Commit a497cf25 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Use CERT_PKEY pointer instead of index 



Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
parent f695571e

ssl/s3_lib.c

+2 −2
Original line number Diff line number Diff line
@@ -3149,9 +3149,9 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 
             */

            if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))

                return 2;

            if (s->s3->tmp.cert_idx == -1)

            if (s->s3->tmp.cert == NULL)

                return 0;

            s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx];

            s->cert->key = s->s3->tmp.cert;

            return 1;

        }

        return ssl_cert_set_current(s->cert, larg);

ssl/ssl_lib.c

+4 −10
Original line number Diff line number Diff line
@@ -2836,20 +2836,14 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) 
int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,

                                   size_t *serverinfo_length)

{

    CERT *c = NULL;

    int i = 0;

    CERT_PKEY *cpk = s->s3->tmp.cert;

    *serverinfo_length = 0;



    c = s->cert;

    i = s->s3->tmp.cert_idx;



    if (i == -1)

        return 0;

    if (c->pkeys[i].serverinfo == NULL)

    if (cpk == NULL || cpk->serverinfo == NULL)

        return 0;



    *serverinfo = c->pkeys[i].serverinfo;

    *serverinfo_length = c->pkeys[i].serverinfo_length;

    *serverinfo = cpk->serverinfo;

    *serverinfo_length = cpk->serverinfo_length;

    return 1;

}

ssl/ssl_locl.h

+6 −4
Original line number Diff line number Diff line
@@ -1213,6 +1213,8 @@ typedef struct sigalg_lookup_st { 
    int curve;

} SIGALG_LOOKUP;



typedef struct cert_pkey_st CERT_PKEY;



typedef struct ssl3_state_st {

    long flags;

    size_t read_mac_secret_size;
@@ -1296,8 +1298,8 @@ typedef struct ssl3_state_st { 
# endif

        /* Signature algorithm we actually use */

        const SIGALG_LOOKUP *sigalg;

        /* Index of certificate we use */

        int cert_idx;

        /* Pointer to certificate we use */

        CERT_PKEY *cert;

        /*

         * signature algorithms peer reports: e.g. supported signature

         * algorithms extension for server or as part of a certificate
@@ -1491,7 +1493,7 @@ typedef struct dtls1_state_st { 
#  define NAMED_CURVE_TYPE           3

# endif                         /* OPENSSL_NO_EC */



typedef struct cert_pkey_st {

struct cert_pkey_st {

    X509 *x509;

    EVP_PKEY *privatekey;

    /* Chain for this certificate */
@@ -1505,7 +1507,7 @@ typedef struct cert_pkey_st { 
     */

    unsigned char *serverinfo;

    size_t serverinfo_length;

} CERT_PKEY;

};

/* Retrieve Suite B flags */

# define tls1_suiteb(s)  (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)

/* Uses to check strict mode: suite B modes are always strict */

ssl/statem/statem_srvr.c

+5 −6
Original line number Diff line number Diff line
@@ -1761,12 +1761,12 @@ static int tls_handle_status_request(SSL *s, int *al) 
        int ret;



        /* If no certificate can't return certificate status */

        if (s->s3->tmp.cert_idx != -1) {

        if (s->s3->tmp.cert != NULL) {

            /*

             * Set current certificate to one we will use so SSL_get_certificate

             * et al can pick it up.

             */

            s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx];

            s->cert->key = s->s3->tmp.cert;

            ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);

            switch (ret) {

                /* We don't want to send a status request response */
@@ -2249,7 +2249,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) 


    /* not anonymous */

    if (lu != NULL) {

        EVP_PKEY *pkey = s->cert->pkeys[s->s3->tmp.cert_idx].privatekey;

        EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;

        const EVP_MD *md = ssl_md(lu->hash_idx);

        unsigned char *sigbytes1, *sigbytes2;

        size_t siglen;
@@ -3197,14 +3197,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) 


int tls_construct_server_certificate(SSL *s, WPACKET *pkt)

{

    CERT_PKEY *cpk;

    CERT_PKEY *cpk = s->s3->tmp.cert;

    int al = SSL_AD_INTERNAL_ERROR;



    if (s->s3->tmp.cert_idx == -1) {

    if (cpk == NULL) {

        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);

        return 0;

    }

    cpk = &s->cert->pkeys[s->s3->tmp.cert_idx];



    /*

     * In TLSv1.3 the certificate chain is always preceded by a 0 length context

ssl/t1_lib.c

+4 −6
Original line number Diff line number Diff line
@@ -2201,11 +2201,9 @@ DH *ssl_get_auto_dh(SSL *s) 
        else

            dh_secbits = 80;

    } else {

        CERT_PKEY *cpk;

        if (s->s3->tmp.cert_idx == -1)

        if (s->s3->tmp.cert == NULL)

            return NULL;

        cpk = &s->cert->pkeys[s->s3->tmp.cert_idx];

        dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);

        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);

    }



    if (dh_secbits >= 128) {
@@ -2369,7 +2367,7 @@ int tls_choose_sigalg(SSL *s, int *al) 
        idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);

        /* If no certificate for ciphersuite return */

        if (idx == -1) {

            s->s3->tmp.cert_idx = -1;

            s->s3->tmp.cert = NULL;

            s->s3->tmp.sigalg = NULL;

            return 1;

        }
@@ -2445,7 +2443,7 @@ int tls_choose_sigalg(SSL *s, int *al) 
            }

        }

    }

    s->s3->tmp.cert_idx = idx;

    s->s3->tmp.cert = &s->cert->pkeys[idx];

    s->s3->tmp.sigalg = lu;

    return 1;

}