crypto: ensure crypto initialization works #11614
Conversation
Make sure that context initialization during hash setup works to avoid going forward with the risk of a null pointer dereference. Reported-by: Philippe Antoine on HackerOne
| { | ||
| md4_init(ctx); | ||
| return CURLE_OK; | ||
| return 1; |
There was a problem hiding this comment.
@danielgustafsson I've changed MD4_Init prototype because it has to match backends that provide that function such as OpenSSL. See here
Another way to do it would be the way we do for md5 and sha256 where for every backend we define a CURLcode my_md4_init that either wraps MD4_Init or does whatever the alternative MD4 init procedure.
Also, I am not sure about this one above, I cannot find anything about GnuTLS md4_init in documentation. If it returns a code then this will need to be changed.
There was a problem hiding this comment.
GnuTLS uses nettle for crypto. nettle's md4_init function does not return anything:
https://git.lysator.liu.se/nettle/nettle/-/blob/master/md4.c#L58-74
|
Thanks for the awesome assistance here @jay! |
|
Thanks Daniel, this was merged, right ? |
|
Correct, "closed this in 22eb989" shows the commit which closed this PR when it was merged. |
Make sure that context initialization during hash setup works to avoid going forward with the risk of a null pointer dereference. Reported-by: Philippe Antoine on HackerOne Assisted-by: Jay Satiro Assisted-by: Daniel Stenberg Closes curl#11614
Make sure that context initialization during hash setup works to avoid going forward with the risk of a null pointer dereference.
Reported-by: Philippe Antoine on HackerOne
Replaces #10733