Diffstat (limited to 'src/lib/libssl/ssl_rsa.c')
-rw-r--r--src/lib/libssl/ssl_rsa.c112
1 files changed, 37 insertions, 75 deletions
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index fb0bd4d045..27113eba50 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -131,7 +131,7 @@ end:
131 } 131 }
132#endif 132#endif
133 133
134int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len) 134int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
135 { 135 {
136 X509 *x; 136 X509 *x;
137 int ret; 137 int ret;
@@ -181,7 +181,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
181 181
182static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) 182static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
183 { 183 {
184 int i,ok=0,bad=0; 184 int i;
185 185
186 i=ssl_cert_type(NULL,pkey); 186 i=ssl_cert_type(NULL,pkey);
187 if (i < 0) 187 if (i < 0)
@@ -202,47 +202,18 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
202 /* Don't check the public/private key, this is mostly 202 /* Don't check the public/private key, this is mostly
203 * for smart cards. */ 203 * for smart cards. */
204 if ((pkey->type == EVP_PKEY_RSA) && 204 if ((pkey->type == EVP_PKEY_RSA) &&
205 (RSA_flags(pkey->pkey.rsa) & 205 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
206 RSA_METHOD_FLAG_NO_CHECK)) 206 ;
207 ok=1;
208 else 207 else
209#endif 208#endif
210 if (!X509_check_private_key(c->pkeys[i].x509,pkey)) 209 if (!X509_check_private_key(c->pkeys[i].x509,pkey))
211 { 210 {
212 if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) 211 X509_free(c->pkeys[i].x509);
213 { 212 c->pkeys[i].x509 = NULL;
214 i=(i == SSL_PKEY_DH_RSA)? 213 return 0;
215 SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
216
217 if (c->pkeys[i].x509 == NULL)
218 ok=1;
219 else
220 {
221 if (!X509_check_private_key(
222 c->pkeys[i].x509,pkey))
223 bad=1;
224 else
225 ok=1;
226 }
227 }
228 else
229 bad=1;
230 } 214 }
231 else
232 ok=1;
233 }
234 else
235 ok=1;
236
237 if (bad)
238 {
239 X509_free(c->pkeys[i].x509);
240 c->pkeys[i].x509=NULL;
241 return(0);
242 } 215 }
243 216
244 ERR_clear_error(); /* make sure no error from X509_check_private_key()
245 * is left if we have chosen to ignore it */
246 if (c->pkeys[i].privatekey != NULL) 217 if (c->pkeys[i].privatekey != NULL)
247 EVP_PKEY_free(c->pkeys[i].privatekey); 218 EVP_PKEY_free(c->pkeys[i].privatekey);
248 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY); 219 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
@@ -364,6 +335,11 @@ int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
364 pkey=PEM_read_bio_PrivateKey(in,NULL, 335 pkey=PEM_read_bio_PrivateKey(in,NULL,
365 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata); 336 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
366 } 337 }
338 else if (type == SSL_FILETYPE_ASN1)
339 {
340 j = ERR_R_ASN1_LIB;
341 pkey = d2i_PrivateKey_bio(in,NULL);
342 }
367 else 343 else
368 { 344 {
369 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE); 345 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
@@ -382,10 +358,10 @@ end:
382 } 358 }
383#endif 359#endif
384 360
385int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len) 361int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
386 { 362 {
387 int ret; 363 int ret;
388 unsigned char *p; 364 const unsigned char *p;
389 EVP_PKEY *pkey; 365 EVP_PKEY *pkey;
390 366
391 p=d; 367 p=d;
@@ -418,7 +394,7 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
418static int ssl_set_cert(CERT *c, X509 *x) 394static int ssl_set_cert(CERT *c, X509 *x)
419 { 395 {
420 EVP_PKEY *pkey; 396 EVP_PKEY *pkey;
421 int i,ok=0,bad=0; 397 int i;
422 398
423 pkey=X509_get_pubkey(x); 399 pkey=X509_get_pubkey(x);
424 if (pkey == NULL) 400 if (pkey == NULL)
@@ -446,44 +422,23 @@ static int ssl_set_cert(CERT *c, X509 *x)
446 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && 422 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
447 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & 423 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
448 RSA_METHOD_FLAG_NO_CHECK)) 424 RSA_METHOD_FLAG_NO_CHECK))
449 ok=1; 425 ;
450 else 426 else
451#endif 427#endif /* OPENSSL_NO_RSA */
452 {
453 if (!X509_check_private_key(x,c->pkeys[i].privatekey)) 428 if (!X509_check_private_key(x,c->pkeys[i].privatekey))
454 { 429 {
455 if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) 430 /* don't fail for a cert/key mismatch, just free
456 { 431 * current private key (when switching to a different
457 i=(i == SSL_PKEY_DH_RSA)? 432 * cert & key, first this function should be used,
458 SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA; 433 * then ssl_set_pkey */
459 434 EVP_PKEY_free(c->pkeys[i].privatekey);
460 if (c->pkeys[i].privatekey == NULL) 435 c->pkeys[i].privatekey=NULL;
461 ok=1; 436 /* clear error queue */
462 else 437 ERR_clear_error();
463 {
464 if (!X509_check_private_key(x,
465 c->pkeys[i].privatekey))
466 bad=1;
467 else
468 ok=1;
469 }
470 }
471 else
472 bad=1;
473 } 438 }
474 else
475 ok=1;
476 } /* OPENSSL_NO_RSA */
477 } 439 }
478 else
479 ok=1;
480 440
481 EVP_PKEY_free(pkey); 441 EVP_PKEY_free(pkey);
482 if (bad)
483 {
484 EVP_PKEY_free(c->pkeys[i].privatekey);
485 c->pkeys[i].privatekey=NULL;
486 }
487 442
488 if (c->pkeys[i].x509 != NULL) 443 if (c->pkeys[i].x509 != NULL)
489 X509_free(c->pkeys[i].x509); 444 X509_free(c->pkeys[i].x509);
@@ -545,7 +500,7 @@ end:
545 } 500 }
546#endif 501#endif
547 502
548int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d) 503int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
549 { 504 {
550 X509 *x; 505 X509 *x;
551 int ret; 506 int ret;
@@ -640,7 +595,7 @@ end:
640 } 595 }
641#endif 596#endif
642 597
643int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len) 598int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
644 { 599 {
645 int ret; 600 int ret;
646 const unsigned char *p; 601 const unsigned char *p;
@@ -699,6 +654,11 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
699 pkey=PEM_read_bio_PrivateKey(in,NULL, 654 pkey=PEM_read_bio_PrivateKey(in,NULL,
700 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); 655 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
701 } 656 }
657 else if (type == SSL_FILETYPE_ASN1)
658 {
659 j = ERR_R_ASN1_LIB;
660 pkey = d2i_PrivateKey_bio(in,NULL);
661 }
702 else 662 else
703 { 663 {
704 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE); 664 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
@@ -717,11 +677,11 @@ end:
717 } 677 }
718#endif 678#endif
719 679
720int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, 680int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
721 long len) 681 long len)
722 { 682 {
723 int ret; 683 int ret;
724 unsigned char *p; 684 const unsigned char *p;
725 EVP_PKEY *pkey; 685 EVP_PKEY *pkey;
726 686
727 p=d; 687 p=d;
@@ -748,6 +708,8 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
748 int ret=0; 708 int ret=0;
749 X509 *x=NULL; 709 X509 *x=NULL;
750 710
711 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
712
751 in=BIO_new(BIO_s_file_internal()); 713 in=BIO_new(BIO_s_file_internal());
752 if (in == NULL) 714 if (in == NULL)
753 { 715 {