From: Nikos Mavrogiannopoulos Date: Mon, 9 Mar 2015 21:19:33 +0000 (+0100) Subject: x509: use libtasn1's strict DER decoding rules in network obtained structures X-Git-Tag: gnutls_3_4_0~213 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5691dc3e4331000765c694bc101b445a80c0a9e2;p=thirdparty%2Fgnutls.git x509: use libtasn1's strict DER decoding rules in network obtained structures --- diff --git a/lib/x509/common.c b/lib/x509/common.c index 55400bfc57..321fa7d7f4 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c @@ -375,10 +375,10 @@ decode_complex_string(const struct oid_to_string *oentry, void *value, } if ((result = - asn1_der_decoding(&tmpasn, value, value_size, + _asn1_strict_der_decode(&tmpasn, value, value_size, asn1_err)) != ASN1_SUCCESS) { gnutls_assert(); - _gnutls_debug_log("asn1_der_decoding: %s\n", asn1_err); + _gnutls_debug_log("_asn1_strict_der_decode: %s\n", asn1_err); asn1_delete_structure(&tmpasn); return _gnutls_asn2err(result); } diff --git a/lib/x509/common.h b/lib/x509/common.h index 388831bf3b..ceeb58b6b2 100644 --- a/lib/x509/common.h +++ b/lib/x509/common.h @@ -244,4 +244,10 @@ gnutls_x509_crt_t *_gnutls_sort_clist(gnutls_x509_crt_t int _gnutls_check_if_sorted(gnutls_x509_crt_t * crt, int nr); +inline static int _asn1_strict_der_decode (asn1_node * element, const void *ider, + int len, char *errorDescription) +{ + return asn1_der_decoding2(element, ider, &len, ASN1_DECODE_FLAG_STRICT_DER, errorDescription); +} + #endif diff --git a/lib/x509/crl.c b/lib/x509/crl.c index d658e966e7..3b70d92819 100644 --- a/lib/x509/crl.c +++ b/lib/x509/crl.c @@ -158,7 +158,7 @@ gnutls_x509_crl_import(gnutls_x509_crl_t crl, crl->expanded = 1; result = - asn1_der_decoding(&crl->crl, crl->der.data, crl->der.size, NULL); + _asn1_strict_der_decode(&crl->crl, crl->der.data, crl->der.size, NULL); if (result != ASN1_SUCCESS) { result = _gnutls_asn2err(result); gnutls_assert(); @@ -825,7 +825,7 @@ _get_authority_key_id(gnutls_x509_crl_t cert, ASN1_TYPE * c2, return _gnutls_asn2err(ret); } - ret = asn1_der_decoding(c2, id.data, id.size, NULL); + ret = _asn1_strict_der_decode(c2, id.data, id.size, NULL); _gnutls_free_datum(&id); if (ret != ASN1_SUCCESS) { diff --git a/lib/x509/crq.c b/lib/x509/crq.c index 95d7842153..a6be6a5d82 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -144,7 +144,7 @@ gnutls_x509_crq_import(gnutls_x509_crq_t crq, } result = - asn1_der_decoding(&crq->crq, _data.data, _data.size, NULL); + _asn1_strict_der_decode(&crq->crq, _data.data, _data.size, NULL); if (result != ASN1_SUCCESS) { result = _gnutls_asn2err(result); gnutls_assert(); @@ -221,7 +221,7 @@ gnutls_x509_crq_get_private_key_usage_period(gnutls_x509_crq_t crq, goto cleanup; } - result = asn1_der_decoding(&c2, buf, buf_size, NULL); + result = _asn1_strict_der_decode(&c2, buf, buf_size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -1424,7 +1424,7 @@ gnutls_x509_crq_get_extension_info(gnutls_x509_crq_t crq, int indx, goto out; } - result = asn1_der_decoding(&c2, extensions, extensions_size, NULL); + result = _asn1_strict_der_decode(&c2, extensions, extensions_size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&c2); @@ -1589,7 +1589,7 @@ gnutls_x509_crq_get_extension_data2(gnutls_x509_crq_t crq, goto cleanup; } - result = asn1_der_decoding(&c2, extensions, extensions_size, NULL); + result = _asn1_strict_der_decode(&c2, extensions, extensions_size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -1785,7 +1785,7 @@ get_subject_alt_name(gnutls_x509_crq_t crq, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, dnsname.data, dnsname.size, NULL); + result = _asn1_strict_der_decode(&c2, dnsname.data, dnsname.size, NULL); gnutls_free(dnsname.data); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -2281,7 +2281,7 @@ gnutls_x509_crq_get_key_purpose_oid(gnutls_x509_crq_t crq, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, prev.data, prev.size, NULL); + result = _asn1_strict_der_decode(&c2, prev.data, prev.size, NULL); gnutls_free(prev.data); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -2388,7 +2388,7 @@ gnutls_x509_crq_set_key_purpose_oid(gnutls_x509_crq_t crq, /* decode it. */ result = - asn1_der_decoding(&c2, prev.data, prev.size, NULL); + _asn1_strict_der_decode(&c2, prev.data, prev.size, NULL); gnutls_free(prev.data); if (result != ASN1_SUCCESS) { gnutls_assert(); diff --git a/lib/x509/dn.c b/lib/x509/dn.c index 140071a1db..7d71abcbe7 100644 --- a/lib/x509/dn.c +++ b/lib/x509/dn.c @@ -788,7 +788,7 @@ int gnutls_x509_dn_import(gnutls_x509_dn_t dn, const gnutls_datum_t * data) int result; char err[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - result = asn1_der_decoding((ASN1_TYPE *) & dn, + result = _asn1_strict_der_decode((ASN1_TYPE *) & dn, data->data, data->size, err); if (result != ASN1_SUCCESS) { /* couldn't decode DER */ @@ -852,7 +852,7 @@ gnutls_x509_rdn_get(const gnutls_datum_t * idn, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + result = _asn1_strict_der_decode(&dn, idn->data, idn->size, NULL); if (result != ASN1_SUCCESS) { /* couldn't decode DER */ gnutls_assert(); @@ -906,7 +906,7 @@ gnutls_x509_rdn_get_by_oid(const gnutls_datum_t * idn, const char *oid, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + result = _asn1_strict_der_decode(&dn, idn->data, idn->size, NULL); if (result != ASN1_SUCCESS) { /* couldn't decode DER */ gnutls_assert(); @@ -960,7 +960,7 @@ gnutls_x509_rdn_get_oid(const gnutls_datum_t * idn, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + result = _asn1_strict_der_decode(&dn, idn->data, idn->size, NULL); if (result != ASN1_SUCCESS) { /* couldn't decode DER */ gnutls_assert(); diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c index 05c015e8e2..3f674d8a77 100644 --- a/lib/x509/extensions.c +++ b/lib/x509/extensions.c @@ -565,7 +565,7 @@ _gnutls_x509_crq_set_extension(gnutls_x509_crq_t crq, if (extensions_size > 0) { result = - asn1_der_decoding(&c2, extensions, extensions_size, + _asn1_strict_der_decode(&c2, extensions, extensions_size, NULL); gnutls_free(extensions); if (result != ASN1_SUCCESS) { @@ -626,7 +626,7 @@ _gnutls_x509_ext_extract_number(uint8_t * number, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + result = _asn1_strict_der_decode(&ext, extnValue, extnValueLen, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&ext); diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index e5b9dddf8b..fe6cfc537d 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c @@ -45,7 +45,7 @@ int _gnutls_x509_read_der_int(uint8_t * der, int dersize, bigint_t * out) return _gnutls_asn2err(result); } - result = asn1_der_decoding(&spk, der, dersize, NULL); + result = _asn1_strict_der_decode(&spk, der, dersize, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c index aa4784d32e..937d38a93f 100644 --- a/lib/x509/ocsp.c +++ b/lib/x509/ocsp.c @@ -186,7 +186,7 @@ gnutls_ocsp_req_import(gnutls_ocsp_req_t req, const gnutls_datum_t * data) } if (req->init) { - /* Any earlier asn1_der_decoding will modify the ASN.1 + /* Any earlier _asn1_strict_der_decode will modify the ASN.1 structure, so we need to replace it with a fresh structure. */ asn1_delete_structure(&req->req); @@ -200,7 +200,7 @@ gnutls_ocsp_req_import(gnutls_ocsp_req_t req, const gnutls_datum_t * data) } req->init = 1; - ret = asn1_der_decoding(&req->req, data->data, data->size, NULL); + ret = _asn1_strict_der_decode(&req->req, data->data, data->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(ret); @@ -233,7 +233,7 @@ gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp, } if (resp->init != 0) { - /* Any earlier asn1_der_decoding will modify the ASN.1 + /* Any earlier _asn1_strict_der_decode will modify the ASN.1 structure, so we need to replace it with a fresh structure. */ asn1_delete_structure(&resp->resp); @@ -261,7 +261,7 @@ gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp, } resp->init = 1; - ret = asn1_der_decoding(&resp->resp, data->data, data->size, NULL); + ret = _asn1_strict_der_decode(&resp->resp, data->data, data->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(ret); @@ -294,7 +294,7 @@ gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp, } ret = - asn1_der_decoding(&resp->basicresp, resp->der.data, resp->der.size, + _asn1_strict_der_decode(&resp->basicresp, resp->der.data, resp->der.size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 85c95192e5..e05d977319 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -148,7 +148,7 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key, } result = - asn1_der_decoding(&pkey_asn, raw_key->data, raw_key->size, + _asn1_strict_der_decode(&pkey_asn, raw_key->data, raw_key->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -263,7 +263,7 @@ _gnutls_privkey_decode_ecc_key(ASN1_TYPE* pkey_asn, const gnutls_datum_t * raw_k } ret = - asn1_der_decoding(pkey_asn, raw_key->data, raw_key->size, + _asn1_strict_der_decode(pkey_asn, raw_key->data, raw_key->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); @@ -370,7 +370,7 @@ decode_dsa_key(const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey) pkey->params.algo = GNUTLS_PK_DSA; result = - asn1_der_decoding(&dsa_asn, raw_key->data, raw_key->size, + _asn1_strict_der_decode(&dsa_asn, raw_key->data, raw_key->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index c18067fa7d..0065ae1d6b 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -852,7 +852,7 @@ read_pkcs_schema_params(schema_id * schema, const char *password, /* Decode the parameters. */ result = - asn1_der_decoding(&pbes2_asn, data, data_size, NULL); + _asn1_strict_der_decode(&pbes2_asn, data, data_size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); result = _gnutls_asn2err(result); @@ -911,7 +911,7 @@ read_pkcs_schema_params(schema_id * schema, const char *password, /* Decode the parameters. */ result = - asn1_der_decoding(&pbes2_asn, data, data_size, NULL); + _asn1_strict_der_decode(&pbes2_asn, data, data_size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); result = _gnutls_asn2err(result); @@ -1078,7 +1078,7 @@ int pkcs8_key_info(const gnutls_datum_t * raw_key, } result = - asn1_der_decoding(&pkcs8_asn, raw_key->data, raw_key->size, + _asn1_strict_der_decode(&pkcs8_asn, raw_key->data, raw_key->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -1168,7 +1168,7 @@ pkcs8_key_decode(const gnutls_datum_t * raw_key, } result = - asn1_der_decoding(&pkcs8_asn, raw_key->data, raw_key->size, + _asn1_strict_der_decode(&pkcs8_asn, raw_key->data, raw_key->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -1351,7 +1351,7 @@ decode_private_key_info(const gnutls_datum_t * der, goto error; } - result = asn1_der_decoding(&pkcs8_asn, der->data, der->size, NULL); + result = _asn1_strict_der_decode(&pkcs8_asn, der->data, der->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); result = _gnutls_asn2err(result); @@ -1576,7 +1576,7 @@ read_pbkdf2_params(ASN1_TYPE pbes2_asn, } result = - asn1_der_decoding(&pbkdf2_asn, &der->data[params_start], + _asn1_strict_der_decode(&pbkdf2_asn, &der->data[params_start], params_len, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -1764,7 +1764,7 @@ read_pbe_enc_params(ASN1_TYPE pbes2_asn, } result = - asn1_der_decoding(&pbe_asn, &der->data[params_start], + _asn1_strict_der_decode(&pbe_asn, &der->data[params_start], params_len, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); diff --git a/lib/x509/x509.c b/lib/x509/x509.c index d0371b8713..a8cd8a9a01 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -295,7 +295,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert, } if (cert->expanded) { - /* Any earlier asn1_der_decoding will modify the ASN.1 + /* Any earlier _asn1_strict_der_decode will modify the ASN.1 structure, so we need to replace it with a fresh structure. */ result = crt_reinit(cert); @@ -308,7 +308,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert, cert->expanded = 1; result = - asn1_der_decoding(&cert->cert, cert->der.data, cert->der.size, NULL); + _asn1_strict_der_decode(&cert->cert, cert->der.data, cert->der.size, NULL); if (result != ASN1_SUCCESS) { result = _gnutls_asn2err(result); gnutls_assert(); @@ -3667,7 +3667,7 @@ gnutls_x509_crt_get_authority_info_access(gnutls_x509_crt_t crt, return _gnutls_asn2err(ret); } - ret = asn1_der_decoding(&c2, aia.data, aia.size, NULL); + ret = _asn1_strict_der_decode(&c2, aia.data, aia.size, NULL); /* asn1_print_structure (stdout, c2, "", ASN1_PRINT_ALL); */ _gnutls_free_datum(&aia); if (ret != ASN1_SUCCESS) { diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c index 058a2a4595..c1f0f2d8cb 100644 --- a/lib/x509/x509_ext.c +++ b/lib/x509/x509_ext.c @@ -236,7 +236,7 @@ int gnutls_x509_ext_import_subject_alt_names(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -382,7 +382,7 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -587,7 +587,7 @@ int gnutls_x509_ext_import_subject_key_id(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -875,7 +875,7 @@ int gnutls_x509_ext_import_authority_key_id(const gnutls_datum_t * ext, return _gnutls_asn2err(ret); } - ret = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + ret = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(ret); @@ -1075,7 +1075,7 @@ int gnutls_x509_ext_import_key_usage(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&c2); @@ -1175,7 +1175,7 @@ int gnutls_x509_ext_import_private_key_usage_period(const gnutls_datum_t * ext, goto cleanup; } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -1281,7 +1281,7 @@ int gnutls_x509_ext_import_basic_constraints(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); result = _gnutls_asn2err(result); @@ -1423,7 +1423,7 @@ int gnutls_x509_ext_import_proxy(const gnutls_datum_t * ext, int *pathlen, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); result = _gnutls_asn2err(result); @@ -1580,7 +1580,7 @@ static int decode_user_notice(const void *data, size_t size, goto cleanup; } - ret = asn1_der_decoding(&c2, data, size, NULL); + ret = _asn1_strict_der_decode(&c2, data, size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); ret = GNUTLS_E_PARSING_ERROR; @@ -1796,7 +1796,7 @@ int gnutls_x509_ext_import_policies(const gnutls_datum_t * ext, goto cleanup; } - ret = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + ret = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(ret); @@ -2296,7 +2296,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -2709,7 +2709,7 @@ int gnutls_x509_ext_import_aia(const gnutls_datum_t * ext, return _gnutls_asn2err(ret); } - ret = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + ret = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(ret); @@ -2932,7 +2932,7 @@ int gnutls_x509_ext_import_key_purposes(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -3068,7 +3068,7 @@ int _gnutls_x509_decode_ext(const gnutls_datum_t *der, gnutls_x509_ext_st *out) return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, der->data, der->size, NULL); + result = _asn1_strict_der_decode(&c2, der->data, der->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result);