Google Git
Sign in
boringssl / boringssl.git / d1d8078025cc654d60ee873c88740f8a987a77b7^! / . / ssl / s3_clnt.c
commitd1d8078025cc654d60ee873c88740f8a987a77b7[log] [tgz]
authorDavid Benjamin <davidben@chromium.org>Sun Jul 05 11:54:09 2015 -0400
committerAdam Langley <agl@google.com>Tue Jul 07 01:22:13 2015 +0000
tree41fa0b452fa1f1e6c70f152dedf53c8f34b9f08a
parent570364800c55d668b309d70a14cb2ee3d2f7892a [diff] [blame]
Fold away certificate slots mechanism.

This allows us to remove the confusing EVP_PKEY argument to the
SSL_PRIVATE_KEY_METHOD wrapper functions. It also simplifies some of the
book-keeping around the CERT structure, as well as the API for
configuring certificates themselves. The current one is a little odd as
some functions automatically route to the slot while others affect the
most recently touched slot. Others still (extra_certs) apply to all
slots, making them not terribly useful.

Consumers with complex needs should use cert_cb or the early callback
(select_certificate_cb) to configure whatever they like based on the
ClientHello.

BUG=486295

Change-Id: Ice29ffeb867fa4959898b70dfc50fc00137f01f3
Reviewed-on: https://boringssl-review.googlesource.com/5351
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 40df103..d004f2b 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c

@@ -930,15 +930,9 @@
   }
 
   /* Check the certificate's type matches the cipher. */
-  int cert_type = ssl_cert_type(pkey);
-  if (cert_type < 0) {
-    OPENSSL_PUT_ERROR(SSL, ssl3_check_certificate_for_cipher,
-                      SSL_R_UNKNOWN_CERTIFICATE_TYPE);
-    goto err;
-  }
-  int expected_type = ssl_cipher_get_cert_index(cipher);
-  assert(expected_type >= 0);
-  if (cert_type != expected_type) {
+  int expected_type = ssl_cipher_get_key_type(cipher);
+  assert(expected_type != EVP_PKEY_NONE);
+  if (pkey->type != expected_type) {
     OPENSSL_PUT_ERROR(SSL, ssl3_check_certificate_for_cipher,
                       SSL_R_WRONG_CERTIFICATE_TYPE);
     goto err;
@@ -2020,8 +2014,7 @@
     uint8_t *p = ssl_handshake_start(s);
     size_t signature_length = 0;
     unsigned long n = 0;
-    EVP_PKEY *pkey = s->cert->key->privatekey;
-    assert(pkey != NULL || s->cert->key_method != NULL);
+    assert(s->cert->privatekey != NULL || s->cert->key_method != NULL);
 
     if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
       uint8_t *buf = (uint8_t *)s->init_buf->data;
@@ -2031,8 +2024,8 @@
 
       /* Write out the digest type if need be. */
       if (SSL_USE_SIGALGS(s)) {
-        md = tls1_choose_signing_digest(s, pkey);
-        if (!tls12_get_sigandhash(s, p, pkey, md)) {
+        md = tls1_choose_signing_digest(s);
+        if (!tls12_get_sigandhash(s, p, md)) {
           OPENSSL_PUT_ERROR(SSL, ssl3_send_cert_verify, ERR_R_INTERNAL_ERROR);
           return -1;
         }
@@ -2041,7 +2034,7 @@
       }
 
       /* Compute the digest. */
-      const int pkey_type = ssl_private_key_type(s, pkey);
+      const int pkey_type = ssl_private_key_type(s);
       if (!ssl3_cert_verify_hash(s, digest, &digest_length, &md, pkey_type)) {
         return -1;
       }
@@ -2053,7 +2046,7 @@
       }
 
       /* Sign the digest. */
-      signature_length = ssl_private_key_max_signature_len(s, pkey);
+      signature_length = ssl_private_key_max_signature_len(s);
       if (p + 2 + signature_length > buf + SSL3_RT_MAX_PLAIN_LENGTH) {
         OPENSSL_PUT_ERROR(SSL, ssl3_send_cert_verify,
                           SSL_R_DATA_LENGTH_TOO_LONG);
@@ -2061,7 +2054,7 @@
       }
 
       s->rwstate = SSL_PRIVATE_KEY_OPERATION;
-      sign_result = ssl_private_key_sign(s, pkey, &p[2], &signature_length,
+      sign_result = ssl_private_key_sign(s, &p[2], &signature_length,
                                          signature_length, md, digest,
                                          digest_length);
     } else {
@@ -2070,7 +2063,7 @@
         p += 2;
         n += 2;
       }
-      signature_length = ssl_private_key_max_signature_len(s, pkey);
+      signature_length = ssl_private_key_max_signature_len(s);
       s->rwstate = SSL_PRIVATE_KEY_OPERATION;
       sign_result = ssl_private_key_sign_complete(s, &p[2], &signature_length,
                                                   signature_length);
@@ -2098,9 +2091,9 @@
 
 /* ssl3_has_client_certificate returns true if a client certificate is
  * configured. */
-static int ssl3_has_client_certificate(SSL *s) {
-  return s->cert && s->cert->key->x509 && (s->cert->key->privatekey ||
-                                           s->cert->key_method);
+static int ssl3_has_client_certificate(SSL *ssl) {
+  return ssl->cert && ssl->cert->x509 && (ssl->cert->privatekey ||
+                                          ssl->cert->key_method);
 }
 
 int ssl3_send_client_certificate(SSL *s) {
@@ -2179,8 +2172,14 @@
   }
 
   if (s->state == SSL3_ST_CW_CERT_C) {
-    CERT_PKEY *cert_pkey = (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key;
-    if (!ssl3_output_cert_chain(s, cert_pkey)) {
+    if (s->s3->tmp.cert_req == 2) {
+      /* Send an empty Certificate message. */
+      uint8_t *p = ssl_handshake_start(s);
+      l2n3(0, p);
+      if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, 3)) {
+        return -1;
+      }
+    } else if (!ssl3_output_cert_chain(s)) {
       return -1;
     }
     s->state = SSL3_ST_CW_CERT_D;