ -static char x509_int_to_hexdigit(int i) +static char nibble_to_hex_digit(int i) { return (i < 10) ? (i | 0x30) : ((i - 9) | 0x40); } @@ -879,8 +878,8 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) s[j++] = '\\'; char lowbits = (c & 0x0F); char highbits = c>>4; - s[j++] = x509_int_to_hexdigit(highbits); - s[j] = x509_int_to_hexdigit(lowbits); + s[j++] = nibble_to_hex_digit(highbits); + s[j] = nibble_to_hex_digit(lowbits); } else { s[j] = c; } From f0e1ac59d863f03a90d7db204f468e3dca4b6e0e Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 24 Jul 2023 16:43:36 +0100 Subject: [PATCH 05/75] Rewrite nibble_to_hex_digit for readability Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509.c b/library/x509.c index b8a866ac38..b36e27a274 100644 --- a/library/x509.c +++ b/library/x509.c @@ -812,7 +812,7 @@ int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end, static char nibble_to_hex_digit(int i) { - return (i < 10) ? (i | 0x30) : ((i - 9) | 0x40); + return (i < 10) ? (i + '0') : (i - 10 + 'A'); } /* From 404b4bb9ab3effee68c51b2c3ccf77c7ce95ca88 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 24 Jul 2023 16:56:10 +0100 Subject: [PATCH 06/75] Add x509 tests for upper and lowercase hexpairs 
Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509write.data | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 0987faef2a..0827f948c2 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -196,13 +196,16 @@ mbedtls_x509_string_to_names:"C=NL, O=#Offspark#, OU=PolarSSL":"C=NL, O=\\#Offsp X509 String to Names #10 (Escape ' ' at beginning and end of string) mbedtls_x509_string_to_names:"C=NL, O= Off spark , OU=PolarSSL":"C=NL, O=\\ Off spark\\ , OU=PolarSSL":0 -X509 String to Names #11 (Escape ascii hexpairs) -mbedtls_x509_string_to_names:"C=NL, O=Of\\66spark, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 +X509 String to Names #11 (Escape ascii hexpairs uppercase encoded) +mbedtls_x509_string_to_names:"C=NL, O=\\4F\\66\\66\\73\\70\\61\\72\\6B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #12 (Escape non-ascii hexpairs) +X509 String to Names #12 (Escape ascii hexpairs lowercase encoded) +mbedtls_x509_string_to_names:"C=NL, O=\\4f\\66\\66\\73\\70\\61\\72\\6b, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 + +X509 String to Names #13 (Escape non-ascii hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 -X509 String to Names #13 (Invalid hexpairs) +X509 String to Names #14 (Invalid hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\flspark, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME Check max serial length From e119f3c0ea898b9f0338d3fbcaecfd556ec4506b Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 24 Jul 2023 17:21:14 +0100 Subject: [PATCH 07/75] Refactor mbedtls_x509_string_to_names This refactor is to accomodate future support of numericoid/hexstring attributetype value pairs. 
Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 138 ++++++++++++++++++++++++++++++------------ 1 file changed, 100 insertions(+), 38 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 9652a20c6d..8f27cba534 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -28,6 +28,8 @@ #include +#include "mbedtls/platform.h" + /* Structure linking OIDs for X.509 DN AttributeTypes to their * string representations and default string encodings used by Mbed TLS. */ typedef struct { @@ -35,7 +37,8 @@ typedef struct { * "CN" or "emailAddress". */ size_t name_len; /* Length of 'name', without trailing 0 byte. */ const char *oid; /* String representation of OID of AttributeType, - * as per RFC 5280, Appendix A.1. */ + * as per RFC 5280, Appendix A.1. encoded as per + * X.690 */ int default_tag; /* The default character encoding used for the * given attribute type, e.g. * MBEDTLS_ASN1_UTF8_STRING for UTF-8. */ 
@@ -123,27 +126,99 @@ static const x509_attr_descriptor_t *x509_attr_descr_from_name(const char *name, return cur; } -static int x509_is_char_hex(char c) +static const x509_attr_descriptor_t *x509_attr_descr_from_numericoid(const char *numericoid, size_t numericoid_len) { - return ('0' <= c && c <= '9') || ('a' <= c && c <= 'f') || ('A' <= c && c <= 'F'); + const x509_attr_descriptor_t *cur; + mbedtls_asn1_buf *oid = mbedtls_calloc(1,sizeof(mbedtls_asn1_buf)); + int ret; + + ret = mbedtls_oid_from_numeric_string(oid, numericoid, numericoid_len); + if((ret == MBEDTLS_ERR_X509_ALLOC_FAILED) || (ret == MBEDTLS_ERR_ASN1_INVALID_DATA)) { + return NULL; + } + + for (cur = x509_attrs; cur->oid != NULL; cur++) { + if (sizeof(cur->oid) == oid->len && + strncmp(cur->oid, (const char*) oid->p, oid->len) == 0) { + break; + } + } + + mbedtls_free(oid->p); + if (cur->oid == NULL) { + return NULL; + } + + return cur; } -static int x509_hex_to_int(char c) +static int hex_to_int(char c) { - return ((c & 0x40) ? (c + 9) : c) & 0x0F; + return ('0' <= c && c <= '9') ? (c - '0') : + ('a' <= c && c <= 'f') ? (c - 'a' + 10) : + ('A' <= c && c <= 'F') ? 
(c - 'A' + 10) : -1; +} + +static int hexpair_to_int(char c1, char c2) +{ + int n1 = hex_to_int(c1); + int n2 = hex_to_int(c2); + if (n1 != -1 && n2 != -1) { + return (n1 << 4) | n2; + } else { + return -1; + } +} + +static int parse_attribute_value_string(const char *s, int len, char *data, int *data_len) { + const char *c = s; + const char *end = c + len; + int hexpair = 0; + char *d = data; + int n; + while(c < end) { + if (*c == '\\') { + c++; + + /* Check for valid escaped characters in RFC 4514 in Section 3*/ + if (c + 1 < end && (n = hexpair_to_int(*c, *(c+1))) != -1) { + hexpair = 1; + *(d++) = n; + c++; + } else if (c == end || !strchr(" ,=+<>#;\"\\+", *c)) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + } + if (!hexpair) { + *(d++) = *c; + } + if (d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + + hexpair = 0; + c++; + } + *data_len = d - data; + return 0; +} + +static int parse_attribute_value_ber_encoded(const char *s, int len, char *data, int *data_len) { + return 0; } int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name) { int ret = MBEDTLS_ERR_X509_INVALID_NAME; + int parse_ret = 0; const char *s = name, *c = s; const char *end = s + strlen(s); const char *oid = NULL; const x509_attr_descriptor_t *attr_descr = NULL; int in_tag = 1; - int hexpair = 0; + int numericoid = 0; char data[MBEDTLS_X509_MAX_DN_NAME_SIZE]; - char *d = data; + int data_len = 0; /* Clear existing chain if present */ mbedtls_asn1_free_named_data_list(head); 
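Review bot: `x509_attr_descr_from_numericoid` allocates its `mbedtls_asn1_buf` with `mbedtls_calloc` but never checks the result (a NULL would be passed straight to `mbedtls_oid_from_numeric_string`) and never frees the struct itself — only `oid->p`, and only on the path that reaches the loop — so every call leaks the struct, and the early `return NULL` leaks `oid->p` too if the callee allocated before failing (whether it does should be confirmed against that function's contract). `sizeof(cur->oid) == oid->len` compares the size of a `const char *` rather than the OID string, so no table entry can match unless the encoded OID happens to be pointer-sized; the reformatting hunk in PATCH 08 changes this to `strlen` but keeps the same allocation pattern. The buffer only has to live for this call, so a stack `mbedtls_asn1_buf` with one `mbedtls_free(oid.p)` on the way out removes both the leak and the unchecked allocation, and treating any non-zero `ret` as failure is safer than matching two specific error codes. Rewritten function below; `parse_attribute_value_string` and the `parse_attribute_value_ber_encoded` stub in this hunk are untouched.
```c
static const x509_attr_descriptor_t *x509_attr_descr_from_numericoid(const char *numericoid,
                                                                     size_t numericoid_len)
{
    const x509_attr_descriptor_t *cur;
    mbedtls_asn1_buf oid = { 0 };   /* stack object: only oid.p can leak */

    if (mbedtls_oid_from_numeric_string(&oid, numericoid, numericoid_len) != 0) {
        mbedtls_free(oid.p);        /* no-op if the callee left it NULL */
        return NULL;
    }

    for (cur = x509_attrs; cur->oid != NULL; cur++) {
        if (strlen(cur->oid) == oid.len &&
            strncmp(cur->oid, (const char *) oid.p, oid.len) == 0) {
            break;
        }
    }

    mbedtls_free(oid.p);
    return (cur->oid != NULL) ? cur : NULL;
}
```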
@@ -151,34 +226,35 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam while (c <= end) { if (in_tag && *c == '=') { if ((attr_descr = x509_attr_descr_from_name(s, c - s)) == NULL) { - ret = MBEDTLS_ERR_X509_UNKNOWN_OID; - goto exit; + if ((attr_descr = x509_attr_descr_from_numericoid(s, c - s)) == NULL) { + return MBEDTLS_ERR_X509_UNKNOWN_OID; + } else { + numericoid = 1; + } + } else { + numericoid = 0; } oid = attr_descr->oid; s = c + 1; in_tag = 0; - d = data; } - if (!in_tag && *c == '\\' && c != end) { - c++; - - /* Check for valid escaped characters in RFC 4514 in Section 3*/ - if (c + 1 < end && x509_is_char_hex(*c) && x509_is_char_hex(*(c+1))) { - hexpair = 1; - *(d++) = (x509_hex_to_int(*c) << 4) + x509_hex_to_int(*(c+1)); - c++; - } else if (c == end || !strchr(" ,=+<>#;\"\\+", *c)) { - ret = MBEDTLS_ERR_X509_INVALID_NAME; - goto exit; + if(!in_tag && ((*c == ',' && *(c-1) != '\\') || c == end)) { + if(!numericoid) { + if((parse_ret = parse_attribute_value_string(s, c - s, data, &data_len)) != 0) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + } + if(numericoid) { + if((parse_ret = parse_attribute_value_ber_encoded(s, c - s, data, &data_len)) != 0) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } } - } else if (!in_tag && (*c == ',' || c == end)) { mbedtls_asn1_named_data *cur = mbedtls_asn1_store_named_data(head, oid, strlen(oid), (unsigned char *) data, - d - data); - + data_len); if (cur == NULL) { return MBEDTLS_ERR_X509_ALLOC_FAILED; } @@ -196,22 +272,8 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam /* Successfully parsed one name, update ret to success */ ret = 0; } - - if (!hexpair && !in_tag && s != c + 1) { - *(d++) = *c; - - if (d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE) { - ret = MBEDTLS_ERR_X509_INVALID_NAME; - goto exit; - } - } - - hexpair = 0; c++; } - -exit: - return ret; } From b73778d8f9e191bc12b9674eef8cb484c777d68b Mon Sep 17 00:00:00 2001 
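Review bot: The new separator test `(*c == ',' && *(c-1) != '\\')` treats a comma that follows an escaped backslash (`\\\\,`) as part of the value, although `parse_attribute_value_string` accepts `\\\\` as the escape for a literal backslash; the RDN boundary is then missed and the next `type=value` is folded into the previous attribute's value. Skipping escape pairs during the scan instead of looking one character back avoids this: `if (!in_tag && *c == '\\' && c + 1 < end) { c += 2; continue; }` placed before the separator check (a hexpair `\\XX` is then consumed as `\\X` plus an ordinary `X`, which is harmless since neither can be a comma, and a lone trailing `\\` still reaches the value parser and is rejected there). `parse_ret` is assigned in both branches but never read, so it can be dropped or become the value returned on failure. mbedtls_x509_string_to_names continues outside the hunk on both sides.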
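Review bot: Removing the `exit:` label also removes the only `return ret;`, so as far as the hunk shows mbedtls_x509_string_to_names now falls off the end of a non-void function — undefined behaviour in C, and in practice a garbage status that callers will read as success or failure at random. `ret` is still initialised to `MBEDTLS_ERR_X509_INVALID_NAME` and set to 0 after each successfully parsed name, so the intended ending is simply `return ret;` after the closing brace of the `while` loop. Without it `ret` is also a set-but-never-read variable, which is the warning a compiler will raise first. The function body starts before this hunk.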
From: Agathiyan Bragadeesh Date: Wed, 26 Jul 2023 11:55:31 +0100 Subject: [PATCH 08/75] Implement parse_attribute_value_ber_encoded Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 54 ++++++++++++++++++++++++++++++------------- 1 file changed, 38 insertions(+), 16 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 8f27cba534..de3d33fe0f 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -126,20 +126,21 @@ static const x509_attr_descriptor_t *x509_attr_descr_from_name(const char *name, return cur; } -static const x509_attr_descriptor_t *x509_attr_descr_from_numericoid(const char *numericoid, size_t numericoid_len) +static const x509_attr_descriptor_t *x509_attr_descr_from_numericoid(const char *numericoid, + size_t numericoid_len) { const x509_attr_descriptor_t *cur; - mbedtls_asn1_buf *oid = mbedtls_calloc(1,sizeof(mbedtls_asn1_buf)); + mbedtls_asn1_buf *oid = mbedtls_calloc(1, sizeof(mbedtls_asn1_buf)); int ret; ret = mbedtls_oid_from_numeric_string(oid, numericoid, numericoid_len); - if((ret == MBEDTLS_ERR_X509_ALLOC_FAILED) || (ret == MBEDTLS_ERR_ASN1_INVALID_DATA)) { - return NULL; + if ((ret == MBEDTLS_ERR_X509_ALLOC_FAILED) || (ret == MBEDTLS_ERR_ASN1_INVALID_DATA)) { + return NULL; } for (cur = x509_attrs; cur->oid != NULL; cur++) { - if (sizeof(cur->oid) == oid->len && - strncmp(cur->oid, (const char*) oid->p, oid->len) == 0) { + if (strlen(cur->oid) == oid->len && + strncmp(cur->oid, (const char *) oid->p, oid->len) == 0) { break; } } @@ -170,13 +171,14 @@ static int hexpair_to_int(char c1, char c2) } } -static int parse_attribute_value_string(const char *s, int len, char *data, int *data_len) { +static int parse_attribute_value_string(const char *s, int len, char *data, int *data_len) +{ const char *c = s; const char *end = c + len; int hexpair = 0; char *d = data; int n; - while(c < end) { + while (c < end) { if (*c == '\\') { c++; 
@@ -203,7 +205,26 @@ static int parse_attribute_value_string(const char *s, int len, char *data, int return 0; } -static int parse_attribute_value_ber_encoded(const char *s, int len, char *data, int *data_len) { +static int parse_attribute_value_ber_encoded(const char *s, int len, char *data, int *data_len) +{ + const char *c = s; + const char *end = c + len; + char *d = data; + int tag, n; + if ((len < 5) || (*c != '#') || + ((tag = + hexpair_to_int(*(c+1), *(c+2))) == -1) || ((*data_len = hexpair_to_int(*(c+3), *(c+4))) == -1)) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + c += 5; + + while (c < end) { + if ((c + 1 >= end) || (n = hexpair_to_int(*c, *(c+1))) == -1) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + *(d++) = n; + c += 2; + } return 0; } @@ -240,15 +261,16 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam in_tag = 0; } - if(!in_tag && ((*c == ',' && *(c-1) != '\\') || c == end)) { - if(!numericoid) { - if((parse_ret = parse_attribute_value_string(s, c - s, data, &data_len)) != 0) { - return MBEDTLS_ERR_X509_INVALID_NAME; + if (!in_tag && ((*c == ',' && *(c-1) != '\\') || c == end)) { + if (!numericoid) { + if ((parse_ret = parse_attribute_value_string(s, c - s, data, &data_len)) != 0) { + return MBEDTLS_ERR_X509_INVALID_NAME; } } - if(numericoid) { - if((parse_ret = parse_attribute_value_ber_encoded(s, c - s, data, &data_len)) != 0) { - return MBEDTLS_ERR_X509_INVALID_NAME; + if (numericoid) { + if ((parse_ret = + parse_attribute_value_ber_encoded(s, c - s, data, &data_len)) != 0) { + return MBEDTLS_ERR_X509_INVALID_NAME; } } mbedtls_asn1_named_data *cur = From ef299d67355f15744f47e39e89649749bf73db38 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 26 Jul 2023 14:53:04 +0100 Subject: [PATCH 09/75] Add more tests for RFC 4514 
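Review bot: The decode loop in `parse_attribute_value_ber_encoded` writes `*(d++) = n;` for every hexpair up to `end` with no bound on `d`, while the caller passes its fixed stack array `char data[MBEDTLS_X509_MAX_DN_NAME_SIZE]`, so a `#...` value longer than that overruns the buffer; independently, `*data_len` is taken from the BER length octet rather than from the number of bytes actually decoded, so a declared length larger than the content makes the later `mbedtls_asn1_store_named_data` copy uninitialised stack beyond `d`. The loop should check `d - data` before each write and the function should reject a mismatch between the declared length and `d - data`; only a single short-form length octet is read here, so lengths of `0x80` and above are presumably out of scope and could be rejected explicitly — worth confirming against what the callers are expected to accept. `tag` is decoded but never used, which will draw a set-but-unused warning and means the encoded type is silently dropped. The rewritten tail is below; the `#`, tag and length-octet checks above `c += 5;` are unchanged.
```c
    /* … unchanged: '#', tag and length-octet checks … */
    c += 5;

    while (c < end) {
        if ((c + 1 >= end) || (n = hexpair_to_int(*c, *(c+1))) == -1) {
            return MBEDTLS_ERR_X509_INVALID_NAME;
        }
        /* data is the caller's MBEDTLS_X509_MAX_DN_NAME_SIZE buffer: stop before it is full */
        if (d - data >= MBEDTLS_X509_MAX_DN_NAME_SIZE) {
            return MBEDTLS_ERR_X509_INVALID_NAME;
        }
        *(d++) = n;
        c += 2;
    }
    /* The length octet parsed above must match the number of content octets decoded */
    if (d - data != *data_len) {
        return MBEDTLS_ERR_X509_INVALID_NAME;
    }
    return 0;
```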
Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509parse.data | 2 +- tests/suites/test_suite_x509write.data | 13 +++++++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index a2a43d3823..d47ac3c6b4 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -184,7 +184,7 @@ x509_cert_info:"data_files/parse_input/server3.crt":"cert. version \: 3\nser X509 CRT information Bitstring in subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=\\007101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n" +x509_cert_info:"data_files/parse_input/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=#030B0037313031303132323535\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n" X509 CRT information Non-ASCII string in issuer name and subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 0827f948c2..98017d6e72 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data 
@@ -202,11 +202,20 @@ mbedtls_x509_string_to_names:"C=NL, O=\\4F\\66\\66\\73\\70\\61\\72\\6B, OU=Polar X509 String to Names #12 (Escape ascii hexpairs lowercase encoded) mbedtls_x509_string_to_names:"C=NL, O=\\4f\\66\\66\\73\\70\\61\\72\\6b, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #13 (Escape non-ascii hexpairs) +X509 String to Names #13 (Invalid hexpair escape at end of string) +mbedtls_x509_string_to_names:"C=NL, O=\\4f\\66\\66\\73\\70\\61\\72\\6, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME + +X509 String to Names #14 (Escape non-ascii hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 -X509 String to Names #14 (Invalid hexpairs) +X509 String to Names #15 (Invalid hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\flspark, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME +X509 String to Names #16 (Accept numercoid/hexstring) +mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C084F6666737061726B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 + +X509 String to Names #17 (Accept numercoid/hexstring, output as bitstring) +mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#03084F6666737061726B, OU=PolarSSL":"C=NL, O=#03084F6666737061726B, OU=PolarSSL":0 + Check max serial length x509_set_serial_check: From ddc720d2090b8dc4a0ad5a2f778dbde1c9ada8f5 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 26 Jul 2023 15:51:49 +0100 Subject: [PATCH 10/75] Add mbedtls_x509_dn_gets hexstring output If the data is a bitstring or an octet string, instead use the hexstring of the BER encoding (RFC 4514 Section 2.4) Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 104 ++++++++++++++++++++++++++++++++++++------------- 1 file changed, 76 insertions(+), 28 deletions(-) diff --git a/library/x509.c b/library/x509.c index b36e27a274..5298693e42 100644 --- a/library/x509.c +++ b/library/x509.c 
@@ -43,6 +43,10 @@ #include "mbedtls/pem.h" #endif +#if defined(MBEDTLS_ASN1_WRITE_C) +#include "mbedtls/asn1write.h" +#endif + #include "mbedtls/platform.h" #if defined(MBEDTLS_HAVE_TIME) @@ -822,11 +826,16 @@ static char nibble_to_hex_digit(int i) int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t i, j, n; + size_t i, j, n, asn1_len_size; + unsigned char asn1_len_buf[5]; + int asn1_len_start; + unsigned char *asn1_len_p; unsigned char c, merge = 0; const mbedtls_x509_name *name; const char *short_name = NULL; + char numericoid[MBEDTLS_X509_MAX_DN_NAME_SIZE]; char s[MBEDTLS_X509_MAX_DN_NAME_SIZE], *p; + int is_numericoid = 0; memset(s, 0, sizeof(s)); 
@@ -845,43 +854,82 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) MBEDTLS_X509_SAFE_SNPRINTF; } - ret = mbedtls_oid_get_attr_short_name(&name->oid, &short_name); + is_numericoid = (name->val.tag == MBEDTLS_ASN1_BIT_STRING) || (name->val.tag == MBEDTLS_ASN1_OCTET_STRING); - if (ret == 0) { - ret = mbedtls_snprintf(p, n, "%s=", short_name); - } else { - ret = mbedtls_snprintf(p, n, "\?\?="); + if(is_numericoid) { + ret = mbedtls_oid_get_numeric_string(numericoid,MBEDTLS_X509_MAX_DN_NAME_SIZE,&name->oid); + if (ret > 0) { + ret = mbedtls_snprintf(p, n, "%s=", numericoid); + } else { + ret = mbedtls_snprintf(p, n, "\?\?="); + } + MBEDTLS_X509_SAFE_SNPRINTF; } - MBEDTLS_X509_SAFE_SNPRINTF; - - for (i = 0, j = 0; i < name->val.len; i++, j++) { - if (j >= sizeof(s) - 1) { - return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + else { + ret = mbedtls_oid_get_attr_short_name(&name->oid, &short_name); + if (ret == 0) { + ret = mbedtls_snprintf(p, n, "%s=", short_name); + } else { + ret = mbedtls_snprintf(p, n, "\?\?="); } + MBEDTLS_X509_SAFE_SNPRINTF; + } - c = name->val.p[i]; - // Special characters requiring escaping, RFC 4514 Section 2.4 - if (c) { - if (strchr(",=+<>;\"\\+", c) || - ((i == 0) && strchr("# ", c)) || - ((i == name->val.len-1) && (c == ' '))) { - if (j + 1 >= sizeof(s) - 1) { - return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; - } - s[j++] = '\\'; - } - } - if (c < 32 || c >= 127) { - if (j + 3 >= sizeof(s) - 1) { + if(is_numericoid) { + s[0] = '#'; + c = name->val.tag; + char lowbits = (c & 0x0F); + char highbits = c>>4; + s[1] = nibble_to_hex_digit(highbits); + s[2] = nibble_to_hex_digit(lowbits); + asn1_len_p = asn1_len_buf+5; + asn1_len_size = mbedtls_asn1_write_len(&asn1_len_p,asn1_len_buf,name->val.len); + asn1_len_start = 5 - asn1_len_size; + for (i = 0, j = 3; i < asn1_len_size + name->val.len; i++, j++) { + if (j + 1 >= sizeof(s) - 1) { return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } - s[j++] = '\\'; + if(i < asn1_len_size) { + c = 
asn1_len_buf[asn1_len_start+i]; + } + else { + c = name->val.p[i-asn1_len_size]; + } char lowbits = (c & 0x0F); char highbits = c>>4; s[j++] = nibble_to_hex_digit(highbits); s[j] = nibble_to_hex_digit(lowbits); - } else { - s[j] = c; + } + } else { + for (i = 0, j = 0; i < name->val.len; i++, j++) { + if (j >= sizeof(s) - 1) { + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + + c = name->val.p[i]; + // Special characters requiring escaping, RFC 4514 Section 2.4 + if (c) { + if (strchr(",=+<>;\"\\+", c) || + ((i == 0) && strchr("# ", c)) || + ((i == name->val.len-1) && (c == ' '))) { + if (j + 1 >= sizeof(s) - 1) { + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + s[j++] = '\\'; + } + } + if (c < 32 || c >= 127) { + if (j + 3 >= sizeof(s) - 1) { + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + s[j++] = '\\'; + char lowbits = (c & 0x0F); + char highbits = c>>4; + s[j++] = nibble_to_hex_digit(highbits); + s[j] = nibble_to_hex_digit(lowbits); + } else { + s[j] = c; + } } } s[j] = '\0'; From 6cbfae591ace476615344abf08a710de6a5224c0 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 27 Jul 2023 14:34:11 +0100 Subject: [PATCH 11/75] Parse DER tag mbedtls_x509_string_to_names Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 64 +++++++++++++++++++++++++++++-------------- 1 file changed, 43 insertions(+), 21 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index de3d33fe0f..b2b6bcddaa 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -30,6 +30,10 @@ #include "mbedtls/platform.h" +#if defined(MBEDTLS_ASN1_PARSE_C) +#include "mbedtls/asn1.h" +#endif + /* Structure linking OIDs for X.509 DN AttributeTypes to their * string representations and default string encodings used by Mbed TLS. */ typedef struct { 
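Review bot: `asn1_len_size = mbedtls_asn1_write_len(&asn1_len_p, asn1_len_buf, name->val.len);` stores an int result that is negative on failure into a size_t without checking it, so an encoder error would become a huge count, `asn1_len_start = 5 - asn1_len_size` would wrap, and the loop that follows would read outside `asn1_len_buf`. Capture the result first: `ret = mbedtls_asn1_write_len(&asn1_len_p, asn1_len_buf, name->val.len); if (ret < 0) { return ret; } asn1_len_size = (size_t) ret;`. A 5-byte buffer presumably holds any length the writer accepts today, so the error path may currently be unreachable, but the unchecked signed-to-unsigned conversion is fragile if either side changes. The body of mbedtls_x509_dn_gets starts and ends outside this hunk.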
@@ -171,12 +175,12 @@ static int hexpair_to_int(char c1, char c2) } } -static int parse_attribute_value_string(const char *s, int len, char *data, int *data_len) +static int parse_attribute_value_string(const char *s, int len, unsigned char *data, size_t *data_len) { const char *c = s; const char *end = c + len; int hexpair = 0; - char *d = data; + unsigned char *d = data; int n; while (c < end) { if (*c == '\\') { @@ -205,26 +209,42 @@ static int parse_attribute_value_string(const char *s, int len, char *data, int return 0; } -static int parse_attribute_value_ber_encoded(const char *s, int len, char *data, int *data_len) +static int parse_attribute_value_ber_encoded(const char *s, int len, unsigned char *data, size_t *data_len, int *tag) { const char *c = s; const char *end = c + len; - char *d = data; - int tag, n; - if ((len < 5) || (*c != '#') || - ((tag = - hexpair_to_int(*(c+1), *(c+2))) == -1) || ((*data_len = hexpair_to_int(*(c+3), *(c+4))) == -1)) { - return MBEDTLS_ERR_X509_INVALID_NAME; - } - c += 5; - - while (c < end) { + unsigned char asn1_der_buf[256]; + unsigned char *asn1_der_end; + unsigned char *p; + unsigned char *d; + int n; + /* Converting from hexstring to raw binary so we can use asn1parse.c*/ + if ((len < 5) || (*c != '#')) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + c++; + if((*tag = hexpair_to_int(*c, *(c+1))) == -1) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + c += 2; + p = asn1_der_buf; + for (p = asn1_der_buf; c < end; c += 2) { if ((c + 1 >= end) || (n = hexpair_to_int(*c, *(c+1))) == -1) { return MBEDTLS_ERR_X509_INVALID_NAME; } - *(d++) = n; - c += 2; + *(p++) = n; } + asn1_der_end = p; + + p = asn1_der_buf; + if(mbedtls_asn1_get_len(&p, asn1_der_end, data_len) != 0) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + + for (d = data; p < asn1_der_end; p++) { + *(d++) = *p; + } + return 0; } 
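Review bot: The hexpair decoding loop `for (p = asn1_der_buf; c < end; c += 2)` writes into the fixed 256-byte `asn1_der_buf` without comparing `p` against its size, while `len` is the span of a caller-supplied name string and is not bounded anywhere visible here, so an over-long `#...` value overruns the stack buffer. Guard the store with `if (p >= asn1_der_buf + sizeof(asn1_der_buf)) { return MBEDTLS_ERR_X509_INVALID_NAME; }` before `*(p++) = n;`. The same unguarded loop survives the reformat in the PATCH 14 hunk `@@ -210,41 +213,45 @@` and the buffer resize in the PATCH 24 hunk `@@ -224,10 +224,10 @@`, so the check belongs there as well. Separately, the value decoded into `*tag` is accepted for any byte 0..255; if only string and bit/octet-string tags are meaningful for a DN attribute, restricting it here would keep unexpected tags out of the produced `mbedtls_asn1_named_data`.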
@@ -237,9 +257,10 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam const char *oid = NULL; const x509_attr_descriptor_t *attr_descr = NULL; int in_tag = 1; + int tag; int numericoid = 0; - char data[MBEDTLS_X509_MAX_DN_NAME_SIZE]; - int data_len = 0; + unsigned char data[MBEDTLS_X509_MAX_DN_NAME_SIZE]; + size_t data_len = 0; /* Clear existing chain if present */ mbedtls_asn1_free_named_data_list(head); @@ -264,13 +285,14 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (!in_tag && ((*c == ',' && *(c-1) != '\\') || c == end)) { if (!numericoid) { if ((parse_ret = parse_attribute_value_string(s, c - s, data, &data_len)) != 0) { - return MBEDTLS_ERR_X509_INVALID_NAME; + return parse_ret; } + tag = attr_descr->default_tag; } if (numericoid) { if ((parse_ret = - parse_attribute_value_ber_encoded(s, c - s, data, &data_len)) != 0) { - return MBEDTLS_ERR_X509_INVALID_NAME; + parse_attribute_value_ber_encoded(s, c - s, data, &data_len, &tag)) != 0) { + return parse_ret; } } mbedtls_asn1_named_data *cur = @@ -282,7 +304,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam } // set tagType - cur->val.tag = attr_descr->default_tag; + cur->val.tag = tag; while (c < end && *(c + 1) == ' ') { c++; From 0eb6673a8083223bd25e55f3ce10c844a7d0ecc6 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 31 Jul 2023 16:10:07 +0100 Subject: [PATCH 12/75] Add preprocessor config guards Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 6 ++++++ library/x509_create.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/library/x509.c b/library/x509.c index 5298693e42..87f48207fd 100644 --- a/library/x509.c +++ b/library/x509.c 
@@ -876,12 +876,15 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) } if(is_numericoid) { + #if defined(MBEDTLS_ASN1_WRITE_C) s[0] = '#'; + c = name->val.tag; char lowbits = (c & 0x0F); char highbits = c>>4; s[1] = nibble_to_hex_digit(highbits); s[2] = nibble_to_hex_digit(lowbits); + asn1_len_p = asn1_len_buf+5; asn1_len_size = mbedtls_asn1_write_len(&asn1_len_p,asn1_len_buf,name->val.len); asn1_len_start = 5 - asn1_len_size; @@ -900,6 +903,9 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) s[j++] = nibble_to_hex_digit(highbits); s[j] = nibble_to_hex_digit(lowbits); } + #else + return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; + #endif } else { for (i = 0, j = 0; i < name->val.len; i++, j++) { if (j >= sizeof(s) - 1) { diff --git a/library/x509_create.c b/library/x509_create.c index b2b6bcddaa..59f1905e18 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -209,6 +209,7 @@ static int parse_attribute_value_string(const char *s, int len, unsigned char *d return 0; } +#if defined(MBEDTLS_ASN1_PARSE_C) static int parse_attribute_value_ber_encoded(const char *s, int len, unsigned char *data, size_t *data_len, int *tag) { const char *c = s; @@ -247,6 +248,7 @@ static int parse_attribute_value_ber_encoded(const char *s, int len, unsigned ch return 0; } +#endif int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name) { @@ -290,10 +292,14 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam tag = attr_descr->default_tag; } if (numericoid) { + #if defined(MBEDTLS_ASN1_PARSE_C) if ((parse_ret = parse_attribute_value_ber_encoded(s, c - s, data, &data_len, &tag)) != 0) { return parse_ret; } + #else + return MBEDTLS_ERR_X509_INVALID_NAME; + #endif } mbedtls_asn1_named_data *cur = mbedtls_asn1_store_named_data(head, oid, strlen(oid), From c9d74f3109633c891d8c1691117cf894a423268d Mon Sep 17 00:00:00 2001 
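Review bot: The two new `#else` branches return different error codes for the same condition: x509.c returns `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE` when `MBEDTLS_ASN1_WRITE_C` is compiled out, while the x509_create.c hunk `@@ -290,10 +292,14 @@` returns `MBEDTLS_ERR_X509_INVALID_NAME` when `MBEDTLS_ASN1_PARSE_C` is compiled out, which misreports a well-formed numeric-OID value as malformed input. Use `return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;` in both places so callers can tell a missing feature from bad input. Placing the guard inside the `if (is_numericoid)` body also leaves `asn1_len_size`, `asn1_len_buf`, `asn1_len_p` and `asn1_len_start`, declared at the top of mbedtls_x509_dn_gets, unused in a build without `MBEDTLS_ASN1_WRITE_C`, which will likely trip -Wunused-variable; wrapping those declarations in the same guard avoids that. The enclosing functions start and end outside these hunks.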
From: Agathiyan Bragadeesh Date: Mon, 31 Jul 2023 17:25:44 +0100 Subject: [PATCH 13/75] Refactor AttributeType in mbedtls_x509_dn_gets Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/library/x509.c b/library/x509.c index 87f48207fd..c5eca2a78e 100644 --- a/library/x509.c +++ b/library/x509.c @@ -833,9 +833,9 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) unsigned char c, merge = 0; const mbedtls_x509_name *name; const char *short_name = NULL; - char numericoid[MBEDTLS_X509_MAX_DN_NAME_SIZE]; + char numericoid[256]; char s[MBEDTLS_X509_MAX_DN_NAME_SIZE], *p; - int is_numericoid = 0; + int print_hexstring; memset(s, 0, sizeof(s)); @@ -854,28 +854,21 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) MBEDTLS_X509_SAFE_SNPRINTF; } - is_numericoid = (name->val.tag == MBEDTLS_ASN1_BIT_STRING) || (name->val.tag == MBEDTLS_ASN1_OCTET_STRING); + print_hexstring = (name->val.tag == MBEDTLS_ASN1_BIT_STRING) || (name->val.tag == MBEDTLS_ASN1_OCTET_STRING); - if(is_numericoid) { - ret = mbedtls_oid_get_numeric_string(numericoid,MBEDTLS_X509_MAX_DN_NAME_SIZE,&name->oid); - if (ret > 0) { + if ((ret = mbedtls_oid_get_attr_short_name(&name->oid, &short_name)) == 0) { + ret = mbedtls_snprintf(p, n, "%s=", short_name); + } else { + if ((ret = mbedtls_oid_get_numeric_string(numericoid,256,&name->oid)) > 0) { ret = mbedtls_snprintf(p, n, "%s=", numericoid); + print_hexstring = 1; } else { ret = mbedtls_snprintf(p, n, "\?\?="); } - MBEDTLS_X509_SAFE_SNPRINTF; - } - else { - ret = mbedtls_oid_get_attr_short_name(&name->oid, &short_name); - if (ret == 0) { - ret = mbedtls_snprintf(p, n, "%s=", short_name); - } else { - ret = mbedtls_snprintf(p, n, "\?\?="); - } - MBEDTLS_X509_SAFE_SNPRINTF; } + MBEDTLS_X509_SAFE_SNPRINTF; - if(is_numericoid) { + if(print_hexstring) { #if defined(MBEDTLS_ASN1_WRITE_C) s[0] = '#'; 
From 4987c8fcb0514b5c053be595c3d02408baa73f66 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 1 Aug 2023 11:10:52 +0100 Subject: [PATCH 14/75] Fix code style on x509.c and x509_create.c Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 14 +++++----- library/x509_create.c | 59 ++++++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 33 deletions(-) diff --git a/library/x509.c b/library/x509.c index c5eca2a78e..82b5af3aad 100644 --- a/library/x509.c +++ b/library/x509.c @@ -854,12 +854,13 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) MBEDTLS_X509_SAFE_SNPRINTF; } - print_hexstring = (name->val.tag == MBEDTLS_ASN1_BIT_STRING) || (name->val.tag == MBEDTLS_ASN1_OCTET_STRING); + print_hexstring = (name->val.tag == MBEDTLS_ASN1_BIT_STRING) || + (name->val.tag == MBEDTLS_ASN1_OCTET_STRING); if ((ret = mbedtls_oid_get_attr_short_name(&name->oid, &short_name)) == 0) { ret = mbedtls_snprintf(p, n, "%s=", short_name); } else { - if ((ret = mbedtls_oid_get_numeric_string(numericoid,256,&name->oid)) > 0) { + if ((ret = mbedtls_oid_get_numeric_string(numericoid, 256, &name->oid)) > 0) { ret = mbedtls_snprintf(p, n, "%s=", numericoid); print_hexstring = 1; } else { @@ -868,7 +869,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) } MBEDTLS_X509_SAFE_SNPRINTF; - if(print_hexstring) { + if (print_hexstring) { #if defined(MBEDTLS_ASN1_WRITE_C) s[0] = '#'; 
@@ -879,16 +880,15 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) s[2] = nibble_to_hex_digit(lowbits); asn1_len_p = asn1_len_buf+5; - asn1_len_size = mbedtls_asn1_write_len(&asn1_len_p,asn1_len_buf,name->val.len); + asn1_len_size = mbedtls_asn1_write_len(&asn1_len_p, asn1_len_buf, name->val.len); asn1_len_start = 5 - asn1_len_size; for (i = 0, j = 3; i < asn1_len_size + name->val.len; i++, j++) { if (j + 1 >= sizeof(s) - 1) { return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } - if(i < asn1_len_size) { + if (i < asn1_len_size) { c = asn1_len_buf[asn1_len_start+i]; - } - else { + } else { c = name->val.p[i-asn1_len_size]; } char lowbits = (c & 0x0F); diff --git a/library/x509_create.c b/library/x509_create.c index 59f1905e18..80beff2dfe 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -175,7 +175,10 @@ static int hexpair_to_int(char c1, char c2) } } -static int parse_attribute_value_string(const char *s, int len, unsigned char *data, size_t *data_len) +static int parse_attribute_value_string(const char *s, + int len, + unsigned char *data, + size_t *data_len) { const char *c = s; const char *end = c + len; 
@@ -210,41 +213,45 @@ static int parse_attribute_value_string(const char *s, int len, unsigned char *d } #if defined(MBEDTLS_ASN1_PARSE_C) -static int parse_attribute_value_ber_encoded(const char *s, int len, unsigned char *data, size_t *data_len, int *tag) +static int parse_attribute_value_ber_encoded(const char *s, + int len, + unsigned char *data, + size_t *data_len, + int *tag) { const char *c = s; const char *end = c + len; unsigned char asn1_der_buf[256]; - unsigned char *asn1_der_end; - unsigned char *p; + unsigned char *asn1_der_end; + unsigned char *p; unsigned char *d; int n; - /* Converting from hexstring to raw binary so we can use asn1parse.c*/ - if ((len < 5) || (*c != '#')) { - return MBEDTLS_ERR_X509_INVALID_NAME; - } - c++; - if((*tag = hexpair_to_int(*c, *(c+1))) == -1) { - return MBEDTLS_ERR_X509_INVALID_NAME; - } - c += 2; - p = asn1_der_buf; + /* Converting from hexstring to raw binary so we can use asn1parse.c*/ + if ((len < 5) || (*c != '#')) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + c++; + if ((*tag = hexpair_to_int(*c, *(c+1))) == -1) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + c += 2; + p = asn1_der_buf; for (p = asn1_der_buf; c < end; c += 2) { if ((c + 1 >= end) || (n = hexpair_to_int(*c, *(c+1))) == -1) { return MBEDTLS_ERR_X509_INVALID_NAME; } *(p++) = n; } - asn1_der_end = p; + asn1_der_end = p; - p = asn1_der_buf; - if(mbedtls_asn1_get_len(&p, asn1_der_end, data_len) != 0) { - return MBEDTLS_ERR_X509_INVALID_NAME; - } + p = asn1_der_buf; + if (mbedtls_asn1_get_len(&p, asn1_der_end, data_len) != 0) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } - for (d = data; p < asn1_der_end; p++) { - *(d++) = *p; - } + for (d = data; p < asn1_der_end; p++) { + *(d++) = *p; + } return 0; } 
@@ -292,14 +299,14 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam tag = attr_descr->default_tag; } if (numericoid) { - #if defined(MBEDTLS_ASN1_PARSE_C) + #if defined(MBEDTLS_ASN1_PARSE_C) if ((parse_ret = parse_attribute_value_ber_encoded(s, c - s, data, &data_len, &tag)) != 0) { return parse_ret; } - #else - return MBEDTLS_ERR_X509_INVALID_NAME; - #endif + #else + return MBEDTLS_ERR_X509_INVALID_NAME; + #endif } mbedtls_asn1_named_data *cur = mbedtls_asn1_store_named_data(head, oid, strlen(oid), From 47cc76f0705ef1fac821c7dccc8f59c74c621c91 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 2 Aug 2023 14:12:44 +0100 Subject: [PATCH 15/75] Update x509 test for numericoid/hexstring output Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509parse.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index d47ac3c6b4..b154db924f 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -2381,7 +2381,7 @@ x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d01010b05003 X509 CRT ASN1 (Name with composite RDN) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509parse_crt:"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":"cert. version \: 3\nserial number \: 4C\:20\:E3\:BD\nissuer name \: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=Frankencert CA\nsubject name \: C=US, ST=Washington, ??=US, ??=Delaware, O=Authorize.Net LLC, ??=Private Organization, serialNumber=4369191 + CN=www.authorize.net, L=San Francisco\nissued on \: 2013-08-02 15\:14\:37\nexpires on \: 2015-08-17 05\:54\:31\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\n":0 +x509parse_crt:"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":"cert. version \: 3\nserial number \: 4C\:20\:E3\:BD\nissuer name \: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=Frankencert CA\nsubject name \: C=US, ST=Washington, 1.3.6.1.4.1.311.60.2.1.3=#13025553, 1.3.6.1.4.1.311.60.2.1.2=#130844656C6177617265, O=Authorize.Net LLC, 2.5.4.15=#131450726976617465204F7267616E697A6174696F6E, serialNumber=4369191 + CN=www.authorize.net, L=San Francisco\nissued on \: 2013-08-02 15\:14\:37\nexpires on \: 2015-08-17 05\:54\:31\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\n":0 X509 CRT ASN1 (Name with PKCS9 email) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 From 0a4b6d88d0367b5cd24171285810f42cfa5bb87c Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 2 Aug 2023 15:05:57 +0100 Subject: [PATCH 16/75] Alter conditions on hexstring output dn_gets Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/x509.c b/library/x509.c index 82b5af3aad..ee1dc704ea 100644 --- a/library/x509.c +++ b/library/x509.c 
@@ -854,8 +854,9 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) MBEDTLS_X509_SAFE_SNPRINTF; } - print_hexstring = (name->val.tag == MBEDTLS_ASN1_BIT_STRING) || - (name->val.tag == MBEDTLS_ASN1_OCTET_STRING); + print_hexstring = (name->val.tag != MBEDTLS_ASN1_UTF8_STRING) && + (name->val.tag != MBEDTLS_ASN1_PRINTABLE_STRING) && + (name->val.tag != MBEDTLS_ASN1_IA5_STRING); if ((ret = mbedtls_oid_get_attr_short_name(&name->oid, &short_name)) == 0) { ret = mbedtls_snprintf(p, n, "%s=", short_name); From a1f5c2d06fa15daf89d26934d4813db2b6c613a2 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 2 Aug 2023 17:08:52 +0100 Subject: [PATCH 17/75] Move declaration of variables in dn_gets to top Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/library/x509.c b/library/x509.c index ee1dc704ea..f3f3c87730 100644 --- a/library/x509.c +++ b/library/x509.c @@ -833,6 +833,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) unsigned char c, merge = 0; const mbedtls_x509_name *name; const char *short_name = NULL; + char lowbits, highbits; char numericoid[256]; char s[MBEDTLS_X509_MAX_DN_NAME_SIZE], *p; int print_hexstring; @@ -875,8 +876,8 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) s[0] = '#'; c = name->val.tag; - char lowbits = (c & 0x0F); - char highbits = c>>4; + lowbits = (c & 0x0F); + highbits = c>>4; s[1] = nibble_to_hex_digit(highbits); s[2] = nibble_to_hex_digit(lowbits); @@ -892,8 +893,8 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) } else { c = name->val.p[i-asn1_len_size]; } - char lowbits = (c & 0x0F); - char highbits = c>>4; + lowbits = (c & 0x0F); + highbits = c>>4; s[j++] = nibble_to_hex_digit(highbits); s[j] = nibble_to_hex_digit(lowbits); } 
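Review bot: The new `print_hexstring` condition switches every value whose tag is not UTF8String, PrintableString or IA5String to the `#`-hexstring form, which now covers BMPString, UniversalString, T61String and NumericString values that the previous condition (only BIT STRING and OCTET STRING) rendered as text; those DirectoryString choices do have an LDAP string encoding, and RFC 4514 Section 2.4 appears to reserve the hexstring form for dotted-decimal attribute types or syntaxes without one. If the widening is intended it changes the output of `mbedtls_x509_dn_gets` for existing certificates and should be covered by a test and a ChangeLog entry; otherwise enumerating the non-text tags explicitly would be the narrower change. Either way a comment above the assignment, e.g. `/* Values with no text rendering are emitted as '#' + hex of their BER encoding (RFC 4514 Section 2.4) */`, would record the intent. The function body starts and ends outside this hunk.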
@@ -923,8 +924,8 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } s[j++] = '\\'; - char lowbits = (c & 0x0F); - char highbits = c>>4; + lowbits = (c & 0x0F); + highbits = c>>4; s[j++] = nibble_to_hex_digit(highbits); s[j] = nibble_to_hex_digit(lowbits); } else { From f818e01edbff211227fa6aafa3e87db0f82a564c Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 3 Aug 2023 14:37:50 +0100 Subject: [PATCH 18/75] FIx memory leak in x509_attr_descr_from_numericoid; Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/x509_create.c b/library/x509_create.c index 80beff2dfe..8ce3584aee 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -150,6 +150,7 @@ static const x509_attr_descriptor_t *x509_attr_descr_from_numericoid(const char } mbedtls_free(oid->p); + mbedtls_free(oid); if (cur->oid == NULL) { return NULL; } From 39ba121d3a73d8987e6d5010fd9aab5967aac907 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 3 Aug 2023 16:00:15 +0100 Subject: [PATCH 19/75] Fix memory leak in alternative code route If no oid is found, and x509_attr_descr_from_numericoid returns NULL, previously the memory allocated for the oid wasn't freed. Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/x509_create.c b/library/x509_create.c index 8ce3584aee..dd47748ece 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -139,6 +139,8 @@ static const x509_attr_descriptor_t *x509_attr_descr_from_numericoid(const char ret = mbedtls_oid_from_numeric_string(oid, numericoid, numericoid_len); if ((ret == MBEDTLS_ERR_X509_ALLOC_FAILED) || (ret == MBEDTLS_ERR_ASN1_INVALID_DATA)) { + mbedtls_free(oid->p); + mbedtls_free(oid); return NULL; } From 7f639fc7ab054d13d672d13b12102d089772577c Mon Sep 17 00:00:00 2001 
From: Agathiyan Bragadeesh Date: Fri, 4 Aug 2023 14:57:36 +0100 Subject: [PATCH 20/75] Fix Windows x64 build errors with type conversions Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 3 +-- library/x509_create.c | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/library/x509.c b/library/x509.c index f3f3c87730..8145fb815d 100644 --- a/library/x509.c +++ b/library/x509.c @@ -826,9 +826,8 @@ static char nibble_to_hex_digit(int i) int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t i, j, n, asn1_len_size; + size_t i, j, n, asn1_len_size, asn1_len_start; unsigned char asn1_len_buf[5]; - int asn1_len_start; unsigned char *asn1_len_p; unsigned char c, merge = 0; const mbedtls_x509_name *name; diff --git a/library/x509_create.c b/library/x509_create.c index dd47748ece..6d11529f9a 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -296,7 +296,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (!in_tag && ((*c == ',' && *(c-1) != '\\') || c == end)) { if (!numericoid) { - if ((parse_ret = parse_attribute_value_string(s, c - s, data, &data_len)) != 0) { + if ((parse_ret = parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { return parse_ret; } tag = attr_descr->default_tag; @@ -304,7 +304,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (numericoid) { #if defined(MBEDTLS_ASN1_PARSE_C) if ((parse_ret = - parse_attribute_value_ber_encoded(s, c - s, data, &data_len, &tag)) != 0) { + parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, &tag)) != 0) { return parse_ret; } #else From 97178f231facf559991b6667a7ead953eb21e35e Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 7 Aug 2023 12:19:43 +0100 Subject: [PATCH 21/75] Fix code style in mbedtls_x509_string_to_names 
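Review bot: The `(int) (c - s)` casts added in both x509_create.c hunks (`@@ -296,7 +296,7 @@` and `@@ -304,7 +304,7 @@`) narrow a ptrdiff_t to silence the Windows warning rather than fix the signedness mismatch; since both helpers only ever receive a non-negative span of the input string, changing their `int len` parameter to `size_t len` (and the `(len < 5)` comparison accordingly) removes the casts and the theoretical truncation for very long names. The enclosing function and the helpers' signatures are outside these hunks.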
Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 6d11529f9a..b82c9973d5 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -296,7 +296,8 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (!in_tag && ((*c == ',' && *(c-1) != '\\') || c == end)) { if (!numericoid) { - if ((parse_ret = parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { + if ((parse_ret = + parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { return parse_ret; } tag = attr_descr->default_tag; @@ -304,7 +305,8 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (numericoid) { #if defined(MBEDTLS_ASN1_PARSE_C) if ((parse_ret = - parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, &tag)) != 0) { + parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, + &tag)) != 0) { return parse_ret; } #else From ed88eefe8e72844671ddd608254480e1516730a8 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 10 Aug 2023 13:51:38 +0100 Subject: [PATCH 22/75] Rename in_tag to in_attr_type Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index b82c9973d5..2c91e784d3 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -268,7 +268,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam const char *end = s + strlen(s); const char *oid = NULL; const x509_attr_descriptor_t *attr_descr = NULL; - int in_tag = 1; + int in_attr_type = 1; int tag; int numericoid = 0; unsigned char data[MBEDTLS_X509_MAX_DN_NAME_SIZE]; 
@@ -278,7 +278,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam mbedtls_asn1_free_named_data_list(head); while (c <= end) { - if (in_tag && *c == '=') { + if (in_attr_type && *c == '=') { if ((attr_descr = x509_attr_descr_from_name(s, c - s)) == NULL) { if ((attr_descr = x509_attr_descr_from_numericoid(s, c - s)) == NULL) { return MBEDTLS_ERR_X509_UNKNOWN_OID; @@ -291,10 +291,10 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam oid = attr_descr->oid; s = c + 1; - in_tag = 0; + in_attr_type = 0; } - if (!in_tag && ((*c == ',' && *(c-1) != '\\') || c == end)) { + if (!in_attr_type && ((*c == ',' && *(c-1) != '\\') || c == end)) { if (!numericoid) { if ((parse_ret = parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { @@ -329,7 +329,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam } s = c + 1; - in_tag = 1; + in_attr_type = 1; /* Successfully parsed one name, update ret to success */ ret = 0; From ee642d93a8d97876ff5fd1b31efb2b37fca07cfc Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 10 Aug 2023 14:08:27 +0100 Subject: [PATCH 23/75] Format preprocessor conditionals Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 6 +++--- library/x509_create.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/x509.c b/library/x509.c index 8145fb815d..85aaf06e9f 100644 --- a/library/x509.c +++ b/library/x509.c @@ -871,7 +871,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) MBEDTLS_X509_SAFE_SNPRINTF; if (print_hexstring) { - #if defined(MBEDTLS_ASN1_WRITE_C) +#if defined(MBEDTLS_ASN1_WRITE_C) s[0] = '#'; c = name->val.tag; 
@@ -897,9 +897,9 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) s[j++] = nibble_to_hex_digit(highbits); s[j] = nibble_to_hex_digit(lowbits); } - #else +#else return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; - #endif +#endif } else { for (i = 0, j = 0; i < name->val.len; i++, j++) { if (j >= sizeof(s) - 1) { diff --git a/library/x509_create.c b/library/x509_create.c index 2c91e784d3..e673be6d06 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -303,15 +303,15 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam tag = attr_descr->default_tag; } if (numericoid) { - #if defined(MBEDTLS_ASN1_PARSE_C) +#if defined(MBEDTLS_ASN1_PARSE_C) if ((parse_ret = parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, &tag)) != 0) { return parse_ret; } - #else +#else return MBEDTLS_ERR_X509_INVALID_NAME; - #endif +#endif } mbedtls_asn1_named_data *cur = mbedtls_asn1_store_named_data(head, oid, strlen(oid), From e18a1789fd80f4c0501e57a91c282cf6db024e07 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 10 Aug 2023 14:12:28 +0100 Subject: [PATCH 24/75] Use MBEDTLS_X509_MAX_DN_NAME_SIZE for buffer size Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index e673be6d06..a666e2d22f 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -224,10 +224,10 @@ static int parse_attribute_value_ber_encoded(const char *s, { const char *c = s; const char *end = c + len; - unsigned char asn1_der_buf[256]; + unsigned char asn1_der_buf[MBEDTLS_X509_MAX_DN_NAME_SIZE]; unsigned char *asn1_der_end; unsigned char *p; - unsigned char *d; + unsigned char *d = data; int n; /* Converting from hexstring to raw binary so we can use asn1parse.c*/ if ((len < 5) || (*c != '#')) { 
@@ -252,8 +252,8 @@ static int parse_attribute_value_ber_encoded(const char *s, return MBEDTLS_ERR_X509_INVALID_NAME; } - for (d = data; p < asn1_der_end; p++) { - *(d++) = *p; + while (p < asn1_der_end) { + *(d++) = *(p++); } return 0; From 2bf09a61a34e0ef50f77845300f149323cc52db8 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 10 Aug 2023 14:37:00 +0100 Subject: [PATCH 25/75] Fix style on left shift operations Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/x509.c b/library/x509.c index 85aaf06e9f..f44860bfef 100644 --- a/library/x509.c +++ b/library/x509.c @@ -876,7 +876,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) c = name->val.tag; lowbits = (c & 0x0F); - highbits = c>>4; + highbits = c >> 4; s[1] = nibble_to_hex_digit(highbits); s[2] = nibble_to_hex_digit(lowbits); @@ -893,7 +893,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) c = name->val.p[i-asn1_len_size]; } lowbits = (c & 0x0F); - highbits = c>>4; + highbits = c >> 4; s[j++] = nibble_to_hex_digit(highbits); s[j] = nibble_to_hex_digit(lowbits); } @@ -924,7 +924,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) } s[j++] = '\\'; lowbits = (c & 0x0F); - highbits = c>>4; + highbits = c >> 4; s[j++] = nibble_to_hex_digit(highbits); s[j] = nibble_to_hex_digit(lowbits); } else { From 5adffb24882e69c8950963b5a27f7a5df884361e Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 10 Aug 2023 15:50:57 +0100 Subject: [PATCH 26/75] Refactor dn_gets use library function to write tag Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/library/x509.c b/library/x509.c index f44860bfef..e2bb2fd9ca 100644 --- a/library/x509.c +++ b/library/x509.c 
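Review bot: the rewritten loop is a plain byte copy between non-overlapping buffers, which `memcpy(d, p, (size_t) (asn1_der_end - p));` expresses directly and without the two post-increments in one statement. The destination capacity is still not checked anywhere visible (see the note on `@@ -224,10`), so the copy is only as safe as the bound the caller enforces on `len`. The enclosing function starts outside the hunk.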
@@ -826,8 +826,8 @@ static char nibble_to_hex_digit(int i) int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t i, j, n, asn1_len_size, asn1_len_start; - unsigned char asn1_len_buf[5]; + size_t i, j, n, asn1_len_size, asn1_tag_size, asn1_tag_len_buf_start; + unsigned char asn1_tag_len_buf[10]; unsigned char *asn1_len_p; unsigned char c, merge = 0; const mbedtls_x509_name *name; 
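Review bot: the new buffer size `10` is a magic number that reappears as `asn1_tag_len_buf + 10` and `10 - asn1_len_size - asn1_tag_size` in the following hunk (`@@ -874,28`) and again in `@@ -876,7` of [PATCH 43/75]; using `sizeof(asn1_tag_len_buf)` at the use sites keeps the three in step if the size ever changes. A comment on the declaration explaining the size would also help, e.g. `/* DER length (at most 5 bytes, cf. the previous asn1_len_buf[5]) plus one tag byte; 10 leaves headroom */`. mbedtls_x509_dn_gets continues outside the hunk.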
@@ -874,28 +874,29 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) #if defined(MBEDTLS_ASN1_WRITE_C) s[0] = '#'; - c = name->val.tag; - lowbits = (c & 0x0F); - highbits = c >> 4; - s[1] = nibble_to_hex_digit(highbits); - s[2] = nibble_to_hex_digit(lowbits); - - asn1_len_p = asn1_len_buf+5; - asn1_len_size = mbedtls_asn1_write_len(&asn1_len_p, asn1_len_buf, name->val.len); - asn1_len_start = 5 - asn1_len_size; - for (i = 0, j = 3; i < asn1_len_size + name->val.len; i++, j++) { + asn1_len_p = asn1_tag_len_buf + 10; + asn1_len_size = mbedtls_asn1_write_len(&asn1_len_p, asn1_tag_len_buf, name->val.len); + asn1_tag_size = mbedtls_asn1_write_tag(&asn1_len_p,asn1_tag_len_buf,name->val.tag); + asn1_tag_len_buf_start = 10 - asn1_len_size - asn1_tag_size; + for (i = 0, j = 1; i < asn1_len_size + asn1_tag_size; i++) { if (j + 1 >= sizeof(s) - 1) { return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } - if (i < asn1_len_size) { - c = asn1_len_buf[asn1_len_start+i]; - } else { - c = name->val.p[i-asn1_len_size]; - } + c = asn1_tag_len_buf[asn1_tag_len_buf_start+i]; lowbits = (c & 0x0F); highbits = c >> 4; s[j++] = nibble_to_hex_digit(highbits); - s[j] = nibble_to_hex_digit(lowbits); + s[j++] = nibble_to_hex_digit(lowbits); + } + for (i = 0; i < name->val.len; i++) { + if (j + 1 >= sizeof(s) - 1) { + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + c = name->val.p[i]; + lowbits = (c & 0x0F); + highbits = c >> 4; + s[j++] = nibble_to_hex_digit(highbits); + s[j++] = nibble_to_hex_digit(lowbits); } #else return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; From 5ca98485138e48e69d9da92e9484ca67502884d3 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 10 Aug 2023 16:01:03 +0100 Subject: [PATCH 27/75] Reword test in test_suite_x509write Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509write.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
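Review bot: `mbedtls_asn1_write_len` and `mbedtls_asn1_write_tag` return `int` and can be negative (buffer too small), but their results go straight into the `size_t` variables `asn1_len_size` and `asn1_tag_size`; a negative return would become a huge unsigned value, make `asn1_tag_len_buf_start` wrap, and turn the first loop into an out-of-bounds read of `asn1_tag_len_buf`. With a 10-byte buffer and at most 5 length bytes plus 1 tag byte the calls cannot actually fail, so this is a latent rather than live hazard, but the conversion should either be guarded (`if (ret < 0) { return ret; }` on each call before assigning) or the invariant stated in a comment, e.g. `/* write_len needs at most 5 bytes and write_tag 1, so a 10-byte buffer can never be too small */`. The function body extends beyond the hunk.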
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 98017d6e72..490df804d9 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -214,7 +214,7 @@ mbedtls_x509_string_to_names:"C=NL, O=Of\\flspark, OU=PolarSSL":"":MBEDTLS_ERR_X X509 String to Names #16 (Accept numercoid/hexstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C084F6666737061726B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #17 (Accept numercoid/hexstring, output as bitstring) +X509 String to Names #17 (Output attributetype as bitstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#03084F6666737061726B, OU=PolarSSL":"C=NL, O=#03084F6666737061726B, OU=PolarSSL":0 Check max serial length From a7f96309255ebf97d0ff3263eec7537a92c04cc1 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 10 Aug 2023 16:03:27 +0100 Subject: [PATCH 28/75] Remove duplicate '+' in comparison string Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 2 +- library/x509_create.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/library/x509.c b/library/x509.c index e2bb2fd9ca..b487b43cf5 100644 --- a/library/x509.c +++ b/library/x509.c @@ -910,7 +910,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) c = name->val.p[i]; // Special characters requiring escaping, RFC 4514 Section 2.4 if (c) { - if (strchr(",=+<>;\"\\+", c) || + if (strchr(",=+<>;\"\\", c) || ((i == 0) && strchr("# ", c)) || ((i == name->val.len-1) && (c == ' '))) { if (j + 1 >= sizeof(s) - 1) { diff --git a/library/x509_create.c b/library/x509_create.c index a666e2d22f..4c5261113e 100644 --- a/library/x509_create.c +++ b/library/x509_create.c 
@@ -197,7 +197,7 @@ static int parse_attribute_value_string(const char *s, hexpair = 1; *(d++) = n; c++; - } else if (c == end || !strchr(" ,=+<>#;\"\\+", *c)) { + } else if (c == end || !strchr(" ,=+<>#;\"\\", *c)) { return MBEDTLS_ERR_X509_INVALID_NAME; } } From af70c7dce772076cfa17c0d07c266fae8919a913 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 10 Aug 2023 16:39:23 +0100 Subject: [PATCH 29/75] Write numeric oid directly to buffer mbedtls_oid_get_numeric_string now points to output buffer in dn_gets Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/x509.c b/library/x509.c index b487b43cf5..74b2fd6a12 100644 --- a/library/x509.c +++ b/library/x509.c @@ -833,7 +833,6 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) const mbedtls_x509_name *name; const char *short_name = NULL; char lowbits, highbits; - char numericoid[256]; char s[MBEDTLS_X509_MAX_DN_NAME_SIZE], *p; int print_hexstring; @@ -861,8 +860,9 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) if ((ret = mbedtls_oid_get_attr_short_name(&name->oid, &short_name)) == 0) { ret = mbedtls_snprintf(p, n, "%s=", short_name); } else { - if ((ret = mbedtls_oid_get_numeric_string(numericoid, 256, &name->oid)) > 0) { - ret = mbedtls_snprintf(p, n, "%s=", numericoid); + if ((ret = mbedtls_oid_get_numeric_string(p, n, &name->oid)) > 0) { + MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_snprintf(p, n, "="); print_hexstring = 1; } else { ret = mbedtls_snprintf(p, n, "\?\?="); From f88bd5ac8657302a42b7c12223aaaaa480b3dde5 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Fri, 11 Aug 2023 11:48:26 +0100 Subject: [PATCH 30/75] Accept any valid oid in string_to_names Instead of using x509_attrs, use generic oid conversion. 
Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 43 +++++++++++++++++++------------------------ 1 file changed, 19 insertions(+), 24 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 4c5261113e..6483b39d3d 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -130,34 +130,27 @@ static const x509_attr_descriptor_t *x509_attr_descr_from_name(const char *name, return cur; } -static const x509_attr_descriptor_t *x509_attr_descr_from_numericoid(const char *numericoid, +static char *x509_oid_from_numericoid(const char *numericoid, size_t numericoid_len) { - const x509_attr_descriptor_t *cur; - mbedtls_asn1_buf *oid = mbedtls_calloc(1, sizeof(mbedtls_asn1_buf)); + char *oid; + mbedtls_asn1_buf *oid_buf = mbedtls_calloc(1, sizeof(mbedtls_asn1_buf)); int ret; - ret = mbedtls_oid_from_numeric_string(oid, numericoid, numericoid_len); - if ((ret == MBEDTLS_ERR_X509_ALLOC_FAILED) || (ret == MBEDTLS_ERR_ASN1_INVALID_DATA)) { - mbedtls_free(oid->p); - mbedtls_free(oid); - return NULL; - } - - for (cur = x509_attrs; cur->oid != NULL; cur++) { - if (strlen(cur->oid) == oid->len && - strncmp(cur->oid, (const char *) oid->p, oid->len) == 0) { - break; + ret = mbedtls_oid_from_numeric_string(oid_buf, numericoid, numericoid_len); + if (ret != 0) { + if(ret != MBEDTLS_ERR_ASN1_ALLOC_FAILED) { + mbedtls_free(oid_buf->p); } - } - - mbedtls_free(oid->p); - mbedtls_free(oid); - if (cur->oid == NULL) { + mbedtls_free(oid_buf); return NULL; } - - return cur; + oid = calloc(1, oid_buf->len + 1); + memcpy(oid, oid_buf->p, oid_buf->len); + oid[oid_buf->len + 1] = '\0'; + mbedtls_free(oid_buf->p); + mbedtls_free(oid_buf); + return oid; } static int hex_to_int(char c) 
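Review bot: `oid[oid_buf->len + 1] = '\0';` writes one byte past the `oid_buf->len + 1` bytes that were allocated — the terminator belongs at `oid[oid_buf->len]`, and since `calloc` zero-fills the block the explicit write can simply go. The buffer is also obtained with plain `calloc` while the caller (`@@ -317,6` in this commit) releases it with `mbedtls_free`, which mismatches allocators when MBEDTLS_PLATFORM_MEMORY is in use, and neither the `calloc` result nor the `mbedtls_calloc` of `oid_buf` is checked for NULL before being dereferenced. Heap-allocating `oid_buf` is unnecessary; a stack `mbedtls_asn1_buf` does the job and removes two free calls. A version addressing all of this follows.
```c
static char *x509_oid_from_numericoid(const char *numericoid,
                                      size_t numericoid_len)
{
    mbedtls_asn1_buf oid_buf = { 0 };
    char *oid = NULL;
    int ret;

    ret = mbedtls_oid_from_numeric_string(&oid_buf, numericoid, numericoid_len);
    if (ret != 0) {
        if (ret != MBEDTLS_ERR_ASN1_ALLOC_FAILED) {
            mbedtls_free(oid_buf.p);
        }
        return NULL;
    }
    /* +1 for the terminator; calloc zero-fills it, so no explicit write is needed. */
    oid = mbedtls_calloc(1, oid_buf.len + 1);
    if (oid != NULL) {
        memcpy(oid, oid_buf.p, oid_buf.len);
    }
    mbedtls_free(oid_buf.p);
    return oid;
}
```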
@@ -266,7 +259,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam int parse_ret = 0; const char *s = name, *c = s; const char *end = s + strlen(s); - const char *oid = NULL; + char *oid = NULL; const x509_attr_descriptor_t *attr_descr = NULL; int in_attr_type = 1; int tag; @@ -280,16 +273,17 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam while (c <= end) { if (in_attr_type && *c == '=') { if ((attr_descr = x509_attr_descr_from_name(s, c - s)) == NULL) { - if ((attr_descr = x509_attr_descr_from_numericoid(s, c - s)) == NULL) { + if ((oid = x509_oid_from_numericoid(s, c - s)) == NULL) { return MBEDTLS_ERR_X509_UNKNOWN_OID; } else { numericoid = 1; } } else { + oid = malloc(strlen(attr_descr->oid)); + strcpy(oid,attr_descr->oid); numericoid = 0; } - oid = attr_descr->oid; s = c + 1; in_attr_type = 0; } @@ -317,6 +311,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam mbedtls_asn1_store_named_data(head, oid, strlen(oid), (unsigned char *) data, data_len); + mbedtls_free(oid); if (cur == NULL) { return MBEDTLS_ERR_X509_ALLOC_FAILED; } From e59dedbce218c80e519fdddd385536c622f8b094 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Fri, 11 Aug 2023 12:07:55 +0100 Subject: [PATCH 31/75] Add test reject null characters in string to names Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509write.data | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 490df804d9..77ac53a0e0 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data 
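Review bot: `oid = malloc(strlen(attr_descr->oid));` in `@@ -280,16` allocates one byte too few, so the `strcpy` on the next line writes the terminating NUL past the end of the heap block; the allocation also uses plain `malloc` while `@@ -317,6` frees with `mbedtls_free`, and the NULL return is never checked. Replace the two lines with `oid = mbedtls_calloc(1, strlen(attr_descr->oid) + 1);`, `if (oid == NULL) { return MBEDTLS_ERR_X509_ALLOC_FAILED; }` and `memcpy(oid, attr_descr->oid, strlen(attr_descr->oid));`. Since `attr_descr->oid` points into a static table, an alternative is not to copy at all and to free `oid` only on the `numericoid` path. The enclosing loop and function extend beyond the hunk.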
@@ -205,16 +205,19 @@ mbedtls_x509_string_to_names:"C=NL, O=\\4f\\66\\66\\73\\70\\61\\72\\6b, OU=Polar X509 String to Names #13 (Invalid hexpair escape at end of string) mbedtls_x509_string_to_names:"C=NL, O=\\4f\\66\\66\\73\\70\\61\\72\\6, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #14 (Escape non-ascii hexpairs) +X509 String to Names #14 (Reject escaped null hexpair) +mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME + +X509 String to Names #15 (Escape non-ascii hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 -X509 String to Names #15 (Invalid hexpairs) +X509 String to Names #16 (Invalid hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\flspark, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #16 (Accept numercoid/hexstring) +X509 String to Names #17 (Accept numercoid/hexstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C084F6666737061726B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #17 (Output attributetype as bitstring) +X509 String to Names #18 (Output attributetype as bitstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#03084F6666737061726B, OU=PolarSSL":"C=NL, O=#03084F6666737061726B, OU=PolarSSL":0 Check max serial length From afdb187bbc46930b6c798b52f629eb6e5841e398 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Fri, 11 Aug 2023 12:41:33 +0100 Subject: [PATCH 32/75] Add more comprehensive string to name tests Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509write.data | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 77ac53a0e0..23a05966c6 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data 
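Review bot: #14 and #15 feed the identical input `C=NL, O=Of\\00spark, OU=PolarSSL` but expect MBEDTLS_ERR_X509_INVALID_NAME and 0 respectively, so at most one of them can pass against any implementation. If the intent is to reject an escaped NUL, the accepting case needs a non-NUL non-ASCII hexpair, e.g. `O=Of\\CCspark` with the matching expected output, so that it actually exercises non-ASCII handling.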
@@ -170,7 +170,7 @@ X509 String to Names #1 mbedtls_x509_string_to_names:"C=NL,O=Offspark\\, Inc., OU=PolarSSL":"C=NL, O=Offspark\\, Inc., OU=PolarSSL":0 X509 String to Names #2 -mbedtls_x509_string_to_names:"C=NL, O=Offspark, Inc., OU=PolarSSL":"":MBEDTLS_ERR_X509_UNKNOWN_OID +mbedtls_x509_string_to_names:"C=NL, O=Offspark, Inc., OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME X509 String to Names #3 (Name precisely 255 bytes) mbedtls_x509_string_to_names:"C=NL, O=123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345,OU=PolarSSL":"C=NL, O=123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345, OU=PolarSSL":0 
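Review bot: the expected error for #2 changes from MBEDTLS_ERR_X509_UNKNOWN_OID to MBEDTLS_ERR_X509_INVALID_NAME here, but the return value in mbedtls_x509_string_to_names is only changed in the following commit ([PATCH 33/75]); with this commit checked out on its own the test fails, which breaks bisecting. Fold this line into the commit that changes the code, or order the code change first.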
@@ -208,16 +208,22 @@ mbedtls_x509_string_to_names:"C=NL, O=\\4f\\66\\66\\73\\70\\61\\72\\6, OU=PolarS X509 String to Names #14 (Reject escaped null hexpair) mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #15 (Escape non-ascii hexpairs) -mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 - -X509 String to Names #16 (Invalid hexpairs) +X509 String to Names #15 (Invalid hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\flspark, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #17 (Accept numercoid/hexstring) +X509 String to Names #16 (Accept numercoid/hexstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C084F6666737061726B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #18 (Output attributetype as bitstring) +X509 String to Names #17 (Odd length hexstring) +mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C084F6666737061726, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME + +X509 String to Names #18 (Invalid OID) +mbedtls_x509_string_to_names:"C=NL, 10.5.4.10=#0C084F6666737061726, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME + +X509 String to Names #19 (Escape non-ascii hexpairs) +mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 + +X509 String to Names #20 (Output attributetype as bitstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#03084F6666737061726B, OU=PolarSSL":"C=NL, O=#03084F6666737061726B, OU=PolarSSL":0 Check max serial length From 17984874afd3d27f06a5eb64fd8672878a748906 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Fri, 11 Aug 2023 12:42:03 +0100 Subject: [PATCH 33/75] Change error from unknown oid to invalid name Since the implementation no longer needs to know the oid, it makes more sense for the error message to be an invalid name. 
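Review bot: #18 (Invalid OID) uses the same odd-length hexstring `#0C084F6666737061726` as #17, so it is rejected for the value before the OID `10.5.4.10` is ever examined and does not show that an invalid first arc is refused. Give it the well-formed value `#0C084F6666737061726B` so the only defect in the input is the OID.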
Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509_create.c b/library/x509_create.c index 6483b39d3d..99115c450e 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -274,7 +274,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (in_attr_type && *c == '=') { if ((attr_descr = x509_attr_descr_from_name(s, c - s)) == NULL) { if ((oid = x509_oid_from_numericoid(s, c - s)) == NULL) { - return MBEDTLS_ERR_X509_UNKNOWN_OID; + return MBEDTLS_ERR_X509_INVALID_NAME; } else { numericoid = 1; } From 957ca0595d616e40af40b17e378281e8e8807295 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Fri, 11 Aug 2023 14:58:14 +0100 Subject: [PATCH 34/75] Accept short name/ber encoded data in DNs Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 25 +++++++++++++++++-------- tests/suites/test_suite_x509write.data | 5 ++++- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 99115c450e..6ce15f9fe7 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -289,6 +289,22 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam } if (!in_attr_type && ((*c == ',' && *(c-1) != '\\') || c == end)) { +#if defined(MBEDTLS_ASN1_PARSE_C) + if ((parse_ret = + parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, + &tag)) != 0) { + if(numericoid) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + else { + if ((parse_ret = + parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { + return parse_ret; + } + tag = attr_descr->default_tag; + } + } +#else if (!numericoid) { if ((parse_ret = parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { 
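Review bot: the `#if defined(MBEDTLS_ASN1_PARSE_C)` arm and the `#else` arm (continued in `@@ -297,16 +313,9` below) each spell out the call to `parse_attribute_value_string` and the `tag = attr_descr->default_tag` assignment, so the fallback logic exists twice and the two copies can drift apart. Seeding `parse_ret` with MBEDTLS_ERR_X509_INVALID_NAME and attempting the BER parse only under the conditional lets one unconditional fallback serve both builds with the same results as the combined hunks; a sketch follows. mbedtls_x509_string_to_names starts and ends outside the hunk.
```c
        if (!in_attr_type && ((*c == ',' && *(c-1) != '\\') || c == end)) {
            /* A "#<hex>" value is tried first for every attribute type; when
             * ASN.1 parsing is compiled out it simply never succeeds. */
            parse_ret = MBEDTLS_ERR_X509_INVALID_NAME;
#if defined(MBEDTLS_ASN1_PARSE_C)
            parse_ret = parse_attribute_value_ber_encoded(s, (int) (c - s), data,
                                                          &data_len, &tag);
#endif
            if (parse_ret != 0) {
                /* A numeric OID carries no default tag, so its value must be
                 * BER-encoded; anything else falls back to the string form. */
                if (numericoid) {
                    return MBEDTLS_ERR_X509_INVALID_NAME;
                }
                if ((parse_ret = parse_attribute_value_string(s, (int) (c - s),
                                                              data, &data_len)) != 0) {
                    return parse_ret;
                }
                tag = attr_descr->default_tag;
            }
            /* … unchanged: mbedtls_asn1_store_named_data and the rest of the loop body … */
```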
@@ -297,16 +313,9 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam tag = attr_descr->default_tag; } if (numericoid) { -#if defined(MBEDTLS_ASN1_PARSE_C) - if ((parse_ret = - parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, - &tag)) != 0) { - return parse_ret; - } -#else return MBEDTLS_ERR_X509_INVALID_NAME; -#endif } +#endif mbedtls_asn1_named_data *cur = mbedtls_asn1_store_named_data(head, oid, strlen(oid), (unsigned char *) data, diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 23a05966c6..814f8f70c1 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -218,7 +218,10 @@ X509 String to Names #17 (Odd length hexstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C084F6666737061726, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME X509 String to Names #18 (Invalid OID) -mbedtls_x509_string_to_names:"C=NL, 10.5.4.10=#0C084F6666737061726, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME +mbedtls_x509_string_to_names:"C=NL, 10.5.4.10=#0C084F6666737061726B, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME + +X509 String to Names #18 (short name and hexstring) +mbedtls_x509_string_to_names:"C=NL, O=#0C084F6666737061726B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 X509 String to Names #19 (Escape non-ascii hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 From a953f8ab3642ccb61c2f65e73b02aafbf44cb3ae Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 14 Aug 2023 10:49:26 +0100 Subject: [PATCH 35/75] Remove duplicate test in test_suite_x509write The test for outputing a hexstring representation is actually testing dn_gets, and is tested in test_suite_x509parse. Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509write.data | 3 --- 1 file changed, 3 deletions(-) 
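Review bot: two cases are now titled `X509 String to Names #18`, (Invalid OID) and (short name and hexstring); the description line is what the test runner prints, so duplicate titles make a failure report ambiguous. Number the new case #19 and shift the ones that follow.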
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 814f8f70c1..880172c1fa 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -226,8 +226,5 @@ mbedtls_x509_string_to_names:"C=NL, O=#0C084F6666737061726B, OU=PolarSSL":"C=NL, X509 String to Names #19 (Escape non-ascii hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 -X509 String to Names #20 (Output attributetype as bitstring) -mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#03084F6666737061726B, OU=PolarSSL":"C=NL, O=#03084F6666737061726B, OU=PolarSSL":0 - Check max serial length x509_set_serial_check: From a0ba8aab2e5dac2ae81ac217216d59eaf812a015 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 14 Aug 2023 10:58:08 +0100 Subject: [PATCH 36/75] Add test for non ascii x509 subject name Signed-off-by: Agathiyan Bragadeesh --- tests/data_files/Makefile | 7 ++++++- tests/data_files/server1.asciichars.crt | 20 ++++++++++++++++++++ tests/suites/test_suite_x509parse.data | 4 ++++ 3 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 tests/data_files/server1.asciichars.crt diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 2009ad6699..c41b559a17 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1446,6 +1446,9 @@ parse_input/server1.req.hashsymbol.sha256: server1.key parse_input/server1.req.spaces.sha256: server1.key $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O= PolarSSL ,CN=PolarSSL Server 1" md=SHA256 + +parse_input/server1.req.asciichars.sha256: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=极地SSL,CN=PolarSSL Server 1" md=SHA256 # server2* server2_pwd_ec = PolarSSLTest 
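Review bot: the new request and certificate are named `asciichars` although the subject `O=极地SSL` is chosen precisely because it contains non-ASCII bytes, so the name states the opposite of what the fixture exercises; the same name is used for `server1.asciichars.crt` in the next hunk (`@@ -1599,7`) and for the test_suite_x509parse.data case at the end of this commit. A name like `nonascii` (e.g. `parse_input/server1.req.nonascii.sha256`) would make the purpose of the fixture clear at a glance.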
@@ -1599,7 +1602,9 @@ server1.hashsymbol.crt: server1.key parse_input/server1.req.hashsymbol.sha256 $( $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.hashsymbol.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ server1.spaces.crt: server1.key parse_input/server1.req.spaces.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.spaces.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ -all_final += server1.crt server1.noauthid.crt parse_input/server1.crt.der server1.commas.crt server1.hashsymbol.crt server1.spaces.crt +server1.asciichars.crt: server1.key parse_input/server1.req.asciichars.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.asciichars.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ +all_final += server1.crt server1.noauthid.crt parse_input/server1.crt.der server1.commas.crt server1.hashsymbol.crt server1.spaces.crt server1.asciichars.crt parse_input/server1.key_usage.crt: parse_input/server1.req.sha256 server1.key_usage.crt: server1.req.sha256 diff --git a/tests/data_files/server1.asciichars.crt b/tests/data_files/server1.asciichars.crt new file mode 100644 index 0000000000..824e46e06c --- /dev/null +++ b/tests/data_files/server1.asciichars.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA9MQswCQYDVQQGEwJOTDESMBAG +A1UECgwJ5p6B5ZywU1NMMRowGAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6J +v7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVB +Q3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYEl +XwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk +65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZP +cG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEA +AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynBdHRFOwUSLD2ovUNZAqYw +HwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQAD +ggEBAHqJLYmgkQ6yqml3PZM6iwbmo+lZLyDEPFpl/thHZm5LI8TTYOeU+wMAZ6KI +VumyjZxypmLF2MiiJ2f3zQooU7H1waAcTpsafTuD6RRYdthYYxs1L9gCm1ZT2Ga8 +fgn3wrugPLUrtSM/TkTj6F4XkSlluzZpEKsSYLSoyde+uQgdbtR+3Tc+3oU8xBMM +N6uq4VQC49avIQkI+598E3vKrjGGt3l2a1Ts1qvXWjo9mpJW5GM4e1zfogKnc8XQ +K1hYQ39wL42l9Hijwre85O0PSBfbNOv1BPSDm8das3VNzGsUIz8InkAKAKCKwxG6 +BCw3D/CE8s6DCnpb+eK1sVJwZ4E= +-----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index b154db924f..e1db7178b3 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -455,6 +455,10 @@ X509 Get Distinguished Name #7 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 mbedtls_x509_dn_gets:"data_files/server1.spaces.crt":"subject":"C=NL, O=\\ PolarSSL\\ , CN=PolarSSL Server 1" +X509 Get Distinguished Name #8 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 +mbedtls_x509_dn_gets:"data_files/server1.asciichars.crt":"subject":"C=NL, O=\\E6\\9E\\81\\E5\\9C\\B0SSL, CN=PolarSSL Server 1" + X509 Get Modified DN #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"Modified":"C=NL, O=Modified, CN=PolarSSL Server 1":0 From cab79188ca063d79e6cb8bd429e0ad6a2e3b9263 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 14 Aug 2023 10:59:36 +0100 Subject: [PATCH 37/75] Remove redundant tests in test_suite_x509write Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509write.data | 28 ++++++++++---------------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 880172c1fa..fb0abd4a5f 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data 
@@ -187,43 +187,37 @@ mbedtls_x509_string_to_names:"C=NL, O=Offspark\\":"":MBEDTLS_ERR_X509_INVALID_NA X509 String to Names #7 (Invalid, no '=' or ',') mbedtls_x509_string_to_names:"ABC123":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #8 (Escape valid characters) +X509 String to Names #8 (Escaped valid characters) mbedtls_x509_string_to_names:"C=NL, O=Offspark\\+ \\> \\=, OU=PolarSSL":"C=NL, O=Offspark\\+ \\> \\=, OU=PolarSSL":0 -X509 String to Names #9 (Escape '#' at beginning of string) -mbedtls_x509_string_to_names:"C=NL, O=#Offspark#, OU=PolarSSL":"C=NL, O=\\#Offspark#, OU=PolarSSL":0 - -X509 String to Names #10 (Escape ' ' at beginning and end of string) -mbedtls_x509_string_to_names:"C=NL, O= Off spark , OU=PolarSSL":"C=NL, O=\\ Off spark\\ , OU=PolarSSL":0 - -X509 String to Names #11 (Escape ascii hexpairs uppercase encoded) +X509 String to Names #9 (Escaped ascii hexpairs uppercase encoded) mbedtls_x509_string_to_names:"C=NL, O=\\4F\\66\\66\\73\\70\\61\\72\\6B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #12 (Escape ascii hexpairs lowercase encoded) +X509 String to Names #10 (Escaped ascii hexpairs lowercase encoded) mbedtls_x509_string_to_names:"C=NL, O=\\4f\\66\\66\\73\\70\\61\\72\\6b, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #13 (Invalid hexpair escape at end of string) +X509 String to Names #11 (Invalid hexpair escape at end of string) mbedtls_x509_string_to_names:"C=NL, O=\\4f\\66\\66\\73\\70\\61\\72\\6, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #14 (Reject escaped null hexpair) +X509 String to Names #12 (Reject escaped null hexpair) mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #15 (Invalid hexpairs) +X509 String to Names #13 (Invalid hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\flspark, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #16 (Accept 
numercoid/hexstring) +X509 String to Names #14 (Accept numercoid/hexstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C084F6666737061726B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #17 (Odd length hexstring) +X509 String to Names #15 (Odd length hexstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C084F6666737061726, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #18 (Invalid OID) +X509 String to Names #16 (Invalid OID) mbedtls_x509_string_to_names:"C=NL, 10.5.4.10=#0C084F6666737061726B, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #18 (short name and hexstring) +X509 String to Names #17 (short name and hexstring) mbedtls_x509_string_to_names:"C=NL, O=#0C084F6666737061726B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #19 (Escape non-ascii hexpairs) +X509 String to Names #18 (Escape non-ascii hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 Check max serial length From bdf20a0d555e50077d8cc83cf506d7b0913f5576 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 14 Aug 2023 15:26:03 +0100 Subject: [PATCH 38/75] Alter MBEDTLS_ASN1_IS_STRING_TAG macro Signed-off-by: Agathiyan Bragadeesh --- include/mbedtls/asn1.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index 002c8dee06..6dfc551cc2 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -103,8 +103,7 @@ (1u << MBEDTLS_ASN1_T61_STRING) | \ (1u << MBEDTLS_ASN1_IA5_STRING) | \ (1u << MBEDTLS_ASN1_UNIVERSAL_STRING) | \ - (1u << MBEDTLS_ASN1_PRINTABLE_STRING) | \ - (1u << MBEDTLS_ASN1_BIT_STRING))) != 0)) + (1u << MBEDTLS_ASN1_PRINTABLE_STRING))) != 0)) /* * Bit masks for each of the components of an ASN.1 tag as specified in From 01e9392c3f28f3055e45a07f9f7c322283388d9f Mon Sep 17 00:00:00 2001 
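Review bot: dropping MBEDTLS_ASN1_BIT_STRING from MBEDTLS_ASN1_IS_STRING_TAG changes a macro in the public header include/mbedtls/asn1.h, so every caller's notion of what counts as a string tag changes, not only the DN code this series is about, and the commit message says nothing beyond "Alter". Presumably the aim is that BIT STRING attribute values are rendered as `#` hexstrings rather than as text; if so, say that in the message and in a ChangeLog entry, and confirm that the other users of the macro agree with the new classification.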
From: Agathiyan Bragadeesh Date: Mon, 14 Aug 2023 15:29:49 +0100 Subject: [PATCH 39/75] Add malformatted DER test for string_to_names Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509write.data | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index fb0abd4a5f..7b8d083ccc 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -208,16 +208,19 @@ mbedtls_x509_string_to_names:"C=NL, O=Of\\flspark, OU=PolarSSL":"":MBEDTLS_ERR_X X509 String to Names #14 (Accept numercoid/hexstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C084F6666737061726B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #15 (Odd length hexstring) +X509 String to Names #15 (Odd length DER hexstring) mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C084F6666737061726, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #16 (Invalid OID) +X509 String to Names #16 (Length mismatch DER hexstring) +mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#0C0B4F6666737061726B, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME + +X509 String to Names #17 (Invalid OID) mbedtls_x509_string_to_names:"C=NL, 10.5.4.10=#0C084F6666737061726B, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME -X509 String to Names #17 (short name and hexstring) +X509 String to Names #18 (short name and hexstring) mbedtls_x509_string_to_names:"C=NL, O=#0C084F6666737061726B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #18 (Escape non-ascii hexpairs) +X509 String to Names #19 (Escape non-ascii hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 Check max serial length From 9caaa6d967cb5a2ae4dac243ee3e3c0a30ed16f8 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 14 Aug 2023 15:38:39 +0100 Subject: [PATCH 40/75] Reject escaped null hexpairs in DNs 
Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/x509_create.c b/library/x509_create.c index 6ce15f9fe7..500f21306c 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -187,6 +187,9 @@ static int parse_attribute_value_string(const char *s, /* Check for valid escaped characters in RFC 4514 in Section 3*/ if (c + 1 < end && (n = hexpair_to_int(*c, *(c+1))) != -1) { + if(n == 0) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } hexpair = 1; *(d++) = n; c++; From ea3e83f36a119f94d2098e4f8db1cd7454e1bdd2 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 14 Aug 2023 15:44:47 +0100 Subject: [PATCH 41/75] Amend test in test_suite_x509write Needed since we now reject escaped null hexpairs in strings Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509write.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 7b8d083ccc..2c6f59eeaf 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -220,8 +220,8 @@ mbedtls_x509_string_to_names:"C=NL, 10.5.4.10=#0C084F6666737061726B, OU=PolarSSL X509 String to Names #18 (short name and hexstring) mbedtls_x509_string_to_names:"C=NL, O=#0C084F6666737061726B, OU=PolarSSL":"C=NL, O=Offspark, OU=PolarSSL":0 -X509 String to Names #19 (Escape non-ascii hexpairs) -mbedtls_x509_string_to_names:"C=NL, O=Of\\00spark, OU=PolarSSL":"C=NL, O=Of\\00spark, OU=PolarSSL":0 +X509 String to Names #19 (Accept non-ascii hexpairs) +mbedtls_x509_string_to_names:"C=NL, O=Of\\CCspark, OU=PolarSSL":"C=NL, O=Of\\CCspark, OU=PolarSSL":0 Check max serial length x509_set_serial_check: From af3e548c77397f9e3ad340589a0fee54c6e057d1 Mon Sep 17 00:00:00 2001 
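Review bot: the new `if(n == 0)` guard carries no comment saying why an escaped `\00` pair is refused even though RFC 4514 Section 3 permits it; the reason, presumably that a NUL inside an attribute value would make strlen-based and length-delimited views of the DN disagree, belongs next to the check, e.g. `/* Reject \00: an embedded NUL would let C-string and length-based views of the DN differ */`. parse_attribute_value_string continues outside the hunk.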
From: Agathiyan Bragadeesh Date: Mon, 14 Aug 2023 16:25:03 +0100 Subject: [PATCH 42/75] Make MBEDTLS_ASN1_IS_STRING_TAG to take signed int Since mbedtls_asn1_buf uses a signed int for tags. Signed-off-by: Agathiyan Bragadeesh --- include/mbedtls/asn1.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index 6dfc551cc2..4eabea0435 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -97,13 +97,13 @@ /* Slightly smaller way to check if tag is a string tag * compared to canonical implementation. */ #define MBEDTLS_ASN1_IS_STRING_TAG(tag) \ - ((tag) < 32u && ( \ - ((1u << (tag)) & ((1u << MBEDTLS_ASN1_BMP_STRING) | \ - (1u << MBEDTLS_ASN1_UTF8_STRING) | \ - (1u << MBEDTLS_ASN1_T61_STRING) | \ - (1u << MBEDTLS_ASN1_IA5_STRING) | \ - (1u << MBEDTLS_ASN1_UNIVERSAL_STRING) | \ - (1u << MBEDTLS_ASN1_PRINTABLE_STRING))) != 0)) + ((tag) < 32 && ( \ + ((1 << (tag)) & ((1 << MBEDTLS_ASN1_BMP_STRING) | \ + (1 << MBEDTLS_ASN1_UTF8_STRING) | \ + (1 << MBEDTLS_ASN1_T61_STRING) | \ + (1 << MBEDTLS_ASN1_IA5_STRING) | \ + (1 << MBEDTLS_ASN1_UNIVERSAL_STRING) | \ + (1 << MBEDTLS_ASN1_PRINTABLE_STRING))) != 0)) /* * Bit masks for each of the components of an ASN.1 tag as specified in From eb55867520c2cd67932c888b81d06d9f2bcc2d28 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 14 Aug 2023 16:31:11 +0100 Subject: [PATCH 43/75] Fix code style Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 2 +- library/x509_create.c | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/library/x509.c b/library/x509.c index 74b2fd6a12..62bc39b21e 100644 --- a/library/x509.c +++ b/library/x509.c 
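Review bot: with the `u` suffixes removed, a negative `tag` now passes `(tag) < 32` and reaches `1 << (tag)`, a shift by a negative count, which is undefined behaviour; the previous unsigned comparison rejected negative values. `tag = 31` likewise yields `1 << 31`, which overflows a 32-bit signed int. Since the point of the change is to accept the `int` tag of mbedtls_asn1_buf, keep the shifts as `1u << …` and make the range check `(tag) >= 0 && (tag) < 32`.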
@@ -876,7 +876,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) asn1_len_p = asn1_tag_len_buf + 10; asn1_len_size = mbedtls_asn1_write_len(&asn1_len_p, asn1_tag_len_buf, name->val.len); - asn1_tag_size = mbedtls_asn1_write_tag(&asn1_len_p,asn1_tag_len_buf,name->val.tag); + asn1_tag_size = mbedtls_asn1_write_tag(&asn1_len_p, asn1_tag_len_buf, name->val.tag); asn1_tag_len_buf_start = 10 - asn1_len_size - asn1_tag_size; for (i = 0, j = 1; i < asn1_len_size + asn1_tag_size; i++) { if (j + 1 >= sizeof(s) - 1) { diff --git a/library/x509_create.c b/library/x509_create.c index 500f21306c..66f680643b 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -131,7 +131,7 @@ static const x509_attr_descriptor_t *x509_attr_descr_from_name(const char *name, } static char *x509_oid_from_numericoid(const char *numericoid, - size_t numericoid_len) + size_t numericoid_len) { char *oid; mbedtls_asn1_buf *oid_buf = mbedtls_calloc(1, sizeof(mbedtls_asn1_buf)); @@ -139,7 +139,7 @@ static char *x509_oid_from_numericoid(const char *numericoid, ret = mbedtls_oid_from_numeric_string(oid_buf, numericoid, numericoid_len); if (ret != 0) { - if(ret != MBEDTLS_ERR_ASN1_ALLOC_FAILED) { + if (ret != MBEDTLS_ERR_ASN1_ALLOC_FAILED) { mbedtls_free(oid_buf->p); } mbedtls_free(oid_buf); @@ -187,7 +187,7 @@ static int parse_attribute_value_string(const char *s, /* Check for valid escaped characters in RFC 4514 in Section 3*/ if (c + 1 < end && (n = hexpair_to_int(*c, *(c+1))) != -1) { - if(n == 0) { + if (n == 0) { return MBEDTLS_ERR_X509_INVALID_NAME; } hexpair = 1; @@ -283,7 +283,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam } } else { oid = malloc(strlen(attr_descr->oid)); - strcpy(oid,attr_descr->oid); + strcpy(oid, attr_descr->oid); numericoid = 0; } 
@@ -294,14 +294,14 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (!in_attr_type && ((*c == ',' && *(c-1) != '\\') || c == end)) { #if defined(MBEDTLS_ASN1_PARSE_C) if ((parse_ret = - parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, - &tag)) != 0) { - if(numericoid) { + parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, + &tag)) != 0) { + if (numericoid) { return MBEDTLS_ERR_X509_INVALID_NAME; - } - else { + } else { if ((parse_ret = - parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { + parse_attribute_value_string(s, (int) (c - s), data, + &data_len)) != 0) { return parse_ret; } tag = attr_descr->default_tag; From f826d1113e30577dd5c662cacc92e1369b8cf37f Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 14 Aug 2023 16:32:22 +0100 Subject: [PATCH 44/75] Reject null bytes in DER encoded values in DNs Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/x509_create.c b/library/x509_create.c index 66f680643b..8a648e3813 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -239,6 +239,9 @@ static int parse_attribute_value_ber_encoded(const char *s, if ((c + 1 >= end) || (n = hexpair_to_int(*c, *(c+1))) == -1) { return MBEDTLS_ERR_X509_INVALID_NAME; } + if (MBEDTLS_ASN1_IS_STRING_TAG(*tag) && n == 0) { + return MBEDTLS_ERR_X509_INVALID_NAME; + } *(p++) = n; } asn1_der_end = p; From 55d93192b1601f01ba0aa3bc2cd4034afefe6c87 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 15 Aug 2023 15:05:03 +0100 Subject: [PATCH 45/75] Fix oid memory leak Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/library/x509_create.c b/library/x509_create.c index 8a648e3813..0f1b8d0e59 100644 --- a/library/x509_create.c +++ b/library/x509_create.c 
@@ -285,7 +285,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam numericoid = 1; } } else { - oid = malloc(strlen(attr_descr->oid)); + oid = calloc(1, strlen(attr_descr->oid)); strcpy(oid, attr_descr->oid); numericoid = 0; } @@ -300,11 +300,13 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, &tag)) != 0) { if (numericoid) { + mbedtls_free(oid); return MBEDTLS_ERR_X509_INVALID_NAME; } else { if ((parse_ret = parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { + mbedtls_free(oid); return parse_ret; } tag = attr_descr->default_tag; @@ -314,11 +316,13 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (!numericoid) { if ((parse_ret = parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { + mbedtls_free(oid); return parse_ret; } tag = attr_descr->default_tag; } if (numericoid) { + mbedtls_free(oid); return MBEDTLS_ERR_X509_INVALID_NAME; } #endif @@ -327,6 +331,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam (unsigned char *) data, data_len); mbedtls_free(oid); + oid = NULL; if (cur == NULL) { return MBEDTLS_ERR_X509_ALLOC_FAILED; } @@ -346,6 +351,9 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam } c++; } + if (oid != NULL) { + mbedtls_free(oid); + } return ret; } From 4294ccc608eaecffe3f78d5271e9de1159ce03b2 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 15 Aug 2023 16:32:00 +0100 Subject: [PATCH 46/75] Use mbedtls_calloc instead of calloc Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 0f1b8d0e59..46ffc9c8de 100644 --- a/library/x509_create.c +++ b/library/x509_create.c 
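Review bot: `oid = calloc(1, strlen(attr_descr->oid));` still allocates one byte too few for the `strcpy` on the next line, which writes the terminator past the end of the block; the size needs `+ 1`, i.e. `oid = calloc(1, strlen(attr_descr->oid) + 1);`, and the result is dereferenced by `strcpy` without a NULL check. The same line reappears in PATCH 46's hunk with `mbedtls_calloc` and is only retired by PATCH 48's switch to an explicit-length `memcpy`. The block is also obtained from libc `calloc` but released with `mbedtls_free` in this patch's other hunks, which mixes allocators whenever the platform layer is overridden (PATCH 46 corrects that). mbedtls_x509_string_to_names starts before and ends after the hunk.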
@@ -145,7 +145,7 @@ static char *x509_oid_from_numericoid(const char *numericoid, mbedtls_free(oid_buf); return NULL; } - oid = calloc(1, oid_buf->len + 1); + oid = mbedtls_calloc(1, oid_buf->len + 1); memcpy(oid, oid_buf->p, oid_buf->len); oid[oid_buf->len + 1] = '\0'; mbedtls_free(oid_buf->p); @@ -285,7 +285,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam numericoid = 1; } } else { - oid = calloc(1, strlen(attr_descr->oid)); + oid = mbedtls_calloc(1, strlen(attr_descr->oid)); strcpy(oid, attr_descr->oid); numericoid = 0; } From fb94702762ec71cf2a7a6cb13c6aff13190a4b1f Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 15 Aug 2023 16:32:42 +0100 Subject: [PATCH 47/75] Add catch for alloc error x509_oid_from_numericoid Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/library/x509_create.c b/library/x509_create.c index 46ffc9c8de..9d40db095a 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -146,6 +146,11 @@ static char *x509_oid_from_numericoid(const char *numericoid, return NULL; } oid = mbedtls_calloc(1, oid_buf->len + 1); + if(oid == NULL) { + mbedtls_free(oid_buf->p); + mbedtls_free(oid_buf); + return MBEDTLS_ERR_X509_ALLOC_FAILED; + } memcpy(oid, oid_buf->p, oid_buf->len); oid[oid_buf->len + 1] = '\0'; mbedtls_free(oid_buf->p); From 12b9d7040e90570a4622ca323a9e7634d52bab44 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 15 Aug 2023 17:42:33 +0100 Subject: [PATCH 48/75] Remove x509_oid_from_numericoid Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 51 ++++++++++--------------------------------- 1 file changed, 12 insertions(+), 39 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 9d40db095a..daf17a6dfe 100644 --- a/library/x509_create.c +++ b/library/x509_create.c 
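Review bot: `return MBEDTLS_ERR_X509_ALLOC_FAILED;` in the added NULL check returns an `int` error code from x509_oid_from_numericoid, whose return type is `char *`; the caller compares the result with NULL, so an allocation failure would hand it a bogus non-null pointer. The function already reports failure with `return NULL;` a few lines up and should do the same here. The context line `oid[oid_buf->len + 1] = '\0';` also writes one past the `oid_buf->len + 1` bytes allocated (the last valid index is `oid_buf->len`, which `mbedtls_calloc` has already zeroed). PATCH 48 deletes this helper, so both points are moot for the final state of the series.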
@@ -130,34 +130,6 @@ static const x509_attr_descriptor_t *x509_attr_descr_from_name(const char *name, return cur; } -static char *x509_oid_from_numericoid(const char *numericoid, - size_t numericoid_len) -{ - char *oid; - mbedtls_asn1_buf *oid_buf = mbedtls_calloc(1, sizeof(mbedtls_asn1_buf)); - int ret; - - ret = mbedtls_oid_from_numeric_string(oid_buf, numericoid, numericoid_len); - if (ret != 0) { - if (ret != MBEDTLS_ERR_ASN1_ALLOC_FAILED) { - mbedtls_free(oid_buf->p); - } - mbedtls_free(oid_buf); - return NULL; - } - oid = mbedtls_calloc(1, oid_buf->len + 1); - if(oid == NULL) { - mbedtls_free(oid_buf->p); - mbedtls_free(oid_buf); - return MBEDTLS_ERR_X509_ALLOC_FAILED; - } - memcpy(oid, oid_buf->p, oid_buf->len); - oid[oid_buf->len + 1] = '\0'; - mbedtls_free(oid_buf->p); - mbedtls_free(oid_buf); - return oid; -} - static int hex_to_int(char c) { return ('0' <= c && c <= '9') ? (c - '0') : @@ -270,7 +242,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam int parse_ret = 0; const char *s = name, *c = s; const char *end = s + strlen(s); - char *oid = NULL; + mbedtls_asn1_buf oid = { .p = NULL, .len = 0, .tag = 5 }; const x509_attr_descriptor_t *attr_descr = NULL; int in_attr_type = 1; int tag; @@ -284,14 +256,15 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam while (c <= end) { if (in_attr_type && *c == '=') { if ((attr_descr = x509_attr_descr_from_name(s, c - s)) == NULL) { - if ((oid = x509_oid_from_numericoid(s, c - s)) == NULL) { + if ((mbedtls_oid_from_numeric_string(&oid, s, c - s)) != 0) { return MBEDTLS_ERR_X509_INVALID_NAME; } else { numericoid = 1; } } else { - oid = mbedtls_calloc(1, strlen(attr_descr->oid)); - strcpy(oid, attr_descr->oid); + oid.len = strlen(attr_descr->oid); + oid.p = mbedtls_calloc(1, oid.len); + memcpy(oid.p, attr_descr->oid, oid.len); numericoid = 0; } 
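Review bot: `oid.p = mbedtls_calloc(1, oid.len);` is followed directly by `memcpy(oid.p, attr_descr->oid, oid.len);` with no NULL check, so an allocation failure dereferences NULL instead of returning `MBEDTLS_ERR_X509_ALLOC_FAILED` as the rest of the function does; insert `if (oid.p == NULL) { return MBEDTLS_ERR_X509_ALLOC_FAILED; }` between the two lines. The copy deliberately omits a terminator, which matches the explicit-length `mbedtls_asn1_store_named_data(head, (char *) oid.p, oid.len, ...)` call in the next hunk; a comment such as `/* oid.p is not NUL-terminated; always pass oid.len */` would stop a future `strlen(oid.p)` from creeping back in. Whether `mbedtls_oid_from_numeric_string` leaves `oid.p` allocated on a non-zero return is not visible here; if it does, the early `return MBEDTLS_ERR_X509_INVALID_NAME` on that path leaks it — confirm. mbedtls_x509_string_to_names extends beyond the hunk.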
@@ -305,13 +278,13 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, &tag)) != 0) { if (numericoid) { - mbedtls_free(oid); + mbedtls_free(oid.p); return MBEDTLS_ERR_X509_INVALID_NAME; } else { if ((parse_ret = parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { - mbedtls_free(oid); + mbedtls_free(oid.p); return parse_ret; } tag = attr_descr->default_tag; @@ -332,11 +305,11 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam } #endif mbedtls_asn1_named_data *cur = - mbedtls_asn1_store_named_data(head, oid, strlen(oid), + mbedtls_asn1_store_named_data(head, (char *) oid.p, oid.len, (unsigned char *) data, data_len); - mbedtls_free(oid); - oid = NULL; + mbedtls_free(oid.p); + oid.p = NULL; if (cur == NULL) { return MBEDTLS_ERR_X509_ALLOC_FAILED; } @@ -356,8 +329,8 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam } c++; } - if (oid != NULL) { - mbedtls_free(oid); + if (oid.p != NULL) { + mbedtls_free(oid.p); } return ret; } From ba386ec23ea2a6894c27f9c7f858afdc1c2a98c6 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 16 Aug 2023 11:31:17 +0100 Subject: [PATCH 49/75] Remove magic number for null tag Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509_create.c b/library/x509_create.c index daf17a6dfe..dba76a990e 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -242,7 +242,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam int parse_ret = 0; const char *s = name, *c = s; const char *end = s + strlen(s); - mbedtls_asn1_buf oid = { .p = NULL, .len = 0, .tag = 5 }; + mbedtls_asn1_buf oid = { .p = NULL, .len = 0, .tag = MBEDTLS_ASN1_NULL }; const x509_attr_descriptor_t *attr_descr = NULL; int in_attr_type = 1; int tag; 
From 07f472a88bcde3695886da927a44454f2b003217 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 22 Aug 2023 16:29:39 +0100 Subject: [PATCH 50/75] Add corruption detected return when writing asn1 Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/library/x509.c b/library/x509.c index 62bc39b21e..18e6a18de9 100644 --- a/library/x509.c +++ b/library/x509.c @@ -875,8 +875,14 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) s[0] = '#'; asn1_len_p = asn1_tag_len_buf + 10; - asn1_len_size = mbedtls_asn1_write_len(&asn1_len_p, asn1_tag_len_buf, name->val.len); - asn1_tag_size = mbedtls_asn1_write_tag(&asn1_len_p, asn1_tag_len_buf, name->val.tag); + if((ret = mbedtls_asn1_write_len(&asn1_len_p, asn1_tag_len_buf, name->val.len)) < 0) { + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + } + asn1_len_size = ret; + if((ret = mbedtls_asn1_write_tag(&asn1_len_p, asn1_tag_len_buf, name->val.tag)) < 0) { + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + } + asn1_tag_size = ret; asn1_tag_len_buf_start = 10 - asn1_len_size - asn1_tag_size; for (i = 0, j = 1; i < asn1_len_size + asn1_tag_size; i++) { if (j + 1 >= sizeof(s) - 1) { From f3b9724dcde58ebcd61c87b40c38702ed5be16f9 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 22 Aug 2023 16:37:11 +0100 Subject: [PATCH 51/75] Remove questionable use of macro. MBEDTLS_X509_SAFE_SNPRINTF was used after mbedtls_oid_get_numeric_string so instead we have expanded the macro and kept the relevant code. Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/x509.c b/library/x509.c index 18e6a18de9..446bf249a8 100644 --- a/library/x509.c +++ b/library/x509.c 
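Review bot: Both new checks map every negative return of `mbedtls_asn1_write_len` and `mbedtls_asn1_write_tag` to `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED`, which is only right if the 10-byte `asn1_tag_len_buf` can never be too small; that depends on the buffer's declaration and on the writer's maximum length encoding, neither of which is in the hunk, so the invariant should be stated where it is relied on: `/* asn1_tag_len_buf always fits a tag plus any length the writer supports, so a failure here is an internal error, not a caller error */`. The literal `10` is also repeated in `asn1_len_p = asn1_tag_len_buf + 10` and `asn1_tag_len_buf_start = 10 - asn1_len_size - asn1_tag_size`; `sizeof(asn1_tag_len_buf)` would tie the three uses together. mbedtls_x509_dn_gets continues outside the hunk.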
@@ -861,7 +861,8 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn)
 ret = mbedtls_snprintf(p, n, "%s=", short_name);
 } else {
 if ((ret = mbedtls_oid_get_numeric_string(p, n, &name->oid)) > 0) {
- MBEDTLS_X509_SAFE_SNPRINTF;
+ n -= ret;
+ p += ret;
 ret = mbedtls_snprintf(p, n, "=");
 print_hexstring = 1;
 } else {
From 8aa74ab6a9c820ba44469f293c954cdaaafc9292 Mon Sep 17 00:00:00 2001
From: Agathiyan Bragadeesh
Date: Tue, 22 Aug 2023 16:42:27 +0100
Subject: [PATCH 52/75] Add return for buffer too small when reading OIDs
Signed-off-by: Agathiyan Bragadeesh
---
 library/x509.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/library/x509.c b/library/x509.c
index 446bf249a8..f574055e10 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -865,7 +865,10 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn)
 p += ret;
 ret = mbedtls_snprintf(p, n, "=");
 print_hexstring = 1;
- } else {
+ } else if (ret == MBEDTLS_ERR_OID_BUF_TOO_SMALL) {
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ else {
 ret = mbedtls_snprintf(p, n, "\?\?=");
 }
 }
From d9d79bb74bd54b2d71dd82cc4951e6ef173e0251 Mon Sep 17 00:00:00 2001
From: Agathiyan Bragadeesh
Date: Tue, 22 Aug 2023 16:43:58 +0100
Subject: [PATCH 53/75] Rename parse_attribute_value_ber_encoded
Now renamed to parse_attribute_value_der_encoded to be consistent with names elsewhere
Signed-off-by: Agathiyan Bragadeesh
---
 library/x509_create.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/x509_create.c b/library/x509_create.c
index dba76a990e..77f50667ae 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -189,7 +189,7 @@ static int parse_attribute_value_string(const char *s,
 }

 #if defined(MBEDTLS_ASN1_PARSE_C)
-static int parse_attribute_value_ber_encoded(const char *s,
+static int parse_attribute_value_der_encoded(const char *s,
 int len,
 unsigned char *data,
 size_t *data_len,
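Review bot: `n -= ret; p += ret;` replaces MBEDTLS_X509_SAFE_SNPRINTF without the `ret < n` guard that macro is understood to carry, so the advance is only safe if a positive return from `mbedtls_oid_get_numeric_string` is always a length that fitted in `n` — that is what the `> 0` test appears to rely on, but it is not stated. A one-line comment would make the dependency explicit: `/* ret > 0 is the number of bytes written; the OID writer only returns it when the string fit, so no overflow check is needed here */`, hedged until that contract is confirmed against the OID module. mbedtls_x509_dn_gets starts and ends outside the hunk.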
@@ -275,7 +275,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (!in_attr_type && ((*c == ',' && *(c-1) != '\\') || c == end)) { #if defined(MBEDTLS_ASN1_PARSE_C) if ((parse_ret = - parse_attribute_value_ber_encoded(s, (int) (c - s), data, &data_len, + parse_attribute_value_der_encoded(s, (int) (c - s), data, &data_len, &tag)) != 0) { if (numericoid) { mbedtls_free(oid.p); From 022f86f108890c14f2cb7e821a1bcdcec29f7f13 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 22 Aug 2023 16:56:04 +0100 Subject: [PATCH 54/75] Prevent output of escaped null characters dn gets Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/x509.c b/library/x509.c index f574055e10..42839e8f80 100644 --- a/library/x509.c +++ b/library/x509.c @@ -919,7 +919,10 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) c = name->val.p[i]; // Special characters requiring escaping, RFC 4514 Section 2.4 - if (c) { + if (c == '\0') { + return MBEDTLS_ERR_X509_INVALID_NAME; + } + else { if (strchr(",=+<>;\"\\", c) || ((i == 0) && strchr("# ", c)) || ((i == name->val.len-1) && (c == ' '))) { From 4606bf3f38286777e2f8b725f2d3129e960ba0b9 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 22 Aug 2023 17:29:18 +0100 Subject: [PATCH 55/75] Refactor reading AttributeValue in dn gets Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 77f50667ae..475d2ba377 100644 --- a/library/x509_create.c +++ b/library/x509_create.c 
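Review bot: Returning `MBEDTLS_ERR_X509_INVALID_NAME` when a NUL byte is met changes the contract of mbedtls_x509_dn_gets, which until now rendered every non-printable byte as `?`: callers that format peer certificates for logging or diagnostics will now get an error for exactly the names most worth surfacing, so the function's documentation and the changelog should record the new failure case. A comment at the check would explain the choice: `/* NUL cannot be carried in the returned C string; refuse rather than truncate silently */`. The `else` after the `return` is unnecessary and adds a nesting level. The function extends beyond the hunk.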
@@ -273,14 +273,23 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam } if (!in_attr_type && ((*c == ',' && *(c-1) != '\\') || c == end)) { + if (*s == '#') { #if defined(MBEDTLS_ASN1_PARSE_C) - if ((parse_ret = - parse_attribute_value_der_encoded(s, (int) (c - s), data, &data_len, - &tag)) != 0) { - if (numericoid) { + if ((parse_ret = + parse_attribute_value_der_encoded(s, (int) (c - s), data, &data_len, + &tag)) != 0) { mbedtls_free(oid.p); return MBEDTLS_ERR_X509_INVALID_NAME; - } else { + } +#else + return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE +#endif + } else { + if(numericoid) { + mbedtls_free(oid.p); + return MBEDTLS_ERR_X509_INVALID_NAME; + } + else { if ((parse_ret = parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { @@ -290,20 +299,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam tag = attr_descr->default_tag; } } -#else - if (!numericoid) { - if ((parse_ret = - parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { - mbedtls_free(oid); - return parse_ret; - } - tag = attr_descr->default_tag; - } - if (numericoid) { - mbedtls_free(oid); - return MBEDTLS_ERR_X509_INVALID_NAME; - } -#endif + mbedtls_asn1_named_data *cur = mbedtls_asn1_store_named_data(head, (char *) oid.p, oid.len, (unsigned char *) data, From 15df01240d339a0bf897b49854b966fd117db91a Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 22 Aug 2023 17:50:00 +0100 Subject: [PATCH 56/75] Fix code style Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 10 ++++------ library/x509_create.c | 11 +++++------ 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/library/x509.c b/library/x509.c index 42839e8f80..40da61d068 100644 --- a/library/x509.c +++ b/library/x509.c 
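Review bot: The `#else` branch `return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE` has no trailing semicolon, so a build without MBEDTLS_ASN1_PARSE_C fails to compile, and it returns without `mbedtls_free(oid.p)`, leaking the OID allocated earlier in the loop; it should read `mbedtls_free(oid.p); return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;`. In the MBEDTLS_ASN1_PARSE_C branch the `parse_ret` from `parse_attribute_value_der_encoded` is computed and then discarded in favour of `MBEDTLS_ERR_X509_INVALID_NAME`, unlike the string path that propagates `parse_ret`; if that is intended, a comment should say why. mbedtls_x509_string_to_names starts before and ends after the hunk.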
@@ -867,8 +867,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) print_hexstring = 1; } else if (ret == MBEDTLS_ERR_OID_BUF_TOO_SMALL) { return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; - } - else { + } else { ret = mbedtls_snprintf(p, n, "\?\?="); } } @@ -879,11 +878,11 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) s[0] = '#'; asn1_len_p = asn1_tag_len_buf + 10; - if((ret = mbedtls_asn1_write_len(&asn1_len_p, asn1_tag_len_buf, name->val.len)) < 0) { + if ((ret = mbedtls_asn1_write_len(&asn1_len_p, asn1_tag_len_buf, name->val.len)) < 0) { return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } asn1_len_size = ret; - if((ret = mbedtls_asn1_write_tag(&asn1_len_p, asn1_tag_len_buf, name->val.tag)) < 0) { + if ((ret = mbedtls_asn1_write_tag(&asn1_len_p, asn1_tag_len_buf, name->val.tag)) < 0) { return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } asn1_tag_size = ret; @@ -921,8 +920,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) // Special characters requiring escaping, RFC 4514 Section 2.4 if (c == '\0') { return MBEDTLS_ERR_X509_INVALID_NAME; - } - else { + } else { if (strchr(",=+<>;\"\\", c) || ((i == 0) && strchr("# ", c)) || ((i == name->val.len-1) && (c == ' '))) { diff --git a/library/x509_create.c b/library/x509_create.c index 475d2ba377..677b568454 100644 --- a/library/x509_create.c +++ b/library/x509_create.c 
@@ -276,20 +276,19 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam if (*s == '#') { #if defined(MBEDTLS_ASN1_PARSE_C) if ((parse_ret = - parse_attribute_value_der_encoded(s, (int) (c - s), data, &data_len, - &tag)) != 0) { + parse_attribute_value_der_encoded(s, (int) (c - s), data, &data_len, + &tag)) != 0) { mbedtls_free(oid.p); return MBEDTLS_ERR_X509_INVALID_NAME; - } + } #else return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE #endif } else { - if(numericoid) { + if (numericoid) { mbedtls_free(oid.p); return MBEDTLS_ERR_X509_INVALID_NAME; - } - else { + } else { if ((parse_ret = parse_attribute_value_string(s, (int) (c - s), data, &data_len)) != 0) { From 4c7d7bf583ffb7cde2d568d465e6565bb4d21b21 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 23 Aug 2023 11:28:30 +0100 Subject: [PATCH 57/75] Add guard for empty AttributeValue Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/x509_create.c b/library/x509_create.c index 677b568454..63894a590f 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -273,7 +273,10 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam } if (!in_attr_type && ((*c == ',' && *(c-1) != '\\') || c == end)) { - if (*s == '#') { + if (s >= end) { + mbedtls_free(oid.p); + return MBEDTLS_ERR_X509_INVALID_NAME; + } else if (*s == '#') { #if defined(MBEDTLS_ASN1_PARSE_C) if ((parse_ret = parse_attribute_value_der_encoded(s, (int) (c - s), data, &data_len, From 457ac84f0129b8e37cc179d5afb7255048cfba9e Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 23 Aug 2023 11:35:26 +0100 Subject: [PATCH 58/75] Refactor previous fix Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509_create.c b/library/x509_create.c index 63894a590f..91957cc733 100644 --- a/library/x509_create.c 
+++ b/library/x509_create.c
@@ -273,7 +273,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
 }

 if (!in_attr_type && ((*c == ',' && *(c-1) != '\\') || c == end)) {
- if (s >= end) {
+ if (s == c) {
 mbedtls_free(oid.p);
 return MBEDTLS_ERR_X509_INVALID_NAME;
 } else if (*s == '#') {
From de84f9d67adff28c92e9e2ccc94e21424537ddc0 Mon Sep 17 00:00:00 2001
From: Agathiyan Bragadeesh
Date: Wed, 23 Aug 2023 11:44:04 +0100
Subject: [PATCH 59/75] Add test for rejecting empty AttributeValue
Signed-off-by: Agathiyan Bragadeesh
---
 tests/suites/test_suite_x509write.data | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 2c6f59eeaf..2240d82de4 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -223,5 +223,8 @@ mbedtls_x509_string_to_names:"C=NL, O=#0C084F6666737061726B, OU=PolarSSL":"C=NL,
 X509 String to Names #19 (Accept non-ascii hexpairs)
 mbedtls_x509_string_to_names:"C=NL, O=Of\\CCspark, OU=PolarSSL":"C=NL, O=Of\\CCspark, OU=PolarSSL":0

+X509 String to Names #20 (Reject empty AttributeValue)
+mbedtls_x509_string_to_names:"C=NL, O=, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME
+
 Check max serial length
 x509_set_serial_check:
From 733766bc71b9cf7865e9c50b0e251ac6f20769e4 Mon Sep 17 00:00:00 2001
From: Agathiyan Bragadeesh
Date: Wed, 23 Aug 2023 15:43:07 +0100
Subject: [PATCH 60/75] Remove trailing whitespace in data file.
Signed-off-by: Agathiyan Bragadeesh
---
 tests/suites/test_suite_x509write.data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 2240d82de4..f755565eca 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -224,7 +224,7 @@ X509 String to Names #19 (Accept non-ascii hexpairs) mbedtls_x509_string_to_names:"C=NL, O=Of\\CCspark, OU=PolarSSL":"C=NL, O=Of\\CCspark, OU=PolarSSL":0 X509 String to Names #20 (Reject empty AttributeValue) -mbedtls_x509_string_to_names:"C=NL, O=, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME +mbedtls_x509_string_to_names:"C=NL, O=, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME Check max serial length x509_set_serial_check: From 7d20138385941cb742ed5bef8731345e604061a8 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 23 Aug 2023 15:45:37 +0100 Subject: [PATCH 61/75] Add Changelog entry for DN changes Signed-off-by: Agathiyan Bragadeesh --- ChangeLog.d/extend-distinguished-names.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/extend-distinguished-names.txt diff --git a/ChangeLog.d/extend-distinguished-names.txt b/ChangeLog.d/extend-distinguished-names.txt new file mode 100644 index 0000000000..b148424cf3 --- /dev/null +++ b/ChangeLog.d/extend-distinguished-names.txt @@ -0,0 +1,3 @@ +Features + * Accept arbitrary AttributeType and AttributeValue in certificate + Distinguished Names using RFC 4514 syntax. From ef6abd4062c3d51531a182b5f1ca55f4606c169d Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 30 Aug 2023 15:49:24 +0100 Subject: [PATCH 62/75] Add blank lines after variable declarations Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/x509_create.c b/library/x509_create.c index 91957cc733..9fdd48305b 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -158,6 +158,7 @@ static int parse_attribute_value_string(const char *s, int hexpair = 0; unsigned char *d = data; int n; + while (c < end) { if (*c == '\\') { c++; 
@@ -202,6 +203,7 @@ static int parse_attribute_value_der_encoded(const char *s, unsigned char *p; unsigned char *d = data; int n; + /* Converting from hexstring to raw binary so we can use asn1parse.c*/ if ((len < 5) || (*c != '#')) { return MBEDTLS_ERR_X509_INVALID_NAME; From e9d1c8e1ebd11cce154d357d85bfebe92c5d451c Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 30 Aug 2023 15:50:12 +0100 Subject: [PATCH 63/75] Reword and reformat comments Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 9fdd48305b..4c982d1f4f 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -163,7 +163,7 @@ static int parse_attribute_value_string(const char *s, if (*c == '\\') { c++; - /* Check for valid escaped characters in RFC 4514 in Section 3*/ + /* Check for valid escaped characters as per RFC 4514 Section 3 */ if (c + 1 < end && (n = hexpair_to_int(*c, *(c+1))) != -1) { if (n == 0) { return MBEDTLS_ERR_X509_INVALID_NAME; @@ -204,7 +204,7 @@ static int parse_attribute_value_der_encoded(const char *s, unsigned char *d = data; int n; - /* Converting from hexstring to raw binary so we can use asn1parse.c*/ + /* Converting from hexstring to raw binary so we can use asn1parse.c */ if ((len < 5) || (*c != '#')) { return MBEDTLS_ERR_X509_INVALID_NAME; } From 1aece47e8ccf5db290b24e0ccb5459e7279247f2 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 30 Aug 2023 16:04:16 +0100 Subject: [PATCH 64/75] Make hexpair_to_int take a char pointer Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 4c982d1f4f..b83fcd9e08 100644 --- a/library/x509_create.c +++ b/library/x509_create.c 
@@ -137,10 +137,11 @@ static int hex_to_int(char c) ('A' <= c && c <= 'F') ? (c - 'A' + 10) : -1; } -static int hexpair_to_int(char c1, char c2) +static int hexpair_to_int(const char *hexpair) { - int n1 = hex_to_int(c1); - int n2 = hex_to_int(c2); + int n1 = hex_to_int(*hexpair); + int n2 = hex_to_int(*(hexpair + 1)); + if (n1 != -1 && n2 != -1) { return (n1 << 4) | n2; } else { @@ -164,7 +165,7 @@ static int parse_attribute_value_string(const char *s, c++; /* Check for valid escaped characters as per RFC 4514 Section 3 */ - if (c + 1 < end && (n = hexpair_to_int(*c, *(c+1))) != -1) { + if (c + 1 < end && (n = hexpair_to_int(c)) != -1) { if (n == 0) { return MBEDTLS_ERR_X509_INVALID_NAME; } @@ -209,13 +210,13 @@ static int parse_attribute_value_der_encoded(const char *s, return MBEDTLS_ERR_X509_INVALID_NAME; } c++; - if ((*tag = hexpair_to_int(*c, *(c+1))) == -1) { + if ((*tag = hexpair_to_int(c)) == -1) { return MBEDTLS_ERR_X509_INVALID_NAME; } c += 2; p = asn1_der_buf; for (p = asn1_der_buf; c < end; c += 2) { - if ((c + 1 >= end) || (n = hexpair_to_int(*c, *(c+1))) == -1) { + if ((c + 1 >= end) || (n = hexpair_to_int(c)) == -1) { return MBEDTLS_ERR_X509_INVALID_NAME; } if (MBEDTLS_ASN1_IS_STRING_TAG(*tag) && n == 0) { From de02ee268ea0a884f4796acbcc2b6abb9a46d1cd Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 30 Aug 2023 16:12:57 +0100 Subject: [PATCH 65/75] Refactor parse_attribute_value_string Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index b83fcd9e08..307e8be4ce 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -141,7 +141,7 @@ static int hexpair_to_int(const char *hexpair) { int n1 = hex_to_int(*hexpair); int n2 = hex_to_int(*(hexpair + 1)); - + if (n1 != -1 && n2 != -1) { return (n1 << 4) | n2; } else { 
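Review bot: `hexpair_to_int(const char *hexpair)` now reads `*(hexpair + 1)` unconditionally, so every caller must guarantee two readable bytes: the parse_attribute_value_string call is guarded by `c + 1 < end` and the decoding loop by `c + 1 >= end`, but the tag read `*tag = hexpair_to_int(c)` right after `c++` relies only on the earlier `len < 5` check, which sits outside this hunk. State the precondition on the helper: `/* Requires two readable bytes at hexpair; returns 0..255, or -1 if either is not a hex digit. */`. Separately, no bound on `p` against the end of `asn1_der_buf` is visible in `for (p = asn1_der_buf; c < end; c += 2)`; if that buffer is fixed-size and `len` is not capped before the loop, an over-long hexstring overruns it — confirm against the declarations above the hunk. Both parse functions start and end outside the hunk.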
@@ -154,13 +154,12 @@ static int parse_attribute_value_string(const char *s, unsigned char *data, size_t *data_len) { - const char *c = s; - const char *end = c + len; - int hexpair = 0; + const char *c; + const char *end = s + len; unsigned char *d = data; int n; - while (c < end) { + for (c = s; c < end; c++) { if (*c == '\\') { c++; @@ -169,22 +168,19 @@ static int parse_attribute_value_string(const char *s, if (n == 0) { return MBEDTLS_ERR_X509_INVALID_NAME; } - hexpair = 1; *(d++) = n; c++; + continue; } else if (c == end || !strchr(" ,=+<>#;\"\\", *c)) { return MBEDTLS_ERR_X509_INVALID_NAME; } } - if (!hexpair) { - *(d++) = *c; - } + + *(d++) = *c; + if (d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE) { return MBEDTLS_ERR_X509_INVALID_NAME; } - - hexpair = 0; - c++; } *data_len = d - data; return 0; From 52af0d08b4c1a3bc254bbcf2380f1b6e04b28317 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 30 Aug 2023 16:22:54 +0100 Subject: [PATCH 66/75] Fix unsafe behaviour in MBEDTLS_ASN1_IS_STRING_TAG Signed-off-by: Agathiyan Bragadeesh --- include/mbedtls/asn1.h | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index 4eabea0435..3242699e72 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h 
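Review bot: After the rewrite `c` is advanced in three places — the `for` increment, the `c++` after a backslash, and the `c++` before `continue` once a hexpair is consumed — which is correct but easy to break on the next edit; a comment on the hexpair branch would anchor it: `/* c is on the first hex digit: step to the second, the loop increment moves past it */`. parse_attribute_value_string also has no header comment; a short one describing the accepted escapes (`\XX` hexpairs except `\00`, and the RFC 4514 special characters), the `MBEDTLS_X509_MAX_DN_NAME_SIZE` cap enforced by the `d - data ==` check, and the `MBEDTLS_ERR_X509_INVALID_NAME` return would let a reader review the parser without reconstructing it. The signature line and the final `return 0;` are outside the hunk.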
@@ -96,14 +96,14 @@ /* Slightly smaller way to check if tag is a string tag * compared to canonical implementation. */ -#define MBEDTLS_ASN1_IS_STRING_TAG(tag) \ - ((tag) < 32 && ( \ - ((1 << (tag)) & ((1 << MBEDTLS_ASN1_BMP_STRING) | \ - (1 << MBEDTLS_ASN1_UTF8_STRING) | \ - (1 << MBEDTLS_ASN1_T61_STRING) | \ - (1 << MBEDTLS_ASN1_IA5_STRING) | \ - (1 << MBEDTLS_ASN1_UNIVERSAL_STRING) | \ - (1 << MBEDTLS_ASN1_PRINTABLE_STRING))) != 0)) +#define MBEDTLS_ASN1_IS_STRING_TAG(tag) \ + ((unsigned int) (tag) < 32u && ( \ + ((1u << (tag)) & ((1u << MBEDTLS_ASN1_BMP_STRING) | \ + (1u << MBEDTLS_ASN1_UTF8_STRING) | \ + (1u << MBEDTLS_ASN1_T61_STRING) | \ + (1u << MBEDTLS_ASN1_IA5_STRING) | \ + (1u << MBEDTLS_ASN1_UNIVERSAL_STRING) | \ + (1u << MBEDTLS_ASN1_PRINTABLE_STRING))) != 0)) /* * Bit masks for each of the components of an ASN.1 tag as specified in From a2423debcc7175a0e5450ced386283276e95ea1a Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 30 Aug 2023 16:24:31 +0100 Subject: [PATCH 67/75] Fix code style Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 307e8be4ce..1da1587878 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -158,7 +158,7 @@ static int parse_attribute_value_string(const char *s, const char *end = s + len; unsigned char *d = data; int n; - + for (c = s; c < end; c++) { if (*c == '\\') { c++; @@ -175,9 +175,9 @@ static int parse_attribute_value_string(const char *s, return MBEDTLS_ERR_X509_INVALID_NAME; } } - + *(d++) = *c; - + if (d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE) { return MBEDTLS_ERR_X509_INVALID_NAME; } @@ -200,7 +200,7 @@ static int parse_attribute_value_der_encoded(const char *s, unsigned char *p; unsigned char *d = data; int n; - + /* Converting from hexstring to raw binary so we can use asn1parse.c */ if ((len < 5) || (*c != '#')) { return MBEDTLS_ERR_X509_INVALID_NAME; 
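Review bot: `MBEDTLS_ASN1_IS_STRING_TAG` still expands `tag` twice, and the new `(unsigned int) (tag) < 32u` guard now also rejects negative inputs such as the -1 sentinel returned by the hex helpers in x509_create.c; neither property is stated in the comment above the macro. Suggest extending it with `/* tag is evaluated twice, so it must be side-effect free; negative or out-of-range values yield 0. */`. The `1u` operands are the right fix for the previous signed `1 << (tag)`, which was undefined for tag 31.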
From 86dc08599bf0dc99b41cb497ae5c865a4f5d42a1 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 4 Sep 2023 14:53:30 +0100 Subject: [PATCH 68/75] Add asn1 write tag and len to x509 use c config Signed-off-by: Agathiyan Bragadeesh --- include/mbedtls/asn1write.h | 5 +++++ library/asn1write.c | 4 +++- library/x509.c | 6 ------ 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index 3c5072c018..6fe57c8f0e 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h @@ -48,6 +48,7 @@ extern "C" { #endif +#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) /** * \brief Write a length field in ASN.1 format. * @@ -76,7 +77,9 @@ int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start, */ int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start, unsigned char tag); +#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C */ +#if defined(MBEDTLS_ASN1_WRITE_C) /** * \brief Write raw buffer data. * @@ -393,4 +396,6 @@ mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(mbedtls_asn1_named_data * } #endif +#endif /* MBEDTLS_ASN1_WRITE_C */ + #endif /* MBEDTLS_ASN1_WRITE_H */ diff --git a/library/asn1write.c b/library/asn1write.c index c65d9370e2..4123ac3c10 100644 --- a/library/asn1write.c +++ b/library/asn1write.c @@ -19,7 +19,7 @@ #include "common.h" -#if defined(MBEDTLS_ASN1_WRITE_C) +#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) #include "mbedtls/asn1write.h" #include "mbedtls/error.h" @@ -102,7 +102,9 @@ int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start, unsign return 1; } +#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C */ +#if defined(MBEDTLS_ASN1_WRITE_C) int mbedtls_asn1_write_raw_buffer(unsigned char **p, const unsigned char *start, const unsigned char *buf, size_t size) { diff --git a/library/x509.c b/library/x509.c index 40da61d068..c1d6bd485c 100644 --- a/library/x509.c 
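Review bot: In the last asn1write.h hunk the added `#endif /* MBEDTLS_ASN1_WRITE_C */` sits after the `#ifdef __cplusplus` `}` `#endif` block, while the matching `extern "C" {` (visible as context of the first hunk) precedes the new `#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C)`; whenever MBEDTLS_ASN1_WRITE_C is undefined the closing brace is compiled out and a C++ translation unit sees an unbalanced linkage block. Move the added `#endif /* MBEDTLS_ASN1_WRITE_C */` and its blank line up so that they precede `#ifdef __cplusplus`. The asn1.h hunk `@@ -645,4 +649,6 @@` in the following commit places its `#endif /* MBEDTLS_ASN1_PARSE_C */` the same way and needs the same move.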
+++ b/library/x509.c @@ -43,9 +43,7 @@ #include "mbedtls/pem.h" #endif -#if defined(MBEDTLS_ASN1_WRITE_C) #include "mbedtls/asn1write.h" -#endif #include "mbedtls/platform.h" @@ -874,7 +872,6 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) MBEDTLS_X509_SAFE_SNPRINTF; if (print_hexstring) { -#if defined(MBEDTLS_ASN1_WRITE_C) s[0] = '#'; asn1_len_p = asn1_tag_len_buf + 10; @@ -907,9 +904,6 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) s[j++] = nibble_to_hex_digit(highbits); s[j++] = nibble_to_hex_digit(lowbits); } -#else - return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; -#endif } else { for (i = 0, j = 0; i < name->val.len; i++, j++) { if (j >= sizeof(s) - 1) { From fca0861e8eb24e67cc08d3c25b970866252d3abc Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 4 Sep 2023 15:45:37 +0100 Subject: [PATCH 69/75] Add asn1 get tag and len to x509 create config Signed-off-by: Agathiyan Bragadeesh --- include/mbedtls/asn1.h | 6 ++++++ library/asn1parse.c | 4 +++- library/x509_create.c | 8 -------- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index 3242699e72..825020fe33 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -209,6 +209,7 @@ typedef struct mbedtls_asn1_named_data { } mbedtls_asn1_named_data; +#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) /** * \brief Get the length of an ASN.1 element. * Updates the pointer to immediately behind the length. @@ -271,6 +272,9 @@ int mbedtls_asn1_get_tag(unsigned char **p, * \return An ASN.1 error code if the input does not start with * a valid ASN.1 BOOLEAN. */ +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */ + +#if defined(MBEDTLS_ASN1_PARSE_C) int mbedtls_asn1_get_bool(unsigned char **p, const unsigned char *end, int *val); 
@@ -645,4 +649,6 @@ void mbedtls_asn1_free_named_data_list_shallow(mbedtls_asn1_named_data *name); } #endif +#endif /* MBEDTLS_ASN1_PARSE_C */ + #endif /* asn1.h */ diff --git a/library/asn1parse.c b/library/asn1parse.c index d257ef4383..edc4c698ff 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -19,7 +19,7 @@ #include "common.h" -#if defined(MBEDTLS_ASN1_PARSE_C) +#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) #include "mbedtls/asn1.h" #include "mbedtls/platform_util.h" @@ -114,7 +114,9 @@ int mbedtls_asn1_get_tag(unsigned char **p, return mbedtls_asn1_get_len(p, end, len); } +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */ +#if defined(MBEDTLS_ASN1_PARSE_C) int mbedtls_asn1_get_bool(unsigned char **p, const unsigned char *end, int *val) diff --git a/library/x509_create.c b/library/x509_create.c index 1da1587878..6ef33b0336 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -30,9 +30,7 @@ #include "mbedtls/platform.h" -#if defined(MBEDTLS_ASN1_PARSE_C) #include "mbedtls/asn1.h" -#endif /* Structure linking OIDs for X.509 DN AttributeTypes to their * string representations and default string encodings used by Mbed TLS. */ @@ -186,7 +184,6 @@ static int parse_attribute_value_string(const char *s, return 0; } -#if defined(MBEDTLS_ASN1_PARSE_C) static int parse_attribute_value_der_encoded(const char *s, int len, unsigned char *data, @@ -233,7 +230,6 @@ static int parse_attribute_value_der_encoded(const char *s, return 0; } -#endif int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name) { 
@@ -276,16 +272,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam mbedtls_free(oid.p); return MBEDTLS_ERR_X509_INVALID_NAME; } else if (*s == '#') { -#if defined(MBEDTLS_ASN1_PARSE_C) if ((parse_ret = parse_attribute_value_der_encoded(s, (int) (c - s), data, &data_len, &tag)) != 0) { mbedtls_free(oid.p); return MBEDTLS_ERR_X509_INVALID_NAME; } -#else - return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -#endif } else { if (numericoid) { mbedtls_free(oid.p); From 4ce9ac8463da24796cd504e1cc65bcb756c51452 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 4 Sep 2023 16:18:26 +0100 Subject: [PATCH 70/75] Add round trip tests for x509 RDNs Signed-off-by: Agathiyan Bragadeesh --- tests/suites/test_suite_x509write.data | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index f755565eca..37679c1539 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -226,5 +226,14 @@ mbedtls_x509_string_to_names:"C=NL, O=Of\\CCspark, OU=PolarSSL":"C=NL, O=Of\\CCs X509 String to Names #20 (Reject empty AttributeValue) mbedtls_x509_string_to_names:"C=NL, O=, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME +X509 Round trip test (Escaped characters) +mbedtls_x509_string_to_names:"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":0 + +X509 Round trip test (hexstring output for non string input) +mbedtls_x509_string_to_names:"C=NL, 2.5.4.10=#03084F6666737061726B, OU=PolarSSL":"C=NL, O=#03084F6666737061726B, OU=PolarSSL":0 + +X509 Round trip test (numercoid hexstring output for unknown OID) +mbedtls_x509_string_to_names:"C=NL, 2.5.4.10.234.532=#0C084F6666737061726B, OU=PolarSSL":"C=NL, 2.5.4.10.234.532=#0C084F6666737061726B, OU=PolarSSL":0 + Check max serial length x509_set_serial_check: From d34c4262da1a33b462c813b9712796105cadfe30 Mon Sep 17 00:00:00 2001 
From: Agathiyan Bragadeesh Date: Fri, 8 Sep 2023 11:09:50 +0100 Subject: [PATCH 71/75] Move conditionals to keep doxygen with function Signed-off-by: Agathiyan Bragadeesh --- include/mbedtls/asn1.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index 825020fe33..c7aae0ff87 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -256,7 +256,9 @@ int mbedtls_asn1_get_len(unsigned char **p, int mbedtls_asn1_get_tag(unsigned char **p, const unsigned char *end, size_t *len, int tag); +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */ +#if defined(MBEDTLS_ASN1_PARSE_C) /** * \brief Retrieve a boolean ASN.1 tag and its value. * Updates the pointer to immediately behind the full tag. @@ -272,9 +274,6 @@ int mbedtls_asn1_get_tag(unsigned char **p, * \return An ASN.1 error code if the input does not start with * a valid ASN.1 BOOLEAN. */ -#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */ - -#if defined(MBEDTLS_ASN1_PARSE_C) int mbedtls_asn1_get_bool(unsigned char **p, const unsigned char *end, int *val); From c34804dea2afd10c6dba10e349caefbdf7e0b0e1 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Fri, 8 Sep 2023 11:32:19 +0100 Subject: [PATCH 72/75] Fix bug with checking max dn length with hexpairs Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index 6ef33b0336..cb9fd69967 100644 --- a/library/x509_create.c +++ b/library/x509_create.c 
@@ -168,13 +168,16 @@ static int parse_attribute_value_string(const char *s, } *(d++) = n; c++; - continue; - } else if (c == end || !strchr(" ,=+<>#;\"\\", *c)) { + } else if (c < end && strchr(" ,=+<>#;\"\\", *c)) { + *(d++) = *c; + } else { return MBEDTLS_ERR_X509_INVALID_NAME; } } + else { + *(d++) = *c; + } - *(d++) = *c; if (d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE) { return MBEDTLS_ERR_X509_INVALID_NAME; From 706a1c3c3f90583d8d2b4f73cfe5dbae7bc01ecb Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Fri, 8 Sep 2023 12:04:41 +0100 Subject: [PATCH 73/75] Fix code style Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/x509_create.c b/library/x509_create.c index cb9fd69967..eff36d5f1f 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -173,8 +173,7 @@ static int parse_attribute_value_string(const char *s, } else { return MBEDTLS_ERR_X509_INVALID_NAME; } - } - else { + } else { *(d++) = *c; } From c7959b22c6aa5d196ba229cc461ca147e6632454 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 12 Sep 2023 17:54:43 +0100 Subject: [PATCH 74/75] Remove magic number in x509.c Signed-off-by: Agathiyan Bragadeesh --- library/x509.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/library/x509.c b/library/x509.c index c1d6bd485c..790decf226 100644 --- a/library/x509.c +++ b/library/x509.c @@ -825,7 +825,8 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t i, j, n, asn1_len_size, asn1_tag_size, asn1_tag_len_buf_start; - unsigned char asn1_tag_len_buf[10]; + /* 6 is enough as our asn1 write functions only write one byte for the tag and at most five bytes for the length*/ + unsigned char asn1_tag_len_buf[6]; unsigned char *asn1_len_p; unsigned char c, merge = 0; const mbedtls_x509_name *name; 
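Review bot: The new branch `} else if (c < end && strchr(" ,=+<>#;\"\\", *c)) {` also accepts `*c == '\0'`, since strchr matches the terminating NUL of the set string; if a NUL byte can ever lie inside `[s, end)`, a backslash before it is copied into `data` instead of being rejected. Prefixing the call with `*c != '\0' &&` closes that hole at no cost. The length check below is now reached by every branch but is still an equality test; `if (d - data >= MBEDTLS_X509_MAX_DN_NAME_SIZE) {` keeps it effective should a future branch advance `d` by more than one byte. The enclosing for loop starts outside the hunk.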
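Review bot: The comment added above `unsigned char asn1_tag_len_buf[6];` is a single over-long line with no space before `*/`, and it is now the only record of why six bytes suffice for the `sizeof(asn1_tag_len_buf)` arithmetic that follows in the hexstring path. Wrap it and name the functions whose output bound it relies on, e.g. `/* One byte for the tag plus at most five bytes for the length, which is` / ` * the most mbedtls_asn1_write_tag() and mbedtls_asn1_write_len() emit. */`. The rest of mbedtls_x509_dn_gets lies outside this hunk.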
@@ -874,7 +875,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) if (print_hexstring) { s[0] = '#'; - asn1_len_p = asn1_tag_len_buf + 10; + asn1_len_p = asn1_tag_len_buf + sizeof(asn1_tag_len_buf); if ((ret = mbedtls_asn1_write_len(&asn1_len_p, asn1_tag_len_buf, name->val.len)) < 0) { return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } @@ -883,7 +884,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } asn1_tag_size = ret; - asn1_tag_len_buf_start = 10 - asn1_len_size - asn1_tag_size; + asn1_tag_len_buf_start = sizeof(asn1_tag_len_buf) - asn1_len_size - asn1_tag_size; for (i = 0, j = 1; i < asn1_len_size + asn1_tag_size; i++) { if (j + 1 >= sizeof(s) - 1) { return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; From a72ea814d8c3cec481813ee118a4b84b7137e63d Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 12 Sep 2023 17:57:09 +0100 Subject: [PATCH 75/75] Remove double blank line in x509_create.c Signed-off-by: Agathiyan Bragadeesh --- library/x509_create.c | 1 - 1 file changed, 1 deletion(-) diff --git a/library/x509_create.c b/library/x509_create.c index eff36d5f1f..1c489a3ca5 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -177,7 +177,6 @@ static int parse_attribute_value_string(const char *s, *(d++) = *c; } - if (d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE) { return MBEDTLS_ERR_X509_INVALID_NAME; }