STORE 'file' scheme loader: fix try_decode_params() to check ambiguity

The way try_decode_params works in raw more, it would take the first ASN1 that could decode and return a STORE_INFO with the resulting EVP_PKEY. This change has it go through all the matching ASN1 methods and properly check if there's more than one match, i.e. an ambiguity. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3863)
2025-02-17 14:32:04 +08:00 · 2017-07-05 20:54:08 +02:00 · 2017-07-05 20:54:08 +02:00 · 11d66064f3
commit 11d66064f3
parent c8feba723a
1 changed files with 26 additions and 10 deletions
--- a/crypto/store/loader_file.c
+++ b/crypto/store/loader_file.c
@ -480,12 +480,13 @@ static OSSL_STORE_INFO *try_decode_params(const char *pem_name,
        *matchcount = 1;
    }

-    if ((pkey = EVP_PKEY_new()) == NULL) {
-        OSSL_STOREerr(OSSL_STORE_F_TRY_DECODE_PARAMS, ERR_R_EVP_LIB);
-        return NULL;
-    }
-
    if (slen > 0) {
+        if ((pkey = EVP_PKEY_new()) == NULL) {
+            OSSL_STOREerr(OSSL_STORE_F_TRY_DECODE_PARAMS, ERR_R_EVP_LIB);
+            return NULL;
+        }
+
+
        if (EVP_PKEY_set_type_str(pkey, pem_name, slen)
            && (ameth = EVP_PKEY_get0_asn1(pkey)) != NULL
            && ameth->param_decode != NULL
@ -493,22 +494,37 @@ static OSSL_STORE_INFO *try_decode_params(const char *pem_name,
            ok = 1;
    } else {
        int i;
+        EVP_PKEY *tmp_pkey = NULL;

        for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) {
            const unsigned char *tmp_blob = blob;

+            if (tmp_pkey == NULL && (tmp_pkey = EVP_PKEY_new()) == NULL) {
+                OSSL_STOREerr(OSSL_STORE_F_TRY_DECODE_PARAMS, ERR_R_EVP_LIB);
+                break;
+            }
+
            ameth = EVP_PKEY_asn1_get0(i);
            if (ameth->pkey_flags & ASN1_PKEY_ALIAS)
                continue;
-            if (EVP_PKEY_set_type(pkey, ameth->pkey_id)
-                && (ameth = EVP_PKEY_get0_asn1(pkey)) != NULL
+
+            if (EVP_PKEY_set_type(tmp_pkey, ameth->pkey_id)
+                && (ameth = EVP_PKEY_get0_asn1(tmp_pkey)) != NULL
                && ameth->param_decode != NULL
-                && ameth->param_decode(pkey, &tmp_blob, len)) {
+                && ameth->param_decode(tmp_pkey, &tmp_blob, len)) {
+                if (pkey != NULL)
+                    EVP_PKEY_free(tmp_pkey);
+                else
+                    pkey = tmp_pkey;
+                tmp_pkey = NULL;
                (*matchcount)++;
-                ok = 1;
-                break;
            }
        }
+
+        EVP_PKEY_free(tmp_pkey);
+        if (*matchcount == 1) {
+            ok = 1;
+        }
    }

    if (ok)