fixup! Add appropriate NULL checks in EVP_CIPHER api

openssl · Jan 11, 2024 · e5270c5 · e5270c5
1 parent 9702f25
commit e5270c5
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 23 deletions.
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
@@ -331,7 +331,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
 
     if (enc != NULL) {
         objstr = EVP_CIPHER_get0_name(enc);
-        if (objstr == NULL || EVP_CIPHER_get_iv_length(enc) > (int)sizeof(iv)
+        if (objstr == NULL || EVP_CIPHER_get_iv_length(enc) == (int)sizeof(iv)
                    /*
                     * Check "Proc-Type: 4,Encrypted\nDEK-Info: objstr,hex-iv\n"
                     * fits into buf
@@ -551,10 +551,6 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
         return 0;
     }
     ivlen = EVP_CIPHER_get_iv_length(enc);
-    if (ivlen < 0) {
-        ERR_raise(ERR_LIB_PEM, PEM_R_CIPHER_IS_NULL);
-        return 0;
-    }
     if (ivlen > 0 && *header++ != ',') {
         ERR_raise(ERR_LIB_PEM, PEM_R_MISSING_DEK_IV);
         return 0;

diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
@@ -485,7 +485,7 @@ EVP_CIPHER_free().
 Return the NID of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
 structure.  The actual NID value is an internal value which may not have a
 corresponding OBJECT IDENTIFIER.  NID_undef is returned in the event that the
-nid is unknown of if the cipher has not been properly initalized via a call to
+nid is unknown or if the cipher has not been properly initalized via a call to
 B<EVP_CipherInit>.
 
 =item EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags()
@@ -523,7 +523,7 @@ length to any value other than the fixed value is an error.
 =item EVP_CIPHER_get_iv_length() and EVP_CIPHER_CTX_get_iv_length()
 
 Return the IV length of a cipher when passed an B<EVP_CIPHER> or
-B<EVP_CIPHER_CTX>. It will return zero if the cipher does not use an IV, or if
+B<EVP_CIPHER_CTX>. It will return zero if the cipher does not use an IV, if
 the cipher has not yet been initalized within the B<EVP_CIPHER_CTX>, or if the
 passed cipher is NULL.  The constant B<EVP_MAX_IV_LENGTH> is the maximum IV
 length for all ciphers.
@@ -618,7 +618,7 @@ typically include any parameters and an IV. The cipher IV (if any) must be set
 when this call is made. This call should be made before the cipher is actually
 "used" (before any EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example).
 This function may fail if the cipher does not have any ASN1 support, or if an
-uninitalized cipher is passed to it.
+uninitialized cipher is passed to it.
 
 =item EVP_CIPHER_asn1_to_param()
 
@@ -1252,7 +1252,7 @@ EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
 
 EVP_Cipher() returns 1 on success and <= 0 on failure, if the flag
 B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher, or if the cipher has
-not been initalized via a call to B<EVP_CipherInint>.
+not been initalized via a call to B<EVP_CipherInint_ex2>.
 EVP_Cipher() returns the number of bytes written to I<out> for encryption / decryption, or
 the number of bytes authenticated in a call specifying AAD for an AEAD cipher, if the flag
 B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the cipher.

diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
@@ -3491,7 +3491,7 @@ static int test_evp_iv_aes(int idx)
         goto err;
     ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
 
-    if (!TEST_int_ge(ivlen, 0))
+    if (!TEST_int_gt(ivlen, 0))
         goto err;
 
     if (!TEST_mem_eq(init_iv, ivlen, oiv, ivlen)
@@ -3606,7 +3606,7 @@ static int test_evp_iv_des(int idx)
         goto err;
     ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
 
-    if (!TEST_int_ge(ivlen, 0))
+    if (!TEST_int_gt(ivlen, 0))
         goto err;
 
     if (!TEST_mem_eq(init_iv, ivlen, oiv, ivlen)

diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
@@ -78,28 +78,23 @@ static int test_evp_cipher_api_safety(void)
 
     ctx = EVP_CIPHER_CTX_new();
 
-    if (!TEST_ptr(ctx)) {
-        TEST_info("Unable to allocate cipher context");
+    if (!TEST_ptr(ctx))
         goto err;
-    }
 
     /*
      * Ensure that EVP_CIPHER_get_block_size returns 0
      * if we haven't initalized the cipher in this context
      */
-    if (!TEST_int_eq(EVP_CIPHER_CTX_get_block_size(ctx), 0)) {
-        TEST_info("EVP_CIPHER_get_block_size returns non-zero");
+    if (!TEST_int_eq(EVP_CIPHER_CTX_get_block_size(ctx), 0))
         goto err_free;
-    }
 
     /*
-     * Ensure that EVP_CIPHER_get_iv_length returns 0 
+     * Ensure that EVP_CIPHER_get_iv_length returns 0
      * if we haven't initalized the cipher in this context
      */
-    if (!TEST_int_eq(EVP_CIPHER_CTX_get_iv_length(ctx), 0)) {
-        TEST_info("EVP_CIPHER_get_iv_length did not return 0");
+    if (!TEST_int_eq(EVP_CIPHER_CTX_get_iv_length(ctx), 0))
         goto err_free;
-    }
+
     ret = 1;
 err_free:
     EVP_CIPHER_CTX_free(ctx);
@@ -474,9 +469,11 @@ static int test_cipher_reinit_partialupdate(int test_id)
     if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL)))
         goto err;
 
-    in_len = EVP_CIPHER_get_block_size(cipher) / 2;
-    if (!TEST_int_ge(in_len, 0))
+    in_len = EVP_CIPHER_get_block_size(cipher);
+    if (!TEST_int_gt(in_len, 0))
         goto err;
+    if (in_len > 1)
+        in_len /= 2;
 
     /* skip any ciphers that don't allow partial updates */
     if (((EVP_CIPHER_get_flags(cipher)