From: Viktor Dukhovni Date: Sun, 26 Jan 2025 06:02:31 +0000 (+1100) Subject: Clarify docs of EVP_CIPHER*_get_block_size X-Git-Tag: openssl-3.5.0-alpha1~677 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a69288d04aeac4927f092055a74e7d36c5847869;p=thirdparty%2Fopenssl.git Clarify docs of EVP_CIPHER*_get_block_size Also, tolerate NULL input ctx, just like NULL cipher. Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26561) --- diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 7cf8085857a..f7932e23f99 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -371,7 +371,7 @@ int EVP_CIPHER_get_block_size(const EVP_CIPHER *cipher) int EVP_CIPHER_CTX_get_block_size(const EVP_CIPHER_CTX *ctx) { - return EVP_CIPHER_get_block_size(ctx->cipher); + return (ctx == NULL) ? 0 : EVP_CIPHER_get_block_size(ctx->cipher); } int EVP_CIPHER_impl_ctx_size(const EVP_CIPHER *e) diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 1a1e4cf1e43..85bb803e139 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -613,8 +613,11 @@ the tag length has not been set. Return the block size of a cipher when passed an B or B structure. The constant B is also the -maximum block length for all ciphers. A value of 0 is returned if the cipher -has not been properly initialized with a call to B. +maximum block length for all ciphers. +A value of 0 is returned if, with B, the cipher +I is NULL, or, with B, the context +I is NULL or has not been properly initialized with a call to +B. =item EVP_CIPHER_get_type() and EVP_CIPHER_CTX_get_type() @@ -1360,12 +1363,12 @@ flags. =head1 RETURN VALUES EVP_CIPHER_fetch() returns a pointer to a B for success -and B for failure. +and NULL for failure. EVP_CIPHER_up_ref() returns 1 for success or 0 otherwise. EVP_CIPHER_CTX_new() returns a pointer to a newly created -B for success and B for failure. +B for success and NULL for failure. EVP_CIPHER_CTX_dup() returns a new EVP_CIPHER_CTX if successful or NULL on failure. @@ -1467,7 +1470,7 @@ depending on the mode specified. To specify additional authenticated data (AAD), a call to EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output -parameter I set to B. In this case, on success, the parameter +parameter I set to NULL. In this case, on success, the parameter I is set to the number of bytes authenticated. When decrypting, the return value of EVP_DecryptFinal() or EVP_CipherFinal() @@ -1535,7 +1538,7 @@ few additional requirements and different I values. For CCM mode, the total plaintext or ciphertext length B be passed to EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() with the output -and input parameters (I and I) set to B and the length passed in +and input parameters (I and I) set to NULL and the length passed in the I parameter. The following Is are supported in CCM mode. @@ -1572,7 +1575,7 @@ altered and several additional ctrl operations are supported. To specify any additional authenticated data (AAD) and/or a Nonce, a call to EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made -with the output parameter I set to B. +with the output parameter I set to NULL. RFC5297 states that the Nonce is the last piece of AAD before the actual encrypt/decrypt takes place. The API does not differentiate the Nonce from @@ -1615,7 +1618,7 @@ calls). For SIV mode the taglen must be 16. SIV mode makes two passes over the input data, thus, only one call to EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made -with I set to a non-B value. A call to EVP_DecryptFinal() or +with I set to a non-NULL value. A call to EVP_DecryptFinal() or EVP_CipherFinal() is not required, but will indicate if the update operation succeeded. @@ -1939,6 +1942,10 @@ The EVP_CIPHER_CTX_flags() macro was deprecated in OpenSSL 1.1.0. EVP_CIPHER_CTX_dup() was added in OpenSSL 3.2. +Prior to OpenSSL 3.5, passing a NULL I to +B would result in a NULL pointer dereference, +rather than a 0 return value indicating an error. + =head1 COPYRIGHT Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.