mirror of
https://github.com/openssl/openssl.git
synced 2024-12-13 12:03:48 +08:00
move masks out of CERT structure
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
parent
00d565cfbe
commit
4d69f9e69d
@ -957,7 +957,6 @@ int ssl3_get_server_hello(SSL *s)
|
||||
{
|
||||
STACK_OF(SSL_CIPHER) *sk;
|
||||
const SSL_CIPHER *c;
|
||||
CERT *ct = s->cert;
|
||||
unsigned char *p, *d;
|
||||
int i, al = SSL_AD_INTERNAL_ERROR, ok;
|
||||
unsigned int j;
|
||||
@ -1151,9 +1150,9 @@ int ssl3_get_server_hello(SSL *s)
|
||||
}
|
||||
/* Set version disabled mask now we know version */
|
||||
if (!SSL_USE_TLS1_2_CIPHERS(s))
|
||||
ct->mask_ssl = SSL_TLSV1_2;
|
||||
s->s3->tmp.mask_ssl = SSL_TLSV1_2;
|
||||
else
|
||||
ct->mask_ssl = 0;
|
||||
s->s3->tmp.mask_ssl = 0;
|
||||
/*
|
||||
* If it is a disabled cipher we didn't send it in client hello, so
|
||||
* return an error.
|
||||
|
10
ssl/s3_lib.c
10
ssl/s3_lib.c
@ -3843,11 +3843,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
SSL_CIPHER *c, *ret = NULL;
|
||||
STACK_OF(SSL_CIPHER) *prio, *allow;
|
||||
int i, ii, ok;
|
||||
CERT *cert;
|
||||
unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a;
|
||||
|
||||
/* Let's see which ciphers we can support */
|
||||
cert = s->cert;
|
||||
|
||||
#if 0
|
||||
/*
|
||||
@ -3893,10 +3891,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
continue;
|
||||
|
||||
ssl_set_masks(s, c);
|
||||
mask_k = cert->mask_k;
|
||||
mask_a = cert->mask_a;
|
||||
emask_k = cert->export_mask_k;
|
||||
emask_a = cert->export_mask_a;
|
||||
mask_k = s->s3->tmp.mask_k;
|
||||
mask_a = s->s3->tmp.mask_a;
|
||||
emask_k = s->s3->tmp.export_mask_k;
|
||||
emask_a = s->s3->tmp.export_mask_a;
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
if (s->srp_ctx.srp_Mask & SSL_kSRP) {
|
||||
mask_k |= SSL_kSRP;
|
||||
|
@ -196,11 +196,6 @@ CERT *ssl_cert_dup(CERT *cert)
|
||||
memset(ret, 0, sizeof(*ret));
|
||||
|
||||
ret->key = &ret->pkeys[cert->key - cert->pkeys];
|
||||
ret->valid = cert->valid;
|
||||
ret->mask_k = cert->mask_k;
|
||||
ret->mask_a = cert->mask_a;
|
||||
ret->export_mask_k = cert->export_mask_k;
|
||||
ret->export_mask_a = cert->export_mask_a;
|
||||
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
if (cert->rsa_tmp != NULL) {
|
||||
|
@ -2114,11 +2114,10 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
|
||||
emask_a |= SSL_aPSK;
|
||||
#endif
|
||||
|
||||
c->mask_k = mask_k;
|
||||
c->mask_a = mask_a;
|
||||
c->export_mask_k = emask_k;
|
||||
c->export_mask_a = emask_a;
|
||||
c->valid = 1;
|
||||
s->s3->tmp.mask_k = mask_k;
|
||||
s->s3->tmp.mask_a = mask_a;
|
||||
s->s3->tmp.export_mask_k = emask_k;
|
||||
s->s3->tmp.export_mask_a = emask_a;
|
||||
}
|
||||
|
||||
/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
|
||||
|
@ -1301,6 +1301,17 @@ typedef struct ssl3_state_st {
|
||||
* If zero it can't be used at all.
|
||||
*/
|
||||
int valid_flags[SSL_PKEY_NUM];
|
||||
/*
|
||||
* For servers the following masks are for the key and auth algorithms
|
||||
* that are supported by the certs below. For clients they are masks of
|
||||
* *disabled* algorithms based on the current session.
|
||||
*/
|
||||
unsigned long mask_k;
|
||||
unsigned long mask_a;
|
||||
unsigned long export_mask_k;
|
||||
unsigned long export_mask_a;
|
||||
/* Client only */
|
||||
unsigned long mask_ssl;
|
||||
} tmp;
|
||||
|
||||
/* Connection binding to prevent renegotiation attacks */
|
||||
@ -1509,18 +1520,6 @@ typedef struct cert_st {
|
||||
* an index, not a pointer.
|
||||
*/
|
||||
CERT_PKEY *key;
|
||||
/*
|
||||
* For servers the following masks are for the key and auth algorithms
|
||||
* that are supported by the certs below. For clients they are masks of
|
||||
* *disabled* algorithms based on the current session.
|
||||
*/
|
||||
int valid;
|
||||
unsigned long mask_k;
|
||||
unsigned long mask_a;
|
||||
unsigned long export_mask_k;
|
||||
unsigned long export_mask_a;
|
||||
/* Client only */
|
||||
unsigned long mask_ssl;
|
||||
# ifndef OPENSSL_NO_RSA
|
||||
RSA *rsa_tmp;
|
||||
RSA *(*rsa_tmp_cb) (SSL *ssl, int is_export, int keysize);
|
||||
|
@ -216,7 +216,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
|
||||
CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
|
||||
c->pkeys[i].privatekey = pkey;
|
||||
c->key = &(c->pkeys[i]);
|
||||
c->valid = 0;
|
||||
return (1);
|
||||
}
|
||||
|
||||
@ -420,7 +419,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
|
||||
c->pkeys[i].x509 = x;
|
||||
c->key = &(c->pkeys[i]);
|
||||
|
||||
c->valid = 0;
|
||||
return (1);
|
||||
}
|
||||
|
||||
|
38
ssl/t1_lib.c
38
ssl/t1_lib.c
@ -1048,46 +1048,44 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
|
||||
*/
|
||||
void ssl_set_client_disabled(SSL *s)
|
||||
{
|
||||
CERT *c = s->cert;
|
||||
c->mask_a = 0;
|
||||
c->mask_k = 0;
|
||||
s->s3->tmp.mask_a = 0;
|
||||
s->s3->tmp.mask_k = 0;
|
||||
/* Don't allow TLS 1.2 only ciphers if we don't suppport them */
|
||||
if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
|
||||
c->mask_ssl = SSL_TLSV1_2;
|
||||
s->s3->tmp.mask_ssl = SSL_TLSV1_2;
|
||||
else
|
||||
c->mask_ssl = 0;
|
||||
ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
|
||||
s->s3->tmp.mask_ssl = 0;
|
||||
ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
|
||||
/*
|
||||
* Disable static DH if we don't include any appropriate signature
|
||||
* algorithms.
|
||||
*/
|
||||
if (c->mask_a & SSL_aRSA)
|
||||
c->mask_k |= SSL_kDHr | SSL_kECDHr;
|
||||
if (c->mask_a & SSL_aDSS)
|
||||
c->mask_k |= SSL_kDHd;
|
||||
if (c->mask_a & SSL_aECDSA)
|
||||
c->mask_k |= SSL_kECDHe;
|
||||
if (s->s3->tmp.mask_a & SSL_aRSA)
|
||||
s->s3->tmp.mask_k |= SSL_kDHr | SSL_kECDHr;
|
||||
if (s->s3->tmp.mask_a & SSL_aDSS)
|
||||
s->s3->tmp.mask_k |= SSL_kDHd;
|
||||
if (s->s3->tmp.mask_a & SSL_aECDSA)
|
||||
s->s3->tmp.mask_k |= SSL_kECDHe;
|
||||
# ifndef OPENSSL_NO_PSK
|
||||
/* with PSK there must be client callback set */
|
||||
if (!s->psk_client_callback) {
|
||||
c->mask_a |= SSL_aPSK;
|
||||
c->mask_k |= SSL_kPSK;
|
||||
s->s3->tmp.mask_a |= SSL_aPSK;
|
||||
s->s3->tmp.mask_k |= SSL_kPSK;
|
||||
}
|
||||
# endif /* OPENSSL_NO_PSK */
|
||||
# ifndef OPENSSL_NO_SRP
|
||||
if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
|
||||
c->mask_a |= SSL_aSRP;
|
||||
c->mask_k |= SSL_kSRP;
|
||||
s->s3->tmp.mask_a |= SSL_aSRP;
|
||||
s->s3->tmp.mask_k |= SSL_kSRP;
|
||||
}
|
||||
# endif
|
||||
c->valid = 1;
|
||||
}
|
||||
|
||||
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
|
||||
{
|
||||
CERT *ct = s->cert;
|
||||
if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k
|
||||
|| c->algorithm_auth & ct->mask_a)
|
||||
if (c->algorithm_ssl & s->s3->tmp.mask_ssl
|
||||
|| c->algorithm_mkey & s->s3->tmp.mask_k
|
||||
|| c->algorithm_auth & s->s3->tmp.mask_a)
|
||||
return 1;
|
||||
return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user