From b8858aec136d56950ea2fc4f2d906f81f1c085a6 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 28 Jun 2017 17:56:45 +0100 Subject: [PATCH] Replace tls12_get_pkey_idx The functiontls12_get_pkey_idx is only used to see if a certificate index is enabled: call ssl_cert_is_disabled instead. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/3858) --- ssl/t1_lib.c | 43 +++---------------------------------------- 1 file changed, 3 insertions(+), 40 deletions(-) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 95b9b8b4d0..c478d2cd44 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1398,43 +1398,6 @@ TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick, return ret; } -static int tls12_get_pkey_idx(int sig_nid) -{ - switch (sig_nid) { -#ifndef OPENSSL_NO_RSA - case EVP_PKEY_RSA: - return SSL_PKEY_RSA; - /* - * For now return RSA key for PSS. When we support PSS only keys - * this will need to be updated. - */ - case EVP_PKEY_RSA_PSS: - return SSL_PKEY_RSA; -#endif -#ifndef OPENSSL_NO_DSA - case EVP_PKEY_DSA: - return SSL_PKEY_DSA_SIGN; -#endif -#ifndef OPENSSL_NO_EC - case EVP_PKEY_EC: - return SSL_PKEY_ECC; - case EVP_PKEY_ED25519: - return SSL_PKEY_ED25519; -#endif -#ifndef OPENSSL_NO_GOST - case NID_id_GostR3410_2001: - return SSL_PKEY_GOST01; - - case NID_id_GostR3410_2012_256: - return SSL_PKEY_GOST12_256; - - case NID_id_GostR3410_2012_512: - return SSL_PKEY_GOST12_512; -#endif - } - return -1; -} - /* Check to see if a signature algorithm is allowed */ static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu) { @@ -1454,7 +1417,7 @@ static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu) || lu->hash_idx == SSL_MD_SHA224_IDX)) return 0; /* See if public key algorithm allowed */ - if (tls12_get_pkey_idx(lu->sig) == -1) + if (ssl_cert_is_disabled(lu->sig_idx)) return 0; if (lu->hash == NID_undef) return 1; @@ -1678,8 +1641,8 @@ int tls1_process_sigalgs(SSL *s) if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) continue; /* If not disabled indicate we can explicitly sign */ - if (pvalid[idx] == 0 && tls12_get_pkey_idx(sigptr->sig) != -1) - pvalid[sigptr->sig_idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; + if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx)) + pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; } return 1; } -- 2.25.1