Use CERT_PKEY pointer instead of index

Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)

Use CERT_PKEY pointer instead of index
Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)
a497cf25 · Dr. Stephen Henson · f695571e · a497cf25 · a497cf25 · a497cf25
Showing with 21 addition and 28 deletion

ssl/s3_lib.c ssl/s3_lib.c +2 -2

ssl/ssl_lib.c ssl/ssl_lib.c +4 -10

ssl/ssl_locl.h ssl/ssl_locl.h +6 -4

ssl/statem/statem_srvr.c ssl/statem/statem_srvr.c +5 -6

ssl/t1_lib.c ssl/t1_lib.c +4 -6

未找到文件。
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3149,9 +3149,9 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
             */
            if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
                return 2;
-            if (s->s3->tmp.cert_idx == -1)
+            if (s->s3->tmp.cert == NULL)
                return 0;
-            s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx];
+            s->cert->key = s->s3->tmp.cert;
            return 1;
        }
        return ssl_cert_set_current(s->cert, larg);

--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2836,20 +2836,14 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
                                   size_t *serverinfo_length)
 {
-    CERT *c = NULL;
-    int i = 0;
+    CERT_PKEY *cpk = s->s3->tmp.cert;
    *serverinfo_length = 0;

-    c = s->cert;
-    i = s->s3->tmp.cert_idx;
-
-    if (i == -1)
-        return 0;
-    if (c->pkeys[i].serverinfo == NULL)
+    if (cpk == NULL || cpk->serverinfo == NULL)
        return 0;

-    *serverinfo = c->pkeys[i].serverinfo;
-    *serverinfo_length = c->pkeys[i].serverinfo_length;
+    *serverinfo = cpk->serverinfo;
+    *serverinfo_length = cpk->serverinfo_length;
    return 1;
 }


--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1213,6 +1213,8 @@ typedef struct sigalg_lookup_st {
    int curve;
 } SIGALG_LOOKUP;

+typedef struct cert_pkey_st CERT_PKEY;
+
 typedef struct ssl3_state_st {
    long flags;
    size_t read_mac_secret_size;
@@ -1296,8 +1298,8 @@ typedef struct ssl3_state_st {
 # endif
        /* Signature algorithm we actually use */
        const SIGALG_LOOKUP *sigalg;
-        /* Index of certificate we use */
-        int cert_idx;
+        /* Pointer to certificate we use */
+        CERT_PKEY *cert;
        /*
         * signature algorithms peer reports: e.g. supported signature
         * algorithms extension for server or as part of a certificate
@@ -1491,7 +1493,7 @@ typedef struct dtls1_state_st {
 #  define NAMED_CURVE_TYPE           3
 # endif                         /* OPENSSL_NO_EC */

-typedef struct cert_pkey_st {
+struct cert_pkey_st {
    X509 *x509;
    EVP_PKEY *privatekey;
    /* Chain for this certificate */
@@ -1505,7 +1507,7 @@ typedef struct cert_pkey_st {
     */
    unsigned char *serverinfo;
    size_t serverinfo_length;
-} CERT_PKEY;
+};
 /* Retrieve Suite B flags */
 # define tls1_suiteb(s)  (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
 /* Uses to check strict mode: suite B modes are always strict */

--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1761,12 +1761,12 @@ static int tls_handle_status_request(SSL *s, int *al)
        int ret;

        /* If no certificate can't return certificate status */
-        if (s->s3->tmp.cert_idx != -1) {
+        if (s->s3->tmp.cert != NULL) {
            /*
             * Set current certificate to one we will use so SSL_get_certificate
             * et al can pick it up.
             */
-            s->cert->key = &s->cert->pkeys[s->s3->tmp.cert_idx];
+            s->cert->key = s->s3->tmp.cert;
            ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
            switch (ret) {
                /* We don't want to send a status request response */
@@ -2249,7 +2249,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)

    /* not anonymous */
    if (lu != NULL) {
-        EVP_PKEY *pkey = s->cert->pkeys[s->s3->tmp.cert_idx].privatekey;
+        EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
        const EVP_MD *md = ssl_md(lu->hash_idx);
        unsigned char *sigbytes1, *sigbytes2;
        size_t siglen;
@@ -3197,14 +3197,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)

 int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
 {
-    CERT_PKEY *cpk;
+    CERT_PKEY *cpk = s->s3->tmp.cert;
    int al = SSL_AD_INTERNAL_ERROR;

-    if (s->s3->tmp.cert_idx == -1) {
+    if (cpk == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        return 0;
    }
-    cpk = &s->cert->pkeys[s->s3->tmp.cert_idx];

    /*
     * In TLSv1.3 the certificate chain is always preceded by a 0 length context

--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2201,11 +2201,9 @@ DH *ssl_get_auto_dh(SSL *s)
        else
            dh_secbits = 80;
    } else {
-        CERT_PKEY *cpk;
-        if (s->s3->tmp.cert_idx == -1)
+        if (s->s3->tmp.cert == NULL)
            return NULL;
-        cpk = &s->cert->pkeys[s->s3->tmp.cert_idx];
-        dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
+        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
    }

    if (dh_secbits >= 128) {
@@ -2369,7 +2367,7 @@ int tls_choose_sigalg(SSL *s, int *al)
        idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
        /* If no certificate for ciphersuite return */
        if (idx == -1) {
-            s->s3->tmp.cert_idx = -1;
+            s->s3->tmp.cert = NULL;
            s->s3->tmp.sigalg = NULL;
            return 1;
        }
@@ -2445,7 +2443,7 @@ int tls_choose_sigalg(SSL *s, int *al)
            }
        }
    }
-    s->s3->tmp.cert_idx = idx;
+    s->s3->tmp.cert = &s->cert->pkeys[idx];
    s->s3->tmp.sigalg = lu;
    return 1;
 }