[openssl] master update

Dr. Paul Dale pauli at openssl.org
Tue Aug 31 10:48:03 UTC 2021


The branch master has been updated
       via  59f4a51a7f2c53b9fd161b032d0fcb8a85f4f19d (commit)
       via  c7f8edfc1186a48463c14cfdc7f70456cbcb1cda (commit)
      from  5595058714832bdff03604c881cf44f91c14b5fc (commit)


- Log -----------------------------------------------------------------
commit 59f4a51a7f2c53b9fd161b032d0fcb8a85f4f19d
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Aug 26 10:03:51 2021 +0100

    Add a test for verifying an email with a bad othername type
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16443)

commit c7f8edfc1186a48463c14cfdc7f70456cbcb1cda
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Aug 26 09:43:50 2021 +0100

    Ensure that we check the ASN.1 type of an "otherName" before using it
    
    We should not assume that the type of an ASN.1 value is UTF8String as
    expected. We must actually check it, otherwise we could get a NULL ptr
    deref, or worse memory errors.
    
    Reported by David Benjamin.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16443)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/v3_utl.c            | 17 ++++++++++++-----
 test/recipes/25-test_eai_data.t | 14 ++++++++++++--
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 5c63d2d9d8..a70917a39b 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -901,12 +901,19 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
                 if (OBJ_obj2nid(gen->d.otherName->type_id) ==
                     NID_id_on_SmtpUTF8Mailbox) {
                     san_present = 1;
-                    cstr = gen->d.otherName->value->value.utf8string;
 
-                    /* Positive on success, negative on error! */
-                    if ((rv = do_check_string(cstr, 0, equal, flags,
-                                              chk, chklen, peername)) != 0)
-                        break;
+                    /*
+                     * If it is not a UTF8String then that is unexpected and we
+                     * treat it as no match
+                     */
+                    if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
+                        cstr = gen->d.otherName->value->value.utf8string;
+
+                        /* Positive on success, negative on error! */
+                        if ((rv = do_check_string(cstr, 0, equal, flags,
+                                                chk, chklen, peername)) != 0)
+                            break;
+                    }
                 } else
                     continue;
             } else {
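Review bot: `san_present = 1;` on the line above the new type check still fires for a SmtpUTF8Mailbox otherName whose value is not a UTF8String, so a mistyped entry counts as a present SAN even though it can never match; if san_present later suppresses the fallback to the Subject emailAddress, as its name suggests (that code is outside the hunk), a certificate carrying only a malformed entry is rejected outright rather than falling back. That is probably the right conservative outcome for a malformed extension, but the new comment only says the value is treated as no match, so the ordering reads as accidental. I would state it explicitly, e.g. `/* A mistyped value still counts as a present SAN: it cannot match, but it must not re-enable any fallback to the subject DN. */`, or move `san_present = 1;` inside the type check if fallback is actually wanted there. The enclosing do_x509_check() begins before this hunk.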
diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
index 8aebf5d621..522982ddfb 100644
--- a/test/recipes/25-test_eai_data.t
+++ b/test/recipes/25-test_eai_data.t
@@ -12,7 +12,7 @@ use warnings;
 
 use File::Spec;
 use OpenSSL::Test::Utils;
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_file with/;
 
 setup("test_eai_data");
 
@@ -21,7 +21,7 @@ setup("test_eai_data");
 #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
 #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
 
-plan tests => 11;
+plan tests => 12;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 my $folder = "test/recipes/25-test_eai_data";
@@ -60,3 +60,13 @@ ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile"
 ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
 ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem,  $ascii_pem])));
 
+#Check that we get the expected failure return code
+with({ exit_checker => sub { return shift == 2; } },
+     sub {
+        ok(run(app(["openssl", "verify", "-CAfile",
+                    srctop_file("test", "certs", "bad-othername-namec.pem"),
+                    "-partial_chain", "-no_check_time", "-verify_email",
+                    'foo at example.com',
+                    srctop_file("test", "certs", "bad-othername-namec.pem")])));
+     });
+
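Review bot: The exit status `2` in the exit_checker is a bare magic number; a one-line comment above the `with(...)` such as `# 2 is the verify app's "verification failed" status; a crash or usage error would not satisfy this check` would tell the next reader why that value, and not merely "non-zero", is what distinguishes a clean name mismatch from the pre-fix NULL dereference (I am inferring the meaning of 2 from the surrounding text, so confirm it against apps/verify.c). This hunk only pins the negative case; unless another test in this file already runs `-verify_email` against a correctly typed SmtpUTF8Mailbox otherName, a companion positive run would show the new type guard does not break the good path. Note that `'foo at example.com'` appears to be the list archive's address mangling of the literal the test actually passes.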

