From 91a0c44ce856cb0d94b55c55c576f808718d6be0 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Thu, 13 Feb 2025 13:45:32 -0500
Subject: [PATCH] enforce only int64 integers. that's all the decoder/encoder can handle right now
---
 share/dictionary/der/dictionary.common | 4 ++--
 share/dictionary/der/dictionary.extensions | 4 ++--
 share/dictionary/der/dictionary.rfc2986 | 2 +-
 share/dictionary/der/dictionary.rfc5280 | 2 +-
 src/protocols/der/base.c | 18 ++++++++++++++++++
 5 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/share/dictionary/der/dictionary.common b/share/dictionary/der/dictionary.common
index dc085e6cb1..4bdbaf0282 100644
--- a/share/dictionary/der/dictionary.common
+++ b/share/dictionary/der/dictionary.common
@@ -42,9 +42,9 @@ END DirectoryName
 DEFINE GeneralSubtree sequence
 BEGIN GeneralSubtree
 DEFINE base sequence clone=GeneralName
-DEFINE minimum integer option=0,has_default
+DEFINE minimum int64 option=0,has_default
 VALUE minimum DEFAULT 0
-DEFINE maximum integer option=1
+DEFINE maximum int64 option=1
 END GeneralSubtree
 DEFINE Name sequence
diff --git a/share/dictionary/der/dictionary.extensions b/share/dictionary/der/dictionary.extensions
index cf46c417e5..35e7d185a8 100644
--- a/share/dictionary/der/dictionary.extensions
+++ b/share/dictionary/der/dictionary.extensions
@@ -78,7 +78,7 @@ ATTRIBUTE basicConstraints 2.5.29.19 sequence is_oid_leaf
 BEGIN 2.5.29.19
 DEFINE cA boolean has_default
 VALUE cA DEFAULT false
-DEFINE pathLenConstraint integer
+DEFINE pathLenConstraint int64
 END 2.5.29.19
 ATTRIBUTE nameConstraints 2.5.29.30 sequence is_oid_leaf
@@ -192,4 +192,4 @@ DEFINE cRLIssuer group ref=GeneralName,subtype=sequence,sequence_of=choice
 END distributionPoint
-ATTRIBUTE inhibitAnyPolicy 2.5.29.54 integer is_oid_leaf
+ATTRIBUTE inhibitAnyPolicy 2.5.29.54 int64 is_oid_leaf
diff --git a/share/dictionary/der/dictionary.rfc2986 b/share/dictionary/der/dictionary.rfc2986
index ad17b0d1f4..85c6a36da2 100644
--- a/share/dictionary/der/dictionary.rfc2986
+++ b/share/dictionary/der/dictionary.rfc2986
@@ -7,7 +7,7 @@ BEGIN CertificateRequest
 DEFINE certificationRequestInfo tlv
 BEGIN certificationRequestInfo
-DEFINE version integer
+DEFINE version int64
 DEFINE subject tlv
 BEGIN subject
diff --git a/share/dictionary/der/dictionary.rfc5280 b/share/dictionary/der/dictionary.rfc5280
index 8a09fc4151..d57c1c9ea9 100644
--- a/share/dictionary/der/dictionary.rfc5280
+++ b/share/dictionary/der/dictionary.rfc5280
@@ -9,7 +9,7 @@ DEFINE tbsCertificate tlv
 BEGIN tbsCertificate
 DEFINE version tlv class=context-specific,tagnum=0,subtype=sequence
 BEGIN version
-DEFINE VersionNum integer
+DEFINE VersionNum int64
 END version
 DEFINE serialNumber octets tagnum=2
 DEFINE signature group ref=OID-Tree,is_pair
diff --git a/src/protocols/der/base.c b/src/protocols/der/base.c
index 06a32fe895..89569901a9 100644
--- a/src/protocols/der/base.c
+++ b/src/protocols/der/base.c
@@ -418,6 +418,24 @@ static bool attr_valid(fr_dict_attr_t *da)
 return false;
 }
+ /*
+ * The DER encoder / decoder assume that all pairs are FR_TYPE_INT64.
+ *
+ * The "on the wire" DER data has variable-sized encoding for integers,
+ * and drops leading zeros.
+ *
+ * For consistency, we disallow data types which the
+ * encoder/decoder don't handle. Except for data types
+ * in structs, because the struct encoder/decoder takes
+ * care of those.
+ */
+ if (fr_type_is_integer_except_bool(da->type) && (da->type != FR_TYPE_INT64) &&
+ (da->type != FR_TYPE_DATE) && (da->type != FR_TYPE_TIME_DELTA) &&
+ (da->parent->type != FR_TYPE_STRUCT)) {
+ fr_strerror_printf("Only 'int64' is supported by DER");
+ return false;
+ }
+
 return true;
 }
--
2.47.3
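Review bot: The new check in attr_valid dereferences `da->parent->type` with no guard on `da->parent`; unless the part of attr_valid above this hunk already establishes that every attribute reaching it has a parent, an integer-typed attribute with a NULL parent would crash the dictionary loader instead of being rejected, so the last clause is safer as `(!da->parent || (da->parent->type != FR_TYPE_STRUCT))`. The comment and the error text both say only int64 is accepted, yet the condition also lets FR_TYPE_DATE and FR_TYPE_TIME_DELTA through, and a reader cannot tell from the hunk whether that is deliberate; the comment should say why they are exempt (presumably they are carried in DER time encodings rather than INTEGER, which would need confirming), e.g. `* FR_TYPE_DATE and FR_TYPE_TIME_DELTA are exempt: they are not encoded as DER INTEGER`. Rejecting the narrower integer types at dictionary-load time is the right place for this, since it keeps a variable-length wire INTEGER from ever being decoded into a fixed-width field that cannot hold it. attr_valid begins outside the hunk.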