If the SM2 ID value has not been passed correctly when signing an SM2
certificate/certificate request, a double free occurs. For instance:
openssl req -x509 ... -sm2-id
1234567812345678
The '-sm2-id' should not be used in this scenario, while the '-sigopt' is
the correct one to use. Documentation has also been updated to make the
options more clear.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9958)
#endif
rv = do_sign_init(mctx, pkey, md, sigopts);
#endif
rv = do_sign_init(mctx, pkey, md, sigopts);
rv = X509_sign_ctx(x, mctx);
#ifndef OPENSSL_NO_SM2
rv = X509_sign_ctx(x, mctx);
#ifndef OPENSSL_NO_SM2
- /* only in SM2 case we need to free the pctx explicitly */
- if (ec_pkey_is_sm2(pkey)) {
- pctx = EVP_MD_CTX_pkey_ctx(mctx);
- EVP_PKEY_CTX_free(pctx);
- }
+ /*
+ * only in SM2 case we need to free the pctx explicitly
+ * if do_sign_init() fails, pctx is already freed in it
+ */
+ if (ec_pkey_is_sm2(pkey)) {
+ pctx = EVP_MD_CTX_pkey_ctx(mctx);
+ EVP_PKEY_CTX_free(pctx);
+ }
EVP_MD_CTX_free(mctx);
return rv > 0 ? 1 : 0;
}
EVP_MD_CTX_free(mctx);
return rv > 0 ? 1 : 0;
}
#endif
rv = do_sign_init(mctx, pkey, md, sigopts);
#endif
rv = do_sign_init(mctx, pkey, md, sigopts);
rv = X509_REQ_sign_ctx(x, mctx);
#ifndef OPENSSL_NO_SM2
rv = X509_REQ_sign_ctx(x, mctx);
#ifndef OPENSSL_NO_SM2
- /* only in SM2 case we need to free the pctx explicitly */
- if (ec_pkey_is_sm2(pkey)) {
- pctx = EVP_MD_CTX_pkey_ctx(mctx);
- EVP_PKEY_CTX_free(pctx);
- }
+ /*
+ * only in SM2 case we need to free the pctx explicitly
+ * if do_sign_init() fails, pctx is already freed in it
+ */
+ if (ec_pkey_is_sm2(pkey)) {
+ pctx = EVP_MD_CTX_pkey_ctx(mctx);
+ EVP_PKEY_CTX_free(pctx);
+ }
EVP_MD_CTX_free(mctx);
return rv > 0 ? 1 : 0;
}
EVP_MD_CTX_free(mctx);
return rv > 0 ? 1 : 0;
}
#endif
rv = do_sign_init(mctx, pkey, md, sigopts);
#endif
rv = do_sign_init(mctx, pkey, md, sigopts);
rv = X509_CRL_sign_ctx(x, mctx);
#ifndef OPENSSL_NO_SM2
rv = X509_CRL_sign_ctx(x, mctx);
#ifndef OPENSSL_NO_SM2
- /* only in SM2 case we need to free the pctx explicitly */
- if (ec_pkey_is_sm2(pkey)) {
- pctx = EVP_MD_CTX_pkey_ctx(mctx);
- EVP_PKEY_CTX_free(pctx);
- }
+ /*
+ * only in SM2 case we need to free the pctx explicitly
+ * if do_sign_init() fails, no need to double free pctx
+ */
+ if (ec_pkey_is_sm2(pkey)) {
+ pctx = EVP_MD_CTX_pkey_ctx(mctx);
+ EVP_PKEY_CTX_free(pctx);
+ }
EVP_MD_CTX_free(mctx);
return rv > 0 ? 1 : 0;
}
EVP_MD_CTX_free(mctx);
return rv > 0 ? 1 : 0;
}
-Specify the ID string to use when verifying an SM2 certificate. The ID string is
-required by the SM2 signature algorithm for signing and verification.
+Specify the ID string to use when verifying an SM2 certificate request. The ID
+string is required by the SM2 signature algorithm for signing and verification.