From: Nicola Tuveri
Date: Mon, 9 Nov 2020 20:35:28 +0000 (+0200)
Subject: [apps/pkey] Return error on failed `-[pub]check`
X-Git-Tag: openssl-3.0.0-alpha11~156
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed37336b6383cacbcbb8f6b1334eba0ad43530d5;p=thirdparty%2Fopenssl.git

[apps/pkey] Return error on failed `-[pub]check`

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/13359)
---
diff --git a/CHANGES.md b/CHANGES.md
index 94bf750ffc1..ec815915a2e 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,12 @@ OpenSSL 3.0
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+ * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
+ switches: a validation failure triggers an early exit, returning a failure
+ exit status to the parent process.
+
+ *Nicola Tuveri*
+
 * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites()
 to ignore unknown ciphers.
diff --git a/apps/pkey.c b/apps/pkey.c
index 65988a8fc2f..67dc8c012c3 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -82,6 +82,7 @@ int pkey_main(int argc, char **argv)
 BIO *in = NULL, *out = NULL;
 ENGINE *e = NULL;
 EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
 const EVP_CIPHER *cipher = NULL;
 char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL;
 char *passinarg = NULL, *passoutarg = NULL, *prog;
@@ -231,7 +232,6 @@ int pkey_main(int argc, char **argv)
 
 if (check || pub_check) {
 int r;
- EVP_PKEY_CTX *ctx;
 
 ctx = EVP_PKEY_CTX_new(pkey, e);
 if (ctx == NULL) {
@@ -260,8 +260,8 @@ int pkey_main(int argc, char **argv)
 ERR_reason_error_string(err));
 ERR_get_error(); /* remove err from error stack */
 }
+ goto end;
 }
- EVP_PKEY_CTX_free(ctx);
 }
 
 if (!noout) {
@@ -313,6 +313,7 @@ int pkey_main(int argc, char **argv)
 end:
 if (ret != 0)
 ERR_print_errors(bio_err);
+ EVP_PKEY_CTX_free(ctx);
 EVP_PKEY_free(pkey);
 release_engine(e);
 BIO_free_all(out);
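Review bot: The added `goto end;` in the -260,8 hunk leaves the failure exit status implicit: it relies on `ret` still holding its initial non-zero value when the check fails, and nothing in the hunk shows where `ret` is assigned, so a later change to the success path could silently turn a failed check back into a zero exit. Making it explicit at the point of failure, `ret = 1; goto end;` (or whatever value this app uses for failure), documents the intent and decouples it from statement order. Note too that the branch this jump sits in appears to cover every result other than 1, so if the underlying check call can report "unsupported" as a distinct negative return (EVP_PKEY_check is documented to do so), that case now also exits with failure status after printing the "Key is invalid" message; a short comment on the `goto` stating that unsupported counts as failure, or a separate message for it, would avoid surprising callers. pkey_main's body continues outside the hunk on both sides, and the `EVP_PKEY_CTX_free(ctx)` moved to `end:` in the -313,6 hunk is safe only because `ctx` is now NULL-initialised at function scope in the -82,6 hunk, which is worth saying in a comment next to the declaration.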