Check-in [51a2b1ec9a]
Overview
Comment:Only load private key if we loaded a non-default certificate
SHA3-256: 51a2b1ec9aa0c324c6e0057aa74641c26998821dd901a1a78c1c1734a5633c34
User & Date: rkeene on 2020-05-04 15:09:14
Context
2020-05-04
15:10
Integrated mjanssen's work on loading certificates and keys as values check-in: b08bbeb9a1 user: rkeene tags: trunk
15:09
Only load private key if we loaded a non-default certificate Closed-Leaf check-in: 51a2b1ec9a user: rkeene tags: mjanssen-asn1-certs
15:02
Updated to support cert/certfile independantly of key/keyfile check-in: 952ef184e6 user: rkeene tags: mjanssen-asn1-certs
Changes

Modified tls.c from [e32cfd6f1e] to [93c7ba9ac0].

  1083   1083       char *DHparams;
  1084   1084   {
  1085   1085       Tcl_Interp *interp = statePtr->interp;
  1086   1086       SSL_CTX *ctx = NULL;
  1087   1087       Tcl_DString ds;
  1088   1088       Tcl_DString ds1;
  1089   1089       int off = 0;
         1090  +    int load_private_key;
  1090   1091       const SSL_METHOD *method;
  1091   1092   
  1092   1093       dprintf("Called");
  1093   1094   
  1094   1095       if (!proto) {
  1095   1096   	Tcl_AppendResult(interp, "no valid protocol selected", NULL);
  1096   1097   	return (SSL_CTX *)0;
................................................................................
  1262   1263   	}
  1263   1264   	SSL_CTX_set_tmp_dh(ctx, dh);
  1264   1265   	DH_free(dh);
  1265   1266       }
  1266   1267   #endif
  1267   1268   
  1268   1269       /* set our certificate */
         1270  +    load_private_key = 0;
  1269   1271       if (certfile != NULL) {
         1272  +	load_private_key = 1;
         1273  +
  1270   1274   	Tcl_DStringInit(&ds);
  1271   1275   
  1272   1276   	if (SSL_CTX_use_certificate_file(ctx, F2N( certfile, &ds),
  1273   1277   					SSL_FILETYPE_PEM) <= 0) {
  1274   1278   	    Tcl_DStringFree(&ds);
  1275   1279   	    Tcl_AppendResult(interp,
  1276   1280   			     "unable to set certificate file ", certfile, ": ",
  1277   1281   			     REASON(), (char *) NULL);
  1278   1282   	    SSL_CTX_free(ctx);
  1279   1283   	    return (SSL_CTX *)0;
  1280   1284   	}
  1281   1285       } else if (cert != NULL) {
         1286  +	load_private_key = 1;
  1282   1287   	if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) {
  1283   1288   	    Tcl_DStringFree(&ds);
  1284   1289   	    Tcl_AppendResult(interp,
  1285   1290   			     "unable to set certificate: ",
  1286   1291   			     REASON(), (char *) NULL);
  1287   1292   	    SSL_CTX_free(ctx);
  1288   1293   	    return (SSL_CTX *)0;
................................................................................
  1300   1305   	    SSL_CTX_free(ctx);
  1301   1306   	    return (SSL_CTX *)0;
  1302   1307   #endif
  1303   1308   	}
  1304   1309       }
  1305   1310   
  1306   1311       /* set our private key */
  1307         -    if (keyfile == NULL && key == NULL) {
  1308         -	keyfile = certfile;
  1309         -    }
  1310         -
  1311         -    if (keyfile != NULL) {
  1312         -	/* get the private key associated with this certificate */
  1313         -	if (keyfile == NULL) {
         1312  +    if (load_private_key) {
         1313  +	if (keyfile == NULL && key == NULL) {
  1314   1314   	    keyfile = certfile;
  1315   1315   	}
  1316   1316   
  1317         -	if (SSL_CTX_use_PrivateKey_file(ctx, F2N( keyfile, &ds),
  1318         -					SSL_FILETYPE_PEM) <= 0) {
         1317  +	if (keyfile != NULL) {
         1318  +	    /* get the private key associated with this certificate */
         1319  +	    if (keyfile == NULL) {
         1320  +		keyfile = certfile;
         1321  +	    }
         1322  +
         1323  +	    if (SSL_CTX_use_PrivateKey_file(ctx, F2N( keyfile, &ds), SSL_FILETYPE_PEM) <= 0) {
         1324  +		Tcl_DStringFree(&ds);
         1325  +		/* flush the passphrase which might be left in the result */
         1326  +		Tcl_SetResult(interp, NULL, TCL_STATIC);
         1327  +		Tcl_AppendResult(interp,
         1328  +			         "unable to set public key file ", keyfile, " ",
         1329  +			         REASON(), (char *) NULL);
         1330  +		SSL_CTX_free(ctx);
         1331  +		return (SSL_CTX *)0;
         1332  +	    }
         1333  +
  1319   1334   	    Tcl_DStringFree(&ds);
  1320         -	    /* flush the passphrase which might be left in the result */
  1321         -	    Tcl_SetResult(interp, NULL, TCL_STATIC);
  1322         -	    Tcl_AppendResult(interp,
  1323         -			     "unable to set public key file ", keyfile, " ",
  1324         -			     REASON(), (char *) NULL);
  1325         -	    SSL_CTX_free(ctx);
  1326         -	    return (SSL_CTX *)0;
         1335  +	} else if (key != NULL) {
         1336  +	    if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) {
         1337  +		Tcl_DStringFree(&ds);
         1338  +		/* flush the passphrase which might be left in the result */
         1339  +		Tcl_SetResult(interp, NULL, TCL_STATIC);
         1340  +		Tcl_AppendResult(interp,
         1341  +		                 "unable to set public key: ",
         1342  +		                 REASON(), (char *) NULL);
         1343  +		SSL_CTX_free(ctx);
         1344  +		return (SSL_CTX *)0;
         1345  +	    }
  1327   1346   	}
  1328         -	Tcl_DStringFree(&ds);
  1329   1347   	/* Now we know that a key and cert have been set against
  1330   1348   	 * the SSL context */
  1331   1349   	if (!SSL_CTX_check_private_key(ctx)) {
  1332   1350   	    Tcl_AppendResult(interp,
  1333   1351   			     "private key does not match the certificate public key",
  1334   1352   			     (char *) NULL);
  1335   1353   	    SSL_CTX_free(ctx);
  1336         -	    return (SSL_CTX *)0;
  1337         -	}
  1338         -    } else if (key != NULL) {
  1339         -	if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) {
  1340         -	    Tcl_DStringFree(&ds);
  1341         -	    /* flush the passphrase which might be left in the result */
  1342         -	    Tcl_SetResult(interp, NULL, TCL_STATIC);
  1343         -	    Tcl_AppendResult(interp,
  1344         -			     "unable to set public key: ",
  1345         -			     REASON(), (char *) NULL);
  1346         -	    SSL_CTX_free(ctx);
  1347   1354   	    return (SSL_CTX *)0;
  1348   1355   	}
  1349   1356       }
  1350   1357   
  1351   1358       /* Set verification CAs */
  1352   1359       Tcl_DStringInit(&ds);
  1353   1360       Tcl_DStringInit(&ds1);
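Review bot: Inside the new `if (keyfile != NULL)` block the nested `if (keyfile == NULL) { keyfile = certfile; }` is unreachable, because the `keyfile == NULL && key == NULL` fallback just above already ran; drop those three lines so the key-selection logic reads as one decision. The `Tcl_DStringFree(&ds)` on the `SSL_CTX_use_PrivateKey_ASN1` failure path frees a `ds` that, on the `cert`/`key` path, does not appear to have been passed to `Tcl_DStringInit` (only the `certfile` branch initializes it) — carried over from the old code, but worth confirming, since freeing an uninitialized DString is unsafe. With an ASN.1 `cert` and neither `key` nor `keyfile`, `keyfile` stays NULL and no key is loaded at all, so the failure surfaces as "private key does not match the certificate public key" rather than a message saying no key was supplied; an explicit check or a comment would make that clearer. The enclosing function starts and ends outside the hunk.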