dh_tmp = 0;
#endif
- rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID;
- rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN;
+ rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
+ rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_SIGN;
dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN;
#ifndef OPENSSL_NO_EC
have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
}
idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
- if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509)
- idx = SSL_PKEY_RSA_SIGN;
if (idx == SSL_PKEY_GOST_EC) {
if (s->cert->pkeys[SSL_PKEY_GOST12_512].x509)
idx = SSL_PKEY_GOST12_512;
alg_a = cipher->algorithm_auth;
c = s->cert;
- if ((alg_a & SSL_aDSS) && (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
+ if (alg_a & SSL_aDSS && c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)
idx = SSL_PKEY_DSA_SIGN;
- else if (alg_a & SSL_aRSA) {
- if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
- idx = SSL_PKEY_RSA_SIGN;
- else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
- idx = SSL_PKEY_RSA_ENC;
- } else if ((alg_a & SSL_aECDSA) &&
- (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
+ else if (alg_a & SSL_aRSA && c->pkeys[SSL_PKEY_RSA].privatekey != NULL)
+ idx = SSL_PKEY_RSA;
+ else if (alg_a & SSL_aECDSA &&
+ c->pkeys[SSL_PKEY_ECC].privatekey != NULL)
idx = SSL_PKEY_ECC;
if (idx == -1) {
SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR);
# define SSL_USE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
/* Mostly for SSLv3 */
-# define SSL_PKEY_RSA_ENC 0
-# define SSL_PKEY_RSA_SIGN 1
-# define SSL_PKEY_DSA_SIGN 2
-# define SSL_PKEY_ECC 3
-# define SSL_PKEY_GOST01 4
-# define SSL_PKEY_GOST12_256 5
-# define SSL_PKEY_GOST12_512 6
-# define SSL_PKEY_NUM 7
+# define SSL_PKEY_RSA 0
+# define SSL_PKEY_DSA_SIGN 1
+# define SSL_PKEY_ECC 2
+# define SSL_PKEY_GOST01 3
+# define SSL_PKEY_GOST12_256 4
+# define SSL_PKEY_GOST12_512 5
+# define SSL_PKEY_NUM 6
/*
* Pseudo-constant. GOST cipher suites can use different certs for 1
* SSL_CIPHER. So let's see which one we have in fact.
# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1
/*
- * TODO(TLS1.3) for now use RSA_SIGN keys for PSS
+ * TODO(TLS1.3) for now use SSL_PKEY_RSA keys for PSS
*/
-#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA_SIGN
+#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA
/*-
* SSL_kRSA <- RSA_ENC
NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
NID_undef, NID_undef},
{"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
- NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA_SIGN,
+ NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
NID_sha256WithRSAEncryption, NID_undef},
{"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
- NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA_SIGN,
+ NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
NID_sha384WithRSAEncryption, NID_undef},
{"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
- NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA_SIGN,
+ NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
NID_sha512WithRSAEncryption, NID_undef},
{"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
- NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA_SIGN,
+ NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
NID_sha1WithRSAEncryption, NID_undef},
#ifndef OPENSSL_NO_DSA
{NULL, TLSEXT_SIGALG_dsa_sha256,
#endif
#ifndef OPENSSL_NO_RSA
if (SSL_USE_SIGALGS(s))
- pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
+ pmd[SSL_PKEY_RSA] = ssl_md(SSL_MD_SHA1_IDX);
else
- pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
- pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
+ pmd[SSL_PKEY_RSA] = ssl_md(SSL_MD_MD5_SHA1_IDX);
#endif
#ifndef OPENSSL_NO_EC
pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
switch (sig_nid) {
#ifndef OPENSSL_NO_RSA
case EVP_PKEY_RSA:
- return SSL_PKEY_RSA_SIGN;
+ return SSL_PKEY_RSA;
/*
* For now return RSA key for PSS. When we support PSS only keys
* this will need to be updated.
*/
case EVP_PKEY_RSA_PSS:
- return SSL_PKEY_RSA_SIGN;
+ return SSL_PKEY_RSA;
#endif
#ifndef OPENSSL_NO_DSA
case EVP_PKEY_DSA:
md = ssl_md(sigptr->hash_idx);
pmd[idx] = md;
pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
- if (idx == SSL_PKEY_RSA_SIGN) {
- pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
- pmd[SSL_PKEY_RSA_ENC] = md;
- }
}
}
/*
pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
#endif
#ifndef OPENSSL_NO_RSA
- if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
- pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
- pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
+ if (pmd[SSL_PKEY_RSA] == NULL) {
+ pmd[SSL_PKEY_RSA] = EVP_sha1();
}
#endif
#ifndef OPENSSL_NO_EC
/* If no sigalgs extension use defaults from RFC5246 */
else {
switch (idx) {
- case SSL_PKEY_RSA_ENC:
- case SSL_PKEY_RSA_SIGN:
+ case SSL_PKEY_RSA:
rsign = EVP_PKEY_RSA;
default_nid = NID_sha1WithRSAEncryption;
break;
/* Set validity of certificates in an SSL structure */
void tls1_set_cert_validity(SSL *s)
{
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
continue;
idx = lu->sig_idx;
c = &s->cert->pkeys[idx];
- if (c->x509 == NULL || c->privatekey == NULL) {
- if (idx != SSL_PKEY_RSA_SIGN)
- continue;
- idx = SSL_PKEY_RSA_ENC;
- c = s->cert->pkeys + idx;
- if (c->x509 == NULL || c->privatekey == NULL)
+ if (c->x509 == NULL || c->privatekey == NULL)
continue;
- }
if (lu->sig == EVP_PKEY_EC) {
#ifndef OPENSSL_NO_EC
if (curve == -1) {
projects / oweals / openssl.git / commitdiff