On 06/10/2021 06:46, Suji wrote:
Hi,
I am getting an issue with EVP_PKEY_new_CMAC_key while using Engine as
an argument. It was a negative test case, passed an invalid key length.
It hits the error, and when the application exits, it gets a
segmentation fault.
From my analysis, the scenario seems like this. When the call happens,
the engine reference count e->funct_ref increases by 1 (CMAC_CTX_new), but
when this error occurs it is decreased by 2 (EVP_PKEY_free and
CMAC_CTX_free). When the application exits it again tries
EVP_PKEY_free and this issue happens. The call never reaches the engine,
as it is an error case.
It seems like a bug to me, as one of these EVP_PKEY_free calls should be avoided.
Any analysis on this?

This looks like a bug to me. It seems to me that the internal function
pkey_set_type() is consuming the ENGINE reference when it should not do
so. This means when we come to free things up, we free up one too many
references.
I've raised an issue for it here:
https://github.com/openssl/openssl/issues/16757
Matt
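The reference accounting Suji describes (one ENGINE_init from CMAC_CTX_new, two ENGINE_finish calls on the error path) can be checked with a small model. The code below is an added illustration, not OpenSSL code and not the code from the linked issue: sim_engine, sim_pkey_set_type and the other sim_* names are a constructed stand-in, and the consume_ref flag models the behaviour Matt suspects in pkey_set_type.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: only the functional reference count matters here.
 * It is not OpenSSL's ENGINE structure. */
typedef struct { int funct_ref; } sim_engine;

static void sim_engine_init(sim_engine *e)   { e->funct_ref++; }
static void sim_engine_finish(sim_engine *e) { e->funct_ref--; }

typedef struct { sim_engine *e; } sim_cmac_ctx;
typedef struct { sim_engine *e; sim_cmac_ctx *ctx; } sim_pkey;

/* Models CMAC_CTX_new(e): the context takes its own functional reference. */
static sim_cmac_ctx *sim_cmac_ctx_new(sim_engine *e) {
    sim_cmac_ctx *c = calloc(1, sizeof *c);
    c->e = e;
    sim_engine_init(e);
    return c;
}
static void sim_cmac_ctx_free(sim_cmac_ctx *c) {
    if (c == NULL) return;
    if (c->e != NULL) sim_engine_finish(c->e);
    free(c);
}
/* consume_ref != 0 models the suspected defect: the pkey records the engine
 * without taking a reference of its own, yet sim_pkey_free releases one. */
static void sim_pkey_set_type(sim_pkey *p, sim_engine *e, int consume_ref) {
    p->e = e;
    if (!consume_ref) sim_engine_init(e);
}
/* Models EVP_PKEY_free: frees the CMAC context, then the pkey's engine ref. */
static void sim_pkey_free(sim_pkey *p) {
    if (p == NULL) return;
    sim_cmac_ctx_free(p->ctx);
    if (p->e != NULL) sim_engine_finish(p->e);
    free(p);
}
/* Walks the error path: set the type, create the context, hit the invalid
 * key length, tear everything down. Returns funct_ref after teardown; a
 * balanced constructor leaves it at 0, the consuming variant at -1. */
int error_path_balance(int consume_ref) {
    sim_engine eng = { 0 };
    sim_pkey *p = calloc(1, sizeof *p);
    sim_pkey_set_type(p, &eng, consume_ref);
    p->ctx = sim_cmac_ctx_new(&eng);
    sim_pkey_free(p);           /* invalid key length: unwind here */
    return eng.funct_ref;
}
```

A negative result means a reference the caller still holds was released, which is the state in which a later EVP_PKEY_free or ENGINE_finish at exit can crash.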