diff options
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libcrypto/asn1/a_mbstr.c | 18 | ||||
| -rw-r--r-- | src/lib/libcrypto/asn1/a_strex.c | 8 | ||||
| -rw-r--r-- | src/lib/libcrypto/asn1/a_utf8.c | 144 | ||||
| -rw-r--r-- | src/lib/libcrypto/asn1/asn1_locl.h | 11 | 
4 files changed, 88 insertions, 93 deletions
| diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c index 9945ede2ac..ebc7f2681c 100644 --- a/src/lib/libcrypto/asn1/a_mbstr.c +++ b/src/lib/libcrypto/asn1/a_mbstr.c | |||
| @@ -60,6 +60,7 @@ | |||
| 60 | #include <ctype.h> | 60 | #include <ctype.h> | 
| 61 | #include "cryptlib.h" | 61 | #include "cryptlib.h" | 
| 62 | #include <openssl/asn1.h> | 62 | #include <openssl/asn1.h> | 
| 63 | #include "asn1_locl.h" | ||
| 63 | 64 | ||
| 64 | static int traverse_string(const unsigned char *p, int len, int inform, | 65 | static int traverse_string(const unsigned char *p, int len, int inform, | 
| 65 | int (*rfunc)(unsigned long value, void *in), void *arg); | 66 | int (*rfunc)(unsigned long value, void *in), void *arg); | 
| @@ -232,7 +233,11 @@ ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, | |||
| 232 | 233 | ||
| 233 | case MBSTRING_UTF8: | 234 | case MBSTRING_UTF8: | 
| 234 | outlen = 0; | 235 | outlen = 0; | 
| 235 | traverse_string(in, len, inform, out_utf8, &outlen); | 236 | if (traverse_string(in, len, inform, out_utf8, &outlen) < 0) { | 
| 237 | ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, | ||
| 238 | ASN1_R_ILLEGAL_CHARACTERS); | ||
| 239 | return -1; | ||
| 240 | } | ||
| 236 | cpyfunc = cpy_utf8; | 241 | cpyfunc = cpy_utf8; | 
| 237 | break; | 242 | break; | 
| 238 | } | 243 | } | 
| @@ -267,12 +272,17 @@ traverse_string(const unsigned char *p, int len, int inform, | |||
| 267 | } else if (inform == MBSTRING_BMP) { | 272 | } else if (inform == MBSTRING_BMP) { | 
| 268 | value = *p++ << 8; | 273 | value = *p++ << 8; | 
| 269 | value |= *p++; | 274 | value |= *p++; | 
| 275 | /* BMP is explictly defined to not support surrogates */ | ||
| 276 | if (UNICODE_IS_SURROGATE(value)) | ||
| 277 | return -1; | ||
| 270 | len -= 2; | 278 | len -= 2; | 
| 271 | } else if (inform == MBSTRING_UNIV) { | 279 | } else if (inform == MBSTRING_UNIV) { | 
| 272 | value = ((unsigned long)*p++) << 24; | 280 | value = ((unsigned long)*p++) << 24; | 
| 273 | value |= ((unsigned long)*p++) << 16; | 281 | value |= ((unsigned long)*p++) << 16; | 
| 274 | value |= *p++ << 8; | 282 | value |= *p++ << 8; | 
| 275 | value |= *p++; | 283 | value |= *p++; | 
| 284 | if (value > UNICODE_MAX || UNICODE_IS_SURROGATE(value)) | ||
| 285 | return -1; | ||
| 276 | len -= 4; | 286 | len -= 4; | 
| 277 | } else { | 287 | } else { | 
| 278 | ret = UTF8_getc(p, len, &value); | 288 | ret = UTF8_getc(p, len, &value); | 
| @@ -310,9 +320,13 @@ static int | |||
| 310 | out_utf8(unsigned long value, void *arg) | 320 | out_utf8(unsigned long value, void *arg) | 
| 311 | { | 321 | { | 
| 312 | int *outlen; | 322 | int *outlen; | 
| 323 | int ret; | ||
| 313 | 324 | ||
| 314 | outlen = arg; | 325 | outlen = arg; | 
| 315 | *outlen += UTF8_putc(NULL, -1, value); | 326 | ret = UTF8_putc(NULL, -1, value); | 
| 327 | if (ret < 0) | ||
| 328 | return ret; | ||
| 329 | *outlen += ret; | ||
| 316 | return 1; | 330 | return 1; | 
| 317 | } | 331 | } | 
| 318 | 332 | ||
| diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c index 462a4059be..684e933c4f 100644 --- a/src/lib/libcrypto/asn1/a_strex.c +++ b/src/lib/libcrypto/asn1/a_strex.c | |||
| @@ -62,6 +62,7 @@ | |||
| 62 | #include <openssl/crypto.h> | 62 | #include <openssl/crypto.h> | 
| 63 | #include <openssl/x509.h> | 63 | #include <openssl/x509.h> | 
| 64 | #include <openssl/asn1.h> | 64 | #include <openssl/asn1.h> | 
| 65 | #include "asn1_locl.h" | ||
| 65 | 66 | ||
| 66 | #include "charmap.h" | 67 | #include "charmap.h" | 
| 67 | 68 | ||
| @@ -215,11 +216,15 @@ do_buf(unsigned char *buf, int buflen, int type, unsigned char flags, | |||
| 215 | c |= ((unsigned long)*p++) << 16; | 216 | c |= ((unsigned long)*p++) << 16; | 
| 216 | c |= ((unsigned long)*p++) << 8; | 217 | c |= ((unsigned long)*p++) << 8; | 
| 217 | c |= *p++; | 218 | c |= *p++; | 
| 219 | if (c > UNICODE_MAX || UNICODE_IS_SURROGATE(c)) | ||
| 220 | return -1; | ||
| 218 | break; | 221 | break; | 
| 219 | 222 | ||
| 220 | case 2: | 223 | case 2: | 
| 221 | c = ((unsigned long)*p++) << 8; | 224 | c = ((unsigned long)*p++) << 8; | 
| 222 | c |= *p++; | 225 | c |= *p++; | 
| 226 | if (UNICODE_IS_SURROGATE(c)) | ||
| 227 | return -1; | ||
| 223 | break; | 228 | break; | 
| 224 | 229 | ||
| 225 | case 1: | 230 | case 1: | 
| @@ -240,7 +245,10 @@ do_buf(unsigned char *buf, int buflen, int type, unsigned char flags, | |||
| 240 | if (type & BUF_TYPE_CONVUTF8) { | 245 | if (type & BUF_TYPE_CONVUTF8) { | 
| 241 | unsigned char utfbuf[6]; | 246 | unsigned char utfbuf[6]; | 
| 242 | int utflen; | 247 | int utflen; | 
| 248 | |||
| 243 | utflen = UTF8_putc(utfbuf, sizeof utfbuf, c); | 249 | utflen = UTF8_putc(utfbuf, sizeof utfbuf, c); | 
| 250 | if (utflen < 0) | ||
| 251 | return -1; | ||
| 244 | for (i = 0; i < utflen; i++) { | 252 | for (i = 0; i < utflen; i++) { | 
| 245 | /* We don't need to worry about setting orflags correctly | 253 | /* We don't need to worry about setting orflags correctly | 
| 246 | * because if utflen==1 its value will be correct anyway | 254 | * because if utflen==1 its value will be correct anyway | 
| diff --git a/src/lib/libcrypto/asn1/a_utf8.c b/src/lib/libcrypto/asn1/a_utf8.c index c224db4c12..f5e4bec7e0 100644 --- a/src/lib/libcrypto/asn1/a_utf8.c +++ b/src/lib/libcrypto/asn1/a_utf8.c | |||
| @@ -59,11 +59,13 @@ | |||
| 59 | #include <stdio.h> | 59 | #include <stdio.h> | 
| 60 | #include "cryptlib.h" | 60 | #include "cryptlib.h" | 
| 61 | #include <openssl/asn1.h> | 61 | #include <openssl/asn1.h> | 
| 62 | #include "asn1_locl.h" | ||
| 62 | 63 | ||
| 63 | 64 | ||
| 64 | /* UTF8 utilities */ | 65 | /* UTF8 utilities */ | 
| 65 | 66 | ||
| 66 | /* This parses a UTF8 string one character at a time. It is passed a pointer | 67 | /* | 
| 68 | * This parses a UTF8 string one character at a time. It is passed a pointer | ||
| 67 | * to the string and the length of the string. It sets 'value' to the value of | 69 | * to the string and the length of the string. It sets 'value' to the value of | 
| 68 | * the current character. It returns the number of characters read or a | 70 | * the current character. It returns the number of characters read or a | 
| 69 | * negative error code: | 71 | * negative error code: | 
| @@ -88,6 +90,8 @@ UTF8_getc(const unsigned char *str, int len, unsigned long *val) | |||
| 88 | value = *p++ & 0x7f; | 90 | value = *p++ & 0x7f; | 
| 89 | ret = 1; | 91 | ret = 1; | 
| 90 | } else if ((*p & 0xe0) == 0xc0) { | 92 | } else if ((*p & 0xe0) == 0xc0) { | 
| 93 | if (*p < 0xc2) | ||
| 94 | return -2; | ||
| 91 | if (len < 2) | 95 | if (len < 2) | 
| 92 | return -1; | 96 | return -1; | 
| 93 | if ((p[1] & 0xc0) != 0x80) | 97 | if ((p[1] & 0xc0) != 0x80) | 
| @@ -108,8 +112,11 @@ UTF8_getc(const unsigned char *str, int len, unsigned long *val) | |||
| 108 | value |= *p++ & 0x3f; | 112 | value |= *p++ & 0x3f; | 
| 109 | if (value < 0x800) | 113 | if (value < 0x800) | 
| 110 | return -4; | 114 | return -4; | 
| 115 | /* surrogate pair code points are not valid */ | ||
| 116 | if (value >= 0xd800 && value < 0xe000) | ||
| 117 | return -2; | ||
| 111 | ret = 3; | 118 | ret = 3; | 
| 112 | } else if ((*p & 0xf8) == 0xf0) { | 119 | } else if ((*p & 0xf8) == 0xf0 && (*p < 0xf5)) { | 
| 113 | if (len < 4) | 120 | if (len < 4) | 
| 114 | return -1; | 121 | return -1; | 
| 115 | if (((p[1] & 0xc0) != 0x80) || | 122 | if (((p[1] & 0xc0) != 0x80) || | 
| @@ -122,116 +129,71 @@ UTF8_getc(const unsigned char *str, int len, unsigned long *val) | |||
| 122 | value |= *p++ & 0x3f; | 129 | value |= *p++ & 0x3f; | 
| 123 | if (value < 0x10000) | 130 | if (value < 0x10000) | 
| 124 | return -4; | 131 | return -4; | 
| 132 | if (value > UNICODE_MAX) | ||
| 133 | return -2; | ||
| 125 | ret = 4; | 134 | ret = 4; | 
| 126 | } else if ((*p & 0xfc) == 0xf8) { | 135 | } else | 
| 127 | if (len < 5) | 136 | return -2; | 
| 128 | return -1; | 137 | *val = value; | 
| 129 | if (((p[1] & 0xc0) != 0x80) || | ||
| 130 | ((p[2] & 0xc0) != 0x80) || | ||
| 131 | ((p[3] & 0xc0) != 0x80) || | ||
| 132 | ((p[4] & 0xc0) != 0x80)) | ||
| 133 | return -3; | ||
| 134 | value = ((unsigned long)(*p++ & 0x3)) << 24; | ||
| 135 | value |= ((unsigned long)(*p++ & 0x3f)) << 18; | ||
| 136 | value |= ((unsigned long)(*p++ & 0x3f)) << 12; | ||
| 137 | value |= (*p++ & 0x3f) << 6; | ||
| 138 | value |= *p++ & 0x3f; | ||
| 139 | if (value < 0x200000) | ||
| 140 | return -4; | ||
| 141 | ret = 5; | ||
| 142 | } else if ((*p & 0xfe) == 0xfc) { | ||
| 143 | if (len < 6) | ||
| 144 | return -1; | ||
| 145 | if (((p[1] & 0xc0) != 0x80) || | ||
| 146 | ((p[2] & 0xc0) != 0x80) || | ||
| 147 | ((p[3] & 0xc0) != 0x80) || | ||
| 148 | ((p[4] & 0xc0) != 0x80) || | ||
| 149 | ((p[5] & 0xc0) != 0x80)) | ||
| 150 | return -3; | ||
| 151 | value = ((unsigned long)(*p++ & 0x1)) << 30; | ||
| 152 | value |= ((unsigned long)(*p++ & 0x3f)) << 24; | ||
| 153 | value |= ((unsigned long)(*p++ & 0x3f)) << 18; | ||
| 154 | value |= ((unsigned long)(*p++ & 0x3f)) << 12; | ||
| 155 | value |= (*p++ & 0x3f) << 6; | ||
| 156 | value |= *p++ & 0x3f; | ||
| 157 | if (value < 0x4000000) | ||
| 158 | return -4; | ||
| 159 | ret = 6; | ||
| 160 | } else return -2; | ||
| 161 | *val = value; | ||
| 162 | return ret; | 138 | return ret; | 
| 163 | } | 139 | } | 
| 164 | 140 | ||
| 165 | /* This takes a character 'value' and writes the UTF8 encoded value in | 141 | /* This takes a Unicode code point 'value' and writes its UTF-8 encoded form | 
| 166 | * 'str' where 'str' is a buffer containing 'len' characters. Returns | 142 | * in 'str' where 'str' is a buffer of at least length 'len'. If 'str' | 
| 167 | * the number of characters written or -1 if 'len' is too small. 'str' can | 143 | * is NULL, then nothing is written and just the return code is determined. | 
| 168 | * be set to NULL in which case it just returns the number of characters. | 144 | |
| 169 | * It will need at most 6 characters. | 145 | * Returns less than zero on error: | 
| 146 | * -1 if 'str' is not NULL and 'len' is too small | ||
| 147 | * -2 if 'value' is an invalid character (surrogate or out-of-range) | ||
| 148 | * | ||
| 149 | * Otherwise, returns the number of bytes in 'value's encoded form | ||
| 150 | * (i.e., the number of bytes written to 'str' when it's not NULL). | ||
| 151 | * | ||
| 152 | * It will need at most 4 characters. | ||
| 170 | */ | 153 | */ | 
| 171 | 154 | ||
| 172 | int | 155 | int | 
| 173 | UTF8_putc(unsigned char *str, int len, unsigned long value) | 156 | UTF8_putc(unsigned char *str, int len, unsigned long value) | 
| 174 | { | 157 | { | 
| 175 | if (!str) | ||
| 176 | len = 6; /* Maximum we will need */ | ||
| 177 | else if (len <= 0) | ||
| 178 | return -1; | ||
| 179 | if (value < 0x80) { | 158 | if (value < 0x80) { | 
| 180 | if (str) | 159 | if (str != NULL) { | 
| 181 | *str = (unsigned char)value; | 160 | if (len < 1) | 
| 161 | return -1; | ||
| 162 | str[0] = (unsigned char)value; | ||
| 163 | } | ||
| 182 | return 1; | 164 | return 1; | 
| 183 | } | 165 | } | 
| 184 | if (value < 0x800) { | 166 | if (value < 0x800) { | 
| 185 | if (len < 2) | 167 | if (str != NULL) { | 
| 186 | return -1; | 168 | if (len < 2) | 
| 187 | if (str) { | 169 | return -1; | 
| 188 | *str++ = (unsigned char)(((value >> 6) & 0x1f) | 0xc0); | 170 | str[0] = (unsigned char)(((value >> 6) & 0x1f) | 0xc0); | 
| 189 | *str = (unsigned char)((value & 0x3f) | 0x80); | 171 | str[1] = (unsigned char)((value & 0x3f) | 0x80); | 
| 190 | } | 172 | } | 
| 191 | return 2; | 173 | return 2; | 
| 192 | } | 174 | } | 
| 193 | if (value < 0x10000) { | 175 | if (value < 0x10000) { | 
| 194 | if (len < 3) | 176 | if (UNICODE_IS_SURROGATE(value)) | 
| 195 | return -1; | 177 | return -2; | 
| 196 | if (str) { | 178 | if (str != NULL) { | 
| 197 | *str++ = (unsigned char)(((value >> 12) & 0xf) | 0xe0); | 179 | if (len < 3) | 
| 198 | *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); | 180 | return -1; | 
| 199 | *str = (unsigned char)((value & 0x3f) | 0x80); | 181 | str[0] = (unsigned char)(((value >> 12) & 0xf) | 0xe0); | 
| 182 | str[1] = (unsigned char)(((value >> 6) & 0x3f) | 0x80); | ||
| 183 | str[2] = (unsigned char)((value & 0x3f) | 0x80); | ||
| 200 | } | 184 | } | 
| 201 | return 3; | 185 | return 3; | 
| 202 | } | 186 | } | 
| 203 | if (value < 0x200000) { | 187 | if (value <= UNICODE_MAX) { | 
| 204 | if (len < 4) | 188 | if (str != NULL) { | 
| 205 | return -1; | 189 | if (len < 4) | 
| 206 | if (str) { | 190 | return -1; | 
| 207 | *str++ = (unsigned char)(((value >> 18) & 0x7) | 0xf0); | 191 | str[0] = (unsigned char)(((value >> 18) & 0x7) | 0xf0); | 
| 208 | *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); | 192 | str[1] = (unsigned char)(((value >> 12) & 0x3f) | 0x80); | 
| 209 | *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); | 193 | str[2] = (unsigned char)(((value >> 6) & 0x3f) | 0x80); | 
| 210 | *str = (unsigned char)((value & 0x3f) | 0x80); | 194 | str[3] = (unsigned char)((value & 0x3f) | 0x80); | 
| 211 | } | 195 | } | 
| 212 | return 4; | 196 | return 4; | 
| 213 | } | 197 | } | 
| 214 | if (value < 0x4000000) { | 198 | return -2; | 
| 215 | if (len < 5) | ||
| 216 | return -1; | ||
| 217 | if (str) { | ||
| 218 | *str++ = (unsigned char)(((value >> 24) & 0x3) | 0xf8); | ||
| 219 | *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80); | ||
| 220 | *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); | ||
| 221 | *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); | ||
| 222 | *str = (unsigned char)((value & 0x3f) | 0x80); | ||
| 223 | } | ||
| 224 | return 5; | ||
| 225 | } | ||
| 226 | if (len < 6) | ||
| 227 | return -1; | ||
| 228 | if (str) { | ||
| 229 | *str++ = (unsigned char)(((value >> 30) & 0x1) | 0xfc); | ||
| 230 | *str++ = (unsigned char)(((value >> 24) & 0x3f) | 0x80); | ||
| 231 | *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80); | ||
| 232 | *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); | ||
| 233 | *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); | ||
| 234 | *str = (unsigned char)((value & 0x3f) | 0x80); | ||
| 235 | } | ||
| 236 | return 6; | ||
| 237 | } | 199 | } | 
| diff --git a/src/lib/libcrypto/asn1/asn1_locl.h b/src/lib/libcrypto/asn1/asn1_locl.h index 9fcf0d9530..2c6087bf02 100644 --- a/src/lib/libcrypto/asn1/asn1_locl.h +++ b/src/lib/libcrypto/asn1/asn1_locl.h | |||
| @@ -143,3 +143,14 @@ struct x509_crl_method_st | |||
| 143 | ASN1_INTEGER *ser, X509_NAME *issuer); | 143 | ASN1_INTEGER *ser, X509_NAME *issuer); | 
| 144 | int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk); | 144 | int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk); | 
| 145 | }; | 145 | }; | 
| 146 | |||
| 147 | /* | ||
| 148 | * Unicode codepoint constants | ||
| 149 | */ | ||
| 150 | #define UNICODE_MAX 0x10FFFF | ||
| 151 | #define UNICODE_SURROGATE_MIN 0x00D800 | ||
| 152 | #define UNICODE_SURROGATE_MAX 0x00DFFF | ||
| 153 | |||
| 154 | #define UNICODE_IS_SURROGATE(x) \ | ||
| 155 | ((x) >= UNICODE_SURROGATE_MIN && (x) <= UNICODE_SURROGATE_MAX) | ||
| 156 | |||
