-
-
Notifications
You must be signed in to change notification settings - Fork 10k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regression: Unable to set EC_KEY private_key to NULL starting in 1.1.1h #18744
Comments
This allows to set EC_KEY's private key to NULL. Fixes openssl#18744.
So, before the patch in #11127, Documentation said and says nothing about being allowed to pass So, questions for OTC:
|
Formally my hold is to let OTC evaluate if the original report describes a regression or not.
As far as the public API is defined, passing NULL returns an error code, so one can say that the API before 1.1.1h did not allow the semantic of passing NULL to unset the private key. On the other hand, if the caller did not check the return value and relied on undocumented inner behavior, one can say this is a regression. |
All those functions explicitly handle being passed NULL as an argument and set the corresponding value to NULL - that is their intent. It didn't happen by accident. BN_dup(NULL) returns NULL and that is not an error - as that is what it should do. Changing long term explicit behaviour like this is one place where things get broken unnecessarily and we should not be backfitting this short of change into a stable release - that was a mistake to backfit it IMHO entirely independent of what you think about what the behaviour should be. EC_KEY_set_group, EC_KEY_set_private_key, EC_KEY_set_public_key all operate the same way and changing one API out of a set of APIs to behave inconsistently was clearly the wrong choice to be making (for backfit or in any other context). Someone wanting to make a behaviour change like that should be explicitly flagging that as a separate PR and discussing the context and the scope - not including it in with other changes. |
OTC: We should revert to the old behaviour on all branches, where passing NULL sets the internal key to NULL and we get a failure result code back |
This allows to set EC_KEY's private key to NULL and fixes regression issue following OTC guideline in openssl#18744 (comment) Fixes openssl#18744.
This allows to set EC_KEY's private key to NULL and fixes regression issue following OTC guideline in openssl#18744 (comment) Fixes openssl#18744.
This allows to set EC_KEY's private key to NULL and fixes regression issue following OTC guideline in openssl#18744 (comment) Fixes openssl#18744.
This allows to set EC_KEY's private key to NULL and fixes regression issue following OTC guideline in #18744 (comment) Fixes #18744. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #18941)
This allows to set EC_KEY's private key to NULL and fixes regression issue following OTC guideline in #18744 (comment) Fixes #18744. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #18874)
Thanks @dpirotte for reporting this and @robertohueso for the fix. The fix has been merged:
|
This allows to set EC_KEY's private key to NULL and fixes regression issue following OTC guideline in openssl/openssl#18744 (comment) Fixes #18744. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#18942)
This allows to set EC_KEY's private key to NULL and fixes regression issue following OTC guideline in openssl#18744 (comment) Fixes openssl#18744. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#18942)
OpenSSL 1.1.1h introduces a behavior change wherein one can no longer set an EC_KEY's private_key to NULL.
This behavior changes in 6a01f6f. Based on the original PR (#11127), it appears that this is hardening backported from 3.0.0 that unintentionally introduced a regression.
From 6a01f6f#diff-38a47bf175cde97de2df18870a9ab300366f191a848bdea84def068fe0fde69fR484-R486:
EC_KEY_set_private_key
returns early and never setskey->priv_key
to NULL.The text was updated successfully, but these errors were encountered: