[openssl-dev] [openssl.org #3837] Bug in SSL_CTX_check_private_key?

Viktor Dukhovni openssl-users at dukhovni.org
Wed May 6 16:10:49 UTC 2015


On Wed, May 06, 2015 at 05:58:31PM +0200, Dmitry Belyavsky via RT wrote:

> It seems to me there is a bug in the SSL_CTX_check_private_key function.
> 
> The function ignores the RSA_METHOD_FLAG_NO_CHECK flag and always tries to
> check public/private key match.

I think that's deliberate and correct.  When an application calls
SSL_CTX_check_private_key(), the key should be checked.  Nothing
in libssl calls this function; it is provided to applications that
want to explicitly check the key.

The fact that this flag is algorithm-specific is also odd; if it
is useful for RSA, it should be useful for ECDSA, etc.  It seems
rather an odd feature.

> The only place in real code where this function is used is in
> the set_cert_key_stuff function, just after the calls
> to SSL_CTX_use_certificate and SSL_CTX_use_PrivateKey, which carefully
> process the flag.

That's application code (for openssl(1)).

> I would like to suggest a small patch providing the necessary check for
> RSA_METHOD_FLAG_NO_CHECK here.

I am not convinced this change is correct.  The function would then
not do what it is supposed to do.  The flag suppresses implicit
checks only, but suppressing explicit checks seems unexpected.

-- 
	Viktor.
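
The reply above separates implicit checks from a check that is explicitly asked for. An operator-side explicit check of that kind, done with openssl(1) by comparing the certificate's public key with the one derived from the private key, is sketched here as an added example; it is not part of the thread and not how SSL_CTX_check_private_key() is implemented, and the function names, file names and generated sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: explicit certificate/private-key match check with openssl(1).
# It compares public halves only; it does not validate the private key itself.

# cert_key_match CERT KEY
# Returns 0 when both public keys are identical, 1 on mismatch,
# 2 when either file cannot be read or parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_samples DIR
# Constructed sample input: a self-signed certificate with its own key
# (a.crt, a.key) and an unrelated second key (b.key).
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days 1 -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/b.key" 2>/dev/null
}

# Demonstration on the constructed samples.
tmp=$(mktemp -d)
if make_samples "$tmp"; then
    rc=0; cert_key_match "$tmp/a.crt" "$tmp/a.key" || rc=$?
    echo "a.crt with a.key: rc=$rc"
    rc=0; cert_key_match "$tmp/a.crt" "$tmp/b.key" || rc=$?
    echo "a.crt with b.key: rc=$rc"
fi
rm -rf "$tmp"
```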

