Mirror 1165270e73508b9fb3dfdc0294a5926d56679c75 in other d2i's
authorAlberto Leiva Popper <ydahhrk@gmail.com>
Thu, 23 May 2024 22:15:37 +0000 (16:15 -0600)
committerAlberto Leiva Popper <ydahhrk@gmail.com>
Thu, 23 May 2024 22:15:37 +0000 (16:15 -0600)
Also, fix memory leak in signed_data.c.

src/asn1/asn1c/Certificate.c
src/asn1/signed_data.c
src/object/certificate.c
src/slurm/slurm_parser.c

index 7352786eacfeb056edf34658a5600acd2ca7412a..807b890d29a4083a29e7c9e1f47a37a606a9e3b8 100644 (file)
@@ -5,6 +5,7 @@
 #include "extension.h"
 #include "json_util.h"
 #include "libcrypto_util.h"
+#include "log.h"
 
 static json_t *
 validity2json(X509 *x)
@@ -172,7 +173,7 @@ fail:       json_decref(parent);
 json_t *
 Certificate_any2json(ANY_t *ber)
 {
-       const unsigned char *tmp;
+       unsigned char const *origin, *cursor;
        X509 *cert;
        json_t *json;
 
@@ -182,11 +183,14 @@ Certificate_any2json(ANY_t *ber)
         * (https://www.openssl.org/docs/man1.0.2/crypto/d2i_X509_fp.html)
         * We don't want @ber->buf modified, so use a dummy pointer.
         */
-       tmp = (const unsigned char *) ber->buf;
+       origin = (unsigned char const *) ber->buf;
+       cursor = origin;
 
-       cert = d2i_X509(NULL, &tmp, ber->size);
+       cert = d2i_X509(NULL, &cursor, ber->size);
        if (cert == NULL)
                return NULL;
+       if (cursor != origin + ber->size)
+               pr_op_warn("There's trailing garbage after one of the certificates.");
 
        json = x509_to_json(cert);
 
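Review bot: The trailing-bytes check after `d2i_X509()` in Certificate_any2json only logs and then carries on to `x509_to_json(cert)`, whereas the other d2i call sites touched by this commit (decode_spki, validate_router_spki) reject the input outright. If the leniency is deliberate (the function only builds JSON, so it may be a display path rather than a validation path), a comment above the check should say so, for example `/* Print path: report trailing bytes but still dump what was decoded. */`. The message also gives no way to tell which certificate is affected; reporting the leftover length, `(origin + ber->size) - cursor`, would help whoever triages the warning, assuming pr_op_warn accepts a format string. The function body continues outside the hunk.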
index 1604ccc5836fae2f8cf67a8884006f63322254cc..41ebf911ebab94214ec7bb3fced2faed9ef1a0b9 100644 (file)
@@ -82,7 +82,7 @@ handle_sdata_certificate(ANY_t *cert_encoded, struct ee_cert *ee,
        }
        if (tmp != otmp + cert_encoded->size) {
                error = val_crypto_err("Signed object's 'certificate' element contains trailing garbage");
-               goto end1;
+               goto end2;
        }
 
        x509_name_pr_debug("Issuer", X509_get_issuer_name(cert));
index 50524882c36aa69b21b351c6a55b8ec0f443160e..876eb8354df58e31353739137d1574d64fcd43b3 100644 (file)
@@ -242,6 +242,35 @@ validate_subject(X509 *cert)
        return error;
 }
 
+static X509_PUBKEY *
+decode_spki(struct tal *tal)
+{
+       X509_PUBKEY *spki = NULL;
+       unsigned char const *origin, *cursor;
+       size_t len;
+
+       fnstack_push(tal_get_file_name(tal));
+       tal_get_spki(tal, &origin, &len);
+       cursor = origin;
+       spki = d2i_X509_PUBKEY(NULL, &cursor, len);
+
+       if (spki == NULL) {
+               op_crypto_err("The public key cannot be decoded.");
+               goto fail;
+       }
+       if (cursor != origin + len) {
+               X509_PUBKEY_free(spki);
+               op_crypto_err("The public key contains trailing garbage.");
+               goto fail;
+       }
+
+       fnstack_pop();
+       return spki;
+
+fail:  fnstack_pop();
+       return NULL;
+}
+
 static int
 root_different_alg_err(void)
 {
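Review bot: decode_spki has no comment stating that the caller owns the returned X509_PUBKEY and must release it with X509_PUBKEY_free(), and the signed_data.c leak fixed in this same commit shows how easily that kind of contract is missed. I would add above the function `/* Decodes the TAL's SPKI; returns NULL if it is undecodable or has trailing bytes. Caller frees with X509_PUBKEY_free(). */`. As a style point, the trailing-garbage branch frees inline and then jumps to `fail:`, so two exits both call fnstack_pop(); setting `spki = NULL;` after the free and falling through to a single `fnstack_pop(); return spki;` would leave one exit path to maintain.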
@@ -259,10 +288,7 @@ validate_spki(X509_PUBKEY *cert_spki)
 {
        struct validation *state;
        struct tal *tal;
-
        X509_PUBKEY *tal_spki;
-       unsigned char const *_tal_spki;
-       size_t _tal_spki_len;
 
        state = state_retrieve();
 
@@ -288,29 +314,20 @@ validate_spki(X509_PUBKEY *cert_spki)
         * Reminder: "X509_PUBKEY" and "Subject Public Key Info" are synonyms.
         */
 
-       fnstack_push(tal_get_file_name(tal));
-       tal_get_spki(tal, &_tal_spki, &_tal_spki_len);
-       tal_spki = d2i_X509_PUBKEY(NULL, &_tal_spki, _tal_spki_len);
-       fnstack_pop();
-
-       if (tal_spki == NULL) {
-               op_crypto_err("The TAL's public key cannot be decoded");
-               goto fail1;
-       }
+       tal_spki = decode_spki(tal);
+       if (tal_spki == NULL)
+               return -EINVAL;
 
        if (spki_cmp(tal_spki, cert_spki, root_different_alg_err,
-           root_different_pk_err) != 0)
-               goto fail2;
+           root_different_pk_err) != 0) {
+               X509_PUBKEY_free(tal_spki);
+               validation_pubkey_invalid(state);
+               return -EINVAL;
+       }
 
        X509_PUBKEY_free(tal_spki);
        validation_pubkey_valid(state);
        return 0;
-
-fail2:
-       X509_PUBKEY_free(tal_spki);
-fail1:
-       validation_pubkey_invalid(state);
-       return -EINVAL;
 }
 
 /*
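Review bot: The new early return after `decode_spki(tal)` skips `validation_pubkey_invalid(state)`, which the removed `fail1:` label used to run when the TAL's key could not be decoded. An undecodable or over-long TAL key now returns -EINVAL but leaves the validation state's public-key status as it was, while the `spki_cmp` mismatch branch still marks it invalid. Whether anything reads that status after a failure is not visible here, but keeping the two failure paths consistent is the safer default: `if (tal_spki == NULL) { validation_pubkey_invalid(state); return -EINVAL; }`. validate_spki starts outside this hunk.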
index e03f3d28ceace9fd59b17e0bc058eb32ea5d281e..9c236e095919fb5b1e939b8a218ab5d6d1529f2e 100644 (file)
@@ -262,17 +262,23 @@ set_ski(json_t *object, bool is_assertion, struct slurm_bgpsec *result,
 static int
 validate_router_spki(unsigned char *data, size_t len)
 {
-       unsigned char const *tmp;
+       unsigned char const *origin, *cursor;
        X509_PUBKEY *spki;
        X509_ALGOR *pa;
        ASN1_OBJECT *alg;
        int ok;
        int error;
 
-       tmp = data;
-       spki = d2i_X509_PUBKEY(NULL, &tmp, len);
+       origin = data;
+       cursor = origin;
+
+       spki = d2i_X509_PUBKEY(NULL, &cursor, len);
        if (spki == NULL)
                return op_crypto_err("Not a valid router public key");
+       if (cursor != origin + len) {
+               X509_PUBKEY_free(spki);
+               return op_crypto_err("Router public key contains trailing garbage.");
+       }
 
        ok = X509_PUBKEY_get0_param(&alg, NULL, NULL, &pa, spki);
        if (!ok) {