- Better checking for reading over buffer boundaries
- Zeroize altSubjectName chain memory before use
This commit is contained in:
Paul Bakker
parent
9195662a4c
commit
535e97dbab
2 changed files with 22 additions and 13 deletions
|
|
@ -45,6 +45,7 @@ Bugfix
|
||||||
* Handle encryption with private key and decryption with public key as per
|
* Handle encryption with private key and decryption with public key as per
|
||||||
RFC 2313
|
RFC 2313
|
||||||
* Handle empty certificate subject names
|
* Handle empty certificate subject names
|
||||||
|
* Prevent reading over buffer boundaries on X509 certificate parsing
|
||||||
|
|
||||||
Security
|
Security
|
||||||
* Fixed potential memory corruption on miscrafted client messages (found by
|
* Fixed potential memory corruption on miscrafted client messages (found by
|
||||||
|
|
|
||||||
|
|
@ -878,6 +878,7 @@ static int x509_get_subject_alt_name( unsigned char **p,
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
|
||||||
POLARSSL_ERR_ASN1_MALLOC_FAILED );
|
POLARSSL_ERR_ASN1_MALLOC_FAILED );
|
||||||
|
|
||||||
|
memset( cur->next, 0, sizeof( asn1_sequence ) );
|
||||||
cur = cur->next;
|
cur = cur->next;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -1355,7 +1356,8 @@ int x509parse_crt_der( x509_cert *crt, const unsigned char *buf, size_t buflen )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
if( memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
|
if( crt->sig_oid1.len != crt->sig_oid2.len ||
|
||||||
|
memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
|
||||||
{
|
{
|
||||||
x509_free( crt );
|
x509_free( crt );
|
||||||
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
|
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
|
||||||
|
|
@ -1776,7 +1778,8 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
if( memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
|
if( crl->sig_oid1.len != crl->sig_oid2.len ||
|
||||||
|
memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
|
||||||
{
|
{
|
||||||
x509_crl_free( crl );
|
x509_crl_free( crl );
|
||||||
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
|
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
|
||||||
|
|
@ -2530,7 +2533,8 @@ int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
|
||||||
SAFE_SNPRINTF();
|
SAFE_SNPRINTF();
|
||||||
}
|
}
|
||||||
|
|
||||||
if( memcmp( name->oid.p, OID_X520, 2 ) == 0 )
|
if( name->oid.len == 3 &&
|
||||||
|
memcmp( name->oid.p, OID_X520, 2 ) == 0 )
|
||||||
{
|
{
|
||||||
switch( name->oid.p[2] )
|
switch( name->oid.p[2] )
|
||||||
{
|
{
|
||||||
|
|
@ -2559,7 +2563,8 @@ int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
|
||||||
}
|
}
|
||||||
SAFE_SNPRINTF();
|
SAFE_SNPRINTF();
|
||||||
}
|
}
|
||||||
else if( memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
|
else if( name->oid.len == 9 &&
|
||||||
|
memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
|
||||||
{
|
{
|
||||||
switch( name->oid.p[8] )
|
switch( name->oid.p[8] )
|
||||||
{
|
{
|
||||||
|
|
@ -3071,8 +3076,8 @@ int x509_wildcard_verify( const char *cn, x509_buf *name )
|
||||||
if( cn_idx == 0 )
|
if( cn_idx == 0 )
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
|
||||||
if( memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 &&
|
if( strlen( cn ) - cn_idx == name->len - 1 &&
|
||||||
strlen( cn ) - cn_idx == name->len - 1 )
|
memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
|
||||||
{
|
{
|
||||||
return( 1 );
|
return( 1 );
|
||||||
}
|
}
|
||||||
|
|
@ -3114,11 +3119,12 @@ int x509parse_verify( x509_cert *crt,
|
||||||
|
|
||||||
while( cur != NULL )
|
while( cur != NULL )
|
||||||
{
|
{
|
||||||
if( memcmp( cn, cur->buf.p, cn_len ) == 0 &&
|
if( cur->buf.len == cn_len &&
|
||||||
cur->buf.len == cn_len )
|
memcmp( cn, cur->buf.p, cn_len ) == 0 )
|
||||||
break;
|
break;
|
||||||
|
|
||||||
if( memcmp( cur->buf.p, "*.", 2 ) == 0 &&
|
if( cur->buf.len > 2 &&
|
||||||
|
memcmp( cur->buf.p, "*.", 2 ) == 0 &&
|
||||||
x509_wildcard_verify( cn, &cur->buf ) )
|
x509_wildcard_verify( cn, &cur->buf ) )
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
|
@ -3132,13 +3138,15 @@ int x509parse_verify( x509_cert *crt,
|
||||||
{
|
{
|
||||||
while( name != NULL )
|
while( name != NULL )
|
||||||
{
|
{
|
||||||
if( memcmp( name->oid.p, OID_CN, 3 ) == 0 )
|
if( name->oid.len == 3 &&
|
||||||
|
memcmp( name->oid.p, OID_CN, 3 ) == 0 )
|
||||||
{
|
{
|
||||||
if( memcmp( name->val.p, cn, cn_len ) == 0 &&
|
if( name->val.len == cn_len &&
|
||||||
name->val.len == cn_len )
|
memcmp( name->val.p, cn, cn_len ) == 0 )
|
||||||
break;
|
break;
|
||||||
|
|
||||||
if( memcmp( name->val.p, "*.", 2 ) == 0 &&
|
if( name->val.len > 2 &&
|
||||||
|
memcmp( name->val.p, "*.", 2 ) == 0 &&
|
||||||
x509_wildcard_verify( cn, &name->val ) )
|
x509_wildcard_verify( cn, &name->val ) )
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue