diff -up openssl-1.0.2k/crypto/asn1/asn1_err.c.null-dereference openssl-1.0.2k/crypto/asn1/asn1_err.c

--- openssl-1.0.2k/crypto/asn1/asn1_err.c.null-dereference	2020-12-04 10:08:08.506247597 +0100

+++ openssl-1.0.2k/crypto/asn1/asn1_err.c	2020-12-04 10:12:31.901956486 +0100

@@ -1,6 +1,6 @@

 /* crypto/asn1/asn1_err.c */

 /* ====================================================================

- * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.

+ * Copyright (c) 1999-2020 The OpenSSL Project.  All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -103,6 +103,7 @@ static ERR_STRING_DATA ASN1_str_functs[]

     {ERR_FUNC(ASN1_F_ASN1_ITEM_DUP), "ASN1_item_dup"},

     {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW), "ASN1_ITEM_EX_COMBINE_NEW"},

     {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I), "ASN1_ITEM_EX_D2I"},

+	{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EX_I2D, 0), "ASN1_item_ex_i2d"},

     {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO), "ASN1_item_i2d_bio"},

     {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"},

     {ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"},

@@ -202,6 +203,7 @@ static ERR_STRING_DATA ASN1_str_reasons[

     {ERR_REASON(ASN1_R_AUX_ERROR), "aux error"},

     {ERR_REASON(ASN1_R_BAD_CLASS), "bad class"},

     {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER), "bad object header"},

+	{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_TEMPLATE), "bad template"},

     {ERR_REASON(ASN1_R_BAD_PASSWORD_READ), "bad password read"},

     {ERR_REASON(ASN1_R_BAD_TAG), "bad tag"},

     {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),

diff -up openssl-1.0.2k/crypto/asn1/asn1.h.null-dereference openssl-1.0.2k/crypto/asn1/asn1.h

--- openssl-1.0.2k/crypto/asn1/asn1.h.null-dereference	2020-12-04 11:00:06.896637900 +0100

+++ openssl-1.0.2k/crypto/asn1/asn1.h	2020-12-04 11:04:47.079562987 +0100

@@ -1202,6 +1202,7 @@ void ERR_load_ASN1_strings(void);

 # define ASN1_F_ASN1_ITEM_DUP                             191

 # define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW                  121

 # define ASN1_F_ASN1_ITEM_EX_D2I                          120

+# define ASN1_F_ASN1_ITEM_EX_I2D                          231

 # define ASN1_F_ASN1_ITEM_I2D_BIO                         192

 # define ASN1_F_ASN1_ITEM_I2D_FP                          193

 # define ASN1_F_ASN1_ITEM_PACK                            198

@@ -1298,6 +1299,7 @@ void ERR_load_ASN1_strings(void);

 # define ASN1_R_AUX_ERROR                                 100

 # define ASN1_R_BAD_CLASS                                 101

 # define ASN1_R_BAD_OBJECT_HEADER                         102

+# define ASN1_R_BAD_TEMPLATE                              230

 # define ASN1_R_BAD_PASSWORD_READ                         103

 # define ASN1_R_BAD_TAG                                   104

 # define ASN1_R_BMPSTRING_IS_WRONG_LENGTH                 214

diff -up openssl-1.0.2k/crypto/asn1/tasn_dec.c.null-dereference openssl-1.0.2k/crypto/asn1/tasn_dec.c

--- openssl-1.0.2k/crypto/asn1/tasn_dec.c.null-dereference	2020-12-04 10:12:42.036057323 +0100

+++ openssl-1.0.2k/crypto/asn1/tasn_dec.c	2020-12-04 10:17:45.685035333 +0100

@@ -223,6 +223,15 @@ static int asn1_item_ex_d2i(ASN1_VALUE *

         break;

     case ASN1_ITYPE_MSTRING:

+        /*

+         * It never makes sense for multi-strings to have implicit tagging, so

+         * if tag != -1, then this looks like an error in the template.

+         */

+        if (tag != -1) {

+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE);

+            goto err;

+        }

+

         p = *in;

         /* Just read in tag and class */

         ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,

@@ -240,6 +249,7 @@ static int asn1_item_ex_d2i(ASN1_VALUE *

             ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);

             goto err;

         }

+

         /* Check tag matches bit map */

         if (!(ASN1_tag2bit(otag) & it->utype)) {

             /* If OPTIONAL, assume this is OK */

@@ -316,6 +326,15 @@ static int asn1_item_ex_d2i(ASN1_VALUE *

         goto err;

     case ASN1_ITYPE_CHOICE:

+        /*

+         * It never makes sense for CHOICE types to have implicit tagging, so

+         * if tag != -1, then this looks like an error in the template.

+         */

+        if (tag != -1) {

+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE);

+            goto err;

+        }

+

         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))

             goto auxerr;

         if (*pval) {

diff -up openssl-1.0.2k/crypto/asn1/tasn_enc.c.null-dereference openssl-1.0.2k/crypto/asn1/tasn_enc.c

--- openssl-1.0.2k/crypto/asn1/tasn_enc.c.null-dereference	2020-12-04 10:18:30.261472002 +0100

+++ openssl-1.0.2k/crypto/asn1/tasn_enc.c	2020-12-04 10:21:14.310078987 +0100

@@ -151,9 +151,25 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval,

         break;

     case ASN1_ITYPE_MSTRING:

+        /*

+         * It never makes sense for multi-strings to have implicit tagging, so

+         * if tag != -1, then this looks like an error in the template.

+         */

+        if (tag != -1) {

+            ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);

+            return -1;

+        }

         return asn1_i2d_ex_primitive(pval, out, it, -1, aclass);

     case ASN1_ITYPE_CHOICE:

+        /*

+         * It never makes sense for CHOICE types to have implicit tagging, so

+         * if tag != -1, then this looks like an error in the template.

+         */

+        if (tag != -1) {

+            ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);

+            return -1;

+        }

         if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL))

             return 0;

         i = asn1_get_choice_selector(pval, it);

diff -up openssl-1.0.2k/crypto/x509v3/v3_genn.c.null-dereference openssl-1.0.2k/crypto/x509v3/v3_genn.c

--- openssl-1.0.2k/crypto/x509v3/v3_genn.c.null-dereference	2020-12-04 10:28:02.374237945 +0100

+++ openssl-1.0.2k/crypto/x509v3/v3_genn.c	2020-12-04 10:36:51.156138263 +0100

@@ -72,8 +72,9 @@ ASN1_SEQUENCE(OTHERNAME) = {

 IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)

 ASN1_SEQUENCE(EDIPARTYNAME) = {

-        ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),

-        ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)

+        /* DirectoryString is a CHOICE type so use explicit tagging */

+        ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),

+        ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)

 } ASN1_SEQUENCE_END(EDIPARTYNAME)

 IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)

@@ -107,6 +108,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_N

                                     (char *)a);

 }

+static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)

+{

+    int res;

+

+    if (a == NULL || b == NULL) {

+        /*

+         * Shouldn't be possible in a valid GENERAL_NAME, but we handle it

+         * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here

+         */

+        return -1;

+    }

+    if (a->nameAssigner == NULL && b->nameAssigner != NULL)

+        return -1;

+    if (a->nameAssigner != NULL && b->nameAssigner == NULL)

+        return 1;

+    /* If we get here then both have nameAssigner set, or both unset */

+    if (a->nameAssigner != NULL) {

+        res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);

+        if (res != 0)

+            return res;

+    }

+    /*

+     * partyName is required, so these should never be NULL. We treat it in

+     * the same way as the a == NULL || b == NULL case above

+     */

+    if (a->partyName == NULL || b->partyName == NULL)

+        return -1;

+

+    return ASN1_STRING_cmp(a->partyName, b->partyName);

+}

+

 /* Returns 0 if they are equal, != 0 otherwise. */

 int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)

 {

@@ -116,8 +148,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GE

         return -1;

     switch (a->type) {

     case GEN_X400:

+        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);

+        break;

+

     case GEN_EDIPARTY:

-        result = ASN1_TYPE_cmp(a->d.other, b->d.other);

+        result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);

         break;

     case GEN_OTHERNAME:

@@ -164,8 +199,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAM

 {

     switch (type) {

     case GEN_X400:

+        a->d.x400Address = value;

+        break;

+

     case GEN_EDIPARTY:

-        a->d.other = value;

+        a->d.ediPartyName = value;

         break;

     case GEN_OTHERNAME:

@@ -199,8 +237,10 @@ void *GENERAL_NAME_get0_value(GENERAL_NA

         *ptype = a->type;

     switch (a->type) {

     case GEN_X400:

+        return a->d.x400Address;

+

     case GEN_EDIPARTY:

-        return a->d.other;

+        return a->d.ediPartyName;

     case GEN_OTHERNAME:

         return a->d.otherName;

diff -up openssl-1.0.2k/crypto/x509v3/v3nametest.c.null-dereference openssl-1.0.2k/crypto/x509v3/v3nametest.c

--- openssl-1.0.2k/crypto/x509v3/v3nametest.c.null-dereference	2020-12-04 10:28:02.374237945 +0100

+++ openssl-1.0.2k/crypto/x509v3/v3nametest.c	2020-12-04 10:36:51.156138263 +0100

@@ -321,6 +321,356 @@ static void run_cert(X509 *crt, const ch

     }

 }

+struct gennamedata {

+    const unsigned char der[22];

+    size_t derlen;

+} gennames[] = {

+    {

+        /*

+        * [0] {

+        *   OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }

+        *   [0] {

+        *     SEQUENCE {}

+        *   }

+        * }

+        */

+        {

+            0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,

+            0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x30, 0x00

+        },

+        21

+    }, {

+        /*

+        * [0] {

+        *   OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }

+        *   [0] {

+        *     [APPLICATION 0] {}

+        *   }

+        * }

+        */

+        {

+            0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,

+            0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x60, 0x00

+        },

+        21

+    }, {

+        /*

+        * [0] {

+        *   OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }

+        *   [0] {

+        *     UTF8String { "a" }

+        *   }

+        * }

+        */

+        {

+            0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,

+            0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x61

+        },

+        22

+    }, {

+        /*

+        * [0] {

+        *   OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.2 }

+        *   [0] {

+        *     UTF8String { "a" }

+        *   }

+        * }

+        */

+        {

+            0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,

+            0x01, 0x84, 0xb7, 0x09, 0x02, 0x02, 0xa0, 0x03, 0x0c, 0x01, 0x61

+        },

+        22

+    }, {

+        /*

+        * [0] {

+        *   OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }

+        *   [0] {

+        *     UTF8String { "b" }

+        *   }

+        * }

+        */

+        {

+            0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,

+            0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x62

+        },

+        22

+    }, {

+        /*

+        * [0] {

+        *   OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }

+        *   [0] {

+        *     BOOLEAN { TRUE }

+        *   }

+        * }

+        */

+        {

+            0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,

+            0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0xff

+        },

+        22

+    }, {

+        /*

+        * [0] {

+        *   OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }

+        *   [0] {

+        *     BOOLEAN { FALSE }

+        *   }

+        * }

+        */

+        {

+            0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,

+            0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0x00

+        },

+        22

+    }, {

+        /* [1 PRIMITIVE] { "a" } */

+        {

+            0x81, 0x01, 0x61

+        },

+        3

+    }, {

+        /* [1 PRIMITIVE] { "b" } */

+        {

+            0x81, 0x01, 0x62

+        },

+        3

+    }, {

+        /* [2 PRIMITIVE] { "a" } */

+        {

+            0x82, 0x01, 0x61

+        },

+        3

+    }, {

+        /* [2 PRIMITIVE] { "b" } */

+        {

+            0x82, 0x01, 0x62

+        },

+        3

+    }, {

+        /*

+        * [4] {

+        *   SEQUENCE {

+        *     SET {

+        *       SEQUENCE {

+        *         # commonName

+        *         OBJECT_IDENTIFIER { 2.5.4.3 }

+        *         UTF8String { "a" }

+        *       }

+        *     }

+        *   }

+        * }

+        */

+        {

+            0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55,

+            0x04, 0x03, 0x0c, 0x01, 0x61

+        },

+        16

+    }, {

+        /*

+        * [4] {

+        *   SEQUENCE {

+        *     SET {

+        *       SEQUENCE {

+        *         # commonName

+        *         OBJECT_IDENTIFIER { 2.5.4.3 }

+        *         UTF8String { "b" }

+        *       }

+        *     }

+        *   }

+        * }

+        */

+        {

+            0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55,

+            0x04, 0x03, 0x0c, 0x01, 0x62

+        },

+        16

+    }, {

+        /*

+        * [5] {

+        *   [1] {

+        *     UTF8String { "a" }

+        *   }

+        * }

+        */

+        {

+            0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x61

+        },

+        7

+    }, {

+        /*

+        * [5] {

+        *   [1] {

+        *     UTF8String { "b" }

+        *   }

+        * }

+        */

+        {

+            0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x62

+        },

+        7

+    }, {

+        /*

+        * [5] {

+        *   [0] {

+        *     UTF8String {}

+        *   }

+        *   [1] {

+        *     UTF8String { "a" }

+        *   }

+        * }

+        */

+        {

+            0xa5, 0x09, 0xa0, 0x02, 0x0c, 0x00, 0xa1, 0x03, 0x0c, 0x01, 0x61

+        },

+        11

+    }, {

+        /*

+        * [5] {

+        *   [0] {

+        *     UTF8String { "a" }

+        *   }

+        *   [1] {

+        *     UTF8String { "a" }

+        *   }

+        * }

+        */

+        {

+            0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x61, 0xa1, 0x03, 0x0c, 0x01,

+            0x61

+        },

+        12

+    }, {

+        /*

+        * [5] {

+        *   [0] {

+        *     UTF8String { "b" }

+        *   }

+        *   [1] {

+        *     UTF8String { "a" }

+        *   }

+        * }

+        */

+        {

+            0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x62, 0xa1, 0x03, 0x0c, 0x01,

+            0x61

+        },

+        12

+    }, {

+        /* [6 PRIMITIVE] { "a" } */

+        {

+            0x86, 0x01, 0x61

+        },

+        3

+    }, {

+        /* [6 PRIMITIVE] { "b" } */

+        {

+            0x86, 0x01, 0x62

+        },

+        3

+    }, {

+        /* [7 PRIMITIVE] { `11111111` } */

+        {

+            0x87, 0x04, 0x11, 0x11, 0x11, 0x11

+        },

+        6

+    }, {

+        /* [7 PRIMITIVE] { `22222222`} */

+        {

+            0x87, 0x04, 0x22, 0x22, 0x22, 0x22

+        },

+        6

+    }, {

+        /* [7 PRIMITIVE] { `11111111111111111111111111111111` } */

+        {

+            0x87, 0x10, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,

+            0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11

+        },

+        18

+    }, {

+        /* [7 PRIMITIVE] { `22222222222222222222222222222222` } */

+        {

+            0x87, 0x10, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,

+            0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22

+        },

+        18

+    }, {

+        /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.1 } */

+        {

+            0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84,

+            0xb7, 0x09, 0x02, 0x01

+        },

+        15

+    }, {

+        /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.2 } */

+        {

+            0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84,

+            0xb7, 0x09, 0x02, 0x02

+        },

+        15

+    }

+};

+

+#define OSSL_NELEM(x) (sizeof(x)/sizeof((x)[0]))

+

+static int test_GENERAL_NAME_cmp(void)

+{

+    size_t i, j;

+    GENERAL_NAME **namesa = OPENSSL_malloc(sizeof(*namesa)

+                                           * OSSL_NELEM(gennames));

+    GENERAL_NAME **namesb = OPENSSL_malloc(sizeof(*namesb)

+                                           * OSSL_NELEM(gennames));

+    int testresult = 0;

+

+    if (namesa == NULL || namesb == NULL)

+        goto end;

+

+    for (i = 0; i < OSSL_NELEM(gennames); i++) {

+        const unsigned char *derp = gennames[i].der;

+

+        /*

+         * We create two versions of each GENERAL_NAME so that we ensure when

+         * we compare them they are always different pointers.

+         */

+        namesa[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen);

+        derp = gennames[i].der;

+        namesb[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen);

+        if (namesa[i] == NULL || namesb[i] == NULL)

+            goto end;

+    }

+

+    /* Every name should be equal to itself and not equal to any others. */

+    for (i = 0; i < OSSL_NELEM(gennames); i++) {

+        for (j = 0; j < OSSL_NELEM(gennames); j++) {

+            if (i == j) {

+                if (GENERAL_NAME_cmp(namesa[i], namesb[j]) != 0)

+                    goto end;

+            } else {

+                if (GENERAL_NAME_cmp(namesa[i], namesb[j]) == 0)

+                    goto end;

+            }

+        }

+    }

+    testresult = 1;

+

+ end:

+    for (i = 0; i < OSSL_NELEM(gennames); i++) {

+        if (namesa != NULL)

+            GENERAL_NAME_free(namesa[i]);

+        if (namesb != NULL)

+            GENERAL_NAME_free(namesb[i]);

+    }

+    OPENSSL_free(namesa);

+    OPENSSL_free(namesb);

+

+    if (!testresult)

+        fprintf(stderr, "test of GENERAL_NAME_cmp failed\n");

+

+    return testresult;

+}

+

+

+

 int main(void)

 {

     const struct set_name_fn *pfn = name_fns;

@@ -342,5 +692,8 @@ int main(void)

         }

         ++pfn;

     }

+

+    errors += !test_GENERAL_NAME_cmp();

+

     return errors > 0 ? 1 : 0;

 }