CMS, PKCS7, and CRMF: simplify use of `EVP_PKEY_decrypt()` by helper function by DDvO · Pull Request #17354 · openssl/openssl

DDvO · 2021-12-25T12:48:54Z

Part of this has originally been carved out from #15283.

Factor out common decryption pattern involving two calls of EVP_PKEY_decrypt() within libcrypto, where further improvements such as those as discussed in Use of EVP_PKEY_decrypt() should be more secure #17319 can done there, at just one place for all these uses.
ssl/statem/statem_srvr.c: clean up handling of EVP_PKEY_decrypt() outlen
OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(): remove needless constant_time_* and ERR_clear_error() calls, as discussed in Fix spurious error queue entries while loading private keys #15283 (review)
cmp_http.c: Remove obsolete comment w.r.t. ERR_clear_error()

…nction Also remove needless constant_time_* and ERR_clear_error() calls from OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert().

beldmit

LGTM

openssl-machine · 2023-05-30T20:00:18Z

This pull request is ready to merge

Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: David von Oheimb <[email protected]> (Merged from #17354)

…nction Also remove needless constant_time_* and ERR_clear_error() calls from OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(). Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: David von Oheimb <[email protected]> (Merged from #17354)

DDvO · 2023-05-30T20:09:31Z

Merged - thanks @t8m and @beldmit for the swift approvals.

Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: David von Oheimb <[email protected]> (Merged from openssl/openssl#17354)

…nction Also remove needless constant_time_* and ERR_clear_error() calls from OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(). Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: David von Oheimb <[email protected]> (Merged from openssl/openssl#17354)

DDvO added triaged: bug The issue/pr is/fixes a bug branch: master Applies to master branch branch: 3.0 Applies to openssl-3.0 branch labels Dec 25, 2021

DDvO mentioned this pull request Dec 25, 2021

Fix spurious error queue entries while loading private keys #15283

Closed

t8m added the branch: 3.1 Applies to openssl-3.1 (EOL) label Oct 24, 2022

cmp_http.c: Remove obsolete comment w.r.t. ERR_clear_error()

706e086

DDvO added triaged: refactor The issue/pr requests/implements refactoring and removed branch: 3.0 Applies to openssl-3.0 branch branch: 3.1 Applies to openssl-3.1 (EOL) triaged: bug The issue/pr is/fixes a bug labels May 28, 2023

DDvO changed the title ~~Fix OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert~~ CMS, PKCS7, and CRMF: simplify use of EVP_PKEY_decrypt() by helper function May 28, 2023

DDvO marked this pull request as ready for review May 28, 2023 20:48

DDvO force-pushed the fix_OSSL_CRMF_get1_encCert branch from 3c0c9f9 to e6eb37c Compare May 28, 2023 20:48

DDvO added approval: review pending This pull request needs review by a committer approval: otc review pending labels May 28, 2023

github-actions bot added the severity: fips change The pull request changes FIPS provider sources label May 28, 2023

DDvO force-pushed the fix_OSSL_CRMF_get1_encCert branch from e6eb37c to cdad657 Compare May 28, 2023 20:54

DDvO added 2 commits May 29, 2023 06:51

ssl/statem_srvr.c: clean up handling of EVP_PKEY_decrypt() outlen

f02ca4e

CMS, PKCS7, and CRMF: simplify use of EVP_PKEY_decrypt() by helper fu…

3447895

…nction Also remove needless constant_time_* and ERR_clear_error() calls from OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert().

DDvO force-pushed the fix_OSSL_CRMF_get1_encCert branch from cdad657 to 3447895 Compare May 29, 2023 04:52

DDvO added the triaged: cleanup The issue/pr deals with cleanup of comments/docs not altering code significantly label May 29, 2023

t8m approved these changes May 29, 2023

View reviewed changes

t8m removed the approval: otc review pending label May 29, 2023

beldmit approved these changes May 29, 2023

View reviewed changes

beldmit added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels May 29, 2023

openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels May 30, 2023

DDvO closed this May 30, 2023

DDvO mentioned this pull request May 30, 2023

Use of EVP_PKEY_decrypt() should be more secure #17319

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CMS, PKCS7, and CRMF: simplify use of `EVP_PKEY_decrypt()` by helper function#17354

CMS, PKCS7, and CRMF: simplify use of `EVP_PKEY_decrypt()` by helper function#17354
DDvO wants to merge 3 commits intoopenssl:masterfrom
siemens:fix_OSSL_CRMF_get1_encCert

DDvO commented Dec 25, 2021 •

edited

Loading

Uh oh!

beldmit left a comment

Uh oh!

openssl-machine commented May 30, 2023

Uh oh!

DDvO commented May 30, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Uh oh!

Conversation

DDvO commented Dec 25, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

beldmit left a comment

Choose a reason for hiding this comment

Uh oh!

openssl-machine commented May 30, 2023

Uh oh!

DDvO commented May 30, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

DDvO commented Dec 25, 2021 •

edited

Loading