[openssl] OpenSSL_1_1_1-stable update
Richard Levitte
levitte at openssl.org
Fri May 22 07:03:21 UTC 2020
The branch OpenSSL_1_1_1-stable has been updated
via 176eb406691f14d560cf7619365830a4d033ee28 (commit)
from cf94e8430f3cd7c17f62b74443d16347b4b97ac8 (commit)
- Log -----------------------------------------------------------------
commit 176eb406691f14d560cf7619365830a4d033ee28
Author: Richard Levitte <levitte at openssl.org>
Date: Mon May 11 09:14:11 2020 +0200
Fix d2i_PrivateKey() to work as documented
d2i_PrivateKey() is documented to return keys of the type given as
first argument |type|, unconditionally. Most specifically, the manual
says this:
> An error occurs if the decoded key does not match type.
However, when faced with a PKCS#8 wrapped key, |type| was ignored, which
may lead to unexpected results.
(cherry picked from commit b2952366dd0248bf35c83e1736cd203033a22378)
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11888)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/d2i_pr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c
index 6ec0107380..ac1a8c429a 100644
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -56,6 +56,8 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
goto err;
EVP_PKEY_free(ret);
ret = tmp;
+ if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret))
+ goto err;
} else {
ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
goto err;
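Review bot: The new type-mismatch check jumps to err without putting anything on the error queue, whereas the else branch just below it calls ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB) before its goto err. A caller that passes a PKCS#8 wrapped key of the wrong type will get a failure with no reason recorded for this step, which makes the documented "An error occurs if the decoded key does not match type" hard to diagnose. Consider raising an ASN1err() with a reason that describes the mismatch before the goto. The summary also shows only crypto/asn1/d2i_pr.c changed, so a regression test that feeds d2i_PrivateKey() a PKCS#8 key with a non-matching |type| and expects failure would be worth adding alongside this.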