authormark <mark>2003-11-04 11:30:36 +0000
committermark <mark>2003-11-04 11:30:36 +0000
commit23571cba018c2d8f14493bda78a9ff3040f54d24 (patch)
tree530e45b6d36fb6a482bf31aa9577213214eba9a2
parent7d1e05d47288693675df823987861cb37407a6cd (diff)
downloadopenssl-OpenSSL_0_9_6l.tar.gz
Stop bug triggering large recursion when presented with
certain ASN.1 tags (CAN-2003-0851) [tag: OpenSSL_0_9_6l]
-rw-r--r--CHANGES8
-rw-r--r--NEWS4
-rw-r--r--README2
-rw-r--r--STATUS3
-rw-r--r--crypto/asn1/a_bytes.c78
-rw-r--r--crypto/opensslv.h4
-rw-r--r--openssl.spec2
7 files changed, 45 insertions, 56 deletions
diff --git a/CHANGES b/CHANGES
index 1d7e395b1..da33dfa0d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,9 +2,13 @@
OpenSSL CHANGES
_______________
- Changes between 0.9.6k and 0.9.6l [xx XXX XXXX]
+ Changes between 0.9.6k and 0.9.6l [04 Nov 2003]
- *)
+ *) Fix additional bug revealed by the NISCC test suite:
+
+ Stop bug triggering large recursion when presented with
+ certain ASN.1 tags (CAN-2003-0851)
+ [Steve Henson]
Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
diff --git a/NEWS b/NEWS
index 611ffa537..79dea2d72 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 0.9.6k and OpenSSL 0.9.6l:
+
+ o Security: fix ASN1 bug leading to large recursion
+
Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
o Security: fix various ASN1 parsing bugs.
diff --git a/README b/README
index 669facb8b..fc681edfd 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 0.9.6k 30 Sep 2003
+ OpenSSL 0.9.6l 04 Nov 2003
Copyright (c) 1998-2003 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/STATUS b/STATUS
index f248b9d01..4594171b5 100644
--- a/STATUS
+++ b/STATUS
@@ -1,6 +1,6 @@
OpenSSL STATUS Last modified at
- ______________ $Date: 2003/09/30 12:09:11 $
+ ______________ $Date: 2003/11/04 11:30:38 $
DEVELOPMENT STATE
@@ -9,6 +9,7 @@
o OpenSSL 0.9.7b: Released on April 10th, 2003
o OpenSSL 0.9.7a: Released on February 19th, 2003
o OpenSSL 0.9.7: Released on December 31st, 2002
+ o OpenSSL 0.9.6l: Released on November 4th, 2003
o OpenSSL 0.9.6k: Released on September 30th, 2003
o OpenSSL 0.9.6j: Released on April 10th, 2003
o OpenSSL 0.9.6i: Released on February 19th, 2003
diff --git a/crypto/asn1/a_bytes.c b/crypto/asn1/a_bytes.c
index 6bfa98334..6595255cf 100644
--- a/crypto/asn1/a_bytes.c
+++ b/crypto/asn1/a_bytes.c
@@ -58,36 +58,24 @@
#include <stdio.h>
#include "cryptlib.h"
-#include "asn1_mac.h"
-
-/* ASN1err(ASN1_F_D2I_ASN1_TYPE_BYTES,ASN1_R_WRONG_TYPE);
- * ASN1err(ASN1_F_ASN1_COLLATE_PRIMATIVE,ASN1_R_WRONG_TAG);
- */
+#include <openssl/asn1_mac.h>
static unsigned long tag2bit[32]={
0, 0, 0, B_ASN1_BIT_STRING, /* tags 0 - 3 */
B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN,/* tags 4- 7 */
B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags 8-11 */
-B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags 12-15 */
+B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */
0, 0, B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING,
B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING,0,
0,B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING,
B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN,
};
-#ifndef NOPROTO
-static int asn1_collate_primative(ASN1_STRING *a, ASN1_CTX *c);
-#else
-static int asn1_collate_primative();
-#endif
-
-/* type is a 'bitmap' of acceptable string types to be accepted.
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c);
+/* type is a 'bitmap' of acceptable string types.
*/
-ASN1_STRING *d2i_ASN1_type_bytes(a, pp, length, type)
-ASN1_STRING **a;
-unsigned char **pp;
-long length;
-int type;
+ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp,
+ long length, int type)
{
ASN1_STRING *ret=NULL;
unsigned char *p,*s;
@@ -123,7 +111,7 @@ int type;
if (len != 0)
{
- s=(unsigned char *)Malloc((int)len+1);
+ s=(unsigned char *)OPENSSL_malloc((int)len+1);
if (s == NULL)
{
i=ERR_R_MALLOC_FAILURE;
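Review bot: The allocation size `(int)len+1` narrows `len` to int before adding one, and nothing visible in this hunk bounds `len` first. `len` appears to be wider than int (the function later stores `(int)len`), so a value at or above INT_MAX would truncate or overflow the size while the parsed length stays large. A range check ahead of the allocation, such as `if (len < 0 || len >= INT_MAX)` taking the existing `err` path, would close this. The same cast-then-add appears in d2i_ASN1_bytes at `OPENSSL_malloc((int)len + 1)`. The body of d2i_ASN1_type_bytes starts and ends outside this hunk, so an earlier check may already exist.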
@@ -136,7 +124,7 @@ int type;
else
s=NULL;
- if (ret->data != NULL) Free((char *)ret->data);
+ if (ret->data != NULL) OPENSSL_free(ret->data);
ret->length=(int)len;
ret->data=s;
ret->type=tag;
@@ -150,11 +138,7 @@ err:
return(NULL);
}
-int i2d_ASN1_bytes(a, pp, tag, xclass)
-ASN1_STRING *a;
-unsigned char **pp;
-int tag;
-int xclass;
+int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass)
{
int ret,r,constructed;
unsigned char *p;
@@ -180,12 +164,8 @@ int xclass;
return(r);
}
-ASN1_STRING *d2i_ASN1_bytes(a, pp, length, Ptag, Pclass)
-ASN1_STRING **a;
-unsigned char **pp;
-long length;
-int Ptag;
-int Pclass;
+ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
+ int Ptag, int Pclass)
{
ASN1_STRING *ret=NULL;
unsigned char *p,*s;
@@ -221,11 +201,14 @@ int Pclass;
c.pp=pp;
c.p=p;
c.inf=inf;
- c.slen=len;
+ if (inf & 1)
+ c.slen = length - (p - *pp);
+ else
+ c.slen=len;
c.tag=Ptag;
c.xclass=Pclass;
c.max=(length == 0)?0:(p+length);
- if (!asn1_collate_primative(ret,&c))
+ if (!asn1_collate_primitive(ret,&c))
goto err;
else
{
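Review bot: `c.max` is still computed as `p+length` even though `p` has already advanced past the object header, which is why the new `c.slen = length - (p - *pp)` line subtracts that offset. As written, `c.max` points `(p - *pp)` bytes beyond the end of the caller's buffer, so any remaining consumer of `c->max` (possibly asn1_Finish, which is not shown here) would work from a bound that is too large. Consider `c.max=(length == 0)?0:(*pp+length);` so both limits describe the same region. A short comment on the `inf & 1` branch, saying that an indefinite-length encoding is limited to the bytes left in the input, would also record why the fix is there. The body of d2i_ASN1_bytes continues outside this hunk.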
@@ -238,8 +221,8 @@ int Pclass;
{
if ((ret->length < len) || (ret->data == NULL))
{
- if (ret->data != NULL) Free((char *)ret->data);
- s=(unsigned char *)Malloc((int)len);
+ if (ret->data != NULL) OPENSSL_free(ret->data);
+ s=(unsigned char *)OPENSSL_malloc((int)len + 1);
if (s == NULL)
{
i=ERR_R_MALLOC_FAILURE;
@@ -249,12 +232,13 @@ int Pclass;
else
s=ret->data;
memcpy(s,p,(int)len);
+ s[len] = '\0';
p+=len;
}
else
{
s=NULL;
- if (ret->data != NULL) Free((char *)ret->data);
+ if (ret->data != NULL) OPENSSL_free(ret->data);
}
ret->length=(int)len;
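Review bot: The added `s[len] = '\0';` can write one byte past the buffer when the existing `ret->data` is reused. The guard in the preceding hunk reallocates only when `ret->length < len`, so with `ret->length == len` the old buffer is kept, and this hunk does not show that it was allocated with a spare byte. If a caller passes an ASN1_STRING whose data holds exactly `ret->length` bytes, the terminator lands out of bounds. Changing the guard to `if ((ret->length <= len) || (ret->data == NULL))` makes the reuse path safe without relying on how the buffer was first allocated.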
@@ -273,13 +257,11 @@ err:
}
-/* We are about to parse 0..n d2i_ASN1_bytes objects, we are to collapes
- * them into the one struture that is then returned */
+/* We are about to parse 0..n d2i_ASN1_bytes objects, we are to collapse
+ * them into the one structure that is then returned */
/* There have been a few bug fixes for this function from
* Paul Keogh <paul.keogh@sse.ie>, many thanks to him */
-static int asn1_collate_primative(a,c)
-ASN1_STRING *a;
-ASN1_CTX *c;
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
{
ASN1_STRING *os=NULL;
BUF_MEM b;
@@ -300,8 +282,7 @@ ASN1_CTX *c;
{
if (c->inf & 1)
{
- c->eos=ASN1_check_infinite_end(&c->p,
- (long)(c->max-c->p));
+ c->eos=ASN1_check_infinite_end(&c->p, c->slen);
if (c->eos) break;
}
else
@@ -310,7 +291,7 @@ ASN1_CTX *c;
}
c->q=c->p;
- if (d2i_ASN1_bytes(&os,&c->p,c->max-c->p,c->tag,c->xclass)
+ if (d2i_ASN1_bytes(&os,&c->p,c->slen,c->tag,c->xclass)
== NULL)
{
c->error=ERR_R_ASN1_LIB;
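Review bot: The nested call `d2i_ASN1_bytes(&os,&c->p,c->slen,c->tag,c->xclass)` still has no explicit nesting limit. d2i_ASN1_bytes calls back into asn1_collate_primitive for constructed encodings, and after this change each level is bounded only by the remaining length, so the depth appears to grow with the size of the input. A depth counter carried in the context and checked before recursing would give a fixed ceiling regardless of input size. At minimum, a comment here such as `/* c->slen limits the nested parse to the bytes left in this object */` would document the invariant the fix relies on. The loop this call sits in starts outside the hunk.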
@@ -323,22 +304,21 @@ ASN1_CTX *c;
goto err;
}
memcpy(&(b.data[num]),os->data,os->length);
- if (!(c->inf & 1))
- c->slen-=(c->p-c->q);
+ c->slen-=(c->p-c->q);
num+=os->length;
}
if (!asn1_Finish(c)) goto err;
a->length=num;
- if (a->data != NULL) Free(a->data);
+ if (a->data != NULL) OPENSSL_free(a->data);
a->data=(unsigned char *)b.data;
if (os != NULL) ASN1_STRING_free(os);
return(1);
err:
- ASN1err(ASN1_F_ASN1_COLLATE_PRIMATIVE,c->error);
+ ASN1err(ASN1_F_ASN1_COLLATE_PRIMITIVE,c->error);
if (os != NULL) ASN1_STRING_free(os);
- if (b.data != NULL) Free(b.data);
+ if (b.data != NULL) OPENSSL_free(b.data);
return(0);
}
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index af820c6a4..e5a70060a 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,8 +25,8 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x009060c0L
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6l-dev xx XXX XXXX"
+#define OPENSSL_VERSION_NUMBER 0x009060cfL
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6l 04 Nov 2003"
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/openssl.spec b/openssl.spec
index 8c1f863fc..c93b917df 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -1,7 +1,7 @@
%define libmaj 0
%define libmin 9
%define librel 6
-%define librev k
+%define librev l
Release: 1
%define openssldir /var/ssl