This repository has been archived by the owner on Sep 29, 2024. It is now read-only.

Fix dangling OSSL_PARAM
Pointing to a deallocated NSString.
keeshux committed Jan 5, 2024
1 parent 138f1ca commit 9bf7b41
Showing 2 changed files with 30 additions and 10 deletions.
24 changes: 17 additions & 7 deletions Sources/CTunnelKitOpenVPNProtocol/CryptoCBC.m
@@ -50,6 +50,8 @@ @interface CryptoCBC ()

@property (nonatomic, unsafe_unretained) const EVP_CIPHER *cipher;
@property (nonatomic, unsafe_unretained) const EVP_MD *digest;
@property (nonatomic, unsafe_unretained) const char *cCipherName;
@property (nonatomic, unsafe_unretained) const char *cDigestName;
@property (nonatomic, assign) int cipherKeyLength;
@property (nonatomic, assign) int cipherIVLength;
@property (nonatomic, assign) int hmacKeyLength;
@@ -75,10 +77,14 @@ - (instancetype)initWithCipherName:(NSString *)cipherName digestName:(NSString *
self = [super init];
if (self) {
if (cipherName) {
self.cipher = EVP_get_cipherbyname([cipherName cStringUsingEncoding:NSASCIIStringEncoding]);
self.cCipherName = calloc([cipherName length] + 1, sizeof(char));
strncpy(self.cCipherName, [cipherName cStringUsingEncoding:NSASCIIStringEncoding], [cipherName length]);
self.cipher = EVP_get_cipherbyname(self.cCipherName);
NSAssert(self.cipher, @"Unknown cipher '%@'", cipherName);
}
self.digest = EVP_get_digestbyname([digestName cStringUsingEncoding:NSASCIIStringEncoding]);
self.cDigestName = calloc([digestName length] + 1, sizeof(char));
strncpy(self.cDigestName, [digestName cStringUsingEncoding:NSASCIIStringEncoding], [digestName length]);
self.digest = EVP_get_digestbyname(self.cDigestName);
NSAssert(self.digest, @"Unknown digest '%@'", digestName);

if (cipherName) {
@@ -96,7 +102,7 @@ - (instancetype)initWithCipherName:(NSString *)cipherName digestName:(NSString *

self.mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
OSSL_PARAM *macParams = calloc(2, sizeof(OSSL_PARAM));
macParams[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)[digestName cStringUsingEncoding:NSASCIIStringEncoding], 0);
macParams[0] = OSSL_PARAM_construct_utf8_string("digest", self.cDigestName, 0);
macParams[1] = OSSL_PARAM_construct_end();
self.macParams = macParams;

@@ -115,7 +121,12 @@ - (void)dealloc
free(self.macParams);
bzero(self.bufferDecHMAC, CryptoCBCMaxHMACLength);
free(self.bufferDecHMAC);


if (self.cCipherName) {
free(self.cCipherName);
}
free(self.cDigestName);

self.cipher = NULL;
self.digest = NULL;
}
@@ -175,7 +186,6 @@ - (BOOL)encryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8
memcpy(outEncrypted, bytes, length);
l1 = (int)length;
}

EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(self.mac);
TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_MAC_init(ctx, self.hmacKeyEnc.bytes, self.hmacKeyEnc.count, self.macParams);
TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_MAC_update(ctx, outIV, l1 + l2 + self.cipherIVLength);
@@ -215,7 +225,7 @@ - (BOOL)decryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8
const uint8_t *encrypted = bytes + self.digestLength + self.cipherIVLength;
size_t l1 = 0, l2 = 0;
int code = 1;

EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(self.mac);
TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_MAC_init(ctx, self.hmacKeyDec.bytes, self.hmacKeyDec.count, self.macParams);
TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_MAC_update(ctx, bytes + self.digestLength, length - self.digestLength);
@@ -249,7 +259,7 @@ - (BOOL)verifyBytes:(const uint8_t *)bytes length:(NSInteger)length flags:(const
{
size_t l1 = 0;
int code = 1;

EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(self.mac);
TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_MAC_init(ctx, self.hmacKeyDec.bytes, self.hmacKeyDec.count, self.macParams);
TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_MAC_update(ctx, bytes + self.digestLength, length - self.digestLength);
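Review bot: In `initWithCipherName:digestName:` the new `strncpy` calls read their source directly from `cStringUsingEncoding:`, which returns NULL when the name cannot be converted losslessly to ASCII, so such a name is dereferenced before the `NSAssert` that is meant to reject it; the `calloc` result is used unchecked as well. Fetching the C string once and copying only when it is non-NULL keeps the failure explicit, e.g. `const char *src = [digestName cStringUsingEncoding:NSASCIIStringEncoding];` followed by `self.cDigestName = src ? strdup(src) : NULL;` and a NULL check before the lookup. The properties are declared `const char *` but are written by `strncpy`, handed to `OSSL_PARAM_construct_utf8_string` and released with `free`, so plain `char *` would match their use. The same copy pattern is added in CryptoCTR.m, and the initializer continues outside the visible hunks.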
16 changes: 13 additions & 3 deletions Sources/CTunnelKitOpenVPNProtocol/CryptoCTR.m
@@ -38,6 +38,8 @@ @interface CryptoCTR ()

@property (nonatomic, unsafe_unretained) const EVP_CIPHER *cipher;
@property (nonatomic, unsafe_unretained) const EVP_MD *digest;
@property (nonatomic, unsafe_unretained) const char *cCipherName;
@property (nonatomic, unsafe_unretained) const char *cDigestName;
@property (nonatomic, assign) int cipherKeyLength;
@property (nonatomic, assign) int cipherIVLength;
@property (nonatomic, assign) int hmacKeyLength;
@@ -61,9 +63,14 @@ - (instancetype)initWithCipherName:(NSString *)cipherName digestName:(NSString *

self = [super init];
if (self) {
self.cipher = EVP_get_cipherbyname([cipherName cStringUsingEncoding:NSASCIIStringEncoding]);
self.cCipherName = calloc([cipherName length] + 1, sizeof(char));
strncpy(self.cCipherName, [cipherName cStringUsingEncoding:NSASCIIStringEncoding], [cipherName length]);
self.cipher = EVP_get_cipherbyname(self.cCipherName);
NSAssert(self.cipher, @"Unknown cipher '%@'", cipherName);
self.digest = EVP_get_digestbyname([digestName cStringUsingEncoding:NSASCIIStringEncoding]);

self.cDigestName = calloc([digestName length] + 1, sizeof(char));
strncpy(self.cDigestName, [digestName cStringUsingEncoding:NSASCIIStringEncoding], [digestName length]);
self.digest = EVP_get_digestbyname(self.cDigestName);
NSAssert(self.digest, @"Unknown digest '%@'", digestName);

self.cipherKeyLength = EVP_CIPHER_key_length(self.cipher);
@@ -94,7 +101,10 @@ - (void)dealloc
free(self.macParams);
bzero(self.bufferDecHMAC, CryptoCTRTagLength);
free(self.bufferDecHMAC);


free(self.cCipherName);
free(self.cDigestName);

self.cipher = NULL;
self.digest = NULL;
}
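Review bot: None of the hunks shown for CryptoCTR.m touches the `OSSL_PARAM` construction itself: the section adds, fills and frees `cCipherName`/`cDigestName`, but the code that builds `macParams` (freed in `dealloc`) lies outside the visible lines. If it still passes `[digestName cStringUsingEncoding:NSASCIIStringEncoding]`, as CryptoCBC.m did before this commit, the stored parameter would keep pointing at the temporary buffer and should be switched to `self.cDigestName`; this needs confirming against the full file. A short comment on the two properties, such as `// Owned copies; must outlive macParams, which points into cDigestName`, would record why they exist.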
