From c691147ec19c4cc7e84eee7bfaf0bbd81936058c Mon Sep 17 00:00:00 2001 From: Ingo Schwarze Date: Wed, 3 Nov 2021 12:53:26 +0000 Subject: Fix two bugs in X509_REQ_add_extensions_nid(3) that i noticed while documneting the function: * missing return value check for ASN1_item_i2d(3) and * missing return value check for OBJ_nid2obj(3). In the function X509_REQ_add_extensions_nid(3), merge everything that is worth merging from the OpenSSL 1.1.1 branch, which is still under a free license; that's mostly parts of the commit 9b0a4531 Mar 14 23:48:47 2015 +0000 (containing the bugfix, even though the OpenSSL commit message did not mention the bugs) and some minor stylistic changes from 0f113f3e and 26a7d938. While here, use i2d_X509_EXTENSIONS(3) instead of the layer-violating call to ASN1_item_i2d(3), and include a few stylistic tweaks from tb@. OK tb@, and jsing@ agreed on the general direction. --- lib/libcrypto/x509/x509_req.c | 45 +++++++++++++------------------------------ 1 file changed, 13 insertions(+), 32 deletions(-) (limited to 'lib') diff --git a/lib/libcrypto/x509/x509_req.c b/lib/libcrypto/x509/x509_req.c index 556e32b317b..cbf731cc5a0 100644 --- a/lib/libcrypto/x509/x509_req.c +++ b/lib/libcrypto/x509/x509_req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_req.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_req.c,v 1.25 2021/11/03 12:53:25 schwarze Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -232,46 +232,27 @@ X509_REQ_get_extensions(X509_REQ *req) ext->value.sequence->length, &X509_EXTENSIONS_it); } -/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs - * in case we want to create a non standard one. +/* + * Add a STACK_OF extensions to a certificate request: allow alternative OIDs + * in case we want to create a non-standard one. */ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, int nid) { - ASN1_TYPE *at = NULL; - X509_ATTRIBUTE *attr = NULL; + unsigned char *ext = NULL; + int extlen; + int rv; - if (!(at = ASN1_TYPE_new()) || - !(at->value.sequence = ASN1_STRING_new())) - goto err; + extlen = i2d_X509_EXTENSIONS(exts, &ext); + if (extlen <= 0) + return 0; - at->type = V_ASN1_SEQUENCE; - /* Generate encoding of extensions */ - at->value.sequence->length = ASN1_item_i2d((ASN1_VALUE *)exts, - &at->value.sequence->data, &X509_EXTENSIONS_it); - if (!(attr = X509_ATTRIBUTE_new())) - goto err; - if (!(attr->value.set = sk_ASN1_TYPE_new_null())) - goto err; - if (!sk_ASN1_TYPE_push(attr->value.set, at)) - goto err; - at = NULL; - attr->single = 0; - attr->object = OBJ_nid2obj(nid); - if (!req->req_info->attributes) { - if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null())) - goto err; - } - if (!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) - goto err; - return 1; + rv = X509_REQ_add1_attr_by_NID(req, nid, V_ASN1_SEQUENCE, ext, extlen); + free(ext); -err: - X509_ATTRIBUTE_free(attr); - ASN1_TYPE_free(at); - return 0; + return rv; } /* This is the normal usage: use the "official" OID */ -- cgit v1.2.3