Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[17099] Fix chain of trust issues #3294

Merged
merged 7 commits into from
Feb 15, 2023
Merged

[17099] Fix chain of trust issues #3294

Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
8167f72
Refs #17099. Added malicious permissions file.
MiguelCompany Feb 10, 2023
235e829
Refs #17099. Added regression test.
MiguelCompany Feb 10, 2023
86dbee2
Refs #17099. Put common code on auxiliary method.
MiguelCompany Feb 13, 2023
c6cc232
Refs #17099. Fix issue.
MiguelCompany Feb 13, 2023
0414a90
Refs #17099. Uncrustify and comment.
MiguelCompany Feb 14, 2023
21c80b8
Refs #17099. Check input before allocating output.
MiguelCompany Feb 14, 2023
c72eb06
Refs #17099. Improve error messages.
MiguelCompany Feb 15, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
111 changes: 54 additions & 57 deletions src/cpp/security/accesscontrol/Permissions.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -346,6 +346,46 @@ static bool rfc2253_string_compare(
}

// Auxiliary functions
static BIO* load_and_verify_document(
X509_STORE* store,
BIO* in,
SecurityException& exception)
{
BIO* out = nullptr;

assert(nullptr != store);
assert(nullptr != in);

BIO* indata = nullptr;
PKCS7* p7 = SMIME_read_PKCS7(in, &indata);
if (nullptr == p7)
{
exception = _SecurityException_("Cannot read as PKCS7 the file ");
EduPonz marked this conversation as resolved.
Show resolved Hide resolved
return nullptr;
EduPonz marked this conversation as resolved.
Show resolved Hide resolved
}

out = BIO_new(BIO_s_mem());
if (nullptr == out)
{
exception = _SecurityException_("Cannot allocate output BIO");
}
else if (!PKCS7_verify(p7, nullptr, store, indata, out, PKCS7_TEXT))
{
exception = _SecurityException_("Failed verification of the file ");
BIO_free(out);
out = nullptr;
}

PKCS7_free(p7);

if (indata != nullptr)
{
BIO_free(indata);
}

return out;
}

static X509_STORE* load_permissions_ca(
const std::string& permissions_ca,
bool& there_are_crls,
Expand Down Expand Up @@ -374,34 +414,9 @@ static BIO* load_signed_file(
if (file.size() >= 7 && file.compare(0, 7, "file://") == 0)
{
BIO* in = BIO_new_file(file.substr(7).c_str(), "r");

if (in != nullptr)
{
BIO* indata = nullptr;
PKCS7* p7 = SMIME_read_PKCS7(in, &indata);

if (p7 != nullptr)
{
out = BIO_new(BIO_s_mem());
if (!PKCS7_verify(p7, nullptr, store, indata, out, PKCS7_TEXT))
{
exception = _SecurityException_(std::string("Failed verification of the file ") + file);
BIO_free(out);
out = nullptr;
}

PKCS7_free(p7);
}
else
{
exception = _SecurityException_(std::string("Cannot read as PKCS7 the file ") + file);
}

if (indata != nullptr)
{
BIO_free(indata);
}

out = load_and_verify_document(store, in, exception);
BIO_free(in);
}
else
Expand Down Expand Up @@ -506,57 +521,39 @@ static bool verify_permissions_file(
if (permissions_file.size() <= static_cast<size_t>(std::numeric_limits<int>::max()))
{
BIO* permissions_buf = BIO_new_mem_buf(permissions_file.data(), static_cast<int>(permissions_file.size()));

if (permissions_buf != nullptr)
{
BIO* indata = nullptr;
PKCS7* p7 = SMIME_read_PKCS7(permissions_buf, &indata);

if (p7 != nullptr)
BIO* out = load_and_verify_document(local_handle->store_, permissions_buf, exception);
if (nullptr != out)
{
BIO* out = BIO_new(BIO_s_mem());
if (PKCS7_verify(p7, nullptr, local_handle->store_, indata, out, PKCS7_TEXT))
{
BUF_MEM* ptr = nullptr;
BIO_get_mem_ptr(out, &ptr);
BUF_MEM* ptr = nullptr;
BIO_get_mem_ptr(out, &ptr);

if (ptr != nullptr)
if (ptr != nullptr)
{
PermissionsParser parser;
if ((returned_value = parser.parse_stream(ptr->data, ptr->length)) == true)
{
PermissionsParser parser;
if ((returned_value = parser.parse_stream(ptr->data, ptr->length)) == true)
{
parser.swap(permissions);
returned_value = true;
}
else
{
exception = _SecurityException_(std::string(
"Malformed permissions file ") + permissions_file);
}
parser.swap(permissions);
returned_value = true;
}
else
{
exception = _SecurityException_("OpenSSL library cannot retrieve mem ptr from file.");
exception = _SecurityException_(std::string(
"Malformed permissions file ") + permissions_file);
}
}
else
{
exception = _SecurityException_("Failed verification of the permissions file");
exception = _SecurityException_("OpenSSL library cannot retrieve mem ptr from file.");
}

BIO_free(out);
PKCS7_free(p7);
}
else
{
exception = _SecurityException_("Cannot read as PKCS7 the permissions file.");
}

if (indata != nullptr)
{
BIO_free(indata);
}

BIO_free(permissions_buf);
}
}
Expand Down