[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Wed, 07 Sep 2016 10:57:37 -0700 

The branch OpenSSL_1_0_2-stable has been updated
       via  8195a8691108d89fbb0dd11599154067009d10d6 (commit)
      from  3f1014960353af29a05a7b5dac40afd30d4f9bb3 (commit)


- Log -----------------------------------------------------------------
commit 8195a8691108d89fbb0dd11599154067009d10d6
Author: David Woodhouse <david.woodho...@intel.com>
Date:   Wed Sep 7 16:53:18 2016 +0100

    Avoid EVP_PKEY_cmp() crash on EC keys without public component
    
    Some hardware devices don't provide the public EC_POINT data. The only
    way for X509_check_private_key() to validate that the key matches a
    given certificate is to actually perform a sign operation and then
    verify it using the public key in the certificate.
    
    Maybe that can come later, as discussed in issue 1532. But for now let's
    at least make it fail gracefully and not crash.
    
    GH: 1532
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    Reviewed-by: Rich Salz <rs...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/1547)
    (cherry picked from commit 92ed7fa575a80955f3bb6efefca9bf576a953586)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_ameth.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 61a97f6..d089af7 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -224,6 +224,8 @@ static int eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY 
*b)
     const EC_GROUP *group = EC_KEY_get0_group(b->pkey.ec);
     const EC_POINT *pa = EC_KEY_get0_public_key(a->pkey.ec),
         *pb = EC_KEY_get0_public_key(b->pkey.ec);
+    if (group == NULL || pa == NULL || pb == NULL)
+        return -2;
     r = EC_POINT_cmp(group, pa, pb, NULL);
     if (r == 0)
         return 1;
@@ -394,6 +396,8 @@ static int ec_cmp_parameters(const EVP_PKEY *a, const 
EVP_PKEY *b)
 {
     const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec),
         *group_b = EC_KEY_get0_group(b->pkey.ec);
+    if (group_a == NULL || group_b == NULL)
+        return -2;
     if (EC_GROUP_cmp(group_a, group_b, NULL))
         return 0;
     else
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

Reply via email to