diff options
| author | Neil Horman <nhorman@openssl.org> | 2023-12-09 13:40:01 -0500 |
|---|---|---|
| committer | Neil Horman <nhorman@openssl.org> | 2024-01-25 08:27:53 -0500 |
| commit | 6f22bcd631ab622c2436bc5b299ba2677c388375 (patch) | |
| tree | e62244a2a0e8f491ab3e3b582928dbc6383f7abf /doc | |
| parent | ff78d94b131d7bb3b761509d3ce0dd864b1420e3 (diff) | |
| download | openssl-6f22bcd631ab622c2436bc5b299ba2677c388375.tar.gz | |
Add appropriate NULL checks in EVP_CIPHER api
The EVP_CIPHER api currently assumes that calls made into several APIs
have already initalized the cipher in a given context via a call to
EVP_CipherInit[_ex[2]]. If that hasnt been done, instead of an error,
the result is typically a SIGSEGV.
Correct that by adding missing NULL checks in the apropriate apis prior
to using ctx->cipher
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22995)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/man3/EVP_EncryptInit.pod | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 955340b94d..fef8d1aa1f 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -488,7 +488,9 @@ EVP_CIPHER_free(). Return the NID of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure. The actual NID value is an internal value which may not have a -corresponding OBJECT IDENTIFIER. +corresponding OBJECT IDENTIFIER. NID_undef is returned in the event that the +nid is unknown or if the cipher has not been properly initalized via a call to +B<EVP_CipherInit>. =item EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags() @@ -525,8 +527,10 @@ length to any value other than the fixed value is an error. =item EVP_CIPHER_get_iv_length() and EVP_CIPHER_CTX_get_iv_length() Return the IV length of a cipher when passed an B<EVP_CIPHER> or -B<EVP_CIPHER_CTX>. It will return zero if the cipher does not use an IV. -The constant B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers. +B<EVP_CIPHER_CTX>. It will return zero if the cipher does not use an IV, if +the cipher has not yet been initalized within the B<EVP_CIPHER_CTX>, or if the +passed cipher is NULL. The constant B<EVP_MAX_IV_LENGTH> is the maximum IV +length for all ciphers. =item EVP_CIPHER_CTX_get_tag_length() @@ -538,7 +542,8 @@ the tag length has not been set. Return the block size of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_BLOCK_LENGTH> is also the -maximum block length for all ciphers. +maximum block length for all ciphers. A value of 0 is returned if the cipher +has not been properly initalized with a call to B<EVP_CipherInit>. =item EVP_CIPHER_get_type() and EVP_CIPHER_CTX_get_type() @@ -580,7 +585,7 @@ B<EVP_CIPHER>. Returns the B<EVP_CIPHER> structure when passed an B<EVP_CIPHER_CTX> structure. EVP_CIPHER_CTX_get1_cipher() is the same except the ownership is passed to -the caller. +the caller. Both functions return NULL on error. =item EVP_CIPHER_get_mode() and EVP_CIPHER_CTX_get_mode() @@ -616,7 +621,8 @@ Sets the AlgorithmIdentifier "parameter" based on the passed cipher. This will typically include any parameters and an IV. The cipher IV (if any) must be set when this call is made. This call should be made before the cipher is actually "used" (before any EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). -This function may fail if the cipher does not have any ASN1 support. +This function may fail if the cipher does not have any ASN1 support, or if an +uninitialized cipher is passed to it. =item EVP_CIPHER_asn1_to_param() @@ -1248,8 +1254,9 @@ EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success. EVP_CipherInit_ex2() and EVP_CipherUpdate() return 1 for success and 0 for failure. EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success. -EVP_Cipher() returns 1 on success or 0 on failure, if the flag -B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher. +EVP_Cipher() returns 1 on success and <= 0 on failure, if the flag +B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher, or if the cipher has +not been initalized via a call to B<EVP_CipherInit_ex2>. EVP_Cipher() returns the number of bytes written to I<out> for encryption / decryption, or the number of bytes authenticated in a call specifying AAD for an AEAD cipher, if the flag B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the cipher. @@ -1262,7 +1269,7 @@ return an B<EVP_CIPHER> structure or NULL on error. EVP_CIPHER_get_nid() and EVP_CIPHER_CTX_get_nid() return a NID. EVP_CIPHER_get_block_size() and EVP_CIPHER_CTX_get_block_size() return the -block size. +block size, or 0 on error. EVP_CIPHER_get_key_length() and EVP_CIPHER_CTX_get_key_length() return the key length. |