diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2003-09-30 12:05:11 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2003-09-30 12:05:11 +0000 |
commit | 3c28bfdc822517fac18c2ce8a2542ae12ff645dc (patch) | |
tree | 982016d31a1721d5a84e6014c74d1fada246721f | |
parent | 4b650cb7314744ea9a89be3512d608b5ae899e4b (diff) | |
download | openssl-new-3c28bfdc822517fac18c2ce8a2542ae12ff645dc.tar.gz |
Fix for ASN1 parsing bugs.
-rw-r--r-- | CHANGES | 10 | ||||
-rw-r--r-- | crypto/asn1/asn1_lib.c | 2 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 2 |
3 files changed, 13 insertions, 1 deletions
@@ -4,6 +4,16 @@ Changes between 0.9.6j and 0.9.6k [xx XXX 2003] + *) Fix various bugs revealed by running the NISCC test suite: + + Stop out of bounds reads in the ASN1 code when presented with + invalid tags (CAN-2003-0543 and CAN-2003-0544). + + If verify callback ignores invalid public key errors don't try to check + certificate signature with the NULL public key. + + [Steve Henson] + *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate if the server requested one: as stated in TLS 1.0 and SSL 3.0 specifications. diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index e4a56a926a..6e49624718 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass, l<<=7L; l|= *(p++)&0x7f; if (--max == 0) goto err; + if (l > (INT_MAX >> 7L)) goto err; } l<<=7L; l|= *(p++)&0x7f; tag=(int)l; + if (--max == 0) goto err; } else { diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 9ad9276ff7..1d14401a8b 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -490,7 +490,7 @@ static int internal_verify(X509_STORE_CTX *ctx) ok=(*cb)(0,ctx); if (!ok) goto end; } - if (X509_verify(xs,pkey) <= 0) + else if (X509_verify(xs,pkey) <= 0) { ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->current_cert=xs; |