From a497cf25162e100ad46bd08222b6e7584b2d5bee Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 14 Feb 2017 00:35:26 +0000 Subject: [PATCH] Use CERT_PKEY pointer instead of index Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2623) --- ssl/s3_lib.c | 4 ++-- ssl/ssl_lib.c | 14 ++++---------- ssl/ssl_locl.h | 10 ++++++---- ssl/statem/statem_srvr.c | 11 +++++------ ssl/t1_lib.c | 10 ++++------ 5 files changed, 21 insertions(+), 28 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index ac2e858e76..8537e804a8 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3149,9 +3149,9 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) */ if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) return 2; - if (s->s3->tmp.cert_idx == -1) + if (s->s3->tmp.cert == NULL) return 0; - s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx]; + s->cert->key = s->s3->tmp.cert; return 1; } return ssl_cert_set_current(s->cert, larg); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5bc4c404ce..1642215ce4 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2836,20 +2836,14 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, size_t *serverinfo_length) { - CERT *c = NULL; - int i = 0; + CERT_PKEY *cpk = s->s3->tmp.cert; *serverinfo_length = 0; - c = s->cert; - i = s->s3->tmp.cert_idx; - - if (i == -1) - return 0; - if (c->pkeys[i].serverinfo == NULL) + if (cpk == NULL || cpk->serverinfo == NULL) return 0; - *serverinfo = c->pkeys[i].serverinfo; - *serverinfo_length = c->pkeys[i].serverinfo_length; + *serverinfo = cpk->serverinfo; + *serverinfo_length = cpk->serverinfo_length; return 1; } diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 09bfed6f79..106ff69492 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1213,6 +1213,8 @@ typedef struct sigalg_lookup_st { int curve; } SIGALG_LOOKUP; +typedef struct cert_pkey_st CERT_PKEY; + typedef struct ssl3_state_st { long flags; size_t read_mac_secret_size; @@ -1296,8 +1298,8 @@ typedef struct ssl3_state_st { # endif /* Signature algorithm we actually use */ const SIGALG_LOOKUP *sigalg; - /* Index of certificate we use */ - int cert_idx; + /* Pointer to certificate we use */ + CERT_PKEY *cert; /* * signature algorithms peer reports: e.g. supported signature * algorithms extension for server or as part of a certificate @@ -1491,7 +1493,7 @@ typedef struct dtls1_state_st { # define NAMED_CURVE_TYPE 3 # endif /* OPENSSL_NO_EC */ -typedef struct cert_pkey_st { +struct cert_pkey_st { X509 *x509; EVP_PKEY *privatekey; /* Chain for this certificate */ @@ -1505,7 +1507,7 @@ typedef struct cert_pkey_st { */ unsigned char *serverinfo; size_t serverinfo_length; -} CERT_PKEY; +}; /* Retrieve Suite B flags */ # define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS) /* Uses to check strict mode: suite B modes are always strict */ diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index a251a6ff8c..2330bde360 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1761,12 +1761,12 @@ static int tls_handle_status_request(SSL *s, int *al) int ret; /* If no certificate can't return certificate status */ - if (s->s3->tmp.cert_idx != -1) { + if (s->s3->tmp.cert != NULL) { /* * Set current certificate to one we will use so SSL_get_certificate * et al can pick it up. */ - s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx]; + s->cert->key = s->s3->tmp.cert; ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); switch (ret) { /* We don't want to send a status request response */ @@ -2249,7 +2249,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) /* not anonymous */ if (lu != NULL) { - EVP_PKEY *pkey = s->cert->pkeys[s->s3->tmp.cert_idx].privatekey; + EVP_PKEY *pkey = s->s3->tmp.cert->privatekey; const EVP_MD *md = ssl_md(lu->hash_idx); unsigned char *sigbytes1, *sigbytes2; size_t siglen; @@ -3197,14 +3197,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) int tls_construct_server_certificate(SSL *s, WPACKET *pkt) { - CERT_PKEY *cpk; + CERT_PKEY *cpk = s->s3->tmp.cert; int al = SSL_AD_INTERNAL_ERROR; - if (s->s3->tmp.cert_idx == -1) { + if (cpk == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); return 0; } - cpk = &s->cert->pkeys[s->s3->tmp.cert_idx]; /* * In TLSv1.3 the certificate chain is always preceded by a 0 length context diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 0ae41cd71e..31c3b04fc1 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2201,11 +2201,9 @@ DH *ssl_get_auto_dh(SSL *s) else dh_secbits = 80; } else { - CERT_PKEY *cpk; - if (s->s3->tmp.cert_idx == -1) + if (s->s3->tmp.cert == NULL) return NULL; - cpk = &s->cert->pkeys[s->s3->tmp.cert_idx]; - dh_secbits = EVP_PKEY_security_bits(cpk->privatekey); + dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey); } if (dh_secbits >= 128) { @@ -2369,7 +2367,7 @@ int tls_choose_sigalg(SSL *s, int *al) idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher); /* If no certificate for ciphersuite return */ if (idx == -1) { - s->s3->tmp.cert_idx = -1; + s->s3->tmp.cert = NULL; s->s3->tmp.sigalg = NULL; return 1; } @@ -2445,7 +2443,7 @@ int tls_choose_sigalg(SSL *s, int *al) } } } - s->s3->tmp.cert_idx = idx; + s->s3->tmp.cert = &s->cert->pkeys[idx]; s->s3->tmp.sigalg = lu; return 1; } -- 2.25.1