Assume a private key is RSA if the header does not specify a type.

Auto-generated certificates are RSA, but the header does not indicate
this (it reads BEGIN PRIVATE KEY rather than BEGIN RSA PRIVATE KEY). Since the type is not specified,
the certificate was not being parsed correctly, so attempts to
connect over HTTPS failed and produced web browser errors.

Fixes "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" in Chrome.
Fixes "ssl_error_no_cypher_overlap" in Firefox.
This commit is contained in:
Jay Weisskopf 2012-02-01 23:57:33 -06:00 committed by Marc Singer
parent e20a7d2536
commit 85c3a03aec


@ -489,7 +489,7 @@ static int sslSetCertificateFromFd(SSL_CTX *context, int fd) {
const unsigned char *data = sslSecureReadASCIIFileToMem(fd); const unsigned char *data = sslSecureReadASCIIFileToMem(fd);
check(!NOINTR(close(fd))); check(!NOINTR(close(fd)));
long dataSize = (long)strlen((const char *)data); long dataSize = (long)strlen((const char *)data);
long certSize, rsaSize, dsaSize, ecSize; long certSize, rsaSize, dsaSize, ecSize, notypeSize;
const unsigned char *record; const unsigned char *record;
const unsigned char *cert = sslPEMtoASN1(data, "CERTIFICATE", &certSize, const unsigned char *cert = sslPEMtoASN1(data, "CERTIFICATE", &certSize,
&record); &record);
@ -499,21 +499,26 @@ static int sslSetCertificateFromFd(SSL_CTX *context, int fd) {
NULL); NULL);
const unsigned char *ec = sslPEMtoASN1(data, "EC PRIVATE KEY", &ecSize, const unsigned char *ec = sslPEMtoASN1(data, "EC PRIVATE KEY", &ecSize,
NULL); NULL);
const unsigned char *notype = sslPEMtoASN1(data, "PRIVATE KEY", &notypeSize,
NULL);
if (certSize && (rsaSize || dsaSize if (certSize && (rsaSize || dsaSize
#ifdef EVP_PKEY_EC #ifdef EVP_PKEY_EC
|| ecSize || ecSize
#endif #endif
) && || notypeSize) &&
SSL_CTX_use_certificate_ASN1(context, certSize, cert) && SSL_CTX_use_certificate_ASN1(context, certSize, cert) &&
(!rsaSize || (!rsaSize ||
SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, context, rsa, rsaSize)) && SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, context, rsa, rsaSize)) &&
(!dsaSize || (!dsaSize ||
SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_DSA, context, dsa, dsaSize)) SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_DSA, context, dsa, dsaSize)) &&
#ifdef EVP_PKEY_EC #ifdef EVP_PKEY_EC
&&
(!ecSize || (!ecSize ||
SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_EC, context, ec, ecSize)) SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_EC, context, ec, ecSize)) &&
#endif #endif
// Assume a private key is RSA if the header does not specify a type.
// (e.g. BEGIN PRIVATE KEY)
(!notypeSize ||
SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, context, notype, notypeSize))
) { ) {
memset((char *)cert, 0, certSize); memset((char *)cert, 0, certSize);
free((char *)cert); free((char *)cert);
@ -549,6 +554,8 @@ static int sslSetCertificateFromFd(SSL_CTX *context, int fd) {
free((char *)dsa); free((char *)dsa);
memset((char *)ec, 0, ecSize); memset((char *)ec, 0, ecSize);
free((char *)ec); free((char *)ec);
memset((char *)notype, 0, notypeSize);
free((char *)notype);
return rc; return rc;
} }
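Review bot: The untyped `PRIVATE KEY` block handled by the new `(!notypeSize || SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, context, notype, notypeSize))` clause is a PKCS#8 PrivateKeyInfo, which carries its own algorithm identifier and may wrap a DSA or EC key as well as an RSA one, so forcing `EVP_PKEY_RSA` is a guess that mis-loads any non-RSA key in that container; whether OpenSSL rejects the type mismatch at load time or only at the handshake depends on the library version, so the guess should not be relied on. Rather than guessing, decode the block with `d2i_AutoPrivateKey`, which takes the algorithm from the PKCS#8 header, and install the result with `SSL_CTX_use_PrivateKey` (rewrite below); if this file resolves OpenSSL symbols at runtime instead of linking them, those two functions need the same wiring, which is outside the hunk. Once the key is installed, a call to `SSL_CTX_check_private_key(context)` would turn a certificate/key mismatch into a configuration-time failure instead of the browser-side cipher-mismatch errors the commit message describes. The two-line comment above the clause should also name the format, e.g. `// "BEGIN PRIVATE KEY" is a PKCS#8 PrivateKeyInfo; the PEM header carries no key type.` sslSetCertificateFromFd begins before and ends after this hunk, so the cleanup of `notype` in the later hunk follows the existing zero-then-free pattern for the other buffers.
```c
// Install an untyped ("BEGIN PRIVATE KEY", PKCS#8) key. The algorithm is read
// from the PKCS#8 header, so RSA, DSA and EC keys are all handled.
static int sslUsePKCS8PrivateKey(SSL_CTX *context,
                                 const unsigned char *der, long derSize) {
  const unsigned char *p = der;
  EVP_PKEY *pkey = d2i_AutoPrivateKey(NULL, &p, derSize);
  int ok = pkey != NULL && SSL_CTX_use_PrivateKey(context, pkey);
  EVP_PKEY_free(pkey);
  return ok;
}

// … unchanged: sslSetCertificateFromFd up to the EC key clause …
      (!notypeSize ||
       sslUsePKCS8PrivateKey(context, notype, notypeSize)) &&
      SSL_CTX_check_private_key(context)
// … unchanged: buffer zeroing and free …
```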