[openssl] master update

shane.lontis at oracle.com shane.lontis at oracle.com
Wed Apr 14 06:07:28 UTC 2021


The branch master has been updated
       via  5c107243877121f84037a5aaf19457f87458e8ed (commit)
      from  46eee7104d77f9d303e06a398febdc60fd014d33 (commit)


- Log -----------------------------------------------------------------
commit 5c107243877121f84037a5aaf19457f87458e8ed
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Mon Apr 12 11:19:21 2021 +1000

    Add some additional NULL checks to prevent segfaults.
    
    Fixes #14809
    
    PR #14752 attempted to pass the libctx, propq in a few places related to
    X509 signing. There were a few places that needed additional NULL checks so that they behavethe same as they did before.
    
    OCSP_basic_sign() was changed to call EVP_DigestSignInit_ex() which passed the parameter EVP_MD_name(dgst). Since dgst can be NULL EVP_MD_name() was segfaulting.
    Adding an additional NULL check EVP_MD_name() resolves this issue.
    
    The other NULL checks are required to produce errors rather than
    segfaults if the certificate is NULL.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14826)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/evp_lib.c   | 2 ++
 crypto/ocsp/ocsp_srv.c | 4 ++++
 crypto/x509/x_crl.c    | 6 +++---
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index a707285c91..6c578bd8ba 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -701,6 +701,8 @@ const char *EVP_MD_description(const EVP_MD *md)
 
 const char *EVP_MD_name(const EVP_MD *md)
 {
+    if (md == NULL)
+        return NULL;
     if (md->prov != NULL)
         return evp_first_name(md->prov, md->name_id);
 #ifndef FIPS_MODULE
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 4187446e1c..1475bb0f7e 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -278,6 +278,8 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
 
 int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
 {
+    if (cert == NULL)
+        return 0;
     return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq);
 }
 
@@ -319,5 +321,7 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
 
 int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
 {
+    if (cert == NULL)
+        return 0;
     return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq);
 }
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 4b90e5b756..d77746a2b2 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -393,9 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
 
 static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
 {
-    return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
-                                &crl->sig_alg, &crl->signature, &crl->crl, NULL,
-                                r, crl->libctx, crl->propq));
+    return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
+                               &crl->sig_alg, &crl->signature, &crl->crl, NULL,
+                               r, crl->libctx, crl->propq);
 }
 
 static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,


More information about the openssl-commits mailing list