[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Tue Apr 3 14:57:24 UTC 2018


The branch OpenSSL_1_1_0-stable has been updated
       via  afa2a54bb99e4260100a6abdb72f83f97824f2e7 (commit)
      from  b854bb40364e96eac6239e07ad41292cd4de5a70 (commit)


- Log -----------------------------------------------------------------
commit afa2a54bb99e4260100a6abdb72f83f97824f2e7
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 29 09:17:11 2018 +0100

    Fix a text canonicalisation bug in CMS
    
    Where a CMS detached signature is used with text content the text goes
    through a canonicalisation process first prior to signing or verifying a
    signature. This process strips trailing space at the end of lines, converts
    line terminators to CRLF and removes additional trailing line terminators
    at the end of a file. A bug in the canonicalisation process meant that
    some characters, such as form-feed, were incorrectly treated as whitespace
    and removed. This is contrary to the specification (RFC5485). This fix
    could mean that detached text data signed with an earlier version of
    OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
    signed with a fixed OpenSSL may fail to verify with an earlier version of
    OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
    and use the "-binary" flag (for the "cms" command line application) or set
    the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5791)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                | 17 ++++++++++++++++-
 crypto/asn1/asn_mime.c |  8 +++++---
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index e15a289..7199f3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,22 @@
 
  Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
 
-  *)
+  *) Fixed a text canonicalisation bug in CMS
+
+     Where a CMS detached signature is used with text content the text goes
+     through a canonicalisation process first prior to signing or verifying a
+     signature. This process strips trailing space at the end of lines, converts
+     line terminators to CRLF and removes additional trailing line terminators
+     at the end of a file. A bug in the canonicalisation process meant that
+     some characters, such as form-feed, were incorrectly treated as whitespace
+     and removed. This is contrary to the specification (RFC5485). This fix
+     could mean that detached text data signed with an earlier version of
+     OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
+     signed with a fixed OpenSSL may fail to verify with an earlier version of
+     OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
+     and use the "-binary" flag (for the "cms" command line application) or set
+     the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
+     [Matt Caswell]
 
  Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
 
diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c
index 84475e9..da0085f 100644
--- a/crypto/asn1/asn_mime.c
+++ b/crypto/asn1/asn_mime.c
@@ -969,12 +969,14 @@ static int strip_eol(char *linebuf, int *plen, int flags)
     p = linebuf + len - 1;
     for (p = linebuf + len - 1; len > 0; len--, p--) {
         c = *p;
-        if (c == '\n')
+        if (c == '\n') {
             is_eol = 1;
-        else if (is_eol && flags & SMIME_ASCIICRLF && c < 33)
+        } else if (is_eol && flags & SMIME_ASCIICRLF && c == 32) {
+            /* Strip trailing space on a line; 32 == ASCII for ' ' */
             continue;
-        else if (c != '\r')
+        } else if (c != '\r') {
             break;
+        }
     }
     *plen = len;
     return is_eol;


More information about the openssl-commits mailing list