Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP4
openssl-3.27638
openssl-3-CVE-2022-3602_1.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-3-CVE-2022-3602_1.patch of Package openssl-3.27638
From eddcc0de5b31cad2e066b57ce032e943b8b2de70 Mon Sep 17 00:00:00 2001 From: Pauli <pauli@openssl.org> Date: Wed, 19 Oct 2022 10:46:50 +1100 Subject: [PATCH 1/2] Fix CVE in punycode decoder. An off by one error in the punycode decoder allowed for a single unsigned int overwrite of a buffer which could cause a crash and possible code execution. Also fixed the ossl_a2ulabel() function which was broken and also contained a potential buffer overflow, albeit one byte without control of the contents. Added a test case that errors without the CVE fix and passes with it. Fixes CVE-2022-3602. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> --- crypto/punycode.c | 65 +++++----- test/build.info | 6 +- test/punycode_test.c | 220 ++++++++++++++++++++++++++++++++ test/recipes/04-test_punycode.t | 11 ++ 4 files changed, 266 insertions(+), 36 deletions(-) create mode 100644 test/punycode_test.c create mode 100644 test/recipes/04-test_punycode.t Index: openssl-3.0.1/crypto/punycode.c =================================================================== --- openssl-3.0.1.orig/crypto/punycode.c +++ openssl-3.0.1/crypto/punycode.c @@ -123,7 +123,6 @@ int ossl_punycode_decode(const char *pEn unsigned int bias = initial_bias; size_t processed_in = 0, written_out = 0; unsigned int max_out = *pout_length; - unsigned int basic_count = 0; unsigned int loop; @@ -181,11 +180,11 @@ int ossl_punycode_decode(const char *pEn n = n + i / (written_out + 1); i %= (written_out + 1); - if (written_out > max_out) + if (written_out >= max_out) return 0; memmove(pDecoded + i + 1, pDecoded + i, - (written_out - i) * sizeof *pDecoded); + (written_out - i) * sizeof(*pDecoded)); pDecoded[i] = n; i++; written_out++; @@ -255,30 +254,35 @@ int ossl_a2ulabel(const char *in, char * */ char *outptr = out; const char *inptr = in; - size_t size = 0; + size_t size = 0, maxsize; int result = 1; - + unsigned int i, j; unsigned int buf[LABEL_BUF_SIZE]; /* It's a hostname */ - if (out == NULL) + + if (out == NULL) { result = 0; + maxsize = 0; + } else { + maxsize = *outlen; + } + +#define PUSHC(c) \ + do \ + if (size++ < maxsize) \ + *outptr++ = c; \ + else \ + result = 0; \ + while (0) while (1) { char *tmpptr = strchr(inptr, '.'); - size_t delta = (tmpptr) ? (size_t)(tmpptr - inptr) : strlen(inptr); + size_t delta = tmpptr != NULL ? (size_t)(tmpptr - inptr) : strlen(inptr); if (strncmp(inptr, "xn--", 4) != 0) { - size += delta + 1; - - if (size >= *outlen - 1) - result = 0; - - if (result > 0) { - memcpy(outptr, inptr, delta + 1); - outptr += delta + 1; - } + for (i = 0; i < delta + 1; i++) + PUSHC(inptr[i]); } else { unsigned int bufsize = LABEL_BUF_SIZE; - unsigned int i; if (ossl_punycode_decode(inptr + 4, delta - 4, buf, &bufsize) <= 0) return -1; @@ -286,26 +290,16 @@ int ossl_a2ulabel(const char *in, char * for (i = 0; i < bufsize; i++) { unsigned char seed[6]; size_t utfsize = codepoint2utf8(seed, buf[i]); + if (utfsize == 0) return -1; - size += utfsize; - if (size >= *outlen - 1) - result = 0; - - if (result > 0) { - memcpy(outptr, seed, utfsize); - outptr += utfsize; - } + for (j = 0; j < utfsize; j++) + PUSHC(seed[j]); } - if (tmpptr != NULL) { - *outptr = '.'; - outptr++; - size++; - if (size >= *outlen - 1) - result = 0; - } + if (tmpptr != NULL) + PUSHC('.'); } if (tmpptr == NULL) @@ -313,7 +307,9 @@ int ossl_a2ulabel(const char *in, char * inptr = tmpptr + 1; } +#undef PUSHC + *outlen = size; return result; } @@ -330,9 +326,8 @@ int ossl_a2ucompare(const char *a, const char a_ulabel[LABEL_BUF_SIZE]; size_t a_size = sizeof(a_ulabel); - if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) { + if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) return -1; - } - return (strcmp(a_ulabel, u) == 0) ? 0 : 1; + return strcmp(a_ulabel, u) != 0; } Index: openssl-3.0.1/test/build.info =================================================================== --- openssl-3.0.1.orig/test/build.info +++ openssl-3.0.1/test/build.info @@ -40,7 +40,7 @@ IF[{- !$disabled{tests} -}] exptest pbetest \ evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ evp_fetch_prov_test evp_libctx_test ossl_store_test \ - v3nametest v3ext \ + v3nametest v3ext punycode_test \ evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ evp_fetch_prov_test v3nametest v3ext \ crltest danetest bad_dtls_test lhash_test sparse_array_test \ @@ -285,6 +285,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[pkcs7_test]=../include ../apps/include DEPEND[pkcs7_test]=../libcrypto libtestutil.a + SOURCE[punycode_test]=punycode_test.c + INCLUDE[punycode_test]=../include ../apps/include + DEPEND[punycode_test]=../libcrypto.a libtestutil.a + SOURCE[stack_test]=stack_test.c INCLUDE[stack_test]=../include ../apps/include DEPEND[stack_test]=../libcrypto libtestutil.a Index: openssl-3.0.1/test/punycode_test.c =================================================================== --- /dev/null +++ openssl-3.0.1/test/punycode_test.c @@ -0,0 +1,220 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include <openssl/crypto.h> + +#include "crypto/punycode.h" +#include "internal/nelem.h" +#include "testutil.h" + + +static const struct puny_test { + unsigned int raw[50]; + const char *encoded; +} puny_cases[] = { + /* Test cases from RFC 3492 */ + { /* Arabic (Egyptian) */ + { 0x0644, 0x064A, 0x0647, 0x0645, 0x0627, 0x0628, 0x062A, 0x0643, 0x0644, + 0x0645, 0x0648, 0x0634, 0x0639, 0x0631, 0x0628, 0x064A, 0x061F + }, + "egbpdaj6bu4bxfgehfvwxn" + }, + { /* Chinese (simplified) */ + { 0x4ED6, 0x4EEC, 0x4E3A, 0x4EC0, 0x4E48, 0x4E0D, 0x8BF4, 0x4E2D, 0x6587 + }, + "ihqwcrb4cv8a8dqg056pqjye" + }, + { /* Chinese (traditional) */ + { 0x4ED6, 0x5011, 0x7232, 0x4EC0, 0x9EBD, 0x4E0D, 0x8AAA, 0x4E2D, 0x6587 + }, + "ihqwctvzc91f659drss3x8bo0yb" + }, + { /* Czech: Pro<ccaron>prost<ecaron>nemluv<iacute><ccaron>esky */ + { 0x0050, 0x0072, 0x006F, 0x010D, 0x0070, 0x0072, 0x006F, 0x0073, 0x0074, + 0x011B, 0x006E, 0x0065, 0x006D, 0x006C, 0x0075, 0x0076, 0x00ED, 0x010D, + 0x0065, 0x0073, 0x006B, 0x0079 + }, + "Proprostnemluvesky-uyb24dma41a" + }, + { /* Hebrew */ + { 0x05DC, 0x05DE, 0x05D4, 0x05D4, 0x05DD, 0x05E4, 0x05E9, 0x05D5, 0x05D8, + 0x05DC, 0x05D0, 0x05DE, 0x05D3, 0x05D1, 0x05E8, 0x05D9, 0x05DD, 0x05E2, + 0x05D1, 0x05E8, 0x05D9, 0x05EA + }, + "4dbcagdahymbxekheh6e0a7fei0b" + }, + { /* Hindi (Devanagari) */ + { 0x092F, 0x0939, 0x0932, 0x094B, 0x0917, 0x0939, 0x093F, 0x0928, 0x094D, + 0x0926, 0x0940, 0x0915, 0x094D, 0x092F, 0x094B, 0x0902, 0x0928, 0x0939, + 0x0940, 0x0902, 0x092C, 0x094B, 0x0932, 0x0938, 0x0915, 0x0924, 0x0947, + 0x0939, 0x0948, 0x0902 + }, + "i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd" + }, + { /* Japanese (kanji and hiragana) */ + { 0x306A, 0x305C, 0x307F, 0x3093, 0x306A, 0x65E5, 0x672C, 0x8A9E, 0x3092, + 0x8A71, 0x3057, 0x3066, 0x304F, 0x308C, 0x306A, 0x3044, 0x306E, 0x304B + }, + "n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa" + }, + { /* Korean (Hangul syllables) */ + { 0xC138, 0xACC4, 0xC758, 0xBAA8, 0xB4E0, 0xC0AC, 0xB78C, 0xB4E4, 0xC774, + 0xD55C, 0xAD6D, 0xC5B4, 0xB97C, 0xC774, 0xD574, 0xD55C, 0xB2E4, 0xBA74, + 0xC5BC, 0xB9C8, 0xB098, 0xC88B, 0xC744, 0xAE4C + }, + "989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5jpsd879ccm6fea98c" + }, + { /* Russian (Cyrillic) */ + { 0x043F, 0x043E, 0x0447, 0x0435, 0x043C, 0x0443, 0x0436, 0x0435, 0x043E, + 0x043D, 0x0438, 0x043D, 0x0435, 0x0433, 0x043E, 0x0432, 0x043E, 0x0440, + 0x044F, 0x0442, 0x043F, 0x043E, 0x0440, 0x0443, 0x0441, 0x0441, 0x043A, + 0x0438 + }, + "b1abfaaepdrnnbgefbaDotcwatmq2g4l" + }, + { /* Spanish */ + { 0x0050, 0x006F, 0x0072, 0x0071, 0x0075, 0x00E9, 0x006E, 0x006F, 0x0070, + 0x0075, 0x0065, 0x0064, 0x0065, 0x006E, 0x0073, 0x0069, 0x006D, 0x0070, + 0x006C, 0x0065, 0x006D, 0x0065, 0x006E, 0x0074, 0x0065, 0x0068, 0x0061, + 0x0062, 0x006C, 0x0061, 0x0072, 0x0065, 0x006E, 0x0045, 0x0073, 0x0070, + 0x0061, 0x00F1, 0x006F, 0x006C + }, + "PorqunopuedensimplementehablarenEspaol-fmd56a" + }, + { /* Vietnamese */ + { 0x0054, 0x1EA1, 0x0069, 0x0073, 0x0061, 0x006F, 0x0068, 0x1ECD, 0x006B, + 0x0068, 0x00F4, 0x006E, 0x0067, 0x0074, 0x0068, 0x1EC3, 0x0063, 0x0068, + 0x1EC9, 0x006E, 0x00F3, 0x0069, 0x0074, 0x0069, 0x1EBF, 0x006E, 0x0067, + 0x0056, 0x0069, 0x1EC7, 0x0074 + }, + "TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g" + }, + { /* Japanese: 3<nen>B<gumi><kinpachi><sensei> */ + { 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F + }, + "3B-ww4c5e180e575a65lsy2b" + }, + { /* Japanese: <amuro><namie>-with-SUPER-MONKEYS */ + { 0x5B89, 0x5BA4, 0x5948, 0x7F8E, 0x6075, 0x002D, 0x0077, 0x0069, 0x0074, + 0x0068, 0x002D, 0x0053, 0x0055, 0x0050, 0x0045, 0x0052, 0x002D, 0x004D, + 0x004F, 0x004E, 0x004B, 0x0045, 0x0059, 0x0053 + }, + "-with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n" + }, + { /* Japanese: Hello-Another-Way-<sorezore><no><basho> */ + { 0x0048, 0x0065, 0x006C, 0x006C, 0x006F, 0x002D, 0x0041, 0x006E, 0x006F, + 0x0074, 0x0068, 0x0065, 0x0072, 0x002D, 0x0057, 0x0061, 0x0079, 0x002D, + 0x305D, 0x308C, 0x305E, 0x308C, 0x306E, 0x5834, 0x6240 + }, + "Hello-Another-Way--fc4qua05auwb3674vfr0b" + }, + { /* Japanese: <hitotsu><yane><no><shita>2 */ + { 0x3072, 0x3068, 0x3064, 0x5C4B, 0x6839, 0x306E, 0x4E0B, 0x0032 + }, + "2-u9tlzr9756bt3uc0v" + }, + { /* Japanese: Maji<de>Koi<suru>5<byou><mae> */ + { 0x004D, 0x0061, 0x006A, 0x0069, 0x3067, 0x004B, 0x006F, 0x0069, 0x3059, + 0x308B, 0x0035, 0x79D2, 0x524D + }, + "MajiKoi5-783gue6qz075azm5e" + }, + { /* Japanese: <pafii>de<runba> */ + { 0x30D1, 0x30D5, 0x30A3, 0x30FC, 0x0064, 0x0065, 0x30EB, 0x30F3, 0x30D0 + }, + "de-jg4avhby1noc0d" + }, + { /* Japanese: <sono><supiido><de> */ + { 0x305D, 0x306E, 0x30B9, 0x30D4, 0x30FC, 0x30C9, 0x3067 + }, + "d9juau41awczczp" + }, + { /* -> $1.00 <- */ + { 0x002D, 0x003E, 0x0020, 0x0024, 0x0031, 0x002E, 0x0030, 0x0030, 0x0020, + 0x003C, 0x002D + }, + "-> $1.00 <--" + } +}; + +static int test_punycode(int n) +{ + const struct puny_test *tc = puny_cases + n; + unsigned int buffer[50]; + unsigned int bsize = OSSL_NELEM(buffer); + size_t i; + + if (!TEST_true(ossl_punycode_decode(tc->encoded, strlen(tc->encoded), + buffer, &bsize))) + return 0; + for (i = 0; i < sizeof(tc->raw); i++) + if (tc->raw[i] == 0) + break; + if (!TEST_mem_eq(buffer, bsize * sizeof(*buffer), + tc->raw, i * sizeof(*tc->raw))) + return 0; + return 1; +} + +static int test_a2ulabel(void) +{ + char out[50]; + size_t outlen; + + /* + * Test that no buffer correctly returns the true length. + * The punycode being passed in and parsed is malformed but we're not + * verifying that behaviour here. + */ + if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", NULL, &outlen), 0) + || !TEST_size_t_eq(outlen, 7) + || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)) + return 0; + /* Test that a short input length returns the true length */ + outlen = 1; + if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0) + || !TEST_size_t_eq(outlen, 7) + || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1) + || !TEST_str_eq(out,"\xc2\x80.b.c")) + return 0; + /* Test for an off by one on the buffer size works */ + outlen = 6; + if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0) + || !TEST_size_t_eq(outlen, 7) + || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1) + || !TEST_str_eq(out,"\xc2\x80.b.c")) + return 0; + return 1; +} + +static int test_puny_overrun(void) +{ + static const unsigned int out[] = { + 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F + }; + static const char *in = "3B-ww4c5e180e575a65lsy2b"; + unsigned int buf[OSSL_NELEM(out)]; + unsigned int bsize = OSSL_NELEM(buf) - 1; + + if (!TEST_false(ossl_punycode_decode(in, strlen(in), buf, &bsize))) { + if (TEST_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out))) + TEST_error("CRITICAL: buffer overrun detected!"); + return 0; + } + return 1; +} + +int setup_tests(void) +{ + ADD_ALL_TESTS(test_punycode, OSSL_NELEM(puny_cases)); + ADD_TEST(test_a2ulabel); + ADD_TEST(test_puny_overrun); + return 1; +} Index: openssl-3.0.1/test/recipes/04-test_punycode.t =================================================================== --- /dev/null +++ openssl-3.0.1/test/recipes/04-test_punycode.t @@ -0,0 +1,11 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use OpenSSL::Test::Simple; + +simple_test("test_punycode", "punycode_test");
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor