Ensure ASN1 types are checked before use.

bob-beck · jogme · commit eeee3cbd4d68 · 2026-01-13T12:13:38.000+01:00
Some of these were fixed by LibreSSL in commit openbsd/src@aa1f637 this fix includes the other fixes in that commit, as well as fixes for others found by a scan for a similar unvalidated access paradigm in the tree. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #29582)
diff --git a/apps/s_client.c b/apps/s_client.c
@@ -2892,8 +2892,9 @@ int s_client_main(int argc, char **argv)
             goto end;
         }
         atyp = ASN1_generate_nconf(genstr, cnf);
-        if (atyp == NULL) {
+        if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
             NCONF_free(cnf);
+            ASN1_TYPE_free(atyp);
             BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
             goto end;
         }
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
@@ -196,11 +196,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
     ASN1_BMPSTRING *fname = NULL;
     ASN1_OCTET_STRING *lkid = NULL;
 
-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
+    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
+        if (attrib->type != V_ASN1_BMPSTRING)
+            return 0;
         fname = attrib->value.bmpstring;
+    }
 
-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
+    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
+        if (attrib->type != V_ASN1_OCTET_STRING)
+            return 0;
         lkid = attrib->value.octet_string;
+    }
 
     switch (PKCS12_SAFEBAG_get_nid(bag)) {
     case NID_keyBag:
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
@@ -1178,6 +1178,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
     ASN1_TYPE *astype;
     if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
         return NULL;
+    if (astype->type != V_ASN1_OCTET_STRING)
+        return NULL;
     return astype->value.octet_string;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2892,8 +2892,9 @@ int s_client_main(int argc, char **argv)`
`2892`	`2892`	`goto end;`
`2893`	`2893`	`}`
`2894`	`2894`	`atyp = ASN1_generate_nconf(genstr, cnf);`
`2895`		`- if (atyp == NULL) {`
	`2895`	`+ if (atyp == NULL \|\| atyp->type != V_ASN1_SEQUENCE) {`
`2896`	`2896`	`NCONF_free(cnf);`
	`2897`	`+ ASN1_TYPE_free(atyp);`
`2897`	`2898`	`BIO_printf(bio_err, "ASN1_generate_nconf failed\n");`
`2898`	`2899`	`goto end;`
`2899`	`2900`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1178,6 +1178,8 @@ ASN1_OCTET_STRING PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) sk)`
`1178`	`1178`	`ASN1_TYPE *astype;`
`1179`	`1179`	`if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)`
`1180`	`1180`	`return NULL;`
	`1181`	`+ if (astype->type != V_ASN1_OCTET_STRING)`
	`1182`	`+ return NULL;`
`1181`	`1183`	`return astype->value.octet_string;`
`1182`	`1184`	`}`
`1183`	`1185`