authorDaiki Ueno <ueno@gnu.org>2020-11-19 12:37:09 +0000
committerDaiki Ueno <ueno@gnu.org>2020-11-19 12:37:09 +0000
commit9f5dcddcaa6e89c3d0f9446fb7f2733f2933c3d9 (patch)
treea50b3f8753285333aac73f6133fee656166463b9
parent586c28d8ace9148ab01fa8ddbd63e73265611597 (diff)
parent59782d147580956a0751bd975eab5a7736a72baf (diff)
downloadgnutls-9f5dcddcaa6e89c3d0f9446fb7f2733f2933c3d9.tar.gz
Merge branch 'wip/dueno/ocsp-oid' into 'master'
_gnutls_x509_read_value: don't count terminating null byte for OIDs Closes #805 See merge request gnutls/gnutls!1358
-rw-r--r--NEWS6
-rw-r--r--lib/x509/common.c19
-rw-r--r--lib/x509/ocsp.c9
-rw-r--r--lib/x509/ocsp_output.c6
-rw-r--r--lib/x509/x509.c6
5 files changed, 32 insertions, 14 deletions
diff --git a/NEWS b/NEWS
index a1be62decf..9a67952c1e 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,12 @@ See the end for copying conditions.
output the complete path to the trusted root during certificate
chain verification (#1012)
+** libgnutls: OIDs exposed as gnutls_datum_t no longer account for the
+ terminating null bytes, while the data field is null terminated.
+ The affected API functions are: gnutls_ocsp_req_get_extension,
+ gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
+ (#805).
+
** API and ABI modifications:
gnutls_x509_trust_list_set_getissuer_function: Added
gnutls_x509_trust_list_get_ptr: Added
diff --git a/lib/x509/common.c b/lib/x509/common.c
index a1f6d62e13..9f21bb6967 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -692,7 +692,7 @@ x509_read_value(ASN1_TYPE c, const char *root,
}
if (etype == ASN1_ETYPE_BIT_STRING) {
- len = (len + 7)/8;
+ len = (len + 7) / 8;
}
tmp = gnutls_malloc((size_t) len + 1);
@@ -710,10 +710,21 @@ x509_read_value(ASN1_TYPE c, const char *root,
goto cleanup;
}
- if (etype == ASN1_ETYPE_BIT_STRING) {
- ret->size = (len+7) / 8;
- } else {
+ switch (etype) {
+ case ASN1_ETYPE_BIT_STRING:
+ ret->size = (len + 7) / 8;
+ break;
+ case ASN1_ETYPE_OBJECT_ID:
+ if (len > 0) {
+ ret->size = len - 1;
+ } else {
+ result = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
+ goto cleanup;
+ }
+ break;
+ default:
ret->size = (unsigned) len;
+ break;
}
} else {
ret->size = 0;
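Review bot: The OBJECT_ID case at `ret->size = len - 1` trims a byte without checking that it is in fact the NUL terminator, whereas the assertion this commit removes from _gnutls_parse_general_name2 did verify `data[size-1] == 0`. Should asn1_read_value ever report an OID length that does not include the terminator, the last digit of the OID would be silently dropped and every downstream `size == sizeof(X) - 1` comparison would then fail. Assuming `tmp` (allocated with `len + 1` in the previous hunk) is the buffer the value was read into, I would tighten the guard to `if (len <= 0 || tmp[len - 1] != '\0') { result = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); goto cleanup; }` followed by `ret->size = (unsigned) (len - 1);`, which also keeps the explicit cast the default branch uses. x509_read_value begins and ends outside this hunk.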
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index caa511e9db..6823c24563 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -324,7 +324,7 @@ gnutls_ocsp_resp_import2(gnutls_ocsp_resp_t resp,
}
#define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1"
- if (resp->response_type_oid.size == sizeof(OCSP_BASIC)
+ if (resp->response_type_oid.size == sizeof(OCSP_BASIC) - 1
&& memcmp(resp->response_type_oid.data, OCSP_BASIC,
resp->response_type_oid.size) == 0) {
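Review bot: The `size == sizeof(LITERAL) - 1 && memcmp(...)` idiom introduced here is repeated three more times in ocsp_output.c in this same commit, and each copy has to get the `- 1` right by hand now that OID sizes exclude the terminator. A small helper would make the intent explicit and leave one place to maintain, e.g. `static inline int oid_equals(const gnutls_datum_t *oid, const char *s) { return oid->size == strlen(s) && memcmp(oid->data, s, oid->size) == 0; }` with the call site becoming `if (oid_equals(&resp->response_type_oid, OCSP_BASIC)) {`. Placed in a header both files already include, ocsp_output.c could use it for the nonce comparisons as well. gnutls_ocsp_resp_import2 begins and ends outside this hunk.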
@@ -795,6 +795,8 @@ gnutls_ocsp_req_add_cert(gnutls_ocsp_req_t req,
* The caller needs to deallocate memory by calling gnutls_free() on
* @oid->data and @data->data.
*
+ * Since 3.7.0 @oid->size does not account for the terminating null byte.
+ *
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error code is returned. If you have reached the last
* extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will
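Review bot: The added sentence tells callers what @oid->size no longer counts but not that @oid->data is still NUL terminated, which is the property callers printing the OID with `%s` or comparing it with strcmp actually rely on; the NEWS entry in this commit does state it, so the API doc should too. I would write ` * Since 3.7.0 @oid->size does not account for the terminating null byte; @oid->data is still null terminated.` The identical sentence added to gnutls_ocsp_resp_get_response and gnutls_ocsp_resp_get_extension in the following hunks would benefit from the same wording. gnutls_ocsp_req_get_extension's body is outside this hunk.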
@@ -1088,6 +1090,9 @@ int gnutls_ocsp_resp_get_status(gnutls_ocsp_resp_const_t resp)
* Otherwise gnutls_ocsp_resp_import() will decode the basic OCSP
* response part and the caller need not worry about that aspect.
*
+ * Since 3.7.0 @response_type_oid->size does not account for the terminating
+ * null byte.
+ *
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
**/
@@ -1669,6 +1674,8 @@ gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_const_t resp,
* The caller needs to deallocate memory by calling gnutls_free() on
* @oid->data and @data->data.
*
+ * Since 3.7.0 @oid->size does not account for the terminating null byte.
+ *
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error code is returned. If you have reached the last
* extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will
diff --git a/lib/x509/ocsp_output.c b/lib/x509/ocsp_output.c
index 7f31e583b2..4e7219767e 100644
--- a/lib/x509/ocsp_output.c
+++ b/lib/x509/ocsp_output.c
@@ -109,7 +109,7 @@ static void print_req(gnutls_buffer_st * str, gnutls_ocsp_req_const_t req)
if (indx == 0)
adds(str, "\tExtensions:\n");
- if (oid.size == sizeof(GNUTLS_OCSP_NONCE) &&
+ if (oid.size == sizeof(GNUTLS_OCSP_NONCE) - 1 &&
memcmp(oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) {
gnutls_datum_t nonce;
unsigned int ncrit;
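Review bot: `sizeof(GNUTLS_OCSP_NONCE) - 1` is only the length of the nonce OID if that macro expands to a string literal, and GNUTLS_OCSP_NONCE is defined outside this file section; if it were ever changed to a `const char *` this line would still compile and silently compare oid.size against the pointer size minus one. `strlen(GNUTLS_OCSP_NONCE)` expresses the intent directly and is folded to a constant by the compiler for a literal, so I would write `if (oid.size == strlen(GNUTLS_OCSP_NONCE) &&`. The same comparison appears again in the hunk at line 473 of this file. print_req begins and ends outside this hunk.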
@@ -254,7 +254,7 @@ print_resp(gnutls_buffer_st * str, gnutls_ocsp_resp_const_t resp,
adds(str, "\tResponse Type: ");
#define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1"
- if (oid.size == sizeof(OCSP_BASIC)
+ if (oid.size == sizeof(OCSP_BASIC) - 1
&& memcmp(oid.data, OCSP_BASIC, oid.size) == 0) {
adds(str, "Basic OCSP Response\n");
gnutls_free(oid.data);
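Review bot: `#define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1"` is defined independently here and in lib/x509/ocsp.c, and both copies had to be touched in this commit for the same `- 1` adjustment, which is exactly how the two will drift apart in future. Hoisting the literal into a shared internal header next to the other OCSP OIDs, and having both files compare against that one definition, removes the duplication. The rest of print_resp lies outside this hunk.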
@@ -473,7 +473,7 @@ print_resp(gnutls_buffer_st * str, gnutls_ocsp_resp_const_t resp,
continue;
}
- if (oid.size == sizeof(GNUTLS_OCSP_NONCE) &&
+ if (oid.size == sizeof(GNUTLS_OCSP_NONCE) - 1 &&
memcmp(oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) {
gnutls_datum_t nonce;
unsigned int ncrit;
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index e9e5423da2..93468801e8 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1776,12 +1776,6 @@ _gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name,
return ret;
}
- if (type == GNUTLS_SAN_REGISTERED_ID && tmp.size > 0) {
- /* see #805; OIDs contain the null termination byte */
- assert(tmp.data[tmp.size-1] == 0);
- tmp.size--;
- }
-
/* _gnutls_x509_read_value() null terminates */
dname->size = tmp.size;
dname->data = tmp.data;