44 lines
1.6 KiB
Diff
From 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 10 Feb 2021 16:10:36 +0000
Subject: [PATCH] Fix Null pointer deref in X509_issuer_and_serial_hash()

The OpenSSL public API function X509_issuer_and_serial_hash() attempts
to create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.

CVE-2021-23841

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0)
---
crypto/x509/x509_cmp.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index c9d8933..a964bbf 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -39,6 +39,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
if (ctx == NULL)
goto err;
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
+ if (f == NULL)
+ goto err;
if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
goto err;
if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
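
Review bot: the `goto err` added after `X509_NAME_oneline()` gives callers no visible way to tell a parse failure from a real hash, because the function returns a plain `unsigned long` and the value produced on the `err` path is neither shown in this hunk nor documented by the patch. Please state the failure return value in the function's documentation so that applications hashing untrusted certificates can check for it. The placement of the check itself is right: it sits before the last context line, where `f` is passed to `strlen(f)`, which is the dereference the commit message describes. The diffstat lists only `crypto/x509/x509_cmp.c`, so no regression test accompanies the fix; a test that feeds the function a certificate whose issuer field cannot be converted and asserts that it returns instead of crashing would keep this from regressing.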
--
1.8.3.1