Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix a text canonicalisation bug in CMS #5790

Closed
wants to merge 1 commit into from
Closed

Fix a text canonicalisation bug in CMS #5790

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
22 changes: 21 additions & 1 deletion CHANGES
View file
Open in desktop
Expand Up @@ -290,7 +290,27 @@
issues, has been replaced to always returns NULL.
[Rich Salz]

Changes between 1.1.0g and 1.1.0h [xx XXX xxxx]

Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]

*) Fixed a text canonicalisation bug in CMS

Where a CMS detatched signature is used with text content the text goes
through a canonicalisation process first prior to signing or verifying a
signature. This process strips trailing space at the end of lines, converts
line terminators to CRLF and removes additional trailing line terminators
at the end of a file. A bug in the canonicalisation process meant that
some characters, such as form-feed, were incorrectly treated as whitespace
and removed. This is contrary to the specification (RFC5485). This fix
could mean that detatched text data signed with an earlier version of
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

'detatched'... maybe a quick spell checking round?

OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
signed with a fixed OpenSSL may fail to verify with an earlier version of
OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
and use the "-binary" flag (for the "cms" command line application) or set
the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
[Matt Caswell]

Changes between 1.1.0g and 1.1.0h [27 Mar 2018]

*) Constructed ASN.1 types with a recursive definition could exceed the stack

Expand Down
8 changes: 5 additions & 3 deletions crypto/asn1/asn_mime.c
View file
Open in desktop
Expand Up @@ -953,12 +953,14 @@ static int strip_eol(char *linebuf, int *plen, int flags)

for (p = linebuf + len - 1; len > 0; len--, p--) {
c = *p;
if (c == '\n')
if (c == '\n') {
is_eol = 1;
else if (is_eol && flags & SMIME_ASCIICRLF && c < 33)
} else if (is_eol && flags & SMIME_ASCIICRLF && c == 32) {
/* Strip trailing space on a line; 32 == ASCII for ' ' */
continue;
else if (c != '\r')
} else if (c != '\r') {
break;
}
}
*plen = len;
return is_eol;
Expand Down