From 7e65b21a245e64f4e0984eddaaff4137e7bf616f Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Fri, 6 Apr 2012 12:00:24 +0000
Subject: [PATCH] Backport: Revise ssl code to use CERT_PKEY structure when outputting a certificate chain (from HEAD)

---
 ssl/d1_both.c | 4 ++--
 ssl/d1_clnt.c | 2 +-
 ssl/d1_srvr.c | 8 ++++----
 ssl/s3_both.c | 4 ++--
 ssl/s3_clnt.c | 2 +-
 ssl/s3_srvr.c | 8 ++++----
 ssl/ssl_cert.c | 9 ++++++++-
 ssl/ssl_lib.c | 4 ++--
 ssl/ssl_locl.h | 8 ++++----
 9 files changed, 28 insertions(+), 21 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index fdadebcd71..373285885c 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -992,13 +992,13 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
 return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
 }
 
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk)
 {
 unsigned char *p;
 unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH;
 BUF_MEM *buf=s->init_buf;
 
- if (!ssl_add_cert_chain(s, x, &l))
+ if (!ssl_add_cert_chain(s, cpk, &l))
 return 0;
 
 l-= (3 + DTLS1_HM_HEADER_LENGTH);
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index a6ed09c51d..4af8ffda4d 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -1694,7 +1694,7 @@ int dtls1_send_client_certificate(SSL *s)
 {
 s->state=SSL3_ST_CW_CERT_D;
 l=dtls1_output_cert_chain(s,
- (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+ (s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
 s->init_num=(int)l;
 s->init_off=0;
 
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 29421da9aa..7ab9091836 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -1569,12 +1569,12 @@ err:
 int dtls1_send_server_certificate(SSL *s)
 {
 unsigned long l;
- X509 *x;
+ CERT_PKEY *cpk;
 
 if (s->state == SSL3_ST_SW_CERT_A)
 {
- x=ssl_get_server_send_cert(s);
- if (x == NULL)
+ cpk=ssl_get_server_send_pkey(s);
+ if (cpk == NULL)
 {
 /* VRS: allow null cert if auth == KRB5 */
 if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
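Review bot: The new `CERT_PKEY *cpk` parameter of dtls1_output_cert_chain is undocumented, and nothing in the hunk says that NULL is a legal value. The client callers in the d1_clnt.c and s3_clnt.c hunks pass NULL when `s->s3->tmp.cert_req == 2`, and ssl_add_cert_chain in the ssl_cert.c hunk maps a NULL cpk to a NULL X509, so the wrapper does accept it. A comment above the definition would spare the next reader that chase: `/* cpk may be NULL: the client passes NULL when it has no certificate to send */`. The same applies to ssl3_output_cert_chain in the s3_both.c hunk. The body of dtls1_output_cert_chain continues past the hunk.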
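Review bot: The value of `l=dtls1_output_cert_chain(s, ...)` goes straight into `s->init_num=(int)l;` with no check for 0, which is what dtls1_output_cert_chain returns when ssl_add_cert_chain fails (the `return 0;` in the d1_both.c hunk). The commit only swaps the argument, so this is pre-existing, but touching the call is the moment to add a guard such as `if (l == 0) goto err;` — using whatever error path dtls1_send_client_certificate actually has, since its body starts and ends outside the hunk — so that a failed chain build is reported instead of continuing with init_num set to 0. The same unchecked assignment appears in the d1_srvr.c, s3_clnt.c and s3_srvr.c hunks.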
@@ -1585,7 +1585,7 @@ int dtls1_send_server_certificate(SSL *s)
 }
 }
 
- l=dtls1_output_cert_chain(s,x);
+ l=dtls1_output_cert_chain(s,cpk);
 s->state=SSL3_ST_SW_CERT_B;
 s->init_num=(int)l;
 s->init_off=0;
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index c159343bbd..2beb818e2b 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -319,13 +319,13 @@ int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
 return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
 }
 
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk)
 {
 unsigned char *p;
 unsigned long l=7;
 BUF_MEM *buf = s->init_buf;
 
- if (!ssl_add_cert_chain(s, x, &l))
+ if (!ssl_add_cert_chain(s, cpk, &l))
 return 0;
 
 l-=7;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index be64f95646..3d8246c4cb 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3211,7 +3211,7 @@ int ssl3_send_client_certificate(SSL *s)
 {
 s->state=SSL3_ST_CW_CERT_D;
 l=ssl3_output_cert_chain(s,
- (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+ (s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
 s->init_num=(int)l;
 s->init_off=0;
 }
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 5c826792d3..a05fae4987 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3351,12 +3351,12 @@ err:
 int ssl3_send_server_certificate(SSL *s)
 {
 unsigned long l;
- X509 *x;
+ CERT_PKEY *cpk;
 
 if (s->state == SSL3_ST_SW_CERT_A)
 {
- x=ssl_get_server_send_cert(s);
- if (x == NULL)
+ cpk=ssl_get_server_send_pkey(s);
+ if (cpk == NULL)
 {
 /* VRS: allow null cert if auth == KRB5 */
 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
@@ -3367,7 +3367,7 @@ int ssl3_send_server_certificate(SSL *s)
 }
 }
 
- l=ssl3_output_cert_chain(s,x);
+ l=ssl3_output_cert_chain(s,cpk);
 s->state=SSL3_ST_SW_CERT_B;
 s->init_num=(int)l;
 s->init_off=0;
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 1c6325e9f8..16c060b711 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -873,12 +873,19 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
 }
 
 /* Add certificate chain to internal SSL BUF_MEM strcuture */
-int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l)
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
 {
 BUF_MEM *buf = s->init_buf;
 int no_chain;
 int i;
 
+ X509 *x;
+
+ if (cpk)
+ x = cpk->x509;
+ else
+ x = NULL;
+
 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
 no_chain = 1;
 else
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ac7c9f6e0f..0ff086bc78 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2290,7 +2290,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 #endif
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
 {
 unsigned long alg_k,alg_a;
 CERT *c;
@@ -2350,7 +2350,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
 }
 if (c->pkeys[i].x509 == NULL) return(NULL);
 
- return(c->pkeys[i].x509);
+ return(&c->pkeys[i]);
 }
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 3b1bad2f67..322aa45000 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -827,11 +827,11 @@ int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
 const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
 int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
-int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l);
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
-X509 *ssl_get_server_send_cert(SSL *);
+CERT_PKEY *ssl_get_server_send_pkey(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
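Review bot: The header comment above the new signature still reads `/* Add certificate chain to internal SSL BUF_MEM strcuture */` and says nothing about the new parameter, although the added lines show that cpk may be NULL. I would replace it with `/* Add the certificate chain for cpk (may be NULL) to the internal SSL BUF_MEM structure */`. The added four-line if/else could also be the initializer `X509 *x = cpk ? cpk->x509 : NULL;`, which keeps the declaration and its value together. The rest of ssl_add_cert_chain, including what is done with a NULL x, is outside the hunk.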
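Review bot: `return(&c->pkeys[i]);` now hands the caller a pointer into the CERT's pkeys array instead of the X509 alone, so the result is valid only while that CERT is and must not be freed by the caller, and nothing in the hunk says so. I would add a comment above the function (its signature is in the earlier hunk of this file, under `/* THIS NEEDS CLEANING UP */`) stating that it returns the CERT_PKEY slot chosen by the selection logic above, owned by the CERT, or NULL when that slot has no certificate. The only guard before the return is `c->pkeys[i].x509 == NULL`; whether callers of the new function also expect the slot's private key to be present cannot be told from this hunk.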
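Review bot: The new prototype `CERT_PKEY *ssl_get_server_send_pkey(SSL *);` drops the parameter name while every neighbouring declaration in the hunk keeps it (`SSL *s`); the definition in ssl_lib.c names it `s`, so the header should too: `CERT_PKEY *ssl_get_server_send_pkey(SSL *s);`. The old declaration had the same omission, but this is the line being rewritten.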
@@ -899,7 +899,7 @@ void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
 int ssl3_enc(SSL *s, int send_data);
 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
 void ssl3_free_digest_list(SSL *s);
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
 STACK_OF(SSL_CIPHER) *srvr);
 int ssl3_setup_buffers(SSL *s);
@@ -953,7 +953,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
 
 int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 int dtls1_read_failed(SSL *s, int code);
 int dtls1_buffer_message(SSL *s, int ccs);
 int dtls1_retransmit_message(SSL *s, unsigned short seq,
-- 
2.25.1