From c526ed410cdff6af4729e6abba658759ed19f753 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 26 Jan 2012 16:00:34 +0000 Subject: [PATCH] Revise ssl code to use a CERT_PKEY structure when outputting a certificate chain instead of an X509 structure. This makes it easier to enhance code in future and the chain output functions have access to the CERT_PKEY structure being used. --- ssl/d1_both.c | 4 ++-- ssl/d1_clnt.c | 2 +- ssl/d1_srvr.c | 8 ++++---- ssl/s3_both.c | 4 ++-- ssl/s3_clnt.c | 2 +- ssl/s3_srvr.c | 8 ++++---- ssl/ssl_cert.c | 9 ++++++++- ssl/ssl_lib.c | 4 ++-- ssl/ssl_locl.h | 8 ++++---- 9 files changed, 28 insertions(+), 21 deletions(-) diff --git a/ssl/d1_both.c b/ssl/d1_both.c index ad2d1fcc98..b96e34f2e0 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -992,13 +992,13 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b) return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC)); } -unsigned long dtls1_output_cert_chain(SSL *s, X509 *x) +unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk) { unsigned char *p; unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH; BUF_MEM *buf=s->init_buf; - if (!ssl_add_cert_chain(s, x, &l)) + if (!ssl_add_cert_chain(s, cpk, &l)) return 0; l-= (3 + DTLS1_HM_HEADER_LENGTH); diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index bb1fd6ac0a..299ffb39b6 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -1695,7 +1695,7 @@ int dtls1_send_client_certificate(SSL *s) { s->state=SSL3_ST_CW_CERT_D; l=dtls1_output_cert_chain(s, - (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); + (s->s3->tmp.cert_req == 2)?NULL:s->cert->key); s->init_num=(int)l; s->init_off=0; diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 6af53b2ff4..89f47ce97f 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -1570,12 +1570,12 @@ err: int dtls1_send_server_certificate(SSL *s) { unsigned long l; - X509 *x; + CERT_PKEY *cpk; if (s->state == SSL3_ST_SW_CERT_A) { - x=ssl_get_server_send_cert(s); - if (x == NULL) + cpk=ssl_get_server_send_pkey(s); + if (cpk == NULL) { /* VRS: allow null cert if auth == KRB5 */ if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) || @@ -1586,7 +1586,7 @@ int dtls1_send_server_certificate(SSL *s) } } - l=dtls1_output_cert_chain(s,x); + l=dtls1_output_cert_chain(s,cpk); s->state=SSL3_ST_SW_CERT_B; s->init_num=(int)l; s->init_off=0; diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 153b2bfc78..11a9998c59 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -321,13 +321,13 @@ int ssl3_send_change_cipher_spec(SSL *s, int a, int b) return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC)); } -unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) +unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) { unsigned char *p; unsigned long l=7; BUF_MEM *buf = s->init_buf; - if (!ssl_add_cert_chain(s, x, &l)) + if (!ssl_add_cert_chain(s, cpk, &l)) return 0; l-=7; diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 7a8b7f27d0..e7b477a5e7 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -3177,7 +3177,7 @@ int ssl3_send_client_certificate(SSL *s) { s->state=SSL3_ST_CW_CERT_D; l=ssl3_output_cert_chain(s, - (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); + (s->s3->tmp.cert_req == 2)?NULL:s->cert->key); s->init_num=(int)l; s->init_off=0; } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index a3343a562a..b0c32bcc07 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -3362,12 +3362,12 @@ err: int ssl3_send_server_certificate(SSL *s) { unsigned long l; - X509 *x; + CERT_PKEY *cpk; if (s->state == SSL3_ST_SW_CERT_A) { - x=ssl_get_server_send_cert(s); - if (x == NULL) + cpk=ssl_get_server_send_pkey(s); + if (cpk == NULL) { /* VRS: allow null cert if auth == KRB5 */ if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) || @@ -3378,7 +3378,7 @@ int ssl3_send_server_certificate(SSL *s) } } - l=ssl3_output_cert_chain(s,x); + l=ssl3_output_cert_chain(s,cpk); s->state=SSL3_ST_SW_CERT_B; s->init_num=(int)l; s->init_off=0; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index c1e7ec1b7e..3ad1f49478 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -873,12 +873,19 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) } /* Add certificate chain to internal SSL BUF_MEM strcuture */ -int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l) +int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) { BUF_MEM *buf = s->init_buf; int no_chain; int i; + X509 *x; + + if (cpk) + x = cpk->x509; + else + x = NULL; + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) no_chain = 1; else diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9f29f3e10b..c1c825b533 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2292,7 +2292,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) #endif /* THIS NEEDS CLEANING UP */ -X509 *ssl_get_server_send_cert(SSL *s) +CERT_PKEY *ssl_get_server_send_pkey(SSL *s) { unsigned long alg_k,alg_a; CERT *c; @@ -2352,7 +2352,7 @@ X509 *ssl_get_server_send_cert(SSL *s) } if (c->pkeys[i].x509 == NULL) return(NULL); - return(c->pkeys[i].x509); + return(&c->pkeys[i]); } EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 25f5fd49fb..66605586ac 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -825,11 +825,11 @@ int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc, const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp); int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md); int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); -int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l); +int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l); int ssl_undefined_function(SSL *s); int ssl_undefined_void_function(void); int ssl_undefined_const_function(const SSL *s); -X509 *ssl_get_server_send_cert(SSL *); +CERT_PKEY *ssl_get_server_send_pkey(SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); @@ -897,7 +897,7 @@ void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len); int ssl3_enc(SSL *s, int send_data); int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data); void ssl3_free_digest_list(SSL *s); -unsigned long ssl3_output_cert_chain(SSL *s, X509 *x); +unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk); SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *srvr); int ssl3_setup_buffers(SSL *s); @@ -951,7 +951,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, int len); int dtls1_send_change_cipher_spec(SSL *s, int a, int b); int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen); -unsigned long dtls1_output_cert_chain(SSL *s, X509 *x); +unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk); int dtls1_read_failed(SSL *s, int code); int dtls1_buffer_message(SSL *s, int ccs); int dtls1_retransmit_message(SSL *s, unsigned short seq, -- 2.34.1