mirror of
https://github.com/openssl/openssl.git
synced 2024-11-21 01:15:20 +08:00
73ebaac827
Sometimes the error handling returns an ASN1_STRING
object in *out although that was not passed in by the
caller, and sometimes the error handling deletes the
ASN1_STRING but forgets to clear the *out parameter.
Therefore the caller has no chance to know, if the leaked
object in *out shall be deleted or not.
This may cause a use-after-free error e.g. in asn1_str2type:
==63312==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000073280 at pc 0x7f2652e93b08 bp 0x7ffe0e1951c0 sp 0x7ffe0e1951b0
READ of size 8 at 0x603000073280 thread T0
#0 0x7f2652e93b07 in asn1_string_embed_free crypto/asn1/asn1_lib.c:354
#1 0x7f2652eb521a in asn1_primitive_free crypto/asn1/tasn_fre.c:204
#2 0x7f2652eb50a9 in asn1_primitive_free crypto/asn1/tasn_fre.c:199
#3 0x7f2652eb5b67 in ASN1_item_free crypto/asn1/tasn_fre.c:20
#4 0x7f2652e8e13b in asn1_str2type crypto/asn1/asn1_gen.c:740
#5 0x7f2652e8e13b in generate_v3 crypto/asn1/asn1_gen.c:137
#6 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92
#7 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577
#8 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492
#9 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327
#10 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100
#11 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45
#12 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312
#13 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360
#14 0x564ed19d5f25 in req_main apps/req.c:806
#15 0x564ed19b8de0 in do_cmd apps/openssl.c:564
#16 0x564ed1985165 in main apps/openssl.c:183
#17 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308
#18 0x564ed1985acd in _start (/home/ed/OPCToolboxV5/Source/Core/OpenSSL/openssl/apps/openssl+0x139acd)
0x603000073280 is located 16 bytes inside of 24-byte region [0x603000073270,0x603000073288)
freed by thread T0 here:
#0 0x7f265413440f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x7f265315a429 in CRYPTO_free crypto/mem.c:311
#2 0x7f265315a429 in CRYPTO_free crypto/mem.c:300
#3 0x7f2652e757b9 in ASN1_mbstring_ncopy crypto/asn1/a_mbstr.c:191
#4 0x7f2652e75ec5 in ASN1_mbstring_copy crypto/asn1/a_mbstr.c:38
#5 0x7f2652e8e227 in asn1_str2type crypto/asn1/asn1_gen.c:681
#6 0x7f2652e8e227 in generate_v3 crypto/asn1/asn1_gen.c:137
#7 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92
#8 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577
#9 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492
#10 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327
#11 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100
#12 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45
#13 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312
#14 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360
#15 0x564ed19d5f25 in req_main apps/req.c:806
#16 0x564ed19b8de0 in do_cmd apps/openssl.c:564
#17 0x564ed1985165 in main apps/openssl.c:183
#18 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x7f2654134808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f265315a4fd in CRYPTO_malloc crypto/mem.c:221
#2 0x7f265315a4fd in CRYPTO_malloc crypto/mem.c:198
#3 0x7f265315a945 in CRYPTO_zalloc crypto/mem.c:236
#4 0x7f2652e939a4 in ASN1_STRING_type_new crypto/asn1/asn1_lib.c:341
#5 0x7f2652e74e51 in ASN1_mbstring_ncopy crypto/asn1/a_mbstr.c:150
#6 0x7f2652e75ec5 in ASN1_mbstring_copy crypto/asn1/a_mbstr.c:38
#7 0x7f2652e8e227 in asn1_str2type crypto/asn1/asn1_gen.c:681
#8 0x7f2652e8e227 in generate_v3 crypto/asn1/asn1_gen.c:137
#9 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92
#10 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577
#11 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492
#12 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327
#13 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100
#14 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45
#15 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312
#16 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360
#17 0x564ed19d5f25 in req_main apps/req.c:806
#18 0x564ed19b8de0 in do_cmd apps/openssl.c:564
#19 0x564ed1985165 in main apps/openssl.c:183
#20 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23138)
354 lines
9.6 KiB
C
354 lines
9.6 KiB
C
/*
|
|
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include "crypto/ctype.h"
|
|
#include "internal/cryptlib.h"
|
|
#include "internal/unicode.h"
|
|
#include <openssl/asn1.h>
|
|
|
|
static int traverse_string(const unsigned char *p, int len, int inform,
|
|
int (*rfunc) (unsigned long value, void *in),
|
|
void *arg);
|
|
static int in_utf8(unsigned long value, void *arg);
|
|
static int out_utf8(unsigned long value, void *arg);
|
|
static int type_str(unsigned long value, void *arg);
|
|
static int cpy_asc(unsigned long value, void *arg);
|
|
static int cpy_bmp(unsigned long value, void *arg);
|
|
static int cpy_univ(unsigned long value, void *arg);
|
|
static int cpy_utf8(unsigned long value, void *arg);
|
|
|
|
/*
|
|
* These functions take a string in UTF8, ASCII or multibyte form and a mask
|
|
* of permissible ASN1 string types. It then works out the minimal type
|
|
* (using the order Numeric < Printable < IA5 < T61 < BMP < Universal < UTF8)
|
|
* and creates a string of the correct type with the supplied data. Yes this is
|
|
* horrible: it has to be :-( The 'ncopy' form checks minimum and maximum
|
|
* size limits too.
|
|
*/
|
|
|
|
int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
|
|
int inform, unsigned long mask)
|
|
{
|
|
return ASN1_mbstring_ncopy(out, in, len, inform, mask, 0, 0);
|
|
}
|
|
|
|
int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
|
|
int inform, unsigned long mask,
|
|
long minsize, long maxsize)
|
|
{
|
|
int str_type;
|
|
int ret;
|
|
char free_out;
|
|
int outform, outlen = 0;
|
|
ASN1_STRING *dest;
|
|
unsigned char *p;
|
|
int nchar;
|
|
int (*cpyfunc) (unsigned long, void *) = NULL;
|
|
if (len == -1)
|
|
len = strlen((const char *)in);
|
|
if (!mask)
|
|
mask = DIRSTRING_TYPE;
|
|
if (len < 0)
|
|
return -1;
|
|
|
|
/* First do a string check and work out the number of characters */
|
|
switch (inform) {
|
|
|
|
case MBSTRING_BMP:
|
|
if (len & 1) {
|
|
ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_BMPSTRING_LENGTH);
|
|
return -1;
|
|
}
|
|
nchar = len >> 1;
|
|
break;
|
|
|
|
case MBSTRING_UNIV:
|
|
if (len & 3) {
|
|
ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
|
|
return -1;
|
|
}
|
|
nchar = len >> 2;
|
|
break;
|
|
|
|
case MBSTRING_UTF8:
|
|
nchar = 0;
|
|
/* This counts the characters and does utf8 syntax checking */
|
|
ret = traverse_string(in, len, MBSTRING_UTF8, in_utf8, &nchar);
|
|
if (ret < 0) {
|
|
ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING);
|
|
return -1;
|
|
}
|
|
break;
|
|
|
|
case MBSTRING_ASC:
|
|
nchar = len;
|
|
break;
|
|
|
|
default:
|
|
ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_FORMAT);
|
|
return -1;
|
|
}
|
|
|
|
if ((minsize > 0) && (nchar < minsize)) {
|
|
ERR_raise_data(ERR_LIB_ASN1, ASN1_R_STRING_TOO_SHORT,
|
|
"minsize=%ld", minsize);
|
|
return -1;
|
|
}
|
|
|
|
if ((maxsize > 0) && (nchar > maxsize)) {
|
|
ERR_raise_data(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG,
|
|
"maxsize=%ld", maxsize);
|
|
return -1;
|
|
}
|
|
|
|
/* Now work out minimal type (if any) */
|
|
if (traverse_string(in, len, inform, type_str, &mask) < 0) {
|
|
ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_CHARACTERS);
|
|
return -1;
|
|
}
|
|
|
|
/* Now work out output format and string type */
|
|
outform = MBSTRING_ASC;
|
|
if (mask & B_ASN1_NUMERICSTRING)
|
|
str_type = V_ASN1_NUMERICSTRING;
|
|
else if (mask & B_ASN1_PRINTABLESTRING)
|
|
str_type = V_ASN1_PRINTABLESTRING;
|
|
else if (mask & B_ASN1_IA5STRING)
|
|
str_type = V_ASN1_IA5STRING;
|
|
else if (mask & B_ASN1_T61STRING)
|
|
str_type = V_ASN1_T61STRING;
|
|
else if (mask & B_ASN1_BMPSTRING) {
|
|
str_type = V_ASN1_BMPSTRING;
|
|
outform = MBSTRING_BMP;
|
|
} else if (mask & B_ASN1_UNIVERSALSTRING) {
|
|
str_type = V_ASN1_UNIVERSALSTRING;
|
|
outform = MBSTRING_UNIV;
|
|
} else {
|
|
str_type = V_ASN1_UTF8STRING;
|
|
outform = MBSTRING_UTF8;
|
|
}
|
|
if (!out)
|
|
return str_type;
|
|
if (*out) {
|
|
free_out = 0;
|
|
dest = *out;
|
|
ASN1_STRING_set0(dest, NULL, 0);
|
|
dest->type = str_type;
|
|
} else {
|
|
free_out = 1;
|
|
dest = ASN1_STRING_type_new(str_type);
|
|
if (dest == NULL) {
|
|
ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
|
|
return -1;
|
|
}
|
|
*out = dest;
|
|
}
|
|
/* If both the same type just copy across */
|
|
if (inform == outform) {
|
|
if (!ASN1_STRING_set(dest, in, len)) {
|
|
if (free_out) {
|
|
ASN1_STRING_free(dest);
|
|
*out = NULL;
|
|
}
|
|
ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
|
|
return -1;
|
|
}
|
|
return str_type;
|
|
}
|
|
|
|
/* Work out how much space the destination will need */
|
|
switch (outform) {
|
|
case MBSTRING_ASC:
|
|
outlen = nchar;
|
|
cpyfunc = cpy_asc;
|
|
break;
|
|
|
|
case MBSTRING_BMP:
|
|
outlen = nchar << 1;
|
|
cpyfunc = cpy_bmp;
|
|
break;
|
|
|
|
case MBSTRING_UNIV:
|
|
outlen = nchar << 2;
|
|
cpyfunc = cpy_univ;
|
|
break;
|
|
|
|
case MBSTRING_UTF8:
|
|
outlen = 0;
|
|
traverse_string(in, len, inform, out_utf8, &outlen);
|
|
cpyfunc = cpy_utf8;
|
|
break;
|
|
}
|
|
if ((p = OPENSSL_malloc(outlen + 1)) == NULL) {
|
|
if (free_out) {
|
|
ASN1_STRING_free(dest);
|
|
*out = NULL;
|
|
}
|
|
return -1;
|
|
}
|
|
dest->length = outlen;
|
|
dest->data = p;
|
|
p[outlen] = 0;
|
|
traverse_string(in, len, inform, cpyfunc, &p);
|
|
return str_type;
|
|
}
|
|
|
|
/*
|
|
* This function traverses a string and passes the value of each character to
|
|
* an optional function along with a void * argument.
|
|
*/
|
|
|
|
static int traverse_string(const unsigned char *p, int len, int inform,
|
|
int (*rfunc) (unsigned long value, void *in),
|
|
void *arg)
|
|
{
|
|
unsigned long value;
|
|
int ret;
|
|
while (len) {
|
|
if (inform == MBSTRING_ASC) {
|
|
value = *p++;
|
|
len--;
|
|
} else if (inform == MBSTRING_BMP) {
|
|
value = *p++ << 8;
|
|
value |= *p++;
|
|
len -= 2;
|
|
} else if (inform == MBSTRING_UNIV) {
|
|
value = ((unsigned long)*p++) << 24;
|
|
value |= ((unsigned long)*p++) << 16;
|
|
value |= *p++ << 8;
|
|
value |= *p++;
|
|
len -= 4;
|
|
} else {
|
|
ret = UTF8_getc(p, len, &value);
|
|
if (ret < 0)
|
|
return -1;
|
|
len -= ret;
|
|
p += ret;
|
|
}
|
|
if (rfunc) {
|
|
ret = rfunc(value, arg);
|
|
if (ret <= 0)
|
|
return ret;
|
|
}
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/* Various utility functions for traverse_string */
|
|
|
|
/* Just count number of characters */
|
|
|
|
static int in_utf8(unsigned long value, void *arg)
|
|
{
|
|
int *nchar;
|
|
|
|
if (!is_unicode_valid(value))
|
|
return -2;
|
|
nchar = arg;
|
|
(*nchar)++;
|
|
return 1;
|
|
}
|
|
|
|
/* Determine size of output as a UTF8 String */
|
|
|
|
static int out_utf8(unsigned long value, void *arg)
|
|
{
|
|
int *outlen, len;
|
|
|
|
len = UTF8_putc(NULL, -1, value);
|
|
if (len <= 0)
|
|
return len;
|
|
outlen = arg;
|
|
*outlen += len;
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
* Determine the "type" of a string: check each character against a supplied
|
|
* "mask".
|
|
*/
|
|
|
|
static int type_str(unsigned long value, void *arg)
|
|
{
|
|
unsigned long types = *((unsigned long *)arg);
|
|
const int native = value > INT_MAX ? INT_MAX : ossl_fromascii(value);
|
|
|
|
if ((types & B_ASN1_NUMERICSTRING) && !(ossl_isdigit(native)
|
|
|| native == ' '))
|
|
types &= ~B_ASN1_NUMERICSTRING;
|
|
if ((types & B_ASN1_PRINTABLESTRING) && !ossl_isasn1print(native))
|
|
types &= ~B_ASN1_PRINTABLESTRING;
|
|
if ((types & B_ASN1_IA5STRING) && !ossl_isascii(native))
|
|
types &= ~B_ASN1_IA5STRING;
|
|
if ((types & B_ASN1_T61STRING) && (value > 0xff))
|
|
types &= ~B_ASN1_T61STRING;
|
|
if ((types & B_ASN1_BMPSTRING) && (value > 0xffff))
|
|
types &= ~B_ASN1_BMPSTRING;
|
|
if ((types & B_ASN1_UTF8STRING) && !is_unicode_valid(value))
|
|
types &= ~B_ASN1_UTF8STRING;
|
|
if (!types)
|
|
return -1;
|
|
*((unsigned long *)arg) = types;
|
|
return 1;
|
|
}
|
|
|
|
/* Copy one byte per character ASCII like strings */
|
|
|
|
static int cpy_asc(unsigned long value, void *arg)
|
|
{
|
|
unsigned char **p, *q;
|
|
p = arg;
|
|
q = *p;
|
|
*q = (unsigned char)value;
|
|
(*p)++;
|
|
return 1;
|
|
}
|
|
|
|
/* Copy two byte per character BMPStrings */
|
|
|
|
static int cpy_bmp(unsigned long value, void *arg)
|
|
{
|
|
unsigned char **p, *q;
|
|
p = arg;
|
|
q = *p;
|
|
*q++ = (unsigned char)((value >> 8) & 0xff);
|
|
*q = (unsigned char)(value & 0xff);
|
|
*p += 2;
|
|
return 1;
|
|
}
|
|
|
|
/* Copy four byte per character UniversalStrings */
|
|
|
|
static int cpy_univ(unsigned long value, void *arg)
|
|
{
|
|
unsigned char **p, *q;
|
|
p = arg;
|
|
q = *p;
|
|
*q++ = (unsigned char)((value >> 24) & 0xff);
|
|
*q++ = (unsigned char)((value >> 16) & 0xff);
|
|
*q++ = (unsigned char)((value >> 8) & 0xff);
|
|
*q = (unsigned char)(value & 0xff);
|
|
*p += 4;
|
|
return 1;
|
|
}
|
|
|
|
/* Copy to a UTF8String */
|
|
|
|
static int cpy_utf8(unsigned long value, void *arg)
|
|
{
|
|
unsigned char **p;
|
|
int ret;
|
|
p = arg;
|
|
/* We already know there is enough room so pass 0xff as the length */
|
|
ret = UTF8_putc(*p, 0xff, value);
|
|
*p += ret;
|
|
return 1;
|
|
}
|