Apply patches

2026-04-24 00:00:05 +08:00 · 2020-08-18 13:54:37 +03:00
parent a559b32781
commit 7b1f143822
15 changed files with 212 additions and 18 deletions
@@ -254,38 +254,95 @@ FN_OID_GET_ATTR1(mbedtls_oid_get_attr_short_name, oid_x520_attr_t, x520_attr, co
 typedef struct {
    mbedtls_oid_descriptor_t    descriptor;
    int                 ext_type;
+    int                 is_supported;
 } oid_x509_ext_t;

 static const oid_x509_ext_t oid_x509_ext[] =
 {
    {
-        { ADD_LEN( MBEDTLS_OID_BASIC_CONSTRAINTS ),    "id-ce-basicConstraints",   "Basic Constraints" },
-        MBEDTLS_X509_EXT_BASIC_CONSTRAINTS,
+        { ADD_LEN( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),    "id-ce-authorityKeyIdentifier",      "Authority Key Identifier" },
+        MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER, 0,
    },
    {
-        { ADD_LEN( MBEDTLS_OID_KEY_USAGE ),            "id-ce-keyUsage",           "Key Usage" },
-        MBEDTLS_X509_EXT_KEY_USAGE,
+        { ADD_LEN( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ),      "id-ce-subjectKeyIdentifier",        "Subject Key Identifier" },
+        MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER, 0,
    },
    {
-        { ADD_LEN( MBEDTLS_OID_EXTENDED_KEY_USAGE ),   "id-ce-extKeyUsage",        "Extended Key Usage" },
-        MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE,
+        { ADD_LEN( MBEDTLS_OID_KEY_USAGE ),                   "id-ce-keyUsage",                    "Key Usage" },
+        MBEDTLS_X509_EXT_KEY_USAGE, 1,
    },
    {
-        { ADD_LEN( MBEDTLS_OID_SUBJECT_ALT_NAME ),     "id-ce-subjectAltName",     "Subject Alt Name" },
-        MBEDTLS_X509_EXT_SUBJECT_ALT_NAME,
+        { ADD_LEN( MBEDTLS_OID_CERTIFICATE_POLICIES ),        "id-ce-certificatePolicies",         "Certificate Policies" },
+        MBEDTLS_X509_EXT_CERTIFICATE_POLICIES, 0,
    },
    {
-        { ADD_LEN( MBEDTLS_OID_NS_CERT_TYPE ),         "id-netscape-certtype",     "Netscape Certificate Type" },
-        MBEDTLS_X509_EXT_NS_CERT_TYPE,
+        { ADD_LEN( MBEDTLS_OID_POLICY_MAPPINGS ),             "id-ce-policyMappings",              "Policy Mapping" },
+        MBEDTLS_X509_EXT_POLICY_MAPPINGS, 0,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_ISSUER_ALT_NAME ),             "id-ce-issuerAltName",               "Issuer Alt Name" },
+        MBEDTLS_X509_EXT_ISSUER_ALT_NAME, 0,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS ),     "id-ce-subjectDirectoryAttributes",  "Subject Directory Attributes" },
+        MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS, 0,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_BASIC_CONSTRAINTS ),           "id-ce-basicConstraints",            "Basic Constraints" },
+        MBEDTLS_X509_EXT_BASIC_CONSTRAINTS, 1,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_NAME_CONSTRAINTS ),            "id-ce-nameConstraints",             "Name Constraints" },
+        MBEDTLS_X509_EXT_NAME_CONSTRAINTS, 0,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_POLICY_CONSTRAINTS ),          "id-ce-policyConstraints",           "Policy Constraints" },
+        MBEDTLS_X509_EXT_POLICY_CONSTRAINTS, 0,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_EXTENDED_KEY_USAGE ),          "id-ce-extKeyUsage",                 "Extended Key Usage" },
+        MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE, 1
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_CRL_DISTRIBUTION_POINTS ),     "id-ce-cRLDistributionPoints",       "CRL Distribution Points" },
+        MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS, 0,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_INIHIBIT_ANYPOLICY ),          "id-ce-inhibitAnyPolicy",            "Inhibit Any Policy" },
+        MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY, 0,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_FRESHEST_CRL ),                "id-ce-freshestCRL",                 "Freshest CRL" },
+        MBEDTLS_X509_EXT_FRESHEST_CRL, 0,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_SUBJECT_ALT_NAME ),            "id-ce-subjectAltName",              "Subject Alt Name" },
+        MBEDTLS_X509_EXT_SUBJECT_ALT_NAME, 1
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_NS_CERT_TYPE ),                "id-netscape-certtype",              "Netscape Certificate Type" },
+        MBEDTLS_X509_EXT_NS_CERT_TYPE, 1
    },
    {
        { NULL, 0, NULL, NULL },
-        0,
+        0, 0
    },
 };

 FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
-FN_OID_GET_ATTR1(mbedtls_oid_get_x509_ext_type, oid_x509_ext_t, x509_ext, int, ext_type)
+FN_OID_GET_ATTR2(mbedtls_oid_get_x509_ext_type_supported, oid_x509_ext_t, x509_ext, int, ext_type, int, is_supported)
+
+int mbedtls_oid_get_x509_ext_type( const mbedtls_asn1_buf *oid, int *ext_type )
+{
+    int ret = 0;
+    int is_supported = 0;
+
+    ret = mbedtls_oid_get_x509_ext_type_supported(oid, ext_type, &is_supported);
+    if( is_supported == 0 )
+        ret = MBEDTLS_ERR_OID_NOT_FOUND;
+
+    return( ret );
+}

 static const mbedtls_oid_descriptor_t oid_ext_key_usage[] =
 {
@@ -4668,6 +4668,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )

    mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );

+    ssl->session_negotiate->peer_cert->allowed_unsupported_critical_exts =
+        ssl->conf->allowed_unsupported_critical_exts;
+
    i += 3;

    while( i < ssl->in_hslen )
@@ -6626,6 +6629,11 @@ void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
 }
 #endif /* MBEDTLS_SSL_RENEGOTIATION */

+void mbedtls_ssl_conf_allow_unsupported_critical_exts( mbedtls_ssl_config *conf, uint32_t exts )
+{
+    conf->allowed_unsupported_critical_exts = exts;
+}
+
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 #if defined(MBEDTLS_SSL_CLI_C)
 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
@@ -564,13 +564,20 @@ static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
    /*
     * Parse seconds if present
     */
-    if ( len >= 2 )
+    if ( len >= 2 && **p >= '0' && **p <= '9' )
    {
        CHECK( x509_parse_int( p, 2, &tm->sec ) );
        len -= 2;
    }
    else
+    {
+#if defined(MBEDTLS_RELAXED_X509_DATE)
+	/* if relaxed mode, allow seconds to be absent */
+	tm->sec = 0;
+#else
        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+#endif
+    }

    /*
     * Parse trailing 'Z' if present
@@ -580,6 +587,15 @@ static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
        (*p)++;
        len--;
    }
+#if defined(MBEDTLS_RELAXED_X509_DATE)
+    else if ( len == 5 && **p == '+' )
+    {
+	int tz; /* throwaway timezone */
+	(*p)++;
+	CHECK( x509_parse_int( p, 4, &tz ) );
+	return 0;
+    }
+#endif

    /*
     * We should have parsed all characters at this point
@@ -539,6 +539,7 @@ static int x509_get_crt_ext( unsigned char **p,
    int ret;
    size_t len;
    unsigned char *end_ext_data, *end_ext_octet;
+    int is_supported;

    if( *p == end )
        return( 0 );
@@ -593,9 +594,9 @@ static int x509_get_crt_ext( unsigned char **p,
        /*
         * Detect supported extensions
         */
-        ret = mbedtls_oid_get_x509_ext_type( &extn_oid, &ext_type );
+        ret = mbedtls_oid_get_x509_ext_type_supported( &extn_oid, &ext_type, &is_supported );

-        if( ret != 0 )
+        if( ( ret != 0 ) || ( is_supported == 0 ) )
        {
            /* No parser found, skip extension */
            *p = end_ext_octet;
@@ -603,6 +604,10 @@ static int x509_get_crt_ext( unsigned char **p,
 #if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
            if( is_critical )
            {
+                /* Do not fail if extension is found, but unsupported and allowed in runtime */
+                if( ( ret == 0 ) && ( ext_type & crt->allowed_unsupported_critical_exts ) )
+                    continue;
+
                /* Data is marked as critical: fail */
                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
                        MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
@@ -956,6 +961,7 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *bu

        prev = crt;
        mbedtls_x509_crt_init( crt->next );
+        crt->next->allowed_unsupported_critical_exts = crt->allowed_unsupported_critical_exts;
        crt = crt->next;
    }