[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Tue Oct 26 22:57:50 UTC 2021
The branch master has been updated
via fd19fc4c2726b08282b8db15f9bace2f04712498 (commit)
via 6187d9eac2738e873d23c0c91f9769333b1bb6af (commit)
from 9dddcd90a1350fa63486cbf3226c3eee79f9aff5 (commit)
- Log -----------------------------------------------------------------
commit fd19fc4c2726b08282b8db15f9bace2f04712498
Author: Matt Caswell <matt at openssl.org>
Date: Mon Oct 25 14:34:38 2021 +0100
Test that a key is usable after an EVP_PKEY_fromdata call
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16911)
commit 6187d9eac2738e873d23c0c91f9769333b1bb6af
Author: Matt Caswell <matt at openssl.org>
Date: Mon Oct 25 13:07:01 2021 +0100
Don't crash encoding a public key with no public key value
If asked to encode an EC_KEY public key, but no public key value is present
in the structure, we should fail rather than crash.
Fixes the crash seen here:
https://mta.openssl.org/pipermail/openssl-users/2021-October/014479.html
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16911)
-----------------------------------------------------------------------
Summary of changes:
.../implementations/encode_decode/encode_key2any.c | 4 ++
test/evp_extra_test.c | 46 +++++++++++++++++-----
2 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c
index f142f2b242..9ee12a9fd4 100644
--- a/providers/implementations/encode_decode/encode_key2any.c
+++ b/providers/implementations/encode_decode/encode_key2any.c
@@ -701,6 +701,10 @@ static int prepare_ec_params(const void *eckey, int nid, int save,
static int ec_spki_pub_to_der(const void *eckey, unsigned char **pder)
{
+ if (EC_KEY_get0_public_key(eckey) == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PUBLIC_KEY);
+ return 0;
+ }
return i2o_ECPublicKey(eckey, pder);
}
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 58c4a590e7..22cc3b3d03 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -679,11 +679,13 @@ err:
}
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
-static int test_fromdata(char *keytype, OSSL_PARAM *params)
+static int test_fromdata(char *keytype, int selection, OSSL_PARAM *params)
{
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *pkey = NULL;
int testresult = 0;
+ int ret;
+ BIO *bio = BIO_new(BIO_s_mem());
if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, testpropq)))
goto err;
@@ -695,10 +697,30 @@ static int test_fromdata(char *keytype, OSSL_PARAM *params)
if (!TEST_ptr(pkey))
goto err;
+ /* Check we can use the resulting key */
+ ret = PEM_write_bio_PUBKEY(bio, pkey);
+ if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+ if (!TEST_true(ret))
+ goto err;
+ } else {
+ if (!TEST_false(ret))
+ goto err;
+ }
+ ret = PEM_write_bio_PrivateKey_ex(bio, pkey, NULL, NULL, 0, NULL, NULL,
+ testctx, NULL);
+ if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
+ if (!TEST_true(ret))
+ goto err;
+ } else {
+ if (!TEST_false(ret))
+ goto err;
+ }
+
testresult = 1;
err:
EVP_PKEY_free(pkey);
EVP_PKEY_CTX_free(pctx);
+ BIO_free(bio);
return testresult;
}
@@ -736,7 +758,7 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
goto err;
- if (!test_fromdata(keytype, params))
+ if (!test_fromdata(keytype, OSSL_KEYMGMT_SELECT_ALL_PARAMETERS, params))
goto err;
OSSL_PARAM_free(params);
params = NULL;
@@ -753,7 +775,7 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
goto err;
- if (!test_fromdata(keytype, params))
+ if (!test_fromdata(keytype, OSSL_KEYMGMT_SELECT_PRIVATE_KEY, params))
goto err;
OSSL_PARAM_free(params);
params = NULL;
@@ -770,7 +792,7 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
goto err;
- if (!test_fromdata(keytype, params))
+ if (!test_fromdata(keytype, OSSL_KEYMGMT_SELECT_PUBLIC_KEY, params))
goto err;
OSSL_PARAM_free(params);
params = NULL;
@@ -789,7 +811,7 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
goto err;
- if (!test_fromdata(keytype, params))
+ if (!test_fromdata(keytype, EVP_PKEY_KEYPAIR, params))
goto err;
ret = 1;
@@ -848,7 +870,7 @@ static int test_EC_priv_pub(void)
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
goto err;
- if (!test_fromdata("EC", params))
+ if (!test_fromdata("EC", OSSL_KEYMGMT_SELECT_ALL_PARAMETERS, params))
goto err;
OSSL_PARAM_free(params);
params = NULL;
@@ -865,7 +887,13 @@ static int test_EC_priv_pub(void)
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
goto err;
- if (!test_fromdata("EC", params))
+ /*
+ * We indicate only parameters here. The "EVP_PKEY_fromdata" call will do
+ * the private key anyway, but the subsequent PEM_write_bio_PrivateKey_ex
+ * call is expected to fail because PEM_write_bio_PrivateKey_ex does not
+ * support exporting a private EC key without a corresponding public key
+ */
+ if (!test_fromdata("EC", OSSL_KEYMGMT_SELECT_ALL_PARAMETERS, params))
goto err;
OSSL_PARAM_free(params);
params = NULL;
@@ -883,7 +911,7 @@ static int test_EC_priv_pub(void)
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
goto err;
- if (!test_fromdata("EC", params))
+ if (!test_fromdata("EC", OSSL_KEYMGMT_SELECT_PUBLIC_KEY, params))
goto err;
OSSL_PARAM_free(params);
params = NULL;
@@ -903,7 +931,7 @@ static int test_EC_priv_pub(void)
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
goto err;
- if (!test_fromdata("EC", params))
+ if (!test_fromdata("EC", EVP_PKEY_KEYPAIR, params))
goto err;
ret = 1;
More information about the openssl-commits
mailing list