diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2017-11-11 01:08:27 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2017-11-13 15:34:50 +0900 |
commit | 363f40fb47bef81a784d4cc6feabef345ada9b0f (patch) | |
tree | dfe18253ab54210ceb077409d2360617bead8369 /ext/openssl/ossl_x509crl.c | |
parent | 1425bf543ddcf7280877624532128cdd311f54ab (diff) | |
download | ruby-openssl-363f40fb47bef81a784d4cc6feabef345ada9b0f.tar.gz |
x509cert, x509crl, x509req, ns_spki: check sanity of public keyky/pkey-check-sanity
The pub_encode routine of an EVP_PKEY_ASN1_METHOD seems to assume the
parameters and public key component(s) to be set properly. Calling that,
for example, through X509_set_pubkey(), with an incomplete object may
cause segfault.
Use ossl_pkey_check_public_key() to check that. It doesn't look pretty,
but unfortunately there isn't a generic way to do that with the EVP API.
Something similar applies to the verify routine of an EVP_PKEY_METHOD.
Do the same check before calling *_verify().
Reference: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/83688
Reference: https://bugs.ruby-lang.org/issues/14087
Diffstat (limited to 'ext/openssl/ossl_x509crl.c')
-rw-r--r-- | ext/openssl/ossl_x509crl.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c index 035025ab..add72c6c 100644 --- a/ext/openssl/ossl_x509crl.c +++ b/ext/openssl/ossl_x509crl.c @@ -366,9 +366,12 @@ static VALUE ossl_x509crl_verify(VALUE self, VALUE key) { X509_CRL *crl; + EVP_PKEY *pkey; GetX509CRL(self, crl); - switch (X509_CRL_verify(crl, GetPKeyPtr(key))) { + pkey = GetPKeyPtr(key); + ossl_pkey_check_public_key(pkey); + switch (X509_CRL_verify(crl, pkey)) { case 1: return Qtrue; case 0: |