[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Fri Feb 8 10:08:15 UTC 2019
The branch OpenSSL_1_1_1-stable has been updated
via 25ca718150cef41e1c1d9c2c8c58e2b1e2cad3fa (commit)
via 3dbec21b4603eb0fde6cd97202d8a374415e1da8 (commit)
from ee774d5d3cb38455e8c9d4d73612bf6eebdfa335 (commit)
- Log -----------------------------------------------------------------
commit 25ca718150cef41e1c1d9c2c8c58e2b1e2cad3fa
Author: Todd Short <tshort at akamai.com>
Date: Wed Feb 6 09:28:22 2019 -0500

    Update d2i_PrivateKey documentation

    Reviewed-by: Paul Yang <yang.yang at baishancloud.com>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8168)

    (cherry picked from commit 1980ce45d6bdd2b57df7003d6b56b5df560b9064)

commit 3dbec21b4603eb0fde6cd97202d8a374415e1da8
Author: Todd Short <tshort at akamai.com>
Date: Mon Feb 4 16:04:11 2019 -0500

    Fix d2i_PublicKey() for EC keys

    o2i_ECPublicKey() requires an EC_KEY structure filled with an EC_GROUP.

    o2i_ECPublicKey() is called by d2i_PublicKey(). In order to fulfill the
    o2i_ECPublicKey()'s requirement, d2i_PublicKey() needs to be called with
    an EVP_PKEY with an EC_KEY containing an EC_GROUP.

    However, the call to EVP_PKEY_set_type() frees any existing key structure
    inside the EVP_PKEY, thus freeing the EC_KEY with the EC_GROUP that
    o2i_ECPublicKey() needs.

    This means you can't d2i_PublicKey() for an EC key...

    The fix is to check to see if the type is already set appropriately, and
    if so, not call EVP_PKEY_set_type().

    Reviewed-by: Paul Yang <yang.yang at baishancloud.com>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8168)

    (cherry picked from commit 2aa2beb06cc25c1f8accdc3d87b946205becfd86)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/d2i_pu.c | 2 +-
doc/man3/d2i_PrivateKey.pod | 18 +++++++++++-------
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/crypto/asn1/d2i_pu.c b/crypto/asn1/d2i_pu.c
index 9452e08..778114d 100644
--- a/crypto/asn1/d2i_pu.c
+++ b/crypto/asn1/d2i_pu.c
@@ -32,7 +32,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
} else
ret = *a;
- if (!EVP_PKEY_set_type(ret, type)) {
+ if (type != EVP_PKEY_id(ret) && !EVP_PKEY_set_type(ret, type)) {
ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_EVP_LIB);
goto err;
}
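
Review bot: The new guard "type != EVP_PKEY_id(ret)" in d2i_PublicKey() skips EVP_PKEY_set_type() for every key type, not only EVP_PKEY_EC, so any reused *a whose type already matches now keeps its existing key structure instead of having it freed and reset. If only the EC path needs the caller's EC_KEY preserved, consider limiting the skip to EVP_PKEY_EC, or confirm that the other decode paths (not visible in this hunk) cope with a pre-populated key. A one-line comment above the condition saying that the EC_KEY and its EC_GROUP must survive for o2i_ECPublicKey() would explain why the check exists, and since the diffstat lists only d2i_pu.c and the .pod file, a regression test that decodes an EC public key through d2i_PublicKey() would be worth adding.
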
diff --git a/doc/man3/d2i_PrivateKey.pod b/doc/man3/d2i_PrivateKey.pod
index 13415d5..4e3f20f 100644
--- a/doc/man3/d2i_PrivateKey.pod
+++ b/doc/man3/d2i_PrivateKey.pod
@@ -50,15 +50,19 @@ If the B<*a> is not NULL when calling d2i_PrivateKey() or d2i_AutoPrivateKey()
(i.e. an existing structure is being reused) and the key format is PKCS#8
then B<*a> will be freed and replaced on a successful call.
+To decode a key with type B<EVP_PKEY_EC>, d2i_PublicKey() requires B<*a> to be
+a non-NULL EVP_PKEY structure assigned an EC_KEY structure referencing the proper
+EC_GROUP.
+
=head1 RETURN VALUES
-d2i_PrivateKey() and d2i_AutoPrivateKey() return a valid B<EVP_KEY> structure
-or B<NULL> if an error occurs. The error code can be obtained by calling
-L<ERR_get_error(3)>.
+The d2i_PrivateKey(), d2i_AutoPrivateKey(), d2i_PrivateKey_bio(), d2i_PrivateKey_fp(),
+and d2i_PublicKey() functions return a valid B<EVP_KEY> structure or B<NULL> if an
+error occurs. The error code can be obtained by calling L<ERR_get_error(3)>.
-i2d_PrivateKey() returns the number of bytes successfully encoded or a
-negative value if an error occurs. The error code can be obtained by calling
-L<ERR_get_error(3)>.
+i2d_PrivateKey() and i2d_PublicKey() return the number of bytes successfully
+encoded or a negative value if an error occurs. The error code can be obtained
+by calling L<ERR_get_error(3)>.
=head1 SEE ALSO
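
Review bot: The rewritten RETURN VALUES sentence still spells the return type B<EVP_KEY>; the paragraph added earlier in this hunk calls the structure EVP_PKEY, so this should read B<EVP_PKEY>. The new EVP_PKEY_EC paragraph also states the precondition on B<*a> without saying what the caller sees when it is not met (B<*a> NULL, or an EC_KEY without its EC_GROUP); a sentence stating that outcome would make the requirement actionable. Because the note concerns d2i_PublicKey() but lives in d2i_PrivateKey.pod, it would also help to say explicitly that it does not apply to d2i_PrivateKey().
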
@@ -67,7 +71,7 @@ L<d2i_PKCS8PrivateKey_bio(3)>
=head1 COPYRIGHT
-Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy