diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-28 16:14:14 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-30 20:49:44 +0200 |
commit | 66066e1bba041459c2f879666b79e4a2158f5905 (patch) | |
tree | 3ad2f2014c9a05cd720746fe601dc6500c8b6946 /crypto | |
parent | 9032c2c11b2f14dcdbd253b470abc595a07a6c51 (diff) |
Prune low-level ASN.1 parse errors from error queue in der2key_decode() etc.
Also adds error output tests on loading key files with unsupported algorithms to 30-test_evp.t
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/ec/ec_ameth.c | 17 | ||||
-rw-r--r-- | crypto/encode_decode/decoder_lib.c | 15 | ||||
-rw-r--r-- | crypto/evp/evp_pkey.c | 4 | ||||
-rw-r--r-- | crypto/store/store_result.c | 1 | ||||
-rw-r--r-- | crypto/x509/x_pubkey.c | 12 |
5 files changed, 27 insertions, 22 deletions
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index b586a43539..3312faa336 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -172,10 +172,8 @@ static int eckey_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey) eckey = eckey_type2param(ptype, pval, libctx, propq); - if (!eckey) { - ECerr(EC_F_ECKEY_PUB_DECODE, ERR_R_EC_LIB); + if (!eckey) return 0; - } /* We have parameters now set public key */ if (!o2i_ECPublicKey(&eckey, &p, pklen)) { @@ -224,22 +222,19 @@ static int eckey_priv_decode_with_libctx(EVP_PKEY *pkey, X509_ALGOR_get0(NULL, &ptype, &pval, palg); eckey = eckey_type2param(ptype, pval, libctx, propq); - if (eckey == NULL) - goto ecliberr; + goto err; /* We have parameters now set private key */ if (!d2i_ECPrivateKey(&eckey, &p, pklen)) { ECerr(0, EC_R_DECODE_ERROR); - goto ecerr; + goto err; } EVP_PKEY_assign_EC_KEY(pkey, eckey); return 1; - ecliberr: - ECerr(0, ERR_R_EC_LIB); - ecerr: + err: EC_KEY_free(eckey); return 0; } @@ -472,10 +467,8 @@ static int old_ec_priv_decode(EVP_PKEY *pkey, { EC_KEY *ec; - if ((ec = d2i_ECPrivateKey(NULL, pder, derlen)) == NULL) { - ECerr(EC_F_OLD_EC_PRIV_DECODE, EC_R_DECODE_ERROR); + if ((ec = d2i_ECPrivateKey(NULL, pder, derlen)) == NULL) return 0; - } EVP_PKEY_assign_EC_KEY(pkey, ec); return 1; } diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index 0bc772e43b..0411da41f4 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -11,6 +11,9 @@ #include <openssl/bio.h> #include <openssl/params.h> #include <openssl/provider.h> +#include <openssl/evperr.h> +#include <openssl/ecerr.h> +#include <openssl/x509err.h> #include "internal/passphrase.h" #include "crypto/decoder.h" #include "encoder_local.h" @@ -424,7 +427,7 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) BIO *bio = data->bio; long loc; size_t i; - int ok = 0; + int err, ok = 0; /* For recursions */ struct decoder_process_data_st new_data; @@ -532,6 +535,16 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) &new_data.ctx->pwdata); if (ok) break; + err = ERR_peek_last_error(); + if ((ERR_GET_LIB(err) == ERR_LIB_EVP + && ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM) +#ifndef OPENSSL_NO_EC + || (ERR_GET_LIB(err) == ERR_LIB_EC + && ERR_GET_REASON(err) == EC_R_UNKNOWN_GROUP) +#endif + || (ERR_GET_LIB(err) == ERR_LIB_X509 + && ERR_GET_REASON(err) == X509_R_UNSUPPORTED_ALGORITHM)) + break; /* fatal error; preserve it on the error queue and stop */ } end: diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index f31d1d68f8..45666a2c42 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -41,10 +41,8 @@ EVP_PKEY *EVP_PKCS82PKEY_with_libctx(const PKCS8_PRIV_KEY_INFO *p8, } if (pkey->ameth->priv_decode_with_libctx != NULL) { - if (!pkey->ameth->priv_decode_with_libctx(pkey, p8, libctx, propq)) { - EVPerr(0, EVP_R_PRIVATE_KEY_DECODE_ERROR); + if (!pkey->ameth->priv_decode_with_libctx(pkey, p8, libctx, propq)) goto error; - } } else if (pkey->ameth->priv_decode != NULL) { if (!pkey->ameth->priv_decode(pkey, p8)) { EVPerr(0, EVP_R_PRIVATE_KEY_DECODE_ERROR); diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c index c3f21eedad..363d25adbf 100644 --- a/crypto/store/store_result.c +++ b/crypto/store/store_result.c @@ -88,6 +88,7 @@ static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **, \ if (ERR_GET_LIB(err) == ERR_LIB_ASN1 \ && (ERR_GET_REASON(err) == ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE \ + || ERR_GET_REASON(err) == ASN1_R_NO_MATCHING_CHOICE_TYPE \ || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR)) \ ERR_pop_to_mark(); \ else \ diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index a4d3c9fa5e..d63a33e301 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -41,12 +41,12 @@ static int x509_pubkey_decode(EVP_PKEY **pk, const X509_PUBKEY *key); static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { + X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; + if (operation == ASN1_OP_FREE_POST) { - X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; EVP_PKEY_free(pubkey->pkey); } else if (operation == ASN1_OP_D2I_POST) { /* Attempt to decode public key and cache in pubkey structure. */ - X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; EVP_PKEY_free(pubkey->pkey); pubkey->pkey = NULL; /* @@ -55,8 +55,10 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, * will return an appropriate error. */ ERR_set_mark(); - if (x509_pubkey_decode(&pubkey->pkey, pubkey) == -1) + if (x509_pubkey_decode(&pubkey->pkey, pubkey) == -1) { + ERR_clear_last_mark(); return 0; + } ERR_pop_to_mark(); } return 1; @@ -180,10 +182,8 @@ static int x509_pubkey_decode(EVP_PKEY **ppkey, const X509_PUBKEY *key) * future we could have different return codes for decode * errors and fatal errors such as malloc failure. */ - if (!pkey->ameth->pub_decode(pkey, key)) { - X509err(X509_F_X509_PUBKEY_DECODE, X509_R_PUBLIC_KEY_DECODE_ERROR); + if (!pkey->ameth->pub_decode(pkey, key)) goto error; - } } else { X509err(X509_F_X509_PUBKEY_DECODE, X509_R_METHOD_NOT_SUPPORTED); goto error; |