Escape special characters RFC 4514
This escapes special characters according to RFC 4514 in
mbedtls_x509_dn_gets and de-escapes them in mbedtls_x509_string_to_names.
This commit does not handle hexpairs.
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
diff --git a/library/x509.c b/library/x509.c
index ba8d719..2764ba6 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -855,12 +855,16 @@
}
c = name->val.p[i];
- // Special characters requiring escaping, RFC 1779
- if (c && strchr(",=+<>#;\"\\", c)) {
- if (j + 1 >= sizeof(s) - 1) {
- return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ // Special characters requiring escaping, RFC 4514 Section 2.4
+ if (c) {
+ if (strchr(",=+<>;\"\\+", c) ||
+ ((i == 0) && strchr("# ", c)) ||
+ ((i == name->val.len-1 ) && (c == ' '))) {
+ if (j + 1 >= sizeof(s) - 1) {
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ s[j++] = '\\';
}
- s[j++] = '\\';
}
if (c < 32 || c >= 127) {
s[j] = '?';
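Review bot: The escape set on the `strchr` line lists `+` twice (`",=+<>;\"\\+"`), which is harmless but reads as two lists pasted together; the same duplicated `+` appears in the x509_create.c hunk. `=` is not in the must-escape list of RFC 4514 Section 2.4, but escaping it is permitted and test #8 in the .data hunk depends on it, so keep it and say why with `// '=' is escaped optionally so that string_to_names round-trips`. The nested `if (c) { if (...) }` can be flattened to one condition, e.g. `if (c && (strchr(",=+<>;\"\\", c) ||`, with the two positional checks following. The enclosing loop and mbedtls_x509_dn_gets itself begin and end outside the hunk.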
diff --git a/library/x509_create.c b/library/x509_create.c
index bd772d3..170a6bc 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -153,8 +153,8 @@
if (!in_tag && *c == '\\' && c != end) {
c++;
- /* Check for valid escaped characters */
- if (c == end || *c != ',') {
+ /* Check for valid escaped characters in RFC 4514 in Section 3*/
+ if (c == end || !strchr(" ,=+<>#;\"\\+", *c)) {
ret = MBEDTLS_ERR_X509_INVALID_NAME;
goto exit;
}
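Review bot: The comment above the accepted-escape check is awkward (`/* Check for valid escaped characters in RFC 4514 in Section 3*/`); prefer `/* Accept only the single-character escapes of RFC 4514 Section 3; hexpairs are not supported */`. With this check a hexpair escape such as `\41` is rejected with MBEDTLS_ERR_X509_INVALID_NAME because `4` is not in the set, which the commit message states but the function documentation does not, so the doc comment on mbedtls_x509_string_to_names should say so. The set `" ,=+<>#;\"\\+"` also repeats `+`. The enclosing loop and function are outside the hunk.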
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 0848550..e50f590 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -184,8 +184,17 @@
X509 String to Names #6 (Escape at end)
mbedtls_x509_string_to_names:"C=NL, O=Offspark\\":"":MBEDTLS_ERR_X509_INVALID_NAME
-X509 String to Names #6 (Invalid, no '=' or ',')
+X509 String to Names #7 (Invalid, no '=' or ',')
mbedtls_x509_string_to_names:"ABC123":"":MBEDTLS_ERR_X509_INVALID_NAME
+X509 String to Names #8 (Escape valid characters)
+mbedtls_x509_string_to_names:"C=NL, O=Offspark\\+ \\> \\=, OU=PolarSSL":"C=NL, O=Offspark\\+ \\> \\=, OU=PolarSSL":0
+
+X509 String to Names #9 (Escape '#' at beginning of string)
+mbedtls_x509_string_to_names:"C=NL, O=#Offspark#, OU=PolarSSL":"C=NL, O=\\#Offspark#, OU=PolarSSL":0
+
+X509 String to Names #10 (Escape ' ' at beginning and end of string)
+mbedtls_x509_string_to_names:"C=NL, O= Off spark , OU=PolarSSL":"C=NL, O=\\ Off spark\\ , OU=PolarSSL":0
+
Check max serial length
x509_set_serial_check:
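Review bot: No case exercises the failure path of the new escape check in x509_create.c; every new test uses only accepted escape characters, so an unsupported one is never shown to return MBEDTLS_ERR_X509_INVALID_NAME. A constructed example would be `X509 String to Names #11 (Invalid escape character)` followed by `mbedtls_x509_string_to_names:"C=NL, O=Off\\aspark, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME`. A similar case with a hexpair escape would pin the "not handled" behaviour the commit message describes until hexpairs are implemented. Tests #9 and #10 correctly expect only the leading `#` and the first and last space to be escaped, matching RFC 4514 Section 2.4.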