diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2021-10-31 16:37:26 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2021-10-31 16:37:26 +0000 |
commit | 28cabd41cafd847a10ca9b08c06f365193a331b6 (patch) | |
tree | 1d64ea98be9c736ad333ac062b73ab30ac0389f8 /lib | |
parent | a9518b8a5aeedeff09d25e316c64c13ef447274d (diff) |
libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().
ok beck jsing
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libssl/ssl_lib.c | 22 | ||||
-rw-r--r-- | lib/libssl/tls13_server.c | 8 |
2 files changed, 6 insertions, 24 deletions
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index f64b89352e8..9220929f886 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.276 2021/10/25 10:01:46 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.277 2021/10/31 16:37:25 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2187,17 +2187,6 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) X509_VERIFY_PARAM_set_depth(ctx->param, depth); } -static int -ssl_cert_can_sign(X509 *x) -{ - /* This call populates extension flags (ex_flags). */ - X509_check_purpose(x, -1, 0); - - /* Key usage, if present, must allow signing. */ - return ((x->ex_flags & EXFLAG_KUSAGE) == 0 || - (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)); -} - void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) { @@ -2215,7 +2204,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) cpk = &(c->pkeys[SSL_PKEY_ECC]); if (cpk->x509 != NULL && cpk->privatekey != NULL) { - if (ssl_cert_can_sign(cpk->x509)) + /* Key usage, if present, must allow signing. */ + if (X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE) mask_a |= SSL_aECDSA; } @@ -2259,12 +2249,8 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) alg_a = cs->algorithm_auth; if (alg_a & SSL_aECDSA) { - /* This call populates extension flags (ex_flags). */ - X509_check_purpose(x, -1, 0); - /* Key usage, if present, must allow signing. */ - if ((x->ex_flags & EXFLAG_KUSAGE) && - ((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) { + if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) { SSLerror(s, SSL_R_ECC_CERT_NOT_FOR_SIGNING); return (0); } diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c index 733a71f7d1f..253c1fc2083 100644 --- a/lib/libssl/tls13_server.c +++ b/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.87 2021/10/25 10:01:46 jsing Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.88 2021/10/31 16:37:25 tb Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> * Copyright (c) 2020 Bob Beck <beck@openbsd.org> @@ -557,15 +557,11 @@ tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, if (cpk->x509 == NULL || cpk->privatekey == NULL) goto done; - if (!X509_check_purpose(cpk->x509, -1, 0)) - return 0; - /* * The digitalSignature bit MUST be set if the Key Usage extension is * present as per RFC 8446 section 4.4.2.2. */ - if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) && - !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) + if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)) goto done; if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) |