[openssl-dev] [openssl.org #4380] [PATCH] Missing Sanity Checks for EVP_PKEY_new() in OpenSSL-1.0.2g

Bill Parker via RT rt at openssl.org
Sat Mar 5 21:34:58 UTC 2016


Hello All,

In reviewing code in directory 'crypto/evp', file 'pmeth_gn.c', in
function 'EVP_PKEY_keygen()', there is a call to EVP_PKEY_new() which
is not checked for a return value of NULL, indicating failure.

This test is done in function 'EVP_PKEY_paramgen()', but it looks like it
was left out in function 'EVP_PKEY_keygen()'.

The patch file below should address/correct this issue:

--- pmeth_gn.c.orig     2016-03-05 06:15:29.530259070 -0800
+++ pmeth_gn.c  2016-03-05 06:18:17.940663167 -0800
@@ -152,6 +152,11 @@
     if (!*ppkey)
         *ppkey = EVP_PKEY_new();

+    if (*ppkey == NULL) {
+       EVPerr(EVP_F_EVP_PKEY_PARAMGEN, ERR_R_MALLOC_FAILURE);
+       return -1;
+    }
+
     ret = ctx->pmeth->keygen(ctx, *ppkey);
     if (ret <= 0) {
         EVP_PKEY_free(*ppkey);
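
Review bot: The EVPerr() call in the added NULL check uses the function code EVP_F_EVP_PKEY_PARAMGEN, but the description places this hunk in EVP_PKEY_keygen(), so an allocation failure here would be recorded in the error queue against the wrong function. Use EVP_F_EVP_PKEY_KEYGEN instead. The two lines inside the new if block are also indented one column short of the surrounding code (7 spaces instead of 8).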

=======================================================================

In directory 'engines/ccgost', file 'gost94_keyx.c', there is a
call to 'EVP_PKEY_new()' which is not checked for a return value of
NULL, indicating failure.

The patch file below should address/correct this issue:

--- gost94_keyx.c.orig  2016-03-05 06:25:00.168784292 -0800
+++ gost94_keyx.c       2016-03-05 06:27:47.325028991 -0800
@@ -126,6 +126,8 @@
         key_is_ephemeral = 1;
         if (out) {
             mykey = EVP_PKEY_new();
+           if (!mykey)
+               goto memerr;
             EVP_PKEY_assign(mykey, EVP_PKEY_base_id(pubk), DSA_new());
             EVP_PKEY_copy_parameters(mykey, pubk);
             if (!gost_sign_keygen(EVP_PKEY_get0(mykey))) {
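
Review bot: The added check covers only EVP_PKEY_new(); on the very next line DSA_new() can also return NULL and is passed straight into EVP_PKEY_assign(), whose return value is ignored as well, so the same allocation-failure case remains one line below the fix. Suggest allocating the DSA into a local, checking it, and checking the result of EVP_PKEY_assign() before gost_sign_keygen() dereferences EVP_PKEY_get0(mykey). The memerr label is outside this hunk, so confirm it exists in this function and that its cleanup is correct when mykey is NULL.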

=======================================================================

In directory 'engines/ccgost', file 'gost2001_keyx.c', there is a
call to 'EVP_PKEY_new()' which is not checked for a return value of
NULL, indicating failure.

The patch file below should address/correct this issue:

--- gost2001_keyx.c.orig        2016-03-05 06:29:48.056373325 -0800
+++ gost2001_keyx.c     2016-03-05 06:30:23.400865428 -0800
@@ -147,6 +147,8 @@
         key_is_ephemeral = 1;
         if (out) {
             sec_key = EVP_PKEY_new();
+           if (!sec_key)
+               goto memerr;
             EVP_PKEY_assign(sec_key, EVP_PKEY_base_id(pubk), EC_KEY_new());
             EVP_PKEY_copy_parameters(sec_key, pubk);
             if (!gost2001_keygen(EVP_PKEY_get0(sec_key))) {
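
Review bot: key_is_ephemeral is already set to 1 when the added goto memerr fires with sec_key still NULL, so the cleanup at memerr (not visible in this hunk) must not assume an ephemeral key was actually created; that path should be checked before this is applied. Separately, EC_KEY_new() on the following line is unchecked and the return value of EVP_PKEY_copy_parameters() is ignored, so gost2001_keygen() can still be handed a key with no EC_KEY attached. The two added lines are indented one column short of the surrounding code.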


=======================================================================

Bill Parker (wp02855 at gmail dot com)

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4380
Please log in as guest with password guest if prompted
