mirror of
https://github.com/openssl/openssl.git
synced 2024-12-03 05:41:46 +08:00
fc52ae8c4b
Whenever we set a private key in libssl, we first found the certificate that matched the key algorithm. Then we copied the key parameters from the private key into the public key for the certficate before finally checking that the private key matched the public key in the certificate. This makes no sense! Part of checking the private key is to make sure that the parameters match. It seems that this code has been present since SSLeay. Perhaps at some point it made sense to do this - but it doesn't any more. We remove that piece of code altogether. The previous code also had the undocumented side effect of removing the certificate if the key didn't match. This makes sense if you've just overwritten the parameters in the certificate with bad values - but doesn't seem to otherwise. I've also removed that error logic. Due to issue #13893, the public key associated with the certificate is always a legacy key. EVP_PKEY_copy_parameters will downgrade the "from" key to legacy if the target is legacy, so this means that in libssl all private keys were always downgraded to legacy when they are first set in the SSL/SSL_CTX. Removing the EVP_PKEY_copy_parameters code has the added benefit of removing that downgrade. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13899) |
||
---|---|---|
.. | ||
record | ||
statem | ||
bio_ssl.c | ||
build.info | ||
d1_lib.c | ||
d1_msg.c | ||
d1_srtp.c | ||
ktls.c | ||
methods.c | ||
pqueue.c | ||
s3_cbc.c | ||
s3_enc.c | ||
s3_lib.c | ||
s3_msg.c | ||
ssl_asn1.c | ||
ssl_cert_table.h | ||
ssl_cert.c | ||
ssl_ciph.c | ||
ssl_conf.c | ||
ssl_err_legacy.c | ||
ssl_err.c | ||
ssl_init.c | ||
ssl_lib.c | ||
ssl_local.h | ||
ssl_mcnf.c | ||
ssl_rsa_legacy.c | ||
ssl_rsa.c | ||
ssl_sess.c | ||
ssl_stat.c | ||
ssl_txt.c | ||
ssl_utst.c | ||
sslerr.h | ||
t1_enc.c | ||
t1_lib.c | ||
t1_trce.c | ||
tls13_enc.c | ||
tls_depr.c | ||
tls_srp.c |