[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Mon May 10 03:26:56 UTC 2021
The branch master has been updated
via d29d7a7ff22e8e3be1c8bbdb8edd3ab9c72ed021 (commit)
from 333b31e3000ff009cdc48bf45d9af687031f7688 (commit)
- Log -----------------------------------------------------------------
commit d29d7a7ff22e8e3be1c8bbdb8edd3ab9c72ed021
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Wed May 5 16:58:37 2021 +1000
Fix i2d_PKCS8PrivateKey_nid_bio() regression.
This method ignores the nid and could end up saving out the private key unencrypted
In earlier alpha releases OSSL_num_encoders() returned 0 for this test
case, which then meant that the legacy path was run, and the key was
then correctly encrypted.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15152)
-----------------------------------------------------------------------
Summary of changes:
crypto/pem/pem_pk8.c | 8 +++++++-
test/evp_extra_test2.c | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
index 86a66b586c..5e28907be3 100644
--- a/crypto/pem/pem_pk8.c
+++ b/crypto/pem/pem_pk8.c
@@ -93,7 +93,13 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid,
}
}
- if (OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) {
+ /*
+ * NOTE: There is no attempt to do a EVP_CIPHER_fetch() using the nid,
+ * since the nid is a PBE algorithm which can't be fetched currently.
+ * (e.g. NID_pbe_WithSHA1And2_Key_TripleDES_CBC). Just use the legacy
+ * path if the NID is passed.
+ */
+ if (nid == -1 && OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) {
ret = 1;
if (enc != NULL) {
ret = 0;
diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c
index 6d5303ab9d..2e5861c77f 100644
--- a/test/evp_extra_test2.c
+++ b/test/evp_extra_test2.c
@@ -290,6 +290,40 @@ done:
return ret;
}
+#ifndef OPENSSL_NO_DES
+static int test_pkcs8key_nid_bio(void)
+{
+ int ret;
+ const int nid = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+ static const char pwd[] = "PASSWORD";
+ EVP_PKEY *pkey = NULL, *pkey_dec = NULL;
+ BIO *in = NULL, *enc_bio = NULL;
+ char *enc_data = NULL;
+ long enc_datalen = 0;
+ OSSL_PROVIDER *provider = NULL;
+
+ ret = TEST_ptr(provider = OSSL_PROVIDER_load(NULL, "default"))
+ && TEST_ptr(enc_bio = BIO_new(BIO_s_mem()))
+ && TEST_ptr(in = BIO_new_mem_buf(kExampleRSAKeyPKCS8,
+ sizeof(kExampleRSAKeyPKCS8)))
+ && TEST_ptr(pkey = d2i_PrivateKey_ex_bio(in, NULL, NULL, NULL))
+ && TEST_int_eq(i2d_PKCS8PrivateKey_nid_bio(enc_bio, pkey, nid,
+ pwd, sizeof(pwd) - 1,
+ NULL, NULL), 1)
+ && TEST_int_gt(enc_datalen = BIO_get_mem_data(enc_bio, &enc_data), 0)
+ && TEST_ptr(pkey_dec = d2i_PKCS8PrivateKey_bio(enc_bio, NULL, NULL,
+ (void *)pwd))
+ && TEST_true(EVP_PKEY_eq(pkey, pkey_dec));
+
+ EVP_PKEY_free(pkey_dec);
+ EVP_PKEY_free(pkey);
+ BIO_free(in);
+ BIO_free(enc_bio);
+ OSSL_PROVIDER_unload(provider);
+ return ret;
+}
+#endif /* OPENSSL_NO_DES */
+
static int test_alternative_default(void)
{
OSSL_LIB_CTX *oldctx;
@@ -727,6 +761,9 @@ int setup_tests(void)
ADD_TEST(test_pkey_todata_null);
ADD_TEST(test_pkey_export_null);
ADD_TEST(test_pkey_export);
+#ifndef OPENSSL_NO_DES
+ ADD_TEST(test_pkcs8key_nid_bio);
+#endif
return 1;
}
More information about the openssl-commits
mailing list