[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Viktor Dukhovni
viktor at openssl.org
Wed Sep 2 14:02:39 UTC 2015
The branch OpenSSL_1_0_2-stable has been updated
via 40d5689458593aeca0d1a7f3591f7ccb48e459ac (commit)
via 39c76ceb2d3e51eaff95e04d6e4448f685718f8d (commit)
from 0a1682d8b53a61732877edf015438ecd7965bc21 (commit)
- Log -----------------------------------------------------------------
commit 40d5689458593aeca0d1a7f3591f7ccb48e459ac
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Tue Sep 1 21:59:08 2015 -0400
Cleaner handling of "cnid" in do_x509_check
Avoid using cnid = 0, use NID_undef instead, and return early instead
of trying to find an instance of that in the subject DN.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(cherry picked from commit fffc2faeb2b5cad4516cc624352d445284aa7522)
commit 39c76ceb2d3e51eaff95e04d6e4448f685718f8d
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Tue Sep 1 21:47:12 2015 -0400
Better handling of verify param id peername field
Initialize pointers in param id by the book (explicit NULL assignment,
rather than just memset 0).
In x509_verify_param_zero() set peername to NULL after freeing it.
In x509_vfy.c's internal check_hosts(), avoid potential leak of
possibly already non-NULL peername. This is only set when a check
succeeds, so don't need to do this repeatedly in the loop.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(cherry picked from commit a0724ef1c9b9e2090bdd96b784f492b6a3952957)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_vfy.c | 4 ++++
crypto/x509/x509_vpm.c | 15 +++++++++++----
crypto/x509v3/v3_utl.c | 10 +++++++---
3 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7bac197..ab94948 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -753,6 +753,10 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
int n = sk_OPENSSL_STRING_num(id->hosts);
char *name;
+ if (id->peername != NULL) {
+ OPENSSL_free(id->peername);
+ id->peername = NULL;
+ }
for (i = 0; i < n; ++i) {
name = sk_OPENSSL_STRING_value(id->hosts, i);
if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0)
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 1ea0c69..592a8a5 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -155,6 +155,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
}
if (paramid->peername)
OPENSSL_free(paramid->peername);
+ paramid->peername = NULL;
if (paramid->email) {
OPENSSL_free(paramid->email);
paramid->email = NULL;
@@ -165,7 +166,6 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
paramid->ip = NULL;
paramid->iplen = 0;
}
-
}
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
@@ -176,13 +176,20 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
param = OPENSSL_malloc(sizeof *param);
if (!param)
return NULL;
- paramid = OPENSSL_malloc(sizeof *paramid);
+ memset(param, 0, sizeof(*param));
+
+ paramid = OPENSSL_malloc(sizeof(*paramid));
if (!paramid) {
OPENSSL_free(param);
return NULL;
}
- memset(param, 0, sizeof *param);
- memset(paramid, 0, sizeof *paramid);
+ memset(paramid, 0, sizeof(*paramid));
+ /* Exotic platforms may have non-zero bit representation of NULL */
+ paramid->hosts = NULL;
+ paramid->peername = NULL;
+ paramid->email = NULL;
+ paramid->ip = NULL;
+
param->id = paramid;
x509_verify_param_zero(param);
return param;
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index bdd7b95..4d1ecc5 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -926,7 +926,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
GENERAL_NAMES *gens = NULL;
X509_NAME *name = NULL;
int i;
- int cnid;
+ int cnid = NID_undef;
int alt_type;
int san_present = 0;
int rv = 0;
@@ -949,7 +949,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
else
equal = equal_wildcard;
} else {
- cnid = 0;
alt_type = V_ASN1_OCTET_STRING;
equal = equal_case;
}
@@ -980,11 +979,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
GENERAL_NAMES_free(gens);
if (rv != 0)
return rv;
- if (!cnid
+ if (cnid == NID_undef
|| (san_present
&& !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
return 0;
}
+
+ /* We're done if CN-ID is not pertinent */
+ if (cnid == NID_undef)
+ return 0;
+
i = -1;
name = X509_get_subject_name(x);
while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
More information about the openssl-commits
mailing list