From: Alan T. DeKok Date: Sun, 17 May 2026 12:40:57 +0000 (-0400) Subject: update DER decoder to allow specifying a root DA to start from X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76e9c8de44aa2fd4bb76e9e5c4a3708eaeba6262;p=thirdparty%2Ffreeradius-server.git update DER decoder to allow specifying a root DA to start from
---
diff --git a/src/lib/tls/pairs.c b/src/lib/tls/pairs.c
index 36f235654d3..4fa71237698 100644
--- a/src/lib/tls/pairs.c
+++ b/src/lib/tls/pairs.c
@@ -207,7 +207,10 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c
 fr_tls_log(request, "Failed retrieving certificate");
 return -1;
 }
- der_ctx.tmp_ctx = talloc_new(ctx);
+ der_ctx = (fr_der_decode_ctx_t) {
+ .tmp_ctx = talloc_new(ctx),
+ .root = attr_der_certificate,
+ };
 cert_der = cd = talloc_array(der_ctx.tmp_ctx, uint8_t, der_len);
 i2d_X509(cert, &cd);
 fr_pair_list_init(&tmp_list);
diff --git a/src/protocols/der/decode.c b/src/protocols/der/decode.c
index 35c2683f41c..a96417dcb9c 100644
--- a/src/protocols/der/decode.c
+++ b/src/protocols/der/decode.c
@@ -2688,10 +2688,10 @@ static ssize_t fr_der_decode_proto(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t
 void *proto_ctx)
 {
 fr_dbuff_t our_in = FR_DBUFF_TMP(data, data_len);
+ fr_der_decode_ctx_t *der_ctx = proto_ctx;
+ fr_dict_attr_t const *parent = der_ctx->root;
 
- fr_dict_attr_t const *parent = fr_dict_root(dict_der);
-
- if (unlikely(parent == fr_dict_root(dict_der))) {
+ if (!parent || (parent == fr_dict_root(dict_der))) {
 fr_strerror_printf_push("Invalid dictionary. DER decoding requires a specific dictionary.");
 return -1;
 }
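Review bot: The compound-literal assignment leaves `talloc_new(ctx)` unchecked, so on allocation failure `der_ctx.tmp_ctx` is NULL and the following `talloc_array(der_ctx.tmp_ctx, ...)` is allocated against a NULL parent (which talloc treats as a fresh top-level context) instead of under `ctx`, so the certificate buffer would no longer be freed with the caller's context. A check right after the assignment, `if (unlikely(!der_ctx.tmp_ctx)) return -1;`, keeps the failure visible; the `cert_der = cd = talloc_array(...)` result on the next context line is unchecked for the same reason. fr_tls_session_pairs_from_x509_cert starts before this hunk and continues after it.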
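Review bot: `der_ctx->root` on the second added line dereferences `proto_ctx` before anything checks it, so a NULL decode context crashes here instead of reaching the new `!parent` guard; the old code never dereferenced proto_ctx at this point. Deriving parent defensively, `fr_dict_attr_t const *parent = der_ctx ? der_ctx->root : NULL;`, lets the existing guard report it as an error. The message on the following context line still says "Invalid dictionary", which no longer describes the `!parent` case; wording such as "Invalid dictionary or missing decode root. DER decoding requires a specific dictionary." would cover both. fr_der_decode_proto starts before the hunk (its signature is split across the hunk header) and its body continues after it.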
@@ -2727,14 +2727,15 @@ static ssize_t decode_pair(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_attr_t
 * Test points
 */
 static int decode_test_ctx(void **out, TALLOC_CTX *ctx, UNUSED fr_dict_t const *dict,
- UNUSED fr_dict_attr_t const *root_da)
+ fr_dict_attr_t const *root_da)
 {
 fr_der_decode_ctx_t *test_ctx;
 
 test_ctx = talloc_zero(ctx, fr_der_decode_ctx_t);
 if (!test_ctx) return -1;
 
- test_ctx->tmp_ctx = talloc_new(test_ctx);
+ test_ctx->tmp_ctx = talloc_new(test_ctx);
+ test_ctx->root = root_da;
 
 *out = test_ctx;
 
diff --git a/src/protocols/der/der.h b/src/protocols/der/der.h
index a0bc24a6e60..04c065c1f46 100644
--- a/src/protocols/der/der.h
+++ b/src/protocols/der/der.h
@@ -117,6 +117,7 @@ typedef struct {
 
 typedef struct {
 TALLOC_CTX *tmp_ctx; //!< ctx under which temporary data will be allocated
+ fr_dict_attr_t const *root; //!< where to start decoding from
 } fr_der_decode_ctx_t;
 
 static inline fr_der_attr_flags_t const *fr_der_attr_flags(fr_dict_attr_t const *da)
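Review bot: The re-added `test_ctx->tmp_ctx = talloc_new(test_ctx);` is still unchecked, unlike the `talloc_zero` two lines above it, so the test context can be handed back with a NULL tmp_ctx. A check mirroring the existing one, `if (!test_ctx->tmp_ctx) { talloc_free(test_ctx); return -1; }`, keeps the two allocations consistent. The stored `root_da` is not validated here, which seems acceptable given that fr_der_decode_proto rejects a NULL or dictionary-root parent at decode time.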
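Review bot: The new `root` field's comment does not state the contract that fr_der_decode_proto enforces on it in decode.c, where a NULL root or the DER dictionary root is rejected with an error. Since this header is what callers filling in fr_der_decode_ctx_t will read, `//!< DA to start decoding from.  Must be set, and must not be the DER dictionary root.` documents the requirement where it matters.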