[openssl] OpenSSL_1_1_1-stable update

tomas at openssl.org tomas at openssl.org
Fri Apr 23 14:12:38 UTC 2021 

The branch OpenSSL_1_1_1-stable has been updated
       via  ccfe5ec8fe6c36e10aea373d44dcf04f65d94ef0 (commit)
       via  fff6d5966d00a9e2cb5270e0f7e49abbfce0c9bf (commit)
      from  1636de49219fd9ee11c91015f9c079c45aaf57c6 (commit)


- Log -----------------------------------------------------------------
commit ccfe5ec8fe6c36e10aea373d44dcf04f65d94ef0
Author: Tomas Mraz <tomas at openssl.org>
Date:   Thu Apr 22 12:45:39 2021 +0200

    Correct the return value on match and mismatch for MAC pkeys
    
    Fixes #14147
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14982)

commit fff6d5966d00a9e2cb5270e0f7e49abbfce0c9bf
Author: Tomas Mraz <tomas at openssl.org>
Date:   Thu Apr 22 11:16:37 2021 +0200

    Test that EVP_PKEY_cmp() returns 1 when comparing a key to itself
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14982)

-----------------------------------------------------------------------

Summary of changes:
 crypto/hmac/hm_ameth.c           |  3 ++-
 crypto/poly1305/poly1305_ameth.c |  2 +-
 crypto/siphash/siphash_ameth.c   |  2 +-
 test/evp_extra_test.c            | 11 ++++++++++-
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c
index 638f61b586..2477bd2e6a 100644
--- a/crypto/hmac/hm_ameth.c
+++ b/crypto/hmac/hm_ameth.c
@@ -47,7 +47,8 @@ static int hmac_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 
 static int hmac_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
 {
-    return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b));
+    /* the ameth pub_cmp must return 1 on match, 0 on mismatch */
+    return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)) == 0;
 }
 
 static int hmac_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv,
diff --git a/crypto/poly1305/poly1305_ameth.c b/crypto/poly1305/poly1305_ameth.c
index 0c8a91dc79..3736959355 100644
--- a/crypto/poly1305/poly1305_ameth.c
+++ b/crypto/poly1305/poly1305_ameth.c
@@ -43,7 +43,7 @@ static int poly1305_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 
 static int poly1305_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
 {
-    return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b));
+    return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)) == 0;
 }
 
 static int poly1305_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv,
diff --git a/crypto/siphash/siphash_ameth.c b/crypto/siphash/siphash_ameth.c
index 2da6dfec80..68331ab4c4 100644
--- a/crypto/siphash/siphash_ameth.c
+++ b/crypto/siphash/siphash_ameth.c
@@ -44,7 +44,7 @@ static int siphash_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 
 static int siphash_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
 {
-    return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b));
+    return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)) == 0;
 }
 
 static int siphash_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv,
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index a74f6332ac..f7ee73e6e2 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -818,10 +818,14 @@ static struct keys_st {
 } keys[] = {
     {
         EVP_PKEY_HMAC, "0123456789", NULL
+#ifndef OPENSSL_NO_POLY1305
     }, {
         EVP_PKEY_POLY1305, "01234567890123456789012345678901", NULL
+#endif
+#ifndef OPENSSL_NO_SIPHASH
     }, {
         EVP_PKEY_SIPHASH, "0123456789012345", NULL
+#endif
     },
 #ifndef OPENSSL_NO_EC
     {
@@ -851,18 +855,22 @@ static int test_set_get_raw_keys_int(int tst, int pub)
     EVP_PKEY *pkey;
 
     /* Check if this algorithm supports public keys */
-    if (keys[tst].pub == NULL)
+    if (pub && keys[tst].pub == NULL)
         return 1;
 
     memset(buf, 0, sizeof(buf));
 
     if (pub) {
+#ifndef OPENSSL_NO_EC
         inlen = strlen(keys[tst].pub);
         in = (unsigned char *)keys[tst].pub;
         pkey = EVP_PKEY_new_raw_public_key(keys[tst].type,
                                            NULL,
                                            in,
                                            inlen);
+#else
+        return 1;
+#endif
     } else {
         inlen = strlen(keys[tst].priv);
         in = (unsigned char *)keys[tst].priv;
@@ -873,6 +881,7 @@ static int test_set_get_raw_keys_int(int tst, int pub)
     }
 
     if (!TEST_ptr(pkey)
+            || !TEST_int_eq(EVP_PKEY_cmp(pkey, pkey), 1)
             || (!pub && !TEST_true(EVP_PKEY_get_raw_private_key(pkey, NULL, &len)))
             || (pub && !TEST_true(EVP_PKEY_get_raw_public_key(pkey, NULL, &len)))
             || !TEST_true(len == inlen)

More information about the openssl-commits mailing list