Merge the RSA_ENC and RSA_SIGN certificate slots.

The distinction was not well-enforced in the code. In fact, it wasn't
even possible to use the RSA_SIGN slot because ssl_set_pkey and
ssl_set_cert would always use the RSA_ENC slot.

A follow-up will fold away the mechanism altogether, but this is an easy
initial simplification.

BUG=486295

Change-Id: I66b5bf3e6dc243dac7c75924c1c1983538e49060
Reviewed-on: https://boringssl-review.googlesource.com/5349
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index d8f28b3..838fce7 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -255,10 +255,9 @@
                        const char *rule_str);
 
 /* SSL_PKEY_* denote certificate types. */
-#define SSL_PKEY_RSA_ENC 0
-#define SSL_PKEY_RSA_SIGN 1
-#define SSL_PKEY_ECC 2
-#define SSL_PKEY_NUM 3
+#define SSL_PKEY_RSA 0
+#define SSL_PKEY_ECC 1
+#define SSL_PKEY_NUM 2
 
 /* ssl_cipher_get_value returns the cipher suite id of |cipher|. */
 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher);
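Review bot: The comment above the renumbered defines still says only that SSL_PKEY_* "denote certificate types", yet the rest of this patch uses them as array indices (for example `s->cert->pkeys[SSL_PKEY_RSA]`), and the change moves SSL_PKEY_ECC from 2 to 1. I would extend the comment to `/* SSL_PKEY_* are indices into CERT's |pkeys| array; values must be dense and below SSL_PKEY_NUM. */` so the numbering constraint is written down. Any code that stored or compared the raw integers instead of the macro names would now select the wrong slot; none is visible in this diff, but it is worth checking before the follow-up that removes the mechanism.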
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 0f86354..4bbf1c2 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -505,7 +505,7 @@
 int ssl_cert_type(EVP_PKEY *pkey) {
   switch (pkey->type) {
     case EVP_PKEY_RSA:
-      return SSL_PKEY_RSA_ENC;
+      return SSL_PKEY_RSA;
     case EVP_PKEY_EC:
       return SSL_PKEY_ECC;
     default:
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 36788f1..3130a3f 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1692,7 +1692,7 @@
     uint8_t good;
     size_t rsa_size, decrypt_len, premaster_index, j;
 
-    pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
+    pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
     if (pkey == NULL || pkey->type != EVP_PKEY_RSA || pkey->pkey.rsa == NULL) {
       al = SSL_AD_HANDSHAKE_FAILURE;
       OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 85aa079..a442ec3 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -158,7 +158,7 @@
   }
   memset(ret, 0, sizeof(CERT));
 
-  ret->key = &ret->pkeys[SSL_PKEY_RSA_ENC];
+  ret->key = &ret->pkeys[SSL_PKEY_RSA];
   return ret;
 }
 
diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c
index 1b850a4..1a8c0b2 100644
--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@@ -1682,7 +1682,7 @@
   if (alg_a & SSL_aECDSA) {
     return SSL_PKEY_ECC;
   } else if (alg_a & SSL_aRSA) {
-    return SSL_PKEY_RSA_ENC;
+    return SSL_PKEY_RSA;
   }
 
   return -1;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 71b4a5d..0064b43 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1835,7 +1835,7 @@
 void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k,
                                        uint32_t *out_mask_a) {
   CERT *c = s->cert;
-  int rsa_enc, rsa_sign, dh_tmp;
+  int have_rsa_cert, dh_tmp;
   uint32_t mask_k, mask_a;
   int have_ecc_cert, ecdsa_ok;
   X509 *x;
@@ -1849,19 +1849,16 @@
 
   dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
 
-  rsa_enc = ssl_has_key(s, SSL_PKEY_RSA_ENC);
-  rsa_sign = ssl_has_key(s, SSL_PKEY_RSA_SIGN);
+  have_rsa_cert = ssl_has_key(s, SSL_PKEY_RSA);
   have_ecc_cert = ssl_has_key(s, SSL_PKEY_ECC);
   mask_k = 0;
   mask_a = 0;
 
-  if (rsa_enc) {
-    mask_k |= SSL_kRSA;
-  }
   if (dh_tmp) {
     mask_k |= SSL_kDHE;
   }
-  if (rsa_enc || rsa_sign) {
+  if (have_rsa_cert) {
+    mask_k |= SSL_kRSA;
     mask_a |= SSL_aRSA;
   }
 
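Review bot: With the slots merged, the single `have_rsa_cert` test enables both `SSL_kRSA` (the key decrypts the premaster secret) and `SSL_aRSA` (the key signs), and nothing visible in this hunk consults the certificate's keyUsage before offering either. The commit message says the old SIGN slot could not be populated, so this probably preserves behaviour, but the dual use deserves a comment at the branch, e.g. `/* One RSA key serves both RSA key exchange and RSA signing; keyUsage is not checked here. */`. If a signing-only RSA certificate should not advertise static RSA key exchange, the check belongs here or where the slot is filled. The function continues past the end of this hunk, so the ECC handling cannot be compared from here.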
@@ -1899,11 +1896,7 @@
 }
 
 static int ssl_get_server_cert_index(const SSL *s) {
-  int idx;
-  idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
-  if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509) {
-    idx = SSL_PKEY_RSA_SIGN;
-  }
+  int idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
   if (idx == -1) {
     OPENSSL_PUT_ERROR(SSL, ssl_get_server_cert_index, ERR_R_INTERNAL_ERROR);
   }
@@ -1927,12 +1920,9 @@
   CERT *c = s->cert;
   int idx = -1;
 
-  if (alg_a & SSL_aRSA) {
-    if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) {
-      idx = SSL_PKEY_RSA_SIGN;
-    } else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) {
-      idx = SSL_PKEY_RSA_ENC;
-    }
+  if ((alg_a & SSL_aRSA) &&
+      (c->pkeys[SSL_PKEY_RSA].privatekey != NULL)) {
+    idx = SSL_PKEY_RSA;
   } else if ((alg_a & SSL_aECDSA) &&
              (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) {
     idx = SSL_PKEY_ECC;
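Review bot: The rewritten condition changes the fall-through behaviour. Previously, when `alg_a & SSL_aRSA` was set but no RSA private key was present, the ECDSA `else if` was never evaluated and `idx` stayed -1; now the `&&` fails and control moves on to the `SSL_aECDSA` test. That is harmless if `alg_a` always carries exactly one authentication bit, which seems likely but is not established by the visible lines, so a comment such as `/* alg_a has a single authentication bit set, so at most one branch applies. */` would make the assumption explicit. `idx` can still leave this chain as -1, and since the enclosing function starts and ends outside the hunk, it is worth confirming that -1 is rejected before it is used to index `pkeys`.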