diff options
| author | Shane Lontis <shane.lontis@oracle.com> | 2021-04-12 11:19:21 +1000 |
|---|---|---|
| committer | Shane Lontis <shane.lontis@oracle.com> | 2021-04-14 16:05:00 +1000 |
| commit | 5c107243877121f84037a5aaf19457f87458e8ed (patch) | |
| tree | 8b3ef6e620890f5c1cb4ec1e1cdad9ca74c9888e /crypto | |
| parent | 46eee7104d77f9d303e06a398febdc60fd014d33 (diff) | |
Add some additional NULL checks to prevent segfaults.
Fixes #14809
PR #14752 attempted to pass the libctx, propq in a few places related to
X509 signing. There were a few places that needed additional NULL checks so that they behavethe same as they did before.
OCSP_basic_sign() was changed to call EVP_DigestSignInit_ex() which passed the parameter EVP_MD_name(dgst). Since dgst can be NULL EVP_MD_name() was segfaulting.
Adding an additional NULL check EVP_MD_name() resolves this issue.
The other NULL checks are required to produce errors rather than
segfaults if the certificate is NULL.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14826)
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/evp/evp_lib.c | 2 | ||||
| -rw-r--r-- | crypto/ocsp/ocsp_srv.c | 4 | ||||
| -rw-r--r-- | crypto/x509/x_crl.c | 6 |
3 files changed, 9 insertions, 3 deletions
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index a707285c91..6c578bd8ba 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -701,6 +701,8 @@ const char *EVP_MD_description(const EVP_MD *md) const char *EVP_MD_name(const EVP_MD *md) { + if (md == NULL) + return NULL; if (md->prov != NULL) return evp_first_name(md->prov, md->name_id); #ifndef FIPS_MODULE diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c index 4187446e1c..1475bb0f7e 100644 --- a/crypto/ocsp/ocsp_srv.c +++ b/crypto/ocsp/ocsp_srv.c @@ -278,6 +278,8 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert, int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert) { + if (cert == NULL) + return 0; return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq); } @@ -319,5 +321,7 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx, int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert) { + if (cert == NULL) + return 0; return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq); } diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c index 4b90e5b756..d77746a2b2 100644 --- a/crypto/x509/x_crl.c +++ b/crypto/x509/x_crl.c @@ -393,9 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x) static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r) { - return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO), - &crl->sig_alg, &crl->signature, &crl->crl, NULL, - r, crl->libctx, crl->propq)); + return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO), + &crl->sig_alg, &crl->signature, &crl->crl, NULL, + r, crl->libctx, crl->propq); } static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm, |