1 files changed, 47 insertions, 37 deletions
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index e1c075f15a..e39d960780 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.57 2024/11/30 10:01:31 tb Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.61 2025/07/27 07:06:41 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,11 +60,11 @@
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
@@ -981,8 +981,8 @@ PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
        X509_STORE_CTX_cleanup(ctx);
        return PKCS7_signatureVerify(bio, p7, si, x509);
 err:
-        
        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_dataVerify);
@@ -1067,8 +1067,10 @@ PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, X509 *x509)
                        ret = -1;
                        goto err;
                }
-                if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen))
+                if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen)) {
+                        free(abuf);
                        goto err;
+                }
                free(abuf);
        }
@@ -1206,43 +1208,51 @@ PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk)
 LCRYPTO_ALIAS(PKCS7_set_attributes);
 static int
-add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value)
+add_attribute(STACK_OF(X509_ATTRIBUTE) **in_sk, int nid, int atrtype, void *value)
 {
-        X509_ATTRIBUTE *attr = NULL;
+        STACK_OF(X509_ATTRIBUTE) *sk;
+        X509_ATTRIBUTE *old_attr = NULL, *new_attr = NULL;
+        int need_pop = 0;
+        int i;
-        if (*sk == NULL) {
+        if ((sk = *in_sk) == NULL)
-                *sk = sk_X509_ATTRIBUTE_new_null();
+                sk = sk_X509_ATTRIBUTE_new_null();
-                if (*sk == NULL)
+        if (sk == NULL)
-                        return 0;
+                goto err;
-new_attrib:
-                if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value)))
+        /* Replace an already existing attribute with the given nid. */
-                        return 0;
+        for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
-                if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {
+                old_attr = sk_X509_ATTRIBUTE_value(sk, i);
-                        X509_ATTRIBUTE_free(attr);
+                if(OBJ_obj2nid(old_attr->object) == nid)
-                        return 0;
+                        break;
-                }
-        } else {
-                int i;
-                for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
-                        attr = sk_X509_ATTRIBUTE_value(*sk, i);
-                        if (OBJ_obj2nid(attr->object) == nid) {
-                                X509_ATTRIBUTE_free(attr);
-                                attr = X509_ATTRIBUTE_create(nid, atrtype,
-                                    value);
-                                if (attr == NULL)
-                                        return 0;
-                                if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) {
-                                        X509_ATTRIBUTE_free(attr);
-                                        return 0;
-                                }
-                                goto end;
-                        }
-                }
-                goto new_attrib;
        }
-end:
+        /* If there is none, make room for the new one, so _set() succeeds. */
+        if (i == sk_X509_ATTRIBUTE_num(sk)) {
+                old_attr = NULL;
+                if (sk_X509_ATTRIBUTE_push(sk, NULL) <= 0)
+                        goto err;
+                need_pop = 1;
+        }
+        /* On success, new_attr owns value. */
+        if ((new_attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL)
+                goto err;
+        X509_ATTRIBUTE_free(old_attr);
+        (void)sk_X509_ATTRIBUTE_set(sk, i, new_attr);
+        *in_sk = sk;
        return 1;
+ err:
+        if (need_pop)
+                (void)sk_X509_ATTRIBUTE_pop(sk);
+        if (*in_sk != sk)
+                sk_X509_ATTRIBUTE_pop_free(sk, X509_ATTRIBUTE_free);
+        return 0;
 }
 int

diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c index e1c075f15a..e39d960780 100644 --- a/src/lib/libcrypto/pkcs7/pk7_doit.c +++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pk7_doit.c,v 1.57 2024/11/30 10:01:31 tb Exp $ */	1	/* $OpenBSD: pk7_doit.c,v 1.61 2025/07/27 07:06:41 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -60,11 +60,11 @@
60	#include <stdlib.h>	60	#include <stdlib.h>
61	#include <string.h>	61	#include <string.h>
62		62
63	#include <openssl/err.h>
64	#include <openssl/objects.h>	63	#include <openssl/objects.h>
65	#include <openssl/x509.h>	64	#include <openssl/x509.h>
66	#include <openssl/x509v3.h>	65	#include <openssl/x509v3.h>
67		66
		67	#include "err_local.h"
68	#include "evp_local.h"	68	#include "evp_local.h"
69	#include "x509_local.h"	69	#include "x509_local.h"
70		70
@@ -981,8 +981,8 @@ PKCS7_dataVerify(X509_STORE cert_store, X509_STORE_CTX ctx, BIO *bio,
981	X509_STORE_CTX_cleanup(ctx);	981	X509_STORE_CTX_cleanup(ctx);
982		982
983	return PKCS7_signatureVerify(bio, p7, si, x509);	983	return PKCS7_signatureVerify(bio, p7, si, x509);
		984
984	err:	985	err:
985
986	return ret;	986	return ret;
987	}	987	}
988	LCRYPTO_ALIAS(PKCS7_dataVerify);	988	LCRYPTO_ALIAS(PKCS7_dataVerify);
@@ -1067,8 +1067,10 @@ PKCS7_signatureVerify(BIO bio, PKCS7 p7, PKCS7_SIGNER_INFO si, X509 x509)
1067	ret = -1;	1067	ret = -1;
1068	goto err;	1068	goto err;
1069	}	1069	}
1070	if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen))	1070	if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen)) {
		1071	free(abuf);
1071	goto err;	1072	goto err;
		1073	}
1072		1074
1073	free(abuf);	1075	free(abuf);
1074	}	1076	}
@@ -1206,43 +1208,51 @@ PKCS7_set_attributes(PKCS7_SIGNER_INFO p7si, STACK_OF(X509_ATTRIBUTE) sk)
1206	LCRYPTO_ALIAS(PKCS7_set_attributes);	1208	LCRYPTO_ALIAS(PKCS7_set_attributes);
1207		1209
1208	static int	1210	static int
1209	add_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid, int atrtype, void value)	1211	add_attribute(STACK_OF(X509_ATTRIBUTE) *in_sk, int nid, int atrtype, void value)
1210	{	1212	{
1211	X509_ATTRIBUTE *attr = NULL;	1213	STACK_OF(X509_ATTRIBUTE) *sk;
		1214	X509_ATTRIBUTE old_attr = NULL, new_attr = NULL;
		1215	int need_pop = 0;
		1216	int i;
1212		1217
1213	if (*sk == NULL) {	1218	if ((sk = *in_sk) == NULL)
1214	*sk = sk_X509_ATTRIBUTE_new_null();	1219	sk = sk_X509_ATTRIBUTE_new_null();
1215	if (*sk == NULL)	1220	if (sk == NULL)
1216	return 0;	1221	goto err;
1217	new_attrib:	1222
1218	if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value)))	1223	/* Replace an already existing attribute with the given nid. */
1219	return 0;	1224	for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
1220	if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {	1225	old_attr = sk_X509_ATTRIBUTE_value(sk, i);
1221	X509_ATTRIBUTE_free(attr);	1226	if(OBJ_obj2nid(old_attr->object) == nid)
1222	return 0;	1227	break;
1223	}
1224	} else {
1225	int i;
1226
1227	for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
1228	attr = sk_X509_ATTRIBUTE_value(*sk, i);
1229	if (OBJ_obj2nid(attr->object) == nid) {
1230	X509_ATTRIBUTE_free(attr);
1231	attr = X509_ATTRIBUTE_create(nid, atrtype,
1232	value);
1233	if (attr == NULL)
1234	return 0;
1235	if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) {
1236	X509_ATTRIBUTE_free(attr);
1237	return 0;
1238	}
1239	goto end;
1240	}
1241	}
1242	goto new_attrib;
1243	}	1228	}
1244	end:	1229
		1230	/* If there is none, make room for the new one, so _set() succeeds. */
		1231	if (i == sk_X509_ATTRIBUTE_num(sk)) {
		1232	old_attr = NULL;
		1233	if (sk_X509_ATTRIBUTE_push(sk, NULL) <= 0)
		1234	goto err;
		1235	need_pop = 1;
		1236	}
		1237
		1238	/* On success, new_attr owns value. */
		1239	if ((new_attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL)
		1240	goto err;
		1241
		1242	X509_ATTRIBUTE_free(old_attr);
		1243	(void)sk_X509_ATTRIBUTE_set(sk, i, new_attr);
		1244
		1245	*in_sk = sk;
		1246
1245	return 1;	1247	return 1;
		1248
		1249	err:
		1250	if (need_pop)
		1251	(void)sk_X509_ATTRIBUTE_pop(sk);
		1252	if (*in_sk != sk)
		1253	sk_X509_ATTRIBUTE_pop_free(sk, X509_ATTRIBUTE_free);
		1254
		1255	return 0;
1246	}	1256	}
1247		1257
1248	int	1258	int