[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Wed Sep 14 09:24:57 UTC 2016


The branch OpenSSL_1_1_0-stable has been updated
       via  9496cf577ec4543a6db67092e784c1096a6424fc (commit)
      from  f7358595369fe08c26c95d37394f16be503524cf (commit)


- Log -----------------------------------------------------------------
commit 9496cf577ec4543a6db67092e784c1096a6424fc
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Sep 8 14:32:27 2016 +0100

    Add some sanity checks around usage of t_fromb64()
    
    The internal SRP function t_fromb64() converts from base64 to binary. It
    does not validate that the size of the destination is sufficiently large -
    that is up to the callers. In some places there was such a check, but not
    in others.
    
    Add an argument to t_fromb64() to provide the size of the destination
    buffer and validate that we don't write too much data. Also add some sanity
    checks to the callers where appropriate.
    
    With thanks to Shi Lei for reporting this issue.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 73f0df8331910d6726d45ecaab12bd93cc48b4e2)

-----------------------------------------------------------------------

Summary of changes:
 crypto/srp/srp_vfy.c | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 73ea4e6..188fad2 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -30,7 +30,7 @@ static char b64table[] =
 /*
  * Convert a base64 string into raw byte array representation.
  */
-static int t_fromb64(unsigned char *a, const char *src)
+static int t_fromb64(unsigned char *a, size_t alen, const char *src)
 {
     char *loc;
     int i, j;
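Review bot: The comment above `t_fromb64()` still describes only the conversion and says nothing about the new `alen` parameter or the new failure return. Since the commit message says bounds validation used to be left to callers, the contract should now be stated at the definition, for example `/* Convert a base64 string into raw bytes in a, which holds alen bytes. Returns the decoded length, or -1 if src (after leading whitespace) is longer than alen. */`. The "decoded length" wording is inferred from how callers pass the result to `BN_bin2bn()`; the function body continues outside this hunk.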
@@ -39,6 +39,9 @@ static int t_fromb64(unsigned char *a, const char *src)
     while (*src && (*src == ' ' || *src == '\t' || *src == '\n'))
         ++src;
     size = strlen(src);
+    if (alen > INT_MAX || size > (int)alen)
+        return -1;
+
     i = 0;
     while (i < size) {
         loc = strchr(b64table, src[i]);
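Review bot: The bound is checked only after `strlen(src)` has been stored in `size`, which the `(int)alen` cast suggests is an `int` (its declaration is outside the hunk). For a string longer than INT_MAX that conversion is implementation-defined and can leave `size` negative, which passes `size > (int)alen` and skips the loop instead of returning -1. Doing the comparison in `size_t` before narrowing avoids this: `size_t slen = strlen(src);` `if (slen > INT_MAX || slen > alen) return -1;` `size = (int)slen;`.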
@@ -181,13 +184,25 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
     unsigned char tmp[MAX_LEN];
     int len;
 
-    if (strlen(s) > MAX_LEN || strlen(v) > MAX_LEN)
+    vinfo->v = NULL;
+    vinfo->s = NULL;
+
+    len = t_fromb64(tmp, sizeof(tmp), v);
+    if (len < 0)
         return 0;
-    len = t_fromb64(tmp, v);
     if (NULL == (vinfo->v = BN_bin2bn(tmp, len, NULL)))
         return 0;
-    len = t_fromb64(tmp, s);
-    return ((vinfo->s = BN_bin2bn(tmp, len, NULL)) != NULL);
+    len = t_fromb64(tmp, sizeof(tmp), s);
+    if (len < 0)
+        goto err;
+    vinfo->s = BN_bin2bn(tmp, len, NULL);
+    if (vinfo->s == NULL)
+        goto err;
+    return 1;
+ err:
+    BN_free(vinfo->v);
+    vinfo->v = NULL;
+    return 0;
 }
 
 static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v)
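Review bot: Both calls in `SRP_user_pwd_set_sv()` reject only `len < 0`, whereas the `SRP_create_verifier()` hunks in this same commit use `<= 0`; the added call in `SRP_gN_new_init()` has the same `< 0` test. The old `== 0` checks suggest that 0 means nothing was decoded, so an empty or undecodable `v` or `s` would reach `BN_bin2bn(tmp, 0, NULL)` and be stored as a zero-valued verifier or salt. If a zero-length value is never valid here, use `if (len <= 0)` at both sites so the callers agree. Separately, `vinfo->v = NULL; vinfo->s = NULL;` assumes the caller passes a `vinfo` that does not already own BIGNUMs; that cannot be confirmed from this hunk.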
@@ -257,10 +272,13 @@ static SRP_gN_cache *SRP_gN_new_init(const char *ch)
     if (newgN == NULL)
         return NULL;
 
+    len = t_fromb64(tmp, sizeof(tmp), ch);
+    if (len < 0)
+        goto err;
+
     if ((newgN->b64_bn = OPENSSL_strdup(ch)) == NULL)
         goto err;
 
-    len = t_fromb64(tmp, ch);
     if ((newgN->bn = BN_bin2bn(tmp, len, NULL)))
         return newgN;
 
@@ -539,11 +557,11 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
         goto err;
 
     if (N) {
-        if ((len = t_fromb64(tmp, N)) == 0)
+        if ((len = t_fromb64(tmp, sizeof(tmp), N)) <= 0)
             goto err;
         N_bn_alloc = BN_bin2bn(tmp, len, NULL);
         N_bn = N_bn_alloc;
-        if ((len = t_fromb64(tmp, g)) == 0)
+        if ((len = t_fromb64(tmp, sizeof(tmp) ,g)) <= 0)
             goto err;
         g_bn_alloc = BN_bin2bn(tmp, len, NULL);
         g_bn = g_bn_alloc;
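Review bot: The results of `BN_bin2bn()` for `N_bn_alloc` and `g_bn_alloc` are still used without a NULL check in this hunk, although the commit adds exactly that check for `vinfo->s` in `SRP_user_pwd_set_sv()`. Adding `if (N_bn_alloc == NULL) goto err;` and `if (g_bn_alloc == NULL) goto err;` after the respective calls would make allocation failure explicit; whether later code tolerates a NULL here is outside the hunk. The same applies to `s = BN_bin2bn(tmp2, len, NULL);` in the following hunk. As a style nit, `sizeof(tmp) ,g` should read `sizeof(tmp), g`.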
@@ -563,7 +581,7 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
 
         s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
     } else {
-        if ((len = t_fromb64(tmp2, *salt)) == 0)
+        if ((len = t_fromb64(tmp2, sizeof(tmp2), *salt)) <= 0)
             goto err;
         s = BN_bin2bn(tmp2, len, NULL);
     }

