Check for invalid leading zeros in CBS_get_asn1_uint64.

ASN.1 integers cannot have all zeros or all ones for the first 9 bits.
This rule ensures the numbers are encoded with the smallest number of
content octets (see ITU-T Rec X.690 section 8.3.2).

Based on BoringSSL commit 5933723b7b592e9914f703d630b596e140c93e16

ok deraadt@ jsing@

1 files changed, 4 insertions, 2 deletions

diff --git a/src/regress/lib/libssl/bytestring/bytestringtest.c b/src/regress/lib/libssl/bytestring/bytestringtest.c
index 8269151127..7ae9397a35 100644
--- a/src/regress/lib/libssl/bytestring/bytestringtest.c
+++ b/src/regress/lib/libssl/bytestring/bytestringtest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bytestringtest.c,v 1.3 2015/02/16 06:48:17 doug Exp $ */
+/*      $OpenBSD: bytestringtest.c,v 1.4 2015/04/25 15:28:47 doug Exp $ */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -607,8 +607,10 @@ static const ASN1_INVALID_UINT64_TEST kAsn1InvalidUint64Tests[] = {
         {"\x02\x00", 2},
         /* Negative number. */
         {"\x02\x01\x80", 3},
-        /* Overflow */
+        /* Overflow. */
         {"\x02\x09\x01\x00\x00\x00\x00\x00\x00\x00\x00", 11},
+        /* Leading zeros. */
+        {"\x02\x02\x00\x01", 4},
 };
 
 static int