[openssl] master update

shane.lontis at oracle.com shane.lontis at oracle.com
Fri Feb 19 09:30:51 UTC 2021


The branch master has been updated
       via  eabb3014165a1319ceb8a69cc135feb99f288293 (commit)
      from  576892d78f80cf9a169e7f766319c843e430f378 (commit)


- Log -----------------------------------------------------------------
commit eabb3014165a1319ceb8a69cc135feb99f288293
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Wed Feb 17 13:13:51 2021 +1000

    Fix DH ASN1 decode so that it detects named groups.
    
    The dh->nid was not being set if the loaded p,g matched an inbuilt named
    group for "DH".
    
    NOTE: The "DHX" related path already worked since it calls DH_set0_pqg()
    (which does the name group check).
    
    This bug was detected when new tests were added for dh5114 groups, combined
    with the no-cache tests i.e. loading+import+export set the nid,
    but just loading did not.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14207)

-----------------------------------------------------------------------

Summary of changes:
 crypto/dh/dh_asn1.c                                |  4 ++--
 test/recipes/20-test_dhparam_check.t               | 24 +++++++++++++++++++++-
 .../valid/dh_ffdhe2048.pem                         |  8 ++++++++
 .../valid/dhx_ffdhe2048.pem                        | 13 ++++++++++++
 4 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem

diff --git a/crypto/dh/dh_asn1.c b/crypto/dh/dh_asn1.c
index 81899de5d6..68013219e7 100644
--- a/crypto/dh/dh_asn1.c
+++ b/crypto/dh/dh_asn1.c
@@ -19,6 +19,7 @@
 #include "dh_local.h"
 #include <openssl/objects.h>
 #include <openssl/asn1t.h>
+#include "crypto/dh.h"
 
 /* Override the default free and new methods */
 static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -38,6 +39,7 @@ static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 
         DH_clear_flags(dh, DH_FLAG_TYPE_MASK);
         DH_set_flags(dh, DH_FLAG_TYPE_DH);
+        dh_cache_named_group(dh);
         dh->dirty_cnt++;
     }
     return 1;
@@ -88,8 +90,6 @@ int i2d_int_dhx(const int_dhx942_dh *a, unsigned char **pp);
 
 IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(int_dhx942_dh, DHxparams, int_dhx)
 
-/* Application public function: read in X9.42 DH parameters into DH structure */
-
 DH *d2i_DHxparams(DH **a, const unsigned char **pp, long length)
 {
     FFC_PARAMS *params;
diff --git a/test/recipes/20-test_dhparam_check.t b/test/recipes/20-test_dhparam_check.t
index 2f1dec1f10..f3882ad2b3 100644
--- a/test/recipes/20-test_dhparam_check.t
+++ b/test/recipes/20-test_dhparam_check.t
@@ -56,13 +56,17 @@ mkdir -p $TESTDIR
 ./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q224_t1862.pem
 ./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q256_t1862.pem
 
+./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt group:ffdhe2048 -out $TESTDIR/dh_ffdhe2048.pem
+./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt group:ffdhe2048 -out $TESTDIR/dhx_ffdhe2048.pem
+
+
 =cut
 
 my @valid = glob(data_file("valid", "*.pem"));
 my @invalid = glob(data_file("invalid", "*.pem"));
 
 my $num_tests = scalar @valid + scalar @invalid;
-plan tests => 2 * $num_tests;
+plan tests => 2 + 2 * $num_tests;
 
 foreach (@valid) {
     ok(run(app([qw{openssl dhparam -noout -check -in}, $_])));
@@ -73,3 +77,21 @@ foreach (@invalid) {
     ok(!run(app([qw{openssl dhparam -noout -check -in}, $_])));
     ok(!run(app([qw{openssl pkeyparam -noout -check -in}, $_])));
 }
+
+my $tmpfile = 'out.txt';
+
+sub contains {
+    my $expected = shift;
+    my $found = 0;
+    open(my $in, '<', $tmpfile) or die "Could not open file $tmpfile";
+    while(<$in>) {
+        $found = 1 if m/$expected/; # output must include $expected
+    }
+    close $in;
+    return $found;
+}
+
+# Check that if we load dh params with only a 'p' and 'g' that it detects
+# that this is actually a valid named group.
+ok(run(app([qw{openssl pkeyparam -text -in}, data_file("valid/dh_ffdhe2048.pem")], stdout => $tmpfile)));
+ok(contains("ffdhe2048"))
diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem b/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem
new file mode 100644
index 0000000000..24260bf846
--- /dev/null
+++ b/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICB/8=
+-----END DH PARAMETERS-----
diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem
new file mode 100644
index 0000000000..5a30fa003d
--- /dev/null
+++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem
@@ -0,0 +1,13 @@
+-----BEGIN X9.42 DH PARAMETERS-----
+MIICDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgKCAQB//////////9b8KixRXaVN
+V+4rEBOennjsXOLB5xabStTwmyCKMhn95knO5xJNn3y+l/GxsYY67HtA2QFXYjC9
+ae+Paur+srCSGfqPr4M3aEKxsqqe9o152quJrz+r5JrMJ4Y4cHNFu/FTRO159/Q5
+DvisUJtW85qYVmUnpB08vV4FWMFZkn2w6IRUpdlkcf3ctW1bsGv6NA6noVHvHKb6
+Vyt287G5XYyFg9PkdwU2uE8BfnDm+/F2YBoCZpQaF7DIuX9OdMLB/8cniRl3eUDB
+4f8djaY31rmd2v5eF2EQAuLHeMG+i0HZY3mlE2DZd/1ENaEcMJQuS///////////
+-----END X9.42 DH PARAMETERS-----


More information about the openssl-commits mailing list