-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL 3: x25519 a decode from and then encode to a pem file corrupts the key if fips base provider is used #21493
Labels
branch: master
Merge to master branch
severity: regression
The issue/pr is a regression from previous released version
triaged: bug
The issue/pr is/fixes a bug
Comments
This was referenced Jul 19, 2023
paulidale
added
branch: master
Merge to master branch
triaged: bug
The issue/pr is/fixes a bug
severity: regression
The issue/pr is a regression from previous released version
and removed
issue: bug report
The issue was opened to report a bug
labels
Jul 19, 2023
t8m
added a commit
to t8m/openssl
that referenced
this issue
Jul 21, 2023
When decoding 0 as the selection means to decode anything you get. However when exporting and then importing the key data 0 as selection is not meaningful. So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import function export/import everything that we have decoded. Fixes openssl#21493
Wow, thank you for the PR! I will try the fixes, and will let you know the result here! |
openssl-machine
pushed a commit
that referenced
this issue
Aug 4, 2023
When decoding 0 as the selection means to decode anything you get. However when exporting and then importing the key data 0 as selection is not meaningful. So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import function export/import everything that we have decoded. Fixes #21493 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Todd Short <[email protected]> (Merged from #21519) (cherry picked from commit 2acb0d3)
openssl-machine
pushed a commit
that referenced
this issue
Aug 4, 2023
When decoding 0 as the selection means to decode anything you get. However when exporting and then importing the key data 0 as selection is not meaningful. So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import function export/import everything that we have decoded. Fixes #21493 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Todd Short <[email protected]> (Merged from #21519) (cherry picked from commit 2acb0d3) (cherry picked from commit 137ba05)
This was referenced Aug 8, 2023
xl32
pushed a commit
to xl32/openssl
that referenced
this issue
Sep 29, 2023
When decoding 0 as the selection means to decode anything you get. However when exporting and then importing the key data 0 as selection is not meaningful. So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import function export/import everything that we have decoded. Fixes openssl#21493 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Todd Short <[email protected]> (Merged from openssl#21519) (cherry picked from commit 2acb0d3) (cherry picked from commit 137ba05)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
branch: master
Merge to master branch
severity: regression
The issue/pr is a regression from previous released version
triaged: bug
The issue/pr is/fixes a bug
This issue ticket is for the x25519 crypto version of another issue with ed25519 crypto: #20758 (comment). As the issue with the ed25519 has a difficulty to reproduce with OpenSSL master branch, and includes another issue. So, I created this issue ticket not to mix the 2 issues. And as we can reproduce this issue with the x25519 crypto file on the master branch (OpenSSL 3.2.0.dev), it's more convenient to debug and fix it.
I checked this issue on the current latest master branch
8c34367e434c6b9555f21cc4fc77a18d6ef84a85
. The x25519 crypto is approved in the FIPS case in the master branch as a reference.Summary
When reading a x25519 crypto public key pem file, then encoding and decoding it in FIPS case with "base" and "fips" providers, the decoded text is different from the original one in only FIPS case.
Reproducing steps
I prepared the reproducing program whose repository name was previously "report-openssl-fips-ed25519" and used in the #20758.
Prepare the x25519 public key pem file.
Compile the reproducing program with the targeting OpenSSL.
Non-FIPS case
The decoded text is the same with the original PEM file. This is ok.
FIPS case
The decode text is different from the original PEM file. This is not ok.
The text was updated successfully, but these errors were encountered: