author | James Muir <james@openssl.org> | 2023-10-14 19:36:57 -0400 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-10-18 16:51:43 +0200 |
commit | 33e18be32e626d938d1687410e77c3e2d8d2f9bf (patch) | |
tree | 52a90ad17bd7bbeca5499458319d88530bbcdd64 | |
parent | d6304236252a19966424fbb1bf3b20874fab06af (diff) | |
cms encrypt, better OBJ_nid2obj() return check
Fixes #22225
In OBJ_nid2obj(), if the NID does not have an OID, then a pointer to
the special "undefined" ASN1_OBJECT is returned. Check for the
undefined-ASN1_OBJECT and return an error. Also, add a test for this
in 80-test_cms.t.
Testing:
#!/bin/bash -x
shopt -s expand_aliases
alias openssl="LD_LIBRARY_PATH=~/git/openssl ~/git/openssl/apps/openssl"
echo "This is a confidential message. It should be encrypted." > msg.txt
## this should fail b/c there is no OID for aes-256-ctr
openssl cms -encrypt -in msg.txt -aes-256-ctr -out msg.txt.cms -recip demos/cms/signer.pem
echo $?
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22392)
(cherry picked from commit bd160912dcc5e39bcdc925d9aa6538f20e37ad16)
-rw-r--r-- | crypto/cms/cms_enc.c | 2 | ||||
-rw-r--r-- | test/recipes/80-test_cms.t | 13 |
2 files changed, 13 insertions, 2 deletions
diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index f7007c1231..9143433986 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -81,7 +81,7 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
 if (enc) {
 calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_get_type(ctx));
- if (calg->algorithm == NULL) {
+ if (calg->algorithm == NULL || calg->algorithm->nid == NID_undef) {
 ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM);
 goto err;
 }
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index f99ae8327e..be77923313 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
 $no_rc2 = 1 if disabled("legacy");
-plan tests => 17;
+plan tests => 18;
 ok(run(test(["pkcs7_test"])), "test pkcs7");
@@ -1008,3 +1008,14 @@ with({ exit_checker => sub { return shift == 3; } },
 "issue#21986");
 }
 });
+
+# Test for problem reported in #22225
+with({ exit_checker => sub { return shift == 3; } },
+ sub {
+ ok(run(app(['openssl', 'cms', '-encrypt',
+ '-in', srctop_file("test", "smcont.txt"),
+ '-aes-256-ctr', '-recip',
+ catfile($smdir, "smec1.pem"),
+ ])),
+ "Check for failure when cipher does not have an assigned OID (issue#22225)");
+ }); |
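Review bot: The widened check `calg->algorithm->nid == NID_undef` reads a field of ASN1_OBJECT directly and has no comment saying why a non-NULL result can still be unusable. A one-line comment such as `/* OBJ_nid2obj() returns the "undefined" object, not NULL, for a cipher with no OID */` would keep a later cleanup from dropping the second test, without which the content-encryption algorithm identifier would be set to an undefined object. The public accessor would also work here, `if (OBJ_obj2nid(calg->algorithm) == NID_undef) {`, and it treats a NULL pointer as NID_undef too. The function body starts and ends outside the hunk, so any other use of OBJ_nid2obj() in it is not visible here.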
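Review bot: The added test in the last hunk passes on any failure that exits with status 3, so it does not show that the command was rejected because `-aes-256-ctr` has no OID. The recipient is `smec1.pem`, which by its name is presumably an EC certificate, and the block is not guarded by the `$no_ec` flag the file already declares. In a build without EC the command could therefore fail for an unrelated reason, and the test would either pass for the wrong reason or break the plan. Wrapping it in a `SKIP:` block with `skip "EC is not supported by this OpenSSL build", 1 if $no_ec;` would at least remove that ambiguity. Checking stderr for the unsupported-algorithm error would tie the test to the regression in #22225. The three context lines at the top of the hunk close an earlier `with()` block that starts outside it.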