Changeset 40246 in project


Ignore:
Timestamp:
07/01/21 21:58:09 (4 weeks ago)
Author:
Vasilij Schneidermann
Message:

openssl: Avoid silent context failures

Location:
release/5/openssl/trunk
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • release/5/openssl/trunk/openssl.cipher.scm

    r40245 r40246  
    151151    (set-finalizer! (make-cipher-context ctx #f) cipher-context-free!)))
    152152
     153(define (cipher-context-unwrap! context)
     154  (let ((ctx (cipher-context-ptr context)))
     155    (when (not ctx)
     156      (openssl-type-error 'cipher-context-unwrap! "valid context pointer"))
     157    ctx))
     158
    153159(define (cipher-context-reset! context)
    154   (and-let* ((ctx (cipher-context-ptr context)))
     160  (let ((ctx (cipher-context-unwrap! context)))
    155161    (ERR_clear_error)
    156162    (when (not (EVP_CIPHER_CTX_reset ctx))
    157163      (openssl-error 'cipher-context-reset!))
     164    (cipher-context-tag-length-set! context #f)
    158165    (void)))
    159166
     
    177184  (define (ccm-cipher? ctx)
    178185    (bitwise-and (EVP_CIPHER_CTX_flags ctx) EVP_CIPH_CCM_MODE))
    179   (and-let* ((ctx (cipher-context-ptr context)))
     186  (let ((ctx (cipher-context-unwrap! context))
     187        (key-length (or effective-key-length (blob-size key)))
     188        (iv-length (and iv (blob-size iv))))
    180189    (ERR_clear_error)
    181190    (when (not (EVP_CipherInit_ex ctx cipher #f #f #f (mode->flag mode)))
    182191      (openssl-error 'cipher-context-init! (list cipher mode)))
    183     (let ((key-length (or effective-key-length (blob-size key)))
    184           (iv-length (and iv (blob-size iv))))
    185       (when (> key-length (blob-size key))
    186         (openssl-type-error "effective key length <= key size" key-length (blob-size key)))
    187       (when (not (EVP_CIPHER_CTX_set_key_length ctx key-length))
    188         (openssl-error 'cipher-context-init! (list key-length effective-key-length)))
    189       (when (and iv-length (not (<= (EVP_CIPHER_CTX_iv_length ctx) iv-length)))
    190         (openssl-type-error 'cipher-context-init! "sufficient iv length" iv-length))
    191       (when effective-iv-length
    192         (when (not (aead-cipher? ctx))
    193           (openssl-type-error 'cipher-context-init! "AEAD cipher" (cipher-name cipher)))
    194         (when (> effective-iv-length max-iv-length)
    195           (openssl-type-error 'cipher-context-init! "integer <= 16" effective-iv-length))
    196         (when (not (EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_AEAD_SET_IVLEN effective-iv-length #f))
    197           (openssl-error 'cipher-context-init! (list effective-iv-length))))
    198       (when (and expected-tag tag-length)
    199         (when (not (aead-cipher? ctx))
    200           (openssl-type-error 'cipher-context-init! "AEAD cipher" (cipher-name cipher)))
    201         (when (not (eqv? mode 'decrypt))
    202           (openssl-type-error 'cipher-context-init! "decrypt mode" mode))
    203         (when (not tag-length)
    204           (openssl-type-error 'cipher-context-init! "tag length"))
    205         (when (> tag-length (blob-size expected-tag))
    206           (openssl-type-error 'cipher-context-init! "tag shorter than tag length"))
    207         (when (not (EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_AEAD_SET_TAG tag-length expected-tag))
    208           (openssl-error 'cipher-context-init! (list expected-tag tag-length))))
    209       (when (and (not expected-tag) tag-length)
    210         (when (not (aead-cipher? ctx))
    211           (openssl-type-error 'cipher-context-init! "AEAD cipher" (cipher-name cipher)))
    212         (when (not (eqv? mode 'encrypt))
    213           (openssl-type-error 'cipher-context-init! "encrypt mode" mode))
    214         (when (> tag-length max-iv-length)
    215           (openssl-type-error 'cipher-context-init! "integer <= 16" tag-length))
    216         (when (not (EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_AEAD_SET_TAG tag-length #f))
    217           (openssl-error 'cipher-context-init! (list tag-length)))
    218         (cipher-context-tag-length-set! context tag-length))
    219       (when (not (EVP_CipherInit_ex ctx #f #f key iv -1))
    220         (openssl-error 'cipher-context-init! (list cipher key iv)))
    221       (when message-length
    222         (when (not (ccm-cipher? ctx))
    223           (openssl-type-error 'cipher-context-init! "CCM cipher mode" (cipher-name cipher)))
    224         ;; https://github.com/pyca/cryptography/blob/0034926f2cca02258f50e9faccb90ec344790159/src/cryptography/hazmat/backends/openssl/aead.py#L108
    225         ;; https://github.com/pyca/cryptography/blob/0034926f2cca02258f50e9faccb90ec344790159/src/cryptography/hazmat/backends/openssl/aead.py#L77
    226         (let-location ((_length int))
    227           (when (not (EVP_CipherUpdate ctx #f (location _length) #f message-length))
    228             (openssl-error 'cipher-context-init! (list message-length)))))
    229       (when auth-data
    230         (when (not (aead-cipher? ctx))
    231           (openssl-type-error 'cipher-context-init! "AEAD cipher" (cipher-name cipher)))
    232         (let-location ((_length int))
    233           (when (not (EVP_CipherUpdate ctx #f (location _length) auth-data (blob-size auth-data)))
    234             (openssl-error 'cipher-context-init! (list auth-data (blob-size auth-data))))))
    235       (EVP_CIPHER_CTX_set_padding ctx padding)
    236       (void))))
     192    (when (> key-length (blob-size key))
     193      (openssl-type-error "effective key length <= key size" key-length (blob-size key)))
     194    (when (not (EVP_CIPHER_CTX_set_key_length ctx key-length))
     195      (openssl-error 'cipher-context-init! (list key-length effective-key-length)))
     196    (when (and iv-length (not (<= (EVP_CIPHER_CTX_iv_length ctx) iv-length)))
     197      (openssl-type-error 'cipher-context-init! "sufficient iv length" iv-length))
     198    (when effective-iv-length
     199      (when (not (aead-cipher? ctx))
     200        (openssl-type-error 'cipher-context-init! "AEAD cipher" (cipher-name cipher)))
     201      (when (> effective-iv-length max-iv-length)
     202        (openssl-type-error 'cipher-context-init! "integer <= 16" effective-iv-length))
     203      (when (not (EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_AEAD_SET_IVLEN effective-iv-length #f))
     204        (openssl-error 'cipher-context-init! (list effective-iv-length))))
     205    (when (and expected-tag tag-length)
     206      (when (not (aead-cipher? ctx))
     207        (openssl-type-error 'cipher-context-init! "AEAD cipher" (cipher-name cipher)))
     208      (when (not (eqv? mode 'decrypt))
     209        (openssl-type-error 'cipher-context-init! "decrypt mode" mode))
     210      (when (not tag-length)
     211        (openssl-type-error 'cipher-context-init! "tag length"))
     212      (when (> tag-length (blob-size expected-tag))
     213        (openssl-type-error 'cipher-context-init! "tag shorter than tag length"))
     214      (when (not (EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_AEAD_SET_TAG tag-length expected-tag))
     215        (openssl-error 'cipher-context-init! (list expected-tag tag-length))))
     216    (when (and (not expected-tag) tag-length)
     217      (when (not (aead-cipher? ctx))
     218        (openssl-type-error 'cipher-context-init! "AEAD cipher" (cipher-name cipher)))
     219      (when (not (eqv? mode 'encrypt))
     220        (openssl-type-error 'cipher-context-init! "encrypt mode" mode))
     221      (when (> tag-length max-iv-length)
     222        (openssl-type-error 'cipher-context-init! "integer <= 16" tag-length))
     223      (when (not (EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_AEAD_SET_TAG tag-length #f))
     224        (openssl-error 'cipher-context-init! (list tag-length)))
     225      (cipher-context-tag-length-set! context tag-length))
     226    (when (not (EVP_CipherInit_ex ctx #f #f key iv -1))
     227      (openssl-error 'cipher-context-init! (list cipher key iv)))
     228    (when message-length
     229      (when (not (ccm-cipher? ctx))
     230        (openssl-type-error 'cipher-context-init! "CCM cipher mode" (cipher-name cipher)))
     231      ;; https://github.com/pyca/cryptography/blob/0034926f2cca02258f50e9faccb90ec344790159/src/cryptography/hazmat/backends/openssl/aead.py#L108
     232      ;; https://github.com/pyca/cryptography/blob/0034926f2cca02258f50e9faccb90ec344790159/src/cryptography/hazmat/backends/openssl/aead.py#L77
     233      (let-location ((_length int))
     234        (when (not (EVP_CipherUpdate ctx #f (location _length) #f message-length))
     235          (openssl-error 'cipher-context-init! (list message-length)))))
     236    (when auth-data
     237      (when (not (aead-cipher? ctx))
     238        (openssl-type-error 'cipher-context-init! "AEAD cipher" (cipher-name cipher)))
     239      (let-location ((_length int))
     240        (when (not (EVP_CipherUpdate ctx #f (location _length) auth-data (blob-size auth-data)))
     241          (openssl-error 'cipher-context-init! (list auth-data (blob-size auth-data))))))
     242    (EVP_CIPHER_CTX_set_padding ctx padding)
     243    (void)))
    237244
    238245(define (cipher-context-update! context blob)
    239   (and-let* ((ctx (cipher-context-ptr context))
    240              (buf (make-blob (+ (blob-size blob) max-block-length))))
     246  (let ((ctx (cipher-context-unwrap! context))
     247        (buf (make-blob (+ (blob-size blob) max-block-length))))
    241248    (ERR_clear_error)
    242249    (let-location ((buf-length int))
     
    248255
    249256(define (cipher-context-final! context)
    250   (and-let* ((ctx (cipher-context-ptr context))
    251              (buf (make-blob max-block-length)))
     257  (let ((ctx (cipher-context-unwrap! context))
     258        (buf (make-blob max-block-length)))
    252259    (ERR_clear_error)
    253260    (let-location ((buf-length int))
     
    259266
    260267(define (cipher-context-get-tag context)
    261   (and-let* ((ctx (cipher-context-ptr context)))
     268  (let ((ctx (cipher-context-unwrap! context)))
    262269    (ERR_clear_error)
    263270    (when (not (aead-cipher? ctx))
  • release/5/openssl/trunk/openssl.digest.scm

    r40228 r40246  
    126126    (set-finalizer! (make-digest-context ctx) digest-context-free!)))
    127127
     128(define (digest-context-unwrap! context)
     129  (let ((ctx (digest-context-ptr context)))
     130    (when (not ctx)
     131      (openssl-type-error 'digest-context-unwrap! "valid context pointer"))
     132    ctx))
     133
    128134(define (digest-context-reset! context)
    129   (and-let* ((ctx (digest-context-ptr context)))
     135  (let ((ctx (digest-context-unwrap! context)))
    130136    (ERR_clear_error)
    131137    (when (not (EVP_MD_CTX_reset ctx))
     
    134140
    135141(define (digest-context-init! context digest #!key (oneshot #f))
    136   (and-let* ((ctx (digest-context-ptr context)))
     142  (let ((ctx (digest-context-unwrap! context)))
    137143    (ERR_clear_error)
    138144    (when (not (EVP_DigestInit_ex ctx digest #f))
     
    143149
    144150(define (digest-context-update! context blob)
    145   (and-let* ((ctx (digest-context-ptr context))
    146              (size (blob-size blob)))
     151  (let ((ctx (digest-context-unwrap! context))
     152        (size (blob-size blob)))
    147153    (ERR_clear_error)
    148154    (when (not (EVP_DigestUpdate ctx blob size))
     
    151157
    152158(define (digest-context-final! context)
    153   (and-let* ((ctx (digest-context-ptr context))
    154              (blob (make-blob max-digest-size)))
     159  (let ((ctx (digest-context-unwrap! context))
     160        (blob (make-blob max-digest-size)))
    155161    (ERR_clear_error)
    156162    (let-location ((size int))
    157       (when (not (EVP_DigestFinal_ex (digest-context-ptr context) blob (location size)))
     163      (when (not (EVP_DigestFinal_ex ctx blob (location size)))
    158164        (openssl-error 'digest-context-final!))
    159165      (let ((str (make-string size)))
  • release/5/openssl/trunk/tests/cipher-test.scm

    r40245 r40246  
    2828    (let* ((plaintext (blob->string (cipher-context-update! ctx (string->blob ciphertext))))
    2929           (plaintext (string-append (blob->string (cipher-context-final! ctx)))))
    30       (test "Low level API roundtrip" plaintext "secret"))))
     30      (test "Low level API roundtrip" plaintext "secret")))
     31  (cipher-context-free! ctx)
     32  (test-error "Error when accessing freed context" (cipher-context-init! ctx aes-128-ecb key iv)))
    3133
    3234(test "Port API roundtrip"
  • release/5/openssl/trunk/tests/digest-test.scm

    r40245 r40246  
    2525  (digest-context-update! ctx (make-blob 0))
    2626  (test "Resetting the context works" "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04\xe9\x80\x09\x98\xec\xf8\x42\x7e" (digest-context-final! ctx))
    27   (digest-context-free! ctx))
     27  (digest-context-free! ctx)
     28  (test-error "Error when accessing freed context" (digest-context-init! ctx md5)))
    2829
    2930(test "Port API works"
Note: See TracChangeset for help on using the changeset viewer.