| Backport of: |
| |
| From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001 |
| From: Matt Caswell <matt@openssl.org> |
| Date: Fri, 19 Jan 2024 11:28:58 +0000 |
| Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL |
| |
| PKCS12 structures contain PKCS7 ContentInfo fields. These fields are |
| optional and can be NULL even if the "type" is a valid value. OpenSSL |
| was not properly accounting for this and a NULL dereference can occur |
| causing a crash. |
| |
| CVE-2024-0727 |
| |
| Reviewed-by: Tomas Mraz <tomas@openssl.org> |
| Reviewed-by: Hugo Landau <hlandau@openssl.org> |
| Reviewed-by: Neil Horman <nhorman@openssl.org> |
| (Merged from https://github.com/openssl/openssl/pull/23362) |
| |
| (cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c) |
| --- |
| crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ |
| crypto/pkcs12/p12_mutl.c | 5 +++++ |
| crypto/pkcs12/p12_npas.c | 5 +++-- |
| crypto/pkcs7/pk7_mime.c | 7 +++++-- |
| 4 files changed, 31 insertions(+), 4 deletions(-) |
| |
| --- a/crypto/pkcs12/p12_add.c |
| +++ b/crypto/pkcs12/p12_add.c |
| @@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ |
| PKCS12_R_CONTENT_TYPE_NOT_DATA); |
| return NULL; |
| } |
| + |
| + if (p7->d.data == NULL) { |
| + PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, |
| + PKCS12_R_DECODE_ERROR); |
| + return NULL; |
| + } |
| + |
| return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); |
| } |
| |
| @@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ |
| { |
| if (!PKCS7_type_is_encrypted(p7)) |
| return NULL; |
| + |
| + if (p7->d.encrypted == NULL) { |
| + PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); |
| + return NULL; |
| + } |
| + |
| return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, |
| ASN1_ITEM_rptr(PKCS12_SAFEBAGS), |
| pass, passlen, |
| @@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes |
| PKCS12_R_CONTENT_TYPE_NOT_DATA); |
| return NULL; |
| } |
| + |
| + if (p12->authsafes->d.data == NULL) { |
| + PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, |
| + PKCS12_R_DECODE_ERROR); |
| + return NULL; |
| + } |
| + |
| return ASN1_item_unpack(p12->authsafes->d.data, |
| ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); |
| } |
| --- a/crypto/pkcs12/p12_mutl.c |
| +++ b/crypto/pkcs12/p12_mutl.c |
| @@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c |
| return 0; |
| } |
| |
| + if (p12->authsafes->d.data == NULL) { |
| + PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); |
| + return 0; |
| + } |
| + |
| salt = p12->mac->salt->data; |
| saltlen = p12->mac->salt->length; |
| if (!p12->mac->iter) |
| --- a/crypto/pkcs12/p12_npas.c |
| +++ b/crypto/pkcs12/p12_npas.c |
| @@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons |
| bags = PKCS12_unpack_p7data(p7); |
| } else if (bagnid == NID_pkcs7_encrypted) { |
| bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); |
| - if (!alg_get(p7->d.encrypted->enc_data->algorithm, |
| - &pbe_nid, &pbe_iter, &pbe_saltlen)) |
| + if (p7->d.encrypted == NULL |
| + || !alg_get(p7->d.encrypted->enc_data->algorithm, |
| + &pbe_nid, &pbe_iter, &pbe_saltlen)) |
| goto err; |
| } else { |
| continue; |
| --- a/crypto/pkcs7/pk7_mime.c |
| +++ b/crypto/pkcs7/pk7_mime.c |
| @@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p |
| { |
| STACK_OF(X509_ALGOR) *mdalgs; |
| int ctype_nid = OBJ_obj2nid(p7->type); |
| - if (ctype_nid == NID_pkcs7_signed) |
| + if (ctype_nid == NID_pkcs7_signed) { |
| + if (p7->d.sign == NULL) |
| + return 0; |
| mdalgs = p7->d.sign->md_algs; |
| - else |
| + } else { |
| mdalgs = NULL; |
| + } |
| |
| flags ^= SMIME_OLDMIME; |
| |