authorDr. Stephen Henson <steve@openssl.org>2015-05-18 23:29:57 +0100
committerDr. Stephen Henson <steve@openssl.org>2015-05-19 14:05:29 +0100
commit4d69f9e69d2f5069ab37da68f4b93a6f337fb13e (patch)
tree0965207983caf836e56722f30bef899ada5334be
parent00d565cfbe90fab3b157e644caca4eb4a2ebec79 (diff)
move masks out of CERT structure
Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r--ssl/s3_clnt.c5
-rw-r--r--ssl/s3_lib.c10
-rw-r--r--ssl/ssl_cert.c5
-rw-r--r--ssl/ssl_lib.c9
-rw-r--r--ssl/ssl_locl.h23
-rw-r--r--ssl/ssl_rsa.c2
-rw-r--r--ssl/t1_lib.c38
7 files changed, 39 insertions, 53 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 3b49fa4a33..46f9909830 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -957,7 +957,6 @@ int ssl3_get_server_hello(SSL *s)
{
STACK_OF(SSL_CIPHER) *sk;
const SSL_CIPHER *c;
- CERT *ct = s->cert;
unsigned char *p, *d;
int i, al = SSL_AD_INTERNAL_ERROR, ok;
unsigned int j;
@@ -1151,9 +1150,9 @@ int ssl3_get_server_hello(SSL *s)
}
/* Set version disabled mask now we know version */
if (!SSL_USE_TLS1_2_CIPHERS(s))
- ct->mask_ssl = SSL_TLSV1_2;
+ s->s3->tmp.mask_ssl = SSL_TLSV1_2;
else
- ct->mask_ssl = 0;
+ s->s3->tmp.mask_ssl = 0;
/*
* If it is a disabled cipher we didn't send it in client hello, so
* return an error.
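Review bot: The disabled-cipher check announced by the comment at the end of this hunk would fail open if `s->s3->tmp` were reset between building the ClientHello and processing the ServerHello. Only `mask_ssl` is refreshed here; `mask_k` and `mask_a` are expected to still hold what `ssl_set_client_disabled()` computed, and a zeroed mask means no cipher is treated as disabled. Whether any path clears `tmp` in that window is not visible in this diff, so it is worth confirming and recording next to the assignment, e.g. `/* mask_k/mask_a must still hold the values set by ssl_set_client_disabled() for this handshake */`. The body of `ssl3_get_server_hello` continues outside the hunk.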
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index c28c447618..78e95fc6d6 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3843,11 +3843,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
SSL_CIPHER *c, *ret = NULL;
STACK_OF(SSL_CIPHER) *prio, *allow;
int i, ii, ok;
- CERT *cert;
unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a;
/* Let's see which ciphers we can support */
- cert = s->cert;
#if 0
/*
@@ -3893,10 +3891,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
continue;
ssl_set_masks(s, c);
- mask_k = cert->mask_k;
- mask_a = cert->mask_a;
- emask_k = cert->export_mask_k;
- emask_a = cert->export_mask_a;
+ mask_k = s->s3->tmp.mask_k;
+ mask_a = s->s3->tmp.mask_a;
+ emask_k = s->s3->tmp.export_mask_k;
+ emask_a = s->s3->tmp.export_mask_a;
#ifndef OPENSSL_NO_SRP
if (s->srp_ctx.srp_Mask & SSL_kSRP) {
mask_k |= SSL_kSRP;
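Review bot: The four reads from `s->s3->tmp` assume that `ssl_set_masks(s, c)` stored fresh values on every path. Its stores sit at the very end of that function (ssl/ssl_lib.c hunk), and the earlier part of its body is outside this diff. If it can return before reaching them, `mask_k`/`mask_a` here would be whatever an earlier call left in the per-connection state, and the cipher choice would be made against stale masks. Consider clearing the four fields on entry to `ssl_set_masks`, or at least stating the contract at the call site: `/* ssl_set_masks() writes s->s3->tmp.mask_* on every path */`.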
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 14c0c16142..987b2b72c0 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -196,11 +196,6 @@ CERT *ssl_cert_dup(CERT *cert)
memset(ret, 0, sizeof(*ret));
ret->key = &ret->pkeys[cert->key - cert->pkeys];
- ret->valid = cert->valid;
- ret->mask_k = cert->mask_k;
- ret->mask_a = cert->mask_a;
- ret->export_mask_k = cert->export_mask_k;
- ret->export_mask_a = cert->export_mask_a;
#ifndef OPENSSL_NO_RSA
if (cert->rsa_tmp != NULL) {
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b44cb1956f..2624b377f4 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2114,11 +2114,10 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
emask_a |= SSL_aPSK;
#endif
- c->mask_k = mask_k;
- c->mask_a = mask_a;
- c->export_mask_k = emask_k;
- c->export_mask_a = emask_a;
- c->valid = 1;
+ s->s3->tmp.mask_k = mask_k;
+ s->s3->tmp.mask_a = mask_a;
+ s->s3->tmp.export_mask_k = emask_k;
+ s->s3->tmp.export_mask_a = emask_a;
}
/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d2ee6344ae..04e59085d2 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1301,6 +1301,17 @@ typedef struct ssl3_state_st {
* If zero it can't be used at all.
*/
int valid_flags[SSL_PKEY_NUM];
+ /*
+ * For servers the following masks are for the key and auth algorithms
+ * that are supported by the certs below. For clients they are masks of
+ * *disabled* algorithms based on the current session.
+ */
+ unsigned long mask_k;
+ unsigned long mask_a;
+ unsigned long export_mask_k;
+ unsigned long export_mask_a;
+ /* Client only */
+ unsigned long mask_ssl;
} tmp;
/* Connection binding to prevent renegotiation attacks */
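Review bot: The moved comment still says the server masks cover algorithms "supported by the certs below". That wording made sense inside `cert_st`, but nothing certificate-related follows these fields in `ssl3_state_st.tmp`. Reword it to `that are supported by the certificates configured in s->cert`. The bare `/* Client only */` could also say what the field holds, e.g. `/* Client only: SSL/TLS version bits of ciphers that are disabled */`, since `mask_ssl` is compared against `algorithm_ssl` in `ssl_cipher_disabled()`.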
@@ -1509,18 +1520,6 @@ typedef struct cert_st {
* an index, not a pointer.
*/
CERT_PKEY *key;
- /*
- * For servers the following masks are for the key and auth algorithms
- * that are supported by the certs below. For clients they are masks of
- * *disabled* algorithms based on the current session.
- */
- int valid;
- unsigned long mask_k;
- unsigned long mask_a;
- unsigned long export_mask_k;
- unsigned long export_mask_a;
- /* Client only */
- unsigned long mask_ssl;
# ifndef OPENSSL_NO_RSA
RSA *rsa_tmp;
RSA *(*rsa_tmp_cb) (SSL *ssl, int is_export, int keysize);
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 31ce9bdbd1..a9c832c8b6 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -216,7 +216,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
c->pkeys[i].privatekey = pkey;
c->key = &(c->pkeys[i]);
- c->valid = 0;
return (1);
}
@@ -420,7 +419,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
c->pkeys[i].x509 = x;
c->key = &(c->pkeys[i]);
- c->valid = 0;
return (1);
}
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 529157425a..f3fa0f5f5e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1048,46 +1048,44 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
*/
void ssl_set_client_disabled(SSL *s)
{
- CERT *c = s->cert;
- c->mask_a = 0;
- c->mask_k = 0;
+ s->s3->tmp.mask_a = 0;
+ s->s3->tmp.mask_k = 0;
/* Don't allow TLS 1.2 only ciphers if we don't suppport them */
if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
- c->mask_ssl = SSL_TLSV1_2;
+ s->s3->tmp.mask_ssl = SSL_TLSV1_2;
else
- c->mask_ssl = 0;
- ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
+ s->s3->tmp.mask_ssl = 0;
+ ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
/*
* Disable static DH if we don't include any appropriate signature
* algorithms.
*/
- if (c->mask_a & SSL_aRSA)
- c->mask_k |= SSL_kDHr | SSL_kECDHr;
- if (c->mask_a & SSL_aDSS)
- c->mask_k |= SSL_kDHd;
- if (c->mask_a & SSL_aECDSA)
- c->mask_k |= SSL_kECDHe;
+ if (s->s3->tmp.mask_a & SSL_aRSA)
+ s->s3->tmp.mask_k |= SSL_kDHr | SSL_kECDHr;
+ if (s->s3->tmp.mask_a & SSL_aDSS)
+ s->s3->tmp.mask_k |= SSL_kDHd;
+ if (s->s3->tmp.mask_a & SSL_aECDSA)
+ s->s3->tmp.mask_k |= SSL_kECDHe;
# ifndef OPENSSL_NO_PSK
/* with PSK there must be client callback set */
if (!s->psk_client_callback) {
- c->mask_a |= SSL_aPSK;
- c->mask_k |= SSL_kPSK;
+ s->s3->tmp.mask_a |= SSL_aPSK;
+ s->s3->tmp.mask_k |= SSL_kPSK;
}
# endif /* OPENSSL_NO_PSK */
# ifndef OPENSSL_NO_SRP
if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
- c->mask_a |= SSL_aSRP;
- c->mask_k |= SSL_kSRP;
+ s->s3->tmp.mask_a |= SSL_aSRP;
+ s->s3->tmp.mask_k |= SSL_kSRP;
}
# endif
- c->valid = 1;
}
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
{
- CERT *ct = s->cert;
- if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k
- || c->algorithm_auth & ct->mask_a)
+ if (c->algorithm_ssl & s->s3->tmp.mask_ssl
+ || c->algorithm_mkey & s->s3->tmp.mask_k
+ || c->algorithm_auth & s->s3->tmp.mask_a)
return 1;
return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}
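Review bot: `ssl_cipher_disabled()` treats `tmp.mask_k` and `tmp.mask_a` as sets of disabled algorithms, while `ssl_set_masks()` (ssl/ssl_lib.c hunk) stores sets of supported algorithms into the same fields. The struct comment in ssl_locl.h documents that client/server split, but nothing at this function says the result is only meaningful after `ssl_set_client_disabled()`. On a connection where `ssl_set_masks()` ran last, it would reject exactly the supported algorithms. Whether a server path reaches this function is not visible in the diff. A one-line comment above it would make the precondition explicit: `/* Client side only: masks are the disabled sets from ssl_set_client_disabled() */`.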