Correct EVP_PKEY ownership: soter_verify_rsa

cossacklabs · Sep 20, 2019 · 74271f9 · 74271f9
1 parent 878191a
commit 74271f9
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 52 deletions.
diff --git a/src/soter/boringssl/soter_verify_rsa.c b/src/soter/boringssl/soter_verify_rsa.c
@@ -29,54 +29,67 @@ soter_status_t soter_verify_init_rsa_pss_pkcs8(soter_sign_ctx_t* ctx,
                                                const void* public_key,
                                                const size_t public_key_length)
 {
-    /* pkey_ctx init */
-    EVP_PKEY* pkey;
+    soter_status_t err = SOTER_FAIL;
+    EVP_PKEY* pkey = NULL;
+    EVP_PKEY_CTX* md_pkey_ctx = NULL;
+
     pkey = EVP_PKEY_new();
     if (!pkey) {
         return SOTER_NO_MEMORY;
     }
+
     if (!EVP_PKEY_set_type(pkey, EVP_PKEY_RSA)) {
-        EVP_PKEY_free(pkey);
-        return SOTER_FAIL;
+        goto free_pkey;
     }
+
     ctx->pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL);
     if (!(ctx->pkey_ctx)) {
-        EVP_PKEY_free(pkey);
-        return SOTER_FAIL;
+        err = SOTER_NO_MEMORY;
+        goto free_pkey;
     }
+
     if (private_key && private_key_length != 0) {
-        if (soter_rsa_import_key(pkey, private_key, private_key_length) != SOTER_SUCCESS) {
-            soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-            return SOTER_FAIL;
+        err = soter_rsa_import_key(pkey, private_key, private_key_length);
+        if (err != SOTER_SUCCESS) {
+            goto free_pkey_ctx;
         }
     }
     if (public_key && public_key_length != 0) {
-        if (soter_rsa_import_key(pkey, public_key, public_key_length) != SOTER_SUCCESS) {
-            soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-            return SOTER_FAIL;
+        err = soter_rsa_import_key(pkey, public_key, public_key_length);
+        if (err != SOTER_SUCCESS) {
+            goto free_pkey_ctx;
         }
     }
 
-    /*md_ctx init*/
     ctx->md_ctx = EVP_MD_CTX_create();
     if (!(ctx->md_ctx)) {
-        soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-        return SOTER_NO_MEMORY;
+        err = SOTER_NO_MEMORY;
+        goto free_pkey_ctx;
     }
-    EVP_PKEY_CTX* md_pkey_ctx = NULL;
+
+    /* md_pkey_ctx is owned by ctx->md_ctx */
     if (!EVP_DigestVerifyInit(ctx->md_ctx, &md_pkey_ctx, EVP_sha256(), NULL, pkey)) {
-        soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-        return SOTER_FAIL;
+        goto free_md_ctx;
     }
     if (!EVP_PKEY_CTX_set_rsa_padding(md_pkey_ctx, RSA_PKCS1_PSS_PADDING)) {
-        soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-        return SOTER_FAIL;
+        goto free_md_ctx;
     }
     if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(md_pkey_ctx, -2)) {
-        soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-        return SOTER_FAIL;
+        goto free_md_ctx;
     }
+
+    EVP_PKEY_free(pkey);
     return SOTER_SUCCESS;
+
+free_md_ctx:
+    EVP_MD_CTX_destroy(ctx->md_ctx);
+    ctx->md_ctx = NULL;
+free_pkey_ctx:
+    EVP_PKEY_CTX_free(ctx->pkey_ctx);
+    ctx->pkey_ctx = NULL;
+free_pkey:
+    EVP_PKEY_free(pkey);
+    return err;
 }
 
 soter_status_t soter_verify_update_rsa_pss_pkcs8(soter_sign_ctx_t* ctx,
@@ -115,12 +128,8 @@ soter_status_t soter_verify_cleanup_rsa_pss_pkcs8(soter_sign_ctx_t* ctx)
         return SOTER_INVALID_PARAMETER;
     }
     if (ctx->pkey_ctx) {
-        EVP_PKEY* pkey = EVP_PKEY_CTX_get0_pkey(ctx->pkey_ctx);
         EVP_PKEY_CTX_free(ctx->pkey_ctx);
         ctx->pkey_ctx = NULL;
-        if (pkey) {
-            EVP_PKEY_free(pkey);
-        }
     }
     if (ctx->md_ctx) {
         EVP_MD_CTX_destroy(ctx->md_ctx);

diff --git a/src/soter/openssl/soter_verify_rsa.c b/src/soter/openssl/soter_verify_rsa.c
@@ -29,54 +29,67 @@ soter_status_t soter_verify_init_rsa_pss_pkcs8(soter_sign_ctx_t* ctx,
                                                const void* public_key,
                                                const size_t public_key_length)
 {
-    /* pkey_ctx init */
-    EVP_PKEY* pkey;
+    soter_status_t err = SOTER_FAIL;
+    EVP_PKEY* pkey = NULL;
+    EVP_PKEY_CTX* md_pkey_ctx = NULL;
+
     pkey = EVP_PKEY_new();
     if (!pkey) {
         return SOTER_NO_MEMORY;
     }
+
     if (!EVP_PKEY_set_type(pkey, EVP_PKEY_RSA)) {
-        EVP_PKEY_free(pkey);
-        return SOTER_FAIL;
+        goto free_pkey;
     }
+
     ctx->pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL);
     if (!(ctx->pkey_ctx)) {
-        EVP_PKEY_free(pkey);
-        return SOTER_FAIL;
+        err = SOTER_NO_MEMORY;
+        goto free_pkey;
     }
+
     if (private_key && private_key_length != 0) {
-        if (soter_rsa_import_key(pkey, private_key, private_key_length) != SOTER_SUCCESS) {
-            soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-            return SOTER_FAIL;
+        err = soter_rsa_import_key(pkey, private_key, private_key_length);
+        if (err != SOTER_SUCCESS) {
+            goto free_pkey_ctx;
         }
     }
     if (public_key && public_key_length != 0) {
-        if (soter_rsa_import_key(pkey, public_key, public_key_length) != SOTER_SUCCESS) {
-            soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-            return SOTER_FAIL;
+        err = soter_rsa_import_key(pkey, public_key, public_key_length);
+        if (err != SOTER_SUCCESS) {
+            goto free_pkey_ctx;
         }
     }
 
-    /*md_ctx init*/
     ctx->md_ctx = EVP_MD_CTX_create();
     if (!(ctx->md_ctx)) {
-        soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-        return SOTER_NO_MEMORY;
+        err = SOTER_NO_MEMORY;
+        goto free_pkey_ctx;
     }
-    EVP_PKEY_CTX* md_pkey_ctx = NULL;
+
+    /* md_pkey_ctx is owned by ctx->md_ctx */
     if (!EVP_DigestVerifyInit(ctx->md_ctx, &md_pkey_ctx, EVP_sha256(), NULL, pkey)) {
-        soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-        return SOTER_FAIL;
+        goto free_md_ctx;
     }
     if (!EVP_PKEY_CTX_set_rsa_padding(md_pkey_ctx, RSA_PKCS1_PSS_PADDING)) {
-        soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-        return SOTER_FAIL;
+        goto free_md_ctx;
     }
     if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(md_pkey_ctx, -2)) {
-        soter_verify_cleanup_rsa_pss_pkcs8(ctx);
-        return SOTER_FAIL;
+        goto free_md_ctx;
     }
+
+    EVP_PKEY_free(pkey);
     return SOTER_SUCCESS;
+
+free_md_ctx:
+    EVP_MD_CTX_destroy(ctx->md_ctx);
+    ctx->md_ctx = NULL;
+free_pkey_ctx:
+    EVP_PKEY_CTX_free(ctx->pkey_ctx);
+    ctx->pkey_ctx = NULL;
+free_pkey:
+    EVP_PKEY_free(pkey);
+    return err;
 }
 
 soter_status_t soter_verify_update_rsa_pss_pkcs8(soter_sign_ctx_t* ctx,
@@ -115,10 +128,6 @@ soter_status_t soter_verify_cleanup_rsa_pss_pkcs8(soter_sign_ctx_t* ctx)
         return SOTER_INVALID_PARAMETER;
     }
     if (ctx->pkey_ctx) {
-        EVP_PKEY* pkey = EVP_PKEY_CTX_get0_pkey(ctx->pkey_ctx);
-        if (pkey) {
-            EVP_PKEY_free(pkey);
-        }
         EVP_PKEY_CTX_free(ctx->pkey_ctx);
         ctx->pkey_ctx = NULL;
     }