Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dirkmueller:acdc:as_python3_module
qatengine
Fix-buffer-overflow-issue-with-SHA3-and-ECX.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File Fix-buffer-overflow-issue-with-SHA3-and-ECX.patch of Package qatengine
commit cab65f33127d97039506dd3cf15f5e27212fa02d Author: Yogaraj Alamenda <yogarajx.alamenda@intel.com> Date: Mon Oct 3 18:05:08 2022 +0530 Fix buffer overflow issue with SHA3 and ECX. - Fix memcpy with correct bufferlen in case of SHA-3 - Fix ECX reverse_bytes to reverse based on input sizes. Signed-off-by: Yogaraj Alamenda <yogarajx.alamenda@intel.com> diff -Bubp QAT_Engine-0.6.10.orig/qat_hw_ecx.c QAT_Engine-0.6.10/qat_hw_ecx.c --- a/qat_hw_ecx.c +++ b/qat_hw_ecx.c @@ -94,22 +94,26 @@ typedef struct { unsigned char *privkey; } ECX_KEY; -static inline int reverse_bytes(unsigned char *tobuffer, - unsigned char *frombuffer, unsigned int size) +static inline int reverse_bytes(unsigned char *tobuffer, unsigned char *frombuffer, + unsigned int tosize, unsigned int fromsize) { int i = 0; - int tobuffer_frombuffer_length_diff = 0; - if (tobuffer == NULL || frombuffer == NULL ) { - WARN("Either tobuffer or frombuffer is NULL %d\n", size); + if (tobuffer == NULL || frombuffer == NULL) { + WARN("Either tobuffer or frombuffer is NULL \n"); return 0; } - if (X448_KEYLEN == size) - tobuffer_frombuffer_length_diff = X448_DATA_KEY_DIFF; - for (i = 0; i < size; i++) { - tobuffer[i] = frombuffer[size - 1 - i + tobuffer_frombuffer_length_diff]; + if (fromsize == X448_KEYLEN) + i = 8; /* Adds zeros at the begining for 64 byte alignment */ + + /* Reverse bytes and copy to dest buffer */ + for (; i < tosize; i++) { + tobuffer[i] = frombuffer[--fromsize]; + if (fromsize <=0) + break; } + return 1; } @@ -243,7 +247,7 @@ int qat_pkey_ecx_keygen(EVP_PKEY_CTX *ct goto err; } pubkey = key->pubkey; - privkey = key->privkey = OPENSSL_secure_zalloc(qat_keylen); + privkey = key->privkey = OPENSSL_secure_zalloc(keylen); if (privkey == NULL) { WARN("Cannot allocate privkey.\n"); QATerr(QAT_F_QAT_PKEY_ECX_KEYGEN, ERR_R_MALLOC_FAILURE); @@ -276,7 +280,7 @@ int qat_pkey_ecx_keygen(EVP_PKEY_CTX *ct qat_ecx_op_data->curveType = is_ecx_448 ? CPA_CY_EC_MONTEDWDS_CURVE448_TYPE : CPA_CY_EC_MONTEDWDS_CURVE25519_TYPE; - if (0 == reverse_bytes(qat_ecx_op_data->k.pData, privkey, qat_keylen)) { + if (0 == reverse_bytes(qat_ecx_op_data->k.pData, privkey, qat_keylen, keylen)) { WARN("Failed to reverse bytes for submission of data to QAT driver\n"); QATerr(QAT_F_QAT_PKEY_ECX_KEYGEN, ERR_R_INTERNAL_ERROR); goto err; @@ -433,7 +437,7 @@ int qat_pkey_ecx_keygen(EVP_PKEY_CTX *ct qat_cleanup_op_done(&op_done); - if (0 == reverse_bytes(pubkey, pXk->pData, keylen)) { + if (0 == reverse_bytes(pubkey, pXk->pData, keylen, qat_keylen)) { WARN("Failed to reverse bytes for data received from QAT driver\n"); QATerr(QAT_F_QAT_PKEY_ECX_KEYGEN, ERR_R_INTERNAL_ERROR); goto err; @@ -529,7 +533,6 @@ int qat_pkey_ecx_derive25519(EVP_PKEY_CT CpaBoolean multiplyStatus = CPA_TRUE; CpaFlatBuffer *pXk = NULL; const unsigned char *privkey, *pubkey; - Cpa8U dataLenInBytes = X25519_KEYLEN; op_done_t op_done; int qatPerformOpRetries = 0; int iMsgRetry = getQatMsgRetryCount(); @@ -561,7 +564,7 @@ int qat_pkey_ecx_derive25519(EVP_PKEY_CT return 0; if (key == NULL) { - *keylen = dataLenInBytes; + *keylen = X25519_KEYLEN; return 1; } @@ -575,21 +578,21 @@ int qat_pkey_ecx_derive25519(EVP_PKEY_CT } memset(qat_ecx_op_data, 0, sizeof(CpaCyEcMontEdwdsPointMultiplyOpData)); - qat_ecx_op_data->k.pData = (Cpa8U *)qaeCryptoMemAlloc(dataLenInBytes, __FILE__, __LINE__); + qat_ecx_op_data->k.pData = (Cpa8U *)qaeCryptoMemAlloc(X25519_KEYLEN, __FILE__, __LINE__); if (qat_ecx_op_data->k.pData == NULL) { WARN("Failure to allocate k.pData.\n"); QATerr(QAT_F_QAT_PKEY_ECX_DERIVE25519, ERR_R_MALLOC_FAILURE); goto err; } - qat_ecx_op_data->k.dataLenInBytes = (Cpa32U)dataLenInBytes; + qat_ecx_op_data->k.dataLenInBytes = X25519_KEYLEN; - qat_ecx_op_data->x.pData = (Cpa8U *)qaeCryptoMemAlloc(dataLenInBytes, __FILE__, __LINE__); + qat_ecx_op_data->x.pData = (Cpa8U *)qaeCryptoMemAlloc(X25519_KEYLEN, __FILE__, __LINE__); if (qat_ecx_op_data->x.pData == NULL) { WARN("Failure to allocate x.pData.\n"); QATerr(QAT_F_QAT_PKEY_ECX_DERIVE25519, ERR_R_MALLOC_FAILURE); goto err; } - qat_ecx_op_data->x.dataLenInBytes = (Cpa32U)dataLenInBytes; + qat_ecx_op_data->x.dataLenInBytes = X25519_KEYLEN; pXk = (CpaFlatBuffer *)OPENSSL_zalloc(sizeof(CpaFlatBuffer)); if (NULL == pXk) { @@ -597,24 +600,26 @@ int qat_pkey_ecx_derive25519(EVP_PKEY_CT QATerr(QAT_F_QAT_PKEY_ECX_DERIVE25519, ERR_R_MALLOC_FAILURE); goto err; } - pXk->pData = (Cpa8U *)qaeCryptoMemAlloc(dataLenInBytes, __FILE__, __LINE__); + pXk->pData = (Cpa8U *)qaeCryptoMemAlloc(X25519_KEYLEN, __FILE__, __LINE__); if (NULL == pXk->pData) { WARN("Failed to allocate memory for pXk data\n"); QATerr(QAT_F_QAT_PKEY_ECX_DERIVE25519, ERR_R_MALLOC_FAILURE); goto err; } - pXk->dataLenInBytes = dataLenInBytes; + pXk->dataLenInBytes = X25519_KEYLEN; qat_ecx_op_data->generator = CPA_FALSE; qat_ecx_op_data->curveType = CPA_CY_EC_MONTEDWDS_CURVE25519_TYPE; - if (0 == reverse_bytes(qat_ecx_op_data->k.pData, (unsigned char *)privkey, dataLenInBytes)) { + if (0 == reverse_bytes(qat_ecx_op_data->k.pData, (unsigned char *)privkey, + X25519_KEYLEN, X25519_KEYLEN)) { WARN("Failed to reverse bytes for submission of data to QAT driver\n"); QATerr(QAT_F_QAT_PKEY_ECX_DERIVE25519, ERR_R_INTERNAL_ERROR); goto err; } - if (0 == reverse_bytes(qat_ecx_op_data->x.pData,(unsigned char *)pubkey, dataLenInBytes)) { + if (0 == reverse_bytes(qat_ecx_op_data->x.pData,(unsigned char *)pubkey, + X25519_KEYLEN, X25519_KEYLEN)) { WARN("Failed to reverse bytes for submission of data to QAT driver\n"); QATerr(QAT_F_QAT_PKEY_ECX_DERIVE25519, ERR_R_INTERNAL_ERROR); goto err; @@ -770,20 +775,20 @@ int qat_pkey_ecx_derive25519(EVP_PKEY_CT qat_cleanup_op_done(&op_done); - if (0 == reverse_bytes(key, pXk->pData, dataLenInBytes)) { + if (0 == reverse_bytes(key, pXk->pData, X25519_KEYLEN, X25519_KEYLEN)) { WARN("Failed to reverse bytes for data received from QAT driver\n"); QATerr(QAT_F_QAT_PKEY_ECX_DERIVE25519, ERR_R_INTERNAL_ERROR); goto err; } - *keylen = (size_t)dataLenInBytes; + *keylen = X25519_KEYLEN; ret = 1; err: /* Clean the memory. */ if (pXk != NULL) { if (pXk->pData != NULL) { - OPENSSL_cleanse(pXk->pData, dataLenInBytes); + OPENSSL_cleanse(pXk->pData, X25519_KEYLEN); qaeCryptoMemFreeNonZero(pXk->pData); } OPENSSL_free(pXk); @@ -791,11 +796,11 @@ err: if (NULL != qat_ecx_op_data) { if (qat_ecx_op_data->k.pData != NULL) { - OPENSSL_cleanse(qat_ecx_op_data->k.pData, dataLenInBytes); + OPENSSL_cleanse(qat_ecx_op_data->k.pData, X25519_KEYLEN); qaeCryptoMemFreeNonZero(qat_ecx_op_data->k.pData); } if (qat_ecx_op_data->x.pData != NULL) { - OPENSSL_cleanse(qat_ecx_op_data->x.pData, dataLenInBytes); + OPENSSL_cleanse(qat_ecx_op_data->x.pData, X25519_KEYLEN); qaeCryptoMemFreeNonZero(qat_ecx_op_data->x.pData); } qaeCryptoMemFreeNonZero(qat_ecx_op_data); @@ -900,13 +905,15 @@ int qat_pkey_ecx_derive448(EVP_PKEY_CTX qat_ecx_op_data->generator = CPA_FALSE; qat_ecx_op_data->curveType = CPA_CY_EC_MONTEDWDS_CURVE448_TYPE; - if (0 == reverse_bytes(qat_ecx_op_data->k.pData, (unsigned char *)privkey, QAT_X448_DATALEN)) { + if (0 == reverse_bytes(qat_ecx_op_data->k.pData, (unsigned char *)privkey, + QAT_X448_DATALEN, X448_KEYLEN)) { WARN("Failed to reverse bytes for submission of data to QAT driver\n"); QATerr(QAT_F_QAT_PKEY_ECX_DERIVE448, ERR_R_INTERNAL_ERROR); goto err; } - if (0 == reverse_bytes(qat_ecx_op_data->x.pData, (unsigned char *)pubkey, QAT_X448_DATALEN)) { + if (0 == reverse_bytes(qat_ecx_op_data->x.pData, (unsigned char *)pubkey, + QAT_X448_DATALEN, X448_KEYLEN)) { WARN("Failed to reverse bytes for submission of data to QAT driver\n"); QATerr(QAT_F_QAT_PKEY_ECX_DERIVE448, ERR_R_INTERNAL_ERROR); goto err; @@ -1062,7 +1069,7 @@ int qat_pkey_ecx_derive448(EVP_PKEY_CTX qat_cleanup_op_done(&op_done); - if (0 == reverse_bytes(key, pXk->pData, X448_KEYLEN)) { + if (0 == reverse_bytes(key, pXk->pData, X448_KEYLEN, QAT_X448_DATALEN)) { WARN("Failed to reverse bytes for data received from QAT driver\n"); QATerr(QAT_F_QAT_PKEY_ECX_DERIVE448, ERR_R_INTERNAL_ERROR); goto err; --- a/qat_hw_sha3.c +++ b/qat_hw_sha3.c @@ -757,7 +757,7 @@ static int qat_sha3_update(EVP_MD_CTX *c sha3_ctx->md_size = EVP_MD_CTX_size(ctx); /* Allocate buffer for HASH operation. */ buffer_len = len + sha3_ctx->digest_size ; - sha3_ctx->src_buffer[0].pData = qaeCryptoMemAlloc( buffer_len , __FILE__, __LINE__); + sha3_ctx->src_buffer[0].pData = qaeCryptoMemAlloc(buffer_len, __FILE__, __LINE__); if ((sha3_ctx->src_buffer[0].pData) == NULL) { WARN("Unable to allocate memory for buffer for sha3 hash.\n"); @@ -765,9 +765,11 @@ static int qat_sha3_update(EVP_MD_CTX *c goto err; } + memset(sha3_ctx->src_buffer[0].pData, 0, buffer_len); + sha3_ctx->dst_buffer[0].pData = sha3_ctx->src_buffer[0].pData; - memcpy(sha3_ctx->src_buffer[0].pData, in, buffer_len); + memcpy(sha3_ctx->src_buffer[0].pData, in, len); tlv = qat_check_create_local_variables(); if (NULL == tlv) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
