asn1: prevent EOC octets from being in the middle of the content

rhenium · rhenium · commit 1d202b077dce · 2017-07-23T15:14:43.000+09:00
Encoding with indefinite length form produces an invalid encoding if the
contents array contains an EOC object in the middle. Raise an exception
in that case.
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
@@ -1177,6 +1177,11 @@ ossl_asn1cons_to_der(VALUE self)
     for (i = 0; i < RARRAY_LEN(ary); i++) {
 	VALUE item = RARRAY_AREF(ary, i);
 
+	if (indef_len && rb_obj_is_kind_of(item, cASN1EndOfContent)) {
+	    if (i != RARRAY_LEN(ary) - 1)
+		ossl_raise(eASN1Error, "illegal EOC octets in value");
+	}
+
 	item = ossl_to_der_if_possible(item);
 	StringValue(item);
 	rb_str_append(str, item);
diff --git a/test/test_asn1.rb b/test/test_asn1.rb
@@ -345,6 +345,15 @@ def test_sequence
     ])
     expected.indefinite_length = true
     encode_decode_test B(%w{ 30 80 04 01 00 00 00 }), expected
+
+    # OpenSSL::ASN1::EndOfContent can only be at the end
+    obj = OpenSSL::ASN1::Sequence.new([
+      OpenSSL::ASN1::EndOfContent.new,
+      OpenSSL::ASN1::OctetString.new(B(%w{ 00 })),
+      OpenSSL::ASN1::EndOfContent.new,
+    ])
+    obj.indefinite_length = true
+    assert_raise(OpenSSL::ASN1::ASN1Error) { obj.to_der }
   end
 
   def test_set
