signature/ecdsa_sig.c: Add checks for the EVP_MD_get_size()

Add checks for the EVP_MD_get_size() to avoid integer overflow and then explicitly cast from int to size_t. Fixes: edd3b7a ("Add ECDSA to providers") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #23947)
openssl · Apr 9, 2024 · df0ee35 · df0ee35
1 parent 4feb4a2
commit df0ee35
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
@@ -227,7 +227,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
 {
     EVP_MD *md = NULL;
     size_t mdname_len;
-    int md_nid, sha1_allowed;
+    int md_nid, sha1_allowed, md_size;
     WPACKET pkt;
 
     if (mdname == NULL)
@@ -247,6 +247,13 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
                        "%s could not be fetched", mdname);
         return 0;
     }
+    md_size = EVP_MD_get_size(md);
+    if (md_size <= 0) {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+                       "%s has invalid md size %d", mdname, md_size);
+        EVP_MD_free(md);
+        return 0;
+    }
     sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
     md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
                                                     sha1_allowed);
@@ -282,7 +289,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
     WPACKET_cleanup(&pkt);
     ctx->mdctx = NULL;
     ctx->md = md;
-    ctx->mdsize = EVP_MD_get_size(ctx->md);
+    ctx->mdsize = (size_t)md_size;
     OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));
 
     return 1;