author | Richard Levitte <levitte@openssl.org> | 2020-10-04 16:34:31 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2020-11-18 23:38:34 +0100 |
commit | d7e498ac55f12bc2f4e7f948cbb8de2e3eeafc74 (patch) | |
tree | 755ca6bcbcd3b85d0371713d754b26f4a9d70250 /ssl | |
parent | b24d6c335d3beb431f8f9847623d4db39ae1f96b (diff) |
Deprecate RSA harder
This deprecates all functions that deal with the types RSA and RSA_METHOD
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13096)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/build.info | 2 | ||||
-rw-r--r-- | ssl/ssl_local.h | 1 | ||||
-rw-r--r-- | ssl/ssl_rsa.c | 171 | ||||
-rw-r--r-- | ssl/ssl_rsa_legacy.c | 180 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 3 | ||||
-rw-r--r-- | ssl/statem/statem_lib.c | 1 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 1 |
7 files changed, 185 insertions, 174 deletions
diff --git a/ssl/build.info b/ssl/build.info
index 36755819dd..4efd9d02cc 100644
--- a/ssl/build.info
+++ b/ssl/build.info
@@ -35,7 +35,7 @@ SOURCE[../libssl]=\
 statem/statem.c record/ssl3_record_tls13.c record/tls_pad.c \
 tls_depr.c $KTLSSRC
 IF[{- !$disabled{'deprecated-3.0'} -}]
- SOURCE[../libssl]=s3_cbc.c
+ SOURCE[../libssl]=s3_cbc.c ssl_rsa_legacy.c
 ENDIF
 DEFINE[../libssl]=$AESDEF
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index a14d97b8e9..3b76084831 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -21,7 +21,6 @@
 # include <openssl/buffer.h>
 # include <openssl/comp.h>
 # include <openssl/bio.h>
-# include <openssl/rsa.h>
 # include <openssl/dsa.h>
 # include <openssl/err.h>
 # include <openssl/ssl.h>
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 17e10eef6a..bfdd5ff43d 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -115,34 +115,6 @@ int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
 return ret;
 }
-#ifndef OPENSSL_NO_RSA
-int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
-{
- EVP_PKEY *pkey;
- int ret;
-
- if (rsa == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
- return 0;
- }
- if ((pkey = EVP_PKEY_new()) == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
- return 0;
- }
-
- RSA_up_ref(rsa);
- if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
- RSA_free(rsa);
- EVP_PKEY_free(pkey);
- return 0;
- }
-
- ret = ssl_set_pkey(ssl->cert, pkey);
- EVP_PKEY_free(pkey);
- return ret;
-}
-#endif
-
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
 {
 size_t i;
@@ -180,64 +152,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
 return 1;
 }
-#ifndef OPENSSL_NO_RSA
-int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
-{
- int j, ret = 0;
- BIO *in;
- RSA *rsa = NULL;
-
- in = BIO_new(BIO_s_file());
- if (in == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
- goto end;
- }
-
- if (BIO_read_filename(in, file) <= 0) {
- ERR_raise(ERR_LIB_SSL, ERR_R_SYS_LIB);
- goto end;
- }
- if (type == SSL_FILETYPE_ASN1) {
- j = ERR_R_ASN1_LIB;
- rsa = d2i_RSAPrivateKey_bio(in, NULL);
- } else if (type == SSL_FILETYPE_PEM) {
- j = ERR_R_PEM_LIB;
- rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
- ssl->default_passwd_callback,
- ssl->default_passwd_callback_userdata);
- } else {
- ERR_raise(ERR_LIB_SSL, SSL_R_BAD_SSL_FILETYPE);
- goto end;
- }
- if (rsa == NULL) {
- ERR_raise(ERR_LIB_SSL, j);
- goto end;
- }
- ret = SSL_use_RSAPrivateKey(ssl, rsa);
- RSA_free(rsa);
- end:
- BIO_free(in);
- return ret;
-}
-
-int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
-{
- int ret;
- const unsigned char *p;
- RSA *rsa;
-
- p = d;
- if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
- return 0;
- }
-
- ret = SSL_use_RSAPrivateKey(ssl, rsa);
- RSA_free(rsa);
- return ret;
-}
-#endif /* !OPENSSL_NO_RSA */
-
 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
 {
 int ret;
@@ -445,91 +359,6 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
 return ret;
 }
-#ifndef OPENSSL_NO_RSA
-int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
-{
- int ret;
- EVP_PKEY *pkey;
-
- if (rsa == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
- return 0;
- }
- if ((pkey = EVP_PKEY_new()) == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
- return 0;
- }
-
- RSA_up_ref(rsa);
- if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
- RSA_free(rsa);
- EVP_PKEY_free(pkey);
- return 0;
- }
-
- ret = ssl_set_pkey(ctx->cert, pkey);
- EVP_PKEY_free(pkey);
- return ret;
-}
-
-int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
-{
- int j, ret = 0;
- BIO *in;
- RSA *rsa = NULL;
-
- in = BIO_new(BIO_s_file());
- if (in == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
- goto end;
- }
-
- if (BIO_read_filename(in, file) <= 0) {
- ERR_raise(ERR_LIB_SSL, ERR_R_SYS_LIB);
- goto end;
- }
- if (type == SSL_FILETYPE_ASN1) {
- j = ERR_R_ASN1_LIB;
- rsa = d2i_RSAPrivateKey_bio(in, NULL);
- } else if (type == SSL_FILETYPE_PEM) {
- j = ERR_R_PEM_LIB;
- rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata);
- } else {
- ERR_raise(ERR_LIB_SSL, SSL_R_BAD_SSL_FILETYPE);
- goto end;
- }
- if (rsa == NULL) {
- ERR_raise(ERR_LIB_SSL, j);
- goto end;
- }
- ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
- RSA_free(rsa);
- end:
- BIO_free(in);
- return ret;
-}
-
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
- long len)
-{
- int ret;
- const unsigned char *p;
- RSA *rsa;
-
- p = d;
- if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
- return 0;
- }
-
- ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
- RSA_free(rsa);
- return ret;
-}
-#endif /* !OPENSSL_NO_RSA */
-
 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
 {
 if (pkey == NULL) {
diff --git a/ssl/ssl_rsa_legacy.c b/ssl/ssl_rsa_legacy.c
new file mode 100644
index 0000000000..49cd7a3bba
--- /dev/null
+++ b/ssl/ssl_rsa_legacy.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* We need to use the deprecated RSA low level calls */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+#include <openssl/ssl.h>
+
+int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
+{
+ EVP_PKEY *pkey;
+ int ret;
+
+ if (rsa == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+ if ((pkey = EVP_PKEY_new()) == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
+ return 0;
+ }
+
+ RSA_up_ref(rsa);
+ if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
+ RSA_free(rsa);
+ EVP_PKEY_free(pkey);
+ return 0;
+ }
+
+ ret = SSL_use_PrivateKey(ssl, pkey);
+ EVP_PKEY_free(pkey);
+ return ret;
+}
+
+int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
+{
+ int j, ret = 0;
+ BIO *in;
+ RSA *rsa = NULL;
+
+ in = BIO_new(BIO_s_file());
+ if (in == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
+ goto end;
+ }
+
+ if (BIO_read_filename(in, file) <= 0) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_SYS_LIB);
+ goto end;
+ }
+ if (type == SSL_FILETYPE_ASN1) {
+ j = ERR_R_ASN1_LIB;
+ rsa = d2i_RSAPrivateKey_bio(in, NULL);
+ } else if (type == SSL_FILETYPE_PEM) {
+ j = ERR_R_PEM_LIB;
+ rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
+ SSL_get_default_passwd_cb(ssl),
+ SSL_get_default_passwd_cb_userdata(ssl));
+ } else {
+ ERR_raise(ERR_LIB_SSL, SSL_R_BAD_SSL_FILETYPE);
+ goto end;
+ }
+ if (rsa == NULL) {
+ ERR_raise(ERR_LIB_SSL, j);
+ goto end;
+ }
+ ret = SSL_use_RSAPrivateKey(ssl, rsa);
+ RSA_free(rsa);
+ end:
+ BIO_free(in);
+ return ret;
+}
+
+int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
+{
+ int ret;
+ const unsigned char *p;
+ RSA *rsa;
+
+ p = d;
+ if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
+ return 0;
+ }
+
+ ret = SSL_use_RSAPrivateKey(ssl, rsa);
+ RSA_free(rsa);
+ return ret;
+}
+
+int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
+{
+ int ret;
+ EVP_PKEY *pkey;
+
+ if (rsa == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+ if ((pkey = EVP_PKEY_new()) == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
+ return 0;
+ }
+
+ RSA_up_ref(rsa);
+ if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
+ RSA_free(rsa);
+ EVP_PKEY_free(pkey);
+ return 0;
+ }
+
+ ret = SSL_CTX_use_PrivateKey(ctx, pkey);
+ EVP_PKEY_free(pkey);
+ return ret;
+}
+
+int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
+{
+ int j, ret = 0;
+ BIO *in;
+ RSA *rsa = NULL;
+
+ in = BIO_new(BIO_s_file());
+ if (in == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
+ goto end;
+ }
+
+ if (BIO_read_filename(in, file) <= 0) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_SYS_LIB);
+ goto end;
+ }
+ if (type == SSL_FILETYPE_ASN1) {
+ j = ERR_R_ASN1_LIB;
+ rsa = d2i_RSAPrivateKey_bio(in, NULL);
+ } else if (type == SSL_FILETYPE_PEM) {
+ j = ERR_R_PEM_LIB;
+ rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
+ SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx));
+ } else {
+ ERR_raise(ERR_LIB_SSL, SSL_R_BAD_SSL_FILETYPE);
+ goto end;
+ }
+ if (rsa == NULL) {
+ ERR_raise(ERR_LIB_SSL, j);
+ goto end;
+ }
+ ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
+ RSA_free(rsa);
+ end:
+ BIO_free(in);
+ return ret;
+}
+
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
+ long len)
+{
+ int ret;
+ const unsigned char *p;
+ RSA *rsa;
+
+ p = d;
+ if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
+ return 0;
+ }
+
+ ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
+ RSA_free(rsa);
+ return ret;
+}
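Review bot: `RSA_up_ref(rsa);` in SSL_use_RSAPrivateKey, and the identical sequence in SSL_CTX_use_RSAPrivateKey, discards the return value, so if the reference bump fails the following `EVP_PKEY_assign_RSA` hands `pkey` a reference this function never acquired and the `EVP_PKEY_free(pkey)` before `return ret` releases the caller's own reference out from under them. Every other failure path in this file checks and raises; this one should too, e.g. `if (!RSA_up_ref(rsa)) { ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); EVP_PKEY_free(pkey); return 0; }`. The assign-failure branch likewise returns 0 with nothing on the error queue, unlike the NULL-parameter and EVP_PKEY_new branches above it; an `ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);` before the two frees would make it consistent. Both were carried over verbatim from ssl_rsa.c, so they are pre-existing, but moving the code into a standalone legacy file is the natural point to fix them. Separately, the removed code sat under `#ifndef OPENSSL_NO_RSA` and this file has no equivalent guard; that is fine only if `no-rsa` is no longer a supported configuration, which this diff does not show.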
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 5b7b7cd5f5..277998f954 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -20,6 +20,7 @@
 #include <openssl/evp.h>
 #include <openssl/md5.h>
 #include <openssl/dh.h>
+#include <openssl/rsa.h>
 #include <openssl/bn.h>
 #include <openssl/engine.h>
 #include <openssl/trace.h>
@@ -2824,7 +2825,7 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt)
 }
 pkey = X509_get0_pubkey(s->session->peer);
- if (EVP_PKEY_get0_RSA(pkey) == NULL) {
+ if (!EVP_PKEY_is_a(pkey, "RSA")) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 return 0;
 }
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 2dd3bf1fbc..0773b42e0e 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -18,6 +18,7 @@
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include <openssl/trace.h>
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index c478c5a7e8..16bd24d103 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -20,6 +20,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/dh.h>
+#include <openssl/rsa.h>
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 #include <openssl/trace.h> |
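Review bot: The new test `if (!EVP_PKEY_is_a(pkey, "RSA"))` in tls_construct_cke_rsa still takes `pkey` straight from `X509_get0_pubkey(s->session->peer)`, which yields NULL when the peer certificate's key cannot be decoded, and nothing in this hunk shows whether EVP_PKEY_is_a tolerates a NULL key (the EVP_PKEY_get0_RSA it replaces presumably did not either, so this may be pre-existing). A local guard keeps the check self-contained regardless of what the helper does: `if (pkey == NULL || !EVP_PKEY_is_a(pkey, "RSA")) {`. Note also that the old test accepted any key get0_RSA would hand back, which I believe included RSA-PSS keys, whereas a name match on "RSA" likely does not; rejecting a PSS key before an RSA encrypt is arguably the right narrowing, but a one-line comment saying so (`/* RSA-PSS keys cannot be used for RSA key exchange */`) would stop the next reader from treating it as a regression. tls_construct_cke_rsa starts and ends outside this hunk.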