1 files changed, 47 insertions, 8 deletions
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 7fabc4c01993..facbf26bc6bb 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -373,6 +373,9 @@ int rsa_extract_mpi(void *context, size_t hdrlen,
        return 0;
 }
+/* The keyIdentifier in AuthorityKeyIdentifier SEQUENCE is tag(CONT,PRIM,0) */
+#define SEQ_TAG_KEYID (ASN1_CONT << 6)
 /*
 * Process certificate extensions that are used to qualify the certificate.
 */
@@ -407,21 +410,57 @@ int x509_process_extension(void *context, size_t hdrlen,
        }
        if (ctx->last_oid == OID_authorityKeyIdentifier) {
+                size_t key_len;
                /* Get hold of the CA key fingerprint */
                if (vlen < 5)
                        return -EBADMSG;
-                if (v[0] != (ASN1_SEQ | (ASN1_CONS << 5)) ||
-                    v[1] != vlen - 2 ||
+                /* Authority Key Identifier must be a Constructed SEQUENCE */
-                    v[2] != (ASN1_CONT << 6) ||
+                if (v[0] != (ASN1_SEQ | (ASN1_CONS << 5)))
-                    v[3] != vlen - 4)
                        return -EBADMSG;
-                v += 4;
-                vlen -= 4;
-                f = kmalloc(vlen * 2 + 1, GFP_KERNEL);
+                /* Authority Key Identifier is not indefinite length */
+                if (unlikely(vlen == ASN1_INDEFINITE_LENGTH))
+                        return -EBADMSG;
+                if (vlen < ASN1_INDEFINITE_LENGTH) {
+                        /* Short Form length */
+                        if (v[1] != vlen - 2 ||
+                            v[2] != SEQ_TAG_KEYID ||
+                            v[3] > vlen - 4)
+                                return -EBADMSG;
+                        key_len = v[3];
+                        v += 4;
+                } else {
+                        /* Long Form length */
+                        size_t seq_len = 0;
+                        size_t sub = v[1] - ASN1_INDEFINITE_LENGTH;
+                        if (sub > 2)
+                                return -EBADMSG;
+                        /* calculate the length from subsequent octets */
+                        v += 2;
+                        for (i = 0; i < sub; i++) {
+                                seq_len <<= 8;
+                                seq_len |= v[i];
+                        }
+                        if (seq_len != vlen - 2 - sub ||
+                            v[sub] != SEQ_TAG_KEYID ||
+                            v[sub + 1] > vlen - 4 - sub)
+                                return -EBADMSG;
+                        key_len = v[sub + 1];
+                        v += (sub + 2);
+                }
+                f = kmalloc(key_len * 2 + 1, GFP_KERNEL);
                if (!f)
                        return -ENOMEM;
-                for (i = 0; i < vlen; i++)
+                for (i = 0; i < key_len; i++)
                        sprintf(f + i * 2, "%02x", v[i]);
                pr_debug("authority   %s\n", f);
                ctx->cert->authority = f;

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 7fabc4c01993..facbf26bc6bb 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -373,6 +373,9 @@ int rsa_extract_mpi(void *context, size_t hdrlen,
373	return 0;	373	return 0;
374	}	374	}
375		375
		376	/* The keyIdentifier in AuthorityKeyIdentifier SEQUENCE is tag(CONT,PRIM,0) */
		377	#define SEQ_TAG_KEYID (ASN1_CONT << 6)
		378
376	/*	379	/*
377	* Process certificate extensions that are used to qualify the certificate.	380	* Process certificate extensions that are used to qualify the certificate.
378	*/	381	*/
@@ -407,21 +410,57 @@ int x509_process_extension(void *context, size_t hdrlen,
407	}	410	}
408		411
409	if (ctx->last_oid == OID_authorityKeyIdentifier) {	412	if (ctx->last_oid == OID_authorityKeyIdentifier) {
		413	size_t key_len;
		414
410	/* Get hold of the CA key fingerprint */	415	/* Get hold of the CA key fingerprint */
411	if (vlen < 5)	416	if (vlen < 5)
412	return -EBADMSG;	417	return -EBADMSG;
413	if (v[0] != (ASN1_SEQ \| (ASN1_CONS << 5)) \|\|	418
414	v[1] != vlen - 2 \|\|	419	/* Authority Key Identifier must be a Constructed SEQUENCE */
415	v[2] != (ASN1_CONT << 6) \|\|	420	if (v[0] != (ASN1_SEQ \| (ASN1_CONS << 5)))
416	v[3] != vlen - 4)
417	return -EBADMSG;	421	return -EBADMSG;
418	v += 4;
419	vlen -= 4;
420		422
421	f = kmalloc(vlen * 2 + 1, GFP_KERNEL);	423	/* Authority Key Identifier is not indefinite length */
		424	if (unlikely(vlen == ASN1_INDEFINITE_LENGTH))
		425	return -EBADMSG;
		426
		427	if (vlen < ASN1_INDEFINITE_LENGTH) {
		428	/* Short Form length */
		429	if (v[1] != vlen - 2 \|\|
		430	v[2] != SEQ_TAG_KEYID \|\|
		431	v[3] > vlen - 4)
		432	return -EBADMSG;
		433
		434	key_len = v[3];
		435	v += 4;
		436	} else {
		437	/* Long Form length */
		438	size_t seq_len = 0;
		439	size_t sub = v[1] - ASN1_INDEFINITE_LENGTH;
		440
		441	if (sub > 2)
		442	return -EBADMSG;
		443
		444	/* calculate the length from subsequent octets */
		445	v += 2;
		446	for (i = 0; i < sub; i++) {
		447	seq_len <<= 8;
		448	seq_len \|= v[i];
		449	}
		450
		451	if (seq_len != vlen - 2 - sub \|\|
		452	v[sub] != SEQ_TAG_KEYID \|\|
		453	v[sub + 1] > vlen - 4 - sub)
		454	return -EBADMSG;
		455
		456	key_len = v[sub + 1];
		457	v += (sub + 2);
		458	}
		459
		460	f = kmalloc(key_len * 2 + 1, GFP_KERNEL);
422	if (!f)	461	if (!f)
423	return -ENOMEM;	462	return -ENOMEM;
424	for (i = 0; i < vlen; i++)	463	for (i = 0; i < key_len; i++)
425	sprintf(f + i * 2, "%02x", v[i]);	464	sprintf(f + i * 2, "%02x", v[i]);
426	pr_debug("authority %s\n", f);	465	pr_debug("authority %s\n", f);
427	ctx->cert->authority = f;	466	ctx->cert->authority = f;