Move signing digest out of CERT.

Reviewed-by: N Rich Salz <rsalz@openssl.org>

Move signing digest out of CERT.
Reviewed-by: N Rich Salz <rsalz@openssl.org>
d376e57d · Dr. Stephen Henson · 76106e60 · d376e57d · d376e57d · d376e57d
6 changed file
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2163,7 +2163,7 @@ int ssl3_get_certificate_request(SSL *s)
        }
        /* Clear certificate digests and validity flags */
        for (i = 0; i < SSL_PKEY_NUM; i++) {
-            s->cert->pkeys[i].digest = NULL;
+            s->s3->tmp.md[i] = NULL;
            s->cert->pkeys[i].valid_flags = 0;
        }
        if ((llen & 1) || !tls1_save_sigalgs(s, p, llen)) {
@@ -3081,7 +3081,7 @@ int ssl3_send_client_verify(SSL *s)
        if (SSL_USE_SIGALGS(s)) {
            long hdatalen = 0;
            void *hdata;
-            const EVP_MD *md = s->cert->key->digest;
+            const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
            hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
            if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) {
                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
@@ -3197,7 +3197,7 @@ static int ssl3_check_client_certificate(SSL *s)
    if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
        return 0;
    /* If no suitable signature algorithm can't use certificate */
-    if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
+    if (SSL_USE_SIGALGS(s) && !s->s3->tmp.md[s->cert->key - s->cert->pkeys])
        return 0;
    /*
     * If strict mode check suitability of chain before using it. This also

--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3326,7 +3326,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        if (SSL_USE_SIGALGS(s)) {
            if (s->session && s->session->sess_cert) {
                const EVP_MD *sig;
-                sig = s->session->sess_cert->peer_key->digest;
+                sig = s->s3->tmp.peer_md;
                if (sig) {
                    *(int *)parg = EVP_MD_type(sig);
                    return 1;

--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -165,21 +165,6 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void)
    return ssl_x509_store_ctx_idx;
 }

-void ssl_cert_set_default_md(CERT *cert)
-{
-    /* Set digest values to defaults */
-#ifndef OPENSSL_NO_DSA
-    cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
-#endif
-#ifndef OPENSSL_NO_RSA
-    cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
-    cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
-#endif
-#ifndef OPENSSL_NO_EC
-    cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
-#endif
-}
-
 CERT *ssl_cert_new(void)
 {
    CERT *ret = OPENSSL_malloc(sizeof(*ret));
@@ -192,7 +177,6 @@ CERT *ssl_cert_new(void)

    ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
    ret->references = 1;
-    ssl_cert_set_default_md(ret);
    ret->sec_cb = ssl_security_default_callback;
    ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;
    ret->sec_ex = NULL;
@@ -306,11 +290,6 @@ CERT *ssl_cert_dup(CERT *cert)
    }

    ret->references = 1;
-    /*
-     * Set digests to defaults. NB: we don't copy existing values as they
-     * will be set during handshake.
-     */
-    ssl_cert_set_default_md(ret);
    /* Configured sigalgs copied across */
    if (cert->conf_sigalgs) {
        ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);

--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2269,7 +2269,7 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
        return (NULL);
    }
    if (pmd)
-        *pmd = c->pkeys[idx].digest;
+        *pmd = s->s3->tmp.md[idx];
    return c->pkeys[idx].privatekey;
 }


--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1291,6 +1291,10 @@ typedef struct ssl3_state_st {
        unsigned char *peer_sigalgs;
        /* Size of above array */
        size_t peer_sigalgslen;
+        /* Digest peer uses for signing */
+        const EVP_MD *peer_md;
+        /* Array of digests used for signing */
+        const EVP_MD *md[SSL_PKEY_NUM];
    } tmp;

    /* Connection binding to prevent renegotiation attacks */
@@ -1439,8 +1443,6 @@ typedef struct dtls1_state_st {
 typedef struct cert_pkey_st {
    X509 *x509;
    EVP_PKEY *privatekey;
-    /* Digest to use when signing */
-    const EVP_MD *digest;
    /* Chain for this certificate */
    STACK_OF(X509) *chain;
 # ifndef OPENSSL_NO_TLSEXT
@@ -1870,7 +1872,6 @@ void ssl_clear_cipher_ctx(SSL *s);
 int ssl_clear_bad_session(SSL *s);
 __owur CERT *ssl_cert_new(void);
 __owur CERT *ssl_cert_dup(CERT *cert);
-void ssl_cert_set_default_md(CERT *cert);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
 __owur SESS_CERT *ssl_sess_cert_new(void);

--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -795,9 +795,9 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
            return 0;
        if (set_ee_md == 2) {
            if (check_md == NID_ecdsa_with_SHA256)
-                c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
+                s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
            else
-                c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
+                s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
        }
    }
    return rv;
@@ -1036,8 +1036,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
    /*
     * Store the digest used so applications can retrieve it if they wish.
     */
-    if (s->session && s->session->sess_cert)
-        s->session->sess_cert->peer_key->digest = *pmd;
+    s->s3->tmp.peer_md = *pmd;
    return 1;
 }

@@ -2668,6 +2667,21 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
        return 1;
    }
 }
+/* Initialise digests to default values */
+static void ssl_set_default_md(SSL *s)
+{
+    const EVP_MD **pmd = s->s3->tmp.md;
+#ifndef OPENSSL_NO_DSA
+    pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
+#endif
+#ifndef OPENSSL_NO_RSA
+    pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
+    pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
+#endif
+#ifndef OPENSSL_NO_EC
+    pmd[SSL_PKEY_ECC] = EVP_sha1();
+#endif
+}

 int tls1_set_server_sigalgs(SSL *s)
 {
@@ -2679,7 +2693,7 @@ int tls1_set_server_sigalgs(SSL *s)
    s->cert->shared_sigalgslen = 0;
    /* Clear certificate digests and validity flags */
    for (i = 0; i < SSL_PKEY_NUM; i++) {
-        s->cert->pkeys[i].digest = NULL;
+        s->s3->tmp.md[i] = NULL;
        s->cert->pkeys[i].valid_flags = 0;
    }

@@ -2697,8 +2711,9 @@ int tls1_set_server_sigalgs(SSL *s)
            al = SSL_AD_ILLEGAL_PARAMETER;
            goto err;
        }
-    } else
-        ssl_cert_set_default_md(s->cert);
+    } else {
+        ssl_set_default_md(s);
+    }
    return 1;
 err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -3434,6 +3449,7 @@ int tls1_process_sigalgs(SSL *s)
    int idx;
    size_t i;
    const EVP_MD *md;
+    const EVP_MD **pmd = s->s3->tmp.md;
    CERT *c = s->cert;
    TLS_SIGALGS *sigptr;
    if (!tls1_set_shared_sigalgs(s))
@@ -3453,12 +3469,12 @@ int tls1_process_sigalgs(SSL *s)
        if (sigs) {
            idx = tls12_get_pkey_idx(sigs[1]);
            md = tls12_get_hash(sigs[0]);
-            c->pkeys[idx].digest = md;
+            pmd[idx] = md;
            c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
            if (idx == SSL_PKEY_RSA_SIGN) {
                c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
                    CERT_PKEY_EXPLICIT_SIGN;
-                c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
+                pmd[SSL_PKEY_RSA_ENC] = md;
            }
        }
    }
@@ -3467,14 +3483,14 @@ int tls1_process_sigalgs(SSL *s)
    for (i = 0, sigptr = c->shared_sigalgs;
         i < c->shared_sigalgslen; i++, sigptr++) {
        idx = tls12_get_pkey_idx(sigptr->rsign);
-        if (idx > 0 && c->pkeys[idx].digest == NULL) {
+        if (idx > 0 && pmd[idx] == NULL) {
            md = tls12_get_hash(sigptr->rhash);
-            c->pkeys[idx].digest = md;
+            pmd[idx] = md;
            c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
            if (idx == SSL_PKEY_RSA_SIGN) {
                c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
                    CERT_PKEY_EXPLICIT_SIGN;
-                c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
+                pmd[SSL_PKEY_RSA_ENC] = md;
            }
        }

@@ -3489,18 +3505,18 @@ int tls1_process_sigalgs(SSL *s)
         * supported it stays as NULL.
         */
 # ifndef OPENSSL_NO_DSA
-        if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
-            c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
+        if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
+            pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
 # endif
 # ifndef OPENSSL_NO_RSA
-        if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
-            c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
-            c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
+        if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
+            pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
+            pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
        }
 # endif
 # ifndef OPENSSL_NO_EC
-        if (!c->pkeys[SSL_PKEY_ECC].digest)
-            c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
+        if (pmd[SSL_PKEY_ECC] == NULL)
+            pmd[SSL_PKEY_ECC] = EVP_sha1();
 # endif
    }
    return 1;
@@ -4086,7 +4102,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
    if (TLS1_get_version(s) >= TLS1_2_VERSION) {
        if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
            rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
-        else if (cpk->digest)
+        else if (s->s3->tmp.md[idx] != NULL)
            rv |= CERT_PKEY_SIGN;
    } else
        rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;