[openssl] master update
tomas at openssl.org
tomas at openssl.org
Mon Jan 17 15:26:14 UTC 2022
The branch master has been updated
via 59d3fd1cc8c938daa6384783a7e5847d6f5201f7 (commit)
via 3b53f88c008d288e86d2bbdc0c4e2d16c29fcee8 (commit)
via f58bb2dd00c3004552c5c1e8d0f2c1390c004cf8 (commit)
from 144316d276adf5b8172316f7bc20b372b8e31ac8 (commit)
- Log -----------------------------------------------------------------
commit 59d3fd1cc8c938daa6384783a7e5847d6f5201f7
Author: Tomas Mraz <tomas at openssl.org>
Date: Thu Jan 13 19:02:31 2022 +0100
dhtest: Add testcase for EVP_PKEY_CTX_set_dh_nid
And a negative testcase for EVP_PKEY_CTX_set_dhx_rfc5114
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17498)
commit 3b53f88c008d288e86d2bbdc0c4e2d16c29fcee8
Author: Tomas Mraz <tomas at openssl.org>
Date: Thu Jan 13 19:01:33 2022 +0100
Do not call ossl_ffc_name_to_dh_named_group with NULL argument
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17498)
commit f58bb2dd00c3004552c5c1e8d0f2c1390c004cf8
Author: Tomas Mraz <tomas at openssl.org>
Date: Thu Jan 13 19:00:13 2022 +0100
Properly return error on EVP_PKEY_CTX_set_dh_nid and EVP_PKEY_CTX_set_dhx_rfc5114
Fixes #17485
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17498)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/ctrl_params_translate.c | 23 +++++++++++++++++------
crypto/ffc/ffc_backend.c | 1 +
providers/implementations/keymgmt/dh_kmgmt.c | 1 +
test/dhtest.c | 28 ++++++++++++++++++++++++++++
4 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
index c4589f1416..2deb1d9b47 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@@ -1004,8 +1004,11 @@ static int fix_dh_nid(enum state state,
return 0;
if (state == PRE_CTRL_TO_PARAMS) {
- ctx->p2 = (char *)ossl_ffc_named_group_get_name
- (ossl_ffc_uid_to_dh_named_group(ctx->p1));
+ if ((ctx->p2 = (char *)ossl_ffc_named_group_get_name
+ (ossl_ffc_uid_to_dh_named_group(ctx->p1))) == NULL) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_VALUE);
+ return 0;
+ }
ctx->p1 = 0;
}
@@ -1028,16 +1031,24 @@ static int fix_dh_nid5114(enum state state,
switch (state) {
case PRE_CTRL_TO_PARAMS:
- ctx->p2 = (char *)ossl_ffc_named_group_get_name
- (ossl_ffc_uid_to_dh_named_group(ctx->p1));
+ if ((ctx->p2 = (char *)ossl_ffc_named_group_get_name
+ (ossl_ffc_uid_to_dh_named_group(ctx->p1))) == NULL) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_VALUE);
+ return 0;
+ }
+
ctx->p1 = 0;
break;
case PRE_CTRL_STR_TO_PARAMS:
if (ctx->p2 == NULL)
return 0;
- ctx->p2 = (char *)ossl_ffc_named_group_get_name
- (ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2)));
+ if ((ctx->p2 = (char *)ossl_ffc_named_group_get_name
+ (ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2)))) == NULL) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_VALUE);
+ return 0;
+ }
+
ctx->p1 = 0;
break;
diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c
index b227186934..b387f966cc 100644
--- a/crypto/ffc/ffc_backend.c
+++ b/crypto/ffc/ffc_backend.c
@@ -37,6 +37,7 @@ int ossl_ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[])
const DH_NAMED_GROUP *group = NULL;
if (prm->data_type != OSSL_PARAM_UTF8_STRING
+ || prm->data == NULL
|| (group = ossl_ffc_name_to_dh_named_group(prm->data)) == NULL
|| !ossl_ffc_named_group_set_pqg(ffc, group))
#endif
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 98eb882e3f..ab8ef3ac52 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -532,6 +532,7 @@ static int dh_gen_common_set_params(void *genctx, const OSSL_PARAM params[])
const DH_NAMED_GROUP *group = NULL;
if (p->data_type != OSSL_PARAM_UTF8_STRING
+ || p->data == NULL
|| (group = ossl_ffc_name_to_dh_named_group(p->data)) == NULL
|| ((gctx->group_nid =
ossl_ffc_named_group_get_uid(group)) == NID_undef)) {
diff --git a/test/dhtest.c b/test/dhtest.c
index c24bae4a82..3973a4b79d 100644
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -744,6 +744,33 @@ static int dh_rfc5114_fix_nid_test(void)
/* Tested function is called here */
if (!TEST_int_eq(EVP_PKEY_CTX_set_dhx_rfc5114(paramgen_ctx, 3), 1))
goto err;
+ /* Negative test */
+ if (!TEST_int_eq(EVP_PKEY_CTX_set_dhx_rfc5114(paramgen_ctx, 99), 0))
+ goto err;
+ /* If we're still running then the test passed. */
+ ok = 1;
+err:
+ EVP_PKEY_CTX_free(paramgen_ctx);
+ return ok;
+}
+
+static int dh_set_dh_nid_test(void)
+{
+ int ok = 0;
+ EVP_PKEY_CTX *paramgen_ctx;
+
+ /* Run the test. Success is any time the test does not cause a SIGSEGV interrupt */
+ paramgen_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, 0);
+ if (!TEST_ptr(paramgen_ctx))
+ goto err;
+ if (!TEST_int_eq(EVP_PKEY_paramgen_init(paramgen_ctx), 1))
+ goto err;
+ /* Tested function is called here */
+ if (!TEST_int_eq(EVP_PKEY_CTX_set_dh_nid(paramgen_ctx, NID_ffdhe2048), 1))
+ goto err;
+ /* Negative test */
+ if (!TEST_int_eq(EVP_PKEY_CTX_set_dh_nid(paramgen_ctx, NID_secp521r1), 0))
+ goto err;
/* If we're still running then the test passed. */
ok = 1;
err:
@@ -898,6 +925,7 @@ int setup_tests(void)
ADD_TEST(dh_get_nid);
ADD_TEST(dh_load_pkcs3_namedgroup_privlen_test);
ADD_TEST(dh_rfc5114_fix_nid_test);
+ ADD_TEST(dh_set_dh_nid_test);
#endif
return 1;
}
More information about the openssl-commits
mailing list