[openssl] OpenSSL_1_1_1-stable update

nic.tuv at gmail.com nic.tuv at gmail.com
Tue Jul 7 08:59:08 UTC 2020


The branch OpenSSL_1_1_1-stable has been updated
       via  e1c246bd7682fd1b0fcbba5a224f3cacc1ba278d (commit)
       via  1940c092a52afd8bc919b8faa5f3d51004503f3a (commit)
       via  2797fea7608063f54cf45763d1a7ae60a67dae65 (commit)
      from  a98fa843b8ab00e8f3b966a1f5321aaffe805100 (commit)


- Log -----------------------------------------------------------------
commit e1c246bd7682fd1b0fcbba5a224f3cacc1ba278d
Author: Nicola Tuveri <nic.tuv at gmail.com>
Date:   Sun Jun 28 20:23:29 2020 +0300

    [test][15-test_genec] Improve EC tests with genpkey
    
    Test separately EC parameters and EC key generation.
    
    Some curves only support explicit params encoding.
    
    For some curves we have had cases in which generating the parameters
    under certain conditions failed, while generating and serializing a key
    under the same conditions did not.
    See <https://github.com/openssl/openssl/issues/12306> for more details.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12308)

commit 1940c092a52afd8bc919b8faa5f3d51004503f3a
Author: Nicola Tuveri <nic.tuv at gmail.com>
Date:   Sat Jun 27 01:42:49 2020 +0300

    [apps/genpkey] exit status should not be 0 on output errors
    
    If the key is to be serialized or printed as text and the framework
    returns an error, the app should signal the failure to the user using
    a non-zero exit status.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12305)
    
    (cherry picked from commit 466d30c0d7fa861a5fcbaebd2e2010a8c2aea322)

commit 2797fea7608063f54cf45763d1a7ae60a67dae65
Author: Nicola Tuveri <nic.tuv at gmail.com>
Date:   Mon Jun 29 00:53:46 2020 +0300

    [EC][ASN1] Detect missing OID when serializing EC parameters and keys
    
    The following built-in curves do not have an assigned OID:
    
    - Oakley-EC2N-3
    - Oakley-EC2N-4
    
    In general we shouldn't assume that an OID is always available.
    
    This commit detects such cases, raises an error and returns appropriate
    return values so that the condition can be detected and correctly
    handled by the callers, when serializing EC parameters or EC keys with
    the default `ec_param_enc:named_curve`.
    
    Fixes #12306
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12312)

-----------------------------------------------------------------------

Summary of changes:
 apps/genpkey.c               |   6 +-
 crypto/ec/ec_ameth.c         |   9 ++-
 crypto/ec/ec_asn1.c          |  11 +++-
 crypto/ec/ec_err.c           |   3 +-
 crypto/err/openssl.txt       |   1 +
 crypto/pem/pem_lib.c         |   2 +-
 include/openssl/ecerr.h      |   3 +-
 test/recipes/15-test_genec.t | 147 ++++++++++++++++++++++++++++++++++++++++---
 8 files changed, 164 insertions(+), 18 deletions(-)

diff --git a/apps/genpkey.c b/apps/genpkey.c
index 39fa73c91c..e74c74a7a8 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -177,9 +177,12 @@ int genpkey_main(int argc, char **argv)
         goto end;
     }
 
+    ret = 0;
+
     if (rv <= 0) {
         BIO_puts(bio_err, "Error writing key\n");
         ERR_print_errors(bio_err);
+        ret = 1;
     }
 
     if (text) {
@@ -191,11 +194,10 @@ int genpkey_main(int argc, char **argv)
         if (rv <= 0) {
             BIO_puts(bio_err, "Error printing key\n");
             ERR_print_errors(bio_err);
+            ret = 1;
         }
     }
 
-    ret = 0;
-
  end:
     EVP_PKEY_free(pkey);
     EVP_PKEY_CTX_free(ctx);
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index b7b82e54a3..06e2519c20 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -35,7 +35,14 @@ static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key)
         && (nid = EC_GROUP_get_curve_name(group)))
         /* we have a 'named curve' => just set the OID */
     {
-        *ppval = OBJ_nid2obj(nid);
+        ASN1_OBJECT *asn1obj = OBJ_nid2obj(nid);
+
+        if (asn1obj == NULL || OBJ_length(asn1obj) == 0) {
+            ASN1_OBJECT_free(asn1obj);
+            ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_OID);
+            return 0;
+        }
+        *ppval = asn1obj;
         *pptype = V_ASN1_OBJECT;
     } else {                    /* explicit parameters */
 
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 006f9a5dea..96e7d83ea7 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -547,9 +547,16 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
          */
         tmp = EC_GROUP_get_curve_name(group);
         if (tmp) {
-            ret->type = 0;
-            if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL)
+            ASN1_OBJECT *asn1obj = OBJ_nid2obj(tmp);
+
+            if (asn1obj == NULL || OBJ_length(asn1obj) == 0) {
+                ASN1_OBJECT_free(asn1obj);
+                ECerr(EC_F_EC_GROUP_GET_ECPKPARAMETERS, EC_R_MISSING_OID);
                 ok = 0;
+            } else {
+                ret->type = 0;
+                ret->value.named_curve = asn1obj;
+            }
         } else
             /* we don't know the nid => ERROR */
             ok = 0;
diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
index ce34938232..bfe7422650 100644
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -341,6 +341,7 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_LADDER_POST_FAILURE), "ladder post failure"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_LADDER_PRE_FAILURE), "ladder pre failure"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_LADDER_STEP_FAILURE), "ladder step failure"},
+    {ERR_PACK(ERR_LIB_EC, 0, EC_R_MISSING_OID), "missing OID"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_MISSING_PARAMETERS), "missing parameters"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_MISSING_PRIVATE_KEY), "missing private key"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_NEED_NEW_SETUP_VALUES),
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index c90df98c29..3ca271beb5 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2165,6 +2165,7 @@ EC_R_KEYS_NOT_SET:140:keys not set
 EC_R_LADDER_POST_FAILURE:136:ladder post failure
 EC_R_LADDER_PRE_FAILURE:153:ladder pre failure
 EC_R_LADDER_STEP_FAILURE:162:ladder step failure
+EC_R_MISSING_OID:167:missing OID
 EC_R_MISSING_PARAMETERS:124:missing parameters
 EC_R_MISSING_PRIVATE_KEY:125:missing private key
 EC_R_NEED_NEW_SETUP_VALUES:157:need new setup values
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 093ba09aeb..4406365ee8 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -332,7 +332,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
         }
     }
 
-    if ((dsize = i2d(x, NULL)) < 0) {
+    if ((dsize = i2d(x, NULL)) <= 0) {
         PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, ERR_R_ASN1_LIB);
         dsize = 0;
         goto err;
diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h
index f7b9183456..51738113dc 100644
--- a/include/openssl/ecerr.h
+++ b/include/openssl/ecerr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -243,6 +243,7 @@ int ERR_load_EC_strings(void);
 #  define EC_R_LADDER_POST_FAILURE                         136
 #  define EC_R_LADDER_PRE_FAILURE                          153
 #  define EC_R_LADDER_STEP_FAILURE                         162
+#  define EC_R_MISSING_OID                                 167
 #  define EC_R_MISSING_PARAMETERS                          124
 #  define EC_R_MISSING_PRIVATE_KEY                         125
 #  define EC_R_NEED_NEW_SETUP_VALUES                       157
diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
index b778d6f536..1b7ec026fa 100644
--- a/test/recipes/15-test_genec.t
+++ b/test/recipes/15-test_genec.t
@@ -102,10 +102,14 @@ my @binary_curves = qw(
     wap-wsg-idm-ecid-wtls5
     wap-wsg-idm-ecid-wtls10
     wap-wsg-idm-ecid-wtls11
-    Oakley-EC2N-3
-    Oakley-EC2N-4
 );
 
+my @explicit_only_curves = ();
+push(@explicit_only_curves, qw(
+        Oakley-EC2N-3
+        Oakley-EC2N-4
+    )) if !disabled("ec2m");
+
 my @other_curves = ();
 push(@other_curves, 'SM2')
     if !disabled("sm2");
@@ -143,13 +147,27 @@ my @output_formats = ('PEM', 'DER');
 
 plan tests => scalar(@curve_list) * scalar(@params_encodings)
     * (1 + scalar(@output_formats)) # Try listed @output_formats and text output
+    * 2                             # Test generating parameters and keys
     + 1                             # Checking that with no curve it fails
     + 1                             # Checking that with unknown curve it fails
+    + 1                             # Subtest for explicit only curves
     ;
 
+ok(!run(app([ 'openssl', 'genpkey',
+              '-algorithm', 'EC'])),
+   "genpkey EC with no params should fail");
+
+ok(!run(app([ 'openssl', 'genpkey',
+              '-algorithm', 'EC',
+              '-pkeyopt', 'ec_paramgen_curve:bogus_foobar_curve'])),
+   "genpkey EC with unknown curve name should fail");
+
 foreach my $curvename (@curve_list) {
     foreach my $paramenc (@params_encodings) {
-        ok(run(app([ 'openssl', 'genpkey',
+
+        # --- Test generating parameters ---
+
+        ok(run(app([ 'openssl', 'genpkey', '-genparam',
                      '-algorithm', 'EC',
                      '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
                      '-pkeyopt', 'ec_param_enc:'.$paramenc,
@@ -166,14 +184,123 @@ foreach my $curvename (@curve_list) {
                          '-out', $outfile])),
                "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
        }
+
+        # --- Test generating actual keys ---
+
+        ok(run(app([ 'openssl', 'genpkey',
+                     '-algorithm', 'EC',
+                     '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+                     '-pkeyopt', 'ec_param_enc:'.$paramenc,
+                     '-text'])),
+           "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+        foreach my $outform (@output_formats) {
+            my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+            ok(run(app([ 'openssl', 'genpkey',
+                         '-algorithm', 'EC',
+                         '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+                         '-pkeyopt', 'ec_param_enc:'.$paramenc,
+                         '-outform', $outform,
+                         '-out', $outfile])),
+               "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+       }
     }
 }
 
-ok(!run(app([ 'openssl', 'genpkey',
-              '-algorithm', 'EC'])),
-   "genpkey EC with no params should fail");
+subtest "test curves that only support explicit parameters encoding" => sub {
+    @curve_list = @explicit_only_curves;
 
-ok(!run(app([ 'openssl', 'genpkey',
-              '-algorithm', 'EC',
-              '-pkeyopt', 'ec_paramgen_curve:bogus_foobar_curve'])),
-   "genpkey EC with unknown curve name should fail");
+    plan skip_all => "This test is unsupported under current configuration"
+        if scalar(@curve_list) <= 0;
+
+    plan tests => scalar(@curve_list) * scalar(@params_encodings)
+        * (1 + scalar(@output_formats)) # Try listed @output_formats and text output
+        * 2                             # Test generating parameters and keys
+        ;
+
+    foreach my $curvename (@curve_list) {
+        my $paramenc = "explicit";
+
+        # --- Test generating parameters ---
+
+        ok(run(app([ 'openssl', 'genpkey', '-genparam',
+                     '-algorithm', 'EC',
+                     '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+                     '-pkeyopt', 'ec_param_enc:'.$paramenc,
+                     '-text'])),
+           "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+        foreach my $outform (@output_formats) {
+            my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+            ok(run(app([ 'openssl', 'genpkey', '-genparam',
+                         '-algorithm', 'EC',
+                         '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+                         '-pkeyopt', 'ec_param_enc:'.$paramenc,
+                         '-outform', $outform,
+                         '-out', $outfile])),
+               "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+       }
+
+        # --- Test generating actual keys ---
+
+        ok(run(app([ 'openssl', 'genpkey',
+                     '-algorithm', 'EC',
+                     '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+                     '-pkeyopt', 'ec_param_enc:'.$paramenc,
+                     '-text'])),
+           "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+        foreach my $outform (@output_formats) {
+            my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+            ok(run(app([ 'openssl', 'genpkey',
+                         '-algorithm', 'EC',
+                         '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+                         '-pkeyopt', 'ec_param_enc:'.$paramenc,
+                         '-outform', $outform,
+                         '-out', $outfile])),
+               "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+       }
+
+        my $paramenc = "named_curve";
+
+        # --- Test generating parameters ---
+
+        ok(!run(app([ 'openssl', 'genpkey', '-genparam',
+                      '-algorithm', 'EC',
+                      '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+                      '-pkeyopt', 'ec_param_enc:'.$paramenc,
+                      '-text'])),
+           "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+        foreach my $outform (@output_formats) {
+            my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+            ok(!run(app([ 'openssl', 'genpkey', '-genparam',
+                          '-algorithm', 'EC',
+                          '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+                          '-pkeyopt', 'ec_param_enc:'.$paramenc,
+                          '-outform', $outform,
+                          '-out', $outfile])),
+               "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+       }
+
+        # --- Test generating actual keys ---
+
+        ok(!run(app([ 'openssl', 'genpkey',
+                      '-algorithm', 'EC',
+                      '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+                      '-pkeyopt', 'ec_param_enc:'.$paramenc,
+                      '-text'])),
+           "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+        foreach my $outform (@output_formats) {
+            my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+            ok(!run(app([ 'openssl', 'genpkey',
+                          '-algorithm', 'EC',
+                          '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+                          '-pkeyopt', 'ec_param_enc:'.$paramenc,
+                          '-outform', $outform,
+                          '-out', $outfile])),
+               "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+       }
+    }
+};


More information about the openssl-commits mailing list