diff --git a/library/x509_csr.c b/library/x509_csr.c index 1f133e87f5..1ea77fe976 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -78,7 +78,6 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, int ret; size_t len; unsigned char *end_ext_data; - while (*p < end) { mbedtls_x509_buf extn_oid = { 0, 0, NULL }; int ext_type = 0; @@ -86,7 +85,7 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, /* Read sequence tag */ if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } end_ext_data = *p + len; @@ -94,7 +93,7 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, /* Get extension ID */ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len, MBEDTLS_ASN1_OID)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } extn_oid.tag = MBEDTLS_ASN1_OID; @@ -104,11 +103,12 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, /* Data should be octet string type */ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } + if (*p + len != end_ext_data) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } /* @@ -116,49 +116,54 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, */ ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type); - if (ret == 0) { - /* Forbid repeated extensions */ - if ((csr->ext_types & ext_type) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS; - } + if (ret != 0) { + *p = end_ext_data; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + ret); + } - csr->ext_types |= ext_type; + /* Forbid repeated extensions */ + if ((csr->ext_types & ext_type) != 0) { + return (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_INVALID_DATA)); + } - switch (ext_type) { - case MBEDTLS_X509_EXT_KEY_USAGE: - /* Parse key usage */ - if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data, - &csr->key_usage)) != 0) { - return ret; - } - break; + csr->ext_types |= ext_type; - case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: - /* Parse subject alt name */ - if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data, - &csr->subject_alt_names)) != 0) { - return ret; - } - break; + switch (ext_type) { + case MBEDTLS_X509_EXT_KEY_USAGE: + /* Parse key usage */ + if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data, + &csr->key_usage)) != 0) { + return ret; + } + break; - case MBEDTLS_X509_EXT_NS_CERT_TYPE: - /* Parse netscape certificate type */ - if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data, - &csr->ns_cert_type)) != 0) { - return ret; - } - break; - default: - break; - } + case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: + /* Parse subject alt name */ + if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data, + &csr->subject_alt_names)) != 0) { + return ret; + } + break; + + case MBEDTLS_X509_EXT_NS_CERT_TYPE: + /* Parse netscape certificate type */ + if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data, + &csr->ns_cert_type)) != 0) { + return ret; + } + break; + default: + break; } *p = end_ext_data; } if (*p != end) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } return 0; @@ -180,14 +185,14 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr, if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } end_attr_data = *p + len; /* Get attribute ID */ if ((ret = mbedtls_asn1_get_tag(p, end_attr_data, &attr_oid.len, MBEDTLS_ASN1_OID)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } attr_oid.tag = MBEDTLS_ASN1_OID; @@ -196,24 +201,25 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr, /* Check that this is an extension-request attribute */ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS9_CSR_EXT_REQ, &attr_oid) == 0) { + if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } if ((ret = x509_csr_parse_extensions(csr, p, *p + len)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return ret; } if (*p != end_attr_data) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } } @@ -221,8 +227,8 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr, } if (*p != end) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } return 0;