Skip to content

Commit

Permalink
deps: openssl: cherry-pick 59ccb72 and 1d28ada
Browse files Browse the repository at this point in the history 
openssl/openssl@59ccb72:

```
commit 59ccb72cd5cec3b4e312853621e12a68dacdbc7e
Author: Darshan Sen <raisinten@gmail.com>
Date:   Fri Jan 14 16:22:41 2022 +0530

    Fix invalid malloc failures in PEM_write_bio_PKCS8PrivateKey()

    When `PEM_write_bio_PKCS8PrivateKey()` was passed an empty passphrase
    string, `OPENSSL_memdup()` was incorrectly getting used for 0 bytes size
    allocation, which resulted in malloc failures.

    Fixes: openssl/openssl#17506

    Signed-off-by: Darshan Sen <raisinten@gmail.com>

    Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
    Reviewed-by: Paul Dale <pauli@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from openssl/openssl#17507)
```

openssl/openssl@1d28ada:

```
commit 1d28ada1c39997c10fe5392f4235bbd2bc44b40f
Author: Darshan Sen <raisinten@gmail.com>
Date:   Sat Jan 22 17:56:05 2022 +0530

    Allow empty passphrase in PEM_write_bio_PKCS8PrivateKey_nid()

    Signed-off-by: Darshan Sen <raisinten@gmail.com>

    Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
    Reviewed-by: Paul Dale <pauli@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from openssl/openssl#17507)
```

Refs: openssl/openssl#17507
Fixes: nodejs#41428
Signed-off-by: Darshan Sen <raisinten@gmail.com>
  • Loading branch information
@RaisinTen
RaisinTen committed Mar 13, 2022
1 parent dde2f78 commit fcbbb52
Show file tree
Hide file tree
Showing 5 changed files with 50 additions and 3 deletions.
7 changes: 7 additions & 0 deletions deps/openssl/openssl/CHANGES.md
View file
Expand Up @@ -28,6 +28,13 @@ breaking changes, and mappings for the large list of deprecated functions.

[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

### Changes between 3.0.0 and 3.0.0+quic [xx XXX xxxx]

* Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid()
to make it possible to use empty passphrase strings.

*Darshan Sen*

### Changes between 3.0.0 and 3.0.0+quic [7 Sun 2021]

* Add QUIC API support from BoringSSL.
Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/openssl/crypto/passphrase.c
View file
Expand Up @@ -41,7 +41,8 @@ int ossl_pw_set_passphrase(struct ossl_passphrase_data_st *data,
ossl_pw_clear_passphrase_data(data);
data->type = is_expl_passphrase;
data->_.expl_passphrase.passphrase_copy =
OPENSSL_memdup(passphrase, passphrase_len);
passphrase_len != 0 ? OPENSSL_memdup(passphrase, passphrase_len)
: OPENSSL_malloc(1);
if (data->_.expl_passphrase.passphrase_copy == NULL) {
ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE);
return 0;
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/crypto/pem/pem_pk8.c
View file
Expand Up @@ -136,7 +136,7 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid,
if (enc || (nid != -1)) {
if (kstr == NULL) {
klen = cb(buf, PEM_BUFSIZE, 1, u);
if (klen <= 0) {
if (klen < 0) {
ERR_raise(ERR_LIB_PEM, PEM_R_READ_KEY);
goto legacy_end;
}
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/crypto/ui/ui_util.c
View file
Expand Up @@ -114,7 +114,7 @@ static int ui_read(UI *ui, UI_STRING *uis)

if (len >= 0)
result[len] = '\0';
if (len <= 0)
if (len < 0)
return len;
if (UI_set_result_ex(ui, uis, result, len) >= 0)
return 1;
Expand Down
39 changes: 39 additions & 0 deletions deps/openssl/openssl/test/evp_pkey_provided_test.c
View file
Expand Up @@ -128,6 +128,16 @@ static int compare_with_file(const char *alg, int type, BIO *membio)
return ret;
}

static int pass_cb(char *buf, int size, int rwflag, void *u)
{
return 0;
}

static int pass_cb_error(char *buf, int size, int rwflag, void *u)
{
return -1;
}

static int test_print_key_using_pem(const char *alg, const EVP_PKEY *pk)
{
BIO *membio = BIO_new(BIO_s_mem());
Expand All @@ -140,6 +150,35 @@ static int test_print_key_using_pem(const char *alg, const EVP_PKEY *pk)
!TEST_true(PEM_write_bio_PrivateKey(bio_out, pk, EVP_aes_256_cbc(),
(unsigned char *)"pass", 4,
NULL, NULL))
/* Output zero-length passphrase encrypted private key in PEM form */
|| !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk,
EVP_aes_256_cbc(),
(const char *)~0, 0,
NULL, NULL))
|| !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk,
EVP_aes_256_cbc(),
NULL, 0, NULL, ""))
|| !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk,
EVP_aes_256_cbc(),
NULL, 0, pass_cb, NULL))
|| !TEST_false(PEM_write_bio_PKCS8PrivateKey(bio_out, pk,
EVP_aes_256_cbc(),
NULL, 0, pass_cb_error,
NULL))
#ifndef OPENSSL_NO_DES
|| !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid(
bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
(const char *)~0, 0, NULL, NULL))
|| !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid(
bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0,
NULL, ""))
|| !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid(
bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0,
pass_cb, NULL))
|| !TEST_false(PEM_write_bio_PKCS8PrivateKey_nid(
bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0,
pass_cb_error, NULL))
#endif
/* Private key in text form */
|| !TEST_int_gt(EVP_PKEY_print_private(membio, pk, 0, NULL), 0)
|| !TEST_true(compare_with_file(alg, PRIV_TEXT, membio))
Expand Down

0 comments on commit fcbbb52

Please sign in to comment.