[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Tue May 19 13:07:14 UTC 2015
The branch master has been updated
via 4d69f9e69d2f5069ab37da68f4b93a6f337fb13e (commit)
from 00d565cfbe90fab3b157e644caca4eb4a2ebec79 (commit)
- Log -----------------------------------------------------------------
commit 4d69f9e69d2f5069ab37da68f4b93a6f337fb13e
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon May 18 23:29:57 2015 +0100
move masks out of CERT structure
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
ssl/s3_clnt.c | 5 ++---
ssl/s3_lib.c | 10 ++++------
ssl/ssl_cert.c | 5 -----
ssl/ssl_lib.c | 9 ++++-----
ssl/ssl_locl.h | 23 +++++++++++------------
ssl/ssl_rsa.c | 2 --
ssl/t1_lib.c | 38 ++++++++++++++++++--------------------
7 files changed, 39 insertions(+), 53 deletions(-)
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 3b49fa4..46f9909 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -957,7 +957,6 @@ int ssl3_get_server_hello(SSL *s)
{
STACK_OF(SSL_CIPHER) *sk;
const SSL_CIPHER *c;
- CERT *ct = s->cert;
unsigned char *p, *d;
int i, al = SSL_AD_INTERNAL_ERROR, ok;
unsigned int j;
@@ -1151,9 +1150,9 @@ int ssl3_get_server_hello(SSL *s)
}
/* Set version disabled mask now we know version */
if (!SSL_USE_TLS1_2_CIPHERS(s))
- ct->mask_ssl = SSL_TLSV1_2;
+ s->s3->tmp.mask_ssl = SSL_TLSV1_2;
else
- ct->mask_ssl = 0;
+ s->s3->tmp.mask_ssl = 0;
/*
* If it is a disabled cipher we didn't send it in client hello, so
* return an error.
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index c28c447..78e95fc 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3843,11 +3843,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
SSL_CIPHER *c, *ret = NULL;
STACK_OF(SSL_CIPHER) *prio, *allow;
int i, ii, ok;
- CERT *cert;
unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a;
/* Let's see which ciphers we can support */
- cert = s->cert;
#if 0
/*
@@ -3893,10 +3891,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
continue;
ssl_set_masks(s, c);
- mask_k = cert->mask_k;
- mask_a = cert->mask_a;
- emask_k = cert->export_mask_k;
- emask_a = cert->export_mask_a;
+ mask_k = s->s3->tmp.mask_k;
+ mask_a = s->s3->tmp.mask_a;
+ emask_k = s->s3->tmp.export_mask_k;
+ emask_a = s->s3->tmp.export_mask_a;
#ifndef OPENSSL_NO_SRP
if (s->srp_ctx.srp_Mask & SSL_kSRP) {
mask_k |= SSL_kSRP;
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 14c0c16..987b2b7 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -196,11 +196,6 @@ CERT *ssl_cert_dup(CERT *cert)
memset(ret, 0, sizeof(*ret));
ret->key = &ret->pkeys[cert->key - cert->pkeys];
- ret->valid = cert->valid;
- ret->mask_k = cert->mask_k;
- ret->mask_a = cert->mask_a;
- ret->export_mask_k = cert->export_mask_k;
- ret->export_mask_a = cert->export_mask_a;
#ifndef OPENSSL_NO_RSA
if (cert->rsa_tmp != NULL) {
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b44cb19..2624b37 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2114,11 +2114,10 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
emask_a |= SSL_aPSK;
#endif
- c->mask_k = mask_k;
- c->mask_a = mask_a;
- c->export_mask_k = emask_k;
- c->export_mask_a = emask_a;
- c->valid = 1;
+ s->s3->tmp.mask_k = mask_k;
+ s->s3->tmp.mask_a = mask_a;
+ s->s3->tmp.export_mask_k = emask_k;
+ s->s3->tmp.export_mask_a = emask_a;
}
/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d2ee634..04e5908 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1301,6 +1301,17 @@ typedef struct ssl3_state_st {
* If zero it can't be used at all.
*/
int valid_flags[SSL_PKEY_NUM];
+ /*
+ * For servers the following masks are for the key and auth algorithms
+ * that are supported by the certs below. For clients they are masks of
+ * *disabled* algorithms based on the current session.
+ */
+ unsigned long mask_k;
+ unsigned long mask_a;
+ unsigned long export_mask_k;
+ unsigned long export_mask_a;
+ /* Client only */
+ unsigned long mask_ssl;
} tmp;
/* Connection binding to prevent renegotiation attacks */
@@ -1509,18 +1520,6 @@ typedef struct cert_st {
* an index, not a pointer.
*/
CERT_PKEY *key;
- /*
- * For servers the following masks are for the key and auth algorithms
- * that are supported by the certs below. For clients they are masks of
- * *disabled* algorithms based on the current session.
- */
- int valid;
- unsigned long mask_k;
- unsigned long mask_a;
- unsigned long export_mask_k;
- unsigned long export_mask_a;
- /* Client only */
- unsigned long mask_ssl;
# ifndef OPENSSL_NO_RSA
RSA *rsa_tmp;
RSA *(*rsa_tmp_cb) (SSL *ssl, int is_export, int keysize);
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 31ce9bd..a9c832c 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -216,7 +216,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
c->pkeys[i].privatekey = pkey;
c->key = &(c->pkeys[i]);
- c->valid = 0;
return (1);
}
@@ -420,7 +419,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
c->pkeys[i].x509 = x;
c->key = &(c->pkeys[i]);
- c->valid = 0;
return (1);
}
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 5291574..f3fa0f5 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1048,46 +1048,44 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
*/
void ssl_set_client_disabled(SSL *s)
{
- CERT *c = s->cert;
- c->mask_a = 0;
- c->mask_k = 0;
+ s->s3->tmp.mask_a = 0;
+ s->s3->tmp.mask_k = 0;
/* Don't allow TLS 1.2 only ciphers if we don't suppport them */
if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
- c->mask_ssl = SSL_TLSV1_2;
+ s->s3->tmp.mask_ssl = SSL_TLSV1_2;
else
- c->mask_ssl = 0;
- ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
+ s->s3->tmp.mask_ssl = 0;
+ ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
/*
* Disable static DH if we don't include any appropriate signature
* algorithms.
*/
- if (c->mask_a & SSL_aRSA)
- c->mask_k |= SSL_kDHr | SSL_kECDHr;
- if (c->mask_a & SSL_aDSS)
- c->mask_k |= SSL_kDHd;
- if (c->mask_a & SSL_aECDSA)
- c->mask_k |= SSL_kECDHe;
+ if (s->s3->tmp.mask_a & SSL_aRSA)
+ s->s3->tmp.mask_k |= SSL_kDHr | SSL_kECDHr;
+ if (s->s3->tmp.mask_a & SSL_aDSS)
+ s->s3->tmp.mask_k |= SSL_kDHd;
+ if (s->s3->tmp.mask_a & SSL_aECDSA)
+ s->s3->tmp.mask_k |= SSL_kECDHe;
# ifndef OPENSSL_NO_PSK
/* with PSK there must be client callback set */
if (!s->psk_client_callback) {
- c->mask_a |= SSL_aPSK;
- c->mask_k |= SSL_kPSK;
+ s->s3->tmp.mask_a |= SSL_aPSK;
+ s->s3->tmp.mask_k |= SSL_kPSK;
}
# endif /* OPENSSL_NO_PSK */
# ifndef OPENSSL_NO_SRP
if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
- c->mask_a |= SSL_aSRP;
- c->mask_k |= SSL_kSRP;
+ s->s3->tmp.mask_a |= SSL_aSRP;
+ s->s3->tmp.mask_k |= SSL_kSRP;
}
# endif
- c->valid = 1;
}
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
{
- CERT *ct = s->cert;
- if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k
- || c->algorithm_auth & ct->mask_a)
+ if (c->algorithm_ssl & s->s3->tmp.mask_ssl
+ || c->algorithm_mkey & s->s3->tmp.mask_k
+ || c->algorithm_auth & s->s3->tmp.mask_a)
return 1;
return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}
More information about the openssl-commits
mailing list