Properly validate the length of an encoded BMPString and UniversalString
(CVE-2009-0590) (Closes: #522002)
Kurt Roeckx
14 years ago
1178 | 1178 | #define ASN1_R_BAD_OBJECT_HEADER 102 |
1179 | 1179 | #define ASN1_R_BAD_PASSWORD_READ 103 |
1180 | 1180 | #define ASN1_R_BAD_TAG 104 |
1181 | #define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 | |
1181 | 1182 | #define ASN1_R_BN_LIB 105 |
1182 | 1183 | #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 |
1183 | 1184 | #define ASN1_R_BUFFER_TOO_SMALL 107 |
1257 | 1258 | #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 |
1258 | 1259 | #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 |
1259 | 1260 | #define ASN1_R_UNEXPECTED_EOC 159 |
1261 | #define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 | |
1260 | 1262 | #define ASN1_R_UNKNOWN_FORMAT 160 |
1261 | 1263 | #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 |
1262 | 1264 | #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 |
187 | 187 | {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, |
188 | 188 | {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, |
189 | 189 | {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, |
190 | {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, | |
190 | 191 | {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, |
191 | 192 | {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, |
192 | 193 | {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, |
266 | 267 | {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, |
267 | 268 | {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, |
268 | 269 | {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, |
270 | {ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, | |
269 | 271 | {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, |
270 | 272 | {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, |
271 | 273 | {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, |
1011 | 1011 | case V_ASN1_SET: |
1012 | 1012 | case V_ASN1_SEQUENCE: |
1013 | 1013 | default: |
1014 | if (utype == V_ASN1_BMPSTRING && (len & 1)) | |
1015 | { | |
1016 | ASN1err(ASN1_F_ASN1_EX_C2I, | |
1017 | ASN1_R_BMPSTRING_IS_WRONG_LENGTH); | |
1018 | goto err; | |
1019 | } | |
1020 | if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) | |
1021 | { | |
1022 | ASN1err(ASN1_F_ASN1_EX_C2I, | |
1023 | ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); | |
1024 | goto err; | |
1025 | } | |
1014 | 1026 | /* All based on ASN1_STRING and handled the same */ |
1015 | 1027 | if (!*pval) |
1016 | 1028 | { |
0 | openssl (0.9.8g-16) unstable; urgency=high | |
1 | ||
2 | * Properly validate the length of an encoded BMPString and UniversalString | |
3 | (CVE-2009-0590) (Closes: #522002) | |
4 | ||
5 | -- Kurt Roeckx <kurt@roeckx.be> Wed, 01 Apr 2009 22:04:53 +0200 | |
6 | ||
0 | 7 | openssl (0.9.8g-15) unstable; urgency=low |
1 | 8 | |
2 | 9 | * Internal calls to didn't properly check for errors which |