curl-tracker Archives
[curl:bugs] #1289 ASN1_STRING string validation in ssluse.c
From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Sun, 13 Oct 2013 09:12:17 +0000
- **assigned_to**: Daniel Stenberg
---

** [bugs:#1289] ASN1_STRING string validation in ssluse.c**

**Status:** open
**Created:** Sun Oct 13, 2013 09:00 AM UTC by Jeffrey Walton
**Last Updated:** Sun Oct 13, 2013 09:00 AM UTC
**Owner:** Daniel Stenberg

```c
// From ssluse.c, around line 1095
const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);

switch(target) {
case GEN_DNS: /* name/pattern comparison */
  /* The OpenSSL man page explicitly says: "In general it cannot be
     assumed that the data returned by ASN1_STRING_data() is null
     terminated or does not contain embedded nulls." But also that
     "The actual format of the data will depend on the actual string
     type itself: for example for and IA5String the data will be ASCII"

     Gisle researched the OpenSSL sources:
     "I checked the 0.9.6 and 0.9.8 sources before my patch and
     it always 0-terminates an IA5String."
  */
  if((altlen == strlen(altptr)) &&
     /* if this isn't true, there was an embedded zero in the name
        string and we cannot match it. */
     Curl_cert_hostcheck(altptr, conn->host.name))
    matched = 1;
  else
    ...
```

The check above on the ASN1_STRING length is weak at best. If a certificate is encountered in the field such that `altlen != strlen(altptr)`, then you are probably dealing with malicious input, and the attacker's input should simply be rejected. Don't process it anymore.

"Breaking SSL with null characters" and "More Tricks For Defeating SSL".

---

Received on 2013-10-13
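One way to implement the hard rejection the report asks for, as an added example that is not part of the original report and is not curl's code. `check_dns_san`, `san_result` and the sample buffer are hypothetical; `data`/`len` stand in for the values returned by `ASN1_STRING_data()` and `ASN1_STRING_length()`, and matching is exact only (no wildcards).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Three outcomes so the caller can abort on REJECT instead of trying more names. */
enum san_result { SAN_REJECT = -1, SAN_NO_MATCH = 0, SAN_MATCH = 1 };

/* Constructed sample: a dNSName value with an embedded NUL (30 bytes). */
static const unsigned char SAMPLE_NUL_SAN[] = "www.example.com\0.attacker.test";

/* Lowercase one ASCII byte without depending on the locale. */
static unsigned char ascii_lower(unsigned char c)
{
  return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* Hypothetical helper. data/len stand in for ASN1_STRING_data() and
   ASN1_STRING_length(); data is never assumed to be NUL-terminated. */
enum san_result check_dns_san(const unsigned char *data, size_t len,
                              const char *host)
{
  size_t i;

  if(!data || !host || len == 0)
    return SAN_REJECT;
  /* memchr is bounded by len; strlen() could read past the buffer */
  if(memchr(data, 0, len))
    return SAN_REJECT;
  /* an IA5String host name should hold only printable ASCII */
  for(i = 0; i < len; i++)
    if(data[i] < 0x21 || data[i] > 0x7e)
      return SAN_REJECT;
  if(strlen(host) != len)
    return SAN_NO_MATCH;
  for(i = 0; i < len; i++)
    if(ascii_lower(data[i]) != ascii_lower((unsigned char)host[i]))
      return SAN_NO_MATCH;
  return SAN_MATCH;
}

int main(void)
{
  printf("embedded NUL: %d\n", check_dns_san(SAMPLE_NUL_SAN,
         sizeof(SAMPLE_NUL_SAN) - 1, "www.example.com"));
  printf("clean name:   %d\n", check_dns_san(
         (const unsigned char *)"www.example.com", 15, "WWW.example.com"));
  return 0;
}
```

A caller would treat `SAN_REJECT` as a failed verification for the whole certificate, while `SAN_NO_MATCH` only means this entry did not match.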
Page updated May 06, 2013.