Critical extensions are now handled the same way x509_get_crt_ext does it, except without the callback for unknown extensions.
Signed-off-by: Matthias Schulz <mschulz@hilscher.com>
diff --git a/library/x509_csr.c b/library/x509_csr.c
index ce4c081..baf2606 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -75,13 +75,13 @@
static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
unsigned char **p, const unsigned char *end)
{
- int ret;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
unsigned char *end_ext_data;
- int critical;
while (*p < end) {
mbedtls_x509_buf extn_oid = { 0, 0, NULL };
+ int is_critical = 0; /* DEFAULT FALSE */
int ext_type = 0;
/* Read sequence tag */
@@ -102,8 +102,11 @@
extn_oid.p = *p;
*p += extn_oid.len;
- /* Get and ignore optional critical flag */
- (void)mbedtls_asn1_get_bool(p, end_ext_data, &critical);
+ /* Get optional critical */
+ if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
+ (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
/* Data should be octet string type */
if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
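Review bot: The comment `/* Get optional critical */` above the new check does not say what the tolerated MBEDTLS_ERR_ASN1_UNEXPECTED_TAG return means, which is the non-obvious part of the condition; I would write `/* Get optional critical flag; UNEXPECTED_TAG means it is absent, i.e. DEFAULT FALSE (is_critical stays 0) */`. Any other failure from mbedtls_asn1_get_bool (bad length, truncated data) is now surfaced as MBEDTLS_ERR_X509_INVALID_EXTENSIONS, which matches x509_get_crt_ext. Note that an explicitly encoded `critical FALSE` is not valid DER but is still accepted here, as it is in the certificate parser; that leniency is presumably intentional and only worth a comment. The enclosing loop body continues beyond this hunk.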
@@ -157,6 +160,12 @@
default:
break;
}
+ } else {
+ if (is_critical) {
+ /* Data is marked as critical: fail */
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
}
*p = end_ext_data;
}
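Review bot: The `default: break;` branch at the top of this hunk still silently skips a critical extension whose OID the oid layer recognises but which this switch has no case for, so the new else-branch check only rejects critical extensions with OIDs that are entirely unknown; x509_get_crt_ext returns an error from its default case when is_critical is set, and this parser should do the same. I would change the default branch to `default: if (is_critical) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); } break;`. This assumes the enclosing `if`/`else`, whose condition is outside the hunk, distinguishes OIDs the oid layer mapped from those it did not; if it is something else, the gap may not exist. As a point of style, `} else { if (is_critical) {` can collapse to `} else if (is_critical) {` with no behaviour change.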