6 files changed, 24 insertions, 34 deletions
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 9894648db8..ad16d2175b 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.40 2022/01/08 12:43:44 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.41 2022/02/03 16:33:12 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -522,32 +522,22 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max)
 }
 int
-ssl_cert_type(X509 *x, EVP_PKEY *pkey)
+ssl_cert_type(EVP_PKEY *pkey)
 {
-        EVP_PKEY *pk;
-        int ret = -1, i;
        if (pkey == NULL)
-                pk = X509_get_pubkey(x);
+                return -1;
-        else
-                pk = pkey;
+        switch (EVP_PKEY_id(pkey)) {
-        if (pk == NULL)
+        case EVP_PKEY_EC:
-                goto err;
+                return SSL_PKEY_ECC;
+        case NID_id_GostR3410_2001:
-        i = EVP_PKEY_id(pk);
+        case NID_id_GostR3410_2001_cc:
-        if (i == EVP_PKEY_RSA) {
+                return SSL_PKEY_GOST01;
-                ret = SSL_PKEY_RSA;
+        case EVP_PKEY_RSA:
-        } else if (i == EVP_PKEY_EC) {
+                return SSL_PKEY_RSA;
-                ret = SSL_PKEY_ECC;
-        } else if (i == NID_id_GostR3410_2001 ||
-            i == NID_id_GostR3410_2001_cc) {
-                ret = SSL_PKEY_GOST01;
        }
- err:
+        return -1;
-        if (!pkey)
-                EVP_PKEY_free(pk);
-        return (ret);
 }
 int
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index a402535c7d..6d50ade398 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.139 2022/01/24 13:53:29 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.140 2022/02/03 16:33:12 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1166,7 +1166,7 @@ ssl3_get_server_certificate(SSL *s)
                SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
                goto fatal_err;
        }
-        if ((cert_type = ssl_cert_type(x, pkey)) < 0) {
+        if ((cert_type = ssl_cert_type(pkey)) < 0) {
                x = NULL;
                al = SSL3_AL_FATAL;
                SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 546854b462..ee64ec208e 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.383 2022/01/11 19:03:15 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.384 2022/02/03 16:33:12 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1310,7 +1310,7 @@ SSL_CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd,
    const struct ssl_sigalg **sap);
 size_t ssl_dhe_params_auto_key_bits(SSL *s);
-int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
+int ssl_cert_type(EVP_PKEY *pkey);
 void ssl_set_cert_masks(SSL_CERT *c, const SSL_CIPHER *cipher);
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_has_ecc_ciphers(SSL *s);
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 6b1010e413..f5c90fca8b 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.38 2022/01/08 12:43:44 jsing Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.39 2022/02/03 16:33:12 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -171,7 +171,7 @@ ssl_set_pkey(SSL_CERT *c, EVP_PKEY *pkey)
 {
        int i;
-        i = ssl_cert_type(NULL, pkey);
+        i = ssl_cert_type(pkey);
        if (i < 0) {
                SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
                return (0);
@@ -354,7 +354,7 @@ ssl_set_cert(SSL_CERT *c, X509 *x)
                return (0);
        }
-        i = ssl_cert_type(x, pkey);
+        i = ssl_cert_type(pkey);
        if (i < 0) {
                SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
                EVP_PKEY_free(pkey);
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 4b52f6cf62..11eb880a6e 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.93 2022/01/11 19:03:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.94 2022/02/03 16:33:12 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -625,7 +625,7 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        if (EVP_PKEY_missing_parameters(pkey))
                goto err;
-        if ((cert_type = ssl_cert_type(cert, pkey)) < 0)
+        if ((cert_type = ssl_cert_type(pkey)) < 0)
                goto err;
        X509_up_ref(cert);
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 10e49104d4..4ac84a808c 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.95 2022/01/11 19:03:15 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.96 2022/02/03 16:33:12 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -918,7 +918,7 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        if (EVP_PKEY_missing_parameters(pkey))
                goto err;
-        if ((cert_type = ssl_cert_type(cert, pkey)) < 0)
+        if ((cert_type = ssl_cert_type(pkey)) < 0)
                goto err;
        X509_up_ref(cert);

diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c index 9894648db8..ad16d2175b 100644 --- a/src/lib/libssl/ssl_both.c +++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_both.c,v 1.40 2022/01/08 12:43:44 jsing Exp $ */	1	/* $OpenBSD: ssl_both.c,v 1.41 2022/02/03 16:33:12 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -522,32 +522,22 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max)
522	}	522	}
523		523
524	int	524	int
525	ssl_cert_type(X509 x, EVP_PKEY pkey)	525	ssl_cert_type(EVP_PKEY *pkey)
526	{	526	{
527	EVP_PKEY *pk;
528	int ret = -1, i;
529
530	if (pkey == NULL)	527	if (pkey == NULL)
531	pk = X509_get_pubkey(x);	528	return -1;
532	else	529
533	pk = pkey;	530	switch (EVP_PKEY_id(pkey)) {
534	if (pk == NULL)	531	case EVP_PKEY_EC:
535	goto err;	532	return SSL_PKEY_ECC;
536		533	case NID_id_GostR3410_2001:
537	i = EVP_PKEY_id(pk);	534	case NID_id_GostR3410_2001_cc:
538	if (i == EVP_PKEY_RSA) {	535	return SSL_PKEY_GOST01;
539	ret = SSL_PKEY_RSA;	536	case EVP_PKEY_RSA:
540	} else if (i == EVP_PKEY_EC) {	537	return SSL_PKEY_RSA;
541	ret = SSL_PKEY_ECC;
542	} else if (i == NID_id_GostR3410_2001 \|\|
543	i == NID_id_GostR3410_2001_cc) {
544	ret = SSL_PKEY_GOST01;
545	}	538	}
546		539
547	err:	540	return -1;
548	if (!pkey)
549	EVP_PKEY_free(pk);
550	return (ret);
551	}	541	}
552		542
553	int	543	int


diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index a402535c7d..6d50ade398 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.139 2022/01/24 13:53:29 tb Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.140 2022/02/03 16:33:12 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1166,7 +1166,7 @@ ssl3_get_server_certificate(SSL *s)
1166	SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);	1166	SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1167	goto fatal_err;	1167	goto fatal_err;
1168	}	1168	}
1169	if ((cert_type = ssl_cert_type(x, pkey)) < 0) {	1169	if ((cert_type = ssl_cert_type(pkey)) < 0) {
1170	x = NULL;	1170	x = NULL;
1171	al = SSL3_AL_FATAL;	1171	al = SSL3_AL_FATAL;
1172	SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);	1172	SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 546854b462..ee64ec208e 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.383 2022/01/11 19:03:15 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.384 2022/02/03 16:33:12 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1310,7 +1310,7 @@ SSL_CERT_PKEY ssl_get_server_send_pkey(const SSL s);
1310	EVP_PKEY ssl_get_sign_pkey(SSL s, const SSL_CIPHER c, const EVP_MD *pmd,	1310	EVP_PKEY ssl_get_sign_pkey(SSL s, const SSL_CIPHER c, const EVP_MD *pmd,
1311	const struct ssl_sigalg **sap);	1311	const struct ssl_sigalg **sap);
1312	size_t ssl_dhe_params_auto_key_bits(SSL *s);	1312	size_t ssl_dhe_params_auto_key_bits(SSL *s);
1313	int ssl_cert_type(X509 x, EVP_PKEY pkey);	1313	int ssl_cert_type(EVP_PKEY *pkey);
1314	void ssl_set_cert_masks(SSL_CERT c, const SSL_CIPHER cipher);	1314	void ssl_set_cert_masks(SSL_CERT c, const SSL_CIPHER cipher);
1315	STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL s);	1315	STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL s);
1316	int ssl_has_ecc_ciphers(SSL *s);	1316	int ssl_has_ecc_ciphers(SSL *s);


diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index 6b1010e413..f5c90fca8b 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_rsa.c,v 1.38 2022/01/08 12:43:44 jsing Exp $ */	1	/* $OpenBSD: ssl_rsa.c,v 1.39 2022/02/03 16:33:12 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -171,7 +171,7 @@ ssl_set_pkey(SSL_CERT c, EVP_PKEY pkey)
171	{	171	{
172	int i;	172	int i;
173		173
174	i = ssl_cert_type(NULL, pkey);	174	i = ssl_cert_type(pkey);
175	if (i < 0) {	175	if (i < 0) {
176	SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE);	176	SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
177	return (0);	177	return (0);
@@ -354,7 +354,7 @@ ssl_set_cert(SSL_CERT c, X509 x)
354	return (0);	354	return (0);
355	}	355	}
356		356
357	i = ssl_cert_type(x, pkey);	357	i = ssl_cert_type(pkey);
358	if (i < 0) {	358	if (i < 0) {
359	SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE);	359	SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
360	EVP_PKEY_free(pkey);	360	EVP_PKEY_free(pkey);


diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 4b52f6cf62..11eb880a6e 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.93 2022/01/11 19:03:15 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.94 2022/02/03 16:33:12 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -625,7 +625,7 @@ tls13_server_certificate_recv(struct tls13_ctx ctx, CBS cbs)
625	goto err;	625	goto err;
626	if (EVP_PKEY_missing_parameters(pkey))	626	if (EVP_PKEY_missing_parameters(pkey))
627	goto err;	627	goto err;
628	if ((cert_type = ssl_cert_type(cert, pkey)) < 0)	628	if ((cert_type = ssl_cert_type(pkey)) < 0)
629	goto err;	629	goto err;
630		630
631	X509_up_ref(cert);	631	X509_up_ref(cert);


diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 10e49104d4..4ac84a808c 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.95 2022/01/11 19:03:15 jsing Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.96 2022/02/03 16:33:12 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -918,7 +918,7 @@ tls13_client_certificate_recv(struct tls13_ctx ctx, CBS cbs)
918	goto err;	918	goto err;
919	if (EVP_PKEY_missing_parameters(pkey))	919	if (EVP_PKEY_missing_parameters(pkey))
920	goto err;	920	goto err;
921	if ((cert_type = ssl_cert_type(cert, pkey)) < 0)	921	if ((cert_type = ssl_cert_type(pkey)) < 0)
922	goto err;	922	goto err;
923		923
924	X509_up_ref(cert);	924	X509_up_ref(cert);