[openssl-commits] [openssl] master update

Viktor Dukhovni viktor at openssl.org
Wed Sep 2 13:53:55 UTC 2015 

The branch master has been updated
       via  fffc2faeb2b5cad4516cc624352d445284aa7522 (commit)
       via  a0724ef1c9b9e2090bdd96b784f492b6a3952957 (commit)
      from  246b52f39aac36d1f4bc705c27c6354cb67041f4 (commit)


- Log -----------------------------------------------------------------
commit fffc2faeb2b5cad4516cc624352d445284aa7522
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Tue Sep 1 21:59:08 2015 -0400

    Cleaner handling of "cnid" in do_x509_check
    
    Avoid using cnid = 0, use NID_undef instead, and return early instead
    of trying to find an instance of that in the subject DN.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit a0724ef1c9b9e2090bdd96b784f492b6a3952957
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Tue Sep 1 21:47:12 2015 -0400

    Better handling of verify param id peername field
    
    Initialize pointers in param id by the book (explicit NULL assignment,
    rather than just memset 0).
    
    In x509_verify_param_zero() set peername to NULL after freeing it.
    
    In x509_vfy.c's internal check_hosts(), avoid potential leak of
    possibly already non-NULL peername.  This is only set when a check
    succeeds, so don't need to do this repeatedly in the loop.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vfy.c |  4 ++++
 crypto/x509/x509_vpm.c | 10 +++++++++-
 crypto/x509v3/v3_utl.c | 10 +++++++---
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7d770c5..45d53a0 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -767,6 +767,10 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
     int n = sk_OPENSSL_STRING_num(id->hosts);
     char *name;
 
+    if (id->peername != NULL) {
+        OPENSSL_free(id->peername);
+        id->peername = NULL;
+    }
     for (i = 0; i < n; ++i) {
         name = sk_OPENSSL_STRING_value(id->hosts, i);
         if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0)
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 5d8c5f8..eedc217 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -148,6 +148,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
     sk_OPENSSL_STRING_pop_free(paramid->hosts, str_free);
     paramid->hosts = NULL;
     OPENSSL_free(paramid->peername);
+    paramid->peername = NULL;
     OPENSSL_free(paramid->email);
     paramid->email = NULL;
     paramid->emaillen = 0;
@@ -164,13 +165,20 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
     param = OPENSSL_malloc(sizeof(*param));
     if (!param)
         return NULL;
+    memset(param, 0, sizeof(*param));
+
     paramid = OPENSSL_malloc(sizeof(*paramid));
     if (!paramid) {
         OPENSSL_free(param);
         return NULL;
     }
-    memset(param, 0, sizeof(*param));
     memset(paramid, 0, sizeof(*paramid));
+    /* Exotic platforms may have non-zero bit representation of NULL */
+    paramid->hosts = NULL;
+    paramid->peername = NULL;
+    paramid->email = NULL;
+    paramid->ip = NULL;
+
     param->id = paramid;
     x509_verify_param_zero(param);
     return param;
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 15029f9..6494d83 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -921,7 +921,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
     GENERAL_NAMES *gens = NULL;
     X509_NAME *name = NULL;
     int i;
-    int cnid;
+    int cnid = NID_undef;
     int alt_type;
     int san_present = 0;
     int rv = 0;
@@ -944,7 +944,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
         else
             equal = equal_wildcard;
     } else {
-        cnid = 0;
         alt_type = V_ASN1_OCTET_STRING;
         equal = equal_case;
     }
@@ -975,11 +974,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
         GENERAL_NAMES_free(gens);
         if (rv != 0)
             return rv;
-        if (!cnid
+        if (cnid == NID_undef
             || (san_present
                 && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
             return 0;
     }
+
+    /* We're done if CN-ID is not pertinent */
+    if (cnid == NID_undef)
+        return 0;
+
     i = -1;
     name = X509_get_subject_name(x);
     while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {

More information about the openssl-commits mailing list