diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-01-16 10:47:18 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-02-04 09:02:04 +0100 |
commit | c5ab69b16e4dbbd8eababdf8c8424a39a89eded8 (patch) | |
tree | 080d719fedcf8f1dbf0641ff65d05a97582914b3 | |
parent | 3c36781885296e96cf9feac547be663e01652013 (diff) | |
download | gnutls-c5ab69b16e4dbbd8eababdf8c8424a39a89eded8.tar.gz |
x509: use libtasn1's strict DER decoding rules in certificates and OCSP
That is, to prevent bugs due to the complexity of the BER decoder.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/x509/common.c | 4 | ||||
-rw-r--r-- | lib/x509/common.h | 11 | ||||
-rw-r--r-- | lib/x509/dn.c | 8 | ||||
-rw-r--r-- | lib/x509/extensions.c | 4 | ||||
-rw-r--r-- | lib/x509/mpi.c | 2 | ||||
-rw-r--r-- | lib/x509/ocsp.c | 10 | ||||
-rw-r--r-- | lib/x509/x509.c | 6 | ||||
-rw-r--r-- | lib/x509/x509_ext.c | 28 | ||||
-rw-r--r-- | m4/hooks.m4 | 2 |
9 files changed, 43 insertions, 32 deletions
diff --git a/lib/x509/common.c b/lib/x509/common.c index 7413aea5ee..12c1edac02 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c @@ -375,10 +375,10 @@ decode_complex_string(const struct oid_to_string *oentry, void *value, } if ((result = - asn1_der_decoding(&tmpasn, value, value_size, + _asn1_strict_der_decode(&tmpasn, value, value_size, asn1_err)) != ASN1_SUCCESS) { gnutls_assert(); - _gnutls_debug_log("asn1_der_decoding: %s\n", asn1_err); + _gnutls_debug_log("_asn1_strict_der_decode: %s\n", asn1_err); asn1_delete_structure(&tmpasn); return _gnutls_asn2err(result); } diff --git a/lib/x509/common.h b/lib/x509/common.h index 72d08c6290..ad07ee14d2 100644 --- a/lib/x509/common.h +++ b/lib/x509/common.h @@ -234,4 +234,15 @@ int x509_raw_crt_to_raw_pubkey(const gnutls_datum_t * cert, int x509_crt_to_raw_pubkey(gnutls_x509_crt_t crt, gnutls_datum_t * rpubkey); +inline static int _asn1_strict_der_decode (asn1_node * element, const void *ider, + int len, char *errorDescription) +{ +#ifdef ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME +# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER +#else +# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_STRICT_DER +#endif + return asn1_der_decoding2(element, ider, &len, _ASN1_DER_FLAGS, errorDescription); +} + #endif diff --git a/lib/x509/dn.c b/lib/x509/dn.c index 12220c1f16..cfe3864f19 100644 --- a/lib/x509/dn.c +++ b/lib/x509/dn.c @@ -787,7 +787,7 @@ int gnutls_x509_dn_import(gnutls_x509_dn_t dn, const gnutls_datum_t * data) int result; char err[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - result = asn1_der_decoding((ASN1_TYPE *) & dn, + result = _asn1_strict_der_decode((ASN1_TYPE *) & dn, data->data, data->size, err); if (result != ASN1_SUCCESS) { /* couldn't decode DER */ @@ -851,7 +851,7 @@ gnutls_x509_rdn_get(const gnutls_datum_t * idn, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + result = _asn1_strict_der_decode(&dn, idn->data, idn->size, NULL); if (result != ASN1_SUCCESS) { /* couldn't decode DER */ gnutls_assert(); @@ -905,7 +905,7 @@ gnutls_x509_rdn_get_by_oid(const gnutls_datum_t * idn, const char *oid, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + result = _asn1_strict_der_decode(&dn, idn->data, idn->size, NULL); if (result != ASN1_SUCCESS) { /* couldn't decode DER */ gnutls_assert(); @@ -959,7 +959,7 @@ gnutls_x509_rdn_get_oid(const gnutls_datum_t * idn, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + result = _asn1_strict_der_decode(&dn, idn->data, idn->size, NULL); if (result != ASN1_SUCCESS) { /* couldn't decode DER */ gnutls_assert(); diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c index 05c015e8e2..3f674d8a77 100644 --- a/lib/x509/extensions.c +++ b/lib/x509/extensions.c @@ -565,7 +565,7 @@ _gnutls_x509_crq_set_extension(gnutls_x509_crq_t crq, if (extensions_size > 0) { result = - asn1_der_decoding(&c2, extensions, extensions_size, + _asn1_strict_der_decode(&c2, extensions, extensions_size, NULL); gnutls_free(extensions); if (result != ASN1_SUCCESS) { @@ -626,7 +626,7 @@ _gnutls_x509_ext_extract_number(uint8_t * number, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + result = _asn1_strict_der_decode(&ext, extnValue, extnValueLen, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&ext); diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index 87f885fd16..1c17961cbc 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c @@ -45,7 +45,7 @@ int _gnutls_x509_read_der_int(uint8_t * der, int dersize, bigint_t * out) return _gnutls_asn2err(result); } - result = asn1_der_decoding(&spk, der, dersize, NULL); + result = _asn1_strict_der_decode(&spk, der, dersize, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c index f05e4507b2..2d2288121b 100644 --- a/lib/x509/ocsp.c +++ b/lib/x509/ocsp.c @@ -186,7 +186,7 @@ gnutls_ocsp_req_import(gnutls_ocsp_req_t req, const gnutls_datum_t * data) } if (req->init) { - /* Any earlier asn1_der_decoding will modify the ASN.1 + /* Any earlier _asn1_strict_der_decode will modify the ASN.1 structure, so we need to replace it with a fresh structure. */ asn1_delete_structure(&req->req); @@ -200,7 +200,7 @@ gnutls_ocsp_req_import(gnutls_ocsp_req_t req, const gnutls_datum_t * data) } req->init = 1; - ret = asn1_der_decoding(&req->req, data->data, data->size, NULL); + ret = _asn1_strict_der_decode(&req->req, data->data, data->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(ret); @@ -233,7 +233,7 @@ gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp, } if (resp->init != 0) { - /* Any earlier asn1_der_decoding will modify the ASN.1 + /* Any earlier _asn1_strict_der_decode will modify the ASN.1 structure, so we need to replace it with a fresh structure. */ asn1_delete_structure(&resp->resp); @@ -261,7 +261,7 @@ gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp, } resp->init = 1; - ret = asn1_der_decoding(&resp->resp, data->data, data->size, NULL); + ret = _asn1_strict_der_decode(&resp->resp, data->data, data->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(ret); @@ -294,7 +294,7 @@ gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp, } ret = - asn1_der_decoding(&resp->basicresp, resp->der.data, resp->der.size, + _asn1_strict_der_decode(&resp->basicresp, resp->der.data, resp->der.size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); diff --git a/lib/x509/x509.c b/lib/x509/x509.c index abac2a8dba..2749016bb6 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -292,7 +292,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert, } if (cert->expanded) { - /* Any earlier asn1_der_decoding will modify the ASN.1 + /* Any earlier _asn1_strict_der_decode will modify the ASN.1 structure, so we need to replace it with a fresh structure. */ result = crt_reinit(cert); @@ -305,7 +305,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert, cert->expanded = 1; result = - asn1_der_decoding(&cert->cert, cert->der.data, cert->der.size, NULL); + _asn1_strict_der_decode(&cert->cert, cert->der.data, cert->der.size, NULL); if (result != ASN1_SUCCESS) { result = _gnutls_asn2err(result); gnutls_assert(); @@ -3832,7 +3832,7 @@ gnutls_x509_crt_get_authority_info_access(gnutls_x509_crt_t crt, return _gnutls_asn2err(ret); } - ret = asn1_der_decoding(&c2, aia.data, aia.size, NULL); + ret = _asn1_strict_der_decode(&c2, aia.data, aia.size, NULL); /* asn1_print_structure (stdout, c2, "", ASN1_PRINT_ALL); */ _gnutls_free_datum(&aia); if (ret != ASN1_SUCCESS) { diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c index ed0ad1d149..e07e3c5f2d 100644 --- a/lib/x509/x509_ext.c +++ b/lib/x509/x509_ext.c @@ -236,7 +236,7 @@ int gnutls_x509_ext_import_subject_alt_names(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -382,7 +382,7 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -587,7 +587,7 @@ int gnutls_x509_ext_import_subject_key_id(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -875,7 +875,7 @@ int gnutls_x509_ext_import_authority_key_id(const gnutls_datum_t * ext, return _gnutls_asn2err(ret); } - ret = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + ret = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(ret); @@ -1075,7 +1075,7 @@ int gnutls_x509_ext_import_key_usage(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&c2); @@ -1175,7 +1175,7 @@ int gnutls_x509_ext_import_private_key_usage_period(const gnutls_datum_t * ext, goto cleanup; } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -1281,7 +1281,7 @@ int gnutls_x509_ext_import_basic_constraints(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); result = _gnutls_asn2err(result); @@ -1424,7 +1424,7 @@ int gnutls_x509_ext_import_proxy(const gnutls_datum_t * ext, int *pathlen, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); result = _gnutls_asn2err(result); @@ -1580,7 +1580,7 @@ static int decode_user_notice(const void *data, size_t size, goto cleanup; } - ret = asn1_der_decoding(&c2, data, size, NULL); + ret = _asn1_strict_der_decode(&c2, data, size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); ret = GNUTLS_E_PARSING_ERROR; @@ -1796,7 +1796,7 @@ int gnutls_x509_ext_import_policies(const gnutls_datum_t * ext, goto cleanup; } - ret = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + ret = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(ret); @@ -2296,7 +2296,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -2710,7 +2710,7 @@ int gnutls_x509_ext_import_aia(const gnutls_datum_t * ext, return _gnutls_asn2err(ret); } - ret = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + ret = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (ret != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(ret); @@ -2933,7 +2933,7 @@ int gnutls_x509_ext_import_key_purposes(const gnutls_datum_t * ext, return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, ext->data, ext->size, NULL); + result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); @@ -3069,7 +3069,7 @@ int _gnutls_x509_decode_ext(const gnutls_datum_t *der, gnutls_x509_ext_st *out) return _gnutls_asn2err(result); } - result = asn1_der_decoding(&c2, der->data, der->size, NULL); + result = _asn1_strict_der_decode(&c2, der->data, der->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); diff --git a/m4/hooks.m4 b/m4/hooks.m4 index 14dbd0dfbc..fe167af583 100644 --- a/m4/hooks.m4 +++ b/m4/hooks.m4 @@ -113,7 +113,7 @@ AC_MSG_ERROR([[ included_libtasn1=$withval, included_libtasn1=no) if test "$included_libtasn1" = "no"; then - PKG_CHECK_MODULES(LIBTASN1, [libtasn1 >= 3.9], [], [included_libtasn1=yes]) + PKG_CHECK_MODULES(LIBTASN1, [libtasn1 >= 4.0], [], [included_libtasn1=yes]) if test "$included_libtasn1" = yes; then AC_MSG_WARN([[ *** |