From 76e6dd4974483acbe964bdb000c16a61459f0c81 Mon Sep 17 00:00:00 2001 From: schwarze <> Date: Wed, 3 Nov 2021 14:36:21 +0000 Subject: Fix five bugs in X509_REQ_to_X509(3): * memory leak in X509_set_subject_name(ret, X509_NAME_dup(xn)); * memory leak in X509_set_issuer_name(ret, X509_NAME_dup(xn)); * memory leak in X509_set_pubkey(ret, X509_REQ_get_pubkey(r)); * missing return value check of X509_REQ_get_pubkey(r); * missing return value check of X509_set_pubkey(...); Some of these bugs have survived for twenty-five years. I noticed the first two bugs while documenting the function, then found that a commit in the OpenSSL 1.1.1 branch, which is still under a free license, fixed all of them in 2016. In the function X509_REQ_to_X509(3), merge everything worth merging from OpenSSL 1.1.1, in particular the relevant parts of: * 222561fe Apr 30 17:33:59 2015 -0400 (err: label cleanup) * 0517538d Mar 17 00:15:48 2016 +0100 (the bugfix) * c5137473 Apr 3 23:37:32 2016 +0200 (code simplification) While here, delete some commented out code that is wrong in multiple ways and untouched since the SSLeay era. One code tweak for readability by tb@, and OK tb@. --- src/lib/libcrypto/x509/x509_r2x.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c index 143d0f1aa0..b3b8aa75ed 100644 --- a/src/lib/libcrypto/x509/x509_r2x.c +++ b/src/lib/libcrypto/x509/x509_r2x.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_r2x.c,v 1.12 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_r2x.c,v 1.13 2021/11/03 14:36:21 schwarze Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -74,6 +74,7 @@ X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) X509 *ret = NULL; X509_CINF *xi = NULL; X509_NAME *xn; + EVP_PKEY *pubkey; if ((ret = X509_new()) == NULL) { X509error(ERR_R_MALLOC_FAILURE); @@ -88,14 +89,12 @@ X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) goto err; if (!ASN1_INTEGER_set(xi->version, 2)) goto err; -/* xi->extensions=ri->attributes; <- bad, should not ever be done - ri->attributes=NULL; */ } xn = X509_REQ_get_subject_name(r); - if (X509_set_subject_name(ret, X509_NAME_dup(xn)) == 0) + if (X509_set_subject_name(ret, xn) == 0) goto err; - if (X509_set_issuer_name(ret, X509_NAME_dup(xn)) == 0) + if (X509_set_issuer_name(ret, xn) == 0) goto err; if (X509_gmtime_adj(xi->validity->notBefore, 0) == NULL) @@ -104,14 +103,16 @@ X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) (long)60 * 60 * 24 * days) == NULL) goto err; - X509_set_pubkey(ret, X509_REQ_get_pubkey(r)); + if ((pubkey = X509_REQ_get0_pubkey(r)) == NULL) + goto err; + if (!X509_set_pubkey(ret, pubkey)) + goto err; if (!X509_sign(ret, pkey, EVP_md5())) goto err; - if (0) { + return ret; + err: - X509_free(ret); - ret = NULL; - } - return (ret); + X509_free(ret); + return NULL; } -- cgit v1.2.3-55-g6feb