From e14137a86ccdc934607ab4030a8ff14864806475 Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 17:32:20 +0000 Subject: [PATCH 01/22] digests: add missing NULL parameter checks Mirror NULL-parameter checks performed by the OpenSSL default provider in providers/implementations/digests/. - p_scossl_shake_set_ctx_params: check ctx and params for NULL - p_scossl_cshake_set_ctx_params: check ctx and params for NULL - p_scossl_cshake_settable_ctx_params: tolerate NULL ctx - p_scossl_digest_get_state_internal: check ctx and params for NULL - p_scossl_digest_set_state_internal: check ctx and params for NULL Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../src/digests/p_scossl_cshake.c | 15 ++++++++++++++ .../src/digests/p_scossl_digest_generic.c | 20 +++++++++++++++++++ SymCryptProvider/src/digests/p_scossl_shake.c | 10 ++++++++++ 3 files changed, 45 insertions(+) diff --git a/SymCryptProvider/src/digests/p_scossl_cshake.c b/SymCryptProvider/src/digests/p_scossl_cshake.c index b3f58389..3f47be89 100644 --- a/SymCryptProvider/src/digests/p_scossl_cshake.c +++ b/SymCryptProvider/src/digests/p_scossl_cshake.c @@ -296,6 +296,16 @@ static SCOSSL_STATUS p_scossl_cshake_set_ctx_params(_Inout_ SCOSSL_CSHAKE_CTX *c { const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, SCOSSL_DIGEST_PARAM_FUNCTION_NAME_STRING)) != NULL) { if (ctx->xofState != SCOSSL_XOF_STATE_INIT) @@ -344,6 +354,11 @@ static SCOSSL_STATUS p_scossl_cshake_set_ctx_params(_Inout_ SCOSSL_CSHAKE_CTX *c static const OSSL_PARAM *p_scossl_cshake_settable_ctx_params(_In_ SCOSSL_CSHAKE_CTX *ctx, ossl_unused void *provctx) { + if (ctx == NULL) + { + return p_scossl_cshake_settable_ctx_param_types; + } + return ctx->xofState == SCOSSL_XOF_STATE_INIT ? p_scossl_cshake_settable_ctx_param_types : p_scossl_cshake_settable_ctx_param_types_initialized; } 
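Review bot: The `ctx == NULL` branch added to p_scossl_cshake_set_ctx_params returns SCOSSL_FAILURE without putting anything on the error queue, so the caller gets a bare failure with no reason attached. Patches 10 and 11 of this series add `ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER);` to the same branch in p_scossl_rsa_cipher.c and p_scossl_aes_aead.c. The same line fits here and in the identical ctx/genCtx/keyCtx checks added across patches 01-09, unless a later patch in the series already covers them. The function body continues past the end of the hunk.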
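Review bot: `_In_ SCOSSL_CSHAKE_CTX *ctx` on p_scossl_cshake_settable_ctx_params still annotates the pointer as required, while the new branch makes NULL a supported input. `_In_opt_` would match the behaviour. The same applies to the `_In_ const OSSL_PARAM params[]` arguments of the set_ctx_params functions in this series that now return success on NULL. If SAL-aware static analysis is run on this code, the mismatch may cause the new checks to be reported as redundant.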
diff --git a/SymCryptProvider/src/digests/p_scossl_digest_generic.c b/SymCryptProvider/src/digests/p_scossl_digest_generic.c index 59045653..8c57f921 100644 --- a/SymCryptProvider/src/digests/p_scossl_digest_generic.c +++ b/SymCryptProvider/src/digests/p_scossl_digest_generic.c @@ -44,6 +44,16 @@ static SCOSSL_STATUS p_scossl_digest_get_state_internal(_In_ SCOSSL_DIGEST_CTX * BYTE pbExportBlob[SCOSSL_MAX_STATE_EXPORT_BLOB_SIZE]; OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate(params, SCOSSL_DIGEST_PARAM_STATE)) != NULL) { pExportFunc(ctx->pState, pbExportBlob); @@ -67,6 +77,16 @@ static SCOSSL_STATUS p_scossl_digest_set_state_internal(_In_ SCOSSL_DIGEST_CTX * SYMCRYPT_ERROR scError; const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, SCOSSL_DIGEST_PARAM_STATE)) != NULL) { if (!OSSL_PARAM_get_octet_string_ptr(p, (void *)&pbImportBlob, &cbImportBlob)) diff --git a/SymCryptProvider/src/digests/p_scossl_shake.c b/SymCryptProvider/src/digests/p_scossl_shake.c index 98cd8810..4da2c154 100644 --- a/SymCryptProvider/src/digests/p_scossl_shake.c +++ b/SymCryptProvider/src/digests/p_scossl_shake.c @@ -19,6 +19,16 @@ static SCOSSL_STATUS p_scossl_shake_set_ctx_params(_Inout_ SCOSSL_DIGEST_CTX *ct { const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN)) != NULL && !OSSL_PARAM_get_size_t(p, &ctx->xofLen)) { From b5e02c48c0281f7855b6fbd71669734b5d11382e Mon Sep 17 00:00:00 2001 
From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 17:33:30 +0000 Subject: [PATCH 02/22] mac: add missing NULL parameter checks Mirror NULL-parameter checks performed by the OpenSSL default provider in providers/implementations/macs/. - p_scossl_hmac_set_ctx_params: check ctx and params for NULL - p_scossl_cmac_set_ctx_params: check ctx and params for NULL - p_scossl_kmac_set_ctx_params: check ctx and params for NULL Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- SymCryptProvider/src/mac/p_scossl_cmac.c | 10 ++++++++++ SymCryptProvider/src/mac/p_scossl_hmac.c | 10 ++++++++++ SymCryptProvider/src/mac/p_scossl_kmac.c | 10 ++++++++++ 3 files changed, 30 insertions(+) diff --git a/SymCryptProvider/src/mac/p_scossl_cmac.c b/SymCryptProvider/src/mac/p_scossl_cmac.c index 0024c125..198103c9 100644 --- a/SymCryptProvider/src/mac/p_scossl_cmac.c +++ b/SymCryptProvider/src/mac/p_scossl_cmac.c @@ -88,6 +88,16 @@ static SCOSSL_STATUS p_scossl_cmac_set_ctx_params(_Inout_ SCOSSL_MAC_CTX *ctx, _ { const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CIPHER)) != NULL) { SCOSSL_STATUS success; diff --git a/SymCryptProvider/src/mac/p_scossl_hmac.c b/SymCryptProvider/src/mac/p_scossl_hmac.c index 364d245d..04344268 100644 --- a/SymCryptProvider/src/mac/p_scossl_hmac.c +++ b/SymCryptProvider/src/mac/p_scossl_hmac.c @@ -147,6 +147,16 @@ static SCOSSL_STATUS p_scossl_hmac_set_ctx_params(_Inout_ SCOSSL_MAC_CTX *ctx, _ SCOSSL_STATUS ret = SCOSSL_FAILURE; const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_DIGEST)) != NULL) { OPENSSL_free(ctx->mdName); diff --git a/SymCryptProvider/src/mac/p_scossl_kmac.c b/SymCryptProvider/src/mac/p_scossl_kmac.c index 7083f820..ff00ee2a 100644 
--- a/SymCryptProvider/src/mac/p_scossl_kmac.c +++ b/SymCryptProvider/src/mac/p_scossl_kmac.c @@ -216,6 +216,16 @@ static SCOSSL_STATUS p_scossl_kmac_set_ctx_params(_Inout_ SCOSSL_KMAC_CTX *ctx, SYMCRYPT_ERROR scError; const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_XOF)) != NULL && !OSSL_PARAM_get_int(p, &ctx->xofMode)) { From 6b88dad9eea87f1ef894e887e6589a6bbf73f97f Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 17:35:07 +0000 Subject: [PATCH 03/22] kdf: add missing NULL parameter checks Mirror NULL-parameter checks performed by the OpenSSL default provider in providers/implementations/kdfs/. - p_scossl_hkdf_set_ctx_params: check ctx and params for NULL - p_scossl_tls13kdf_set_ctx_params: check ctx and params for NULL - p_scossl_kbkdf_set_ctx_params: check ctx and params for NULL - p_scossl_pbkdf2_set_ctx_params: check ctx and params for NULL - p_scossl_srtpkdf_set_ctx_params: check ctx and params for NULL - p_scossl_sshkdf_set_ctx_params: check ctx and params for NULL - p_scossl_sskdf_set_ctx_params: check ctx and params for NULL - p_scossl_tls1prf_set_ctx_params: check ctx and params for NULL Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- SymCryptProvider/src/kdf/p_scossl_hkdf.c | 20 ++++++++++++++++++++ SymCryptProvider/src/kdf/p_scossl_kbkdf.c | 10 ++++++++++ SymCryptProvider/src/kdf/p_scossl_pbkdf2.c | 10 ++++++++++ SymCryptProvider/src/kdf/p_scossl_srtpkdf.c | 10 ++++++++++ SymCryptProvider/src/kdf/p_scossl_sshkdf.c | 10 ++++++++++ SymCryptProvider/src/kdf/p_scossl_sskdf.c | 10 ++++++++++ SymCryptProvider/src/kdf/p_scossl_tls1prf.c | 10 ++++++++++ 7 files changed, 80 insertions(+) diff --git a/SymCryptProvider/src/kdf/p_scossl_hkdf.c b/SymCryptProvider/src/kdf/p_scossl_hkdf.c index 86e570fb..5a68cdf3 100644 --- a/SymCryptProvider/src/kdf/p_scossl_hkdf.c 
+++ b/SymCryptProvider/src/kdf/p_scossl_hkdf.c @@ -209,6 +209,16 @@ SCOSSL_STATUS p_scossl_hkdf_set_ctx_params(_Inout_ SCOSSL_PROV_HKDF_CTX *ctx, co SIZE_T cbInfo; const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) { int mode = -1; @@ -330,6 +340,16 @@ SCOSSL_STATUS p_scossl_tls13kdf_set_ctx_params(_Inout_ SCOSSL_PROV_HKDF_CTX *ctx { const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if (!p_scossl_hkdf_set_ctx_params(ctx, params)) return SCOSSL_FAILURE; diff --git a/SymCryptProvider/src/kdf/p_scossl_kbkdf.c b/SymCryptProvider/src/kdf/p_scossl_kbkdf.c index 9c3eb06f..3c4d42e9 100644 --- a/SymCryptProvider/src/kdf/p_scossl_kbkdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_kbkdf.c @@ -257,6 +257,16 @@ static SCOSSL_STATUS p_scossl_kbkdf_set_ctx_params(_Inout_ SCOSSL_PROV_KBKDF_CTX SCOSSL_STATUS ret = SCOSSL_FAILURE; const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) { if (!p_scossl_kbkdf_get_octet_string(p, &ctx->pbKey, &ctx->cbKey)) diff --git a/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c b/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c index b055f4d0..fd67a3d3 100644 --- a/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c +++ b/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c @@ -234,6 +234,16 @@ SCOSSL_STATUS p_scossl_pbkdf2_set_ctx_params(_Inout_ SCOSSL_PROV_PBKDF2_CTX *ctx SCOSSL_STATUS ret = SCOSSL_FAILURE; const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PKCS5)) != NULL) { int pkcs5; 
diff --git a/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c b/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c index 1d6866c9..271155ca 100644 --- a/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c @@ -218,6 +218,16 @@ static SCOSSL_STATUS p_scossl_srtpkdf_set_ctx_params(_Inout_ SCOSSL_PROV_SRTPKDF { const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) { PBYTE pbKey; diff --git a/SymCryptProvider/src/kdf/p_scossl_sshkdf.c b/SymCryptProvider/src/kdf/p_scossl_sshkdf.c index 31a64729..50169a8e 100644 --- a/SymCryptProvider/src/kdf/p_scossl_sshkdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_sshkdf.c @@ -191,6 +191,16 @@ SCOSSL_STATUS p_scossl_sshkdf_set_ctx_params(_Inout_ SCOSSL_PROV_SSHKDF_CTX *ctx { const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { PCSYMCRYPT_HASH symcryptHashAlg = NULL; diff --git a/SymCryptProvider/src/kdf/p_scossl_sskdf.c b/SymCryptProvider/src/kdf/p_scossl_sskdf.c index e8a6a1b9..f6b5aaf3 100644 --- a/SymCryptProvider/src/kdf/p_scossl_sskdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_sskdf.c @@ -288,6 +288,16 @@ SCOSSL_STATUS p_scossl_sskdf_set_ctx_params(_Inout_ SCOSSL_PROV_SSKDF_CTX *ctx, EVP_MD *md = NULL; SCOSSL_STATUS ret = SCOSSL_FAILURE; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL || // Shared secret may be set by OSSL_KDF_PARAM_KEY instead (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) diff --git a/SymCryptProvider/src/kdf/p_scossl_tls1prf.c b/SymCryptProvider/src/kdf/p_scossl_tls1prf.c index 22191a5a..4d38bfc2 100644 
--- a/SymCryptProvider/src/kdf/p_scossl_tls1prf.c +++ b/SymCryptProvider/src/kdf/p_scossl_tls1prf.c @@ -172,6 +172,16 @@ SCOSSL_STATUS p_scossl_tls1prf_set_ctx_params(_Inout_ SCOSSL_PROV_TLS1_PRF_CTX * SIZE_T cbSeed; SCOSSL_STATUS ret = SCOSSL_FAILURE; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { PCSYMCRYPT_MAC symcryptHmacAlg = NULL; From 4d1cbd1c8fa44e9d0a0bc0c8b3bf13284d7ba288 Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 17:36:23 +0000 Subject: [PATCH 04/22] ciphers: add missing NULL parameter checks Mirror NULL-parameter checks performed by the OpenSSL default provider in providers/implementations/ciphers/. - p_scossl_aes_generic_set_ctx_params: check ctx and params for NULL - p_scossl_aes_gcm_set_ctx_params: check ctx and params for NULL - p_scossl_aes_ccm_set_ctx_params: check ctx and params for NULL - p_scossl_aes_xts_set_ctx_params: check ctx and params for NULL Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- SymCryptProvider/src/ciphers/p_scossl_aes.c | 10 +++++++++ .../src/ciphers/p_scossl_aes_aead.c | 22 +++++++++++++++++++ .../src/ciphers/p_scossl_aes_xts.c | 10 +++++++++ 3 files changed, 42 insertions(+) diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes.c b/SymCryptProvider/src/ciphers/p_scossl_aes.c index e56908c3..5f7699ce 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes.c @@ -748,6 +748,16 @@ static SCOSSL_STATUS p_scossl_aes_generic_set_ctx_params(_Inout_ SCOSSL_AES_CTX { const OSSL_PARAM *p = NULL; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING)) != NULL) { unsigned int pad; 
diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c b/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c index 821f11ec..965994bd 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c @@ -249,6 +249,17 @@ static SCOSSL_STATUS p_scossl_aes_gcm_get_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C static SCOSSL_STATUS p_scossl_aes_gcm_set_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_CTX *ctx, _In_ const OSSL_PARAM params[]) { const OSSL_PARAM *p = NULL; + + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN); if (p != NULL) { @@ -509,6 +520,17 @@ static SCOSSL_STATUS p_scossl_aes_ccm_get_ctx_params(_In_ SCOSSL_CIPHER_CCM_CTX static SCOSSL_STATUS p_scossl_aes_ccm_set_ctx_params(_Inout_ SCOSSL_CIPHER_CCM_CTX *ctx, _In_ const OSSL_PARAM params[]) { const OSSL_PARAM *p = NULL; + + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN); if (p != NULL) { diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c b/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c index 4d44f485..59e33b13 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c @@ -244,6 +244,16 @@ static SCOSSL_STATUS p_scossl_aes_xts_set_ctx_params(_Inout_ SCOSSL_AES_XTS_CTX { const OSSL_PARAM *p = NULL; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); if (p != NULL) { From d1116bf0029aa2706bebead2b3c7ff54646589da Mon Sep 17 00:00:00 2001 
From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 17:37:06 +0000 Subject: [PATCH 05/22] kem: add missing NULL parameter checks Mirror NULL-parameter checks performed by the OpenSSL default provider in providers/implementations/kem/. - p_scossl_mlkem_set_ctx_params: check params for NULL Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- SymCryptProvider/src/kem/p_scossl_mlkem.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/SymCryptProvider/src/kem/p_scossl_mlkem.c b/SymCryptProvider/src/kem/p_scossl_mlkem.c index fe577d39..147087a1 100644 --- a/SymCryptProvider/src/kem/p_scossl_mlkem.c +++ b/SymCryptProvider/src/kem/p_scossl_mlkem.c @@ -291,6 +291,11 @@ static SCOSSL_STATUS p_scossl_mlkem_set_ctx_params(_In_ SCOSSL_MLKEM_CTX *ctx, _ return SCOSSL_FAILURE; } + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if (ctx->operation == EVP_PKEY_OP_ENCAPSULATE && (p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_IKME)) != NULL) { From 192d8723ad998d9bb50496f15a32e23637625fa4 Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 17:37:44 +0000 Subject: [PATCH 06/22] keyexch: add missing NULL parameter checks Mirror NULL-parameter checks performed by the OpenSSL default provider in providers/implementations/exchange/. - p_scossl_dh_set_ctx_params: check ctx and params for NULL - p_scossl_kdf_keyexch_set_ctx_params: check ctx and params for NULL Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- SymCryptProvider/src/keyexch/p_scossl_dh.c | 10 ++++++++++ SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/SymCryptProvider/src/keyexch/p_scossl_dh.c b/SymCryptProvider/src/keyexch/p_scossl_dh.c index 00ab7fea..db4d5e57 100644 --- a/SymCryptProvider/src/keyexch/p_scossl_dh.c +++ b/SymCryptProvider/src/keyexch/p_scossl_dh.c 
@@ -335,6 +335,16 @@ static SCOSSL_STATUS p_scossl_dh_set_ctx_params(_Inout_ SCOSSL_DH_CTX *ctx, _In_ SCOSSL_STATUS ret = SCOSSL_FAILURE; const OSSL_PARAM *p = NULL; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_PAD)) != NULL) { unsigned int pad; diff --git a/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c b/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c index 9ec83ffa..a9d55220 100644 --- a/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c +++ b/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c @@ -166,6 +166,16 @@ static SCOSSL_STATUS p_scossl_kdf_keyexch_derive(_In_ SCOSSL_KDF_KEYEXCH_CTX *ct static SCOSSL_STATUS p_scossl_kdf_keyexch_set_ctx_params(_Inout_ SCOSSL_KDF_KEYEXCH_CTX *ctx, _In_ const OSSL_PARAM params[]) { + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + return ctx->kdfFns->setCtxParams(ctx->kdfCtx, params); } From 359b4e1976b7f6cc2ef1bb8dbd3ef8bc79413193 Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 17:38:17 +0000 Subject: [PATCH 07/22] asymcipher: add missing NULL parameter checks Mirror NULL-parameter checks performed by the OpenSSL default provider in providers/implementations/asymciphers/. - p_scossl_rsa_cipher_get_ctx_params: check ctx for NULL - p_scossl_rsa_cipher_set_ctx_params: check ctx and params for NULL Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../src/asymcipher/p_scossl_rsa_cipher.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c b/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c index 0b1d6f7f..07bfc5bd 100644 --- a/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c +++ b/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c 
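Review bot: In p_scossl_kdf_keyexch_set_ctx_params the added guards cover ctx and params, but the forwarded call `ctx->kdfFns->setCtxParams(ctx->kdfCtx, params)` still dereferences ctx->kdfFns unchecked. If a context can exist before kdfFns is assigned (not visible from this hunk), the guard would need to be `if (ctx == NULL || ctx->kdfFns == NULL)`. Returning success on NULL params here also means the wrapped KDF's own set_ctx_params is never reached in that case. That is equivalent only while every wrapped implementation treats NULL params as a no-op, as the KDFs in patch 03 now do.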
@@ -246,6 +246,11 @@ static SCOSSL_STATUS p_scossl_rsa_cipher_get_ctx_params(_In_ SCOSSL_RSA_CIPHER_C { OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_PAD_MODE)) != NULL) { int i = 0; @@ -307,6 +312,16 @@ static SCOSSL_STATUS p_scossl_rsa_cipher_set_ctx_params(_Inout_ SCOSSL_RSA_CIPHE const OSSL_PARAM *param_propq; const char *mdName, *mdProps; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_PAD_MODE)) != NULL) { // Padding mode may be passed as legacy NID or string, and is From 4bd6aaed00b9ab111f965f3c65f873a00f6c9017 Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 17:39:10 +0000 Subject: [PATCH 08/22] signature: add missing NULL parameter checks Mirror NULL-parameter checks performed by the OpenSSL default provider in providers/implementations/signature/. - p_scossl_rsa_set_ctx_params: check ctx and params for NULL - p_scossl_rsa_get_ctx_params: check ctx for NULL - p_scossl_ecdsa_set_ctx_params: check ctx and params for NULL - p_scossl_ecdsa_get_ctx_params: check ctx for NULL Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../src/signature/p_scossl_ecdsa_signature.c | 15 +++++++++++++++ .../src/signature/p_scossl_rsa_signature.c | 15 +++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c b/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c index f455901a..573f477f 100644 --- a/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c +++ b/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c 
@@ -339,6 +339,16 @@ static SCOSSL_STATUS p_scossl_ecdsa_set_ctx_params(_Inout_ SCOSSL_ECDSA_CTX *ctx const OSSL_PARAM *param_propq; const char *mdname, *mdprops; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST)) != NULL) { if (!OSSL_PARAM_get_utf8_string_ptr(p, &mdname)) @@ -401,6 +411,11 @@ static const OSSL_PARAM *p_scossl_ecdsa_gettable_ctx_params(ossl_unused void *ct static SCOSSL_STATUS p_scossl_ecdsa_get_ctx_params(_In_ SCOSSL_ECDSA_CTX *ctx, _Inout_ OSSL_PARAM params[]) { + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + if (params == NULL) { return SCOSSL_SUCCESS; diff --git a/SymCryptProvider/src/signature/p_scossl_rsa_signature.c b/SymCryptProvider/src/signature/p_scossl_rsa_signature.c index 43d0783f..5032cd57 100644 --- a/SymCryptProvider/src/signature/p_scossl_rsa_signature.c +++ b/SymCryptProvider/src/signature/p_scossl_rsa_signature.c @@ -439,6 +439,16 @@ static SCOSSL_STATUS p_scossl_rsa_set_ctx_params(_Inout_ SCOSSL_RSA_SIGN_CTX *ct const OSSL_PARAM *p; const char *mdName, *mdProps; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST)) != NULL) { EVP_MD *md = NULL; @@ -807,6 +817,11 @@ static ASN1_STRING *p_scossl_rsa_pss_params_to_asn1_sequence(_In_ SCOSSL_RSA_SIG static SCOSSL_STATUS p_scossl_rsa_get_ctx_params(_In_ SCOSSL_RSA_SIGN_CTX *ctx, _Inout_ OSSL_PARAM params[]) { + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + if (params == NULL) { return SCOSSL_SUCCESS; From fbfe7dbfa24309ba42663ee05d53da5e09cdcab9 Mon Sep 17 00:00:00 2001 
From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 17:41:20 +0000 Subject: [PATCH 09/22] keymgmt: add missing NULL parameter checks Mirror NULL-parameter checks performed by the OpenSSL default provider in providers/implementations/keymgmt/. - p_scossl_rsa_keygen_set_params: check genCtx and params for NULL - p_scossl_dh_keygen_set_params: check genCtx and params for NULL - p_scossl_dh_keymgmt_set_params: check ctx and params for NULL - p_scossl_ecc_keygen_set_params: check genCtx and params for NULL - p_scossl_ecc_keymgmt_set_params: check keyCtx and params for NULL - p_scossl_mlkem_keymgmt_set_params: check keyCtx and params for NULL - p_scossl_mlkem_hybrid_keymgmt_set_params: check keyCtx and params for NULL Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../src/keymgmt/p_scossl_dh_keymgmt.c | 20 ++++++++++++++ .../src/keymgmt/p_scossl_ecc_keymgmt.c | 27 +++++++++++++++++-- .../keymgmt/p_scossl_mlkem_hybrid_keymgmt.c | 10 +++++++ .../src/keymgmt/p_scossl_mlkem_keymgmt.c | 10 +++++++ .../src/keymgmt/p_scossl_rsa_keymgmt.c | 10 +++++++ 5 files changed, 75 insertions(+), 2 deletions(-) diff --git a/SymCryptProvider/src/keymgmt/p_scossl_dh_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_dh_keymgmt.c index b0dacb33..57807e23 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_dh_keymgmt.c +++ b/SymCryptProvider/src/keymgmt/p_scossl_dh_keymgmt.c @@ -423,6 +423,16 @@ static SCOSSL_STATUS p_scossl_dh_keygen_set_params(_Inout_ SCOSSL_DH_KEYGEN_CTX BOOL groupSetByParams; const OSSL_PARAM *p; + if (genCtx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_TYPE)) != NULL) { const char *ffcTypeName; 
@@ -599,6 +609,16 @@ static SCOSSL_STATUS p_scossl_dh_keymgmt_set_params(_In_ SCOSSL_PROV_DH_KEY_CTX { const OSSL_PARAM *p; + if (ctx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) { SYMCRYPT_ERROR scError; diff --git a/SymCryptProvider/src/keymgmt/p_scossl_ecc_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_ecc_keymgmt.c index 5681b523..3a23ce5f 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_ecc_keymgmt.c +++ b/SymCryptProvider/src/keymgmt/p_scossl_ecc_keymgmt.c @@ -115,6 +115,16 @@ static SCOSSL_STATUS p_scossl_ecc_keygen_set_params(_Inout_ SCOSSL_ECC_KEYGEN_CT { const OSSL_PARAM *p; + if (genCtx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME)) != NULL) { EC_GROUP *ecGroup = EC_GROUP_new_from_params(params, genCtx->libctx, NULL); @@ -525,10 +535,23 @@ static SCOSSL_STATUS p_scossl_ecc_keymgmt_set_params(_Inout_ SCOSSL_ECC_KEY_CTX BN_CTX *bnCtx = NULL; EC_POINT *ecPoint = NULL; SCOSSL_STATUS ret = SCOSSL_FAILURE; - SYMCRYPT_NUMBER_FORMAT numFormat = keyCtx->isX25519 ? SYMCRYPT_NUMBER_FORMAT_LSB_FIRST : SYMCRYPT_NUMBER_FORMAT_MSB_FIRST; - SYMCRYPT_ECPOINT_FORMAT pointFormat = keyCtx->isX25519 ? SYMCRYPT_ECPOINT_FORMAT_X : SYMCRYPT_ECPOINT_FORMAT_XY; + SYMCRYPT_NUMBER_FORMAT numFormat; + SYMCRYPT_ECPOINT_FORMAT pointFormat; const OSSL_PARAM *p; + if (keyCtx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + + numFormat = keyCtx->isX25519 ? SYMCRYPT_NUMBER_FORMAT_LSB_FIRST : SYMCRYPT_NUMBER_FORMAT_MSB_FIRST; + pointFormat = keyCtx->isX25519 ? SYMCRYPT_ECPOINT_FORMAT_X : SYMCRYPT_ECPOINT_FORMAT_XY; + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) { SIZE_T encodedLen; 
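Review bot: In p_scossl_ecc_keymgmt_set_params, moving the `keyCtx->isX25519` reads out of the declarations is the change that actually removes a NULL dereference, and nothing in the code records that. A comment above the two assignments, for example `// Assigned after the NULL check on purpose; do not fold back into the declarations`, would keep a later tidy-up from reintroducing it. The other functions touched by this series show no ctx dereference in the initializers that are visible, but their declaration blocks are only partly inside the hunks. This function continues past the end of the hunk.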
diff --git a/SymCryptProvider/src/keymgmt/p_scossl_mlkem_hybrid_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_mlkem_hybrid_keymgmt.c index fd6ac059..073868a8 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_mlkem_hybrid_keymgmt.c +++ b/SymCryptProvider/src/keymgmt/p_scossl_mlkem_hybrid_keymgmt.c @@ -301,6 +301,16 @@ static SCOSSL_STATUS p_scossl_mlkem_hybrid_keymgmt_set_params(_Inout_ SCOSSL_MLK { const OSSL_PARAM *p; + if (keyCtx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) { PCBYTE pbKey; diff --git a/SymCryptProvider/src/keymgmt/p_scossl_mlkem_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_mlkem_keymgmt.c index d662ab04..b830c709 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_mlkem_keymgmt.c +++ b/SymCryptProvider/src/keymgmt/p_scossl_mlkem_keymgmt.c @@ -314,6 +314,16 @@ static SCOSSL_STATUS p_scossl_mlkem_keymgmt_set_params(_Inout_ SCOSSL_MLKEM_KEY_ { const OSSL_PARAM *p; + if (keyCtx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) { PCBYTE pbKey; diff --git a/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c index c70fb6b3..caf879ed 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c +++ b/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c @@ -282,6 +282,16 @@ static SCOSSL_STATUS p_scossl_rsa_keygen_set_params(_Inout_ SCOSSL_RSA_KEYGEN_CT { const OSSL_PARAM *p; + if (genCtx == NULL) + { + return SCOSSL_FAILURE; + } + + if (params == NULL) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_BITS)) != NULL) { UINT32 nBitsOfModulus; From e98ef12665cbebdb5ede2e8871db3e64076e35a0 Mon Sep 17 00:00:00 2001 
From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 21:04:02 +0000 Subject: [PATCH 10/22] Clean up asym cipher --- SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c b/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c index 07bfc5bd..96dfa96a 100644 --- a/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c +++ b/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c @@ -248,6 +248,7 @@ static SCOSSL_STATUS p_scossl_rsa_cipher_get_ctx_params(_In_ SCOSSL_RSA_CIPHER_C if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } @@ -314,14 +315,10 @@ static SCOSSL_STATUS p_scossl_rsa_cipher_set_ctx_params(_Inout_ SCOSSL_RSA_CIPHE if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_PAD_MODE)) != NULL) { // Padding mode may be passed as legacy NID or string, and is From 812f21b72a1468213e200f06ffdf23f08ceb17d3 Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 21:10:08 +0000 Subject: [PATCH 11/22] Cleanup AES AEAD Co-authored-by: Copilot --- .../src/ciphers/p_scossl_aes_aead.c | 137 ++++++++++-------- 1 file changed, 75 insertions(+), 62 deletions(-) diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c b/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c index 965994bd..15fbf81f 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c 
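Review bot: Dropping the `params == NULL` early return in p_scossl_rsa_cipher_set_ctx_params leaves NULL-safety depending on every access going through OSSL_PARAM_locate_const, which returns NULL for a NULL array. The rest of the body is outside the hunk, so any direct use of params further down needs checking. A short comment at the first lookup, such as `// params may be NULL; OSSL_PARAM_locate_const handles that`, would keep a later edit from adding a direct dereference. The removal also leaves the series inconsistent: patches 01-09 keep the explicit return, while this hunk and p_scossl_aes_gcm_set_ctx_params in patch 11 remove it.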
@@ -161,40 +161,50 @@ static const OSSL_PARAM *p_scossl_aes_gcm_settable_ctx_params(ossl_unused void * static SCOSSL_STATUS p_scossl_aes_gcm_get_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_CTX *ctx, _Inout_ OSSL_PARAM params[]) { - OSSL_PARAM *p = NULL; + OSSL_PARAM *p; - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN)) != NULL && + !OSSL_PARAM_set_size_t(p, ctx->keylen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN)) != NULL && + !OSSL_PARAM_set_size_t(p, ctx->ivlen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->taglen)) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN)) != NULL && + !OSSL_PARAM_set_size_t(p, ctx->taglen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD); - if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tlsAadSet ? EVP_GCM_TLS_TAG_LEN : 0)) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD)) != NULL && + !OSSL_PARAM_set_size_t(p, ctx->tlsAadSet ? 
EVP_GCM_TLS_TAG_LEN : 0)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV); - if (p != NULL) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV)) != NULL) { if (p->data_size < ctx->ivlen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return SCOSSL_FAILURE; } + if (!OSSL_PARAM_set_octet_string(p, ctx->iv != NULL ? (const void*)ctx->iv : "", ctx->ivlen) && !OSSL_PARAM_set_octet_ptr(p, ctx->iv != NULL ? (const void*)ctx->iv : "", ctx->ivlen)) { @@ -202,14 +212,15 @@ static SCOSSL_STATUS p_scossl_aes_gcm_get_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); - if (p != NULL) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV)) != NULL) { if (p->data_size < ctx->ivlen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return SCOSSL_FAILURE; } + if (!OSSL_PARAM_set_octet_string(p, ctx->iv != NULL ? (const void*)ctx->iv : "", ctx->ivlen) && !OSSL_PARAM_set_octet_ptr(p, ctx->iv != NULL ? (const void*)ctx->iv : "", ctx->ivlen)) { @@ -217,8 +228,8 @@ static SCOSSL_STATUS p_scossl_aes_gcm_get_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG); - if (p != NULL) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG)) != NULL) { if (p->data_size == 0 || p->data_size > SCOSSL_GCM_MAX_TAG_LENGTH || 
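Review bot: In the OSSL_CIPHER_PARAM_IV branch at the end of the @@ -161 hunk, the unchanged call `OSSL_PARAM_set_octet_string(p, ctx->iv != NULL ? (const void*)ctx->iv : "", ctx->ivlen)` copies ctx->ivlen bytes from a one-byte literal whenever ctx->iv is NULL. That reads past the literal if ivlen is non-zero at that point, and the bytes end up in the caller's buffer. Whether iv can be NULL with a non-zero ivlen is not visible here; if iv is an array member, the fallback is dead code and can simply be removed. Otherwise the length should follow the source, for example `size_t cbIv = ctx->iv != NULL ? ctx->ivlen : 0;` passed to both setters. The OSSL_CIPHER_PARAM_UPDATED_IV branch in the following hunk (@@ -202) has the same pattern.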
@@ -227,14 +238,15 @@ static SCOSSL_STATUS p_scossl_aes_gcm_get_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); return SCOSSL_FAILURE; } + if (!OSSL_PARAM_set_octet_string(p, &ctx->tag, p->data_size)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN); - if (p != NULL && + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN)) != NULL && (p->data == NULL || p->data_type != OSSL_PARAM_OCTET_STRING || !scossl_aes_gcm_iv_gen(ctx, p->data, p->data_size))) @@ -248,20 +260,15 @@ static SCOSSL_STATUS p_scossl_aes_gcm_get_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C static SCOSSL_STATUS p_scossl_aes_gcm_set_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_CTX *ctx, _In_ const OSSL_PARAM params[]) { - const OSSL_PARAM *p = NULL; + const OSSL_PARAM *p; if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - - p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN); - if (p != NULL) + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN)) != NULL) { size_t ivlen; @@ -278,8 +285,7 @@ static SCOSSL_STATUS p_scossl_aes_gcm_set_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C } } - p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG); - if (p != NULL) + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) { @@ -293,8 +299,8 @@ static SCOSSL_STATUS p_scossl_aes_gcm_set_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD); - if (p != NULL) + + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) { 
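Review bot: With the `params == NULL` early return removed from `p_scossl_aes_gcm_set_ctx_params`, a NULL array is only safe because every access goes through `OSSL_PARAM_locate_const`, which as far as I know returns NULL for a NULL array. That dependency deserves a comment above the first lookup, e.g. `/* params may be NULL; OSSL_PARAM_locate_const() returns NULL for a NULL array */`, so a later direct use of `params` is caught in review. The function body continues outside this hunk, so the remaining accesses should be confirmed to go through the locate call too. The same removal is made in the other `set_ctx_params` hunks of this series (CCM, generic AES, XTS, digests, KDFs, ML-KEM).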
@@ -308,8 +314,8 @@ static SCOSSL_STATUS p_scossl_aes_gcm_set_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED); - if (p != NULL) + + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) { @@ -323,8 +329,8 @@ static SCOSSL_STATUS p_scossl_aes_gcm_set_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV); - if (p != NULL) + + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) { 
@@ -443,40 +449,50 @@ static const OSSL_PARAM *p_scossl_aes_ccm_settable_ctx_params(ossl_unused void * static SCOSSL_STATUS p_scossl_aes_ccm_get_ctx_params(_In_ SCOSSL_CIPHER_CCM_CTX *ctx, _Inout_ OSSL_PARAM params[]) { - OSSL_PARAM *p = NULL; + OSSL_PARAM *p; - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN)) != NULL && + !OSSL_PARAM_set_size_t(p, ctx->keylen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN)) != NULL && + !OSSL_PARAM_set_size_t(p, ctx->ivlen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->taglen)) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN)) != NULL && + !OSSL_PARAM_set_size_t(p, ctx->taglen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD); - if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tlsAadSet ? ctx->taglen : 0)) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD)) != NULL && + !OSSL_PARAM_set_size_t(p, ctx->tlsAadSet ? 
ctx->taglen : 0)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV); - if (p != NULL) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV)) != NULL) { if (p->data_size < ctx->ivlen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return SCOSSL_FAILURE; } + if (!OSSL_PARAM_set_octet_string(p, &ctx->iv, ctx->ivlen) && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) { @@ -484,14 +500,15 @@ static SCOSSL_STATUS p_scossl_aes_ccm_get_ctx_params(_In_ SCOSSL_CIPHER_CCM_CTX return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); - if (p != NULL) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV)) != NULL) { if (p->data_size < ctx->ivlen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return SCOSSL_FAILURE; } + if (!OSSL_PARAM_set_octet_string(p, &ctx->iv, ctx->ivlen) && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) { @@ -499,14 +516,15 @@ static SCOSSL_STATUS p_scossl_aes_ccm_get_ctx_params(_In_ SCOSSL_CIPHER_CCM_CTX return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG); - if (p != NULL) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV)) != NULL) { if (p->data_size < ctx->taglen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); return SCOSSL_FAILURE; } + if (!OSSL_PARAM_set_octet_string(p, &ctx->tag, ctx->taglen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); 
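Review bot: The rewritten tag lookup in `p_scossl_aes_ccm_get_ctx_params` locates `OSSL_CIPHER_PARAM_UPDATED_IV` where the removed line located `OSSL_CIPHER_PARAM_AEAD_TAG`. A caller requesting the CCM tag therefore no longer receives it, and a caller requesting the updated IV can have that buffer overwritten with `ctx->tag` after the preceding block has filled it with the IV. The lookup should read `if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG)) != NULL)`. A test that encrypts with CCM and reads the tag back through `get_ctx_params` would catch this regression. The function body continues outside the hunk.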
@@ -519,20 +537,15 @@ static SCOSSL_STATUS p_scossl_aes_ccm_get_ctx_params(_In_ SCOSSL_CIPHER_CCM_CTX static SCOSSL_STATUS p_scossl_aes_ccm_set_ctx_params(_Inout_ SCOSSL_CIPHER_CCM_CTX *ctx, _In_ const OSSL_PARAM params[]) { - const OSSL_PARAM *p = NULL; + const OSSL_PARAM *p; if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - - p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN); - if (p != NULL) + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN)) != NULL) { size_t ivlen; @@ -548,8 +561,8 @@ static SCOSSL_STATUS p_scossl_aes_ccm_set_ctx_params(_Inout_ SCOSSL_CIPHER_CCM_C return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG); - if (p != NULL) + + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) { @@ -563,8 +576,8 @@ static SCOSSL_STATUS p_scossl_aes_ccm_set_ctx_params(_Inout_ SCOSSL_CIPHER_CCM_C return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD); - if (p != NULL) + + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) { @@ -578,8 +591,8 @@ static SCOSSL_STATUS p_scossl_aes_ccm_set_ctx_params(_Inout_ SCOSSL_CIPHER_CCM_C return SCOSSL_FAILURE; } } - p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED); - if (p != NULL) + + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) { From 2105df3027eff6a546c61bb1ee1bf3aa836c7715 Mon Sep 17 00:00:00 2001 
From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 21:30:11 +0000 Subject: [PATCH 12/22] Cleanup ciphers Co-authored-by: Copilot --- ScosslCommon/src/scossl_aes_aead.c | 10 +++- SymCryptProvider/src/ciphers/p_scossl_aes.c | 19 +++--- .../src/ciphers/p_scossl_aes_aead.c | 12 +++- .../src/ciphers/p_scossl_aes_xts.c | 60 +++++++++++++------ 4 files changed, 72 insertions(+), 29 deletions(-) diff --git a/ScosslCommon/src/scossl_aes_aead.c b/ScosslCommon/src/scossl_aes_aead.c index b48bfe58..ce44188d 100644 --- a/ScosslCommon/src/scossl_aes_aead.c +++ b/ScosslCommon/src/scossl_aes_aead.c @@ -56,6 +56,7 @@ SCOSSL_STATUS scossl_aes_gcm_init_key(SCOSSL_CIPHER_GCM_CTX *ctx, return SCOSSL_FAILURE; } } + if (key != NULL) { scError = SymCryptGcmExpandKey(&ctx->key, SymCryptAesBlockCipher, key, keylen); @@ -64,6 +65,7 @@ SCOSSL_STATUS scossl_aes_gcm_init_key(SCOSSL_CIPHER_GCM_CTX *ctx, return SCOSSL_FAILURE; } } + return SCOSSL_SUCCESS; } @@ -299,7 +301,7 @@ SCOSSL_STATUS scossl_aes_gcm_set_iv_len(SCOSSL_CIPHER_GCM_CTX *ctx, size_t ivlen if (ivlen != ctx->ivlen) { ctx->ivlen = ivlen; - + if (ctx->iv != NULL) { OPENSSL_free(ctx->iv); @@ -455,7 +457,7 @@ SCOSSL_STATUS scossl_aes_ccm_init_key(SCOSSL_CIPHER_CCM_CTX *ctx, ctx->ccmStage = SCOSSL_CCM_STAGE_INIT; ctx->cbData = 0; - if (iv) + if (iv != NULL) { if (!scossl_aes_ccm_set_iv_len(ctx, ivlen)) { @@ -466,7 +468,8 @@ SCOSSL_STATUS scossl_aes_ccm_init_key(SCOSSL_CIPHER_CCM_CTX *ctx, memcpy(ctx->iv, iv, ctx->ivlen); ctx->ivSet = 1; } - if (key) + + if (key != NULL) { scError = SymCryptAesExpandKey(&ctx->key, key, keylen); if (scError != SYMCRYPT_NO_ERROR) @@ -474,6 +477,7 @@ SCOSSL_STATUS scossl_aes_ccm_init_key(SCOSSL_CIPHER_CCM_CTX *ctx, return SCOSSL_FAILURE; } } + return SCOSSL_SUCCESS; } diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes.c b/SymCryptProvider/src/ciphers/p_scossl_aes.c index 5f7699ce..c809a0ee 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes.c 
@@ -74,6 +74,9 @@ static void p_scossl_aes_generic_freectx(SCOSSL_AES_CTX *ctx) static SCOSSL_AES_CTX *p_scossl_aes_generic_dupctx(SCOSSL_AES_CTX *ctx) { + if (ctx == NULL) + return NULL; + SCOSSL_COMMON_ALIGNED_ALLOC(copyCtx, OPENSSL_malloc, SCOSSL_AES_CTX); if (copyCtx != NULL) { @@ -702,7 +705,13 @@ SCOSSL_STATUS p_scossl_aes_generic_get_params(_Inout_ OSSL_PARAM params[], static SCOSSL_STATUS p_scossl_aes_generic_get_ctx_params(_In_ SCOSSL_AES_CTX *ctx, _Inout_ OSSL_PARAM params[]) { - OSSL_PARAM *p = NULL; + OSSL_PARAM *p; + + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN)) != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) @@ -746,18 +755,14 @@ static SCOSSL_STATUS p_scossl_aes_generic_get_ctx_params(_In_ SCOSSL_AES_CTX *ct static SCOSSL_STATUS p_scossl_aes_generic_set_ctx_params(_Inout_ SCOSSL_AES_CTX *ctx, _In_ const OSSL_PARAM params[]) { - const OSSL_PARAM *p = NULL; + const OSSL_PARAM *p; if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING)) != NULL) { unsigned int pad; diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c b/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c index 15fbf81f..d21b846f 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c @@ -63,6 +63,9 @@ static void p_scossl_aes_gcm_freectx(_Inout_ SCOSSL_CIPHER_GCM_CTX *ctx) static SCOSSL_CIPHER_GCM_CTX *p_scossl_aes_gcm_dupctx(_In_ SCOSSL_CIPHER_GCM_CTX *ctx) { + if (ctx == NULL) + return NULL; + SCOSSL_COMMON_ALIGNED_ALLOC(copy_ctx, OPENSSL_malloc, SCOSSL_CIPHER_GCM_CTX); if (copy_ctx != NULL) { 
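Review bot: The new NULL guard in `p_scossl_aes_gcm_dupctx` returns without braces and without pushing an error, while the NULL-ctx guards added to the `get_ctx_params`/`set_ctx_params` functions in the same patch are braced and raise `ERR_R_PASSED_NULL_PARAMETER`. For consistency, and so a failed duplicate leaves something on the error queue, I would write `if (ctx == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return NULL; }`. The same applies to the other `dupctx` guards added in this series (`p_scossl_aes_generic_dupctx` earlier in this patch, and the CCM, XTS, digest, KDF and ML-KEM ones). The function body continues outside the hunk.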
@@ -81,6 +84,7 @@ static SCOSSL_CIPHER_GCM_CTX *p_scossl_aes_gcm_dupctx(_In_ SCOSSL_CIPHER_GCM_CTX } SymCryptGcmKeyCopy(&ctx->key, ©_ctx->key); } + return copy_ctx; } @@ -89,7 +93,7 @@ static SCOSSL_STATUS p_scossl_aes_gcm_init_internal(_Inout_ SCOSSL_CIPHER_GCM_CT _In_reads_bytes_opt_(ivlen) const unsigned char *iv, size_t ivlen, _In_ const OSSL_PARAM params[]) { - if (key && keylen != ctx->keylen) + if (key != NULL && keylen != ctx->keylen) { return SCOSSL_FAILURE; } @@ -353,6 +357,9 @@ static SCOSSL_STATUS p_scossl_aes_gcm_set_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C */ static SCOSSL_CIPHER_CCM_CTX *p_scossl_aes_ccm_dupctx(_In_ SCOSSL_CIPHER_CCM_CTX *ctx) { + if (ctx == NULL) + return NULL; + SCOSSL_COMMON_ALIGNED_ALLOC(copy_ctx, OPENSSL_malloc, SCOSSL_CIPHER_CCM_CTX); if (copy_ctx != NULL) { @@ -364,6 +371,7 @@ static SCOSSL_CIPHER_CCM_CTX *p_scossl_aes_ccm_dupctx(_In_ SCOSSL_CIPHER_CCM_CTX copy_ctx->state = ctx->state; copy_ctx->state.pExpandedKey = ©_ctx->key; } + return copy_ctx; } @@ -377,7 +385,7 @@ static SCOSSL_STATUS p_scossl_aes_ccm_init_internal(_Inout_ SCOSSL_CIPHER_CCM_CT _In_reads_bytes_opt_(ivlen) const unsigned char *iv, size_t ivlen, _In_ const OSSL_PARAM params[]) { - if (key && keylen != ctx->keylen) + if (key != NULL && keylen != ctx->keylen) { return SCOSSL_FAILURE; } diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c b/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c index 59e33b13..e8750b6e 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c @@ -51,6 +51,9 @@ static SCOSSL_AES_XTS_CTX *p_scossl_aes_xts_newctx_internal(size_t keylen) static SCOSSL_AES_XTS_CTX *p_scossl_aes_xts_dupctx(SCOSSL_AES_XTS_CTX *ctx) { + if (ctx == NULL) + return NULL; + SCOSSL_COMMON_ALIGNED_ALLOC(copy_ctx, OPENSSL_malloc, SCOSSL_AES_XTS_CTX); if (copy_ctx != NULL) { 
@@ -125,6 +128,12 @@ static SCOSSL_STATUS p_scossl_aes_xts_skey_encrypt_init(_Inout_ SCOSSL_AES_XTS_C _In_reads_bytes_opt_(ivlen) const unsigned char *iv, size_t ivlen, _In_ const OSSL_PARAM params[]) { + if (skey == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + return p_scossl_aes_xts_init_internal(ctx, 1, skey->pbKey, skey->cbKey, iv, ivlen, params); } @@ -132,6 +141,12 @@ static SCOSSL_STATUS p_scossl_aes_xts_skey_decrypt_init(_Inout_ SCOSSL_AES_XTS_C _In_reads_bytes_opt_(ivlen) const unsigned char *iv, size_t ivlen, _In_ const OSSL_PARAM params[]) { + if (skey == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + return p_scossl_aes_xts_init_internal(ctx, 0, skey->pbKey, skey->cbKey, iv, ivlen, params); } @@ -139,6 +154,12 @@ static SCOSSL_STATUS p_scossl_aes_xts_cipher(SCOSSL_AES_XTS_CTX *ctx, _Out_writes_bytes_(*outl) unsigned char *out, _Out_ size_t *outl, size_t outsize, _In_reads_bytes_(inl) const unsigned char *in, size_t inl) { + if (out == NULL || in == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if (inl < SYMCRYPT_AES_BLOCK_SIZE) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_INPUT_LENGTH); 
@@ -207,55 +228,58 @@ static const OSSL_PARAM *p_scossl_aes_xts_settable_ctx_params(ossl_unused void * static SCOSSL_STATUS p_scossl_aes_xts_get_ctx_params(_In_ SCOSSL_AES_XTS_CTX *ctx, _Inout_ OSSL_PARAM params[]) { - OSSL_PARAM *p = NULL; + OSSL_PARAM *p; - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + + if (p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN) != NULL && + !OSSL_PARAM_set_size_t(p, ctx->keylen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, SCOSSL_XTS_TWEAK_LENGTH)) + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN)) != NULL && + !OSSL_PARAM_set_size_t(p, SCOSSL_XTS_TWEAK_LENGTH)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV); - if (p != NULL && + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV)) != NULL && !OSSL_PARAM_set_octet_ptr(p, &ctx->tweak, SCOSSL_XTS_TWEAK_LENGTH) && !OSSL_PARAM_set_octet_string(p, &ctx->tweak, SCOSSL_XTS_TWEAK_LENGTH)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); - if (p != NULL && + + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV)) != NULL && !OSSL_PARAM_set_octet_ptr(p, &ctx->tweak, SCOSSL_XTS_TWEAK_LENGTH) && !OSSL_PARAM_set_octet_string(p, &ctx->tweak, SCOSSL_XTS_TWEAK_LENGTH)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return SCOSSL_FAILURE; } + return SCOSSL_SUCCESS; } static SCOSSL_STATUS p_scossl_aes_xts_set_ctx_params(_Inout_ SCOSSL_AES_XTS_CTX *ctx, _In_ const OSSL_PARAM params[]) { - const OSSL_PARAM *p = NULL; + const OSSL_PARAM *p; if (ctx == 
NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - - p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); - if (p != NULL) + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN)) != NULL) { size_t keylen; @@ -264,11 +288,13 @@ static SCOSSL_STATUS p_scossl_aes_xts_set_ctx_params(_Inout_ SCOSSL_AES_XTS_CTX ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return SCOSSL_FAILURE; } + if (keylen != ctx->keylen) { return SCOSSL_FAILURE; } } + return SCOSSL_SUCCESS; } From 42776e098a6fc7f4dabd99f63bc951ca71882a4a Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Fri, 1 May 2026 21:48:20 +0000 Subject: [PATCH 13/22] Cleanup digests Co-authored-by: Copilot --- SymCryptProvider/src/digests/p_scossl_cshake.c | 9 ++++----- .../src/digests/p_scossl_digest_common.c | 3 +++ .../src/digests/p_scossl_digest_generic.c | 12 ++---------- SymCryptProvider/src/digests/p_scossl_shake.c | 6 +----- 4 files changed, 10 insertions(+), 20 deletions(-) diff --git a/SymCryptProvider/src/digests/p_scossl_cshake.c b/SymCryptProvider/src/digests/p_scossl_cshake.c index 3f47be89..c7e757bb 100644 --- a/SymCryptProvider/src/digests/p_scossl_cshake.c +++ b/SymCryptProvider/src/digests/p_scossl_cshake.c @@ -130,6 +130,9 @@ static SCOSSL_CSHAKE_CTX *p_scossl_cshake_dupctx(_In_ SCOSSL_CSHAKE_CTX *ctx) { SCOSSL_STATUS status = SCOSSL_FAILURE; + if (ctx == NULL) + return NULL; + SCOSSL_COMMON_ALIGNED_ALLOC(copyCtx, OPENSSL_zalloc, SCOSSL_CSHAKE_CTX); if (copyCtx != NULL) @@ -298,14 +301,10 @@ static SCOSSL_STATUS p_scossl_cshake_set_ctx_params(_Inout_ SCOSSL_CSHAKE_CTX *c if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, SCOSSL_DIGEST_PARAM_FUNCTION_NAME_STRING)) != NULL) { if (ctx->xofState != SCOSSL_XOF_STATE_INIT) 
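Review bot: The `OSSL_CIPHER_PARAM_KEYLEN` lookup added to `p_scossl_aes_xts_get_ctx_params` (p_scossl_aes_xts.c) is missing the parentheses around the assignment. As a result `p` receives the result of the whole `!= NULL && ...` expression, and `OSSL_PARAM_set_size_t(p, ctx->keylen)` is evaluated with `p` still unset, now that the `= NULL` initialiser is dropped in the same hunk. It should match the lookups below it: `if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN)) != NULL &&`. Compilers flag the int-to-pointer assignment, so treating that warning as an error would stop this at build time.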
diff --git a/SymCryptProvider/src/digests/p_scossl_digest_common.c b/SymCryptProvider/src/digests/p_scossl_digest_common.c index 53a8fdd7..282ed770 100644 --- a/SymCryptProvider/src/digests/p_scossl_digest_common.c +++ b/SymCryptProvider/src/digests/p_scossl_digest_common.c @@ -36,6 +36,9 @@ void p_scossl_digest_freectx(SCOSSL_DIGEST_CTX *ctx) _Use_decl_annotations_ SCOSSL_DIGEST_CTX *p_scossl_digest_dupctx(SCOSSL_DIGEST_CTX *ctx) { + if (ctx == NULL) + return NULL; + SCOSSL_DIGEST_CTX *copyCtx = OPENSSL_malloc(sizeof(SCOSSL_DIGEST_CTX)); if (copyCtx != NULL) diff --git a/SymCryptProvider/src/digests/p_scossl_digest_generic.c b/SymCryptProvider/src/digests/p_scossl_digest_generic.c index 8c57f921..524e9ee1 100644 --- a/SymCryptProvider/src/digests/p_scossl_digest_generic.c +++ b/SymCryptProvider/src/digests/p_scossl_digest_generic.c @@ -46,14 +46,10 @@ static SCOSSL_STATUS p_scossl_digest_get_state_internal(_In_ SCOSSL_DIGEST_CTX * if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate(params, SCOSSL_DIGEST_PARAM_STATE)) != NULL) { pExportFunc(ctx->pState, pbExportBlob); @@ -79,14 +75,10 @@ static SCOSSL_STATUS p_scossl_digest_set_state_internal(_In_ SCOSSL_DIGEST_CTX * if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, SCOSSL_DIGEST_PARAM_STATE)) != NULL) { if (!OSSL_PARAM_get_octet_string_ptr(p, (void *)&pbImportBlob, &cbImportBlob)) diff --git a/SymCryptProvider/src/digests/p_scossl_shake.c b/SymCryptProvider/src/digests/p_scossl_shake.c index 4da2c154..83669bdd 100644 --- a/SymCryptProvider/src/digests/p_scossl_shake.c +++ b/SymCryptProvider/src/digests/p_scossl_shake.c 
@@ -21,14 +21,10 @@ static SCOSSL_STATUS p_scossl_shake_set_ctx_params(_Inout_ SCOSSL_DIGEST_CTX *ct if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN)) != NULL && !OSSL_PARAM_get_size_t(p, &ctx->xofLen)) { From 6a7f21cea7529f444e5b8b78dc686af8e2f3ce3b Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Sat, 2 May 2026 00:22:26 +0000 Subject: [PATCH 14/22] Cleanup kdf Co-authored-by: Copilot --- SymCryptProvider/src/kdf/p_scossl_hkdf.c | 19 ++++++---- SymCryptProvider/src/kdf/p_scossl_kbkdf.c | 19 ++++++---- SymCryptProvider/src/kdf/p_scossl_pbkdf2.c | 18 ++++++---- SymCryptProvider/src/kdf/p_scossl_srtpkdf.c | 19 ++++++---- SymCryptProvider/src/kdf/p_scossl_sshkdf.c | 20 +++++++---- SymCryptProvider/src/kdf/p_scossl_sskdf.c | 40 ++++++++++++--------- SymCryptProvider/src/kdf/p_scossl_tls1prf.c | 18 ++++++---- 7 files changed, 99 insertions(+), 54 deletions(-) diff --git a/SymCryptProvider/src/kdf/p_scossl_hkdf.c b/SymCryptProvider/src/kdf/p_scossl_hkdf.c index 5a68cdf3..955dd161 100644 --- a/SymCryptProvider/src/kdf/p_scossl_hkdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_hkdf.c @@ -73,7 +73,12 @@ void p_scossl_hkdf_freectx(_Inout_ SCOSSL_PROV_HKDF_CTX *ctx) SCOSSL_PROV_HKDF_CTX *p_scossl_hkdf_dupctx(_In_ SCOSSL_PROV_HKDF_CTX *ctx) { - SCOSSL_PROV_HKDF_CTX *copyCtx = OPENSSL_malloc(sizeof(SCOSSL_PROV_HKDF_CTX)); + SCOSSL_PROV_HKDF_CTX *copyCtx; + + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_malloc(sizeof(SCOSSL_PROV_HKDF_CTX)); if (copyCtx != NULL) { if ((copyCtx->hkdfCtx = scossl_hkdf_dupctx(ctx->hkdfCtx)) == NULL || 
@@ -115,6 +120,12 @@ SCOSSL_STATUS p_scossl_hkdf_get_ctx_params(_In_ SCOSSL_PROV_HKDF_CTX *ctx, _Inou { OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { SIZE_T cbResult; @@ -211,14 +222,10 @@ SCOSSL_STATUS p_scossl_hkdf_set_ctx_params(_Inout_ SCOSSL_PROV_HKDF_CTX *ctx, co if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) { int mode = -1; diff --git a/SymCryptProvider/src/kdf/p_scossl_kbkdf.c b/SymCryptProvider/src/kdf/p_scossl_kbkdf.c index 3c4d42e9..7839b4e5 100644 --- a/SymCryptProvider/src/kdf/p_scossl_kbkdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_kbkdf.c @@ -83,7 +83,12 @@ static void p_scossl_kbkdf_freectx(_Inout_ SCOSSL_PROV_KBKDF_CTX *ctx) static SCOSSL_PROV_KBKDF_CTX *p_scossl_kbkdf_dupctx(_In_ SCOSSL_PROV_KBKDF_CTX *ctx) { - SCOSSL_PROV_KBKDF_CTX *copyCtx = OPENSSL_malloc(sizeof(SCOSSL_PROV_KBKDF_CTX)); + SCOSSL_PROV_KBKDF_CTX *copyCtx; + + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_malloc(sizeof(SCOSSL_PROV_KBKDF_CTX)); if (copyCtx != NULL) { *copyCtx = *ctx; @@ -225,6 +230,12 @@ static SCOSSL_STATUS p_scossl_kbkdf_get_ctx_params(ossl_unused void *ctx, _Inout { OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL && !OSSL_PARAM_set_size_t(p, SIZE_MAX)) { 
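Review bot: `p_scossl_kbkdf_get_ctx_params` declares its context as `ossl_unused void *ctx`, and the visible part of the function only reports `SIZE_MAX`, yet the hunk now fails the call when `ctx` is NULL. Either drop the guard here or remove `ossl_unused` from the parameter so the annotation matches the code; as written the check turns a query that appears to need no context into a failure. The same combination appears in the `p_scossl_pbkdf2_get_ctx_params` and `p_scossl_srtpkdf_get_ctx_params` hunks. The function body continues outside the hunk.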
@@ -259,14 +270,10 @@ static SCOSSL_STATUS p_scossl_kbkdf_set_ctx_params(_Inout_ SCOSSL_PROV_KBKDF_CTX if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) { if (!p_scossl_kbkdf_get_octet_string(p, &ctx->pbKey, &ctx->cbKey)) diff --git a/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c b/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c index fd67a3d3..da38d1f7 100644 --- a/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c +++ b/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c @@ -77,8 +77,12 @@ void p_scossl_pbkdf2_freectx(_Inout_ SCOSSL_PROV_PBKDF2_CTX *ctx) SCOSSL_PROV_PBKDF2_CTX *p_scossl_pbkdf2_dupctx(_In_ SCOSSL_PROV_PBKDF2_CTX *ctx) { SCOSSL_STATUS status = SCOSSL_FAILURE; + SCOSSL_PROV_PBKDF2_CTX *copyCtx; - SCOSSL_PROV_PBKDF2_CTX *copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_PROV_PBKDF2_CTX)); + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_PROV_PBKDF2_CTX)); if (copyCtx != NULL) { copyCtx->libctx = ctx->libctx; @@ -218,6 +222,12 @@ SCOSSL_STATUS p_scossl_pbkdf2_get_ctx_params(ossl_unused void *ctx, _Inout_ OSSL { OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL && !OSSL_PARAM_set_size_t(p, SIZE_MAX)) { @@ -236,14 +246,10 @@ SCOSSL_STATUS p_scossl_pbkdf2_set_ctx_params(_Inout_ SCOSSL_PROV_PBKDF2_CTX *ctx if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PKCS5)) != NULL) { int pkcs5; diff --git a/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c b/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c index 271155ca..77ceb9ae 100644 --- a/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c 
+++ b/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c @@ -90,7 +90,12 @@ static SCOSSL_PROV_SRTPKDF_CTX *p_scossl_srtpkdf_dupctx(_In_ SCOSSL_PROV_SRTPKDF { SYMCRYPT_ERROR scError; SCOSSL_STATUS status = SCOSSL_FAILURE; - SCOSSL_PROV_SRTPKDF_CTX *copyCtx = OPENSSL_malloc(sizeof(SCOSSL_PROV_SRTPKDF_CTX)); + SCOSSL_PROV_SRTPKDF_CTX *copyCtx; + + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_malloc(sizeof(SCOSSL_PROV_SRTPKDF_CTX)); if (copyCtx != NULL) { @@ -204,6 +209,12 @@ static SCOSSL_STATUS p_scossl_srtpkdf_get_ctx_params(ossl_unused void *ctx, _Ino { OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL && !OSSL_PARAM_set_size_t(p, SIZE_MAX)) { @@ -220,14 +231,10 @@ static SCOSSL_STATUS p_scossl_srtpkdf_set_ctx_params(_Inout_ SCOSSL_PROV_SRTPKDF if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) { PBYTE pbKey; diff --git a/SymCryptProvider/src/kdf/p_scossl_sshkdf.c b/SymCryptProvider/src/kdf/p_scossl_sshkdf.c index 50169a8e..33252ca9 100644 --- a/SymCryptProvider/src/kdf/p_scossl_sshkdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_sshkdf.c @@ -64,7 +64,7 @@ void p_scossl_sshkdf_freectx(_Inout_ SCOSSL_PROV_SSHKDF_CTX *ctx) { if (ctx == NULL) return; - + OPENSSL_free(ctx->mdName); scossl_sshkdf_freectx(ctx->sshkdfCtx); OPENSSL_free(ctx); 
@@ -73,8 +73,12 @@ void p_scossl_sshkdf_freectx(_Inout_ SCOSSL_PROV_SSHKDF_CTX *ctx) SCOSSL_PROV_SSHKDF_CTX *p_scossl_sshkdf_dupctx(_In_ SCOSSL_PROV_SSHKDF_CTX *ctx) { SCOSSL_STATUS status = SCOSSL_FAILURE; + SCOSSL_PROV_SSHKDF_CTX *copyCtx; + + if (ctx == NULL) + return NULL; - SCOSSL_PROV_SSHKDF_CTX *copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_PROV_SSHKDF_CTX)); + copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_PROV_SSHKDF_CTX)); if (copyCtx != NULL) { if ((copyCtx->sshkdfCtx = scossl_sshkdf_dupctx(ctx->sshkdfCtx)) == NULL) @@ -134,6 +138,12 @@ SCOSSL_STATUS p_scossl_sshkdf_get_ctx_params(_In_ SCOSSL_PROV_SSHKDF_CTX *ctx, _ { OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL && !OSSL_PARAM_set_size_t(p, SIZE_MAX)) { @@ -193,14 +203,10 @@ SCOSSL_STATUS p_scossl_sshkdf_set_ctx_params(_Inout_ SCOSSL_PROV_SSHKDF_CTX *ctx if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { PCSYMCRYPT_HASH symcryptHashAlg = NULL; diff --git a/SymCryptProvider/src/kdf/p_scossl_sskdf.c b/SymCryptProvider/src/kdf/p_scossl_sskdf.c index f6b5aaf3..665fb9f0 100644 --- a/SymCryptProvider/src/kdf/p_scossl_sskdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_sskdf.c @@ -19,7 +19,7 @@ typedef struct { SIZE_T cbSalt; PBYTE pbInfo; SIZE_T cbInfo; - + BOOL isSaltExpanded; SYMCRYPT_SSKDF_MAC_EXPANDED_SALT expandedSalt; 
@@ -74,8 +74,12 @@ void p_scossl_sskdf_freectx(_Inout_ SCOSSL_PROV_SSKDF_CTX *ctx) SCOSSL_PROV_SSKDF_CTX *p_scossl_sskdf_dupctx(_In_ SCOSSL_PROV_SSKDF_CTX *ctx) { SCOSSL_STATUS status = SCOSSL_FAILURE; + SCOSSL_PROV_SSKDF_CTX *copyCtx; + + if (ctx == NULL) + return NULL; - SCOSSL_PROV_SSKDF_CTX *copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_PROV_SSKDF_CTX)); + copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_PROV_SSKDF_CTX)); if (copyCtx != NULL) { if (ctx->pbSecret != NULL) @@ -162,7 +166,7 @@ SCOSSL_STATUS p_scossl_sskdf_derive(_In_ SCOSSL_PROV_SSKDF_CTX *ctx, if (ctx->mac != NULL) { if (!ctx->isSaltExpanded) - { + { PCSYMCRYPT_MAC pcSymCryptMacAlgorithm = NULL; if (EVP_MAC_is_a(ctx->mac, OSSL_MAC_NAME_HMAC)) { @@ -171,7 +175,7 @@ SCOSSL_STATUS p_scossl_sskdf_derive(_In_ SCOSSL_PROV_SSKDF_CTX *ctx, ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return SCOSSL_FAILURE; } - + pcSymCryptMacAlgorithm = scossl_get_symcrypt_hmac_algorithm(ctx->mdnid); } if (EVP_MAC_is_a(ctx->mac, OSSL_MAC_NAME_KMAC128)) @@ -182,8 +186,8 @@ SCOSSL_STATUS p_scossl_sskdf_derive(_In_ SCOSSL_PROV_SSKDF_CTX *ctx, { pcSymCryptMacAlgorithm = SymCryptKmac256Algorithm; } - - + + if (pcSymCryptMacAlgorithm == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_MAC_TYPE); @@ -194,7 +198,7 @@ SCOSSL_STATUS p_scossl_sskdf_derive(_In_ SCOSSL_PROV_SSKDF_CTX *ctx, &ctx->expandedSalt, pcSymCryptMacAlgorithm, ctx->pbSalt, ctx->cbSalt); - + if (scError != SYMCRYPT_NO_ERROR) { SCOSSL_PROV_LOG_SYMCRYPT_ERROR("SymCryptSskdfMacExpandSalt failed", scError); @@ -254,6 +258,12 @@ SCOSSL_STATUS p_scossl_sskdf_get_ctx_params(_In_ SCOSSL_PROV_SSKDF_CTX *ctx, _In { OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { SIZE_T cbResult = 0; 
@@ -264,7 +274,7 @@ SCOSSL_STATUS p_scossl_sskdf_get_ctx_params(_In_ SCOSSL_PROV_SSKDF_CTX *ctx, _In } else if (ctx->pHash != NULL) { - cbResult = SymCryptHashResultSize(ctx->pHash); + cbResult = SymCryptHashResultSize(ctx->pHash); } else { @@ -290,17 +300,13 @@ SCOSSL_STATUS p_scossl_sskdf_set_ctx_params(_Inout_ SCOSSL_PROV_SSKDF_CTX *ctx, if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL || // Shared secret may be set by OSSL_KDF_PARAM_KEY instead - (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) + (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) { OPENSSL_secure_free(ctx->pbSecret); ctx->cbSecret = 0; @@ -321,7 +327,7 @@ SCOSSL_STATUS p_scossl_sskdf_set_ctx_params(_Inout_ SCOSSL_PROV_SSKDF_CTX *ctx, goto cleanup; } } - + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { OPENSSL_free(ctx->pbSalt); @@ -337,7 +343,7 @@ SCOSSL_STATUS p_scossl_sskdf_set_ctx_params(_Inout_ SCOSSL_PROV_SSKDF_CTX *ctx, } if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_INFO)) != NULL) - { + { PBYTE pbCur = NULL; SIZE_T cbCur = 0; SIZE_T cbInfoMax = 0; @@ -391,7 +397,7 @@ SCOSSL_STATUS p_scossl_sskdf_set_ctx_params(_Inout_ SCOSSL_PROV_SSKDF_CTX *ctx, if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { const char *mdName; - + ctx->pHash = NULL; ctx->isSaltExpanded = FALSE; diff --git a/SymCryptProvider/src/kdf/p_scossl_tls1prf.c b/SymCryptProvider/src/kdf/p_scossl_tls1prf.c index 4d38bfc2..c052e835 100644 --- a/SymCryptProvider/src/kdf/p_scossl_tls1prf.c +++ b/SymCryptProvider/src/kdf/p_scossl_tls1prf.c 
@@ -55,8 +55,12 @@ void p_scossl_tls1prf_freectx(_Inout_ SCOSSL_PROV_TLS1_PRF_CTX *ctx) SCOSSL_PROV_TLS1_PRF_CTX *p_scossl_tls1prf_dupctx(_In_ SCOSSL_PROV_TLS1_PRF_CTX *ctx) { SCOSSL_STATUS status = SCOSSL_FAILURE; + SCOSSL_PROV_TLS1_PRF_CTX *copyCtx; - SCOSSL_PROV_TLS1_PRF_CTX *copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_PROV_TLS1_PRF_CTX)); + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_PROV_TLS1_PRF_CTX)); if (copyCtx != NULL) { if ((copyCtx->tls1prfCtx = scossl_tls1prf_dupctx(ctx->tls1prfCtx)) == NULL) @@ -132,6 +136,12 @@ SCOSSL_STATUS p_scossl_tls1prf_get_ctx_params(_In_ SCOSSL_PROV_TLS1_PRF_CTX *ctx { OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL && !OSSL_PARAM_set_size_t(p, SIZE_MAX)) { @@ -174,14 +184,10 @@ SCOSSL_STATUS p_scossl_tls1prf_set_ctx_params(_Inout_ SCOSSL_PROV_TLS1_PRF_CTX * if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { PCSYMCRYPT_MAC symcryptHmacAlg = NULL; From 05c92b8a99ebe78ab5488ec76612b795149435da Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Sat, 2 May 2026 00:24:36 +0000 Subject: [PATCH 15/22] Cleanup kem Co-authored-by: Copilot --- SymCryptProvider/src/kem/p_scossl_mlkem.c | 13 +++++++------ SymCryptProvider/src/kem/p_scossl_mlkem_hybrid.c | 7 ++++++- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/SymCryptProvider/src/kem/p_scossl_mlkem.c b/SymCryptProvider/src/kem/p_scossl_mlkem.c index 147087a1..d3be2dc4 100644 --- a/SymCryptProvider/src/kem/p_scossl_mlkem.c +++ b/SymCryptProvider/src/kem/p_scossl_mlkem.c 
@@ -72,7 +72,12 @@ static void p_scossl_mlkem_freectx(_Inout_ SCOSSL_MLKEM_CTX *ctx) static SCOSSL_MLKEM_CTX *p_scossl_mlkem_dupctx(_In_ SCOSSL_MLKEM_CTX *ctx) { - SCOSSL_MLKEM_CTX *copyCtx = OPENSSL_malloc(sizeof(SCOSSL_MLKEM_CTX)); + SCOSSL_MLKEM_CTX *copyCtx; + + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_malloc(sizeof(SCOSSL_MLKEM_CTX)); if (copyCtx != NULL) { @@ -288,14 +293,10 @@ static SCOSSL_STATUS p_scossl_mlkem_set_ctx_params(_In_ SCOSSL_MLKEM_CTX *ctx, _ if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if (ctx->operation == EVP_PKEY_OP_ENCAPSULATE && (p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_IKME)) != NULL) { diff --git a/SymCryptProvider/src/kem/p_scossl_mlkem_hybrid.c b/SymCryptProvider/src/kem/p_scossl_mlkem_hybrid.c index 90bcfa30..c753cab1 100644 --- a/SymCryptProvider/src/kem/p_scossl_mlkem_hybrid.c +++ b/SymCryptProvider/src/kem/p_scossl_mlkem_hybrid.c @@ -53,7 +53,12 @@ static void p_scossl_mlkem_hybrid_freectx(_Inout_ SCOSSL_MLKEM_HYBRID_CTX *ctx) static SCOSSL_MLKEM_HYBRID_CTX *p_scossl_mlkem_hybrid_dupctx(_In_ SCOSSL_MLKEM_HYBRID_CTX *ctx) { - SCOSSL_MLKEM_HYBRID_CTX *copyCtx = OPENSSL_malloc(sizeof(SCOSSL_MLKEM_HYBRID_CTX)); + SCOSSL_MLKEM_HYBRID_CTX *copyCtx; + + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_malloc(sizeof(SCOSSL_MLKEM_HYBRID_CTX)); if (copyCtx != NULL) { From 9a7f0feb238d538ba7f63aff64cd4b37abe1af86 Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Sat, 2 May 2026 00:29:10 +0000 Subject: [PATCH 16/22] Cleanup keyexch Co-authored-by: Copilot --- SymCryptProvider/src/keyexch/p_scossl_dh.c | 23 +++++++++----- SymCryptProvider/src/keyexch/p_scossl_ecdh.c | 7 ++++- .../src/keyexch/p_scossl_kdf_keyexch.c | 31 +++++++++++++++---- 3 files changed, 46 insertions(+), 15 deletions(-) 
diff --git a/SymCryptProvider/src/keyexch/p_scossl_dh.c b/SymCryptProvider/src/keyexch/p_scossl_dh.c index db4d5e57..ffed74d1 100644 --- a/SymCryptProvider/src/keyexch/p_scossl_dh.c +++ b/SymCryptProvider/src/keyexch/p_scossl_dh.c @@ -93,7 +93,12 @@ static void p_scossl_dh_freectx(_In_ SCOSSL_DH_CTX *ctx) static SCOSSL_DH_CTX *p_scossl_dh_dupctx(_In_ SCOSSL_DH_CTX *ctx) { - SCOSSL_DH_CTX *copyCtx = OPENSSL_malloc(sizeof(SCOSSL_DH_CTX)); + SCOSSL_DH_CTX *copyCtx; + + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_malloc(sizeof(SCOSSL_DH_CTX)); if (copyCtx != NULL) { *copyCtx = *ctx; @@ -333,18 +338,14 @@ static SCOSSL_STATUS p_scossl_dh_set_ctx_params(_Inout_ SCOSSL_DH_CTX *ctx, _In_ char *mdProps = NULL; EVP_MD *md = NULL; SCOSSL_STATUS ret = SCOSSL_FAILURE; - const OSSL_PARAM *p = NULL; + const OSSL_PARAM *p; if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_PAD)) != NULL) { unsigned int pad; @@ -473,7 +474,13 @@ static const OSSL_PARAM *p_scossl_dh_ctx_settable_params(ossl_unused void *ctx, static SCOSSL_STATUS p_scossl_dh_get_ctx_params(_In_ SCOSSL_DH_CTX *ctx, _Inout_ OSSL_PARAM params[]) { - OSSL_PARAM *p = NULL; + OSSL_PARAM *p; + + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } if ((p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_PAD)) != NULL && !OSSL_PARAM_set_uint(p, ctx->pad)) diff --git a/SymCryptProvider/src/keyexch/p_scossl_ecdh.c b/SymCryptProvider/src/keyexch/p_scossl_ecdh.c index 303ad63d..6aec902f 100644 --- a/SymCryptProvider/src/keyexch/p_scossl_ecdh.c +++ b/SymCryptProvider/src/keyexch/p_scossl_ecdh.c 
@@ -40,7 +40,12 @@ void p_scossl_ecdh_freectx(SCOSSL_ECDH_CTX *ctx) _Use_decl_annotations_ SCOSSL_ECDH_CTX *p_scossl_ecdh_dupctx(SCOSSL_ECDH_CTX *ctx) { - SCOSSL_ECDH_CTX *copyCtx = OPENSSL_malloc(sizeof(SCOSSL_ECDH_CTX)); + SCOSSL_ECDH_CTX *copyCtx; + + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_malloc(sizeof(SCOSSL_ECDH_CTX)); if (copyCtx != NULL) { *copyCtx = *ctx; diff --git a/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c b/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c index a9d55220..84717ff7 100644 --- a/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c +++ b/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c @@ -95,7 +95,12 @@ static void p_scossl_kdf_keyexch_freectx(_In_ SCOSSL_KDF_KEYEXCH_CTX *ctx) static SCOSSL_KDF_KEYEXCH_CTX *p_scossl_kdf_keyexch_dupctx(_In_ SCOSSL_KDF_KEYEXCH_CTX *ctx) { - SCOSSL_KDF_KEYEXCH_CTX *copyCtx = OPENSSL_malloc(sizeof(SCOSSL_KDF_KEYEXCH_CTX)); + SCOSSL_KDF_KEYEXCH_CTX *copyCtx; + + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_malloc(sizeof(SCOSSL_KDF_KEYEXCH_CTX)); if (copyCtx != NULL) { 
@@ -168,29 +173,43 @@ static SCOSSL_STATUS p_scossl_kdf_keyexch_set_ctx_params(_Inout_ SCOSSL_KDF_KEYE { if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - return ctx->kdfFns->setCtxParams(ctx->kdfCtx, params); } static const OSSL_PARAM *p_scossl_kdf_keyexch_ctx_settable_params(_In_ SCOSSL_KDF_KEYEXCH_CTX *ctx, _In_ SCOSSL_PROVCTX *provctx) { + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return NULL; + } + return ctx->kdfFns->settableCtxParams(ctx->kdfCtx, provctx); } static SCOSSL_STATUS p_scossl_kdf_keyexch_get_ctx_params(_In_ SCOSSL_KDF_KEYEXCH_CTX *ctx, _Inout_ OSSL_PARAM params[]) { + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + return ctx->kdfFns->getCtxParams(ctx->kdfCtx, params); } static const OSSL_PARAM *p_scossl_kdf_keyexch_ctx_gettable_params(_In_ SCOSSL_KDF_KEYEXCH_CTX *ctx, _In_ SCOSSL_PROVCTX *provctx) { + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return NULL; + } + return ctx->kdfFns->gettableCtxParams(ctx->kdfCtx, provctx); } From 6a3823e9fa335b00249d9e25ca4a9b4874726f60 Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Sat, 2 May 2026 00:40:44 +0000 Subject: [PATCH 17/22] Cleanup keymgmt Co-authored-by: Copilot --- .../src/keymgmt/p_scossl_dh_keymgmt.c | 37 ++++++++++++------- .../src/keymgmt/p_scossl_ecc_keymgmt.c | 27 ++++++++------ .../keymgmt/p_scossl_mlkem_hybrid_keymgmt.c | 18 ++++++--- .../src/keymgmt/p_scossl_mlkem_keymgmt.c | 24 +++++++++--- .../src/keymgmt/p_scossl_rsa_keymgmt.c | 26 +++++++++---- SymCryptProvider/src/p_scossl_ecc.c | 5 ++- 6 files changed, 92 insertions(+), 45 deletions(-) diff --git a/SymCryptProvider/src/keymgmt/p_scossl_dh_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_dh_keymgmt.c index 57807e23..ce4c8cbc 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_dh_keymgmt.c 
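Review bot: The new guards in p_scossl_kdf_keyexch_ctx_settable_params and p_scossl_kdf_keyexch_ctx_gettable_params treat a NULL ctx as an error, but OpenSSL's EVP_KEYEXCH_settable_ctx_params and EVP_KEYEXCH_gettable_ctx_params query the provider with a NULL context. Those legitimate calls will now leave ERR_R_PASSED_NULL_PARAMETER on the error queue. Other settable functions in this series (p_scossl_cshake_settable_ctx_params, p_scossl_ecdsa_settable_ctx_params) return a default table for a NULL ctx instead. Because the list here comes from `ctx->kdfFns`, there may be no table to return without a context; in that case I would at least drop the `ERR_raise` from these two guards and return NULL quietly.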
+++ b/SymCryptProvider/src/keymgmt/p_scossl_dh_keymgmt.c @@ -119,8 +119,12 @@ static SCOSSL_PROV_DH_KEY_CTX *p_scossl_dh_keymgmt_new_ctx(_In_ SCOSSL_PROVCTX * static SCOSSL_PROV_DH_KEY_CTX *p_scossl_dh_keymgmt_dup_key_ctx(_In_ const SCOSSL_PROV_DH_KEY_CTX *ctx, ossl_unused int selection) { - SCOSSL_PROV_DH_KEY_CTX *copyCtx = OPENSSL_malloc(sizeof(SCOSSL_PROV_DH_KEY_CTX)); + SCOSSL_PROV_DH_KEY_CTX *copyCtx; + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_malloc(sizeof(SCOSSL_PROV_DH_KEY_CTX)); if (copyCtx != NULL) { *copyCtx = *ctx; @@ -425,14 +429,10 @@ static SCOSSL_STATUS p_scossl_dh_keygen_set_params(_Inout_ SCOSSL_DH_KEYGEN_CTX if (genCtx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_TYPE)) != NULL) { const char *ffcTypeName; @@ -611,14 +611,10 @@ static SCOSSL_STATUS p_scossl_dh_keymgmt_set_params(_In_ SCOSSL_PROV_DH_KEY_CTX if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) { SYMCRYPT_ERROR scError; @@ -947,8 +943,17 @@ static SCOSSL_STATUS p_scossl_dh_keymgmt_get_key_params(_In_ SCOSSL_DH_KEY_CTX * static SCOSSL_STATUS p_scossl_dh_keymgmt_get_params(_In_ SCOSSL_PROV_DH_KEY_CTX *ctx, _Inout_ OSSL_PARAM params[]) { OSSL_PARAM *p; - int pubKeyBits = p_scossl_dh_pubkey_bits(ctx); - int privKeyBits = p_scossl_dh_privkey_bits(ctx); + int pubKeyBits; + int privKeyBits; + + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + + pubKeyBits = p_scossl_dh_pubkey_bits(ctx); + privKeyBits = p_scossl_dh_privkey_bits(ctx); if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL && (pubKeyBits < 0 || !OSSL_PARAM_set_int(p, pubKeyBits))) 
@@ -1042,6 +1047,12 @@ static BOOL p_scossl_dh_keymgmt_match(_In_ SCOSSL_PROV_DH_KEY_CTX *ctx1, _In_ SC SIZE_T cbPublicKey = 0; SYMCRYPT_ERROR scError; + if (ctx1 == NULL || ctx2 == NULL || + ctx1->keyCtx == NULL || ctx2->keyCtx == NULL) + { + goto cleanup; + } + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { if (!ctx1->keyCtx->initialized || !ctx2->keyCtx->initialized) diff --git a/SymCryptProvider/src/keymgmt/p_scossl_ecc_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_ecc_keymgmt.c index 3a23ce5f..8ecb829e 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_ecc_keymgmt.c +++ b/SymCryptProvider/src/keymgmt/p_scossl_ecc_keymgmt.c @@ -117,14 +117,10 @@ static SCOSSL_STATUS p_scossl_ecc_keygen_set_params(_Inout_ SCOSSL_ECC_KEYGEN_CT if (genCtx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME)) != NULL) { EC_GROUP *ecGroup = EC_GROUP_new_from_params(params, genCtx->libctx, NULL); @@ -374,6 +370,12 @@ static SCOSSL_STATUS p_scossl_ecc_keymgmt_get_params(_In_ SCOSSL_ECC_KEY_CTX *ke SCOSSL_STATUS ret = SCOSSL_FAILURE; OSSL_PARAM *p; + if (keyCtx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL && !OSSL_PARAM_set_uint32(p, p_scossl_ecc_get_max_result_size(keyCtx, FALSE))) { @@ -541,14 +543,10 @@ static SCOSSL_STATUS p_scossl_ecc_keymgmt_set_params(_Inout_ SCOSSL_ECC_KEY_CTX if (keyCtx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - numFormat = keyCtx->isX25519 ? SYMCRYPT_NUMBER_FORMAT_LSB_FIRST : SYMCRYPT_NUMBER_FORMAT_MSB_FIRST; pointFormat = keyCtx->isX25519 ? SYMCRYPT_ECPOINT_FORMAT_X : SYMCRYPT_ECPOINT_FORMAT_XY; 
@@ -724,7 +722,14 @@ static BOOL p_scossl_ecc_keymgmt_match(_In_ SCOSSL_ECC_KEY_CTX *keyCtx1, _In_ SC SIZE_T cbPrivateKey = 0; SIZE_T cbPublicKey = 0; SYMCRYPT_ERROR scError; - SYMCRYPT_ECPOINT_FORMAT pointFormat = keyCtx1->isX25519 ? SYMCRYPT_ECPOINT_FORMAT_X : SYMCRYPT_ECPOINT_FORMAT_XY; + SYMCRYPT_ECPOINT_FORMAT pointFormat; + + if (keyCtx1 == NULL || keyCtx2 == NULL) + { + goto cleanup; + } + + pointFormat = keyCtx1->isX25519 ? SYMCRYPT_ECPOINT_FORMAT_X : SYMCRYPT_ECPOINT_FORMAT_XY; if (keyCtx1->initialized != keyCtx2->initialized || keyCtx1->isX25519 != keyCtx2->isX25519) diff --git a/SymCryptProvider/src/keymgmt/p_scossl_mlkem_hybrid_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_mlkem_hybrid_keymgmt.c index 073868a8..957b7b4a 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_mlkem_hybrid_keymgmt.c +++ b/SymCryptProvider/src/keymgmt/p_scossl_mlkem_hybrid_keymgmt.c @@ -86,8 +86,12 @@ static SCOSSL_MLKEM_HYBRID_KEY_CTX *p_scossl_mlkem_hybrid_keymgmt_dup_key_ctx(_I SYMCRYPT_MLKEMKEY_FORMAT format = SYMCRYPT_MLKEMKEY_FORMAT_NULL; SYMCRYPT_ERROR scError = SYMCRYPT_NO_ERROR; SCOSSL_STATUS status = SCOSSL_FAILURE; - SCOSSL_MLKEM_HYBRID_KEY_CTX *copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_MLKEM_HYBRID_KEY_CTX)); + SCOSSL_MLKEM_HYBRID_KEY_CTX *copyCtx; + if (keyCtx == NULL) + return NULL; + + copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_MLKEM_HYBRID_KEY_CTX)); if (copyCtx != NULL) { copyCtx->provCtx = keyCtx->provCtx; @@ -303,14 +307,10 @@ static SCOSSL_STATUS p_scossl_mlkem_hybrid_keymgmt_set_params(_Inout_ SCOSSL_MLK if (keyCtx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) { PCBYTE pbKey; 
@@ -423,6 +423,12 @@ static SCOSSL_STATUS p_scossl_mlkem_hybrid_keymgmt_get_params(_In_ SCOSSL_MLKEM_ SYMCRYPT_ERROR scError = SYMCRYPT_NO_ERROR; OSSL_PARAM *p; + if (keyCtx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL && !OSSL_PARAM_set_int(p, p_scossl_mlkem_get_bits(keyCtx->mlkemParams))) { diff --git a/SymCryptProvider/src/keymgmt/p_scossl_mlkem_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_mlkem_keymgmt.c index b830c709..66ebcc14 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_mlkem_keymgmt.c +++ b/SymCryptProvider/src/keymgmt/p_scossl_mlkem_keymgmt.c @@ -87,8 +87,12 @@ static SCOSSL_MLKEM_KEY_CTX *p_scossl_mlkem_keymgmt_dup_key_ctx(_In_ const SCOSS SYMCRYPT_MLKEMKEY_FORMAT format = SYMCRYPT_MLKEMKEY_FORMAT_NULL; SYMCRYPT_ERROR scError = SYMCRYPT_NO_ERROR; SCOSSL_STATUS status = SCOSSL_FAILURE; - SCOSSL_MLKEM_KEY_CTX *copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_MLKEM_KEY_CTX)); + SCOSSL_MLKEM_KEY_CTX *copyCtx; + if (keyCtx == NULL) + return NULL; + + copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_MLKEM_KEY_CTX)); if (copyCtx != NULL) { copyCtx->provCtx = keyCtx->provCtx; @@ -157,6 +161,12 @@ static SCOSSL_STATUS p_scossl_mlkem_keygen_set_params(_Inout_ SCOSSL_MLKEM_KEYGE { const OSSL_PARAM *p; + if (genCtx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ML_KEM_SEED)) != NULL) { PBYTE pbSeed = genCtx->abSeed; @@ -316,14 +326,10 @@ static SCOSSL_STATUS p_scossl_mlkem_keymgmt_set_params(_Inout_ SCOSSL_MLKEM_KEY_ if (keyCtx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) { PCBYTE pbKey; 
@@ -463,6 +469,12 @@ static SCOSSL_STATUS p_scossl_mlkem_keymgmt_get_params(_In_ SCOSSL_MLKEM_KEY_CTX SYMCRYPT_ERROR scError = SYMCRYPT_NO_ERROR; OSSL_PARAM *p; + if (keyCtx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL && !OSSL_PARAM_set_int(p, p_scossl_mlkem_get_bits(keyCtx->mlkemParams))) { diff --git a/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c index caf879ed..e8d1bf07 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c +++ b/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c @@ -229,7 +229,8 @@ static SCOSSL_PROV_RSA_KEY_CTX *p_scossl_rsa_keymgmt_dup_ctx(_In_ const SCOSSL_P SCOSSL_PROV_RSA_KEY_CTX *copyCtx; BOOL includePrivate = (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0; - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) + if (keyCtx == NULL || + (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) { return NULL; } @@ -284,14 +285,10 @@ static SCOSSL_STATUS p_scossl_rsa_keygen_set_params(_Inout_ SCOSSL_RSA_KEYGEN_CT if (genCtx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_BITS)) != NULL) { UINT32 nBitsOfModulus; @@ -917,6 +914,12 @@ static SCOSSL_STATUS p_scossl_rsa_keymgmt_get_params(_In_ SCOSSL_PROV_RSA_KEY_CT { OSSL_PARAM *p; + if (keyCtx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL && !OSSL_PARAM_set_uint32(p, SymCryptRsakeyModulusBits(keyCtx->key))) { 
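Review bot: The guard added to p_scossl_rsa_keymgmt_get_params checks keyCtx, but the next statement passes `keyCtx->key` to SymCryptRsakeyModulusBits, and this commit's own changes to p_scossl_rsa_keymgmt_has and p_scossl_rsa_keymgmt_match treat `keyCtx->key == NULL` as a state that can occur. If a context without key material can reach get_params, the OSSL_PKEY_PARAM_BITS query is still handed a NULL key. I would add a second guard after the first, `if (keyCtx->key == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); return SCOSSL_FAILURE; }`, unless an invariant outside this hunk rules that state out. The rest of the function is not visible here.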
@@ -963,7 +966,7 @@ static const OSSL_PARAM *p_scossl_rsa_keymgmt_gettable_params(ossl_unused void * static BOOL p_scossl_rsa_keymgmt_has(_In_ SCOSSL_PROV_RSA_KEY_CTX *keyCtx, int selection) { BOOL ret = TRUE; - if (keyCtx->key == NULL) + if (keyCtx == NULL || keyCtx->key == NULL) { return FALSE; } @@ -985,8 +988,15 @@ static BOOL p_scossl_rsa_keymgmt_match(_In_ SCOSSL_PROV_RSA_KEY_CTX *keyCtx1, _I PBYTE pbPrivateExponent1 = NULL; PBYTE pbPrivateExponent2 = NULL; SYMCRYPT_ERROR scError; + UINT32 cbModulus; + + if (keyCtx1 == NULL || keyCtx2 == NULL || + keyCtx1->key == NULL || keyCtx2->key == NULL) + { + goto cleanup; + } - UINT32 cbModulus = SymCryptRsakeySizeofModulus(keyCtx1->key); + cbModulus = SymCryptRsakeySizeofModulus(keyCtx1->key); if (cbModulus != SymCryptRsakeySizeofModulus(keyCtx2->key)) { diff --git a/SymCryptProvider/src/p_scossl_ecc.c b/SymCryptProvider/src/p_scossl_ecc.c index 704c7803..cbe017e0 100644 --- a/SymCryptProvider/src/p_scossl_ecc.c +++ b/SymCryptProvider/src/p_scossl_ecc.c @@ -54,9 +54,12 @@ SCOSSL_ECC_KEY_CTX *p_scossl_ecc_dup_ctx(SCOSSL_ECC_KEY_CTX *keyCtx, int selecti SCOSSL_STATUS success = SCOSSL_FAILURE; SYMCRYPT_ECPOINT_FORMAT pointFormat = keyCtx->isX25519 ? SYMCRYPT_ECPOINT_FORMAT_X : SYMCRYPT_ECPOINT_FORMAT_XY; SYMCRYPT_ERROR scError = SYMCRYPT_NO_ERROR; + SCOSSL_ECC_KEY_CTX *copyCtx; - SCOSSL_ECC_KEY_CTX *copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_ECC_KEY_CTX)); + if (keyCtx == NULL) + return NULL; + copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_ECC_KEY_CTX)); if (copyCtx != NULL) { copyCtx->isX25519 = keyCtx->isX25519; From 92f2cc532c1588e2f924b82a91147c3c58610966 Mon Sep 17 00:00:00 2001 
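Review bot: In p_scossl_ecc_dup_ctx the new `if (keyCtx == NULL) return NULL;` sits after the `pointFormat` initializer, which already reads `keyCtx->isX25519`, so a NULL keyCtx is dereferenced before the guard runs and a compiler may treat the later check as dead. p_scossl_ecc_keymgmt_match in this same patch handles the identical pattern correctly by declaring `pointFormat` without an initializer and assigning it after the guard. Do the same here: declare `SYMCRYPT_ECPOINT_FORMAT pointFormat;` and move `pointFormat = keyCtx->isX25519 ? SYMCRYPT_ECPOINT_FORMAT_X : SYMCRYPT_ECPOINT_FORMAT_XY;` below the NULL check. The function body continues past the hunk.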
From: Maxwell Moyer-McKee Date: Mon, 4 May 2026 16:00:19 +0000 Subject: [PATCH 18/22] Cleanup mac Co-authored-by: Copilot --- ScosslCommon/src/scossl_mac.c | 3 +++ SymCryptProvider/src/mac/p_scossl_cmac.c | 12 +++++++----- SymCryptProvider/src/mac/p_scossl_hmac.c | 12 +++++++----- SymCryptProvider/src/mac/p_scossl_kmac.c | 15 ++++++++++----- 4 files changed, 27 insertions(+), 15 deletions(-) diff --git a/ScosslCommon/src/scossl_mac.c b/ScosslCommon/src/scossl_mac.c index 66b5814f..15385cd1 100644 --- a/ScosslCommon/src/scossl_mac.c +++ b/ScosslCommon/src/scossl_mac.c @@ -86,6 +86,9 @@ SCOSSL_MAC_CTX *scossl_mac_dupctx(SCOSSL_MAC_CTX *ctx) SCOSSL_STATUS success = SCOSSL_FAILURE; SCOSSL_MAC_CTX *copyCtx = NULL; + if (ctx == NULL) + return NULL; + if ((copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_MAC_CTX))) != NULL) { if (ctx->pbKey != NULL) diff --git a/SymCryptProvider/src/mac/p_scossl_cmac.c b/SymCryptProvider/src/mac/p_scossl_cmac.c index 198103c9..8669fe01 100644 --- a/SymCryptProvider/src/mac/p_scossl_cmac.c +++ b/SymCryptProvider/src/mac/p_scossl_cmac.c @@ -67,6 +67,12 @@ static SCOSSL_STATUS p_scossl_cmac_get_ctx_params(_In_ SCOSSL_MAC_CTX *ctx, _Ino { OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL && !OSSL_PARAM_set_size_t(p, ctx->pMac == NULL ? 0 : ctx->pMac->resultSize)) { @@ -90,14 +96,10 @@ static SCOSSL_STATUS p_scossl_cmac_set_ctx_params(_Inout_ SCOSSL_MAC_CTX *ctx, _ if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CIPHER)) != NULL) { SCOSSL_STATUS success; diff --git a/SymCryptProvider/src/mac/p_scossl_hmac.c b/SymCryptProvider/src/mac/p_scossl_hmac.c index 04344268..e16998f7 100644 --- a/SymCryptProvider/src/mac/p_scossl_hmac.c 
+++ b/SymCryptProvider/src/mac/p_scossl_hmac.c @@ -58,6 +58,12 @@ static SCOSSL_STATUS p_scossl_hmac_get_ctx_params(_In_ SCOSSL_MAC_CTX *ctx, _Ino { OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL && !OSSL_PARAM_set_size_t(p, ctx->pMac == NULL ? 0 : ctx->pMac->resultSize)) { @@ -149,14 +155,10 @@ static SCOSSL_STATUS p_scossl_hmac_set_ctx_params(_Inout_ SCOSSL_MAC_CTX *ctx, _ if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_DIGEST)) != NULL) { OPENSSL_free(ctx->mdName); diff --git a/SymCryptProvider/src/mac/p_scossl_kmac.c b/SymCryptProvider/src/mac/p_scossl_kmac.c index ff00ee2a..bfcdd193 100644 --- a/SymCryptProvider/src/mac/p_scossl_kmac.c +++ b/SymCryptProvider/src/mac/p_scossl_kmac.c @@ -92,6 +92,9 @@ static void p_scossl_kmac_freectx(_Inout_ SCOSSL_KMAC_CTX *ctx) static SCOSSL_KMAC_CTX *p_scossl_kmac_dupctx(_In_ SCOSSL_KMAC_CTX *ctx) { + if (ctx == NULL) + return NULL; + SCOSSL_COMMON_ALIGNED_ALLOC(copyCtx, OPENSSL_zalloc, SCOSSL_KMAC_CTX); if (copyCtx == NULL) @@ -194,6 +197,12 @@ static SCOSSL_STATUS p_scossl_kmac_get_ctx_params(_In_ SCOSSL_KMAC_CTX *ctx, _In { OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL && !OSSL_PARAM_set_size_t(p, ctx->cbOutput)) { 
@@ -218,14 +227,10 @@ static SCOSSL_STATUS p_scossl_kmac_set_ctx_params(_Inout_ SCOSSL_KMAC_CTX *ctx, if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_XOF)) != NULL && !OSSL_PARAM_get_int(p, &ctx->xofMode)) { From 27cea8d9e702dddb02836eb55ce6315ae68ff7a0 Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Mon, 4 May 2026 16:46:08 +0000 Subject: [PATCH 19/22] Cleanup signature Co-authored-by: Copilot --- .../src/signature/p_scossl_ecdsa_signature.c | 48 ++++++------ .../src/signature/p_scossl_rsa_signature.c | 76 +++++++++++-------- 2 files changed, 72 insertions(+), 52 deletions(-) diff --git a/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c b/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c index 573f477f..bdaa703e 100644 --- a/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c +++ b/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c @@ -77,7 +77,12 @@ static void p_scossl_ecdsa_freectx(SCOSSL_ECDSA_CTX *ctx) static SCOSSL_ECDSA_CTX *p_scossl_ecdsa_dupctx(_In_ SCOSSL_ECDSA_CTX *ctx) { - SCOSSL_ECDSA_CTX *copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_ECDSA_CTX)); + SCOSSL_ECDSA_CTX *copyCtx; + + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_ECDSA_CTX)); if (copyCtx != NULL) { if ((ctx->propq != NULL && ((copyCtx->propq = OPENSSL_strdup(ctx->propq)) == NULL)) || 
@@ -330,7 +335,12 @@ static int p_scossl_ecdsa_digest_verify_final(_In_ SCOSSL_ECDSA_CTX *ctx, static const OSSL_PARAM *p_scossl_ecdsa_settable_ctx_params(_In_ SCOSSL_ECDSA_CTX *ctx, ossl_unused void *provctx) { - return ctx->allowMdUpdates ? p_scossl_ecdsa_ctx_settable_param_types : p_scossl_ecdsa_ctx_settable_param_types_no_digest; + if (ctx == NULL || ctx->allowMdUpdates) + { + return p_scossl_ecdsa_ctx_settable_param_types; + } + + return p_scossl_ecdsa_ctx_settable_param_types_no_digest; } static SCOSSL_STATUS p_scossl_ecdsa_set_ctx_params(_Inout_ SCOSSL_ECDSA_CTX *ctx, _In_ const OSSL_PARAM params[]) @@ -341,14 +351,10 @@ static SCOSSL_STATUS p_scossl_ecdsa_set_ctx_params(_Inout_ SCOSSL_ECDSA_CTX *ctx if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST)) != NULL) { if (!OSSL_PARAM_get_utf8_string_ptr(p, &mdname)) @@ -411,20 +417,16 @@ static const OSSL_PARAM *p_scossl_ecdsa_gettable_ctx_params(ossl_unused void *ct static SCOSSL_STATUS p_scossl_ecdsa_get_ctx_params(_In_ SCOSSL_ECDSA_CTX *ctx, _Inout_ OSSL_PARAM params[]) { + OSSL_PARAM *p; + X509_ALGOR *x509Alg = NULL; + SCOSSL_STATUS ret = SCOSSL_FAILURE; + if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - - OSSL_PARAM *p; - X509_ALGOR *x509Alg = NULL; - SCOSSL_STATUS ret = SCOSSL_FAILURE; - if ((p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST)) != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->md == NULL ? "" : EVP_MD_get0_name(ctx->md))) { 
@@ -531,9 +533,9 @@ static SCOSSL_STATUS p_scossl_ecdsa_get_ctx_params(_In_ SCOSSL_ECDSA_CTX *ctx, _ static const OSSL_PARAM *p_scossl_ecdsa_gettable_ctx_md_params(_In_ SCOSSL_ECDSA_CTX *ctx) { - if (ctx->md == NULL) + if (ctx == NULL || ctx->md == NULL) { - return SCOSSL_FAILURE; + return NULL; } return EVP_MD_gettable_ctx_params(ctx->md); @@ -541,8 +543,9 @@ static const OSSL_PARAM *p_scossl_ecdsa_gettable_ctx_md_params(_In_ SCOSSL_ECDSA static SCOSSL_STATUS p_scossl_ecdsa_get_ctx_md_params(_In_ SCOSSL_ECDSA_CTX *ctx, _Inout_ OSSL_PARAM *params) { - if (ctx->mdctx == NULL) + if (ctx == NULL || ctx->mdctx == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return SCOSSL_FAILURE; } @@ -551,9 +554,9 @@ static SCOSSL_STATUS p_scossl_ecdsa_get_ctx_md_params(_In_ SCOSSL_ECDSA_CTX *ctx static const OSSL_PARAM *p_scossl_ecdsa_settable_ctx_md_params(_In_ SCOSSL_ECDSA_CTX *ctx) { - if (ctx->md == NULL) + if (ctx == NULL || ctx->md == NULL) { - return SCOSSL_FAILURE; + return NULL; } return EVP_MD_settable_ctx_params(ctx->md); @@ -561,8 +564,9 @@ static const OSSL_PARAM *p_scossl_ecdsa_settable_ctx_md_params(_In_ SCOSSL_ECDSA static SCOSSL_STATUS p_scossl_ecdsa_set_ctx_md_params(_In_ SCOSSL_ECDSA_CTX *ctx, _In_ const OSSL_PARAM params[]) { - if (ctx->mdctx == NULL) + if (ctx == NULL || ctx->mdctx == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return SCOSSL_FAILURE; } diff --git a/SymCryptProvider/src/signature/p_scossl_rsa_signature.c b/SymCryptProvider/src/signature/p_scossl_rsa_signature.c index 5032cd57..23143f1e 100644 --- a/SymCryptProvider/src/signature/p_scossl_rsa_signature.c +++ b/SymCryptProvider/src/signature/p_scossl_rsa_signature.c 
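Review bot: p_scossl_ecdsa_get_ctx_md_params and p_scossl_ecdsa_set_ctx_md_params now raise PROV_R_MISSING_MESSAGE_DIGEST when `ctx == NULL` as well as when `ctx->mdctx == NULL`, whereas the other NULL-ctx guards in this series raise ERR_R_PASSED_NULL_PARAMETER. Anyone reading the error queue is pointed at a digest configuration problem when the caller passed no context at all. Splitting the condition keeps the two causes apart: `if (ctx == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; }` followed by the existing mdctx check. The RSA digest_signverify_update, digest_sign_final, digest_verify_final and get_ctx_md_params hunks use the same combined condition.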
@@ -117,7 +117,12 @@ static void p_scossl_rsa_freectx(SCOSSL_RSA_SIGN_CTX *ctx) static SCOSSL_RSA_SIGN_CTX *p_scossl_rsa_dupctx(_In_ SCOSSL_RSA_SIGN_CTX *ctx) { - SCOSSL_RSA_SIGN_CTX *copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_RSA_SIGN_CTX)); + SCOSSL_RSA_SIGN_CTX *copyCtx; + + if (ctx == NULL) + return NULL; + + copyCtx = OPENSSL_zalloc(sizeof(SCOSSL_RSA_SIGN_CTX)); if (copyCtx != NULL) { if ((ctx->propq != NULL && ((copyCtx->propq = OPENSSL_strdup(ctx->propq)) == NULL)) || @@ -225,7 +230,7 @@ static SCOSSL_STATUS p_scossl_rsa_sign(_In_ SCOSSL_RSA_SIGN_CTX *ctx, _Out_writes_bytes_(*siglen) unsigned char *sig, _Out_ size_t *siglen, size_t sigsize, _In_reads_bytes_(tbslen) const unsigned char *tbs, size_t tbslen) { - int mdnid = ctx->mdInfo == NULL ? NID_undef : ctx->mdInfo->id; + int mdnid; SCOSSL_STATUS ret = SCOSSL_FAILURE; if (ctx == NULL || ctx->keyCtx == NULL) @@ -243,9 +248,11 @@ static SCOSSL_STATUS p_scossl_rsa_sign(_In_ SCOSSL_RSA_SIGN_CTX *ctx, if (sig != NULL && sigsize < SymCryptRsakeySizeofModulus(ctx->keyCtx->key)) { ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); - goto err; + return SCOSSL_FAILURE; } + mdnid = ctx->mdInfo == NULL ? NID_undef : ctx->mdInfo->id; + switch (ctx->padding) { case RSA_PKCS1_PADDING: @@ -280,7 +287,7 @@ static SCOSSL_STATUS p_scossl_rsa_verify(_In_ SCOSSL_RSA_SIGN_CTX *ctx, _In_reads_bytes_(siglen) const unsigned char *sig, size_t siglen, _In_reads_bytes_(tbslen) const unsigned char *tbs, size_t tbslen) { - int mdnid = ctx->mdInfo == NULL ? NID_undef : ctx->mdInfo->id; + int mdnid; if (ctx == NULL || ctx->keyCtx == NULL) { @@ -294,6 +301,8 @@ static SCOSSL_STATUS p_scossl_rsa_verify(_In_ SCOSSL_RSA_SIGN_CTX *ctx, return SCOSSL_FAILURE; } + mdnid = ctx->mdInfo == NULL ? NID_undef : ctx->mdInfo->id; + switch (ctx->padding) { case RSA_PKCS1_PADDING: 
@@ -381,8 +390,9 @@ static SCOSSL_STATUS p_scossl_rsa_digest_verify_init(_In_ SCOSSL_RSA_SIGN_CTX *c static SCOSSL_STATUS p_scossl_rsa_digest_signverify_update(_In_ SCOSSL_RSA_SIGN_CTX *ctx, _In_reads_bytes_(datalen) const unsigned char *data, size_t datalen) { - if (ctx->mdctx == NULL) + if (ctx == NULL || ctx->mdctx == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return SCOSSL_FAILURE; } @@ -396,9 +406,10 @@ static SCOSSL_STATUS p_scossl_rsa_digest_sign_final(_In_ SCOSSL_RSA_SIGN_CTX *ct BYTE digest[EVP_MAX_MD_SIZE]; unsigned int cbDigest = 0; - if (ctx->mdctx == NULL) + if (ctx == NULL || ctx->mdctx == NULL) { - return ret; + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); + return SCOSSL_FAILURE; } // If sig is NULL, this is a size fetch, and the digest does not need to be computed @@ -417,8 +428,9 @@ static SCOSSL_STATUS p_scossl_rsa_digest_verify_final(_In_ SCOSSL_RSA_SIGN_CTX * BYTE digest[EVP_MAX_MD_SIZE]; unsigned int cbDigest = 0; - if (ctx->mdctx == NULL) + if (ctx == NULL || ctx->mdctx == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return SCOSSL_FAILURE; } @@ -431,7 +443,12 @@ static SCOSSL_STATUS p_scossl_rsa_digest_verify_final(_In_ SCOSSL_RSA_SIGN_CTX * static const OSSL_PARAM *p_scossl_rsa_settable_ctx_params(_In_ SCOSSL_RSA_SIGN_CTX *ctx, ossl_unused void *provctx) { - return ctx->allowMdUpdates ? p_scossl_rsa_sig_ctx_settable_param_types : p_scossl_rsa_sig_ctx_settable_param_types_no_digest; + if (ctx == NULL || ctx->allowMdUpdates) + { + return p_scossl_rsa_sig_ctx_settable_param_types; + } + + return p_scossl_rsa_sig_ctx_settable_param_types_no_digest; } static SCOSSL_STATUS p_scossl_rsa_set_ctx_params(_Inout_ SCOSSL_RSA_SIGN_CTX *ctx, _In_ const OSSL_PARAM params[]) 
@@ -441,14 +458,10 @@ static SCOSSL_STATUS p_scossl_rsa_set_ctx_params(_Inout_ SCOSSL_RSA_SIGN_CTX *ct if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); return SCOSSL_FAILURE; } - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - if ((p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST)) != NULL) { EVP_MD *md = NULL; @@ -712,7 +725,12 @@ static SCOSSL_STATUS p_scossl_rsa_set_ctx_params(_Inout_ SCOSSL_RSA_SIGN_CTX *ct static const OSSL_PARAM *p_scossl_rsa_gettable_ctx_params(_In_ SCOSSL_RSA_SIGN_CTX *ctx, ossl_unused void *provctx) { - return ctx->padding == RSA_PKCS1_PSS_PADDING ? p_scossl_rsa_pss_sig_ctx_gettable_param_types : p_scossl_rsa_sig_ctx_gettable_param_types; + if (ctx == NULL || ctx->padding == RSA_PKCS1_PSS_PADDING) + { + return p_scossl_rsa_pss_sig_ctx_gettable_param_types; + } + + return p_scossl_rsa_sig_ctx_gettable_param_types; } static ASN1_STRING *p_scossl_rsa_pss_params_to_asn1_sequence(_In_ SCOSSL_RSA_SIGN_CTX *ctx) @@ -817,21 +835,17 @@ static ASN1_STRING *p_scossl_rsa_pss_params_to_asn1_sequence(_In_ SCOSSL_RSA_SIG static SCOSSL_STATUS p_scossl_rsa_get_ctx_params(_In_ SCOSSL_RSA_SIGN_CTX *ctx, _Inout_ OSSL_PARAM params[]) { - if (ctx == NULL) - { - return SCOSSL_FAILURE; - } - - if (params == NULL) - { - return SCOSSL_SUCCESS; - } - OSSL_PARAM *p; ASN1_STRING *pval = NULL; X509_ALGOR *x509Alg = NULL; SCOSSL_STATUS ret = SCOSSL_FAILURE; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST)) != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->mdInfo == NULL ? "" : ctx->mdInfo->ptr)) { 
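Review bot: The NULL-ctx branch added to p_scossl_rsa_gettable_ctx_params returns the PSS table, and the reason for preferring it over the plain table is not stated. Presumably it is the superset, so that a query made without a context reports every parameter that might be gettable; that is an inference, since both tables are defined outside this hunk. A one-line comment above the condition, e.g. `// No ctx: report the PSS list (assumed superset of the non-PSS list)`, would let a reader verify the choice. p_scossl_rsa_settable_ctx_params and p_scossl_ecdsa_settable_ctx_params make the same kind of choice for a NULL ctx and would benefit from the same comment.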
@@ -1041,9 +1055,9 @@ static SCOSSL_STATUS p_scossl_rsa_get_ctx_params(_In_ SCOSSL_RSA_SIGN_CTX *ctx, static const OSSL_PARAM *p_scossl_rsa_gettable_ctx_md_params(_In_ SCOSSL_RSA_SIGN_CTX *ctx) { - if (ctx->md == NULL) + if (ctx == NULL || ctx->md == NULL) { - return SCOSSL_FAILURE; + return NULL; } return EVP_MD_gettable_ctx_params(ctx->md); @@ -1051,8 +1065,9 @@ static const OSSL_PARAM *p_scossl_rsa_gettable_ctx_md_params(_In_ SCOSSL_RSA_SIG static SCOSSL_STATUS p_scossl_rsa_get_ctx_md_params(_In_ SCOSSL_RSA_SIGN_CTX *ctx, _Inout_ OSSL_PARAM *params) { - if (ctx->mdctx == NULL) + if (ctx == NULL || ctx->mdctx == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return SCOSSL_FAILURE; } @@ -1061,9 +1076,9 @@ static SCOSSL_STATUS p_scossl_rsa_get_ctx_md_params(_In_ SCOSSL_RSA_SIGN_CTX *ct static const OSSL_PARAM *p_scossl_rsa_settable_ctx_md_params(_In_ SCOSSL_RSA_SIGN_CTX *ctx) { - if (ctx->md == NULL) + if (ctx == NULL || ctx->md == NULL) { - return SCOSSL_FAILURE; + return NULL; } return EVP_MD_settable_ctx_params(ctx->md); @@ -1073,6 +1088,7 @@ static SCOSSL_STATUS p_scossl_rsa_set_ctx_md_params(_In_ SCOSSL_RSA_SIGN_CTX *ct { if (ctx->mdctx == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return SCOSSL_FAILURE; } From 143ce525d2365c82c577e6a1e357bc0e77458eaf Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Mon, 4 May 2026 18:59:53 +0000 Subject: [PATCH 20/22] Cleanup encode Co-authored-by: Copilot --- SymCryptProvider/src/encoder/p_scossl_encode_common.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/SymCryptProvider/src/encoder/p_scossl_encode_common.c b/SymCryptProvider/src/encoder/p_scossl_encode_common.c index c9615ae4..380299ae 100644 --- a/SymCryptProvider/src/encoder/p_scossl_encode_common.c +++ b/SymCryptProvider/src/encoder/p_scossl_encode_common.c 
@@ -46,6 +46,12 @@ SCOSSL_STATUS p_scossl_encode_set_ctx_params(SCOSSL_ENCODE_CTX *ctx, const OSSL_ { const OSSL_PARAM *p; + if (ctx == NULL) + { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); + return SCOSSL_FAILURE; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_ENCODER_PARAM_CIPHER)) != NULL) { OSSL_LIB_CTX *libctx = ctx->provctx == NULL ? NULL : ctx->provctx->libctx; From e6a73987b87e3d0e1e2e1bc19a374db67c15648b Mon Sep 17 00:00:00 2001 
From: Maxwell Moyer-McKee Date: Mon, 4 May 2026 20:43:33 +0000 Subject: [PATCH 21/22] Add NULL param check to set_ctx_param functions Co-authored-by: Copilot --- SymCryptProvider/inc/p_scossl_base.h.in | 12 +++++------ .../src/asymcipher/p_scossl_rsa_cipher.c | 5 +++++ SymCryptProvider/src/ciphers/p_scossl_aes.c | 5 +++++ .../src/ciphers/p_scossl_aes_aead.c | 11 ++++++++++ .../src/ciphers/p_scossl_aes_xts.c | 10 ++++++--- .../src/digests/p_scossl_cshake.c | 7 +++++++ .../src/digests/p_scossl_digest_common.c | 9 +++++--- SymCryptProvider/src/digests/p_scossl_shake.c | 7 ++++++- .../src/encoder/p_scossl_encode_common.c | 5 +++++ SymCryptProvider/src/kdf/p_scossl_hkdf.c | 7 ++++++- SymCryptProvider/src/kdf/p_scossl_kbkdf.c | 5 +++++ SymCryptProvider/src/kdf/p_scossl_pbkdf2.c | 5 +++++ SymCryptProvider/src/kdf/p_scossl_srtpkdf.c | 8 +++++-- SymCryptProvider/src/kdf/p_scossl_sshkdf.c | 9 ++++++-- SymCryptProvider/src/kdf/p_scossl_sskdf.c | 5 +++++ SymCryptProvider/src/kdf/p_scossl_tls1prf.c | 5 +++++ SymCryptProvider/src/kem/p_scossl_mlkem.c | 5 +++++ SymCryptProvider/src/keyexch/p_scossl_dh.c | 5 +++++ .../src/keyexch/p_scossl_kdf_keyexch.c | 5 +++++ SymCryptProvider/src/mac/p_scossl_cmac.c | 5 +++++ SymCryptProvider/src/mac/p_scossl_hmac.c | 5 +++++ SymCryptProvider/src/mac/p_scossl_kmac.c | 7 ++++++- SymCryptProvider/src/p_scossl_base.c | 21 ------------------- SymCryptProvider/src/p_scossl_rand.c | 17 ++++++++------- .../src/signature/p_scossl_ecdsa_signature.c | 5 +++++ .../src/signature/p_scossl_rsa_signature.c | 7 +++++-- 26 files changed, 148 insertions(+), 49 deletions(-) diff --git a/SymCryptProvider/inc/p_scossl_base.h.in b/SymCryptProvider/inc/p_scossl_base.h.in index f9985cb5..6af52fa2 100644 --- a/SymCryptProvider/inc/p_scossl_base.h.in +++ b/SymCryptProvider/inc/p_scossl_base.h.in 
@@ -34,12 +34,12 @@ static const OSSL_PARAM p_scossl_param_types[] = { OSSL_PARAM_int(OSSL_PROV_PARAM_STATUS, NULL), OSSL_PARAM_END}; -// EVP_MD_CTX_dup is a helpful function for the provider, but was not added until OpenSSL 3.1 -// This function is copied from 3.1 to allow its use when the provider is built against 3.0 -#if OPENSSL_VERSION_MAJOR == 3 && OPENSSL_VERSION_MINOR == 0 -EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in); - -#endif // OPENSSL_VERSION_MAJOR == 3 && OPENSSL_VERSION_MINOR == 0 +// Helper function from the default provider that that is used by get/set +// parameter functions to avoid iterating through an empty parameter array. +static inline BOOL p_scossl_is_params_empty(_In_ const OSSL_PARAM params[]) +{ + return params == NULL || params->key == NULL; +} #ifdef __cplusplus } diff --git a/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c b/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c index 96dfa96a..dd930993 100644 --- a/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c +++ b/SymCryptProvider/src/asymcipher/p_scossl_rsa_cipher.c @@ -319,6 +319,11 @@ static SCOSSL_STATUS p_scossl_rsa_cipher_set_ctx_params(_Inout_ SCOSSL_RSA_CIPHE return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_PAD_MODE)) != NULL) { // Padding mode may be passed as legacy NID or string, and is diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes.c b/SymCryptProvider/src/ciphers/p_scossl_aes.c index c809a0ee..b1da0721 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes.c @@ -763,6 +763,11 @@ static SCOSSL_STATUS p_scossl_aes_generic_set_ctx_params(_Inout_ SCOSSL_AES_CTX return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING)) != NULL) { unsigned int pad; 
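Review bot: The `p_scossl_base.h.in` hunk removes the `EVP_MD_CTX_dup` prototype that was guarded for OpenSSL 3.0 builds, and the `p_scossl_base.c` hunk in this same patch deletes its definition together with the `OPENSSL_strcasecmp` fallback; the subject line "Add NULL param check to set_ctx_param functions" mentions neither. If the provider is still built against 3.0 and any caller of either function remains, that build will no longer link. No replacement is visible in this patch, so the removal should either move to its own commit with a stated reason or be confirmed as dead code. Separately, the new comment on `p_scossl_is_params_empty` has a doubled word ("that that is used") and could read `// Lets get/set parameter functions return early on a NULL or empty parameter array.`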
diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c b/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c index d21b846f..865b419b 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c @@ -7,6 +7,7 @@ #include #include "scossl_aes_aead.h" +#include "p_scossl_base.h" #include "p_scossl_aes.h" #include "p_scossl_skey.h" @@ -272,6 +273,11 @@ static SCOSSL_STATUS p_scossl_aes_gcm_set_ctx_params(_Inout_ SCOSSL_CIPHER_GCM_C return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN)) != NULL) { size_t ivlen; @@ -553,6 +559,11 @@ static SCOSSL_STATUS p_scossl_aes_ccm_set_ctx_params(_Inout_ SCOSSL_CIPHER_CCM_C return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN)) != NULL) { size_t ivlen; diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c b/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c index e8750b6e..e5bb893c 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes_xts.c @@ -2,11 +2,10 @@ // Copyright (c) Microsoft Corporation. Licensed under the MIT license. // -#include -#include #include #include "scossl_helpers.h" +#include "p_scossl_base.h" #include "p_scossl_aes.h" #include "p_scossl_skey.h" @@ -236,7 +235,7 @@ static SCOSSL_STATUS p_scossl_aes_xts_get_ctx_params(_In_ SCOSSL_AES_XTS_CTX *ct return SCOSSL_FAILURE; } - if (p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN) != NULL && + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN)) != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 
@@ -279,6 +278,11 @@ static SCOSSL_STATUS p_scossl_aes_xts_set_ctx_params(_Inout_ SCOSSL_AES_XTS_CTX return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN)) != NULL) { size_t keylen; diff --git a/SymCryptProvider/src/digests/p_scossl_cshake.c b/SymCryptProvider/src/digests/p_scossl_cshake.c index c7e757bb..4f5cad81 100644 --- a/SymCryptProvider/src/digests/p_scossl_cshake.c +++ b/SymCryptProvider/src/digests/p_scossl_cshake.c @@ -7,6 +7,7 @@ #include "scossl_provider.h" #include "p_scossl_digest_common.h" +#include "p_scossl_base.h" #ifdef __cplusplus extern "C" { @@ -279,6 +280,7 @@ static SCOSSL_STATUS p_scossl_cshake_256_digest(ossl_unused void *prov_ctx, { return p_scossl_cshake_digest(&SymCryptCShake256Algorithm, in, inl, out, outl, outlen); } + static SCOSSL_STATUS p_scossl_cshake_128_get_params(_Inout_ OSSL_PARAM params[]) { return p_scossl_digest_get_params(params, @@ -305,6 +307,11 @@ static SCOSSL_STATUS p_scossl_cshake_set_ctx_params(_Inout_ SCOSSL_CSHAKE_CTX *c return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, SCOSSL_DIGEST_PARAM_FUNCTION_NAME_STRING)) != NULL) { if (ctx->xofState != SCOSSL_XOF_STATE_INIT) diff --git a/SymCryptProvider/src/digests/p_scossl_digest_common.c b/SymCryptProvider/src/digests/p_scossl_digest_common.c index 282ed770..7c216007 100644 --- a/SymCryptProvider/src/digests/p_scossl_digest_common.c +++ b/SymCryptProvider/src/digests/p_scossl_digest_common.c @@ -1,11 +1,9 @@ // // Copyright (c) Microsoft Corporation. Licensed under the MIT license. // - -#include -#include #include +#include "p_scossl_base.h" #include "digests/p_scossl_digest_common.h" #ifdef __cplusplus 
@@ -76,6 +74,11 @@ SCOSSL_STATUS p_scossl_digest_get_params(OSSL_PARAM params[], size_t size, size_ { OSSL_PARAM *p; + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate(params, OSSL_DIGEST_PARAM_SIZE)) != NULL && !OSSL_PARAM_set_size_t(p, size)) { diff --git a/SymCryptProvider/src/digests/p_scossl_shake.c b/SymCryptProvider/src/digests/p_scossl_shake.c index 83669bdd..052642e5 100644 --- a/SymCryptProvider/src/digests/p_scossl_shake.c +++ b/SymCryptProvider/src/digests/p_scossl_shake.c @@ -2,9 +2,9 @@ // Copyright (c) Microsoft Corporation. Licensed under the MIT license. // -#include #include +#include "p_scossl_base.h" #include "digests/p_scossl_digest_common.h" #ifdef __cplusplus @@ -25,6 +25,11 @@ static SCOSSL_STATUS p_scossl_shake_set_ctx_params(_Inout_ SCOSSL_DIGEST_CTX *ct return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN)) != NULL && !OSSL_PARAM_get_size_t(p, &ctx->xofLen)) { diff --git a/SymCryptProvider/src/encoder/p_scossl_encode_common.c b/SymCryptProvider/src/encoder/p_scossl_encode_common.c index 380299ae..23a256ee 100644 --- a/SymCryptProvider/src/encoder/p_scossl_encode_common.c +++ b/SymCryptProvider/src/encoder/p_scossl_encode_common.c @@ -52,6 +52,11 @@ SCOSSL_STATUS p_scossl_encode_set_ctx_params(SCOSSL_ENCODE_CTX *ctx, const OSSL_ return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_ENCODER_PARAM_CIPHER)) != NULL) { OSSL_LIB_CTX *libctx = ctx->provctx == NULL ? NULL : ctx->provctx->libctx; diff --git a/SymCryptProvider/src/kdf/p_scossl_hkdf.c b/SymCryptProvider/src/kdf/p_scossl_hkdf.c index 955dd161..d1af1f91 100644 --- a/SymCryptProvider/src/kdf/p_scossl_hkdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_hkdf.c 
@@ -226,6 +226,11 @@ SCOSSL_STATUS p_scossl_hkdf_set_ctx_params(_Inout_ SCOSSL_PROV_HKDF_CTX *ctx, co return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) { int mode = -1; @@ -352,7 +357,7 @@ SCOSSL_STATUS p_scossl_tls13kdf_set_ctx_params(_Inout_ SCOSSL_PROV_HKDF_CTX *ctx return SCOSSL_FAILURE; } - if (params == NULL) + if (p_scossl_is_params_empty(params)) { return SCOSSL_SUCCESS; } diff --git a/SymCryptProvider/src/kdf/p_scossl_kbkdf.c b/SymCryptProvider/src/kdf/p_scossl_kbkdf.c index 7839b4e5..8a1cb527 100644 --- a/SymCryptProvider/src/kdf/p_scossl_kbkdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_kbkdf.c @@ -274,6 +274,11 @@ static SCOSSL_STATUS p_scossl_kbkdf_set_ctx_params(_Inout_ SCOSSL_PROV_KBKDF_CTX return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) { if (!p_scossl_kbkdf_get_octet_string(p, &ctx->pbKey, &ctx->cbKey)) diff --git a/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c b/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c index da38d1f7..61e90970 100644 --- a/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c +++ b/SymCryptProvider/src/kdf/p_scossl_pbkdf2.c @@ -250,6 +250,11 @@ SCOSSL_STATUS p_scossl_pbkdf2_set_ctx_params(_Inout_ SCOSSL_PROV_PBKDF2_CTX *ctx return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PKCS5)) != NULL) { int pkcs5; diff --git a/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c b/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c index 77ceb9ae..08bfce58 100644 --- a/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_srtpkdf.c 
@@ -2,11 +2,10 @@ // Copyright (c) Microsoft Corporation. Licensed under the MIT license. // -#include #include -#include "scossl_helpers.h" #include "scossl_provider.h" +#include "p_scossl_base.h" #ifdef __cplusplus extern "C" { @@ -235,6 +234,11 @@ static SCOSSL_STATUS p_scossl_srtpkdf_set_ctx_params(_Inout_ SCOSSL_PROV_SRTPKDF return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) { PBYTE pbKey; diff --git a/SymCryptProvider/src/kdf/p_scossl_sshkdf.c b/SymCryptProvider/src/kdf/p_scossl_sshkdf.c index 33252ca9..cc2720a0 100644 --- a/SymCryptProvider/src/kdf/p_scossl_sshkdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_sshkdf.c @@ -147,8 +147,8 @@ SCOSSL_STATUS p_scossl_sshkdf_get_ctx_params(_In_ SCOSSL_PROV_SSHKDF_CTX *ctx, _ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL && !OSSL_PARAM_set_size_t(p, SIZE_MAX)) { - ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); - return SCOSSL_FAILURE; + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return SCOSSL_FAILURE; } if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_DIGEST)) != NULL && @@ -207,6 +207,11 @@ SCOSSL_STATUS p_scossl_sshkdf_set_ctx_params(_Inout_ SCOSSL_PROV_SSHKDF_CTX *ctx return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { PCSYMCRYPT_HASH symcryptHashAlg = NULL; diff --git a/SymCryptProvider/src/kdf/p_scossl_sskdf.c b/SymCryptProvider/src/kdf/p_scossl_sskdf.c index 665fb9f0..30ab7f3a 100644 --- a/SymCryptProvider/src/kdf/p_scossl_sskdf.c +++ b/SymCryptProvider/src/kdf/p_scossl_sskdf.c 
@@ -304,6 +304,11 @@ SCOSSL_STATUS p_scossl_sskdf_set_ctx_params(_Inout_ SCOSSL_PROV_SSKDF_CTX *ctx, return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL || // Shared secret may be set by OSSL_KDF_PARAM_KEY instead (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) diff --git a/SymCryptProvider/src/kdf/p_scossl_tls1prf.c b/SymCryptProvider/src/kdf/p_scossl_tls1prf.c index c052e835..c0fd923d 100644 --- a/SymCryptProvider/src/kdf/p_scossl_tls1prf.c +++ b/SymCryptProvider/src/kdf/p_scossl_tls1prf.c @@ -188,6 +188,11 @@ SCOSSL_STATUS p_scossl_tls1prf_set_ctx_params(_Inout_ SCOSSL_PROV_TLS1_PRF_CTX * return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { PCSYMCRYPT_MAC symcryptHmacAlg = NULL; diff --git a/SymCryptProvider/src/kem/p_scossl_mlkem.c b/SymCryptProvider/src/kem/p_scossl_mlkem.c index d3be2dc4..418c7f2b 100644 --- a/SymCryptProvider/src/kem/p_scossl_mlkem.c +++ b/SymCryptProvider/src/kem/p_scossl_mlkem.c @@ -297,6 +297,11 @@ static SCOSSL_STATUS p_scossl_mlkem_set_ctx_params(_In_ SCOSSL_MLKEM_CTX *ctx, _ return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if (ctx->operation == EVP_PKEY_OP_ENCAPSULATE && (p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_IKME)) != NULL) { diff --git a/SymCryptProvider/src/keyexch/p_scossl_dh.c b/SymCryptProvider/src/keyexch/p_scossl_dh.c index ffed74d1..1d069965 100644 --- a/SymCryptProvider/src/keyexch/p_scossl_dh.c +++ b/SymCryptProvider/src/keyexch/p_scossl_dh.c 
@@ -346,6 +346,11 @@ static SCOSSL_STATUS p_scossl_dh_set_ctx_params(_Inout_ SCOSSL_DH_CTX *ctx, _In_ return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_PAD)) != NULL) { unsigned int pad; diff --git a/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c b/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c index 84717ff7..221e36ad 100644 --- a/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c +++ b/SymCryptProvider/src/keyexch/p_scossl_kdf_keyexch.c @@ -177,6 +177,11 @@ static SCOSSL_STATUS p_scossl_kdf_keyexch_set_ctx_params(_Inout_ SCOSSL_KDF_KEYE return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + return ctx->kdfFns->setCtxParams(ctx->kdfCtx, params); } diff --git a/SymCryptProvider/src/mac/p_scossl_cmac.c b/SymCryptProvider/src/mac/p_scossl_cmac.c index 8669fe01..445da4e6 100644 --- a/SymCryptProvider/src/mac/p_scossl_cmac.c +++ b/SymCryptProvider/src/mac/p_scossl_cmac.c @@ -100,6 +100,11 @@ static SCOSSL_STATUS p_scossl_cmac_set_ctx_params(_Inout_ SCOSSL_MAC_CTX *ctx, _ return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CIPHER)) != NULL) { SCOSSL_STATUS success; diff --git a/SymCryptProvider/src/mac/p_scossl_hmac.c b/SymCryptProvider/src/mac/p_scossl_hmac.c index e16998f7..6f61de0a 100644 --- a/SymCryptProvider/src/mac/p_scossl_hmac.c +++ b/SymCryptProvider/src/mac/p_scossl_hmac.c @@ -159,6 +159,11 @@ static SCOSSL_STATUS p_scossl_hmac_set_ctx_params(_Inout_ SCOSSL_MAC_CTX *ctx, _ return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_DIGEST)) != NULL) { OPENSSL_free(ctx->mdName); 
diff --git a/SymCryptProvider/src/mac/p_scossl_kmac.c b/SymCryptProvider/src/mac/p_scossl_kmac.c index bfcdd193..15fcac0d 100644 --- a/SymCryptProvider/src/mac/p_scossl_kmac.c +++ b/SymCryptProvider/src/mac/p_scossl_kmac.c @@ -3,8 +3,8 @@ // #include "p_scossl_kmac.h" +#include "p_scossl_base.h" -#include #include #ifdef __cplusplus @@ -231,6 +231,11 @@ static SCOSSL_STATUS p_scossl_kmac_set_ctx_params(_Inout_ SCOSSL_KMAC_CTX *ctx, return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_XOF)) != NULL && !OSSL_PARAM_get_int(p, &ctx->xofMode)) { diff --git a/SymCryptProvider/src/p_scossl_base.c b/SymCryptProvider/src/p_scossl_base.c index e092410a..31a266ae 100644 --- a/SymCryptProvider/src/p_scossl_base.c +++ b/SymCryptProvider/src/p_scossl_base.c @@ -882,27 +882,6 @@ SCOSSL_STATUS OSSL_provider_init(_In_ const OSSL_CORE_HANDLE *handle, return ret; } -#if OPENSSL_VERSION_MAJOR == 3 && OPENSSL_VERSION_MINOR == 0 -EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in) -{ - EVP_MD_CTX *out = EVP_MD_CTX_new(); - - if (out != NULL && !EVP_MD_CTX_copy_ex(out, in)) { - EVP_MD_CTX_free(out); - out = NULL; - } - return out; -} - -#if OPENSSL_VERSION_PATCH < 4 -int OPENSSL_strcasecmp(const char *s1, const char *s2) -{ - return strcasecmp(s1, s2); -} -#endif // OPENSSL_VERSION_PATCH < 4 - -#endif // OPENSSL_VERSION_MINOR == 0 - #ifdef __cplusplus } #endif \ No newline at end of file diff --git a/SymCryptProvider/src/p_scossl_rand.c b/SymCryptProvider/src/p_scossl_rand.c index 318df6b0..bb2aafd6 100644 --- a/SymCryptProvider/src/p_scossl_rand.c +++ b/SymCryptProvider/src/p_scossl_rand.c @@ -7,6 +7,7 @@ #include #include "scossl_helpers.h" +#include "p_scossl_base.h" #define SCOSSL_DRBG_STRENGTH 256 #define SCOSSL_DRBG_MAX_REQUEST_SIZE (1 << 16) 
@@ -101,23 +102,25 @@ static const OSSL_PARAM *p_scossl_rand_gettable_ctx_params(ossl_unused void *ctx static SCOSSL_STATUS p_scossl_rand_get_ctx_params(ossl_unused void *ctx, _Inout_ OSSL_PARAM params[]) { - OSSL_PARAM *p = NULL; + OSSL_PARAM *p; // State managed by symcrypt module - p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE); - if (p != NULL && !OSSL_PARAM_set_int(p, 1)) + if ((p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE)) != NULL && + !OSSL_PARAM_set_int(p, 1)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH); - if (p != NULL && !OSSL_PARAM_set_uint(p, SCOSSL_DRBG_STRENGTH)) + + if ((p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH)) != NULL && + !OSSL_PARAM_set_uint(p, SCOSSL_DRBG_STRENGTH)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return SCOSSL_FAILURE; } - p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST); - if (p != NULL && !OSSL_PARAM_set_size_t(p, SCOSSL_DRBG_MAX_REQUEST_SIZE)) + + if ((p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST)) != NULL && + !OSSL_PARAM_set_size_t(p, SCOSSL_DRBG_MAX_REQUEST_SIZE)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return SCOSSL_FAILURE; diff --git a/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c b/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c index bdaa703e..c3d7915b 100644 --- a/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c +++ b/SymCryptProvider/src/signature/p_scossl_ecdsa_signature.c @@ -355,6 +355,11 @@ static SCOSSL_STATUS p_scossl_ecdsa_set_ctx_params(_Inout_ SCOSSL_ECDSA_CTX *ctx return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST)) != NULL) { if (!OSSL_PARAM_get_utf8_string_ptr(p, &mdname)) 
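Review bot: `p_scossl_rand_get_ctx_params` is restyled here but still has no early return for a NULL or empty `params`, even though this patch adds `#include "p_scossl_base.h"` to `p_scossl_rand.c` and neither hunk of that file calls anything from the header. Either add `if (p_scossl_is_params_empty(params)) { return SCOSSL_SUCCESS; }` before the first lookup, matching the other functions this patch touches, or drop the include. Removing the `= NULL` initialiser on `p` is fine in the lines shown, because each use follows an assignment inside the same condition.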
diff --git a/SymCryptProvider/src/signature/p_scossl_rsa_signature.c b/SymCryptProvider/src/signature/p_scossl_rsa_signature.c index 23143f1e..eb1b8d0a 100644 --- a/SymCryptProvider/src/signature/p_scossl_rsa_signature.c +++ b/SymCryptProvider/src/signature/p_scossl_rsa_signature.c @@ -2,8 +2,6 @@ // Copyright (c) Microsoft Corporation. Licensed under the MIT license. // -#include -#include #include #include @@ -462,6 +460,11 @@ static SCOSSL_STATUS p_scossl_rsa_set_ctx_params(_Inout_ SCOSSL_RSA_SIGN_CTX *ct return SCOSSL_FAILURE; } + if (p_scossl_is_params_empty(params)) + { + return SCOSSL_SUCCESS; + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST)) != NULL) { EVP_MD *md = NULL; From 6ce1ab03df076442ea3f6923e205aa802c429a11 Mon Sep 17 00:00:00 2001 From: Maxwell Moyer-McKee Date: Tue, 5 May 2026 00:08:41 +0000 Subject: [PATCH 22/22] PR comments --- SymCryptProvider/src/ciphers/p_scossl_aes_aead.c | 2 +- SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c | 6 +++--- SymCryptProvider/src/p_scossl_ecc.c | 4 +++- SymCryptProvider/src/signature/p_scossl_rsa_signature.c | 2 +- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c b/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c index 865b419b..5ca685eb 100644 --- a/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c +++ b/SymCryptProvider/src/ciphers/p_scossl_aes_aead.c @@ -531,7 +531,7 @@ static SCOSSL_STATUS p_scossl_aes_ccm_get_ctx_params(_In_ SCOSSL_CIPHER_CCM_CTX } } - if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV)) != NULL) + if ((p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG)) != NULL) { if (p->data_size < ctx->taglen) { diff --git a/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c b/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c index e8d1bf07..08c77a48 100644 --- a/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c +++ b/SymCryptProvider/src/keymgmt/p_scossl_rsa_keymgmt.c 
@@ -921,21 +921,21 @@ static SCOSSL_STATUS p_scossl_rsa_keymgmt_get_params(_In_ SCOSSL_PROV_RSA_KEY_CT } if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL && - !OSSL_PARAM_set_uint32(p, SymCryptRsakeyModulusBits(keyCtx->key))) + (keyCtx->key == NULL || !OSSL_PARAM_set_uint32(p, SymCryptRsakeyModulusBits(keyCtx->key)))) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return SCOSSL_FAILURE; } if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL && - !OSSL_PARAM_set_int(p, p_scossl_rsa_get_security_bits(keyCtx->key))) + (keyCtx->key == NULL || !OSSL_PARAM_set_int(p, p_scossl_rsa_get_security_bits(keyCtx->key)))) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return SCOSSL_FAILURE; } if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL && - !OSSL_PARAM_set_uint32(p, SymCryptRsakeySizeofModulus(keyCtx->key))) + (keyCtx->key == NULL || !OSSL_PARAM_set_uint32(p, SymCryptRsakeySizeofModulus(keyCtx->key)))) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return SCOSSL_FAILURE; diff --git a/SymCryptProvider/src/p_scossl_ecc.c b/SymCryptProvider/src/p_scossl_ecc.c index cbe017e0..94d306a1 100644 --- a/SymCryptProvider/src/p_scossl_ecc.c +++ b/SymCryptProvider/src/p_scossl_ecc.c @@ -52,7 +52,7 @@ SCOSSL_ECC_KEY_CTX *p_scossl_ecc_dup_ctx(SCOSSL_ECC_KEY_CTX *keyCtx, int selecti SIZE_T cbPublicKey = 0; SIZE_T cbPrivateKey = 0; SCOSSL_STATUS success = SCOSSL_FAILURE; - SYMCRYPT_ECPOINT_FORMAT pointFormat = keyCtx->isX25519 ? SYMCRYPT_ECPOINT_FORMAT_X : SYMCRYPT_ECPOINT_FORMAT_XY; + SYMCRYPT_ECPOINT_FORMAT pointFormat; SYMCRYPT_ERROR scError = SYMCRYPT_NO_ERROR; SCOSSL_ECC_KEY_CTX *copyCtx; 
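Review bot: The three added `keyCtx->key == NULL` tests in `p_scossl_rsa_keymgmt_get_params` fold a missing key into the same branch as a failed `OSSL_PARAM_set_*` call, so the caller sees `PROV_R_FAILED_TO_SET_PARAMETER` when the real condition is that no key is loaded. Testing the key separately inside each lookup would allow a key-specific reason such as `PROV_R_MISSING_KEY` and would keep the setter failure distinguishable in the error queue. The function starts and ends outside the hunk, so whether `keyCtx` itself is validated earlier is not visible.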
@@ -77,6 +77,8 @@ SCOSSL_ECC_KEY_CTX *p_scossl_ecc_dup_ctx(SCOSSL_ECC_KEY_CTX *keyCtx, int selecti if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 && keyCtx->initialized) { + pointFormat = keyCtx->isX25519 ? SYMCRYPT_ECPOINT_FORMAT_X : (SYMCRYPT_ECPOINT_FORMAT)keyCtx->conversionFormat; + if (copyCtx->curve == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET); diff --git a/SymCryptProvider/src/signature/p_scossl_rsa_signature.c b/SymCryptProvider/src/signature/p_scossl_rsa_signature.c index eb1b8d0a..24b3252d 100644 --- a/SymCryptProvider/src/signature/p_scossl_rsa_signature.c +++ b/SymCryptProvider/src/signature/p_scossl_rsa_signature.c @@ -1089,7 +1089,7 @@ static const OSSL_PARAM *p_scossl_rsa_settable_ctx_md_params(_In_ SCOSSL_RSA_SIG static SCOSSL_STATUS p_scossl_rsa_set_ctx_md_params(_In_ SCOSSL_RSA_SIGN_CTX *ctx, _In_ const OSSL_PARAM params[]) { - if (ctx->mdctx == NULL) + if (ctx == NULL || ctx->mdctx == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return SCOSSL_FAILURE;
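Review bot: In `p_scossl_ecc_dup_ctx` the new assignment `pointFormat = keyCtx->isX25519 ? SYMCRYPT_ECPOINT_FORMAT_X : (SYMCRYPT_ECPOINT_FORMAT)keyCtx->conversionFormat;` replaces the fixed `SYMCRYPT_ECPOINT_FORMAT_XY` with a cast of a context field whose declared type is not shown in this patch. If `conversionFormat` stores OpenSSL's point conversion form rather than a SymCrypt format, the cast silences the compiler while handing SymCrypt a value outside its enum, which would affect how the duplicated key is exported and re-imported. Please confirm the field's type and, if it is not already a `SYMCRYPT_ECPOINT_FORMAT`, keep `SYMCRYPT_ECPOINT_FORMAT_XY` here or map the value explicitly. Moving the assignment under the `keyCtx->initialized` branch also leaves `pointFormat` without an initialiser at its declaration in the previous hunk, so any use outside this branch, which lies beyond the hunk, would read an indeterminate value.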