Fix EVP_PKEY_get_size() doc and error handling #22459
BTW, looks like providers that implement the gettable Is this due to a bug of the specific provider or of the underlying OpenSSL provider support?
Quite possibly provider support assuming the function is implemented...
Thanks for the swift approvals.
@paulidale I assume your comment was meant in response to my question:
@ all, I'd find it weird that a provider implementing parameter getter functionality Yet for instance
fails if In such use cases, both the cms and pkcs7 libs attempt to set the
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.
Oh, meanwhile backporting includes 3.2
Aargh... that removal of the 3.0 label was unintended. I've botched something.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from #22459)
…ry on failure Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from #22459)
Merged to 3.2 and master. Thank you. This did not merge cleanly to 3.0 or 3.1, you may wish to open another PR.
if (size <= 0) { | ||
ERR_raise(ERR_LIB_EVP, EVP_R_UNKNOWN_BITS); | ||
return 0; | ||
} |
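Review bot: the `size <= 0` branch folds a negative result and a plain 0 into the same `return 0`, now always with `EVP_R_UNKNOWN_BITS` on the error queue, so a caller that only probes for an optional value is left with an error entry it did not ask for. Suggest the RETURN VALUES text state that a 0 return comes with an error queue entry, and that probing callers bracket the call with ERR_set_mark() and ERR_pop_to_mark().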
Errrrrrr.... documentation says:
RETURN VALUES
EVP_PKEY_get_size(), EVP_PKEY_get_bits() and EVP_PKEY_get_security_bits() return a positive number, or 0 if this size isn't available.
To me, that indicates that zero is not an error.
To me, the doc is kind of ambiguous whether it is an error if the size isn't available.
And reality is, callers of EVP_PKEY_get_size() are simply too sloppy.
Just have a look at the output of `grep -A 2 -r EVP_PKEY_get_size providers apps crypto test|fgrep .c`.
Also in crypto/ and apps/, the 0 return value is in most cases not checked at all!
Instead, typically OPENSSL_malloc() is called immediately with the value obtained, thus if it is 0, a misleading malloc failure is on the error stack, not indicating an issue with getting the size.
And in those few cases where a 0 return value is checked, no error is put on the queue when bailing out.
This was the motivation for coming up with this PR - namely because callers in practice expect that any needed ERR_raise() is done by the function itself.
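A way to triage the call sites that the grep in the comment above turns up, as an added example that is not part of this PR or of OpenSSL: it classifies each EVP_PKEY_get_size() call by whether the result is compared before it reaches an allocator. The C fragments in `SAMPLE`, the `audit` function and the verdict names are constructed for illustration, and the matching is a regex heuristic, not a C parser.

```python
import re

# Constructed C fragments (not from the OpenSSL tree): four call-site shapes.
SAMPLE = """\
size_t siglen = EVP_PKEY_get_size(pkey);
unsigned char *sig = OPENSSL_malloc(siglen);
int len = EVP_PKEY_get_size(pkey);
if (len <= 0)
    return 0;
buf = OPENSSL_malloc(len);
if ((n = EVP_PKEY_get_size(pkey)) <= 0)
    goto err;
out = OPENSSL_zalloc(EVP_PKEY_get_size(pkey));
"""

CALL = r"EVP_PKEY_get_size\s*\([^()]*\)"
ASSIGN = re.compile(r"(\w+)\s*=\s*(?:\([^()]*\)\s*)?" + CALL)  # optional cast
SAME_LINE_CHECK = re.compile(CALL + r"\s*\)*\s*(<=|==|!=|<|>)")

def audit(source, window=2):
    """Return (line_number, verdict) per call site; window mirrors grep -A 2."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not re.search(CALL, line):
            continue
        if SAME_LINE_CHECK.search(line):
            verdict = "checked"
        elif (m := ASSIGN.search(line)) is None:
            # Result fed straight into another expression, e.g. an allocator.
            verdict = "used-unchecked"
        else:
            var = re.escape(m.group(1))
            check = re.compile(rf"\b{var}\s*(<=|==|!=|<|>)|!\s*{var}\b")
            alloc = re.compile(rf"alloc\s*\([^;]*\b{var}\b")
            verdict = "no-check-in-window"
            for follow in lines[i + 1:i + 1 + window]:
                if check.search(follow):
                    verdict = "checked"
                    break
                if alloc.search(follow):
                    # Size reaches the allocator before any comparison: the
                    # misleading-malloc-failure case described in the thread.
                    verdict = "alloc-before-check"
                    break
        findings.append((i + 1, verdict))
    return findings

if __name__ == "__main__":
    for lineno, verdict in audit(SAMPLE):
        print(lineno, verdict)
```

Sites reported as `alloc-before-check` or `used-unchecked` are the ones worth reading by hand first; `no-check-in-window` only means no comparison appeared within the context window.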
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from openssl/openssl#22459) Signed-off-by: fly2x <fly2x@hitls.org>
…ry on failure Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from openssl/openssl#22459) Signed-off-by: fly2x <fly2x@hitls.org>
Attempting to use a provider that does not implement OSSL_PKEY_PARAM_MAX_SIZE fails on CMS/PKCS7/SMIME signing with the -noattr option, while not even an error queue entry is provided.
This PR fixes the documentation to point out EVP_PKEY_get_size and OSSL_PKEY_PARAM_MAX_SIZE (and the same for two similar pairs of functions and parameters) OSSL_PKEY_PARAM_MAX_SIZE for supporting some (e.g., CMS) use cases.
It also fixes the error handling and reporting on failure of EVP_PKEY_get_size() and friends.