Check for pkey support

Similar to the recently added HAS_PKUTIL (f829878a43), this PR adds HAS_PKEY, which indicates whether OpenSSL has the pkey utility. HAS_PKEY is then checked before attempting to do something that requires the pkey utility.
This commit is contained in:
David Cooper 2017-12-13 11:01:58 -05:00 committed by GitHub
parent 69956016b3
commit cea570836f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 2 deletions

View File

@ -276,6 +276,7 @@ HAS_SSL2=false
HAS_SSL3=false HAS_SSL3=false
HAS_TLS13=false HAS_TLS13=false
HAS_PKUTIL=false HAS_PKUTIL=false
HAS_PKEY=false
HAS_NO_SSL2=false HAS_NO_SSL2=false
HAS_NOSERVERNAME=false HAS_NOSERVERNAME=false
HAS_ALPN=false HAS_ALPN=false
@ -8120,6 +8121,8 @@ get_pub_key_size() {
local pubkey pubkeybits local pubkey pubkeybits
local -i i len1 len local -i i len1 len
"$HAS_PKEY" || return 1
# OpenSSL displays the number of bits for RSA and ECC # OpenSSL displays the number of bits for RSA and ECC
pubkeybits=$($OPENSSL x509 -noout -pubkey -in $HOSTCERT 2>>$ERRFILE | $OPENSSL pkey -pubin -text 2>>$ERRFILE | grep -aw "Public-Key:" | sed -e 's/.*(//' -e 's/)//') pubkeybits=$($OPENSSL x509 -noout -pubkey -in $HOSTCERT 2>>$ERRFILE | $OPENSSL pkey -pubin -text 2>>$ERRFILE | grep -aw "Public-Key:" | sed -e 's/.*(//' -e 's/)//')
if [[ -n $pubkeybits ]]; then if [[ -n $pubkeybits ]]; then
@ -8222,6 +8225,8 @@ get_dh_ephemeralkey() {
local dh_p dh_g dh_y dh_param len1 key_bitstring local dh_p dh_g dh_y dh_param len1 key_bitstring
local -i i dh_p_len dh_g_len dh_y_len dh_param_len local -i i dh_p_len dh_g_len dh_y_len dh_param_len
"$HAS_PKEY" || return 1
tls_serverkeyexchange_ascii_len=${#tls_serverkeyexchange_ascii} tls_serverkeyexchange_ascii_len=${#tls_serverkeyexchange_ascii}
dh_p_len=2*$(hex2dec "${tls_serverkeyexchange_ascii:0:4}") dh_p_len=2*$(hex2dec "${tls_serverkeyexchange_ascii:0:4}")
offset=4+$dh_p_len offset=4+$dh_p_len
@ -9100,7 +9105,10 @@ parse_tls_serverhello() {
*) named_curve_str="" ; named_curve_oid="" ;; *) named_curve_str="" ; named_curve_oid="" ;;
esac esac
let offset=$extns_offset+20+$i let offset=$extns_offset+20+$i
if [[ $named_curve -eq 29 ]]; then if ! "$HAS_PKEY"; then
# The key can't be extracted without the pkey utility.
key_bitstring=""
elif [[ $named_curve -eq 29 ]]; then
key_bitstring="302a300506032b656e032100${tls_serverhello_ascii:offset:msg_len}" key_bitstring="302a300506032b656e032100${tls_serverhello_ascii:offset:msg_len}"
elif [[ $named_curve -eq 30 ]]; then elif [[ $named_curve -eq 30 ]]; then
key_bitstring="3042300506032b656f033900${tls_serverhello_ascii:offset:msg_len}" key_bitstring="3042300506032b656f033900${tls_serverhello_ascii:offset:msg_len}"
@ -9566,7 +9574,7 @@ parse_tls_serverhello() {
*) named_curve=0; named_curve_str="" ;; *) named_curve=0; named_curve_str="" ;;
esac esac
[[ -z "$key_bitstring" ]] && named_curve=0 && named_curve_str="" [[ -z "$key_bitstring" ]] && named_curve=0 && named_curve_str=""
if [[ $named_curve -ne 0 ]] && [[ "${TLS13_KEY_SHARES[named_curve]}" =~ BEGIN ]]; then if "$HAS_PKEY" && [[ $named_curve -ne 0 ]] && [[ "${TLS13_KEY_SHARES[named_curve]}" =~ BEGIN ]]; then
ephemeral_param="$($OPENSSL pkey -pubin -text -noout 2>>$ERRFILE <<< "$key_bitstring" | grep -A 1000 "prime:")" ephemeral_param="$($OPENSSL pkey -pubin -text -noout 2>>$ERRFILE <<< "$key_bitstring" | grep -A 1000 "prime:")"
rfc7919_param="$($OPENSSL pkey -text -noout 2>>$ERRFILE <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -A 1000 "prime:")" rfc7919_param="$($OPENSSL pkey -text -noout 2>>$ERRFILE <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -A 1000 "prime:")"
[[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str="" [[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str=""
@ -12884,6 +12892,10 @@ run_robot() {
prln_local_problem "Your $OPENSSL does not support the pkeyutl utility." prln_local_problem "Your $OPENSSL does not support the pkeyutl utility."
fileout "ROBOT" "WARN" "Your $OPENSSL does not support the pkeyutl utility." fileout "ROBOT" "WARN" "Your $OPENSSL does not support the pkeyutl utility."
return 7 return 7
elif ! "$HAS_PKEY"; then
prln_local_problem "Your $OPENSSL does not support the pkey utility."
fileout "ROBOT" "WARN" "Your $OPENSSL does not support the pkey utility."
return 7
fi fi
if [[ 0 -eq $(has_server_protocol tls1_2) ]]; then if [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
@ -13288,6 +13300,9 @@ find_openssl_binary() {
$OPENSSL s_client -noservername -connect x 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -noservername -connect x 2>&1 | grep -aq "unknown option" || \
HAS_NOSERVERNAME=true HAS_NOSERVERNAME=true
$OPENSSL pkey -help 2>&1 | grep -q Error || \
HAS_PKEY=true
$OPENSSL pkeyutl 2>&1 | grep -q Error || \ $OPENSSL pkeyutl 2>&1 | grep -q Error || \
HAS_PKUTIL=true HAS_PKUTIL=true