author | Kazuki Yamaguchi <k@rhe.jp> | 2016-07-03 12:43:31 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-07-03 14:15:15 +0900 |
commit | 66c1da57eb03c19f96f3f1c843ea2a93dca3d243 (patch) | |
tree | fca71b509eb3066e50e09e2e0a5e29830b7f76f1 /ext/openssl | |
parent | 0d4456b49a7c4975bab021262561652ef3d457ce (diff) | |
ssl: reject keys without private components (topic/ssl-check-pkey-private)
OpenSSL checks if the PKey's public key matches with the certificate,
but does not check that the PKey contains the private components. As a
result, OpenSSL does a NULL dereference while doing SSL/TLS negotiation.
[Bug #8673]
Diffstat (limited to 'ext/openssl')
-rw-r--r-- | ext/openssl/ossl_ssl.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 7236f668..76832081 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -228,7 +228,7 @@ ossl_call_client_cert_cb(VALUE obj)
 ary = rb_funcall(cb, rb_intern("call"), 1, obj);
 Check_Type(ary, T_ARRAY);
 GetX509CertPtr(cert = rb_ary_entry(ary, 0));
- GetPKeyPtr(key = rb_ary_entry(ary, 1));
+ GetPrivPKeyPtr(key = rb_ary_entry(ary, 1));
 return rb_ary_new3(2, cert, key);
 }
@@ -774,7 +774,7 @@ ossl_sslctx_setup(VALUE self)
 val = ossl_sslctx_get_cert(self);
 cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */
 val = ossl_sslctx_get_key(self);
- key = NIL_P(val) ? NULL : GetPKeyPtr(val); /* NO DUP NEEDED */
+ key = NIL_P(val) ? NULL : GetPrivPKeyPtr(val); /* NO DUP NEEDED */
 if (cert && key) {
 if (!SSL_CTX_use_certificate(ctx, cert)) {
 /* Adds a ref => Safe to FREE */ |
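Review bot: Neither call site records why the private accessor is required, so a later cleanup could switch `GetPrivPKeyPtr` back to `GetPKeyPtr` and reintroduce the NULL dereference during negotiation that the commit message describes; this applies to the changed line in ossl_call_client_cert_cb and to the one in ossl_sslctx_setup. I would add a comment above each, e.g. `/* key must carry private components: OpenSSL only matches its public half against the cert */`. GetPrivPKeyPtr is defined outside this diff, so how it decides that a key is private cannot be checked from here; if it relies on the Ruby object's own answer rather than on the EVP_PKEY contents, that is worth stating in its documentation. The body of ossl_sslctx_setup continues outside the second hunk.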