Commit f365a3e2 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Use cert_index and sigalg



Now that the certificate and signature algorithm are set in one place, we
can use them directly instead of recalculating them. The old functions
ssl_get_server_send_pkey() and ssl_get_server_cert_index() are no
longer required.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
parent 0972bc5c
+3 −5
@@ -3137,12 +3137,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)

    case SSL_CTRL_SET_CURRENT_CERT:
        if (larg == SSL_CERT_SET_SERVER) {
            CERT_PKEY *cpk;
            const SSL_CIPHER *cipher;
            if (!s->server)
                return 0;
            cipher = s->s3->tmp.new_cipher;
            if (!cipher)
            if (cipher == NULL)
                return 0;
            /*
             * No certificate for unauthenticated ciphersuites or using SRP
@@ -3150,10 +3149,9 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
             */
            if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
                return 2;
            cpk = ssl_get_server_send_pkey(s);
            if (!cpk)
            if (s->s3->tmp.cert_idx == -1)
                return 0;
            s->cert->key = cpk;
            s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx];
            return 1;
        }
        return ssl_cert_set_current(s->cert, larg);
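Review bot: The new `s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx];` in the SSL_CTRL_SET_CURRENT_CERT branch indexes the array with a value that is only compared against -1, so any other stale or out-of-range value would yield a pointer outside `pkeys`. The removed ssl_get_server_send_pkey() recomputed the index on every call, whereas the new code depends on cert_idx having been set, and reset between handshakes, by selection code that is not visible on this page. A range check such as `if (s->s3->tmp.cert_idx < 0 || s->s3->tmp.cert_idx >= SSL_PKEY_NUM) return 0;` and a short comment naming where cert_idx is assigned would make the invariant explicit. The same applies to `i = s->s3->tmp.cert_idx;` in ssl_get_server_cert_serverinfo. The ssl3_ctrl body continues outside both hunks.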
+1 −75
@@ -2833,80 +2833,6 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)

#endif

static int ssl_get_server_cert_index(const SSL *s)
{
    int idx;

    if (SSL_IS_TLS13(s)) {
        if (s->s3->tmp.sigalg == NULL) {
            SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX, ERR_R_INTERNAL_ERROR);
            return -1;
        }
        return s->s3->tmp.cert_idx;
    }

    idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
    if (idx == SSL_PKEY_GOST_EC) {
        if (s->cert->pkeys[SSL_PKEY_GOST12_512].x509)
            idx = SSL_PKEY_GOST12_512;
        else if (s->cert->pkeys[SSL_PKEY_GOST12_256].x509)
            idx = SSL_PKEY_GOST12_256;
        else if (s->cert->pkeys[SSL_PKEY_GOST01].x509)
            idx = SSL_PKEY_GOST01;
        else
            idx = -1;
    }
    if (idx == -1)
        SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX, ERR_R_INTERNAL_ERROR);
    return idx;
}

CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
{
    CERT *c;
    int i;

    c = s->cert;
    if (!s->s3 || !s->s3->tmp.new_cipher)
        return NULL;
    ssl_set_masks(s);

    i = ssl_get_server_cert_index(s);

    /* This may or may not be an error. */
    if (i < 0)
        return NULL;

    /* May be NULL. */
    return &c->pkeys[i];
}

EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
                            const EVP_MD **pmd)
{
    unsigned long alg_a;
    CERT *c;
    int idx = -1;

    alg_a = cipher->algorithm_auth;
    c = s->cert;

    if (alg_a & SSL_aDSS && c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)
        idx = SSL_PKEY_DSA_SIGN;
    else if (alg_a & SSL_aRSA && c->pkeys[SSL_PKEY_RSA].privatekey != NULL)
            idx = SSL_PKEY_RSA;
    else if (alg_a & SSL_aECDSA &&
             c->pkeys[SSL_PKEY_ECC].privatekey != NULL)
        idx = SSL_PKEY_ECC;
    if (idx == -1) {
        SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR);
        return (NULL);
    }
    if (pmd)
        *pmd = s->s3->tmp.md[idx];
    return c->pkeys[idx].privatekey;
}

int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
                                   size_t *serverinfo_length)
{
@@ -2915,7 +2841,7 @@ int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
    *serverinfo_length = 0;

    c = s->cert;
    i = ssl_get_server_cert_index(s);
    i = s->s3->tmp.cert_idx;

    if (i == -1)
        return 0;
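Review bot: The replacement `i = s->s3->tmp.cert_idx;` in ssl_get_server_cert_serverinfo drops the GOST handling of the removed ssl_get_server_cert_index(), which mapped SSL_PKEY_GOST_EC to whichever of the GOST12_512, GOST12_256 or GOST01 slots holds a certificate. The two are equivalent only if the code that sets cert_idx applies the same preference, and that code is not shown here. A comment above the assignment, for example `/* cert_idx is fixed during certificate selection; -1 means no certificate is sent */`, would record the assumption. This section also deletes ssl_get_sign_pkey(), which the commit description does not list among the functions that are no longer required. The function body continues outside the hunk.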
+0 −3
@@ -2012,12 +2012,9 @@ __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
int ssl_undefined_function(SSL *s);
__owur int ssl_undefined_void_function(void);
__owur int ssl_undefined_const_function(const SSL *s);
__owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s);
__owur int ssl_get_server_cert_serverinfo(SSL *s,
                                          const unsigned char **serverinfo,
                                          size_t *serverinfo_length);
__owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c,
                                   const EVP_MD **pmd);
__owur int ssl_cert_type(const X509 *x, const EVP_PKEY *pkey);
void ssl_set_masks(SSL *s);
__owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
+5 −5
@@ -2058,16 +2058,16 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
                al = SSL_AD_DECODE_ERROR;
                goto err;
            }
            md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
#ifdef SSL_DEBUG
            fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
        } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
            md = EVP_md5_sha1();
        } else {
            md = EVP_sha1();
        } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
            al = SSL_AD_INTERNAL_ERROR;
            goto err;
        }

        md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);

        if (!PACKET_get_length_prefixed_2(pkt, &signature)
            || PACKET_remaining(pkt) != 0) {
            al = SSL_AD_DECODE_ERROR;
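Review bot: The `#ifdef SSL_DEBUG` block left in the sigalgs branch still prints `EVP_MD_name(md)`, but `md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);` now runs only after the if/else chain, so a debug build appears to read md before it is assigned. The declaration of md is outside the hunk, so its initial value cannot be confirmed from here. Moving the three debug lines to just below the new `md = ssl_md(...)` line would keep the trace meaningful and avoid passing an unset pointer to EVP_MD_name(). The same ordering appears in tls_process_cert_verify. tls_process_key_exchange starts and ends outside the hunk.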
+3 −8
@@ -331,20 +331,15 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
            md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
#ifdef SSL_DEBUG
            fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
        } else {
            /* Use default digest for this key type */
            int idx = ssl_cert_type(NULL, pkey);
            if (idx >= 0)
                md = s->s3->tmp.md[idx];
            if (md == NULL) {
        } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
        }
        }

        md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);

        if (!PACKET_get_net_2(pkt, &len)) {
            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
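Review bot: The old default-digest path ended with an explicit `if (md == NULL)` check, and the new unconditional `md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);` has no equivalent in the visible lines, so if ssl_md() returns NULL for an unavailable digest the verification code would receive a NULL md. Consider restoring the guard directly after the assignment: `if (md == NULL) { al = SSL_AD_INTERNAL_ERROR; goto f_err; }`. The context lines `al = SSL_AD_INTERNAL_ERROR;` and `goto f_err;` also keep their old, deeper indentation under the new `} else if`, which is worth re-indenting so the block structure reads correctly. The assignment added in tls_process_key_exchange is unchecked in the same way. The function continues outside the hunk.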