diff options
| author | doug <> | 2014-12-17 17:51:33 +0000 |
|---|---|---|
| committer | doug <> | 2014-12-17 17:51:33 +0000 |
| commit | 8ee1a1e4a4c52092060a915a644f80202aba054a (patch) | |
| tree | 6b23fc9e20f81f6dc09a6fb3d8bac2a4246a7ab9 /src/lib/libtls/tls_verify.c | |
| parent | 1711181cf04802398af99b3d8ffff8829eb38455 (diff) | |
| download | openbsd-8ee1a1e4a4c52092060a915a644f80202aba054a.tar.gz openbsd-8ee1a1e4a4c52092060a915a644f80202aba054a.tar.bz2 openbsd-8ee1a1e4a4c52092060a915a644f80202aba054a.zip | |
Add size_t to int checks for SSL functions.
libtls accepts size_t for lengths but libssl accepts int. This verifies
that the input does not exceed INT_MAX. It also avoids truncating size_t
when comparing with int and adds printf-style attributes for
tls_set_error().
with input from deraadt@ and tedu@
ok tedu@
Diffstat (limited to 'src/lib/libtls/tls_verify.c')
| -rw-r--r-- | src/lib/libtls/tls_verify.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c index 697432c429..4341802b5a 100644 --- a/src/lib/libtls/tls_verify.c +++ b/src/lib/libtls/tls_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_verify.c,v 1.5 2014/12/07 16:56:17 bcook Exp $ */ | 1 | /* $OpenBSD: tls_verify.c,v 1.6 2014/12/17 17:51:33 doug Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * | 4 | * |
| @@ -115,14 +115,14 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) | |||
| 115 | 115 | ||
| 116 | if (type == GEN_DNS) { | 116 | if (type == GEN_DNS) { |
| 117 | unsigned char *data; | 117 | unsigned char *data; |
| 118 | int format; | 118 | int format, len; |
| 119 | 119 | ||
| 120 | format = ASN1_STRING_type(altname->d.dNSName); | 120 | format = ASN1_STRING_type(altname->d.dNSName); |
| 121 | if (format == V_ASN1_IA5STRING) { | 121 | if (format == V_ASN1_IA5STRING) { |
| 122 | data = ASN1_STRING_data(altname->d.dNSName); | 122 | data = ASN1_STRING_data(altname->d.dNSName); |
| 123 | len = ASN1_STRING_length(altname->d.dNSName); | ||
| 123 | 124 | ||
| 124 | if (ASN1_STRING_length(altname->d.dNSName) != | 125 | if (len < 0 || len != strlen(data)) { |
| 125 | (int)strlen(data)) { | ||
| 126 | tls_set_error(ctx, | 126 | tls_set_error(ctx, |
| 127 | "error verifying host '%s': " | 127 | "error verifying host '%s': " |
| 128 | "NUL byte in subjectAltName, " | 128 | "NUL byte in subjectAltName, " |
| @@ -151,6 +151,14 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) | |||
| 151 | datalen = ASN1_STRING_length(altname->d.iPAddress); | 151 | datalen = ASN1_STRING_length(altname->d.iPAddress); |
| 152 | data = ASN1_STRING_data(altname->d.iPAddress); | 152 | data = ASN1_STRING_data(altname->d.iPAddress); |
| 153 | 153 | ||
| 154 | if (datalen < 0) { | ||
| 155 | tls_set_error(ctx, | ||
| 156 | "Unexpected negative length for an " | ||
| 157 | "IP address: %d", datalen); | ||
| 158 | rv = -2; | ||
| 159 | break; | ||
| 160 | } | ||
| 161 | |||
| 154 | if (datalen == addrlen && | 162 | if (datalen == addrlen && |
| 155 | memcmp(data, &addrbuf, addrlen) == 0) { | 163 | memcmp(data, &addrbuf, addrlen) == 0) { |
| 156 | rv = 0; | 164 | rv = 0; |
| @@ -189,7 +197,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host) | |||
| 189 | common_name_len + 1); | 197 | common_name_len + 1); |
| 190 | 198 | ||
| 191 | /* NUL bytes in CN? */ | 199 | /* NUL bytes in CN? */ |
| 192 | if (common_name_len != (int)strlen(common_name)) { | 200 | if (common_name_len != strlen(common_name)) { |
| 193 | tls_set_error(ctx, "error verifying host '%s': " | 201 | tls_set_error(ctx, "error verifying host '%s': " |
| 194 | "NUL byte in Common Name field, " | 202 | "NUL byte in Common Name field, " |
| 195 | "probably a malicious certificate.", host); | 203 | "probably a malicious certificate.", host); |