Revert disablement of the encoding cache

Without the cache, we verify CRL signatures on bytes that have been pulled through d2i_ -> i2d_, this can cause reordering, which in turn invalidates the signature. for example if in the original CRL revocation entries were sorted by date instead of ascending serial number order. There are probably multiple things we can do here, but they will need careful consideration and planning. OK jsing@
author: job <> 2023-04-30 16:46:49 +0000
committer: job <> 2023-04-30 16:46:49 +0000
commit: f31a437549264c66096a997ee2e4d7b4afecefb1 (patch)
tree: ad7b978bb12f503e60d7814271c73dd39bc8d116
parent: b84d7c53fec2427d8d237f4cef51f1aeb76d4cf7 (diff)
download: openbsd-f31a437549264c66096a997ee2e4d7b4afecefb1.tar.gz
openbsd-f31a437549264c66096a997ee2e4d7b4afecefb1.tar.bz2
openbsd-f31a437549264c66096a997ee2e4d7b4afecefb1.zip
2 files changed, 17 insertions, 4 deletions
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index ac59cc7e21..8964d467c2 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_dec.c,v 1.85 2023/04/28 17:59:53 job Exp $ */
+/* $OpenBSD: tasn_dec.c,v 1.86 2023/04/30 16:46:49 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -736,7 +736,7 @@ static int
 asn1_item_d2i_sequence(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it,
    int tag_number, int tag_class, int optional, int depth)
 {
-        CBS cbs_seq, cbs_seq_content;
+        CBS cbs_seq, cbs_seq_content, cbs_object;
        int constructed, indefinite, optional_field;
        const ASN1_TEMPLATE *errat = NULL;
        const ASN1_TEMPLATE *seqat, *at;
@@ -878,9 +878,14 @@ asn1_item_d2i_sequence(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it,
                ASN1_template_free(pseqval, seqat);
        }
-        if (!CBS_skip(cbs, CBS_offset(&cbs_seq)))
+        if (!CBS_get_bytes(cbs, &cbs_object, CBS_offset(&cbs_seq)))
                goto err;
+        if (!asn1_enc_save(&aseq, &cbs_object, it)) {
+                ASN1error(ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
        if (asn1_cb != NULL && !asn1_cb(ASN1_OP_D2I_POST, &aseq, it, NULL)) {
                ASN1error(ASN1_R_AUX_ERROR);
                goto err;
diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c
index 430e8e1e8e..bbe8a2e949 100644
--- a/src/lib/libcrypto/asn1/tasn_enc.c
+++ b/src/lib/libcrypto/asn1/tasn_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_enc.c,v 1.30 2023/04/28 17:59:53 job Exp $ */
+/* $OpenBSD: tasn_enc.c,v 1.31 2023/04/30 16:46:49 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -210,6 +210,14 @@ ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
                /* fall through */
        case ASN1_ITYPE_SEQUENCE:
+                i = asn1_enc_restore(&seqcontlen, out, pval, it);
+                /* An error occurred */
+                if (i < 0)
+                        return 0;
+                /* We have a valid cached encoding... */
+                if (i > 0)
+                        return seqcontlen;
+                /* Otherwise carry on */
                seqcontlen = 0;
                /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
                if (tag == -1) {
author	job <>	2023-04-30 16:46:49 +0000
committer	job <>	2023-04-30 16:46:49 +0000
commit	f31a437549264c66096a997ee2e4d7b4afecefb1 (patch)
tree	ad7b978bb12f503e60d7814271c73dd39bc8d116
parent	b84d7c53fec2427d8d237f4cef51f1aeb76d4cf7 (diff)
download	openbsd-f31a437549264c66096a997ee2e4d7b4afecefb1.tar.gz openbsd-f31a437549264c66096a997ee2e4d7b4afecefb1.tar.bz2 openbsd-f31a437549264c66096a997ee2e4d7b4afecefb1.zip