3 files changed, 54 insertions, 31 deletions
diff --git a/src/lib/libcrypto/x509/vpm_int.h b/src/lib/libcrypto/x509/vpm_int.h
index 6c8061c847..7fc9fef761 100644
--- a/src/lib/libcrypto/x509/vpm_int.h
+++ b/src/lib/libcrypto/x509/vpm_int.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: vpm_int.h,v 1.3 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: vpm_int.h,v 1.4 2018/04/06 07:08:20 beck Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 2013.
@@ -69,6 +69,7 @@ struct X509_VERIFY_PARAM_ID_st {
        size_t emaillen;
        unsigned char *ip;          /* If not NULL IP address to match */
        size_t iplen;               /* Length of IP address */
+        int poisoned;
 };
 __END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index c8ccae5029..8392f509e7 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.68 2018/02/22 17:11:30 jsing Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.69 2018/04/06 07:08:20 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -182,10 +182,13 @@ check_id_error(X509_STORE_CTX *ctx, int errcode)
 static int
 check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
 {
-        size_t i;
+        size_t i, n;
-        size_t n = sk_OPENSSL_STRING_num(id->hosts);
        char *name;
+        if (id->poisoned)
+                return 0;
+        n = sk_OPENSSL_STRING_num(id->hosts);
        free(id->peername);
        id->peername = NULL;
@@ -205,6 +208,10 @@ check_id(X509_STORE_CTX *ctx)
        X509_VERIFY_PARAM_ID *id = vpm->id;
        X509 *x = ctx->cert;
+        if (id->poisoned)
+                if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL))
+                        return 0;
        if (id->hosts && check_hosts(x, id) <= 0) {
                if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
                        return 0;
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 0897137697..baebcf7bca 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.17 2018/03/22 15:54:46 beck Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.18 2018/04/06 07:08:20 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -125,7 +125,7 @@ sk_deep_copy(void *sk_void, void *copy_func_void, void *free_func_void)
 }
 static int
-int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
+x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
    const char *name, size_t namelen)
 {
        char *copy;
@@ -134,7 +134,6 @@ int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
                namelen = strlen(name);
        /*
         * Refuse names with embedded NUL bytes.
-         * XXX: Do we need to push an error onto the error stack?
         */
        if (name && memchr(name, '\0', namelen))
                return 0;
@@ -197,6 +196,7 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param)
        free(paramid->ip);
        paramid->ip = NULL;
        paramid->iplen = 0;
+        paramid->poisoned = 0;
 }
 X509_VERIFY_PARAM *
@@ -367,24 +367,28 @@ X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from)
 }
 static int
-int_x509_param_set1(char **pdest, size_t *pdestlen,  const char *src,
+x509_param_set1_internal(char **pdest, size_t *pdestlen,  const char *src,
-    size_t srclen)
+    size_t srclen, int nonul)
 {
        char *tmp;
-        if (src) {
-                if (srclen == 0) {
+        if (src == NULL)
-                        if ((tmp = strdup(src)) == NULL)
+                return 0;
-                                return 0;
-                        srclen = strlen(src);
+        if (srclen == 0) {
-                } else {
+                srclen = strlen(src);
-                        if ((tmp = malloc(srclen)) == NULL)
+                if (srclen == 0)
-                                return 0;
+                        return 0;
-                        memcpy(tmp, src, srclen);
+                if ((tmp = strdup(src)) == NULL)
-                }
+                        return 0;
        } else {
-                tmp = NULL;
+                if (nonul && memchr(src, '\0', srclen))
-                srclen = 0;
+                        return 0;
+                if ((tmp = malloc(srclen)) == NULL)
+                        return 0;
+                memcpy(tmp, src, srclen);
        }
        if (*pdest)
                free(*pdest);
        *pdest = tmp;
@@ -505,14 +509,20 @@ int
 X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
    const char *name, size_t namelen)
 {
-        return int_x509_param_set_hosts(param->id, SET_HOST, name, namelen);
+        if (x509_param_set_hosts_internal(param->id, SET_HOST, name, namelen))
+                return 1;
+        param->id->poisoned = 1;
+        return 0;
 }
 int
 X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
    const char *name, size_t namelen)
 {
-        return int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen);
+        if (x509_param_set_hosts_internal(param->id, ADD_HOST, name, namelen))
+                return 1;
+        param->id->poisoned = 1;
+        return 0;
 }
 void
@@ -531,18 +541,25 @@ int
 X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,  const char *email,
    size_t emaillen)
 {
-        return int_x509_param_set1(&param->id->email, &param->id->emaillen,
+        if (x509_param_set1_internal(&param->id->email, &param->id->emaillen,
-            email, emaillen);
+            email, emaillen, 1))
+                return 1;
+        param->id->poisoned = 1;
+        return 0;
 }
 int
 X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip,
    size_t iplen)
 {
-        if (iplen != 0 && iplen != 4 && iplen != 16)
+        if (iplen != 4 && iplen != 16)
-                return 0;
+                goto err;
-        return int_x509_param_set1((char **)&param->id->ip, &param->id->iplen,
+        if (x509_param_set1_internal((char **)&param->id->ip, &param->id->iplen,
-            (char *)ip, iplen);
+                (char *)ip, iplen, 0))
+                return 1;
+ err:
+        param->id->poisoned = 1;
+        return 0;
 }
 int
@@ -552,8 +569,6 @@ X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
        size_t iplen;
        iplen = (size_t)a2i_ipadd(ipout, ipasc);
-        if (iplen == 0)
-                return 0;
        return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
 }

diff --git a/src/lib/libcrypto/x509/vpm_int.h b/src/lib/libcrypto/x509/vpm_int.h index 6c8061c847..7fc9fef761 100644 --- a/src/lib/libcrypto/x509/vpm_int.h +++ b/src/lib/libcrypto/x509/vpm_int.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: vpm_int.h,v 1.3 2016/12/21 15:49:29 jsing Exp $ */	1	/* $OpenBSD: vpm_int.h,v 1.4 2018/04/06 07:08:20 beck Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
4	* 2013.	4	* 2013.
@@ -69,6 +69,7 @@ struct X509_VERIFY_PARAM_ID_st {
69	size_t emaillen;	69	size_t emaillen;
70	unsigned char ip; / If not NULL IP address to match */	70	unsigned char ip; / If not NULL IP address to match */
71	size_t iplen; /* Length of IP address */	71	size_t iplen; /* Length of IP address */
		72	int poisoned;
72	};	73	};
73		74
74	__END_HIDDEN_DECLS	75	__END_HIDDEN_DECLS


diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index c8ccae5029..8392f509e7 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.68 2018/02/22 17:11:30 jsing Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.69 2018/04/06 07:08:20 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -182,10 +182,13 @@ check_id_error(X509_STORE_CTX *ctx, int errcode)
182	static int	182	static int
183	check_hosts(X509 x, X509_VERIFY_PARAM_ID id)	183	check_hosts(X509 x, X509_VERIFY_PARAM_ID id)
184	{	184	{
185	size_t i;	185	size_t i, n;
186	size_t n = sk_OPENSSL_STRING_num(id->hosts);
187	char *name;	186	char *name;
188		187
		188	if (id->poisoned)
		189	return 0;
		190
		191	n = sk_OPENSSL_STRING_num(id->hosts);
189	free(id->peername);	192	free(id->peername);
190	id->peername = NULL;	193	id->peername = NULL;
191		194
@@ -205,6 +208,10 @@ check_id(X509_STORE_CTX *ctx)
205	X509_VERIFY_PARAM_ID *id = vpm->id;	208	X509_VERIFY_PARAM_ID *id = vpm->id;
206	X509 *x = ctx->cert;	209	X509 *x = ctx->cert;
207		210
		211	if (id->poisoned)
		212	if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL))
		213	return 0;
		214
208	if (id->hosts && check_hosts(x, id) <= 0) {	215	if (id->hosts && check_hosts(x, id) <= 0) {
209	if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))	216	if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
210	return 0;	217	return 0;


diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c index 0897137697..baebcf7bca 100644 --- a/src/lib/libcrypto/x509/x509_vpm.c +++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vpm.c,v 1.17 2018/03/22 15:54:46 beck Exp $ */	1	/* $OpenBSD: x509_vpm.c,v 1.18 2018/04/06 07:08:20 beck Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2004.	3	* project 2004.
4	*/	4	*/
@@ -125,7 +125,7 @@ sk_deep_copy(void sk_void, void copy_func_void, void *free_func_void)
125	}	125	}
126		126
127	static int	127	static int
128	int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,	128	x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
129	const char *name, size_t namelen)	129	const char *name, size_t namelen)
130	{	130	{
131	char *copy;	131	char *copy;
@@ -134,7 +134,6 @@ int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
134	namelen = strlen(name);	134	namelen = strlen(name);
135	/*	135	/*
136	* Refuse names with embedded NUL bytes.	136	* Refuse names with embedded NUL bytes.
137	* XXX: Do we need to push an error onto the error stack?
138	*/	137	*/
139	if (name && memchr(name, '\0', namelen))	138	if (name && memchr(name, '\0', namelen))
140	return 0;	139	return 0;
@@ -197,6 +196,7 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param)
197	free(paramid->ip);	196	free(paramid->ip);
198	paramid->ip = NULL;	197	paramid->ip = NULL;
199	paramid->iplen = 0;	198	paramid->iplen = 0;
		199	paramid->poisoned = 0;
200	}	200	}
201		201
202	X509_VERIFY_PARAM *	202	X509_VERIFY_PARAM *
@@ -367,24 +367,28 @@ X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM to, const X509_VERIFY_PARAM from)
367	}	367	}
368		368
369	static int	369	static int
370	int_x509_param_set1(char *pdest, size_t pdestlen, const char *src,	370	x509_param_set1_internal(char *pdest, size_t pdestlen, const char *src,
371	size_t srclen)	371	size_t srclen, int nonul)
372	{	372	{
373	char *tmp;	373	char *tmp;
374	if (src) {	374
375	if (srclen == 0) {	375	if (src == NULL)
376	if ((tmp = strdup(src)) == NULL)	376	return 0;
377	return 0;	377
378	srclen = strlen(src);	378	if (srclen == 0) {
379	} else {	379	srclen = strlen(src);
380	if ((tmp = malloc(srclen)) == NULL)	380	if (srclen == 0)
381	return 0;	381	return 0;
382	memcpy(tmp, src, srclen);	382	if ((tmp = strdup(src)) == NULL)
383	}	383	return 0;
384	} else {	384	} else {
385	tmp = NULL;	385	if (nonul && memchr(src, '\0', srclen))
386	srclen = 0;	386	return 0;
		387	if ((tmp = malloc(srclen)) == NULL)
		388	return 0;
		389	memcpy(tmp, src, srclen);
387	}	390	}
		391
388	if (*pdest)	392	if (*pdest)
389	free(*pdest);	393	free(*pdest);
390	*pdest = tmp;	394	*pdest = tmp;
@@ -505,14 +509,20 @@ int
505	X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,	509	X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
506	const char *name, size_t namelen)	510	const char *name, size_t namelen)
507	{	511	{
508	return int_x509_param_set_hosts(param->id, SET_HOST, name, namelen);	512	if (x509_param_set_hosts_internal(param->id, SET_HOST, name, namelen))
		513	return 1;
		514	param->id->poisoned = 1;
		515	return 0;
509	}	516	}
510		517
511	int	518	int
512	X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,	519	X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
513	const char *name, size_t namelen)	520	const char *name, size_t namelen)
514	{	521	{
515	return int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen);	522	if (x509_param_set_hosts_internal(param->id, ADD_HOST, name, namelen))
		523	return 1;
		524	param->id->poisoned = 1;
		525	return 0;
516	}	526	}
517		527
518	void	528	void
@@ -531,18 +541,25 @@ int
531	X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM param, const char email,	541	X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM param, const char email,
532	size_t emaillen)	542	size_t emaillen)
533	{	543	{
534	return int_x509_param_set1(&param->id->email, &param->id->emaillen,	544	if (x509_param_set1_internal(&param->id->email, &param->id->emaillen,
535	email, emaillen);	545	email, emaillen, 1))
		546	return 1;
		547	param->id->poisoned = 1;
		548	return 0;
536	}	549	}
537		550
538	int	551	int
539	X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM param, const unsigned char ip,	552	X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM param, const unsigned char ip,
540	size_t iplen)	553	size_t iplen)
541	{	554	{
542	if (iplen != 0 && iplen != 4 && iplen != 16)	555	if (iplen != 4 && iplen != 16)
543	return 0;	556	goto err;
544	return int_x509_param_set1((char **)&param->id->ip, &param->id->iplen,	557	if (x509_param_set1_internal((char **)&param->id->ip, &param->id->iplen,
545	(char *)ip, iplen);	558	(char *)ip, iplen, 0))
		559	return 1;
		560	err:
		561	param->id->poisoned = 1;
		562	return 0;
546	}	563	}
547		564
548	int	565	int
@@ -552,8 +569,6 @@ X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM param, const char ipasc)
552	size_t iplen;	569	size_t iplen;
553		570
554	iplen = (size_t)a2i_ipadd(ipout, ipasc);	571	iplen = (size_t)a2i_ipadd(ipout, ipasc);
555	if (iplen == 0)
556	return 0;
557	return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);	572	return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
558	}	573	}
559		574