crypto/cmp: Prevent misleading errors in case x509v3_cache_extensions() fails

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808)
Dr. David von Oheimb 2020-08-12 19:16:03 +02:00
parent ab28b59064
commit 2300083887
2 changed files with 14 additions and 6 deletions


@ -12,6 +12,7 @@
#include <openssl/trace.h>
#include <openssl/bio.h>
#include <openssl/ocsp.h> /* for OCSP_REVOKED_STATUS_* */
#include "crypto/x509.h" /* for x509v3_cache_extensions() */
#include "cmp_local.h"
@ -579,6 +580,8 @@ int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, const TYPE *val) \
return 1; \
}
#define X509_invalid(cert) (!x509v3_cache_extensions(cert))
#define EVP_PKEY_invalid(key) 0
#define DEFINE_OSSL_CMP_CTX_set1_up_ref(FIELD, TYPE) \
int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
{ \
@ -587,6 +590,11 @@ int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
return 0; \
} \
\
/* prevent misleading error later on malformed cert or provider issue */ \
if (val != NULL && TYPE##_invalid(val)) { \
CMPerr(0, CMP_R_POTENTIALLY_INVALID_CERTIFICATE); \
return 0; \
} \
if (val != NULL && !TYPE##_up_ref(val)) \
return 0; \
TYPE##_free(ctx->FIELD); \
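Review bot: The new `TYPE##_invalid(val)` guard in `DEFINE_OSSL_CMP_CTX_set1_up_ref` is undocumented about how little it checks, and a caller could read a successful setter as a trust decision. For `X509` it only reports whether `x509v3_cache_extensions()` succeeded (a malformed cert or provider issue, per the added comment), and for `EVP_PKEY` the hook is hard-wired to `0`, so keys are never checked. I would add a comment at the two `#define`s, for example `/* sanity hooks for set1_up_ref: X509 only checks that extensions can be cached, no chain or trust validation; EVP_PKEY is not checked */`. The error raised is certificate-specific and does not say which context field was rejected, so appending the field name to the error data would make the failure easier to triage. The setter macro body continues outside the hunk.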


@ -24,12 +24,7 @@
DEFINE_STACK_OF(X509)
/*-
* Verify a message protected by signature according to section 5.1.3.3
* (sha1+RSA/DSA or any other algorithm supported by OpenSSL).
*
* Returns 1 on successful validation and 0 otherwise.
*/
/* Verify a message protected by signature according to RFC section 5.1.3.3 */
static int verify_signature(const OSSL_CMP_CTX *cmp_ctx,
const OSSL_CMP_MSG *msg, X509 *cert)
{
@ -304,6 +299,11 @@ static int cert_acceptable(const OSSL_CMP_CTX *ctx,
if (!check_kid(ctx, X509_get0_subject_key_id(cert), msg->header->senderKID))
return 0;
/* prevent misleading error later in case x509v3_cache_extensions() fails */
if (!x509v3_cache_extensions(cert)) {
ossl_cmp_warn(ctx, "cert appears to be invalid");
return 0;
}
if (!verify_signature(ctx, msg, cert)) {
ossl_cmp_warn(ctx, "msg signature verification failed");
return 0;
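Review bot: The added `x509v3_cache_extensions(cert)` check in `cert_acceptable` comes after the `check_kid(ctx, X509_get0_subject_key_id(cert), msg->header->senderKID)` call, so the subject key identifier is read before the certificate has been checked for cacheable extensions. If that getter relies on the same extension cache, as it appears to, a malformed cert can still be rejected inside `check_kid` with a key-identifier warning instead of "cert appears to be invalid", which is the misleading outcome this commit is meant to prevent. Moving the block `if (!x509v3_cache_extensions(cert)) { ... return 0; }` above the `check_kid` call would close that gap. The warning could also include the certificate subject so the log line identifies which candidate cert was rejected. `cert_acceptable` starts and ends outside the hunk, so checks earlier in the function may need the same ordering review.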