From 61f739868ef33afd7586c90dfda3d0ec2feaeddb Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Wed, 3 Aug 2022 18:04:36 +0200 Subject: [PATCH] FIPS: Fix memory leak in digest_sign self-test Contrary to what the documentation for EVP_DigestSignInit(3) and EVP_DigestVerifyInit(3) says, the EVP_PKEY_CTX created by these functions is not automatically released inside of the FIPS provider due to an #ifndef FIPS_MODULE in evp_md_ctx_reset_ex. Resolves: rhbz#2102535 --- ...se-digest_sign-digest_verify-in-self-test.patch | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch index 1552d55..c7e4731 100644 --- a/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +++ b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch @@ -247,7 +247,7 @@ index b6d5e8e134..77eec075e6 100644 size_t siglen = sizeof(sig); static const unsigned char dgst[] = { 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, -@@ -488,23 +491,22 @@ static int self_test_sign(const ST_KAT_SIGN *t, +@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t, || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) goto err; @@ -279,12 +279,16 @@ index b6d5e8e134..77eec075e6 100644 - if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0 - || EVP_PKEY_verify_init(sctx) <= 0 ++ /* sctx is not freed automatically inside the FIPS module */ ++ EVP_PKEY_CTX_free(sctx); ++ sctx = NULL; ++ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); + if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0 || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) goto err; -@@ -518,14 +520,15 @@ static int self_test_sign(const ST_KAT_SIGN *t, +@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t, goto err; OSSL_SELF_TEST_oncorrupt_byte(st, sig); @@ -295,10 +299,12 @@ index b6d5e8e134..77eec075e6 100644 err: BN_CTX_free(bnctx); EVP_PKEY_free(pkey); +- EVP_PKEY_CTX_free(kctx); + EVP_MD_free(md); + EVP_MD_CTX_free(ctx); - EVP_PKEY_CTX_free(kctx); -- EVP_PKEY_CTX_free(sctx); ++ /* sctx is not freed automatically inside the FIPS module */ + EVP_PKEY_CTX_free(sctx); ++ EVP_PKEY_CTX_free(kctx); OSSL_PARAM_free(params); OSSL_PARAM_free(params_sig); OSSL_PARAM_BLD_free(bld);