store/store_lib.c: Add the checks for the EVP_MD_CTX_get_size()

Add the checks for the return value of EVP_MD_CTX_get_size() before explicitly cast them to size_t to avoid the integer overflow. Fixes: fac8673 ("STORE: Add the possibility to search for specific information") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from #23955)
openssl · Apr 1, 2024 · 18a30b5 · 18a30b5
1 parent 15e06b1
commit 18a30b5
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
@@ -933,15 +933,20 @@ OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_key_fingerprint(const EVP_MD *digest,
                                                         *bytes, size_t len)
 {
     OSSL_STORE_SEARCH *search = OPENSSL_zalloc(sizeof(*search));
+    int md_size;
 
     if (search == NULL)
         return NULL;
 
-    if (digest != NULL && len != (size_t)EVP_MD_get_size(digest)) {
+    md_size = EVP_MD_get_size(digest);
+    if (md_size <= 0)
+        return NULL;
+
+    if (digest != NULL && len != (size_t)md_size) {
         ERR_raise_data(ERR_LIB_OSSL_STORE,
                        OSSL_STORE_R_FINGERPRINT_SIZE_DOES_NOT_MATCH_DIGEST,
                        "%s size is %d, fingerprint size is %zu",
-                       EVP_MD_get0_name(digest), EVP_MD_get_size(digest), len);
+                       EVP_MD_get0_name(digest), md_size, len);
         OPENSSL_free(search);
         return NULL;
     }