[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Matt Caswell
matt at openssl.org
Tue Jul 3 10:24:13 UTC 2018
The branch OpenSSL_1_1_0-stable has been updated
via 9d4167241c8fa15b3ae77651109aac7fa66ac17b (commit)
from 1e8cb18d499604c1766bfcec23a358888eaf6551 (commit)
- Log -----------------------------------------------------------------
commit 9d4167241c8fa15b3ae77651109aac7fa66ac17b
Author: Matt Caswell <matt at openssl.org>
Date: Mon Jul 2 14:09:03 2018 +0100
Don't create an invalid CertificateRequest
We should validate that the various fields we put into the
CertificateRequest are not too long. Otherwise we will construct an
invalid message.
Fixes #6609
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6628)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_locl.h | 2 ++
ssl/statem/statem_srvr.c | 15 +++++++++++++++
2 files changed, 17 insertions(+)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index f5b03df..374fa0e 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -164,6 +164,8 @@
(c)[1]=(unsigned char)(((l)>> 8)&0xff), \
(c)[2]=(unsigned char)(((l) )&0xff)),(c)+=3)
+# define SSL_MAX_2_BYTE_LEN (0xffff)
+
/*
* DTLS version numbers are strange because they're inverted. Except for
* DTLS1_BAD_VER, which should be considered "lower" than the rest.
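Review bot: The new `SSL_MAX_2_BYTE_LEN` define has no comment saying what it bounds. Since it is used as a wire-format limit in statem_srvr.c, a one-line comment above it such as `/* Largest value representable in a 2-byte TLS length field */` would make that intent explicit and discourage reuse for unrelated size checks. The surrounding macro block and the DTLS comment continue outside the hunk.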
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 10301f1..378eae2 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2006,6 +2006,11 @@ int tls_construct_certificate_request(SSL *s)
const unsigned char *psigs;
unsigned char *etmp = p;
nl = tls12_get_psigalgs(s, 1, &psigs);
+ if (nl > SSL_MAX_2_BYTE_LEN) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
+ SSL_R_LENGTH_TOO_LONG);
+ goto err;
+ }
/* Skip over length for now */
p += 2;
nl = tls12_copy_sigalgs(s, p, psigs, nl);
@@ -2025,6 +2030,11 @@ int tls_construct_certificate_request(SSL *s)
for (i = 0; i < sk_X509_NAME_num(sk); i++) {
name = sk_X509_NAME_value(sk, i);
j = i2d_X509_NAME(name, NULL);
+ if (j > SSL_MAX_2_BYTE_LEN) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
+ SSL_R_LENGTH_TOO_LONG);
+ goto err;
+ }
if (!BUF_MEM_grow_clean(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_BUF_LIB);
goto err;
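Review bot: The added bound on `j` rejects only over-long encodings, but `i2d_X509_NAME(name, NULL)` returns a negative value on encoding failure. That value passes this check and flows into the `BUF_MEM_grow_clean` size and the `n += 2 + j` / `nl += 2 + j` arithmetic in the next hunk. Assuming `j` is a signed int (its declaration is outside the hunk), the guard should read `if (j < 0 || j > SSL_MAX_2_BYTE_LEN) {`, ideally with a separate error reason for the failure case. The second call, `i2d_X509_NAME(name, &p)`, in the following hunk also ignores its return value. The body of tls_construct_certificate_request starts and ends outside these hunks.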
@@ -2034,6 +2044,11 @@ int tls_construct_certificate_request(SSL *s)
i2d_X509_NAME(name, &p);
n += 2 + j;
nl += 2 + j;
+ if (nl > SSL_MAX_2_BYTE_LEN) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
+ SSL_R_LENGTH_TOO_LONG);
+ goto err;
+ }
}
}
/* else no CA names */