authorDr. Stephen Henson <steve@openssl.org>2016-01-19 00:21:12 +0000
committerDr. Stephen Henson <steve@openssl.org>2016-01-20 03:24:59 +0000
commit3aeb93486588e7dd01379c50b8fd496d55cf8858 (patch)
treee5d5793ef4786dbfac5c724e8235a3aa1ce323b2 /ssl
parenta8eda4312db1f98cffda38670e2d40d36566785a (diff)
make EVP_PKEY opaque
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/ssl_cert.c2
-rw-r--r--ssl/ssl_rsa.c12
-rw-r--r--ssl/statem/statem_clnt.c19
-rw-r--r--ssl/statem/statem_lib.c2
-rw-r--r--ssl/statem/statem_srvr.c20
-rw-r--r--ssl/t1_lib.c12
6 files changed, 33 insertions, 34 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 75ccc72414..2aaf99cc23 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -214,7 +214,7 @@ CERT *ssl_cert_dup(CERT *cert)
if (cpk->privatekey != NULL) {
rpk->privatekey = cpk->privatekey;
- CRYPTO_add(&cpk->privatekey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ EVP_PKEY_up_ref(cpk->privatekey);
}
if (cpk->chain) {
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index a02230d0f1..aa4959916b 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -196,8 +196,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
* Don't check the public/private key, this is mostly for smart
* cards.
*/
- if ((pkey->type == EVP_PKEY_RSA) &&
- (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ;
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
+ && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK);
else
#endif
if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
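Review bot: The rewritten condition on the two added lines drops the parentheses the old code had around the bitwise test, so `&&` and `&` now sit unbracketed in one expression and a reader has to recall that `&` binds tighter than `&&` to see that the flag test is grouped as intended; the added line also puts the empty-statement `;` directly after the closing parenthesis, which makes the deliberate no-op body easier to overlook. Restoring the grouping keeps the same parse and reads as before: `&& (RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK)) ;`. The same parentheses were removed in the ssl_set_cert hunk just below in this file. ssl_set_pkey starts and ends outside this hunk.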
@@ -208,7 +208,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
}
EVP_PKEY_free(c->pkeys[i].privatekey);
- CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ EVP_PKEY_up_ref(pkey);
c->pkeys[i].privatekey = pkey;
c->key = &(c->pkeys[i]);
return (1);
@@ -392,9 +392,9 @@ static int ssl_set_cert(CERT *c, X509 *x)
* Don't check the public/private key, this is mostly for smart
* cards.
*/
- if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
- (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
- RSA_METHOD_FLAG_NO_CHECK)) ;
+ if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
+ && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
+ RSA_METHOD_FLAG_NO_CHECK) ;
else
#endif /* OPENSSL_NO_RSA */
if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 5925923133..047bcf5d5b 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1683,7 +1683,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
#ifdef SSL_DEBUG
fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
- } else if (pkey->type == EVP_PKEY_RSA) {
+ } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
md = EVP_md5_sha1();
} else {
md = EVP_sha1();
@@ -2191,8 +2191,7 @@ psk_err:
}
pkey = X509_get0_pubkey(s->session->peer);
- if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
- || (pkey->pkey.rsa == NULL)) {
+ if (EVP_PKEY_get0_RSA(pkey) == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
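Review bot: The added check passes `pkey` straight to `EVP_PKEY_get0_RSA()` after dropping the explicit `pkey == NULL` test the removed lines had, so if `X509_get0_pubkey(s->session->peer)` returns NULL the accessor is invoked on a null pointer; unless `EVP_PKEY_get0_RSA()` is documented to accept NULL (its body is not in this diff), keep the guard: `if (pkey == NULL || EVP_PKEY_get0_RSA(pkey) == NULL) {`. The next hunk in this file keeps exactly that shape for the EC case (`(skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL`), so this one reads as an oversight rather than a deliberate change. The same NULL test is removed in the tls_process_client_key_exchange hunk of ssl/statem/statem_srvr.c, where `s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey` is handed to `EVP_PKEY_get0_RSA()` without first checking that a private key is set. Unlike the old type comparison, the accessor may also record an EVP error for a non-RSA key before the `SSLerr` below adds its own; probably harmless, but worth confirming. The enclosing function starts and ends outside this hunk.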
@@ -2273,9 +2272,7 @@ psk_err:
} else {
/* Get the Server Public Key from Cert */
skey = X509_get0_pubkey(s->session->peer);
- if ((skey == NULL)
- || (skey->type != EVP_PKEY_EC)
- || (skey->pkey.ec == NULL)) {
+ if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
@@ -2609,10 +2606,12 @@ int tls_construct_client_verify(SSL *s)
goto err;
}
#ifndef OPENSSL_NO_GOST
- if (pkey->type == NID_id_GostR3410_2001
- || pkey->type == NID_id_GostR3410_2012_256
- || pkey->type == NID_id_GostR3410_2012_512) {
- BUF_reverse(p + 2, NULL, u);
+ {
+ int pktype = EVP_PKEY_id(pkey);
+ if (pktype == NID_id_GostR3410_2001
+ || pktype == NID_id_GostR3410_2012_256
+ || pktype == NID_id_GostR3410_2012_512)
+ BUF_reverse(p + 2, NULL, u);
}
#endif
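Review bot: The new `if` on the added lines has a three-line condition followed by an unbraced single-statement body, `BUF_reverse(p + 2, NULL, u);`, whereas the code it replaces braced the body; a later edit that adds a second statement after the reversal would silently land outside the conditional. Bracing it (`|| pktype == NID_id_GostR3410_2012_512) {` before the call and a closing `}` after it) keeps the block consistent with the surrounding style. The identical construct is introduced in the tls_process_cert_verify hunk of ssl/statem/statem_srvr.c. tls_construct_client_verify's body continues outside this hunk.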
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 984df19b58..70559666b0 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -612,7 +612,7 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
if (pk == NULL)
goto err;
- i = pk->type;
+ i = EVP_PKEY_id(pk);
if (i == EVP_PKEY_RSA) {
ret = SSL_PKEY_RSA_ENC;
} else if (i == EVP_PKEY_DSA) {
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 5ee0c94e17..2ac9dc3a59 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2080,7 +2080,6 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
unsigned long alg_k;
#ifndef OPENSSL_NO_RSA
RSA *rsa = NULL;
- EVP_PKEY *pkey = NULL;
#endif
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
EVP_PKEY *ckey = NULL;
@@ -2173,15 +2172,13 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
size_t j;
/* FIX THIS UP EAY EAY EAY EAY */
- pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
- if ((pkey == NULL) ||
- (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
+ rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey);
+ if (rsa == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
SSL_R_MISSING_RSA_CERTIFICATE);
goto f_err;
}
- rsa = pkey->pkey.rsa;
/* SSLv3 and pre-standard DTLS omit the length bytes. */
if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
@@ -2694,7 +2691,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
* length field (CryptoPro implementations at least till CSP 4.0)
*/
#ifndef OPENSSL_NO_GOST
- if (PACKET_remaining(pkt) == 64 && pkey->type == NID_id_GostR3410_2001) {
+ if (PACKET_remaining(pkt) == 64
+ && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
len = 64;
} else
#endif
@@ -2764,10 +2762,12 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
}
#ifndef OPENSSL_NO_GOST
- if (pkey->type == NID_id_GostR3410_2001
- || pkey->type == NID_id_GostR3410_2012_256
- || pkey->type == NID_id_GostR3410_2012_512) {
- BUF_reverse(data, NULL, len);
+ {
+ int pktype = EVP_PKEY_id(pkey);
+ if (pktype == NID_id_GostR3410_2001
+ || pktype == NID_id_GostR3410_2012_256
+ || pktype == NID_id_GostR3410_2012_512)
+ BUF_reverse(data, NULL, len);
}
#endif
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 41b55c8d4b..6937b45c61 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -793,9 +793,9 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
if (!pkey)
return 0;
/* If not EC nothing to do */
- if (pkey->type != EVP_PKEY_EC)
+ if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
return 1;
- rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
+ rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
if (!rv)
return 0;
/*
@@ -990,10 +990,10 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
return 0;
}
#ifndef OPENSSL_NO_EC
- if (pkey->type == EVP_PKEY_EC) {
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
unsigned char curve_id[2], comp_id;
/* Check compression and curve matches extensions */
- if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
+ if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
return 0;
if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
@@ -3227,7 +3227,7 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
int tls12_get_sigid(const EVP_PKEY *pk)
{
- return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig));
+ return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
}
typedef struct {
@@ -4110,7 +4110,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
if (!s->server && strict_mode) {
STACK_OF(X509_NAME) *ca_dn;
int check_type = 0;
- switch (pk->type) {
+ switch (EVP_PKEY_id(pk)) {
case EVP_PKEY_RSA:
check_type = TLS_CT_RSA_SIGN;
break;