From de27a112cf673d9479d096ce4a9ac17f9d280434 Mon Sep 17 00:00:00 2001 From: James Pace Date: Fri, 27 Jan 2023 02:23:40 +0000 Subject: [PATCH] Add fix suggested in sros2 bug report. As stated in: https://github.com/OpenDDS/OpenDDS/pull/3992#issue-1548228907 "Implement the suggestion in ros2/sros2#282. Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document. This, in turn, requires the use of the certs parameter to PKCS7_verify. PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified." Fixes: https://github.com/eclipse-cyclonedds/cyclonedds/issues/1546 Related to: https://github.com/ros2/sros2/issues/282 Signed-off-by: James Pace --- .../access_control/src/access_control_utils.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/security/builtin_plugins/access_control/src/access_control_utils.c b/src/security/builtin_plugins/access_control/src/access_control_utils.c index d9819d25db..8280a86f2b 100644 --- a/src/security/builtin_plugins/access_control/src/access_control_utils.c +++ b/src/security/builtin_plugins/access_control/src/access_control_utils.c @@ -234,7 +234,7 @@ static bool PKCS7_document_from_data(const char *data, size_t len, PKCS7 **p7, B static bool PKCS7_document_verify(PKCS7 *p7, X509 *cert, BIO *inbio, BIO **outbio, DDS_Security_SecurityException *ex) { bool result = false; - X509_STORE *store = NULL; + STACK_OF(X509) *certStack = NULL; assert(p7); assert(cert); @@ -243,18 +243,18 @@ static bool PKCS7_document_verify(PKCS7 *p7, X509 *cert, BIO *inbio, BIO **outbi if ((*outbio = BIO_new(BIO_s_mem())) == NULL) DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": "); - else if ((store = X509_STORE_new()) == NULL) + else if ((certStack = sk_X509_new_null()) == NULL) DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": "); else { - X509_STORE_add_cert(store, cert); - if (PKCS7_verify(p7, NULL, store, inbio, *outbio, PKCS7_TEXT) != 1) + sk_X509_push(certStack, cert); + if (PKCS7_verify(p7, certStack, NULL, inbio, *outbio, PKCS7_TEXT | PKCS7_NOVERIFY | PKCS7_NOINTERN) != 1) DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE, 0, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_MESSAGE ": "); else result = true; } - if (store) - X509_STORE_free(store); + if (certStack) + sk_X509_free(certStack); if (!result && *outbio) { BIO_free(*outbio);