[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Mon Jan 22 10:18:35 UTC 2018


The branch OpenSSL_1_1_0-stable has been updated
       via  462163e91a6f06e8bf0791a01f6e0a1897ad2081 (commit)
       via  f2982ad79c9eeac4d8ee4225056f971eadf9302b (commit)
      from  42999a230f893d63a17dd9aca4f8df5c860fc836 (commit)


- Log -----------------------------------------------------------------
commit 462163e91a6f06e8bf0791a01f6e0a1897ad2081
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Jan 19 14:48:45 2018 +0000

    Don't crash on a missing Subject in index.txt
    
    An index.txt entry which has an empty Subject name field will cause ca
    to crash. Therefore check it when we load it to make sure it's not empty.
    
    Fixes #5109
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5114)
    
    (cherry picked from commit 1e05c6d07ff963107286d028f6778d2ccc863a9a)

commit f2982ad79c9eeac4d8ee4225056f971eadf9302b
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Jan 19 14:34:56 2018 +0000

    Don't allow an empty Subject when creating a Certificate
    
    Misconfiguration (e.g. an empty policy section in the config file) can
    lead to an empty Subject. Since certificates should have unique Subjects
    this should not be allowed.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5114)
    
    (cherry picked from commit e505f1e86874acfd98826d64c53bf2ddfd9c1399)

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/apps/ca.c b/apps/ca.c
index 2648549..633f6e3 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -666,6 +666,10 @@ end_of_options:
                 goto end;
             }
         }
+        if (pp[DB_name][0] == '\0') {
+            BIO_printf(bio_err, "entry %d: bad Subject\n", i + 1);
+            goto end;
+        }
     }
     if (verbose) {
         TXT_DB_write(bio_out, db->db);
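Review bot: the new test `pp[DB_name][0] == '\0'` dereferences pp[DB_name] with no NULL guard visible in this hunk, so if the index loader can ever leave that field unset, the check added to prevent a crash would itself crash. Either confirm the loader guarantees a non-NULL string for every field or test `pp[DB_name] == NULL || pp[DB_name][0] == '\0'`. The message "entry %d: bad Subject" could also say "empty Subject", since that is the only condition tested here and it tells the operator what to fix in index.txt.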
@@ -1405,6 +1409,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
                    "The Subject's Distinguished Name is as follows\n");
 
     name = X509_REQ_get_subject_name(req);
+    if (X509_NAME_entry_count(name) == 0) {
+        BIO_printf(bio_err, "Error: The supplied Subject is empty\n");
+        goto end;
+    }
     for (i = 0; i < X509_NAME_entry_count(name); i++) {
         ne = X509_NAME_get_entry(name, i);
         str = X509_NAME_ENTRY_get_data(ne);
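Review bot: the empty-Subject check is placed after the "The Subject's Distinguished Name is as follows" output shown in the context above, so when that header is printed a rejected request produces the header followed directly by the error. Moving the `X509_NAME_entry_count(name) == 0` test ahead of that print would keep the output clean. It would also help to say in the message that the Subject in question is the one from the certificate request, to distinguish it from the post-policy check added later in do_body.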
@@ -1570,6 +1578,12 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
             goto end;
     }
 
+    if (X509_NAME_entry_count(subject) == 0) {
+        BIO_printf(bio_err,
+                   "Error: After applying policy the Subject is empty\n");
+        goto end;
+    }
+
     if (verbose)
         BIO_printf(bio_err,
                    "The subject name appears to be ok, checking data base for clashes\n");
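Review bot: the message "After applying policy the Subject is empty" in this hunk does not tell the operator where to look, while the commit message names the likely cause (an empty policy section in the config file). Consider naming the policy section that was applied, or at least adding a hint to check it in the configuration. A short comment above the `X509_NAME_entry_count(subject) == 0` test explaining why an empty Subject is refused would also help, since this is a hard failure with no override visible in the hunk.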

