kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't EVP_PKEY_copy_parameters when configuring cert and key.

Browse Source 
I believe this is a remnant of DSA. The logic strangely fails to check for
failure and then goes out of its way to ERR_clear_error. I believe this is so
that keys that are missing parameters silently move on. This dates to
upstream's dfeab0689f69c0b4bd3480ffd37a9cacc2f17d9c, which is SSLeay 0.9.1b. At
that time, EVP_PKEY_copy_parameters only did anything for DSA. (Now it only
does anything for ECDSA.)

My read is that this comes from DSA in PKIX's "optional domain parameters"
craziness. RFC 3279 says:

   If the DSA domain parameters are omitted from the SubjectPublicKeyInfo
   AlgorithmIdentifier and the CA signed the subject certificate using a
   signature algorithm other than DSA, then the subject's DSA domain parameters
   are distributed by other means.

This was probably part of some weird thing where, if your certificate is
missing parameters, the server would know what to use based on the private key.

(Also this was making the malloc tests unhappy.)

Change-Id: I8d8122a9f50a19e2bbe067f311a8e2d30774935c
Reviewed-on: https://boringssl-review.googlesource.com/3484
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2015-02-16 21:06:04 -05:00 committed by Adam Langley
parent fbdfefb76e
commit 310db06b79
1 changed files with 0 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ssl/ssl_rsa.c
View File

@ -182,12 +182,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) {
}
if (c->pkeys[i].x509 != NULL) {
EVP_PKEY *pktmp;
pktmp = X509_get_pubkey(c->pkeys[i].x509);
EVP_PKEY_copy_parameters(pktmp, pkey);
EVP_PKEY_free(pktmp);
ERR_clear_error();
/* Sanity-check that the private key and the certificate match, unless the
* key is opaque (in case of, say, a smartcard). */
if (!EVP_PKEY_is_opaque(pkey) &&
@ -375,9 +369,6 @@ static int ssl_set_cert(CERT *c, X509 *x) {
}
if (c->pkeys[i].privatekey != NULL) {
EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
ERR_clear_error();
/* Sanity-check that the private key and the certificate match, unless the
* key is opaque (in case of, say, a smartcard). */
if (!EVP_PKEY_is_opaque(c->pkeys[i].privatekey) &&