From 979452bcfad3b409a34a9b252ecbc7e92433724b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sun, 21 Jan 2018 11:09:36 +0100 Subject: x509: use libtasn1's strict DER decoding rules in privkey, certificate requests and CRLs That is, to prevent bugs due to the complexity of the BER decoder. Signed-off-by: Nikos Mavrogiannopoulos --- lib/x509/crl.c | 4 ++-- lib/x509/crq.c | 14 +++++++------- lib/x509/privkey.c | 6 +++--- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/x509/crl.c b/lib/x509/crl.c index 568b2feddd..53d7270432 100644 --- a/lib/x509/crl.c +++ b/lib/x509/crl.c @@ -158,7 +158,7 @@ gnutls_x509_crl_import(gnutls_x509_crl_t crl, crl->expanded = 1; result = - asn1_der_decoding(&crl->crl, crl->der.data, crl->der.size, NULL); + _asn1_strict_der_decode(&crl->crl, crl->der.data, crl->der.size, NULL); if (result != ASN1_SUCCESS) { result = _gnutls_asn2err(result); gnutls_assert(); @@ -825,7 +825,7 @@ _get_authority_key_id(gnutls_x509_crl_t cert, ASN1_TYPE * c2, return _gnutls_asn2err(ret); } - ret = asn1_der_decoding(c2, id.data, id.size, NULL); + ret = _asn1_strict_der_decode(c2, id.data, id.size, NULL); _gnutls_free_datum(&id); if (ret != ASN1_SUCCESS) { diff --git a/lib/x509/crq.c b/lib/x509/crq.c index 730137300b..46a45c1efb 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -144,7 +144,7 @@ gnutls_x509_crq_import(gnutls_x509_crq_t crq, } result = - asn1_der_decoding(&crq->crq, _data.data, _data.size, NULL); + _asn1_strict_der_decode(&crq->crq, _data.data, _data.size, NULL); if (result != ASN1_SUCCESS) { result = _gnutls_asn2err(result); gnutls_assert(); @@ -202,7 +202,7 @@ gnutls_x509_crq_get_private_key_usage_period(gnutls_x509_crq_t crq, goto cleanup; } - result = asn1_der_decoding(&c2, buf, buf_size, NULL); + result = _asn1_strict_der_decode(&c2, buf, buf_size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -1405,7 +1405,7 @@ gnutls_x509_crq_get_extension_info(gnutls_x509_crq_t crq, int indx, goto out; } - result = asn1_der_decoding(&c2, extensions, extensions_size, NULL); + result = _asn1_strict_der_decode(&c2, extensions, extensions_size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&c2); @@ -1570,7 +1570,7 @@ gnutls_x509_crq_get_extension_data2(gnutls_x509_crq_t crq, goto cleanup; } - result = asn1_der_decoding(&c2, extensions, extensions_size, NULL); + result = _asn1_strict_der_decode(&c2, extensions, extensions_size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -1766,7 +1766,7 @@ get_subject_alt_name(gnutls_x509_crq_t crq, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, dnsname.data, dnsname.size, NULL); + result = _asn1_strict_der_decode(&c2, dnsname.data, dnsname.size, NULL); gnutls_free(dnsname.data); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -2262,7 +2262,7 @@ gnutls_x509_crq_get_key_purpose_oid(gnutls_x509_crq_t crq, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, prev.data, prev.size, NULL); + result = _asn1_strict_der_decode(&c2, prev.data, prev.size, NULL); gnutls_free(prev.data); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -2369,7 +2369,7 @@ gnutls_x509_crq_set_key_purpose_oid(gnutls_x509_crq_t crq, /* decode it. */ result = - asn1_der_decoding(&c2, prev.data, prev.size, NULL); + _asn1_strict_der_decode(&c2, prev.data, prev.size, NULL); gnutls_free(prev.data); if (result != ASN1_SUCCESS) { gnutls_assert(); diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 1252698cac..b2e4079c1e 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -147,7 +147,7 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key, } result = - asn1_der_decoding(&pkey_asn, raw_key->data, raw_key->size, + _asn1_strict_der_decode(&pkey_asn, raw_key->data, raw_key->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -262,7 +262,7 @@ _gnutls_privkey_decode_ecc_key(ASN1_TYPE* pkey_asn, const gnutls_datum_t * raw_k } ret = - asn1_der_decoding(pkey_asn, raw_key->data, raw_key->size, + _asn1_strict_der_decode(pkey_asn, raw_key->data, raw_key->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); @@ -369,7 +369,7 @@ decode_dsa_key(const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey) pkey->params.algo = GNUTLS_PK_DSA; result = - asn1_der_decoding(&dsa_asn, raw_key->data, raw_key->size, + _asn1_strict_der_decode(&dsa_asn, raw_key->data, raw_key->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); -- cgit v1.2.1