author | Shane Lontis <shane.lontis@oracle.com> | 2021-05-05 16:58:37 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2021-05-10 13:23:50 +1000 |
commit | d29d7a7ff22e8e3be1c8bbdb8edd3ab9c72ed021 (patch) | |
tree | 0ccdd13e9d8c5d229523a6317e2ead4568e9a21a /crypto/pem | |
parent | 333b31e3000ff009cdc48bf45d9af687031f7688 (diff) | |
Fix i2d_PKCS8PrivateKey_nid_bio() regression.
This method ignores the nid and could end up saving out the private key unencrypted.
In earlier alpha releases OSSL_num_encoders() returned 0 for this test
case, which then meant that the legacy path was run, and the key was
then correctly encrypted.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15152)
Diffstat (limited to 'crypto/pem')
-rw-r--r-- | crypto/pem/pem_pk8.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c index 86a66b586c..5e28907be3 100644 --- a/crypto/pem/pem_pk8.c +++ b/crypto/pem/pem_pk8.c @@ -93,7 +93,13 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid, } } - if (OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) { + /* + * NOTE: There is no attempt to do a EVP_CIPHER_fetch() using the nid, + * since the nid is a PBE algorithm which can't be fetched currently. + * (e.g. NID_pbe_WithSHA1And2_Key_TripleDES_CBC). Just use the legacy + * path if the NID is passed. + */ + if (nid == -1 && OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) { ret = 1; if (enc != NULL) { ret = 0; |
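Review bot: The new condition `nid == -1 && OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0` depends on -1 meaning "no PBE nid supplied", but the added comment only says "Just use the legacy path if the NID is passed" and never names that sentinel. Per the commit message, taking the encoder branch with a nid set is what could write the private key out unencrypted, so the comment should state explicitly that -1 is the "not passed" value and that every other nid must reach the legacy path, which makes it harder for a later edit to this condition to reopen the regression. It is also worth confirming that the test case mentioned in the commit message asserts that the output is actually encrypted when a nid is given, not only that the call returns success.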