From 59782d147580956a0751bd975eab5a7736a72baf Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 12 Nov 2020 08:45:03 +0100
Subject: _gnutls_x509_read_value: don't count terminating null byte for OIDs

Signed-off-by: Nikos Mavrogiannopoulos
Co-authored-by: Daiki Ueno
---
 NEWS                   |  6 ++++++
 lib/x509/common.c      | 19 +++++++++++++++----
 lib/x509/ocsp.c        |  9 ++++++++-
 lib/x509/ocsp_output.c |  6 +++---
 lib/x509/x509.c        |  6 ------
 5 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/NEWS b/NEWS
index a1be62decf..9a67952c1e 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,12 @@ See the end for copying conditions.
    output the complete path to the trusted root during certificate chain
    verification (#1012)
 
+** libgnutls: OIDs exposed as gnutls_datum_t no longer account for the
+   terminating null bytes, while the data field is null terminated.
+   The affected API functions are: gnutls_ocsp_req_get_extension,
+   gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
+   (#805).
+
 ** API and ABI modifications:
 gnutls_x509_trust_list_set_getissuer_function: Added
 gnutls_x509_trust_list_get_ptr: Added
diff --git a/lib/x509/common.c b/lib/x509/common.c
index a1f6d62e13..9f21bb6967 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -692,7 +692,7 @@ x509_read_value(ASN1_TYPE c, const char *root,
 	}
 
 	if (etype == ASN1_ETYPE_BIT_STRING) {
-		len = (len + 7)/8;
+		len = (len + 7) / 8;
 	}
 
 	tmp = gnutls_malloc((size_t) len + 1);
@@ -710,10 +710,21 @@ x509_read_value(ASN1_TYPE c, const char *root,
 			goto cleanup;
 		}
 
-		if (etype == ASN1_ETYPE_BIT_STRING) {
-			ret->size = (len+7) / 8;
-		} else {
+		switch (etype) {
+		case ASN1_ETYPE_BIT_STRING:
+			ret->size = (len + 7) / 8;
+			break;
+		case ASN1_ETYPE_OBJECT_ID:
+			if (len > 0) {
+				ret->size = len - 1;
+			} else {
+				result = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
+				goto cleanup;
+			}
+			break;
+		default:
 			ret->size = (unsigned) len;
+			break;
 		}
 	} else {
 		ret->size = 0;
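Review bot: Nothing at the new `case ASN1_ETYPE_OBJECT_ID:` branch says why `len - 1` is the right size, even though it changes what `ret->size` means for every caller of this shared helper; add `/* libtasn1 returns OIDs as a NUL-terminated dotted string and counts the terminator in len; report the string length only, data stays NUL-terminated (#805) */` above the `if (len > 0)`. That guard still admits `len == 1`, which produces a zero-length OID whose `data[0]` is the terminator; if libtasn1 can report that for a malformed element, `if (len < 2)` is the tighter reject, otherwise a comment stating that `len >= 2` is guaranteed would do. Any caller outside this patch that compares an OID datum's `size` against `sizeof("...")` now silently mismatches; the commit fixes ocsp.c and ocsp_output.c, but the diff cannot show whether other such comparisons exist, so a grep for `.size == sizeof(` under lib/x509 is worth doing before merging. x509_read_value begins and ends outside this hunk.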
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c index caa511e9db..6823c24563 100644 --- a/lib/x509/ocsp.c +++ b/lib/x509/ocsp.c @@ -324,7 +324,7 @@ gnutls_ocsp_resp_import2(gnutls_ocsp_resp_t resp, } #define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1" - if (resp->response_type_oid.size == sizeof(OCSP_BASIC) + if (resp->response_type_oid.size == sizeof(OCSP_BASIC) - 1 && memcmp(resp->response_type_oid.data, OCSP_BASIC, resp->response_type_oid.size) == 0) { @@ -795,6 +795,8 @@ gnutls_ocsp_req_add_cert(gnutls_ocsp_req_t req, * The caller needs to deallocate memory by calling gnutls_free() on * @oid->data and @data->data. * + * Since 3.7.0 @oid->size does not account for the terminating null byte. + * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error code is returned. If you have reached the last * extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will @@ -1088,6 +1090,9 @@ int gnutls_ocsp_resp_get_status(gnutls_ocsp_resp_const_t resp) * Otherwise gnutls_ocsp_resp_import() will decode the basic OCSP * response part and the caller need not worry about that aspect. * + * Since 3.7.0 @response_type_oid->size does not account for the terminating + * null byte. + * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ @@ -1669,6 +1674,8 @@ gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_const_t resp, * The caller needs to deallocate memory by calling gnutls_free() on * @oid->data and @data->data. * + * Since 3.7.0 @oid->size does not account for the terminating null byte. + * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error code is returned. If you have reached the last * extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will diff --git a/lib/x509/ocsp_output.c b/lib/x509/ocsp_output.c index 7f31e583b2..4e7219767e 100644 --- a/lib/x509/ocsp_output.c +++ b/lib/x509/ocsp_output.c 
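Review bot: `sizeof(OCSP_BASIC) - 1` on the new line is correct only because `OCSP_BASIC` is the string-literal macro defined directly above it; the same literal is defined again in lib/x509/ocsp_output.c, and this commit had to adjust the size arithmetic at four sites across two files, which is exactly the drift a single definition and one comparator avoid. I would define the OID once in a private header both files already include (the diff does not show which one) and compare with `size_t oid_len = strlen(OCSP_BASIC);` followed by `if (resp->response_type_oid.size == oid_len && memcmp(resp->response_type_oid.data, OCSP_BASIC, oid_len) == 0) {`, which stays correct even if the macro is ever turned into a `const char *` (where `sizeof` silently becomes the pointer size). The `memcmp` bounded by the datum's own size, behind the equality check, is fine either way. gnutls_ocsp_resp_import2 begins and ends outside this hunk.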
@@ -109,7 +109,7 @@ static void print_req(gnutls_buffer_st * str, gnutls_ocsp_req_const_t req)
 		if (indx == 0)
 			adds(str, "\tExtensions:\n");
 
-		if (oid.size == sizeof(GNUTLS_OCSP_NONCE) &&
+		if (oid.size == sizeof(GNUTLS_OCSP_NONCE) - 1 &&
 		    memcmp(oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) {
 			gnutls_datum_t nonce;
 			unsigned int ncrit;
@@ -254,7 +254,7 @@ print_resp(gnutls_buffer_st * str, gnutls_ocsp_resp_const_t resp,
 
 	adds(str, "\tResponse Type: ");
 #define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1"
-	if (oid.size == sizeof(OCSP_BASIC)
+	if (oid.size == sizeof(OCSP_BASIC) - 1
 	    && memcmp(oid.data, OCSP_BASIC, oid.size) == 0) {
 		adds(str, "Basic OCSP Response\n");
 		gnutls_free(oid.data);
@@ -473,7 +473,7 @@ print_resp(gnutls_buffer_st * str, gnutls_ocsp_resp_const_t resp,
 			continue;
 		}
 
-		if (oid.size == sizeof(GNUTLS_OCSP_NONCE) &&
+		if (oid.size == sizeof(GNUTLS_OCSP_NONCE) - 1 &&
 		    memcmp(oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) {
 			gnutls_datum_t nonce;
 			unsigned int ncrit;
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index c713f857a0..71a543e56d 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1776,12 +1776,6 @@ _gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name,
 		return ret;
 	}
 
-	if (type == GNUTLS_SAN_REGISTERED_ID && tmp.size > 0) {
-		/* see #805; OIDs contain the null termination byte */
-		assert(tmp.data[tmp.size-1] == 0);
-		tmp.size--;
-	}
-
 	/* _gnutls_x509_read_value() null terminates */
 	dname->size = tmp.size;
 	dname->data = tmp.data;
-- 
cgit v1.2.1
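Review bot: The rewritten comparison `oid.size == sizeof(GNUTLS_OCSP_NONCE) - 1` (here and again at line 473, plus `sizeof(OCSP_BASIC) - 1` at 254) restates the OID-datum size convention by hand at every call site, and `sizeof` on a macro is right only while the macro stays a string literal; should `GNUTLS_OCSP_NONCE` ever become a `const char *`, `sizeof` quietly becomes the pointer size and the nonce is simply never printed, with no compiler diagnostic. A file-local comparator that takes the length from the literal itself removes the arithmetic from the three sites, and the same helper would serve the matching check in lib/x509/ocsp.c. print_req and print_resp both begin and end outside these hunks.

```c
/* True when oid holds exactly the dotted-decimal OID string lit;
 * sizes from _gnutls_x509_read_value exclude the NUL terminator. */
static int oid_datum_equals(const gnutls_datum_t *oid, const char *lit)
{
	size_t n = strlen(lit);

	return oid->size == n && memcmp(oid->data, lit, n) == 0;
}

/* … unchanged: print_req up to the extension loop … */
		if (oid_datum_equals(&oid, GNUTLS_OCSP_NONCE)) {
/* … unchanged: nonce handling … */
```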