From fcbbb52b78f966946cbe55f8416c25ab51c07d2d Mon Sep 17 00:00:00 2001 From: Darshan Sen Date: Sat, 15 Jan 2022 20:06:51 +0530 Subject: [PATCH] deps: openssl: cherry-pick 59ccb72 and 1d28ada https://github.com/openssl/openssl/commit/59ccb72cd5cec3b4e312853621e12a68dacdbc7e: ``` commit 59ccb72cd5cec3b4e312853621e12a68dacdbc7e Author: Darshan Sen Date: Fri Jan 14 16:22:41 2022 +0530 Fix invalid malloc failures in PEM_write_bio_PKCS8PrivateKey() When `PEM_write_bio_PKCS8PrivateKey()` was passed an empty passphrase string, `OPENSSL_memdup()` was incorrectly getting used for 0 bytes size allocation, which resulted in malloc failures. Fixes: https://github.com/openssl/openssl/issues/17506 Signed-off-by: Darshan Sen Reviewed-by: Bernd Edlinger Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17507) ``` https://github.com/openssl/openssl/commit/1d28ada1c39997c10fe5392f4235bbd2bc44b40f: ``` commit 1d28ada1c39997c10fe5392f4235bbd2bc44b40f Author: Darshan Sen Date: Sat Jan 22 17:56:05 2022 +0530 Allow empty passphrase in PEM_write_bio_PKCS8PrivateKey_nid() Signed-off-by: Darshan Sen Reviewed-by: Bernd Edlinger Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17507) ``` Refs: https://github.com/openssl/openssl/pull/17507 Fixes: https://github.com/nodejs/node/issues/41428 Signed-off-by: Darshan Sen --- deps/openssl/openssl/CHANGES.md | 7 ++++ deps/openssl/openssl/crypto/passphrase.c | 3 +- deps/openssl/openssl/crypto/pem/pem_pk8.c | 2 +- deps/openssl/openssl/crypto/ui/ui_util.c | 2 +- .../openssl/test/evp_pkey_provided_test.c | 39 +++++++++++++++++++ 5 files changed, 50 insertions(+), 3 deletions(-) diff --git a/deps/openssl/openssl/CHANGES.md b/deps/openssl/openssl/CHANGES.md index 43b3bb89d615b8..2fd8e0191eca19 100644 --- a/deps/openssl/openssl/CHANGES.md +++ b/deps/openssl/openssl/CHANGES.md @@ -28,6 +28,13 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod +### Changes between 3.0.0 and 3.0.0+quic [xx XXX xxxx] + + * Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid() + to make it possible to use empty passphrase strings. + + *Darshan Sen* + ### Changes between 3.0.0 and 3.0.0+quic [7 Sun 2021] * Add QUIC API support from BoringSSL. diff --git a/deps/openssl/openssl/crypto/passphrase.c b/deps/openssl/openssl/crypto/passphrase.c index d61e2494405ac4..d4ba711968eb74 100644 --- a/deps/openssl/openssl/crypto/passphrase.c +++ b/deps/openssl/openssl/crypto/passphrase.c @@ -41,7 +41,8 @@ int ossl_pw_set_passphrase(struct ossl_passphrase_data_st *data, ossl_pw_clear_passphrase_data(data); data->type = is_expl_passphrase; data->_.expl_passphrase.passphrase_copy = - OPENSSL_memdup(passphrase, passphrase_len); + passphrase_len != 0 ? OPENSSL_memdup(passphrase, passphrase_len) + : OPENSSL_malloc(1); if (data->_.expl_passphrase.passphrase_copy == NULL) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); return 0; diff --git a/deps/openssl/openssl/crypto/pem/pem_pk8.c b/deps/openssl/openssl/crypto/pem/pem_pk8.c index 4742f02fef22c6..60ff09354b8003 100644 --- a/deps/openssl/openssl/crypto/pem/pem_pk8.c +++ b/deps/openssl/openssl/crypto/pem/pem_pk8.c @@ -136,7 +136,7 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid, if (enc || (nid != -1)) { if (kstr == NULL) { klen = cb(buf, PEM_BUFSIZE, 1, u); - if (klen <= 0) { + if (klen < 0) { ERR_raise(ERR_LIB_PEM, PEM_R_READ_KEY); goto legacy_end; } diff --git a/deps/openssl/openssl/crypto/ui/ui_util.c b/deps/openssl/openssl/crypto/ui/ui_util.c index 58769d68a3ae4e..871472cd326802 100644 --- a/deps/openssl/openssl/crypto/ui/ui_util.c +++ b/deps/openssl/openssl/crypto/ui/ui_util.c @@ -114,7 +114,7 @@ static int ui_read(UI *ui, UI_STRING *uis) if (len >= 0) result[len] = '\0'; - if (len <= 0) + if (len < 0) return len; if (UI_set_result_ex(ui, uis, result, len) >= 0) return 1; diff --git a/deps/openssl/openssl/test/evp_pkey_provided_test.c b/deps/openssl/openssl/test/evp_pkey_provided_test.c index 8b5c7b34577d51..f58dfc2c2416ee 100644 --- a/deps/openssl/openssl/test/evp_pkey_provided_test.c +++ b/deps/openssl/openssl/test/evp_pkey_provided_test.c @@ -128,6 +128,16 @@ static int compare_with_file(const char *alg, int type, BIO *membio) return ret; } +static int pass_cb(char *buf, int size, int rwflag, void *u) +{ + return 0; +} + +static int pass_cb_error(char *buf, int size, int rwflag, void *u) +{ + return -1; +} + static int test_print_key_using_pem(const char *alg, const EVP_PKEY *pk) { BIO *membio = BIO_new(BIO_s_mem()); @@ -140,6 +150,35 @@ static int test_print_key_using_pem(const char *alg, const EVP_PKEY *pk) !TEST_true(PEM_write_bio_PrivateKey(bio_out, pk, EVP_aes_256_cbc(), (unsigned char *)"pass", 4, NULL, NULL)) + /* Output zero-length passphrase encrypted private key in PEM form */ + || !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk, + EVP_aes_256_cbc(), + (const char *)~0, 0, + NULL, NULL)) + || !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk, + EVP_aes_256_cbc(), + NULL, 0, NULL, "")) + || !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk, + EVP_aes_256_cbc(), + NULL, 0, pass_cb, NULL)) + || !TEST_false(PEM_write_bio_PKCS8PrivateKey(bio_out, pk, + EVP_aes_256_cbc(), + NULL, 0, pass_cb_error, + NULL)) +#ifndef OPENSSL_NO_DES + || !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid( + bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, + (const char *)~0, 0, NULL, NULL)) + || !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid( + bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0, + NULL, "")) + || !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid( + bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0, + pass_cb, NULL)) + || !TEST_false(PEM_write_bio_PKCS8PrivateKey_nid( + bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0, + pass_cb_error, NULL)) + #endif /* Private key in text form */ || !TEST_int_gt(EVP_PKEY_print_private(membio, pk, 0, NULL), 0) || !TEST_true(compare_with_file(alg, PRIV_TEXT, membio))