Fix PRE_PARAMS_TO_CTRL translation #20226
…Y_CTRL_EC_PARAMGEN_CURVE_NID. - ctx->p2 should be passed by address to OSSL_PARAM_get_utf8_string so that the resulting utf8 string can be copied in it. - ctx->ctrl_cmd should be set to EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID in fix_ec_paramgen_curve_nid, otherwise the next call to EVP_PKEY_CTX_ctrl in evp_pkey_ctx_setget_params_to_ctrl will fail: it calls pkey_ec_ctrl, and since ctx->ctrl_cmd is 0, it fails with -2 and raises EVP_R_COMMAND_NOT_SUPPORTED.
I had a similar problem with TLS and an EC engine loaded, where the following error was reported:
The problem was happening with the curl library and preloading our EC engine. This patch solved this problem but I fear that we are leaking the memory allocated by This leak was fixed by adding the OPENSSL_free call as shown in this diff:
|
@myrkr That makes sense, thanks. openssl/crypto/evp/ctrl_params_translate.c Lines 895 to 909 in ae08ed0
What do you think about this ? |
Some functions (including |
I think we're only interested in the case where For example, for
|
… default_fixup_args.
I've added code that frees the memory allocated in |
This PR has the label 'hold: cla required' and is stale: it has not been updated in 30 days. Note that this PR may be automatically closed in the future if no CLA is provided. For CLA help see https://www.openssl.org/policies/cla.html |
This PR has the label 'hold: cla required' and is stale: it has not been updated in 61 days. Note that this PR may be automatically closed in the future if no CLA is provided. For CLA help see https://www.openssl.org/policies/cla.html |
@ElMostafaIdrassi Can you please complete & submit the contributor license agreement form so this pull request can get merged? This fix is essential to my workflow. |
@dylanweber Sure, I believe I can do that during this week, but we still need someone to review the changes. |
CLA was signed, can someone please review this PR ? |
case OSSL_PARAM_UTF8_STRING: | ||
return OSSL_PARAM_get_utf8_string(ctx->params, | ||
ctx->p2, ctx->sz); | ||
(char **)&ctx->p2, ctx->sz); | ||
case OSSL_PARAM_OCTET_STRING: | ||
return OSSL_PARAM_get_octet_string(ctx->params, |
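Review bot: on the changed argument `(char **)&ctx->p2` in the OSSL_PARAM_UTF8_STRING case, a NULL ctx->p2 now comes back pointing at memory the getter allocated, and nothing in this hunk records that or frees it; track that the buffer was allocated here and release it with OPENSSL_free once the ctrl call has consumed it, on the error paths too. The cast also writes a char * through the address of ctx->p2; a local `char *` temporary passed by address and then assigned to ctx->p2 would avoid it. The OSSL_PARAM_OCTET_STRING case that follows is cut off in this view, so check that it takes its destination the same way.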
So I wonder, why doesn't OSSL_PARAM_OCTET_STRING get the same treatment?
IMO, and I could totally be wrong, but it seems to me that the reason why OSSL_PARAM_OCTET_STRING does not get the same treatment (but should) is because all the translations related to it in evp_pkey_ctx_translations do not have a fix_up_args function (they are all NULL), unlike OSSL_PARAM_UTF8_STRING. Therefore, default_fixup_args is never called for OSSL_PARAM_OCTET_STRING and the case where ctx->p2 is NULL never happens for OSSL_PARAM_OCTET_STRING, unlike OSSL_PARAM_UTF8_STRING.
I think that if there was a translation for OSSL_PARAM_OCTET_STRING that had a non NULL fix_up_args which called default_fixup_args, we'd be getting the same errors as the ctx->p2 is not passed by address, meaning the fix up function would not be able to allocate it properly.
As a side note, if you look for OSSL_PARAM_get_octet_string / OSSL_PARAM_get_utf8_string invocations in openssl code, you'll see that they always get called with the variable in question being passed via its address in val, unlike default_fixup_args where ctx->p2 is getting passed via its value. This is why I went for the same thing in here.
Point is that conceptually, there's not much difference between OSSL_PARAM_OCTET_STRING and OSSL_PARAM_UTF8_STRING. They both indicate strings, the only "real" difference being their intent, and how they are normally displayed to humans.
Thanks for the detailed feedback, though. It's possible that I missed a detail in addressing between different callbacks when I put together this module. (like I said, it is a tricky module that takes a lot of historical cases into account)
I understand that there's something that didn't work quite right... but it seems to me that this solution creates an allocation for one case, and forces all other cases to discard an allocation they never needed. Doesn't look quite right. Mind you, this translation module is tricky, 'cause it seems that some ctrl functions were a bit of special cases. It shows. I wonder, do you have a small program that demonstrates the issue and that you'd be willing to share? I'd like to have a closer look at what's going on. |
Thank you |
I may actually have an alternative fix that's a bit less invasive. Are you willing to try it out, @ElMostafaIdrassi? |
Closing this in favor of #20780. |
This PR fixes #20161.
It does that by addressing the following issues:
- ctx->p2 is NULL and is passed by value instead of by address to OSSL_PARAM_get_utf8_string. As a result, get_string_internal returns 0, leading to failure. By passing ctx->p2 by address, get_string_internal will allocate the needed string and make ctx->p2 point to it. Also, worth noting that the next call to OBJ_sn2nid in fix_ec_paramgen_curve_nid expects a const char * as argument, which means that ctx->p2 is expected to be a char *.
- ctx->ctrl_cmd is 0 in evp_pkey_ctx_setget_params_to_ctrl. As a result, the next call to EVP_PKEY_CTX_ctrl will fail: it calls pkey_ec_ctrl, and since ctx->ctrl_cmd is 0, it fails with -2 and raises EVP_R_COMMAND_NOT_SUPPORTED. By setting it to EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID in fix_ec_paramgen_curve_nid, the call to EVP_PKEY_CTX_ctrl will succeed as expected.
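The getter contract this PR and its review turn on, as an added stand-alone C model (not OpenSSL code and not part of the PR). `model_get_utf8_string`, `fetch_by_value` and `fetch_by_address` are hypothetical names, and the model assumes that a NULL `*val` means "allocate for the caller", as the description above states.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the getter: val == NULL fails; *val == NULL means
 * "allocate for me" and the caller owns the result; otherwise copy into the
 * caller's max_len-byte buffer, failing if the string plus NUL does not fit. */
static int model_get_utf8_string(const char *src, char **val, size_t max_len)
{
    size_t need = strlen(src) + 1;

    if (val == NULL)
        return 0;
    if (*val == NULL) {
        if ((*val = malloc(need)) == NULL)
            return 0;
    } else if (need > max_len) {
        return 0;
    }
    memcpy(*val, src, need);
    return 1;
}

/* Pre-fix shape: p2 is handed over by value, so a NULL p2 arrives as a NULL
 * destination and the getter has nowhere to return a string. */
static int fetch_by_value(const char *src, void *p2, size_t sz)
{
    return model_get_utf8_string(src, (char **)p2, sz);
}

/* Post-fix shape with ownership tracking: go through a typed temporary and
 * report whether the getter allocated, so the caller knows it must free. */
static int fetch_by_address(const char *src, void **p2, size_t sz, int *allocated)
{
    char *s = *p2;
    int was_null = (s == NULL);

    *allocated = 0;
    if (!model_get_utf8_string(src, &s, sz))
        return 0;
    *p2 = s;
    *allocated = was_null;
    return 1;
}

int main(void)
{
    void *p2 = NULL;            /* constructed input: no caller buffer */
    int allocated = 0;
    int ok = fetch_by_address("prime256v1", &p2, 0, &allocated);

    if (allocated)
        free(p2);               /* the real code path would use OPENSSL_free */
    return (ok && fetch_by_value("prime256v1", NULL, 0) == 0) ? 0 : 1;
}
```

The `allocated` flag is the piece the review thread asks about: callers that supplied their own buffer never see an allocation, and the one that passed NULL knows it has something to release.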