Move |no_cert_verify| into state machine

The |no_cert_verify| should be in the state machine structure not in SSL

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ad590e5116103dcc54ff0a474b3bd486888403a6..445907d6172b8c5e0900575e4108780f5bdfdb2c 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -225,7 +225,6 @@ int SSL_clear(SSL *s)
     s->init_buf = NULL;
     clear_ciphers(s);
     s->first_packet = 0;
-    s->no_cert_verify = 0;
 
     /*
      * Check to see if we were changed into a different method, if so, revert

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 2c22ee3ac4fdf8bc458cbf98ac379b151adc6f87..24ce4f752ac2179dc05fb38f3076581c540f48a3 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1021,9 +1021,6 @@ struct ssl_st {
     struct ssl3_state_st *s3;   /* SSLv3 variables */
     struct dtls1_state_st *d1;  /* DTLSv1 variables */
 
-    /* Should we skip the CertificateVerify message? */
-    unsigned int no_cert_verify;
-
     /* callback that allows applications to peek at protocol messages */
     void (*msg_callback) (int write_p, int version, int content_type,
                           const void *buf, size_t len, SSL *ssl, void *arg);

diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 6ff60eaccd981b448966762d2311af2982c228c4..ac795ab052f265460991d21908fc3b2c1bcf3c21 100644 (file)
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -155,6 +155,7 @@ void ossl_statem_clear(SSL *s)
     s->statem.state = MSG_FLOW_UNINITED;
     s->statem.hand_state = TLS_ST_BEFORE;
     s->statem.in_init = 1;
+    s->statem.no_cert_verify = 0;
 }
 
 /*

diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h
index fcc6163863d2985091073a98a88c4c7dc9796050..f65e09f0c479cfa6a3c3d39f1bcea2bdcb2f0536 100644 (file)
--- a/ssl/statem/statem.h
+++ b/ssl/statem/statem.h
@@ -135,6 +135,10 @@ struct statem_st {
     OSSL_HANDSHAKE_STATE hand_state;
     int in_init;
     int read_state_first_init;
+
+    /* Should we skip the CertificateVerify message? */
+    unsigned int no_cert_verify;
+
     int use_timer;
 #ifndef OPENSSL_NO_SCTP
     int in_sctp_read_sock;

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index b940280e5b0e0f5e12f841f7fd86e081c3ff9487..103f3cc3a6b8073b73bc983198db0cd8a6b55aed 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -232,10 +232,10 @@ int server_read_transition(SSL *s, int mt)
          * received a Certificate from the client. If so then |s->session->peer|
          * will be non NULL. In some instances a CertificateVerify message is
          * not required even if the peer has sent a Certificate (e.g. such as in
-         * the case of static DH). In that case |s->no_cert_verify| should be
+         * the case of static DH). In that case |st->no_cert_verify| should be
          * set.
          */
-        if (s->session->peer == NULL || s->no_cert_verify) {
+        if (s->session->peer == NULL || st->no_cert_verify) {
             if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                 /*
                  * For the ECDH ciphersuites when the client sends its ECDH
@@ -2619,7 +2619,7 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
             goto f_err;
         }
         if (dh_clnt) {
-            s->no_cert_verify = 1;
+            s->statem.no_cert_verify = 1;
             return MSG_PROCESS_CONTINUE_PROCESSING;
         }
     } else
@@ -2697,7 +2697,7 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
                 SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
                 goto err;
             }
-            s->no_cert_verify = 1;
+            s->statem.no_cert_verify = 1;
         } else {
             /*
              * Get client's public key from encoded point in the
@@ -2854,7 +2854,7 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
         /* Check if pubkey from client certificate was used */
         if (EVP_PKEY_CTX_ctrl
             (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
-            s->no_cert_verify = 1;
+            s->statem.no_cert_verify = 1;
 
         EVP_PKEY_free(client_pub_pkey);
         EVP_PKEY_CTX_free(pkey_ctx);
@@ -2924,7 +2924,7 @@ enum WORK_STATE tls_post_process_client_key_exchange(SSL *s,
             /* Are we renegotiating? */
             && s->renegotiate
             /* Are we going to skip the CertificateVerify? */
-            && (s->session->peer == NULL || s->no_cert_verify)
+            && (s->session->peer == NULL || s->statem.no_cert_verify)
             && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
         s->s3->in_read_app_data = 2;
         s->rwstate = SSL_READING;
@@ -2937,7 +2937,7 @@ enum WORK_STATE tls_post_process_client_key_exchange(SSL *s,
     }
 #endif
 
-    if (s->no_cert_verify) {
+    if (s->statem.no_cert_verify) {
         /* No certificate verify so we no longer need the handshake_buffer */
         BIO_free(s->s3->handshake_buffer);
         return WORK_FINISHED_CONTINUE;