The branch master has been updated via d3329973f0ad6cf8065998118c3fb4183003d71a (commit) via dbb72124cdf1ad0dc223cfd570219e9af043ce7f (commit) from e7fb44e7c3f7a37ff83a6b69ba51a738e549bf5c (commit)
- Log ----------------------------------------------------------------- commit d3329973f0ad6cf8065998118c3fb4183003d71a Author: Paul Yang <kaishen...@antfin.com> Date: Thu Sep 26 10:57:23 2019 +0800 Fix a document description in apps/req Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9958) commit dbb72124cdf1ad0dc223cfd570219e9af043ce7f Author: Paul Yang <kaishen...@antfin.com> Date: Sat Sep 21 00:32:57 2019 +0800 Fix a double free issue when signing SM2 cert If the SM2 ID value has not been passed correctly when signing an SM2 certificate/certificate request, a double free occurs. For instance: openssl req -x509 ... -sm2-id 1234567812345678 The '-sm2-id' should not be used in this scenario, while the '-sigopt' is the correct one to use. Documentation has also been updated to make the options more clear. Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9958) ----------------------------------------------------------------------- Summary of changes: apps/req.c | 48 ++++++++++++++++++++++++++++++------------------ doc/man1/openssl-req.pod | 8 ++++---- 2 files changed, 34 insertions(+), 22 deletions(-)
diff --git a/apps/req.c b/apps/req.c
index f11d341c12..1c9672cca1 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1751,15 +1751,19 @@ int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
 #endif
 rv = do_sign_init(mctx, pkey, md, sigopts);
- if (rv > 0)
+ if (rv > 0) {
 rv = X509_sign_ctx(x, mctx);
 #ifndef OPENSSL_NO_SM2
- /* only in SM2 case we need to free the pctx explicitly */
- if (ec_pkey_is_sm2(pkey)) {
- pctx = EVP_MD_CTX_pkey_ctx(mctx);
- EVP_PKEY_CTX_free(pctx);
- }
+ /*
+ * only in SM2 case we need to free the pctx explicitly
+ * if do_sign_init() fails, pctx is already freed in it
+ */
+ if (ec_pkey_is_sm2(pkey)) {
+ pctx = EVP_MD_CTX_pkey_ctx(mctx);
+ EVP_PKEY_CTX_free(pctx);
+ }
 #endif
+ }
 EVP_MD_CTX_free(mctx);
 return rv > 0 ? 1 : 0;
 }
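Review bot: In do_X509_sign the SM2 pctx now has two owners depending on the outcome: the caller frees it inside the `rv > 0` block and, per the new comment, do_sign_init() frees it on failure. After `EVP_PKEY_CTX_free(pctx)` the mctx presumably still refers to the freed context until `EVP_MD_CTX_free(mctx)` runs, so both paths are safe only because of behaviour that is not visible in this hunk (the function body starts outside it). Consider giving the cleanup a single owner, for example by having do_sign_init() detach the pctx from mctx when it frees it, and stating that contract in a comment on do_sign_init(). The same applies to the do_X509_REQ_sign and do_X509_CRL_sign hunks. The diffstat shows no test change; a regression test for the failing invocation quoted in the commit message would keep the failure path covered.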
@@ -1774,15 +1778,19 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
 #endif
 rv = do_sign_init(mctx, pkey, md, sigopts);
- if (rv > 0)
+ if (rv > 0) {
 rv = X509_REQ_sign_ctx(x, mctx);
 #ifndef OPENSSL_NO_SM2
- /* only in SM2 case we need to free the pctx explicitly */
- if (ec_pkey_is_sm2(pkey)) {
- pctx = EVP_MD_CTX_pkey_ctx(mctx);
- EVP_PKEY_CTX_free(pctx);
- }
+ /*
+ * only in SM2 case we need to free the pctx explicitly
+ * if do_sign_init() fails, pctx is already freed in it
+ */
+ if (ec_pkey_is_sm2(pkey)) {
+ pctx = EVP_MD_CTX_pkey_ctx(mctx);
+ EVP_PKEY_CTX_free(pctx);
+ }
 #endif
+ }
 EVP_MD_CTX_free(mctx);
 return rv > 0 ? 1 : 0;
 }
@@ -1797,15 +1805,19 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
 #endif
 rv = do_sign_init(mctx, pkey, md, sigopts);
- if (rv > 0)
+ if (rv > 0) {
 rv = X509_CRL_sign_ctx(x, mctx);
 #ifndef OPENSSL_NO_SM2
- /* only in SM2 case we need to free the pctx explicitly */
- if (ec_pkey_is_sm2(pkey)) {
- pctx = EVP_MD_CTX_pkey_ctx(mctx);
- EVP_PKEY_CTX_free(pctx);
- }
+ /*
+ * only in SM2 case we need to free the pctx explicitly
+ * if do_sign_init() fails, no need to double free pctx
+ */
+ if (ec_pkey_is_sm2(pkey)) {
+ pctx = EVP_MD_CTX_pkey_ctx(mctx);
+ EVP_PKEY_CTX_free(pctx);
+ }
 #endif
+ }
 EVP_MD_CTX_free(mctx);
 return rv > 0 ? 1 : 0;
 }
diff --git a/doc/man1/openssl-req.pod b/doc/man1/openssl-req.pod
index 4300504f87..7453d5e7e9 100644
--- a/doc/man1/openssl-req.pod
+++ b/doc/man1/openssl-req.pod
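Review bot: The SM2 cleanup block in do_X509_REQ_sign is a line-for-line copy of the one in do_X509_sign and do_X509_CRL_sign, so the rule that made this fix necessary (free pctx only after do_sign_init() succeeded) now has to be kept correct in three places. Moving it into one static helper that each signer calls inside its `rv > 0` block would give that rule a single home. The helper name below is a suggestion, and the local `pctx` in each caller would then be unused and could go. The function body starts outside the hunk.
```c
#ifndef OPENSSL_NO_SM2
/* Call only after do_sign_init() succeeded; on failure it has already freed pctx. */
static void free_sm2_pctx(EVP_MD_CTX *mctx, EVP_PKEY *pkey)
{
    if (ec_pkey_is_sm2(pkey))
        EVP_PKEY_CTX_free(EVP_MD_CTX_pkey_ctx(mctx));
}
#endif

    if (rv > 0) {
        rv = X509_REQ_sign_ctx(x, mctx);
        /* … unchanged: #ifndef OPENSSL_NO_SM2 guard around the call … */
        free_sm2_pctx(mctx, pkey);
    }
```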
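Review bot: The new comment in do_X509_CRL_sign reads "if do_sign_init() fails, no need to double free pctx", while the other two signers say "pctx is already freed in it". The CRL wording states the consequence but not the reason, which is the part a later maintainer needs before touching the guard. Use the same text in all three, e.g. `* if do_sign_init() fails, pctx is already freed in it`.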
@@ -342,13 +342,13 @@ for key generation operations.
 =item B<-sm2-id>
-Specify the ID string to use when verifying an SM2 certificate. The ID string is
-required by the SM2 signature algorithm for signing and verification.
+Specify the ID string to use when verifying an SM2 certificate request. The ID
+string is required by the SM2 signature algorithm for signing and verification.
 =item B<-sm2-hex-id>
-Specify a binary ID string to use when signing or verifying using an SM2
-certificate. The argument for this option is string of hexadecimal digits.
+Specify a binary ID string to use when verifying an SM2 certificate request. The
+argument for this option is string of hexadecimal digits.
 =back