From 12843c2837778b1f47ebbd9ca3de68f6c07e2634 Mon Sep 17 00:00:00 2001
From: Bence Mali <bence.mali@tresorit.com>
Date: Sun, 3 Mar 2024 00:31:17 +0100
Subject: [PATCH 1/2] length and null checks in en/decaps

---
 oqsprov/oqs_kem.c | 66 ++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 60 insertions(+), 6 deletions(-)

diff --git a/oqsprov/oqs_kem.c b/oqsprov/oqs_kem.c
index 76780a16..5607c7cf 100644
--- a/oqsprov/oqs_kem.c
+++ b/oqsprov/oqs_kem.c
@@ -116,13 +116,41 @@ static int oqs_qs_kem_encaps_keyslot(void *vpkemctx, unsigned char *out,
         OQS_KEM_PRINTF("OQS Warning: OQS_KEM not initialized\n");
         return -1;
     }
-    *outlen = kem_ctx->length_ciphertext;
-    *secretlen = kem_ctx->length_shared_secret;
+    if (pkemctx->kem->comp_pubkey[keyslot] == NULL) {
+        OQS_KEM_PRINTF("OQS Warning: public key is NULL\n");
+        return -1;
+    }
     if (out == NULL || secret == NULL) {
-        OQS_KEM_PRINTF3("KEM returning lengths %ld and %ld\n", *outlen,
-                        *secretlen);
+        if (outlen != NULL) {
+            *outlen = kem_ctx->length_ciphertext;
+        }
+        if (secretlen != NULL) {
+            *secretlen = kem_ctx->length_shared_secret;
+        }
+        OQS_KEM_PRINTF3("KEM returning lengths %ld and %ld\n",
+                        kem_ctx->length_ciphertext,
+                        kem_ctx->length_shared_secret);
         return 1;
     }
+    if (outlen == NULL) {
+        OQS_KEM_PRINTF("OQS Warning: outlen is NULL\n");
+        return -1;
+    }
+    if (secretlen == NULL) {
+        OQS_KEM_PRINTF("OQS Warning: secretlen is NULL\n");
+        return -1;
+    }
+    if (*outlen < kem_ctx->length_ciphertext) {
+        OQS_KEM_PRINTF("OQS Warning: out buffer too small\n");
+        return -1;
+    }
+    if (*secretlen < kem_ctx->length_shared_secret) {
+        OQS_KEM_PRINTF("OQS Warning: secret buffer too small\n");
+        return -1;
+    }
+    *outlen = kem_ctx->length_ciphertext;
+    *secretlen = kem_ctx->length_shared_secret;
+
     return OQS_SUCCESS
            == OQS_KEM_encaps(kem_ctx, out, secret,
                              pkemctx->kem->comp_pubkey[keyslot]);
@@ -140,9 +168,35 @@ static int oqs_qs_kem_decaps_keyslot(void *vpkemctx, unsigned char *out,
         OQS_KEM_PRINTF("OQS Warning: OQS_KEM not initialized\n");
         return -1;
     }
-    *outlen = kem_ctx->length_shared_secret;
-    if (out == NULL)
+    if (pkemctx->kem->comp_privkey[keyslot] == NULL) {
+        OQS_KEM_PRINTF("OQS Warning: private key is NULL\n");
+        return -1;
+    }
+    if (out == NULL) {
+        if (outlen != NULL) {
+            *outlen = kem_ctx->length_shared_secret;
+        }
+        OQS_KEM_PRINTF2("KEM returning length %ld\n",
+                        kem_ctx->length_shared_secret);
         return 1;
+    }
+    if (inlen != kem_ctx->length_ciphertext) {
+        OQS_KEM_PRINTF("OQS Warning: wrong input length\n");
+        return 0;
+    }
+    if (in == NULL) {
+        OQS_KEM_PRINTF("OQS Warning: in is NULL\n");
+        return -1;
+    }
+    if (outlen == NULL) {
+        OQS_KEM_PRINTF("OQS Warning: outlen is NULL\n");
+        return -1;
+    }
+    if (*outlen < kem_ctx->length_shared_secret) {
+        OQS_KEM_PRINTF("OQS Warning: out buffer too small\n");
+        return -1;
+    }
+    *outlen = kem_ctx->length_shared_secret;
 
     return OQS_SUCCESS
            == OQS_KEM_decaps(kem_ctx, out, in,

From aabc7df740135e9544b5966e69828b9bcf04579e Mon Sep 17 00:00:00 2001
From: Bence Mali <bence.mali@tresorit.com>
Date: Mon, 4 Mar 2024 09:12:42 +0100
Subject: [PATCH 2/2] more null checking

---
 oqsprov/oqs_kem.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/oqsprov/oqs_kem.c b/oqsprov/oqs_kem.c
index 5607c7cf..a56150d4 100644
--- a/oqsprov/oqs_kem.c
+++ b/oqsprov/oqs_kem.c
@@ -116,7 +116,8 @@ static int oqs_qs_kem_encaps_keyslot(void *vpkemctx, unsigned char *out,
         OQS_KEM_PRINTF("OQS Warning: OQS_KEM not initialized\n");
         return -1;
     }
-    if (pkemctx->kem->comp_pubkey[keyslot] == NULL) {
+    if (pkemctx->kem->comp_pubkey == NULL
+        || pkemctx->kem->comp_pubkey[keyslot] == NULL) {
         OQS_KEM_PRINTF("OQS Warning: public key is NULL\n");
         return -1;
     }
@@ -168,7 +169,8 @@ static int oqs_qs_kem_decaps_keyslot(void *vpkemctx, unsigned char *out,
         OQS_KEM_PRINTF("OQS Warning: OQS_KEM not initialized\n");
         return -1;
     }
-    if (pkemctx->kem->comp_privkey[keyslot] == NULL) {
+    if (pkemctx->kem->comp_privkey == NULL
+        || pkemctx->kem->comp_privkey[keyslot] == NULL) {
         OQS_KEM_PRINTF("OQS Warning: private key is NULL\n");
         return -1;
     }