-/* $OpenBSD: ssl_lib.c,v 1.276 2021/10/25 10:01:46 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.277 2021/10/31 16:37:25 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
}
-static int
-ssl_cert_can_sign(X509 *x)
-{
- /* This call populates extension flags (ex_flags). */
- X509_check_purpose(x, -1, 0);
-
- /* Key usage, if present, must allow signing. */
- return ((x->ex_flags & EXFLAG_KUSAGE) == 0 ||
- (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE));
-}
-
void
ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
{
cpk = &(c->pkeys[SSL_PKEY_ECC]);
if (cpk->x509 != NULL && cpk->privatekey != NULL) {
- if (ssl_cert_can_sign(cpk->x509))
+ /* Key usage, if present, must allow signing. */
+ if (X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)
mask_a |= SSL_aECDSA;
}
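Review bot: The "if present" wording in the new comment is no longer visible in the code on the `X509_get_key_usage` line; the check only works as stated if the accessor returns an all-bits-set mask when the certificate carries no Key Usage extension, and that assumption should be written down here: `/* X509_get_key_usage() yields all-ones when no KU extension is present. */`. The removed `ssl_cert_can_sign()` also ignored the result of `X509_check_purpose()`, so if `X509_get_key_usage()` returns 0 when extension caching fails (as its OpenSSL counterpart does), a certificate with unparseable extensions now loses `SSL_aECDSA` where it was previously granted; this looks like the safer behaviour but is a change not mentioned in the hunk. `ssl_set_cert_masks` starts and ends outside the hunk.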
alg_a = cs->algorithm_auth;
if (alg_a & SSL_aECDSA) {
- /* This call populates extension flags (ex_flags). */
- X509_check_purpose(x, -1, 0);
-
/* Key usage, if present, must allow signing. */
- if ((x->ex_flags & EXFLAG_KUSAGE) &&
- ((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) {
+ if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
SSLerror(s, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
return (0);
}
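Review bot: The error path on the `SSLerror(s, SSL_R_ECC_CERT_NOT_FOR_SIGNING)` line now also covers the case where `X509_get_key_usage(x)` returns 0 because its internal `X509_check_purpose()` call failed, whereas the removed code discarded that return value and only rejected certificates whose KU extension was present and lacked digitalSignature. If that is intended, the comment should say so, e.g. `/* A failed extension parse yields 0 from X509_get_key_usage() and is rejected here too. */`; if not, the distinction between "no KU extension" (all-ones) and "extensions unparseable" (0) is lost at this check. I cannot see `X509_get_key_usage()` in this diff, so this is inferred from its documented semantics. The enclosing function starts and ends outside the hunk.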
-/* $OpenBSD: tls13_server.c,v 1.87 2021/10/25 10:01:46 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.88 2021/10/31 16:37:25 tb Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
if (cpk->x509 == NULL || cpk->privatekey == NULL)
goto done;
- if (!X509_check_purpose(cpk->x509, -1, 0))
- return 0;
-
/*
* The digitalSignature bit MUST be set if the Key Usage extension is
* present as per RFC 8446 section 4.4.2.2.
*/
- if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) &&
- !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE))
+ if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE))
goto done;
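Review bot: The removed `if (!X509_check_purpose(cpk->x509, -1, 0)) return 0;` made a failed extension parse a hard failure of the whole selection, whereas after the change a 0 result from `X509_get_key_usage()` (its presumable return when the internal purpose check fails) falls into the `goto done` on the last line of the hunk and is treated like any other unusable certificate. That is a quieter outcome for a malformed certificate than before, and whether it is intentional is not stated; a one-line note above the check, such as `/* Unparseable extensions also land here (X509_get_key_usage() returns 0). */`, would settle it for the next reader. The RFC 8446 comment still describes the "if present" rule correctly only because the accessor returns all-ones for an absent extension, which is worth saying in the same comment. The enclosing function starts and ends outside the hunk.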
if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)