Simplify two weirdly formatted pieces of code in ssl_rsa.c and stop

reaching into the EVP_PKEY struct. ok inoguchi jsing
author: tb <> 2021-11-26 16:40:02 +0000
committer: tb <> 2021-11-26 16:40:02 +0000
commit: 6b08604ab5e3fc8e6db10211d78a155d876da903 (patch)
tree: d20e0e9cb99fd3f42d9c0c3ef025d623f485014e /src
parent: eb64c7bee2160f4a36331f01c39a47cc051d579a (diff)
download: openbsd-6b08604ab5e3fc8e6db10211d78a155d876da903.tar.gz
openbsd-6b08604ab5e3fc8e6db10211d78a155d876da903.tar.bz2
openbsd-6b08604ab5e3fc8e6db10211d78a155d876da903.zip
1 files changed, 25 insertions, 27 deletions
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 1d2f5fc9b4..eb60c2a372 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.35 2021/10/23 16:11:30 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.36 2021/11/26 16:40:02 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -188,19 +188,18 @@ ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
                 * Don't check the public/private key, this is mostly
                 * for smart cards.
                 */
-                if ((pkey->type == EVP_PKEY_RSA) &&
+                if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
-                        (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
+                    !(RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK)) {
-;
+                        if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
-                else
+                                X509_free(c->pkeys[i].x509);
-                if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
+                                c->pkeys[i].x509 = NULL;
-                        X509_free(c->pkeys[i].x509);
+                                return 0;
-                        c->pkeys[i].x509 = NULL;
+                        }
-                        return 0;
                }
        }
        EVP_PKEY_free(c->pkeys[i].privatekey);
-        CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+        EVP_PKEY_up_ref(pkey);
        c->pkeys[i].privatekey = pkey;
        c->key = &(c->pkeys[i]);
@@ -363,29 +362,28 @@ ssl_set_cert(CERT *c, X509 *x)
        }
        if (c->pkeys[i].privatekey != NULL) {
-                EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
+                EVP_PKEY *priv_key = c->pkeys[i].privatekey;
+                EVP_PKEY_copy_parameters(pkey, priv_key);
                ERR_clear_error();
                /*
                 * Don't check the public/private key, this is mostly
                 * for smart cards.
                 */
-                if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
+                if (EVP_PKEY_id(priv_key) != EVP_PKEY_RSA ||
-                        (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
+                    !(RSA_flags(EVP_PKEY_get0_RSA(priv_key)) & RSA_METHOD_FLAG_NO_CHECK)) {
-                RSA_METHOD_FLAG_NO_CHECK))
+                        if (!X509_check_private_key(x, priv_key)) {
-;
+                                /*
-                else
+                                 * don't fail for a cert/key mismatch, just free
-                if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
+                                 * current private key (when switching to a
-                        /*
+                                 * different cert & key, first this function
-                         * don't fail for a cert/key mismatch, just free
+                                 * should be used, then ssl_set_pkey.
-                         * current private key (when switching to a different
+                                 */
-                         * cert & key, first this function should be used,
+                                EVP_PKEY_free(c->pkeys[i].privatekey);
-                         * then ssl_set_pkey
+                                c->pkeys[i].privatekey = NULL;
-                         */
+                                ERR_clear_error();
-                        EVP_PKEY_free(c->pkeys[i].privatekey);
+                        }
-                        c->pkeys[i].privatekey = NULL;
-                        /* clear error queue */
-                        ERR_clear_error();
                }
        }
author	tb <>	2021-11-26 16:40:02 +0000
committer	tb <>	2021-11-26 16:40:02 +0000
commit	6b08604ab5e3fc8e6db10211d78a155d876da903 (patch)
tree	d20e0e9cb99fd3f42d9c0c3ef025d623f485014e /src
parent	eb64c7bee2160f4a36331f01c39a47cc051d579a (diff)
download	openbsd-6b08604ab5e3fc8e6db10211d78a155d876da903.tar.gz openbsd-6b08604ab5e3fc8e6db10211d78a155d876da903.tar.bz2 openbsd-6b08604ab5e3fc8e6db10211d78a155d876da903.zip

diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index 1d2f5fc9b4..eb60c2a372 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_rsa.c,v 1.35 2021/10/23 16:11:30 tb Exp $ */	1	/* $OpenBSD: ssl_rsa.c,v 1.36 2021/11/26 16:40:02 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -188,19 +188,18 @@ ssl_set_pkey(CERT c, EVP_PKEY pkey)
188	* Don't check the public/private key, this is mostly	188	* Don't check the public/private key, this is mostly
189	* for smart cards.	189	* for smart cards.
190	*/	190	*/
191	if ((pkey->type == EVP_PKEY_RSA) &&	191	if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA \|\|
192	(RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))	192	!(RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK)) {
193	;	193	if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
194	else	194	X509_free(c->pkeys[i].x509);
195	if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {	195	c->pkeys[i].x509 = NULL;
196	X509_free(c->pkeys[i].x509);	196	return 0;
197	c->pkeys[i].x509 = NULL;	197	}
198	return 0;
199	}	198	}
200	}	199	}
201		200
202	EVP_PKEY_free(c->pkeys[i].privatekey);	201	EVP_PKEY_free(c->pkeys[i].privatekey);
203	CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);	202	EVP_PKEY_up_ref(pkey);
204	c->pkeys[i].privatekey = pkey;	203	c->pkeys[i].privatekey = pkey;
205	c->key = &(c->pkeys[i]);	204	c->key = &(c->pkeys[i]);
206		205
@@ -363,29 +362,28 @@ ssl_set_cert(CERT c, X509 x)
363	}	362	}
364		363
365	if (c->pkeys[i].privatekey != NULL) {	364	if (c->pkeys[i].privatekey != NULL) {
366	EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);	365	EVP_PKEY *priv_key = c->pkeys[i].privatekey;
		366
		367	EVP_PKEY_copy_parameters(pkey, priv_key);
367	ERR_clear_error();	368	ERR_clear_error();
368		369
369	/*	370	/*
370	* Don't check the public/private key, this is mostly	371	* Don't check the public/private key, this is mostly
371	* for smart cards.	372	* for smart cards.
372	*/	373	*/
373	if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&	374	if (EVP_PKEY_id(priv_key) != EVP_PKEY_RSA \|\|
374	(RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &	375	!(RSA_flags(EVP_PKEY_get0_RSA(priv_key)) & RSA_METHOD_FLAG_NO_CHECK)) {
375	RSA_METHOD_FLAG_NO_CHECK))	376	if (!X509_check_private_key(x, priv_key)) {
376	;	377	/*
377	else	378	* don't fail for a cert/key mismatch, just free
378	if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {	379	* current private key (when switching to a
379	/*	380	* different cert & key, first this function
380	* don't fail for a cert/key mismatch, just free	381	* should be used, then ssl_set_pkey.
381	* current private key (when switching to a different	382	*/
382	* cert & key, first this function should be used,	383	EVP_PKEY_free(c->pkeys[i].privatekey);
383	* then ssl_set_pkey	384	c->pkeys[i].privatekey = NULL;
384	*/	385	ERR_clear_error();
385	EVP_PKEY_free(c->pkeys[i].privatekey);	386	}
386	c->pkeys[i].privatekey = NULL;
387	/* clear error queue */
388	ERR_clear_error();
389	}	387	}
390	}	388	}
391		389