RHEL / RHEL-32332

Curl_ossl_md5sum() doesn't check for errors when computing the digest

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • rhel-8.9.0.z
    • rhel-8.9.0
    • curl
    • Moderate
    • rhel-sst-cs-plumbers
    • ssg_core_services
    • Red Hat Enterprise Linux
    • All

      What were you trying to do that didn't work?

      A customer connects to RH repositories through a proxy requiring NTLM authentication.
      When libcurl tries to authenticate, it crashes while computing an MD5 digest, because the system is in FIPS mode.
      Investigation showed that Curl_ossl_md5sum() was not checking return values at all:

      3795 static CURLcode Curl_ossl_md5sum(unsigned char *tmp, /* input */
      3796                                  size_t tmplen,
      3797                                  unsigned char *md5sum /* output */,
      3798                                  size_t unused)
      3799 {
      3800   EVP_MD_CTX *mdctx;
      3801   unsigned int len = 0;
      3802   (void) unused;
      3803 
      3804   mdctx = EVP_MD_CTX_create();
      3805   EVP_DigestInit_ex(mdctx, EVP_md5(), NULL);    <<<<< THIS CALL RETURNED AN ERROR
      3806   EVP_DigestUpdate(mdctx, tmp, tmplen);         <<<<< CRASHED HERE DUE TO NOT HANDLING PREVIOUS ERROR
      3807   EVP_DigestFinal_ex(mdctx, md5sum, &len);
      3808   EVP_MD_CTX_destroy(mdctx);
      3809   return CURLE_OK;
      3810 }
      

      Because of FIPS mode, an error popped up on line 3805, but that error got ignored, causing a crash to occur because mdctx remained initialized to zero.

      I can reproduce the behavior through crafting a simple reproducer based on the above code.
      I could then see that EVP_DigestInit_ex() (openssl library) was returning 0 (failure) because of hitting line 135:

      132         if (FIPS_mode()) {
      133             if (!(type->flags & EVP_MD_FLAG_FIPS)
      134                 && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
      135                 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
      136                 return 0;
      137             }
      138         }
      

      Please provide the package NVR for which the bug is seen:

      libcurl-7.61.1-33.el8_9.5.x86_64

      How reproducible:

      N/A

              Jacek Migacz (jmigacz@redhat.com)
              Renaud Métrich (rhn-support-rmetrich)
              Jacek Migacz
              Daniel Rusek
              Votes: 0
              Watchers: 4