From 802d8c02eaa0aa9cd8d0c6cbd18cd814e6337bc6 Mon Sep 17 00:00:00 2001 From: Thiago Macieira Date: Mon, 24 Aug 2009 11:33:34 +0200 Subject: Fix parsing of Subject Alternate Names in Qt. Simple misuse of QLatin1String. Use QString::fromLatin1 instead and avoid the QByteArray temporary. Reviewed-by: Andreas Aardal Hanssen Tracking: CVE-2009-2700 --- src/network/ssl/qsslcertificate.cpp | 2 +- .../more-certificates/badguy-nul-san.crt | 83 ++++++++++++++++++++++ tests/auto/qsslcertificate/tst_qsslcertificate.cpp | 21 ++++++ 3 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 tests/auto/qsslcertificate/more-certificates/badguy-nul-san.crt diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp index d62c911..b5df35c 100644 --- a/src/network/ssl/qsslcertificate.cpp +++ b/src/network/ssl/qsslcertificate.cpp @@ -377,7 +377,7 @@ QMultiMap QSslCertificate::alternateSubje } const char *altNameStr = reinterpret_cast(q_ASN1_STRING_data(genName->d.ia5)); - const QString altName = QLatin1String(QByteArray(altNameStr, len)); + const QString altName = QString::fromLatin1(altNameStr, len); if (genName->type == GEN_DNS) result.insert(QSsl::DnsEntry, altName); else if (genName->type == GEN_EMAIL) diff --git a/tests/auto/qsslcertificate/more-certificates/badguy-nul-san.crt b/tests/auto/qsslcertificate/more-certificates/badguy-nul-san.crt new file mode 100644 index 0000000..d897c39 --- /dev/null +++ b/tests/auto/qsslcertificate/more-certificates/badguy-nul-san.crt @@ -0,0 +1,83 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, OU=CA, CN=NULL-friendly CA + Validity + Not Before: Aug 4 06:53:05 2009 GMT + Not After : Aug 2 06:53:05 2019 GMT + Subject: CN=www.badguy.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:cd:26:70:96:a9:a6:5d:3e:9c:ed:0f:08:15:5a: + 7c:17:25:68:68:af:13:b9:ad:41:fa:12:54:e2:84: + 72:7d:58:d1:e2:40:42:c1:59:ed:05:3d:aa:10:53: + 70:00:88:3a:77:a0:c0:56:9e:ac:7d:21:2a:71:44: + 51:08:bc:17:07:da:a8:a3:76:dc:51:bc:1b:8a:f6: + 02:1a:55:bf:46:b4:44:6b:27:5e:be:e5:17:8b:56: + b2:c6:82:36:11:83:a8:bf:f7:2f:0d:17:f6:cd:47: + b5:6f:2b:a6:41:b6:8d:33:5f:ea:ea:8b:b1:1a:e2: + 99:38:ff:59:5b:0a:a1:71:13:ca:37:3f:b9:b0:1e: + 91:9a:c8:93:35:0c:4a:e0:9d:f4:d2:61:c7:4e:5b: + 41:0a:7c:31:54:99:db:f5:65:ce:80:d3:c2:02:37: + 64:fd:54:12:7b:ea:ac:85:59:5c:17:e1:2e:f6:d0: + a8:f2:d0:2e:94:59:2f:c2:a6:5f:da:07:de:7b:2e: + 14:07:ed:e4:27:24:37:9d:09:2e:b1:f9:5a:48:b9: + 80:24:43:e6:cb:c7:6e:35:df:d5:69:34:ff:e6:d6: + 9e:e8:76:66:6e:5f:59:01:3c:96:3b:ec:72:0b:3c: + 1e:95:0f:ce:68:13:9c:22:dd:1b:b5:44:28:50:4a: + 05:7f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 33:15:24:BE:DA:66:3A:06:8B:D9:27:34:3A:AF:62:40:E4:95:66:5D + X509v3 Authority Key Identifier: + keyid:0A:69:39:5F:9D:30:04:18:08:2E:02:0E:E6:EA:9D:B2:26:F6:E2:6A + + X509v3 Subject Alternative Name: + DNS:www.bank.com + Signature Algorithm: sha1WithRSAEncryption + 27:6e:7d:b3:a9:86:52:57:6a:a0:c6:30:6c:1e:94:09:a7:6f: + ad:fe:11:9f:be:32:8d:01:7b:8b:94:66:d7:7c:b6:b1:90:fc: + e4:f5:b6:32:bc:6c:71:23:b1:18:88:d6:47:bc:da:07:c7:5e: + 46:71:3a:e6:40:6e:c1:7f:1d:56:96:70:65:d8:51:a9:dc:9e: + a5:06:00:98:e7:1e:10:bc:82:ba:00:e5:4e:a2:0f:3e:ec:8a: + dd:6f:c6:c9:c1:ec:ed:6d:7c:31:3e:66:87:47:a1:8b:15:3c: + 21:7e:ec:21:78:3d:21:70:72:ba:70:c3:64:f8:1d:4f:d9:d0: + 27:3c:3e:7e:a2:59:ae:be:9a:d3:00:44:a7:72:3a:e3:3f:c8: + 9b:c5:8f:b1:94:fe:00:0f:6e:b8:14:88:f1:03:50:91:51:af: + f0:1e:f7:b8:5a:a4:57:35:2d:f1:ad:c8:ae:dd:29:61:14:7d: + ea:d1:34:80:5c:1b:fd:eb:43:dc:21:6d:c6:44:f9:3b:54:76: + c4:91:5b:ac:a4:8e:72:e7:d8:24:ff:a7:5a:c0:ef:27:c3:d7: + e4:f9:7f:55:8d:0d:30:ec:a2:d9:6d:c8:76:f4:be:94:3d:12: + 32:4a:91:4f:db:c3:e7:76:07:5a:12:97:18:b7:15:00:98:59: + 21:89:3e:35 +-----BEGIN CERTIFICATE----- +MIIDrTCCApWgAwIBAgIBADANBgkqhkiG9w0BAQUFADB0MQswCQYDVQQGEwJHQjES +MBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcwFQYDVQQKEw5N +eSBDb21wYW55IEx0ZDELMAkGA1UECxMCQ0ExGTAXBgNVBAMTEE5VTEwtZnJpZW5k +bHkgQ0EwHhcNMDkwODA0MDY1MzA1WhcNMTkwODAyMDY1MzA1WjAZMRcwFQYDVQQD +Ew53d3cuYmFkZ3V5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AM0mcJappl0+nO0PCBVafBclaGivE7mtQfoSVOKEcn1Y0eJAQsFZ7QU9qhBTcACI +OnegwFaerH0hKnFEUQi8FwfaqKN23FG8G4r2AhpVv0a0RGsnXr7lF4tWssaCNhGD +qL/3Lw0X9s1HtW8rpkG2jTNf6uqLsRrimTj/WVsKoXETyjc/ubAekZrIkzUMSuCd +9NJhx05bQQp8MVSZ2/VlzoDTwgI3ZP1UEnvqrIVZXBfhLvbQqPLQLpRZL8KmX9oH +3nsuFAft5CckN50JLrH5Wki5gCRD5svHbjXf1Wk0/+bWnuh2Zm5fWQE8ljvscgs8 +HpUPzmgTnCLdG7VEKFBKBX8CAwEAAaOBpDCBoTAJBgNVHRMEAjAAMCwGCWCGSAGG ++EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU +MxUkvtpmOgaL2Sc0Oq9iQOSVZl0wHwYDVR0jBBgwFoAUCmk5X50wBBgILgIO5uqd +sib24mowJgYDVR0RBB8wHYIbd3d3LmJhbmsuY29tAHd3dy5iYWRndXkuY29tMA0G +CSqGSIb3DQEBBQUAA4IBAQAnbn2zqYZSV2qgxjBsHpQJp2+t/hGfvjKNAXuLlGbX +fLaxkPzk9bYyvGxxI7EYiNZHvNoHx15GcTrmQG7Bfx1WlnBl2FGp3J6lBgCY5x4Q +vIK6AOVOog8+7Irdb8bJweztbXwxPmaHR6GLFTwhfuwheD0hcHK6cMNk+B1P2dAn +PD5+olmuvprTAESncjrjP8ibxY+xlP4AD264FIjxA1CRUa/wHve4WqRXNS3xrciu +3SlhFH3q0TSAXBv960PcIW3GRPk7VHbEkVuspI5y59gk/6dawO8nw9fk+X9VjQ0w +7KLZbch29L6UPRIySpFP28PndgdaEpcYtxUAmFkhiT41 +-----END CERTIFICATE----- diff --git a/tests/auto/qsslcertificate/tst_qsslcertificate.cpp b/tests/auto/qsslcertificate/tst_qsslcertificate.cpp index 73d7afd..37ee277 100644 --- a/tests/auto/qsslcertificate/tst_qsslcertificate.cpp +++ b/tests/auto/qsslcertificate/tst_qsslcertificate.cpp @@ -101,6 +101,7 @@ private slots: void certInfo(); void task256066toPem(); void nulInCN(); + void nulInSan(); // ### add tests for certificate bundles (multiple certificates concatenated into a single // structure); both PEM and DER formatted #endif @@ -744,6 +745,26 @@ void tst_QSslCertificate::nulInCN() QCOMPARE(cn, QString::fromLatin1(realCN, sizeof realCN - 1)); } +void tst_QSslCertificate::nulInSan() +{ + QList certList = + QSslCertificate::fromPath(SRCDIR "more-certificates/badguy-nul-san.crt"); + QCOMPARE(certList.size(), 1); + + const QSslCertificate &cert = certList.at(0); + QVERIFY(!cert.isNull()); + + QMultiMap san = cert.alternateSubjectNames(); + QVERIFY(!san.isEmpty()); + + QString dnssan = san.value(QSsl::DnsEntry); + QVERIFY(!dnssan.isEmpty()); + QVERIFY(dnssan != "www.bank.com"); + + static const char realSAN[] = "www.bank.com\0.badguy.com"; + QCOMPARE(dnssan, QString::fromLatin1(realSAN, sizeof realSAN - 1)); +} + #endif // QT_NO_OPENSSL QTEST_MAIN(tst_QSslCertificate) -- cgit v0.12