diff options
| author | Daniel Bevenius <daniel.bevenius@gmail.com> | 2021-04-28 10:30:13 +0200 |
|---|---|---|
| committer | Benjamin Kaduk <kaduk@mit.edu> | 2021-05-09 11:31:52 -0700 |
| commit | 8be513ae46765ab4c4c3e244640652c24633288d (patch) | |
| tree | a0460643401c3cb4b30815fd7ee913c378a94d8c /providers/implementations/encode_decode | |
| parent | f7f0632b01cf16efccb133e395cf115c194bd003 (diff) | |
Mark pop/clear error stack in der2key_decode_p8
This commit sets the error mark before calling d2i_X509_SIG
and clear it if that function call is successful.
The motivation for this is that if d2i_X509_SIG returns NULL then the
else clause will be entered and d2i_PKCS8_PRIV_KEY_INFO will be
called. If d2i_X509_SIG raised any errors those error will be on the
error stack when d2i_PKCS8_PRIV_KEY_INFO gets called, and even if it
returns successfully those errors will still be on the error stack.
We ran into this issue when upgrading Node.js to 3.0.0-alpha15.
More details can be found in the ref links below.
Refs: https://github.com/nodejs/node/issues/38373
Refs: https://github.com/danbev/learning-libcrypto/blob/master/notes/wrong-tag-issue2.md
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15067)
Diffstat (limited to 'providers/implementations/encode_decode')
| -rw-r--r-- | providers/implementations/encode_decode/decode_der2key.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 73acf527c1..01c050ccb0 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -124,10 +124,13 @@ static void *der2key_decode_p8(const unsigned char **input_der, ctx->flag_fatal = 0; + ERR_set_mark(); if ((p8 = d2i_X509_SIG(NULL, input_der, input_der_len)) != NULL) { char pbuf[PEM_BUFSIZE]; size_t plen = 0; + ERR_clear_last_mark(); + if (!pw_cb(pbuf, sizeof(pbuf), &plen, NULL, pw_cbarg)) ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PASSPHRASE); else @@ -136,6 +139,8 @@ static void *der2key_decode_p8(const unsigned char **input_der, ctx->flag_fatal = 1; X509_SIG_free(p8); } else { + /* Pop any errors that might have been raised by d2i_X509_SIG. */ + ERR_pop_to_mark(); p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, input_der, input_der_len); } if (p8inf != NULL |