[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Fri Feb 19 09:30:51 UTC 2021
The branch master has been updated
via eabb3014165a1319ceb8a69cc135feb99f288293 (commit)
from 576892d78f80cf9a169e7f766319c843e430f378 (commit)
- Log -----------------------------------------------------------------
commit eabb3014165a1319ceb8a69cc135feb99f288293
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Wed Feb 17 13:13:51 2021 +1000
Fix DH ASN1 decode so that it detects named groups.
The dh->nid was not being set if the loaded p,g matched an inbuilt named
group for "DH".
NOTE: The "DHX" related path already worked since it calls DH_set0_pqg()
(which does the name group check).
This bug was detected when new tests were added for dh5114 groups, combined
with the no-cache tests i.e. loading+import+export set the nid,
but just loading did not.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14207)
-----------------------------------------------------------------------
Summary of changes:
crypto/dh/dh_asn1.c | 4 ++--
test/recipes/20-test_dhparam_check.t | 24 +++++++++++++++++++++-
.../valid/dh_ffdhe2048.pem | 8 ++++++++
.../valid/dhx_ffdhe2048.pem | 13 ++++++++++++
4 files changed, 46 insertions(+), 3 deletions(-)
create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem
create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem
diff --git a/crypto/dh/dh_asn1.c b/crypto/dh/dh_asn1.c
index 81899de5d6..68013219e7 100644
--- a/crypto/dh/dh_asn1.c
+++ b/crypto/dh/dh_asn1.c
@@ -19,6 +19,7 @@
#include "dh_local.h"
#include <openssl/objects.h>
#include <openssl/asn1t.h>
+#include "crypto/dh.h"
/* Override the default free and new methods */
static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -38,6 +39,7 @@ static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
DH_clear_flags(dh, DH_FLAG_TYPE_MASK);
DH_set_flags(dh, DH_FLAG_TYPE_DH);
+ dh_cache_named_group(dh);
dh->dirty_cnt++;
}
return 1;
@@ -88,8 +90,6 @@ int i2d_int_dhx(const int_dhx942_dh *a, unsigned char **pp);
IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(int_dhx942_dh, DHxparams, int_dhx)
-/* Application public function: read in X9.42 DH parameters into DH structure */
-
DH *d2i_DHxparams(DH **a, const unsigned char **pp, long length)
{
FFC_PARAMS *params;
diff --git a/test/recipes/20-test_dhparam_check.t b/test/recipes/20-test_dhparam_check.t
index 2f1dec1f10..f3882ad2b3 100644
--- a/test/recipes/20-test_dhparam_check.t
+++ b/test/recipes/20-test_dhparam_check.t
@@ -56,13 +56,17 @@ mkdir -p $TESTDIR
./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q224_t1862.pem
./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q256_t1862.pem
+./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt group:ffdhe2048 -out $TESTDIR/dh_ffdhe2048.pem
+./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt group:ffdhe2048 -out $TESTDIR/dhx_ffdhe2048.pem
+
+
=cut
my @valid = glob(data_file("valid", "*.pem"));
my @invalid = glob(data_file("invalid", "*.pem"));
my $num_tests = scalar @valid + scalar @invalid;
-plan tests => 2 * $num_tests;
+plan tests => 2 + 2 * $num_tests;
foreach (@valid) {
ok(run(app([qw{openssl dhparam -noout -check -in}, $_])));
@@ -73,3 +77,21 @@ foreach (@invalid) {
ok(!run(app([qw{openssl dhparam -noout -check -in}, $_])));
ok(!run(app([qw{openssl pkeyparam -noout -check -in}, $_])));
}
+
+my $tmpfile = 'out.txt';
+
+sub contains {
+ my $expected = shift;
+ my $found = 0;
+ open(my $in, '<', $tmpfile) or die "Could not open file $tmpfile";
+ while(<$in>) {
+ $found = 1 if m/$expected/; # output must include $expected
+ }
+ close $in;
+ return $found;
+}
+
+# Check that if we load dh params with only a 'p' and 'g' that it detects
+# that this is actually a valid named group.
+ok(run(app([qw{openssl pkeyparam -text -in}, data_file("valid/dh_ffdhe2048.pem")], stdout => $tmpfile)));
+ok(contains("ffdhe2048"))
diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem b/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem
new file mode 100644
index 0000000000..24260bf846
--- /dev/null
+++ b/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICB/8=
+-----END DH PARAMETERS-----
diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem
new file mode 100644
index 0000000000..5a30fa003d
--- /dev/null
+++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem
@@ -0,0 +1,13 @@
+-----BEGIN X9.42 DH PARAMETERS-----
+MIICDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgKCAQB//////////9b8KixRXaVN
+V+4rEBOennjsXOLB5xabStTwmyCKMhn95knO5xJNn3y+l/GxsYY67HtA2QFXYjC9
+ae+Paur+srCSGfqPr4M3aEKxsqqe9o152quJrz+r5JrMJ4Y4cHNFu/FTRO159/Q5
+DvisUJtW85qYVmUnpB08vV4FWMFZkn2w6IRUpdlkcf3ctW1bsGv6NA6noVHvHKb6
+Vyt287G5XYyFg9PkdwU2uE8BfnDm+/F2YBoCZpQaF7DIuX9OdMLB/8cniRl3eUDB
+4f8djaY31rmd2v5eF2EQAuLHeMG+i0HZY3mlE2DZd/1ENaEcMJQuS///////////
+-----END X9.42 DH PARAMETERS-----
More information about the openssl-commits
mailing list