
Commit 95992e5

pgcrypto: Detect errors with EVP calls from OpenSSL
The following routines are called within pgcrypto when handling digests but there were no checks for failures: - EVP_MD_CTX_size (can fail with -1 as of 3.0.0) - EVP_MD_CTX_block_size (can fail with -1 as of 3.0.0) - EVP_DigestInit_ex - EVP_DigestUpdate - EVP_DigestFinal_ex A set of elog(ERROR) is added by this commit to detect such failures, that should never happen except in the event of a processing failure internal to OpenSSL. Note that it would be possible to use ERR_reason_error_string() to get more context about such errors, but these refer mainly to the internals of OpenSSL, so it is not really obvious how useful that would be. This is left out for simplicity. Per report from Coverity. Thanks to Tom Lane for the discussion. Backpatch-through: 9.5
1 parent 3ea8e66 commit 95992e5


1 file changed

+16
-5
lines changed

1 file changed

+16
-5
lines changed

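--- a/contrib/pgcrypto/openssl.c
+++ b/contrib/pgcrypto/openssl.c
@@ -267,40 +267,51 @@ static unsigned
 digest_result_size(PX_MD *h)
 {
 OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
+int result = EVP_MD_CTX_size(digest->ctx);
 
-return EVP_MD_CTX_size(digest->ctx);
+if (result < 0)
+elog(ERROR, "EVP_MD_CTX_size() failed");
+
+return result;
 }
 
 static unsigned
 digest_block_size(PX_MD *h)
 {
 OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
+int result = EVP_MD_CTX_block_size(digest->ctx);
+
+if (result < 0)
+elog(ERROR, "EVP_MD_CTX_block_size() failed");
 
-return EVP_MD_CTX_block_size(digest->ctx);
+return result;
 }
 
 static void
 digest_reset(PX_MD *h)
 {
 OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
 
-EVP_DigestInit_ex(digest->ctx, digest->algo, NULL);
+if (!EVP_DigestInit_ex(digest->ctx, digest->algo, NULL))
+elog(ERROR, "EVP_DigestInit_ex() failed");
 }
 
 static void
 digest_update(PX_MD *h, const uint8 *data, unsigned dlen)
 {
 OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
 
-EVP_DigestUpdate(digest->ctx, data, dlen);
+if (!EVP_DigestUpdate(digest->ctx, data, dlen))
+elog(ERROR, "EVP_DigestUpdate() failed");
 }
 
 static void
 digest_finish(PX_MD *h, uint8 *dst)
 {
 OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
 
-EVP_DigestFinal_ex(digest->ctx, dst, NULL);
+if (!EVP_DigestFinal_ex(digest->ctx, dst, NULL))
+elog(ERROR, "EVP_DigestFinal_ex() failed");
 }
 
 static void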
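Review bot: The five new failure paths in `digest_result_size`, `digest_block_size`, `digest_reset`, `digest_update` and `digest_finish` call `elog(ERROR, ...)` without draining OpenSSL's error queue, so whatever the failed EVP call queued presumably stays behind in the backend after the error is thrown. A later OpenSSL user in the same process that inspects the queue (for example around TLS I/O) could then see a stale digest error unless it clears the queue itself; whether it does is not visible from this hunk. Consider calling `ERR_clear_error();` immediately before each `elog`, assuming `<openssl/err.h>` is already included in this file. A short comment in the two size functions would also help, e.g. `/* returns -1 on failure; check before the implicit int -> unsigned conversion */`, since that check is what keeps a -1 from reaching callers as a very large unsigned size.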
