diff options
| author | tobhe <> | 2021-03-13 23:01:49 +0000 |
|---|---|---|
| committer | tobhe <> | 2021-03-13 23:01:49 +0000 |
| commit | d14580de7d53e6c9e8f64e58e979f8d959902ad3 (patch) | |
| tree | 203add7eba338a639cc64ed6703102a30b3bdce1 | |
| parent | 7e76288f52757e10eb903fc2ae11c1d20abe6ae5 (diff) | |
| download | openbsd-d14580de7d53e6c9e8f64e58e979f8d959902ad3.tar.gz openbsd-d14580de7d53e6c9e8f64e58e979f8d959902ad3.tar.bz2 openbsd-d14580de7d53e6c9e8f64e58e979f8d959902ad3.zip | |
Use EXFLAG_INVALID to handle out of memory and parse errors in
x509v3_cache_extensions().
ok tb@
| -rw-r--r-- | src/lib/libcrypto/x509/x509_purp.c | 50 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 6 |
2 files changed, 45 insertions, 11 deletions
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c index f2d46658f6..3b8bd6b81c 100644 --- a/src/lib/libcrypto/x509/x509_purp.c +++ b/src/lib/libcrypto/x509/x509_purp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_purp.c,v 1.2 2020/09/13 15:06:17 beck Exp $ */ | 1 | /* $OpenBSD: x509_purp.c,v 1.3 2021/03/13 23:01:49 tobhe Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2001. | 3 | * project 2001. |
| 4 | */ | 4 | */ |
| @@ -132,6 +132,8 @@ X509_check_purpose(X509 *x, int id, int ca) | |||
| 132 | CRYPTO_w_lock(CRYPTO_LOCK_X509); | 132 | CRYPTO_w_lock(CRYPTO_LOCK_X509); |
| 133 | x509v3_cache_extensions(x); | 133 | x509v3_cache_extensions(x); |
| 134 | CRYPTO_w_unlock(CRYPTO_LOCK_X509); | 134 | CRYPTO_w_unlock(CRYPTO_LOCK_X509); |
| 135 | if (x->ex_flags & EXFLAG_INVALID) | ||
| 136 | return X509_V_ERR_UNSPECIFIED; | ||
| 135 | } | 137 | } |
| 136 | if (id == -1) | 138 | if (id == -1) |
| 137 | return 1; | 139 | return 1; |
| @@ -421,7 +423,12 @@ setup_crldp(X509 *x) | |||
| 421 | { | 423 | { |
| 422 | int i; | 424 | int i; |
| 423 | 425 | ||
| 424 | x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); | 426 | x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL); |
| 427 | if (x->crldp == NULL && i != -1) { | ||
| 428 | x->ex_flags |= EXFLAG_INVALID; | ||
| 429 | return; | ||
| 430 | } | ||
| 431 | |||
| 425 | for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) | 432 | for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) |
| 426 | setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); | 433 | setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); |
| 427 | } | 434 | } |
| @@ -449,7 +456,7 @@ x509v3_cache_extensions(X509 *x) | |||
| 449 | x->ex_flags |= EXFLAG_V1; | 456 | x->ex_flags |= EXFLAG_V1; |
| 450 | 457 | ||
| 451 | /* Handle basic constraints */ | 458 | /* Handle basic constraints */ |
| 452 | if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { | 459 | if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) { |
| 453 | if (bs->ca) | 460 | if (bs->ca) |
| 454 | x->ex_flags |= EXFLAG_CA; | 461 | x->ex_flags |= EXFLAG_CA; |
| 455 | if (bs->pathlen) { | 462 | if (bs->pathlen) { |
| @@ -463,10 +470,12 @@ x509v3_cache_extensions(X509 *x) | |||
| 463 | x->ex_pathlen = -1; | 470 | x->ex_pathlen = -1; |
| 464 | BASIC_CONSTRAINTS_free(bs); | 471 | BASIC_CONSTRAINTS_free(bs); |
| 465 | x->ex_flags |= EXFLAG_BCONS; | 472 | x->ex_flags |= EXFLAG_BCONS; |
| 473 | } else if (i != -1) { | ||
| 474 | x->ex_flags |= EXFLAG_INVALID; | ||
| 466 | } | 475 | } |
| 467 | 476 | ||
| 468 | /* Handle proxy certificates */ | 477 | /* Handle proxy certificates */ |
| 469 | if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { | 478 | if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) { |
| 470 | if (x->ex_flags & EXFLAG_CA || | 479 | if (x->ex_flags & EXFLAG_CA || |
| 471 | X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 || | 480 | X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 || |
| 472 | X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { | 481 | X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { |
| @@ -485,10 +494,12 @@ x509v3_cache_extensions(X509 *x) | |||
| 485 | x->ex_pcpathlen = -1; | 494 | x->ex_pcpathlen = -1; |
| 486 | PROXY_CERT_INFO_EXTENSION_free(pci); | 495 | PROXY_CERT_INFO_EXTENSION_free(pci); |
| 487 | x->ex_flags |= EXFLAG_PROXY; | 496 | x->ex_flags |= EXFLAG_PROXY; |
| 497 | } else if (i != -1) { | ||
| 498 | x->ex_flags |= EXFLAG_INVALID; | ||
| 488 | } | 499 | } |
| 489 | 500 | ||
| 490 | /* Handle key usage */ | 501 | /* Handle key usage */ |
| 491 | if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { | 502 | if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) { |
| 492 | if (usage->length > 0) { | 503 | if (usage->length > 0) { |
| 493 | x->ex_kusage = usage->data[0]; | 504 | x->ex_kusage = usage->data[0]; |
| 494 | if (usage->length > 1) | 505 | if (usage->length > 1) |
| @@ -497,9 +508,12 @@ x509v3_cache_extensions(X509 *x) | |||
| 497 | x->ex_kusage = 0; | 508 | x->ex_kusage = 0; |
| 498 | x->ex_flags |= EXFLAG_KUSAGE; | 509 | x->ex_flags |= EXFLAG_KUSAGE; |
| 499 | ASN1_BIT_STRING_free(usage); | 510 | ASN1_BIT_STRING_free(usage); |
| 511 | } else if (i != -1) { | ||
| 512 | x->ex_flags |= EXFLAG_INVALID; | ||
| 500 | } | 513 | } |
| 514 | |||
| 501 | x->ex_xkusage = 0; | 515 | x->ex_xkusage = 0; |
| 502 | if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { | 516 | if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL))) { |
| 503 | x->ex_flags |= EXFLAG_XKUSAGE; | 517 | x->ex_flags |= EXFLAG_XKUSAGE; |
| 504 | for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { | 518 | for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { |
| 505 | switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) { | 519 | switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) { |
| @@ -538,19 +552,27 @@ x509v3_cache_extensions(X509 *x) | |||
| 538 | } | 552 | } |
| 539 | } | 553 | } |
| 540 | sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); | 554 | sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); |
| 555 | } else if (i != -1) { | ||
| 556 | x->ex_flags |= EXFLAG_INVALID; | ||
| 541 | } | 557 | } |
| 542 | 558 | ||
| 543 | if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { | 559 | if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &i, NULL))) { |
| 544 | if (ns->length > 0) | 560 | if (ns->length > 0) |
| 545 | x->ex_nscert = ns->data[0]; | 561 | x->ex_nscert = ns->data[0]; |
| 546 | else | 562 | else |
| 547 | x->ex_nscert = 0; | 563 | x->ex_nscert = 0; |
| 548 | x->ex_flags |= EXFLAG_NSCERT; | 564 | x->ex_flags |= EXFLAG_NSCERT; |
| 549 | ASN1_BIT_STRING_free(ns); | 565 | ASN1_BIT_STRING_free(ns); |
| 566 | } else if (i != -1) { | ||
| 567 | x->ex_flags |= EXFLAG_INVALID; | ||
| 550 | } | 568 | } |
| 551 | 569 | ||
| 552 | x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); | 570 | x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &i, NULL); |
| 553 | x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); | 571 | if (x->skid == NULL && i != -1) |
| 572 | x->ex_flags |= EXFLAG_INVALID; | ||
| 573 | x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL); | ||
| 574 | if (x->skid == NULL && i != -1) | ||
| 575 | x->ex_flags |= EXFLAG_INVALID; | ||
| 554 | 576 | ||
| 555 | /* Does subject name match issuer? */ | 577 | /* Does subject name match issuer? */ |
| 556 | if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { | 578 | if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { |
| @@ -561,7 +583,9 @@ x509v3_cache_extensions(X509 *x) | |||
| 561 | x->ex_flags |= EXFLAG_SS; | 583 | x->ex_flags |= EXFLAG_SS; |
| 562 | } | 584 | } |
| 563 | 585 | ||
| 564 | x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); | 586 | x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL); |
| 587 | if (x->altname == NULL && i != -1) | ||
| 588 | x->ex_flags |= EXFLAG_INVALID; | ||
| 565 | x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); | 589 | x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); |
| 566 | if (!x->nc && (i != -1)) | 590 | if (!x->nc && (i != -1)) |
| 567 | x->ex_flags |= EXFLAG_INVALID; | 591 | x->ex_flags |= EXFLAG_INVALID; |
| @@ -626,6 +650,8 @@ X509_check_ca(X509 *x) | |||
| 626 | CRYPTO_w_lock(CRYPTO_LOCK_X509); | 650 | CRYPTO_w_lock(CRYPTO_LOCK_X509); |
| 627 | x509v3_cache_extensions(x); | 651 | x509v3_cache_extensions(x); |
| 628 | CRYPTO_w_unlock(CRYPTO_LOCK_X509); | 652 | CRYPTO_w_unlock(CRYPTO_LOCK_X509); |
| 653 | if (x->ex_flags & EXFLAG_INVALID) | ||
| 654 | return X509_V_ERR_UNSPECIFIED; | ||
| 629 | } | 655 | } |
| 630 | 656 | ||
| 631 | return check_ca(x); | 657 | return check_ca(x); |
| @@ -837,7 +863,11 @@ X509_check_issued(X509 *issuer, X509 *subject) | |||
| 837 | X509_get_issuer_name(subject))) | 863 | X509_get_issuer_name(subject))) |
| 838 | return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; | 864 | return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; |
| 839 | x509v3_cache_extensions(issuer); | 865 | x509v3_cache_extensions(issuer); |
| 866 | if (issuer->ex_flags & EXFLAG_INVALID) | ||
| 867 | return X509_V_ERR_UNSPECIFIED; | ||
| 840 | x509v3_cache_extensions(subject); | 868 | x509v3_cache_extensions(subject); |
| 869 | if (subject->ex_flags & EXFLAG_INVALID) | ||
| 870 | return X509_V_ERR_UNSPECIFIED; | ||
| 841 | 871 | ||
| 842 | if (subject->akid) { | 872 | if (subject->akid) { |
| 843 | int ret = X509_check_akid(issuer, subject->akid); | 873 | int ret = X509_check_akid(issuer, subject->akid); |
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 3c8369f1f9..9c34e31ee3 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_verify.c,v 1.35 2021/03/12 15:53:38 tb Exp $ */ | 1 | /* $OpenBSD: x509_verify.c,v 1.36 2021/03/13 23:01:49 tobhe Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -756,6 +756,10 @@ x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca | |||
| 756 | CRYPTO_w_lock(CRYPTO_LOCK_X509); | 756 | CRYPTO_w_lock(CRYPTO_LOCK_X509); |
| 757 | x509v3_cache_extensions(cert); | 757 | x509v3_cache_extensions(cert); |
| 758 | CRYPTO_w_unlock(CRYPTO_LOCK_X509); | 758 | CRYPTO_w_unlock(CRYPTO_LOCK_X509); |
| 759 | if (cert->ex_flags & EXFLAG_INVALID) { | ||
| 760 | ctx->error = X509_V_ERR_UNSPECIFIED; | ||
| 761 | return 0; | ||
| 762 | } | ||
| 759 | } | 763 | } |
| 760 | 764 | ||
| 761 | if (ctx->xsc != NULL) | 765 | if (ctx->xsc != NULL) |