97 lines
3.6 KiB
Diff
97 lines
3.6 KiB
Diff
From 56e8fe0b4efbf582e40ae91319727c9d176c5e1e Mon Sep 17 00:00:00 2001
|
|
From: Norman Ashley <nashley@cisco.com>
|
|
Date: Fri, 10 Jul 2020 19:01:32 -0400
|
|
Subject: [PATCH 071/147] Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP
|
|
sign
|
|
|
|
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK.
|
|
If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail
|
|
because the X509_check_private_key() can fail.
|
|
|
|
The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c
|
|
as a common place to check. Checks in ssl_rsa.c were removed.
|
|
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
|
|
(Merged from https://github.com/openssl/openssl/pull/12419)
|
|
---
|
|
crypto/rsa/rsa_ameth.c | 9 +++++++++
|
|
ssl/ssl_rsa.c | 26 --------------------------
|
|
2 files changed, 9 insertions(+), 26 deletions(-)
|
|
|
|
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
|
|
index 6692a51..cc686fc 100644
|
|
--- a/crypto/rsa/rsa_ameth.c
|
|
+++ b/crypto/rsa/rsa_ameth.c
|
|
@@ -118,6 +118,15 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
|
|
|
|
static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
|
|
{
|
|
+ /*
|
|
+ * Don't check the public/private key, this is mostly for smart
|
|
+ * cards.
|
|
+ */
|
|
+ if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
|
|
+ || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) {
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
|
|
|| BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
|
|
return 0;
|
|
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
|
|
index b969352..51abd27 100644
|
|
--- a/ssl/ssl_rsa.c
|
|
+++ b/ssl/ssl_rsa.c
|
|
@@ -148,15 +148,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
|
|
EVP_PKEY_copy_parameters(pktmp, pkey);
|
|
ERR_clear_error();
|
|
|
|
-#ifndef OPENSSL_NO_RSA
|
|
- /*
|
|
- * Don't check the public/private key, this is mostly for smart
|
|
- * cards.
|
|
- */
|
|
- if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
|
|
- && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
|
|
- else
|
|
-#endif
|
|
if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
|
|
X509_free(c->pkeys[i].x509);
|
|
c->pkeys[i].x509 = NULL;
|
|
@@ -342,16 +333,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
|
|
EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
|
|
ERR_clear_error();
|
|
|
|
-#ifndef OPENSSL_NO_RSA
|
|
- /*
|
|
- * Don't check the public/private key, this is mostly for smart
|
|
- * cards.
|
|
- */
|
|
- if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
|
|
- && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
|
|
- RSA_METHOD_FLAG_NO_CHECK) ;
|
|
- else
|
|
-#endif /* OPENSSL_NO_RSA */
|
|
if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
|
|
/*
|
|
* don't fail for a cert/key mismatch, just free current private
|
|
@@ -1082,13 +1063,6 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr
|
|
EVP_PKEY_copy_parameters(pubkey, privatekey);
|
|
} /* else both have parameters */
|
|
|
|
- /* Copied from ssl_set_cert/pkey */
|
|
-#ifndef OPENSSL_NO_RSA
|
|
- if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) &&
|
|
- ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK)))
|
|
- /* no-op */ ;
|
|
- else
|
|
-#endif
|
|
/* check that key <-> cert match */
|
|
if (EVP_PKEY_cmp(pubkey, privatekey) != 1) {
|
|
SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH);
|
|
--
|
|
1.8.3.1
|
|
|