authorSergey Matveev <stargrave@stargrave.org>2020-04-13 11:12:22 +0300
committerSergey Matveev <stargrave@stargrave.org>2020-04-13 12:09:44 +0300
commit35c86385b3c8d004e3b5efea7aa2b95e7608309b (patch)
tree5c4a3e05f4a666e15960966476c43419fa9b7061
parent858cfc57f01b2b31b707fb4f808319ab877003dc (diff)
downloadpyderasn-35c86385b3c8d004e3b5efea7aa2b95e7608309b.tar.xz
Long tag form must not contain zero byte
-rw-r--r--VERSION2
-rw-r--r--doc/install.rst12
-rw-r--r--doc/news.rst7
-rwxr-xr-xpyderasn.py4
-rw-r--r--tests/test_pyderasn.py7
5 files changed, 24 insertions, 8 deletions
diff --git a/VERSION b/VERSION
index 38abeb2..25b629b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.6
+7.7
diff --git a/doc/install.rst b/doc/install.rst
index eb9c266..b74a184 100644
--- a/doc/install.rst
+++ b/doc/install.rst
@@ -4,11 +4,11 @@ Install
Preferable way is to :ref:`download <download>` tarball with the
signature from `official website <http://pyderasn.cypherpunks.ru/>`__::
- $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-7.6.tar.xz
- $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-7.6.tar.xz.sig
- $ gpg --verify pyderasn-7.6.tar.xz.sig pyderasn-7.6.tar.xz
- $ xz --decompress --stdout pyderasn-7.6.tar.xz | tar xf -
- $ cd pyderasn-7.6
+ $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-7.7.tar.xz
+ $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-7.7.tar.xz.sig
+ $ gpg --verify pyderasn-7.7.tar.xz.sig pyderasn-7.7.tar.xz
+ $ xz --decompress --stdout pyderasn-7.7.tar.xz | tar xf -
+ $ cd pyderasn-7.7
$ python setup.py install
# or copy pyderasn.py (+six.py, possibly termcolor.py) to your PYTHONPATH
@@ -21,7 +21,7 @@ You can also find it mirrored on :ref:`download <download>` page.
You could use pip (**no** OpenPGP authentication is performed!) with PyPI::
$ cat > requirements.txt <<EOF
- pyderasn==7.6 --hash=sha256:TO-BE-FILLED
+ pyderasn==7.7 --hash=sha256:TO-BE-FILLED
six==1.14.0 --hash=sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a
EOF
$ pip install --requirement requirements.txt
diff --git a/doc/news.rst b/doc/news.rst
index d328660..7d523e8 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -1,6 +1,13 @@
News
====
+.. _release7.7:
+
+7.7
+---
+* Strictly check that tag's long encoded form does not contain leading zero
+ (X.690 8.1.2.4.2 (c))
+
.. _release7.6:
7.6
diff --git a/pyderasn.py b/pyderasn.py
index 15ca386..df0eb8f 100755
--- a/pyderasn.py
+++ b/pyderasn.py
@@ -1201,7 +1201,7 @@ except ImportError: # pragma: no cover
def colored(what, *args, **kwargs):
return what
-__version__ = "7.6"
+__version__ = "7.7"
__all__ = (
"agg_octet_string",
@@ -1558,6 +1558,8 @@ def tag_strip(data):
raise DecodeError("unfinished tag")
if indexbytes(data, i) & 0x80 == 0:
break
+ if i > 1 and indexbytes(data, 1) & 0x7F == 0:
+ raise DecodeError("leading zero byte in tag value")
i += 1
return data[:i], i, data[i:]
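Review bot: The `i > 1` guard on the added check exempts a tag with exactly one subsequent octet, so the bytes `1F 00` (long form carrying tag number 0) still appear to be accepted although bits 7 to 1 of the first subsequent octet are all zero, which is what the X.690 8.1.2.4.2 (c) rule cited in doc/news.rst forbids. Dropping the guard, `if indexbytes(data, 1) & 0x7F == 0:`, would reject both `0x80` and `0x00` in that position, and the index is safe because the loop above only exits with `1 <= i < len(data)`. Long-form encodings of numbers 1 to 30 (for example `1F 1E`) also look accepted as far as this hunk shows; for a DER decoder each such alternative encoding is a canonicalisation gap, since two different byte strings then decode to the same tag. The new test in tests/test_pyderasn.py only inserts `0x80` for numbers from 31 up, so neither case is exercised. tag_strip starts above the hunk and the indentation is flattened on this page, so this assumes the check runs after the loop has found the last octet.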
diff --git a/tests/test_pyderasn.py b/tests/test_pyderasn.py
index 9a38fdd..fcf8781 100644
--- a/tests/test_pyderasn.py
+++ b/tests/test_pyderasn.py
@@ -276,6 +276,13 @@ class TestTagCoder(TestCase):
with self.assertRaises(DecodeError):
len_decode(octets)
+ @given(tag_classes, tag_forms, integers(min_value=31))
+ def test_leading_zero_byte(self, klass, form, num):
+ raw = tag_encode(klass=klass, form=form, num=num)
+ raw = b"".join((raw[:1], b"\x80", raw[1:]))
+ with assertRaisesRegex(self, DecodeError, "leading zero byte"):
+ tag_strip(raw)
+
class TestLenCoder(TestCase):
@settings(max_examples=LONG_TEST_MAX_EXAMPLES)