Hi,

I would like to submit a patch to openssl in order to fix this issue. This
patch is fixing a missing error code in the EVP_DecryptFinal_ex function 
which cause the failure of the NodeJS unit test.

During the latest Debian Bug Squashing Party i was working on NodeJS
packaging with Jean Baptiste Favre and trying to fix some issues. We noticed 
a unit test failure (on NodeJS side) because of an unexpected openssl return 
value.

Unit test is simple/test-crypto-stream, and is based on aes-128-cbc
encryption and decryption with two different keys. This test should fail
with the error code :

[TypeError: error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt]

But the latest stable version of openssl returns

[TypeError: error:00000000:lib(0):func(0):reason(0)]

This seems to come from some modification made in the
EVP_DecryptFinal_ex function in the last version bump. When returning 
padding_good, 
the EVPerr is not called before returning zero, leading to an undefined error 
code.

Here attached is a patch fixing this.

I hope this will help, don't hesitate to ask me for more information. 

Please, as it is my first submission let me know if some is wrong in the way to 
do it

Kind regards,

-- 
William                             http://www.wbonnet.net

http://france.debian.net            Association Debian France
http://www.opencsw.org              Community SoftWare for Solaris

diff -Nru openssl-1.0.1j/debian/changelog openssl-1.0.1j/debian/changelog
--- openssl-1.0.1j/debian/changelog	2014-10-15 19:42:52.000000000 +0200
+++ openssl-1.0.1j/debian/changelog	2014-11-16 13:49:49.000000000 +0100
@@ -1,3 +1,11 @@
+openssl (1.0.1j-2) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload
+    - Fix for missing Bad Decrypt error code in EVP_DecryptFinal_ex when padding is not good
+      (Closes #768681)
+
+ -- William Bonnet <wllmb...@gmail.com>  Sun, 16 Nov 2014 13:46:13 +0100
+
 openssl (1.0.1j-1) unstable; urgency=high
 
   * New upstream release
diff -Nru openssl-1.0.1j/debian/patches/EVP_DecryptFinal_ex_missing_EVPerr_call.patch openssl-1.0.1j/debian/patches/EVP_DecryptFinal_ex_missing_EVPerr_call.patch
--- openssl-1.0.1j/debian/patches/EVP_DecryptFinal_ex_missing_EVPerr_call.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1j/debian/patches/EVP_DecryptFinal_ex_missing_EVPerr_call.patch	2014-11-16 13:55:32.000000000 +0100
@@ -0,0 +1,38 @@
+Description: Fix for missing Bad Decrypt error code in EVP_DecryptFinal_ex
+ EVP_DecryptFinal_ex function. When returning padding_good, the EVPerr is
+ not called before returning zero, leading to an undefined error code.
+ .
+ openssl (1.0.1j-2) UNRELEASED; urgency=medium
+ .
+   * Non-maintainer upload
+     - Fix for missing Bad Decrypt error code in EVP_DecryptFinal_ex when padding is not good
+       (Closes #768681)
+Author: William Bonnet <wllmb...@gmail.com>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: other
+Bug-Debian: https://bugs.debian.org/768681
+
+--- openssl-1.0.1j.orig/crypto/evp/evp_enc.c
++++ openssl-1.0.1j/crypto/evp/evp_enc.c
+@@ -555,6 +555,16 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *
+ 			out[i] = ctx->final[i] & padding_good;
+ 		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
+ 		*outl = padding_good & ((unsigned char)(b - pad));
++
++		/* 
++		 * If the padding_good variable is 0 then a decryption problem occured
++		 * and we have to call EVPerr before returning 0
++		 */
++		if ((padding_good & 1) == 0)
++			{
++				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
++			}
++
+ 		return padding_good & 1;
+ 		}
+ 	else
diff -Nru openssl-1.0.1j/debian/patches/series openssl-1.0.1j/debian/patches/series
--- openssl-1.0.1j/debian/patches/series	2014-10-15 19:34:35.000000000 +0200
+++ openssl-1.0.1j/debian/patches/series	2014-11-16 13:53:21.000000000 +0100
@@ -22,3 +22,4 @@
 openssl_fix_for_x32.patch
 ppc64el.patch
 
+EVP_DecryptFinal_ex_missing_EVPerr_call.patch

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Reply via email to