Bug #4324

[ext/openssl] Parsing of incorrect ASN.1 values succeeds

Added by Martin Bosslet about 3 years ago. Updated almost 3 years ago.

[ruby-core:34855]
Status: Closed
Priority: Normal
Assignee: -
Category: ext
Target version: 1.9.3
ruby -v: trunk
Backport:

Description

=begin
Hi,

I read about this bug of OpenSSL this morning: http://rt.openssl.org/Ticket/Display.html?id=2438
What struck me was the following sentence:

"The ASN1 parser should reject indefinite length primitive encodings as
that is illegal."

I tested whether Ruby (trunk) ASN.1 decoding was also affected:

require 'openssl'
require 'pp'

spec = %w{ 02 80 02 01 01 00 00 }
raw = [spec.join('')].pack('H*')
asn1 = OpenSSL::ASN1.decode(raw)
pp asn1

=>

#

This bug is a direct consequence of the bug in OpenSSL referred to above. Parsing
should fail in this case as primitive values cannot have an infinite length without
having the constructed bits set. (A correct encoding for the above would be this:
%w{ 22 80 02 01 01 00 00 }) But fortunately this is fixed quite easily.
By applying the appended patch, the above script yields this exception:

=>

test.rb:6:in `decode': Infinite length for primitive value (OpenSSL::ASN1::ASN1Error)
from test.rb:6:in
'

Regards,
Martin
=end

fix_primitive_inf_length.diff (1.25 KB) Martin Bosslet, 01/26/2011 09:35 AM
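
The check this report asks for, as an added example that is not part of the original report, the attached patch or ext/openssl: a pure-Ruby walk over BER headers that rejects the 0x80 length octet on any primitive value, including nested ones, and accepts it on constructed values closed by 00 00. The names BerFormatError, walk_ber and ber_well_formed? are hypothetical, and identifiers in high-tag-number form are assumed not to occur.

```ruby
# Added example: a standalone BER header walker, not code from ext/openssl.
# All names here (BerFormatError, walk_ber, ber_well_formed?) are hypothetical.
class BerFormatError < StandardError; end

CONSTRUCTED = 0x20 # bit 6 of the identifier octet
INDEFINITE  = 0x80 # length octet: content runs until an end-of-contents 00 00

# Walk the TLVs in bytes[pos...limit] and return the offset after them.
# With until_eoc set, stop after the 00 00 that closes an indefinite value.
def walk_ber(bytes, pos, limit, until_eoc = false)
  while pos < limit
    return pos + 2 if until_eoc && bytes[pos, 2] == [0, 0]
    raise BerFormatError, 'truncated header' if pos + 2 > limit
    id, len_octet = bytes[pos], bytes[pos + 1]
    raise ArgumentError, 'high-tag-number form is out of scope here' if (id & 0x1f) == 0x1f
    constructed = (id & CONSTRUCTED) != 0
    pos += 2
    if len_octet == INDEFINITE
      # The case from the report: 0x80 is only legal on constructed values.
      raise BerFormatError, 'indefinite length on primitive value' unless constructed
      pos = walk_ber(bytes, pos, limit, true)
    else
      length = len_octet
      if len_octet > 0x80 # long form: low 7 bits give the count of length octets
        count = len_octet & 0x7f
        raise BerFormatError, 'truncated length' if pos + count > limit
        length = bytes[pos, count].inject(0) { |acc, b| (acc << 8) | b }
        pos += count
      end
      raise BerFormatError, 'truncated value' if pos + length > limit
      walk_ber(bytes, pos, pos + length) if constructed
      pos += length
    end
  end
  raise BerFormatError, 'missing end-of-contents octets' if until_eoc
  pos
end

# Takes hex octets in the same %w{ ... } form the report uses.
def ber_well_formed?(hex_octets)
  bytes = [hex_octets.join].pack('H*').bytes
  walk_ber(bytes, 0, bytes.size)
  true
rescue BerFormatError
  false
end
```

Running such a check ahead of a decoder that has not been patched gives the same reject/accept split the report describes for its two byte strings.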

Associated revisions

Revision 30656
Added by Hiroshi Nakamura about 3 years ago

  • ext/openssl/ossl_asn1.c (ossl_asn1_decode0): OpenSSL::ASN1.decode should reject indefinite length primitive encodings as that is illegal. Patch by Martin Bosslet. See #4324.

History

#1 Updated by Hiroshi Nakamura about 3 years ago

  • Status changed from Open to Closed

=begin
Merged at r30656. Thanks.
=end

#2 Updated by Yusuke Endoh about 3 years ago

=begin
Hi,

2011/1/26 Martin Bosslet <redmine@ruby-lang.org>:

> I read about this bug of OpenSSL this morning: http://rt.openssl.org/Ticket/Display.html?id=2438

Thank you for the information.
The URL seems to require authentication, but I managed to read it
by Google:

http://rt.openssl.org/Ticket/Display.html?id=2438&user=guest&pass=guest

> What struck me was the following sentence:
>
> "The ASN1 parser should reject indefinite length primitive encodings as
> that is illegal."

I'm not sure that I understand the problem correctly.

ext/openssl (not openssl itself but Ruby binding) has its own ASN1
parser, and the parser does not follow the spec that openssl assumes
the users to follow, right?

--
Yusuke Endoh mame@tsg.ne.jp

=end
