| Backport of: |
| |
| From 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Mon Sep 17 00:00:00 2001 |
| From: Matt Caswell <matt@openssl.org> |
| Date: Wed, 10 Feb 2021 16:10:36 +0000 |
| Subject: [PATCH] Fix Null pointer deref in X509_issuer_and_serial_hash() |
| |
| The OpenSSL public API function X509_issuer_and_serial_hash() attempts |
| to create a unique hash value based on the issuer and serial number data |
| contained within an X509 certificate. However it fails to correctly |
| handle any errors that may occur while parsing the issuer field (which |
| might occur if the issuer field is maliciously constructed). This may |
| subsequently result in a NULL pointer deref and a crash leading to a |
| potential denial of service attack. |
| |
| The function X509_issuer_and_serial_hash() is never directly called by |
| OpenSSL itself so applications are only vulnerable if they use this |
| function directly and they use it on certificates that may have been |
| obtained from untrusted sources. |
| |
| CVE-2021-23841 |
| |
| Reviewed-by: Richard Levitte <levitte@openssl.org> |
| Reviewed-by: Paul Dale <pauli@openssl.org> |
| (cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0) |
| --- |
| crypto/x509/x509_cmp.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/crypto/x509/x509_cmp.c |
| +++ b/crypto/x509/x509_cmp.c |
| @@ -87,6 +87,8 @@ unsigned long X509_issuer_and_serial_has |
| |
| EVP_MD_CTX_init(&ctx); |
| f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0); |
| + if (f == NULL) |
| + goto err; |
| if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) |
| goto err; |
| if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f))) |
