}
/* Clear certificate digests and validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++) {
- s->cert->pkeys[i].digest = NULL;
+ s->s3->tmp.md[i] = NULL;
s->cert->pkeys[i].valid_flags = 0;
}
if ((llen & 1) || !tls1_save_sigalgs(s, p, llen)) {
if (SSL_USE_SIGALGS(s)) {
long hdatalen = 0;
void *hdata;
- const EVP_MD *md = s->cert->key->digest;
+ const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) {
SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
return 0;
/* If no suitable signature algorithm can't use certificate */
- if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
+ if (SSL_USE_SIGALGS(s) && !s->s3->tmp.md[s->cert->key - s->cert->pkeys])
return 0;
/*
* If strict mode check suitability of chain before using it. This also
return ssl_x509_store_ctx_idx;
}
-void ssl_cert_set_default_md(CERT *cert)
-{
- /* Set digest values to defaults */
-#ifndef OPENSSL_NO_DSA
- cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
-#endif
-#ifndef OPENSSL_NO_RSA
- cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
- cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
-#endif
-#ifndef OPENSSL_NO_EC
- cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
-#endif
-}
-
CERT *ssl_cert_new(void)
{
CERT *ret = OPENSSL_malloc(sizeof(*ret));
ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
ret->references = 1;
- ssl_cert_set_default_md(ret);
ret->sec_cb = ssl_security_default_callback;
ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;
ret->sec_ex = NULL;
}
ret->references = 1;
- /*
- * Set digests to defaults. NB: we don't copy existing values as they
- * will be set during handshake.
- */
- ssl_cert_set_default_md(ret);
/* Configured sigalgs copied across */
if (cert->conf_sigalgs) {
ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
unsigned char *peer_sigalgs;
/* Size of above array */
size_t peer_sigalgslen;
+ /* Digest peer uses for signing */
+ const EVP_MD *peer_md;
+ /* Array of digests used for signing */
+ const EVP_MD *md[SSL_PKEY_NUM];
} tmp;
/* Connection binding to prevent renegotiation attacks */
typedef struct cert_pkey_st {
X509 *x509;
EVP_PKEY *privatekey;
- /* Digest to use when signing */
- const EVP_MD *digest;
/* Chain for this certificate */
STACK_OF(X509) *chain;
# ifndef OPENSSL_NO_TLSEXT
int ssl_clear_bad_session(SSL *s);
__owur CERT *ssl_cert_new(void);
__owur CERT *ssl_cert_dup(CERT *cert);
-void ssl_cert_set_default_md(CERT *cert);
void ssl_cert_clear_certs(CERT *c);
void ssl_cert_free(CERT *c);
__owur SESS_CERT *ssl_sess_cert_new(void);
return 0;
if (set_ee_md == 2) {
if (check_md == NID_ecdsa_with_SHA256)
- c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
+ s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
else
- c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
+ s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
}
}
return rv;
/*
* Store the digest used so applications can retrieve it if they wish.
*/
- if (s->session && s->session->sess_cert)
- s->session->sess_cert->peer_key->digest = *pmd;
+ s->s3->tmp.peer_md = *pmd;
return 1;
}
return 1;
}
}
+/* Initialise digests to default values */
+static void ssl_set_default_md(SSL *s)
+{
+ const EVP_MD **pmd = s->s3->tmp.md;
+#ifndef OPENSSL_NO_DSA
+ pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
+#endif
+#ifndef OPENSSL_NO_RSA
+ pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
+ pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
+#endif
+#ifndef OPENSSL_NO_EC
+ pmd[SSL_PKEY_ECC] = EVP_sha1();
+#endif
+}
int tls1_set_server_sigalgs(SSL *s)
{
s->cert->shared_sigalgslen = 0;
/* Clear certificate digests and validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++) {
- s->cert->pkeys[i].digest = NULL;
+ s->s3->tmp.md[i] = NULL;
s->cert->pkeys[i].valid_flags = 0;
}
al = SSL_AD_ILLEGAL_PARAMETER;
goto err;
}
- } else
- ssl_cert_set_default_md(s->cert);
+ } else {
+ ssl_set_default_md(s);
+ }
return 1;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
int idx;
size_t i;
const EVP_MD *md;
+ const EVP_MD **pmd = s->s3->tmp.md;
CERT *c = s->cert;
TLS_SIGALGS *sigptr;
if (!tls1_set_shared_sigalgs(s))
if (sigs) {
idx = tls12_get_pkey_idx(sigs[1]);
md = tls12_get_hash(sigs[0]);
- c->pkeys[idx].digest = md;
+ pmd[idx] = md;
c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
if (idx == SSL_PKEY_RSA_SIGN) {
c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
CERT_PKEY_EXPLICIT_SIGN;
- c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
+ pmd[SSL_PKEY_RSA_ENC] = md;
}
}
}
for (i = 0, sigptr = c->shared_sigalgs;
i < c->shared_sigalgslen; i++, sigptr++) {
idx = tls12_get_pkey_idx(sigptr->rsign);
- if (idx > 0 && c->pkeys[idx].digest == NULL) {
+ if (idx > 0 && pmd[idx] == NULL) {
md = tls12_get_hash(sigptr->rhash);
- c->pkeys[idx].digest = md;
+ pmd[idx] = md;
c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
if (idx == SSL_PKEY_RSA_SIGN) {
c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
CERT_PKEY_EXPLICIT_SIGN;
- c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
+ pmd[SSL_PKEY_RSA_ENC] = md;
}
}
* supported it stays as NULL.
*/
# ifndef OPENSSL_NO_DSA
- if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
+ if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
+ pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
# endif
# ifndef OPENSSL_NO_RSA
- if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
- c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
- c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
+ if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
+ pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
+ pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
}
# endif
# ifndef OPENSSL_NO_EC
- if (!c->pkeys[SSL_PKEY_ECC].digest)
- c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
+ if (pmd[SSL_PKEY_ECC] == NULL)
+ pmd[SSL_PKEY_ECC] = EVP_sha1();
# endif
}
return 1;
if (TLS1_get_version(s) >= TLS1_2_VERSION) {
if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
- else if (cpk->digest)
+ else if (s->s3->tmp.md[idx] != NULL)
rv |= CERT_PKEY_SIGN;
} else
rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
projects / oweals / openssl.git / commitdiff