From: tb <tb@openbsd.org>
Date: Sun, 31 Oct 2021 16:37:25 +0000 (+0000)
Subject: libssl: stop reaching into the X509 struct and simplify some code by
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=ad70d4758940e74a630416c8072729a9c6845f30;p=openbsd

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing
---

diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index f64b89352e8..9220929f886 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.276 2021/10/25 10:01:46 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.277 2021/10/31 16:37:25 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2187,17 +2187,6 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
 	X509_VERIFY_PARAM_set_depth(ctx->param, depth);
 }
 
-static int
-ssl_cert_can_sign(X509 *x)
-{
-	/* This call populates extension flags (ex_flags). */
-	X509_check_purpose(x, -1, 0);
-
-	/* Key usage, if present, must allow signing. */
-	return ((x->ex_flags & EXFLAG_KUSAGE) == 0 ||
-	    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE));
-}
-
 void
 ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 {
@@ -2215,7 +2204,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 
 	cpk = &(c->pkeys[SSL_PKEY_ECC]);
 	if (cpk->x509 != NULL && cpk->privatekey != NULL) {
-		if (ssl_cert_can_sign(cpk->x509))
+		/* Key usage, if present, must allow signing. */
+		if (X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)
 			mask_a |= SSL_aECDSA;
 	}
 
@@ -2259,12 +2249,8 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 	alg_a = cs->algorithm_auth;
 
 	if (alg_a & SSL_aECDSA) {
-		/* This call populates extension flags (ex_flags). */
-		X509_check_purpose(x, -1, 0);
-
 		/* Key usage, if present, must allow signing. */
-		if ((x->ex_flags & EXFLAG_KUSAGE) &&
-		    ((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) {
+		if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
 			SSLerror(s, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
 			return (0);
 		}
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 733a71f7d1f..253c1fc2083 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.87 2021/10/25 10:01:46 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.88 2021/10/31 16:37:25 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -557,15 +557,11 @@ tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
 	if (cpk->x509 == NULL || cpk->privatekey == NULL)
 		goto done;
 
-	if (!X509_check_purpose(cpk->x509, -1, 0))
-		return 0;
-
 	/*
 	 * The digitalSignature bit MUST be set if the Key Usage extension is
 	 * present as per RFC 8446 section 4.4.2.2.
 	 */
-	if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) &&
-	    !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE))
+	if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE))
 		goto done;
 
 	if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)