[openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Thu Oct 21 16:17:31 UTC 2021
The branch OpenSSL_1_1_1-stable has been updated
via 69211b0fce408537bdfec7dd4cc5814b3c4eda8c (commit)
via 3ce10cc8037bb8cdd1b1f383110d76f922b35808 (commit)
from 2f8b8045e6b9a7780873c28c569a8a6388e11306 (commit)
- Log -----------------------------------------------------------------
commit 69211b0fce408537bdfec7dd4cc5814b3c4eda8c
Author: Matt Caswell <matt at openssl.org>
Date: Fri Oct 15 16:30:45 2021 +0100
Add tests for ENGINE problems
Add some tests which would have caught the issues fixed in the previous
commit related to engine handling.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16860)
commit 3ce10cc8037bb8cdd1b1f383110d76f922b35808
Author: Matt Caswell <matt at openssl.org>
Date: Fri Oct 15 16:23:31 2021 +0100
Ensure pkey_set_type handles ENGINE references correctly
pkey_set_type should not consume the ENGINE references that may be
passed to it.
Fixes #16757
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16860)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/p_lib.c | 9 ++-
test/evp_extra_test.c | 169 +++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 175 insertions(+), 3 deletions(-)
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 9f1a485a5b..7e262c573b 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -212,10 +212,15 @@ static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str,
}
if (pkey) {
pkey->ameth = ameth;
- pkey->engine = e;
-
pkey->type = pkey->ameth->pkey_id;
pkey->save_type = type;
+# ifndef OPENSSL_NO_ENGINE
+ if (eptr == NULL && e != NULL && !ENGINE_init(e)) {
+ EVPerr(EVP_F_PKEY_SET_TYPE, EVP_R_INITIALIZATION_ERROR);
+ return 0;
+ }
+# endif
+ pkey->engine = e;
}
return 1;
}
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 3eea4b0fba..74b7e0bcb8 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <openssl/aes.h>
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
@@ -19,6 +20,7 @@
#include <openssl/pem.h>
#include <openssl/kdf.h>
#include <openssl/dh.h>
+#include <openssl/engine.h>
#include "testutil.h"
#include "internal/nelem.h"
#include "crypto/evp.h"
@@ -1758,10 +1760,166 @@ static int test_EVP_PKEY_set1_DH(void)
return ret;
}
-#endif
+#endif /* OPENSSL_NO_DH */
+
+#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
+/* Test we can create a signature keys with an associated ENGINE */
+static int test_signatures_with_engine(int tst)
+{
+ ENGINE *e;
+ const char *engine_id = "dasync";
+ EVP_PKEY *pkey = NULL;
+ const unsigned char badcmackey[] = { 0x00, 0x01 };
+ const unsigned char cmackey[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+ 0x0c, 0x0d, 0x0e, 0x0f
+ };
+ const unsigned char ed25519key[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+ 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
+ };
+ const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 };
+ int testresult = 0;
+ EVP_MD_CTX *ctx = NULL;
+ unsigned char *mac = NULL;
+ size_t maclen = 0;
+ int ret;
+
+ if (!TEST_ptr(e = ENGINE_by_id(engine_id)))
+ return 0;
+
+ if (!TEST_true(ENGINE_init(e))) {
+ ENGINE_free(e);
+ return 0;
+ }
+
+ switch (tst) {
+ case 0:
+ pkey = EVP_PKEY_new_CMAC_key(e, cmackey, sizeof(cmackey),
+ EVP_aes_128_cbc());
+ break;
+ case 1:
+ pkey = EVP_PKEY_new_CMAC_key(e, badcmackey, sizeof(badcmackey),
+ EVP_aes_128_cbc());
+ break;
+ case 2:
+ pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, e, ed25519key,
+ sizeof(ed25519key));
+ break;
+ default:
+ TEST_error("Invalid test case");
+ goto err;
+ }
+ if (tst == 1) {
+ /*
+ * In 1.1.1 CMAC keys will fail to during EVP_PKEY_new_CMAC_key() if the
+ * key is bad. In later versions this isn't detected until later.
+ */
+ if (!TEST_ptr_null(pkey))
+ goto err;
+ } else {
+ if (!TEST_ptr(pkey))
+ goto err;
+ }
+
+ if (tst == 0 || tst == 1) {
+ /*
+ * We stop the test here for tests 0 and 1. The dasync engine doesn't
+ * actually support CMAC in 1.1.1.
+ */
+ testresult = 1;
+ goto err;
+ }
+
+ if (!TEST_ptr(ctx = EVP_MD_CTX_new()))
+ goto err;
+
+ ret = EVP_DigestSignInit(ctx, NULL, tst == 2 ? NULL : EVP_sha256(), NULL,
+ pkey);
+ if (tst == 0) {
+ if (!TEST_true(ret))
+ goto err;
+
+ if (!TEST_true(EVP_DigestSignUpdate(ctx, msg, sizeof(msg)))
+ || !TEST_true(EVP_DigestSignFinal(ctx, NULL, &maclen)))
+ goto err;
+
+ if (!TEST_ptr(mac = OPENSSL_malloc(maclen)))
+ goto err;
+
+ if (!TEST_true(EVP_DigestSignFinal(ctx, mac, &maclen)))
+ goto err;
+ } else {
+ /* We used a bad key. We expect a failure here */
+ if (!TEST_false(ret))
+ goto err;
+ }
+
+ testresult = 1;
+ err:
+ EVP_MD_CTX_free(ctx);
+ OPENSSL_free(mac);
+ EVP_PKEY_free(pkey);
+ ENGINE_finish(e);
+ ENGINE_free(e);
+
+ return testresult;
+}
+
+static int test_cipher_with_engine(void)
+{
+ ENGINE *e;
+ const char *engine_id = "dasync";
+ const unsigned char keyiv[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+ 0x0c, 0x0d, 0x0e, 0x0f
+ };
+ const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 };
+ int testresult = 0;
+ EVP_CIPHER_CTX *ctx = NULL, *ctx2 = NULL;
+ unsigned char buf[AES_BLOCK_SIZE];
+ int len = 0;
+
+ if (!TEST_ptr(e = ENGINE_by_id(engine_id)))
+ return 0;
+
+ if (!TEST_true(ENGINE_init(e))) {
+ ENGINE_free(e);
+ return 0;
+ }
+
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
+ || !TEST_ptr(ctx2 = EVP_CIPHER_CTX_new()))
+ goto err;
+
+ if (!TEST_true(EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), e, keyiv, keyiv)))
+ goto err;
+
+ /* Copy the ctx, and complete the operation with the new ctx */
+ if (!TEST_true(EVP_CIPHER_CTX_copy(ctx2, ctx)))
+ goto err;
+
+ if (!TEST_true(EVP_EncryptUpdate(ctx2, buf, &len, msg, sizeof(msg)))
+ || !TEST_true(EVP_EncryptFinal_ex(ctx2, buf + len, &len)))
+ goto err;
+
+ testresult = 1;
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+ EVP_CIPHER_CTX_free(ctx2);
+ ENGINE_finish(e);
+ ENGINE_free(e);
+
+ return testresult;
+}
+#endif /* !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
int setup_tests(void)
{
+#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
+ ENGINE_load_builtin_engines();
+#endif
ADD_TEST(test_EVP_DigestSignInit);
ADD_TEST(test_EVP_DigestVerifyInit);
ADD_TEST(test_EVP_Enveloped);
@@ -1801,5 +1959,14 @@ int setup_tests(void)
ADD_ALL_TESTS(test_gcm_reinit, OSSL_NELEM(gcm_reinit_tests));
ADD_ALL_TESTS(test_evp_updated_iv, OSSL_NELEM(evp_updated_iv_tests));
+#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
+# ifndef OPENSSL_NO_EC
+ ADD_ALL_TESTS(test_signatures_with_engine, 3);
+# else
+ ADD_ALL_TESTS(test_signatures_with_engine, 2);
+# endif
+ ADD_TEST(test_cipher_with_engine);
+#endif
+
return 1;
}
More information about the openssl-commits
mailing list