
github.com/mono/boringssl.git - Unnamed repository; edit this file 'description' to name the repository.
authorDavid Benjamin <davidben@chromium.org>2014-11-14 00:02:33 +0300
committerAdam Langley <agl@google.com>2014-11-19 01:20:53 +0300
commit6a8d70c528eee2cd4b6f626c33d11e45a44ca2fa (patch)
tree19aa6a93a0e71b0d9f010cfa0ff05f53c2a74fe5 /ssl/t1_lib.c
parent253b3e76dc8045dc4639164aeda8b966745f20a4 (diff)
Trim tls1_check_chain and CERT_PKEY flags.
Many are now unused. Only two are currently considered in cipher selection: CERT_PKEY_VALID and CERT_PKEY_SIGN. (As per previous commits, this is either bizarre due to limited slots or redundant with ssl_early_callback_ctx. We can probably prune this too.) This also fixes a bug where DTLS 1.0 went through a TLS 1.2 codepath. As the DTLS code is currently arranged, all version comparisons must be done via macros like SSL_USE_SIGALGS. (Probably we should add functions to map from DTLS to TLS versions and slowly move the library to using the TLS version as in-memory representation.) Change-Id: I89bcf5b7b9ea5cdecf54f4445156586377328fe0 Reviewed-on: https://boringssl-review.googlesource.com/2286 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r--ssl/t1_lib.c56
1 files changed, 14 insertions, 42 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 4456dfca..c31720c5 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -657,7 +657,7 @@ static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
/* Check cert parameters compatible with extensions: currently just checks
* EC certificates have compatible curves and compression.
*/
-static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
+static int tls1_check_cert_param(SSL *s, X509 *x)
{
uint8_t comp_id;
uint16_t curve_id;
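Review bot: The comment above tls1_check_cert_param still does not state the return convention, which the rewritten tls1_check_chain in this file now depends on (`if (!tls1_check_cert_param(s, cpk->x509)) return;`). Since a misread convention here would let an incompatible certificate be marked valid, I would extend the header comment with something like `Returns one if |x| is compatible with the negotiated curve and point-format extensions and zero otherwise.` The function body continues outside this hunk, so the wording should be confirmed against it, along with any remaining reference to the removed `set_ee_md` parameter.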
@@ -2920,52 +2920,24 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
* server. This allows the server to check chains before attempting to use them.
*/
-int tls1_check_chain(SSL *s, int idx)
+void tls1_check_chain(SSL *s, size_t idx)
{
- int rv = 0;
- CERT_PKEY *cpk = NULL;
- CERT *c = s->cert;
- X509 *x;
- EVP_PKEY *pk;
-
- cpk = c->pkeys + idx;
- x = cpk->x509;
- pk = cpk->privatekey;
- /* If no cert or key, forget it */
- if (!x || !pk)
- goto end;
+ CERT_PKEY *cpk = &s->cert->pkeys[idx];
- /* Check cert parameters are consistent */
- if (tls1_check_cert_param(s, x, 2))
- rv |= CERT_PKEY_EE_PARAM;
- else
- goto end;
- if (!s->server)
- rv |= CERT_PKEY_CA_PARAM;
- rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE|CERT_PKEY_VALID;
+ /* Clear the flags. */
+ cpk->valid_flags = 0;
- end:
+ /* If no cert or key, forget it. */
+ if (!cpk->x509 || !cpk->privatekey)
+ return;
- if (TLS1_get_version(s) >= TLS1_2_VERSION)
- {
- if (cpk->digest)
- rv |= CERT_PKEY_SIGN;
- }
- else
- rv |= CERT_PKEY_SIGN;
+ /* Check cert parameters are consistent */
+ if (!tls1_check_cert_param(s, cpk->x509))
+ return;
- /* When checking a CERT_PKEY structure all flags are irrelevant
- * if the chain is invalid.
- */
- if (rv & CERT_PKEY_VALID)
- cpk->valid_flags = rv;
- else
- {
- /* Clear flags. */
- cpk->valid_flags = 0;
- return 0;
- }
- return rv;
+ cpk->valid_flags = CERT_PKEY_VALID;
+ if (!SSL_USE_SIGALGS(s) || cpk->digest)
+ cpk->valid_flags |= CERT_PKEY_SIGN;
}
/* Set validity of certificates in an SSL structure */
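Review bot: `idx` is used to index `s->cert->pkeys` on the first line of the new tls1_check_chain with no range check, and the write `cpk->valid_flags = 0` follows immediately. Changing the type to `size_t` rules out negative values but not an index past the end of the array. The callers are not visible in this file-limited diff, so this may already be guaranteed. If so, a cheap guard such as `assert(idx < SSL_PKEY_NUM);` (or whatever the array's declared bound is) would document the precondition. Separately, the function now returns void and reports its result only through `cpk->valid_flags`, which is cleared first so that every early return leaves the slot unusable. The comment above the function should say this, so later edits keep the fail-closed ordering.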