zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
openssl/test/recipes/25-test_eai_data.t
Viktor Dukhovni 0890cd13d4 Avoid type errors in EAI-related name check logic. 
The incorrectly typed data is read only, used in a compare operation, so
neither remote code execution, nor memory content disclosure were possible.
However, applications performing certificate name checks were vulnerable to
denial of service.

The GENERAL_TYPE data type is a union, and we must take care to access the
correct member, based on `gen->type`, not all the member fields have the same
structure, and a segfault is possible if the wrong member field is read.

The code in question was lightly refactored with the intent to make it more
obviously correct.

Fixes CVE-2024-6119

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2024-09-03 11:58:40 +02:00

83 lines
4.2 KiB
Perl
Raw Blame History

#! /usr/bin/env perl
# Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec;
use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file with/;
setup("test_eai_data");
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
plan tests => 16;
require_ok(srctop_file('test','recipes','tconversion.pl'));
my $folder = "test/recipes/25-test_eai_data";
my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
my $utf8_pem = srctop_file($folder, "utf8_leaf.pem");
my $kdc_pem = srctop_file($folder, "kdc-cert.pem");
my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem");
my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem");
my $out;
my $outcnt = 0;
sub outname {
$outcnt++;
return "sanout-$outcnt.tmp";
}
$out = outname();
ok(run(app(["openssl", "x509", "-ext", "subjectAltName", "-in", $ascii_pem, "-noout", "-out", $out])));
is(cmp_text($out, srctop_file($folder, "san.ascii")), 0, 'Comparing othername for ASCII domain');
$out = outname();
ok(run(app(["openssl", "x509", "-ext", "subjectAltName", "-in", $utf8_pem, "-noout", "-out", $out])));
is(cmp_text($out, srctop_file($folder, "san.utf8")), 0, 'Comparing othername for IDN domain');
SKIP: {
skip "Unicode tests disabled on MingW", 2 if $^O =~ /^msys$/;
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", "学生\@elementary.school.example.com", "-CAfile", $ascii_chain_pem, $ascii_pem])));
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", "医生\@大学.example.com", "-CAfile", $utf8_chain_pem, $utf8_pem])));
}
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem])));
# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
#Check that we get the expected failure return code
with({ exit_checker => sub { return shift == 2; } },
sub {
ok(run(app(["openssl", "verify", "-CAfile",
srctop_file("test", "certs", "bad-othername-namec.pem"),
"-partial_chain", "-no_check_time", "-verify_email",
'foo@example.com',
srctop_file("test", "certs", "bad-othername-namec.pem")])));
});
Reference in New Issue View Git Blame Copy Permalink