Loading ssl/s3_clnt.c +1 −1 Original line number Diff line number Diff line Loading @@ -2164,7 +2164,7 @@ int ssl3_get_certificate_request(SSL *s) /* Clear certificate digests and validity flags */ for (i = 0; i < SSL_PKEY_NUM; i++) { s->s3->tmp.md[i] = NULL; s->cert->pkeys[i].valid_flags = 0; s->s3->tmp.valid_flags[i] = 0; } if ((llen & 1) || !tls1_save_sigalgs(s, p, llen)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); Loading ssl/s3_lib.c +1 −1 Original line number Diff line number Diff line Loading @@ -3892,7 +3892,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s)) continue; ssl_set_cert_masks(cert, c); ssl_set_masks(s, c); mask_k = cert->mask_k; mask_a = cert->mask_a; emask_k = cert->export_mask_k; Loading ssl/ssl_cert.c +0 −3 Original line number Diff line number Diff line Loading @@ -270,7 +270,6 @@ CERT *ssl_cert_dup(CERT *cert) goto err; } } rpk->valid_flags = 0; #ifndef OPENSSL_NO_TLSEXT if (cert->pkeys[i].serverinfo != NULL) { /* Just copy everything. */ Loading Loading @@ -375,8 +374,6 @@ void ssl_cert_clear_certs(CERT *c) cpk->serverinfo = NULL; cpk->serverinfo_length = 0; #endif /* Clear all flags apart from explicit sign */ cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN; } } Loading ssl/ssl_lib.c +12 −11 Original line number Diff line number Diff line Loading @@ -1933,9 +1933,11 @@ void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg) ssl_cert_set_cert_cb(s->cert, cb, arg); } void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) { CERT_PKEY *cpk; CERT *c = s->cert; int *pvalid = s->s3->tmp.valid_flags; int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; int rsa_enc_export, dh_rsa_export, dh_dsa_export; int rsa_tmp_export, dh_tmp_export, kl; Loading Loading @@ -1972,22 +1974,21 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) have_ecdh_tmp = (c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto); #endif cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); rsa_enc = cpk->valid_flags & CERT_PKEY_VALID; rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID; rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); rsa_sign = cpk->valid_flags & CERT_PKEY_SIGN; rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN; cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); dsa_sign = cpk->valid_flags & CERT_PKEY_SIGN; dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN; cpk = &(c->pkeys[SSL_PKEY_DH_RSA]); dh_rsa = cpk->valid_flags & CERT_PKEY_VALID; dh_rsa = pvalid[SSL_PKEY_DH_RSA] & CERT_PKEY_VALID; dh_rsa_export = (dh_rsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); cpk = &(c->pkeys[SSL_PKEY_DH_DSA]); /* FIX THIS EAY EAY EAY */ dh_dsa = cpk->valid_flags & CERT_PKEY_VALID; dh_dsa = pvalid[SSL_PKEY_DH_DSA] & CERT_PKEY_VALID; dh_dsa_export = (dh_dsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); cpk = &(c->pkeys[SSL_PKEY_ECC]); #ifndef OPENSSL_NO_EC have_ecc_cert = cpk->valid_flags & CERT_PKEY_VALID; have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; #endif mask_k = 0; mask_a = 0; Loading Loading @@ -2063,7 +2064,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; if (!(cpk->valid_flags & CERT_PKEY_SIGN)) if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN)) ecdsa_ok = 0; ecc_pkey = X509_get_pubkey(x); ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0; Loading Loading @@ -2204,7 +2205,7 @@ static int ssl_get_server_cert_index(const SSL *s) return idx; } CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) CERT_PKEY *ssl_get_server_send_pkey(SSL *s) { CERT *c; int i; Loading @@ -2212,7 +2213,7 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) c = s->cert; if (!s->s3 || !s->s3->tmp.new_cipher) return NULL; ssl_set_cert_masks(c, s->s3->tmp.new_cipher); ssl_set_masks(s, s->s3->tmp.new_cipher); #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL /* Loading ssl/ssl_locl.h +8 −8 Original line number Diff line number Diff line Loading @@ -1295,6 +1295,12 @@ typedef struct ssl3_state_st { const EVP_MD *peer_md; /* Array of digests used for signing */ const EVP_MD *md[SSL_PKEY_NUM]; /* * Set if corresponding CERT_PKEY can be used with current * SSL session: e.g. appropriate curve, signature algorithms etc. * If zero it can't be used at all. */ int valid_flags[SSL_PKEY_NUM]; } tmp; /* Connection binding to prevent renegotiation attacks */ Loading Loading @@ -1456,12 +1462,6 @@ typedef struct cert_pkey_st { unsigned char *serverinfo; size_t serverinfo_length; # endif /* * Set if CERT_PKEY can be used with current SSL session: e.g. * appropriate curve, signature algorithms etc. If zero it can't be used * at all. */ int valid_flags; } CERT_PKEY; /* Retrieve Suite B flags */ # define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS) Loading Loading @@ -1916,14 +1916,14 @@ __owur int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other int ssl_undefined_function(SSL *s); __owur int ssl_undefined_void_function(void); __owur int ssl_undefined_const_function(const SSL *s); __owur CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); __owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s); # ifndef OPENSSL_NO_TLSEXT __owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, size_t *serverinfo_length); # endif __owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd); __owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher); __owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); __owur int ssl_verify_alarm_type(long type); void ssl_load_ciphers(void); Loading Loading
ssl/s3_clnt.c +1 −1 Original line number Diff line number Diff line Loading @@ -2164,7 +2164,7 @@ int ssl3_get_certificate_request(SSL *s) /* Clear certificate digests and validity flags */ for (i = 0; i < SSL_PKEY_NUM; i++) { s->s3->tmp.md[i] = NULL; s->cert->pkeys[i].valid_flags = 0; s->s3->tmp.valid_flags[i] = 0; } if ((llen & 1) || !tls1_save_sigalgs(s, p, llen)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); Loading
ssl/s3_lib.c +1 −1 Original line number Diff line number Diff line Loading @@ -3892,7 +3892,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s)) continue; ssl_set_cert_masks(cert, c); ssl_set_masks(s, c); mask_k = cert->mask_k; mask_a = cert->mask_a; emask_k = cert->export_mask_k; Loading
ssl/ssl_cert.c +0 −3 Original line number Diff line number Diff line Loading @@ -270,7 +270,6 @@ CERT *ssl_cert_dup(CERT *cert) goto err; } } rpk->valid_flags = 0; #ifndef OPENSSL_NO_TLSEXT if (cert->pkeys[i].serverinfo != NULL) { /* Just copy everything. */ Loading Loading @@ -375,8 +374,6 @@ void ssl_cert_clear_certs(CERT *c) cpk->serverinfo = NULL; cpk->serverinfo_length = 0; #endif /* Clear all flags apart from explicit sign */ cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN; } } Loading
ssl/ssl_lib.c +12 −11 Original line number Diff line number Diff line Loading @@ -1933,9 +1933,11 @@ void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg) ssl_cert_set_cert_cb(s->cert, cb, arg); } void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) { CERT_PKEY *cpk; CERT *c = s->cert; int *pvalid = s->s3->tmp.valid_flags; int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; int rsa_enc_export, dh_rsa_export, dh_dsa_export; int rsa_tmp_export, dh_tmp_export, kl; Loading Loading @@ -1972,22 +1974,21 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) have_ecdh_tmp = (c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto); #endif cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); rsa_enc = cpk->valid_flags & CERT_PKEY_VALID; rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID; rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); rsa_sign = cpk->valid_flags & CERT_PKEY_SIGN; rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN; cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); dsa_sign = cpk->valid_flags & CERT_PKEY_SIGN; dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN; cpk = &(c->pkeys[SSL_PKEY_DH_RSA]); dh_rsa = cpk->valid_flags & CERT_PKEY_VALID; dh_rsa = pvalid[SSL_PKEY_DH_RSA] & CERT_PKEY_VALID; dh_rsa_export = (dh_rsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); cpk = &(c->pkeys[SSL_PKEY_DH_DSA]); /* FIX THIS EAY EAY EAY */ dh_dsa = cpk->valid_flags & CERT_PKEY_VALID; dh_dsa = pvalid[SSL_PKEY_DH_DSA] & CERT_PKEY_VALID; dh_dsa_export = (dh_dsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); cpk = &(c->pkeys[SSL_PKEY_ECC]); #ifndef OPENSSL_NO_EC have_ecc_cert = cpk->valid_flags & CERT_PKEY_VALID; have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; #endif mask_k = 0; mask_a = 0; Loading Loading @@ -2063,7 +2064,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; if (!(cpk->valid_flags & CERT_PKEY_SIGN)) if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN)) ecdsa_ok = 0; ecc_pkey = X509_get_pubkey(x); ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0; Loading Loading @@ -2204,7 +2205,7 @@ static int ssl_get_server_cert_index(const SSL *s) return idx; } CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) CERT_PKEY *ssl_get_server_send_pkey(SSL *s) { CERT *c; int i; Loading @@ -2212,7 +2213,7 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) c = s->cert; if (!s->s3 || !s->s3->tmp.new_cipher) return NULL; ssl_set_cert_masks(c, s->s3->tmp.new_cipher); ssl_set_masks(s, s->s3->tmp.new_cipher); #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL /* Loading
ssl/ssl_locl.h +8 −8 Original line number Diff line number Diff line Loading @@ -1295,6 +1295,12 @@ typedef struct ssl3_state_st { const EVP_MD *peer_md; /* Array of digests used for signing */ const EVP_MD *md[SSL_PKEY_NUM]; /* * Set if corresponding CERT_PKEY can be used with current * SSL session: e.g. appropriate curve, signature algorithms etc. * If zero it can't be used at all. */ int valid_flags[SSL_PKEY_NUM]; } tmp; /* Connection binding to prevent renegotiation attacks */ Loading Loading @@ -1456,12 +1462,6 @@ typedef struct cert_pkey_st { unsigned char *serverinfo; size_t serverinfo_length; # endif /* * Set if CERT_PKEY can be used with current SSL session: e.g. * appropriate curve, signature algorithms etc. If zero it can't be used * at all. */ int valid_flags; } CERT_PKEY; /* Retrieve Suite B flags */ # define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS) Loading Loading @@ -1916,14 +1916,14 @@ __owur int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other int ssl_undefined_function(SSL *s); __owur int ssl_undefined_void_function(void); __owur int ssl_undefined_const_function(const SSL *s); __owur CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); __owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s); # ifndef OPENSSL_NO_TLSEXT __owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, size_t *serverinfo_length); # endif __owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd); __owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher); __owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); __owur int ssl_verify_alarm_type(long type); void ssl_load_ciphers(void); Loading
Rich Salz <rsalz@openssl.org>Rich Salz <rsalz@openssl.org>