[openssl-commits] [openssl] master update

bernd.edlinger at hotmail.de bernd.edlinger at hotmail.de
Sat Jul 29 12:56:40 UTC 2017


The branch master has been updated
       via  0443b1171da43696a2cd67cfcb0624be1e3ee25b (commit)
       via  02fd47c8b0930dff9b188fd13bfb9da5e59444a8 (commit)
      from  03883e7e168b0f5ef52a516eeb86346b767e0298 (commit)


- Log -----------------------------------------------------------------
commit 0443b1171da43696a2cd67cfcb0624be1e3ee25b
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Sat Jul 29 12:23:00 2017 +0200

    Add some test coverage for PEM_read_bio_PrivateKey
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/4047)

commit 02fd47c8b0930dff9b188fd13bfb9da5e59444a8
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Sat Jul 29 12:19:29 2017 +0200

    Clean password buffer on stack for PEM_read_bio_PrivateKey
    and d2i_PKCS8PrivateKey_bio before it goes out of scope.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/4047)

-----------------------------------------------------------------------

Summary of changes:
 crypto/pem/pem_pk8.c         | 1 +
 crypto/pem/pem_pkey.c        | 1 +
 test/recipes/90-test_store.t | 6 +++++-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
index 993c595..5caad9f 100644
--- a/crypto/pem/pem_pk8.c
+++ b/crypto/pem/pem_pk8.c
@@ -131,6 +131,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
     }
     p8inf = PKCS8_decrypt(p8, psbuf, klen);
     X509_SIG_free(p8);
+    OPENSSL_cleanse(psbuf, klen);
     if (!p8inf)
         return NULL;
     ret = EVP_PKCS82PKEY(p8inf);
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 9356501..42ec933 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -67,6 +67,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
         }
         p8inf = PKCS8_decrypt(p8, psbuf, klen);
         X509_SIG_free(p8);
+        OPENSSL_cleanse(psbuf, klen);
         if (!p8inf)
             goto p8err;
         ret = EVP_PKCS82PKEY(p8inf);
diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t
index 699a67e..12ad951 100644
--- a/test/recipes/90-test_store.t
+++ b/test/recipes/90-test_store.t
@@ -74,7 +74,7 @@ my $n = (3 * scalar @noexist_files)
     + (4 * scalar @generated_files)
     + (scalar keys %generated_file_files)
     + (scalar @noexist_file_files)
-    + 3;
+    + 4;
 
 plan tests => $n;
 
@@ -83,6 +83,10 @@ indir "store_$$" => sub {
     {
         skip "failed initialisation", $n unless init();
 
+        # test PEM_read_bio_PrivateKey
+        ok(run(app(["openssl", "rsa", "-in", "rsa-key-pkcs8-pbes2-sha256.pem",
+                    "-passin", "pass:password"])));
+
         foreach (@noexist_files) {
             my $file = srctop_file($_);
             ok(!run(app(["openssl", "storeutl", $file])));


More information about the openssl-commits mailing list