mbedtls_x509_crt_parse_der_with_ext_cb improvement
Continue parsing when the callback fails to parse a non critical
exception. Also document the behaviour more extensively and pass
the callback error code to the caller unaltered.
See https://github.com/ARMmbed/mbedtls/pull/3243#discussion_r432630548
and https://github.com/ARMmbed/mbedtls/pull/3243#discussion_r432630968
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 296b472..9a9b397 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -317,9 +317,14 @@
* \param p Pointer to the start of the extension value
* (the content of the OCTET STRING).
* \param end End of extension value.
- *
- * \note The callback must fail and return a negative error code if
- * it can not parse or does not support the extension.
+ *
+ * \note The callback must fail and return a negative error code
+ * if it can not parse or does not support the extension.
+ * When the callback fails to parse a critical extension
+ * mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
+ * When the callback fails to parse a non critical extension
+ * mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
+ * the extension and continues parsing.
*
* \return \c 0 on success.
* \return A negative error code on failure.
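Review bot: the new \note in this hunk leaves out the other behaviour change in this commit, namely that when the callback fails on a critical extension its return value is now handed back to the caller unaltered (previously it was offset by MBEDTLS_ERR_X509_INVALID_EXTENSIONS); add a sentence to that effect so callers know which error code to expect. Minor: write "non-critical" with a hyphen on the added lines, and the "-  *" / "+  *" pair at the top of the hunk looks like a whitespace-only change that could be dropped to keep the diff focused.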
@@ -358,6 +363,11 @@
* certificate extension.
* The callback must return a negative error code if it
* does not know how to handle such an extension.
+ * When the callback fails to parse a critical extension
+ * mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
+ * When the callback fails to parse a non critical extension
+ * mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
+ * the extension and continues parsing.
*
* \return \c 0 if successful.
* \return A negative error code on failure.
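Review bot: the five added lines repeat the \note added to the callback documentation in the previous hunk word for word; keep the full description in one place and cross-reference it from the other so the two copies do not drift apart. Whichever copy stays should also say that a failure on a non-critical extension is silent from the caller's point of view: the callback's error code is discarded and mbedtls_x509_crt_parse_der_with_ext_cb() gives no indication that an extension was skipped, which matters to callers that want to detect unsupported extensions rather than ignore them.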
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 99d3be2..490b524 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -961,8 +961,8 @@
if( cb != NULL )
{
ret = cb( p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet );
- if( ret != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ if( ret != 0 && is_critical )
+ return( ret );
*p = end_ext_octet;
continue;
}
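Review bot: `if( ret != 0 && is_critical ) return( ret );` passes the callback's value through unmodified, so a callback that breaks the documented contract and returns a positive non-zero value would make the parser return a positive "error" that callers checking `ret < 0` will treat as success; consider normalising it, e.g. `return( ret < 0 ? ret : MBEDTLS_ERR_X509_INVALID_EXTENSIONS );`. Two smaller points: the removed `MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret` wrapping let a caller tell an extension-callback failure apart from the same low-level error raised elsewhere during parsing, and returning `ret` raw gives that up, which is intended per the commit message but deserves a short code comment; and on the non-critical path the non-zero `ret` is dropped before `*p = end_ext_octet; continue;`, so the skipped-extension case is not observable at all, which should be noted next to the check.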