Fix for ASN1 parsing bugs.

diff --git a/CHANGES b/CHANGES
index 0d45a0a152e1db49f8bc423af19b2f77aaaafaf9..07a8402d99453d016f41aca8c42e86dc16effced 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,16 @@
 
  Changes between 0.9.6j and 0.9.6k  [xx XXX 2003]
 
+  *) Fix various bugs revealed by running the NISCC test suite:
+
+     Stop out of bounds reads in the ASN1 code when presented with
+     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     
+     If verify callback ignores invalid public key errors don't try to check
+     certificate signature with the NULL public key.
+
+     [Steve Henson]
+
   *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
      if the server requested one: as stated in TLS 1.0 and SSL 3.0
      specifications.

diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index e4a56a926af79fe5618d81b7cbc5400fe3a9236d..6e49624718e73893ca142b4a27d934bc0d0b86b6 100644 (file)
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
                        l<<=7L;
                        l|= *(p++)&0x7f;
                        if (--max == 0) goto err;
+                       if (l > (INT_MAX >> 7L)) goto err;
                        }
                l<<=7L;
                l|= *(p++)&0x7f;
                tag=(int)l;
+               if (--max == 0) goto err;
                }
        else
                { 

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9ad9276ff76b9bd7ad5c599cab45069e5a0b629a..1d14401a8b416fe1ee6837de15a4bfe6744903c6 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -490,7 +490,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                                ok=(*cb)(0,ctx);
                                if (!ok) goto end;
                                }
-                       if (X509_verify(xs,pkey) <= 0)
+                       else if (X509_verify(xs,pkey) <= 0)
                                {
                                ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
                                ctx->current_cert=xs;