[openssl] master update

kaishen.yy at antfin.com kaishen.yy at antfin.com
Sun Sep 29 01:57:11 UTC 2019 

The branch master has been updated
       via  d3329973f0ad6cf8065998118c3fb4183003d71a (commit)
       via  dbb72124cdf1ad0dc223cfd570219e9af043ce7f (commit)
      from  e7fb44e7c3f7a37ff83a6b69ba51a738e549bf5c (commit)


- Log -----------------------------------------------------------------
commit d3329973f0ad6cf8065998118c3fb4183003d71a
Author: Paul Yang <kaishen.yy at antfin.com>
Date:   Thu Sep 26 10:57:23 2019 +0800

    Fix a document description in apps/req
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/9958)

commit dbb72124cdf1ad0dc223cfd570219e9af043ce7f
Author: Paul Yang <kaishen.yy at antfin.com>
Date:   Sat Sep 21 00:32:57 2019 +0800

    Fix a double free issue when signing SM2 cert
    
    If the SM2 ID value has not been passed correctly when signing an SM2
    certificate/certificate request, a double free occurs. For instance:
    
      openssl req -x509 ... -sm2-id 1234567812345678
    
    The '-sm2-id' should not be used in this scenario, while the '-sigopt' is
    the correct one to use. Documentation has also been updated to make the
    options more clear.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/9958)

-----------------------------------------------------------------------

Summary of changes:
 apps/req.c               | 48 ++++++++++++++++++++++++++++++------------------
 doc/man1/openssl-req.pod |  8 ++++----
 2 files changed, 34 insertions(+), 22 deletions(-)

diff --git a/apps/req.c b/apps/req.c
index f11d341c12..1c9672cca1 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1751,15 +1751,19 @@ int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
 #endif
 
     rv = do_sign_init(mctx, pkey, md, sigopts);
-    if (rv > 0)
+    if (rv > 0) {
         rv = X509_sign_ctx(x, mctx);
 #ifndef OPENSSL_NO_SM2
-    /* only in SM2 case we need to free the pctx explicitly */
-    if (ec_pkey_is_sm2(pkey)) {
-        pctx = EVP_MD_CTX_pkey_ctx(mctx);
-        EVP_PKEY_CTX_free(pctx);
-    }
+        /*
+         * only in SM2 case we need to free the pctx explicitly
+         * if do_sign_init() fails, pctx is already freed in it
+         */
+        if (ec_pkey_is_sm2(pkey)) {
+            pctx = EVP_MD_CTX_pkey_ctx(mctx);
+            EVP_PKEY_CTX_free(pctx);
+        }
 #endif
+    }
     EVP_MD_CTX_free(mctx);
     return rv > 0 ? 1 : 0;
 }
@@ -1774,15 +1778,19 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
 #endif
 
     rv = do_sign_init(mctx, pkey, md, sigopts);
-    if (rv > 0)
+    if (rv > 0) {
         rv = X509_REQ_sign_ctx(x, mctx);
 #ifndef OPENSSL_NO_SM2
-    /* only in SM2 case we need to free the pctx explicitly */
-    if (ec_pkey_is_sm2(pkey)) {
-        pctx = EVP_MD_CTX_pkey_ctx(mctx);
-        EVP_PKEY_CTX_free(pctx);
-    }
+        /*
+         * only in SM2 case we need to free the pctx explicitly
+         * if do_sign_init() fails, pctx is already freed in it
+         */
+        if (ec_pkey_is_sm2(pkey)) {
+            pctx = EVP_MD_CTX_pkey_ctx(mctx);
+            EVP_PKEY_CTX_free(pctx);
+        }
 #endif
+    }
     EVP_MD_CTX_free(mctx);
     return rv > 0 ? 1 : 0;
 }
@@ -1797,15 +1805,19 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
 #endif
 
     rv = do_sign_init(mctx, pkey, md, sigopts);
-    if (rv > 0)
+    if (rv > 0) {
         rv = X509_CRL_sign_ctx(x, mctx);
 #ifndef OPENSSL_NO_SM2
-    /* only in SM2 case we need to free the pctx explicitly */
-    if (ec_pkey_is_sm2(pkey)) {
-        pctx = EVP_MD_CTX_pkey_ctx(mctx);
-        EVP_PKEY_CTX_free(pctx);
-    }
+        /*
+         * only in SM2 case we need to free the pctx explicitly
+         * if do_sign_init() fails, no need to double free pctx
+         */
+        if (ec_pkey_is_sm2(pkey)) {
+            pctx = EVP_MD_CTX_pkey_ctx(mctx);
+            EVP_PKEY_CTX_free(pctx);
+        }
 #endif
+    }
     EVP_MD_CTX_free(mctx);
     return rv > 0 ? 1 : 0;
 }
diff --git a/doc/man1/openssl-req.pod b/doc/man1/openssl-req.pod
index 4300504f87..7453d5e7e9 100644
--- a/doc/man1/openssl-req.pod
+++ b/doc/man1/openssl-req.pod
@@ -342,13 +342,13 @@ for key generation operations.
 
 =item B<-sm2-id>
 
-Specify the ID string to use when verifying an SM2 certificate. The ID string is
-required by the SM2 signature algorithm for signing and verification.
+Specify the ID string to use when verifying an SM2 certificate request. The ID
+string is required by the SM2 signature algorithm for signing and verification.
 
 =item B<-sm2-hex-id>
 
-Specify a binary ID string to use when signing or verifying using an SM2
-certificate. The argument for this option is string of hexadecimal digits.
+Specify a binary ID string to use when verifying an SM2 certificate request. The
+argument for this option is string of hexadecimal digits.
 
 =back

More information about the openssl-commits mailing list