Posted to commits@trafficserver.apache.org by zw...@apache.org on 2022/04/05 19:09:06 UTC
[trafficserver] branch 9.2.x updated: check return values of openssl api calls (#8758)
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 9.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.2.x by this push:
new 452c1ce93 check return values of openssl api calls (#8758)
452c1ce93 is described below
commit 452c1ce938049b0cd55ae3eb0af2e66d645ed8b3
Author: Fei Deng <du...@gmail.com>
AuthorDate: Fri Apr 1 11:24:58 2022 -0500
check return values of openssl api calls (#8758)
(cherry picked from commit 038df407cb25e3388474db8108247b17fe2716fa)
---
iocore/net/TLSSessionResumptionSupport.cc | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/iocore/net/TLSSessionResumptionSupport.cc b/iocore/net/TLSSessionResumptionSupport.cc
index 36cfbb5d0..94ab306c1 100644
--- a/iocore/net/TLSSessionResumptionSupport.cc
+++ b/iocore/net/TLSSessionResumptionSupport.cc
@@ -214,8 +214,12 @@ TLSSessionResumptionSupport::_setSessionInformation(ssl_ticket_key_block *keyblo
{
const ssl_ticket_key_t &most_recent_key = keyblock->keys[0];
memcpy(keyname, most_recent_key.key_name, sizeof(most_recent_key.key_name));
- RAND_bytes(iv, EVP_MAX_IV_LENGTH);
- EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), nullptr, most_recent_key.aes_key, iv);
+ if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) != 1) {
+ return -1;
+ }
+ if (EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), nullptr, most_recent_key.aes_key, iv) != 1) {
+ return -2;
+ }
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
const OSSL_PARAM params[] = {
OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, const_cast<unsigned char *>(most_recent_key.hmac_secret),
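Review bot: The new failure paths (`return -1;` after `RAND_bytes`, `return -2;` after `EVP_EncryptInit_ex`, and the `return -3;` sites in the next hunk and in `_getSessionInformation`) exit without logging anything and use undocumented numeric codes. A failing RNG or cipher initialisation on the session-ticket path is something an operator should be able to see, so I would add a log line before each return, for example `Debug("ssl_session_ticket", "RAND_bytes failed while generating the ticket IV");`, and a short comment at the top of the function listing what -1, -2 and -3 mean. Whether any caller distinguishes the three values is not visible here; if none does, a single documented error value would be simpler. The function body continues beyond this hunk.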
@@ -223,9 +227,13 @@ TLSSessionResumptionSupport::_setSessionInformation(ssl_ticket_key_block *keyblo
OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, mac_param_digest, 0),
OSSL_PARAM_construct_end(),
};
- EVP_MAC_CTX_set_params(hctx, params);
+ if (EVP_MAC_CTX_set_params(hctx, params) != 1) {
+ return -3;
+ }
#else
- HMAC_Init_ex(hctx, most_recent_key.hmac_secret, sizeof(most_recent_key.hmac_secret), evp_md_func, nullptr);
+ if (HMAC_Init_ex(hctx, most_recent_key.hmac_secret, sizeof(most_recent_key.hmac_secret), evp_md_func, nullptr) != 1) {
+ return -3;
+ }
#endif
Debug("ssl_session_ticket", "create ticket for a new session.");
@@ -245,16 +253,22 @@ TLSSessionResumptionSupport::_getSessionInformation(ssl_ticket_key_block *keyblo
{
for (unsigned i = 0; i < keyblock->num_keys; ++i) {
if (memcmp(keyname, keyblock->keys[i].key_name, sizeof(keyblock->keys[i].key_name)) == 0) {
- EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), nullptr, keyblock->keys[i].aes_key, iv);
+ if (EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), nullptr, keyblock->keys[i].aes_key, iv) != 1) {
+ return -2;
+ }
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
const OSSL_PARAM params[] = {
OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, keyblock->keys[i].hmac_secret, sizeof(keyblock->keys[i].hmac_secret)),
OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, mac_param_digest, 0),
OSSL_PARAM_construct_end(),
};
- EVP_MAC_CTX_set_params(hctx, params);
+ if (EVP_MAC_CTX_set_params(hctx, params) != 1) {
+ return -3;
+ }
#else
- HMAC_Init_ex(hctx, keyblock->keys[i].hmac_secret, sizeof(keyblock->keys[i].hmac_secret), evp_md_func, nullptr);
+ if (HMAC_Init_ex(hctx, keyblock->keys[i].hmac_secret, sizeof(keyblock->keys[i].hmac_secret), evp_md_func, nullptr) != 1) {
+ return -3;
+ }
#endif
Debug("ssl_session_ticket", "verify the ticket for an existing session.");
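Review bot: The new `return -2;` and `return -3;` in `_getSessionInformation` do not say which failure mode they select for a ticket presented by the client, and the caller is not visible in this hunk. If these values are handed straight back from the OpenSSL ticket-key callback, a negative return is treated as a fatal error and ends the handshake, whereas 0 lets it continue as a full handshake without resumption. These are internal setup failures rather than bad-ticket cases, so failing closed is defensible, but it deserves a comment above the first check such as `// Crypto setup failed: return < 0 so the handshake is aborted rather than falling back to a full handshake.` The loop and the function body continue beyond the hunk.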