[openssl] master update

tmraz at fedoraproject.org tmraz at fedoraproject.org
Thu Oct 8 15:54:42 UTC 2020


The branch master has been updated
       via  d00bd4e452e846a610284fe2be3e9358153251e7 (commit)
      from  13c5ec569ea9286ff18e019fb2d53be64829c62c (commit)


- Log -----------------------------------------------------------------
commit d00bd4e452e846a610284fe2be3e9358153251e7
Author: Daniel Bevenius <daniel.bevenius at gmail.com>
Date:   Mon Oct 5 08:14:29 2020 +0200

    Set mark and pop error in d2i_PrivateKey_ex
    
    This commit sets the error mark before calling old_priv_decode and if
    old_priv_decode returns false, and if EVP_PKCS82PKEY is successful, the
    errors are popped to the previously set mark.
    
    The motivation for this is an issue we found when linking Node.js
    against OpenSSL 3.0. Details can be found in the link below and the
    test case provided in this commit attempts cover this.
    
    Refs: https://github.com/danbev/learning-libcrypto#asn1-wrong-tag-issue
    Refs: https://github.com/nodejs/node/issues/29817
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/13073)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/d2i_pr.c   | 13 +++++++++++--
 test/evp_extra_test2.c | 23 +++++++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c
index 838ce25b90..b478112349 100644
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -45,6 +45,7 @@ EVP_PKEY *d2i_PrivateKey_ex(int type, EVP_PKEY **a, const unsigned char **pp,
         goto err;
     }
 
+    ERR_set_mark();
     if (!ret->ameth->old_priv_decode ||
         !ret->ameth->old_priv_decode(ret, &p, length)) {
         if (ret->ameth->priv_decode != NULL
@@ -52,20 +53,28 @@ EVP_PKEY *d2i_PrivateKey_ex(int type, EVP_PKEY **a, const unsigned char **pp,
             EVP_PKEY *tmp;
             PKCS8_PRIV_KEY_INFO *p8 = NULL;
             p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length);
-            if (p8 == NULL)
+            if (p8 == NULL) {
+                ERR_clear_last_mark();
                 goto err;
+            }
             tmp = EVP_PKCS82PKEY_ex(p8, libctx, propq);
             PKCS8_PRIV_KEY_INFO_free(p8);
-            if (tmp == NULL)
+            if (tmp == NULL) {
+                ERR_clear_last_mark();
                 goto err;
+            }
             EVP_PKEY_free(ret);
             ret = tmp;
+            ERR_pop_to_mark();
             if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret))
                 goto err;
         } else {
+            ERR_clear_last_mark();
             ASN1err(0, ERR_R_ASN1_LIB);
             goto err;
         }
+    } else {
+      ERR_clear_last_mark();
     }
     *pp = p;
     if (a != NULL)
diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c
index 63380f878a..0667a82647 100644
--- a/test/evp_extra_test2.c
+++ b/test/evp_extra_test2.c
@@ -15,6 +15,7 @@
  */
 
 #include <openssl/evp.h>
+#include <openssl/pem.h>
 #include <openssl/provider.h>
 #include "testutil.h"
 #include "internal/nelem.h"
@@ -248,6 +249,27 @@ static int test_alternative_default(void)
     return ok;
 }
 
+static int test_d2i_PrivateKey_ex(void) {
+    int ok;
+    OSSL_PROVIDER *provider;
+    BIO *key_bio;
+    EVP_PKEY* pkey;
+    ok = 0;
+
+    provider = OSSL_PROVIDER_load(NULL, "default");
+    key_bio = BIO_new_mem_buf((&keydata[0])->kder, (&keydata)[0]->size);
+
+    ok = TEST_ptr(pkey = PEM_read_bio_PrivateKey(key_bio, NULL, NULL, NULL));
+    TEST_int_eq(ERR_peek_error(), 0);
+    test_openssl_errors();
+
+    EVP_PKEY_free(pkey);
+    BIO_free(key_bio);
+    OSSL_PROVIDER_unload(provider);
+
+    return ok;
+}
+
 int setup_tests(void)
 {
     mainctx = OPENSSL_CTX_new();
@@ -264,6 +286,7 @@ int setup_tests(void)
 
     ADD_TEST(test_alternative_default);
     ADD_ALL_TESTS(test_d2i_AutoPrivateKey_ex, OSSL_NELEM(keydata));
+    ADD_TEST(test_d2i_PrivateKey_ex);
 
     return 1;
 }


More information about the openssl-commits mailing list