summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLili Quan <13132239506@163.com>2019-12-19 17:14:20 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-19 19:58:06 +0100
commit3cbeffcb7d4a70858b1c46fe955516b9eab0ef8e (patch)
treec49278bc3dc205c38ffbe09a5db856aad2eecc40
parent8d81203c987e717031a6ecfa0a25983f4471d3fc (diff)
downloadgnutls-3cbeffcb7d4a70858b1c46fe955516b9eab0ef8e.tar.gz
Introduced check to reject certificates with non-digits in time field
According to RFC5280 we should reject such certificates. Resolves: #870 Signed-off-by: Lili Quan <13132239506@163.com>
Diffstat
-rw-r--r--NEWS2
-rw-r--r--lib/x509/time.c24
-rw-r--r--tests/cert-tests/Makefile.am5
-rwxr-xr-xtests/cert-tests/cert-non-digits-time47
-rw-r--r--tests/cert-tests/data/cert-with-non-digits-time-ca.pem70
-rw-r--r--tests/cert-tests/data/cert-with-non-digits-time.pem38
6 files changed, 177 insertions, 9 deletions
diff --git a/NEWS b/NEWS
index 05833c83ef..cf9deaadbb 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ See the end for copying conditions.
** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
with gnutls_ocsp_req_t but const.
+** libgnutls: Reject certificates with invalid characters in Time fields (#870).
+
** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
draft-smyshlyaev-tls12-gost-suites-06).
By default this ciphersuite is disabled. One has to add following items to priority strings:
diff --git a/lib/x509/time.c b/lib/x509/time.c
index daaac7687b..2843d32345 100644
--- a/lib/x509/time.c
+++ b/lib/x509/time.c
@@ -33,10 +33,11 @@
#include "x509_int.h"
#include "extras/hex.h"
#include <common.h>
+#include <c-ctype.h>
time_t _gnutls_utcTime2gtime(const char *ttime);
-/* TIME functions
+/* TIME functions
* Conversions between generalized or UTC time to time_t
*
*/
@@ -58,7 +59,7 @@ typedef struct fake_tm {
* who placed it under public domain:
*/
-/* The number of days in each month.
+/* The number of days in each month.
*/
static const int MONTHDAYS[] = {
31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
@@ -82,7 +83,7 @@ static time_t mktime_utc(const struct fake_tm *tm)
/* We do allow some ill-formed dates, but we don't do anything special
* with them and our callers really shouldn't pass them to us. Do
* explicitly disallow the ones that would cause invalid array accesses
- * or other algorithm problems.
+ * or other algorithm problems.
*/
if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970)
return (time_t) - 1;
@@ -91,7 +92,7 @@ static time_t mktime_utc(const struct fake_tm *tm)
if (tm->tm_sec > 60 || tm->tm_min > 59 || tm->tm_mday > 31 || tm->tm_mday < 1 || tm->tm_hour > 23)
return (time_t) - 1;
-/* Convert to a time_t.
+/* Convert to a time_t.
*/
for (i = 1970; i < tm->tm_year; i++)
result += 365 + ISLEAP(i);
@@ -176,13 +177,21 @@ static time_t time2gtime(const char *ttime, int year)
time_t _gnutls_utcTime2gtime(const char *ttime)
{
char xx[3];
- int year;
+ int year, i;
+ int len = strlen(ttime);
- if (strlen(ttime) < 10) {
+ if (len < 10) {
gnutls_assert();
return (time_t) - 1;
}
+ /* Make sure everything else is digits. */
+ for (i = 0; i < len - 1; i++) {
+ if (c_isdigit(ttime[i]))
+ continue;
+ return gnutls_assert_val((time_t)-1);
+ }
xx[2] = 0;
+
/* get the year
*/
memcpy(xx, ttime, 2); /* year */
@@ -265,6 +274,7 @@ gtime_to_suitable_time(time_t gtime, char *str_time, size_t str_time_size, unsig
*tag = ASN1_TAG_UTCTime;
ret = strftime(str_time, str_time_size, "%y%m%d%H%M%SZ", &_tm);
}
+
if (!ret) {
gnutls_assert();
return GNUTLS_E_SHORT_MEMORY_BUFFER;
@@ -278,7 +288,7 @@ gtime_to_generalTime(time_t gtime, char *str_time, size_t str_time_size)
{
size_t ret;
struct tm _tm;
-
+
if (gtime == (time_t)-1
#if SIZEOF_LONG == 8
|| gtime >= 253402210800
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 5a22e4534e..e0b4b68201 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -97,7 +97,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/rfc4134-ca-rsa.pem data/rfc4134-4.5.p7b \
data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 \
data/key-gost12-256.p8 data/key-gost12-256-2.p8 data/key-gost12-256-2-enc.p8 \
- data/key-gost12-512.p8 data/grfc.crt data/gost-cert-ca.pem data/gost-cert-new.pem
+ data/key-gost12-512.p8 data/grfc.crt data/gost-cert-ca.pem data/gost-cert-new.pem \
+ data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem
dist_check_SCRIPTS = pathlen aki invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
@@ -107,7 +108,7 @@ dist_check_SCRIPTS = pathlen aki invalid-sig email \
pkcs12 certtool-crl-decoding pkcs12-encode pkcs12-corner-cases inhibit-anypolicy \
smime cert-time alt-chain pkcs7-list-sign pkcs7-eddsa certtool-ecdsa \
key-id pkcs8 pkcs8-decode ecdsa illegal-rsa pkcs8-invalid key-invalid \
- pkcs8-eddsa certtool-subca
+ pkcs8-eddsa certtool-subca cert-non-digits-time
dist_check_SCRIPTS += key-id ecdsa pkcs8-invalid key-invalid pkcs8-decode pkcs8 pkcs8-eddsa \
certtool-utf8 crq
diff --git a/tests/cert-tests/cert-non-digits-time b/tests/cert-tests/cert-non-digits-time
new file mode 100755
index 0000000000..28880b87ac
--- /dev/null
+++ b/tests/cert-tests/cert-non-digits-time
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+check_for_datefudge
+
+# Check whether certificates with non-digits time fields are accepted
+datefudge -s "2019-12-19" \
+${VALGRIND}"${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-with-non-digits-time-ca.pem" --infile "${srcdir}/data/cert-with-non-digits-time.pem"
+rc=$?
+
+if test "${rc}" = "0";then
+ echo "certificate whose notbefore field is a non-digits was accepted"
+ exit 1
+fi
+
+exit 0
diff --git a/tests/cert-tests/data/cert-with-non-digits-time-ca.pem b/tests/cert-tests/data/cert-with-non-digits-time-ca.pem
new file mode 100644
index 0000000000..722a0b68f5
--- /dev/null
+++ b/tests/cert-tests/data/cert-with-non-digits-time-ca.pem
@@ -0,0 +1,70 @@
+-----BEGIN CERTIFICATE-----
+MIIGCDCCA/CgAwIBAgIQY8Mi35RmHbQSpWR8XD7V+zANBgkqhkiG9w0BAQsFADBt
+MQswCQYDVQQGEwJDTjEMMAoGA1UECAwDVEo1MQwwCgYDVQQKDANUSlUxFDASBgNV
+BAsMC2JlaXlhbmd5dWFuMQswCQYDVQQDDAJDUzEfMB0GCSqGSIb3DQEJARYQbGpm
+cG93ZXJAMTYzLmNvbTAgFw0wMDAxMDEwMTAwMDFaGA82NTY2MDMyMzEyMTIzM1ow
+ajELMAkGA1UEBhMCQ04xDDAKBgNVBAgMA1RKNTEMMAoGA1UECgwDVEpVMRQwEgYD
+VQQLDAtiZWl5YW5neXVhbjENMAsGA1UEAwwEYjMyNjEaMBgGCSqGSIb3DQEJARYL
+bGkxQDE2My5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDUWAVE
+VHGqn3tPc+kJTGwXpsiD+pwu287ibcwa7nlcQ8KyrwbS/7dnhK3Mpz3jjkbk9Zqw
+Ju8R5ku9hEsSX3ZW7KQYj+jqVWVnLNlp5j0a1G2fdB7vn0ORtj9GgFAbKn37cXqo
+6G2EyQ0NXhpOiwUtQXSnhbMUUJal2jMSaSGSKyyex9lDrZfSzQ164VIvMKz49kPB
+Z6EupA0E6QkwZ1a8wGthdhQ3tJrHt0jcmBVpJ5mo9zlvX7ErsK4prXgJvBQR/IRc
+YhqYHxsKLq/mgjezNqy/WoPN313HxDG8YETy8m9BKWI5OLBHIr0kahmBFumttlGa
+a4rW+w2NZz8jtrnkM8sFSEoegO7xA8JZdO6O3mSedWOiA2zEuT8hQqkSYDSdZxOd
+J1u/mdyumLErXquenaMTAHb0lviNc7llZqDKMJ8yfROZwv9PDCs3OBGOttr3MMRT
+JHN5f4ZStqx6unV90Rx8QIh8wstG3c/QrJ4lBS+c72A6bMmxLpiTg1+CjG9ntgvC
+mspMbVlu710Y7JHcAuq9RSnR0Nv31AGjOZEpKAGpUfzoVf47GYV38VpLskgy0tiA
+Tesse5g8rUE9ozwgj6B34qfNdPxCmv6UkLYxU/CLpw2cRKT8hShAO8zDfgmU9262
+ctTdrVU3PsSwMs7F8SlG/9kWq6HgqaBPadCsRwIDAQABo4GkMIGhMB0GA1UdDgQW
+BBSSPopRSpZMfPAxCvUPCu4TZmh38DAfBgNVHSMEGDAWgBRyFaB24RFh9c9zf0+D
+YA01twtiWjASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjA7BgNV
+HREENDAyggdhYmMuY29tggkqLmFiYy5jb22CB3h5ei5jb22CDXd3dy5iYWlkdS5j
+b22HBH8AAAEwDQYJKoZIhvcNAQELBQADggIBAJwtzZT7z1eImP8a7GTnfbPYu8k4
+kdbGnWSyrEr8x6UjZQLCa1DXdxKkms84yCW1QM5vdKody/Sz1lvETPeTgpXRLlcO
+i/75L+Knz1asfz3D+SO/YCSc/VF27GnkKyjFlt7LUmHuFUQoprpCi12wJ0IJP5D6
+AQarnWuS2AA4op0exLrK1+BonYyqH//QDt5jhUJFEKQVgckHOtVOklHmazplr8bu
+JzHz0+C7mDtZbLXoBSgZIFaVCSk4uxsf98QWOxKQURUv8gAhHLOo/QlkyqiiFCaN
+1Se0Zp16pegTxs0qS8qY1pLgw4AO56ifG+LcOmYminbAZtApmiOvtxf8JAw5Twc8
+6gLRlq2cv/bY55hZde4uvUzC/Te/zENu9rlv7qQqQ9jS5tiWZjZVqhEt275KymBT
+4855pB+8oGb5Xznl6/AzmxUbOmRX1q5bbv+11ZscRtUp3XD3gA5Y5UYBF5UVICcb
+zTVUNDgaUjyuXIiF/ZFtbcxX57PfIqKHP3A2XseUhpN3qFSWb29BsTAa7E59s8pL
+0m/aftSXF1g/8q0IsHFuZRv4l+eyYWJhwtQTY9TTHnjYJbljcwGtVjYuAfMB+eec
+beH0LdKLVbOKlMPySiqy18cKDkwQ1wTPqoZnz5/mKRr5Hpt/RKSe997NjIeuJZl0
+W0ebRMo2T0FNhUhm
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGCDCCA/CgAwIBAgIQY8Mi35RmHbQSpWR8XD7V+jANBgkqhkiG9w0BAQsFADBt
+MQswCQYDVQQGEwJDTjEMMAoGA1UECAwDVEo1MQwwCgYDVQQKDANUSlUxFDASBgNV
+BAsMC2JlaXlhbmd5dWFuMQswCQYDVQQDDAJDUzEfMB0GCSqGSIb3DQEJARYQbGpm
+cG93ZXJAMTYzLmNvbTAgFw0wMDAxMDEwMTAwMDBaGA85OTk5MTIyMzExMjMzNFow
+bTELMAkGA1UEBhMCQ04xDDAKBgNVBAgMA1RKNTEMMAoGA1UECgwDVEpVMRQwEgYD
+VQQLDAtiZWl5YW5neXVhbjELMAkGA1UEAwwCQ1MxHzAdBgkqhkiG9w0BCQEWEGxq
+ZnBvd2VyQDE2My5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC+
+WcvCnpCA78zG1ZkRhiIPjPEmFx3PHaX5f+KYod68qvCqsRGsB4n7rQS2ljFUZ7MY
+4GNWtiMZANdWMuOrnkT0sNmtQ1aXWh+6lMUKLr/690SkKMbKU1y6OTfGBntau6em
+1djv9Q8fYmapdne3tr5UNTJBvqc5qivWiF98XUQdp8qGKLYfF0NOxkreD6u4Pddo
+/6PR5pn+nbgCHkDFmVGL+0DtZzC+K/NQbKpmP4/Zpolf1C5wPpxWPpjDl/yRSctC
+qX1G0WGyB8/w/IR94Gx3rDmA/NkZMP+4tXBFVSoz0XJpdNqCtwxCkl6NqLpMN0gp
+XrU78ToNnTiUW4zoyIfKBSlXRkPd4srgB8gTO3cHqJkSmzt/gFMnbBP1gNV10R0P
+KzbNuV/uIHx5wGYJIW8w9fL8hKrCYcO5Yfq3VDGy9Lr3/5QFYI36oPLIw0cZS/i+
+NyPLYT1TN/o6E8dtnsz1AY+VQyriW44CB6J3tlfrGLigfP81rsaQpcGd+W+0ntyc
+cWpzRKwwut3I9CJSGjRuwHfz0n6Fk+Hoj+i+Qv6h/y7+KwqjDMMHIrbieBhUwQbm
+Hlyj25IwyvYc6OOBymAyy8pUByAC7QWw4KxogDol6165iAubaupDxkDQXKr/IMmj
+pCcTBDmVwhStVBDCD6Lo4HhxDE5a6IA4DSxdWIV2iQIDAQABo4GhMIGeMB0GA1Ud
+DgQWBBRyFaB24RFh9c9zf0+DYA01twtiWjAfBgNVHSMEGDAWgBRyFaB24RFh9c9z
+f0+DYA01twtiWjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjA7BgNV
+HREENDAyggdhYmMuY29tggkqLmFiYy5jb22CB3h5ei5jb22CDXd3dy5iYWlkdS5j
+b22HBH8AAAEwDQYJKoZIhvcNAQELBQADggIBAFYRDs+WyMwr8rPCkzFHnMK0ePfD
+cWc1O1L02foAePXEicrqQwv7JnsikBsx28E0T+mjqFU+7IIq7K+T0ndlEfax96Gi
+j3H8zfwAG10JBFMjsFtdo8Hq6Q4CeMu1D83NPhQacZ1lOdCp/ZUdRvlcveeBx5VX
+hFel6erfsR+6GX6I0b2Z9qIBKwmpxLcsPkY60RuazvkSf7xAd4eNJ18vzdo55J1c
+x6mJK+c5J63a/IW6rjEd2v6URwwlbOyuRSurXoETMxYwuxs7pBnxA3MRU/OWIaCy
+fAO+2ao4qn4WNo4oGo1BJBaX+mQJa+NwCw2F+sRqGZ+3ooSq2bjjXrLxiytr4b+o
+fUBiCzhZLOGaRubJXlWp39dgLf6mo3ajjYPhTUtlqv0ZfX97C7xEXitNY3Dy9aqe
+NnQn2+u2dkzEMTc+zW5i+xkByRhoSXY5AhYDdyd0Qtuk1T8sRs38TJmavr6/H6hv
+6FGrmgqFypmsVy1LdRAn80yVBce1t3eWcgVnTND+wSS8mEj9rHS4th4sZbwwpVWJ
+Z0cJSFnqSLMh7ZrDyzcKFUhgdU7GxuaACxIbBt3f5pCp1QDKffb3kVG333l/OLqN
+2qYOTP6iFf3JpKttNvaSA9Q+GNk4t/8ozZW6lfyz+uDfmQecEgAv/u1s1brMgQo7
+TQ/vJrJvgyxVSgOH
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/cert-with-non-digits-time.pem b/tests/cert-tests/data/cert-with-non-digits-time.pem
new file mode 100644
index 0000000000..9927695c7c
--- /dev/null
+++ b/tests/cert-tests/data/cert-with-non-digits-time.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIFQDCCAyigAwIBAgIRAPABuQ6DmexEq0k9QQaewMUwDQYJKoZIhvcNAQELBQAw
+ajELMAkGA1UEBhMCQ04xDDAKBgNVBAgMA1RKNTEMMAoGA1UECgwDVEpVMRQwEgYD
+VQQLDAtiZWl5YW5neXVhbjENMAsGA1UEAwwEYjMyNjEaMBgGCSqGSIb3DQEJARYL
+bGkxQDE2My5jb20wHhcNICMwMTAxMDEwSTAwWhcNMzUxMjIzMTEyMzM0WjB7MQsw
+CQYDVQQGEwJDTjEMMAoGA1UECAwDVEo1MQswCQYDVQQHDAJUSjEMMAoGA1UECgwD
+VEpVMRQwEgYDVQQLDAtiZWl5YW5neXVhbjEMMAoGA1UEAwwDTExRMR8wHQYJKoZI
+hvcNAQkBFhBsamZwb3dlckAxNjMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEArXvIlHbQRwFvnLFz2dsnbPBgE8WIDRpIIpRTWJL+pdi/duUcE5Xn
+VRNA0lnlYBOl8igItyFudUC4o45xa0Q9Htd8hisbdaHpRpdTRUUpljH9rOOWOyY0
+aqRJ0RrU2ayhJslTH9OBBg1ZaatMYxI2u8Bz1MJrtsCUcvymScT59QAYI17ZAzI5
+ouqUsn3F5BgiU53kdm4ubfKts2su/sUvM9BN03+/p2o/50FanBVrRMHAUs2p65FM
+yFtNwqT77ZpO9BZdEOV3KSRJRLbZbELoanMQ0txztznWI6PULTenf8eR24dQscqX
+N38Qk+SGwp/lu/6qLN916oY2WFTRGrnCcwIDAQABo4HPMIHMMAkGA1UdEwQCMAAw
+HQYDVR0OBBYEFI0Gz1ruYze8+EmA4MZ06BPU0AsiMB8GA1UdIwQYMBaAFJI+ilFK
+lkx88DEK9Q8K7hNmaHfwMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwQwKAYDVR0RBCEwH4IFYS5jb22CCCouYWMuY29tggZ4ei5j
+b22HBH8AAAEwGAYDVR0SBBEwD4INYWJjZXd3cnd0LmNvbTAMBgNVHSQEBTADgAED
+MA0GCSqGSIb3DQEBCwUAA4ICAQBvx+Z8r/YjdhvkV5XbnRan25H7afvfg3aFHDGW
+q2WxNEKynxvdM9TEQtbQXJrWRj9sXXRohaYxObuAic+gYdTOrsYtk48gENG6GH4s
+fxdX92XeWm2wUr0KXKOu+Mvtj/egk0bEMQloZe/tkjeOLAGzrJetXyGtxgIA+/XI
+E/AyyNULHYFATZWx/XD0Q1s/VOZttPn6FG4qi5UogM/XqqCQbZ8C/DSj9RltQi02
+IGmr+CCS4Y9ACHq3HT9YfSFMPV+7OwC/fegLadsd2Bk6TwAi+WNs/48M/LATAsnH
+MxFV61T/qHuabPNfmlirpe/ooMWEIAoKKvxght4CztYRK5QZA01BBgqePur4wqAw
+JeAp0M+bFWEDvt6xRiijmb261WRTM2C5mqnlQFJSdZ6h9MzerBph4Zvl3USXzEMb
+hXPSeIIA7TwEWeH3whqP6w6NnmcS94jCgXnmvv9uInSc/CAKz5h2HElLQroP1Mmh
++KnKOAiSQrr0vyuGjZyxebu7E5RWWS//G2FJrG+2WyOAq0rml8HcjWtZu0I54xYq
+rk0SKXpUBAvLbXky9rmAM5MinasHDBnUe7zTjlNuathI+5SPJ83PK/d+0HF6zzud
+nvjqR+fWa4N/3jZ0DRquE1gEUWkK7jLegPalIZiLW064nfi6j2q6HP8eiyHarnA0
+Mnwt2Q==
+-----END CERTIFICATE-----
+23sYiex6zj9qXDX7tsiuPs3HIxTXw
+dBVaJ01yeo+BlyX4SaxmBRIvtothzDDdXmQ/9MfS8qW85vQV9AcgGRb8fqxIHhwb
+FgzeYzpehR0pEAss2XZK9Q3hPLKwX8sewiDy+0tLyYayYtOqeSutaNbSMp17zZZu
+x/GScbHUTGEw76nmElECOVw5VQAGpbQSsns0MRp3gtr6XZKA2LUv7eiolwV4i0e5
+zBfb+mUzVBZMVzGJhXyBExl8rx46EkjmfIoblvoipIm0hAN82HE4D6VDb1v695kC
+WR7seI3gUBku6KornLFW4sIwNznvlmbOl3cRtOU=
+-----END CERTIFICATE-----
View Lorry Controller Status