提交
6383d316
编写于
5月 12, 2015
作者:
D
Dr. Stephen Henson
Move certificate validity flags out of CERT.
Reviewed-by:
N
Rich Salz
<
rsalz@openssl.org
>
上级
d376e57d
变更
6
Showing
6 changed file
with
36 addition
and
35 deletion
+36
-35
ssl/s3_clnt.c
ssl/s3_clnt.c
+1
-1
ssl/s3_lib.c
ssl/s3_lib.c
+1
-1
ssl/ssl_cert.c
ssl/ssl_cert.c
+0
-3
ssl/ssl_lib.c
ssl/ssl_lib.c
+12
-11
ssl/ssl_locl.h
ssl/ssl_locl.h
+8
-8
ssl/t1_lib.c
ssl/t1_lib.c
+14
-11
ssl/s3_clnt.c
...
@@ -2164,7 +2164,7 @@ int ssl3_get_certificate_request(SSL *s)
...
@@ -2164,7 +2164,7 @@ int ssl3_get_certificate_request(SSL *s)
/* Clear certificate digests and validity flags */
/* Clear certificate digests and validity flags */
for
(
i
=
0
;
i
<
SSL_PKEY_NUM
;
i
++
)
{
for
(
i
=
0
;
i
<
SSL_PKEY_NUM
;
i
++
)
{
s
->
s3
->
tmp
.
md
[
i
]
=
NULL
;
s
->
s3
->
tmp
.
md
[
i
]
=
NULL
;
s
->
cert
->
pkeys
[
i
].
valid_flags
=
0
;
s
->
s3
->
tmp
.
valid_flags
[
i
]
=
0
;
}
}
if
((
llen
&
1
)
||
!
tls1_save_sigalgs
(
s
,
p
,
llen
))
{
if
((
llen
&
1
)
||
!
tls1_save_sigalgs
(
s
,
p
,
llen
))
{
ssl3_send_alert
(
s
,
SSL3_AL_FATAL
,
SSL_AD_DECODE_ERROR
);
ssl3_send_alert
(
s
,
SSL3_AL_FATAL
,
SSL_AD_DECODE_ERROR
);
...
...
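Review bot: The clearing loop in ssl3_get_certificate_request is now byte-for-byte the same as the one this commit puts in tls1_set_server_sigalgs (ssl/t1_lib.c), both zeroing `s->s3->tmp.md[i]` and `s->s3->tmp.valid_flags[i]` over SSL_PKEY_NUM; a small shared helper declared in ssl_locl.h, e.g. `void ssl_clear_sigalgs_state(SSL *s);`, would keep the client and server paths in step if another per-slot array is later added to ssl3_state_st. The comment above the loop ("Clear certificate digests and validity flags") remains accurate for the new target. ssl3_get_certificate_request continues on both sides of the hunk.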
ssl/s3_lib.c
...
@@ -3892,7 +3892,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
...
@@ -3892,7 +3892,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if
((
c
->
algorithm_ssl
&
SSL_TLSV1_2
)
&&
!
SSL_USE_TLS1_2_CIPHERS
(
s
))
if
((
c
->
algorithm_ssl
&
SSL_TLSV1_2
)
&&
!
SSL_USE_TLS1_2_CIPHERS
(
s
))
continue
;
continue
;
ssl_set_
cert_masks
(
cert
,
c
);
ssl_set_
masks
(
s
,
c
);
mask_k
=
cert
->
mask_k
;
mask_k
=
cert
->
mask_k
;
mask_a
=
cert
->
mask_a
;
mask_a
=
cert
->
mask_a
;
emask_k
=
cert
->
export_mask_k
;
emask_k
=
cert
->
export_mask_k
;
...
...
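Review bot: After `ssl_set_masks(s, c);` ssl3_choose_cipher still reads the result out of the certificate object — `mask_k = cert->mask_k; mask_a = cert->mask_a; emask_k = cert->export_mask_k;` — so the per-handshake computation this commit moves out of CERT for the validity flags is still written into CERT for the key-exchange and authentication masks on every cipher selection. If the intent is a CERT that is not mutated during the handshake, the mask_* and export_mask_* fields appear to want the same treatment (a home in s->s3->tmp, with this hunk reading them from s); as written the asymmetry is easy to miss because ssl_set_masks now takes the SSL but returns nothing. The rest of ssl_set_masks is not visible in this section, so I am inferring where the masks are stored from the reads shown here. ssl3_choose_cipher continues on both sides of the hunk.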
ssl/ssl_cert.c
...
@@ -270,7 +270,6 @@ CERT *ssl_cert_dup(CERT *cert)
...
@@ -270,7 +270,6 @@ CERT *ssl_cert_dup(CERT *cert)
goto
err
;
goto
err
;
}
}
}
}
rpk
->
valid_flags
=
0
;
#ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_TLSEXT
if
(
cert
->
pkeys
[
i
].
serverinfo
!=
NULL
)
{
if
(
cert
->
pkeys
[
i
].
serverinfo
!=
NULL
)
{
/* Just copy everything. */
/* Just copy everything. */
...
@@ -375,8 +374,6 @@ void ssl_cert_clear_certs(CERT *c)
...
@@ -375,8 +374,6 @@ void ssl_cert_clear_certs(CERT *c)
cpk
->
serverinfo
=
NULL
;
cpk
->
serverinfo
=
NULL
;
cpk
->
serverinfo_length
=
0
;
cpk
->
serverinfo_length
=
0
;
#endif
#endif
/* Clear all flags apart from explicit sign */
cpk
->
valid_flags
&=
CERT_PKEY_EXPLICIT_SIGN
;
}
}
}
}
...
...
ssl/ssl_lib.c
...
@@ -1933,9 +1933,11 @@ void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg)
...
@@ -1933,9 +1933,11 @@ void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg)
ssl_cert_set_cert_cb
(
s
->
cert
,
cb
,
arg
);
ssl_cert_set_cert_cb
(
s
->
cert
,
cb
,
arg
);
}
}
void
ssl_set_
cert_masks
(
CERT
*
c
,
const
SSL_CIPHER
*
cipher
)
void
ssl_set_
masks
(
SSL
*
s
,
const
SSL_CIPHER
*
cipher
)
{
{
CERT_PKEY
*
cpk
;
CERT_PKEY
*
cpk
;
CERT
*
c
=
s
->
cert
;
int
*
pvalid
=
s
->
s3
->
tmp
.
valid_flags
;
int
rsa_enc
,
rsa_tmp
,
rsa_sign
,
dh_tmp
,
dh_rsa
,
dh_dsa
,
dsa_sign
;
int
rsa_enc
,
rsa_tmp
,
rsa_sign
,
dh_tmp
,
dh_rsa
,
dh_dsa
,
dsa_sign
;
int
rsa_enc_export
,
dh_rsa_export
,
dh_dsa_export
;
int
rsa_enc_export
,
dh_rsa_export
,
dh_dsa_export
;
int
rsa_tmp_export
,
dh_tmp_export
,
kl
;
int
rsa_tmp_export
,
dh_tmp_export
,
kl
;
...
@@ -1972,22 +1974,21 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
...
@@ -1972,22 +1974,21 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
have_ecdh_tmp
=
(
c
->
ecdh_tmp
||
c
->
ecdh_tmp_cb
||
c
->
ecdh_tmp_auto
);
have_ecdh_tmp
=
(
c
->
ecdh_tmp
||
c
->
ecdh_tmp_cb
||
c
->
ecdh_tmp_auto
);
#endif
#endif
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_RSA_ENC
]);
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_RSA_ENC
]);
rsa_enc
=
cpk
->
valid_flags
&
CERT_PKEY_VALID
;
rsa_enc
=
pvalid
[
SSL_PKEY_RSA_ENC
]
&
CERT_PKEY_VALID
;
rsa_enc_export
=
(
rsa_enc
&&
EVP_PKEY_size
(
cpk
->
privatekey
)
*
8
<=
kl
);
rsa_enc_export
=
(
rsa_enc
&&
EVP_PKEY_size
(
cpk
->
privatekey
)
*
8
<=
kl
);
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_RSA_SIGN
]);
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_RSA_SIGN
]);
rsa_sign
=
cpk
->
valid_flags
&
CERT_PKEY_SIGN
;
rsa_sign
=
pvalid
[
SSL_PKEY_RSA_SIGN
]
&
CERT_PKEY_SIGN
;
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_DSA_SIGN
]);
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_DSA_SIGN
]);
dsa_sign
=
cpk
->
valid_flags
&
CERT_PKEY_SIGN
;
dsa_sign
=
pvalid
[
SSL_PKEY_DSA_SIGN
]
&
CERT_PKEY_SIGN
;
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_DH_RSA
]);
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_DH_RSA
]);
dh_rsa
=
cpk
->
valid_flags
&
CERT_PKEY_VALID
;
dh_rsa
=
pvalid
[
SSL_PKEY_DH_RSA
]
&
CERT_PKEY_VALID
;
dh_rsa_export
=
(
dh_rsa
&&
EVP_PKEY_size
(
cpk
->
privatekey
)
*
8
<=
kl
);
dh_rsa_export
=
(
dh_rsa
&&
EVP_PKEY_size
(
cpk
->
privatekey
)
*
8
<=
kl
);
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_DH_DSA
]);
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_DH_DSA
]);
/* FIX THIS EAY EAY EAY */
dh_dsa
=
pvalid
[
SSL_PKEY_DH_DSA
]
&
CERT_PKEY_VALID
;
dh_dsa
=
cpk
->
valid_flags
&
CERT_PKEY_VALID
;
dh_dsa_export
=
(
dh_dsa
&&
EVP_PKEY_size
(
cpk
->
privatekey
)
*
8
<=
kl
);
dh_dsa_export
=
(
dh_dsa
&&
EVP_PKEY_size
(
cpk
->
privatekey
)
*
8
<=
kl
);
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_ECC
]);
cpk
=
&
(
c
->
pkeys
[
SSL_PKEY_ECC
]);
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_EC
have_ecc_cert
=
cpk
->
valid_flags
&
CERT_PKEY_VALID
;
have_ecc_cert
=
pvalid
[
SSL_PKEY_ECC
]
&
CERT_PKEY_VALID
;
#endif
#endif
mask_k
=
0
;
mask_k
=
0
;
mask_a
=
0
;
mask_a
=
0
;
...
@@ -2063,7 +2064,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
...
@@ -2063,7 +2064,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
(
x
->
ex_kusage
&
X509v3_KU_KEY_AGREEMENT
)
:
1
;
(
x
->
ex_kusage
&
X509v3_KU_KEY_AGREEMENT
)
:
1
;
ecdsa_ok
=
(
x
->
ex_flags
&
EXFLAG_KUSAGE
)
?
ecdsa_ok
=
(
x
->
ex_flags
&
EXFLAG_KUSAGE
)
?
(
x
->
ex_kusage
&
X509v3_KU_DIGITAL_SIGNATURE
)
:
1
;
(
x
->
ex_kusage
&
X509v3_KU_DIGITAL_SIGNATURE
)
:
1
;
if
(
!
(
cpk
->
valid_flags
&
CERT_PKEY_SIGN
))
if
(
!
(
pvalid
[
SSL_PKEY_ECC
]
&
CERT_PKEY_SIGN
))
ecdsa_ok
=
0
;
ecdsa_ok
=
0
;
ecc_pkey
=
X509_get_pubkey
(
x
);
ecc_pkey
=
X509_get_pubkey
(
x
);
ecc_pkey_size
=
(
ecc_pkey
!=
NULL
)
?
EVP_PKEY_bits
(
ecc_pkey
)
:
0
;
ecc_pkey_size
=
(
ecc_pkey
!=
NULL
)
?
EVP_PKEY_bits
(
ecc_pkey
)
:
0
;
...
@@ -2204,7 +2205,7 @@ static int ssl_get_server_cert_index(const SSL *s)
...
@@ -2204,7 +2205,7 @@ static int ssl_get_server_cert_index(const SSL *s)
return
idx
;
return
idx
;
}
}
CERT_PKEY
*
ssl_get_server_send_pkey
(
const
SSL
*
s
)
CERT_PKEY
*
ssl_get_server_send_pkey
(
SSL
*
s
)
{
{
CERT
*
c
;
CERT
*
c
;
int
i
;
int
i
;
...
@@ -2212,7 +2213,7 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
...
@@ -2212,7 +2213,7 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
c
=
s
->
cert
;
c
=
s
->
cert
;
if
(
!
s
->
s3
||
!
s
->
s3
->
tmp
.
new_cipher
)
if
(
!
s
->
s3
||
!
s
->
s3
->
tmp
.
new_cipher
)
return
NULL
;
return
NULL
;
ssl_set_
cert_masks
(
c
,
s
->
s3
->
tmp
.
new_cipher
);
ssl_set_
masks
(
s
,
s
->
s3
->
tmp
.
new_cipher
);
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
/*
/*
...
...
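Review bot: ssl_set_masks now takes the validity bits from `pvalid = s->s3->tmp.valid_flags` but still takes the key material from `c->pkeys[]` (`rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID;` followed by `EVP_PKEY_size(cpk->privatekey)`), and the two can now disagree: the lines removed from ssl_cert_clear_certs in this commit mean clearing or replacing the certificate set no longer resets the flags, so a slot whose x509/privatekey is gone can still report CERT_PKEY_VALID until tls1_check_chain is re-run. Either the sites that change the certificate set should also zero s->s3->tmp.valid_flags (not visible here), or the mask computation should AND each flag with the slot actually being populated, e.g. `rsa_enc = (pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID) && cpk->privatekey != NULL;`. Separately, the visible part of ssl_set_masks only reads through `s` (writes go to `c = s->cert`), so it could take `const SSL *s` and ssl_get_server_send_pkey would not need to lose its `const SSL *` signature. The body of ssl_set_masks continues outside the hunk.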
ssl/ssl_locl.h
...
@@ -1295,6 +1295,12 @@ typedef struct ssl3_state_st {
...
@@ -1295,6 +1295,12 @@ typedef struct ssl3_state_st {
const
EVP_MD
*
peer_md
;
const
EVP_MD
*
peer_md
;
/* Array of digests used for signing */
/* Array of digests used for signing */
const
EVP_MD
*
md
[
SSL_PKEY_NUM
];
const
EVP_MD
*
md
[
SSL_PKEY_NUM
];
/*
* Set if corresponding CERT_PKEY can be used with current
* SSL session: e.g. appropriate curve, signature algorithms etc.
* If zero it can't be used at all.
*/
int
valid_flags
[
SSL_PKEY_NUM
];
}
tmp
;
}
tmp
;
/* Connection binding to prevent renegotiation attacks */
/* Connection binding to prevent renegotiation attacks */
...
@@ -1456,12 +1462,6 @@ typedef struct cert_pkey_st {
...
@@ -1456,12 +1462,6 @@ typedef struct cert_pkey_st {
unsigned
char
*
serverinfo
;
unsigned
char
*
serverinfo
;
size_t
serverinfo_length
;
size_t
serverinfo_length
;
# endif
# endif
/*
* Set if CERT_PKEY can be used with current SSL session: e.g.
* appropriate curve, signature algorithms etc. If zero it can't be used
* at all.
*/
int
valid_flags
;
}
CERT_PKEY
;
}
CERT_PKEY
;
/* Retrieve Suite B flags */
/* Retrieve Suite B flags */
# define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
# define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
...
@@ -1916,14 +1916,14 @@ __owur int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other
...
@@ -1916,14 +1916,14 @@ __owur int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other
int
ssl_undefined_function
(
SSL
*
s
);
int
ssl_undefined_function
(
SSL
*
s
);
__owur
int
ssl_undefined_void_function
(
void
);
__owur
int
ssl_undefined_void_function
(
void
);
__owur
int
ssl_undefined_const_function
(
const
SSL
*
s
);
__owur
int
ssl_undefined_const_function
(
const
SSL
*
s
);
__owur
CERT_PKEY
*
ssl_get_server_send_pkey
(
const
SSL
*
s
);
__owur
CERT_PKEY
*
ssl_get_server_send_pkey
(
SSL
*
s
);
# ifndef OPENSSL_NO_TLSEXT
# ifndef OPENSSL_NO_TLSEXT
__owur
int
ssl_get_server_cert_serverinfo
(
SSL
*
s
,
const
unsigned
char
**
serverinfo
,
__owur
int
ssl_get_server_cert_serverinfo
(
SSL
*
s
,
const
unsigned
char
**
serverinfo
,
size_t
*
serverinfo_length
);
size_t
*
serverinfo_length
);
# endif
# endif
__owur
EVP_PKEY
*
ssl_get_sign_pkey
(
SSL
*
s
,
const
SSL_CIPHER
*
c
,
const
EVP_MD
**
pmd
);
__owur
EVP_PKEY
*
ssl_get_sign_pkey
(
SSL
*
s
,
const
SSL_CIPHER
*
c
,
const
EVP_MD
**
pmd
);
__owur
int
ssl_cert_type
(
X509
*
x
,
EVP_PKEY
*
pkey
);
__owur
int
ssl_cert_type
(
X509
*
x
,
EVP_PKEY
*
pkey
);
void
ssl_set_
cert_masks
(
CERT
*
c
,
const
SSL_CIPHER
*
cipher
);
void
ssl_set_
masks
(
SSL
*
s
,
const
SSL_CIPHER
*
cipher
);
__owur
STACK_OF
(
SSL_CIPHER
)
*
ssl_get_ciphers_by_id
(
SSL
*
s
);
__owur
STACK_OF
(
SSL_CIPHER
)
*
ssl_get_ciphers_by_id
(
SSL
*
s
);
__owur
int
ssl_verify_alarm_type
(
long
type
);
__owur
int
ssl_verify_alarm_type
(
long
type
);
void
ssl_load_ciphers
(
void
);
void
ssl_load_ciphers
(
void
);
...
...
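Review bot: The new `int valid_flags[SSL_PKEY_NUM];` member of ssl3_state_st carries over the old CERT_PKEY comment ("Set if corresponding CERT_PKEY can be used with current SSL session ...") without saying how it is indexed or who now owns its lifecycle, which is the whole point of the move. I would make it `/* CERT_PKEY_* flags for s->cert->pkeys[], indexed by SSL_PKEY_*; per-connection state that is reset when sigalgs are (re)processed, not when the CERT changes, so it must be recomputed via tls1_check_chain after certificates are replaced. */` — the reset point is inferred from the callers touched in this commit rather than visible in the header. The prototype change `CERT_PKEY *ssl_get_server_send_pkey(SSL *s);` also silently drops `const`; if that is only because ssl_set_masks takes a non-const SSL, a `const SSL *` on ssl_set_masks would let both stay const-correct.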
ssl/t1_lib.c
...
@@ -2694,7 +2694,7 @@ int tls1_set_server_sigalgs(SSL *s)
...
@@ -2694,7 +2694,7 @@ int tls1_set_server_sigalgs(SSL *s)
/* Clear certificate digests and validity flags */
/* Clear certificate digests and validity flags */
for
(
i
=
0
;
i
<
SSL_PKEY_NUM
;
i
++
)
{
for
(
i
=
0
;
i
<
SSL_PKEY_NUM
;
i
++
)
{
s
->
s3
->
tmp
.
md
[
i
]
=
NULL
;
s
->
s3
->
tmp
.
md
[
i
]
=
NULL
;
s
->
cert
->
pkeys
[
i
].
valid_flags
=
0
;
s
->
s3
->
tmp
.
valid_flags
[
i
]
=
0
;
}
}
/* If sigalgs received process it. */
/* If sigalgs received process it. */
...
@@ -3450,6 +3450,7 @@ int tls1_process_sigalgs(SSL *s)
...
@@ -3450,6 +3450,7 @@ int tls1_process_sigalgs(SSL *s)
size_t
i
;
size_t
i
;
const
EVP_MD
*
md
;
const
EVP_MD
*
md
;
const
EVP_MD
**
pmd
=
s
->
s3
->
tmp
.
md
;
const
EVP_MD
**
pmd
=
s
->
s3
->
tmp
.
md
;
int
*
pvalid
=
s
->
s3
->
tmp
.
valid_flags
;
CERT
*
c
=
s
->
cert
;
CERT
*
c
=
s
->
cert
;
TLS_SIGALGS
*
sigptr
;
TLS_SIGALGS
*
sigptr
;
if
(
!
tls1_set_shared_sigalgs
(
s
))
if
(
!
tls1_set_shared_sigalgs
(
s
))
...
@@ -3470,10 +3471,9 @@ int tls1_process_sigalgs(SSL *s)
...
@@ -3470,10 +3471,9 @@ int tls1_process_sigalgs(SSL *s)
idx
=
tls12_get_pkey_idx
(
sigs
[
1
]);
idx
=
tls12_get_pkey_idx
(
sigs
[
1
]);
md
=
tls12_get_hash
(
sigs
[
0
]);
md
=
tls12_get_hash
(
sigs
[
0
]);
pmd
[
idx
]
=
md
;
pmd
[
idx
]
=
md
;
c
->
pkeys
[
idx
].
valid_flags
=
CERT_PKEY_EXPLICIT_SIGN
;
pvalid
[
idx
]
=
CERT_PKEY_EXPLICIT_SIGN
;
if
(
idx
==
SSL_PKEY_RSA_SIGN
)
{
if
(
idx
==
SSL_PKEY_RSA_SIGN
)
{
c
->
pkeys
[
SSL_PKEY_RSA_ENC
].
valid_flags
=
pvalid
[
SSL_PKEY_RSA_ENC
]
=
CERT_PKEY_EXPLICIT_SIGN
;
CERT_PKEY_EXPLICIT_SIGN
;
pmd
[
SSL_PKEY_RSA_ENC
]
=
md
;
pmd
[
SSL_PKEY_RSA_ENC
]
=
md
;
}
}
}
}
...
@@ -3486,10 +3486,9 @@ int tls1_process_sigalgs(SSL *s)
...
@@ -3486,10 +3486,9 @@ int tls1_process_sigalgs(SSL *s)
if
(
idx
>
0
&&
pmd
[
idx
]
==
NULL
)
{
if
(
idx
>
0
&&
pmd
[
idx
]
==
NULL
)
{
md
=
tls12_get_hash
(
sigptr
->
rhash
);
md
=
tls12_get_hash
(
sigptr
->
rhash
);
pmd
[
idx
]
=
md
;
pmd
[
idx
]
=
md
;
c
->
pkeys
[
idx
].
valid_flags
=
CERT_PKEY_EXPLICIT_SIGN
;
pvalid
[
idx
]
=
CERT_PKEY_EXPLICIT_SIGN
;
if
(
idx
==
SSL_PKEY_RSA_SIGN
)
{
if
(
idx
==
SSL_PKEY_RSA_SIGN
)
{
c
->
pkeys
[
SSL_PKEY_RSA_ENC
].
valid_flags
=
pvalid
[
SSL_PKEY_RSA_ENC
]
=
CERT_PKEY_EXPLICIT_SIGN
;
CERT_PKEY_EXPLICIT_SIGN
;
pmd
[
SSL_PKEY_RSA_ENC
]
=
md
;
pmd
[
SSL_PKEY_RSA_ENC
]
=
md
;
}
}
}
}
...
@@ -3882,6 +3881,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
...
@@ -3882,6 +3881,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
int
check_flags
=
0
,
strict_mode
;
int
check_flags
=
0
,
strict_mode
;
CERT_PKEY
*
cpk
=
NULL
;
CERT_PKEY
*
cpk
=
NULL
;
CERT
*
c
=
s
->
cert
;
CERT
*
c
=
s
->
cert
;
int
*
pvalid
;
unsigned
int
suiteb_flags
=
tls1_suiteb
(
s
);
unsigned
int
suiteb_flags
=
tls1_suiteb
(
s
);
/* idx == -1 means checking server chains */
/* idx == -1 means checking server chains */
if
(
idx
!=
-
1
)
{
if
(
idx
!=
-
1
)
{
...
@@ -3891,6 +3891,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
...
@@ -3891,6 +3891,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
idx
=
cpk
-
c
->
pkeys
;
idx
=
cpk
-
c
->
pkeys
;
}
else
}
else
cpk
=
c
->
pkeys
+
idx
;
cpk
=
c
->
pkeys
+
idx
;
pvalid
=
s
->
s3
->
tmp
.
valid_flags
+
idx
;
x
=
cpk
->
x509
;
x
=
cpk
->
x509
;
pk
=
cpk
->
privatekey
;
pk
=
cpk
->
privatekey
;
chain
=
cpk
->
chain
;
chain
=
cpk
->
chain
;
...
@@ -3903,7 +3904,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
...
@@ -3903,7 +3904,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
if
(
s
->
cert
->
cert_flags
&
SSL_CERT_FLAG_BROKEN_PROTOCOL
)
{
if
(
s
->
cert
->
cert_flags
&
SSL_CERT_FLAG_BROKEN_PROTOCOL
)
{
rv
=
CERT_PKEY_STRICT_FLAGS
|
CERT_PKEY_EXPLICIT_SIGN
|
rv
=
CERT_PKEY_STRICT_FLAGS
|
CERT_PKEY_EXPLICIT_SIGN
|
CERT_PKEY_VALID
|
CERT_PKEY_SIGN
;
CERT_PKEY_VALID
|
CERT_PKEY_SIGN
;
cpk
->
valid_flags
=
rv
;
*
pvalid
=
rv
;
return
rv
;
return
rv
;
}
}
# endif
# endif
...
@@ -3914,6 +3915,8 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
...
@@ -3914,6 +3915,8 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
if
(
idx
==
-
1
)
if
(
idx
==
-
1
)
return
0
;
return
0
;
cpk
=
c
->
pkeys
+
idx
;
cpk
=
c
->
pkeys
+
idx
;
pvalid
=
s
->
s3
->
tmp
.
valid_flags
+
idx
;
if
(
c
->
cert_flags
&
SSL_CERT_FLAGS_CHECK_TLS_STRICT
)
if
(
c
->
cert_flags
&
SSL_CERT_FLAGS_CHECK_TLS_STRICT
)
check_flags
=
CERT_PKEY_STRICT_FLAGS
;
check_flags
=
CERT_PKEY_STRICT_FLAGS
;
else
else
...
@@ -4100,7 +4103,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
...
@@ -4100,7 +4103,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
end:
end:
if
(
TLS1_get_version
(
s
)
>=
TLS1_2_VERSION
)
{
if
(
TLS1_get_version
(
s
)
>=
TLS1_2_VERSION
)
{
if
(
cpk
->
valid_flags
&
CERT_PKEY_EXPLICIT_SIGN
)
if
(
*
pvalid
&
CERT_PKEY_EXPLICIT_SIGN
)
rv
|=
CERT_PKEY_EXPLICIT_SIGN
|
CERT_PKEY_SIGN
;
rv
|=
CERT_PKEY_EXPLICIT_SIGN
|
CERT_PKEY_SIGN
;
else
if
(
s
->
s3
->
tmp
.
md
[
idx
]
!=
NULL
)
else
if
(
s
->
s3
->
tmp
.
md
[
idx
]
!=
NULL
)
rv
|=
CERT_PKEY_SIGN
;
rv
|=
CERT_PKEY_SIGN
;
...
@@ -4113,10 +4116,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
...
@@ -4113,10 +4116,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
*/
*/
if
(
!
check_flags
)
{
if
(
!
check_flags
)
{
if
(
rv
&
CERT_PKEY_VALID
)
if
(
rv
&
CERT_PKEY_VALID
)
cpk
->
valid_flags
=
rv
;
*
pvalid
=
rv
;
else
{
else
{
/* Preserve explicit sign flag, clear rest */
/* Preserve explicit sign flag, clear rest */
cpk
->
valid_flags
&=
CERT_PKEY_EXPLICIT_SIGN
;
*
pvalid
&=
CERT_PKEY_EXPLICIT_SIGN
;
return
0
;
return
0
;
}
}
}
}
...
...
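Review bot: In the tls1_process_sigalgs hunk at @@ -3470 the index from `idx = tls12_get_pkey_idx(sigs[1]);` is used unchecked in `pmd[idx] = md;` and the new `pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;`, whereas the very next hunk guards the same pattern with `if (idx > 0 && pmd[idx] == NULL)`; if tls12_get_pkey_idx reports an unrecognised signature type as a negative index (its body is not visible here), the write now lands on the `md[]` array that immediately precedes `valid_flags` in ssl3_state_st. Wrapping the assignments in `if (idx >= 0) {` (closed after the SSL_PKEY_RSA_ENC mirror) makes the two hunks consistent at no cost. This pre-dates the commit, but moving the array into connection state changes what a bad index corrupts. tls1_process_sigalgs continues outside the hunk.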