[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Wed Apr 14 06:07:28 UTC 2021
The branch master has been updated
via 5c107243877121f84037a5aaf19457f87458e8ed (commit)
from 46eee7104d77f9d303e06a398febdc60fd014d33 (commit)
- Log -----------------------------------------------------------------
commit 5c107243877121f84037a5aaf19457f87458e8ed
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Mon Apr 12 11:19:21 2021 +1000
Add some additional NULL checks to prevent segfaults.
Fixes #14809
PR #14752 attempted to pass the libctx, propq in a few places related to
X509 signing. There were a few places that needed additional NULL checks so that they behavethe same as they did before.
OCSP_basic_sign() was changed to call EVP_DigestSignInit_ex() which passed the parameter EVP_MD_name(dgst). Since dgst can be NULL EVP_MD_name() was segfaulting.
Adding an additional NULL check EVP_MD_name() resolves this issue.
The other NULL checks are required to produce errors rather than
segfaults if the certificate is NULL.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14826)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/evp_lib.c | 2 ++
crypto/ocsp/ocsp_srv.c | 4 ++++
crypto/x509/x_crl.c | 6 +++---
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index a707285c91..6c578bd8ba 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -701,6 +701,8 @@ const char *EVP_MD_description(const EVP_MD *md)
const char *EVP_MD_name(const EVP_MD *md)
{
+ if (md == NULL)
+ return NULL;
if (md->prov != NULL)
return evp_first_name(md->prov, md->name_id);
#ifndef FIPS_MODULE
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 4187446e1c..1475bb0f7e 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -278,6 +278,8 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
{
+ if (cert == NULL)
+ return 0;
return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq);
}
@@ -319,5 +321,7 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
{
+ if (cert == NULL)
+ return 0;
return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq);
}
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 4b90e5b756..d77746a2b2 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -393,9 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
{
- return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
- &crl->sig_alg, &crl->signature, &crl->crl, NULL,
- r, crl->libctx, crl->propq));
+ return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
+ &crl->sig_alg, &crl->signature, &crl->crl, NULL,
+ r, crl->libctx, crl->propq);
}
static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,
More information about the openssl-commits
mailing list