[openssl-dev] [openssl.org #4320] [Patch] OpenSSL 1.1.0-pre3: "unable to load Key" error in PEM_get_EVP_CIPHER_INFO()
Rainer Jung via RT
rt at openssl.org
Wed Feb 17 18:21:12 UTC 2016
Change
https://github.com/openssl/openssl/commit/33a6d5a0e565e08758bcb6af456ec657c3a7a76a
introduced a bug in crypto/pem/pem_lib.c function
PEM_get_EVP_CIPHER_INFO(). One line was removed that is actually needed.
The following patch fixes it:
--- crypto/pem/pem_lib.c 2016-02-15 19:08:07.000000000 +0100
+++ crypto/pem/pem_lib.c 2016-02-17 18:45:14.092815000 +0100
@@ -537,6 +537,7 @@
*header = '\0';
cipher->cipher = enc = EVP_get_cipherbyname(dekinfostart);
*header = c;
+ header++;
if (enc == NULL) {
PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,
PEM_R_UNSUPPORTED_ENCRYPTION);
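Review bot: the restored `header++` after `*header = c;` is unconditional, so it steps over whatever byte ended the cipher-name scan, which is only correct when that byte is the comma before the IV. If the DEK-Info line is cut short right after the cipher name, the pointer is moved past the line terminator before load_iv() reads from it, and the `if (enc == NULL)` check below does not catch that case because the cipher name itself is valid. Suggest guarding the separator, e.g. `if (c != ',') { PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_SHORT_HEADER); return 0; }` before the increment, plus a one-line comment saying the increment skips the comma so the line is not dropped again in a future cleanup.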
While you are at it, the following is a small improvement which is used
in similar ways close to this place:
--- crypto/pem/pem_lib.c.orig 2016-02-17 18:45:14.092815000 +0100
+++ crypto/pem/pem_lib.c 2016-02-17 19:15:19.901402000 +0100
@@ -509,6 +509,7 @@
PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_NOT_ENCRYPTED);
return (0);
}
+ header += 9;
for (; (*header != '\n') && (*header != '\0'); header++) ;
if (*header == '\0') {
PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_SHORT_HEADER);
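Review bot: `header += 9;` changes no behaviour, since the for loop on the next line would have walked over those nine bytes anyway, and it is safe only because the preceding strncmp() has just matched them, so none of them is the terminating NUL. A short comment stating that would help the next reader. As a purely cosmetic change it belongs in a separate commit from the `header++` fix, so the actual bug fix can be reviewed and backported on its own.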
How to reproduce the bug:
OpenSSL> dsaparam -out dsa-test 2048
Generating DSA parameters, 2048 bit long prime
This could take some time
...
OpenSSL> gendsa -out dsa-test.pem -aes128 dsa-test
Generating DSA key, 2048 bits
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
OpenSSL> dsa -in dsa-test.pem -text
read DSA key
unable to load Private Key
4280523828:error:09065067:PEM routines:load_iv:bad iv chars:pem_lib.c:568:
unable to load Key
error in dsa
The same happens e.g. when using -des or -des3 instead of -aes128.
Without incrementing the header pointer, the parsing of the line
DEK-Info: AES-128-CBC,CBFAADAF91039DF800391FB382CAC3B9
proceeds at the comma instead of at the hex string, and bombs out.
Thanks and Regards,
Rainer
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4320
Please log in as guest with password guest if prompted
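As an added example (not part of the report above and not OpenSSL's own code): a small stand-alone C parser for the Proc-Type / DEK-Info header block that follows the same steps as PEM_get_EVP_CIPHER_INFO(), so the effect of the missing pointer increment can be seen directly. Names such as pem_get_cipher_info(), decode_hex_iv() and the PEMX_* status codes are this example's own; the cipher table in iv_len_for() is a constructed stand-in for EVP_get_cipherbyname() plus EVP_CIPHER_iv_length(), and the header string in main() is the one the report's gendsa run produced. Unlike the patched OpenSSL code, the parser steps over the separator only after checking that it really is the comma, so a DEK-Info line truncated after the cipher name is reported instead of skipped past.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Status codes modelled on the PEM_R_* reasons in pem_lib.c; 0 is success. */
enum {
    PEMX_OK = 0, PEMX_NOT_PROC_TYPE, PEMX_NOT_ENCRYPTED, PEMX_SHORT_HEADER,
    PEMX_NOT_DEK_INFO, PEMX_BAD_CIPHER_NAME, PEMX_UNSUPPORTED_ENCRYPTION,
    PEMX_MISSING_IV, PEMX_BAD_IV_CHARS
};

struct pem_cipher_info {
    char name[32];          /* cipher name from DEK-Info, e.g. "AES-128-CBC" */
    size_t iv_len;          /* IV length in bytes for that cipher */
    unsigned char iv[16];   /* decoded IV */
};

/* Constructed stand-in for EVP_get_cipherbyname() + EVP_CIPHER_iv_length():
 * IV length for a few common DEK-Info ciphers, 0 if the name is unknown. */
static size_t iv_len_for(const char *name)
{
    static const struct { const char *name; size_t iv_len; } tbl[] = {
        {"AES-128-CBC", 16}, {"AES-256-CBC", 16}, {"DES-EDE3-CBC", 8}, {"DES-CBC", 8}
    };
    size_t i;
    for (i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strcmp(tbl[i].name, name) == 0)
            return tbl[i].iv_len;
    return 0;
}

/* Decode 2*n hex digits from p into iv (iv may be NULL to only validate).
 * Returns -1 at the first non-hex character: started at the comma, this is
 * the "bad iv chars" failure the report shows. Never reads past that byte. */
int decode_hex_iv(const char *p, unsigned char *iv, size_t n)
{
    size_t i;
    for (i = 0; i < 2 * n; i++) {
        int c = (unsigned char)p[i], v;
        if (c >= '0' && c <= '9')      v = c - '0';
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else return -1;                /* ',', '\n', '\0', ... */
        if (iv != NULL)
            iv[i / 2] = (i % 2 == 0) ? (unsigned char)(v << 4)
                                     : (unsigned char)(iv[i / 2] | v);
    }
    return 0;
}

/* Parse "Proc-Type: 4,ENCRYPTED\nDEK-Info: <CIPHER>,<hex IV>\n" in the order
 * PEM_get_EVP_CIPHER_INFO() does. Returns a PEMX_* status; out may be NULL. */
int pem_get_cipher_info(const char *header, struct pem_cipher_info *out)
{
    const char *p = header;
    struct pem_cipher_info ci;
    size_t n;

    if (strncmp(p, "Proc-Type: ", 11) != 0 || p[11] != '4' || p[12] != ',')
        return PEMX_NOT_PROC_TYPE;
    p += 13;
    if (strncmp(p, "ENCRYPTED", 9) != 0)
        return PEMX_NOT_ENCRYPTED;
    p += 9;                              /* bytes strncmp() just matched */
    while (*p != '\n' && *p != '\0')     /* rest of the Proc-Type line */
        p++;
    if (*p == '\0')
        return PEMX_SHORT_HEADER;
    p++;
    if (strncmp(p, "DEK-Info: ", 10) != 0)
        return PEMX_NOT_DEK_INFO;
    p += 10;

    /* Cipher name: [A-Z0-9-]+ up to the comma separating it from the IV. */
    for (n = 0; (p[n] >= 'A' && p[n] <= 'Z') || (p[n] >= '0' && p[n] <= '9')
                || p[n] == '-'; n++)
        ;
    if (n == 0 || n >= sizeof ci.name)
        return PEMX_BAD_CIPHER_NAME;
    memcpy(ci.name, p, n);
    ci.name[n] = '\0';
    ci.iv_len = iv_len_for(ci.name);
    if (ci.iv_len == 0)
        return PEMX_UNSUPPORTED_ENCRYPTION;
    p += n;
    /* Only step over the separator if it is the comma: a line cut short
     * after the cipher name is an error, not something to skip past. */
    if (*p != ',')
        return PEMX_MISSING_IV;
    p++;                                 /* the increment the report restores */
    if (decode_hex_iv(p, ci.iv, ci.iv_len) != 0)
        return PEMX_BAD_IV_CHARS;
    if (out != NULL)
        *out = ci;
    return PEMX_OK;
}

/* Convenience check: does header parse to the given cipher name and IV hex? */
int pem_header_matches(const char *header, const char *name, const char *iv_hex)
{
    struct pem_cipher_info ci;
    unsigned char want[16];
    size_t len = strlen(iv_hex) / 2;
    if (pem_get_cipher_info(header, &ci) != PEMX_OK)
        return 0;
    if (len != ci.iv_len || decode_hex_iv(iv_hex, want, len) != 0)
        return 0;
    return strcmp(ci.name, name) == 0 && memcmp(ci.iv, want, len) == 0;
}

int main(void)
{
    /* Header lines as written by the report's "gendsa -aes128" run. */
    const char *hdr = "Proc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,CBFAADAF91039DF800391FB382CAC3B9\n";
    struct pem_cipher_info ci;
    size_t i;
    int rc = pem_get_cipher_info(hdr, &ci);
    printf("status %d cipher %s iv ", rc, rc == PEMX_OK ? ci.name : "-");
    for (i = 0; rc == PEMX_OK && i < ci.iv_len; i++)
        printf("%02X", ci.iv[i]);
    /* What 1.1.0-pre3 did: start IV decoding at the comma. */
    printf("\ndecode from comma: %d\n", decode_hex_iv(strchr(hdr, ','), NULL, 16));
    return 0;
}
```

Compile with `cc -o pemhdr pemhdr.c && ./pemhdr`; the first line shows the parsed cipher and IV, the second shows the -1 that corresponds to the report's "bad iv chars" error when decoding starts one byte too early.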