curl-tracker Archives

[curl:bugs] #1289 ASN1_STRING string validation in ssluse.c

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Sat, 19 Oct 2013 21:08:42 +0000

I disagree. The fault could also easily just be a bug in a generator or a human error somewhere. I don't think the only single imaginable explanation is "under attack" - or even if it were I'm not sure it'd warrant a different action!

---
**[bugs:#1289] ASN1_STRING string validation in ssluse.c**
**Status:** pending-invalid
**Created:** Sun Oct 13, 2013 09:00 AM UTC by Jeffrey Walton
**Last Updated:** Sun Oct 13, 2013 08:43 PM UTC
**Owner:** Daniel Stenberg

        // From ssluse.c, around line 1095
        const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
        size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
        switch(target) {
        case GEN_DNS: /* name/pattern comparison */
          /* The OpenSSL man page explicitly says: "In general it cannot be
             assumed that the data returned by ASN1_STRING_data() is null
             terminated or does not contain embedded nulls." But also that
             "The actual format of the data will depend on the actual string
             type itself: for example for and IA5String the data will be ASCII"
             Gisle researched the OpenSSL sources:
             "I checked the 0.9.6 and 0.9.8 sources before my patch and
             it always 0-terminates an IA5String."
          */
          if((altlen == strlen(altptr)) &&
             /* if this isn't true, there was an embedded zero in the name
                string and we cannot match it. */
             Curl_cert_hostcheck(altptr, conn->host.name))
            matched = 1;
          else
            ...

The check above on the ASN1_STRING length is weak at best. If a certificate is encountered in the field such that `altlen != strlen(altptr)`, then you are probably dealing with malicious input, and the attacker's input should simply be rejected. Don't process it anymore.
"Breaking SSL with null characters" and "More Tricks For Defeating SSL".
Received on 2013-10-19
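
An added illustration, not part of the mail above or of curl's code: a length-bounded check of one dNSName entry that reports an embedded NUL as its own "malformed" result, without assuming the buffer is NUL-terminated. `check_dns_san`, `san_result` and the sample buffers are hypothetical and constructed; `data`/`len` stand in for what `ASN1_STRING_data()` and `ASN1_STRING_length()` return, and wildcard matching is left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Outcome of checking one dNSName entry against the expected host. */
enum san_result { SAN_MATCH, SAN_NO_MATCH, SAN_MALFORMED };

/*
 * Hypothetical helper (not curl's). The buffer is only ever read up to
 * len bytes, so strlen() is never called on certificate data.
 */
enum san_result check_dns_san(const unsigned char *data, size_t len,
                              const char *host)
{
  size_t i, hostlen = strlen(host);

  /* Empty entry, or a NUL byte inside the declared length. */
  if(len == 0 || memchr(data, 0, len) != NULL)
    return SAN_MALFORMED;

  if(len != hostlen)
    return SAN_NO_MATCH;

  /* Exact, case-insensitive comparison (assumption: no wildcards). */
  for(i = 0; i < len; i++) {
    if(tolower(data[i]) != tolower((unsigned char)host[i]))
      return SAN_NO_MATCH;
  }
  return SAN_MATCH;
}

/* Constructed sample inputs; the second carries an embedded NUL. */
static const unsigned char san_plain[] = "www.example.com";
static const unsigned char san_nul[]   = "www.example.com\0.invalid.test";

int main(void)
{
  const char *host = "www.example.com";
  /* sizeof - 1 is the declared length, as ASN1_STRING_length() would give. */
  int ok = check_dns_san(san_plain, sizeof(san_plain) - 1, host) == SAN_MATCH
        && check_dns_san(san_nul, sizeof(san_nul) - 1, host) == SAN_MALFORMED;
  return ok ? 0 : 1;
}
```

The caller can then choose whether `SAN_MALFORMED` is treated the same as a non-match or handled separately.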
