diff options
| author | jsing <> | 2020-05-19 16:35:21 +0000 |
|---|---|---|
| committer | jsing <> | 2020-05-19 16:35:21 +0000 |
| commit | 6019fdeeec36b84a28e360616bf851bbb984af8c (patch) | |
| tree | 5ff7e57b9c4172ec2feea5a8c0a76ee21339a4af /src/lib | |
| parent | 301bb2dc3c4393a25056c7a1ec7b1d4a5efe6ea2 (diff) | |
| download | openbsd-6019fdeeec36b84a28e360616bf851bbb984af8c.tar.gz openbsd-6019fdeeec36b84a28e360616bf851bbb984af8c.tar.bz2 openbsd-6019fdeeec36b84a28e360616bf851bbb984af8c.zip | |
Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.
Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:
/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */
And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.
Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.
ok tb@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/ssl_both.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_cert.c | 13 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 8 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 24 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 12 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_srvr.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 6 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 6 |
8 files changed, 31 insertions, 46 deletions
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c index b8929d8f84..488a5ff7c9 100644 --- a/src/lib/libssl/ssl_both.c +++ b/src/lib/libssl/ssl_both.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_both.c,v 1.17 2020/03/12 17:15:33 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_both.c,v 1.18 2020/05/19 16:35:20 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -591,7 +591,7 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey) | |||
| 591 | 591 | ||
| 592 | i = pk->type; | 592 | i = pk->type; |
| 593 | if (i == EVP_PKEY_RSA) { | 593 | if (i == EVP_PKEY_RSA) { |
| 594 | ret = SSL_PKEY_RSA_ENC; | 594 | ret = SSL_PKEY_RSA; |
| 595 | } else if (i == EVP_PKEY_EC) { | 595 | } else if (i == EVP_PKEY_EC) { |
| 596 | ret = SSL_PKEY_ECC; | 596 | ret = SSL_PKEY_ECC; |
| 597 | } else if (i == NID_id_GostR3410_2001 || | 597 | } else if (i == NID_id_GostR3410_2001 || |
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index af8ef329b4..3567b7b426 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_cert.c,v 1.76 2019/05/15 09:13:16 bcook Exp $ */ | 1 | /* $OpenBSD: ssl_cert.c,v 1.77 2020/05/19 16:35:20 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -168,7 +168,7 @@ ssl_cert_new(void) | |||
| 168 | SSLerrorx(ERR_R_MALLOC_FAILURE); | 168 | SSLerrorx(ERR_R_MALLOC_FAILURE); |
| 169 | return (NULL); | 169 | return (NULL); |
| 170 | } | 170 | } |
| 171 | ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]); | 171 | ret->key = &(ret->pkeys[SSL_PKEY_RSA]); |
| 172 | ret->references = 1; | 172 | ret->references = 1; |
| 173 | return (ret); | 173 | return (ret); |
| 174 | } | 174 | } |
| @@ -240,15 +240,10 @@ ssl_cert_dup(CERT *cert) | |||
| 240 | * (Nothing at the moment, I think.) | 240 | * (Nothing at the moment, I think.) |
| 241 | */ | 241 | */ |
| 242 | 242 | ||
| 243 | case SSL_PKEY_RSA_ENC: | 243 | case SSL_PKEY_RSA: |
| 244 | case SSL_PKEY_RSA_SIGN: | ||
| 245 | /* We have an RSA key. */ | 244 | /* We have an RSA key. */ |
| 246 | break; | 245 | break; |
| 247 | 246 | ||
| 248 | case SSL_PKEY_DH_RSA: | ||
| 249 | /* We have a DH key. */ | ||
| 250 | break; | ||
| 251 | |||
| 252 | case SSL_PKEY_ECC: | 247 | case SSL_PKEY_ECC: |
| 253 | /* We have an ECC key */ | 248 | /* We have an ECC key */ |
| 254 | break; | 249 | break; |
| @@ -377,7 +372,7 @@ ssl_sess_cert_new(void) | |||
| 377 | SSLerrorx(ERR_R_MALLOC_FAILURE); | 372 | SSLerrorx(ERR_R_MALLOC_FAILURE); |
| 378 | return NULL; | 373 | return NULL; |
| 379 | } | 374 | } |
| 380 | ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]); | 375 | ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA]); |
| 381 | ret->references = 1; | 376 | ret->references = 1; |
| 382 | 377 | ||
| 383 | return ret; | 378 | return ret; |
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 6b457569a3..fb29e4f5f6 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.66 2020/05/10 14:17:47 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.67 2020/05/19 16:35:20 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1264,7 +1264,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) | |||
| 1264 | } | 1264 | } |
| 1265 | 1265 | ||
| 1266 | if (alg_a & SSL_aRSA) | 1266 | if (alg_a & SSL_aRSA) |
| 1267 | *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509); | 1267 | *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA].x509); |
| 1268 | else | 1268 | else |
| 1269 | /* XXX - Anonymous DH, so no certificate or pkey. */ | 1269 | /* XXX - Anonymous DH, so no certificate or pkey. */ |
| 1270 | *pkey = NULL; | 1270 | *pkey = NULL; |
| @@ -1397,7 +1397,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) | |||
| 1397 | * and ECDSA. | 1397 | * and ECDSA. |
| 1398 | */ | 1398 | */ |
| 1399 | if (alg_a & SSL_aRSA) | 1399 | if (alg_a & SSL_aRSA) |
| 1400 | *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509); | 1400 | *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA].x509); |
| 1401 | else if (alg_a & SSL_aECDSA) | 1401 | else if (alg_a & SSL_aECDSA) |
| 1402 | *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_ECC].x509); | 1402 | *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_ECC].x509); |
| 1403 | else | 1403 | else |
| @@ -1933,7 +1933,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb) | |||
| 1933 | * RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1. | 1933 | * RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1. |
| 1934 | */ | 1934 | */ |
| 1935 | 1935 | ||
| 1936 | pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); | 1936 | pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA].x509); |
| 1937 | if (pkey == NULL || pkey->type != EVP_PKEY_RSA || | 1937 | if (pkey == NULL || pkey->type != EVP_PKEY_RSA || |
| 1938 | pkey->pkey.rsa == NULL) { | 1938 | pkey->pkey.rsa == NULL) { |
| 1939 | SSLerror(s, ERR_R_INTERNAL_ERROR); | 1939 | SSLerror(s, ERR_R_INTERNAL_ERROR); |
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 1c4ab636a1..fa1d209c8c 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.213 2020/05/10 14:17:47 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.214 2020/05/19 16:35:20 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1968,7 +1968,7 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) | |||
| 1968 | void | 1968 | void |
| 1969 | ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | 1969 | ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) |
| 1970 | { | 1970 | { |
| 1971 | int rsa_enc, rsa_sign, dh_tmp; | 1971 | int rsa, dh_tmp; |
| 1972 | int have_ecc_cert; | 1972 | int have_ecc_cert; |
| 1973 | unsigned long mask_k, mask_a; | 1973 | unsigned long mask_k, mask_a; |
| 1974 | X509 *x = NULL; | 1974 | X509 *x = NULL; |
| @@ -1980,10 +1980,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 1980 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || | 1980 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || |
| 1981 | c->dh_tmp_auto != 0); | 1981 | c->dh_tmp_auto != 0); |
| 1982 | 1982 | ||
| 1983 | cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); | 1983 | cpk = &(c->pkeys[SSL_PKEY_RSA]); |
| 1984 | rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL); | 1984 | rsa = (cpk->x509 != NULL && cpk->privatekey != NULL); |
| 1985 | cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); | ||
| 1986 | rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); | ||
| 1987 | cpk = &(c->pkeys[SSL_PKEY_ECC]); | 1985 | cpk = &(c->pkeys[SSL_PKEY_ECC]); |
| 1988 | have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); | 1986 | have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); |
| 1989 | 1987 | ||
| @@ -1996,13 +1994,13 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 1996 | mask_a |= SSL_aGOST01; | 1994 | mask_a |= SSL_aGOST01; |
| 1997 | } | 1995 | } |
| 1998 | 1996 | ||
| 1999 | if (rsa_enc) | 1997 | if (rsa) |
| 2000 | mask_k |= SSL_kRSA; | 1998 | mask_k |= SSL_kRSA; |
| 2001 | 1999 | ||
| 2002 | if (dh_tmp) | 2000 | if (dh_tmp) |
| 2003 | mask_k |= SSL_kDHE; | 2001 | mask_k |= SSL_kDHE; |
| 2004 | 2002 | ||
| 2005 | if (rsa_enc || rsa_sign) | 2003 | if (rsa) |
| 2006 | mask_a |= SSL_aRSA; | 2004 | mask_a |= SSL_aRSA; |
| 2007 | 2005 | ||
| 2008 | mask_a |= SSL_aNULL; | 2006 | mask_a |= SSL_aNULL; |
| @@ -2085,10 +2083,7 @@ ssl_get_server_send_pkey(const SSL *s) | |||
| 2085 | if (alg_a & SSL_aECDSA) { | 2083 | if (alg_a & SSL_aECDSA) { |
| 2086 | i = SSL_PKEY_ECC; | 2084 | i = SSL_PKEY_ECC; |
| 2087 | } else if (alg_a & SSL_aRSA) { | 2085 | } else if (alg_a & SSL_aRSA) { |
| 2088 | if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) | 2086 | i = SSL_PKEY_RSA; |
| 2089 | i = SSL_PKEY_RSA_SIGN; | ||
| 2090 | else | ||
| 2091 | i = SSL_PKEY_RSA_ENC; | ||
| 2092 | } else if (alg_a & SSL_aGOST01) { | 2087 | } else if (alg_a & SSL_aGOST01) { |
| 2093 | i = SSL_PKEY_GOST01; | 2088 | i = SSL_PKEY_GOST01; |
| 2094 | } else { /* if (alg_a & SSL_aNULL) */ | 2089 | } else { /* if (alg_a & SSL_aNULL) */ |
| @@ -2113,10 +2108,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd, | |||
| 2113 | c = s->cert; | 2108 | c = s->cert; |
| 2114 | 2109 | ||
| 2115 | if (alg_a & SSL_aRSA) { | 2110 | if (alg_a & SSL_aRSA) { |
| 2116 | if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) | 2111 | idx = SSL_PKEY_RSA; |
| 2117 | idx = SSL_PKEY_RSA_SIGN; | ||
| 2118 | else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) | ||
| 2119 | idx = SSL_PKEY_RSA_ENC; | ||
| 2120 | } else if ((alg_a & SSL_aECDSA) && | 2112 | } else if ((alg_a & SSL_aECDSA) && |
| 2121 | (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) | 2113 | (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) |
| 2122 | idx = SSL_PKEY_ECC; | 2114 | idx = SSL_PKEY_ECC; |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 41ac3ca35a..736005b5c9 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.274 2020/05/11 18:19:19 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.275 2020/05/19 16:35:20 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -333,12 +333,10 @@ __BEGIN_HIDDEN_DECLS | |||
| 333 | #define SSL_USE_TLS1_3_CIPHERS(s) \ | 333 | #define SSL_USE_TLS1_3_CIPHERS(s) \ |
| 334 | (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS) | 334 | (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS) |
| 335 | 335 | ||
| 336 | #define SSL_PKEY_RSA_ENC 0 | 336 | #define SSL_PKEY_RSA 0 |
| 337 | #define SSL_PKEY_RSA_SIGN 1 | 337 | #define SSL_PKEY_ECC 1 |
| 338 | #define SSL_PKEY_DH_RSA 2 | 338 | #define SSL_PKEY_GOST01 2 |
| 339 | #define SSL_PKEY_ECC 3 | 339 | #define SSL_PKEY_NUM 3 |
| 340 | #define SSL_PKEY_GOST01 4 | ||
| 341 | #define SSL_PKEY_NUM 5 | ||
| 342 | 340 | ||
| 343 | #define SSL_MAX_EMPTY_RECORDS 32 | 341 | #define SSL_MAX_EMPTY_RECORDS 32 |
| 344 | 342 | ||
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index e78099cdad..6a90ad17eb 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_srvr.c,v 1.75 2020/05/10 14:17:48 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.76 2020/05/19 16:35:20 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1693,7 +1693,7 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) | |||
| 1693 | fakekey[0] = s->client_version >> 8; | 1693 | fakekey[0] = s->client_version >> 8; |
| 1694 | fakekey[1] = s->client_version & 0xff; | 1694 | fakekey[1] = s->client_version & 0xff; |
| 1695 | 1695 | ||
| 1696 | pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; | 1696 | pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey; |
| 1697 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || | 1697 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || |
| 1698 | (pkey->pkey.rsa == NULL)) { | 1698 | (pkey->pkey.rsa == NULL)) { |
| 1699 | al = SSL_AD_HANDSHAKE_FAILURE; | 1699 | al = SSL_AD_HANDSHAKE_FAILURE; |
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index a17b2bd47f..cef49c496e 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.62 2020/05/19 01:30:34 beck Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.63 2020/05/19 16:35:21 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -834,7 +834,7 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 834 | int i, ret = 0; | 834 | int i, ret = 0; |
| 835 | 835 | ||
| 836 | /* XXX - Need to revisit certificate selection. */ | 836 | /* XXX - Need to revisit certificate selection. */ |
| 837 | cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; | 837 | cpk = &s->cert->pkeys[SSL_PKEY_RSA]; |
| 838 | 838 | ||
| 839 | if ((chain = cpk->chain) == NULL) | 839 | if ((chain = cpk->chain) == NULL) |
| 840 | chain = s->ctx->extra_certs; | 840 | chain = s->ctx->extra_certs; |
| @@ -884,7 +884,7 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 884 | memset(&sig_cbb, 0, sizeof(sig_cbb)); | 884 | memset(&sig_cbb, 0, sizeof(sig_cbb)); |
| 885 | 885 | ||
| 886 | /* XXX - Need to revisit certificate selection. */ | 886 | /* XXX - Need to revisit certificate selection. */ |
| 887 | cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; | 887 | cpk = &s->cert->pkeys[SSL_PKEY_RSA]; |
| 888 | pkey = cpk->privatekey; | 888 | pkey = cpk->privatekey; |
| 889 | 889 | ||
| 890 | if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { | 890 | if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { |
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index ea14cfa683..03d0e488ba 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.48 2020/05/19 01:30:34 beck Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.49 2020/05/19 16:35:21 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -437,7 +437,7 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 437 | int i, ret = 0; | 437 | int i, ret = 0; |
| 438 | 438 | ||
| 439 | /* XXX - Need to revisit certificate selection. */ | 439 | /* XXX - Need to revisit certificate selection. */ |
| 440 | cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; | 440 | cpk = &s->cert->pkeys[SSL_PKEY_RSA]; |
| 441 | if (cpk->x509 == NULL) { | 441 | if (cpk->x509 == NULL) { |
| 442 | /* A server must always provide a certificate. */ | 442 | /* A server must always provide a certificate. */ |
| 443 | ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; | 443 | ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; |
| @@ -489,7 +489,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 489 | memset(&sig_cbb, 0, sizeof(sig_cbb)); | 489 | memset(&sig_cbb, 0, sizeof(sig_cbb)); |
| 490 | 490 | ||
| 491 | /* XXX - Need to revisit certificate selection. */ | 491 | /* XXX - Need to revisit certificate selection. */ |
| 492 | cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; | 492 | cpk = &s->cert->pkeys[SSL_PKEY_RSA]; |
| 493 | pkey = cpk->privatekey; | 493 | pkey = cpk->privatekey; |
| 494 | 494 | ||
| 495 | if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { | 495 | if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { |