1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
|
From e3d4fe2be3bda0d9acc985a6cd67efe249d8326c Mon Sep 17 00:00:00 2001
From: Andreas Steffen <andreas.steffen@strongswan.org>
Date: Fri, 5 May 2017 09:01:08 +0200
Subject: [PATCH] asn1-parser: Fix CHOICE parsing
Also fixes the application in the x509 plugin and the parsing of
nameConstraints, which doesn't require a loop.
Fixes: CVE-2017-9023
---
src/libstrongswan/asn1/asn1_parser.c | 70 +++++++++++++++---
src/libstrongswan/asn1/asn1_parser.h | 27 +++----
src/libstrongswan/plugins/x509/x509_cert.c | 115 +++++++++++++++--------------
3 files changed, 135 insertions(+), 77 deletions(-)
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index e7b7a428d9a2..4d5f799b73a9 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -1,8 +1,7 @@
/*
* Copyright (C) 2006 Martin Will
- * Copyright (C) 2000-2008 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2000-2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -76,12 +75,18 @@ struct private_asn1_parser_t {
* Current parsing pointer for each level
*/
chunk_t blobs[ASN1_MAX_LEVEL + 2];
+
+ /**
+ * Parsing a CHOICE on the current level ?
+ */
+ bool choice[ASN1_MAX_LEVEL + 2];
+
};
METHOD(asn1_parser_t, iterate, bool,
private_asn1_parser_t *this, int *objectID, chunk_t *object)
{
- chunk_t *blob, *blob1;
+ chunk_t *blob, *blob1, blob_ori;
u_char *start_ptr;
u_int level;
asn1Object_t obj;
@@ -97,7 +102,7 @@ METHOD(asn1_parser_t, iterate, bool,
return FALSE;
}
- if (obj.flags & ASN1_END) /* end of loop or option found */
+ if (obj.flags & ASN1_END) /* end of loop or choice or option found */
{
if (this->loopAddr[obj.level] && this->blobs[obj.level+1].len > 0)
{
@@ -106,13 +111,42 @@ METHOD(asn1_parser_t, iterate, bool,
}
else
{
- this->loopAddr[obj.level] = 0; /* exit loop or option*/
+ this->loopAddr[obj.level] = 0; /* exit loop */
+
+ if (obj.flags & ASN1_CHOICE) /* end of choices */
+ {
+ if (this->choice[obj.level+1])
+ {
+ DBG1(DBG_ASN, "L%d - %s: incorrect choice encoding",
+ this->level0 + obj.level, obj.name);
+ this->success = FALSE;
+ goto end;
+ }
+ }
+
+ if (obj.flags & ASN1_CH) /* end of choice */
+ {
+ /* parsed a valid choice */
+ this->choice[obj.level] = FALSE;
+
+ /* advance to end of choices */
+ do
+ {
+ this->line++;
+ }
+ while (!((this->objects[this->line].flags & ASN1_END) &&
+ (this->objects[this->line].flags & ASN1_CHOICE) &&
+ (this->objects[this->line].level == obj.level-1)));
+ this->line--;
+ }
+
goto end;
}
}
level = this->level0 + obj.level;
blob = this->blobs + obj.level;
+ blob_ori = *blob;
blob1 = blob + 1;
start_ptr = blob->ptr;
@@ -129,7 +163,6 @@ METHOD(asn1_parser_t, iterate, bool,
}
/* handle ASN.1 options */
-
if ((obj.flags & ASN1_OPT)
&& (blob->len == 0 || *start_ptr != obj.type))
{
@@ -144,7 +177,6 @@ METHOD(asn1_parser_t, iterate, bool,
}
/* an ASN.1 object must possess at least a tag and length field */
-
if (blob->len < 2)
{
DBG1(DBG_ASN, "L%d - %s: ASN.1 object smaller than 2 octets",
@@ -167,8 +199,16 @@ METHOD(asn1_parser_t, iterate, bool,
blob->ptr += blob1->len;
blob->len -= blob1->len;
- /* return raw ASN.1 object without prior type checking */
+ /* handle ASN.1 choice without explicit context encoding */
+ if ((obj.flags & ASN1_CHOICE) && obj.type == ASN1_EOC)
+ {
+ DBG2(DBG_ASN, "L%d - %s:", level, obj.name);
+ this->choice[obj.level+1] = TRUE;
+ *blob1 = blob_ori;
+ goto end;
+ }
+ /* return raw ASN.1 object without prior type checking */
if (obj.flags & ASN1_RAW)
{
DBG2(DBG_ASN, "L%d - %s:", level, obj.name);
@@ -209,6 +249,18 @@ METHOD(asn1_parser_t, iterate, bool,
}
}
+ /* In case of a "CHOICE" start to scan for exactly one valid choice */
+ if (obj.flags & ASN1_CHOICE)
+ {
+ if (blob1->len == 0)
+ {
+ DBG1(DBG_ASN, "L%d - %s: contains no choice", level, obj.name);
+ this->success = FALSE;
+ goto end;
+ }
+ this->choice[obj.level+1] = TRUE;
+ }
+
if (obj.flags & ASN1_OBJ)
{
object->ptr = start_ptr;
diff --git a/src/libstrongswan/asn1/asn1_parser.h b/src/libstrongswan/asn1/asn1_parser.h
index 0edc22c2378c..2ee1e892fc16 100644
--- a/src/libstrongswan/asn1/asn1_parser.h
+++ b/src/libstrongswan/asn1/asn1_parser.h
@@ -1,8 +1,7 @@
/*
* Copyright (C) 2006 Martin Will
- * Copyright (C) 2000-2008 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2000-2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -32,15 +31,17 @@
/**
* Definition of ASN.1 flags
*/
-#define ASN1_NONE 0x00
-#define ASN1_DEF 0x01
-#define ASN1_OPT 0x02
-#define ASN1_LOOP 0x04
-#define ASN1_END 0x08
-#define ASN1_OBJ 0x10
-#define ASN1_BODY 0x20
-#define ASN1_RAW 0x40
-#define ASN1_EXIT 0x80
+#define ASN1_NONE 0x0000
+#define ASN1_DEF 0x0001
+#define ASN1_OPT 0x0002
+#define ASN1_LOOP 0x0004
+#define ASN1_CHOICE 0x0008
+#define ASN1_CH 0x0010
+#define ASN1_END 0x0020
+#define ASN1_OBJ 0x0040
+#define ASN1_BODY 0x0080
+#define ASN1_RAW 0x0100
+#define ASN1_EXIT 0x0200
typedef struct asn1Object_t asn1Object_t;
@@ -51,7 +52,7 @@ struct asn1Object_t{
u_int level;
const u_char *name;
asn1_t type;
- u_char flags;
+ uint16_t flags;
};
typedef struct asn1_parser_t asn1_parser_t;
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index b3d90c5f61ef..f9573e953cbf 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -2,10 +2,10 @@
* Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
* Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
* Copyright (C) 2002 Mario Strasser
- * Copyright (C) 2000-2006 Andreas Steffen
+ * Copyright (C) 2000-2017 Andreas Steffen
* Copyright (C) 2006-2009 Martin Willi
* Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -789,20 +789,20 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0,
* ASN.1 definition of crlDistributionPoints
*/
static const asn1Object_t crlDistributionPointsObjects[] = {
- { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
- { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
- { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
- { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
- { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
- { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
+ { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_CHOICE }, /* 2 */
+ { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
+ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 4 */
+ { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
+ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 6 */
+ { 2, "end opt/choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 7 */
+ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
+ { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
};
#define CRL_DIST_POINTS 1
#define CRL_DIST_POINTS_FULLNAME 3
@@ -910,14 +910,13 @@ end:
* ASN.1 definition of nameConstraints
*/
static const asn1Object_t nameConstraintsObjects[] = {
- { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
{ 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */
{ 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */
{ 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */
{ 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */
{ 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
{ 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
#define NAME_CONSTRAINT_PERMITTED 2
@@ -974,25 +973,27 @@ end:
* ASN.1 definition of a certificatePolicies extension
*/
static const asn1Object_t certificatePoliciesObject[] = {
- { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
- { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
- { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
- { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
- { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
- { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
- { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
- { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 8 */
- { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */
- { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */
- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
+ { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
+ { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
+ { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
+ { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
+ { 4, "qualifier", ASN1_EOC, ASN1_CHOICE }, /* 6 */
+ { 5, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 7 */
+ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 8 */
+ { 5, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 9 */
+ { 6, "explicitText", ASN1_EOC, ASN1_RAW }, /* 10 */
+ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 11 */
+ { 4, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 12 */
+ { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 13 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 14 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
};
-#define CERT_POLICY_ID 2
-#define CERT_POLICY_QUALIFIER_ID 5
-#define CERT_POLICY_CPS_URI 6
-#define CERT_POLICY_EXPLICIT_TEXT 9
+#define CERT_POLICY_ID 2
+#define CERT_POLICY_QUALIFIER_ID 5
+#define CERT_POLICY_CPS_URI 7
+#define CERT_POLICY_EXPLICIT_TEXT 10
/**
* Parse certificatePolicies
@@ -1157,27 +1158,31 @@ static bool parse_policyConstraints(chunk_t blob, int level0,
* ASN.1 definition of ipAddrBlocks according to RFC 3779
*/
static const asn1Object_t ipAddrBlocksObjects[] = {
- { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
- { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
- { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */
- { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
- { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */
- { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
- { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
- { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
- { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
+ { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
+ { 2, "ipAddressChoice", ASN1_EOC, ASN1_CHOICE }, /* 3 */
+ { 3, "inherit", ASN1_NULL, ASN1_OPT }, /* 4 */
+ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 5 */
+ { 3, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 6 */
+ { 4, "addressOrRange", ASN1_EOC, ASN1_CHOICE }, /* 7 */
+ { 5, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 8 */
+ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 9 */
+ { 5, "addressRange", ASN1_SEQUENCE, ASN1_OPT }, /* 10 */
+ { 6, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 11 */
+ { 6, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 12 */
+ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 13 */
+ { 4, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 14 */
+ { 3, "end loop/choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 15 */
+ { 2, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 16 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 17 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
};
#define IP_ADDR_BLOCKS_FAMILY 2
-#define IP_ADDR_BLOCKS_INHERIT 3
-#define IP_ADDR_BLOCKS_PREFIX 6
-#define IP_ADDR_BLOCKS_MIN 9
-#define IP_ADDR_BLOCKS_MAX 10
+#define IP_ADDR_BLOCKS_INHERIT 4
+#define IP_ADDR_BLOCKS_PREFIX 8
+#define IP_ADDR_BLOCKS_MIN 11
+#define IP_ADDR_BLOCKS_MAX 12
static bool check_address_object(ts_type_t ts_type, chunk_t object)
{
--
1.9.1
|
