Add NULL check before accessing PKCS7 encrypted algorithm #23632
@@ -901,7 +901,11 @@ int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass, | |||
} else if (bagnid == NID_pkcs7_encrypted) { | |||
if (options & INFO) { | |||
BIO_printf(bio_err, "PKCS7 Encrypted data: "); | |||
alg_print(p7->d.encrypted->enc_data->algorithm); | |||
if (p7->d.encrypted == NULL) { | |||
BIO_printf(bio_err, "<no data>\n"); |
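Review bot: the new guard `if (p7->d.encrypted == NULL)` tests only the first pointer in the chain that `alg_print(p7->d.encrypted->enc_data->algorithm);` dereferences, so an input where `encrypted` is set but `enc_data` is NULL would still fault at that call. Either extend the condition to cover `p7->d.encrypted->enc_data` as well, or add a short comment stating why it cannot be NULL once `encrypted` is non-NULL. The visible branch only prints `<no data>`, so a regression test that runs `-info` on the malformed PKCS12 file should accompany the change to pin down the expected error path.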
not sure how to fix this, I've added a check for NULL dereference and the error is then handled in PKCS12_unpack_p7encdata(), output then looks like:
user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: <no data>
Error outputting keys and certificates
80CB79DB737F0000:error:11800065:PKCS12 routines:PKCS12_unpack_p7encdata:decode error:crypto/pkcs12/p12_add.c:163:
Since PKCS12_unpack_p7encdata is going to be called anyway, how about calling it first and then printing the algorithm, like:
...
bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
if (bags == NULL)
goto err;
alg_print(p7->d.encrypted->enc_data->algorithm);
....
fixed as suggested, now the output looks like:
user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
Error outputting keys and certificates
800B080A977F0000:error:11800065:PKCS12 routines:PKCS12_unpack_p7encdata:decode error:crypto/pkcs12/p12_add.c:163:
does this look better now?
Well, actually I'd agree with @t8m that the previous version was already okay.
ok, reverted the commit to the previous version
I actually like the original patch more than the new one.
Could you please add a test case?
Ping...
@bernd-edlinger thanks for the hint on how to add a test case, I added test cases for all 3 bad certificates, as I tested them on my Ubuntu (OpenSSL 3.0.3 3), all the bad certificates caused an openssl app crash, so let's rather have these cases covered:
does the test look ok now?
Excellent. Thanks. Two things would be still to do.
So could you please squash all the commits (git rebase -i HEAD^^^^)
ok, I've updated the git history, the commits are now squashed, is this what you wanted? I never did such "black magic" with git commit history, so at least I've learned something new 🙂
This pull request is ready to merge
@lejcik Could you please submit a CLA? https://www.openssl.org/policies/cla.html According to our CLA policy we cannot accept your contribution without that.
ok, how to do that? is it enough to add I think this is a trivial change category...
Unfortunately this is not eligible for CLA: trivial. May I ask you to fill in and sign a regular CLA document and e-mail it to us as described on the above linked CLA page?
Printing content of an invalid test certificate causes application crash, because of NULL dereference:

user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: Segmentation fault (core dumped)

Added test cases for pkcs12 bad certificates

Printing content of an invalid test certificate causes application crash, because of NULL dereference:

user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: Segmentation fault (core dumped)

Added test cases for pkcs12 bad certificates

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #23632)

Printing content of an invalid test certificate causes application crash, because of NULL dereference:

user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: Segmentation fault (core dumped)

Added test cases for pkcs12 bad certificates

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #23632)
(cherry picked from commit a4cbffc)
Merged to all the active branches. Thank you for your contribution.