[openssl] openssl-3.0 update

tomas at openssl.org tomas at openssl.org
Wed Jan 26 16:23:27 UTC 2022


The branch openssl-3.0 has been updated
       via  09894bacc035fb4c68acfc3dd2798ad999eb3275 (commit)
       via  481709cd4d9ad5b77f1550fd23b169934ff8e2b6 (commit)
      from  27ee6e252d04b587e98228c81ecc3e62a34bae26 (commit)


- Log -----------------------------------------------------------------
commit 09894bacc035fb4c68acfc3dd2798ad999eb3275
Author: Darshan Sen <raisinten at gmail.com>
Date:   Sat Jan 22 17:56:05 2022 +0530

    Allow empty passphrase in PEM_write_bio_PKCS8PrivateKey_nid()
    
    Signed-off-by: Darshan Sen <raisinten at gmail.com>
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17507)
    
    (cherry picked from commit 1d28ada1c39997c10fe5392f4235bbd2bc44b40f)

commit 481709cd4d9ad5b77f1550fd23b169934ff8e2b6
Author: Darshan Sen <raisinten at gmail.com>
Date:   Fri Jan 14 16:22:41 2022 +0530

    Fix invalid malloc failures in PEM_write_bio_PKCS8PrivateKey()
    
    When `PEM_write_bio_PKCS8PrivateKey()` was passed an empty passphrase
    string, `OPENSSL_memdup()` was incorrectly used for a 0-byte
    allocation, which resulted in malloc failures.
    
    Fixes: https://github.com/openssl/openssl/issues/17506
    
    Signed-off-by: Darshan Sen <raisinten at gmail.com>
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17507)
    
    (cherry picked from commit 59ccb72cd5cec3b4e312853621e12a68dacdbc7e)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES.md                    |  5 ++++-
 crypto/passphrase.c           |  3 ++-
 crypto/pem/pem_pk8.c          |  2 +-
 crypto/ui/ui_util.c           |  2 +-
 test/evp_pkey_provided_test.c | 39 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index a0ef0cdcfa..50002e0af6 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,7 +30,10 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 ### Changes between 3.0.1 and 3.0.2 [xx XXX xxxx]
 
- * none yet
+ * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty
+   passphrase strings.
+
+   *Darshan Sen*
 
 ### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]
 
diff --git a/crypto/passphrase.c b/crypto/passphrase.c
index cb1bc66958..830872953a 100644
--- a/crypto/passphrase.c
+++ b/crypto/passphrase.c
@@ -41,7 +41,8 @@ int ossl_pw_set_passphrase(struct ossl_passphrase_data_st *data,
     ossl_pw_clear_passphrase_data(data);
     data->type = is_expl_passphrase;
     data->_.expl_passphrase.passphrase_copy =
-        OPENSSL_memdup(passphrase, passphrase_len);
+        passphrase_len != 0 ? OPENSSL_memdup(passphrase, passphrase_len)
+                            : OPENSSL_malloc(1);
     if (data->_.expl_passphrase.passphrase_copy == NULL) {
         ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE);
         return 0;
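Review bot: The empty-passphrase branch stores an uninitialised byte from `OPENSSL_malloc(1)` in `passphrase_copy`, and nothing at the assignment says why a one-byte buffer is allocated for a zero-length passphrase. Judging by the NULL check that follows, the buffer exists so that an empty passphrase is not mistaken for allocation failure; a comment such as `/* non-NULL placeholder: an empty passphrase must not look like a malloc failure */` would record that. `OPENSSL_zalloc(1)` would also keep the byte defined in case a later reader treats the copy as a C string. Whether any reader does so cannot be confirmed here, because ossl_pw_set_passphrase starts and ends outside the hunk.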
diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
index 4742f02fef..60ff09354b 100644
--- a/crypto/pem/pem_pk8.c
+++ b/crypto/pem/pem_pk8.c
@@ -136,7 +136,7 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid,
         if (enc || (nid != -1)) {
             if (kstr == NULL) {
                 klen = cb(buf, PEM_BUFSIZE, 1, u);
-                if (klen <= 0) {
+                if (klen < 0) {
                     ERR_raise(ERR_LIB_PEM, PEM_R_READ_KEY);
                     goto legacy_end;
                 }
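Review bot: Accepting `klen == 0` changes the callback contract: a password callback that returns 0 to signal failure or a cancelled prompt no longer triggers PEM_R_READ_KEY, and the key is instead written encrypted under an empty passphrase, which gives it no real protection. Application callbacks that still use 0 as their error value would be affected silently. The same relaxation is made in ui_read in crypto/ui/ui_util.c. The check should carry a comment such as `/* 0 is a valid empty passphrase; callbacks must return a negative value on error */`, and the CHANGES.md entry and the callback documentation should state the new meaning of a 0 return. do_pk8pkey starts and ends outside the hunk.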
diff --git a/crypto/ui/ui_util.c b/crypto/ui/ui_util.c
index 58769d68a3..871472cd32 100644
--- a/crypto/ui/ui_util.c
+++ b/crypto/ui/ui_util.c
@@ -114,7 +114,7 @@ static int ui_read(UI *ui, UI_STRING *uis)
 
             if (len >= 0)
                 result[len] = '\0';
-            if (len <= 0)
+            if (len < 0)
                 return len;
             if (UI_set_result_ex(ui, uis, result, len) >= 0)
                 return 1;
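Review bot: `result[len] = '\0'` uses the callback's return value as an index, and the visible lines check only its lower bound. If ui_read does not compare `len` with the size it handed to the callback earlier in the function (outside this hunk), a callback that reports more bytes than it was given room for would cause an out-of-bounds store. A guard before the write, along the lines of `if (len > <size passed to the callback>) return -1;`, would close that off. It would also help to note here that `len == 0` is now passed on to `UI_set_result_ex` as an empty result rather than returned as a failure.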
diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c
index cf4d8e1294..b4a77f8500 100644
--- a/test/evp_pkey_provided_test.c
+++ b/test/evp_pkey_provided_test.c
@@ -128,6 +128,16 @@ static int compare_with_file(const char *alg, int type, BIO *membio)
     return ret;
 }
 
+static int pass_cb(char *buf, int size, int rwflag, void *u)
+{
+    return 0;
+}
+
+static int pass_cb_error(char *buf, int size, int rwflag, void *u)
+{
+    return -1;
+}
+
 static int test_print_key_using_pem(const char *alg, const EVP_PKEY *pk)
 {
     BIO *membio = BIO_new(BIO_s_mem());
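Review bot: The two new callbacks have no comments, and the name `pass_cb` does not say that its `return 0` stands for a successfully supplied empty passphrase rather than a failure. That distinction is exactly what the commit changes. I would add `/* Password callback that supplies an empty (zero-length) passphrase */` above `pass_cb` and `/* Password callback that reports failure */` above `pass_cb_error`. Renaming the first to something like `pass_cb_empty` would be clearer still.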
@@ -140,6 +150,35 @@ static int test_print_key_using_pem(const char *alg, const EVP_PKEY *pk)
         !TEST_true(PEM_write_bio_PrivateKey(bio_out, pk, EVP_aes_256_cbc(),
                                             (unsigned char *)"pass", 4,
                                             NULL, NULL))
+        /* Output zero-length passphrase encrypted private key in PEM form */
+        || !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk,
+                                                    EVP_aes_256_cbc(),
+                                                    (const char *)~0, 0,
+                                                    NULL, NULL))
+        || !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk,
+                                                    EVP_aes_256_cbc(),
+                                                    NULL, 0, NULL, ""))
+        || !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk,
+                                                    EVP_aes_256_cbc(),
+                                                    NULL, 0, pass_cb, NULL))
+        || !TEST_false(PEM_write_bio_PKCS8PrivateKey(bio_out, pk,
+                                                     EVP_aes_256_cbc(),
+                                                     NULL, 0, pass_cb_error,
+                                                     NULL))
+#ifndef OPENSSL_NO_DES
+        || !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid(
+            bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
+            (const char *)~0, 0, NULL, NULL))
+        || !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid(
+            bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0,
+            NULL, ""))
+        || !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid(
+            bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0,
+            pass_cb, NULL))
+        || !TEST_false(PEM_write_bio_PKCS8PrivateKey_nid(
+            bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0,
+            pass_cb_error, NULL))
+#endif
         /* Private key in text form */
         || !TEST_int_gt(EVP_PKEY_print_private(membio, pk, 0, NULL), 0)
         || !TEST_true(compare_with_file(alg, PRIV_TEXT, membio))
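Review bot: The `(const char *)~0` argument in the two `kstr`/`klen == 0` cases is an intentionally invalid non-NULL pointer, but nothing says so. Presumably it is there to show that the implementation never dereferences `kstr` when the length is 0. A comment such as `/* invalid non-NULL pointer: must not be dereferenced when klen is 0 */` would stop a later reader from "fixing" it to `""`. The new assertions also check only the return value of the write calls, so they do not show that the output is encrypted under an empty passphrase and can be read back with one. A read-back check on a memory BIO would cover that. test_print_key_using_pem continues outside the hunk.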

