Fix for ASN1 parsing bugs.
10
CHANGES
10
CHANGES
@@ -4,6 +4,16 @@
|
|||||||
|
|
||||||
Changes between 0.9.6j and 0.9.6k [xx XXX 2003]
|
Changes between 0.9.6j and 0.9.6k [xx XXX 2003]
|
||||||
|
|
||||||
|
*) Fix various bugs revealed by running the NISCC test suite:
|
||||||
|
|
||||||
|
Stop out of bounds reads in the ASN1 code when presented with
|
||||||
|
invalid tags (CAN-2003-0543 and CAN-2003-0544).
|
||||||
|
|
||||||
|
If verify callback ignores invalid public key errors don't try to check
|
||||||
|
certificate signature with the NULL public key.
|
||||||
|
|
||||||
|
[Steve Henson]
|
||||||
|
|
||||||
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
|
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
|
||||||
if the server requested one: as stated in TLS 1.0 and SSL 3.0
|
if the server requested one: as stated in TLS 1.0 and SSL 3.0
|
||||||
specifications.
|
specifications.
|
||||||
|
|||||||
@@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
|
|||||||
l<<=7L;
|
l<<=7L;
|
||||||
l|= *(p++)&0x7f;
|
l|= *(p++)&0x7f;
|
||||||
if (--max == 0) goto err;
|
if (--max == 0) goto err;
|
||||||
|
if (l > (INT_MAX >> 7L)) goto err;
|
||||||
}
|
}
|
||||||
l<<=7L;
|
l<<=7L;
|
||||||
l|= *(p++)&0x7f;
|
l|= *(p++)&0x7f;
|
||||||
tag=(int)l;
|
tag=(int)l;
|
||||||
|
if (--max == 0) goto err;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
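Review bot: The new check `if (l > (INT_MAX >> 7L)) goto err;` carries no comment, and a reader has to work out that it bounds `l` so that the following `l<<=7L` (on the next loop iteration or after the loop) and the later `tag=(int)l` cannot overflow — which, if `l` is a signed `long` as the `(int)` truncation suggests, would be undefined behaviour rather than merely a wrong tag value. A one-line comment above it such as `/* bound l so the next 7-bit shift and tag=(int)l cannot overflow */` would keep that reasoning with the code. Placing the bound after the accumulation rather than before the shift is only sound because the loop's first shift starts from a zero `l`; the initialisation of `l` and `max` and the loop head are outside the hunk, as is the rest of ASN1_get_object, so that should be confirmed against them. The second added line, `if (--max == 0) goto err;` after `tag=(int)l`, mirrors the in-loop exhaustion check and would benefit from the same short comment, e.g. `/* at least the length octet must still follow */`, assuming `max` counts the remaining input bytes.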
|
|||||||
@@ -490,7 +490,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
|
|||||||
ok=(*cb)(0,ctx);
|
ok=(*cb)(0,ctx);
|
||||||
if (!ok) goto end;
|
if (!ok) goto end;
|
||||||
}
|
}
|
||||||
if (X509_verify(xs,pkey) <= 0)
|
else if (X509_verify(xs,pkey) <= 0)
|
||||||
{
|
{
|
||||||
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
|
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
|
||||||
ctx->current_cert=xs;
|
ctx->current_cert=xs;
|
||||||
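Review bot: Turning `if (X509_verify(xs,pkey) <= 0)` into `else if` makes the signature check silently skipped on the path where the callback accepted the error raised in the preceding branch (presumably the NULL-`pkey` case; that branch's head is outside the hunk), so a certificate can now continue through internal_verify with its signature never checked. That is the intended fix for passing a NULL key to X509_verify(), but nothing at the `else if` says so; suggest placing `/* callback accepted the missing/undecodable key above: there is no key to check the signature with, so do not call X509_verify() with a NULL pkey */` immediately above the `else if`. The callback's documentation should also state that returning success for that error accepts a certificate whose signature has not been verified, since that is the consequence an application opts into. internal_verify starts and ends outside the hunk.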
|
|||||||