Squashed commit upgrading to mbedtls-3.6.0
Squash merging branch import/mbedtls-3.6.0
0fc9291f4 ("libmbedtls: bignum: restore mbedtls_mpi_exp_mod() from v3.5.2")
0ef87b1e6 ("libmbedtls: reset minimum rsa key size")
70b079496 ("libmbedtls: adjust use of rsa pk_wrap API")
6cf76464f ("libmbedtls: allow inclusion of arm_neon.h")
27df5c911 ("libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode")
aa584f9ed ("libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly")
523ae957e ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()")
30bdb1bbf ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()")
e45cdab62 ("libmbedtls: add SM2 curve")
d2fda4fc2 ("libmbedtls: fix no CRT issue")
ab0eb5515 ("libmbedtls: add interfaces in mbedtls for context memory operation")
7925a6f26 ("libmedtls: mpi_miller_rabin: increase count limit")
8eaf69279 ("libmbedtls: add mbedtls_mpi_init_mempool()")
12e83fc8d ("libmbedtls: make mbedtls_mpi_mont*() available")
f9e261da5 ("mbedtls: configure mbedtls to reach for config")
7b6f378d7 ("mbedtls: remove default include/mbedtls/config.h")
c16331743 ("Import mbedtls-3.6.0")
Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
diff --git a/lib/libmbedtls/mbedtls/library/x509_csr.c b/lib/libmbedtls/mbedtls/library/x509_csr.c
index cd117cb..813d644 100644
--- a/lib/libmbedtls/mbedtls/library/x509_csr.c
+++ b/lib/libmbedtls/mbedtls/library/x509_csr.c
@@ -2,19 +2,7 @@
* X.509 Certificate Signing Request (CSR) parsing
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* The ITU-T X.509 standard defines a certificate format for PKI.
@@ -32,6 +20,7 @@
#if defined(MBEDTLS_X509_CSR_PARSE_C)
#include "mbedtls/x509_csr.h"
+#include "x509_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
@@ -73,13 +62,17 @@
* Parse CSR extension requests in DER format
*/
static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
- unsigned char **p, const unsigned char *end)
+ unsigned char **p, const unsigned char *end,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
{
- int ret;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
- unsigned char *end_ext_data;
+ unsigned char *end_ext_data, *end_ext_octet;
+
while (*p < end) {
mbedtls_x509_buf extn_oid = { 0, 0, NULL };
+ int is_critical = 0; /* DEFAULT FALSE */
int ext_type = 0;
/* Read sequence tag */
@@ -100,13 +93,21 @@
extn_oid.p = *p;
*p += extn_oid.len;
+ /* Get optional critical */
+ if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
+ (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
/* Data should be octet string type */
if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
- if (*p + len != end_ext_data) {
+ end_ext_octet = *p + len;
+
+ if (end_ext_octet != end_ext_data) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
@@ -116,44 +117,72 @@
*/
ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
- if (ret == 0) {
- /* Forbid repeated extensions */
- if ((csr->ext_types & ext_type) != 0) {
+ if (ret != 0) {
+ /* Give the callback (if any) a chance to handle the extension */
+ if (cb != NULL) {
+ ret = cb(p_ctx, csr, &extn_oid, is_critical, *p, end_ext_octet);
+ if (ret != 0 && is_critical) {
+ return ret;
+ }
+ *p = end_ext_octet;
+ continue;
+ }
+
+ /* No parser found, skip extension */
+ *p = end_ext_octet;
+
+ if (is_critical) {
+ /* Data is marked as critical: fail */
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_INVALID_DATA);
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
}
-
- csr->ext_types |= ext_type;
-
- switch (ext_type) {
- case MBEDTLS_X509_EXT_KEY_USAGE:
- /* Parse key usage */
- if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
- &csr->key_usage)) != 0) {
- return ret;
- }
- break;
-
- case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
- /* Parse subject alt name */
- if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
- &csr->subject_alt_names)) != 0) {
- return ret;
- }
- break;
-
- case MBEDTLS_X509_EXT_NS_CERT_TYPE:
- /* Parse netscape certificate type */
- if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
- &csr->ns_cert_type)) != 0) {
- return ret;
- }
- break;
- default:
- break;
- }
+ continue;
}
- *p = end_ext_data;
+
+ /* Forbid repeated extensions */
+ if ((csr->ext_types & ext_type) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_DATA);
+ }
+
+ csr->ext_types |= ext_type;
+
+ switch (ext_type) {
+ case MBEDTLS_X509_EXT_KEY_USAGE:
+ /* Parse key usage */
+ if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
+ &csr->key_usage)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+ /* Parse subject alt name */
+ if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
+ &csr->subject_alt_names)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+ /* Parse netscape certificate type */
+ if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
+ &csr->ns_cert_type)) != 0) {
+ return ret;
+ }
+ break;
+ default:
+ /*
+ * If this is a non-critical extension, which the oid layer
+ * supports, but there isn't an x509 parser for it,
+ * skip the extension.
+ */
+ if (is_critical) {
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ } else {
+ *p = end_ext_octet;
+ }
+ }
}
if (*p != end) {
@@ -168,7 +197,9 @@
* Parse CSR attributes in DER format
*/
static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
- const unsigned char *start, const unsigned char *end)
+ const unsigned char *start, const unsigned char *end,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
{
int ret;
size_t len;
@@ -207,7 +238,7 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
- if ((ret = x509_csr_parse_extensions(csr, p, *p + len)) != 0) {
+ if ((ret = x509_csr_parse_extensions(csr, p, *p + len, cb, p_ctx)) != 0) {
return ret;
}
@@ -231,8 +262,10 @@
/*
* Parse a CSR in DER format
*/
-int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
- const unsigned char *buf, size_t buflen)
+static int mbedtls_x509_csr_parse_der_internal(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
@@ -296,7 +329,7 @@
}
end = p + len;
- csr->cri.len = end - csr->cri.p;
+ csr->cri.len = (size_t) (end - csr->cri.p);
/*
* Version ::= INTEGER { v1(0) }
@@ -329,7 +362,7 @@
return ret;
}
- csr->subject_raw.len = p - csr->subject_raw.p;
+ csr->subject_raw.len = (size_t) (p - csr->subject_raw.p);
/*
* subjectPKInfo SubjectPublicKeyInfo
@@ -356,7 +389,7 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
}
- if ((ret = x509_csr_parse_attributes(csr, p, p + len)) != 0) {
+ if ((ret = x509_csr_parse_attributes(csr, p, p + len, cb, p_ctx)) != 0) {
mbedtls_x509_csr_free(csr);
return ret;
}
@@ -396,6 +429,26 @@
}
/*
+ * Parse a CSR in DER format
+ */
+int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen)
+{
+ return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, NULL, NULL);
+}
+
+/*
+ * Parse a CSR in DER format with callback for unknown extensions
+ */
+int mbedtls_x509_csr_parse_der_with_ext_cb(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
+{
+ return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, cb, p_ctx);
+}
+
+/*
* Parse a CSR, allowing for PEM or raw DER encoding
*/
int mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen)
@@ -460,8 +513,7 @@
ret = mbedtls_x509_csr_parse(csr, buf, n);
- mbedtls_platform_zeroize(buf, n);
- mbedtls_free(buf);
+ mbedtls_zeroize_and_free(buf, n);
return ret;
}
@@ -578,8 +630,7 @@
mbedtls_asn1_sequence_free(csr->subject_alt_names.next);
if (csr->raw.p != NULL) {
- mbedtls_platform_zeroize(csr->raw.p, csr->raw.len);
- mbedtls_free(csr->raw.p);
+ mbedtls_zeroize_and_free(csr->raw.p, csr->raw.len);
}
mbedtls_platform_zeroize(csr, sizeof(mbedtls_x509_csr));