GET /api/patches/134160/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 134160,
    "url": "http://patches.dpdk.org/api/patches/134160/?format=api",
    "web_url": "http://patches.dpdk.org/project/dpdk/patch/20231113131623.1485483-1-ciara.power@intel.com/",
    "project": {
        "id": 1,
        "url": "http://patches.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<20231113131623.1485483-1-ciara.power@intel.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/20231113131623.1485483-1-ciara.power@intel.com",
    "date": "2023-11-13T13:16:23",
    "name": "[v3] crypto/openssl: fix asym memory leaks",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": true,
    "hash": "dd2b924fddfaf62851e423130478ace1642b4896",
    "submitter": {
        "id": 978,
        "url": "http://patches.dpdk.org/api/people/978/?format=api",
        "name": "Power, Ciara",
        "email": "ciara.power@intel.com"
    },
    "delegate": {
        "id": 6690,
        "url": "http://patches.dpdk.org/api/users/6690/?format=api",
        "username": "akhil",
        "first_name": "akhil",
        "last_name": "goyal",
        "email": "gakhil@marvell.com"
    },
    "mbox": "http://patches.dpdk.org/project/dpdk/patch/20231113131623.1485483-1-ciara.power@intel.com/mbox/",
    "series": [
        {
            "id": 30270,
            "url": "http://patches.dpdk.org/api/series/30270/?format=api",
            "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=30270",
            "date": "2023-11-13T13:16:23",
            "name": "[v3] crypto/openssl: fix asym memory leaks",
            "version": 3,
            "mbox": "http://patches.dpdk.org/series/30270/mbox/"
        }
    ],
    "comments": "http://patches.dpdk.org/api/patches/134160/comments/",
    "check": "warning",
    "checks": "http://patches.dpdk.org/api/patches/134160/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@inbox.dpdk.org",
        "Delivered-To": "patchwork@inbox.dpdk.org",
        "Received": [
            "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 7DFF54331B;\n\tMon, 13 Nov 2023 14:16:31 +0100 (CET)",
            "from mails.dpdk.org (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id ED673402F0;\n\tMon, 13 Nov 2023 14:16:30 +0100 (CET)",
            "from mgamail.intel.com (mgamail.intel.com [192.55.52.115])\n by mails.dpdk.org (Postfix) with ESMTP id D3D5A402AE;\n Mon, 13 Nov 2023 14:16:28 +0100 (CET)",
            "from orsmga008.jf.intel.com ([10.7.209.65])\n by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 13 Nov 2023 05:16:27 -0800",
            "from silpixa00400355.ir.intel.com (HELO\n silpixa00400355.ger.corp.intel.com) ([10.237.222.80])\n by orsmga008.jf.intel.com with ESMTP; 13 Nov 2023 05:16:25 -0800"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple;\n d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n t=1699881389; x=1731417389;\n h=from:to:cc:subject:date:message-id:in-reply-to:\n references:mime-version:content-transfer-encoding;\n bh=sI+LTcbzAJUwrTlGBKYSA4XIKmCa0rGAJ6vzGEjjOzs=;\n b=ZgbfOlZbTemeg5fo2NHnOJqNTRduoa+yUYHYNE7s1hiVfmNKWPaVf7vV\n hRbTMizx6IqTYJ6jq4xToLRMSC6XgkNopfWDEPUTyK/bixDkR7lo8tJMG\n Bt5cSuSxviMA4HL4Y+yptMKiOyR7HrNwxjWZH4tImT1WpuG2KrwKFm2gR\n HhSzLXdulRwEbDp3n7Bgbfde2WJD2iKLEaH03Lrc8nw9bpBEgRnqzjhE7\n x2aT2IAPRlbdluOIbCLpjEfwK5Z3aOgHuc8mosZG+p7vIqqi+KVNTLsdg\n 0PG52yMddHkxmDnkSUjjvklVceFDWzoNXbGgphM1umpoUG8+ru1ebDrbB A==;",
        "X-IronPort-AV": [
            "E=McAfee;i=\"6600,9927,10893\"; a=\"390237885\"",
            "E=Sophos;i=\"6.03,299,1694761200\"; d=\"scan'208\";a=\"390237885\"",
            "E=McAfee;i=\"6600,9927,10893\"; a=\"793436803\"",
            "E=Sophos;i=\"6.03,299,1694761200\"; d=\"scan'208\";a=\"793436803\""
        ],
        "X-ExtLoop1": "1",
        "From": "Ciara Power <ciara.power@intel.com>",
        "To": "dev@dpdk.org",
        "Cc": "gakhil@marvell.com, Ciara Power <ciara.power@intel.com>, kai.ji@intel.com,\n gmuthukrishn@marvell.com, sunila.sahu@caviumnetworks.com, stable@dpdk.org",
        "Subject": "[PATCH v3] crypto/openssl: fix asym memory leaks",
        "Date": "Mon, 13 Nov 2023 13:16:23 +0000",
        "Message-Id": "<20231113131623.1485483-1-ciara.power@intel.com>",
        "X-Mailer": "git-send-email 2.25.1",
        "In-Reply-To": "<20231103154516.3456536-1-ciara.power@intel.com>",
        "References": "<20231103154516.3456536-1-ciara.power@intel.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "DPDK patches and discussions <dev.dpdk.org>",
        "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://mails.dpdk.org/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org"
    },
    "content": "Numerous memory leaks were detected by ASAN\nin the OpenSSL PMD asymmetric code path.\n\nThese are now fixed to free all variables allocated\nby OpenSSL functions such as BN_bin2bn and\nOSSL_PARAM_BLD_new.\n\nSome need to exist until the op is processed,\nfor example the BIGNUMs associated with DSA.\nThe pointers for these are added to the private\nasym session so they can be accessed later when calling free.\n\nSome cases need to be treated differently if OpenSSL < 3.0.\nIt has slightly different handling of memory, as functions such as\nRSA_set0_key() take over memory management of values,\nso the caller should not free the values.\n\nFixes: 4c7ae22f1f83 (\"crypto/openssl: update DSA routine with 3.0 EVP API\")\nFixes: c794b40c9258 (\"crypto/openssl: update DH routine with 3.0 EVP API\")\nFixes: 3b7d638fb11f (\"crypto/openssl: support asymmetric SM2\")\nFixes: ac42813a0a7c (\"crypto/openssl: add DH and DSA asym operations\")\nFixes: d7bd42f6db19 (\"crypto/openssl: update RSA routine with 3.0 EVP API\")\nFixes: ad149f93093e (\"crypto/openssl: fix memory leaks in asym ops\")\nCc: kai.ji@intel.com\nCc: gmuthukrishn@marvell.com\nCc: sunila.sahu@caviumnetworks.com\nCc: stable@dpdk.org\n\nSigned-off-by: Ciara Power <ciara.power@intel.com>\nAcked-by: Kai Ji <kai.ji@intel.com>\n\n---\nv2: Added a few more fixes for OpenSSL < 3.0 cases.\nv3: Fixed long line.\n---\n drivers/crypto/openssl/openssl_pmd_private.h |  6 ++\n drivers/crypto/openssl/rte_openssl_pmd.c     |  1 +\n drivers/crypto/openssl/rte_openssl_pmd_ops.c | 99 +++++++++++++-------\n 3 files changed, 74 insertions(+), 32 deletions(-)",
    "diff": "diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h\nindex 1edb669dfd..334912d335 100644\n--- a/drivers/crypto/openssl/openssl_pmd_private.h\n+++ b/drivers/crypto/openssl/openssl_pmd_private.h\n@@ -190,6 +190,8 @@ struct openssl_asym_session {\n \t\tstruct dh {\n \t\t\tDH *dh_key;\n \t\t\tuint32_t key_op;\n+\t\t\tBIGNUM *p;\n+\t\t\tBIGNUM *g;\n #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n \t\t\tOSSL_PARAM_BLD * param_bld;\n \t\t\tOSSL_PARAM_BLD *param_bld_peer;\n@@ -199,6 +201,10 @@ struct openssl_asym_session {\n \t\t\tDSA *dsa;\n #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n \t\t\tOSSL_PARAM_BLD * param_bld;\n+\t\t\tBIGNUM *p;\n+\t\t\tBIGNUM *g;\n+\t\t\tBIGNUM *q;\n+\t\t\tBIGNUM *priv_key;\n #endif\n \t\t} s;\n \t\tstruct {\ndiff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c\nindex 9d463520ff..e8cb09defc 100644\n--- a/drivers/crypto/openssl/rte_openssl_pmd.c\n+++ b/drivers/crypto/openssl/rte_openssl_pmd.c\n@@ -1960,6 +1960,7 @@ process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,\n \t\tOSSL_PARAM_free(params);\n \tEVP_PKEY_CTX_free(key_ctx);\n \tEVP_PKEY_CTX_free(dsa_ctx);\n+\tEVP_PKEY_free(pkey);\n \treturn ret;\n }\n \ndiff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c\nindex db5579bdb1..b16baaa08f 100644\n--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c\n+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c\n@@ -1032,7 +1032,7 @@ static int openssl_set_asym_session_parameters(\n \t\t}\n \t\tasym_session->u.r.rsa = rsa;\n \t\tasym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;\n-\t\tret = 0;\n+\t\tbreak;\n #endif\n err_rsa:\n \t\tBN_clear_free(n);\n@@ -1106,22 +1106,22 @@ static int openssl_set_asym_session_parameters(\n \t}\n \tcase RTE_CRYPTO_ASYM_XFORM_DH:\n \t{\n-\t\tBIGNUM *p = NULL;\n-\t\tBIGNUM *g = NULL;\n+\t\tDH *dh = NULL;\n+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n+\t\tBIGNUM 
**p = &asym_session->u.dh.p;\n+\t\tBIGNUM **g = &asym_session->u.dh.g;\n \n-\t\tp = BN_bin2bn((const unsigned char *)\n+\t\t*p = BN_bin2bn((const unsigned char *)\n \t\t\t\txform->dh.p.data,\n \t\t\t\txform->dh.p.length,\n-\t\t\t\tp);\n-\t\tg = BN_bin2bn((const unsigned char *)\n+\t\t\t\t*p);\n+\t\t*g = BN_bin2bn((const unsigned char *)\n \t\t\t\txform->dh.g.data,\n \t\t\t\txform->dh.g.length,\n-\t\t\t\tg);\n-\t\tif (!p || !g)\n+\t\t\t\t*g);\n+\t\tif (!*p || !*g)\n \t\t\tgoto err_dh;\n \n-\t\tDH *dh = NULL;\n-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n \t\tOSSL_PARAM_BLD *param_bld = NULL;\n \t\tparam_bld = OSSL_PARAM_BLD_new();\n \t\tif (!param_bld) {\n@@ -1131,9 +1131,9 @@ static int openssl_set_asym_session_parameters(\n \t\tif ((!OSSL_PARAM_BLD_push_utf8_string(param_bld,\n \t\t\t\t\t\"group\", \"ffdhe2048\", 0))\n \t\t\t|| (!OSSL_PARAM_BLD_push_BN(param_bld,\n-\t\t\t\t\tOSSL_PKEY_PARAM_FFC_P, p))\n+\t\t\t\t\tOSSL_PKEY_PARAM_FFC_P, *p))\n \t\t\t|| (!OSSL_PARAM_BLD_push_BN(param_bld,\n-\t\t\t\t\tOSSL_PKEY_PARAM_FFC_G, g))) {\n+\t\t\t\t\tOSSL_PKEY_PARAM_FFC_G, *g))) {\n \t\t\tOSSL_PARAM_BLD_free(param_bld);\n \t\t\tgoto err_dh;\n \t\t}\n@@ -1148,9 +1148,9 @@ static int openssl_set_asym_session_parameters(\n \t\tif ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer,\n \t\t\t\t\t\"group\", \"ffdhe2048\", 0))\n \t\t\t|| (!OSSL_PARAM_BLD_push_BN(param_bld_peer,\n-\t\t\t\t\tOSSL_PKEY_PARAM_FFC_P, p))\n+\t\t\t\t\tOSSL_PKEY_PARAM_FFC_P, *p))\n \t\t\t|| (!OSSL_PARAM_BLD_push_BN(param_bld_peer,\n-\t\t\t\t\tOSSL_PKEY_PARAM_FFC_G, g))) {\n+\t\t\t\t\tOSSL_PKEY_PARAM_FFC_G, *g))) {\n \t\t\tOSSL_PARAM_BLD_free(param_bld);\n \t\t\tOSSL_PARAM_BLD_free(param_bld_peer);\n \t\t\tgoto err_dh;\n@@ -1159,6 +1159,20 @@ static int openssl_set_asym_session_parameters(\n \t\tasym_session->u.dh.param_bld = param_bld;\n \t\tasym_session->u.dh.param_bld_peer = param_bld_peer;\n #else\n+\t\tBIGNUM *p = NULL;\n+\t\tBIGNUM *g = NULL;\n+\n+\t\tp = BN_bin2bn((const unsigned char 
*)\n+\t\t\t\txform->dh.p.data,\n+\t\t\t\txform->dh.p.length,\n+\t\t\t\tp);\n+\t\tg = BN_bin2bn((const unsigned char *)\n+\t\t\t\txform->dh.g.data,\n+\t\t\t\txform->dh.g.length,\n+\t\t\t\tg);\n+\t\tif (!p || !g)\n+\t\t\tgoto err_dh;\n+\n \t\tdh = DH_new();\n \t\tif (dh == NULL) {\n \t\t\tOPENSSL_LOG(ERR,\n@@ -1177,40 +1191,47 @@ static int openssl_set_asym_session_parameters(\n \n err_dh:\n \t\tOPENSSL_LOG(ERR, \" failed to set dh params\\n\");\n+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n+\t\tBN_free(*p);\n+\t\tBN_free(*g);\n+#else\n \t\tBN_free(p);\n \t\tBN_free(g);\n+#endif\n \t\treturn -1;\n \t}\n \tcase RTE_CRYPTO_ASYM_XFORM_DSA:\n \t{\n #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n-\t\tBIGNUM *p = NULL, *g = NULL;\n-\t\tBIGNUM *q = NULL, *priv_key = NULL;\n+\t\tBIGNUM **p = &asym_session->u.s.p;\n+\t\tBIGNUM **g = &asym_session->u.s.g;\n+\t\tBIGNUM **q = &asym_session->u.s.q;\n+\t\tBIGNUM **priv_key = &asym_session->u.s.priv_key;\n \t\tBIGNUM *pub_key = NULL;\n \t\tOSSL_PARAM_BLD *param_bld = NULL;\n \n-\t\tp = BN_bin2bn((const unsigned char *)\n+\t\t*p = BN_bin2bn((const unsigned char *)\n \t\t\t\txform->dsa.p.data,\n \t\t\t\txform->dsa.p.length,\n-\t\t\t\tp);\n+\t\t\t\t*p);\n \n-\t\tg = BN_bin2bn((const unsigned char *)\n+\t\t*g = BN_bin2bn((const unsigned char *)\n \t\t\t\txform->dsa.g.data,\n \t\t\t\txform->dsa.g.length,\n-\t\t\t\tg);\n+\t\t\t\t*g);\n \n-\t\tq = BN_bin2bn((const unsigned char *)\n+\t\t*q = BN_bin2bn((const unsigned char *)\n \t\t\t\txform->dsa.q.data,\n \t\t\t\txform->dsa.q.length,\n-\t\t\t\tq);\n-\t\tif (!p || !q || !g)\n+\t\t\t\t*q);\n+\t\tif (!*p || !*q || !*g)\n \t\t\tgoto err_dsa;\n \n-\t\tpriv_key = BN_bin2bn((const unsigned char *)\n+\t\t*priv_key = BN_bin2bn((const unsigned char *)\n \t\t\t\txform->dsa.x.data,\n \t\t\t\txform->dsa.x.length,\n-\t\t\t\tpriv_key);\n-\t\tif (priv_key == NULL)\n+\t\t\t\t*priv_key);\n+\t\tif (*priv_key == NULL)\n \t\t\tgoto err_dsa;\n \n \t\tparam_bld = OSSL_PARAM_BLD_new();\n@@ -1219,10 +1240,11 @@ 
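Review bot: The `err_dh` path for OpenSSL >= 3.0 frees `*p` and `*g` but leaves `asym_session->u.dh.p` and `asym_session->u.dh.g` pointing at the freed BIGNUMs, because `p` and `g` now alias the session fields instead of being locals. This same patch makes `openssl_reset_asym_session` call `BN_clear_free` on those fields, so a reset of a session whose setup failed (the caller is not visible here) would free them a second time. Clearing the field after each free, e.g. `BN_free(*p); *p = NULL;`, removes the stale pointer; the `err_dsa` path in a later hunk has the same pattern for `p`, `q`, `g` and `priv_key`, and the `BN_clear_free` calls added to the reset function could also NULL the fields, as the DSA branch already does for `param_bld`. The enclosing function starts and ends outside this hunk.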
static int openssl_set_asym_session_parameters(\n \t\t\tgoto err_dsa;\n \t\t}\n \n-\t\tif (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p)\n-\t\t\t|| !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g)\n-\t\t\t|| !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q)\n-\t\t\t|| !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) {\n+\t\tif (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, *p)\n+\t\t\t|| !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, *g)\n+\t\t\t|| !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, *q)\n+\t\t\t|| !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,\n+\t\t\t*priv_key)) {\n \t\t\tOSSL_PARAM_BLD_free(param_bld);\n \t\t\tOPENSSL_LOG(ERR, \"failed to allocate resources\\n\");\n \t\t\tgoto err_dsa;\n@@ -1286,17 +1308,24 @@ static int openssl_set_asym_session_parameters(\n \t\tif (ret) {\n \t\t\tDSA_free(dsa);\n \t\t\tOPENSSL_LOG(ERR, \"Failed to set keys\\n\");\n-\t\t\treturn -1;\n+\t\t\tgoto err_dsa;\n \t\t}\n \t\tasym_session->u.s.dsa = dsa;\n \t\tasym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;\n \t\tbreak;\n #endif\n err_dsa:\n+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n+\t\tBN_free(*p);\n+\t\tBN_free(*q);\n+\t\tBN_free(*g);\n+\t\tBN_free(*priv_key);\n+#else\n \t\tBN_free(p);\n \t\tBN_free(q);\n \t\tBN_free(g);\n \t\tBN_free(priv_key);\n+#endif\n \t\tBN_free(pub_key);\n \t\treturn -1;\n \t}\n@@ -1307,7 +1336,7 @@ static int openssl_set_asym_session_parameters(\n \t\tOSSL_PARAM_BLD *param_bld = NULL;\n \t\tOSSL_PARAM *params = NULL;\n \t\tBIGNUM *pkey_bn = NULL;\n-\t\tuint8_t pubkey[64];\n+\t\tuint8_t pubkey[65];\n \t\tsize_t len = 0;\n \t\tint ret = -1;\n \n@@ -1462,11 +1491,17 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)\n \t\tif (sess->u.dh.dh_key)\n \t\t\tDH_free(sess->u.dh.dh_key);\n #endif\n+\t\tBN_clear_free(sess->u.dh.p);\n+\t\tBN_clear_free(sess->u.dh.g);\n \t\tbreak;\n \tcase RTE_CRYPTO_ASYM_XFORM_DSA:\n 
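Review bot: In the pre-3.0 branch, replacing `return -1` with `goto err_dsa` after `DSA_free(dsa)` can free `p`, `q` and `g` twice if an earlier call outside this hunk already transferred them to `dsa`; the commit message itself notes that set0-style functions take over memory management. If that is the case, the locals should be cleared once ownership moves, e.g. `p = q = g = NULL;` right after the successful parameter-setting call, so that `err_dsa` frees only what the caller still owns. Separately, both branches of `err_dsa` release the DSA private key with `BN_free`; `BN_clear_free(*priv_key);` (and `BN_clear_free(priv_key);` in the `#else` branch) would zeroize it, as the reset path does. The `case` block begins before this hunk.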
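Review bot: The new size in `uint8_t pubkey[65];` is an unexplained magic number, and the commit message, which is about leaks, does not mention this change. A short comment such as `/* uncompressed EC point: 1-byte prefix + 2 * 32-byte coordinates (assumed; confirm) */` would record why 64 was too small. The code that fills `pubkey` is outside this hunk, so it is worth confirming that the copies into it are bounded by `sizeof(pubkey)` and not only by caller-supplied lengths.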
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n \t\tOSSL_PARAM_BLD_free(sess->u.s.param_bld);\n \t\tsess->u.s.param_bld = NULL;\n+\t\tBN_clear_free(sess->u.s.p);\n+\t\tBN_clear_free(sess->u.s.q);\n+\t\tBN_clear_free(sess->u.s.g);\n+\t\tBN_clear_free(sess->u.s.priv_key);\n #else\n \t\tif (sess->u.s.dsa)\n \t\t\tDSA_free(sess->u.s.dsa);\n",
    "prefixes": [
        "v3"
    ]
}