[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Viktor Dukhovni viktor at openssl.org
Wed Sep 2 14:02:39 UTC 2015 

The branch OpenSSL_1_0_2-stable has been updated
       via  40d5689458593aeca0d1a7f3591f7ccb48e459ac (commit)
       via  39c76ceb2d3e51eaff95e04d6e4448f685718f8d (commit)
      from  0a1682d8b53a61732877edf015438ecd7965bc21 (commit)


- Log -----------------------------------------------------------------
commit 40d5689458593aeca0d1a7f3591f7ccb48e459ac
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Tue Sep 1 21:59:08 2015 -0400

    Cleaner handling of "cnid" in do_x509_check
    
    Avoid using cnid = 0, use NID_undef instead, and return early instead
    of trying to find an instance of that in the subject DN.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit fffc2faeb2b5cad4516cc624352d445284aa7522)

commit 39c76ceb2d3e51eaff95e04d6e4448f685718f8d
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Tue Sep 1 21:47:12 2015 -0400

    Better handling of verify param id peername field
    
    Initialize pointers in param id by the book (explicit NULL assignment,
    rather than just memset 0).
    
    In x509_verify_param_zero() set peername to NULL after freeing it.
    
    In x509_vfy.c's internal check_hosts(), avoid potential leak of
    possibly already non-NULL peername.  This is only set when a check
    succeeds, so don't need to do this repeatedly in the loop.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    
    (cherry picked from commit a0724ef1c9b9e2090bdd96b784f492b6a3952957)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vfy.c |  4 ++++
 crypto/x509/x509_vpm.c | 15 +++++++++++----
 crypto/x509v3/v3_utl.c | 10 +++++++---
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7bac197..ab94948 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -753,6 +753,10 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
     int n = sk_OPENSSL_STRING_num(id->hosts);
     char *name;
 
+    if (id->peername != NULL) {
+        OPENSSL_free(id->peername);
+        id->peername = NULL;
+    }
     for (i = 0; i < n; ++i) {
         name = sk_OPENSSL_STRING_value(id->hosts, i);
         if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0)
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 1ea0c69..592a8a5 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -155,6 +155,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
     }
     if (paramid->peername)
         OPENSSL_free(paramid->peername);
+    paramid->peername = NULL;
     if (paramid->email) {
         OPENSSL_free(paramid->email);
         paramid->email = NULL;
@@ -165,7 +166,6 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
         paramid->ip = NULL;
         paramid->iplen = 0;
     }
-
 }
 
 X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
@@ -176,13 +176,20 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
     param = OPENSSL_malloc(sizeof *param);
     if (!param)
         return NULL;
-    paramid = OPENSSL_malloc(sizeof *paramid);
+    memset(param, 0, sizeof(*param));
+
+    paramid = OPENSSL_malloc(sizeof(*paramid));
     if (!paramid) {
         OPENSSL_free(param);
         return NULL;
     }
-    memset(param, 0, sizeof *param);
-    memset(paramid, 0, sizeof *paramid);
+    memset(paramid, 0, sizeof(*paramid));
+    /* Exotic platforms may have non-zero bit representation of NULL */
+    paramid->hosts = NULL;
+    paramid->peername = NULL;
+    paramid->email = NULL;
+    paramid->ip = NULL;
+
     param->id = paramid;
     x509_verify_param_zero(param);
     return param;
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index bdd7b95..4d1ecc5 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -926,7 +926,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
     GENERAL_NAMES *gens = NULL;
     X509_NAME *name = NULL;
     int i;
-    int cnid;
+    int cnid = NID_undef;
     int alt_type;
     int san_present = 0;
     int rv = 0;
@@ -949,7 +949,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
         else
             equal = equal_wildcard;
     } else {
-        cnid = 0;
         alt_type = V_ASN1_OCTET_STRING;
         equal = equal_case;
     }
@@ -980,11 +979,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
         GENERAL_NAMES_free(gens);
         if (rv != 0)
             return rv;
-        if (!cnid
+        if (cnid == NID_undef
             || (san_present
                 && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
             return 0;
     }
+
+    /* We're done if CN-ID is not pertinent */
+    if (cnid == NID_undef)
+        return 0;
+
     i = -1;
     name = X509_get_subject_name(x);
     while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {

More information about the openssl-commits mailing list