diff options
| author | Job Snijders <job@sobornost.net> | 2024-02-21 22:26:50 +0100 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2024-02-25 09:17:41 +0100 |
| commit | eadd8c4727b703049e4d2764751cb04f3108434d (patch) | |
| tree | abcf29b5404084d6b13362654658e7d94d3ea230 /test/asn1_decode_test.c | |
| parent | apps/engine: add EC to list of capabilities (diff) | |
| download | openssl-eadd8c4727b703049e4d2764751cb04f3108434d.tar.xz openssl-eadd8c4727b703049e4d2764751cb04f3108434d.zip | |
Add appropriate lower bound checks for GeneralizedTime and UTCTime
ITU-T X.690 / ISO/IEC 8825-1 section 11.7 and section 11.8
impose specific constraints on how GeneralizedTime and UTCTime
can be encoded in BER/CER/DER. Following from these constraints
a minimum length can be derived.
Checking the length in this context can potentially help prevent
applications from interpreting an invalid GeneralizedTime as a
valid UTCTime.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23483)
Diffstat (limited to 'test/asn1_decode_test.c')
| -rw-r--r-- | test/asn1_decode_test.c | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/test/asn1_decode_test.c b/test/asn1_decode_test.c index 9c676d3dcc..f112dd7034 100644 --- a/test/asn1_decode_test.c +++ b/test/asn1_decode_test.c @@ -11,6 +11,7 @@ #include <string.h> #include <openssl/rand.h> +#include <openssl/asn1.h> #include <openssl/asn1t.h> #include <openssl/obj_mac.h> #include "internal/numbers.h" @@ -161,6 +162,56 @@ static int test_uint64(void) return 1; } +/* GeneralizedTime underflow *********************************************** */ + +static int test_gentime(void) +{ + /* Underflowing GeneralizedTime 161208193400Z (YYMMDDHHMMSSZ) */ + const unsigned char der[] = { + 0x18, 0x0d, 0x31, 0x36, 0x31, 0x32, 0x30, 0x38, 0x31, + 0x39, 0x33, 0x34, 0x30, 0x30, 0x5a, + }; + const unsigned char *p; + int der_len, rc = 1; + ASN1_GENERALIZEDTIME *gentime; + + p = der; + der_len = sizeof(der); + gentime = d2i_ASN1_GENERALIZEDTIME(NULL, &p, der_len); + + if (!TEST_ptr_null(gentime)) + rc = 0; /* fail */ + + ASN1_GENERALIZEDTIME_free(gentime); + return rc; +} + +/* UTCTime underflow ******************************************************* */ + +static int test_utctime(void) +{ + /* Underflowing UTCTime 0205104700Z (MMDDHHMMSSZ) */ + const unsigned char der[] = { + 0x17, 0x0b, 0x30, 0x32, 0x30, 0x35, 0x31, 0x30, + 0x34, 0x37, 0x30, 0x30, 0x5a, + }; + const unsigned char *p; + int der_len, rc = 1; + ASN1_UTCTIME *utctime; + + p = der; + der_len = sizeof(der); + utctime = d2i_ASN1_UTCTIME(NULL, &p, der_len); + + if (!TEST_ptr_null(utctime)) + rc = 0; /* fail */ + + ASN1_UTCTIME_free(utctime); + return rc; +} + +/* Invalid template ******************************************************** */ + typedef struct { ASN1_STRING *invalidDirString; } INVALIDTEMPLATE; @@ -229,6 +280,8 @@ int setup_tests(void) ADD_TEST(test_uint32); ADD_TEST(test_int64); ADD_TEST(test_uint64); + ADD_TEST(test_gentime); + ADD_TEST(test_utctime); ADD_TEST(test_invalid_template); ADD_TEST(test_reuse_asn1_object); return 1; |