Tolerate PKCS#8 DSA format with negative private key.

2010-01-22 20:17:30 +00:00 · 2010-01-22 20:17:30 +00:00 · 1699389a46
commit 1699389a46
parent ad8ee3d7d1
5 changed files with 19 additions and 1 deletions
--- a/3
+++ b/3
@ -4,6 +4,9 @@

 Changes between 0.9.8m (?) and 1.0.0  [xx XXX xxxx]

+  *) Tolerate yet another broken PKCS#8 key format: private key value negative.
+     [Steve Henson]
+
  *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
     output hashes compatible with older versions of OpenSSL.
     [Willy Weisz <weisz@vcpc.univie.ac.at>]
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@ -403,6 +403,10 @@ int MAIN(int argc, char **argv)
 			BIO_printf(bio_err, "DSA public key include in PrivateKey\n");
 			break;

+			case PKCS8_NEG_PRIVKEY:
+			BIO_printf(bio_err, "DSA private key value is negative\n");
+			break;
+
 			default:
 			BIO_printf(bio_err, "Unknown broken type\n");
 			break;
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@ -237,8 +237,16 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
 		}
 	else
 		{
+		const unsigned char *q = p;
 		if (!(privkey=d2i_ASN1_INTEGER(NULL, &p, pklen)))
 			goto decerr;
+		if (privkey->type == V_ASN1_NEG_INTEGER)
+			{
+			p8->broken = PKCS8_NEG_PRIVKEY;
+			ASN1_INTEGER_free(privkey);
+			if (!(privkey=d2i_ASN1_UINTEGER(NULL, &q, pklen)))
+				goto decerr;
+			}
 		if (ptype != V_ASN1_SEQUENCE)
 			goto decerr;
 		}
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@ -585,6 +585,7 @@ struct pkcs8_priv_key_info_st
 #define PKCS8_NO_OCTET		1
 #define PKCS8_EMBEDDED_PARAM	2
 #define PKCS8_NS_DB		3
+#define PKCS8_NEG_PRIVKEY	4
        ASN1_INTEGER *version;
        X509_ALGOR *pkeyalg;
        ASN1_TYPE *pkey; /* Should be OCTET STRING but some are broken */
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@ -247,7 +247,9 @@ If an unpatched client attempts to connect to a patched OpenSSL server then
 the attempt will succeed but renegotiation is not permitted. As required
 by the standard a B<no_renegotiation> alert is sent back to the client if
 the TLS v1.0 protocol is used. If SSLv3.0 is used then renegotiation results
-in a fatal B<handshake_failed> alert.
+in a fatal B<handshake_failed> alert. If the patched server attempts to
+renegotiate (existing applications which renegotiate may well do this) then
+a fatal B<handshake_failed> alert is sent.

 If a patched OpenSSL client attempts to connect to an unpatched server
 then the connection will fail because it is not possible to determine