185 lines
5.3 KiB
Diff
185 lines
5.3 KiB
Diff
diff -up openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_doit.c
|
|
--- openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-03-18 18:54:10.064871658 +0100
|
|
@@ -272,6 +272,27 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
|
|
PKCS7_RECIP_INFO *ri=NULL;
|
|
ASN1_OCTET_STRING *os=NULL;
|
|
|
|
+ if (p7 == NULL)
|
|
+ {
|
|
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
|
|
+ return NULL;
|
|
+ }
|
|
+ /*
|
|
+ * The content field in the PKCS7 ContentInfo is optional, but that really
|
|
+ * only applies to inner content (precisely, detached signatures).
|
|
+ *
|
|
+ * When reading content, missing outer content is therefore treated as an
|
|
+ * error.
|
|
+ *
|
|
+ * When creating content, PKCS7_content_new() must be called before
|
|
+ * calling this method, so a NULL p7->d is always an error.
|
|
+ */
|
|
+ if (p7->d.ptr == NULL)
|
|
+ {
|
|
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
i=OBJ_obj2nid(p7->type);
|
|
p7->state=PKCS7_S_HEADER;
|
|
|
|
@@ -433,6 +454,18 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
|
unsigned char *ek = NULL, *tkey = NULL;
|
|
int eklen = 0, tkeylen = 0;
|
|
|
|
+ if (p7 == NULL)
|
|
+ {
|
|
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ if (p7->d.ptr == NULL)
|
|
+ {
|
|
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
i=OBJ_obj2nid(p7->type);
|
|
p7->state=PKCS7_S_HEADER;
|
|
|
|
@@ -440,6 +473,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
|
{
|
|
case NID_pkcs7_signed:
|
|
data_body=PKCS7_get_octet_string(p7->d.sign->contents);
|
|
+ if (!PKCS7_is_detached(p7) && data_body == NULL)
|
|
+ {
|
|
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE,
|
|
+ PKCS7_R_NO_CONTENT);
|
|
+ goto err;
|
|
+ }
|
|
md_sk=p7->d.sign->md_algs;
|
|
break;
|
|
case NID_pkcs7_signedAndEnveloped:
|
|
@@ -747,6 +786,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
|
|
STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
|
|
ASN1_OCTET_STRING *os=NULL;
|
|
|
|
+ if (p7 == NULL)
|
|
+ {
|
|
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ if (p7->d.ptr == NULL)
|
|
+ {
|
|
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
EVP_MD_CTX_init(&ctx_tmp);
|
|
i=OBJ_obj2nid(p7->type);
|
|
p7->state=PKCS7_S_HEADER;
|
|
@@ -791,6 +842,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
|
|
/* If detached data then the content is excluded */
|
|
if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
|
|
M_ASN1_OCTET_STRING_free(os);
|
|
+ os = NULL;
|
|
p7->d.sign->contents->d.data = NULL;
|
|
}
|
|
break;
|
|
@@ -801,6 +853,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
|
|
if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
|
|
{
|
|
M_ASN1_OCTET_STRING_free(os);
|
|
+ os = NULL;
|
|
p7->d.digest->contents->d.data = NULL;
|
|
}
|
|
break;
|
|
@@ -873,23 +926,32 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
|
|
M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
|
|
}
|
|
|
|
- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
|
|
+ if (!PKCS7_is_detached(p7))
|
|
{
|
|
- char *cont;
|
|
- long contlen;
|
|
- btmp=BIO_find_type(bio,BIO_TYPE_MEM);
|
|
- if (btmp == NULL)
|
|
- {
|
|
- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
|
|
+ /*
|
|
+ * NOTE(emilia): I think we only reach os == NULL here because detached
|
|
+ * digested data support is broken.
|
|
+ */
|
|
+ if (os == NULL)
|
|
goto err;
|
|
+ if (!(os->flags & ASN1_STRING_FLAG_NDEF))
|
|
+ {
|
|
+ char *cont;
|
|
+ long contlen;
|
|
+ btmp=BIO_find_type(bio,BIO_TYPE_MEM);
|
|
+ if (btmp == NULL)
|
|
+ {
|
|
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
|
|
+ goto err;
|
|
+ }
|
|
+ contlen = BIO_get_mem_data(btmp, &cont);
|
|
+ /* Mark the BIO read only then we can use its copy of the data
|
|
+ * instead of making an extra copy.
|
|
+ */
|
|
+ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
|
|
+ BIO_set_mem_eof_return(btmp, 0);
|
|
+ ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
|
|
}
|
|
- contlen = BIO_get_mem_data(btmp, &cont);
|
|
- /* Mark the BIO read only then we can use its copy of the data
|
|
- * instead of making an extra copy.
|
|
- */
|
|
- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
|
|
- BIO_set_mem_eof_return(btmp, 0);
|
|
- ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
|
|
}
|
|
ret=1;
|
|
err:
|
|
@@ -928,6 +990,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_
|
|
if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0)
|
|
goto err;
|
|
OPENSSL_free(abuf);
|
|
+ abuf = NULL;
|
|
if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
|
|
goto err;
|
|
abuf = OPENSSL_malloc(siglen);
|
|
@@ -965,6 +1028,18 @@ int PKCS7_dataVerify(X509_STORE *cert_st
|
|
STACK_OF(X509) *cert;
|
|
X509 *x509;
|
|
|
|
+ if (p7 == NULL)
|
|
+ {
|
|
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ if (p7->d.ptr == NULL)
|
|
+ {
|
|
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
if (PKCS7_type_is_signed(p7))
|
|
{
|
|
cert=p7->d.sign->cert;
|
|
diff -up openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_lib.c
|
|
--- openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/crypto/pkcs7/pk7_lib.c 2015-03-18 18:05:58.398767116 +0100
|
|
@@ -459,6 +459,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV
|
|
|
|
STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
|
|
{
|
|
+ if (p7 == NULL || p7->d.ptr == NULL)
|
|
+ return NULL;
|
|
if (PKCS7_type_is_signed(p7))
|
|
{
|
|
return(p7->d.sign->signer_info);
|