Add safety checks to PKCS12_SAFEBAG_get0_bag*() functions
authorTomas Mraz <tomas@openssl.org>
Wed, 12 Nov 2025 15:49:04 +0000 (16:49 +0100)
committerTomas Mraz <tomas@openssl.org>
Fri, 14 Nov 2025 17:31:55 +0000 (18:31 +0100)
Fixes #26655

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29128)

(cherry picked from commit 7776744a5912ac9346bf04bf60570b149243eb33)

crypto/pkcs12/p12_sbag.c

index 04ef0b74edef4ab0eecf600a539ad192c660f3a6..c7ecfb24391d7518cee574e3025ad9730697a000 100644 (file)
@@ -74,11 +74,20 @@ int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag)
 
 const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag)
 {
+    int btype = PKCS12_SAFEBAG_get_nid(bag);
+
+    if (btype != NID_certBag && btype != NID_crlBag && btype != NID_secretBag)
+        return NULL;
     return bag->value.bag->type;
 }
 
 const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag)
 {
+    int vtype = PKCS12_SAFEBAG_get_bag_nid(bag);
+
+    if (vtype == -1 || vtype == NID_x509Certificate || vtype == NID_x509Crl
+        || vtype == NID_sdsiCertificate)
+        return NULL;
     return bag->value.bag->value.other;
 }
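Review bot: The deny-list added to PKCS12_SAFEBAG_get0_bag_obj (`vtype == NID_x509Certificate || vtype == NID_x509Crl || vtype == NID_sdsiCertificate`) has no comment saying why exactly these three inner types are rejected, so nothing ties it to the definition it presumably mirrors: the typed members that share storage with `value.other`. If another typed member is added later and this list is not extended, the getter would again return that member as an ASN1_TYPE, which is the confusion the check is there to prevent. I would add above the check `/* value.other is only valid for bag types without a dedicated member; keep in sync with the PKCS12_BAGS definition */`. Both getters can now return NULL where they previously always dereferenced `bag->value.bag`, so the function documentation and any caller that uses the result unchecked need the same update; neither is visible in this hunk.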