Fix to restore --enable-asn=original. Fixes for building with ASN original (old). Add the new limit checks for alt names and subtree to the old ASN code.

2024-07-24 08:28:25 -07:00 · 2024-07-24 08:28:25 -07:00 · 007f9ea39d
commit 007f9ea39d
parent d0782a97ce
2 changed files with 20 additions and 5 deletions
--- a/configure.ac
+++ b/configure.ac
@ -4762,10 +4762,10 @@ else
    fi
    if test "$ENABLED_ASN" = "yes"; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_TEMPLATE"
+    elif test "$ENABLED_ASN" == "original"; then
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_ORIGINAL"
    else
-        if test "$ENABLED_ASN" != "original"; then
-            AC_MSG_ERROR([Invalid asn option. Valid are: template or original. Seen: $ENABLED_ASN.])
-        fi
+        AC_MSG_ERROR([Invalid asn option. Valid are: template or original. Seen: $ENABLED_ASN.])
    fi

    # turn off ASN if leanpsk on
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -6920,7 +6920,7 @@ int ToTraditionalInline_ex2(const byte* input, word32* inOutIdx, word32 sz,

    if (tag == ASN_OBJECT_ID) {
        if ((*algId == ECDSAk) && (eccOid != NULL)) {
-            if (GetObjectId(input, &idx, eccOid, oidCurveType, maxIdx) < 0)
+            if (GetObjectId(input, &idx, eccOid, oidCurveType, sz) < 0)
                return ASN_PARSE_E;
        }
        else {
@ -18590,6 +18590,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
 #ifndef WOLFSSL_ASN_TEMPLATE
    word32 idx = 0;
    int length = 0;
+    word32 numNames = 0;

    WOLFSSL_ENTER("DecodeAltNames");

@ -18622,8 +18623,13 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
            return BUFFER_E;
        }

-        current_byte = input[idx++];
+        numNames++;
+        if (numNames > WOLFSSL_MAX_ALT_NAMES) {
+            WOLFSSL_MSG("\tToo many subject alternative names");
+            return ASN_ALT_NAME_E;
+        }

+        current_byte = input[idx++];
        length--;

        /* Save DNS Type names in the altNames list. */
@ -20153,6 +20159,7 @@ static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
 #ifndef WOLFSSL_ASN_TEMPLATE
    word32 idx = 0;
    int ret = 0;
+    word32 cnt = 0;

    (void)heap;

@ -20161,6 +20168,14 @@ static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
        word32 nameIdx;
        byte b, bType;

+        if (limit > 0) {
+            cnt++;
+            if (cnt > limit) {
+                WOLFSSL_MSG("too many name constraints");
+                return ASN_NAME_INVALID_E;
+            }
+        }
+
        if (GetSequence(input, &idx, &seqLength, sz) < 0) {
            WOLFSSL_MSG("\tfail: should be a SEQUENCE");
            return ASN_PARSE_E;