Ensure ASN1 types are checked before use.

Some of these were fixed by LibreSSL in commit aa1f637d45 this fix includes the other fixes in that commit, as well as fixes for others found by a scan for a similar unvalidated access paradigm in the tree. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/29582)
2026-01-18 17:11:31 +01:00 · 2026-01-07 11:29:48 -07:00
parent a62d247888
commit c082649033
3 changed files with 12 additions and 3 deletions
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -196,11 +196,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
    ASN1_BMPSTRING *fname = NULL;
    ASN1_OCTET_STRING *lkid = NULL;

-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
+    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
+        if (attrib->type != V_ASN1_BMPSTRING)
+            return 0;
        fname = attrib->value.bmpstring;
+    }

-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
+    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
+        if (attrib->type != V_ASN1_OCTET_STRING)
+            return 0;
        lkid = attrib->value.octet_string;
+    }

    switch (PKCS12_SAFEBAG_get_nid(bag)) {
    case NID_keyBag:
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -1229,6 +1229,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
    ASN1_TYPE *astype;
    if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
        return NULL;
+    if (astype->type != V_ASN1_OCTET_STRING)
+        return NULL;
    return astype->value.octet_string;
 }