-rw-r--r--.lgtm.yml14
-rw-r--r--bootstrap.conf6
-rw-r--r--fuzz/gnutls_x509_crl_parser_fuzzer.repro/698e01fdc3f9a4c402424302768da75f2464a63fbin0 -> 554 bytes
-rw-r--r--fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3bin0 -> 830 bytes
-rw-r--r--lib/gnutls_int.h28
-rw-r--r--lib/hello_ext.c2
-rw-r--r--lib/hello_ext.h4
-rw-r--r--lib/x509/common.c20
-rw-r--r--lib/x509/common.h2
-rw-r--r--lib/x509/crl.c13
-rw-r--r--lib/x509/ocsp.c31
-rw-r--r--lib/x509/output.c24
-rw-r--r--lib/x509/x509.c19
-rw-r--r--tests/cert-tests/data/crl-demo3.pem2
14 files changed, 62 insertions, 103 deletions
diff --git a/.lgtm.yml b/.lgtm.yml
index 82ecb4d8f8..be8dfe1e2e 100644
--- a/.lgtm.yml
+++ b/.lgtm.yml
@@ -2,15 +2,9 @@ extraction:
cpp:
configure:
command:
+ - sed 's/--with-tests/--without-tests/g' -i bootstrap.conf
- "./bootstrap --no-git --skip-po --no-bootstrap-sync --gnulib-srcdir=gnulib"
- - "wget -O nettle-master.zip https://git.lysator.liu.se/nettle/nettle/-/archive/master/nettle-master.zip?foo=`date +%Y%m%d`"
- - "unzip nettle-master.zip"
- - "mv nettle-master nettle"
- - "cd nettle"
- - "bash .bootstrap"
- - "./configure --enable-mini-gmp --disable-documentation"
- - "make"
- - "cd .."
- - "PKG_CONFIG_PATH=\"`pwd`/nettle\" LDFLAGS=\"-L`pwd`/nettle\" ./configure --disable-tests --disable-doc"
+ - "./configure --disable-tests --disable-doc --disable-gtk-doc --disable-dependency-tracking"
index:
- build_command: "LD_LIBRARY_PATH=\"`pwd`/nettle/.lib\" make"
+ build_command:
+ - "make -j4"
diff --git a/bootstrap.conf b/bootstrap.conf
index f47b81aa68..9216ab6cf3 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -28,7 +28,7 @@ required_submodules="tests/suite/tls-fuzzer/python-ecdsa tests/suite/tls-fuzzer/
# Reproduce by: gnulib-tool --import --local-dir=gl/override --lib=libgnu --source-base=gl --m4-base=gl/m4 --doc-base=doc --tests-base=gl/tests --aux-dir=build-aux --with-tests --avoid=alignof-tests --avoid=lock-tests --avoid=lseek-tests --lgpl=2 --no-conditional-dependencies --libtool --macro-prefix=gl --no-vc-files alloca byteswap c-ctype extensions func gendocs getline gettext-h gettimeofday hash-pjw-bare havelib intprops lib-msvc-compat lib-symbol-versions maintainer-makefile manywarnings memmem-simple minmax netdb netinet_in pmccabe2html read-file secure_getenv snprintf stdint strcase strndup strtok_r strverscmp sys_socket sys_stat time_r unistd vasprintf vsnprintf warnings
gnulib_modules="
-alloca byteswap c-ctype c-strcase extensions func gendocs getline gettext-h gettimeofday hash hash-pjw-bare havelib arpa_inet inet_ntop inet_pton intprops lib-msvc-compat lib-symbol-versions maintainer-makefile manywarnings memmem-simple minmax netdb netinet_in pmccabe2html read-file secure_getenv setsockopt snprintf stdint strcase strdup-posix strndup strtok_r strverscmp sys_socket sys_stat sys_types time_r unistd valgrind-tests vasprintf vsnprintf warnings
+alloca byteswap c-ctype c-strcase extensions func gendocs getline gettext-h gettimeofday hash hash-pjw-bare havelib arpa_inet inet_ntop inet_pton intprops lib-msvc-compat lib-symbol-versions maintainer-makefile manywarnings memmem-simple minmax netdb netinet_in pmccabe2html read-file secure_getenv setsockopt snprintf stdint strcase strdup-posix strndup strtok_r strverscmp sys_socket sys_stat sys_types time_r unistd valgrind-tests vasprintf verify vsnprintf warnings
"
unistring_modules="
@@ -93,9 +93,9 @@ bootstrap_post_import_hook ()
# sed -i 's/malloc-posix//g' ${GNULIB_SRCDIR}/modules/$i
# done
- ${GNULIB_SRCDIR}/gnulib-tool --import --local-dir=lib/unistring/override --lib=libunistring --source-base=lib/unistring --m4-base=lib/unistring/m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --lgpl=3orGPLv2 --no-conditional-dependencies --libtool --macro-prefix=unistring ${unistring_modules}
+ ${GNULIB_SRCDIR}/gnulib-tool --import --local-dir=lib/unistring/override --lib=libunistring --source-base=lib/unistring --m4-base=lib/unistring/m4 --doc-base=doc --aux-dir=build-aux --lgpl=3orGPLv2 --no-conditional-dependencies --libtool --without-tests --macro-prefix=unistring ${unistring_modules}
- ${GNULIB_SRCDIR}/gnulib-tool --import --local-dir=src/gl/override --lib=libgnu_gpl --source-base=src/gl --m4-base=src/gl/m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --no-conditional-dependencies --libtool --macro-prefix=ggl --no-vc-files ${src_modules}
+ ${GNULIB_SRCDIR}/gnulib-tool --import --local-dir=src/gl/override --lib=libgnu_gpl --source-base=src/gl --m4-base=src/gl/m4 --doc-base=doc --aux-dir=build-aux --no-conditional-dependencies --libtool --macro-prefix=ggl --without-tests --no-vc-files ${src_modules}
# git -C ${GNULIB_SRCDIR} reset --hard
diff --git a/fuzz/gnutls_x509_crl_parser_fuzzer.repro/698e01fdc3f9a4c402424302768da75f2464a63f b/fuzz/gnutls_x509_crl_parser_fuzzer.repro/698e01fdc3f9a4c402424302768da75f2464a63f
new file mode 100644
index 0000000000..9cc53a3e7d
--- /dev/null
+++ b/fuzz/gnutls_x509_crl_parser_fuzzer.repro/698e01fdc3f9a4c402424302768da75f2464a63f
Binary files differ
diff --git a/fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3 b/fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3
new file mode 100644
index 0000000000..4fe047d3c3
--- /dev/null
+++ b/fuzz/gnutls_x509_crq_parser_fuzzer.repro/609921afff38ec5b52feb7e17aa3035bdce0e0d3
Binary files differ
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index d9d851be62..4ea8159979 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -146,7 +146,7 @@ typedef int ssize_t;
/* TLS Extensions */
/* we can receive up to MAX_EXT_TYPES extensions.
*/
-#define MAX_EXT_TYPES 32
+#define MAX_EXT_TYPES 64
/* TLS-internal extension (will be parsed after a ciphersuite is selected).
* This amends the gnutls_ext_parse_type_t. Not exported yet to allow more refining
@@ -358,22 +358,24 @@ typedef enum extensions_t {
GNUTLS_EXTENSION_MAX /* not real extension - used for iterators */
} extensions_t;
-#define GNUTLS_EXTENSION_MAX_VALUE 31
-#define ext_track_t uint32_t
+#define GNUTLS_EXTENSION_MAX_VALUE 63
+#define ext_track_t uint64_t
-#if GNUTLS_EXTENSION_MAX >= GNUTLS_EXTENSION_MAX_VALUE
-# error over limit
-#endif
+#include <verify.h>
-#if GNUTLS_EXTENSION_MAX >= MAX_EXT_TYPES
-# error over limit
-#endif
+verify(GNUTLS_EXTENSION_MAX < GNUTLS_EXTENSION_MAX_VALUE);
+verify(GNUTLS_EXTENSION_MAX < MAX_EXT_TYPES);
-/* we must provide at least 16 extensions for users to register */
-#if GNUTLS_EXTENSION_MAX_VALUE - GNUTLS_EXTENSION_MAX < 16
-# error not enough extension types; increase GNUTLS_EXTENSION_MAX_VALUE, MAX_EXT_TYPES and used_exts type
-#endif
+/* we must provide at least 16 extensions for users to register;
+ * increase GNUTLS_EXTENSION_MAX_VALUE, MAX_EXT_TYPES and used_exts
+ * type if this fails
+ */
+verify(GNUTLS_EXTENSION_MAX_VALUE - GNUTLS_EXTENSION_MAX >= 16);
+/* The 'verify' symbol from <verify.h> is used extensively in the
+ * code; undef it to avoid clash
+ */
+#undef verify
typedef enum { CIPHER_STREAM, CIPHER_BLOCK, CIPHER_AEAD } cipher_type_t;
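Review bot: The `#undef verify` at the end of the hunk removes the macro but leaves the include guard of `<verify.h>` set, so a translation unit that includes gnutls_int.h first and `<verify.h>` later will presumably find `verify` missing with no diagnostic from the second include, while the other macros that header defines (`verify_expr`, `assume`) stay in scope. I would extend the added comment to `/* ... undef it to avoid clash; include <verify.h> before this header if you need it */` so the constraint is recorded where it bites. Separately, `#define ext_track_t uint64_t` spells a type alias as a macro; `typedef uint64_t ext_track_t;` is the conventional form and leaves the `(ext_track_t)1 << id` cast sites in hello_ext.c/h unchanged.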
diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index 0c6c0dca01..1df1506e0b 100644
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -520,7 +520,7 @@ int _gnutls_hello_ext_pack(gnutls_session_t session, gnutls_buffer_st *packed)
BUFFER_APPEND_NUM(packed, 0);
for (i = 0; i <= GNUTLS_EXTENSION_MAX_VALUE; i++) {
- if (session->internals.used_exts & (1U << i)) {
+ if (session->internals.used_exts & ((ext_track_t)1 << i)) {
ext = gid_to_ext_entry(session, i);
if (ext == NULL)
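Review bot: The widened mask is spelled `((ext_track_t)1 << i)` here and twice more in the lib/hello_ext.h hunks, which is the same fix repeated; a single helper such as `#define EXT_BIT(id) ((ext_track_t)1 << (id))` in hello_ext.h would keep the three sites identical and make any remaining `1U << id` against `used_exts` elsewhere in the tree (not visible in this diff, if any exist) easy to find, since such a site would silently truncate to 32 bits now that the field is 64 bits wide. The enclosing function `_gnutls_hello_ext_pack` continues outside the hunk.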
diff --git a/lib/hello_ext.h b/lib/hello_ext.h
index 38b28ae069..a7b921875d 100644
--- a/lib/hello_ext.h
+++ b/lib/hello_ext.h
@@ -160,7 +160,7 @@ typedef struct hello_ext_entry_st {
inline static unsigned
_gnutls_hello_ext_is_present(gnutls_session_t session, extensions_t id)
{
- if (session->internals.used_exts & (1U << id))
+ if (session->internals.used_exts & ((ext_track_t)1 << id))
return 1;
return 0;
@@ -184,7 +184,7 @@ unsigned _gnutls_hello_ext_save(gnutls_session_t session,
return 0;
}
- session->internals.used_exts |= (1U << id);
+ session->internals.used_exts |= ((ext_track_t)1 << id);
return 1;
}
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 4939d07d2b..fbc7cc975f 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1926,3 +1926,23 @@ gnutls_gost_paramset_t gnutls_oid_to_gost_paramset(const char *oid)
else
return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN);
}
+
+int _gnutls_x509_get_version(ASN1_TYPE root, const char *name)
+{
+ uint8_t version[8];
+ int len, result;
+
+ len = sizeof(version);
+ result = asn1_read_value(root, name, version, &len);
+ if (result != ASN1_SUCCESS) {
+ if (result == ASN1_ELEMENT_NOT_FOUND)
+ return 1; /* the DEFAULT version */
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+ if (len != 1 || version[0] >= 0x80)
+ return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
+
+ return (int) version[0] + 1;
+}
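Review bot: The new `_gnutls_x509_get_version` has no header comment although it now defines the version contract for certificates, CRLs and OCSP messages. I would add above it `/* Reads the version INTEGER at @name under @root and returns it plus one (X.509 v1 is 1). Returns 1 when the element is absent (the DEFAULT), GNUTLS_E_ASN1_DER_ERROR when the value is not a single byte below 0x80, or another negative error from _gnutls_asn2err(). */`. The one-byte check also means the function never returns more than 128, which is adequate for X.509 and OCSP versions but worth stating so nobody widens `version[]` expecting larger values to be accepted.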
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 498ccc4e97..54ded21188 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -264,6 +264,8 @@ int _gnutls_x509_decode_ext(const gnutls_datum_t *der, gnutls_x509_ext_st *out);
int _gnutls_x509_raw_crt_to_raw_pubkey(const gnutls_datum_t * cert,
gnutls_datum_t * rpubkey);
+int _gnutls_x509_get_version(ASN1_TYPE root, const char *name);
+
int x509_crt_to_raw_pubkey(gnutls_x509_crt_t crt,
gnutls_datum_t * rpubkey);
diff --git a/lib/x509/crl.c b/lib/x509/crl.c
index 82deb5e60a..76d90925e8 100644
--- a/lib/x509/crl.c
+++ b/lib/x509/crl.c
@@ -484,23 +484,12 @@ gnutls_x509_crl_get_signature(gnutls_x509_crl_t crl,
**/
int gnutls_x509_crl_get_version(gnutls_x509_crl_t crl)
{
- uint8_t version[8];
- int len, result;
-
if (crl == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
- len = sizeof(version);
- if ((result =
- asn1_read_value(crl->crl, "tbsCertList.version", version,
- &len)) != ASN1_SUCCESS) {
- gnutls_assert();
- return _gnutls_asn2err(result);
- }
-
- return (int) version[0] + 1;
+ return _gnutls_x509_get_version(crl->crl, "tbsCertList.version");
}
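Review bot: `gnutls_x509_crl_get_version` now returns 1 when `tbsCertList.version` is absent, where the removed code returned the error `_gnutls_asn2err(ASN1_ELEMENT_NOT_FOUND)` that output.c used to translate into "1 (default)"; the function's doc comment above the hunk (outside it) should state that an absent version is reported as 1, and any caller that compared the result with GNUTLS_E_ASN1_ELEMENT_NOT_FOUND would need the same adjustment as print_crl got in this commit. The new value itself matches the CRL syntax, where the version is optional and v1 is implied when it is missing.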
/**
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 38df56ef1c..caa511e9db 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -456,25 +456,12 @@ int gnutls_ocsp_resp_export2(gnutls_ocsp_resp_const_t resp, gnutls_datum_t * dat
**/
int gnutls_ocsp_req_get_version(gnutls_ocsp_req_const_t req)
{
- uint8_t version[8];
- int len, ret;
-
if (req == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
- len = sizeof(version);
- ret =
- asn1_read_value(req->req, "tbsRequest.version", version, &len);
- if (ret != ASN1_SUCCESS) {
- if (ret == ASN1_ELEMENT_NOT_FOUND)
- return 1; /* the DEFAULT version */
- gnutls_assert();
- return _gnutls_asn2err(ret);
- }
-
- return (int) version[0] + 1;
+ return _gnutls_x509_get_version(req->req, "tbsRequest.version");
}
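Review bot: The shared helper tightens validation relative to the removed code: a version INTEGER that is not exactly one byte below 0x80 now yields GNUTLS_E_ASN1_DER_ERROR, whereas the old code read `version[0]` regardless of `len`. That is the safer behaviour, but it is observable for `gnutls_ocsp_req_get_version` here and for `gnutls_ocsp_resp_get_version` in the next hunk, so both doc comments (outside the hunks) should list that error code among the possible negative returns.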
/**
@@ -1153,26 +1140,12 @@ gnutls_ocsp_resp_get_response(gnutls_ocsp_resp_const_t resp,
**/
int gnutls_ocsp_resp_get_version(gnutls_ocsp_resp_const_t resp)
{
- uint8_t version[8];
- int len, ret;
-
if (resp == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
- len = sizeof(version);
- ret =
- asn1_read_value(resp->resp, "tbsResponseData.version", version,
- &len);
- if (ret != ASN1_SUCCESS) {
- if (ret == ASN1_ELEMENT_NOT_FOUND)
- return 1; /* the DEFAULT version */
- gnutls_assert();
- return _gnutls_asn2err(ret);
- }
-
- return (int) version[0] + 1;
+ return _gnutls_x509_get_version(resp->resp, "tbsResponseData.version");
}
/**
diff --git a/lib/x509/output.c b/lib/x509/output.c
index 1e605d8fb6..8084b92b29 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -1282,12 +1282,12 @@ print_extensions(gnutls_buffer_st * str, const char *prefix, int type,
return;
}
+ if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
if (err < 0) {
- if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
- break;
addf(str, "error: get_extension_info: %s\n",
gnutls_strerror(err));
- continue;
+ break;
}
if (i == 0)
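Review bot: Turning `continue` into `break` on an error makes the first failing index terminal instead of advancing to the next one, which appears to be what the CRL and CRQ fuzz reproducers added in this commit exercise; a one-line comment such as `/* an index that fails will keep failing; stop instead of looping */` would record the rationale here and in the identical changes in the print_crl and print_crq hunks below. In the print_crq hunk the retained message `"error: get_extension_info: %s\n"` accompanies a call to gnutls_x509_crq_get_attribute_info, which looks like a copied label rather than a description of that call. The enclosing function print_extensions starts and ends outside the hunk.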
@@ -2204,9 +2204,7 @@ print_crl(gnutls_buffer_st * str, gnutls_x509_crl_t crl, int notsigned)
/* Version. */
{
int version = gnutls_x509_crl_get_version(crl);
- if (version == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND)
- adds(str, _("\tVersion: 1 (default)\n"));
- else if (version < 0)
+ if (version < 0)
addf(str, "error: get_version: %s\n",
gnutls_strerror(version));
else
@@ -2291,14 +2289,13 @@ print_crl(gnutls_buffer_st * str, gnutls_x509_crl_t crl, int notsigned)
oid,
&sizeof_oid,
&critical);
+ if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
if (err < 0) {
- if (err ==
- GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
- break;
addf(str,
"error: get_extension_info: %s\n",
gnutls_strerror(err));
- continue;
+ break;
}
if (i == 0)
@@ -2662,14 +2659,13 @@ print_crq(gnutls_buffer_st * str, gnutls_x509_crq_t cert,
gnutls_x509_crq_get_attribute_info(cert, i,
oid,
&sizeof_oid);
+ if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
if (err < 0) {
- if (err ==
- GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
- break;
addf(str,
"error: get_extension_info: %s\n",
gnutls_strerror(err));
- continue;
+ break;
}
if (i == 0)
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 57c7182894..2091f3ae64 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1177,29 +1177,12 @@ gnutls_x509_crt_get_signature(gnutls_x509_crt_t cert,
**/
int gnutls_x509_crt_get_version(gnutls_x509_crt_t cert)
{
- uint8_t version[8];
- int len, result;
-
if (cert == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
- len = sizeof(version);
- if ((result =
- asn1_read_value(cert->cert, "tbsCertificate.version", version,
- &len)) != ASN1_SUCCESS) {
-
- if (result == ASN1_ELEMENT_NOT_FOUND)
- return 1; /* the DEFAULT version */
- gnutls_assert();
- return _gnutls_asn2err(result);
- }
-
- if (len != 1 || version[0] >= 0x80)
- return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
-
- return (int) version[0] + 1;
+ return _gnutls_x509_get_version(cert->cert, "tbsCertificate.version");
}
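Review bot: The error code for a malformed certificate version changes from GNUTLS_E_CERTIFICATE_ERROR (removed line) to GNUTLS_E_ASN1_DER_ERROR, since the helper in lib/x509/common.c returns the latter; callers of the public `gnutls_x509_crt_get_version` that matched the old code will no longer recognise the failure. Either the doc comment above the hunk should be updated to name GNUTLS_E_ASN1_DER_ERROR, or the wrapper can keep the old contract with `int ret = _gnutls_x509_get_version(cert->cert, "tbsCertificate.version");` followed by `return ret == GNUTLS_E_ASN1_DER_ERROR ? gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR) : ret;`.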
/**
diff --git a/tests/cert-tests/data/crl-demo3.pem b/tests/cert-tests/data/crl-demo3.pem
index 1e04338c67..a91b1f905a 100644
--- a/tests/cert-tests/data/crl-demo3.pem
+++ b/tests/cert-tests/data/crl-demo3.pem
@@ -1,5 +1,5 @@
X.509 Certificate Revocation List Information:
- Version: 1 (default)
+ Version: 1
Issuer: OU=VeriSign Commercial Software Publishers CA,O=VeriSign\, Inc.,L=Internet
Update dates:
Issued: Wed Mar 08 09:00:11 UTC 2017