*/
if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
return 2;
- if (s->s3->tmp.cert_idx == -1)
+ if (s->s3->tmp.cert == NULL)
return 0;
- s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx];
+ s->cert->key = s->s3->tmp.cert;
return 1;
}
return ssl_cert_set_current(s->cert, larg);
int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
size_t *serverinfo_length)
{
- CERT *c = NULL;
- int i = 0;
+ CERT_PKEY *cpk = s->s3->tmp.cert;
*serverinfo_length = 0;
- c = s->cert;
- i = s->s3->tmp.cert_idx;
-
- if (i == -1)
- return 0;
- if (c->pkeys[i].serverinfo == NULL)
+ if (cpk == NULL || cpk->serverinfo == NULL)
return 0;
- *serverinfo = c->pkeys[i].serverinfo;
- *serverinfo_length = c->pkeys[i].serverinfo_length;
+ *serverinfo = cpk->serverinfo;
+ *serverinfo_length = cpk->serverinfo_length;
return 1;
}
int curve;
} SIGALG_LOOKUP;
+typedef struct cert_pkey_st CERT_PKEY;
+
typedef struct ssl3_state_st {
long flags;
size_t read_mac_secret_size;
# endif
/* Signature algorithm we actually use */
const SIGALG_LOOKUP *sigalg;
- /* Index of certificate we use */
- int cert_idx;
+ /* Pointer to certificate we use */
+ CERT_PKEY *cert;
/*
* signature algorithms peer reports: e.g. supported signature
* algorithms extension for server or as part of a certificate
# define NAMED_CURVE_TYPE 3
# endif /* OPENSSL_NO_EC */
-typedef struct cert_pkey_st {
+struct cert_pkey_st {
X509 *x509;
EVP_PKEY *privatekey;
/* Chain for this certificate */
*/
unsigned char *serverinfo;
size_t serverinfo_length;
-} CERT_PKEY;
+};
/* Retrieve Suite B flags */
# define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
/* Uses to check strict mode: suite B modes are always strict */
int ret;
/* If no certificate can't return certificate status */
- if (s->s3->tmp.cert_idx != -1) {
+ if (s->s3->tmp.cert != NULL) {
/*
* Set current certificate to one we will use so SSL_get_certificate
* et al can pick it up.
*/
- s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx];
+ s->cert->key = s->s3->tmp.cert;
ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
switch (ret) {
/* We don't want to send a status request response */
/* not anonymous */
if (lu != NULL) {
- EVP_PKEY *pkey = s->cert->pkeys[s->s3->tmp.cert_idx].privatekey;
+ EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
const EVP_MD *md = ssl_md(lu->hash_idx);
unsigned char *sigbytes1, *sigbytes2;
size_t siglen;
int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
{
- CERT_PKEY *cpk;
+ CERT_PKEY *cpk = s->s3->tmp.cert;
int al = SSL_AD_INTERNAL_ERROR;
- if (s->s3->tmp.cert_idx == -1) {
+ if (cpk == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
return 0;
}
- cpk = &s->cert->pkeys[s->s3->tmp.cert_idx];
/*
* In TLSv1.3 the certificate chain is always preceded by a 0 length context
else
dh_secbits = 80;
} else {
- CERT_PKEY *cpk;
- if (s->s3->tmp.cert_idx == -1)
+ if (s->s3->tmp.cert == NULL)
return NULL;
- cpk = &s->cert->pkeys[s->s3->tmp.cert_idx];
- dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
}
if (dh_secbits >= 128) {
idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
/* If no certificate for ciphersuite return */
if (idx == -1) {
- s->s3->tmp.cert_idx = -1;
+ s->s3->tmp.cert = NULL;
s->s3->tmp.sigalg = NULL;
return 1;
}
}
}
}
- s->s3->tmp.cert_idx = idx;
+ s->s3->tmp.cert = &s->cert->pkeys[idx];
s->s3->tmp.sigalg = lu;
return 1;
}
projects / oweals / openssl.git / commitdiff