mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-27 05:21:51 +08:00
Code Issues Packages Projects Releases Wiki Activity
fc52ae8c4b
openssl/ssl
History
Matt Caswell fc52ae8c4b Don't copy parameters on setting a key in libssl 
Whenever we set a private key in libssl, we first found the certificate
that matched the key algorithm. Then we copied the key parameters from the
private key into the public key for the certficate before finally checking
that the private key matched the public key in the certificate. This makes
no sense! Part of checking the private key is to make sure that the
parameters match. It seems that this code has been present since SSLeay.
Perhaps at some point it made sense to do this - but it doesn't any more.

We remove that piece of code altogether. The previous code also had the
undocumented side effect of removing the certificate if the key didn't
match. This makes sense if you've just overwritten the parameters in the
certificate with bad values - but doesn't seem to otherwise. I've also
removed that error logic.

Due to issue #13893, the public key associated with the certificate is
always a legacy key. EVP_PKEY_copy_parameters will downgrade the "from"
key to legacy if the target is legacy, so this means that in libssl all
private keys were always downgraded to legacy when they are first set
in the SSL/SSL_CTX. Removing the EVP_PKEY_copy_parameters code has the
added benefit of removing that downgrade.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13899)
2021-01-22 09:30:53 +00:00
..
record Ensure DTLS free functions can handle NULL 2021-01-08 10:26:26 +00:00
statem Update SERVER_HELLO_MAX_LENGTH 2021-01-18 09:06:34 +00:00
bio_ssl.c
build.info
d1_lib.c Ensure DTLS free functions can handle NULL 2021-01-08 10:26:26 +00:00
d1_msg.c Update copyright year 2020-11-26 14:18:57 +00:00
d1_srtp.c
ktls.c ktls: Initial support for ChaCha20-Poly1305 2021-01-20 18:05:41 +01:00
methods.c
pqueue.c Update copyright year 2020-11-26 14:18:57 +00:00
s3_cbc.c
s3_enc.c Clean away extraneous library specific FETCH_FAILED reason codes 2021-01-12 19:02:11 +01:00
s3_lib.c Adding TLS group name retrieval 2021-01-08 17:04:46 +00:00
s3_msg.c Update copyright year 2020-11-26 14:18:57 +00:00
ssl_asn1.c Update copyright year 2020-11-26 14:18:57 +00:00
ssl_cert_table.h
ssl_cert.c Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 2021-01-13 09:09:36 +01:00
ssl_ciph.c Remove extra space. 2021-01-07 17:38:56 +01:00
ssl_conf.c
ssl_err_legacy.c
ssl_err.c Clean away extraneous library specific FETCH_FAILED reason codes 2021-01-12 19:02:11 +01:00
ssl_init.c
ssl_lib.c replace 'unsigned const char' with 'const unsigned char' 2021-01-09 00:20:16 +02:00
ssl_local.h Adding TLS group name retrieval 2021-01-08 17:04:46 +00:00
ssl_mcnf.c
ssl_rsa_legacy.c
ssl_rsa.c Don't copy parameters on setting a key in libssl 2021-01-22 09:30:53 +00:00
ssl_sess.c
ssl_stat.c
ssl_txt.c
ssl_utst.c
sslerr.h Update copyright year 2020-11-26 14:18:57 +00:00
t1_enc.c Clean away extraneous library specific FETCH_FAILED reason codes 2021-01-12 19:02:11 +01:00
t1_lib.c Adding TLS group name retrieval 2021-01-08 17:04:46 +00:00
t1_trce.c
tls13_enc.c Clean away extraneous library specific FETCH_FAILED reason codes 2021-01-12 19:02:11 +01:00
tls_depr.c
tls_srp.c