[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Dr. Stephen Henson
steve at openssl.org
Fri Apr 29 19:02:44 UTC 2016
The branch OpenSSL_1_0_2-stable has been updated
via 9b08619cb45e75541809b1154c90e1a00450e537 (commit)
via 66e731ab09f2c652d0e179df3df10d069b407604 (commit)
via 65cb92f4da37a3895437f0c9940ee0bcf9f28c8a (commit)
from 4436299296cc10c6d6611b066b4b73dc0bdae1a6 (commit)
- Log -----------------------------------------------------------------
commit 9b08619cb45e75541809b1154c90e1a00450e537
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Apr 28 19:45:44 2016 +0100
Add checks to X509_NAME_oneline()
Sanity check field lengths and sums to avoid potential overflows and reject
excessively large X509_NAME structures.
Issue reported by Guido Vranken.
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit 77076dc944f76e821e4eae3a6563b853ce00c0ed)
Conflicts:
crypto/x509/x509_err.c
crypto/x509/x509_obj.c
commit 66e731ab09f2c652d0e179df3df10d069b407604
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Apr 28 13:09:27 2016 +0100
Sanity check buffer length.
Reject zero length buffers passed to X509_NAME_onelne().
Issue reported by Guido Vranken.
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit b33d1141b6dcce947708b984c5e9e91dad3d675d)
commit 65cb92f4da37a3895437f0c9940ee0bcf9f28c8a
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Apr 28 12:55:29 2016 +0100
Add size limit to X509_NAME structure.
This adds an explicit limit to the size of an X509_NAME structure. Some
part of OpenSSL (e.g. TLS) already effectively limit the size due to
restrictions on certificate size.
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit 295f3a24919157e2f9021d0b1709353710ad63db)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/x_name.c | 11 +++++++++++
crypto/x509/x509.h | 1 +
crypto/x509/x509_err.c | 1 +
crypto/x509/x509_obj.c | 21 +++++++++++++++++++--
4 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
index 737c426..a858c29 100644
--- a/crypto/asn1/x_name.c
+++ b/crypto/asn1/x_name.c
@@ -66,6 +66,13 @@
typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
+/*
+ * Maximum length of X509_NAME: much larger than anything we should
+ * ever see in practice.
+ */
+
+#define X509_NAME_MAX (1024 * 1024)
+
static int x509_name_ex_d2i(ASN1_VALUE **val,
const unsigned char **in, long len,
const ASN1_ITEM *it,
@@ -192,6 +199,10 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
int i, j, ret;
STACK_OF(X509_NAME_ENTRY) *entries;
X509_NAME_ENTRY *entry;
+ if (len > X509_NAME_MAX) {
+ ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+ return 0;
+ }
q = p;
/* Get internal representation of Name */
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 99337b8..fc613ce 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -1305,6 +1305,7 @@ void ERR_load_X509_strings(void);
# define X509_R_LOADING_CERT_DIR 103
# define X509_R_LOADING_DEFAULTS 104
# define X509_R_METHOD_NOT_SUPPORTED 124
+# define X509_R_NAME_TOO_LONG 134
# define X509_R_NEWER_CRL_NOT_NEWER 132
# define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
# define X509_R_NO_CRL_NUMBER 130
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index 43cde18..1e779fe 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -151,6 +151,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
{ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"},
{ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"},
{ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"},
+ {ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"},
{ERR_REASON(X509_R_NEWER_CRL_NOT_NEWER), "newer crl not newer"},
{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),
"no cert set for us to verify"},
diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index d317f3a..f7daac2 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -63,6 +63,13 @@
#include <openssl/x509.h>
#include <openssl/buffer.h>
+/*
+ * Limit to ensure we don't overflow: much greater than
+ * anything enountered in practice.
+ */
+
+#define NAME_ONELINE_MAX (1024 * 1024)
+
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
{
X509_NAME_ENTRY *ne;
@@ -86,6 +93,8 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
goto err;
b->data[0] = '\0';
len = 200;
+ } else if (len == 0) {
+ return NULL;
}
if (a == NULL) {
if (b) {
@@ -110,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
type = ne->value->type;
num = ne->value->length;
+ if (num > NAME_ONELINE_MAX) {
+ X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
+ goto end;
+ }
q = ne->value->data;
#ifdef CHARSET_EBCDIC
if (type == V_ASN1_GENERALSTRING ||
@@ -154,6 +167,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
lold = l;
l += 1 + l1 + 1 + l2;
+ if (l > NAME_ONELINE_MAX) {
+ X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
+ goto end;
+ }
if (b != NULL) {
if (!BUF_MEM_grow(b, l + 1))
goto err;
@@ -206,7 +223,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
return (p);
err:
X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE);
- if (b != NULL)
- BUF_MEM_free(b);
+ end:
+ BUF_MEM_free(b);
return (NULL);
}
More information about the openssl-commits
mailing list