From e9e4a2a6fd33d8fc21b00cfc9816a3dd3fef47fe Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Thu, 8 Dec 2022 15:23:50 -0500 Subject: [PATCH] fix(auth): only accept v3 X.509 certificates v1 and v2 are forbidden as at least one extension is required. Instead of actually parsing the version number, just compare it with a hard-coded string. Change-Id: Ib8fd34304a0049787db77ec8c2359d0930cd4ba1 Signed-off-by: Demi Marie Obenour --- drivers/auth/mbedtls/mbedtls_x509_parser.c | 26 +++++++++++++++++----- 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c index 993ef1264..49bc008ed 100644 --- a/drivers/auth/mbedtls/mbedtls_x509_parser.c +++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c @@ -146,6 +146,21 @@ static int cert_parse(void *img, unsigned int img_len) size_t len; unsigned char *p, *end, *crt_end; mbedtls_asn1_buf sig_alg1, sig_alg2; + /* + * The unique ASN.1 DER encoding of [0] EXPLICIT INTEGER { v3(2} }. + */ + static const char v3[] = { + /* The outer CONTEXT SPECIFIC 0 tag */ + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0, + /* The number bytes used to encode the inner INTEGER */ + 3, + /* The tag of the inner INTEGER */ + MBEDTLS_ASN1_INTEGER, + /* The number of bytes needed to represent 2 */ + 1, + /* The actual value 2 */ + 2, + }; p = (unsigned char *)img; len = img_len; @@ -181,15 +196,14 @@ static int cert_parse(void *img, unsigned int img_len) tbs.len = end - tbs.p; /* - * Version ::= INTEGER { v1(0), v2(1), v3(2) } + * Version ::= [0] EXPLICIT INTEGER { v1(0), v2(1), v3(2) } + * -- only v3 accepted */ - ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONTEXT_SPECIFIC | - MBEDTLS_ASN1_CONSTRUCTED | 0); - if (ret != 0) { + if (((end - p) <= (ptrdiff_t)sizeof(v3)) || + (memcmp(p, v3, sizeof(v3)) != 0)) { return IMG_PARSER_ERR_FORMAT; } - p += len; + p += sizeof(v3); /* * CertificateSerialNumber ::= INTEGER -- 2.39.5