The branch master has been updated
via 5c107243877121f84037a5aaf19457f87458e8ed (commit)
from 46eee7104d77f9d303e06a398febdc60fd014d33 (commit)
- Log -----------------------------------------------------------------
commit 5c107243877121f84037a5aaf19457f87458e8ed
Author: Shane Lontis <[email protected]>
Date: Mon Apr 12 11:19:21 2021 +1000
Add some additional NULL checks to prevent segfaults.
Fixes #14809
PR #14752 attempted to pass the libctx, propq in a few places related to
X509 signing. There were a few places that needed additional NULL checks so
that they behavethe same as they did before.
OCSP_basic_sign() was changed to call EVP_DigestSignInit_ex() which passed
the parameter EVP_MD_name(dgst). Since dgst can be NULL EVP_MD_name() was
segfaulting.
Adding an additional NULL check EVP_MD_name() resolves this issue.
The other NULL checks are required to produce errors rather than
segfaults if the certificate is NULL.
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/14826)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/evp_lib.c | 2 ++
crypto/ocsp/ocsp_srv.c | 4 ++++
crypto/x509/x_crl.c | 6 +++---
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index a707285c91..6c578bd8ba 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -701,6 +701,8 @@ const char *EVP_MD_description(const EVP_MD *md)
const char *EVP_MD_name(const EVP_MD *md)
{
+ if (md == NULL)
+ return NULL;
if (md->prov != NULL)
return evp_first_name(md->prov, md->name_id);
#ifndef FIPS_MODULE
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 4187446e1c..1475bb0f7e 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -278,6 +278,8 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509
*cert,
int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
{
+ if (cert == NULL)
+ return 0;
return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq);
}
@@ -319,5 +321,7 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert,
OSSL_LIB_CTX *libctx,
int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
{
+ if (cert == NULL)
+ return 0;
return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq);
}
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 4b90e5b756..d77746a2b2 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -393,9 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED
**ret, X509 *x)
static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
{
- return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
- &crl->sig_alg, &crl->signature, &crl->crl,
NULL,
- r, crl->libctx, crl->propq));
+ return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
+ &crl->sig_alg, &crl->signature, &crl->crl, NULL,
+ r, crl->libctx, crl->propq);
}
static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,
