1 files changed, 75 insertions, 37 deletions
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 27113eba50..fb0bd4d045 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -131,7 +131,7 @@ end:
        }
 #endif
-int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
+int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len)
        {
        X509 *x;
        int ret;
@@ -181,7 +181,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
        {
-        int i;
+        int i,ok=0,bad=0;
        i=ssl_cert_type(NULL,pkey);
        if (i < 0)
@@ -202,18 +202,47 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
                /* Don't check the public/private key, this is mostly
                 * for smart cards. */
                if ((pkey->type == EVP_PKEY_RSA) &&
-                        (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
+                        (RSA_flags(pkey->pkey.rsa) &
-                        ;
+                         RSA_METHOD_FLAG_NO_CHECK))
+                         ok=1;
                else
 #endif
-                if (!X509_check_private_key(c->pkeys[i].x509,pkey))
+                     if (!X509_check_private_key(c->pkeys[i].x509,pkey))
                        {
-                        X509_free(c->pkeys[i].x509);
+                        if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
-                        c->pkeys[i].x509 = NULL;
+                                {
-                        return 0;
+                                i=(i == SSL_PKEY_DH_RSA)?
+                                        SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
+                                if (c->pkeys[i].x509 == NULL)
+                                        ok=1;
+                                else
+                                        {
+                                        if (!X509_check_private_key(
+                                                c->pkeys[i].x509,pkey))
+                                                bad=1;
+                                        else
+                                                ok=1;
+                                        }
+                                }
+                        else
+                                bad=1;
                        }
+                else
+                        ok=1;
+                }
+        else
+                ok=1;
+        if (bad)
+                {
+                X509_free(c->pkeys[i].x509);
+                c->pkeys[i].x509=NULL;
+                return(0);
                }
+        ERR_clear_error(); /* make sure no error from X509_check_private_key()
+                            * is left if we have chosen to ignore it */
        if (c->pkeys[i].privatekey != NULL)
                EVP_PKEY_free(c->pkeys[i].privatekey);
        CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
@@ -335,11 +364,6 @@ int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
                pkey=PEM_read_bio_PrivateKey(in,NULL,
                        ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
                }
-        else if (type == SSL_FILETYPE_ASN1)
-                {
-                j = ERR_R_ASN1_LIB;
-                pkey = d2i_PrivateKey_bio(in,NULL);
-                }
        else
                {
                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
@@ -358,10 +382,10 @@ end:
        }
 #endif
-int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
+int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len)
        {
        int ret;
-        const unsigned char *p;
+        unsigned char *p;
        EVP_PKEY *pkey;
        p=d;
@@ -394,7 +418,7 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
 static int ssl_set_cert(CERT *c, X509 *x)
        {
        EVP_PKEY *pkey;
-        int i;
+        int i,ok=0,bad=0;
        pkey=X509_get_pubkey(x);
        if (pkey == NULL)
@@ -422,23 +446,44 @@ static int ssl_set_cert(CERT *c, X509 *x)
                if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
                        (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
                         RSA_METHOD_FLAG_NO_CHECK))
-                         ;
+                         ok=1;
                else
-#endif /* OPENSSL_NO_RSA */
+#endif
+                {
                if (!X509_check_private_key(x,c->pkeys[i].privatekey))
                        {
-                        /* don't fail for a cert/key mismatch, just free
+                        if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
-                         * current private key (when switching to a different
+                                {
-                         * cert & key, first this function should be used,
+                                i=(i == SSL_PKEY_DH_RSA)?
-                         * then ssl_set_pkey */
+                                        SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
-                        EVP_PKEY_free(c->pkeys[i].privatekey);
-                        c->pkeys[i].privatekey=NULL;
+                                if (c->pkeys[i].privatekey == NULL)
-                        /* clear error queue */
+                                        ok=1;
-                        ERR_clear_error();
+                                else
+                                        {
+                                        if (!X509_check_private_key(x,
+                                                c->pkeys[i].privatekey))
+                                                bad=1;
+                                        else
+                                                ok=1;
+                                        }
+                                }
+                        else
+                                bad=1;
                        }
+                else
+                        ok=1;
+                } /* OPENSSL_NO_RSA */
                }
+        else
+                ok=1;
        EVP_PKEY_free(pkey);
+        if (bad)
+                {
+                EVP_PKEY_free(c->pkeys[i].privatekey);
+                c->pkeys[i].privatekey=NULL;
+                }
        if (c->pkeys[i].x509 != NULL)
                X509_free(c->pkeys[i].x509);
@@ -500,7 +545,7 @@ end:
        }
 #endif
-int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d)
        {
        X509 *x;
        int ret;
@@ -595,7 +640,7 @@ end:
        }
 #endif
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len)
        {
        int ret;
        const unsigned char *p;
@@ -654,11 +699,6 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
                pkey=PEM_read_bio_PrivateKey(in,NULL,
                        ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
                }
-        else if (type == SSL_FILETYPE_ASN1)
-                {
-                j = ERR_R_ASN1_LIB;
-                pkey = d2i_PrivateKey_bio(in,NULL);
-                }
        else
                {
                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
@@ -677,11 +717,11 @@ end:
        }
 #endif
-int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
+int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d,
             long len)
        {
        int ret;
-        const unsigned char *p;
+        unsigned char *p;
        EVP_PKEY *pkey;
        p=d;
@@ -708,8 +748,6 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
        int ret=0;
        X509 *x=NULL;
-        ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
        in=BIO_new(BIO_s_file_internal());
        if (in == NULL)
                {

diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index 27113eba50..fb0bd4d045 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c
@@ -131,7 +131,7 @@ end:
131	}	131	}
132	#endif	132	#endif
133		133
134	int SSL_use_certificate_ASN1(SSL ssl, const unsigned char d, int len)	134	int SSL_use_certificate_ASN1(SSL ssl, unsigned char d, int len)
135	{	135	{
136	X509 *x;	136	X509 *x;
137	int ret;	137	int ret;
@@ -181,7 +181,7 @@ int SSL_use_RSAPrivateKey(SSL ssl, RSA rsa)
181		181
182	static int ssl_set_pkey(CERT c, EVP_PKEY pkey)	182	static int ssl_set_pkey(CERT c, EVP_PKEY pkey)
183	{	183	{
184	int i;	184	int i,ok=0,bad=0;
185		185
186	i=ssl_cert_type(NULL,pkey);	186	i=ssl_cert_type(NULL,pkey);
187	if (i < 0)	187	if (i < 0)
@@ -202,18 +202,47 @@ static int ssl_set_pkey(CERT c, EVP_PKEY pkey)
202	/* Don't check the public/private key, this is mostly	202	/* Don't check the public/private key, this is mostly
203	* for smart cards. */	203	* for smart cards. */
204	if ((pkey->type == EVP_PKEY_RSA) &&	204	if ((pkey->type == EVP_PKEY_RSA) &&
205	(RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))	205	(RSA_flags(pkey->pkey.rsa) &
206	;	206	RSA_METHOD_FLAG_NO_CHECK))
		207	ok=1;
207	else	208	else
208	#endif	209	#endif
209	if (!X509_check_private_key(c->pkeys[i].x509,pkey))	210	if (!X509_check_private_key(c->pkeys[i].x509,pkey))
210	{	211	{
211	X509_free(c->pkeys[i].x509);	212	if ((i == SSL_PKEY_DH_RSA) \|\| (i == SSL_PKEY_DH_DSA))
212	c->pkeys[i].x509 = NULL;	213	{
213	return 0;	214	i=(i == SSL_PKEY_DH_RSA)?
		215	SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
		216
		217	if (c->pkeys[i].x509 == NULL)
		218	ok=1;
		219	else
		220	{
		221	if (!X509_check_private_key(
		222	c->pkeys[i].x509,pkey))
		223	bad=1;
		224	else
		225	ok=1;
		226	}
		227	}
		228	else
		229	bad=1;
214	}	230	}
		231	else
		232	ok=1;
		233	}
		234	else
		235	ok=1;
		236
		237	if (bad)
		238	{
		239	X509_free(c->pkeys[i].x509);
		240	c->pkeys[i].x509=NULL;
		241	return(0);
215	}	242	}
216		243
		244	ERR_clear_error(); /* make sure no error from X509_check_private_key()
		245	* is left if we have chosen to ignore it */
217	if (c->pkeys[i].privatekey != NULL)	246	if (c->pkeys[i].privatekey != NULL)
218	EVP_PKEY_free(c->pkeys[i].privatekey);	247	EVP_PKEY_free(c->pkeys[i].privatekey);
219	CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);	248	CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
@@ -335,11 +364,6 @@ int SSL_use_PrivateKey_file(SSL ssl, const char file, int type)
335	pkey=PEM_read_bio_PrivateKey(in,NULL,	364	pkey=PEM_read_bio_PrivateKey(in,NULL,
336	ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);	365	ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
337	}	366	}
338	else if (type == SSL_FILETYPE_ASN1)
339	{
340	j = ERR_R_ASN1_LIB;
341	pkey = d2i_PrivateKey_bio(in,NULL);
342	}
343	else	367	else
344	{	368	{
345	SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);	369	SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
@@ -358,10 +382,10 @@ end:
358	}	382	}
359	#endif	383	#endif
360		384
361	int SSL_use_PrivateKey_ASN1(int type, SSL ssl, const unsigned char d, long len)	385	int SSL_use_PrivateKey_ASN1(int type, SSL ssl, unsigned char d, long len)
362	{	386	{
363	int ret;	387	int ret;
364	const unsigned char *p;	388	unsigned char *p;
365	EVP_PKEY *pkey;	389	EVP_PKEY *pkey;
366		390
367	p=d;	391	p=d;
@@ -394,7 +418,7 @@ int SSL_CTX_use_certificate(SSL_CTX ctx, X509 x)
394	static int ssl_set_cert(CERT c, X509 x)	418	static int ssl_set_cert(CERT c, X509 x)
395	{	419	{
396	EVP_PKEY *pkey;	420	EVP_PKEY *pkey;
397	int i;	421	int i,ok=0,bad=0;
398		422
399	pkey=X509_get_pubkey(x);	423	pkey=X509_get_pubkey(x);
400	if (pkey == NULL)	424	if (pkey == NULL)
@@ -422,23 +446,44 @@ static int ssl_set_cert(CERT c, X509 x)
422	if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&	446	if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
423	(RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &	447	(RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
424	RSA_METHOD_FLAG_NO_CHECK))	448	RSA_METHOD_FLAG_NO_CHECK))
425	;	449	ok=1;
426	else	450	else
427	#endif /* OPENSSL_NO_RSA */	451	#endif
		452	{
428	if (!X509_check_private_key(x,c->pkeys[i].privatekey))	453	if (!X509_check_private_key(x,c->pkeys[i].privatekey))
429	{	454	{
430	/* don't fail for a cert/key mismatch, just free	455	if ((i == SSL_PKEY_DH_RSA) \|\| (i == SSL_PKEY_DH_DSA))
431	* current private key (when switching to a different	456	{
432	* cert & key, first this function should be used,	457	i=(i == SSL_PKEY_DH_RSA)?
433	* then ssl_set_pkey */	458	SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
434	EVP_PKEY_free(c->pkeys[i].privatekey);	459
435	c->pkeys[i].privatekey=NULL;	460	if (c->pkeys[i].privatekey == NULL)
436	/* clear error queue */	461	ok=1;
437	ERR_clear_error();	462	else
		463	{
		464	if (!X509_check_private_key(x,
		465	c->pkeys[i].privatekey))
		466	bad=1;
		467	else
		468	ok=1;
		469	}
		470	}
		471	else
		472	bad=1;
438	}	473	}
		474	else
		475	ok=1;
		476	} /* OPENSSL_NO_RSA */
439	}	477	}
		478	else
		479	ok=1;
440		480
441	EVP_PKEY_free(pkey);	481	EVP_PKEY_free(pkey);
		482	if (bad)
		483	{
		484	EVP_PKEY_free(c->pkeys[i].privatekey);
		485	c->pkeys[i].privatekey=NULL;
		486	}
442		487
443	if (c->pkeys[i].x509 != NULL)	488	if (c->pkeys[i].x509 != NULL)
444	X509_free(c->pkeys[i].x509);	489	X509_free(c->pkeys[i].x509);
@@ -500,7 +545,7 @@ end:
500	}	545	}
501	#endif	546	#endif
502		547
503	int SSL_CTX_use_certificate_ASN1(SSL_CTX ctx, int len, const unsigned char d)	548	int SSL_CTX_use_certificate_ASN1(SSL_CTX ctx, int len, unsigned char d)
504	{	549	{
505	X509 *x;	550	X509 *x;
506	int ret;	551	int ret;
@@ -595,7 +640,7 @@ end:
595	}	640	}
596	#endif	641	#endif
597		642
598	int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX ctx, const unsigned char d, long len)	643	int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX ctx, unsigned char d, long len)
599	{	644	{
600	int ret;	645	int ret;
601	const unsigned char *p;	646	const unsigned char *p;
@@ -654,11 +699,6 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX ctx, const char file, int type)
654	pkey=PEM_read_bio_PrivateKey(in,NULL,	699	pkey=PEM_read_bio_PrivateKey(in,NULL,
655	ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);	700	ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
656	}	701	}
657	else if (type == SSL_FILETYPE_ASN1)
658	{
659	j = ERR_R_ASN1_LIB;
660	pkey = d2i_PrivateKey_bio(in,NULL);
661	}
662	else	702	else
663	{	703	{
664	SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);	704	SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
@@ -677,11 +717,11 @@ end:
677	}	717	}
678	#endif	718	#endif
679		719
680	int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX ctx, const unsigned char d,	720	int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX ctx, unsigned char d,
681	long len)	721	long len)
682	{	722	{
683	int ret;	723	int ret;
684	const unsigned char *p;	724	unsigned char *p;
685	EVP_PKEY *pkey;	725	EVP_PKEY *pkey;
686		726
687	p=d;	727	p=d;
@@ -708,8 +748,6 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX ctx, const char file)
708	int ret=0;	748	int ret=0;
709	X509 *x=NULL;	749	X509 *x=NULL;
710		750
711	ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
712
713	in=BIO_new(BIO_s_file_internal());	751	in=BIO_new(BIO_s_file_internal());
714	if (in == NULL)	752	if (in == NULL)
715	{	753	{