Replace SSL_PKEY_RSA_ENC, SSL_PKEY_RSA_SIGN (d0ff28f8) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

ssl/ssl_cert.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -63,7 +63,7 @@ CERT *ssl_cert_new(void)
	return NULL;		return NULL;
	}		}

	ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);		ret->key = &(ret->pkeys[SSL_PKEY_RSA]);
	ret->references = 1;		ret->references = 1;
	ret->sec_cb = ssl_security_default_callback;		ret->sec_cb = ssl_security_default_callback;
	ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;		ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;

ssl/ssl_ciph.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -1909,7 +1909,7 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
	else if (alg_a & SSL_aDSS)		else if (alg_a & SSL_aDSS)
	return SSL_PKEY_DSA_SIGN;		return SSL_PKEY_DSA_SIGN;
	else if (alg_a & SSL_aRSA)		else if (alg_a & SSL_aRSA)
	return SSL_PKEY_RSA_ENC;		return SSL_PKEY_RSA;
	else if (alg_a & SSL_aGOST12)		else if (alg_a & SSL_aGOST12)
	return SSL_PKEY_GOST_EC;		return SSL_PKEY_GOST_EC;
	else if (alg_a & SSL_aGOST01)		else if (alg_a & SSL_aGOST01)

ssl/ssl_lib.c

+7 −12

Original line number	Original line	Diff line number	Diff line
	@@ -2740,8 +2740,8 @@ void ssl_set_masks(SSL *s)
	dh_tmp = 0;		dh_tmp = 0;
	#endif		#endif

	rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID;		rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
	rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN;		rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_SIGN;
	dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN;		dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN;
	#ifndef OPENSSL_NO_EC		#ifndef OPENSSL_NO_EC
	have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;		have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
	@@ -2855,8 +2855,6 @@ static int ssl_get_server_cert_index(const SSL *s)
	}		}

	idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);		idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
	if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509)
	idx = SSL_PKEY_RSA_SIGN;
	if (idx == SSL_PKEY_GOST_EC) {		if (idx == SSL_PKEY_GOST_EC) {
	if (s->cert->pkeys[SSL_PKEY_GOST12_512].x509)		if (s->cert->pkeys[SSL_PKEY_GOST12_512].x509)
	idx = SSL_PKEY_GOST12_512;		idx = SSL_PKEY_GOST12_512;
	@@ -2902,15 +2900,12 @@ EVP_PKEY ssl_get_sign_pkey(SSL s, const SSL_CIPHER *cipher,
	alg_a = cipher->algorithm_auth;		alg_a = cipher->algorithm_auth;
	c = s->cert;		c = s->cert;

	if ((alg_a & SSL_aDSS) && (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))		if (alg_a & SSL_aDSS && c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)
	idx = SSL_PKEY_DSA_SIGN;		idx = SSL_PKEY_DSA_SIGN;
	else if (alg_a & SSL_aRSA) {		else if (alg_a & SSL_aRSA && c->pkeys[SSL_PKEY_RSA].privatekey != NULL)
	if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)		idx = SSL_PKEY_RSA;
	idx = SSL_PKEY_RSA_SIGN;		else if (alg_a & SSL_aECDSA &&
	else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)		c->pkeys[SSL_PKEY_ECC].privatekey != NULL)
	idx = SSL_PKEY_RSA_ENC;
	} else if ((alg_a & SSL_aECDSA) &&
	(c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
	idx = SSL_PKEY_ECC;		idx = SSL_PKEY_ECC;
	if (idx == -1) {		if (idx == -1) {
	SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR);		SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR);

ssl/ssl_locl.h

+9 −10

Original line number	Original line	Diff line number	Diff line
	@@ -398,14 +398,13 @@
	# define SSL_USE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)		# define SSL_USE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)

	/* Mostly for SSLv3 */		/* Mostly for SSLv3 */
	# define SSL_PKEY_RSA_ENC 0		# define SSL_PKEY_RSA 0
	# define SSL_PKEY_RSA_SIGN 1		# define SSL_PKEY_DSA_SIGN 1
	# define SSL_PKEY_DSA_SIGN 2		# define SSL_PKEY_ECC 2
	# define SSL_PKEY_ECC 3		# define SSL_PKEY_GOST01 3
	# define SSL_PKEY_GOST01 4		# define SSL_PKEY_GOST12_256 4
	# define SSL_PKEY_GOST12_256 5		# define SSL_PKEY_GOST12_512 5
	# define SSL_PKEY_GOST12_512 6		# define SSL_PKEY_NUM 6
	# define SSL_PKEY_NUM 7
	/*		/*
	* Pseudo-constant. GOST cipher suites can use different certs for 1		* Pseudo-constant. GOST cipher suites can use different certs for 1
	* SSL_CIPHER. So let's see which one we have in fact.		* SSL_CIPHER. So let's see which one we have in fact.
	@@ -413,10 +412,10 @@
	# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1		# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1

	/*		/*
	* TODO(TLS1.3) for now use RSA_SIGN keys for PSS		* TODO(TLS1.3) for now use SSL_PKEY_RSA keys for PSS
	*/		*/

	#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA_SIGN		#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA

	/*-		/*-
	* SSL_kRSA <- RSA_ENC		* SSL_kRSA <- RSA_ENC

ssl/statem/statem_lib.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -1071,7 +1071,7 @@ int ssl_cert_type(const X509 x, const EVP_PKEY pk)
	default:		default:
	return -1;		return -1;
	case EVP_PKEY_RSA:		case EVP_PKEY_RSA:
	return SSL_PKEY_RSA_ENC;		return SSL_PKEY_RSA;
	case EVP_PKEY_DSA:		case EVP_PKEY_DSA:
	return SSL_PKEY_DSA_SIGN;		return SSL_PKEY_DSA_SIGN;
	#ifndef OPENSSL_NO_EC		#ifndef OPENSSL_NO_EC