From b2313918523eaf298fd259ed202230bbb8a411a2 Mon Sep 17 00:00:00 2001 From: DongHun Kwak Date: Thu, 23 Dec 2021 10:55:55 +0900 Subject: [PATCH] Imported Upstream version 1.3.4 --- ChangeLog | 43 +++++++++++++++ Makefile.am | 14 +++++ Makefile.in | 15 ++++++ NEWS | 13 +++++ build-aux/config.guess | 143 ++++++++++++++++++++++++++++++------------------- build-aux/config.sub | 36 ++++++++----- config.h.in | 3 ++ configure | 54 +++++++++++++------ configure.ac | 20 +++++-- doc/ksba.info | 8 +-- doc/stamp-vti | 4 +- doc/version.texi | 4 +- src/ber-help.c | 6 +++ src/cert.c | 28 +++++++++- src/dn.c | 5 +- src/keyinfo.c | 34 +++++++++--- src/name.c | 2 +- src/ocsp.c | 2 + tests/cert-basic.c | 3 +- 19 files changed, 324 insertions(+), 113 deletions(-) diff --git a/ChangeLog b/ChangeLog index 11ea2e0..3892fcc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,46 @@ +2016-05-03 Werner Koch + + Release 1.3.4. + * configure.ac: Set LT version to C19/A11/R5. + + Update config.{guess,sub} to 2016-04-02 and 2016-03-30. + * build-aux/config.guess: Update. + * build-aux/config.sub: Update. + + Create an SWDB file during "make distcheck" + * Makefile.am (distcheck-hook): New. + + Fix an undefined return value in ksba_cert_get_digest_algo. + * src/cert.c (ksba_cert_get_digest_algo): Set ALGO in the error case. + * tests/cert-basic.c (one_file): Take care of printf which does not + handle NULL for %s + + Fix an OOB read access in _ksba_dn_to_str. + * src/dn.c (append_utf8_value): Use a straightforward check to fix an + off-by-one. + + Fix possible read access beyond the buffer. + * src/ber-help.c (_ksba_ber_parse_tl): Add extra sanity check. + * src/cert.c (ksba_cert_get_cert_policies): Check TLV given length + against buffer length. + (ksba_cert_get_ext_key_usages): Ditto. + * src/ocsp.c (parse_asntime_into_isotime): Ditto. + +2015-10-28 Werner Koch + + Add more curves to the name->OID table. + * src/keyinfo.c (curve_names): Add more curves. + + Fix lookup of ECC OIDs by name. + * src/keyinfo.c (get_ecc_curve_oid): Fix obviously never tested table + lookup. + +2015-08-25 Werner Koch + + Add configure option --enable-build-timestamp. + * configure.ac (BUILD_TIMESTAMP): Set to "" by default. Add + ac_define_unquoted. + 2015-04-10 Werner Koch Release 1.3.3. diff --git a/Makefile.am b/Makefile.am index 0f492aa..f16e128 100644 --- a/Makefile.am +++ b/Makefile.am @@ -41,6 +41,20 @@ SUBDIRS = m4 gl src ${tests} doc dist-hook: gen-ChangeLog +distcheck-hook: + set -e; ( \ + pref="#+macro: $$(echo $(PACKAGE_NAME)|tr '-' '_')_" ;\ + reldate="$$(date -u +%Y-%m-%d)" ;\ + echo "$${pref}ver $(PACKAGE_VERSION)" ;\ + echo "$${pref}date $${reldate}" ;\ + list='$(DIST_ARCHIVES)'; for i in $$list; do \ + case "$$i" in *.tar.bz2) \ + echo "$${pref}size $$(wc -c <$$i|awk '{print int($$1/1024)}')k" ;\ + echo "$${pref}sha1 $$(sha1sum <$$i|cut -d' ' -f1)" ;\ + echo "$${pref}sha2 $$(sha256sum <$$i|cut -d' ' -f1)" ;;\ + esac;\ + done ) | tee $(distdir).swdb + gen_start_date = 2011-12-01T00:00:00 .PHONY: gen-ChangeLog diff --git a/Makefile.in b/Makefile.in index b1cffd6..dd54de4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -680,6 +680,7 @@ distcheck: dist test -d $(distdir)/_build || exit 0; \ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ + && $(MAKE) $(AM_MAKEFLAGS) distcheck-hook \ && am__cwd=`pwd` \ && $(am__cd) $(distdir)/_build \ && ../configure \ @@ -864,6 +865,20 @@ uninstall-am: dist-hook: gen-ChangeLog + +distcheck-hook: + set -e; ( \ + pref="#+macro: $$(echo $(PACKAGE_NAME)|tr '-' '_')_" ;\ + reldate="$$(date -u +%Y-%m-%d)" ;\ + echo "$${pref}ver $(PACKAGE_VERSION)" ;\ + echo "$${pref}date $${reldate}" ;\ + list='$(DIST_ARCHIVES)'; for i in $$list; do \ + case "$$i" in *.tar.bz2) \ + echo "$${pref}size $$(wc -c <$$i|awk '{print int($$1/1024)}')k" ;\ + echo "$${pref}sha1 $$(sha1sum <$$i|cut -d' ' -f1)" ;\ + echo "$${pref}sha2 $$(sha256sum <$$i|cut -d' ' -f1)" ;;\ + esac;\ + done ) | tee $(distdir).swdb .PHONY: gen-ChangeLog gen-ChangeLog: if test -d $(top_srcdir)/.git; then \ diff --git a/NEWS b/NEWS index 693f8ef..3b9abb0 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,16 @@ +Noteworthy changes in version 1.3.4 (2016-05-03) [C19/A11/R4] +------------------------------------------------ + + * Fixed two OOB read access bugs which could be used to force a DoS. + + * Fixed a crash due to faulty curve OID lookup code. + + * Synced the list of supported curves with those of Libgcrypt. + + * New configure option --enable-build-timestamp; a build timestamp is + not anymore used by default. + + Noteworthy changes in version 1.3.3 (2015-04-10) [C19/A11/R4] ------------------------------------------------ diff --git a/build-aux/config.guess b/build-aux/config.guess index dbfb978..0967f2a 100755 --- a/build-aux/config.guess +++ b/build-aux/config.guess @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2015 Free Software Foundation, Inc. +# Copyright 1992-2016 Free Software Foundation, Inc. -timestamp='2015-01-01' +timestamp='2016-04-02' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -27,7 +27,7 @@ timestamp='2015-01-01' # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess # # Please send patches to . @@ -50,7 +50,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2016 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -168,20 +168,27 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" - UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ - /usr/sbin/$sysctl 2>/dev/null || echo unknown)` + UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ + /sbin/$sysctl 2>/dev/null || \ + /usr/sbin/$sysctl 2>/dev/null || \ + echo unknown)` case "${UNAME_MACHINE_ARCH}" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; + earmv*) + arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'` + endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'` + machine=${arch}${endian}-unknown + ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently, or will in the future. case "${UNAME_MACHINE_ARCH}" in - arm*|i386|m68k|ns32k|sh3*|sparc|vax) + arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ @@ -197,6 +204,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in os=netbsd ;; esac + # Determine ABI tags. + case "${UNAME_MACHINE_ARCH}" in + earm*) + expr='s/^earmv[0-9]/-eabi/;s/eb$//' + abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"` + ;; + esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need @@ -207,13 +221,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in release='-gnu' ;; *) - release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. - echo "${machine}-${os}${release}" + echo "${machine}-${os}${release}${abi}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` @@ -223,6 +237,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; + *:LibertyBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} + exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; @@ -235,6 +253,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:MirBSD:*:*) echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} exit ;; + *:Sortix:*:*) + echo ${UNAME_MACHINE}-unknown-sortix + exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) @@ -251,42 +272,42 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV4.5 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "LCA4 (21066/21068)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV5 (21164)") - UNAME_MACHINE="alphaev5" ;; + UNAME_MACHINE=alphaev5 ;; "EV5.6 (21164A)") - UNAME_MACHINE="alphaev56" ;; + UNAME_MACHINE=alphaev56 ;; "EV5.6 (21164PC)") - UNAME_MACHINE="alphapca56" ;; + UNAME_MACHINE=alphapca56 ;; "EV5.7 (21164PC)") - UNAME_MACHINE="alphapca57" ;; + UNAME_MACHINE=alphapca57 ;; "EV6 (21264)") - UNAME_MACHINE="alphaev6" ;; + UNAME_MACHINE=alphaev6 ;; "EV6.7 (21264A)") - UNAME_MACHINE="alphaev67" ;; + UNAME_MACHINE=alphaev67 ;; "EV6.8CB (21264C)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8AL (21264B)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8CX (21264D)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.9A (21264/EV69A)") - UNAME_MACHINE="alphaev69" ;; + UNAME_MACHINE=alphaev69 ;; "EV7 (21364)") - UNAME_MACHINE="alphaev7" ;; + UNAME_MACHINE=alphaev7 ;; "EV7.9 (21364A)") - UNAME_MACHINE="alphaev79" ;; + UNAME_MACHINE=alphaev79 ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 @@ -359,16 +380,16 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build - SUN_ARCH="i386" + SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then - SUN_ARCH="x86_64" + SUN_ARCH=x86_64 fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` @@ -393,7 +414,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} @@ -618,13 +639,13 @@ EOF sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 + 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; - '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 + 32) HP_ARCH=hppa2.0n ;; + 64) HP_ARCH=hppa2.0w ;; + '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi @@ -663,11 +684,11 @@ EOF exit (0); } EOF - (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac - if [ ${HP_ARCH} = "hppa2.0w" ] + if [ ${HP_ARCH} = hppa2.0w ] then eval $set_cc_for_build @@ -680,12 +701,12 @@ EOF # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 - if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | + if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then - HP_ARCH="hppa2.0w" + HP_ARCH=hppa2.0w else - HP_ARCH="hppa64" + HP_ARCH=hppa64 fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} @@ -790,14 +811,14 @@ EOF echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) - FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) @@ -879,7 +900,7 @@ EOF exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix @@ -902,7 +923,7 @@ EOF EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" = 0 ; then LIBC="gnulibc1" ; fi + if test "$?" = 0 ; then LIBC=gnulibc1 ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) @@ -933,6 +954,9 @@ EOF crisv32:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; + e2k:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; frv:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; @@ -945,6 +969,9 @@ EOF ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; + k1om:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; @@ -1021,7 +1048,7 @@ EOF echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; x86_64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} @@ -1100,7 +1127,7 @@ EOF # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub - # prints for the "djgpp" host, or else GDB configury will decide that + # prints for the "djgpp" host, or else GDB configure will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; @@ -1249,6 +1276,9 @@ EOF SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; + SX-ACE:SUPER-UX:*:*) + echo sxace-nec-superux${UNAME_RELEASE} + exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; @@ -1262,9 +1292,9 @@ EOF UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in @@ -1286,7 +1316,7 @@ EOF exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` - if test "$UNAME_PROCESSOR" = "x86"; then + if test "$UNAME_PROCESSOR" = x86; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi @@ -1317,7 +1347,7 @@ EOF # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. - if test "$cputype" = "386"; then + if test "$cputype" = 386; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" @@ -1359,7 +1389,7 @@ EOF echo i386-pc-xenix exit ;; i*86:skyos:*:*) - echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' + echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'` exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos @@ -1370,6 +1400,9 @@ EOF x86_64:VMkernel:*:*) echo ${UNAME_MACHINE}-unknown-esx exit ;; + amd64:Isilon\ OneFS:*:*) + echo x86_64-unknown-onefs + exit ;; esac cat >&2 <. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='libksba' PACKAGE_TARNAME='libksba' -PACKAGE_VERSION='1.3.3' -PACKAGE_STRING='libksba 1.3.3' +PACKAGE_VERSION='1.3.4' +PACKAGE_STRING='libksba 1.3.4' PACKAGE_BUGREPORT='http://bugs.gnupg.org' PACKAGE_URL='' @@ -636,8 +636,8 @@ ac_subst_vars='am__EXEEXT_FALSE am__EXEEXT_TRUE LTLIBOBJS LIBOBJS -BUILD_FILEVERSION BUILD_TIMESTAMP +BUILD_FILEVERSION BUILD_REVISION CROSS_COMPILING_FALSE CROSS_COMPILING_TRUE @@ -801,6 +801,7 @@ enable_ld_version_script with_libgpg_error_prefix with_gpg_error_prefix enable_valgrind_tests +enable_build_timestamp ' ac_precious_vars='build_alias host_alias @@ -1354,7 +1355,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libksba 1.3.3 to adapt to many kinds of systems. +\`configure' configures libksba 1.3.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1424,7 +1425,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libksba 1.3.3:";; + short | recursive ) echo "Configuration of libksba 1.3.4:";; esac cat <<\_ACEOF @@ -1451,6 +1452,9 @@ Optional Features: enable/disable use of linker version script. (default is system dependent) --enable-valgrind-tests run self tests under valgrind + --enable-build-timestamp + set an explicit build timestamp for reproducibility. + (default is the current time in ISO-8601 format) Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -1548,7 +1552,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libksba configure 1.3.3 +libksba configure 1.3.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2154,7 +2158,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libksba $as_me 1.3.3, which was +It was created by libksba $as_me 1.3.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2510,7 +2514,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu # Please remember to document interface changes in the NEWS file. LIBKSBA_LT_CURRENT=19 LIBKSBA_LT_AGE=11 -LIBKSBA_LT_REVISION=4 +LIBKSBA_LT_REVISION=5 #------------------- # If the API is changed in an incompatible way: increment the next counter. KSBA_CONFIG_API_VERSION=1 @@ -3038,7 +3042,7 @@ fi # Define the identity of the package. PACKAGE='libksba' - VERSION='1.3.3' + VERSION='1.3.4' cat >>confdefs.h <<_ACEOF @@ -14895,14 +14899,12 @@ fi # Generate extended version information for W32. if test "$have_w32_system" = yes; then - BUILD_TIMESTAMP=`date --iso-8601=minutes` BUILD_FILEVERSION=`echo "$VERSION" | sed 's/\([0-9.]*\).*/\1./;s/\./,/g'` - BUILD_FILEVERSION="${BUILD_FILEVERSION}46190" + BUILD_FILEVERSION="${BUILD_FILEVERSION}14994" fi - -BUILD_REVISION="b46ea28" +BUILD_REVISION="3a92e8c" cat >>confdefs.h <<_ACEOF @@ -14910,6 +14912,24 @@ cat >>confdefs.h <<_ACEOF _ACEOF +# Check whether --enable-build-timestamp was given. +if test "${enable_build_timestamp+set}" = set; then : + enableval=$enable_build_timestamp; if test "$enableval" = "yes"; then + BUILD_TIMESTAMP=`date -u +%Y-%m-%dT%H:%M+0000 2>/dev/null || date` + else + BUILD_TIMESTAMP="$enableval" + fi +else + BUILD_TIMESTAMP="" +fi + + + +cat >>confdefs.h <<_ACEOF +#define BUILD_TIMESTAMP "$BUILD_TIMESTAMP" +_ACEOF + + ac_config_files="$ac_config_files Makefile m4/Makefile gl/Makefile src/Makefile src/ksba-config src/versioninfo.rc tests/Makefile doc/Makefile" @@ -15467,7 +15487,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libksba $as_me 1.3.3, which was +This file was extended by libksba $as_me 1.3.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -15533,7 +15553,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libksba config.status 1.3.3 +libksba config.status 1.3.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -17529,7 +17549,7 @@ fi echo " Libksba v${VERSION} has been configured as follows: - Revision: b46ea28 (46190) + Revision: 3a92e8c (14994) Platform: $host " diff --git a/configure.ac b/configure.ac index 9b83206..7cdcf19 100644 --- a/configure.ac +++ b/configure.ac @@ -30,7 +30,7 @@ min_automake_version="1.14" m4_define([mym4_package],[libksba]) m4_define([mym4_major], [1]) m4_define([mym4_minor], [3]) -m4_define([mym4_micro], [3]) +m4_define([mym4_micro], [4]) # Below is m4 magic to extract and compute the git revision number, # the decimalized short revision number, a beta version string and a @@ -52,7 +52,7 @@ AC_INIT([mym4_package],[mym4_version], [http://bugs.gnupg.org]) # Please remember to document interface changes in the NEWS file. LIBKSBA_LT_CURRENT=19 LIBKSBA_LT_AGE=11 -LIBKSBA_LT_REVISION=4 +LIBKSBA_LT_REVISION=5 #------------------- # If the API is changed in an incompatible way: increment the next counter. KSBA_CONFIG_API_VERSION=1 @@ -380,20 +380,32 @@ AM_CONDITIONAL(CROSS_COMPILING, test x$cross_compiling != xno) # Generate extended version information for W32. if test "$have_w32_system" = yes; then - BUILD_TIMESTAMP=`date --iso-8601=minutes` changequote(,)dnl BUILD_FILEVERSION=`echo "$VERSION" | sed 's/\([0-9.]*\).*/\1./;s/\./,/g'` changequote([,])dnl BUILD_FILEVERSION="${BUILD_FILEVERSION}mym4_revision_dec" fi AC_SUBST(BUILD_REVISION) -AC_SUBST(BUILD_TIMESTAMP) AC_SUBST(BUILD_FILEVERSION) BUILD_REVISION="mym4_revision" AC_SUBST(BUILD_REVISION) AC_DEFINE_UNQUOTED(BUILD_REVISION, "$BUILD_REVISION", [GIT commit id revision used to build this package]) +AC_ARG_ENABLE([build-timestamp], + AC_HELP_STRING([--enable-build-timestamp], + [set an explicit build timestamp for reproducibility. + (default is the current time in ISO-8601 format)]), + [if test "$enableval" = "yes"; then + BUILD_TIMESTAMP=`date -u +%Y-%m-%dT%H:%M+0000 2>/dev/null || date` + else + BUILD_TIMESTAMP="$enableval" + fi], + [BUILD_TIMESTAMP=""]) +AC_SUBST(BUILD_TIMESTAMP) +AC_DEFINE_UNQUOTED(BUILD_TIMESTAMP, "$BUILD_TIMESTAMP", + [The time this package was configured for a build]) + AC_CONFIG_FILES([ Makefile diff --git a/doc/ksba.info b/doc/ksba.info index 3764330..d3bf952 100644 --- a/doc/ksba.info +++ b/doc/ksba.info @@ -8,8 +8,8 @@ END-INFO-DIR-ENTRY This file documents the KSBA library to access X.509 and CMS data structures. - This is edition 1.3.3, last updated 15 March 2013, of 'The KSBA -Reference Manual', for Version 1.3.3. + This is edition 1.3.4, last updated 15 March 2013, of 'The KSBA +Reference Manual', for Version 1.3.4. Copyright (C) 2002, 2003, 2004 g10 Code GmbH @@ -25,8 +25,8 @@ File: ksba.info, Node: Top, Next: Introduction, Up: (dir) Main Menu ********* -This is edition 1.3.3, last updated 15 March 2013, of 'The KSBA -Reference Manual', for Version 1.3.3 of the KSBA library. +This is edition 1.3.4, last updated 15 March 2013, of 'The KSBA +Reference Manual', for Version 1.3.4 of the KSBA library. Copyright (C) 2002, 2003, 2004 g10 Code GmbH diff --git a/doc/stamp-vti b/doc/stamp-vti index df3fb66..4a06fa8 100644 --- a/doc/stamp-vti +++ b/doc/stamp-vti @@ -1,4 +1,4 @@ @set UPDATED 15 March 2013 @set UPDATED-MONTH March 2013 -@set EDITION 1.3.3 -@set VERSION 1.3.3 +@set EDITION 1.3.4 +@set VERSION 1.3.4 diff --git a/doc/version.texi b/doc/version.texi index df3fb66..4a06fa8 100644 --- a/doc/version.texi +++ b/doc/version.texi @@ -1,4 +1,4 @@ @set UPDATED 15 March 2013 @set UPDATED-MONTH March 2013 -@set EDITION 1.3.3 -@set VERSION 1.3.3 +@set EDITION 1.3.4 +@set VERSION 1.3.4 diff --git a/src/ber-help.c b/src/ber-help.c index f6a6692..87109f3 100644 --- a/src/ber-help.c +++ b/src/ber-help.c @@ -285,9 +285,15 @@ _ksba_ber_parse_tl (unsigned char const **buffer, size_t *size, ti->buf[ti->nhdr++] = c; len |= c & 0xff; } + /* Sanity check for the length: This is done so that we can take + * the value for malloc plus some additional bytes without + * risking an overflow. */ + if (len > (1 << 30)) + return gpg_error (GPG_ERR_BAD_BER); ti->length = len; } + /* Without this kludge some example certs can't be parsed */ if (ti->class == CLASS_UNIVERSAL && !ti->tag) ti->length = 0; diff --git a/src/cert.c b/src/cert.c index 7f19dc1..dc97f83 100644 --- a/src/cert.c +++ b/src/cert.c @@ -464,7 +464,10 @@ ksba_cert_get_digest_algo (ksba_cert_t cert) n = _ksba_asn_find_node (cert->root, "Certificate.signatureAlgorithm"); if (!n || n->off == -1) - err = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM); + { + algo = NULL; + err = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM); + } else err = _ksba_parse_algorithm_identifier (cert->image + n->off, n->nhdr + n->len, &nread, &algo); @@ -1335,9 +1338,15 @@ ksba_cert_get_cert_policies (ksba_cert_t cert, char **r_policies) err = gpg_error (GPG_ERR_NOT_DER_ENCODED); goto leave; } + if (ti.length > derlen) + { + err = gpg_error (GPG_ERR_BAD_BER); + goto leave; + } if (!ti.length) { - err = gpg_error (GPG_ERR_INV_CERT_OBJ); /* no empty inner SEQ */ + /* We do not accept an empty inner SEQ */ + err = gpg_error (GPG_ERR_INV_CERT_OBJ); goto leave; } if (ti.nhdr+ti.length > seqlen) @@ -1356,6 +1365,11 @@ ksba_cert_get_cert_policies (ksba_cert_t cert, char **r_policies) err = gpg_error (GPG_ERR_INV_CERT_OBJ); goto leave; } + if (ti.length > derlen) + { + err = gpg_error (GPG_ERR_BAD_BER); + goto leave; + } if (ti.nhdr+ti.length > seqseqlen) { err = gpg_error (GPG_ERR_BAD_BER); @@ -1458,6 +1472,16 @@ ksba_cert_get_ext_key_usages (ksba_cert_t cert, char **result) err = gpg_error (GPG_ERR_INV_CERT_OBJ); goto leave; } + if (ti.ndef) + { + err = gpg_error (GPG_ERR_NOT_DER_ENCODED); + goto leave; + } + if (ti.length > derlen) + { + err = gpg_error (GPG_ERR_BAD_BER); + goto leave; + } suboid = ksba_oid_to_str (der, ti.length); if (!suboid) diff --git a/src/dn.c b/src/dn.c index d207bf0..cea18a1 100644 --- a/src/dn.c +++ b/src/dn.c @@ -332,11 +332,8 @@ append_utf8_value (const unsigned char *value, size_t length, } else { - if (n+nmore > length) - nmore = length - n; /* Oops, encoding to short */ - tmp[0] = *s++; n++; - for (i=1; i <= nmore; i++) + for (i=1; n < length && i <= nmore; i++) { if ( (*s & 0xc0) != 0x80) break; /* Invalid encoding - let the next cycle detect this. */ diff --git a/src/keyinfo.c b/src/keyinfo.c index 02dc7ae..265b475 100644 --- a/src/keyinfo.c +++ b/src/keyinfo.c @@ -230,19 +230,30 @@ static const struct const char *name; } curve_names[] = { + { "1.3.6.1.4.1.3029.1.5.1", "Curve25519" }, + { "1.3.6.1.4.1.11591.15.1", "Ed25519" }, + { "1.2.840.10045.3.1.1", "NIST P-192" }, + { "1.2.840.10045.3.1.1", "nistp192" }, { "1.2.840.10045.3.1.1", "prime192v1" }, { "1.2.840.10045.3.1.1", "secp192r1" }, - { "1.3.132.0.33", "secp224r1" }, + { "1.3.132.0.33", "NIST P-224" }, + { "1.3.132.0.33", "nistp224" }, + { "1.3.132.0.33", "secp224r1" }, - { "1.2.840.10045.3.1.7", "NIST P-256", }, + { "1.2.840.10045.3.1.7", "NIST P-256" }, + { "1.2.840.10045.3.1.7", "nistp256" }, { "1.2.840.10045.3.1.7", "prime256v1" }, { "1.2.840.10045.3.1.7", "secp256r1" }, - { "1.3.132.0.34", "secp384r1" }, + { "1.3.132.0.34", "NIST P-384" }, + { "1.3.132.0.34", "nistp384" }, + { "1.3.132.0.34", "secp384r1" }, - { "1.3.132.0.35", "secp521r1" }, + { "1.3.132.0.35", "NIST P-521" }, + { "1.3.132.0.35", "nistp521" }, + { "1.3.132.0.35", "secp521r1" }, { "1.3.36.3.3.2.8.1.1.1" , "brainpoolP160r1" }, { "1.3.36.3.3.2.8.1.1.3" , "brainpoolP192r1" }, @@ -252,6 +263,15 @@ static const struct { "1.3.36.3.3.2.8.1.1.11", "brainpoolP384r1" }, { "1.3.36.3.3.2.8.1.1.13", "brainpoolP512r1" }, + + { "1.2.643.2.2.35.1", "GOST2001-CryptoPro-A" }, + { "1.2.643.2.2.35.2", "GOST2001-CryptoPro-B" }, + { "1.2.643.2.2.35.3", "GOST2001-CryptoPro-C" }, + { "1.2.643.7.1.2.1.2.1", "GOST2012-tc26-A" }, + { "1.2.643.7.1.2.1.2.2", "GOST2012-tc26-B" }, + + { "1.3.132.0.10", "secp256k1" }, + { NULL, NULL} }; @@ -322,10 +342,10 @@ get_ecc_curve_oid (const unsigned char *buf, size_t buflen, size_t *r_oidlen) if (buflen == strlen (curve_names[i].name) && !memcmp (buf, curve_names[i].name, buflen)) break; - if (curve_names[i].oid) + if (!curve_names[i].oid) return NULL; /* Not found. */ - buf = curve_names[i].name; - buflen = strlen (curve_names[i].name); + buf = curve_names[i].oid; + buflen = strlen (curve_names[i].oid); } if (_ksba_oid_from_buf (buf, buflen, &der_oid, r_oidlen)) diff --git a/src/name.c b/src/name.c index c734199..371fc41 100644 --- a/src/name.c +++ b/src/name.c @@ -113,7 +113,7 @@ _ksba_name_new_from_der (ksba_name_t *r_name, *r_name = NULL; - /* count and check for encoding errors - we won;t do this again + /* Count and check for encoding errors - we won't do this again during the second pass */ der = image; derlen = imagelen; diff --git a/src/ocsp.c b/src/ocsp.c index 85679bb..c053b18 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -231,6 +231,8 @@ parse_asntime_into_isotime (unsigned char const **buf, size_t *len, && (ti.tag == TYPE_UTC_TIME || ti.tag == TYPE_GENERALIZED_TIME) && !ti.is_constructed) ) err = gpg_error (GPG_ERR_INV_OBJ); + else if (ti.length > *len) + err = gpg_error (GPG_ERR_INV_BER); else if (!(err = _ksba_asntime_to_iso (*buf, ti.length, ti.tag == TYPE_UTC_TIME, isotime))) parse_skip (buf, len, &ti); diff --git a/tests/cert-basic.c b/tests/cert-basic.c index 91b394e..4d460bc 100644 --- a/tests/cert-basic.c +++ b/tests/cert-basic.c @@ -448,7 +448,8 @@ one_file (const char *fname) oid = ksba_cert_get_digest_algo (cert); s = get_oid_desc (oid); - printf (" hash algo.: %s%s%s%s\n", oid, s?" (":"",s?s:"",s?")":""); + printf (" hash algo.: %s%s%s%s\n", + oid?oid:"(null)", s?" (":"",s?s:"",s?")":""); /* Under Windows the _ksba_keyinfo_from_sexp are not exported. */ #ifndef __WIN32 -- 2.7.4