Workaround for key caching in OpenSSL > 1.1.0
Since v.1.1.0 the key caching has been added to OpenSSL. After X.509 had been parsed there is no point in changing of key algorithm as the key had already been decoded and cached result will be returned anyway. (check crypto/x509/x_pubkey.c: X509_PUBKEY_get0())
This commit is contained in:
parent
ba804fa723
commit
a3dfceefc2
32
ssl.c
32
ssl.c
@ -161,6 +161,11 @@ rdssl_cert_to_rkey(RDSSL_CERT * cert, uint32 * key_len)
|
|||||||
int nid;
|
int nid;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
|
const unsigned char *p;
|
||||||
|
int pklen;
|
||||||
|
|
||||||
|
RSA *rsa = NULL;
|
||||||
|
|
||||||
/* By some reason, Microsoft sets the OID of the Public RSA key to
|
/* By some reason, Microsoft sets the OID of the Public RSA key to
|
||||||
the oid for "MD5 with RSA Encryption" instead of "RSA Encryption"
|
the oid for "MD5 with RSA Encryption" instead of "RSA Encryption"
|
||||||
|
|
||||||
@ -194,10 +199,35 @@ rdssl_cert_to_rkey(RDSSL_CERT * cert, uint32 * key_len)
|
|||||||
|
|
||||||
if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption))
|
if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption))
|
||||||
{
|
{
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
logger(Protocol, Debug,
|
logger(Protocol, Debug,
|
||||||
"rdssl_cert_to_key(), re-setting algorithm type to RSA in server certificate");
|
"rdssl_cert_to_key(), re-setting algorithm type to RSA in server certificate");
|
||||||
X509_PUBKEY_set0_param(key, OBJ_nid2obj(NID_rsaEncryption), 0, NULL, NULL, 0);
|
X509_PUBKEY_set0_param(key, OBJ_nid2obj(NID_rsaEncryption), 0, NULL, NULL, 0);
|
||||||
|
#else
|
||||||
|
|
||||||
|
if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, key)) {
|
||||||
|
logger(Protocol, Error,
|
||||||
|
"rdssl_cert_to_key(), failed to get algorithm used for public key");
|
||||||
|
rdssl_log_ssl_errors("rdssl_cert_to_key()");
|
||||||
|
|
||||||
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) {
|
||||||
|
logger(Protocol, Error,
|
||||||
|
"rdssl_cert_to_key(), failed to extract public key from certificate");
|
||||||
|
rdssl_log_ssl_errors("rdssl_cert_to_key()");
|
||||||
|
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
lkey = RSAPublicKey_dup(rsa);
|
||||||
|
*key_len = RSA_size(lkey);
|
||||||
|
return lkey;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
epk = X509_get_pubkey(cert);
|
epk = X509_get_pubkey(cert);
|
||||||
if (NULL == epk)
|
if (NULL == epk)
|
||||||
{
|
{
|
||||||
@ -256,7 +286,7 @@ rdssl_rkey_get_exp_mod(RDSSL_RKEY * rkey, uint8 * exponent, uint32 max_exp_len,
|
|||||||
e = rkey->e;
|
e = rkey->e;
|
||||||
n = rkey->n;
|
n = rkey->n;
|
||||||
#else
|
#else
|
||||||
RSA_get0_key(rkey, &e, &n, NULL);
|
RSA_get0_key(rkey, &n, &e, NULL);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if ((BN_num_bytes(e) > (int) max_exp_len) || (BN_num_bytes(n) > (int) max_mod_len))
|
if ((BN_num_bytes(e) > (int) max_exp_len) || (BN_num_bytes(n) > (int) max_mod_len))
|
||||||
|
Loading…
Reference in New Issue
Block a user