x509asn1: improve encodeOID

- return error on zero length input - return error on OOM or doing too large output - fix full 32-bit number support - fix the broken handling of the first and second numbers - support up to 32-bit minus 80 for the second number - a field with a leading 0x80 is now considered an error, since it only works as padding and is then no longer the shortest possible version Add unit tests in 1666 Bonus: removed the last argument to OID2str() as it was always set TRUE. Closes #21003
2026-05-30 06:17:28 +03:00 · 2026-03-19 09:55:46 +01:00 · 2026-03-19 09:55:46 +01:00 · 673e14cd33
commit 673e14cd33
parent ce51fb493c
5 changed files with 285 additions and 30 deletions
--- a/lib/vtls/x509asn1.c
+++ b/lib/vtls/x509asn1.c
@ -417,33 +417,65 @@ static CURLcode utf8asn1str(struct dynbuf *to, int type, const char *from,
 }

 /*
- * Convert an ASN.1 OID into its dotted string representation.
+ * Convert an ASN.1 OID into its dotted string representation. Each field is
+ * limited to unsigned 32-bit values.
+ *
+ * A minor limitation is in the second number, which can be no larger than 32
+ * bits - 80 == 4294967215.
 *
 * Return error code.
+ *
+ * @unittest 1666
 */
-static CURLcode encodeOID(struct dynbuf *store,
-                          const char *beg, const char *end)
+UNITTEST CURLcode encodeOID(struct dynbuf *buf, const char *b, const char *e);
+UNITTEST CURLcode encodeOID(struct dynbuf *store,
+                            const char *beg, const char *end)
 {
-  unsigned int x;
-  unsigned int y;
+  uint32_t x;
+  uint32_t y;
  CURLcode result = CURLE_OK;

-  /* Process the first two numbers. */
-  y = *(const unsigned char *)beg++;
-  x = y / 40;
-  y -= x * 40;
+  if(end <= beg)
+    return CURLE_BAD_FUNCTION_ARGUMENT;

-  result = curlx_dyn_addf(store, "%u.%u", x, y);
+  /* Process the first two numbers. The initial digit cannot be larger than
+     2 */
+  y = *(const unsigned char *)beg++;
+  if(y <= 80)
+    x = y / 40;
+  else
+    x = 2;
+  result = curlx_dyn_addf(store, "%u", x);
+  if(result)
+    return result;
+
+  if(y & 0x80) {
+    uint32_t t = (y & 0x7f); /* the second number */
+    if(!t)
+      /* reject leading 0x80 padding */
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    do {
+      if((t & 0xFE000000) || (beg >= end))
+        return CURLE_BAD_FUNCTION_ARGUMENT;
+      y = *(const unsigned char *)beg++;
+      t = (t << 7) | (y & 0x7F);
+    } while(y & 0x80);
+    y = t;
+  }
+
+  result = curlx_dyn_addf(store, ".%u", y - (x * 40));
  if(result)
    return result;

  /* Process the trailing numbers. */
-  while(beg < end) {
+  while((beg < end) && !result) {
    x = 0;
+    y = 0;
    do {
-      if(x & 0xFF000000)
+      /* 0x80 as the first value is invalid since it only adds padding */
+      if((y & 0x80) && !x)
        return CURLE_BAD_FUNCTION_ARGUMENT;
-      else if(beg == end)
+      else if((x & 0xFE000000) || (beg == end))
        return CURLE_BAD_FUNCTION_ARGUMENT;
      y = *(const unsigned char *)beg++;
      x = (x << 7) | (y & 0x7F);
@ -460,26 +492,22 @@ static CURLcode encodeOID(struct dynbuf *store,
 */

 static CURLcode OID2str(struct dynbuf *store,
-                        const char *beg, const char *end, bool symbolic)
+                        const char *beg, const char *end)
 {
  CURLcode result = CURLE_OK;
  if(beg < end) {
-    if(symbolic) {
-      struct dynbuf buf;
-      curlx_dyn_init(&buf, CURL_X509_STR_MAX);
-      result = encodeOID(&buf, beg, end);
+    struct dynbuf buf;
+    curlx_dyn_init(&buf, CURL_X509_STR_MAX);
+    result = encodeOID(&buf, beg, end);

-      if(!result) {
-        const struct Curl_OID *op = searchOID(curlx_dyn_ptr(&buf));
-        if(op)
-          result = curlx_dyn_add(store, op->textoid);
-        else
-          result = curlx_dyn_add(store, curlx_dyn_ptr(&buf));
-      }
-      curlx_dyn_free(&buf);
+    if(!result) {
+      const struct Curl_OID *op = searchOID(curlx_dyn_ptr(&buf));
+      if(op)
+        result = curlx_dyn_add(store, op->textoid);
+      else
+        result = curlx_dyn_add(store, curlx_dyn_ptr(&buf));
    }
-    else
-      result = encodeOID(store, beg, end);
+    curlx_dyn_free(&buf);
  }
  return result;
 }
@ -647,7 +675,7 @@ static CURLcode ASN1tostr(struct dynbuf *store,
    result = curlx_dyn_addn(store, "", 1);
    break;
  case CURL_ASN1_OBJECT_IDENTIFIER:
-    result = OID2str(store, elem->beg, elem->end, TRUE);
+    result = OID2str(store, elem->beg, elem->end);
    break;
  case CURL_ASN1_UTC_TIME:
    result = UTime2str(store, elem->beg, elem->end);
@ -905,7 +933,7 @@ static CURLcode dumpAlgo(struct dynbuf *store,
    if(!p)
      return CURLE_BAD_FUNCTION_ARGUMENT;
  }
-  return OID2str(store, oid.beg, oid.end, TRUE);
+  return OID2str(store, oid.beg, oid.end);
 }

 /*
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@ -222,6 +222,7 @@ test1640 test1641 test1642 test1643 \
 \
 test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 \
 test1658 test1659 test1660 test1661 test1662 test1663 test1664 test1665 \
+test1666 \
 \
 test1670 test1671 \
 \
--- a/tests/data/test1666
+++ b/tests/data/test1666
@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+unittest
+encodeOID
+x509asn1
+</keywords>
+</info>
+
+# Client-side
+<client>
+<features>
+unittest
+</features>
+<name>
+encodeOID unit tests
+</name>
+</client>
+</testcase>
--- a/tests/unit/Makefile.inc
+++ b/tests/unit/Makefile.inc
@ -41,6 +41,7 @@ TESTS_C = \
  unit1636.c \
  unit1650.c unit1651.c unit1652.c unit1653.c unit1654.c unit1655.c unit1656.c \
  unit1657.c unit1658.c            unit1660.c unit1661.c unit1663.c unit1664.c \
+             unit1666.c \
  unit1979.c unit1980.c \
  unit2600.c unit2601.c unit2602.c unit2603.c unit2604.c unit2605.c \
  unit3200.c                                             unit3205.c \
--- a/tests/unit/unit1666.c
+++ b/tests/unit/unit1666.c
@ -0,0 +1,205 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+#include "unitcheck.h"
+
+#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_MBEDTLS) || \
+  defined(USE_RUSTLS)
+
+#include "vtls/x509asn1.h"
+#include "vtls/vtls.h"
+
+struct test_1666 {
+  const char *oid;
+  const size_t size;
+  const char *dotted;
+  CURLcode result_exp;
+};
+
+/* the size of the object needs to deduct the null terminator */
+#define OID(x) x, sizeof(x) - 1
+
+static bool test1666(const struct test_1666 *spec, size_t i,
+                     struct dynbuf *dbuf)
+{
+  CURLcode result;
+  const char *oid = spec->oid;
+  bool ok = TRUE;
+
+  curlx_dyn_reset(dbuf);
+  result = encodeOID(dbuf, oid, oid + spec->size);
+  if(result != spec->result_exp) {
+    curl_mfprintf(stderr, "test %zu: expect result %d, got %d\n",
+                  i, spec->result_exp, result);
+    if(!spec->result_exp) {
+      curl_mfprintf(stderr, "test %zu: expected output '%s'\n",
+                    i, spec->dotted);
+    }
+    ok = FALSE;
+  }
+  else if(!result && strcmp(spec->dotted, curlx_dyn_ptr(dbuf))) {
+    curl_mfprintf(stderr,
+                  "test %zu: expected output '%s', got '%s'\n",
+                  i, spec->dotted, curlx_dyn_ptr(dbuf));
+    ok = FALSE;
+  }
+
+  return ok;
+}
+
+static CURLcode test_unit1666(const char *arg)
+{
+  UNITTEST_BEGIN_SIMPLE
+
+  static const struct test_1666 test_specs[] = {
+    { "", 0, "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { "\x81", 0, "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x8F\xFF\xFF\xFF\x7F"), "2.4294967215", CURLE_OK },
+    { OID("\x90\x80\x80\x80\x00"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x88\x80\x80\x80\x4F"), "2.2147483647", CURLE_OK },
+    { OID("\x88\x80\x80\x80\x50"), "2.2147483648", CURLE_OK },
+    { OID("\x88\x80\x80\x80\x51"), "2.2147483649", CURLE_OK },
+    { OID("\x88\x80\x80\x80\x52"), "2.2147483650", CURLE_OK },
+    { OID("\x8F\xFF\xFF\xFF\x7F\x8F\xFF\xFF\xFF\x7F"),
+      "2.4294967215.4294967295", CURLE_OK },
+    { OID("\xB7\x28\x02"), "2.7000.2", CURLE_OK },
+    { OID("\x81\x00"), "2.48", CURLE_OK },
+    { OID("\x81\x00\x01"), "2.48.1", CURLE_OK },
+    { OID("\x81\x00\x02"), "2.48.2", CURLE_OK },
+    { OID("\xC0\x80\x81\x1F"), "2.134217807", CURLE_OK },
+    { OID("\x2b\x06\x01\x04\x01\x82\x37\x15\x14"), "1.3.6.1.4.1.311.21.20",
+      CURLE_OK },
+    { OID("\x2b\x06\x01\x04\x01\x82\x37\x15"), "1.3.6.1.4.1.311.21",
+      CURLE_OK },
+    { OID("\x2b\x06\x01\x04\x01\x82\x37"), "1.3.6.1.4.1.311", CURLE_OK },
+    { OID("\x2b\x06\x01\x04\x01"), "1.3.6.1.4.1", CURLE_OK },
+    { OID("\x2b\x06\x01\x04"), "1.3.6.1.4", CURLE_OK },
+    { OID("\x2b\x06\x01"), "1.3.6.1", CURLE_OK },
+    { OID("\x2b\x06"), "1.3.6", CURLE_OK },
+    { OID("\x2b"), "1.3", CURLE_OK },
+    { OID("\x2c"), "1.4", CURLE_OK },
+    { OID("\x2d"), "1.5", CURLE_OK },
+    { OID("\x2e"), "1.6", CURLE_OK },
+    { OID("\x2f"), "1.7", CURLE_OK },
+    { OID("\x30"), "1.8", CURLE_OK },
+    { OID("\x31"), "1.9", CURLE_OK },
+    { OID("\x32"), "1.10", CURLE_OK },
+    { OID("\x50"), "2.0", CURLE_OK },
+    { OID("\x7f"), "2.47", CURLE_OK },
+    { OID("\xff\x7f"), "2.16303", CURLE_OK },
+    { OID("\xff"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\xff\x80\x01"), "2.2080689", CURLE_OK },
+    { OID("\xff\x80\x80\x01"), "2.266338225", CURLE_OK },
+    { OID("\x80\x80\x80\x80\x01"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x80\x80\x80\x80\x80\x01"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x80\x80\x80\x80\x80\x80\x01"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x80\xff\x7f"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x80\xff\xff\xff\x7f"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x2b\xff\xff\xff\xff\x7f"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x80\x80"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x80\x80\x80"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x80\x80\x80\x80"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x80\x80\x80\x80\x80"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x80\x80\x80\x80\x80\x80"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x2b\x06\x01\x04\x01\xee"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x00"), "0.0", CURLE_OK },
+    { OID("\x01"), "0.1", CURLE_OK },
+    { OID("\x02"), "0.2", CURLE_OK },
+    { OID("\x03"), "0.3", CURLE_OK },
+    { OID("\x04"), "0.4", CURLE_OK },
+    { OID("\x05"), "0.5", CURLE_OK },
+    { OID("\x2b\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+          "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+          "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"),
+      "1.3.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1"
+      ".1.1.1.1.1.1.1.1", CURLE_OK },
+    { OID("\x2b\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64"
+          "\x64\x64\x64\x64\x64\x64\x64\x64\x64\x7f"),
+      "", CURLE_TOO_LARGE },
+    { OID("\x2b\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64"
+          "\x64\x64\x64\x64\x64\x64\x64\x64\x64\x63"),
+      "", CURLE_TOO_LARGE },
+    { OID("\x2b\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64"
+          "\x64\x64\x64\x64\x64\x64\x64\x64\x64\x09"),
+      "", CURLE_TOO_LARGE },
+    { OID("\x2b\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+          "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+          "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+          "\x01\x01\x01\x01\x01\x01\x01\x01"),
+      "", CURLE_TOO_LARGE },
+    /* one byte shorter than the previous is just below the limit: */
+    { OID("\x2b\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+          "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+          "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+          "\x01\x01\x01\x01\x01\x01\x01"),
+      "1.3.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1"
+      ".1.1.1.1.1.1.1.1.1.1.1.1.1.1.1", CURLE_OK },
+    { OID("\x78"), "2.40", CURLE_OK },
+    { OID("\x81\x34"), "2.100", CURLE_OK },
+    { OID("\x2b\x00\x01"), "1.3.0.1", CURLE_OK },
+    { OID("\x2b\x06\x01\x00"), "1.3.6.1.0", CURLE_OK },
+    { OID("\x2b\x8f\xff\xff\xff\x7f"), "1.3.4294967295", CURLE_OK },
+    { OID("\x2b\x81\x00"), "1.3.128", CURLE_OK },
+    { OID("\x2b\x80\x05"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x2b\x80\x80\x01"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+    { OID("\x2b\x06\x81"), "", CURLE_BAD_FUNCTION_ARGUMENT },
+  };
+
+  size_t i;
+  struct dynbuf dbuf;
+  bool all_ok = TRUE;
+
+  /* the real code uses CURL_X509_STR_MAX for maximum size, but we set a
+     smaller one here so that we can test running into the limit a little
+     easier */
+  curlx_dyn_init(&dbuf, 100);
+
+  if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
+    curl_mfprintf(stderr, "curl_global_init() failed\n");
+    return TEST_ERR_MAJOR_BAD;
+  }
+
+  for(i = 0; i < CURL_ARRAYSIZE(test_specs); ++i) {
+    if(!test1666(&test_specs[i], i, &dbuf))
+      all_ok = FALSE;
+  }
+  fail_unless(all_ok, "some tests of encodeOID() failed");
+
+  curlx_dyn_free(&dbuf);
+  curl_global_cleanup();
+
+  UNITTEST_END_SIMPLE
+}
+
+#undef OID
+
+#else
+
+static CURLcode test_unit1666(const char *arg)
+{
+  UNITTEST_BEGIN_SIMPLE
+  puts("not tested since encodeOID() is not built in");
+  UNITTEST_END_SIMPLE
+}
+
+#endif