authorNikos Mavrogiannopoulos <nmav@gnutls.org>2018-01-21 11:09:36 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-02-04 09:02:07 +0100
commit979452bcfad3b409a34a9b252ecbc7e92433724b (patch)
treede61b5672686b49654881350b8ea380afa04c61b
parentc5ab69b16e4dbbd8eababdf8c8424a39a89eded8 (diff)
downloadgnutls-979452bcfad3b409a34a9b252ecbc7e92433724b.tar.gz
x509: use libtasn1's strict DER decoding rules in privkey, certificate requests and CRLs
That is, to prevent bugs due to the complexity of the BER decoder. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--lib/x509/crl.c4
-rw-r--r--lib/x509/crq.c14
-rw-r--r--lib/x509/privkey.c6
3 files changed, 12 insertions, 12 deletions
diff --git a/lib/x509/crl.c b/lib/x509/crl.c
index 568b2feddd..53d7270432 100644
--- a/lib/x509/crl.c
+++ b/lib/x509/crl.c
@@ -158,7 +158,7 @@ gnutls_x509_crl_import(gnutls_x509_crl_t crl,
crl->expanded = 1;
result =
- asn1_der_decoding(&crl->crl, crl->der.data, crl->der.size, NULL);
+ _asn1_strict_der_decode(&crl->crl, crl->der.data, crl->der.size, NULL);
if (result != ASN1_SUCCESS) {
result = _gnutls_asn2err(result);
gnutls_assert();
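Review bot: `gnutls_x509_crl_import` is public API, and with the strict decoder at this call it will start rejecting CRLs that are valid BER but not DER, yet the diffstat lists only the three `lib/x509` sources, with no test and no release note. A regression test that feeds a non-DER encoding (constructed for the test) to the import and expects the ASN.1 error path would pin the new behaviour. The same applies to `gnutls_x509_crq_import` (crq.c @@ -144) and to the extension getters in crq.c, where the rejection presumably surfaces when the getter is called rather than at import. A short comment at the call, e.g. `/* strict DER only: BER-only encodings are rejected on purpose */`, would keep a later cleanup from reverting to `asn1_der_decoding`. The function body continues outside the hunk.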
@@ -825,7 +825,7 @@ _get_authority_key_id(gnutls_x509_crl_t cert, ASN1_TYPE * c2,
return _gnutls_asn2err(ret);
}
- ret = asn1_der_decoding(c2, id.data, id.size, NULL);
+ ret = _asn1_strict_der_decode(c2, id.data, id.size, NULL);
_gnutls_free_datum(&id);
if (ret != ASN1_SUCCESS) {
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 730137300b..46a45c1efb 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -144,7 +144,7 @@ gnutls_x509_crq_import(gnutls_x509_crq_t crq,
}
result =
- asn1_der_decoding(&crq->crq, _data.data, _data.size, NULL);
+ _asn1_strict_der_decode(&crq->crq, _data.data, _data.size, NULL);
if (result != ASN1_SUCCESS) {
result = _gnutls_asn2err(result);
gnutls_assert();
@@ -202,7 +202,7 @@ gnutls_x509_crq_get_private_key_usage_period(gnutls_x509_crq_t crq,
goto cleanup;
}
- result = asn1_der_decoding(&c2, buf, buf_size, NULL);
+ result = _asn1_strict_der_decode(&c2, buf, buf_size, NULL);
if (result != ASN1_SUCCESS) {
gnutls_assert();
ret = _gnutls_asn2err(result);
@@ -1405,7 +1405,7 @@ gnutls_x509_crq_get_extension_info(gnutls_x509_crq_t crq, int indx,
goto out;
}
- result = asn1_der_decoding(&c2, extensions, extensions_size, NULL);
+ result = _asn1_strict_der_decode(&c2, extensions, extensions_size, NULL);
if (result != ASN1_SUCCESS) {
gnutls_assert();
asn1_delete_structure(&c2);
@@ -1570,7 +1570,7 @@ gnutls_x509_crq_get_extension_data2(gnutls_x509_crq_t crq,
goto cleanup;
}
- result = asn1_der_decoding(&c2, extensions, extensions_size, NULL);
+ result = _asn1_strict_der_decode(&c2, extensions, extensions_size, NULL);
if (result != ASN1_SUCCESS) {
gnutls_assert();
ret = _gnutls_asn2err(result);
@@ -1766,7 +1766,7 @@ get_subject_alt_name(gnutls_x509_crq_t crq,
return _gnutls_asn2err(result);
}
- result = asn1_der_decoding(&c2, dnsname.data, dnsname.size, NULL);
+ result = _asn1_strict_der_decode(&c2, dnsname.data, dnsname.size, NULL);
gnutls_free(dnsname.data);
if (result != ASN1_SUCCESS) {
gnutls_assert();
@@ -2262,7 +2262,7 @@ gnutls_x509_crq_get_key_purpose_oid(gnutls_x509_crq_t crq,
return _gnutls_asn2err(result);
}
- result = asn1_der_decoding(&c2, prev.data, prev.size, NULL);
+ result = _asn1_strict_der_decode(&c2, prev.data, prev.size, NULL);
gnutls_free(prev.data);
if (result != ASN1_SUCCESS) {
gnutls_assert();
@@ -2369,7 +2369,7 @@ gnutls_x509_crq_set_key_purpose_oid(gnutls_x509_crq_t crq,
/* decode it.
*/
result =
- asn1_der_decoding(&c2, prev.data, prev.size, NULL);
+ _asn1_strict_der_decode(&c2, prev.data, prev.size, NULL);
gnutls_free(prev.data);
if (result != ASN1_SUCCESS) {
gnutls_assert();
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 1252698cac..b2e4079c1e 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -147,7 +147,7 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key,
}
result =
- asn1_der_decoding(&pkey_asn, raw_key->data, raw_key->size,
+ _asn1_strict_der_decode(&pkey_asn, raw_key->data, raw_key->size,
NULL);
if (result != ASN1_SUCCESS) {
gnutls_assert();
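Review bot: The failure branch after this strict decode is cut off by the hunk, and because the decoder now rejects more inputs part-way through parsing, it is worth confirming that the branch releases `pkey_asn` with zeroisation, e.g. `asn1_delete_structure2(&pkey_asn, ASN1_DELETE_FLAG_ZEROIZE);`, so partially decoded private-key fields do not stay in heap memory. The same check applies to the failure paths in `_gnutls_privkey_decode_ecc_key` and `decode_dsa_key` in the two hunks below. Whether the existing cleanup already does this is not visible here.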
@@ -262,7 +262,7 @@ _gnutls_privkey_decode_ecc_key(ASN1_TYPE* pkey_asn, const gnutls_datum_t * raw_k
}
ret =
- asn1_der_decoding(pkey_asn, raw_key->data, raw_key->size,
+ _asn1_strict_der_decode(pkey_asn, raw_key->data, raw_key->size,
NULL);
if (ret != ASN1_SUCCESS) {
gnutls_assert();
@@ -369,7 +369,7 @@ decode_dsa_key(const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey)
pkey->params.algo = GNUTLS_PK_DSA;
result =
- asn1_der_decoding(&dsa_asn, raw_key->data, raw_key->size,
+ _asn1_strict_der_decode(&dsa_asn, raw_key->data, raw_key->size,
NULL);
if (result != ASN1_SUCCESS) {
gnutls_assert();