Commit 78066157 authored by Mark Andrews's avatar Mark Andrews
Browse files

Address bugs in opensslrsa_tofile

1) if 'key->external' is set we just need to call
   dst__privstruct_writefile
2) the cleanup of 'bufs' was incorrect as 'i' doesn't reflect the
   the current index into 'bufs'.  Use a simple for loop.

This review was triggered by Coverity reporting a buffer overrun
on 'bufs'.
parent 573a5858
Pipeline #86498 failed with stages
in 18 minutes and 37 seconds
...@@ -811,7 +811,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { ...@@ -811,7 +811,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
if (key->external) { if (key->external) {
priv.nelements = 0; priv.nelements = 0;
DST_RET(dst__privstruct_writefile(key, &priv, directory)); return (dst__privstruct_writefile(key, &priv, directory));
} }
pkey = key->keydata.pkey; pkey = key->keydata.pkey;
...@@ -855,6 +855,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { ...@@ -855,6 +855,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
if (d != NULL) { if (d != NULL) {
priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT; priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
priv.elements[i].length = BN_num_bytes(d); priv.elements[i].length = BN_num_bytes(d);
INSIST(i < ARRAY_SIZE(bufs));
bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
BN_bn2bin(d, bufs[i]); BN_bn2bin(d, bufs[i]);
priv.elements[i].data = bufs[i]; priv.elements[i].data = bufs[i];
...@@ -864,6 +865,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { ...@@ -864,6 +865,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
if (p != NULL) { if (p != NULL) {
priv.elements[i].tag = TAG_RSA_PRIME1; priv.elements[i].tag = TAG_RSA_PRIME1;
priv.elements[i].length = BN_num_bytes(p); priv.elements[i].length = BN_num_bytes(p);
INSIST(i < ARRAY_SIZE(bufs));
bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
BN_bn2bin(p, bufs[i]); BN_bn2bin(p, bufs[i]);
priv.elements[i].data = bufs[i]; priv.elements[i].data = bufs[i];
...@@ -873,6 +875,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { ...@@ -873,6 +875,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
if (q != NULL) { if (q != NULL) {
priv.elements[i].tag = TAG_RSA_PRIME2; priv.elements[i].tag = TAG_RSA_PRIME2;
priv.elements[i].length = BN_num_bytes(q); priv.elements[i].length = BN_num_bytes(q);
INSIST(i < ARRAY_SIZE(bufs));
bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
BN_bn2bin(q, bufs[i]); BN_bn2bin(q, bufs[i]);
priv.elements[i].data = bufs[i]; priv.elements[i].data = bufs[i];
...@@ -882,6 +885,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { ...@@ -882,6 +885,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
if (dmp1 != NULL) { if (dmp1 != NULL) {
priv.elements[i].tag = TAG_RSA_EXPONENT1; priv.elements[i].tag = TAG_RSA_EXPONENT1;
priv.elements[i].length = BN_num_bytes(dmp1); priv.elements[i].length = BN_num_bytes(dmp1);
INSIST(i < ARRAY_SIZE(bufs));
bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
BN_bn2bin(dmp1, bufs[i]); BN_bn2bin(dmp1, bufs[i]);
priv.elements[i].data = bufs[i]; priv.elements[i].data = bufs[i];
...@@ -891,6 +895,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { ...@@ -891,6 +895,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
if (dmq1 != NULL) { if (dmq1 != NULL) {
priv.elements[i].tag = TAG_RSA_EXPONENT2; priv.elements[i].tag = TAG_RSA_EXPONENT2;
priv.elements[i].length = BN_num_bytes(dmq1); priv.elements[i].length = BN_num_bytes(dmq1);
INSIST(i < ARRAY_SIZE(bufs));
bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
BN_bn2bin(dmq1, bufs[i]); BN_bn2bin(dmq1, bufs[i]);
priv.elements[i].data = bufs[i]; priv.elements[i].data = bufs[i];
...@@ -900,6 +905,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { ...@@ -900,6 +905,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
if (iqmp != NULL) { if (iqmp != NULL) {
priv.elements[i].tag = TAG_RSA_COEFFICIENT; priv.elements[i].tag = TAG_RSA_COEFFICIENT;
priv.elements[i].length = BN_num_bytes(iqmp); priv.elements[i].length = BN_num_bytes(iqmp);
INSIST(i < ARRAY_SIZE(bufs));
bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
BN_bn2bin(iqmp, bufs[i]); BN_bn2bin(iqmp, bufs[i]);
priv.elements[i].data = bufs[i]; priv.elements[i].data = bufs[i];
...@@ -926,7 +932,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { ...@@ -926,7 +932,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
ret = dst__privstruct_writefile(key, &priv, directory); ret = dst__privstruct_writefile(key, &priv, directory);
err: err:
while (i--) { for (i = 0; i < ARRAY_SIZE(bufs); i++) {
if (bufs[i] != NULL) { if (bufs[i] != NULL) {
isc_mem_put(key->mctx, bufs[i], isc_mem_put(key->mctx, bufs[i],
priv.elements[i].length); priv.elements[i].length);
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment