diff options
author | Norman Ashley <nashley@cisco.com> | 2020-07-10 19:01:32 -0400 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-09-21 11:29:52 +0200 |
commit | 56e8fe0b4efbf582e40ae91319727c9d176c5e1e (patch) | |
tree | 5175e5940e86afeec3f2d4e6e9ef9266ee6684cc | |
parent | fdcddd9357fcda1f0507fda0307d94e8244f2b51 (diff) |
Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK.
If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail
because the X509_check_private_key() can fail.
The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c
as a common place to check. Checks in ssl_rsa.c were removed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12419)
-rw-r--r-- | crypto/rsa/rsa_ameth.c | 9 | ||||
-rw-r--r-- | ssl/ssl_rsa.c | 26 |
2 files changed, 9 insertions, 26 deletions
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 6692a51ed8..cc686fcbda 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -118,6 +118,15 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { + /* + * Don't check the public/private key, this is mostly for smart + * cards. + */ + if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) + || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) { + return 1; + } + if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) return 0; diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index b9693527b3..51abd27e27 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -148,15 +148,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) EVP_PKEY_copy_parameters(pktmp, pkey); ERR_clear_error(); -#ifndef OPENSSL_NO_RSA - /* - * Don't check the public/private key, this is mostly for smart - * cards. - */ - if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA - && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ; - else -#endif if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { X509_free(c->pkeys[i].x509); c->pkeys[i].x509 = NULL; @@ -342,16 +333,6 @@ static int ssl_set_cert(CERT *c, X509 *x) EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); ERR_clear_error(); -#ifndef OPENSSL_NO_RSA - /* - * Don't check the public/private key, this is mostly for smart - * cards. - */ - if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA - && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) & - RSA_METHOD_FLAG_NO_CHECK) ; - else -#endif /* OPENSSL_NO_RSA */ if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { /* * don't fail for a cert/key mismatch, just free current private @@ -1082,13 +1063,6 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr EVP_PKEY_copy_parameters(pubkey, privatekey); } /* else both have parameters */ - /* Copied from ssl_set_cert/pkey */ -#ifndef OPENSSL_NO_RSA - if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) && - ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK))) - /* no-op */ ; - else -#endif /* check that key <-> cert match */ if (EVP_PKEY_cmp(pubkey, privatekey) != 1) { SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH); |