diff options
author | Job Snijders <job@sobornost.net> | 2024-02-21 21:26:50 +0000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-02-25 09:17:41 +0100 |
commit | eadd8c4727b703049e4d2764751cb04f3108434d (patch) | |
tree | abcf29b5404084d6b13362654658e7d94d3ea230 /test | |
parent | 5d70f11823e3d8b7214a1e094b8a4f744ad396f5 (diff) |
Add appropriate lower bound checks for GeneralizedTime and UTCTime
ITU-T X.690 / ISO/IEC 8825-1 section 11.7 and section 11.8
impose specific constraints on how GeneralizedTime and UTCTime
can be encoded in BER/CER/DER. Following from these constraints
a minimum length can be derived.
Checking the length in this context can potentially help prevent
applications from interpreting an invalid GeneralizedTime as a
valid UTCTime.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23483)
Diffstat (limited to 'test')
-rw-r--r-- | test/asn1_decode_test.c | 53 | ||||
-rw-r--r-- | test/asn1_time_test.c | 6 | ||||
-rw-r--r-- | test/x509_time_test.c | 8 |
3 files changed, 61 insertions, 6 deletions
diff --git a/test/asn1_decode_test.c b/test/asn1_decode_test.c index 9c676d3dcc..f112dd7034 100644 --- a/test/asn1_decode_test.c +++ b/test/asn1_decode_test.c @@ -11,6 +11,7 @@ #include <string.h> #include <openssl/rand.h> +#include <openssl/asn1.h> #include <openssl/asn1t.h> #include <openssl/obj_mac.h> #include "internal/numbers.h" @@ -161,6 +162,56 @@ static int test_uint64(void) return 1; } +/* GeneralizedTime underflow *********************************************** */ + +static int test_gentime(void) +{ + /* Underflowing GeneralizedTime 161208193400Z (YYMMDDHHMMSSZ) */ + const unsigned char der[] = { + 0x18, 0x0d, 0x31, 0x36, 0x31, 0x32, 0x30, 0x38, 0x31, + 0x39, 0x33, 0x34, 0x30, 0x30, 0x5a, + }; + const unsigned char *p; + int der_len, rc = 1; + ASN1_GENERALIZEDTIME *gentime; + + p = der; + der_len = sizeof(der); + gentime = d2i_ASN1_GENERALIZEDTIME(NULL, &p, der_len); + + if (!TEST_ptr_null(gentime)) + rc = 0; /* fail */ + + ASN1_GENERALIZEDTIME_free(gentime); + return rc; +} + +/* UTCTime underflow ******************************************************* */ + +static int test_utctime(void) +{ + /* Underflowing UTCTime 0205104700Z (MMDDHHMMSSZ) */ + const unsigned char der[] = { + 0x17, 0x0b, 0x30, 0x32, 0x30, 0x35, 0x31, 0x30, + 0x34, 0x37, 0x30, 0x30, 0x5a, + }; + const unsigned char *p; + int der_len, rc = 1; + ASN1_UTCTIME *utctime; + + p = der; + der_len = sizeof(der); + utctime = d2i_ASN1_UTCTIME(NULL, &p, der_len); + + if (!TEST_ptr_null(utctime)) + rc = 0; /* fail */ + + ASN1_UTCTIME_free(utctime); + return rc; +} + +/* Invalid template ******************************************************** */ + typedef struct { ASN1_STRING *invalidDirString; } INVALIDTEMPLATE; @@ -229,6 +280,8 @@ int setup_tests(void) ADD_TEST(test_uint32); ADD_TEST(test_int64); ADD_TEST(test_uint64); + ADD_TEST(test_gentime); + ADD_TEST(test_utctime); ADD_TEST(test_invalid_template); ADD_TEST(test_reuse_asn1_object); return 1; diff --git a/test/asn1_time_test.c b/test/asn1_time_test.c index aa1aa79ebb..0daf88b203 100644 --- a/test/asn1_time_test.c +++ b/test/asn1_time_test.c @@ -101,6 +101,10 @@ static struct testdata tbl_testdata_pos[] = { { "1970010100000AZ", V_ASN1_GENERALIZEDTIME, V_ASN1_GENERALIZEDTIME, 0, 0, 0, 0, }, { "700101000000X", V_ASN1_UTCTIME, V_ASN1_UTCTIME, 0, 0, 0, 0, }, { "19700101000000X", V_ASN1_GENERALIZEDTIME, V_ASN1_GENERALIZEDTIME, 0, 0, 0, 0, }, + { "209912312359Z", V_ASN1_GENERALIZEDTIME, V_ASN1_GENERALIZEDTIME, 0, 0, 0, 0, }, + { "199912310000Z", V_ASN1_GENERALIZEDTIME, V_ASN1_GENERALIZEDTIME, 0, 0, 0, 0, }, + { "9912312359Z", V_ASN1_UTCTIME, V_ASN1_UTCTIME, 0, 0, 0, 0, }, + { "9912310000Z", V_ASN1_UTCTIME, V_ASN1_UTCTIME, 0, 0, 0, 0, }, { "19700101000000Z", V_ASN1_GENERALIZEDTIME, V_ASN1_UTCTIME, 1, 0, -1, 1, }, /* Epoch begins */ { "700101000000Z", V_ASN1_UTCTIME, V_ASN1_UTCTIME, 1, 0, -1, 1, }, /* ditto */ { "20380119031407Z", V_ASN1_GENERALIZEDTIME, V_ASN1_UTCTIME, 1, 0x7FFFFFFF, 1, 1, }, /* Max 32bit time_t */ @@ -111,9 +115,7 @@ static struct testdata tbl_testdata_pos[] = { { "19701006121456Z", V_ASN1_GENERALIZEDTIME, V_ASN1_UTCTIME, 1, 24063296, -1, 1, }, { "701006121456Z", V_ASN1_UTCTIME, V_ASN1_UTCTIME, 1, 24063296, -1, 1, }, { "19991231000000Z", V_ASN1_GENERALIZEDTIME, V_ASN1_UTCTIME, 1, 946598400, 0, 1, }, /* Match baseline */ - { "199912310000Z", V_ASN1_GENERALIZEDTIME, V_ASN1_UTCTIME, 1, 946598400, 0, 1, }, /* In various flavors */ { "991231000000Z", V_ASN1_UTCTIME, V_ASN1_UTCTIME, 1, 946598400, 0, 1, }, - { "9912310000Z", V_ASN1_UTCTIME, V_ASN1_UTCTIME, 1, 946598400, 0, 1, }, { "9912310000+0000", V_ASN1_UTCTIME, V_ASN1_UTCTIME, 1, 946598400, 0, 1, }, { "199912310000+0000", V_ASN1_GENERALIZEDTIME, V_ASN1_UTCTIME, 1, 946598400, 0, 1, }, { "9912310000-0000", V_ASN1_UTCTIME, V_ASN1_UTCTIME, 1, 946598400, 0, 1, }, diff --git a/test/x509_time_test.c b/test/x509_time_test.c index 9fa9297cf3..b6aad699b5 100644 --- a/test/x509_time_test.c +++ b/test/x509_time_test.c @@ -490,7 +490,7 @@ static const struct { "Jul 31 22:20:50 2017 GMT"), /* Generalized Time, no seconds */ construct_asn1_time("201707312220Z", V_ASN1_GENERALIZEDTIME, - "Jul 31 22:20:00 2017 GMT"), + "Bad time value"), /* Generalized Time, fractional seconds (3 digits) */ construct_asn1_time("20170731222050.123Z", V_ASN1_GENERALIZEDTIME, "Jul 31 22:20:50.123 2017 GMT"), @@ -505,7 +505,7 @@ static const struct { "Jul 31 22:20:50 2017 GMT"), /* UTC Time, no seconds */ construct_asn1_time("1707312220Z", V_ASN1_UTCTIME, - "Jul 31 22:20:00 2017 GMT"), + "Bad time value"), }; static const struct { @@ -517,7 +517,7 @@ static const struct { "2017-07-31 22:20:50Z"), /* Generalized Time, no seconds */ construct_asn1_time("201707312220Z", V_ASN1_GENERALIZEDTIME, - "2017-07-31 22:20:00Z"), + "Bad time value"), /* Generalized Time, fractional seconds (3 digits) */ construct_asn1_time("20170731222050.123Z", V_ASN1_GENERALIZEDTIME, "2017-07-31 22:20:50.123Z"), @@ -532,7 +532,7 @@ static const struct { "2017-07-31 22:20:50Z"), /* UTC Time, no seconds */ construct_asn1_time("1707312220Z", V_ASN1_UTCTIME, - "2017-07-31 22:20:00Z"), + "Bad time value"), }; static int test_x509_time_print_rfc_822(int idx) |