summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authortobhe <>2021-03-13 23:01:49 +0000
committertobhe <>2021-03-13 23:01:49 +0000
commit0c378cc53837d51d2f3a48a028d7726d2a78d8d7 (patch)
tree203add7eba338a639cc64ed6703102a30b3bdce1 /src
parent266aa0aa5323d0e87855e9e761085c9b055a4f10 (diff)
downloadopenbsd-0c378cc53837d51d2f3a48a028d7726d2a78d8d7.tar.gz
openbsd-0c378cc53837d51d2f3a48a028d7726d2a78d8d7.tar.bz2
openbsd-0c378cc53837d51d2f3a48a028d7726d2a78d8d7.zip
Use EXFLAG_INVALID to handle out of memory and parse errors in
x509v3_cache_extensions(). ok tb@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/x509/x509_purp.c50
-rw-r--r--src/lib/libcrypto/x509/x509_verify.c6
2 files changed, 45 insertions, 11 deletions
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index f2d46658f6..3b8bd6b81c 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_purp.c,v 1.2 2020/09/13 15:06:17 beck Exp $ */ 1/* $OpenBSD: x509_purp.c,v 1.3 2021/03/13 23:01:49 tobhe Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001. 3 * project 2001.
4 */ 4 */
@@ -132,6 +132,8 @@ X509_check_purpose(X509 *x, int id, int ca)
132 CRYPTO_w_lock(CRYPTO_LOCK_X509); 132 CRYPTO_w_lock(CRYPTO_LOCK_X509);
133 x509v3_cache_extensions(x); 133 x509v3_cache_extensions(x);
134 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 134 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
135 if (x->ex_flags & EXFLAG_INVALID)
136 return X509_V_ERR_UNSPECIFIED;
135 } 137 }
136 if (id == -1) 138 if (id == -1)
137 return 1; 139 return 1;
@@ -421,7 +423,12 @@ setup_crldp(X509 *x)
421{ 423{
422 int i; 424 int i;
423 425
424 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); 426 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL);
427 if (x->crldp == NULL && i != -1) {
428 x->ex_flags |= EXFLAG_INVALID;
429 return;
430 }
431
425 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) 432 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
426 setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); 433 setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
427} 434}
@@ -449,7 +456,7 @@ x509v3_cache_extensions(X509 *x)
449 x->ex_flags |= EXFLAG_V1; 456 x->ex_flags |= EXFLAG_V1;
450 457
451 /* Handle basic constraints */ 458 /* Handle basic constraints */
452 if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { 459 if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) {
453 if (bs->ca) 460 if (bs->ca)
454 x->ex_flags |= EXFLAG_CA; 461 x->ex_flags |= EXFLAG_CA;
455 if (bs->pathlen) { 462 if (bs->pathlen) {
@@ -463,10 +470,12 @@ x509v3_cache_extensions(X509 *x)
463 x->ex_pathlen = -1; 470 x->ex_pathlen = -1;
464 BASIC_CONSTRAINTS_free(bs); 471 BASIC_CONSTRAINTS_free(bs);
465 x->ex_flags |= EXFLAG_BCONS; 472 x->ex_flags |= EXFLAG_BCONS;
473 } else if (i != -1) {
474 x->ex_flags |= EXFLAG_INVALID;
466 } 475 }
467 476
468 /* Handle proxy certificates */ 477 /* Handle proxy certificates */
469 if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { 478 if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) {
470 if (x->ex_flags & EXFLAG_CA || 479 if (x->ex_flags & EXFLAG_CA ||
471 X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 || 480 X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
472 X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { 481 X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
@@ -485,10 +494,12 @@ x509v3_cache_extensions(X509 *x)
485 x->ex_pcpathlen = -1; 494 x->ex_pcpathlen = -1;
486 PROXY_CERT_INFO_EXTENSION_free(pci); 495 PROXY_CERT_INFO_EXTENSION_free(pci);
487 x->ex_flags |= EXFLAG_PROXY; 496 x->ex_flags |= EXFLAG_PROXY;
497 } else if (i != -1) {
498 x->ex_flags |= EXFLAG_INVALID;
488 } 499 }
489 500
490 /* Handle key usage */ 501 /* Handle key usage */
491 if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { 502 if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) {
492 if (usage->length > 0) { 503 if (usage->length > 0) {
493 x->ex_kusage = usage->data[0]; 504 x->ex_kusage = usage->data[0];
494 if (usage->length > 1) 505 if (usage->length > 1)
@@ -497,9 +508,12 @@ x509v3_cache_extensions(X509 *x)
497 x->ex_kusage = 0; 508 x->ex_kusage = 0;
498 x->ex_flags |= EXFLAG_KUSAGE; 509 x->ex_flags |= EXFLAG_KUSAGE;
499 ASN1_BIT_STRING_free(usage); 510 ASN1_BIT_STRING_free(usage);
511 } else if (i != -1) {
512 x->ex_flags |= EXFLAG_INVALID;
500 } 513 }
514
501 x->ex_xkusage = 0; 515 x->ex_xkusage = 0;
502 if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { 516 if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL))) {
503 x->ex_flags |= EXFLAG_XKUSAGE; 517 x->ex_flags |= EXFLAG_XKUSAGE;
504 for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { 518 for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
505 switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) { 519 switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
@@ -538,19 +552,27 @@ x509v3_cache_extensions(X509 *x)
538 } 552 }
539 } 553 }
540 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); 554 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
555 } else if (i != -1) {
556 x->ex_flags |= EXFLAG_INVALID;
541 } 557 }
542 558
543 if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { 559 if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &i, NULL))) {
544 if (ns->length > 0) 560 if (ns->length > 0)
545 x->ex_nscert = ns->data[0]; 561 x->ex_nscert = ns->data[0];
546 else 562 else
547 x->ex_nscert = 0; 563 x->ex_nscert = 0;
548 x->ex_flags |= EXFLAG_NSCERT; 564 x->ex_flags |= EXFLAG_NSCERT;
549 ASN1_BIT_STRING_free(ns); 565 ASN1_BIT_STRING_free(ns);
566 } else if (i != -1) {
567 x->ex_flags |= EXFLAG_INVALID;
550 } 568 }
551 569
552 x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); 570 x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &i, NULL);
553 x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); 571 if (x->skid == NULL && i != -1)
572 x->ex_flags |= EXFLAG_INVALID;
573 x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL);
574 if (x->skid == NULL && i != -1)
575 x->ex_flags |= EXFLAG_INVALID;
554 576
555 /* Does subject name match issuer? */ 577 /* Does subject name match issuer? */
556 if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { 578 if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
@@ -561,7 +583,9 @@ x509v3_cache_extensions(X509 *x)
561 x->ex_flags |= EXFLAG_SS; 583 x->ex_flags |= EXFLAG_SS;
562 } 584 }
563 585
564 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); 586 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL);
587 if (x->altname == NULL && i != -1)
588 x->ex_flags |= EXFLAG_INVALID;
565 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); 589 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
566 if (!x->nc && (i != -1)) 590 if (!x->nc && (i != -1))
567 x->ex_flags |= EXFLAG_INVALID; 591 x->ex_flags |= EXFLAG_INVALID;
@@ -626,6 +650,8 @@ X509_check_ca(X509 *x)
626 CRYPTO_w_lock(CRYPTO_LOCK_X509); 650 CRYPTO_w_lock(CRYPTO_LOCK_X509);
627 x509v3_cache_extensions(x); 651 x509v3_cache_extensions(x);
628 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 652 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
653 if (x->ex_flags & EXFLAG_INVALID)
654 return X509_V_ERR_UNSPECIFIED;
629 } 655 }
630 656
631 return check_ca(x); 657 return check_ca(x);
@@ -837,7 +863,11 @@ X509_check_issued(X509 *issuer, X509 *subject)
837 X509_get_issuer_name(subject))) 863 X509_get_issuer_name(subject)))
838 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; 864 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
839 x509v3_cache_extensions(issuer); 865 x509v3_cache_extensions(issuer);
866 if (issuer->ex_flags & EXFLAG_INVALID)
867 return X509_V_ERR_UNSPECIFIED;
840 x509v3_cache_extensions(subject); 868 x509v3_cache_extensions(subject);
869 if (subject->ex_flags & EXFLAG_INVALID)
870 return X509_V_ERR_UNSPECIFIED;
841 871
842 if (subject->akid) { 872 if (subject->akid) {
843 int ret = X509_check_akid(issuer, subject->akid); 873 int ret = X509_check_akid(issuer, subject->akid);
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 3c8369f1f9..9c34e31ee3 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_verify.c,v 1.35 2021/03/12 15:53:38 tb Exp $ */ 1/* $OpenBSD: x509_verify.c,v 1.36 2021/03/13 23:01:49 tobhe Exp $ */
2/* 2/*
3 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -756,6 +756,10 @@ x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca
756 CRYPTO_w_lock(CRYPTO_LOCK_X509); 756 CRYPTO_w_lock(CRYPTO_LOCK_X509);
757 x509v3_cache_extensions(cert); 757 x509v3_cache_extensions(cert);
758 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 758 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
759 if (cert->ex_flags & EXFLAG_INVALID) {
760 ctx->error = X509_V_ERR_UNSPECIFIED;
761 return 0;
762 }
759 } 763 }
760 764
761 if (ctx->xsc != NULL) 765 if (ctx->xsc != NULL)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-23 00:04:55 +0000