Merge pull request #5992 from larsewi/secret

larsewi · web-flow · commit 6e7aec409204 · 2025-12-18T10:34:27.000+01:00
ENT-13591: Fixed buffer overflow in cf-secret when using multiple keys of different sizes
diff --git a/cf-secret/cf-secret.c b/cf-secret/cf-secret.c
@@ -343,13 +343,13 @@ static bool RSAEncrypt(Seq *rsa_keys, const char *input_path, const char *output
 
     const EVP_CIPHER *cipher = EVP_aes_256_cbc();
     EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
-    const int key_size = EVP_PKEY_size((EVP_PKEY*) SeqAt(evp_keys, 0));
 
     /* This sequence and the 'enc_key_sizes' array are both populated by the
      * EVP_SealInit() call below. */
     Seq *enc_keys = SeqNew(n_keys, free);
     for (size_t i = 0; i < n_keys; i++)
     {
+        const int key_size = EVP_PKEY_size((EVP_PKEY*) SeqAt(evp_keys, i));
         SeqAppend(enc_keys, xmalloc(key_size));
     }
     int enc_key_sizes[n_keys];

Original file line number	Diff line number	Diff line change
`@@ -343,13 +343,13 @@ static bool RSAEncrypt(Seq rsa_keys, const char input_path, const char *output`
`343`	`343`
`344`	`344`	`const EVP_CIPHER *cipher = EVP_aes_256_cbc();`
`345`	`345`	`EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();`
`346`		`- const int key_size = EVP_PKEY_size((EVP_PKEY*) SeqAt(evp_keys, 0));`
`347`	`346`
`348`	`347`	`/* This sequence and the 'enc_key_sizes' array are both populated by the`
`349`	`348`	`* EVP_SealInit() call below. */`
`350`	`349`	`Seq *enc_keys = SeqNew(n_keys, free);`
`351`	`350`	`for (size_t i = 0; i < n_keys; i++)`
`352`	`351`	`{`
	`352`	`+ const int key_size = EVP_PKEY_size((EVP_PKEY*) SeqAt(evp_keys, i));`
`353`	`353`	`SeqAppend(enc_keys, xmalloc(key_size));`
`354`	`354`	`}`
`355`	`355`	`int enc_key_sizes[n_keys];`