From 3cbeffcb7d4a70858b1c46fe955516b9eab0ef8e Mon Sep 17 00:00:00 2001 From: Lili Quan <13132239506@163.com> Date: Thu, 19 Dec 2019 17:14:20 +0100 Subject: Introduced check to reject certificates with non-digits in time field According to RFC5280 we should reject such certificates. Resolves: #870 Signed-off-by: Lili Quan <13132239506@163.com> --- NEWS | 2 + lib/x509/time.c | 24 +++++--- tests/cert-tests/Makefile.am | 5 +- tests/cert-tests/cert-non-digits-time | 47 +++++++++++++++ .../data/cert-with-non-digits-time-ca.pem | 70 ++++++++++++++++++++++ .../cert-tests/data/cert-with-non-digits-time.pem | 38 ++++++++++++ 6 files changed, 177 insertions(+), 9 deletions(-) create mode 100755 tests/cert-tests/cert-non-digits-time create mode 100644 tests/cert-tests/data/cert-with-non-digits-time-ca.pem create mode 100644 tests/cert-tests/data/cert-with-non-digits-time.pem diff --git a/NEWS b/NEWS index 05833c83ef..cf9deaadbb 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,8 @@ See the end for copying conditions. ** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible with gnutls_ocsp_req_t but const. +** libgnutls: Reject certificates with invalid characters in Time fields (#870). + ** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by draft-smyshlyaev-tls12-gost-suites-06). By default this ciphersuite is disabled. One has to add following items to priority strings: diff --git a/lib/x509/time.c b/lib/x509/time.c index daaac7687b..2843d32345 100644 --- a/lib/x509/time.c +++ b/lib/x509/time.c @@ -33,10 +33,11 @@ #include "x509_int.h" #include "extras/hex.h" #include +#include time_t _gnutls_utcTime2gtime(const char *ttime); -/* TIME functions +/* TIME functions * Conversions between generalized or UTC time to time_t * */ 
@@ -58,7 +59,7 @@ typedef struct fake_tm { * who placed it under public domain: */ -/* The number of days in each month. +/* The number of days in each month. */ static const int MONTHDAYS[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 @@ -82,7 +83,7 @@ static time_t mktime_utc(const struct fake_tm *tm) /* We do allow some ill-formed dates, but we don't do anything special * with them and our callers really shouldn't pass them to us. Do * explicitly disallow the ones that would cause invalid array accesses - * or other algorithm problems. + * or other algorithm problems. */ if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970) return (time_t) - 1; @@ -91,7 +92,7 @@ static time_t mktime_utc(const struct fake_tm *tm) if (tm->tm_sec > 60 || tm->tm_min > 59 || tm->tm_mday > 31 || tm->tm_mday < 1 || tm->tm_hour > 23) return (time_t) - 1; -/* Convert to a time_t. +/* Convert to a time_t. */ for (i = 1970; i < tm->tm_year; i++) result += 365 + ISLEAP(i); @@ -176,13 +177,21 @@ static time_t time2gtime(const char *ttime, int year) time_t _gnutls_utcTime2gtime(const char *ttime) { char xx[3]; - int year; + int year, i; + int len = strlen(ttime); - if (strlen(ttime) < 10) { + if (len < 10) { gnutls_assert(); return (time_t) - 1; } + /* Make sure everything else is digits. */ + for (i = 0; i < len - 1; i++) { + if (c_isdigit(ttime[i])) + continue; + return gnutls_assert_val((time_t)-1); + } xx[2] = 0; + /* get the year */ memcpy(xx, ttime, 2); /* year */ @@ -265,6 +274,7 @@ gtime_to_suitable_time(time_t gtime, char *str_time, size_t str_time_size, unsig *tag = ASN1_TAG_UTCTime; ret = strftime(str_time, str_time_size, "%y%m%d%H%M%SZ", &_tm); } + if (!ret) { gnutls_assert(); return GNUTLS_E_SHORT_MEMORY_BUFFER; @@ -278,7 +288,7 @@ gtime_to_generalTime(time_t gtime, char *str_time, size_t str_time_size) { size_t ret; struct tm _tm; - + if (gtime == (time_t)-1 #if SIZEOF_LONG == 8 || gtime >= 253402210800 
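Review bot: The digit loop added to `_gnutls_utcTime2gtime` deliberately stops at `len - 1`, but nothing in the hunk checks that the exempted last byte is the `Z` RFC 5280 §4.1.2.5.1 requires (UTCTime MUST be `YYMMDDHHMMSSZ`), so a value such as `191219171420!` or one that simply ends in a digit still passes this guard, and the 10- or 12-byte forms without seconds that the retained `len < 10` check tolerates remain accepted. Adding `if (ttime[len - 1] != 'Z') return gnutls_assert_val((time_t)-1);` before the loop closes that gap; if the shorter forms are intentionally still accepted, keep `len < 10` but require the terminator regardless. The `continue` / `return` pair in the loop reads more directly as `if (!c_isdigit(ttime[i])) return gnutls_assert_val((time_t)-1);`, and `len` should be `size_t` rather than narrowing the `strlen()` result to `int`. The GeneralizedTime path is not part of this hunk; if `_gnutls_generalTime2gtime` does not receive the same check, non-digit bytes in a GeneralizedTime field are presumably still accepted. The body of `_gnutls_utcTime2gtime` continues past the end of the hunk.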
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 5a22e4534e..e0b4b68201 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -97,7 +97,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/rfc4134-ca-rsa.pem data/rfc4134-4.5.p7b \ data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 \ data/key-gost12-256.p8 data/key-gost12-256-2.p8 data/key-gost12-256-2-enc.p8 \ - data/key-gost12-512.p8 data/grfc.crt data/gost-cert-ca.pem data/gost-cert-new.pem + data/key-gost12-512.p8 data/grfc.crt data/gost-cert-ca.pem data/gost-cert-new.pem \ + data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ @@ -107,7 +108,7 @@ dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs12 certtool-crl-decoding pkcs12-encode pkcs12-corner-cases inhibit-anypolicy \ smime cert-time alt-chain pkcs7-list-sign pkcs7-eddsa certtool-ecdsa \ key-id pkcs8 pkcs8-decode ecdsa illegal-rsa pkcs8-invalid key-invalid \ - pkcs8-eddsa certtool-subca + pkcs8-eddsa certtool-subca cert-non-digits-time dist_check_SCRIPTS += key-id ecdsa pkcs8-invalid key-invalid pkcs8-decode pkcs8 pkcs8-eddsa \ certtool-utf8 crq diff --git a/tests/cert-tests/cert-non-digits-time b/tests/cert-tests/cert-non-digits-time new file mode 100755 index 0000000000..28880b87ac --- /dev/null +++ b/tests/cert-tests/cert-non-digits-time 
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+check_for_datefudge
+
+# Check whether certificates with non-digits time fields are accepted
+datefudge -s "2019-12-19" \
+${VALGRIND}"${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-with-non-digits-time-ca.pem" --infile "${srcdir}/data/cert-with-non-digits-time.pem"
+rc=$?
+
+if test "${rc}" = "0";then
+ echo "certificate whose notbefore field is a non-digits was accepted"
+ exit 1
+fi
+
+exit 0
diff --git a/tests/cert-tests/data/cert-with-non-digits-time-ca.pem b/tests/cert-tests/data/cert-with-non-digits-time-ca.pem
new file mode 100644
index 0000000000..722a0b68f5
--- /dev/null
+++ b/tests/cert-tests/data/cert-with-non-digits-time-ca.pem
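Review bot: `${VALGRIND}"${CERTTOOL}"` on the `datefudge` line has no separator, so whenever `VALGRIND` is set the unquoted expansion's last word is glued to the tool path (`... --mode=execute valgrind../../src/certtool`), the exec fails, and because the script only tests `rc != 0` that failure is counted as the certificate having been rejected; it should read `${VALGRIND} "${CERTTOOL}" --verify ...`. The same weakness covers every other failure mode: `set -e` is commented out and `check_for_datefudge` is called without anything visible sourcing a file that defines it, so a missing helper or a missing `datefudge` binary also yields a non-zero status and a vacuous pass. Capturing certtool's output and matching the expected verification error, rather than accepting any non-zero `rc`, would make the test actually depend on the new check. `DIFF` is assigned but never used, and the copyright header says 2017 for a file added in December 2019.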
@@ -0,0 +1,70 @@ +-----BEGIN CERTIFICATE----- +MIIGCDCCA/CgAwIBAgIQY8Mi35RmHbQSpWR8XD7V+zANBgkqhkiG9w0BAQsFADBt +MQswCQYDVQQGEwJDTjEMMAoGA1UECAwDVEo1MQwwCgYDVQQKDANUSlUxFDASBgNV +BAsMC2JlaXlhbmd5dWFuMQswCQYDVQQDDAJDUzEfMB0GCSqGSIb3DQEJARYQbGpm +cG93ZXJAMTYzLmNvbTAgFw0wMDAxMDEwMTAwMDFaGA82NTY2MDMyMzEyMTIzM1ow +ajELMAkGA1UEBhMCQ04xDDAKBgNVBAgMA1RKNTEMMAoGA1UECgwDVEpVMRQwEgYD +VQQLDAtiZWl5YW5neXVhbjENMAsGA1UEAwwEYjMyNjEaMBgGCSqGSIb3DQEJARYL +bGkxQDE2My5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDUWAVE +VHGqn3tPc+kJTGwXpsiD+pwu287ibcwa7nlcQ8KyrwbS/7dnhK3Mpz3jjkbk9Zqw +Ju8R5ku9hEsSX3ZW7KQYj+jqVWVnLNlp5j0a1G2fdB7vn0ORtj9GgFAbKn37cXqo +6G2EyQ0NXhpOiwUtQXSnhbMUUJal2jMSaSGSKyyex9lDrZfSzQ164VIvMKz49kPB +Z6EupA0E6QkwZ1a8wGthdhQ3tJrHt0jcmBVpJ5mo9zlvX7ErsK4prXgJvBQR/IRc +YhqYHxsKLq/mgjezNqy/WoPN313HxDG8YETy8m9BKWI5OLBHIr0kahmBFumttlGa +a4rW+w2NZz8jtrnkM8sFSEoegO7xA8JZdO6O3mSedWOiA2zEuT8hQqkSYDSdZxOd +J1u/mdyumLErXquenaMTAHb0lviNc7llZqDKMJ8yfROZwv9PDCs3OBGOttr3MMRT +JHN5f4ZStqx6unV90Rx8QIh8wstG3c/QrJ4lBS+c72A6bMmxLpiTg1+CjG9ntgvC +mspMbVlu710Y7JHcAuq9RSnR0Nv31AGjOZEpKAGpUfzoVf47GYV38VpLskgy0tiA +Tesse5g8rUE9ozwgj6B34qfNdPxCmv6UkLYxU/CLpw2cRKT8hShAO8zDfgmU9262 +ctTdrVU3PsSwMs7F8SlG/9kWq6HgqaBPadCsRwIDAQABo4GkMIGhMB0GA1UdDgQW +BBSSPopRSpZMfPAxCvUPCu4TZmh38DAfBgNVHSMEGDAWgBRyFaB24RFh9c9zf0+D +YA01twtiWjASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjA7BgNV +HREENDAyggdhYmMuY29tggkqLmFiYy5jb22CB3h5ei5jb22CDXd3dy5iYWlkdS5j +b22HBH8AAAEwDQYJKoZIhvcNAQELBQADggIBAJwtzZT7z1eImP8a7GTnfbPYu8k4 +kdbGnWSyrEr8x6UjZQLCa1DXdxKkms84yCW1QM5vdKody/Sz1lvETPeTgpXRLlcO +i/75L+Knz1asfz3D+SO/YCSc/VF27GnkKyjFlt7LUmHuFUQoprpCi12wJ0IJP5D6 +AQarnWuS2AA4op0exLrK1+BonYyqH//QDt5jhUJFEKQVgckHOtVOklHmazplr8bu +JzHz0+C7mDtZbLXoBSgZIFaVCSk4uxsf98QWOxKQURUv8gAhHLOo/QlkyqiiFCaN +1Se0Zp16pegTxs0qS8qY1pLgw4AO56ifG+LcOmYminbAZtApmiOvtxf8JAw5Twc8 +6gLRlq2cv/bY55hZde4uvUzC/Te/zENu9rlv7qQqQ9jS5tiWZjZVqhEt275KymBT +4855pB+8oGb5Xznl6/AzmxUbOmRX1q5bbv+11ZscRtUp3XD3gA5Y5UYBF5UVICcb 
+zTVUNDgaUjyuXIiF/ZFtbcxX57PfIqKHP3A2XseUhpN3qFSWb29BsTAa7E59s8pL +0m/aftSXF1g/8q0IsHFuZRv4l+eyYWJhwtQTY9TTHnjYJbljcwGtVjYuAfMB+eec +beH0LdKLVbOKlMPySiqy18cKDkwQ1wTPqoZnz5/mKRr5Hpt/RKSe997NjIeuJZl0 +W0ebRMo2T0FNhUhm +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGCDCCA/CgAwIBAgIQY8Mi35RmHbQSpWR8XD7V+jANBgkqhkiG9w0BAQsFADBt +MQswCQYDVQQGEwJDTjEMMAoGA1UECAwDVEo1MQwwCgYDVQQKDANUSlUxFDASBgNV +BAsMC2JlaXlhbmd5dWFuMQswCQYDVQQDDAJDUzEfMB0GCSqGSIb3DQEJARYQbGpm +cG93ZXJAMTYzLmNvbTAgFw0wMDAxMDEwMTAwMDBaGA85OTk5MTIyMzExMjMzNFow +bTELMAkGA1UEBhMCQ04xDDAKBgNVBAgMA1RKNTEMMAoGA1UECgwDVEpVMRQwEgYD +VQQLDAtiZWl5YW5neXVhbjELMAkGA1UEAwwCQ1MxHzAdBgkqhkiG9w0BCQEWEGxq +ZnBvd2VyQDE2My5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC+ +WcvCnpCA78zG1ZkRhiIPjPEmFx3PHaX5f+KYod68qvCqsRGsB4n7rQS2ljFUZ7MY +4GNWtiMZANdWMuOrnkT0sNmtQ1aXWh+6lMUKLr/690SkKMbKU1y6OTfGBntau6em +1djv9Q8fYmapdne3tr5UNTJBvqc5qivWiF98XUQdp8qGKLYfF0NOxkreD6u4Pddo +/6PR5pn+nbgCHkDFmVGL+0DtZzC+K/NQbKpmP4/Zpolf1C5wPpxWPpjDl/yRSctC +qX1G0WGyB8/w/IR94Gx3rDmA/NkZMP+4tXBFVSoz0XJpdNqCtwxCkl6NqLpMN0gp +XrU78ToNnTiUW4zoyIfKBSlXRkPd4srgB8gTO3cHqJkSmzt/gFMnbBP1gNV10R0P +KzbNuV/uIHx5wGYJIW8w9fL8hKrCYcO5Yfq3VDGy9Lr3/5QFYI36oPLIw0cZS/i+ +NyPLYT1TN/o6E8dtnsz1AY+VQyriW44CB6J3tlfrGLigfP81rsaQpcGd+W+0ntyc +cWpzRKwwut3I9CJSGjRuwHfz0n6Fk+Hoj+i+Qv6h/y7+KwqjDMMHIrbieBhUwQbm +Hlyj25IwyvYc6OOBymAyy8pUByAC7QWw4KxogDol6165iAubaupDxkDQXKr/IMmj +pCcTBDmVwhStVBDCD6Lo4HhxDE5a6IA4DSxdWIV2iQIDAQABo4GhMIGeMB0GA1Ud +DgQWBBRyFaB24RFh9c9zf0+DYA01twtiWjAfBgNVHSMEGDAWgBRyFaB24RFh9c9z +f0+DYA01twtiWjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjA7BgNV +HREENDAyggdhYmMuY29tggkqLmFiYy5jb22CB3h5ei5jb22CDXd3dy5iYWlkdS5j +b22HBH8AAAEwDQYJKoZIhvcNAQELBQADggIBAFYRDs+WyMwr8rPCkzFHnMK0ePfD +cWc1O1L02foAePXEicrqQwv7JnsikBsx28E0T+mjqFU+7IIq7K+T0ndlEfax96Gi +j3H8zfwAG10JBFMjsFtdo8Hq6Q4CeMu1D83NPhQacZ1lOdCp/ZUdRvlcveeBx5VX +hFel6erfsR+6GX6I0b2Z9qIBKwmpxLcsPkY60RuazvkSf7xAd4eNJ18vzdo55J1c +x6mJK+c5J63a/IW6rjEd2v6URwwlbOyuRSurXoETMxYwuxs7pBnxA3MRU/OWIaCy 
+fAO+2ao4qn4WNo4oGo1BJBaX+mQJa+NwCw2F+sRqGZ+3ooSq2bjjXrLxiytr4b+o +fUBiCzhZLOGaRubJXlWp39dgLf6mo3ajjYPhTUtlqv0ZfX97C7xEXitNY3Dy9aqe +NnQn2+u2dkzEMTc+zW5i+xkByRhoSXY5AhYDdyd0Qtuk1T8sRs38TJmavr6/H6hv +6FGrmgqFypmsVy1LdRAn80yVBce1t3eWcgVnTND+wSS8mEj9rHS4th4sZbwwpVWJ +Z0cJSFnqSLMh7ZrDyzcKFUhgdU7GxuaACxIbBt3f5pCp1QDKffb3kVG333l/OLqN +2qYOTP6iFf3JpKttNvaSA9Q+GNk4t/8ozZW6lfyz+uDfmQecEgAv/u1s1brMgQo7 +TQ/vJrJvgyxVSgOH +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/cert-with-non-digits-time.pem b/tests/cert-tests/data/cert-with-non-digits-time.pem new file mode 100644 index 0000000000..9927695c7c --- /dev/null +++ b/tests/cert-tests/data/cert-with-non-digits-time.pem 
@@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIFQDCCAyigAwIBAgIRAPABuQ6DmexEq0k9QQaewMUwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCQ04xDDAKBgNVBAgMA1RKNTEMMAoGA1UECgwDVEpVMRQwEgYD +VQQLDAtiZWl5YW5neXVhbjENMAsGA1UEAwwEYjMyNjEaMBgGCSqGSIb3DQEJARYL +bGkxQDE2My5jb20wHhcNICMwMTAxMDEwSTAwWhcNMzUxMjIzMTEyMzM0WjB7MQsw +CQYDVQQGEwJDTjEMMAoGA1UECAwDVEo1MQswCQYDVQQHDAJUSjEMMAoGA1UECgwD +VEpVMRQwEgYDVQQLDAtiZWl5YW5neXVhbjEMMAoGA1UEAwwDTExRMR8wHQYJKoZI +hvcNAQkBFhBsamZwb3dlckAxNjMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEArXvIlHbQRwFvnLFz2dsnbPBgE8WIDRpIIpRTWJL+pdi/duUcE5Xn +VRNA0lnlYBOl8igItyFudUC4o45xa0Q9Htd8hisbdaHpRpdTRUUpljH9rOOWOyY0 +aqRJ0RrU2ayhJslTH9OBBg1ZaatMYxI2u8Bz1MJrtsCUcvymScT59QAYI17ZAzI5 +ouqUsn3F5BgiU53kdm4ubfKts2su/sUvM9BN03+/p2o/50FanBVrRMHAUs2p65FM +yFtNwqT77ZpO9BZdEOV3KSRJRLbZbELoanMQ0txztznWI6PULTenf8eR24dQscqX +N38Qk+SGwp/lu/6qLN916oY2WFTRGrnCcwIDAQABo4HPMIHMMAkGA1UdEwQCMAAw +HQYDVR0OBBYEFI0Gz1ruYze8+EmA4MZ06BPU0AsiMB8GA1UdIwQYMBaAFJI+ilFK +lkx88DEK9Q8K7hNmaHfwMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwQwKAYDVR0RBCEwH4IFYS5jb22CCCouYWMuY29tggZ4ei5j +b22HBH8AAAEwGAYDVR0SBBEwD4INYWJjZXd3cnd0LmNvbTAMBgNVHSQEBTADgAED +MA0GCSqGSIb3DQEBCwUAA4ICAQBvx+Z8r/YjdhvkV5XbnRan25H7afvfg3aFHDGW +q2WxNEKynxvdM9TEQtbQXJrWRj9sXXRohaYxObuAic+gYdTOrsYtk48gENG6GH4s +fxdX92XeWm2wUr0KXKOu+Mvtj/egk0bEMQloZe/tkjeOLAGzrJetXyGtxgIA+/XI +E/AyyNULHYFATZWx/XD0Q1s/VOZttPn6FG4qi5UogM/XqqCQbZ8C/DSj9RltQi02 +IGmr+CCS4Y9ACHq3HT9YfSFMPV+7OwC/fegLadsd2Bk6TwAi+WNs/48M/LATAsnH +MxFV61T/qHuabPNfmlirpe/ooMWEIAoKKvxght4CztYRK5QZA01BBgqePur4wqAw +JeAp0M+bFWEDvt6xRiijmb261WRTM2C5mqnlQFJSdZ6h9MzerBph4Zvl3USXzEMb +hXPSeIIA7TwEWeH3whqP6w6NnmcS94jCgXnmvv9uInSc/CAKz5h2HElLQroP1Mmh ++KnKOAiSQrr0vyuGjZyxebu7E5RWWS//G2FJrG+2WyOAq0rml8HcjWtZu0I54xYq +rk0SKXpUBAvLbXky9rmAM5MinasHDBnUe7zTjlNuathI+5SPJ83PK/d+0HF6zzud +nvjqR+fWa4N/3jZ0DRquE1gEUWkK7jLegPalIZiLW064nfi6j2q6HP8eiyHarnA0 +Mnwt2Q== +-----END CERTIFICATE----- +23sYiex6zj9qXDX7tsiuPs3HIxTXw 
+dBVaJ01yeo+BlyX4SaxmBRIvtothzDDdXmQ/9MfS8qW85vQV9AcgGRb8fqxIHhwb +FgzeYzpehR0pEAss2XZK9Q3hPLKwX8sewiDy+0tLyYayYtOqeSutaNbSMp17zZZu +x/GScbHUTGEw76nmElECOVw5VQAGpbQSsns0MRp3gtr6XZKA2LUv7eiolwV4i0e5 +zBfb+mUzVBZMVzGJhXyBExl8rx46EkjmfIoblvoipIm0hAN82HE4D6VDb1v695kC +WR7seI3gUBku6KornLFW4sIwNznvlmbOl3cRtOU= +-----END CERTIFICATE----- -- cgit v1.2.1
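Review bot: The fixture ends with a second `-----END CERTIFICATE-----` preceded by six base64 lines and no matching `BEGIN` line, i.e. a truncated fragment left behind after the first certificate. If certtool imports only the first PEM block this is harmless, but if the trailing fragment makes the import fail the test passes for the wrong reason, since the script treats any non-zero exit as the time-field rejection; trimming the file to the single certificate removes the ambiguity.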