kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
310db06b79
boringssl/ssl
History
David Benjamin 310db06b79 Don't EVP_PKEY_copy_parameters when configuring cert and key. 
I believe this is a remnant of DSA. The logic strangely fails to check for
failure and then goes out of its way to ERR_clear_error. I believe this is so
that keys that are missing parameters silently move on. This dates to
upstream's dfeab0689f69c0b4bd3480ffd37a9cacc2f17d9c, which is SSLeay 0.9.1b. At
that time, EVP_PKEY_copy_parameters only did anything for DSA. (Now it only
does anything for ECDSA.)

My read is that this comes from DSA in PKIX's "optional domain parameters"
craziness. RFC 3279 says:

   If the DSA domain parameters are omitted from the SubjectPublicKeyInfo
   AlgorithmIdentifier and the CA signed the subject certificate using a
   signature algorithm other than DSA, then the subject's DSA domain parameters
   are distributed by other means.

This was probably part of some weird thing where, if your certificate is
missing parameters, the server would know what to use based on the private key.

(Also this was making the malloc tests unhappy.)

Change-Id: I8d8122a9f50a19e2bbe067f311a8e2d30774935c
Reviewed-on: https://boringssl-review.googlesource.com/3484
Reviewed-by: Adam Langley <agl@google.com>
2015-02-17 21:03:29 +00:00
..
pqueue Fix memory leak in pqueue_test. 2015-02-11 23:18:45 +00:00
test Add some missing error failure checks. 2015-02-17 20:55:56 +00:00
CMakeLists.txt Precompute sorted array for error strings. 2015-02-09 17:35:31 -08:00
d1_both.c Handle failures in ssl3_finish_mac. 2015-02-17 21:01:37 +00:00
d1_clnt.c Add in missing curly braces part 3. 2015-02-11 15:14:46 -08:00
d1_lib.c Handle failures in ssl3_finish_mac. 2015-02-17 21:01:37 +00:00
d1_meth.c Implement SSL_clear with ssl_new and ssl_free. 2015-01-12 22:35:58 +00:00
d1_pkt.c Initialize the record buffers after the handshake check. 2015-02-09 19:49:45 +00:00
d1_srtp.c Store SRTP_PROTECTION_PROFILES as const. 2015-01-14 22:10:08 +00:00
d1_srvr.c Remove server-side HelloVerifyRequest support. 2015-02-17 20:50:08 +00:00
s3_both.c Handle failures in ssl3_finish_mac. 2015-02-17 21:01:37 +00:00
s3_clnt.c Handle failures in ssl3_finish_mac. 2015-02-17 21:01:37 +00:00
s3_enc.c Handle failures in ssl3_finish_mac. 2015-02-17 21:01:37 +00:00
s3_lib.c Handle failures in ssl3_finish_mac. 2015-02-17 21:01:37 +00:00
s3_meth.c Implement SSL_clear with ssl_new and ssl_free. 2015-01-12 22:35:58 +00:00
s3_pkt.c Rename cutthrough to False Start. 2015-02-17 20:51:22 +00:00
s3_srvr.c Handle failures in ssl3_finish_mac. 2015-02-17 21:01:37 +00:00
ssl_algs.c Precompute sorted array for error strings. 2015-02-09 17:35:31 -08:00
ssl_asn1.c Remove SSL_SESSION::cipher_id. 2015-01-14 21:10:55 +00:00
ssl_cert.c Add in missing curly braces part 3. 2015-02-11 15:14:46 -08:00
ssl_ciph.c Add SSL_CIPHER_get_rfc_name. 2015-02-09 17:31:28 -08:00
ssl_lib.c Add some missing error failure checks. 2015-02-17 20:55:56 +00:00
ssl_locl.h Handle failures in ssl3_finish_mac. 2015-02-17 21:01:37 +00:00
ssl_rsa.c Don't EVP_PKEY_copy_parameters when configuring cert and key. 2015-02-17 21:03:29 +00:00
ssl_sess.c Remove server-side HelloVerifyRequest support. 2015-02-17 20:50:08 +00:00
ssl_stat.c Remove server-side HelloVerifyRequest support. 2015-02-17 20:50:08 +00:00
ssl_test.c Fix standalone build on Win64. 2015-02-11 23:13:52 +00:00
ssl_txt.c Add in missing curly braces part 3. 2015-02-11 15:14:46 -08:00
t1_enc.c Add some missing error failure checks. 2015-02-17 20:55:56 +00:00
t1_lib.c Add some missing error failure checks. 2015-02-17 20:55:56 +00:00
t1_reneg.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00