Fix CMP code to not assume NUL terminated strings

ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>

crypto/cmp/cmp_hdr.c

@@ -181,7 +181,8 @@ int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text)
         return 0;
 
     return
-        ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data);
+        ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data,
+                                             text->length);
 }
 
 int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr,

crypto/cmp/cmp_local.h

@@ -744,7 +744,7 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
                                    int only_self_issued);
 STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
 int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
-                                         const char *text);
+                                         const char *text, int len);
 int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
                                     const ASN1_OCTET_STRING *src);
 int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,

crypto/cmp/cmp_msg.c

@@ -758,13 +758,13 @@ OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
             goto err;
         msg->body->value.error->errorDetails = ft;
         if (lib != NULL && *lib != '\0'
-                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib))
+                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib, -1))
             goto err;
         if (reason != NULL && *reason != '\0'
-                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason))
+                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason, -1))
             goto err;
         if (details != NULL
-                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
+                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details, -1))
             goto err;
     }
 

crypto/cmp/cmp_status.c

@@ -220,7 +220,8 @@ char *snprint_PKIStatusInfo_parts(int status, int fail_info,
         ADVANCE_BUFFER;
         for (i = 0; i < n_status_strings; i++) {
             text = sk_ASN1_UTF8STRING_value(status_strings, i);
-            printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%s\"%s",
+            printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%.*s\"%s",
+                                         ASN1_STRING_length(text),
                                          ASN1_STRING_get0_data(text),
                                          i < n_status_strings - 1 ? ", " : "");
             ADVANCE_BUFFER;

crypto/cmp/cmp_util.c

@@ -221,7 +221,7 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
 }
 
 int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
-                                         const char *text)
+                                         const char *text, int len)
 {
     ASN1_UTF8STRING *utf8string;
 
@@ -229,7 +229,7 @@ int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
         return 0;
     if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
         return 0;
-    if (!ASN1_STRING_set(utf8string, text, -1))
+    if (!ASN1_STRING_set(utf8string, text, len))
         goto err;
     if (!sk_ASN1_UTF8STRING_push(sk, utf8string))
         goto err;