
Fix CMP code to not assume NUL terminated strings

ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
master
Matt Caswell 10 months ago
parent
commit
95f8c1e142
5 changed files with 10 additions and 8 deletions
  1. +2
    -1
      crypto/cmp/cmp_hdr.c
  2. +1
    -1
      crypto/cmp/cmp_local.h
  3. +3
    -3
      crypto/cmp/cmp_msg.c
  4. +2
    -1
      crypto/cmp/cmp_status.c
  5. +2
    -2
      crypto/cmp/cmp_util.c

+ 2
- 1
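--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@@ -181,7 +181,8 @@ int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text)
 return 0;
 return
-ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data);
+ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data,
+text->length);
 }
 int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr,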
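Review bot: The new call in ossl_cmp_hdr_push1_freeText reads `text->data` and `text->length` directly from the struct, whereas the cmp_status.c change in this same commit goes through the public accessors. Using the accessors here as well keeps the pointer and its length visibly tied to one ASN1_STRING and makes the two call sites consistent: `ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (const char *)ASN1_STRING_get0_data(text), ASN1_STRING_length(text));`. The function body starts before the hunk, so whether `text` is checked for NULL before this dereference cannot be seen from here.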


+ 1
- 1
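--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -744,7 +744,7 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
 int only_self_issued);
 STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
 int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
-const char *text);
+const char *text, int len);
 int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
 const ASN1_OCTET_STRING *src);
 int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,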
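Review bot: The widened prototype of ossl_cmp_sk_ASN1_UTF8STRING_push_str carries no comment saying what `len` means, and the call sites in cmp_msg.c pass a bare `-1`. ASN1_STRING_set() is documented to take the length from strlen() when given -1, so a later caller that forwards ASN.1 string data with -1 would bring back the read past the end of the buffer that this commit removes. I would add above the declaration `/* len is the byte count of text, or -1 if text is a NUL-terminated C string; data taken from an ASN1_STRING must pass its length */` and repeat it at the definition in cmp_util.c. Whether lib, reason and details in ossl_cmp_error_new are always NUL-terminated is decided outside the visible hunks.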


+ 3
- 3
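--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -758,13 +758,13 @@ OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
 goto err;
 msg->body->value.error->errorDetails = ft;
 if (lib != NULL && *lib != '\0'
-&& !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib))
+&& !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib, -1))
 goto err;
 if (reason != NULL && *reason != '\0'
-&& !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason))
+&& !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason, -1))
 goto err;
 if (details != NULL
-&& !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
+&& !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details, -1))
 goto err;
 }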


+ 2
- 1
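--- a/crypto/cmp/cmp_status.c
+++ b/crypto/cmp/cmp_status.c
@@ -220,7 +220,8 @@ char *snprint_PKIStatusInfo_parts(int status, int fail_info,
 ADVANCE_BUFFER;
 for (i = 0; i < n_status_strings; i++) {
 text = sk_ASN1_UTF8STRING_value(status_strings, i);
-printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%s\"%s",
+printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%.*s\"%s",
+ASN1_STRING_length(text),
 ASN1_STRING_get0_data(text),
 i < n_status_strings - 1 ? ", " : "");
 ADVANCE_BUFFER;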
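Review bot: The `%.*s` conversion in snprint_PKIStatusInfo_parts bounds the read by ASN1_STRING_length(text) but still stops at the first NUL byte, so a status string with an embedded NUL is shortened in the output without any indication. The text presumably originates from the peer's PKIStatusInfo and is copied between the quotes unescaped, which matters if this buffer ends up in logs that someone later relies on. A comment on the call would record both facts: `/* precision bounds the read: ASN.1 strings need not be NUL terminated; output ends at an embedded NUL */`. The loop and the function continue outside the hunk.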


+ 2
- 2
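--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
@@ -221,7 +221,7 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
 }
 int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
-const char *text)
+const char *text, int len)
 {
 ASN1_UTF8STRING *utf8string;
@@ -229,7 +229,7 @@ int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
 return 0;
 if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
 return 0;
-if (!ASN1_STRING_set(utf8string, text, -1))
+if (!ASN1_STRING_set(utf8string, text, len))
 goto err;
 if (!sk_ASN1_UTF8STRING_push(sk, utf8string))
 goto err;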

