Fix double-free in e_dasync.c

When the cipher is copied, the inner_cihper_data need to be copied as well, using the EVP_CTRL_COPY method. The EVP_CIPH_CUSTOM_COPY bit needs to be set as well. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16751)
author: Bernd Edlinger <bernd.edlinger@hotmail.de> 2021-10-05 21:38:55 +0200
committer: Bernd Edlinger <bernd.edlinger@hotmail.de> 2021-10-07 16:05:53 +0200
commit: 14357a51130510d87fe5f31e45baaf70bd5c9027 (patch)
tree: 29e36d783426695165823c28325c6137709d02c9 /engines
parent: 503eb0e108ca5819dacd5ae171aedd37268654d9 (diff)
1 files changed, 19 insertions, 2 deletions
diff --git a/engines/e_dasync.c b/engines/e_dasync.c
index 07793037df..1f5d4117f2 100644
--- a/engines/e_dasync.c
+++ b/engines/e_dasync.c
@@ -244,7 +244,8 @@ static int bind_dasync(ENGINE *e)
             || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc,
                                           EVP_CIPH_FLAG_DEFAULT_ASN1
                                           | EVP_CIPH_CBC_MODE
-                                          | EVP_CIPH_FLAG_PIPELINE)
+                                          | EVP_CIPH_FLAG_PIPELINE
+                                          | EVP_CIPH_CUSTOM_COPY)
             || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc,
                                          dasync_aes128_init_key)
             || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc,
@@ -270,7 +271,8 @@ static int bind_dasync(ENGINE *e)
                                             EVP_CIPH_CBC_MODE
                                           | EVP_CIPH_FLAG_DEFAULT_ASN1
                                           | EVP_CIPH_FLAG_AEAD_CIPHER
-                                          | EVP_CIPH_FLAG_PIPELINE)
+                                          | EVP_CIPH_FLAG_PIPELINE
+                                          | EVP_CIPH_CUSTOM_COPY)
             || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc_hmac_sha1,
                                          dasync_aes128_cbc_hmac_sha1_init_key)
             || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc_hmac_sha1,
@@ -629,6 +631,21 @@ static int dasync_cipher_ctrl_helper(EVP_CIPHER_CTX *ctx, int type, int arg,
             }
         }
 
+        case EVP_CTRL_COPY:
+        {
+            const EVP_CIPHER *cipher = aeadcapable
+                                       ? EVP_aes_128_cbc_hmac_sha1()
+                                       : EVP_aes_128_cbc();
+            size_t data_size = EVP_CIPHER_impl_ctx_size(cipher);
+            void *cipher_data = OPENSSL_malloc(data_size);
+
+            if (cipher_data == NULL)
+                return 0;
+            memcpy(cipher_data, pipe_ctx->inner_cipher_data, data_size);
+            pipe_ctx->inner_cipher_data = cipher_data;
+            return 1;
+        }
+
         default:
             return 0;
     }
author	Bernd Edlinger <bernd.edlinger@hotmail.de>	2021-10-05 21:38:55 +0200
committer	Bernd Edlinger <bernd.edlinger@hotmail.de>	2021-10-07 16:05:53 +0200
commit	14357a51130510d87fe5f31e45baaf70bd5c9027 (patch)
tree	29e36d783426695165823c28325c6137709d02c9 /engines
parent	503eb0e108ca5819dacd5ae171aedd37268654d9 (diff)