diff options
| author | doug <> | 2015-03-15 22:52:17 +0000 |
|---|---|---|
| committer | doug <> | 2015-03-15 22:52:17 +0000 |
| commit | 09abc5bf0229b90d3588a393613e09d669ec3581 (patch) | |
| tree | 01ebe7687db1cbf2e70dbdb4cc39085a746ed078 | |
| parent | 2d03a31822d6ba85150d11917bead7662359a267 (diff) | |
| download | openbsd-09abc5bf0229b90d3588a393613e09d669ec3581.tar.gz openbsd-09abc5bf0229b90d3588a393613e09d669ec3581.tar.bz2 openbsd-09abc5bf0229b90d3588a393613e09d669ec3581.zip | |
Avoid a NULL pointer deref when X509_get_pubkey() returns NULL.
A NULL pointer could be dereferenced when X509_REQ_set_pubkey() calls
X509_PUBKEY_set() with pktmp.
OpenSSL says it's the fix for CVE-2015-0288, but there aren't any public
details yet to confirm. Either way, we should fix this.
Based on OpenSSL commit 28a00bcd8e318da18031b2ac8778c64147cd54f9
and BoringSSL commit 9d102ddbc0f6ed835ed12272a3d8a627d6a8e728.
"looks sane" beck@
ok miod@, bcook@
| -rw-r--r-- | src/lib/libcrypto/x509/x509_req.c | 6 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/x509/x509_req.c | 6 |
2 files changed, 8 insertions, 4 deletions
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c index 452ce0a512..8813f372cc 100644 --- a/src/lib/libcrypto/x509/x509_req.c +++ b/src/lib/libcrypto/x509/x509_req.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_req.c,v 1.16 2014/09/28 10:50:33 miod Exp $ */ | 1 | /* $OpenBSD: x509_req.c,v 1.17 2015/03/15 22:52:17 doug Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -94,7 +94,9 @@ X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) | |||
| 94 | if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x))) | 94 | if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x))) |
| 95 | goto err; | 95 | goto err; |
| 96 | 96 | ||
| 97 | pktmp = X509_get_pubkey(x); | 97 | if ((pktmp = X509_get_pubkey(x)) == NULL) |
| 98 | goto err; | ||
| 99 | |||
| 98 | i = X509_REQ_set_pubkey(ret, pktmp); | 100 | i = X509_REQ_set_pubkey(ret, pktmp); |
| 99 | EVP_PKEY_free(pktmp); | 101 | EVP_PKEY_free(pktmp); |
| 100 | if (!i) | 102 | if (!i) |
diff --git a/src/lib/libssl/src/crypto/x509/x509_req.c b/src/lib/libssl/src/crypto/x509/x509_req.c index 452ce0a512..8813f372cc 100644 --- a/src/lib/libssl/src/crypto/x509/x509_req.c +++ b/src/lib/libssl/src/crypto/x509/x509_req.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_req.c,v 1.16 2014/09/28 10:50:33 miod Exp $ */ | 1 | /* $OpenBSD: x509_req.c,v 1.17 2015/03/15 22:52:17 doug Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -94,7 +94,9 @@ X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) | |||
| 94 | if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x))) | 94 | if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x))) |
| 95 | goto err; | 95 | goto err; |
| 96 | 96 | ||
| 97 | pktmp = X509_get_pubkey(x); | 97 | if ((pktmp = X509_get_pubkey(x)) == NULL) |
| 98 | goto err; | ||
| 99 | |||
| 98 | i = X509_REQ_set_pubkey(ret, pktmp); | 100 | i = X509_REQ_set_pubkey(ret, pktmp); |
| 99 | EVP_PKEY_free(pktmp); | 101 | EVP_PKEY_free(pktmp); |
| 100 | if (!i) | 102 | if (!i) |