Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Have legacy blake2 EVP structure use base blake2 implementation #22079

Closed
wants to merge 1 commit into from
Closed

Have legacy blake2 EVP structure use base blake2 implementation #22079

wants to merge 1 commit into from
+26 −9

Conversation

levitte
Copy link
Member

@levitte levitte commented Sep 12, 2023

For some reason, the code here was made to got through the provider
specific init functions. This is very very dangerous if the provider
specific functions were to change in any way (such as changes to the
implementation context structure).

Instead, use the init functions from the base blake2 implementations
directly.

@levitte
Have legacy blake2 EVP structure use base blake2 implementation
88673e9 
For some reason, the code here was made to got through the provider
specific init functions.  This is very very dangerous if the provider
specific functions were to change in any way (such as changes to the
implementation context structure).

Instead, use the init functions from the base blake2 implementations
directly.
@levitte levitte added branch: master Merge to master branch approval: review pending This pull request needs review by a committer triaged: bug The issue/pr is/fixes a bug triaged: cleanup The issue/pr deals with cleanup of comments/docs not altering code significantly labels Sep 12, 2023
@t8m t8m added triaged: refactor The issue/pr requests/implements refactoring tests: exempted The PR is exempt from requirements for testing and removed triaged: cleanup The issue/pr deals with cleanup of comments/docs not altering code significantly labels Sep 12, 2023
@paulidale paulidale added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Sep 12, 2023
@openssl-machine openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Sep 13, 2023
@openssl-machine
Copy link
Collaborator

This pull request is ready to merge

@paulidale
Copy link
Contributor

Merged.

@paulidale paulidale closed this Sep 13, 2023
openssl-machine pushed a commit that referenced this pull request Sep 13, 2023
@levitte @paulidale
Have legacy blake2 EVP structure use base blake2 implementation
df9ecd2 
For some reason, the code here was made to got through the provider
specific init functions.  This is very very dangerous if the provider
specific functions were to change in any way (such as changes to the
implementation context structure).

Instead, use the init functions from the base blake2 implementations
directly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from #22079)
@t8m
Copy link
Member

t8m commented Sep 14, 2023

Hmm.. there is a new Coverity issue as a consequence of this. Not sure why - maybe it just made it possible for Coverity to uncover this or it is a false positive, it needs to be investigated.

@levitte levitte deleted the no-blake2-legacy-provider-entanglement branch September 14, 2023 07:06
mattcaswell
mattcaswell reviewed Sep 14, 2023
View reviewed changes
crypto/evp/legacy_blake2.c
{
BLAKE2S_PARAM P;

ossl_blake2s_param_init(&P);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This introduces an uninitialised read in ossl_blake2s_param_init()

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Found by coverity)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Argh...

Copy link
Member Author

@levitte levitte Sep 14, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

False positive... ossl_blake2s_param_init() intializes that very structure, it's utter silliness to initialize it before that!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually not a false positive....but a mistake by me putting this comment on the wrong line. It's actually the call to ossl_blake2b_param_init below that is the uninit read.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you perhaps mean ossl_blake2b_init() (i.e. no param)?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No? ossl_blake2b_param_init is called on line 29 in this file and reads the uninitialised P->digest_length value

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix in #22103

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, that hack. Ok. Well, I hope my fix is good enough

wanghao75 pushed a commit to openeuler-mirror/openssl that referenced this pull request Sep 23, 2023
@levitte
Have legacy blake2 EVP structure use base blake2 implementation
789ccf0 
For some reason, the code here was made to got through the provider
specific init functions.  This is very very dangerous if the provider
specific functions were to change in any way (such as changes to the
implementation context structure).

Instead, use the init functions from the base blake2 implementations
directly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl/openssl#22079)

Signed-off-by: fly2x <fly2x@hitls.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattcaswell mattcaswell mattcaswell left review comments

@t8m t8m t8m approved these changes

@paulidale paulidale paulidale approved these changes

Assignees
No one assigned
Labels
approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Merge to master branch tests: exempted The PR is exempt from requirements for testing triaged: bug The issue/pr is/fixes a bug triaged: refactor The issue/pr requests/implements refactoring
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@levitte @openssl-machine @paulidale @t8m @mattcaswell