case SSL_CTRL_SET_CURRENT_CERT:
if (larg == SSL_CERT_SET_SERVER) {
- CERT_PKEY *cpk;
const SSL_CIPHER *cipher;
if (!s->server)
return 0;
cipher = s->s3->tmp.new_cipher;
- if (!cipher)
+ if (cipher == NULL)
return 0;
/*
* No certificate for unauthenticated ciphersuites or using SRP
*/
if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
return 2;
- cpk = ssl_get_server_send_pkey(s);
- if (!cpk)
+ if (s->s3->tmp.cert_idx == -1)
return 0;
- s->cert->key = cpk;
+ s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx];
return 1;
}
return ssl_cert_set_current(s->cert, larg);
#endif
-static int ssl_get_server_cert_index(const SSL *s)
-{
- int idx;
-
- if (SSL_IS_TLS13(s)) {
- if (s->s3->tmp.sigalg == NULL) {
- SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX, ERR_R_INTERNAL_ERROR);
- return -1;
- }
- return s->s3->tmp.cert_idx;
- }
-
- idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
- if (idx == SSL_PKEY_GOST_EC) {
- if (s->cert->pkeys[SSL_PKEY_GOST12_512].x509)
- idx = SSL_PKEY_GOST12_512;
- else if (s->cert->pkeys[SSL_PKEY_GOST12_256].x509)
- idx = SSL_PKEY_GOST12_256;
- else if (s->cert->pkeys[SSL_PKEY_GOST01].x509)
- idx = SSL_PKEY_GOST01;
- else
- idx = -1;
- }
- if (idx == -1)
- SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX, ERR_R_INTERNAL_ERROR);
- return idx;
-}
-
-CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
-{
- CERT *c;
- int i;
-
- c = s->cert;
- if (!s->s3 || !s->s3->tmp.new_cipher)
- return NULL;
- ssl_set_masks(s);
-
- i = ssl_get_server_cert_index(s);
-
- /* This may or may not be an error. */
- if (i < 0)
- return NULL;
-
- /* May be NULL. */
- return &c->pkeys[i];
-}
-
-EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
- const EVP_MD **pmd)
-{
- unsigned long alg_a;
- CERT *c;
- int idx = -1;
-
- alg_a = cipher->algorithm_auth;
- c = s->cert;
-
- if (alg_a & SSL_aDSS && c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)
- idx = SSL_PKEY_DSA_SIGN;
- else if (alg_a & SSL_aRSA && c->pkeys[SSL_PKEY_RSA].privatekey != NULL)
- idx = SSL_PKEY_RSA;
- else if (alg_a & SSL_aECDSA &&
- c->pkeys[SSL_PKEY_ECC].privatekey != NULL)
- idx = SSL_PKEY_ECC;
- if (idx == -1) {
- SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR);
- return (NULL);
- }
- if (pmd)
- *pmd = s->s3->tmp.md[idx];
- return c->pkeys[idx].privatekey;
-}
-
int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
size_t *serverinfo_length)
{
*serverinfo_length = 0;
c = s->cert;
- i = ssl_get_server_cert_index(s);
+ i = s->s3->tmp.cert_idx;
if (i == -1)
return 0;
int ssl_undefined_function(SSL *s);
__owur int ssl_undefined_void_function(void);
__owur int ssl_undefined_const_function(const SSL *s);
-__owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s);
__owur int ssl_get_server_cert_serverinfo(SSL *s,
const unsigned char **serverinfo,
size_t *serverinfo_length);
-__owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c,
- const EVP_MD **pmd);
__owur int ssl_cert_type(const X509 *x, const EVP_PKEY *pkey);
void ssl_set_masks(SSL *s);
__owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
al = SSL_AD_DECODE_ERROR;
goto err;
}
- md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
#ifdef SSL_DEBUG
fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
- } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
- md = EVP_md5_sha1();
- } else {
- md = EVP_sha1();
+ } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
+ al = SSL_AD_INTERNAL_ERROR;
+ goto err;
}
+ md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
+
if (!PACKET_get_length_prefixed_2(pkt, &signature)
|| PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR;
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
- md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
#ifdef SSL_DEBUG
fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
- } else {
- /* Use default digest for this key type */
- int idx = ssl_cert_type(NULL, pkey);
- if (idx >= 0)
- md = s->s3->tmp.md[idx];
- if (md == NULL) {
+ } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
- }
}
+ md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
+
if (!PACKET_get_net_2(pkt, &len)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
al = SSL_AD_DECODE_ERROR;
if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
&& s->ctx->ext.status_cb != NULL) {
int ret;
- CERT_PKEY *certpkey = ssl_get_server_send_pkey(s);
/* If no certificate can't return certificate status */
- if (certpkey != NULL) {
+ if (s->s3->tmp.cert_idx != -1) {
/*
* Set current certificate to one we will use so SSL_get_certificate
* et al can pick it up.
*/
- s->cert->key = certpkey;
+ s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx];
ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
switch (ret) {
/* We don't want to send a status request response */
if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
- if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
- == NULL) {
+ if (s->s3->tmp.cert_idx == -1 || s->s3->tmp.sigalg == NULL) {
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
+ pkey = s->cert->pkeys[s->s3->tmp.cert_idx].privatekey;
+ md = ssl_md(s->s3->tmp.sigalg->hash_idx);
} else {
pkey = NULL;
}
CERT_PKEY *cpk;
int al = SSL_AD_INTERNAL_ERROR;
- cpk = ssl_get_server_send_pkey(s);
- if (cpk == NULL) {
+ if (s->s3->tmp.cert_idx == -1) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
return 0;
}
+ cpk = &s->cert->pkeys[s->s3->tmp.cert_idx];
/*
* In TLSv1.3 the certificate chain is always preceded by a 0 length context
else
dh_secbits = 80;
} else {
- CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
+ CERT_PKEY *cpk;
+ if (s->s3->tmp.cert_idx == -1)
+ return NULL;
+ cpk = &s->cert->pkeys[s->s3->tmp.cert_idx];
dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
}
projects / openssl.git / commitdiff