diff -Naur openswan-2.6.32-orig/include/asn1.h openswan-2.6.32/include/asn1.h
--- openswan-2.6.32-orig/include/asn1.h 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32/include/asn1.h 2013-04-24 13:11:05.799140126 -0400
@@ -84,8 +84,10 @@
#define ASN1_BODY 0x20
#define ASN1_RAW 0x40
-#define ASN1_INVALID_LENGTH 0xffffffff
+#define ASN1_INVALID_LENGTH (~(size_t) 0) /* largest size_t */
+#define ASN1_MAX_LEN (1U << (8*3)) /* don't handle objects with length greater than this */
+#define ASN1_MAX_LEN_LEN 4 /* no coded length takes more than 4 bytes. */
/* definition of an ASN.1 object */
diff -Naur openswan-2.6.32-orig/include/id.h openswan-2.6.32/include/id.h
--- openswan-2.6.32-orig/include/id.h 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32/include/id.h 2013-04-24 13:11:05.799140126 -0400
@@ -46,7 +46,7 @@
extern const struct id *resolve_myid(const struct id *id);
extern void set_myFQDN(void);
-extern err_t atoid(char *src, struct id *id, bool myid_ok);
+extern err_t atoid(char *src, struct id *id, bool myid_ok, bool oe_only);
extern void iptoid(const ip_address *ip, struct id *id);
extern unsigned char* temporary_cyclic_buffer(void);
extern int idtoa(const struct id *id, char *dst, size_t dstlen);
diff -Naur openswan-2.6.32-orig/lib/libopenswan/id.c openswan-2.6.32/lib/libopenswan/id.c
--- openswan-2.6.32-orig/lib/libopenswan/id.c 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32/lib/libopenswan/id.c 2013-04-24 13:11:05.799140126 -0400
@@ -57,27 +57,29 @@
/* Convert textual form of id into a (temporary) struct id.
* Note that if the id is to be kept, unshare_id_content will be necessary.
+ * This function should be split into parts so the boolean arguments can be
+ * removed -- Paul
*/
err_t
-atoid(char *src, struct id *id, bool myid_ok)
+atoid(char *src, struct id *id, bool myid_ok, bool oe_only)
{
err_t ugh = NULL;
*id = empty_id;
- if (myid_ok && streq("%myid", src))
+ if (!oe_only && myid_ok && streq("%myid", src))
{
id->kind = ID_MYID;
}
- else if (streq("%fromcert", src))
+ else if (!oe_only && streq("%fromcert", src))
{
id->kind = ID_FROMCERT;
}
- else if (streq("%none", src))
+ else if (!oe_only && streq("%none", src))
{
id->kind = ID_NONE;
}
- else if (strchr(src, '=') != NULL)
+ else if (!oe_only && strchr(src, '=') != NULL)
{
/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN */
id->kind = ID_DER_ASN1_DN;
@@ -111,7 +113,7 @@
{
if (*src == '@')
{
- if (*(src+1) == '#')
+ if (!oe_only && *(src+1) == '#')
{
/* if there is a second specifier (#) on the line
* we interprete this as ID_KEY_ID
@@ -122,7 +124,7 @@
ugh = ttodata(src+2, 0, 16, (char *)id->name.ptr
, strlen(src), &id->name.len);
}
- else if (*(src+1) == '~')
+ else if (!oe_only && *(src+1) == '~')
{
/* if there is a second specifier (~) on the line
* we interprete this as a binary ID_DER_ASN1_DN
@@ -133,7 +135,7 @@
ugh = ttodata(src+2, 0, 16, (char *)id->name.ptr
, strlen(src), &id->name.len);
}
- else if (*(src+1) == '[')
+ else if (!oe_only && *(src+1) == '[')
{
/* if there is a second specifier ([) on the line
* we interprete this as a text ID_KEY_ID, and we remove
diff -Naur openswan-2.6.32-orig/lib/libopenswan/secrets.c openswan-2.6.32/lib/libopenswan/secrets.c
--- openswan-2.6.32-orig/lib/libopenswan/secrets.c 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32/lib/libopenswan/secrets.c 2013-04-24 13:11:05.800140140 -0400
@@ -1299,7 +1299,7 @@
}
else
{
- ugh = atoid(flp->tok, &id, FALSE);
+ ugh = atoid(flp->tok, &id, FALSE, FALSE);
}
if (ugh != NULL)
diff -Naur openswan-2.6.32-orig/lib/libopenswan/x509dn.c openswan-2.6.32/lib/libopenswan/x509dn.c
--- openswan-2.6.32-orig/lib/libopenswan/x509dn.c 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32/lib/libopenswan/x509dn.c 2013-04-24 13:11:05.801140153 -0400
@@ -476,7 +476,7 @@
{"TCGID" , {oid_TCGID, 12}, ASN1_PRINTABLESTRING}
};
-#define X501_RDN_ROOF 24
+#define X501_RDN_ROOF elemsof(x501rdns)
/* Maximum length of ASN.1 distinquished name */
#define ASN1_BUF_LEN 512
@@ -746,11 +746,11 @@
UNKNOWN_OID = 4
} state_t;
- u_char oid_len_buf[3];
- u_char name_len_buf[3];
- u_char rdn_seq_len_buf[3];
- u_char rdn_set_len_buf[3];
- u_char dn_seq_len_buf[3];
+ u_char oid_len_buf[ASN1_MAX_LEN_LEN];
+ u_char name_len_buf[ASN1_MAX_LEN_LEN];
+ u_char rdn_seq_len_buf[ASN1_MAX_LEN_LEN];
+ u_char rdn_set_len_buf[ASN1_MAX_LEN_LEN];
+ u_char dn_seq_len_buf[ASN1_MAX_LEN_LEN];
chunk_t asn1_oid_len = { oid_len_buf, 0 };
chunk_t asn1_name_len = { name_len_buf, 0 };
@@ -768,7 +768,7 @@
err_t ugh = NULL;
- u_char *dn_ptr = dn->ptr + 4;
+ u_char *dn_ptr = dn->ptr + 1 + ASN1_MAX_LEN_LEN; /* leave room for prefix */
state_t state = SEARCH_OID;
@@ -841,25 +841,37 @@
code_asn1_length(rdn_set_len, &asn1_rdn_set_len);
/* encode the relative distinguished name */
- *dn_ptr++ = ASN1_SET;
- chunkcpy(dn_ptr, asn1_rdn_set_len);
- *dn_ptr++ = ASN1_SEQUENCE;
- chunkcpy(dn_ptr, asn1_rdn_seq_len);
- *dn_ptr++ = ASN1_OID;
- chunkcpy(dn_ptr, asn1_oid_len);
- chunkcpy(dn_ptr, x501rdns[pos].oid);
- /* encode the ASN.1 character string type of the name */
- *dn_ptr++ = (x501rdns[pos].type == ASN1_PRINTABLESTRING
- && !is_printablestring(name))? ASN1_T61STRING : x501rdns[pos].type;
- chunkcpy(dn_ptr, asn1_name_len);
- chunkcpy(dn_ptr, name);
-
- /* accumulate the length of the distinguished name sequence */
- dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len;
-
- /* reset name and change state */
- name = empty_chunk;
- state = SEARCH_OID;
+ if (IDTOA_BUF < dn_ptr - dn->ptr
+ + 1 + asn1_rdn_set_len.len /* set */
+ + 1 + asn1_rdn_seq_len.len /* sequence */
+ + 1 + asn1_oid_len.len + x501rdns[pos].oid.len /* oid len, oid */
+ + 1 + asn1_name_len.len + name.len /* type name */
+ ) {
+ /* no room! */
+ ugh = "DN is too big";
+ state = UNKNOWN_OID;
+ /* I think that it is safe to continue (but perhaps pointless) */
+ } else {
+ *dn_ptr++ = ASN1_SET;
+ chunkcpy(dn_ptr, asn1_rdn_set_len);
+ *dn_ptr++ = ASN1_SEQUENCE;
+ chunkcpy(dn_ptr, asn1_rdn_seq_len);
+ *dn_ptr++ = ASN1_OID;
+ chunkcpy(dn_ptr, asn1_oid_len);
+ chunkcpy(dn_ptr, x501rdns[pos].oid);
+ /* encode the ASN.1 character string type of the name */
+ *dn_ptr++ = (x501rdns[pos].type == ASN1_PRINTABLESTRING
+ && !is_printablestring(name))? ASN1_T61STRING : x501rdns[pos].type;
+ chunkcpy(dn_ptr, asn1_name_len);
+ chunkcpy(dn_ptr, name);
+
+ /* accumulate the length of the distinguished name sequence */
+ dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len;
+
+ /* reset name and change state */
+ name = empty_chunk;
+ state = SEARCH_OID;
+ }
}
break;
case UNKNOWN_OID:
@@ -867,9 +879,10 @@
}
} while (*src++ != '\0');
- /* complete the distinguished name sequence*/
- code_asn1_length(dn_seq_len, &asn1_dn_seq_len);
- dn->ptr += 3 - asn1_dn_seq_len.len;
+ /* complete the distinguished name sequence: prefix it with ASN1_SEQUENCE and length */
+
+ code_asn1_length((size_t)dn_seq_len, &asn1_dn_seq_len);
+ dn->ptr += ASN1_MAX_LEN_LEN + 1 - 1 - asn1_dn_seq_len.len;
dn->len = 1 + asn1_dn_seq_len.len + dn_seq_len;
dn_ptr = dn->ptr;
*dn_ptr++ = ASN1_SEQUENCE;
diff -Naur openswan-2.6.32-orig/programs/pluto/connections.c openswan-2.6.32/programs/pluto/connections.c
--- openswan-2.6.32-orig/programs/pluto/connections.c 2013-04-24 13:10:30.520656796 -0400
+++ openswan-2.6.32/programs/pluto/connections.c 2013-04-24 13:11:05.802140167 -0400
@@ -891,7 +891,7 @@
}
else
{
- err_t ugh = atoid(src->id, &dst->id, TRUE);
+ err_t ugh = atoid(src->id, &dst->id, TRUE, FALSE);
if (ugh != NULL)
{
diff -Naur openswan-2.6.32-orig/programs/pluto/dnskey.c openswan-2.6.32/programs/pluto/dnskey.c
--- openswan-2.6.32-orig/programs/pluto/dnskey.c 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32/programs/pluto/dnskey.c 2013-04-24 13:11:05.803140181 -0400
@@ -289,8 +289,12 @@
if (*p == '@')
{
/* gateway specification in this record is @FQDN */
- err_t ugh = atoid(p, gw_id, FALSE);
+ if(strspn(p," ") >= IDTOA_BUF) {
+ return builddiag("malformed FQDN in TXT " our_TXT_attr_string ": ID too large for IDTOA_BUF");
+ }
+
+ err_t ugh = atoid(p, gw_id, FALSE, TRUE); /* only run OE related parts of atoid() */
if (ugh != NULL)
return builddiag("malformed FQDN in TXT " our_TXT_attr_string ": %s"
, ugh);
diff -Naur openswan-2.6.32-orig/programs/pluto/myid.c openswan-2.6.32/programs/pluto/myid.c
--- openswan-2.6.32-orig/programs/pluto/myid.c 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32/programs/pluto/myid.c 2013-04-24 13:11:05.803140181 -0400
@@ -103,7 +103,7 @@
if (idstr != NULL)
{
struct id id;
- err_t ugh = atoid(idstr, &id, FALSE);
+ err_t ugh = atoid(idstr, &id, FALSE, FALSE);
if (ugh != NULL)
{
diff -Naur openswan-2.6.32-orig/programs/pluto/rcv_whack.c openswan-2.6.32/programs/pluto/rcv_whack.c
--- openswan-2.6.32-orig/programs/pluto/rcv_whack.c 2013-04-24 13:10:30.392655041 -0400
+++ openswan-2.6.32/programs/pluto/rcv_whack.c 2013-04-24 13:11:05.803140181 -0400
@@ -243,7 +243,7 @@
key_add_request(const struct whack_message *msg)
{
struct id keyid;
- err_t ugh = atoid(msg->keyid, &keyid, FALSE);
+ err_t ugh = atoid(msg->keyid, &keyid, FALSE, FALSE);
if (ugh != NULL)
{
diff -Naur openswan-2.6.32-orig/programs/showhostkey/showhostkey.c openswan-2.6.32/programs/showhostkey/showhostkey.c
--- openswan-2.6.32-orig/programs/showhostkey/showhostkey.c 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32/programs/showhostkey/showhostkey.c 2013-04-24 13:11:05.804140194 -0400
@@ -208,7 +208,7 @@
struct secret *s;
err_t e;
- e = atoid(idname, &id, FALSE);
+ e = atoid(idname, &id, FALSE, FALSE);
if(e) {
printf("%s: key '%s' is invalid\n", progname, idname);
exit(4);
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
e8916e5cb6487118130934db089d8fa5
>
files
>
35
