1 files changed, 27 insertions, 44 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index fa1d209c8c..2da0a60c08 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.214 2020/05/19 16:35:20 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.215 2020/05/21 19:28:32 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1965,67 +1965,50 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
        X509_VERIFY_PARAM_set_depth(ctx->param, depth);
 }
+static int
+ssl_cert_can_sign(X509 *x)
+{
+        /* This call populates extension flags (ex_flags). */
+        X509_check_purpose(x, -1, 0);
+        /* Key usage, if present, must allow signing. */
+        return ((x->ex_flags & EXFLAG_KUSAGE) == 0 ||
+            (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE));
+}
 void
 ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 {
-        int              rsa, dh_tmp;
+        unsigned long mask_a, mask_k;
-        int              have_ecc_cert;
+        CERT_PKEY *cpk;
-        unsigned long    mask_k, mask_a;
-        X509            *x = NULL;
-        CERT_PKEY       *cpk;
        if (c == NULL)
                return;
-        dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL ||
+        mask_a = SSL_aNULL | SSL_aTLS1_3;
-            c->dh_tmp_auto != 0);
+        mask_k = SSL_kECDHE | SSL_kTLS1_3;
-        cpk = &(c->pkeys[SSL_PKEY_RSA]);
+        if (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto != 0)
-        rsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
+                mask_k |= SSL_kDHE;
-        cpk = &(c->pkeys[SSL_PKEY_ECC]);
-        have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
-        mask_k = 0;
+        cpk = &(c->pkeys[SSL_PKEY_ECC]);
-        mask_a = 0;
+        if (cpk->x509 != NULL && cpk->privatekey != NULL) {
+                if (ssl_cert_can_sign(cpk->x509))
+                        mask_a |= SSL_aECDSA;
+        }
        cpk = &(c->pkeys[SSL_PKEY_GOST01]);
-        if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
+        if (cpk->x509 != NULL && cpk->privatekey != NULL) {
                mask_k |= SSL_kGOST;
                mask_a |= SSL_aGOST01;
        }
-        if (rsa)
+        cpk = &(c->pkeys[SSL_PKEY_RSA]);
-                mask_k |= SSL_kRSA;
+        if (cpk->x509 != NULL && cpk->privatekey != NULL) {
-        if (dh_tmp)
-                mask_k |= SSL_kDHE;
-        if (rsa)
                mask_a |= SSL_aRSA;
+                mask_k |= SSL_kRSA;
-        mask_a |= SSL_aNULL;
-        mask_a |= SSL_aTLS1_3;
-        mask_k |= SSL_kTLS1_3;
-        /*
-         * An ECC certificate may be usable for ECDH and/or
-         * ECDSA cipher suites depending on the key usage extension.
-         */
-        if (have_ecc_cert) {
-                x = (c->pkeys[SSL_PKEY_ECC]).x509;
-                /* This call populates extension flags (ex_flags). */
-                X509_check_purpose(x, -1, 0);
-                /* Key usage, if present, must allow signing. */
-                if ((x->ex_flags & EXFLAG_KUSAGE) == 0 ||
-                    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE))
-                        mask_a |= SSL_aECDSA;
        }
-        mask_k |= SSL_kECDHE;
        c->mask_k = mask_k;
        c->mask_a = mask_a;
        c->valid = 1;

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index fa1d209c8c..2da0a60c08 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.214 2020/05/19 16:35:20 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.215 2020/05/21 19:28:32 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1965,67 +1965,50 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
1965	X509_VERIFY_PARAM_set_depth(ctx->param, depth);	1965	X509_VERIFY_PARAM_set_depth(ctx->param, depth);
1966	}	1966	}
1967		1967
		1968	static int
		1969	ssl_cert_can_sign(X509 *x)
		1970	{
		1971	/* This call populates extension flags (ex_flags). */
		1972	X509_check_purpose(x, -1, 0);
		1973
		1974	/* Key usage, if present, must allow signing. */
		1975	return ((x->ex_flags & EXFLAG_KUSAGE) == 0 \|\|
		1976	(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE));
		1977	}
		1978
1968	void	1979	void
1969	ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)	1980	ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
1970	{	1981	{
1971	int rsa, dh_tmp;	1982	unsigned long mask_a, mask_k;
1972	int have_ecc_cert;	1983	CERT_PKEY *cpk;
1973	unsigned long mask_k, mask_a;
1974	X509 *x = NULL;
1975	CERT_PKEY *cpk;
1976		1984
1977	if (c == NULL)	1985	if (c == NULL)
1978	return;	1986	return;
1979		1987
1980	dh_tmp = (c->dh_tmp != NULL \|\| c->dh_tmp_cb != NULL \|\|	1988	mask_a = SSL_aNULL \| SSL_aTLS1_3;
1981	c->dh_tmp_auto != 0);	1989	mask_k = SSL_kECDHE \| SSL_kTLS1_3;
1982		1990
1983	cpk = &(c->pkeys[SSL_PKEY_RSA]);	1991	if (c->dh_tmp != NULL \|\| c->dh_tmp_cb != NULL \|\| c->dh_tmp_auto != 0)
1984	rsa = (cpk->x509 != NULL && cpk->privatekey != NULL);	1992	mask_k \|= SSL_kDHE;
1985	cpk = &(c->pkeys[SSL_PKEY_ECC]);
1986	have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
1987		1993
1988	mask_k = 0;	1994	cpk = &(c->pkeys[SSL_PKEY_ECC]);
1989	mask_a = 0;	1995	if (cpk->x509 != NULL && cpk->privatekey != NULL) {
		1996	if (ssl_cert_can_sign(cpk->x509))
		1997	mask_a \|= SSL_aECDSA;
		1998	}
1990		1999
1991	cpk = &(c->pkeys[SSL_PKEY_GOST01]);	2000	cpk = &(c->pkeys[SSL_PKEY_GOST01]);
1992	if (cpk->x509 != NULL && cpk->privatekey !=NULL) {	2001	if (cpk->x509 != NULL && cpk->privatekey != NULL) {
1993	mask_k \|= SSL_kGOST;	2002	mask_k \|= SSL_kGOST;
1994	mask_a \|= SSL_aGOST01;	2003	mask_a \|= SSL_aGOST01;
1995	}	2004	}
1996		2005
1997	if (rsa)	2006	cpk = &(c->pkeys[SSL_PKEY_RSA]);
1998	mask_k \|= SSL_kRSA;	2007	if (cpk->x509 != NULL && cpk->privatekey != NULL) {
1999
2000	if (dh_tmp)
2001	mask_k \|= SSL_kDHE;
2002
2003	if (rsa)
2004	mask_a \|= SSL_aRSA;	2008	mask_a \|= SSL_aRSA;
2005		2009	mask_k \|= SSL_kRSA;
2006	mask_a \|= SSL_aNULL;
2007	mask_a \|= SSL_aTLS1_3;
2008
2009	mask_k \|= SSL_kTLS1_3;
2010
2011	/*
2012	* An ECC certificate may be usable for ECDH and/or
2013	* ECDSA cipher suites depending on the key usage extension.
2014	*/
2015	if (have_ecc_cert) {
2016	x = (c->pkeys[SSL_PKEY_ECC]).x509;
2017
2018	/* This call populates extension flags (ex_flags). */
2019	X509_check_purpose(x, -1, 0);
2020
2021	/* Key usage, if present, must allow signing. */
2022	if ((x->ex_flags & EXFLAG_KUSAGE) == 0 \|\|
2023	(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE))
2024	mask_a \|= SSL_aECDSA;
2025	}	2010	}
2026		2011
2027	mask_k \|= SSL_kECDHE;
2028
2029	c->mask_k = mask_k;	2012	c->mask_k = mask_k;
2030	c->mask_a = mask_a;	2013	c->mask_a = mask_a;
2031	c->valid = 1;	2014	c->valid = 1;