Use X509_ALGOR_set_evp_md() in CMS_add1_signer()

Contrary to X509_ALGOR_set_md() this allows for error checking. Avoid local complications by freeing in the exit path and use a const version of X509_ALGOR for walking a STACK_OF() to avoid a bad free. Clean up includes ok jsing
author: tb <> 2023-10-18 07:30:49 +0000
committer: tb <> 2023-10-18 07:30:49 +0000
commit: 8e27400f3be8740bb959238b66aa047cb43bfd4a (patch)
tree: 891c04b5acb4fc33249481dffcf149fb653a2c15 /src
parent: 46c5c914ea23794d946df13aad0d291d383c1765 (diff)
download: openbsd-8e27400f3be8740bb959238b66aa047cb43bfd4a.tar.gz
openbsd-8e27400f3be8740bb959238b66aa047cb43bfd4a.tar.bz2
openbsd-8e27400f3be8740bb959238b66aa047cb43bfd4a.zip
1 files changed, 24 insertions, 16 deletions
diff --git a/src/lib/libcrypto/cms/cms_sd.c b/src/lib/libcrypto/cms/cms_sd.c
index 245822971b..5f472311d0 100644
--- a/src/lib/libcrypto/cms/cms_sd.c
+++ b/src/lib/libcrypto/cms/cms_sd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_sd.c,v 1.28 2023/09/11 09:29:30 tb Exp $ */
+/* $OpenBSD: cms_sd.c,v 1.29 2023/10/18 07:30:49 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -52,18 +52,22 @@
 * ====================================================================
 */
+#include <stdlib.h>
 #include <string.h>
-#include "cryptlib.h"
+#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
+#include <openssl/bio.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
 #include <openssl/err.h>
+#include <openssl/evp.h>
 #include <openssl/cms.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include "asn1_local.h"
 #include "cms_local.h"
-#include "asn1/asn1_local.h"
+#include "evp_local.h"
-#include "evp/evp_local.h"
+#include "x509_local.h"
 /* CMS SignedData Utilities */
@@ -279,7 +283,7 @@ CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk,
 {
        CMS_SignedData *sd;
        CMS_SignerInfo *si = NULL;
-        X509_ALGOR *alg;
+        X509_ALGOR *alg = NULL;
        int i, type;
        if (!X509_check_private_key(signer, pk)) {
@@ -337,26 +341,29 @@ CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk,
                goto err;
        }
-        X509_ALGOR_set_md(si->digestAlgorithm, md);
+        if (!X509_ALGOR_set_evp_md(si->digestAlgorithm, md))
+                goto err;
        /* See if digest is present in digestAlgorithms */
        for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) {
+                const X509_ALGOR *x509_alg;
                const ASN1_OBJECT *aoid;
-                alg = sk_X509_ALGOR_value(sd->digestAlgorithms, i);
-                X509_ALGOR_get0(&aoid, NULL, NULL, alg);
+                x509_alg = sk_X509_ALGOR_value(sd->digestAlgorithms, i);
+                X509_ALGOR_get0(&aoid, NULL, NULL, x509_alg);
                if (OBJ_obj2nid(aoid) == EVP_MD_type(md))
                        break;
        }
        if (i == sk_X509_ALGOR_num(sd->digestAlgorithms)) {
-                alg = X509_ALGOR_new();
+                if ((alg = X509_ALGOR_new()) == NULL)
-                if (alg == NULL)
+                        goto merr;
+                if (!X509_ALGOR_set_evp_md(alg, md))
                        goto merr;
-                X509_ALGOR_set_md(alg, md);
                if (!sk_X509_ALGOR_push(sd->digestAlgorithms, alg)) {
-                        X509_ALGOR_free(alg);
                        goto merr;
                }
+                alg = NULL;
        }
        if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0))
@@ -422,6 +429,7 @@ CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk,
        CMSerror(ERR_R_MALLOC_FAILURE);
 err:
        ASN1_item_free((ASN1_VALUE *)si, &CMS_SignerInfo_it);
+        X509_ALGOR_free(alg);
        return NULL;
 }
author	tb <>	2023-10-18 07:30:49 +0000
committer	tb <>	2023-10-18 07:30:49 +0000
commit	8e27400f3be8740bb959238b66aa047cb43bfd4a (patch)
tree	891c04b5acb4fc33249481dffcf149fb653a2c15 /src
parent	46c5c914ea23794d946df13aad0d291d383c1765 (diff)
download	openbsd-8e27400f3be8740bb959238b66aa047cb43bfd4a.tar.gz openbsd-8e27400f3be8740bb959238b66aa047cb43bfd4a.tar.bz2 openbsd-8e27400f3be8740bb959238b66aa047cb43bfd4a.zip

diff --git a/src/lib/libcrypto/cms/cms_sd.c b/src/lib/libcrypto/cms/cms_sd.c index 245822971b..5f472311d0 100644 --- a/src/lib/libcrypto/cms/cms_sd.c +++ b/src/lib/libcrypto/cms/cms_sd.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_sd.c,v 1.28 2023/09/11 09:29:30 tb Exp $ */	1	/* $OpenBSD: cms_sd.c,v 1.29 2023/10/18 07:30:49 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -52,18 +52,22 @@
52	* ====================================================================	52	* ====================================================================
53	*/	53	*/
54		54
		55	#include <stdlib.h>
55	#include <string.h>	56	#include <string.h>
56		57
57	#include "cryptlib.h"	58	#include <openssl/asn1.h>
58	#include <openssl/asn1t.h>	59	#include <openssl/bio.h>
59	#include <openssl/pem.h>
60	#include <openssl/x509.h>
61	#include <openssl/x509v3.h>
62	#include <openssl/err.h>	60	#include <openssl/err.h>
		61	#include <openssl/evp.h>
63	#include <openssl/cms.h>	62	#include <openssl/cms.h>
		63	#include <openssl/objects.h>
		64	#include <openssl/x509.h>
		65	#include <openssl/x509v3.h>
		66
		67	#include "asn1_local.h"
64	#include "cms_local.h"	68	#include "cms_local.h"
65	#include "asn1/asn1_local.h"	69	#include "evp_local.h"
66	#include "evp/evp_local.h"	70	#include "x509_local.h"
67		71
68	/* CMS SignedData Utilities */	72	/* CMS SignedData Utilities */
69		73
@@ -279,7 +283,7 @@ CMS_add1_signer(CMS_ContentInfo cms, X509 signer, EVP_PKEY *pk,
279	{	283	{
280	CMS_SignedData *sd;	284	CMS_SignedData *sd;
281	CMS_SignerInfo *si = NULL;	285	CMS_SignerInfo *si = NULL;
282	X509_ALGOR *alg;	286	X509_ALGOR *alg = NULL;
283	int i, type;	287	int i, type;
284		288
285	if (!X509_check_private_key(signer, pk)) {	289	if (!X509_check_private_key(signer, pk)) {
@@ -337,26 +341,29 @@ CMS_add1_signer(CMS_ContentInfo cms, X509 signer, EVP_PKEY *pk,
337	goto err;	341	goto err;
338	}	342	}
339		343
340	X509_ALGOR_set_md(si->digestAlgorithm, md);	344	if (!X509_ALGOR_set_evp_md(si->digestAlgorithm, md))
		345	goto err;
341		346
342	/* See if digest is present in digestAlgorithms */	347	/* See if digest is present in digestAlgorithms */
343	for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) {	348	for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) {
		349	const X509_ALGOR *x509_alg;
344	const ASN1_OBJECT *aoid;	350	const ASN1_OBJECT *aoid;
345	alg = sk_X509_ALGOR_value(sd->digestAlgorithms, i);	351
346	X509_ALGOR_get0(&aoid, NULL, NULL, alg);	352	x509_alg = sk_X509_ALGOR_value(sd->digestAlgorithms, i);
		353	X509_ALGOR_get0(&aoid, NULL, NULL, x509_alg);
347	if (OBJ_obj2nid(aoid) == EVP_MD_type(md))	354	if (OBJ_obj2nid(aoid) == EVP_MD_type(md))
348	break;	355	break;
349	}	356	}
350		357
351	if (i == sk_X509_ALGOR_num(sd->digestAlgorithms)) {	358	if (i == sk_X509_ALGOR_num(sd->digestAlgorithms)) {
352	alg = X509_ALGOR_new();	359	if ((alg = X509_ALGOR_new()) == NULL)
353	if (alg == NULL)	360	goto merr;
		361	if (!X509_ALGOR_set_evp_md(alg, md))
354	goto merr;	362	goto merr;
355	X509_ALGOR_set_md(alg, md);
356	if (!sk_X509_ALGOR_push(sd->digestAlgorithms, alg)) {	363	if (!sk_X509_ALGOR_push(sd->digestAlgorithms, alg)) {
357	X509_ALGOR_free(alg);
358	goto merr;	364	goto merr;
359	}	365	}
		366	alg = NULL;
360	}	367	}
361		368
362	if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0))	369	if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0))
@@ -422,6 +429,7 @@ CMS_add1_signer(CMS_ContentInfo cms, X509 signer, EVP_PKEY *pk,
422	CMSerror(ERR_R_MALLOC_FAILURE);	429	CMSerror(ERR_R_MALLOC_FAILURE);
423	err:	430	err:
424	ASN1_item_free((ASN1_VALUE *)si, &CMS_SignerInfo_it);	431	ASN1_item_free((ASN1_VALUE *)si, &CMS_SignerInfo_it);
		432	X509_ALGOR_free(alg);
425		433
426	return NULL;	434	return NULL;
427	}	435	}