- Better checking for reading over buffer boundaries

- Zeroize altSubjectName chain memory before use
This commit is contained in:
Paul Bakker 2012-08-23 10:49:55 +00:00
parent 9195662a4c
commit 535e97dbab
2 changed files with 22 additions and 13 deletions

View File

@ -45,6 +45,7 @@ Bugfix
* Handle encryption with private key and decryption with public key as per * Handle encryption with private key and decryption with public key as per
RFC 2313 RFC 2313
* Handle empty certificate subject names * Handle empty certificate subject names
* Prevent reading over buffer boundaries on X509 certificate parsing
Security Security
* Fixed potential memory corruption on miscrafted client messages (found by * Fixed potential memory corruption on miscrafted client messages (found by

View File

@ -878,6 +878,7 @@ static int x509_get_subject_alt_name( unsigned char **p,
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
POLARSSL_ERR_ASN1_MALLOC_FAILED ); POLARSSL_ERR_ASN1_MALLOC_FAILED );
memset( cur->next, 0, sizeof( asn1_sequence ) );
cur = cur->next; cur = cur->next;
} }
} }
@ -1355,7 +1356,8 @@ int x509parse_crt_der( x509_cert *crt, const unsigned char *buf, size_t buflen )
return( ret ); return( ret );
} }
if( memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 ) if( crt->sig_oid1.len != crt->sig_oid2.len ||
memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
{ {
x509_free( crt ); x509_free( crt );
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH ); return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
@ -1776,7 +1778,8 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen )
return( ret ); return( ret );
} }
if( memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 ) if( crl->sig_oid1.len != crl->sig_oid2.len ||
memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
{ {
x509_crl_free( crl ); x509_crl_free( crl );
return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH ); return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
@ -2530,7 +2533,8 @@ int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
SAFE_SNPRINTF(); SAFE_SNPRINTF();
} }
if( memcmp( name->oid.p, OID_X520, 2 ) == 0 ) if( name->oid.len == 3 &&
memcmp( name->oid.p, OID_X520, 2 ) == 0 )
{ {
switch( name->oid.p[2] ) switch( name->oid.p[2] )
{ {
@ -2559,7 +2563,8 @@ int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
} }
SAFE_SNPRINTF(); SAFE_SNPRINTF();
} }
else if( memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 ) else if( name->oid.len == 9 &&
memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
{ {
switch( name->oid.p[8] ) switch( name->oid.p[8] )
{ {
@ -3071,8 +3076,8 @@ int x509_wildcard_verify( const char *cn, x509_buf *name )
if( cn_idx == 0 ) if( cn_idx == 0 )
return( 0 ); return( 0 );
if( memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 && if( strlen( cn ) - cn_idx == name->len - 1 &&
strlen( cn ) - cn_idx == name->len - 1 ) memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
{ {
return( 1 ); return( 1 );
} }
@ -3114,11 +3119,12 @@ int x509parse_verify( x509_cert *crt,
while( cur != NULL ) while( cur != NULL )
{ {
if( memcmp( cn, cur->buf.p, cn_len ) == 0 && if( cur->buf.len == cn_len &&
cur->buf.len == cn_len ) memcmp( cn, cur->buf.p, cn_len ) == 0 )
break; break;
if( memcmp( cur->buf.p, "*.", 2 ) == 0 && if( cur->buf.len > 2 &&
memcmp( cur->buf.p, "*.", 2 ) == 0 &&
x509_wildcard_verify( cn, &cur->buf ) ) x509_wildcard_verify( cn, &cur->buf ) )
break; break;
@ -3132,13 +3138,15 @@ int x509parse_verify( x509_cert *crt,
{ {
while( name != NULL ) while( name != NULL )
{ {
if( memcmp( name->oid.p, OID_CN, 3 ) == 0 ) if( name->oid.len == 3 &&
memcmp( name->oid.p, OID_CN, 3 ) == 0 )
{ {
if( memcmp( name->val.p, cn, cn_len ) == 0 && if( name->val.len == cn_len &&
name->val.len == cn_len ) memcmp( name->val.p, cn, cn_len ) == 0 )
break; break;
if( memcmp( name->val.p, "*.", 2 ) == 0 && if( name->val.len > 2 &&
memcmp( name->val.p, "*.", 2 ) == 0 &&
x509_wildcard_verify( cn, &name->val ) ) x509_wildcard_verify( cn, &name->val ) )
break; break;
} }