From: Pierangelo Masarati Date: Tue, 4 Aug 2009 14:14:17 +0000 (+0000) Subject: be liberal in accepting CL (ITS#6241) X-Git-Tag: ACLCHECK_0~363 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=38fa7e0621d4796356f1510cae0662dafa5fca94;p=openldap be liberal in accepting CL (ITS#6241) --- diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index 95d108f6a5..b1e06e7b7f 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c @@ -273,18 +273,25 @@ certificateValidate( Syntax *syntax, struct berval *in ) } /* X.509 certificate list validation */ +static int +checkTime( struct berval *in, struct berval *out ); + static int certificateListValidate( Syntax *syntax, struct berval *in ) { BerElementBuffer berbuf; BerElement *ber = (BerElement *)&berbuf; ber_tag_t tag; - ber_len_t len; + ber_len_t len, wrapper_len; + char *wrapper_start; + int wrapper_ok = 0; ber_int_t version = SLAP_X509_V1; + struct berval bvdn, bvtu; ber_init2( ber, in, LBER_USE_DER ); - tag = ber_skip_tag( ber, &len ); /* Signed wrapper */ + tag = ber_skip_tag( ber, &wrapper_len ); /* Signed wrapper */ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; + wrapper_start = ber->ber_ptr; tag = ber_skip_tag( ber, &len ); /* Sequence */ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; tag = ber_peek_tag( ber, &len ); @@ -297,12 +304,18 @@ certificateListValidate( Syntax *syntax, struct berval *in ) tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; ber_skip_data( ber, len ); - tag = ber_skip_tag( ber, &len ); /* Issuer DN */ + tag = ber_peek_tag( ber, &len ); /* Issuer DN */ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; + len = ber_ptrlen( ber ); + bvdn.bv_val = in->bv_val + len; + bvdn.bv_len = in->bv_len - len; + tag = ber_skip_tag( ber, &len ); ber_skip_data( ber, len ); tag = ber_skip_tag( ber, &len ); /* thisUpdate */ /* Time is a CHOICE { UTCTime, GeneralizedTime } */ if ( tag != SLAP_TAG_UTCTIME && tag != SLAP_TAG_GENERALIZEDTIME ) return LDAP_INVALID_SYNTAX; + bvtu.bv_val = (char *)ber->ber_ptr; + bvtu.bv_len = len; ber_skip_data( ber, len ); /* Optional nextUpdate */ tag = ber_skip_tag( ber, &len ); @@ -335,10 +348,42 @@ certificateListValidate( Syntax *syntax, struct berval *in ) /* Signature */ if ( tag != LBER_BITSTRING ) return LDAP_INVALID_SYNTAX; ber_skip_data( ber, len ); + if ( ber->ber_ptr == wrapper_start + wrapper_len ) wrapper_ok = 1; tag = ber_skip_tag( ber, &len ); /* Must be at end now */ /* NOTE: OpenSSL tolerates CL with garbage past the end */ - if ( len || tag != LBER_DEFAULT ) return LDAP_INVALID_SYNTAX; + if ( len || tag != LBER_DEFAULT ) { + struct berval issuer_dn, thisUpdate; + char tubuf[STRLENOF("YYYYmmddHHMMSSZ") + 1]; + int rc; + + if ( ! wrapper_ok ) { + return LDAP_INVALID_SYNTAX; + } + + rc = dnX509normalize( &bvdn, &issuer_dn ); + if ( rc != LDAP_SUCCESS ) { + rc = LDAP_INVALID_SYNTAX; + goto done; + } + + thisUpdate.bv_val = tubuf; + thisUpdate.bv_len = sizeof(tubuf); + if ( checkTime( &bvtu, &thisUpdate ) ) { + rc = LDAP_INVALID_SYNTAX; + goto done; + } + + Debug( LDAP_DEBUG_ANY, + "certificateListValidate issuer=\"%s\", thisUpdate=%s: extra cruft past end of certificateList\n", + issuer_dn.bv_val, thisUpdate.bv_val, 0 ); + +done:; + ber_memfree( issuer_dn.bv_val ); + + return rc; + } + return LDAP_SUCCESS; }