Closed
Labels
triaged: bug (The issue/pr is/fixes a bug)
Description
OCSP_basic_sign_ctx() in ocsp_srv.c does not check for RSA_METHOD_FLAG_NO_CHECK. If RSA_set_flags() is used to enable RSA_METHOD_FLAG_NO_CHECK, then OCSP sign operations can fail because of X509_check_private_key().
A similar condition could exist in ocsp_cl.c. But I have not run into a failure there.
See attached patch file containing a possible solution.
ocsp_srv.c.diff.txt
apps/openssl version -a
OpenSSL 1.1.1h-dev xx XXX xxxx
built on: Sat Jun 6 05:57:21 2020 UTC
platform: darwin64-x86_64-cc
options: bn(64,64) rc4(int) des(int) idea(int) blowfish(ptr)
compiler: cc -fPIC -arch x86_64 -O3 -Wall -DL_ENDIAN -DOPENSSL_PIC -D_REENTRANT -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific
perl configdata.pm --dump
Command line (with current working directory = .):
perl ./Configure darwin64-x86_64-cc no-asm
Perl information:
perl
5.18.4 for darwin-thread-multi-2level
Enabled features:
aria
async
autoalginit
autoerrinit
autoload-config
bf
blake2
buildtest-c\+\+
camellia
capieng
cast
chacha
cmac
cms
comp
ct
deprecated
des
dgram
dh
dsa
dso
dtls
dynamic-engine
ec
ec2m
ecdh
ecdsa
engine
err
filenames
gost
hw(-.+)?
idea
makedepend
md4
mdc2
multiblock
nextprotoneg
pinshared
ocb
ocsp
pic
poly1305
posix-io
psk
rc2
rc4
rdrand
rfc3779
rmd160
scrypt
seed
shared
siphash
sm2
sm3
sm4
sock
srp
srtp
sse2
ssl
static-engine
stdio
tests
threads
tls
ts
ui-console
whirlpool
tls1
tls1-method
tls1_1
tls1_1-method
tls1_2
tls1_2-method
tls1_3
dtls1
dtls1-method
dtls1_2
dtls1_2-method
Disabled features:
afalgeng [not-linux] OPENSSL_NO_AFALGENG
asan [default] OPENSSL_NO_ASAN
asm [option] OPENSSL_NO_ASM
crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG
crypto-mdebug-backtrace [default] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
devcryptoeng [default] OPENSSL_NO_DEVCRYPTOENG
ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128
egd [default] OPENSSL_NO_EGD
external-tests [default] OPENSSL_NO_EXTERNAL_TESTS
fuzz-libfuzzer [default] OPENSSL_NO_FUZZ_LIBFUZZER
fuzz-afl [default] OPENSSL_NO_FUZZ_AFL
heartbeats [default] OPENSSL_NO_HEARTBEATS
md2 [default] OPENSSL_NO_MD2 (skip crypto/md2)
msan [default] OPENSSL_NO_MSAN
rc5 [default] OPENSSL_NO_RC5 (skip crypto/rc5)
sctp [default] OPENSSL_NO_SCTP
ssl-trace [default] OPENSSL_NO_SSL_TRACE
ubsan [default] OPENSSL_NO_UBSAN
unit-test [default] OPENSSL_NO_UNIT_TEST
weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS
zlib [default]
zlib-dynamic [default]
ssl3 [default] OPENSSL_NO_SSL3
ssl3-method [default] OPENSSL_NO_SSL3_METHOD
Config target attributes:
AR => "ar",
ARFLAGS => "r",
CC => "cc",
CFLAGS => "-O3 -Wall",
HASHBANGPERL => "/usr/bin/env perl",
RANLIB => "ranlib -c",
RC => "windres",
aes_asm_src => "aes_core.c aes_cbc.c",
aes_obj => "aes_core.o aes_cbc.o",
apps_aux_src => "",
apps_init_src => "",
apps_obj => "",
bf_asm_src => "bf_enc.c",
bf_obj => "bf_enc.o",
bn_asm_src => "bn_asm.c",
bn_obj => "bn_asm.o",
bn_ops => "SIXTY_FOUR_BIT_LONG",
build_file => "Makefile",
build_scheme => [ "unified", "unix" ],
cast_asm_src => "c_enc.c",
cast_obj => "c_enc.o",
cflags => "-arch x86_64",
chacha_asm_src => "chacha_enc.c",
chacha_obj => "chacha_enc.o",
cmll_asm_src => "camellia.c cmll_misc.c cmll_cbc.c",
cmll_obj => "camellia.o cmll_misc.o cmll_cbc.o",
cppflags => "-D_REENTRANT",
cpuid_asm_src => "mem_clr.c",
cpuid_obj => "mem_clr.o",
defines => [ ],
des_asm_src => "des_enc.c fcrypt_b.c",
des_obj => "des_enc.o fcrypt_b.o",
disable => [ ],
dso_extension => ".dylib",
dso_scheme => "dlfcn",
ec_asm_src => "",
ec_obj => "",
enable => [ ],
exe_extension => "",
includes => [ ],
keccak1600_asm_src => "keccak1600.c",
keccak1600_obj => "keccak1600.o",
lflags => "-Wl,-search_paths_first",
lib_cflags => "",
lib_cppflags => "-DL_ENDIAN",
lib_defines => [ ],
md5_asm_src => "",
md5_obj => "",
modes_asm_src => "",
modes_obj => "",
module_cflags => "-fPIC",
module_cxxflags => "",
module_ldflags => "-bundle",
padlock_asm_src => "",
padlock_obj => "",
perlasm_scheme => "macosx",
poly1305_asm_src => "",
poly1305_obj => "",
rc4_asm_src => "rc4_enc.c rc4_skey.c",
rc4_obj => "rc4_enc.o rc4_skey.o",
rc5_asm_src => "rc5_enc.c",
rc5_obj => "rc5_enc.o",
rmd160_asm_src => "",
rmd160_obj => "",
shared_cflag => "-fPIC",
shared_defines => [ ],
shared_extension => ".\$(SHLIB_VERSION_NUMBER).dylib",
shared_extension_simple => ".dylib",
shared_ldflag => "-dynamiclib -current_version \$(SHLIB_VERSION_NUMBER) -compatibility_version \$(SHLIB_VERSION_NUMBER)",
shared_rcflag => "",
shared_sonameflag => "-install_name \$(INSTALLTOP)/\$(LIBDIR)/",
shared_target => "darwin-shared",
sys_id => "MACOSX",
thread_defines => [ ],
thread_scheme => "pthreads",
unistd => "<unistd.h>",
uplink_aux_src => "",
uplink_obj => "",
wp_asm_src => "wp_block.c",
wp_obj => "wp_block.o",
Recorded environment:
AR =
ARFLAGS =
AS =
ASFLAGS =
BUILDFILE =
CC =
CFLAGS =
CPP =
CPPDEFINES =
CPPFLAGS =
CPPINCLUDES =
CROSS_COMPILE =
CXX =
CXXFLAGS =
HASHBANGPERL =
LD =
LDFLAGS =
LDLIBS =
MT =
MTFLAGS =
OPENSSL_LOCAL_CONFIG_DIR =
PERL =
RANLIB =
RC =
RCFLAGS =
RM =
WINDRES =
__CNF_CFLAGS =
__CNF_CPPDEFINES =
__CNF_CPPFLAGS =
__CNF_CPPINCLUDES =
__CNF_CXXFLAGS =
__CNF_LDFLAGS =
__CNF_LDLIBS =
Makevars:
AR = ar
ARFLAGS = r
CC = cc
CFLAGS = -O3 -Wall
CPPDEFINES =
CPPFLAGS =
CPPINCLUDES =
CXXFLAGS =
HASHBANGPERL = /usr/bin/env perl
LDFLAGS =
LDLIBS =
PERL = perl
RANLIB = ranlib -c
RC = windres
RCFLAGS =
NOTE: These variables only represent the configuration view. The build file
template may have processed these variables further, please have a look at the
build file for more exact data:
Makefile
build file:
Makefile
build file templates:
Configurations/common0.tmpl
Configurations/unix-Makefile.tmpl
Configurations/common.tmpl