summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authordoug <>2014-12-17 17:51:33 +0000
committerdoug <>2014-12-17 17:51:33 +0000
commit0ce257e2480d10d11cd4d46eac3ea6ca49311cf6 (patch)
tree6b23fc9e20f81f6dc09a6fb3d8bac2a4246a7ab9 /src
parentc2e399263206ba62e8c110ac855698bccb450490 (diff)
downloadopenbsd-0ce257e2480d10d11cd4d46eac3ea6ca49311cf6.tar.gz
openbsd-0ce257e2480d10d11cd4d46eac3ea6ca49311cf6.tar.bz2
openbsd-0ce257e2480d10d11cd4d46eac3ea6ca49311cf6.zip
Add size_t to int checks for SSL functions.
libtls accepts size_t for lengths but libssl accepts int. This verifies that the input does not exceed INT_MAX. It also avoids truncating size_t when comparing with int and adds printf-style attributes for tls_set_error(). with input from deraadt@ and tedu@ ok tedu@
Diffstat (limited to '')
-rw-r--r--src/lib/libtls/tls.c23
-rw-r--r--src/lib/libtls/tls_internal.h6
-rw-r--r--src/lib/libtls/tls_verify.c18
3 files changed, 39 insertions, 8 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 6dae066922..0b9f12511d 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.c,v 1.3 2014/12/07 15:48:02 bcook Exp $ */ 1/* $OpenBSD: tls.c,v 1.4 2014/12/17 17:51:33 doug Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -18,6 +18,7 @@
18#include <sys/socket.h> 18#include <sys/socket.h>
19 19
20#include <errno.h> 20#include <errno.h>
21#include <limits.h>
21#include <stdlib.h> 22#include <stdlib.h>
22#include <unistd.h> 23#include <unistd.h>
23 24
@@ -110,6 +111,11 @@ tls_configure_keypair(struct tls *ctx)
110 BIO *bio = NULL; 111 BIO *bio = NULL;
111 112
112 if (ctx->config->cert_mem != NULL) { 113 if (ctx->config->cert_mem != NULL) {
114 if (ctx->config->cert_len > INT_MAX) {
115 tls_set_error(ctx, "certificate too long");
116 goto err;
117 }
118
113 if (SSL_CTX_use_certificate_chain(ctx->ssl_ctx, 119 if (SSL_CTX_use_certificate_chain(ctx->ssl_ctx,
114 ctx->config->cert_mem, ctx->config->cert_len) != 1) { 120 ctx->config->cert_mem, ctx->config->cert_len) != 1) {
115 tls_set_error(ctx, "failed to load certificate"); 121 tls_set_error(ctx, "failed to load certificate");
@@ -118,6 +124,11 @@ tls_configure_keypair(struct tls *ctx)
118 cert = NULL; 124 cert = NULL;
119 } 125 }
120 if (ctx->config->key_mem != NULL) { 126 if (ctx->config->key_mem != NULL) {
127 if (ctx->config->key_len > INT_MAX) {
128 tls_set_error(ctx, "key too long");
129 goto err;
130 }
131
121 if ((bio = BIO_new_mem_buf(ctx->config->key_mem, 132 if ((bio = BIO_new_mem_buf(ctx->config->key_mem,
122 ctx->config->key_len)) == NULL) { 133 ctx->config->key_len)) == NULL) {
123 tls_set_error(ctx, "failed to create buffer"); 134 tls_set_error(ctx, "failed to create buffer");
@@ -229,6 +240,11 @@ tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen)
229{ 240{
230 int ret, ssl_err; 241 int ret, ssl_err;
231 242
243 if (buflen > INT_MAX) {
244 tls_set_error(ctx, "buflen too long");
245 return (-1);
246 }
247
232 ret = SSL_read(ctx->ssl_conn, buf, buflen); 248 ret = SSL_read(ctx->ssl_conn, buf, buflen);
233 if (ret > 0) { 249 if (ret > 0) {
234 *outlen = (size_t)ret; 250 *outlen = (size_t)ret;
@@ -252,6 +268,11 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen)
252{ 268{
253 int ret, ssl_err; 269 int ret, ssl_err;
254 270
271 if (buflen > INT_MAX) {
272 tls_set_error(ctx, "buflen too long");
273 return (-1);
274 }
275
255 ret = SSL_write(ctx->ssl_conn, buf, buflen); 276 ret = SSL_write(ctx->ssl_conn, buf, buflen);
256 if (ret > 0) { 277 if (ret > 0) {
257 *outlen = (size_t)ret; 278 *outlen = (size_t)ret;
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index bfd7146d7d..4b250574ef 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_internal.h,v 1.4 2014/12/07 16:56:17 bcook Exp $ */ 1/* $OpenBSD: tls_internal.h,v 1.5 2014/12/17 17:51:33 doug Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -67,6 +67,8 @@ int tls_configure_keypair(struct tls *ctx);
67int tls_configure_server(struct tls *ctx); 67int tls_configure_server(struct tls *ctx);
68int tls_configure_ssl(struct tls *ctx); 68int tls_configure_ssl(struct tls *ctx);
69int tls_host_port(const char *hostport, char **host, char **port); 69int tls_host_port(const char *hostport, char **host, char **port);
70int tls_set_error(struct tls *ctx, char *fmt, ...); 70int tls_set_error(struct tls *ctx, char *fmt, ...)
71 __attribute__((__format__ (printf, 2, 3)))
72 __attribute__((__nonnull__ (2)));
71 73
72#endif /* HEADER_TLS_INTERNAL_H */ 74#endif /* HEADER_TLS_INTERNAL_H */
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 697432c429..4341802b5a 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_verify.c,v 1.5 2014/12/07 16:56:17 bcook Exp $ */ 1/* $OpenBSD: tls_verify.c,v 1.6 2014/12/17 17:51:33 doug Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * 4 *
@@ -115,14 +115,14 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
115 115
116 if (type == GEN_DNS) { 116 if (type == GEN_DNS) {
117 unsigned char *data; 117 unsigned char *data;
118 int format; 118 int format, len;
119 119
120 format = ASN1_STRING_type(altname->d.dNSName); 120 format = ASN1_STRING_type(altname->d.dNSName);
121 if (format == V_ASN1_IA5STRING) { 121 if (format == V_ASN1_IA5STRING) {
122 data = ASN1_STRING_data(altname->d.dNSName); 122 data = ASN1_STRING_data(altname->d.dNSName);
123 len = ASN1_STRING_length(altname->d.dNSName);
123 124
124 if (ASN1_STRING_length(altname->d.dNSName) != 125 if (len < 0 || len != strlen(data)) {
125 (int)strlen(data)) {
126 tls_set_error(ctx, 126 tls_set_error(ctx,
127 "error verifying host '%s': " 127 "error verifying host '%s': "
128 "NUL byte in subjectAltName, " 128 "NUL byte in subjectAltName, "
@@ -151,6 +151,14 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
151 datalen = ASN1_STRING_length(altname->d.iPAddress); 151 datalen = ASN1_STRING_length(altname->d.iPAddress);
152 data = ASN1_STRING_data(altname->d.iPAddress); 152 data = ASN1_STRING_data(altname->d.iPAddress);
153 153
154 if (datalen < 0) {
155 tls_set_error(ctx,
156 "Unexpected negative length for an "
157 "IP address: %d", datalen);
158 rv = -2;
159 break;
160 }
161
154 if (datalen == addrlen && 162 if (datalen == addrlen &&
155 memcmp(data, &addrbuf, addrlen) == 0) { 163 memcmp(data, &addrbuf, addrlen) == 0) {
156 rv = 0; 164 rv = 0;
@@ -189,7 +197,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
189 common_name_len + 1); 197 common_name_len + 1);
190 198
191 /* NUL bytes in CN? */ 199 /* NUL bytes in CN? */
192 if (common_name_len != (int)strlen(common_name)) { 200 if (common_name_len != strlen(common_name)) {
193 tls_set_error(ctx, "error verifying host '%s': " 201 tls_set_error(ctx, "error verifying host '%s': "
194 "NUL byte in Common Name field, " 202 "NUL byte in Common Name field, "
195 "probably a malicious certificate.", host); 203 "probably a malicious certificate.", host);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-28 21:11:49 +0000