diff options
| author | tb <> | 2025-07-31 02:02:35 +0000 |
|---|---|---|
| committer | tb <> | 2025-07-31 02:02:35 +0000 |
| commit | 5c9cc2d0035cb59dfcacb47001ca9b8392b3732b (patch) | |
| tree | febd0c4807ef70a818cceffdfb2a38fcacce470d | |
| parent | ec8cce1dd4e99a67543a272dfa89573835b3d118 (diff) | |
| download | openbsd-5c9cc2d0035cb59dfcacb47001ca9b8392b3732b.tar.gz openbsd-5c9cc2d0035cb59dfcacb47001ca9b8392b3732b.tar.bz2 openbsd-5c9cc2d0035cb59dfcacb47001ca9b8392b3732b.zip | |
Plug leaks due to misuse of PKCS7_add_signed_attribute()
set0/add0 functions that can fail are the worst. Without fail this trips
up both users and authors (by and large these are two identical groups
consisting of a single person), resulting in leaks and double frees.
In today's episode of spelunking in the gruesome gore provided by the
PKCS#7 and Time-Stamp protocol "implementations", we fix a couple of
leaks in PKCS7_add_attrib_smimecap() and ESS_add_signing_cert().
We do so by recalling that there is i2d_X509_ALGORS(), so we might
as well put it to use instead of inlining it poorly (aka, without
error checking). Normalize said error checking and ensure ownership
is handled correctly in the usual single-exit idiom.
ESS_add_signing_cert() can also make use of proper i2d handling, so
it's simpler and correct and in the end looks pretty much the same
as PKCS7_add_attrib_smimecap().
ok kenjiro
| -rw-r--r-- | src/lib/libcrypto/pkcs7/pk7_attr.c | 38 | ||||
| -rw-r--r-- | src/lib/libcrypto/ts/ts_rsp_sign.c | 40 |
2 files changed, 52 insertions, 26 deletions
diff --git a/src/lib/libcrypto/pkcs7/pk7_attr.c b/src/lib/libcrypto/pkcs7/pk7_attr.c index bf775735d9..9a822eaecd 100644 --- a/src/lib/libcrypto/pkcs7/pk7_attr.c +++ b/src/lib/libcrypto/pkcs7/pk7_attr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: pk7_attr.c,v 1.18 2025/07/28 04:29:00 tb Exp $ */ | 1 | /* $OpenBSD: pk7_attr.c,v 1.19 2025/07/31 02:02:35 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2001. | 3 | * project 2001. |
| 4 | */ | 4 | */ |
| @@ -69,15 +69,37 @@ | |||
| 69 | int | 69 | int |
| 70 | PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap) | 70 | PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap) |
| 71 | { | 71 | { |
| 72 | ASN1_STRING *seq; | 72 | ASN1_STRING *seq = NULL; |
| 73 | if (!(seq = ASN1_STRING_new())) { | 73 | unsigned char *data = NULL; |
| 74 | int len = 0; | ||
| 75 | int ret = 0; | ||
| 76 | |||
| 77 | if ((len = i2d_X509_ALGORS(cap, &data)) <= 0) { | ||
| 78 | len = 0; | ||
| 79 | goto err; | ||
| 80 | } | ||
| 81 | |||
| 82 | if ((seq = ASN1_STRING_new()) == NULL) { | ||
| 74 | PKCS7error(ERR_R_MALLOC_FAILURE); | 83 | PKCS7error(ERR_R_MALLOC_FAILURE); |
| 75 | return 0; | 84 | goto err; |
| 76 | } | 85 | } |
| 77 | seq->length = ASN1_item_i2d((ASN1_VALUE *)cap, &seq->data, | 86 | |
| 78 | &X509_ALGORS_it); | 87 | ASN1_STRING_set0(seq, data, len); |
| 79 | return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities, | 88 | data = NULL; |
| 80 | V_ASN1_SEQUENCE, seq); | 89 | len = 0; |
| 90 | |||
| 91 | if (!PKCS7_add_signed_attribute(si, NID_SMIMECapabilities, | ||
| 92 | V_ASN1_SEQUENCE, seq)) | ||
| 93 | goto err; | ||
| 94 | seq = NULL; | ||
| 95 | |||
| 96 | ret = 1; | ||
| 97 | |||
| 98 | err: | ||
| 99 | ASN1_STRING_free(seq); | ||
| 100 | freezero(data, len); | ||
| 101 | |||
| 102 | return ret; | ||
| 81 | } | 103 | } |
| 82 | LCRYPTO_ALIAS(PKCS7_add_attrib_smimecap); | 104 | LCRYPTO_ALIAS(PKCS7_add_attrib_smimecap); |
| 83 | 105 | ||
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c index d35f6a7c94..b8cc7e2baf 100644 --- a/src/lib/libcrypto/ts/ts_rsp_sign.c +++ b/src/lib/libcrypto/ts/ts_rsp_sign.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ts_rsp_sign.c,v 1.36 2025/05/10 05:54:39 tb Exp $ */ | 1 | /* $OpenBSD: ts_rsp_sign.c,v 1.37 2025/07/31 02:02:35 tb Exp $ */ |
| 2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL | 2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL |
| 3 | * project 2002. | 3 | * project 2002. |
| 4 | */ | 4 | */ |
| @@ -955,28 +955,32 @@ static int | |||
| 955 | ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) | 955 | ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) |
| 956 | { | 956 | { |
| 957 | ASN1_STRING *seq = NULL; | 957 | ASN1_STRING *seq = NULL; |
| 958 | unsigned char *p, *pp = NULL; | 958 | unsigned char *data = NULL; |
| 959 | int len; | 959 | int len = 0; |
| 960 | int ret = 0; | ||
| 960 | 961 | ||
| 961 | len = i2d_ESS_SIGNING_CERT(sc, NULL); | 962 | if ((len = i2d_ESS_SIGNING_CERT(sc, &data)) <= 0) { |
| 962 | if (!(pp = malloc(len))) { | 963 | len = 0; |
| 963 | TSerror(ERR_R_MALLOC_FAILURE); | ||
| 964 | goto err; | 964 | goto err; |
| 965 | } | 965 | } |
| 966 | p = pp; | 966 | |
| 967 | i2d_ESS_SIGNING_CERT(sc, &p); | 967 | if ((seq = ASN1_STRING_new()) == NULL) |
| 968 | if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) { | ||
| 969 | TSerror(ERR_R_MALLOC_FAILURE); | ||
| 970 | goto err; | 968 | goto err; |
| 971 | } | ||
| 972 | free(pp); | ||
| 973 | pp = NULL; | ||
| 974 | return PKCS7_add_signed_attribute(si, | ||
| 975 | NID_id_smime_aa_signingCertificate, V_ASN1_SEQUENCE, seq); | ||
| 976 | 969 | ||
| 977 | err: | 970 | ASN1_STRING_set0(seq, data, len); |
| 971 | data = NULL; | ||
| 972 | len = 0; | ||
| 973 | |||
| 974 | if (!PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate, | ||
| 975 | V_ASN1_SEQUENCE, seq)) | ||
| 976 | goto err; | ||
| 977 | seq = NULL; | ||
| 978 | |||
| 979 | ret = 1; | ||
| 980 | |||
| 981 | err: | ||
| 978 | ASN1_STRING_free(seq); | 982 | ASN1_STRING_free(seq); |
| 979 | free(pp); | 983 | freezero(data, len); |
| 980 | 984 | ||
| 981 | return 0; | 985 | return ret; |
| 982 | } | 986 | } |