Calls to the OpenSSL EVP API are not being error-checked in the SHA2 code. We should be using the OQS_OPENSSL_GUARD macro here.
|
static void do_hash(uint8_t *output, const uint8_t *input, size_t inplen, const EVP_MD *md) { |
|
EVP_MD_CTX *mdctx; |
|
unsigned int outlen; |
|
mdctx = OSSL_FUNC(EVP_MD_CTX_new)(); |
|
OQS_EXIT_IF_NULLPTR(mdctx, "OpenSSL"); |
|
OSSL_FUNC(EVP_DigestInit_ex)(mdctx, md, NULL); |
|
OSSL_FUNC(EVP_DigestUpdate)(mdctx, input, inplen); |
|
OSSL_FUNC(EVP_DigestFinal_ex)(mdctx, output, &outlen); |
|
OSSL_FUNC(EVP_MD_CTX_free)(mdctx); |
|
} |
We could also use the macro here instead of error-checking manually:
|
/* Create and initialise the context */ |
|
if (!(ctx = OSSL_FUNC(EVP_CIPHER_CTX_new)())) { |
|
handleErrors(); |
|
} |
|
|
|
if (1 != OSSL_FUNC(EVP_EncryptInit_ex)(ctx, oqs_aes_256_ecb(), NULL, key, NULL)) { |
|
handleErrors(); |
|
} |
|
|
|
if (1 != OSSL_FUNC(EVP_EncryptUpdate)(ctx, buffer, &len, ctr, 16)) { |
|
handleErrors(); |
|
} |
Reported by @trailofbits in Week 1 of their audit of liboqs.