author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-16 12:52:09 +0200 |
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-24 14:34:56 +0200 |
commit | 29844ea5b3d2b7240d99b043a0d82cb177f0762d (patch) | |
tree | 1cb0954dd516bb5a640876fa64d59ff6fe53d51d /providers | |
parent | 50eb2a507732b4d32879709dbfa335ccb542f676 (diff) | |
download | openssl-new-29844ea5b3d2b7240d99b043a0d82cb177f0762d.tar.gz |
Prune low-level ASN.1 parse errors from error queue in decoder_process()
Fixes #12840
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12893)
Diffstat (limited to 'providers')
-rw-r--r-- | providers/implementations/encode_decode/decode_der2key.c | 17 | ||||
-rw-r--r-- | providers/implementations/storemgmt/file_store_der2obj.c | 17 |
2 files changed, 31 insertions, 3 deletions
diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c
index 011f05803d..f75faf2d11 100644
--- a/providers/implementations/encode_decode/decode_der2key.c
+++ b/providers/implementations/encode_decode/decode_der2key.c
@@ -165,10 +165,11 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin,
 long new_der_len;
 EVP_PKEY *pkey = NULL;
 void *key = NULL;
- int ok = 0;
+ int err, ok = 0;
 
+ ERR_set_mark();
 if (!read_der(ctx->provctx, cin, &der, &der_len))
- return 0;
+ goto err;
 
 /*
 * Opportunistic attempt to decrypt. If it doesn't work, we try to
@@ -192,6 +193,18 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin,
 derp = der;
 pkey = d2i_KeyParams(ctx->desc->type, NULL, &derp, der_len);
 }
+ err:
+ /*
+ * Prune low-level ASN.1 parse errors from error queue, assuming that
+ * this is called by decoder_process() in a loop trying several formats.
+ */
+ err = ERR_peek_last_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_ASN1
+ && (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG
+ || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR))
+ ERR_pop_to_mark();
+ else
+ ERR_clear_last_mark();
 
 if (pkey != NULL) {
 /*
diff --git a/providers/implementations/storemgmt/file_store_der2obj.c b/providers/implementations/storemgmt/file_store_der2obj.c
index c7388a9d14..6613c8b5f2 100644
--- a/providers/implementations/storemgmt/file_store_der2obj.c
+++ b/providers/implementations/storemgmt/file_store_der2obj.c
@@ -27,6 +27,8 @@
 #include <openssl/core_object.h>
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/asn1err.h>
 #include <openssl/params.h>
 #include "internal/asn1.h"
 #include "prov/bio.h"
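Review bot: The pruning after `err:` decides from ERR_peek_last_error() alone and then pops everything back to the mark, so the result depends on which entry happens to be on top of the queue: when the final d2i attempt succeeded but the topmost entry is not one of the two ASN.1 codes (for instance something pushed by the opportunistic decryption that precedes this hunk), those entries survive although pkey is valid, and when the top entry does match, any non-ASN.1 entries beneath it are discarded as well. If decryption diagnostics are meant to stay visible that should be stated in the comment; otherwise consider pruning whenever the decode succeeded, `if (pkey != NULL || (ERR_GET_LIB(err) == ERR_LIB_ASN1 && (...)))`. The same twelve lines are added to der2obj_decode in file_store_der2obj.c; a small shared helper in the provider-common code that also owns the ERR_set_mark() call would keep the list of pruned reason codes in one place. The label `err:` is reached on success too and shares its name with the local `err`, so a name such as `done:` would read better; der2key_decode starts and ends outside the hunk.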
@@ -85,8 +87,21 @@ static int der2obj_decode(void *provctx, OSSL_CORE_BIO *cin,
 */
 BIO *in = (BIO *)cin;
 BUF_MEM *mem = NULL;
- int ok = (asn1_d2i_read_bio(in, &mem) >= 0);
+ int err, ok;
 
+ ERR_set_mark();
+ ok = (asn1_d2i_read_bio(in, &mem) >= 0);
+ /*
+ * Prune low-level ASN.1 parse errors from error queue, assuming that
+ * this is called by decoder_process() in a loop trying several formats.
+ */
+ err = ERR_peek_last_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_ASN1
+ && (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG
+ || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR))
+ ERR_pop_to_mark();
+ else
+ ERR_clear_last_mark();
 if (ok) {
 OSSL_PARAM params[3];
 int object_type = OSSL_OBJECT_UNKNOWN;
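Review bot: der2obj_decode now answers non-DER input with ok == 0 and an empty error queue, and the only explanation is the comment inside the hunk, which justifies it by assuming decoder_process() is the caller; a reader of the function's header comment (above the hunk) gets no hint that a silent failure is deliberate, so it should say so, e.g. `/* Input that asn1_d2i_read_bio() rejects as non-DER yields ok == 0 with no error queued: this decoder is tried among several formats. */`. Whether any other caller of this function depends on the dropped diagnostics cannot be judged from the hunk; if one exists, pruning belongs in the loop that tries the formats rather than here. What happens to `mem` on the failure path is outside the hunk; der2obj_decode continues past it.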