diff options
| author | tb <> | 2024-12-26 14:10:48 +0000 |
|---|---|---|
| committer | tb <> | 2024-12-26 14:10:48 +0000 |
| commit | ebda9abb68eb926f45d2aa1487bf8bc7bde24dcb (patch) | |
| tree | 33bf09ee8b1dbbd1ec4b648e57ef806f2687bbcd | |
| parent | be2f68fff5adbeaa409fe574baefba9174d3d0e0 (diff) | |
| download | openbsd-ebda9abb68eb926f45d2aa1487bf8bc7bde24dcb.tar.gz openbsd-ebda9abb68eb926f45d2aa1487bf8bc7bde24dcb.tar.bz2 openbsd-ebda9abb68eb926f45d2aa1487bf8bc7bde24dcb.zip | |
Plug a bunch of leaks in the PKCS 12 code
The competition whether the code or the standard it implements is worse
is still ongoing, and still has two strong competitors...
ok jsing
| -rw-r--r-- | src/usr.bin/openssl/pkcs12.c | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/src/usr.bin/openssl/pkcs12.c b/src/usr.bin/openssl/pkcs12.c index 69e230eff9..1407a96e03 100644 --- a/src/usr.bin/openssl/pkcs12.c +++ b/src/usr.bin/openssl/pkcs12.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: pkcs12.c,v 1.28 2024/08/22 12:14:33 tb Exp $ */ | 1 | /* $OpenBSD: pkcs12.c,v 1.29 2024/12/26 14:10:48 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project. | 3 | * project. |
| 4 | */ | 4 | */ |
| @@ -653,8 +653,16 @@ pkcs12_main(int argc, char **argv) | |||
| 653 | cfg.certfile, FORMAT_PEM, NULL, | 653 | cfg.certfile, FORMAT_PEM, NULL, |
| 654 | "certificates from certfile")) == NULL) | 654 | "certificates from certfile")) == NULL) |
| 655 | goto export_end; | 655 | goto export_end; |
| 656 | while (sk_X509_num(morecerts) > 0) | 656 | while (sk_X509_num(morecerts) > 0) { |
| 657 | sk_X509_push(certs, sk_X509_shift(morecerts)); | 657 | X509 *cert = sk_X509_shift(morecerts); |
| 658 | |||
| 659 | if (!sk_X509_push(certs, cert)) { | ||
| 660 | X509_free(cert); | ||
| 661 | sk_X509_pop_free(morecerts, X509_free); | ||
| 662 | goto export_end; | ||
| 663 | } | ||
| 664 | } | ||
| 665 | |||
| 658 | sk_X509_free(morecerts); | 666 | sk_X509_free(morecerts); |
| 659 | } | 667 | } |
| 660 | 668 | ||
| @@ -678,11 +686,18 @@ pkcs12_main(int argc, char **argv) | |||
| 678 | 686 | ||
| 679 | if (vret == X509_V_OK) { | 687 | if (vret == X509_V_OK) { |
| 680 | /* Exclude verified certificate */ | 688 | /* Exclude verified certificate */ |
| 681 | for (i = 1; i < sk_X509_num(chain2); i++) | 689 | X509_free(sk_X509_shift(chain2)); |
| 682 | sk_X509_push(certs, sk_X509_value( | 690 | |
| 683 | chain2, i)); | 691 | while (sk_X509_num(chain2) > 0) { |
| 684 | /* Free first certificate */ | 692 | X509 *cert = sk_X509_shift(chain2); |
| 685 | X509_free(sk_X509_value(chain2, 0)); | 693 | |
| 694 | if (!sk_X509_push(certs, cert)) { | ||
| 695 | X509_free(cert); | ||
| 696 | sk_X509_pop_free(chain2, | ||
| 697 | X509_free); | ||
| 698 | goto export_end; | ||
| 699 | } | ||
| 700 | } | ||
| 686 | sk_X509_free(chain2); | 701 | sk_X509_free(chain2); |
| 687 | } else { | 702 | } else { |
| 688 | if (vret != X509_V_ERR_UNSPECIFIED) | 703 | if (vret != X509_V_ERR_UNSPECIFIED) |
| @@ -692,6 +707,7 @@ pkcs12_main(int argc, char **argv) | |||
| 692 | vret)); | 707 | vret)); |
| 693 | else | 708 | else |
| 694 | ERR_print_errors(bio_err); | 709 | ERR_print_errors(bio_err); |
| 710 | sk_X509_pop_free(chain2, X509_free); | ||
| 695 | goto export_end; | 711 | goto export_end; |
| 696 | } | 712 | } |
| 697 | } | 713 | } |