From 77b03f0e8fd97a57f84294d085e7730de5b4da4c Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 1 Mar 2021 16:07:15 +0100
Subject: Improve error reporting in key exchange provider implementations
Added some error reporting in dh_exch.c and unified error reporting with it in other key exchange methods.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/14367)
---
providers/implementations/exchange/dh_exch.c | 14 ++++++++++----
providers/implementations/exchange/ecdh_exch.c | 7 +++++--
providers/implementations/exchange/ecx_exch.c | 4 ++--
3 files changed, 17 insertions(+), 8 deletions(-)
(limited to 'providers/implementations/exchange')
diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index 2638675da5..7f0fa3295e 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -19,6 +19,7 @@
#include
#include
#include
+#include
#include
#include "prov/providercommon.h"
#include "prov/implementations.h"
@@ -130,17 +131,20 @@ static int dh_plain_derive(void *vpdhctx,
size_t dhsize;
const BIGNUM *pub_key = NULL;
- /* TODO(3.0): Add errors to stack */
- if (pdhctx->dh == NULL || pdhctx->dhpeer == NULL)
+ if (pdhctx->dh == NULL || pdhctx->dhpeer == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
return 0;
+ }
dhsize = (size_t)DH_size(pdhctx->dh);
if (secret == NULL) {
*secretlen = dhsize;
return 1;
}
- if (outlen < dhsize)
+ if (outlen < dhsize) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
+ }
DH_get0_key(pdhctx->dhpeer, &pub_key, NULL);
if (pdhctx->pad)
@@ -167,8 +171,10 @@ static int dh_X9_42_kdf_derive(void *vpdhctx, unsigned char *secret,
return 1;
}
- if (pdhctx->kdf_outlen > outlen)
+ if (pdhctx->kdf_outlen > outlen) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
+ }
if (!dh_plain_derive(pdhctx, NULL, &stmplen, 0))
return 0;
if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL) {
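Review bot: The new `PROV_R_MISSING_KEY` check in dh_plain_derive only covers the two DH objects being NULL; `DH_get0_key(pdhctx->dhpeer, &pub_key, NULL)` near the end of the hunk can still leave `pub_key` NULL if the peer object holds parameters but no public value. Whether the derive call that follows rejects a NULL public key is not visible, because the function body continues past the end of the hunk. If it does not, a guard right after the `DH_get0_key` call, `if (pub_key == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); return 0; }`, would keep the missing-key reporting complete.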
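Review bot: The added check in dh_X9_42_kdf_derive is written `pdhctx->kdf_outlen > outlen`, while the equivalent buffer check in dh_plain_derive in the same file reads `outlen < dhsize`. Both now raise `PROV_R_OUTPUT_BUFFER_TOO_SMALL`, so writing this one as `if (outlen < pdhctx->kdf_outlen) {` would let every buffer-size check in the key exchange files be read and searched as one pattern. The same applies to the matching hunk in ecdh_X9_63_kdf_derive in ecdh_exch.c. The function starts before and continues past this hunk.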
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 6c24643255..a1b984769e 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -21,6 +21,7 @@
#include
#include
#include
+#include
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
@@ -408,7 +409,7 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
int key_cofactor_mode;
if (pecdhctx->k == NULL || pecdhctx->peerk == NULL) {
- ERR_raise(ERR_LIB_PROV, EC_R_KEYS_NOT_SET);
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
return 0;
}
@@ -486,8 +487,10 @@ int ecdh_X9_63_kdf_derive(void *vpecdhctx, unsigned char *secret,
return 1;
}
- if (pecdhctx->kdf_outlen > outlen)
+ if (pecdhctx->kdf_outlen > outlen) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
+ }
if (!ecdh_plain_derive(vpecdhctx, NULL, &stmplen, 0))
return 0;
if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL) {
diff --git a/providers/implementations/exchange/ecx_exch.c b/providers/implementations/exchange/ecx_exch.c
index 6d4471be3c..17861c0d75 100644
--- a/providers/implementations/exchange/ecx_exch.c
+++ b/providers/implementations/exchange/ecx_exch.c
@@ -123,7 +123,7 @@ static int ecx_derive(void *vecxctx, unsigned char *secret, size_t *secretlen,
if (ecxctx->key == NULL || ecxctx->key->privkey == NULL || ecxctx->peerkey == NULL) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
return 0;
}
@@ -138,7 +138,7 @@ static int ecx_derive(void *vecxctx, unsigned char *secret, size_t *secretlen,
return 1;
}
if (outlen < ecxctx->keylen) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
}
--
cgit v1.2.3
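Review bot: Replacing `EC_R_KEYS_NOT_SET` with `PROV_R_MISSING_KEY` in ecdh_plain_derive changes the reason code that callers read from the error queue. The two ecx_derive hunks do the same (`PROV_R_INVALID_KEY` becomes `PROV_R_MISSING_KEY`, `PROV_R_INVALID_KEY_LENGTH` becomes `PROV_R_OUTPUT_BUFFER_TOO_SMALL`). Any test or application that compares `ERR_GET_REASON()` against the old values will stop matching without a compile-time signal, and the commit message describes the change only as unifying the reporting. Worth checking existing expectations for these three codes and recording the substitutions in the commit message or the changelog, for example `ecx_derive: PROV_R_INVALID_KEY_LENGTH -> PROV_R_OUTPUT_BUFFER_TOO_SMALL`.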