[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Richard Levitte
levitte at openssl.org
Tue Aug 7 05:59:46 UTC 2018
The branch OpenSSL_1_0_2-stable has been updated
via f72a7ce8bc0a5c0866c6a848a7f54854d67aeba2 (commit)
from 29d8bda90ce824263317eae5354388f79844dd51 (commit)
- Log -----------------------------------------------------------------
commit f72a7ce8bc0a5c0866c6a848a7f54854d67aeba2
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Aug 7 06:21:43 2018 +0200
Make EVP_PKEY_asn1_new() stricter with its input
Reviewed-by: Tim Hudson <tjh at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6881)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 5 +++++
crypto/asn1/ameth_lib.c | 12 ++++++++++++
2 files changed, 17 insertions(+)
diff --git a/CHANGES b/CHANGES
index b8e2f86..4f24046 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,11 @@
Changes between 1.0.2o and 1.0.2p [xx XXX xxxx]
+ *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
+ [Richard Levitte]
+
*) Revert blinding in ECDSA sign and instead make problematic addition
length-invariant. Switch even to fixed-length Montgomery multiplication.
[Andy Polyakov]
diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c
index 43ddebb..8f49071 100644
--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@@ -305,6 +305,18 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
} else
ameth->info = NULL;
+ /*
+ * One of the following must be true:
+ *
+ * pem_str == NULL AND ASN1_PKEY_ALIAS is set
+ * pem_str != NULL AND ASN1_PKEY_ALIAS is clear
+ *
+ * Anything else is an error and may lead to a corrupt ASN1 method table
+ */
+ if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0)
+ || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0)))
+ goto err;
+
if (pem_str) {
ameth->pem_str = BUF_strdup(pem_str);
if (!ameth->pem_str)
More information about the openssl-commits
mailing list