Properly validate the length of an encoded BMPString and UniversalString
(CVE-2009-0590) (Closes: #522002)
Kurt Roeckx
14 years ago
| 1178 | 1178 | #define ASN1_R_BAD_OBJECT_HEADER 102 |
| 1179 | 1179 | #define ASN1_R_BAD_PASSWORD_READ 103 |
| 1180 | 1180 | #define ASN1_R_BAD_TAG 104 |
| 1181 | #define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 | |
| 1181 | 1182 | #define ASN1_R_BN_LIB 105 |
| 1182 | 1183 | #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 |
| 1183 | 1184 | #define ASN1_R_BUFFER_TOO_SMALL 107 |
| 1257 | 1258 | #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 |
| 1258 | 1259 | #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 |
| 1259 | 1260 | #define ASN1_R_UNEXPECTED_EOC 159 |
| 1261 | #define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 | |
| 1260 | 1262 | #define ASN1_R_UNKNOWN_FORMAT 160 |
| 1261 | 1263 | #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 |
| 1262 | 1264 | #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 |
| 187 | 187 | {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, |
| 188 | 188 | {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, |
| 189 | 189 | {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, |
| 190 | {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, | |
| 190 | 191 | {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, |
| 191 | 192 | {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, |
| 192 | 193 | {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, |
| 266 | 267 | {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, |
| 267 | 268 | {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, |
| 268 | 269 | {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, |
| 270 | {ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, | |
| 269 | 271 | {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, |
| 270 | 272 | {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, |
| 271 | 273 | {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, |
| 1011 | 1011 | case V_ASN1_SET: |
| 1012 | 1012 | case V_ASN1_SEQUENCE: |
| 1013 | 1013 | default: |
| 1014 | if (utype == V_ASN1_BMPSTRING && (len & 1)) | |
| 1015 | { | |
| 1016 | ASN1err(ASN1_F_ASN1_EX_C2I, | |
| 1017 | ASN1_R_BMPSTRING_IS_WRONG_LENGTH); | |
| 1018 | goto err; | |
| 1019 | } | |
| 1020 | if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) | |
| 1021 | { | |
| 1022 | ASN1err(ASN1_F_ASN1_EX_C2I, | |
| 1023 | ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); | |
| 1024 | goto err; | |
| 1025 | } | |
| 1014 | 1026 | /* All based on ASN1_STRING and handled the same */ |
| 1015 | 1027 | if (!*pval) |
| 1016 | 1028 | { |
| 0 | openssl (0.9.8g-16) unstable; urgency=high | |
| 1 | ||
| 2 | * Properly validate the length of an encoded BMPString and UniversalString | |
| 3 | (CVE-2009-0590) (Closes: #522002) | |
| 4 | ||
| 5 | -- Kurt Roeckx <kurt@roeckx.be> Wed, 01 Apr 2009 22:04:53 +0200 | |
| 6 | ||
| 0 | 7 | openssl (0.9.8g-15) unstable; urgency=low |
| 1 | 8 | |
| 2 | 9 | * Internal calls to didn't properly check for errors which |