/src/libspdm/os_stub/mbedtlslib/mbedtls/library/x509write.c

Source (jump to first uncovered line)
/*
 *  X.509 internal, common functions for writing
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
#include "common.h"
#if defined(MBEDTLS_X509_CSR_WRITE_C) || defined(MBEDTLS_X509_CRT_WRITE_C)

#include "mbedtls/x509_crt.h"
#include "x509_internal.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"

#include <string.h>
#include <stdint.h>

#if defined(MBEDTLS_PEM_WRITE_C)
#include "mbedtls/pem.h"
#endif /* MBEDTLS_PEM_WRITE_C */

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "md_psa.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */

#define CHECK_OVERFLOW_ADD(a, b) \
    do                         \
    {                           \
        if (a > SIZE_MAX - (b)) \
        { \
            return MBEDTLS_ERR_X509_BAD_INPUT_DATA; \
        }                            \
        a += b; \
    } while (0)

int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions,
                                      const mbedtls_x509_san_list *san_list)
{
    int ret = 0;
    const mbedtls_x509_san_list *cur;
    unsigned char *buf;
    unsigned char *p;
    size_t len;
    size_t buflen = 0;

    /* Determine the maximum size of the SubjectAltName list */
    for (cur = san_list; cur != NULL; cur = cur->next) {
        /* Calculate size of the required buffer */
        switch (cur->node.type) {
            case MBEDTLS_X509_SAN_DNS_NAME:
            case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
            case MBEDTLS_X509_SAN_IP_ADDRESS:
            case MBEDTLS_X509_SAN_RFC822_NAME:
                /* length of value for each name entry,
                 * maximum 4 bytes for the length field,
                 * 1 byte for the tag/type.
                 */
                CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len);
                CHECK_OVERFLOW_ADD(buflen, 4 + 1);
                break;
            case MBEDTLS_X509_SAN_DIRECTORY_NAME:
            {
                const mbedtls_asn1_named_data *chunk = &cur->node.san.directory_name;
                while (chunk != NULL) {
                    // Max 4 bytes for length, +1 for tag,
                    // additional 4 max for length, +1 for tag.
                    // See x509_write_name for more information.
                    CHECK_OVERFLOW_ADD(buflen, 4 + 1 + 4 + 1);
                    CHECK_OVERFLOW_ADD(buflen, chunk->oid.len);
                    CHECK_OVERFLOW_ADD(buflen, chunk->val.len);
                    chunk = chunk->next;
                }
                CHECK_OVERFLOW_ADD(buflen, 4 + 1);
                break;
            }
            default:
                /* Not supported - return. */
                return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
        }
    }

    /* Add the extra length field and tag */
    CHECK_OVERFLOW_ADD(buflen, 4 + 1);

    /* Allocate buffer */
    buf = mbedtls_calloc(1, buflen);
    if (buf == NULL) {
        return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
    }
    p = buf + buflen;

    /* Write ASN.1-based structure */
    cur = san_list;
    len = 0;
    while (cur != NULL) {
        size_t single_san_len = 0;
        switch (cur->node.type) {
            case MBEDTLS_X509_SAN_DNS_NAME:
            case MBEDTLS_X509_SAN_RFC822_NAME:
            case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
            case MBEDTLS_X509_SAN_IP_ADDRESS:
            {
                const unsigned char *unstructured_name =
                    (const unsigned char *) cur->node.san.unstructured_name.p;
                size_t unstructured_name_len = cur->node.san.unstructured_name.len;

                MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
                                             mbedtls_asn1_write_raw_buffer(
                                                 &p, buf,
                                                 unstructured_name, unstructured_name_len));
                MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len, mbedtls_asn1_write_len(
                                                 &p, buf, unstructured_name_len));
                MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
                                             mbedtls_asn1_write_tag(
                                                 &p, buf,
                                                 MBEDTLS_ASN1_CONTEXT_SPECIFIC | cur->node.type));
            }
            break;
            case MBEDTLS_X509_SAN_DIRECTORY_NAME:
                MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
                                             mbedtls_x509_write_names(&p, buf,
                                                                      (mbedtls_asn1_named_data *) &
                                                                      cur->node
                                                                      .san.directory_name));
                MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
                                             mbedtls_asn1_write_len(&p, buf, single_san_len));
                MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
                                             mbedtls_asn1_write_tag(&p, buf,
                                                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC |
                                                                    MBEDTLS_ASN1_CONSTRUCTED |
                                                                    MBEDTLS_X509_SAN_DIRECTORY_NAME));
                break;
            default:
                /* Error out on an unsupported SAN */
                ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
                goto cleanup;
        }
        cur = cur->next;
        /* check for overflow */
        if (len > SIZE_MAX - single_san_len) {
            ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
            goto cleanup;
        }
        len += single_san_len;
    }

    MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
    MBEDTLS_ASN1_CHK_CLEANUP_ADD(len,
                                 mbedtls_asn1_write_tag(&p, buf,
                                                        MBEDTLS_ASN1_CONSTRUCTED |
                                                        MBEDTLS_ASN1_SEQUENCE));

    ret = mbedtls_x509_set_extension(extensions,
                                     MBEDTLS_OID_SUBJECT_ALT_NAME,
                                     MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_ALT_NAME),
                                     0,
                                     buf + buflen - len, len);

    /* If we exceeded the allocated buffer it means that maximum size of the SubjectAltName list
     * was incorrectly calculated and memory is corrupted. */
    if (p < buf) {
        ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
    }
cleanup:
    mbedtls_free(buf);
    return ret;
}

#endif /* MBEDTLS_X509_CSR_WRITE_C || MBEDTLS_X509_CRT_WRITE_C */

Line	Count	Source (jump to first uncovered line)
1		/*
2		* X.509 internal, common functions for writing
3		*
4		* Copyright The Mbed TLS Contributors
5		* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6		*/
7		#include "common.h"
8		#if defined(MBEDTLS_X509_CSR_WRITE_C) \|\| defined(MBEDTLS_X509_CRT_WRITE_C)
9
10		#include "mbedtls/x509_crt.h"
11		#include "x509_internal.h"
12		#include "mbedtls/asn1write.h"
13		#include "mbedtls/error.h"
14		#include "mbedtls/oid.h"
15		#include "mbedtls/platform.h"
16		#include "mbedtls/platform_util.h"
17
18		#include <string.h>
19		#include <stdint.h>
20
21		#if defined(MBEDTLS_PEM_WRITE_C)
22		#include "mbedtls/pem.h"
23		#endif /* MBEDTLS_PEM_WRITE_C */
24
25		#if defined(MBEDTLS_USE_PSA_CRYPTO)
26		#include "psa/crypto.h"
27		#include "mbedtls/psa_util.h"
28		#include "md_psa.h"
29		#endif /* MBEDTLS_USE_PSA_CRYPTO */
30
31		#define CHECK_OVERFLOW_ADD(a, b) \
32	0	do \
33	0	{ \
34	0	if (a > SIZE_MAX - (b)) \
35	0	{ \
36	0	return MBEDTLS_ERR_X509_BAD_INPUT_DATA; \
37	0	} \
38	0	a += b; \
39	0	} while (0)
40
41		int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions,
42		const mbedtls_x509_san_list *san_list)
43	0	{
44	0	int ret = 0;
45	0	const mbedtls_x509_san_list *cur;
46	0	unsigned char *buf;
47	0	unsigned char *p;
48	0	size_t len;
49	0	size_t buflen = 0;
50
51		/* Determine the maximum size of the SubjectAltName list */
52	0	for (cur = san_list; cur != NULL; cur = cur->next) {
53		/* Calculate size of the required buffer */
54	0	switch (cur->node.type) {
55	0	case MBEDTLS_X509_SAN_DNS_NAME:
56	0	case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
57	0	case MBEDTLS_X509_SAN_IP_ADDRESS:
58	0	case MBEDTLS_X509_SAN_RFC822_NAME:
59		/* length of value for each name entry,
60		* maximum 4 bytes for the length field,
61		* 1 byte for the tag/type.
62		*/
63	0	CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len);
64	0	CHECK_OVERFLOW_ADD(buflen, 4 + 1);
65	0	break;
66	0	case MBEDTLS_X509_SAN_DIRECTORY_NAME:
67	0	{
68	0	const mbedtls_asn1_named_data *chunk = &cur->node.san.directory_name;
69	0	while (chunk != NULL) {
70		// Max 4 bytes for length, +1 for tag,
71		// additional 4 max for length, +1 for tag.
72		// See x509_write_name for more information.
73	0	CHECK_OVERFLOW_ADD(buflen, 4 + 1 + 4 + 1);
74	0	CHECK_OVERFLOW_ADD(buflen, chunk->oid.len);
75	0	CHECK_OVERFLOW_ADD(buflen, chunk->val.len);
76	0	chunk = chunk->next;
77	0	}
78	0	CHECK_OVERFLOW_ADD(buflen, 4 + 1);
79	0	break;
80	0	}
81	0	default:
82		/* Not supported - return. */
83	0	return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
84	0	}
85	0	}
86
87		/* Add the extra length field and tag */
88	0	CHECK_OVERFLOW_ADD(buflen, 4 + 1);
89
90		/* Allocate buffer */
91	0	buf = mbedtls_calloc(1, buflen);
92	0	if (buf == NULL) {
93	0	return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
94	0	}
95	0	p = buf + buflen;
96
97		/* Write ASN.1-based structure */
98	0	cur = san_list;
99	0	len = 0;
100	0	while (cur != NULL) {
101	0	size_t single_san_len = 0;
102	0	switch (cur->node.type) {
103	0	case MBEDTLS_X509_SAN_DNS_NAME:
104	0	case MBEDTLS_X509_SAN_RFC822_NAME:
105	0	case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
106	0	case MBEDTLS_X509_SAN_IP_ADDRESS:
107	0	{
108	0	const unsigned char *unstructured_name =
109	0	(const unsigned char *) cur->node.san.unstructured_name.p;
110	0	size_t unstructured_name_len = cur->node.san.unstructured_name.len;
111
112	0	MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
113	0	mbedtls_asn1_write_raw_buffer(
114	0	&p, buf,
115	0	unstructured_name, unstructured_name_len));
116	0	MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len, mbedtls_asn1_write_len(
117	0	&p, buf, unstructured_name_len));
118	0	MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
119	0	mbedtls_asn1_write_tag(
120	0	&p, buf,
121	0	MBEDTLS_ASN1_CONTEXT_SPECIFIC \| cur->node.type));
122	0	}
123	0	break;
124	0	case MBEDTLS_X509_SAN_DIRECTORY_NAME:
125	0	MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
126	0	mbedtls_x509_write_names(&p, buf,
127	0	(mbedtls_asn1_named_data *) &
128	0	cur->node
129	0	.san.directory_name));
130	0	MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
131	0	mbedtls_asn1_write_len(&p, buf, single_san_len));
132	0	MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
133	0	mbedtls_asn1_write_tag(&p, buf,
134	0	MBEDTLS_ASN1_CONTEXT_SPECIFIC \|
135	0	MBEDTLS_ASN1_CONSTRUCTED \|
136	0	MBEDTLS_X509_SAN_DIRECTORY_NAME));
137	0	break;
138	0	default:
139		/* Error out on an unsupported SAN */
140	0	ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
141	0	goto cleanup;
142	0	}
143	0	cur = cur->next;
144		/* check for overflow */
145	0	if (len > SIZE_MAX - single_san_len) {
146	0	ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
147	0	goto cleanup;
148	0	}
149	0	len += single_san_len;
150	0	}
151
152	0	MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
153	0	MBEDTLS_ASN1_CHK_CLEANUP_ADD(len,
154	0	mbedtls_asn1_write_tag(&p, buf,
155	0	MBEDTLS_ASN1_CONSTRUCTED \|
156	0	MBEDTLS_ASN1_SEQUENCE));
157
158	0	ret = mbedtls_x509_set_extension(extensions,
159	0	MBEDTLS_OID_SUBJECT_ALT_NAME,
160	0	MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_ALT_NAME),
161	0	0,
162	0	buf + buflen - len, len);
163
164		/* If we exceeded the allocated buffer it means that maximum size of the SubjectAltName list
165		* was incorrectly calculated and memory is corrupted. */
166	0	if (p < buf) {
167	0	ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
168	0	}
169	0	cleanup:
170	0	mbedtls_free(buf);
171	0	return ret;
172	0	}
173
174		#endif /* MBEDTLS_X509_CSR_WRITE_C \|\| MBEDTLS_X509_CRT_WRITE_C */

Coverage Report

Created: 2025-06-13 06:23