[openssl-commits] [openssl] OpenSSL_1_0_1-stable update
Dr. Stephen Henson
steve at openssl.org
Fri Apr 29 19:02:44 UTC 2016
The branch OpenSSL_1_0_1-stable has been updated
via 1c81a59503af23fa109e346c973e99c66222bf11 (commit)
via 0b34cf82238e19f61effe10a4f0db609798b522d (commit)
via 53d6c14befdf0414f658e663a0e7a4cf6382588f (commit)
from 6dfa55ab2fbd9a0f45c3ce088b1dd61800fb03d3 (commit)
- Log -----------------------------------------------------------------
commit 1c81a59503af23fa109e346c973e99c66222bf11
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Apr 28 19:45:44 2016 +0100
Add checks to X509_NAME_oneline()
Sanity check field lengths and sums to avoid potential overflows and reject
excessively large X509_NAME structures.
Issue reported by Guido Vranken.
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit 9b08619cb45e75541809b1154c90e1a00450e537)
Conflicts:
crypto/x509/x509.h
crypto/x509/x509_err.c
commit 0b34cf82238e19f61effe10a4f0db609798b522d
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Apr 28 13:09:27 2016 +0100
Sanity check buffer length.
Reject zero length buffers passed to X509_NAME_onelne().
Issue reported by Guido Vranken.
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit b33d1141b6dcce947708b984c5e9e91dad3d675d)
commit 53d6c14befdf0414f658e663a0e7a4cf6382588f
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Apr 28 12:55:29 2016 +0100
Add size limit to X509_NAME structure.
This adds an explicit limit to the size of an X509_NAME structure. Some
part of OpenSSL (e.g. TLS) already effectively limit the size due to
restrictions on certificate size.
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit 295f3a24919157e2f9021d0b1709353710ad63db)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/x_name.c | 11 +++++++++++
crypto/x509/x509.h | 1 +
crypto/x509/x509_err.c | 1 +
crypto/x509/x509_obj.c | 21 +++++++++++++++++++--
4 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
index 737c426..a858c29 100644
--- a/crypto/asn1/x_name.c
+++ b/crypto/asn1/x_name.c
@@ -66,6 +66,13 @@
typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
+/*
+ * Maximum length of X509_NAME: much larger than anything we should
+ * ever see in practice.
+ */
+
+#define X509_NAME_MAX (1024 * 1024)
+
static int x509_name_ex_d2i(ASN1_VALUE **val,
const unsigned char **in, long len,
const ASN1_ITEM *it,
@@ -192,6 +199,10 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
int i, j, ret;
STACK_OF(X509_NAME_ENTRY) *entries;
X509_NAME_ENTRY *entry;
+ if (len > X509_NAME_MAX) {
+ ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+ return 0;
+ }
q = p;
/* Get internal representation of Name */
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index a491174..bd600de 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -1281,6 +1281,7 @@ void ERR_load_X509_strings(void);
# define X509_R_LOADING_CERT_DIR 103
# define X509_R_LOADING_DEFAULTS 104
# define X509_R_METHOD_NOT_SUPPORTED 124
+# define X509_R_NAME_TOO_LONG 134
# define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
# define X509_R_PUBLIC_KEY_DECODE_ERROR 125
# define X509_R_PUBLIC_KEY_ENCODE_ERROR 126
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index 61a19f7..a2b8b7f 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -145,6 +145,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
{ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"},
{ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"},
{ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"},
+ {ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"},
{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),
"no cert set for us to verify"},
{ERR_REASON(X509_R_PUBLIC_KEY_DECODE_ERROR), "public key decode error"},
diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index d317f3a..f7daac2 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -63,6 +63,13 @@
#include <openssl/x509.h>
#include <openssl/buffer.h>
+/*
+ * Limit to ensure we don't overflow: much greater than
+ * anything enountered in practice.
+ */
+
+#define NAME_ONELINE_MAX (1024 * 1024)
+
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
{
X509_NAME_ENTRY *ne;
@@ -86,6 +93,8 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
goto err;
b->data[0] = '\0';
len = 200;
+ } else if (len == 0) {
+ return NULL;
}
if (a == NULL) {
if (b) {
@@ -110,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
type = ne->value->type;
num = ne->value->length;
+ if (num > NAME_ONELINE_MAX) {
+ X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
+ goto end;
+ }
q = ne->value->data;
#ifdef CHARSET_EBCDIC
if (type == V_ASN1_GENERALSTRING ||
@@ -154,6 +167,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
lold = l;
l += 1 + l1 + 1 + l2;
+ if (l > NAME_ONELINE_MAX) {
+ X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
+ goto end;
+ }
if (b != NULL) {
if (!BUF_MEM_grow(b, l + 1))
goto err;
@@ -206,7 +223,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
return (p);
err:
X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE);
- if (b != NULL)
- BUF_MEM_free(b);
+ end:
+ BUF_MEM_free(b);
return (NULL);
}
More information about the openssl-commits
mailing list