[openssl] master update

tomas at openssl.org tomas at openssl.org
Mon Dec 6 15:39:06 UTC 2021


The branch master has been updated
       via  a44eb8421d0e84c069a5fa55ced796878e6b0966 (commit)
       via  c22b6592135bfba95a315e438ac7bfc6db461407 (commit)
       via  28257d60577932e66934096d0ee8a5dfaca1191e (commit)
       via  baa88d9d170b95fd6f177b3e5f8d8818e024a55d (commit)
      from  3dbf82438004b31258627f324841476c4f586c19 (commit)


- Log -----------------------------------------------------------------
commit a44eb8421d0e84c069a5fa55ced796878e6b0966
Author: Tomas Mraz <tomas at openssl.org>
Date:   Thu Dec 2 22:08:25 2021 +0100

    test_rsa: Test for PVK format conversion
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17181)

commit c22b6592135bfba95a315e438ac7bfc6db461407
Author: Tomas Mraz <tomas at openssl.org>
Date:   Thu Dec 2 22:07:38 2021 +0100

    key_to_type_specific_pem_bio_cb: Use passphrase callback from the arguments
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17181)

commit 28257d60577932e66934096d0ee8a5dfaca1191e
Author: Tomas Mraz <tomas at openssl.org>
Date:   Thu Dec 2 22:06:36 2021 +0100

    PVK decoder: prompt for PVK passphrase and not PEM
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17181)

commit baa88d9d170b95fd6f177b3e5f8d8818e024a55d
Author: Tomas Mraz <tomas at openssl.org>
Date:   Thu Dec 2 22:04:21 2021 +0100

    Fix pvk encoder to properly query for the passphrase
    
    The passphrase callback data was not properly initialized.
    
    Fixes #17054
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17181)

-----------------------------------------------------------------------

Summary of changes:
 crypto/passphrase.c                                  | 15 +++++++++++++--
 include/internal/passphrase.h                        |  1 +
 .../implementations/encode_decode/decode_pvk2key.c   |  2 +-
 .../implementations/encode_decode/encode_key2any.c   |  2 +-
 .../implementations/encode_decode/encode_key2ms.c    | 12 +++++++-----
 test/recipes/15-test_rsa.t                           | 20 +++++++++++++++++---
 test/recipes/tconversion.pl                          |  6 ++++--
 7 files changed, 44 insertions(+), 14 deletions(-)

diff --git a/crypto/passphrase.c b/crypto/passphrase.c
index fb8ea1deb1..d61e249440 100644
--- a/crypto/passphrase.c
+++ b/crypto/passphrase.c
@@ -296,7 +296,8 @@ int ossl_pw_get_passphrase(char *pass, size_t pass_size, size_t *pass_len,
     return ret;
 }
 
-int ossl_pw_pem_password(char *buf, int size, int rwflag, void *userdata)
+static int ossl_pw_get_password(char *buf, int size, int rwflag,
+                                void *userdata, const char *info)
 {
     size_t password_len = 0;
     OSSL_PARAM params[] = {
@@ -304,13 +305,23 @@ int ossl_pw_pem_password(char *buf, int size, int rwflag, void *userdata)
         OSSL_PARAM_END
     };
 
-    params[0].data = "PEM";
+    params[0].data = (void *)info;
     if (ossl_pw_get_passphrase(buf, (size_t)size, &password_len, params,
                                rwflag, userdata))
         return (int)password_len;
     return -1;
 }
 
+int ossl_pw_pem_password(char *buf, int size, int rwflag, void *userdata)
+{
+    return ossl_pw_get_password(buf, size, rwflag, userdata, "PEM");
+}
+
+int ossl_pw_pvk_password(char *buf, int size, int rwflag, void *userdata)
+{
+    return ossl_pw_get_password(buf, size, rwflag, userdata, "PVK");
+}
+
 int ossl_pw_passphrase_callback_enc(char *pass, size_t pass_size,
                                     size_t *pass_len,
                                     const OSSL_PARAM params[], void *arg)
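Review bot: `params[0].data = (void *)info;` on the new side casts away the const of `info` with nothing saying why, which is the kind of line a later reader flags as suspicious. A one-line comment settles it: `/* OSSL_PARAM.data is not const-qualified; the info string is only read */`. The two wrappers that follow also deserve a line each, e.g. `/* pem_password_cb that prompts with "PVK" rather than "PEM" as the info string */` above ossl_pw_pvk_password. The OSSL_PARAM entry that names the parameter sits between this hunk and the previous one, so the exact parameter key cannot be confirmed from here.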
diff --git a/include/internal/passphrase.h b/include/internal/passphrase.h
index ee0be9b128..54d997b0d9 100644
--- a/include/internal/passphrase.h
+++ b/include/internal/passphrase.h
@@ -114,6 +114,7 @@ int ossl_pw_get_passphrase(char *pass, size_t pass_size, size_t *pass_len,
  */
 
 pem_password_cb ossl_pw_pem_password;
+pem_password_cb ossl_pw_pvk_password;
 /* One callback for encoding (verification prompt) and one for decoding */
 OSSL_PASSPHRASE_CALLBACK ossl_pw_passphrase_callback_enc;
 OSSL_PASSPHRASE_CALLBACK ossl_pw_passphrase_callback_dec;
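Review bot: `ossl_pw_pvk_password` is declared without a word on how it differs from `ossl_pw_pem_password`; the comment block that closes at the top of this hunk presumably describes the latter, but its text is outside the hunk. A trailing comment on the new line would do: `pem_password_cb ossl_pw_pvk_password;  /* as ossl_pw_pem_password, but prompts with "PVK" as the info string */`.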
diff --git a/providers/implementations/encode_decode/decode_pvk2key.c b/providers/implementations/encode_decode/decode_pvk2key.c
index 30b42d2097..32206fe84d 100644
--- a/providers/implementations/encode_decode/decode_pvk2key.c
+++ b/providers/implementations/encode_decode/decode_pvk2key.c
@@ -100,7 +100,7 @@ static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
         if (!ossl_pw_set_ossl_passphrase_cb(&pwdata, pw_cb, pw_cbarg))
             goto end;
 
-        key = ctx->desc->read_private_key(in, ossl_pw_pem_password, &pwdata,
+        key = ctx->desc->read_private_key(in, ossl_pw_pvk_password, &pwdata,
                                           PROV_LIBCTX_OF(ctx->provctx), NULL);
 
         /*
diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c
index 7c9716bca9..ae15a5db46 100644
--- a/providers/implementations/encode_decode/encode_key2any.c
+++ b/providers/implementations/encode_decode/encode_key2any.c
@@ -401,7 +401,7 @@ static int key_to_type_specific_pem_bio_cb(BIO *out, const void *key,
 {
     return
         PEM_ASN1_write_bio(k2d, pemname, out, key, ctx->cipher,
-                           NULL, 0, ossl_pw_pem_password, &ctx->pwdata) > 0;
+                           NULL, 0, cb, cbarg) > 0;
 }
 
 static int key_to_type_specific_pem_priv_bio(BIO *out, const void *key,
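Review bot: the rewritten `PEM_ASN1_write_bio(..., cb, cbarg)` call forwards whatever the caller supplies, and when `cb` is NULL with `ctx->cipher` set and no key string, PEM_ASN1_write_bio falls back to its own built-in prompt rather than the provider's passphrase machinery — that is my recollection of pem_lib.c, so worth confirming. If every caller of key_to_type_specific_pem_bio_cb always passes a non-NULL callback this is fine, but the contract should be stated, e.g. `/* cb/cbarg come from the caller; a NULL cb lets PEM_ASN1_write_bio use its default prompt */`. The function's signature and parameter list are above the hunk, so they are not visible here.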
diff --git a/providers/implementations/encode_decode/encode_key2ms.c b/providers/implementations/encode_decode/encode_key2ms.c
index 3933a0d420..81528fefb6 100644
--- a/providers/implementations/encode_decode/encode_key2ms.c
+++ b/providers/implementations/encode_decode/encode_key2ms.c
@@ -47,8 +47,7 @@ static int write_msblob(struct key2ms_ctx_st *ctx, OSSL_CORE_BIO *cout,
 }
 
 static int write_pvk(struct key2ms_ctx_st *ctx, OSSL_CORE_BIO *cout,
-                     EVP_PKEY *pkey,
-                     OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
+                     EVP_PKEY *pkey)
 {
     BIO *out = NULL;
     int ret = 0;
@@ -56,7 +55,7 @@ static int write_pvk(struct key2ms_ctx_st *ctx, OSSL_CORE_BIO *cout,
 
     out = ossl_bio_new_from_core_bio(ctx->provctx, cout);
     ret = i2b_PVK_bio_ex(out, pkey, ctx->pvk_encr_level,
-                         ossl_pw_pem_password, &ctx->pwdata, libctx, NULL);
+                         ossl_pw_pvk_password, &ctx->pwdata, libctx, NULL);
     BIO_free(out);
 
     return ret;
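Review bot: `out` from `ossl_bio_new_from_core_bio` goes straight into `i2b_PVK_bio_ex` without a NULL check; as I understand that function's order of operations it will still call `ossl_pw_pvk_password` and encrypt the key before the write fails, so on BIO-creation failure the user is prompted for a passphrase that goes nowhere. A guard before the call avoids that: `if (out == NULL) return 0;`. write_pvk's signature is in the previous hunk and the declarations between the two hunks are not shown.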
@@ -81,6 +80,7 @@ static void key2ms_freectx(void *vctx)
 {
     struct key2ms_ctx_st *ctx = vctx;
 
+    ossl_pw_clear_passphrase_data(&ctx->pwdata);
     OPENSSL_free(ctx);
 }
 
@@ -154,8 +154,10 @@ static int key2pvk_encode(void *vctx, const void *key, int selection,
     if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) == 0)
         return 0;                /* Error */
 
-    if ((pkey = EVP_PKEY_new()) != NULL && set1_key(pkey, key))
-        ok = write_pvk(ctx, cout, pkey, pw_cb, pw_cbarg);
+    if ((pkey = EVP_PKEY_new()) != NULL && set1_key(pkey, key)
+        && (pw_cb == NULL
+            || ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, pw_cb, pw_cbarg)))
+        ok = write_pvk(ctx, cout, pkey);
     EVP_PKEY_free(pkey);
     return ok;
 }
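Review bot: after `ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, pw_cb, pw_cbarg)` the ctx keeps `pw_cb`/`pw_cbarg` until the next encode call or key2ms_freectx, yet `pw_cbarg` is presumably only valid for the duration of this call (the encode signature is above the hunk, so that is inferred). A stale pointer nobody dereferences is harmless today, but the lifetime should be explicit, e.g. `/* pw_cbarg belongs to the caller and is only used inside write_pvk below */`, or the callback could be reset once write_pvk returns. Also, when `pw_cb` is NULL the encode proceeds with whatever `ctx->pwdata` already holds, which is not obvious from the condition; a short comment on that branch would help.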
diff --git a/test/recipes/15-test_rsa.t b/test/recipes/15-test_rsa.t
index 301368b69b..420a57f8c1 100644
--- a/test/recipes/15-test_rsa.t
+++ b/test/recipes/15-test_rsa.t
@@ -16,7 +16,7 @@ use OpenSSL::Test::Utils;
 
 setup("test_rsa");
 
-plan tests => 10;
+plan tests => 12;
 
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
 
@@ -32,7 +32,7 @@ sub run_rsa_tests {
     ok(run(app([ 'openssl', $cmd, '-check', '-in', srctop_file('test', 'testrsa.pem'), '-noout'])),
            "$cmd -check" );
 
-     SKIP: {
+    SKIP: {
          skip "Skipping $cmd conversion test", 3
              if disabled("rsa");
 
@@ -47,7 +47,7 @@ sub run_rsa_tests {
          };
     }
 
-     SKIP: {
+    SKIP: {
          skip "Skipping msblob conversion test", 1
              if disabled($cmd) || $cmd eq 'pkey';
 
@@ -57,4 +57,18 @@ sub run_rsa_tests {
                           -args => ["rsa", "-pubin", "-pubout"] );
          };
     }
+    SKIP: {
+         skip "Skipping PVK conversion test", 1
+             if disabled($cmd) || $cmd eq 'pkey' || disabled("rc4")
+                || disabled ("legacy");
+
+         subtest "$cmd conversions -- private key" => sub {
+             tconversion( -type => 'pvk', -prefix => "$cmd-pvk",
+                          -in => srctop_file("test", "testrsa.pem"),
+                          -args => ["rsa", "-passin", "pass:testpass",
+                                    "-passout", "pass:testpass",
+                                    "-provider", "default",
+                                    "-provider", "legacy"] );
+         };
+    }
 }
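Review bot: `disabled ("legacy")` in the new skip condition has a space before the parenthesis that no other call in this file uses (`disabled($cmd)` and `disabled("rc4")` on the same line); make it `disabled("legacy")`. Separately, the subtest supplies the passphrase via `-passin pass:testpass -passout pass:testpass`, so no prompt is ever displayed and the PEM→PVK prompt-label change from the earlier commits is not exercised here; that is fine for a conversion round-trip, but a `note` saying the test covers conversion only would stop someone assuming otherwise. run_rsa_tests starts above the hunk.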
diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl
index f60954c0ba..063be620a3 100644
--- a/test/recipes/tconversion.pl
+++ b/test/recipes/tconversion.pl
@@ -19,6 +19,7 @@ my %conversionforms = (
     # specific test types as key.
     "*"		=> [ "d", "p" ],
     "msb"	=> [ "d", "p", "msblob" ],
+    "pvk"	=> [ "d", "p", "pvk" ],
     );
 sub tconversion {
     my %opts = @_;
@@ -45,8 +46,9 @@ sub tconversion {
 	+ $n			# initial conversions from p to all forms (A)
 	+ $n*$n			# conversion from result of A to all forms (B)
 	+ 1			# comparing original test file to p form of A
-	+ $n*($n-1);		# comparing first conversion to each fom in A with B
+	+ $n*($n-1);		# comparing first conversion to each form in A with B
     $totaltests-- if ($testtype eq "p7d"); # no comparison of original test file
+    $totaltests -= $n if ($testtype eq "pvk"); # no comparisons of the pvk form
     plan tests => $totaltests;
 
     my @cmd = ("openssl", @openssl_args);
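Review bot: the new `$totaltests -= $n if ($testtype eq "pvk")` line says that the pvk form is not compared but not why; the loop that skips it is in a later hunk. Presumably the encrypted PVK output is not byte-stable across runs (random salt), which is why `cmp_text` cannot be applied, but that is inference — if it is the reason, say so: `# no comparisons of the pvk form: encrypted PVK output differs between runs`. If pvk output were in fact deterministic, the comparison could be kept and this adjustment dropped.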
@@ -91,7 +93,7 @@ sub tconversion {
       }
 
       foreach my $to (@conversionforms) {
-	  next if $to eq "d";
+	  next if $to eq "d" or $to eq "pvk";
 	  foreach my $from (@conversionforms) {
 	      is(cmp_text("$prefix-f.$to", "$prefix-ff.$from$to"), 0,
 		 "comparing $to to $from$to");

