[PATCH] fips: Fix memory leaks in FIPS mode

Clemens Lang cllang at redhat.com
Fri Feb 11 16:55:24 CET 2022


* cipher/pubkey.c (_gcry_pk_sign_md): Fix memory leak in FIPS mode when
  used with SHA1
* tests/basic.c (check_one_cipher_core): Add missing free in error code
  triggered in FIPS mode
* tests/dsa-rfc6979.c (check_dsa_rfc6979): Likewise
* tests/pubkey.c (check_x931_derived_key): Likewise

--

Signed-off-by: Clemens Lang <cllang at redhat.com>
---
 cipher/pubkey.c     | 5 ++++-
 tests/basic.c       | 1 +
 tests/dsa-rfc6979.c | 2 ++
 tests/pubkey.c      | 1 +
 4 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/cipher/pubkey.c b/cipher/pubkey.c
index 7fdb7771..8deeced6 100644
--- a/cipher/pubkey.c
+++ b/cipher/pubkey.c
@@ -516,7 +516,10 @@ _gcry_pk_sign_md (gcry_sexp_t *r_sig, const char *tmpl, gcry_md_hd_t hd_orig,
       algo = _gcry_md_get_algo (hd);
 
       if (fips_mode () && algo == GCRY_MD_SHA1)
-        return GPG_ERR_DIGEST_ALGO;
+        {
+          _gcry_md_close (hd);
+          return GPG_ERR_DIGEST_ALGO;
+        }
 
       digest = _gcry_md_read (hd, 0);
     }
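Review bot: The early return in the FIPS SHA-1 branch of `_gcry_pk_sign_md` now has to close `hd` by hand, and any other return between the point where `hd` is obtained and the end of the function needs the same care; those paths are outside this hunk and could not be checked here. A single exit path would make this harder to miss, for example setting the error code and jumping to one label that calls `_gcry_md_close (hd)`. If the early return stays, a comment above the check such as `/* hd appears to be our own handle (the caller's is hd_orig); close it on every exit. */` would document the ownership, since a leaked handle presumably keeps the hash state of the data to be signed alive. The test hunks in tests/basic.c, tests/dsa-rfc6979.c and tests/pubkey.c use the same release-before-jump pattern.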
diff --git a/tests/basic.c b/tests/basic.c
index 32be7c2f..a0ad33eb 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -11047,6 +11047,7 @@ check_one_cipher_core (int algo, int mode, int flags,
       if (!err)
         fail ("pass %d, algo %d, mode %d, gcry_cipher_encrypt is expected to "
               "fail in FIPS mode: %s\n", pass, algo, mode, gpg_strerror (err));
+      gcry_cipher_close (hd);
       goto err_out_free;
     }
   if (err)
diff --git a/tests/dsa-rfc6979.c b/tests/dsa-rfc6979.c
index cd68cd25..79b25c3d 100644
--- a/tests/dsa-rfc6979.c
+++ b/tests/dsa-rfc6979.c
@@ -943,6 +943,8 @@ check_dsa_rfc6979 (void)
         {
           if (!err)
             fail ("signing should not work in FIPS mode: %s\n", gpg_strerror (err));
+          gcry_sexp_release (data);
+          gcry_sexp_release (seckey);
           continue;
         }
       if (err)
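Review bot: In the `!err` case reported by `fail`, where signing unexpectedly succeeds in FIPS mode, the `continue` releases `data` and `seckey` but not whatever result object the signing call produced. The signing call and its output variable are outside this hunk, so this is inferred rather than seen. If the result is an S-expression, releasing it here as well, `gcry_sexp_release (<result variable>);`, keeps the failure path clean under a leak checker. The loop body of check_dsa_rfc6979 starts and ends outside the hunk.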
diff --git a/tests/pubkey.c b/tests/pubkey.c
index c5510d05..b352490b 100644
--- a/tests/pubkey.c
+++ b/tests/pubkey.c
@@ -1035,6 +1035,7 @@ check_x931_derived_key (int what)
     if (in_fips_mode && nbits < 2048)
       {
         info("RSA key test with %d bits skipped in fips mode\n", nbits);
+        gcry_sexp_release (key_spec);
         goto leave;
       }
   }
-- 
2.34.1



