busybox/networking
Ivan Abrea 5cb4f9081f tls: fix to handle X.509 v1 certificates correctly
The syntax of public key certificates can be found in RFC 5280 section
4.1. The relevant part of the syntax is the following:

  TBSCertificate  ::=  SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    ... remaining fields omitted ...
  }

The version field has a default value of v1. RFC 5280 section 4.1.2.1
says the following:

  If only basic fields are present, the version SHOULD be 1 (the value
  is omitted from the certificate as the default value); however, the
  version MAY be 2 or 3.

To help detect if the version field is present or not, the type of the
version field has an explicit tag of [0]. Due to this tag, if the
version field is present, its encoding will have an identifier octet
that is distinct from that of the serialNumber field.

ITU-T X.690 specifies how a value of such a type should be encoded with
DER. There is a PDF of X.690 freely available from ITU-T. X.690 section
8.1.2 specifies the format of identifier octets which is the first
component of every encoded value. Identifier octets encode the tag of a
type. Bits 8 and 7 encode the tag class. Bit 6 will be 0 if the encoding
is primitive and 1 if the encoding is constructed. Bits 5 to 1 encode
the tag number.

X.690 section 8.14 specifies what the identifier octet should be for
explicitly tagged types. Section 8.14.3 says if implicit tagging is not
used, then the encoding shall be constructed. The version field uses
explicit tagging and not implicit tagging, so its encoding will be
constructed. This means bit 6 of the identifier octet should be 1.

X.690 section 8.14 and Annex A provide examples. Note from their
examples that the notation for tags could look like [APPLICATION 2]
where both the tag class and tag number are given. For this example, the
tag class is 1 (application) and the tag number is 2. For notation like
[0] where the tag class is omitted and only the tag number is given, the
tag class will be context-specific.

Putting this all together, the identifier octet for the DER encoding of
the version field should have a tag class of 2 (context-specific), bit 6
as 1 (constructed), and a tag number of 0.

Signed-off-by: Ivan Abrea <ivan@algosolutions.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-06-24 20:05:24 +02:00
..
libiproute ioctl(SIOCGIFINDEX) does not require clearing of entire ifr 2018-03-27 23:55:43 +02:00
ssl_helper
ssl_helper-wolfssl
udhcp udhcpc: remove code which requires server ID to be on local network 2018-06-21 17:38:14 +02:00
arp.c config: deindent all help texts 2017-07-21 09:50:55 +02:00
arping.c arping: code shrink 2018-02-11 21:16:24 +01:00
brctl.c brctl: make it NOEXEC 2017-08-06 20:14:02 +02:00
Config.src restore documentation on the build config language 2018-06-06 15:16:48 +02:00
dnsd.c config: deindent all help texts 2017-07-21 09:50:55 +02:00
ether-wake.c getopt32: remove opt_complementary 2017-08-08 21:55:02 +02:00
ftpd.c ftpd: allow -A if !FTPD_AUTHENTICATION as well 2018-04-07 14:18:42 +02:00
ftpgetput.c wget,ftpd: shorten and reuse strings 2018-04-07 13:22:52 +02:00
hostname.c regularize format of source file headers, no code changes 2017-09-18 16:28:43 +02:00
httpd_helpers.sh
httpd_indexcgi.c
httpd_post_upload.cgi
httpd_ssi.c
httpd.c httpd: do not default to Content-type: application/octet-stream 2018-04-07 01:13:30 +02:00
ifconfig.c networking/interface.c: get rid of global "smallint interface_opt_a" 2018-03-05 17:46:17 +01:00
ifenslave.c getopt32: remove applet_long_options 2017-08-08 17:09:40 +02:00
ifplugd.c ifplugd: close signal race 2018-04-29 13:46:49 +02:00
ifupdown.c ifupdown: do not fail if interface disappears during ifdown 2018-03-28 00:02:52 +02:00
inetd.c inetd,mount: add comment with example of flags to build with libtirpc 2018-02-13 18:20:28 +01:00
interface.c networking/interface.c: get rid of global data 2018-03-05 18:30:33 +01:00
ip.c remove stray newline in "iplink --help" 2018-03-08 16:06:18 +01:00
ipcalc.c getopt32: remove opt_complementary 2017-08-08 21:55:02 +02:00
isrv_identd.c libbb: new option FEATURE_ETC_SERVICES: if off, /etc/services reads often avoided 2018-04-17 12:43:54 +02:00
isrv.c Spelling fixes in comments, documentation, tests and examples 2017-04-17 16:13:32 +02:00
isrv.h
Kbuild.src
nameif.c regularize format of source file headers, no code changes 2017-09-18 16:28:43 +02:00
nbd-client.c regularize format of source file headers, no code changes 2017-09-18 16:28:43 +02:00
nc_bloaty.c nc: fix the !NC_SERVER configuration 2018-05-24 16:38:40 +02:00
nc.c whitespace and comment format fixes, no code changes 2017-10-05 15:19:25 +02:00
netstat.c netstat: produce numeric-ip output for non-resolved names 2018-03-27 23:28:53 +02:00
nslookup.c nslookup: simplify make_ptr 2018-04-15 20:04:57 +02:00
ntpd.c ntpd: deprecate IPTOS_LOWDELAY in favor of IPTOS_DSCP_AF21 2018-06-24 20:03:55 +02:00
ntpd.diff
parse_pasv_epsv.c fix a thinko in parse_pasv_epsv.c 2018-02-06 17:11:15 +01:00
ping.c ping: don't call monotonic_us twice per sending the ping 2018-02-13 23:53:24 +01:00
pscan.c getopt32: remove opt_complementary 2017-08-08 21:55:02 +02:00
route.c ioctl(SIOCGIFINDEX) does not require clearing of entire ifr 2018-03-27 23:55:43 +02:00
slattach.c getopt32: remove opt_complementary 2017-08-08 21:55:02 +02:00
ssl_client.c ssl_client: fix option parsing 2018-03-20 11:41:51 +01:00
tc.c ip: fix crash in "ip neigh show" 2018-02-08 08:42:37 +01:00
tcpudp_perhost.c tcpudp: shrink per-host rate-limiting code 2018-02-27 13:03:44 +01:00
tcpudp_perhost.h tcpudp: shrink per-host rate-limiting code 2018-02-27 13:03:44 +01:00
tcpudp.c tcpsvd: fix fallout from opt_complementary removal 2018-03-11 23:02:50 +01:00
telnet.c libbb: new option FEATURE_ETC_SERVICES: if off, /etc/services reads often avoided 2018-04-17 12:43:54 +02:00
telnetd.c getopt32: remove opt_complementary 2017-08-08 21:55:02 +02:00
telnetd.ctrlSQ.patch
telnetd.IAC_test.sh
tftp.c randomconfig fixes 2017-12-31 17:30:02 +01:00
tls_aes.c Move get_unaligned_le32() macros to platform.h 2017-07-15 20:22:25 +02:00
tls_aes.h tls: fold AES CBC en/decryption into single functions 2017-02-04 16:23:49 +01:00
tls_pstm_montgomery_reduce.c tls: remove last int16 local variables in pstm code 2017-07-15 17:19:38 +02:00
tls_pstm_mul_comba.c tls: remove last int16 local variables in pstm code 2017-07-15 17:19:38 +02:00
tls_pstm_sqr_comba.c tls: remove last int16 local variables in pstm code 2017-07-15 17:19:38 +02:00
tls_pstm.c tls: remove last int16 local variables in pstm code 2017-07-15 17:19:38 +02:00
tls_pstm.h tls: avoid using int16 in pstm code 2017-04-03 21:53:29 +02:00
tls_rsa.c
tls_rsa.h
tls_symmetric.h tls: set TLS_DEBUG to 0; placate a gcc indentation warning 2017-01-23 01:15:13 +01:00
tls.c tls: fix to handle X.509 v1 certificates correctly 2018-06-24 20:05:24 +02:00
tls.h tls: fix pstm asm constraint problem 2017-07-15 17:13:08 +02:00
traceroute.c Fix build failures if MAXHOSTNAMELEN or MAXPATHLEN is not defined 2017-10-31 15:59:19 +01:00
tunctl.c getopt32: remove opt_complementary 2017-08-08 21:55:02 +02:00
vconfig.c regularize format of source file headers, no code changes 2017-09-18 16:28:43 +02:00
wget.c wget: emit a message that certificate verification is not implemented 2018-05-28 14:36:26 +02:00
whois.c regularize format of source file headers, no code changes 2017-09-18 16:28:43 +02:00
zcip.c whitespace and comment format fixes, no code changes 2017-10-05 15:19:25 +02:00