You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
184 lines
5.3 KiB
184 lines
5.3 KiB
diff -up openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_doit.c |
|
--- openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref 2013-02-11 16:26:04.000000000 +0100 |
|
+++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-03-18 18:54:10.064871658 +0100 |
|
@@ -272,6 +272,27 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) |
|
PKCS7_RECIP_INFO *ri=NULL; |
|
ASN1_OCTET_STRING *os=NULL; |
|
|
|
+ if (p7 == NULL) |
|
+ { |
|
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER); |
|
+ return NULL; |
|
+ } |
|
+ /* |
|
+ * The content field in the PKCS7 ContentInfo is optional, but that really |
|
+ * only applies to inner content (precisely, detached signatures). |
|
+ * |
|
+ * When reading content, missing outer content is therefore treated as an |
|
+ * error. |
|
+ * |
|
+ * When creating content, PKCS7_content_new() must be called before |
|
+ * calling this method, so a NULL p7->d is always an error. |
|
+ */ |
|
+ if (p7->d.ptr == NULL) |
|
+ { |
|
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT); |
|
+ return NULL; |
|
+ } |
|
+ |
|
i=OBJ_obj2nid(p7->type); |
|
p7->state=PKCS7_S_HEADER; |
|
|
|
@@ -433,6 +454,18 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE |
|
unsigned char *ek = NULL, *tkey = NULL; |
|
int eklen = 0, tkeylen = 0; |
|
|
|
+ if (p7 == NULL) |
|
+ { |
|
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER); |
|
+ return NULL; |
|
+ } |
|
+ |
|
+ if (p7->d.ptr == NULL) |
|
+ { |
|
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); |
|
+ return NULL; |
|
+ } |
|
+ |
|
i=OBJ_obj2nid(p7->type); |
|
p7->state=PKCS7_S_HEADER; |
|
|
|
@@ -440,6 +473,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE |
|
{ |
|
case NID_pkcs7_signed: |
|
data_body=PKCS7_get_octet_string(p7->d.sign->contents); |
|
+ if (!PKCS7_is_detached(p7) && data_body == NULL) |
|
+ { |
|
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, |
|
+ PKCS7_R_NO_CONTENT); |
|
+ goto err; |
|
+ } |
|
md_sk=p7->d.sign->md_algs; |
|
break; |
|
case NID_pkcs7_signedAndEnveloped: |
|
@@ -747,6 +786,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) |
|
STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; |
|
ASN1_OCTET_STRING *os=NULL; |
|
|
|
+ if (p7 == NULL) |
|
+ { |
|
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER); |
|
+ return 0; |
|
+ } |
|
+ |
|
+ if (p7->d.ptr == NULL) |
|
+ { |
|
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT); |
|
+ return 0; |
|
+ } |
|
+ |
|
EVP_MD_CTX_init(&ctx_tmp); |
|
i=OBJ_obj2nid(p7->type); |
|
p7->state=PKCS7_S_HEADER; |
|
@@ -791,6 +842,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) |
|
/* If detached data then the content is excluded */ |
|
if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { |
|
M_ASN1_OCTET_STRING_free(os); |
|
+ os = NULL; |
|
p7->d.sign->contents->d.data = NULL; |
|
} |
|
break; |
|
@@ -801,6 +853,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) |
|
if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) |
|
{ |
|
M_ASN1_OCTET_STRING_free(os); |
|
+ os = NULL; |
|
p7->d.digest->contents->d.data = NULL; |
|
} |
|
break; |
|
@@ -873,23 +926,32 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) |
|
M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); |
|
} |
|
|
|
- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) |
|
+ if (!PKCS7_is_detached(p7)) |
|
{ |
|
- char *cont; |
|
- long contlen; |
|
- btmp=BIO_find_type(bio,BIO_TYPE_MEM); |
|
- if (btmp == NULL) |
|
- { |
|
- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); |
|
+ /* |
|
+ * NOTE(emilia): I think we only reach os == NULL here because detached |
|
+ * digested data support is broken. |
|
+ */ |
|
+ if (os == NULL) |
|
goto err; |
|
+ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) |
|
+ { |
|
+ char *cont; |
|
+ long contlen; |
|
+ btmp=BIO_find_type(bio,BIO_TYPE_MEM); |
|
+ if (btmp == NULL) |
|
+ { |
|
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); |
|
+ goto err; |
|
+ } |
|
+ contlen = BIO_get_mem_data(btmp, &cont); |
|
+ /* Mark the BIO read only then we can use its copy of the data |
|
+ * instead of making an extra copy. |
|
+ */ |
|
+ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); |
|
+ BIO_set_mem_eof_return(btmp, 0); |
|
+ ASN1_STRING_set0(os, (unsigned char *)cont, contlen); |
|
} |
|
- contlen = BIO_get_mem_data(btmp, &cont); |
|
- /* Mark the BIO read only then we can use its copy of the data |
|
- * instead of making an extra copy. |
|
- */ |
|
- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); |
|
- BIO_set_mem_eof_return(btmp, 0); |
|
- ASN1_STRING_set0(os, (unsigned char *)cont, contlen); |
|
} |
|
ret=1; |
|
err: |
|
@@ -928,6 +990,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_ |
|
if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0) |
|
goto err; |
|
OPENSSL_free(abuf); |
|
+ abuf = NULL; |
|
if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) |
|
goto err; |
|
abuf = OPENSSL_malloc(siglen); |
|
@@ -965,6 +1028,18 @@ int PKCS7_dataVerify(X509_STORE *cert_st |
|
STACK_OF(X509) *cert; |
|
X509 *x509; |
|
|
|
+ if (p7 == NULL) |
|
+ { |
|
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER); |
|
+ return 0; |
|
+ } |
|
+ |
|
+ if (p7->d.ptr == NULL) |
|
+ { |
|
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT); |
|
+ return 0; |
|
+ } |
|
+ |
|
if (PKCS7_type_is_signed(p7)) |
|
{ |
|
cert=p7->d.sign->cert; |
|
diff -up openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_lib.c |
|
--- openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref 2013-02-11 16:26:04.000000000 +0100 |
|
+++ openssl-1.0.1e/crypto/pkcs7/pk7_lib.c 2015-03-18 18:05:58.398767116 +0100 |
|
@@ -459,6 +459,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV |
|
|
|
STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7) |
|
{ |
|
+ if (p7 == NULL || p7->d.ptr == NULL) |
|
+ return NULL; |
|
if (PKCS7_type_is_signed(p7)) |
|
{ |
|
return(p7->d.sign->signer_info);
|
|
|