ASCII NUL in certificate fields
Seth Arnold
seth.arnold at canonical.com
Fri Feb 28 04:20:18 UTC 2014
Hello, I'm curious if nginx has made the same mistake as CVE-2009-2408 in
the ngx_ssl_get_subject_dn() and ngx_ssl_get_issuer_dn() functions:
Note in the following copy-and-pastes the { /* void */ } for loops. That
should find the end of an ASCII string but if a certificate has 0x00 bytes
encoded in the fields, nginx may copy only a small portion of the string.
Am I overlooking something?
Thanks
ngx_int_t
ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
char *p;
size_t len;
X509 *cert;
X509_NAME *name;
s->len = 0;
cert = SSL_get_peer_certificate(c->ssl->connection);
if (cert == NULL) {
return NGX_OK;
}
name = X509_get_subject_name(cert);
if (name == NULL) {
X509_free(cert);
return NGX_ERROR;
}
p = X509_NAME_oneline(name, NULL, 0);
for (len = 0; p[len]; len++) { /* void */ }
s->len = len;
s->data = ngx_pnalloc(pool, len);
if (s->data == NULL) {
OPENSSL_free(p);
X509_free(cert);
return NGX_ERROR;
}
ngx_memcpy(s->data, p, len);
OPENSSL_free(p);
X509_free(cert);
return NGX_OK;
}
ngx_int_t
ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
char *p;
size_t len;
X509 *cert;
X509_NAME *name;
s->len = 0;
cert = SSL_get_peer_certificate(c->ssl->connection);
if (cert == NULL) {
return NGX_OK;
}
name = X509_get_issuer_name(cert);
if (name == NULL) {
X509_free(cert);
return NGX_ERROR;
}
p = X509_NAME_oneline(name, NULL, 0);
for (len = 0; p[len]; len++) { /* void */ }
s->len = len;
s->data = ngx_pnalloc(pool, len);
if (s->data == NULL) {
OPENSSL_free(p);
X509_free(cert);
return NGX_ERROR;
}
ngx_memcpy(s->data, p, len);
OPENSSL_free(p);
X509_free(cert);
return NGX_OK;
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20140227/98a85dab/attachment.bin>
More information about the nginx-devel
mailing list