Generate errors when public/private key check is done.

CHANGES

@@ -5,6 +5,9 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) Generate errors when private/public key check is done.
+     [Ben Laurie]
+
   *) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support
      for some CRL extensions and new objects added.
      [Steve Henson]

crypto/x509/x509.err

@@ -9,6 +9,7 @@
 #define X509_F_X509V3_ADD_EXTENSION			 105
 #define X509_F_X509V3_PACK_STRING			 106
 #define X509_F_X509V3_UNPACK_STRING			 107
+#define X509_F_X509_CHECK_PRIVATE_KEY			 128
 #define X509_F_X509_EXTENSION_CREATE_BY_NID		 108
 #define X509_F_X509_EXTENSION_CREATE_BY_OBJ		 109
 #define X509_F_X509_GET_PUBKEY_PARAMETERS		 110
@@ -32,15 +33,19 @@
 
 /* Reason codes. */
 #define X509_R_BAD_X509_FILETYPE			 100
+#define X509_R_CANT_CHECK_DH_KEY			 114
 #define X509_R_CERT_ALREADY_IN_HASH_TABLE		 101
 #define X509_R_ERR_ASN1_LIB				 102
 #define X509_R_INVALID_DIRECTORY			 113
+#define X509_R_KEY_TYPE_MISMATCH			 115
+#define X509_R_KEY_VALUES_MISMATCH			 116
 #define X509_R_LOADING_CERT_DIR				 103
 #define X509_R_LOADING_DEFAULTS				 104
 #define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY		 105
 #define X509_R_SHOULD_RETRY				 106
 #define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN	 107
 #define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY		 108
+#define X509_R_UNKNOWN_KEY_TYPE				 117
 #define X509_R_UNKNOWN_NID				 109
 #define X509_R_UNKNOWN_STRING_TYPE			 110
 #define X509_R_UNSUPPORTED_ALGORITHM			 111

crypto/x509/x509.h

@@ -1152,6 +1152,7 @@ X509 *X509_find_by_subject();
 #define X509_F_X509V3_ADD_EXTENSION			 105
 #define X509_F_X509V3_PACK_STRING			 106
 #define X509_F_X509V3_UNPACK_STRING			 107
+#define X509_F_X509_CHECK_PRIVATE_KEY			 128
 #define X509_F_X509_EXTENSION_CREATE_BY_NID		 108
 #define X509_F_X509_EXTENSION_CREATE_BY_OBJ		 109
 #define X509_F_X509_GET_PUBKEY_PARAMETERS		 110
@@ -1175,15 +1176,19 @@ X509 *X509_find_by_subject();
 
 /* Reason codes. */
 #define X509_R_BAD_X509_FILETYPE			 100
+#define X509_R_CANT_CHECK_DH_KEY			 114
 #define X509_R_CERT_ALREADY_IN_HASH_TABLE		 101
 #define X509_R_ERR_ASN1_LIB				 102
 #define X509_R_INVALID_DIRECTORY			 113
+#define X509_R_KEY_TYPE_MISMATCH			 115
+#define X509_R_KEY_VALUES_MISMATCH			 116
 #define X509_R_LOADING_CERT_DIR				 103
 #define X509_R_LOADING_DEFAULTS				 104
 #define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY		 105
 #define X509_R_SHOULD_RETRY				 106
 #define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN	 107
 #define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY		 108
+#define X509_R_UNKNOWN_KEY_TYPE				 117
 #define X509_R_UNKNOWN_NID				 109
 #define X509_R_UNKNOWN_STRING_TYPE			 110
 #define X509_R_UNSUPPORTED_ALGORITHM			 111

crypto/x509/x509_cmp.c

@@ -271,27 +271,40 @@ EVP_PKEY *k;
 	int ok=0;
 
 	xk=X509_get_pubkey(x);
-	if (xk->type != k->type) goto err;
+	if (xk->type != k->type)
+	    {
+	    SSLerr(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
+	    goto err;
+	    }
 	switch (k->type)
 		{
 #ifndef NO_RSA
 	case EVP_PKEY_RSA:
-		if (BN_cmp(xk->pkey.rsa->n,k->pkey.rsa->n) != 0) goto err;
-		if (BN_cmp(xk->pkey.rsa->e,k->pkey.rsa->e) != 0) goto err;
+		if (BN_cmp(xk->pkey.rsa->n,k->pkey.rsa->n) != 0
+		    || BN_cmp(xk->pkey.rsa->e,k->pkey.rsa->e) != 0)
+		    {
+		    SSLerr(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
+		    goto err;
+		    }
 		break;
 #endif
 #ifndef NO_DSA
 	case EVP_PKEY_DSA:
 		if (BN_cmp(xk->pkey.dsa->pub_key,k->pkey.dsa->pub_key) != 0)
-			goto err;
+		    {
+		    SSLerr(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
+		    goto err;
+		    }
 		break;
 #endif
 #ifndef NO_DH
 	case EVP_PKEY_DH:
 		/* No idea */
+	        SSLerr(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
 		goto err;
 #endif
 	default:
+	        SSLerr(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
 		goto err;
 		}
 

crypto/x509/x509_err.c

@@ -71,6 +71,7 @@ static ERR_STRING_DATA X509_str_functs[]=
 {ERR_PACK(0,X509_F_X509V3_ADD_EXTENSION,0),	"X509V3_ADD_EXTENSION"},
 {ERR_PACK(0,X509_F_X509V3_PACK_STRING,0),	"X509v3_pack_string"},
 {ERR_PACK(0,X509_F_X509V3_UNPACK_STRING,0),	"X509v3_unpack_string"},
+{ERR_PACK(0,X509_F_X509_CHECK_PRIVATE_KEY,0),	"X509_check_private_key"},
 {ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_NID,0),	"X509_EXTENSION_create_by_NID"},
 {ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_OBJ,0),	"X509_EXTENSION_create_by_OBJ"},
 {ERR_PACK(0,X509_F_X509_GET_PUBKEY_PARAMETERS,0),	"X509_get_pubkey_parameters"},
@@ -97,15 +98,19 @@ static ERR_STRING_DATA X509_str_functs[]=
 static ERR_STRING_DATA X509_str_reasons[]=
 	{
 {X509_R_BAD_X509_FILETYPE                ,"bad x509 filetype"},
+{X509_R_CANT_CHECK_DH_KEY                ,"cant check dh key"},
 {X509_R_CERT_ALREADY_IN_HASH_TABLE       ,"cert already in hash table"},
 {X509_R_ERR_ASN1_LIB                     ,"err asn1 lib"},
 {X509_R_INVALID_DIRECTORY                ,"invalid directory"},
+{X509_R_KEY_TYPE_MISMATCH                ,"key type mismatch"},
+{X509_R_KEY_VALUES_MISMATCH              ,"key values mismatch"},
 {X509_R_LOADING_CERT_DIR                 ,"loading cert dir"},
 {X509_R_LOADING_DEFAULTS                 ,"loading defaults"},
 {X509_R_NO_CERT_SET_FOR_US_TO_VERIFY     ,"no cert set for us to verify"},
 {X509_R_SHOULD_RETRY                     ,"should retry"},
 {X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN,"unable to find parameters in chain"},
 {X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY   ,"unable to get certs public key"},
+{X509_R_UNKNOWN_KEY_TYPE                 ,"unknown key type"},
 {X509_R_UNKNOWN_NID                      ,"unknown nid"},
 {X509_R_UNKNOWN_STRING_TYPE              ,"unknown string type"},
 {X509_R_UNSUPPORTED_ALGORITHM            ,"unsupported algorithm"},

crypto/x509v3/v3err.c

@@ -64,7 +64,7 @@
 static ERR_STRING_DATA X509V3_str_functs[]=
 	{
 {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),	"hex_to_string"},
-{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),	"I2S_ASN1_ENUMERATED"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),	"i2s_ASN1_ENUMERATED"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),	"i2s_ASN1_INTEGER"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),	"S2I_ASN1_IA5STRING"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),	"s2i_ASN1_OCTET_STRING"},

ssl/ssl.err

@@ -68,7 +68,6 @@
 #define SSL_F_SSL_CLEAR					 164
 #define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD		 165
 #define SSL_F_SSL_CREATE_CIPHER_LIST			 166
-#define SSL_F_SSL_CTX_ADD_COMPRESSION			 167
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY			 168
 #define SSL_F_SSL_CTX_NEW				 169
 #define SSL_F_SSL_CTX_SET_SSL_VERSION			 170

ssl/ssl.h

@@ -1333,7 +1333,6 @@ void SSL_CTX_set_tmp_dh_callback();
 #define SSL_F_SSL_CLEAR					 164
 #define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD		 165
 #define SSL_F_SSL_CREATE_CIPHER_LIST			 166
-#define SSL_F_SSL_CTX_ADD_COMPRESSION			 167
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY			 168
 #define SSL_F_SSL_CTX_NEW				 169
 #define SSL_F_SSL_CTX_SET_SSL_VERSION			 170

ssl/ssl_err.c

@@ -130,7 +130,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_PACK(0,SSL_F_SSL_CLEAR,0),	"SSL_clear"},
 {ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0),	"SSL_COMP_add_compression_method"},
 {ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0),	"SSL_CREATE_CIPHER_LIST"},
-{ERR_PACK(0,SSL_F_SSL_CTX_ADD_COMPRESSION,0),	"SSL_CTX_ADD_COMPRESSION"},
 {ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0),	"SSL_CTX_check_private_key"},
 {ERR_PACK(0,SSL_F_SSL_CTX_NEW,0),	"SSL_CTX_new"},
 {ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0),	"SSL_CTX_set_ssl_version"},