[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Dr. Stephen Henson steve at openssl.org
Fri Apr 29 19:02:44 UTC 2016


The branch OpenSSL_1_0_2-stable has been updated
       via  9b08619cb45e75541809b1154c90e1a00450e537 (commit)
       via  66e731ab09f2c652d0e179df3df10d069b407604 (commit)
       via  65cb92f4da37a3895437f0c9940ee0bcf9f28c8a (commit)
      from  4436299296cc10c6d6611b066b4b73dc0bdae1a6 (commit)


- Log -----------------------------------------------------------------
commit 9b08619cb45e75541809b1154c90e1a00450e537
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Apr 28 19:45:44 2016 +0100

    Add checks to X509_NAME_oneline()
    
    Sanity check field lengths and sums to avoid potential overflows and reject
    excessively large X509_NAME structures.
    
    Issue reported by Guido Vranken.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit 77076dc944f76e821e4eae3a6563b853ce00c0ed)
    
    Conflicts:
    	crypto/x509/x509_err.c
    	crypto/x509/x509_obj.c

commit 66e731ab09f2c652d0e179df3df10d069b407604
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Apr 28 13:09:27 2016 +0100

    Sanity check buffer length.
    
    Reject zero length buffers passed to X509_NAME_onelne().
    
    Issue reported by Guido Vranken.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit b33d1141b6dcce947708b984c5e9e91dad3d675d)

commit 65cb92f4da37a3895437f0c9940ee0bcf9f28c8a
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Apr 28 12:55:29 2016 +0100

    Add size limit to X509_NAME structure.
    
    This adds an explicit limit to the size of an X509_NAME structure. Some
    part of OpenSSL (e.g. TLS) already effectively limit the size due to
    restrictions on certificate size.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit 295f3a24919157e2f9021d0b1709353710ad63db)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/x_name.c   | 11 +++++++++++
 crypto/x509/x509.h     |  1 +
 crypto/x509/x509_err.c |  1 +
 crypto/x509/x509_obj.c | 21 +++++++++++++++++++--
 4 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
index 737c426..a858c29 100644
--- a/crypto/asn1/x_name.c
+++ b/crypto/asn1/x_name.c
@@ -66,6 +66,13 @@
 typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
 DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
 
+/*
+ * Maximum length of X509_NAME: much larger than anything we should
+ * ever see in practice.
+ */
+
+#define X509_NAME_MAX (1024 * 1024)
+
 static int x509_name_ex_d2i(ASN1_VALUE **val,
                             const unsigned char **in, long len,
                             const ASN1_ITEM *it,
@@ -192,6 +199,10 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
     int i, j, ret;
     STACK_OF(X509_NAME_ENTRY) *entries;
     X509_NAME_ENTRY *entry;
+    if (len > X509_NAME_MAX) {
+        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+        return 0;
+    }
     q = p;
 
     /* Get internal representation of Name */
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 99337b8..fc613ce 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -1305,6 +1305,7 @@ void ERR_load_X509_strings(void);
 # define X509_R_LOADING_CERT_DIR                          103
 # define X509_R_LOADING_DEFAULTS                          104
 # define X509_R_METHOD_NOT_SUPPORTED                      124
+# define X509_R_NAME_TOO_LONG                             134
 # define X509_R_NEWER_CRL_NOT_NEWER                       132
 # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY              105
 # define X509_R_NO_CRL_NUMBER                             130
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index 43cde18..1e779fe 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -151,6 +151,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
     {ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"},
     {ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"},
     {ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"},
+    {ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"},
     {ERR_REASON(X509_R_NEWER_CRL_NOT_NEWER), "newer crl not newer"},
     {ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),
      "no cert set for us to verify"},
diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index d317f3a..f7daac2 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -63,6 +63,13 @@
 #include <openssl/x509.h>
 #include <openssl/buffer.h>
 
+/*
+ * Limit to ensure we don't overflow: much greater than
+ * anything enountered in practice.
+ */
+
+#define NAME_ONELINE_MAX    (1024 * 1024)
+
 char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
 {
     X509_NAME_ENTRY *ne;
@@ -86,6 +93,8 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
             goto err;
         b->data[0] = '\0';
         len = 200;
+    } else if (len == 0) {
+        return NULL;
     }
     if (a == NULL) {
         if (b) {
@@ -110,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
 
         type = ne->value->type;
         num = ne->value->length;
+        if (num > NAME_ONELINE_MAX) {
+            X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
+            goto end;
+        }
         q = ne->value->data;
 #ifdef CHARSET_EBCDIC
         if (type == V_ASN1_GENERALSTRING ||
@@ -154,6 +167,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
 
         lold = l;
         l += 1 + l1 + 1 + l2;
+        if (l > NAME_ONELINE_MAX) {
+            X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
+            goto end;
+        }
         if (b != NULL) {
             if (!BUF_MEM_grow(b, l + 1))
                 goto err;
@@ -206,7 +223,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
     return (p);
  err:
     X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE);
-    if (b != NULL)
-        BUF_MEM_free(b);
+ end:
+    BUF_MEM_free(b);
     return (NULL);
 }


More information about the openssl-commits mailing list