[openssl-dev] [openssl.org #4320] [Patch] OpenSSL 1.1.0-pre3: "unable to load Key" error in PEM_get_EVP_CIPHER_INFO()

Rainer Jung rainer.jung at kippdata.de
Wed Feb 17 23:15:02 UTC 2016


On 17.02.2016 at 19:51, Salz, Rich wrote:
>
>>        *header = c;
>> +    header++;
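Review bot: the added `header++` reads like a dead store at this spot, because header is not read again locally; it only takes effect through header_pp, the char ** to header that is handed to load_iv(). A short comment on that line saying it steps over the ',' separator so that load_iv() starts at the first IV hex digit would make the dependency visible to the next reader. It is also worth confirming that the character restored by `*header = c` is the ',' before advancing past it.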
>
> Header isn't used after that assignment.  How does this line change anything?

The call to load_iv() that occurs next has as its first argument 
header_pp, which is a pointer to header:

char **header_pp = &header;

Inside load_iv() this pointer is named fromp and is immediately 
dereferenced:

from = *fromp;

so "from" is an alias of "header": it contains the same address as 
"header". When dereferenced, "from" returns the same char that 
"header" points to.

Now in load_iv() "from" is used to iterate over the IV hex chars:

     for (i = 0; i < num; i++) {
         if ((*from >= '0') && (*from <= '9'))
             v = *from - '0';
         else if ((*from >= 'A') && (*from <= 'F'))
             v = *from - 'A' + 10;
         else if ((*from >= 'a') && (*from <= 'f'))
             v = *from - 'a' + 10;
         else {
             PEMerr(PEM_F_LOAD_IV, PEM_R_BAD_IV_CHARS);
             return (0);
         }
         from++;
         to[i / 2] |= v << (long)((!(i & 1)) * 4);
     }

Since *from == *header == ',' at the beginning of the loop, this bombs. 
"header" needs to be incremented to actually point to the beginning of 
the IV.

I hope this is understandable. It took me a moment as well to 
understand how "from" in load_iv() relates to "header" in 
PEM_get_EVP_CIPHER_INFO().

I checked the patch with the reproduction case before posting and also 
added some debug logging to the "from" loop to double check.

Regards,

Rainer
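
An added example, not part of the original message and not OpenSSL's code: a simplified C model of the aliasing explained above, showing the hex loop failing on ',' unless the caller's pointer is advanced first. The names parse_iv_hex, parse_dek_value and skip_separator, and the sample DEK-Info value, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the hex loop quoted above (not OpenSSL's code):
 * reads num hex digits through *fromp; returns 0 on a non-hex character. */
static int parse_iv_hex(char **fromp, unsigned char *to, int num)
{
    char *from = *fromp;            /* same address as the caller's pointer */
    int i, v;
    memset(to, 0, (size_t)num / 2);
    for (i = 0; i < num; i++) {
        if (*from >= '0' && *from <= '9')
            v = *from - '0';
        else if (*from >= 'A' && *from <= 'F')
            v = *from - 'A' + 10;
        else if (*from >= 'a' && *from <= 'f')
            v = *from - 'a' + 10;
        else
            return 0;               /* the PEM_R_BAD_IV_CHARS case */
        from++;
        to[i / 2] |= (unsigned char)(v << ((!(i & 1)) * 4));
    }
    return 1;
}

/* Hypothetical caller. value is the text after "DEK-Info: ";
 * skip_separator selects the behaviour without (0) or with (1) header++. */
static int parse_dek_value(const char *value, int skip_separator,
                           unsigned char *iv, int ivlen)
{
    char buf[128], *header = buf, **header_pp = &header;
    snprintf(buf, sizeof(buf), "%s", value);
    while (*header != ',' && *header != '\0')
        header++;                   /* scan past the cipher name */
    if (*header != ',')
        return 0;                   /* no IV field */
    if (skip_separator)
        header++;                   /* step over ',' onto the first hex digit */
    return parse_iv_hex(header_pp, iv, 2 * ivlen);
}

int main(void)
{
    unsigned char iv[8];
    const char *v = "DES-EDE3-CBC,0123456789ABCDEF"; /* constructed sample */
    printf("without header++: %d\n", parse_dek_value(v, 0, iv, 8));
    printf("with header++:    %d\n", parse_dek_value(v, 1, iv, 8));
    return 0;
}
```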

