The branch master has been updated
via 59f4a51a7f2c53b9fd161b032d0fcb8a85f4f19d (commit)
via c7f8edfc1186a48463c14cfdc7f70456cbcb1cda (commit)
from 5595058714832bdff03604c881cf44f91c14b5fc (commit)
- Log -----------------------------------------------------------------
commit 59f4a51a7f2c53b9fd161b032d0fcb8a85f4f19d
Author: Matt Caswell <[email protected]>
Date: Thu Aug 26 10:03:51 2021 +0100
Add a test for verifying an email with a bad othername type
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/16443)
commit c7f8edfc1186a48463c14cfdc7f70456cbcb1cda
Author: Matt Caswell <[email protected]>
Date: Thu Aug 26 09:43:50 2021 +0100
Ensure that we check the ASN.1 type of an "otherName" before using it
We should not assume that the type of an ASN.1 value is UTF8String as
expected. We must actually check it, otherwise we could get a NULL ptr
deref, or worse memory errors.
Reported by David Benjamin.
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/16443)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/v3_utl.c | 17 ++++++++++++-----
test/recipes/25-test_eai_data.t | 14 ++++++++++++--
2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 5c63d2d9d8..a70917a39b 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -901,12 +901,19 @@ static int do_x509_check(X509 *x, const char *chk, size_t
chklen,
if (OBJ_obj2nid(gen->d.otherName->type_id) ==
NID_id_on_SmtpUTF8Mailbox) {
san_present = 1;
- cstr = gen->d.otherName->value->value.utf8string;
- /* Positive on success, negative on error! */
- if ((rv = do_check_string(cstr, 0, equal, flags,
- chk, chklen, peername)) != 0)
- break;
+ /*
+ * If it is not a UTF8String then that is unexpected and we
+ * treat it as no match
+ */
+ if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
+ cstr = gen->d.otherName->value->value.utf8string;
+
+ /* Positive on success, negative on error! */
+ if ((rv = do_check_string(cstr, 0, equal, flags,
+ chk, chklen, peername)) != 0)
+ break;
+ }
} else
continue;
} else {
diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
index 8aebf5d621..522982ddfb 100644
--- a/test/recipes/25-test_eai_data.t
+++ b/test/recipes/25-test_eai_data.t
@@ -12,7 +12,7 @@ use warnings;
use File::Spec;
use OpenSSL::Test::Utils;
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_file with/;
setup("test_eai_data");
@@ -21,7 +21,7 @@ setup("test_eai_data");
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile
test/recipes/25-test_eai_data/utf8_chain.pem
test/recipes/25-test_eai_data/ascii_leaf.pem
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile
test/recipes/25-test_eai_data/ascii_chain.pem
test/recipes/25-test_eai_data/utf8_leaf.pem
-plan tests => 11;
+plan tests => 12;
require_ok(srctop_file('test','recipes','tconversion.pl'));
my $folder = "test/recipes/25-test_eai_data";
@@ -60,3 +60,13 @@ ok(run(app(["openssl", "verify", "-nameopt", "utf8",
"-no_check_time", "-CAfile"
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time",
"-CAfile", $ascii_chain_pem, $utf8_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time",
"-CAfile", $utf8_chain_pem, $ascii_pem])));
+#Check that we get the expected failure return code
+with({ exit_checker => sub { return shift == 2; } },
+ sub {
+ ok(run(app(["openssl", "verify", "-CAfile",
+ srctop_file("test", "certs", "bad-othername-namec.pem"),
+ "-partial_chain", "-no_check_time", "-verify_email",
+ '[email protected]',
+ srctop_file("test", "certs",
"bad-othername-namec.pem")])));
+ });
+
