Merge branch 'main' into ocsp-tighten-url-parsing

Author: prasden

crypto/evp_extra/p_kem_asn1.c

@@ -86,7 +86,14 @@ static int kem_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out,
   return 1;
 }
 
+// kem_cmp_parameters returns 1 if |a| and |b| hold populated KEM keys with
+// the same KEM NID, 0 if their NIDs differ, or -2 if either operand is
+// missing its key or parameters. The tri-state return aligns with the
+// |EVP_PKEY_cmp| convention (1 = equal, 0 = not equal, negative = error).
 static int kem_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) {
+  if (a == NULL || b == NULL) {
+    return -2;
+  }
   const KEM_KEY *a_key = a->pkey.kem_key;
   const KEM_KEY *b_key = b->pkey.kem_key;
   if (a_key == NULL || b_key == NULL) {

crypto/evp_extra/p_pqdsa_asn1.c

@@ -137,13 +137,42 @@ static int pqdsa_pub_encode(CBB *out, const EVP_PKEY *pkey) {
   return 1;
 }
 
+// pqdsa_cmp_parameters returns 1 if |a| and |b| hold populated PQDSA keys
+// with the same ML-DSA NID, 0 if their NIDs differ, or -2 if either operand
+// is missing its key or parameters. The tri-state return aligns with the
+// |EVP_PKEY_cmp| convention (1 = equal, 0 = not equal, negative = error).
+static int pqdsa_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) {
+  if (a == NULL || b == NULL) {
+    return -2;
+  }
+  const PQDSA_KEY *a_key = a->pkey.pqdsa_key;
+  const PQDSA_KEY *b_key = b->pkey.pqdsa_key;
+  if (a_key == NULL || b_key == NULL) {
+    return -2;
+  }
+
+  const PQDSA *a_pqdsa = a_key->pqdsa;
+  const PQDSA *b_pqdsa = b_key->pqdsa;
+  if (a_pqdsa == NULL || b_pqdsa == NULL) {
+    return -2;
+  }
+
+  return a_pqdsa->nid == b_pqdsa->nid;
+}
+
 static int pqdsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
-  PQDSA_KEY *a_key = a->pkey.pqdsa_key;
-  PQDSA_KEY *b_key = b->pkey.pqdsa_key;
+  int ret = pqdsa_cmp_parameters(a, b);
+  if (ret <= 0) {
+    return ret;
+  }
 
-  return OPENSSL_memcmp(a_key->public_key,
-                        b_key->public_key,
-                        a->pkey.pqdsa_key->pqdsa->public_key_len) == 0;
+  const PQDSA_KEY *a_key = a->pkey.pqdsa_key;
+  const PQDSA_KEY *b_key = b->pkey.pqdsa_key;
+  if (a_key->public_key == NULL || b_key->public_key == NULL) {
+    return -2;
+  }
+  return OPENSSL_memcmp(a_key->public_key, b_key->public_key,
+                        a_key->pqdsa->public_key_len) == 0;
 }
 
 static int pqdsa_priv_decode(EVP_PKEY *out, CBS *oid, CBS *params, CBS *key, CBS *pubkey) {

crypto/ocsp/ocsp_server.c

@@ -65,14 +65,33 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) {
   return 1;
 }
 
+// ocsp_respid_clear frees any previously-installed content of |respid| using
+// the destructor matching the current |respid->type|, so callers can install
+// a new value without leaking or triggering a type-confused free.
+static void ocsp_respid_clear(OCSP_RESPID *respid) {
+  switch (respid->type) {
+    case V_OCSP_RESPID_NAME:
+      X509_NAME_free(respid->value.byName);
+      respid->value.byName = NULL;
+      break;
+    case V_OCSP_RESPID_KEY:
+      ASN1_OCTET_STRING_free(respid->value.byKey);
+      respid->value.byKey = NULL;
+      break;
+  }
+}
+
 static int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert) {
   GUARD_PTR(respid);
   GUARD_PTR(cert);
-  if (!X509_NAME_set(&respid->value.byName, X509_get_subject_name(cert))) {
+
+  X509_NAME *byName = X509_NAME_dup(X509_get_subject_name(cert));
+  if (byName == NULL) {
     return 0;
   }
-
+  ocsp_respid_clear(respid);
   respid->type = V_OCSP_RESPID_NAME;
+  respid->value.byName = byName;
   return 1;
 }
 
@@ -95,6 +114,7 @@ static int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert) {
     ASN1_OCTET_STRING_free(byKey);
     return 0;
   }
+  ocsp_respid_clear(respid);
   respid->type = V_OCSP_RESPID_KEY;
   respid->value.byKey = byKey;
 

crypto/ocsp/ocsp_test.cc

@@ -1293,6 +1293,38 @@ TEST(OCSPResponseSignTestExtended, OCSPResponseSign) {
                               pkey.get(), EVP_sha256(), additional_cert.get(),
                               OCSP_NOCERTS));
   EXPECT_EQ((int)sk_X509_num(basic_response.get()->certs), 0);
+
+  // Regression: re-signing the same |OCSP_BASICRESP| through any sequence of
+  // |OCSP_RESPID_KEY| flag combinations must not leak or free the prior
+  // responderId union arm through the wrong destructor. ASAN should flag any
+  // misuse.
+  basic_response.reset(OCSP_BASICRESP_new());
+  ASSERT_TRUE(basic_response);
+  EXPECT_TRUE(OCSP_basic_sign(basic_response.get(), signer_cert.get(),
+                              pkey.get(), EVP_sha256(), additional_cert.get(),
+                              0));
+  EXPECT_EQ(basic_response.get()->tbsResponseData->responderId->type,
+            V_OCSP_RESPID_NAME);
+  EXPECT_TRUE(OCSP_basic_sign(basic_response.get(), signer_cert.get(),
+                              pkey.get(), EVP_sha256(), additional_cert.get(),
+                              OCSP_RESPID_KEY));
+  EXPECT_EQ(basic_response.get()->tbsResponseData->responderId->type,
+            V_OCSP_RESPID_KEY);
+  EXPECT_TRUE(OCSP_basic_sign(basic_response.get(), signer_cert.get(),
+                              pkey.get(), EVP_sha256(), additional_cert.get(),
+                              OCSP_RESPID_KEY));
+  EXPECT_EQ(basic_response.get()->tbsResponseData->responderId->type,
+            V_OCSP_RESPID_KEY);
+  EXPECT_TRUE(OCSP_basic_sign(basic_response.get(), signer_cert.get(),
+                              pkey.get(), EVP_sha256(), additional_cert.get(),
+                              0));
+  EXPECT_EQ(basic_response.get()->tbsResponseData->responderId->type,
+            V_OCSP_RESPID_NAME);
+  EXPECT_TRUE(OCSP_basic_sign(basic_response.get(), signer_cert.get(),
+                              pkey.get(), EVP_sha256(), additional_cert.get(),
+                              0));
+  EXPECT_EQ(basic_response.get()->tbsResponseData->responderId->type,
+            V_OCSP_RESPID_NAME);
 }
 
 static const char extended_good_http_request_hdr[] =

crypto/pem/pem_lib.c

@@ -269,12 +269,12 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
         callback = PEM_def_callback;
       }
       pass_len = (*callback)(buf, PEM_BUFSIZE, 1, u);
-      if (pass_len < 0) {
-        OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);
-        goto err;
-      }
       pass = (const unsigned char *)buf;
     }
+    if (pass_len < 0) {
+      OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);
+      goto err;
+    }
     assert(iv_len <= sizeof(iv));
     AWSLC_ABORT_IF_NOT_ONE(RAND_bytes(iv, iv_len));  // Generate a salt
 

crypto/pem/pem_test.cc

@@ -132,6 +132,7 @@ TEST(PEMTest, WriteReadRSAPem) {
   ASSERT_TRUE(write_bio);
   const EVP_CIPHER* cipher = EVP_get_cipherbynid(NID_aes_256_cbc);
   ASSERT_TRUE(cipher);
+  EXPECT_FALSE(PEM_write_bio_RSAPrivateKey(write_bio.get(), rsa.get(), cipher, (unsigned char*)SECRET, -1, nullptr, nullptr));
   ASSERT_TRUE(PEM_write_bio_RSAPrivateKey(write_bio.get(), rsa.get(), cipher, (unsigned char*)SECRET, (int)BUF_strnlen(SECRET, 256), nullptr, nullptr));
 
   const uint8_t* content;