authorKazuki Yamaguchi <k@rhe.jp>2017-01-20 15:06:12 +0900
committerKazuki Yamaguchi <k@rhe.jp>2017-07-23 15:14:43 +0900
commit1d202b077dce4b2732d902c8d5b488792f578079 (patch)
treeb4df63103acc75cdf75dcf13bf3915c68b9afb81
parent27e4bad625291b69d3ffdf8675230deeaef4aa39 (diff)
downloadruby-openssl-1d202b077dce4b2732d902c8d5b488792f578079.tar.gz
asn1: prevent EOC octets from being in the middle of the content
Encoding with indefinite length form produces an invalid encoding if the contents array contains an EOC object in the middle. Raise an exception in that case.
-rw-r--r--ext/openssl/ossl_asn1.c5
-rw-r--r--test/test_asn1.rb9
2 files changed, 14 insertions, 0 deletions
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
index 842c5b54..87342d68 100644
--- a/ext/openssl/ossl_asn1.c
+++ b/ext/openssl/ossl_asn1.c
@@ -1177,6 +1177,11 @@ ossl_asn1cons_to_der(VALUE self)
for (i = 0; i < RARRAY_LEN(ary); i++) {
VALUE item = RARRAY_AREF(ary, i);
+ if (indef_len && rb_obj_is_kind_of(item, cASN1EndOfContent)) {
+ if (i != RARRAY_LEN(ary) - 1)
+ ossl_raise(eASN1Error, "illegal EOC octets in value");
+ }
+
item = ossl_to_der_if_possible(item);
StringValue(item);
rb_str_append(str, item);
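Review bot: The new guard only recognises items that are instances of `cASN1EndOfContent`, and it runs before `ossl_to_der_if_possible(item)`. An element that merely encodes to the octets `00 00` (for example a generic ASN1Data with universal tag 0 and an empty value, or an already-encoded String) would presumably still be appended mid-content, and a decoder would treat it as the end of the indefinite-length value. If the intent is never to emit a premature EOC, consider checking the encoded bytes after `StringValue(item)`, e.g. `if (indef_len && i != RARRAY_LEN(ary) - 1 && RSTRING_LEN(item) >= 2 && !memcmp(RSTRING_PTR(item), "\0\0", 2))`. Otherwise, state the limitation in a comment such as `/* only EndOfContent instances are detected; items that encode to 00 00 are not */`. The body of ossl_asn1cons_to_der starts and ends outside this hunk, so any later validation of the output is not visible here.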
diff --git a/test/test_asn1.rb b/test/test_asn1.rb
index 223b11a5..d3945d36 100644
--- a/test/test_asn1.rb
+++ b/test/test_asn1.rb
@@ -345,6 +345,15 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
])
expected.indefinite_length = true
encode_decode_test B(%w{ 30 80 04 01 00 00 00 }), expected
+
+ # OpenSSL::ASN1::EndOfContent can only be at the end
+ obj = OpenSSL::ASN1::Sequence.new([
+ OpenSSL::ASN1::EndOfContent.new,
+ OpenSSL::ASN1::OctetString.new(B(%w{ 00 })),
+ OpenSSL::ASN1::EndOfContent.new,
+ ])
+ obj.indefinite_length = true
+ assert_raise(OpenSSL::ASN1::ASN1Error) { obj.to_der }
end
def test_set
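Review bot: The added assertions cover only the raising path, so the test would still pass if the guard also fired for definite-length encodings. The C check is conditioned on `indef_len`, and a negative control would pin that. Consider adding, before `obj.indefinite_length = true`, a line such as `assert_nothing_raised { obj.to_der }`, assuming definite-length encoding of this array is meant to keep working, which this hunk does not show. The enclosing test method starts outside the hunk.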