Revise ssl code to use a CERT_PKEY structure when outputting a
authorDr. Stephen Henson <steve@openssl.org>
Thu, 26 Jan 2012 16:00:34 +0000 (16:00 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 26 Jan 2012 16:00:34 +0000 (16:00 +0000)
certificate chain instead of an X509 structure.

This makes it easier to enhance code in future and the chain
output functions have access to the CERT_PKEY structure being
used.

ssl/d1_both.c
ssl/d1_clnt.c
ssl/d1_srvr.c
ssl/s3_both.c
ssl/s3_clnt.c
ssl/s3_srvr.c
ssl/ssl_cert.c
ssl/ssl_lib.c
ssl/ssl_locl.h

index ad2d1fc..b96e34f 100644 (file)
@@ -992,13 +992,13 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
        return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
        }
 
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk)
        {
        unsigned char *p;
        unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH;
        BUF_MEM *buf=s->init_buf;
 
-       if (!ssl_add_cert_chain(s, x, &l))
+       if (!ssl_add_cert_chain(s, cpk, &l))
                return 0;
 
        l-= (3 + DTLS1_HM_HEADER_LENGTH);
index bb1fd6a..299ffb3 100644 (file)
@@ -1695,7 +1695,7 @@ int dtls1_send_client_certificate(SSL *s)
                {
                s->state=SSL3_ST_CW_CERT_D;
                l=dtls1_output_cert_chain(s,
-                       (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+                       (s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
                s->init_num=(int)l;
                s->init_off=0;
 
index 6af53b2..89f47ce 100644 (file)
@@ -1570,12 +1570,12 @@ err:
 int dtls1_send_server_certificate(SSL *s)
        {
        unsigned long l;
-       X509 *x;
+       CERT_PKEY *cpk;
 
        if (s->state == SSL3_ST_SW_CERT_A)
                {
-               x=ssl_get_server_send_cert(s);
-               if (x == NULL)
+               cpk=ssl_get_server_send_pkey(s);
+               if (cpk == NULL)
                        {
                        /* VRS: allow null cert if auth == KRB5 */
                        if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
@@ -1586,7 +1586,7 @@ int dtls1_send_server_certificate(SSL *s)
                                }
                        }
 
-               l=dtls1_output_cert_chain(s,x);
+               l=dtls1_output_cert_chain(s,cpk);
                s->state=SSL3_ST_SW_CERT_B;
                s->init_num=(int)l;
                s->init_off=0;
index 153b2bf..11a9998 100644 (file)
@@ -321,13 +321,13 @@ int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
        return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
        }
 
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk)
        {
        unsigned char *p;
        unsigned long l=7;
        BUF_MEM *buf = s->init_buf;
 
-       if (!ssl_add_cert_chain(s, x, &l))
+       if (!ssl_add_cert_chain(s, cpk, &l))
                return 0;
 
        l-=7;
index 7a8b7f2..e7b477a 100644 (file)
@@ -3177,7 +3177,7 @@ int ssl3_send_client_certificate(SSL *s)
                {
                s->state=SSL3_ST_CW_CERT_D;
                l=ssl3_output_cert_chain(s,
-                       (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+                       (s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
                s->init_num=(int)l;
                s->init_off=0;
                }
index a3343a5..b0c32bc 100644 (file)
@@ -3362,12 +3362,12 @@ err:
 int ssl3_send_server_certificate(SSL *s)
        {
        unsigned long l;
-       X509 *x;
+       CERT_PKEY *cpk;
 
        if (s->state == SSL3_ST_SW_CERT_A)
                {
-               x=ssl_get_server_send_cert(s);
-               if (x == NULL)
+               cpk=ssl_get_server_send_pkey(s);
+               if (cpk == NULL)
                        {
                        /* VRS: allow null cert if auth == KRB5 */
                        if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
@@ -3378,7 +3378,7 @@ int ssl3_send_server_certificate(SSL *s)
                                }
                        }
 
-               l=ssl3_output_cert_chain(s,x);
+               l=ssl3_output_cert_chain(s,cpk);
                s->state=SSL3_ST_SW_CERT_B;
                s->init_num=(int)l;
                s->init_off=0;
index c1e7ec1..3ad1f49 100644 (file)
@@ -873,12 +873,19 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
        }
 
 /* Add certificate chain to internal SSL BUF_MEM strcuture */
-int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l)
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
        {
        BUF_MEM *buf = s->init_buf;
        int no_chain;
        int i;
 
+       X509 *x;
+
+       if (cpk)
+               x = cpk->x509;
+       else
+               x = NULL;
+
        if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
                no_chain = 1;
        else
index 9f29f3e..c1c825b 100644 (file)
@@ -2292,7 +2292,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 #endif
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
        {
        unsigned long alg_k,alg_a;
        CERT *c;
@@ -2352,7 +2352,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
                }
        if (c->pkeys[i].x509 == NULL) return(NULL);
 
-       return(c->pkeys[i].x509);
+       return(&c->pkeys[i]);
        }
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
index 25f5fd4..6660558 100644 (file)
@@ -825,11 +825,11 @@ int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
                       const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
 int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);                         
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
-int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l);
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
-X509 *ssl_get_server_send_cert(SSL *);
+CERT_PKEY *ssl_get_server_send_pkey(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
@@ -897,7 +897,7 @@ void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
 int ssl3_enc(SSL *s, int send_data);
 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
 void ssl3_free_digest_list(SSL *s);
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
                               STACK_OF(SSL_CIPHER) *srvr);
 int    ssl3_setup_buffers(SSL *s);
@@ -951,7 +951,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
 
 int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 int dtls1_read_failed(SSL *s, int code);
 int dtls1_buffer_message(SSL *s, int ccs);
 int dtls1_retransmit_message(SSL *s, unsigned short seq,