ssl: reject keys without private componentstopic/ssl-check-pkey-private

OpenSSL checks if the PKey's public key matches with the certificate, but does not check that the PKey contains the private components. As a result, OpenSSL does a NULL dereference while doing SSL/TLS negotiation. [Bug #8673]
author: Kazuki Yamaguchi <k@rhe.jp> 2016-07-03 12:43:31 +0900
committer: Kazuki Yamaguchi <k@rhe.jp> 2016-07-03 14:15:15 +0900
commit: 66c1da57eb03c19f96f3f1c843ea2a93dca3d243 (patch)
tree: fca71b509eb3066e50e09e2e0a5e29830b7f76f1 /ext/openssl
parent: 0d4456b49a7c4975bab021262561652ef3d457ce (diff)
download: ruby-openssl-66c1da57eb03c19f96f3f1c843ea2a93dca3d243.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 7236f668..76832081 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -228,7 +228,7 @@ ossl_call_client_cert_cb(VALUE obj)
     ary = rb_funcall(cb, rb_intern("call"), 1, obj);
     Check_Type(ary, T_ARRAY);
     GetX509CertPtr(cert = rb_ary_entry(ary, 0));
-    GetPKeyPtr(key = rb_ary_entry(ary, 1));
+    GetPrivPKeyPtr(key = rb_ary_entry(ary, 1));
 
     return rb_ary_new3(2, cert, key);
 }
@@ -774,7 +774,7 @@ ossl_sslctx_setup(VALUE self)
     val = ossl_sslctx_get_cert(self);
     cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */
     val = ossl_sslctx_get_key(self);
-    key = NIL_P(val) ? NULL : GetPKeyPtr(val); /* NO DUP NEEDED */
+    key = NIL_P(val) ? NULL : GetPrivPKeyPtr(val); /* NO DUP NEEDED */
     if (cert && key) {
         if (!SSL_CTX_use_certificate(ctx, cert)) {
             /* Adds a ref => Safe to FREE */
author	Kazuki Yamaguchi <k@rhe.jp>	2016-07-03 12:43:31 +0900
committer	Kazuki Yamaguchi <k@rhe.jp>	2016-07-03 14:15:15 +0900
commit	66c1da57eb03c19f96f3f1c843ea2a93dca3d243 (patch)
tree	fca71b509eb3066e50e09e2e0a5e29830b7f76f1 /ext/openssl
parent	0d4456b49a7c4975bab021262561652ef3d457ce (diff)
download	ruby-openssl-66c1da57eb03c19f96f3f1c843ea2a93dca3d243.tar.gz