From 0ab5b9392231dc585717e91593cdc7fc0ee9451a Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 29 May 2023 16:30:50 +0200 Subject: [PATCH 1/6] Add support for parsing SAN IP address Signed-off-by: Przemek Stekiel --- library/x509.c | 42 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/library/x509.c b/library/x509.c index 8a4426478d..32846f9cff 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1438,7 +1438,18 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, san_buf, sizeof(*san_buf)); } break; + /* + * IP address + */ + case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_IP_ADDRESS): + { + memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name)); + san->type = MBEDTLS_X509_SAN_IP_ADDRESS; + memcpy(&san->san.unstructured_name, + san_buf, sizeof(*san_buf)); + } + break; /* * rfc822Name */ @@ -1449,7 +1460,6 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, memcpy(&san->san.unstructured_name, san_buf, sizeof(*san_buf)); } break; - /* * directoryName */ @@ -1576,27 +1586,47 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, /* * dNSName * RFC822 Name + * iPAddress */ case MBEDTLS_X509_SAN_DNS_NAME: case MBEDTLS_X509_SAN_RFC822_NAME: + case MBEDTLS_X509_SAN_IP_ADDRESS: { const char *dns_name = "dNSName"; const char *rfc822_name = "rfc822Name"; + const char *ip_name = "iPAddress"; + + const char *name = san.type == MBEDTLS_X509_SAN_DNS_NAME ? dns_name : san.type == + MBEDTLS_X509_SAN_RFC822_NAME ? rfc822_name : ip_name; ret = mbedtls_snprintf(p, n, "\n%s %s : ", prefix, - san.type == - MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name); + name); MBEDTLS_X509_SAFE_SNPRINTF; if (san.san.unstructured_name.len >= n) { *p = '\0'; return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } - memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len); - p += san.san.unstructured_name.len; - n -= san.san.unstructured_name.len; + if (san.type == MBEDTLS_X509_SAN_IP_ADDRESS) { + int len = 0; + unsigned char *ip = san.san.unstructured_name.p; + // Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported + if (san.san.unstructured_name.len == 4) { + len = sprintf(p, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); + } else { + len = sprintf(p, "%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X", + ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], ip[7], ip[8], + ip[9], ip[10], ip[11], ip[12], ip[13], ip[14], ip[15]); + } + p += len; + n -= len; + } else { + memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len); + p += san.san.unstructured_name.len; + n -= san.san.unstructured_name.len; + } } break; From 63a4cdd1ebea3e2730b99c4aec4b822462aec3f0 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 29 May 2023 16:35:33 +0200 Subject: [PATCH 2/6] Add test to parse ipV4 and ipV6 addresses Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_x509parse.data | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 36f1df1ba0..15175cfcb2 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -128,7 +128,7 @@ x509_cert_info:"data_files/parse_input/multiple_san.crt":"cert. version \: 3 X509 CRT information, Subject Alt Name + Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n \n \nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +x509_cert_info:"data_files/parse_input/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n iPAddress \: 192.168.1.1\n iPAddress \: 192.168.69.144\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, Subject Alt Name with uniformResourceIdentifier depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 @@ -190,6 +190,10 @@ X509 CRT information Non-ASCII string in issuer name and subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 x509_cert_info:"data_files/parse_input/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nsubject name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" +X509 CRT information Parsing IPv4 and IPv6 IP names +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C +x509_cert_info:"data_files/server5-tricky-ip-san.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nissued on \: 2020-07-23 10\:27\:46\nexpires on \: 2030-07-21 10\:27\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n iPAddress \: 97.98.99.100\n iPAddress \: 6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D\n" + X509 SAN parsing otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 x509_parse_san:"data_files/parse_input/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n":0 From 093c97d492be691f788fdda06cbebb43ae5c0999 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 2 Jun 2023 10:11:32 +0200 Subject: [PATCH 3/6] Add separate case for ip address Signed-off-by: Przemek Stekiel --- library/x509.c | 57 +++++++++++++++++++++++++++++--------------------- 1 file changed, 33 insertions(+), 24 deletions(-) diff --git a/library/x509.c b/library/x509.c index 32846f9cff..c5741291e9 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1590,46 +1590,55 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, */ case MBEDTLS_X509_SAN_DNS_NAME: case MBEDTLS_X509_SAN_RFC822_NAME: - case MBEDTLS_X509_SAN_IP_ADDRESS: { const char *dns_name = "dNSName"; const char *rfc822_name = "rfc822Name"; - const char *ip_name = "iPAddress"; - - const char *name = san.type == MBEDTLS_X509_SAN_DNS_NAME ? dns_name : san.type == - MBEDTLS_X509_SAN_RFC822_NAME ? rfc822_name : ip_name; ret = mbedtls_snprintf(p, n, "\n%s %s : ", prefix, - name); + san.type == + MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name); MBEDTLS_X509_SAFE_SNPRINTF; if (san.san.unstructured_name.len >= n) { *p = '\0'; return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } - if (san.type == MBEDTLS_X509_SAN_IP_ADDRESS) { - int len = 0; - unsigned char *ip = san.san.unstructured_name.p; - // Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported - if (san.san.unstructured_name.len == 4) { - len = sprintf(p, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); - } else { - len = sprintf(p, "%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X", - ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], ip[7], ip[8], - ip[9], ip[10], ip[11], ip[12], ip[13], ip[14], ip[15]); - } - p += len; - n -= len; - } else { - memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len); - p += san.san.unstructured_name.len; - n -= san.san.unstructured_name.len; - } + memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len); + p += san.san.unstructured_name.len; + n -= san.san.unstructured_name.len; } break; + /* + * iPAddress + */ + case MBEDTLS_X509_SAN_IP_ADDRESS: + { + ret = mbedtls_snprintf(p, n, "\n%s %s : ", + prefix, "iPAddress"); + MBEDTLS_X509_SAFE_SNPRINTF; + if (san.san.unstructured_name.len >= n) { + *p = '\0'; + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + int len = 0; + unsigned char *ip = san.san.unstructured_name.p; + // Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported + if (san.san.unstructured_name.len == 4) { + len = sprintf(p, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); + } else if (san.san.unstructured_name.len == 16) { + len = sprintf(p, "%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X", + ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], ip[7], ip[8], + ip[9], ip[10], ip[11], ip[12], ip[13], ip[14], ip[15]); + } else { + return MBEDTLS_ERR_X509_BAD_INPUT_DATA; + } + p += len; + n -= len; + } + break; /* * directoryName */ From 01cb6eb251943d7ac625d82aff7aa49f71ea2d3b Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 5 Jun 2023 16:38:13 +0200 Subject: [PATCH 4/6] Fix parsing of SAN IP (use mbedtls_snprintf, validate buffer length) Signed-off-by: Przemek Stekiel --- library/x509.c | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/library/x509.c b/library/x509.c index c5741291e9..130d4e7397 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1445,9 +1445,13 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, { memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name)); san->type = MBEDTLS_X509_SAN_IP_ADDRESS; - - memcpy(&san->san.unstructured_name, - san_buf, sizeof(*san_buf)); + // Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported + if (san_buf->len == 4 || san_buf->len == 16) { + memcpy(&san->san.unstructured_name, + san_buf, sizeof(*san_buf)); + } else { + return MBEDTLS_ERR_X509_BAD_INPUT_DATA; + } } break; /* @@ -1574,7 +1578,9 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, ret = mbedtls_snprintf(p, n, "\n%s uniformResourceIdentifier : ", prefix); MBEDTLS_X509_SAFE_SNPRINTF; if (san.san.unstructured_name.len >= n) { - *p = '\0'; + if (n > 0) { + *p = '\0'; + } return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } @@ -1601,7 +1607,9 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name); MBEDTLS_X509_SAFE_SNPRINTF; if (san.san.unstructured_name.len >= n) { - *p = '\0'; + if (n > 0) { + *p = '\0'; + } return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } @@ -1619,7 +1627,9 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, prefix, "iPAddress"); MBEDTLS_X509_SAFE_SNPRINTF; if (san.san.unstructured_name.len >= n) { - *p = '\0'; + if (n > 0) { + *p = '\0'; + } return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } @@ -1627,12 +1637,17 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, unsigned char *ip = san.san.unstructured_name.p; // Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported if (san.san.unstructured_name.len == 4) { - len = sprintf(p, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); + len = mbedtls_snprintf(p, n, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]); } else if (san.san.unstructured_name.len == 16) { - len = sprintf(p, "%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X", - ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], ip[7], ip[8], - ip[9], ip[10], ip[11], ip[12], ip[13], ip[14], ip[15]); + len = mbedtls_snprintf(p, n, + "%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X", + ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], + ip[7], ip[8], ip[9], ip[10], ip[11], ip[12],ip[13], + ip[14], ip[15]); } else { + if (n > 0) { + *p = '\0'; + } return MBEDTLS_ERR_X509_BAD_INPUT_DATA; } p += len; @@ -1654,6 +1669,9 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, if (ret < 0) { mbedtls_x509_free_subject_alt_name(&san); + if (n > 0) { + *p = '\0'; + } return ret; } From 63973ab80e090d9daabe43125cf6d206f5297789 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 5 Jun 2023 16:39:57 +0200 Subject: [PATCH 5/6] Add test for invalid IP length (+use der format in tests) Signed-off-by: Przemek Stekiel --- tests/data_files/Makefile | 8 +++- ...erver5-tricky-ip-san-malformed-len.crt.der | Bin 0 -> 409 bytes tests/data_files/server5-tricky-ip-san.crt | 11 ------ .../data_files/server5-tricky-ip-san.crt.der | Bin 0 -> 409 bytes tests/suites/test_suite_x509parse.data | 36 ++++++++++-------- 5 files changed, 26 insertions(+), 29 deletions(-) create mode 100644 tests/data_files/server5-tricky-ip-san-malformed-len.crt.der delete mode 100644 tests/data_files/server5-tricky-ip-san.crt create mode 100644 tests/data_files/server5-tricky-ip-san.crt.der diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 070a8f70f9..63486167a3 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -339,8 +339,12 @@ server5-unsupported_othername.crt: server5.key server5-fan.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS FAN" -set_serial 77 -config $(test_ca_config_file) -extensions fan_cert -days 3650 -sha256 -key server5.key -out $@ -server5-tricky-ip-san.crt: server5.key - $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -out $@ +server5-tricky-ip-san.crt.der: server5.key + $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -outform der -out $@ + +# malformed IP length +server5-tricky-ip-san-malformed-len.crt.der: server5-tricky-ip-san.crt.der + hexdump -ve '1/1 "%.2X"' $< | sed "s/87046162636487106162/87056162636487106162/" | xxd -r -p > $@ server5-directoryname.crt.der: server5.key $(OPENSSL) req -x509 -outform der -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions directory_name_san -days 3650 -sha256 -key server5.key -out $@ diff --git a/tests/data_files/server5-tricky-ip-san-malformed-len.crt.der b/tests/data_files/server5-tricky-ip-san-malformed-len.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..a26da6ca04cf518827bb11b754cff5a5d6647b42 GIT binary patch literal 409 zcmXqLVw`Hw#AvgCnTe5!iP6`9i;Y98&EuRc3p0~}qan8eCmVAp3!5-gsJEe@0Y8Yt z#lzv7l$xRt;uCBrZy*a2V&)Np2`PjWWhQ4=DtHDc1Uvc}$cghB85@`xm>L=y8yK5K ziSrtRxJFPeHLQp<5N2ZsyP1g*>Ud^Gc4j9A7V|Sw9^7cbZ6vCw$uEyly`Z$&!#{HkWN`Y$Q{vdnBT HW5`SZC1H4O literal 0 HcmV?d00001 diff --git a/tests/data_files/server5-tricky-ip-san.crt b/tests/data_files/server5-tricky-ip-san.crt deleted file mode 100644 index 135830fbec..0000000000 --- a/tests/data_files/server5-tricky-ip-san.crt +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBljCCATygAwIBAgIBTTAKBggqhkjOPQQDAjBBMQswCQYDVQQGEwJVSzERMA8G -A1UECgwITWJlZCBUTFMxHzAdBgNVBAMMFk1iZWQgVExTIFRyaWNreSBJUCBTQU4w -HhcNMjAwNzIzMTAyNzQ2WhcNMzAwNzIxMTAyNzQ2WjBBMQswCQYDVQQGEwJVSzER -MA8GA1UECgwITWJlZCBUTFMxHzAdBgNVBAMMFk1iZWQgVExTIFRyaWNreSBJUCBT -QU4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3zFbZdgkeWnI+x1kt/yBu7nz5 -BpF00K0UtfdoIllikk7lANgjEf/qL9I0XV0WvYqIwmt3DVXNiioO+gHItO3/oyUw -IzAhBgNVHREEGjAYhwRhYmNkhxBhYmNkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMC -A0gAMEUCIFDc8ZALA/9Zv7dZTWrZOOp/dgPAEJRT+h68nD6KF+XyAiEAs1QqugOo -Dwru0DSEmpYkmj1Keunpd0VopM0joC1cc5A= ------END CERTIFICATE----- diff --git a/tests/data_files/server5-tricky-ip-san.crt.der b/tests/data_files/server5-tricky-ip-san.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..0bd06f845be296a056aba730844d8cb2e4b7f4db GIT binary patch literal 409 zcmXqLVw`Hw#AvgCnTe5!iP6`9i;Y98&EuRc3p0~}qan8eCmVAp3!5-gsJEe@0Y8Yt z#lzv7l$xRt;uCBrZy*a2V&)Np2`PjWWhQ4=DtHDc1Uvc}$cghB85@`xm>L=y8yK5K ziSrtRxJFPeHLQp<5N2ZsyP1g*>Ud^Gc4j9A7V|Sw9^7cbZ6vCw$uEyly`Z$&!#{HkWN`Y$Q{vdnBT HW5`SZB=vZ0 literal 0 HcmV?d00001 diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 15175cfcb2..35ad93eac4 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -191,8 +191,8 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 x509_cert_info:"data_files/parse_input/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nsubject name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" X509 CRT information Parsing IPv4 and IPv6 IP names -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C -x509_cert_info:"data_files/server5-tricky-ip-san.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nissued on \: 2020-07-23 10\:27\:46\nexpires on \: 2030-07-21 10\:27\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n iPAddress \: 97.98.99.100\n iPAddress \: 6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D\n" +depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C +x509_cert_info:"data_files/server5-tricky-ip-san.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nissued on \: 2023-06-05 11\:30\:36\nexpires on \: 2033-06-02 11\:30\:36\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n iPAddress \: 97.98.99.100\n iPAddress \: 6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D\n" X509 SAN parsing otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 @@ -234,6 +234,10 @@ X509 SAN parsing rfc822Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 x509_parse_san:"data_files/parse_input/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n":0 +X509 CRT information Parsing IP (invalid data) +depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C +x509_parse_san:"data_files/server5-tricky-ip-san-malformed-len.crt.der":"":MBEDTLS_ERR_X509_BAD_INPUT_DATA + X509 CRL information #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_crl_info:"data_files/parse_input/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n" @@ -1020,32 +1024,32 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl-futureRevocationDate.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification: domain identical to IPv4 in SubjectAltName -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt":"data_files/server5-tricky-ip-san.crt":"data_files/crl_sha256.pem":"abcd":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C +x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"abcd":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: domain identical to IPv6 in SubjectAltName -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt":"data_files/server5-tricky-ip-san.crt":"data_files/crl_sha256.pem":"abcd.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C +x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"abcd.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: matching IPv4 in SubjectAltName -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt":"data_files/server5-tricky-ip-san.crt":"data_files/crl_sha256.pem":"97.98.99.100":0:0:"":"NULL" +depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C +x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"97.98.99.100":0:0:"":"NULL" X509 CRT verification: mismatching IPv4 in SubjectAltName -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt":"data_files/server5-tricky-ip-san.crt":"data_files/crl_sha256.pem":"7.8.9.10":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C +x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"7.8.9.10":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: IPv4 with trailing data in SubjectAltName -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt":"data_files/server5-tricky-ip-san.crt":"data_files/crl_sha256.pem":"97.98.99.100?":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C +x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"97.98.99.100?":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: matching IPv6 in SubjectAltName -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt":"data_files/server5-tricky-ip-san.crt":"data_files/crl_sha256.pem":"6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D":0:0:"":"NULL" +depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C +x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D":0:0:"":"NULL" X509 CRT verification: mismatching IPv6 in SubjectAltName -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt":"data_files/server5-tricky-ip-san.crt":"data_files/crl_sha256.pem":"6162\:6364\:\:6F6D":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C +x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"6162\:6364\:\:6F6D":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: matching URI in SubjectAltName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C From 4d3fc216fca8e2c4ec145cf3abef957d6d7da2d3 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 6 Jun 2023 11:40:32 +0200 Subject: [PATCH 6/6] Use safe snprintf Signed-off-by: Przemek Stekiel --- library/x509.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/library/x509.c b/library/x509.c index 130d4e7397..6e16c4c27c 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1592,7 +1592,6 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, /* * dNSName * RFC822 Name - * iPAddress */ case MBEDTLS_X509_SAN_DNS_NAME: case MBEDTLS_X509_SAN_RFC822_NAME: @@ -1633,25 +1632,24 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } - int len = 0; unsigned char *ip = san.san.unstructured_name.p; // Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported if (san.san.unstructured_name.len == 4) { - len = mbedtls_snprintf(p, n, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]); + ret = mbedtls_snprintf(p, n, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]); + MBEDTLS_X509_SAFE_SNPRINTF; } else if (san.san.unstructured_name.len == 16) { - len = mbedtls_snprintf(p, n, + ret = mbedtls_snprintf(p, n, "%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X", ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], - ip[7], ip[8], ip[9], ip[10], ip[11], ip[12],ip[13], + ip[7], ip[8], ip[9], ip[10], ip[11], ip[12], ip[13], ip[14], ip[15]); + MBEDTLS_X509_SAFE_SNPRINTF; } else { if (n > 0) { *p = '\0'; } return MBEDTLS_ERR_X509_BAD_INPUT_DATA; } - p += len; - n -= len; } break; /*