]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 46eee71)
Add some additional NULL checks to prevent segfaults.
authorShane Lontis <shane.lontis@oracle.com>
Mon, 12 Apr 2021 01:19:21 +0000 (11:19 +1000)
committerShane Lontis <shane.lontis@oracle.com>
Wed, 14 Apr 2021 06:05:00 +0000 (16:05 +1000)
Fixes #14809

PR #14752 attempted to pass the libctx, propq in a few places related to
X509 signing. There were a few places that needed additional NULL checks so that they behavethe same as they did before.

OCSP_basic_sign() was changed to call EVP_DigestSignInit_ex() which passed the parameter EVP_MD_name(dgst). Since dgst can be NULL EVP_MD_name() was segfaulting.
Adding an additional NULL check EVP_MD_name() resolves this issue.

The other NULL checks are required to produce errors rather than
segfaults if the certificate is NULL.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14826)

crypto/evp/evp_lib.c patch | blob | blame | history
crypto/ocsp/ocsp_srv.c patch | blob | blame | history
crypto/x509/x_crl.c patch | blob | blame | history

diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index a707285c91a6e6e4aee928287ff580032629c55c..6c578bd8ba9c15e279b8df762947ae866f89d6d4 100644 (file)
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -701,6 +701,8 @@ const char *EVP_MD_description(const EVP_MD *md)
 
 const char *EVP_MD_name(const EVP_MD *md)
 {
+    if (md == NULL)
+        return NULL;
     if (md->prov != NULL)
         return evp_first_name(md->prov, md->name_id);
 #ifndef FIPS_MODULE
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 4187446e1cff7da59431a9281c410ac3de86d824..1475bb0f7e4b7d2e0dfd1612b23011b5f3ed34b3 100644 (file)
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -278,6 +278,8 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
 
 int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
 {
+    if (cert == NULL)
+        return 0;
     return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq);
 }
 
@@ -319,5 +321,7 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
 
 int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
 {
+    if (cert == NULL)
+        return 0;
     return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq);
 }
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 4b90e5b7563b056ea0b426f04abe3df94c1c0bb5..d77746a2b2d7756051f6e385dfca08984e95d394 100644 (file)
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -393,9 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
 
 static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
 {
-    return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
-                                &crl->sig_alg, &crl->signature, &crl->crl, NULL,
-                                r, crl->libctx, crl->propq));
+    return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
+                               &crl->sig_alg, &crl->signature, &crl->crl, NULL,
+                               r, crl->libctx, crl->propq);
 }
 
 static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,
A mirror of the official openssl repository