-/* $OpenBSD: ssl_clnt.c,v 1.136 2022/01/11 18:39:28 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.137 2022/01/11 19:03:15 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
int
ssl3_get_server_certificate(SSL *s)
{
- int al, i, ret;
CBS cbs, cert_list;
X509 *x = NULL;
const unsigned char *q;
STACK_OF(X509) *sk = NULL;
- EVP_PKEY *pkey = NULL;
+ EVP_PKEY *pkey;
+ int cert_type;
+ int al, ret;
if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,
SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list)) <= 0)
x = NULL;
}
- i = ssl_verify_cert_chain(s, sk);
- if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) {
+ if (ssl_verify_cert_chain(s, sk) <= 0 &&
+ s->verify_mode != SSL_VERIFY_NONE) {
al = ssl_verify_alarm_type(s->verify_result);
SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED);
goto fatal_err;
-
}
ERR_clear_error(); /* but we keep s->verify_result */
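Review bot: The operand order in the new two-line condition is load-bearing and nothing in the code says so: `ssl_verify_cert_chain(s, sk)` has to stay on the left of `&&` so that it still runs when `verify_mode` is `SSL_VERIFY_NONE`. The context line keeps `s->verify_result` after `ERR_clear_error()` and a later hunk copies it into the session, so a reordering that short-circuits the call would presumably record a result that no verification produced. I would add `/* Always run verification so verify_result is set, even with SSL_VERIFY_NONE. */` above the `if`. The function starts and ends outside this hunk.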
*/
x = sk_X509_value(sk, 0);
- pkey = X509_get_pubkey(x);
-
- if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
+ if ((pkey = X509_get0_pubkey(x)) == NULL ||
+ EVP_PKEY_missing_parameters(pkey)) {
x = NULL;
al = SSL3_AL_FATAL;
SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
goto fatal_err;
}
-
- i = ssl_cert_type(x, pkey);
- if (i < 0) {
+ if ((cert_type = ssl_cert_type(x, pkey)) < 0) {
x = NULL;
al = SSL3_AL_FATAL;
SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
goto fatal_err;
}
- s->session->peer_cert_type = i;
-
- sk_X509_pop_free(s->session->cert_chain, X509_free);
- s->session->cert_chain = sk;
- sk = NULL;
-
- X509_up_ref(x);
- X509_free(s->session->peer_pkeys[i].x509);
- s->session->peer_pkeys[i].x509 = x;
- s->session->peer_key = &s->session->peer_pkeys[i];
X509_up_ref(x);
X509_free(s->session->peer_cert);
s->session->peer_cert = x;
+ s->session->peer_cert_type = cert_type;
s->session->verify_result = s->verify_result;
+ sk_X509_pop_free(s->session->cert_chain, X509_free);
+ s->session->cert_chain = sk;
+ sk = NULL;
+
x = NULL;
ret = 1;
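Review bot: The sequence that stores the leaf certificate, its type and the chain into the session now appears three times in this commit (here, and in the tls13_client.c and tls13_server.c hunks), while other code in ssl_clnt.c trusts `peer_cert_type` to describe `peer_cert`. Keeping the two fields in step by hand at three sites invites drift; a shared helper declared in ssl_locl.h would make the pairing hard to break. The helper name below is only a suggestion, and it ignores the return value of `X509_up_ref()` exactly as the existing lines do. The function starts and ends outside this hunk.
```c
/* Suggested helper: store the peer's leaf certificate, type and chain together. */
void
ssl_session_set_peer_cert(SSL_SESSION *sess, X509 *cert, int cert_type,
    STACK_OF(X509) **chain)
{
	X509_up_ref(cert);
	X509_free(sess->peer_cert);
	sess->peer_cert = cert;
	sess->peer_cert_type = cert_type;

	/* The session takes ownership of the chain; the caller's pointer is cleared. */
	sk_X509_pop_free(sess->cert_chain, X509_free);
	sess->cert_chain = *chain;
	*chain = NULL;
}

	/* … unchanged: public key lookup and ssl_cert_type() check … */
	ssl_session_set_peer_cert(s->session, x, cert_type, &sk);
	s->session->verify_result = s->verify_result;
	/* … unchanged: x = NULL; ret = 1; … */
```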
ssl3_send_alert(s, SSL3_AL_FATAL, al);
}
err:
- EVP_PKEY_free(pkey);
X509_free(x);
sk_X509_pop_free(sk, X509_free);
EVP_PKEY_CTX *pctx;
EVP_PKEY *pkey = NULL;
- if ((alg_a & SSL_aRSA) != 0) {
- pkey = X509_get0_pubkey(
- s->session->peer_pkeys[SSL_PKEY_RSA].x509);
- } else if ((alg_a & SSL_aECDSA) != 0) {
- pkey = X509_get0_pubkey(
- s->session->peer_pkeys[SSL_PKEY_ECC].x509);
+ if ((alg_a & SSL_aRSA) != 0 &&
+ s->session->peer_cert_type == SSL_PKEY_RSA) {
+ pkey = X509_get0_pubkey(s->session->peer_cert);
+ } else if ((alg_a & SSL_aECDSA) != 0 &&
+ s->session->peer_cert_type == SSL_PKEY_ECC) {
+ pkey = X509_get0_pubkey(s->session->peer_cert);
}
if (pkey == NULL) {
al = SSL_AD_ILLEGAL_PARAMETER;
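Review bot: The two added `peer_cert_type` comparisons carry a security check that deserves a comment. With a single `peer_cert` there is no per-type slot left to come back empty, so these comparisons are now the only thing in the hunk that ties the certificate's key type to the cipher suite's `alg_a`. I would add `/* The leaf certificate type must match the cipher suite's authentication algorithm. */` above the `if`. Both branches now assign the same expression, so they could also be folded into one condition. The enclosing function starts and ends outside the hunk.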
unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH];
unsigned char *enc_pms = NULL;
uint16_t max_legacy_version;
- EVP_PKEY *pkey = NULL;
+ EVP_PKEY *pkey;
RSA *rsa;
int ret = 0;
int enc_len;
* RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1.
*/
- pkey = X509_get_pubkey(s->session->peer_pkeys[SSL_PKEY_RSA].x509);
+ pkey = X509_get0_pubkey(s->session->peer_cert);
if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
SSLerror(s, ERR_R_INTERNAL_ERROR);
goto err;
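Review bot: Unlike the signature-key and GOST paths changed in this commit, the RSA key-exchange path takes the key from `s->session->peer_cert` without comparing `s->session->peer_cert_type` against `SSL_PKEY_RSA`. Before the change, the `peer_pkeys[SSL_PKEY_RSA]` slot made that selection implicit. A non-RSA key is presumably still rejected because `EVP_PKEY_get0_RSA(pkey)` would return NULL, but that keeps the type check implicit and reports a peer-controlled condition as `ERR_R_INTERNAL_ERROR`. I would make it explicit with `if (s->session->peer_cert_type != SSL_PKEY_RSA || pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {`, or at least add a comment that the type is enforced by `EVP_PKEY_get0_RSA()`. The function starts and ends outside this hunk.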
err:
explicit_bzero(pms, sizeof(pms));
- EVP_PKEY_free(pkey);
free(enc_pms);
return ret;
unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
EVP_PKEY_CTX *pkey_ctx = NULL;
EVP_MD_CTX *ukm_hash = NULL;
- EVP_PKEY *pub_key;
- X509 *peer_cert;
+ EVP_PKEY *pkey;
size_t msglen;
unsigned int md_len;
CBB gostblob;
int ret = 0;
/* Get server sertificate PKEY and create ctx from it */
- peer_cert = s->session->peer_pkeys[SSL_PKEY_GOST01].x509;
- if ((pub_key = X509_get0_pubkey(peer_cert)) == NULL) {
+ pkey = X509_get0_pubkey(s->session->peer_cert);
+ if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) {
SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
goto err;
}
- if ((pkey_ctx = EVP_PKEY_CTX_new(pub_key, NULL)) == NULL) {
+ if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
SSLerror(s, ERR_R_MALLOC_FAILURE);
goto err;
}
ssl3_check_cert_and_algorithm(SSL *s)
{
long alg_k, alg_a;
- EVP_PKEY *pkey = NULL;
int nid = NID_undef;
- int i, idx;
+ int i;
alg_k = S3I(s)->hs.cipher->algorithm_mkey;
alg_a = S3I(s)->hs.cipher->algorithm_auth;
/* This is the passed certificate. */
- idx = s->session->peer_cert_type;
- if (idx == SSL_PKEY_ECC) {
- if (!ssl_check_srvr_ecc_cert_and_alg(s,
- s->session->peer_pkeys[idx].x509)) {
- /* check failed */
+ if (s->session->peer_cert_type == SSL_PKEY_ECC) {
+ if (!ssl_check_srvr_ecc_cert_and_alg(s, s->session->peer_cert)) {
SSLerror(s, SSL_R_BAD_ECC_CERT);
goto fatal_err;
- } else {
- return (1);
}
+ return (1);
}
- pkey = X509_get_pubkey(s->session->peer_pkeys[idx].x509);
- i = X509_certificate_type(s->session->peer_pkeys[idx].x509, pkey);
- EVP_PKEY_free(pkey);
+
+ i = X509_certificate_type(s->session->peer_cert, NULL);
/* Check that we have a certificate if we require one. */
if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
-/* $OpenBSD: ssl_locl.h,v 1.382 2022/01/11 18:39:28 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.383 2022/01/11 19:03:15 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
- /* This is the cert for the other end. */
+ /* Peer provided leaf (end-entity) certificate. */
X509 *peer_cert;
+ int peer_cert_type;
/* when app_verify_callback accepts a session where the peer's certificate
* is not ok, we must remember the error for session reuse: */
STACK_OF(X509) *cert_chain; /* as received from peer */
- /* The 'peer_...' members are used only by clients. */
- int peer_cert_type;
-
- /* Obviously we don't have the private keys of these,
- * so maybe we shouldn't even use the SSL_CERT_PKEY type here. */
- SSL_CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
- SSL_CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
-
size_t tlsext_ecpointformatlist_length;
uint8_t *tlsext_ecpointformatlist; /* peer's list */
size_t tlsext_supportedgroups_length;
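Review bot: `peer_cert_type` moves up next to `peer_cert` with no comment of its own. The removed comment described the `peer_...` members as client-only, which no longer holds, since the tls13_server.c hunk in this commit assigns the field too. I would document it as `/* SSL_PKEY_* type of peer_cert, as returned by ssl_cert_type(). */`. The comment should also say whether the value means anything while `peer_cert` is NULL, because ssl_clnt.c compares it against `SSL_PKEY_*` constants and the initial value cannot be seen from this hunk. The struct starts and ends outside the hunk.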
-/* $OpenBSD: tls13_client.c,v 1.92 2022/01/11 18:39:28 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.93 2022/01/11 19:03:15 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
X509 *cert = NULL;
EVP_PKEY *pkey;
const uint8_t *p;
- int cert_idx, alert_desc;
+ int alert_desc, cert_type;
int ret = 0;
if ((certs = sk_X509_new_null()) == NULL)
goto err;
if (EVP_PKEY_missing_parameters(pkey))
goto err;
- if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
+ if ((cert_type = ssl_cert_type(cert, pkey)) < 0)
goto err;
- sk_X509_pop_free(s->session->cert_chain, X509_free);
- s->session->cert_chain = certs;
- certs = NULL;
-
- X509_up_ref(cert);
- X509_free(s->session->peer_pkeys[cert_idx].x509);
- s->session->peer_pkeys[cert_idx].x509 = cert;
- s->session->peer_key = &s->session->peer_pkeys[cert_idx];
-
X509_up_ref(cert);
X509_free(s->session->peer_cert);
s->session->peer_cert = cert;
+ s->session->peer_cert_type = cert_type;
s->session->verify_result = s->verify_result;
+ sk_X509_pop_free(s->session->cert_chain, X509_free);
+ s->session->cert_chain = certs;
+ certs = NULL;
+
if (ctx->ocsp_status_recv_cb != NULL &&
!ctx->ocsp_status_recv_cb(ctx))
goto err;
-/* $OpenBSD: tls13_server.c,v 1.94 2022/01/11 18:39:28 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.95 2022/01/11 19:03:15 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
X509 *cert = NULL;
EVP_PKEY *pkey;
const uint8_t *p;
- int cert_idx;
+ int cert_type;
int ret = 0;
if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
goto err;
if (EVP_PKEY_missing_parameters(pkey))
goto err;
- if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
+ if ((cert_type = ssl_cert_type(cert, pkey)) < 0)
goto err;
- sk_X509_pop_free(s->session->cert_chain, X509_free);
- s->session->cert_chain = certs;
- certs = NULL;
-
- X509_up_ref(cert);
- X509_free(s->session->peer_pkeys[cert_idx].x509);
- s->session->peer_pkeys[cert_idx].x509 = cert;
- s->session->peer_key = &s->session->peer_pkeys[cert_idx];
-
X509_up_ref(cert);
X509_free(s->session->peer_cert);
s->session->peer_cert = cert;
+ s->session->peer_cert_type = cert_type;
s->session->verify_result = s->verify_result;
+ sk_X509_pop_free(s->session->cert_chain, X509_free);
+ s->session->cert_chain = certs;
+ certs = NULL;
+
ctx->handshake_stage.hs_type |= WITH_CCV;
ret = 1;