From 1d0fa26428d28339b561d511076aed7276b1aa18 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 6 Dec 2022 14:51:54 +0000
Subject: [PATCH] Ensure ossl_cms_EncryptedContent_init_bio() reports an error
 on no OID

If the cipher being used in ossl_cms_EncryptedContent_init_bio() has no
associated OID then we should report an error rather than continuing on
regardless. Continuing on still ends up failing - but later on and with a
more cryptic error message.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19920)
---
 crypto/cms/cms_enc.c     | 5 +++++
 crypto/cms/cms_err.c     | 2 ++
 crypto/err/openssl.txt   | 2 ++
 include/openssl/cmserr.h | 1 +
 4 files changed, 10 insertions(+)

diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index fc490303d4c..6f077b339a8 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -68,7 +68,12 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
 
     if (enc) {
         int ivlen;
+
         calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx));
+        if (calg->algorithm == NULL) {
+            CMSerr(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM);
+            goto err;
+        }
         /* Generate a random IV if we need one */
         ivlen = EVP_CIPHER_CTX_iv_length(ctx);
         if (ivlen > 0) {
diff --git a/crypto/cms/cms_err.c b/crypto/cms/cms_err.c
index a211f4954ce..408fe13b87d 100644
--- a/crypto/cms/cms_err.c
+++ b/crypto/cms/cms_err.c
@@ -264,6 +264,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_ID), "unknown id"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM),
     "unsupported compression algorithm"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM),
+    "unsupported content encryption algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_TYPE),
     "unsupported content type"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEK_ALGORITHM),
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 902e97b8435..9f91a4a811e 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2023,6 +2023,8 @@ CMS_R_UNKNOWN_CIPHER:148:unknown cipher
 CMS_R_UNKNOWN_DIGEST_ALGORITHM:149:unknown digest algorithm
 CMS_R_UNKNOWN_ID:150:unknown id
 CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM:151:unsupported compression algorithm
+CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM:194:\
+	unsupported content encryption algorithm
 CMS_R_UNSUPPORTED_CONTENT_TYPE:152:unsupported content type
 CMS_R_UNSUPPORTED_KEK_ALGORITHM:153:unsupported kek algorithm
 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM:179:\
diff --git a/include/openssl/cmserr.h b/include/openssl/cmserr.h
index 7dbc13dc939..d589f592c80 100644
--- a/include/openssl/cmserr.h
+++ b/include/openssl/cmserr.h
@@ -187,6 +187,7 @@ int ERR_load_CMS_strings(void);
 #  define CMS_R_UNKNOWN_DIGEST_ALGORITHM                   149
 #  define CMS_R_UNKNOWN_ID                                 150
 #  define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM          151
+#  define CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM   194
 #  define CMS_R_UNSUPPORTED_CONTENT_TYPE                   152
 #  define CMS_R_UNSUPPORTED_KEK_ALGORITHM                  153
 #  define CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM       179
-- 
2.47.2