diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 96129be366..28dfa515cd 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -313,11 +313,8 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
  * \param crt The certificate being parsed.
  * \param oid The OID of the extension.
  * \param critical Whether the extension is critical.
- * \param p On entry, \c *p points to the start of the extension value
+ * \param p Pointer to the start of the extension value
  *          (the content of the OCTET STRING).
- *          On successful completion, \c *p must point to the
- *          first byte after the extension value.
- *          On error, the value of \c *p is not undefined.
  * \param end End of extension value.
  *
  * \note The callback must fail and return a negative error code if
@@ -329,7 +326,7 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
 typedef int (*mbedtls_x509_crt_ext_cb_t)( mbedtls_x509_crt const *crt,
                                           mbedtls_x509_buf const *oid,
                                           int critical,
-                                          unsigned char **p,
+                                          const unsigned char *p,
                                           const unsigned char *end );
 
 /**
diff --git a/library/x509_crt.c b/library/x509_crt.c
index bf06872d4b..6fdee955b7 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -957,8 +957,13 @@ static int x509_get_crt_ext( unsigned char **p,
         if( ret != 0 )
         {
             /* Give the callback (if any) a chance to handle the extension */
-            if( cb != NULL && cb( crt, &extn_oid, is_critical, p, end_ext_octet ) == 0 )
+            if( cb != NULL )
             {
+                ret = cb( crt, &extn_oid, is_critical, *p, end_ext_octet );
+                if ( ret != 0 )
+                    return ( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+                *p = end_ext_octet;
                 continue;
+            }
             /* No parser found, skip extension */
             *p = end_ext_octet;
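Review bot: The rewritten `\param p` entry drops the "on successful completion *p must point past the value" contract without saying what replaces it, so a callback author can no longer tell from the header whether they are expected to consume the value or what a non-zero return does. The x509_crt.c hunk in this same diff sets `*p = end_ext_octet` unconditionally after the callback returns and propagates any non-zero return as an error from the extension parser, so the header should state both. I would extend the entry with ` *          The callback does not need to consume the value: the parser skips to \p end after it returns, and any non-zero return value is reported as an error by the extension parser.` The `\note` that begins on the hunk's last line, and the `mbedtls_x509_crt_ext_cb_t` it documents, continue outside the hunk.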
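Review bot: `return ( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );` folds an application-supplied callback result into an X.509 error code by addition, but nothing in the new code bounds what negative value the callback returns; the high+low composition used elsewhere in the library only decodes correctly when the low half is a genuine low-level code, so a callback that returns its own high-level code (or any small negative value) produces a composite no caller can interpret or match on. Either return `ret` unchanged or document the required range on the callback type, and keep `*p = end_ext_octet;` before the early return so the caller's position is defined on error, which the old doc comment explicitly promised. Two of the added lines also break the spacing convention visible in the surrounding context (`if( ret != 0 )`, `if( cb != NULL )`): they should read `if( ret != 0 )` and `return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );`. The new path is fail-closed for every extension the callback rejects regardless of `is_critical`, which is the safe direction but differs from the adjacent "no parser found, skip" path; worth confirming that is intended for non-critical extensions. `x509_get_crt_ext` begins and ends outside this hunk.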