[GNUnet-SVN] [gnurl] 217/256: openssl: only verify RSA private key if su

gnunet-svn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GNUnet-SVN] [gnurl] 217/256: openssl: only verify RSA private key if su

From:	gnunet
Subject:	[GNUnet-SVN] [gnurl] 217/256: openssl: only verify RSA private key if supported
Date:	Fri, 06 Oct 2017 19:45:08 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit fa9482ab0907dfacd0fb619add2dbf41de2d8c9c
Author: Dirk Feytons <address@hidden>
AuthorDate: Thu Sep 21 09:57:32 2017 +0200

    openssl: only verify RSA private key if supported
    
    In some cases the RSA key does not support verifying it because it's
    located on a smart card, an engine wants to hide it, ...
    Check the flags on the key before trying to verify it.
    OpenSSL does the same thing internally; see ssl/ssl_rsa.c
    
    Closes #1904
---
 lib/vtls/openssl.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 786f6c09a..4253160aa 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -549,6 +549,7 @@ int cert_stuff(struct connectdata *conn,
 {
   struct Curl_easy *data = conn->data;
   char error_buffer[256];
+  bool check_privkey = TRUE;
 
   int file_type = do_file_type(cert_type);
 
@@ -836,17 +837,32 @@ int cert_stuff(struct connectdata *conn,
       EVP_PKEY_free(pktmp);
     }
 
+#ifndef OPENSSL_NO_RSA
+    {
+      /* If RSA is used, don't check the private key if its flags indicate
+       * it doesn't support it. */
+      EVP_PKEY *priv_key = SSL_get_privatekey(ssl);
+      if(EVP_PKEY_id(priv_key) == EVP_PKEY_RSA) {
+        RSA *rsa = EVP_PKEY_get1_RSA(priv_key);
+        if(RSA_flags(rsa) & RSA_METHOD_FLAG_NO_CHECK)
+          check_privkey = FALSE;
+        RSA_free(rsa); /* Decrement reference count */
+      }
+    }
+#endif
+
     SSL_free(ssl);
 
     /* If we are using DSA, we can copy the parameters from
      * the private key */
 
-
-    /* Now we know that a key and cert have been set against
-     * the SSL context */
-    if(!SSL_CTX_check_private_key(ctx)) {
-      failf(data, "Private key does not match the certificate public key");
-      return 0;
+    if(check_privkey == TRUE) {
+      /* Now we know that a key and cert have been set against
+       * the SSL context */
+      if(!SSL_CTX_check_private_key(ctx)) {
+        failf(data, "Private key does not match the certificate public key");
+        return 0;
+      }
     }
   }
   return 1;

-- 
To stop receiving notification emails like this one, please contact
address@hidden

[Prev in Thread]

Current Thread

[Next in Thread]

[GNUnet-SVN] [gnurl] 121/256: Curl_base64_encode: always call with a real data handle., (continued)
- [GNUnet-SVN] [gnurl] 121/256: Curl_base64_encode: always call with a real data handle., gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 153/256: curl.h: use lower case curl_mime* as for all public symbols, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 171/256: http-proxy: when not doing CONNECT, that phase is done immediately, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 175/256: configure: check for C++ compiler after C, to make it non-fatal, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 72/256: axtls: reorder functions topologically, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 165/256: HISTORY: added some recent items, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 132/256: tool_formparse: fix some trivial warnings, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 35/256: mailmap: de-duplify some git authors, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 221/256: imap: quote atoms properly when escaping characters, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 219/256: vtls: provide curl_global_sslset() even in non-SSL builds, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 217/256: openssl: only verify RSA private key if supported, gnunet <=
- [GNUnet-SVN] [gnurl] 59/256: darwinssl: handle long strings in TLS certs, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 73/256: schannel: reorder functions topologically, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 69/256: vtls: move sha256sum into the Curl_ssl struct, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 195/256: rtsp: Segfault in rtsp.c when using WRITEDATA, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 253/256: build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 30/256: metalink: adjust source code style, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 149/256: docs/curl_mime_*.3: added examples, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 93/256: configure: allow setting the default SSL backend, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 224/256: metalink: fix NSS issue in MultiSSL builds, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 198/256: non-ascii: use iconv() with 'char **' argument, gnunet, 2017/10/06

Prev by Date: [GNUnet-SVN] [gnurl] 219/256: vtls: provide curl_global_sslset() even in non-SSL builds
Next by Date: [GNUnet-SVN] [gnurl] 59/256: darwinssl: handle long strings in TLS certs
Previous by thread: [GNUnet-SVN] [gnurl] 219/256: vtls: provide curl_global_sslset() even in non-SSL builds
Next by thread: [GNUnet-SVN] [gnurl] 59/256: darwinssl: handle long strings in TLS certs
Index(es):
- Date
- Thread