Fix various NULL dereferences in PKCS #12

The PKCS #7 ContentInfo has a mandatory contentType, but the content itself
is OPTIONAL. Various unpacking API assumed presence of the content type is
enough to access members of the content, resulting in crashes.

Reported by Bahaa Naamneh on libressl-security, many thanks

ok jsing

1 files changed, 7 insertions, 3 deletions

diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index f0e6df9eb6..c71ed735ea 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.35 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.36 2024/01/25 13:44:08 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -115,6 +115,7 @@ PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
 {
         const EVP_MD *md_type;
         HMAC_CTX *hmac = NULL;
+        ASN1_OCTET_STRING *aos;
         unsigned char key[EVP_MAX_MD_SIZE], *salt;
         int saltlen, iter;
         int md_size;
@@ -124,6 +125,10 @@ PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
                 PKCS12error(PKCS12_R_CONTENT_TYPE_NOT_DATA);
                 goto err;
         }
+        if ((aos = PKCS7_get_octet_string(p12->authsafes)) == NULL) {
+                PKCS12error(PKCS12_R_DECODE_ERROR);
+                goto err;
+        }
 
         salt = p12->mac->salt->data;
         saltlen = p12->mac->salt->length;
@@ -155,8 +160,7 @@ PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
                 goto err;
         if (!HMAC_Init_ex(hmac, key, md_size, md_type, NULL))
                 goto err;
-        if (!HMAC_Update(hmac, p12->authsafes->d.data->data,
-            p12->authsafes->d.data->length))
+        if (!HMAC_Update(hmac, aos->data, aos->length))
                 goto err;
         if (!HMAC_Final(hmac, mac, maclen))
                 goto err;