
Commit 0398bc2

nhormant8m
authored andcommitted
Fix a key repointing in various ciphers
In the dupctx fixups I missed a pointer that needed to be repointed to the surrounding structure's AES_KEY structure for the sm4/aes/aria ccm/gcm variants. This caused a colliding use of the key and possible use-after-free issues. Fixes #22076 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #23102)
1 parent f9163ef commit 0398bc2

3 files changed

Lines changed: 21 additions & 3 deletions


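--- a/providers/implementations/ciphers/cipher_aes_gcm.c
+++ b/providers/implementations/ciphers/cipher_aes_gcm.c
@@ -37,10 +37,16 @@ static void *aes_gcm_newctx(void *provctx, size_t keybits)
 static void *aes_gcm_dupctx(void *provctx)
 {
 PROV_AES_GCM_CTX *ctx = provctx;
+PROV_AES_GCM_CTX *dctx = NULL;
 
 if (ctx == NULL)
 return NULL;
-return OPENSSL_memdup(ctx, sizeof(*ctx));
+
+dctx = OPENSSL_memdup(ctx, sizeof(*ctx));
+if (dctx != NULL && dctx->base.gcm.key != NULL)
+dctx->base.gcm.key = &dctx->ks.ks;
+
+return dctx;
 }
 
 static OSSL_FUNC_cipher_freectx_fn aes_gcm_freectx;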
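Review bot: The repointing at `dctx->base.gcm.key = &dctx->ks.ks;` carries no comment, and its reason is not obvious from the code alone: OPENSSL_memdup copies the struct byte for byte, so the copied `key` pointer still refers to the source context's key schedule until it is reset. I would add `/* memdup left key pointing into ctx; aim it at the copy's own schedule */` above the `if`. The same comment applies to aria_ccm_dupctx and aria_gcm_dupctx in this commit. The assignment also assumes that a non-NULL `key` always refers to `ks.ks` and that `base` holds no other pointer into the source context; neither is visible in this hunk, so both are worth confirming against the struct definition.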

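--- a/providers/implementations/ciphers/cipher_aria_ccm.c
+++ b/providers/implementations/ciphers/cipher_aria_ccm.c
@@ -31,10 +31,16 @@ static void *aria_ccm_newctx(void *provctx, size_t keybits)
 static void *aria_ccm_dupctx(void *provctx)
 {
 PROV_ARIA_CCM_CTX *ctx = provctx;
+PROV_ARIA_CCM_CTX *dctx = NULL;
 
 if (ctx == NULL)
 return NULL;
-return OPENSSL_memdup(ctx, sizeof(*ctx));
+
+dctx = OPENSSL_memdup(ctx, sizeof(*ctx));
+if (dctx != NULL && dctx->base.ccm_ctx.key != NULL)
+dctx->base.ccm_ctx.key = &dctx->ks.ks;
+
+return dctx;
 }
 
 static void aria_ccm_freectx(void *vctx)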
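Review bot: The description names the sm4 and aes CCM/GCM variants as well, but this is the only CCM file touched, and the three sections shown cover only aes_gcm, aria_ccm and aria_gcm. If the other dupctx functions on this branch also return a bare `OPENSSL_memdup(ctx, sizeof(*ctx))`, their copies would keep a `key` pointer into the source context, which is the aliasing this commit sets out to remove. They may be handled elsewhere or be absent on this branch; a sentence in the description saying which would save the next reader the audit.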

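--- a/providers/implementations/ciphers/cipher_aria_gcm.c
+++ b/providers/implementations/ciphers/cipher_aria_gcm.c
@@ -30,10 +30,16 @@ static void *aria_gcm_newctx(void *provctx, size_t keybits)
 static void *aria_gcm_dupctx(void *provctx)
 {
 PROV_ARIA_GCM_CTX *ctx = provctx;
+PROV_ARIA_GCM_CTX *dctx = NULL;
 
 if (ctx == NULL)
 return NULL;
-return OPENSSL_memdup(ctx, sizeof(*ctx));
+
+dctx = OPENSSL_memdup(ctx, sizeof(*ctx));
+if (dctx != NULL && dctx->base.gcm.key != NULL)
+dctx->base.gcm.key = &dctx->ks.ks;
+
+return dctx;
 }
 
 static OSSL_FUNC_cipher_freectx_fn aria_gcm_freectx;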
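Review bot: No test accompanies the change; the three files changed are all provider sources. A regression test that keys a context, duplicates it with `EVP_CIPHER_CTX_copy()`, frees the original and then completes an encrypt/decrypt on the copy would pin the behaviour. Run under AddressSanitizer, it would catch a stale `key` pointer here and in the other two dupctx functions if the repointing is ever dropped or a new interior pointer is added to the context.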
