[openssl-commits] [openssl] master update

Richard Levitte levitte at openssl.org
Wed Jul 5 20:38:09 UTC 2017 

The branch master has been updated
       via  11d66064f36e6968faffb48a2cfd58cbe37eff0c (commit)
      from  c8feba723a33e15201009d716d9ead02e653dfe6 (commit)


- Log -----------------------------------------------------------------
commit 11d66064f36e6968faffb48a2cfd58cbe37eff0c
Author: Richard Levitte <levitte at openssl.org>
Date:   Wed Jul 5 20:54:08 2017 +0200

    STORE 'file' scheme loader: fix try_decode_params() to check ambiguity
    
    The way try_decode_params works in raw more, it would take the first ASN1
    that could decode and return a STORE_INFO with the resulting EVP_PKEY.
    This change has it go through all the matching ASN1 methods and properly
    check if there's more than one match, i.e. an ambiguity.
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/3863)

-----------------------------------------------------------------------

Summary of changes:
 crypto/store/loader_file.c | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/crypto/store/loader_file.c b/crypto/store/loader_file.c
index ebcad03..5b0ca97 100644
--- a/crypto/store/loader_file.c
+++ b/crypto/store/loader_file.c
@@ -480,12 +480,13 @@ static OSSL_STORE_INFO *try_decode_params(const char *pem_name,
         *matchcount = 1;
     }
 
-    if ((pkey = EVP_PKEY_new()) == NULL) {
-        OSSL_STOREerr(OSSL_STORE_F_TRY_DECODE_PARAMS, ERR_R_EVP_LIB);
-        return NULL;
-    }
-
     if (slen > 0) {
+        if ((pkey = EVP_PKEY_new()) == NULL) {
+            OSSL_STOREerr(OSSL_STORE_F_TRY_DECODE_PARAMS, ERR_R_EVP_LIB);
+            return NULL;
+        }
+
+
         if (EVP_PKEY_set_type_str(pkey, pem_name, slen)
             && (ameth = EVP_PKEY_get0_asn1(pkey)) != NULL
             && ameth->param_decode != NULL
@@ -493,22 +494,37 @@ static OSSL_STORE_INFO *try_decode_params(const char *pem_name,
             ok = 1;
     } else {
         int i;
+        EVP_PKEY *tmp_pkey = NULL;
 
         for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) {
             const unsigned char *tmp_blob = blob;
 
+            if (tmp_pkey == NULL && (tmp_pkey = EVP_PKEY_new()) == NULL) {
+                OSSL_STOREerr(OSSL_STORE_F_TRY_DECODE_PARAMS, ERR_R_EVP_LIB);
+                break;
+            }
+
             ameth = EVP_PKEY_asn1_get0(i);
             if (ameth->pkey_flags & ASN1_PKEY_ALIAS)
                 continue;
-            if (EVP_PKEY_set_type(pkey, ameth->pkey_id)
-                && (ameth = EVP_PKEY_get0_asn1(pkey)) != NULL
+
+            if (EVP_PKEY_set_type(tmp_pkey, ameth->pkey_id)
+                && (ameth = EVP_PKEY_get0_asn1(tmp_pkey)) != NULL
                 && ameth->param_decode != NULL
-                && ameth->param_decode(pkey, &tmp_blob, len)) {
+                && ameth->param_decode(tmp_pkey, &tmp_blob, len)) {
+                if (pkey != NULL)
+                    EVP_PKEY_free(tmp_pkey);
+                else
+                    pkey = tmp_pkey;
+                tmp_pkey = NULL;
                 (*matchcount)++;
-                ok = 1;
-                break;
             }
         }
+
+        EVP_PKEY_free(tmp_pkey);
+        if (*matchcount == 1) {
+            ok = 1;
+        }
     }
 
     if (ok)

More information about the openssl-commits mailing list