authorjoe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>2016-09-26 21:12:37 +0000
committerjoe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>2016-09-26 21:12:37 +0000
commit34ba756911bd8282d9391bc44d1625f3e3435139 (patch)
tree8e3d1c1eb2542d4648ff3e26779b204710291fdd
parentdf0731d81c9fe1a14903b29c31efb2bbf88ecc1b (diff)
* src/ne_openssl.c (ne__ssl_clicert_exkey_import): Rewrite to be
OpenSSL 1.1 compatible. Catch non-RSA keys early. git-svn-id: http://svn.webdav.org/repos/projects/neon/trunk@1975 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
-rw-r--r--src/ne_openssl.c37
1 files changed, 21 insertions, 16 deletions
diff --git a/src/ne_openssl.c b/src/ne_openssl.c
index 30fb1e9..c96f50f 100644
--- a/src/ne_openssl.c
+++ b/src/ne_openssl.c
@@ -73,6 +73,7 @@ typedef const unsigned char ne_d2i_uchar;
#define EVP_MD_CTX_new() ne_calloc(sizeof(EVP_MD_CTX))
#define EVP_MD_CTX_free(ctx) ne_free(ctx)
#define EVP_MD_CTX_reset EVP_MD_CTX_cleanup
+#define EVP_PKEY_get0_RSA(evp) (evp->pkey.rsa)
#endif
struct ne_ssl_dname_s {
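Review bot: The compat macro added in this hunk expands its argument unparenthesized, so an argument that is an expression (for example `*pp`) would bind wrongly against `->`; `#define EVP_PKEY_get0_RSA(evp) ((evp)->pkey.rsa)` avoids that. A one-line comment such as `/* Like the 1.1 accessor: returns the internal RSA pointer without taking a reference. */` would also make the ownership at the call site explicit.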
@@ -933,8 +934,8 @@ ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der,
ne_ssl_client_cert *cc;
ne_d2i_uchar *p;
X509 *x5;
- RSA *pk;
- EVP_PKEY *epk, *tpk;
+ EVP_PKEY *pubkey, *privkey;
+ RSA *rsa;
p = der;
x5 = d2i_X509(NULL, &p, der_len); /* p is incremented */
@@ -942,24 +943,28 @@ ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der,
ERR_clear_error();
return NULL;
}
+
+ pubkey = X509_get_pubkey(x5);
+ if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) {
+ X509_free(x5);
+ NE_DEBUG(NE_DBG_SSL, "ssl: Only RSA private keys are supported via PKCS#11.\n");
+ return NULL;
+ }
+
+ /* Duplicate the public parameters of the RSA key. */
+ rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(pubkey));
+ /* Done with the copied public key. */
+ EVP_PKEY_free(pubkey);
- pk = RSA_new();
- RSA_set_method(pk, method);
- epk = EVP_PKEY_new();
- EVP_PKEY_assign_RSA(epk, pk);
+ /* Switch to using customer RSA_METHOD for RSA object. */
+ RSA_set_method(rsa, method);
+ /* Set up new EVP_PKEY. */
+ privkey = EVP_PKEY_new();
+ EVP_PKEY_assign_RSA(privkey, rsa);
- /* It is necessary to initialize pk->n otherwise OpenSSL will barf
- * later calling RSA_size() on this RSA structure.
- * X509_get_pubkey() forces the relevant RSA parameters to be
- * extracted from the certificate. */
- tpk = X509_get_pubkey(x5);
- pk->n = BN_dup(tpk->pkey.rsa->n);
- EVP_PKEY_free(tpk);
-
cc = ne_calloc(sizeof *cc);
-
cc->decrypted = 1;
- cc->pkey = epk;
+ cc->pkey = privkey;
populate_cert(&cc->cert, x5);
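Review bot: The non-RSA early return frees `x5` but not `pubkey`, so the reference taken by `X509_get_pubkey()` leaks on that path, and `pubkey` itself is passed to `EVP_PKEY_base_id()` without a NULL check. `X509_get_pubkey()` returns NULL when the certificate's public key cannot be decoded, and since `der` is parsed input that would presumably turn a malformed certificate into a NULL dereference. `RSAPublicKey_dup()` can also fail, after which `RSA_set_method(rsa, method)` is called on NULL. The changes below cover these three paths; the `EVP_PKEY_new()` result is likewise unchecked, and the function body starts and ends outside the hunk.

```c
    pubkey = X509_get_pubkey(x5);
    if (pubkey == NULL || EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) {
        EVP_PKEY_free(pubkey); /* no-op on NULL; otherwise drops the reference from X509_get_pubkey */
        X509_free(x5);
        /* … unchanged: NE_DEBUG message, return NULL … */
    }

    rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(pubkey));
    EVP_PKEY_free(pubkey);
    if (rsa == NULL) {
        X509_free(x5);
        ERR_clear_error();
        return NULL;
    }
    /* … unchanged: RSA_set_method, EVP_PKEY_new, EVP_PKEY_assign_RSA … */
```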