diff options
| author | tb <> | 2021-10-31 16:37:25 +0000 |
|---|---|---|
| committer | tb <> | 2021-10-31 16:37:25 +0000 |
| commit | 28fece5b9dd86061a4bab6046a280c18aa785eff (patch) | |
| tree | 2992b3f8d49509860d10f75bb83918eca4758de1 /src/lib | |
| parent | 6c9847830c6a51cd6b998ba0ac7594553f875a9e (diff) | |
| download | openbsd-28fece5b9dd86061a4bab6046a280c18aa785eff.tar.gz openbsd-28fece5b9dd86061a4bab6046a280c18aa785eff.tar.bz2 openbsd-28fece5b9dd86061a4bab6046a280c18aa785eff.zip | |
libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().
ok beck jsing
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 22 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 8 |
2 files changed, 6 insertions, 24 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index f64b89352e..9220929f88 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.276 2021/10/25 10:01:46 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.277 2021/10/31 16:37:25 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2187,17 +2187,6 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) | |||
| 2187 | X509_VERIFY_PARAM_set_depth(ctx->param, depth); | 2187 | X509_VERIFY_PARAM_set_depth(ctx->param, depth); |
| 2188 | } | 2188 | } |
| 2189 | 2189 | ||
| 2190 | static int | ||
| 2191 | ssl_cert_can_sign(X509 *x) | ||
| 2192 | { | ||
| 2193 | /* This call populates extension flags (ex_flags). */ | ||
| 2194 | X509_check_purpose(x, -1, 0); | ||
| 2195 | |||
| 2196 | /* Key usage, if present, must allow signing. */ | ||
| 2197 | return ((x->ex_flags & EXFLAG_KUSAGE) == 0 || | ||
| 2198 | (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)); | ||
| 2199 | } | ||
| 2200 | |||
| 2201 | void | 2190 | void |
| 2202 | ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | 2191 | ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) |
| 2203 | { | 2192 | { |
| @@ -2215,7 +2204,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 2215 | 2204 | ||
| 2216 | cpk = &(c->pkeys[SSL_PKEY_ECC]); | 2205 | cpk = &(c->pkeys[SSL_PKEY_ECC]); |
| 2217 | if (cpk->x509 != NULL && cpk->privatekey != NULL) { | 2206 | if (cpk->x509 != NULL && cpk->privatekey != NULL) { |
| 2218 | if (ssl_cert_can_sign(cpk->x509)) | 2207 | /* Key usage, if present, must allow signing. */ |
| 2208 | if (X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE) | ||
| 2219 | mask_a |= SSL_aECDSA; | 2209 | mask_a |= SSL_aECDSA; |
| 2220 | } | 2210 | } |
| 2221 | 2211 | ||
| @@ -2259,12 +2249,8 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) | |||
| 2259 | alg_a = cs->algorithm_auth; | 2249 | alg_a = cs->algorithm_auth; |
| 2260 | 2250 | ||
| 2261 | if (alg_a & SSL_aECDSA) { | 2251 | if (alg_a & SSL_aECDSA) { |
| 2262 | /* This call populates extension flags (ex_flags). */ | ||
| 2263 | X509_check_purpose(x, -1, 0); | ||
| 2264 | |||
| 2265 | /* Key usage, if present, must allow signing. */ | 2252 | /* Key usage, if present, must allow signing. */ |
| 2266 | if ((x->ex_flags & EXFLAG_KUSAGE) && | 2253 | if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) { |
| 2267 | ((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) { | ||
| 2268 | SSLerror(s, SSL_R_ECC_CERT_NOT_FOR_SIGNING); | 2254 | SSLerror(s, SSL_R_ECC_CERT_NOT_FOR_SIGNING); |
| 2269 | return (0); | 2255 | return (0); |
| 2270 | } | 2256 | } |
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 733a71f7d1..253c1fc208 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.87 2021/10/25 10:01:46 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.88 2021/10/31 16:37:25 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -557,15 +557,11 @@ tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, | |||
| 557 | if (cpk->x509 == NULL || cpk->privatekey == NULL) | 557 | if (cpk->x509 == NULL || cpk->privatekey == NULL) |
| 558 | goto done; | 558 | goto done; |
| 559 | 559 | ||
| 560 | if (!X509_check_purpose(cpk->x509, -1, 0)) | ||
| 561 | return 0; | ||
| 562 | |||
| 563 | /* | 560 | /* |
| 564 | * The digitalSignature bit MUST be set if the Key Usage extension is | 561 | * The digitalSignature bit MUST be set if the Key Usage extension is |
| 565 | * present as per RFC 8446 section 4.4.2.2. | 562 | * present as per RFC 8446 section 4.4.2.2. |
| 566 | */ | 563 | */ |
| 567 | if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) && | 564 | if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)) |
| 568 | !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) | ||
| 569 | goto done; | 565 | goto done; |
| 570 | 566 | ||
| 571 | if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) | 567 | if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) |