Add NULL check before accessing PKCS7 encrypted algorithm #23632

lejcik · 2024-02-19T20:48:58Z

Printing content of an invalid test certificate causes application crash, because of NULL dereference:

user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: Segmentation fault (core dumped)

lejcik · 2024-02-19T20:51:58Z

apps/pkcs12.c

@@ -901,7 +901,11 @@ int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
        } else if (bagnid == NID_pkcs7_encrypted) {
            if (options & INFO) {
                BIO_printf(bio_err, "PKCS7 Encrypted data: ");
-                alg_print(p7->d.encrypted->enc_data->algorithm);
+                if (p7->d.encrypted == NULL) {
+                    BIO_printf(bio_err, "<no data>\n");


not sure how to fix this, I've added a check for NULL dereference and the error is then handled in PKCS12_unpack_p7encdata(), output then looks like:

user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info MAC: sha256, Iteration 2048 MAC length: 32, salt length: 8 PKCS7 Encrypted data: <no data> Error outputting keys and certificates 80CB79DB737F0000:error:11800065:PKCS12 routines:PKCS12_unpack_p7encdata:decode error:crypto/pkcs12/p12_add.c:163:

Since PKCS12_unpack_p7encdata is going to be called anyway, how about call it first and then print the algorithm, like:

... bags = PKCS12_unpack_p7encdata(p7, pass, passlen); if (bags == NULL) goto err; alg_print(p7->d.encrypted->enc_data->algorithm); ....

fixed as suggested, now the output looks like:

user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info MAC: sha256, Iteration 2048 MAC length: 32, salt length: 8 Error outputting keys and certificates 800B080A977F0000:error:11800065:PKCS12 routines:PKCS12_unpack_p7encdata:decode error:crypto/pkcs12/p12_add.c:163:

does this look better now?

Well, actually I'd agree with @t8m that the previous version was already okay.

ok, reverted the commit to the previous version

t8m · 2024-02-22T07:33:28Z

I actually like the original patch more than the new one.

bernd-edlinger · 2024-02-22T11:29:47Z

Could you please add a test case?

bernd-edlinger · 2024-03-05T17:29:23Z

Could you please add a test case?

Ping...
Note: that is not difficult at all:

diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 817b0bf064..c524e57fef 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
 }
 $ENV{OPENSSL_WIN32_UTF8}=1;
 
-plan tests => 28;
+plan tests => 29;
 
 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -187,6 +187,10 @@ with({ exit_checker => sub { return shift == 1; } },
         ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])),
            "test bad pkcs12 file 2");
 
+        ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:",
+                    "-info"])),
+           "test bad pkcs12 file 2 (info)");
+
         ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])),
            "test bad pkcs12 file 3");
      });

lejcik · 2024-03-07T22:37:17Z

@bernd-edlinger thanks for hint how to add a test case,

I added test cases for all 3 bad certificates, as I tested them on my ubuntu (OpenSSL 3.0.3 3), all the bad certificates caused openssl app crash, so rather let have these cases covered:

# openssl pkcs12 -in bad1.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
Segmentation fault
#
# openssl pkcs12 -in bad2.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: Segmentation fault
#
# openssl pkcs12 -in bad3.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
Segmentation fault

does the test look ok now?

bernd-edlinger · 2024-03-08T05:23:00Z

does the test look ok now?

Excellent. Thanks.

Two things would be still to do.

It would be good to remove the reverted commit
completely.
More importantly the CLA-check is failing with the last commit,
that is funny because the first two commits had a CLA on file.
The difference is how the Author's e-mail address is spelled.

So could you please squash all the commits (git rebase -i HEAD^^^^)
remove the second and third commits from the list list
and change the last commit from pick to squash.
Then do a force-push (git push -f)

lejcik · 2024-03-10T12:29:51Z

ok, I've updated the git history, the commits are now squashed, is this what you wanted?

I never did such "black magic" with git commit history, so at least I've learned something new 🙂

openssl-machine · 2024-03-13T12:00:12Z

This pull request is ready to merge

t8m · 2024-03-13T16:14:58Z

@lejcik Could you please submit a CLA? https://www.openssl.org/policies/cla.html According to our CLA policy we cannot accept your contribution without that.

lejcik · 2024-03-13T17:39:34Z

ok, how to do that? is it enough to add CLA: trivial line into the commit description, and do push -f ?

I think this is a trivial change category...

t8m · 2024-03-13T18:22:14Z

Unfortunately this is not eligible for CLA: trivial.

May I ask you to fill in and sign a regular CLA document and e-mail it to us as described on the above linked CLA page?

Printing content of an invalid test certificate causes application crash, because of NULL dereference: user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info MAC: sha256, Iteration 2048 MAC length: 32, salt length: 8 PKCS7 Encrypted data: Segmentation fault (core dumped) Added test cases for pkcs12 bad certificates

Printing content of an invalid test certificate causes application crash, because of NULL dereference: user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info MAC: sha256, Iteration 2048 MAC length: 32, salt length: 8 PKCS7 Encrypted data: Segmentation fault (core dumped) Added test cases for pkcs12 bad certificates Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #23632)

Printing content of an invalid test certificate causes application crash, because of NULL dereference: user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info MAC: sha256, Iteration 2048 MAC length: 32, salt length: 8 PKCS7 Encrypted data: Segmentation fault (core dumped) Added test cases for pkcs12 bad certificates Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #23632) (cherry picked from commit a4cbffc)

t8m · 2024-03-25T17:29:38Z

Merged to all the active branches. Thank you for your contribution.

Printing content of an invalid test certificate causes application crash, because of NULL dereference: user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info MAC: sha256, Iteration 2048 MAC length: 32, salt length: 8 PKCS7 Encrypted data: Segmentation fault (core dumped) Added test cases for pkcs12 bad certificates Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #23632) (cherry picked from commit a4cbffc)

Printing content of an invalid test certificate causes application crash, because of NULL dereference: user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info MAC: sha256, Iteration 2048 MAC length: 32, salt length: 8 PKCS7 Encrypted data: Segmentation fault (core dumped) Added test cases for pkcs12 bad certificates Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#23632) (cherry picked from commit a4cbffc)

lejcik commented Feb 19, 2024

View reviewed changes

openssl-machine added the hold: cla required The contributor needs to submit a license agreement label Mar 7, 2024

lejcik force-pushed the master branch from f993aef to b5b13ea Compare March 10, 2024 12:07

openssl-machine removed the hold: cla required The contributor needs to submit a license agreement label Mar 10, 2024

lejcik force-pushed the master branch from b6803be to 9d97811 Compare March 10, 2024 12:27

bernd-edlinger approved these changes Mar 10, 2024

View reviewed changes

bernd-edlinger removed the approval: review pending This pull request needs review by a committer label Mar 10, 2024

t8m approved these changes Mar 12, 2024

View reviewed changes

t8m added approval: done This pull request has the required number of approvals tests: present The PR has suitable tests present and removed tests: exempted The PR is exempt from requirements for testing approval: otc review pending This pull request needs review by an OTC member labels Mar 12, 2024

openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Mar 13, 2024

t8m closed this Mar 13, 2024

t8m reopened this Mar 13, 2024

t8m added the hold: cla required The contributor needs to submit a license agreement label Mar 13, 2024

levitte mentioned this pull request Mar 14, 2024

The CLA checker doesn't handle multiline From: openssl/omc-tools#29

Open

lejcik force-pushed the master branch from 9d97811 to cfcf8aa Compare March 22, 2024 12:15

lejcik closed this Mar 22, 2024

lejcik reopened this Mar 22, 2024

openssl-machine removed the hold: cla required The contributor needs to submit a license agreement label Mar 22, 2024

t8m added the branch: 3.3 Merge to openssl-3.3 label Mar 25, 2024

t8m closed this Mar 25, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add NULL check before accessing PKCS7 encrypted algorithm #23632

Add NULL check before accessing PKCS7 encrypted algorithm #23632

lejcik commented Feb 19, 2024

lejcik Feb 19, 2024

InfoHunter Feb 20, 2024

lejcik Feb 21, 2024

bernd-edlinger Mar 5, 2024

lejcik Mar 7, 2024

t8m commented Feb 22, 2024

bernd-edlinger commented Feb 22, 2024

bernd-edlinger commented Mar 5, 2024

lejcik commented Mar 7, 2024

bernd-edlinger commented Mar 8, 2024

lejcik commented Mar 10, 2024 •

edited

openssl-machine commented Mar 13, 2024

t8m commented Mar 13, 2024

lejcik commented Mar 13, 2024

t8m commented Mar 13, 2024

t8m commented Mar 25, 2024

Add NULL check before accessing PKCS7 encrypted algorithm #23632

Add NULL check before accessing PKCS7 encrypted algorithm #23632

Conversation

lejcik commented Feb 19, 2024

lejcik Feb 19, 2024

Choose a reason for hiding this comment

InfoHunter Feb 20, 2024

Choose a reason for hiding this comment

lejcik Feb 21, 2024

Choose a reason for hiding this comment

bernd-edlinger Mar 5, 2024

Choose a reason for hiding this comment

lejcik Mar 7, 2024

Choose a reason for hiding this comment

t8m commented Feb 22, 2024

bernd-edlinger commented Feb 22, 2024

bernd-edlinger commented Mar 5, 2024

lejcik commented Mar 7, 2024

bernd-edlinger commented Mar 8, 2024

lejcik commented Mar 10, 2024 • edited

openssl-machine commented Mar 13, 2024

t8m commented Mar 13, 2024

lejcik commented Mar 13, 2024

t8m commented Mar 13, 2024

t8m commented Mar 25, 2024

lejcik commented Mar 10, 2024 •

edited