|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/asn1/asn1_err.c.asn1-recursive openssl-1.0.2k/crypto/asn1/asn1_err.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/asn1/asn1_err.c.asn1-recursive 2017-01-26 14:22:03.000000000 +0100
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/asn1/asn1_err.c 2018-06-18 15:08:18.333412753 +0200
|
|
|
ad56ed |
@@ -279,6 +279,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
|
|
|
ad56ed |
{ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"},
|
|
|
ad56ed |
{ERR_REASON(ASN1_R_MSTRING_WRONG_TAG), "mstring wrong tag"},
|
|
|
ad56ed |
{ERR_REASON(ASN1_R_NESTED_ASN1_STRING), "nested asn1 string"},
|
|
|
ad56ed |
+ {ERR_REASON(ASN1_R_NESTED_TOO_DEEP), "nested too deep"},
|
|
|
ad56ed |
{ERR_REASON(ASN1_R_NON_HEX_CHARACTERS), "non hex characters"},
|
|
|
ad56ed |
{ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"},
|
|
|
ad56ed |
{ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"},
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/asn1/asn1.h.asn1-recursive openssl-1.0.2k/crypto/asn1/asn1.h
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/asn1/asn1.h.asn1-recursive 2018-06-18 13:46:23.857127431 +0200
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/asn1/asn1.h 2018-06-18 15:07:53.915826715 +0200
|
|
|
ad56ed |
@@ -1365,6 +1365,7 @@ void ERR_load_ASN1_strings(void);
|
|
|
ad56ed |
# define ASN1_R_MSTRING_NOT_UNIVERSAL 139
|
|
|
ad56ed |
# define ASN1_R_MSTRING_WRONG_TAG 140
|
|
|
ad56ed |
# define ASN1_R_NESTED_ASN1_STRING 197
|
|
|
ad56ed |
+# define ASN1_R_NESTED_TOO_DEEP 219
|
|
|
ad56ed |
# define ASN1_R_NON_HEX_CHARACTERS 141
|
|
|
ad56ed |
# define ASN1_R_NOT_ASCII_FORMAT 190
|
|
|
ad56ed |
# define ASN1_R_NOT_ENOUGH_DATA 142
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/asn1/tasn_dec.c.asn1-recursive openssl-1.0.2k/crypto/asn1/tasn_dec.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/asn1/tasn_dec.c.asn1-recursive 2017-01-26 14:22:03.000000000 +0100
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/asn1/tasn_dec.c 2018-06-18 15:14:28.978308482 +0200
|
|
|
ad56ed |
@@ -4,7 +4,7 @@
|
|
|
ad56ed |
* 2000.
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
/* ====================================================================
|
|
|
ad56ed |
- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
|
|
|
ad56ed |
+ * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
|
|
|
ad56ed |
*
|
|
|
ad56ed |
* Redistribution and use in source and binary forms, with or without
|
|
|
ad56ed |
* modification, are permitted provided that the following conditions
|
|
|
ad56ed |
@@ -65,6 +65,14 @@
|
|
|
ad56ed |
#include <openssl/buffer.h>
|
|
|
ad56ed |
#include <openssl/err.h>
|
|
|
ad56ed |
|
|
|
ad56ed |
+/*
|
|
|
ad56ed |
+ * Constructed types with a recursive definition (such as can be found in PKCS7)
|
|
|
ad56ed |
+ * could eventually exceed the stack given malicious input with excessive
|
|
|
ad56ed |
+ * recursion. Therefore we limit the stack depth. This is the maximum number of
|
|
|
ad56ed |
+ * recursive invocations of asn1_item_embed_d2i().
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
+#define ASN1_MAX_CONSTRUCTED_NEST 30
|
|
|
ad56ed |
+
|
|
|
ad56ed |
static int asn1_check_eoc(const unsigned char **in, long len);
|
|
|
ad56ed |
static int asn1_find_end(const unsigned char **in, long len, char inf);
|
|
|
ad56ed |
|
|
|
ad56ed |
@@ -81,11 +89,11 @@ static int asn1_check_tlen(long *olen, i
|
|
|
ad56ed |
static int asn1_template_ex_d2i(ASN1_VALUE **pval,
|
|
|
ad56ed |
const unsigned char **in, long len,
|
|
|
ad56ed |
const ASN1_TEMPLATE *tt, char opt,
|
|
|
ad56ed |
- ASN1_TLC *ctx);
|
|
|
ad56ed |
+ ASN1_TLC *ctx, int depth);
|
|
|
ad56ed |
static int asn1_template_noexp_d2i(ASN1_VALUE **val,
|
|
|
ad56ed |
const unsigned char **in, long len,
|
|
|
ad56ed |
const ASN1_TEMPLATE *tt, char opt,
|
|
|
ad56ed |
- ASN1_TLC *ctx);
|
|
|
ad56ed |
+ ASN1_TLC *ctx, int depth);
|
|
|
ad56ed |
static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
|
|
|
ad56ed |
const unsigned char **in, long len,
|
|
|
ad56ed |
const ASN1_ITEM *it,
|
|
|
ad56ed |
@@ -154,17 +162,16 @@ int ASN1_template_d2i(ASN1_VALUE **pval,
|
|
|
ad56ed |
{
|
|
|
ad56ed |
ASN1_TLC c;
|
|
|
ad56ed |
asn1_tlc_clear_nc(&c);
|
|
|
ad56ed |
- return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
|
|
|
ad56ed |
+ return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0);
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
/*
|
|
|
ad56ed |
* Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
|
|
|
ad56ed |
* tag mismatch return -1 to handle OPTIONAL
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
-
|
|
|
ad56ed |
-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
|
|
|
ad56ed |
- const ASN1_ITEM *it,
|
|
|
ad56ed |
- int tag, int aclass, char opt, ASN1_TLC *ctx)
|
|
|
ad56ed |
+static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
|
|
|
ad56ed |
+ long len, const ASN1_ITEM *it, int tag, int aclass,
|
|
|
ad56ed |
+ char opt, ASN1_TLC *ctx, int depth)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
const ASN1_TEMPLATE *tt, *errtt = NULL;
|
|
|
ad56ed |
const ASN1_COMPAT_FUNCS *cf;
|
|
|
ad56ed |
@@ -189,6 +196,11 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
|
|
ad56ed |
else
|
|
|
ad56ed |
asn1_cb = 0;
|
|
|
ad56ed |
|
|
|
ad56ed |
+ if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {
|
|
|
ad56ed |
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP);
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
+
|
|
|
ad56ed |
switch (it->itype) {
|
|
|
ad56ed |
case ASN1_ITYPE_PRIMITIVE:
|
|
|
ad56ed |
if (it->templates) {
|
|
|
ad56ed |
@@ -204,7 +216,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
return asn1_template_ex_d2i(pval, in, len,
|
|
|
ad56ed |
- it->templates, opt, ctx);
|
|
|
ad56ed |
+ it->templates, opt, ctx, depth);
|
|
|
ad56ed |
}
|
|
|
ad56ed |
return asn1_d2i_ex_primitive(pval, in, len, it,
|
|
|
ad56ed |
tag, aclass, opt, ctx);
|
|
|
ad56ed |
@@ -326,7 +338,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
|
|
ad56ed |
/*
|
|
|
ad56ed |
* We mark field as OPTIONAL so its absence can be recognised.
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
- ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
|
|
|
ad56ed |
+ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);
|
|
|
ad56ed |
/* If field not present, try the next one */
|
|
|
ad56ed |
if (ret == -1)
|
|
|
ad56ed |
continue;
|
|
|
ad56ed |
@@ -444,7 +456,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
|
|
ad56ed |
* attempt to read in field, allowing each to be OPTIONAL
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
|
|
|
ad56ed |
- ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);
|
|
|
ad56ed |
+ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
|
|
|
ad56ed |
+ depth);
|
|
|
ad56ed |
if (!ret) {
|
|
|
ad56ed |
errtt = seqtt;
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
@@ -514,6 +527,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
|
|
ad56ed |
return 0;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
|
|
|
ad56ed |
+ const ASN1_ITEM *it,
|
|
|
ad56ed |
+ int tag, int aclass, char opt, ASN1_TLC *ctx)
|
|
|
ad56ed |
+{
|
|
|
ad56ed |
+ return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
|
|
|
ad56ed |
+}
|
|
|
ad56ed |
+
|
|
|
ad56ed |
/*
|
|
|
ad56ed |
* Templates are handled with two separate functions. One handles any
|
|
|
ad56ed |
* EXPLICIT tag and the other handles the rest.
|
|
|
ad56ed |
@@ -522,7 +542,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
|
|
ad56ed |
static int asn1_template_ex_d2i(ASN1_VALUE **val,
|
|
|
ad56ed |
const unsigned char **in, long inlen,
|
|
|
ad56ed |
const ASN1_TEMPLATE *tt, char opt,
|
|
|
ad56ed |
- ASN1_TLC *ctx)
|
|
|
ad56ed |
+ ASN1_TLC *ctx, int depth)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
int flags, aclass;
|
|
|
ad56ed |
int ret;
|
|
|
ad56ed |
@@ -557,7 +577,7 @@ static int asn1_template_ex_d2i(ASN1_VAL
|
|
|
ad56ed |
return 0;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
/* We've found the field so it can't be OPTIONAL now */
|
|
|
ad56ed |
- ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
|
|
|
ad56ed |
+ ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
|
|
|
ad56ed |
if (!ret) {
|
|
|
ad56ed |
ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
|
|
|
ad56ed |
return 0;
|
|
|
ad56ed |
@@ -581,7 +601,7 @@ static int asn1_template_ex_d2i(ASN1_VAL
|
|
|
ad56ed |
}
|
|
|
ad56ed |
}
|
|
|
ad56ed |
} else
|
|
|
ad56ed |
- return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
|
|
|
ad56ed |
+ return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
|
|
|
ad56ed |
|
|
|
ad56ed |
*in = p;
|
|
|
ad56ed |
return 1;
|
|
|
ad56ed |
@@ -594,7 +614,7 @@ static int asn1_template_ex_d2i(ASN1_VAL
|
|
|
ad56ed |
static int asn1_template_noexp_d2i(ASN1_VALUE **val,
|
|
|
ad56ed |
const unsigned char **in, long len,
|
|
|
ad56ed |
const ASN1_TEMPLATE *tt, char opt,
|
|
|
ad56ed |
- ASN1_TLC *ctx)
|
|
|
ad56ed |
+ ASN1_TLC *ctx, int depth)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
int flags, aclass;
|
|
|
ad56ed |
int ret;
|
|
|
ad56ed |
@@ -665,14 +685,15 @@ static int asn1_template_noexp_d2i(ASN1_
|
|
|
ad56ed |
break;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
skfield = NULL;
|
|
|
ad56ed |
- if (!ASN1_item_ex_d2i(&skfield, &p, len,
|
|
|
ad56ed |
- ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
|
|
|
ad56ed |
+ if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),
|
|
|
ad56ed |
+ -1, 0, 0, ctx, depth)) {
|
|
|
ad56ed |
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
|
|
|
ad56ed |
ERR_R_NESTED_ASN1_ERROR);
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
len -= p - q;
|
|
|
ad56ed |
if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) {
|
|
|
ad56ed |
+ ASN1_item_ex_free(&skfield, ASN1_ITEM_ptr(tt->item));
|
|
|
ad56ed |
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE);
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
@@ -683,9 +704,8 @@ static int asn1_template_noexp_d2i(ASN1_
|
|
|
ad56ed |
}
|
|
|
ad56ed |
} else if (flags & ASN1_TFLG_IMPTAG) {
|
|
|
ad56ed |
/* IMPLICIT tagging */
|
|
|
ad56ed |
- ret = ASN1_item_ex_d2i(val, &p, len,
|
|
|
ad56ed |
- ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
|
|
|
ad56ed |
- ctx);
|
|
|
ad56ed |
+ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,
|
|
|
ad56ed |
+ aclass, opt, ctx, depth);
|
|
|
ad56ed |
if (!ret) {
|
|
|
ad56ed |
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
@@ -693,8 +713,9 @@ static int asn1_template_noexp_d2i(ASN1_
|
|
|
ad56ed |
return -1;
|
|
|
ad56ed |
} else {
|
|
|
ad56ed |
/* Nothing special */
|
|
|
ad56ed |
- ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
|
|
|
ad56ed |
- -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
|
|
|
ad56ed |
+ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
|
|
|
ad56ed |
+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx,
|
|
|
ad56ed |
+ depth);
|
|
|
ad56ed |
if (!ret) {
|
|
|
ad56ed |
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
|
|
|
ad56ed |
goto err;
|