Tolerate PKCS#8 DSA format with negative private key.

diff --git a/CHANGES b/CHANGES
index ac3191abb8201a5471b86129de5f0fa02edfaa6a..75efddf8950c533873f12fe9d136691ff71da3d1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 0.9.8m (?) and 1.0.0  [xx XXX xxxx]
 
+  *) Tolerate yet another broken PKCS#8 key format: private key value negative.
+     [Steve Henson]
+
   *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
      output hashes compatible with older versions of OpenSSL.
      [Willy Weisz <weisz@vcpc.univie.ac.at>]

diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index c93ce7734de9b325d35bec5aa870b5bbb9fc4f2a..7edeb179dd1afd52bf8d7d35bfaa5432094756a2 100644 (file)
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -403,6 +403,10 @@ int MAIN(int argc, char **argv)
                        BIO_printf(bio_err, "DSA public key include in PrivateKey\n");
                        break;
 
+                       case PKCS8_NEG_PRIVKEY:
+                       BIO_printf(bio_err, "DSA private key value is negative\n");
+                       break;
+
                        default:
                        BIO_printf(bio_err, "Unknown broken type\n");
                        break;

diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index a588740cd80c327ed652bc9e27d3748f456560cc..5482330c84ded5b47aeb24e21dcd7a9019465231 100644 (file)
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -237,8 +237,16 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
                }
        else
                {
+               const unsigned char *q = p;
                if (!(privkey=d2i_ASN1_INTEGER(NULL, &p, pklen)))
                        goto decerr;
+               if (privkey->type == V_ASN1_NEG_INTEGER)
+                       {
+                       p8->broken = PKCS8_NEG_PRIVKEY;
+                       ASN1_INTEGER_free(privkey);
+                       if (!(privkey=d2i_ASN1_UINTEGER(NULL, &q, pklen)))
+                               goto decerr;
+                       }
                if (ptype != V_ASN1_SEQUENCE)
                        goto decerr;
                }

diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index e0ec25b061954acc41033beea1e5e8f04d481a75..604f4fb27fb98f7007862c2f6e7a5eed57e32aaa 100644 (file)
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -585,6 +585,7 @@ struct pkcs8_priv_key_info_st
 #define PKCS8_NO_OCTET         1
 #define PKCS8_EMBEDDED_PARAM   2
 #define PKCS8_NS_DB            3
+#define PKCS8_NEG_PRIVKEY      4
         ASN1_INTEGER *version;
         X509_ALGOR *pkeyalg;
         ASN1_TYPE *pkey; /* Should be OCTET STRING but some are broken */

diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 9331e6715338d2dd180d60bb54deca7452fa81a7..72ebcadfe6e0e5d4fcbf928f3a3d3d845e7d0202 100644 (file)
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -247,7 +247,9 @@ If an unpatched client attempts to connect to a patched OpenSSL server then
 the attempt will succeed but renegotiation is not permitted. As required
 by the standard a B<no_renegotiation> alert is sent back to the client if
 the TLS v1.0 protocol is used. If SSLv3.0 is used then renegotiation results
-in a fatal B<handshake_failed> alert.
+in a fatal B<handshake_failed> alert. If the patched server attempts to
+renegotiate (existing applications which renegotiate may well do this) then
+a fatal B<handshake_failed> alert is sent.
 
 If a patched OpenSSL client attempts to connect to an unpatched server
 then the connection will fail because it is not possible to determine