Stop PKCS7_verify() core dumping with unknown public

key algorithms and leaking if the signature verify fails.
2025-01-18 13:44:20 +08:00 · 2001-02-24 01:38:56 +00:00 · 2001-02-24 01:38:56 +00:00 · db4a465974
commit db4a465974
parent 3cdc8ad07a
3 changed files with 15 additions and 8 deletions
--- a/5
+++ b/5
@ -3,6 +3,11 @@

 Changes between 0.9.6 and 0.9.7  [xx XXX 2000]

+  *) Avoid coredump with unsupported or invalid public keys by checking if
+     X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
+     PKCS7_verify() fails with non detached data.
+     [Steve Henson]
+
  *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
     OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
     ID to be generated from the issuer certificate alone which can then be
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@ -764,6 +764,11 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");

 	os=si->enc_digest;
 	pkey = X509_get_pubkey(x509);
+	if (!pkey)
+		{
+		ret = -1;
+		goto err;
+		}
 	if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();

 	i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey);
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@ -153,7 +153,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 	PKCS7_SIGNER_INFO *si;
 	X509_STORE_CTX cert_ctx;
 	char buf[4096];
-	int i, j=0, k;
+	int i, j=0, k, ret = 0;
 	BIO *p7bio;
 	BIO *tmpout;

@ -258,18 +258,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 		}
 	}

-	sk_X509_free(signers);
-	if(indata) BIO_pop(p7bio);
-	BIO_free_all(p7bio);
-
-	return 1;
+	ret = 1;

 	err:

+	if(indata) BIO_pop(p7bio);
+	BIO_free_all(p7bio);
 	sk_X509_free(signers);
-	BIO_free(p7bio);

-	return 0;
+	return ret;
 }

 STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)