| author | Richard Levitte <levitte@openssl.org> | 2020-05-11 09:14:11 +0200 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2020-05-12 06:48:47 +0200 |
| commit | b2952366dd0248bf35c83e1736cd203033a22378 (patch) | |
| tree | a057c8393fcee475d54a6fa0165511b4bb518a19 | |
| parent | 885a2a399dcf25860f471e59af43db2917c39335 (diff) | |
| download | openssl-new-b2952366dd0248bf35c83e1736cd203033a22378.tar.gz | |
Fix d2i_PrivateKey_ex() to work as documented
d2i_PrivateKey(), and thereby d2i_PrivateKey_ex(), is documented to
return keys of the type given as first argument |type|, unconditionally.
Most specifically, the manual says this:
> An error occurs if the decoded key does not match type.
However, when faced with a PKCS#8 wrapped key, |type| was ignored, which
may lead to unexpected results.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11787)
-rw-r--r-- | crypto/asn1/d2i_pr.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index c7346f5424..3ddc56d408 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -58,6 +58,8 @@ EVP_PKEY *d2i_PrivateKey_ex(int type, EVP_PKEY **a, const unsigned char **pp, goto err; EVP_PKEY_free(ret); ret = tmp; + if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret)) + goto err; } else { ASN1err(0, ERR_R_ASN1_LIB); goto err; |
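Review bot: the new type check in d2i_PrivateKey_ex() jumps to `err` without pushing anything onto the error queue, so a caller that hits the documented "decoded key does not match type" case gets a NULL return but ERR_get_error() reports nothing, whereas the sibling `else` branch in the same hunk does call `ASN1err(0, ERR_R_ASN1_LIB);` before its `goto err;`. Suggest raising an explicit error with a reason that names the type mismatch before the `goto err;` on the added line, so that the failure is distinguishable from a generic decode failure and matches the manual text quoted in the commit message. It would also help to add a test that feeds a PKCS#8 key of one algorithm to d2i_PrivateKey() with a different `type` and asserts both the NULL return and the queued error, since this path previously had no coverage.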