From 58790919c1ea3c620420d1307e89b398a2c61911 Mon Sep 17 00:00:00 2001 From: cameronrich Date: Wed, 19 Nov 2014 10:13:31 +0000 Subject: [PATCH] * Added check to get_asn1_length() to limit the number of octets and to not allow overflow. * Changed a few copyright dates to add a bit of new polish :-) git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@239 9a5d90b5-6617-0410-8a86-bb477d3ed2e3 --- crypto/crypto.h | 2 +- crypto/rsa.c | 4 ++-- ssl/asn1.c | 12 ++++++++---- ssl/crypto_misc.h | 2 +- ssl/x509.c | 2 +- 5 files changed, 13 insertions(+), 9 deletions(-) diff --git a/crypto/crypto.h b/crypto/crypto.h index df11e923a..3ec2e7af6 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, Cameron Rich + * Copyright (c) 2007-2014, Cameron Rich * * All rights reserved. * diff --git a/crypto/rsa.c b/crypto/rsa.c index 8f06cf896..efe939ddf 100644 --- a/crypto/rsa.c +++ b/crypto/rsa.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, Cameron Rich + * Copyright (c) 2007-2014, Cameron Rich * * All rights reserved. * @@ -189,7 +189,7 @@ int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, pad_count++; } - /* check separator byte - and padding must be 8 or more bytes */ + /* check separator byte 0x00 - and padding must be 8 or more bytes */ if (i == byte_size || pad_count < 8) return -1; diff --git a/ssl/asn1.c b/ssl/asn1.c index 3d6e23055..3d4c0beba 100644 --- a/ssl/asn1.c +++ b/ssl/asn1.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, Cameron Rich + * Copyright (c) 2007-2014, Cameron Rich * * All rights reserved. * @@ -40,7 +40,7 @@ #include "crypto.h" #include "crypto_misc.h" -/* Must be an RSA algorithm with either SHA1 or MD5 for verifying to work */ +/* Must be an RSA algorithm with either SHA1/SHA256/MD5 for verifying to work */ static const uint8_t sig_oid_prefix[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01 @@ -64,9 +64,10 @@ static const uint8_t sig_subject_alt_name[] = /* CN, O, OU */ static const uint8_t g_dn_types[] = { 3, 10, 11 }; -int get_asn1_length(const uint8_t *buf, int *offset) +uint32_t get_asn1_length(const uint8_t *buf, int *offset) { - int len, i; + int i; + uint32_t len; if (!(buf[*offset] & 0x80)) /* short form */ { @@ -75,6 +76,9 @@ int get_asn1_length(const uint8_t *buf, int *offset) else /* long form */ { int length_bytes = buf[(*offset)++]&0x7f; + if (length_bytes > 4) /* limit number of bytes */ + return 0; + len = 0; for (i = 0; i < length_bytes; i++) { diff --git a/ssl/crypto_misc.h b/ssl/crypto_misc.h index bc681117b..be7607941 100644 --- a/ssl/crypto_misc.h +++ b/ssl/crypto_misc.h @@ -128,7 +128,7 @@ const char * x509_display_error(int error); #define SIG_TYPE_SHA1 0x05 #define SIG_TYPE_SHA256 0x0b -int get_asn1_length(const uint8_t *buf, int *offset); +uint32_t get_asn1_length(const uint8_t *buf, int *offset); int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx); int asn1_next_obj(const uint8_t *buf, int *offset, int obj_type); int asn1_skip_obj(const uint8_t *buf, int *offset, int obj_type); diff --git a/ssl/x509.c b/ssl/x509.c index 815f83ac0..63af7653f 100644 --- a/ssl/x509.c +++ b/ssl/x509.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, Cameron Rich + * Copyright (c) 2007-2014, Cameron Rich * * All rights reserved. *