jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

FIPS: Fix memory leak in digest_sign self-test

Browse Source 
Contrary to what the documentation for EVP_DigestSignInit(3) and
EVP_DigestVerifyInit(3) says, the EVP_PKEY_CTX created by these
functions is not automatically released inside of the FIPS provider due
to an #ifndef FIPS_MODULE in evp_md_ctx_reset_ex.

Resolves: rhbz#2102535
This commit is contained in:
Clemens Lang 2022-08-03 18:04:36 +02:00
parent 08d6c35051
commit 61f739868e
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
View File

@ -247,7 +247,7 @@ index b6d5e8e134..77eec075e6 100644
size_t siglen = sizeof(sig); size_t siglen = sizeof(sig);
static const unsigned char dgst[] = { static const unsigned char dgst[] = {
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
@@ -488,23 +491,22 @@ static int self_test_sign(const ST_KAT_SIGN *t, @@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
goto err; goto err;
@ -279,12 +279,16 @@ index b6d5e8e134..77eec075e6 100644
- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0 - if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
- || EVP_PKEY_verify_init(sctx) <= 0 - || EVP_PKEY_verify_init(sctx) <= 0
+ /* sctx is not freed automatically inside the FIPS module */
+ EVP_PKEY_CTX_free(sctx);
+ sctx = NULL;
+
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
+ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0 + if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
|| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
goto err; goto err;
@@ -518,14 +520,15 @@ static int self_test_sign(const ST_KAT_SIGN *t, @@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
goto err; goto err;
OSSL_SELF_TEST_oncorrupt_byte(st, sig); OSSL_SELF_TEST_oncorrupt_byte(st, sig);
@ -295,10 +299,12 @@ index b6d5e8e134..77eec075e6 100644
err: err:
BN_CTX_free(bnctx); BN_CTX_free(bnctx);
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
- EVP_PKEY_CTX_free(kctx);
+ EVP_MD_free(md); + EVP_MD_free(md);
+ EVP_MD_CTX_free(ctx); + EVP_MD_CTX_free(ctx);
EVP_PKEY_CTX_free(kctx); + /* sctx is not freed automatically inside the FIPS module */
- EVP_PKEY_CTX_free(sctx); EVP_PKEY_CTX_free(sctx);
+ EVP_PKEY_CTX_free(kctx);
OSSL_PARAM_free(params); OSSL_PARAM_free(params);
OSSL_PARAM_free(params_sig); OSSL_PARAM_free(params_sig);
OSSL_PARAM_BLD_free(bld); OSSL_PARAM_BLD_free(bld);