zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
openssl/test/recipes/25-test_eai_data/kdc.sh
Viktor Dukhovni 0890cd13d4 Avoid type errors in EAI-related name check logic. 
The incorrectly typed data is read only, used in a compare operation, so
neither remote code execution, nor memory content disclosure were possible.
However, applications performing certificate name checks were vulnerable to
denial of service.

The GENERAL_TYPE data type is a union, and we must take care to access the
correct member, based on `gen->type`, not all the member fields have the same
structure, and a segfault is possible if the wrong member field is read.

The code in question was lightly refactored with the intent to make it more
obviously correct.

Fixes CVE-2024-6119

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2024-09-03 11:58:40 +02:00

42 lines
1.7 KiB
Bash
Executable File
Raw Blame History

#! /usr/bin/env bash
# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should
# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
# should likewise lead to ASAN issues with email name checks.
rm -f root-key.pem root-cert.pem
openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
-x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
exts=$(
printf "%s\n%s\n%s\n%s = " \
"subjectKeyIdentifier = hash" \
"authorityKeyIdentifier = keyid" \
"basicConstraints = CA:false" \
"subjectAltName"
printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
printf "%s, " "email:joe@example.com"
printf "%s\n" "DNS:mx1.example.com"
printf "[kdc_princ_name]\n"
printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
printf "[kdc_principal_seq]\n"
printf "name_type = EXP:0, INTEGER:1\n"
printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
printf "[kdc_principal_components]\n"
printf "princ1 = GeneralString:krbtgt\n"
printf "princ2 = GeneralString:TEST.EXAMPLE\n"
)
printf "%s\n" "$exts"
openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
-subj "/CN=TEST.EXAMPLE" |
openssl x509 -req -out kdc-cert.pem \
-CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
-set_serial 2 -days 36524 \
-extfile <(printf "%s\n" "$exts")
Reference in New Issue View Git Blame Copy Permalink