From d607dd7e5bc5c08854ec0c9baff70ba4a35be36f Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 29 May 2017 16:33:20 -0500 Subject: Enlarge _oid2txt buffer to handle larger OIDs (#3612) The OpenSSL manual recommends a buffer size of 80 for OBJ_oid2txt: https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values. But OIDs longer than this occur in real life (e.g. Active Directory makes some very long OIDs). If the length of the stringified OID exceeds the buffer size, allocate a new buffer that is big enough to hold the stringified OID, and re-do the conversion into the new buffer. --- src/cryptography/hazmat/backends/openssl/decode_asn1.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'src') diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py index 19df4c8c..282e30f0 100644 --- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py +++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py @@ -24,9 +24,23 @@ from cryptography.x509.oid import ( def _obj2txt(backend, obj): # Set to 80 on the recommendation of # https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values + # + # But OIDs longer than this occur in real life (e.g. Active + # Directory makes some very long OIDs). So we need to detect + # and properly handle the case where the default buffer is not + # big enough. + # buf_len = 80 buf = backend._ffi.new("char[]", buf_len) + + # 'res' is the number of bytes that *would* be written if the + # buffer is large enough. If 'res' > buf_len - 1, we need to + # alloc a big-enough buffer and go again. res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1) + if res > buf_len - 1: # account for terminating null byte + buf_len = res + 1 + buf = backend._ffi.new("char[]", buf_len) + res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1) backend.openssl_assert(res > 0) return backend._ffi.buffer(buf, res)[:].decode() -- cgit v1.2.3