diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c index af184c86af5dbf1d23f210f71af569d2d2da3470..9b40e5384e24fe7852d7e3b5d1ac328079eda4e6 100644 --- a/crypto/pkcs12/p12_add.c +++ b/crypto/pkcs12/p12_add.c @@ -76,6 +76,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) PKCS12_R_CONTENT_TYPE_NOT_DATA); return NULL; } + + if (p7->d.data == NULL) { + PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); + return NULL; + } + return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); } @@ -132,6 +138,11 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, { if (!PKCS7_type_is_encrypted(p7)) return NULL; + + if (p7->d.encrypted == NULL) { + return NULL; + } + return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, passlen, @@ -159,6 +170,11 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) PKCS12_R_CONTENT_TYPE_NOT_DATA); return NULL; } + if (p12->authsafes->d.data == NULL) { + PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, PKCS12_R_DECODE_ERROR); + return NULL; + } + return ASN1_item_unpack(p12->authsafes->d.data, ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); } diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index 3658003fe5981a9c04c28dc9ecba3d93800d4aea..766c9c1e9dcef9036ef17d2b7f97a2dcb828a4a4 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, return 0; } + if (p12->authsafes->d.data == NULL) { + PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); + return 0; + } + salt = p12->mac->salt->data; saltlen = p12->mac->salt->length; if (!p12->mac->iter) diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c index 0334289a89fa07dd23cdb1cae46d1b545a1d652d..130337638dfd21818a6d460ce32961122a249807 100644 --- a/crypto/pkcs12/p12_npas.c +++ b/crypto/pkcs12/p12_npas.c @@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) bags = PKCS12_unpack_p7data(p7); } else if (bagnid == NID_pkcs7_encrypted) { bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); - if (!alg_get(p7->d.encrypted->enc_data->algorithm, - &pbe_nid, &pbe_iter, &pbe_saltlen)) + if (p7->d.encrypted == NULL + || !alg_get(p7->d.encrypted->enc_data->algorithm, + &pbe_nid, &pbe_iter, &pbe_saltlen)) goto err; } else { continue; diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c index 19e6868148b8dfa195e082aa0a284712a9d45ad2..b457108c94beab08324a2f7cf459c447242c8184 100644 --- a/crypto/pkcs7/pk7_mime.c +++ b/crypto/pkcs7/pk7_mime.c @@ -30,10 +30,14 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) { STACK_OF(X509_ALGOR) *mdalgs; int ctype_nid = OBJ_obj2nid(p7->type); - if (ctype_nid == NID_pkcs7_signed) + + if (ctype_nid == NID_pkcs7_signed) { + if (p7->d.sign == NULL) + return 0; mdalgs = p7->d.sign->md_algs; - else + } else { mdalgs = NULL; + } flags ^= SMIME_OLDMIME; diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t index 430df6708217a3f4c7c31a93b85a71108032a110..387fd25ab4572e971741ab5f784f0c50cf3f079f 100644 --- a/test/recipes/80-test_pkcs12.t +++ b/test/recipes/80-test_pkcs12.t @@ -9,7 +9,7 @@ use strict; use warnings; -use OpenSSL::Test qw/:DEFAULT srctop_file/; +use OpenSSL::Test qw/:DEFAULT srctop_file with/; use OpenSSL::Test::Utils; use Encode; @@ -57,7 +57,7 @@ if (eval { require Win32::API; 1; }) { } $ENV{OPENSSL_WIN32_UTF8}=1; -plan tests => 1; +plan tests => 5; # just see that we can read shibboleth.pfx protected with $pass ok(run(app(["openssl", "pkcs12", "-noout", @@ -65,4 +65,25 @@ ok(run(app(["openssl", "pkcs12", "-noout", "-in", srctop_file("test", "shibboleth.pfx")])), "test_pkcs12"); +# Test some bad pkcs12 files +my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12"); +my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12"); +my $bad3 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad3.p12"); + +with({ exit_checker => sub { return shift == 1; } }, + sub { + ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:"])), + "test bad pkcs12 file 1"); + + ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:", + "-nomacver"])), + "test bad pkcs12 file 1 (nomacver)"); + + ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])), + "test bad pkcs12 file 2"); + + ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])), + "test bad pkcs12 file 3"); + }); + SetConsoleOutputCP($savedcp) if (defined($savedcp)); diff --git a/test/recipes/80-test_pkcs12_data/bad1.p12 b/test/recipes/80-test_pkcs12_data/bad1.p12 new file mode 100644 index 0000000000000000000000000000000000000000..8f3387c7e356e4aa374729f3f3939343557b9c09 Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/bad1.p12 differ diff --git a/test/recipes/80-test_pkcs12_data/bad2.p12 b/test/recipes/80-test_pkcs12_data/bad2.p12 new file mode 100644 index 0000000000000000000000000000000000000000..113cb6f1cd523e880db869f518e60142dc875115 Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/bad2.p12 differ diff --git a/test/recipes/80-test_pkcs12_data/bad3.p12 b/test/recipes/80-test_pkcs12_data/bad3.p12 new file mode 100644 index 0000000000000000000000000000000000000000..ef86a1d86fb0bc09471ca2596d82e7d521d973a4 Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/bad3.p12 differ