[openssl] master update

Dr. Paul Dale pauli at openssl.org
Fri Dec 17 03:40:06 UTC 2021


The branch master has been updated
       via  27f7f527652e403177335eb2e3ba1ff6df13f193 (commit)
       via  ad2fcee1632d3f21a37e8e108d4c0dcf9099686d (commit)
      from  dd2fcc1f7c44c5fb5aa2d33aecdc699c7018ce01 (commit)


- Log -----------------------------------------------------------------
commit 27f7f527652e403177335eb2e3ba1ff6df13f193
Author: Pauli <pauli at openssl.org>
Date:   Tue Dec 14 11:08:00 2021 +1100

    Add test case to verify that the use after free issue is fixed.
    
    Test case based on reproducer by Guido Vranken.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17263)

commit ad2fcee1632d3f21a37e8e108d4c0dcf9099686d
Author: Pauli <pauli at openssl.org>
Date:   Mon Dec 13 12:16:18 2021 +1100

    evp: address a use after free state when using HMAC and MD copy.
    
    Fixes #17261
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17263)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/digest.c |  3 ++-
 test/hmactest.c     | 31 +++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 7ebb2e3235..322cfe7646 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -521,7 +521,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
         if (out->fetched_digest != NULL)
             EVP_MD_free(out->fetched_digest);
         *out = *in;
-        return 1;
+        goto clone_pkey;
     }
 
     if (in->digest->prov == NULL
@@ -552,6 +552,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
         }
     }
 
+ clone_pkey:
     /* copied EVP_MD_CTX should free the copied EVP_PKEY_CTX */
     EVP_MD_CTX_clear_flags(out, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
 #ifndef FIPS_MODULE
diff --git a/test/hmactest.c b/test/hmactest.c
index 63954a1183..8f5bf32f87 100644
--- a/test/hmactest.c
+++ b/test/hmactest.c
@@ -245,6 +245,36 @@ err:
     return ret;
 }
 
+static int test_hmac_copy_uninited(void)
+{
+    const unsigned char key[24] = {0};
+    const unsigned char ct[166] = {0};
+    EVP_PKEY *pkey = NULL;
+    EVP_MD_CTX *ctx = NULL;
+    EVP_MD_CTX *ctx_tmp = NULL;
+    int res = 0;
+
+    if (!TEST_ptr(ctx = EVP_MD_CTX_new())
+            || !TEST_ptr(pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
+                                                     key, sizeof(key)))
+            || !TEST_true(EVP_DigestSignInit(ctx, NULL, EVP_sha1(), NULL, pkey))
+            || !TEST_ptr(ctx_tmp = EVP_MD_CTX_new())
+            || !TEST_true(EVP_MD_CTX_copy(ctx_tmp, ctx)))
+        goto err;
+    EVP_MD_CTX_free(ctx);
+    ctx = ctx_tmp;
+    ctx_tmp = NULL;
+
+    if (!TEST_true(EVP_DigestSignUpdate(ctx, ct, sizeof(ct))))
+        goto err;
+    res = 1;
+ err:
+    EVP_MD_CTX_free(ctx);
+    EVP_MD_CTX_free(ctx_tmp);
+    EVP_PKEY_free(pkey);
+    return res;
+}
+
 # ifndef OPENSSL_NO_MD5
 static char *pt(unsigned char *md, unsigned int len)
 {
@@ -266,6 +296,7 @@ int setup_tests(void)
     ADD_TEST(test_hmac_bad);
     ADD_TEST(test_hmac_run);
     ADD_TEST(test_hmac_copy);
+    ADD_TEST(test_hmac_copy_uninited);
     return 1;
 }
 


More information about the openssl-commits mailing list