[openssl] master update

tomas at openssl.org tomas at openssl.org
Mon Jan 17 15:26:14 UTC 2022


The branch master has been updated
       via  59d3fd1cc8c938daa6384783a7e5847d6f5201f7 (commit)
       via  3b53f88c008d288e86d2bbdc0c4e2d16c29fcee8 (commit)
       via  f58bb2dd00c3004552c5c1e8d0f2c1390c004cf8 (commit)
      from  144316d276adf5b8172316f7bc20b372b8e31ac8 (commit)


- Log -----------------------------------------------------------------
commit 59d3fd1cc8c938daa6384783a7e5847d6f5201f7
Author: Tomas Mraz <tomas at openssl.org>
Date:   Thu Jan 13 19:02:31 2022 +0100

    dhtest: Add testcase for EVP_PKEY_CTX_set_dh_nid
    
    And a negative testcase for EVP_PKEY_CTX_set_dhx_rfc5114
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17498)

commit 3b53f88c008d288e86d2bbdc0c4e2d16c29fcee8
Author: Tomas Mraz <tomas at openssl.org>
Date:   Thu Jan 13 19:01:33 2022 +0100

    Do not call ossl_ffc_name_to_dh_named_group with NULL argument
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17498)

commit f58bb2dd00c3004552c5c1e8d0f2c1390c004cf8
Author: Tomas Mraz <tomas at openssl.org>
Date:   Thu Jan 13 19:00:13 2022 +0100

    Properly return error on EVP_PKEY_CTX_set_dh_nid and EVP_PKEY_CTX_set_dhx_rfc5114
    
    Fixes #17485
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17498)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/ctrl_params_translate.c           | 23 +++++++++++++++++------
 crypto/ffc/ffc_backend.c                     |  1 +
 providers/implementations/keymgmt/dh_kmgmt.c |  1 +
 test/dhtest.c                                | 28 ++++++++++++++++++++++++++++
 4 files changed, 47 insertions(+), 6 deletions(-)

diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
index c4589f1416..2deb1d9b47 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@@ -1004,8 +1004,11 @@ static int fix_dh_nid(enum state state,
         return 0;
 
     if (state == PRE_CTRL_TO_PARAMS) {
-        ctx->p2 = (char *)ossl_ffc_named_group_get_name
-            (ossl_ffc_uid_to_dh_named_group(ctx->p1));
+        if ((ctx->p2 = (char *)ossl_ffc_named_group_get_name
+             (ossl_ffc_uid_to_dh_named_group(ctx->p1))) == NULL) {
+            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_VALUE);
+            return 0;
+        }
         ctx->p1 = 0;
     }
 
@@ -1028,16 +1031,24 @@ static int fix_dh_nid5114(enum state state,
 
     switch (state) {
     case PRE_CTRL_TO_PARAMS:
-        ctx->p2 = (char *)ossl_ffc_named_group_get_name
-            (ossl_ffc_uid_to_dh_named_group(ctx->p1));
+        if ((ctx->p2 = (char *)ossl_ffc_named_group_get_name
+             (ossl_ffc_uid_to_dh_named_group(ctx->p1))) == NULL) {
+            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_VALUE);
+            return 0;
+        }
+
         ctx->p1 = 0;
         break;
 
     case PRE_CTRL_STR_TO_PARAMS:
         if (ctx->p2 == NULL)
             return 0;
-        ctx->p2 = (char *)ossl_ffc_named_group_get_name
-            (ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2)));
+        if ((ctx->p2 = (char *)ossl_ffc_named_group_get_name
+             (ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2)))) == NULL) {
+            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_VALUE);
+            return 0;
+        }
+
         ctx->p1 = 0;
         break;
 
diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c
index b227186934..b387f966cc 100644
--- a/crypto/ffc/ffc_backend.c
+++ b/crypto/ffc/ffc_backend.c
@@ -37,6 +37,7 @@ int ossl_ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[])
         const DH_NAMED_GROUP *group = NULL;
 
         if (prm->data_type != OSSL_PARAM_UTF8_STRING
+            || prm->data == NULL
             || (group = ossl_ffc_name_to_dh_named_group(prm->data)) == NULL
             || !ossl_ffc_named_group_set_pqg(ffc, group))
 #endif
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 98eb882e3f..ab8ef3ac52 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -532,6 +532,7 @@ static int dh_gen_common_set_params(void *genctx, const OSSL_PARAM params[])
         const DH_NAMED_GROUP *group = NULL;
 
         if (p->data_type != OSSL_PARAM_UTF8_STRING
+            || p->data == NULL
             || (group = ossl_ffc_name_to_dh_named_group(p->data)) == NULL
             || ((gctx->group_nid =
                  ossl_ffc_named_group_get_uid(group)) == NID_undef)) {
diff --git a/test/dhtest.c b/test/dhtest.c
index c24bae4a82..3973a4b79d 100644
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -744,6 +744,33 @@ static int dh_rfc5114_fix_nid_test(void)
     /* Tested function is called here */
     if (!TEST_int_eq(EVP_PKEY_CTX_set_dhx_rfc5114(paramgen_ctx, 3), 1))
         goto err;
+    /* Negative test */
+    if (!TEST_int_eq(EVP_PKEY_CTX_set_dhx_rfc5114(paramgen_ctx, 99), 0))
+        goto err;
+    /* If we're still running then the test passed. */
+    ok = 1;
+err:
+    EVP_PKEY_CTX_free(paramgen_ctx);
+    return ok;
+}
+
+static int dh_set_dh_nid_test(void)
+{
+    int ok = 0;
+    EVP_PKEY_CTX *paramgen_ctx;
+
+    /* Run the test. Success is any time the test does not cause a SIGSEGV interrupt */
+    paramgen_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, 0);
+    if (!TEST_ptr(paramgen_ctx))
+        goto err;
+    if (!TEST_int_eq(EVP_PKEY_paramgen_init(paramgen_ctx), 1))
+        goto err;
+    /* Tested function is called here */
+    if (!TEST_int_eq(EVP_PKEY_CTX_set_dh_nid(paramgen_ctx, NID_ffdhe2048), 1))
+        goto err;
+    /* Negative test */
+    if (!TEST_int_eq(EVP_PKEY_CTX_set_dh_nid(paramgen_ctx, NID_secp521r1), 0))
+        goto err;
     /* If we're still running then the test passed. */
     ok = 1;
 err:
@@ -898,6 +925,7 @@ int setup_tests(void)
     ADD_TEST(dh_get_nid);
     ADD_TEST(dh_load_pkcs3_namedgroup_privlen_test);
     ADD_TEST(dh_rfc5114_fix_nid_test);
+    ADD_TEST(dh_set_dh_nid_test);
 #endif
     return 1;
 }


More information about the openssl-commits mailing list