path: root/ssl/statem
authorMichael Baentsch <57787676+baentsch@users.noreply.github.com>2022-09-26 17:32:05 +0200
committerPauli <pauli@openssl.org>2023-02-24 11:02:48 +1100
commitee58915cfd9d0ad67f52d43cc1a2ce549049d248 (patch)
treee892900c53900bd693498bdc9ff2152ae14bcbe6 /ssl/statem
parent1817dcaf556df559a32eed14d0947ff961be7b4f (diff)
first cut at sigalg loading
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19312)
Diffstat (limited to 'ssl/statem')
-rw-r--r--ssl/statem/statem_clnt.c18
-rw-r--r--ssl/statem/statem_lib.c7
2 files changed, 16 insertions, 9 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index f1ed43abd3..e5b036390a 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1988,7 +1988,8 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s,
return WORK_ERROR;
}
- if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) {
+ if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx,
+ SSL_CONNECTION_GET_CTX(s))) == NULL) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
return WORK_ERROR;
}
@@ -2434,11 +2435,15 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt)
MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s,
PACKET *pkt)
{
- size_t i;
-
/* Clear certificate validity flags */
- for (i = 0; i < SSL_PKEY_NUM; i++)
- s->s3.tmp.valid_flags[i] = 0;
+ if (s->s3.tmp.valid_flags != NULL)
+ memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t));
+ else
+ s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t));
+
+ /* Give up for good if allocation didn't work */
+ if (s->s3.tmp.valid_flags == NULL)
+ return 0;
if (SSL_CONNECTION_IS_TLS13(s)) {
PACKET reqctx, extensions;
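Review bot: The allocation-failure path added at the top of tls_process_certificate_request returns a bare `0` without calling SSLfatal, whereas the other error paths visible in this diff raise a fatal alert before returning. The function is declared to return MSG_PROCESS_RETURN, and the `0` is presumably meant as MSG_PROCESS_ERROR, so the intent would be explicit and an error would be queued with `SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);` followed by `return MSG_PROCESS_ERROR;`. The memset branch also trusts that an already-allocated valid_flags buffer was sized for the current `s->ssl_pkey_num`. That allocation is not visible here, so it is worth confirming the count cannot change during the connection's lifetime, since a larger count would make the memset write past the buffer. The function body continues outside the hunk.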
@@ -3768,7 +3773,8 @@ int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s)
return 1;
/* This is the passed certificate */
- clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx);
+ clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx,
+ SSL_CONNECTION_GET_CTX(s));
/* Check certificate is recognised and suitable for cipher */
if (clu == NULL || (alg_a & clu->amask) == 0) {
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index ebedbeefbb..1bc01e1d25 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -468,7 +468,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
goto err;
}
- if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
+ if (ssl_cert_lookup_by_pkey(pkey, NULL, sctx) == NULL) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
goto err;
@@ -1602,7 +1602,7 @@ static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method)
*/
static int is_tls13_capable(const SSL_CONNECTION *s)
{
- int i;
+ size_t i;
int curve;
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
@@ -1625,7 +1625,8 @@ static int is_tls13_capable(const SSL_CONNECTION *s)
if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
return 1;
- for (i = 0; i < SSL_PKEY_NUM; i++) {
+ /* All provider-based sig algs are required to support at least TLS1.3 */
+ for (i = 0; i < s->ssl_pkey_num; i++) {
/* Skip over certs disallowed for TLSv1.3 */
switch (i) {
case SSL_PKEY_DSA_SIGN:
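Review bot: The comment added above the loop in is_tls13_capable states an invariant ("required to support at least TLS1.3") that nothing in this hunk enforces. With the bound now `s->ssl_pkey_num`, indices at or above SSL_PKEY_NUM presumably match no case in the switch and are treated as TLS 1.3-capable on the strength of that assumption alone. The comment would be more useful if it said where the requirement is checked, for example `/* Indices >= SSL_PKEY_NUM are provider-loaded sigalgs; they are only registered if they support TLS1.3 (confirm where this is enforced), so the switch below never skips them */`. The rest of the loop body is outside the hunk, so any per-index array it reads should be confirmed to be sized by `ssl_pkey_num` rather than SSL_PKEY_NUM.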