Merge branch 'mbedtls-1.3'
diff --git a/ChangeLog b/ChangeLog
index 00a771e..f23aee6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,9 +28,14 @@
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
builds where the configuration POLARSSL_PEM_WRITE_C is not defined. Found
by inestlerode. #559.
+ * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
+ data structure until after error checks are successful. Found by
+ subramanyam-c. #622
* Fix documentation and implementation missmatch for function arguments of
mbedtls_gcm_finish(). Found by cmiatpaar. #602
* Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
+ * Fix check for validity of date when parsing in mbedtls_x509_get_time().
+ Found by subramanyam-c. #626
* Fix missing return code check after call to md_init_ctx() that could
result in usage of invalid md_ctx in rsa_rsaes_oaep_encrypt(),
rsa_rsaes_oaep_decrypt(), rsa_rsassa_pss_sign() and
diff --git a/library/x509.c b/library/x509.c
index 0d54beb..e671fab 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -76,6 +76,7 @@
#endif
#define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
+#define CHECK_RANGE(min, max, val) if( val < min || val > max ){ return( ret ); }
/*
* CertificateSerialNumber ::= INTEGER
@@ -489,6 +490,33 @@
return 0;
}
+static int x509_date_is_valid(const x509_time *time)
+{
+ int ret = POLARSSL_ERR_X509_INVALID_DATE;
+
+ CHECK_RANGE( 0, 9999, time->year );
+ CHECK_RANGE( 0, 23, time->hour );
+ CHECK_RANGE( 0, 59, time->min );
+ CHECK_RANGE( 0, 59, time->sec );
+
+ switch( time->mon )
+ {
+ case 1: case 3: case 5: case 7: case 8: case 10: case 12:
+ CHECK_RANGE( 1, 31, time->day );
+ break;
+ case 4: case 6: case 9: case 11:
+ CHECK_RANGE( 1, 30, time->day );
+ break;
+ case 2:
+ CHECK_RANGE( 1, 28 + (time->year % 4 == 0), time->day );
+ break;
+ default:
+ return( ret );
+ }
+
+ return( 0 );
+}
+
/*
* Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4) field.
*/
@@ -618,16 +646,18 @@
{
int ret;
size_t len;
+ int tag_type;
if( ( end - *p ) < 1 )
return( POLARSSL_ERR_X509_INVALID_SIGNATURE +
POLARSSL_ERR_ASN1_OUT_OF_DATA );
- sig->tag = **p;
+ tag_type = **p;
if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 )
return( POLARSSL_ERR_X509_INVALID_SIGNATURE + ret );
+ sig->tag = tag_type;
sig->len = len;
sig->p = *p;
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index b6c3bdb..b289fc9 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1463,3 +1463,39 @@
X509 File parse (trailing spaces, OK)
depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509parse_crt_file:"data_files/server7_trailing_space.crt":0
+
+X509 Get time (UTC no issues)
+depends_on:POLARSSL_X509_USE_C
+x509_get_time:ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0
+
+X509 Get time (Generalized Time no issues)
+depends_on:POLARSSL_X509_USE_C
+x509_get_time:ASN1_GENERALIZED_TIME:"99991231235959Z":0:9999:12:31:23:59:59
+
+X509 Get time (UTC year without leap day)
+depends_on:POLARSSL_X509_USE_C
+x509_get_time:ASN1_UTC_TIME:"490229121212Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC year with leap day)
+depends_on:POLARSSL_X509_USE_C
+x509_get_time:ASN1_UTC_TIME:"000229121212Z":0:2000:2:29:12:12:12
+
+X509 Get time (UTC invalid day of month #1)
+depends_on:POLARSSL_X509_USE_C
+x509_get_time:ASN1_UTC_TIME:"000132121212Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid day of month #2)
+depends_on:POLARSSL_X509_USE_C
+x509_get_time:ASN1_UTC_TIME:"001131121212Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid hour)
+depends_on:POLARSSL_X509_USE_C
+x509_get_time:ASN1_UTC_TIME:"001130241212Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid min)
+depends_on:POLARSSL_X509_USE_C
+x509_get_time:ASN1_UTC_TIME:"001130236012Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid sec)
+depends_on:POLARSSL_X509_USE_C
+x509_get_time:ASN1_UTC_TIME:"001130235960Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0:0:0:0
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 18837c5..eee8241 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1,4 +1,5 @@
/* BEGIN_HEADER */
+#include "polarssl/x509.h"
#include "polarssl/x509_crt.h"
#include "polarssl/x509_crl.h"
#include "polarssl/x509_csr.h"
@@ -594,6 +595,39 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:POLARSSL_X509_USE_C */
+void x509_get_time( int tag, char *time_str, int ret,
+ int year, int mon, int day,
+ int hour, int min, int sec )
+{
+ x509_time time;
+ unsigned char buf[17];
+ unsigned char* start = buf;
+ unsigned char* end = buf;
+
+ memset( &time, 0x00, sizeof( time ) );
+ *end = (unsigned char)tag; end++;
+ if( tag == ASN1_UTC_TIME )
+ *end = 13;
+ else
+ *end = 15;
+ end++;
+ memcpy( end, time_str, (size_t)*(end - 1) );
+ end += *(end - 1);
+
+ TEST_ASSERT( x509_get_time( &start, end, &time ) == ret );
+ if( ret == 0 )
+ {
+ TEST_ASSERT( year == time.year );
+ TEST_ASSERT( mon == time.mon );
+ TEST_ASSERT( day == time.day );
+ TEST_ASSERT( hour == time.hour );
+ TEST_ASSERT( min == time.min );
+ TEST_ASSERT( sec == time.sec );
+ }
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_RSASSA_PSS_SUPPORT */
void x509_parse_rsassa_pss_params( char *hex_params, int params_tag,
int ref_msg_md, int ref_mgf_md,