The branch OpenSSL_1_1_1-stable has been updated via 176eb406691f14d560cf7619365830a4d033ee28 (commit) from cf94e8430f3cd7c17f62b74443d16347b4b97ac8 (commit)
- Log ----------------------------------------------------------------- commit 176eb406691f14d560cf7619365830a4d033ee28 Author: Richard Levitte <levi...@openssl.org> Date: Mon May 11 09:14:11 2020 +0200 Fix d2i_PrivateKey() to work as documented d2i_PrivateKey() is documented to return keys of the type given as first argument |type|, unconditionally. Most specifically, the manual says this: > An error occurs if the decoded key does not match type. However, when faced of a PKCS#8 wrapped key, |type| was ignored, which may lead to unexpected results. (cherry picked from commit b2952366dd0248bf35c83e1736cd203033a22378) Reviewed-by: Paul Dale <paul.d...@oracle.com> Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11888) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/d2i_pr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 6ec0107380..ac1a8c429a 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -56,6 +56,8 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, goto err; EVP_PKEY_free(ret); ret = tmp; + if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret)) + goto err; } else { ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB); goto err;