author | Clemens Lang via Gcrypt-devel <gcrypt-devel@lists.gnupg.org> | 2022-02-11 16:55:24 +0100 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2022-02-14 15:17:44 +0900 |
commit | a60f8e43dd1b02adf7d1fd54c2e1d27564dd12c1 (patch) | |
tree | b763463b3593e56cdeb82faafa2512987fe8800a | |
parent | 23345eac14d200720a650f6a542fe0c49bea1315 (diff) | |
fips: Fix memory leaks in FIPS mode
* cipher/pubkey.c (_gcry_pk_sign_md): Fix memory leak in FIPS mode when
used with SHA1
* tests/basic.c (check_one_cipher_core): Add missing free in error code
triggered in FIPS mode
* tests/dsa-rfc6979.c (check_dsa_rfc6979): Likewise
* tests/pubkey.c (check_x931_derived_key): Likewise
--
Cherry-picked the master commit of:
7fc5d33e74164519edcd8127a35cc21228d2727f
Signed-off-by: Clemens Lang <cllang@redhat.com>
-rw-r--r-- | cipher/pubkey.c | 5 | ||||
-rw-r--r-- | tests/basic.c | 1 | ||||
-rw-r--r-- | tests/dsa-rfc6979.c | 2 | ||||
-rw-r--r-- | tests/pubkey.c | 1 |
4 files changed, 8 insertions, 1 deletions
diff --git a/cipher/pubkey.c b/cipher/pubkey.c
index 7fdb7771..8deeced6 100644
--- a/cipher/pubkey.c
+++ b/cipher/pubkey.c
@@ -516,7 +516,10 @@ _gcry_pk_sign_md (gcry_sexp_t *r_sig, const char *tmpl, gcry_md_hd_t hd_orig,
 algo = _gcry_md_get_algo (hd);
 if (fips_mode () && algo == GCRY_MD_SHA1)
- return GPG_ERR_DIGEST_ALGO;
+ {
+ _gcry_md_close (hd);
+ return GPG_ERR_DIGEST_ALGO;
+ }
 digest = _gcry_md_read (hd, 0);
 }
diff --git a/tests/basic.c b/tests/basic.c
index 32be7c2f..a0ad33eb 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -11047,6 +11047,7 @@ check_one_cipher_core (int algo, int mode, int flags,
 if (!err)
 fail ("pass %d, algo %d, mode %d, gcry_cipher_encrypt is expected to "
 "fail in FIPS mode: %s\n", pass, algo, mode, gpg_strerror (err));
+ gcry_cipher_close (hd);
 goto err_out_free;
 }
 if (err)
diff --git a/tests/dsa-rfc6979.c b/tests/dsa-rfc6979.c
index cd68cd25..79b25c3d 100644
--- a/tests/dsa-rfc6979.c
+++ b/tests/dsa-rfc6979.c
@@ -943,6 +943,8 @@ check_dsa_rfc6979 (void)
 {
 if (!err)
 fail ("signing should not work in FIPS mode: %s\n", gpg_strerror (err));
+ gcry_sexp_release (data);
+ gcry_sexp_release (seckey);
 continue;
 }
 if (err)
diff --git a/tests/pubkey.c b/tests/pubkey.c
index c5510d05..b352490b 100644
--- a/tests/pubkey.c
+++ b/tests/pubkey.c
@@ -1035,6 +1035,7 @@ check_x931_derived_key (int what)
 if (in_fips_mode && nbits < 2048)
 {
 info("RSA key test with %d bits skipped in fips mode\n", nbits);
+ gcry_sexp_release (key_spec);
 goto leave;
 }
 } |
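Review bot: In cipher/pubkey.c the handle is closed by hand on this one early return inside `_gcry_pk_sign_md`, so cleanup is duplicated per exit instead of being owned by a single exit path. The function body starts and ends outside the hunk, so whether other returns taken after `hd` exists also skip the close cannot be checked from here. A caller can hit this SHA-1 rejection repeatedly in FIPS mode, which makes any missed close a per-call leak in a long-running process, so routing every exit after the handle is obtained through one cleanup point would be more robust than per-site fixes. At minimum the new block should say why the close is there, e.g. `/* hd must be closed on every early return; SHA-1 is rejected in FIPS mode. */`. The `gcry_cipher_close (hd);` before `goto err_out_free` in tests/basic.c and the `gcry_sexp_release (key_spec);` before `goto leave` in tests/pubkey.c follow the same per-site pattern, which suggests those labels do not release these objects.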
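Review bot: In tests/dsa-rfc6979.c the `if (!err)` branch of `check_dsa_rfc6979` still appears to leak on the unexpected-success path. The added lines release `data` and `seckey` before `continue`, but if signing did succeed, the result object it produced is presumably not released; the signing call and that variable are outside the hunk, so this needs confirming against the full function. That path only runs when the FIPS restriction fails to trigger, which is exactly the run where a leak checker's report should be free of unrelated noise. Releasing the result alongside `data` and `seckey` in that branch would close the gap.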