From: Chenghai Huang <huangchenghai2@huawei.com> 1.When the group fails to be obtained, dh is null. In this case, accessing dh->meth will causes a memory error. 2.If the EVP_MD_CTX resources fail to be applied for, the EVP_MD_CTX resources do not need to be released. 3.After the ecx_key resource is released, the value of this parameter is set to NULL to prevent subsequent access to empty memory. 4.Add the validation of the input parameter of eckey. Otherwise, a memory error may occurs in EC_KEY_get0_group(). 5.Use BN_CTX_start and BN_CTX_free to complete the BN getting process. 6.Modify the length check to ensure that the copy does not overflow. Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com> Signed-off-by: JiangShui Yang <yangjiangshui@h-partners.com> --- src/uadk_ec.c | 2 ++ src/uadk_prov_dh.c | 26 ++++++++++++++------------ src/uadk_prov_ecdsa.c | 2 +- src/uadk_prov_ecx.c | 5 +++-- src/uadk_prov_pkey.c | 5 +++++ 5 files changed, 25 insertions(+), 15 deletions(-) diff --git a/src/uadk_ec.c b/src/uadk_ec.c index f9ca847..bd82036 100644 --- a/src/uadk_ec.c +++ b/src/uadk_ec.c @@ -951,6 +951,7 @@ static int ecdh_create_key(EC_KEY *eckey) return 0; } + BN_CTX_start(ctx); order = BN_CTX_get(ctx); if (!order) { fprintf(stderr, "failed to allocate order\n"); @@ -971,6 +972,7 @@ static int ecdh_create_key(EC_KEY *eckey) free_order: BN_clear(order); free_ctx: + BN_CTX_end(ctx); BN_CTX_free(ctx); return ret; } diff --git a/src/uadk_prov_dh.c b/src/uadk_prov_dh.c index e6984be..c81776c 100644 --- a/src/uadk_prov_dh.c +++ b/src/uadk_prov_dh.c @@ -1132,18 +1132,22 @@ static DH *uadk_prov_dh_gen_params_with_group(PROV_DH_KEYMGMT_CTX *gctx, FFC_PAR } group = ossl_ffc_uid_to_dh_named_group(gctx->group_nid); - if (group) { - dh = ossl_dh_new_ex(gctx->libctx); - if (dh == NULL) { - fprintf(stderr, "failed to get dh from libctx\n"); - return NULL; - } - dh->meth = DH_get_default_method(); - ossl_ffc_named_group_set(&dh->params, group); - dh->params.nid = ossl_ffc_named_group_get_uid(group); - dh->dirty_cnt++; + if (!group) { + fprintf(stderr, "failed to get dh named group\n"); + return NULL; + } + + dh = ossl_dh_new_ex(gctx->libctx); + if (dh == NULL) { + fprintf(stderr, "failed to get dh from libctx\n"); + return NULL; } + dh->meth = DH_get_default_method(); + ossl_ffc_named_group_set(&dh->params, group); + dh->params.nid = ossl_ffc_named_group_get_uid(group); + dh->dirty_cnt++; + *ffc = ossl_dh_get0_params(dh); if (*ffc == NULL) { fprintf(stderr, "failed to gen ffc params\n"); @@ -1151,8 +1155,6 @@ static DH *uadk_prov_dh_gen_params_with_group(PROV_DH_KEYMGMT_CTX *gctx, FFC_PAR return NULL; } - dh->meth = DH_get_default_method(); - return dh; } diff --git a/src/uadk_prov_ecdsa.c b/src/uadk_prov_ecdsa.c index 7ea5567..ab80357 100644 --- a/src/uadk_prov_ecdsa.c +++ b/src/uadk_prov_ecdsa.c @@ -871,7 +871,7 @@ static int ecdsa_digest_singverify_init(void *vctx, const char *mdname, void *ec if (!ctx->mdctx) { ctx->mdctx = EVP_MD_CTX_new(); if (!ctx->mdctx) - goto err; + return UADK_P_FAIL; } ret = EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params); diff --git a/src/uadk_prov_ecx.c b/src/uadk_prov_ecx.c index 51f048f..a15c66d 100644 --- a/src/uadk_prov_ecx.c +++ b/src/uadk_prov_ecx.c @@ -787,6 +787,7 @@ uninit_iot: uadk_prov_ecx_keygen_uninit_iot(gctx->sess, &req); free_prikey: uadk_prov_ecx_free_prikey(*ecx_key); + *ecx_key = NULL; return ret; } @@ -1125,7 +1126,7 @@ static void uadk_prov_ecx_pad_out_key(unsigned char *dst, unsigned char *src, switch (type) { case ECX_KEY_TYPE_X448: - if (len != X448_KEYLEN) { + if (len <= X448_KEYLEN) { memcpy(x448_pad_key, src, len); memcpy(dst, x448_pad_key, X448_KEYLEN); } else { @@ -1133,7 +1134,7 @@ static void uadk_prov_ecx_pad_out_key(unsigned char *dst, unsigned char *src, } break; case ECX_KEY_TYPE_X25519: - if (len != X25519_KEYLEN) { + if (len <= X25519_KEYLEN) { memcpy(x25519_pad_key, src, len); memcpy(dst, x25519_pad_key, X25519_KEYLEN); } else { diff --git a/src/uadk_prov_pkey.c b/src/uadk_prov_pkey.c index a7817d2..3c67c06 100644 --- a/src/uadk_prov_pkey.c +++ b/src/uadk_prov_pkey.c @@ -304,6 +304,11 @@ handle_t uadk_prov_ecc_alloc_sess(const EC_KEY *eckey, const char *alg) int ret, key_bits; handle_t sess; + if (!eckey) { + fprintf(stderr, "input eckey is NULL\n"); + return (handle_t)0; + } + uadk_prov_init_dtb_param(¶m, buff, 0, UADK_ECC_MAX_KEY_BYTES, UADK_ECC_CV_PARAM_NUM); -- 2.33.0