diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c index dd3ab040..ce736b57 100644 --- a/ssl/handshake_client.c +++ b/ssl/handshake_client.c @@ -264,7 +264,7 @@ int ssl3_connect(SSL *ssl) { break; case SSL3_ST_CR_CERT_A: - if (ssl->s3->hs->use_cert_auth) { + if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { ret = ssl3_get_server_certificate(ssl); if (ret <= 0) { goto end; @@ -288,7 +288,7 @@ int ssl3_connect(SSL *ssl) { break; case SSL3_ST_VERIFY_SERVER_CERT: - if (ssl->s3->hs->use_cert_auth) { + if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { ret = ssl3_verify_server_cert(ssl); if (ret <= 0) { goto end; @@ -308,7 +308,7 @@ int ssl3_connect(SSL *ssl) { break; case SSL3_ST_CR_CERT_REQ_A: - if (ssl->s3->hs->use_cert_auth) { + if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { ret = ssl3_get_certificate_request(ssl); if (ret <= 0) { goto end; @@ -952,9 +952,6 @@ static int ssl3_get_server_hello(SSL *ssl) { ssl->s3->new_session->cipher = c; } ssl->s3->tmp.new_cipher = c; - if (ssl_cipher_uses_certificate_auth(c)) { - ssl->s3->hs->use_cert_auth = 1; - } /* Now that the cipher is known, initialize the handshake hash. */ if (!ssl3_init_handshake_hash(ssl)) { @@ -964,7 +961,8 @@ static int ssl3_get_server_hello(SSL *ssl) { /* If doing a full handshake, the server may request a client certificate * which requires hashing the handshake transcript. Otherwise, the handshake * buffer may be released. */ - if (ssl->session != NULL || !ssl->s3->hs->use_cert_auth) { + if (ssl->session != NULL || + !ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { ssl3_free_handshake_buffer(ssl); } @@ -1286,7 +1284,7 @@ static int ssl3_get_server_key_exchange(SSL *ssl) { CBS_len(&server_key_exchange_orig) - CBS_len(&server_key_exchange)); /* ServerKeyExchange should be signed by the server's public key. */ - if (ssl->s3->hs->use_cert_auth) { + if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { pkey = X509_get_pubkey(ssl->s3->new_session->peer); if (pkey == NULL) { goto err; diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c index 421db42a..0189714e 100644 --- a/ssl/handshake_server.c +++ b/ssl/handshake_server.c @@ -257,7 +257,7 @@ int ssl3_accept(SSL *ssl) { case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: - if (ssl->s3->hs->use_cert_auth) { + if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { ret = ssl3_send_server_certificate(ssl); if (ret <= 0) { goto end; @@ -776,9 +776,6 @@ static int ssl3_get_client_hello(SSL *ssl) { ssl->s3->tmp.new_cipher = ssl->session->cipher; ssl->s3->tmp.cert_request = 0; - if (ssl_cipher_uses_certificate_auth(ssl->session->cipher)) { - ssl->s3->hs->use_cert_auth = 1; - } } else { /* Call |cert_cb| to update server certificates if required. */ if (ssl->cert->cert_cb != NULL) { @@ -804,9 +801,6 @@ static int ssl3_get_client_hello(SSL *ssl) { ssl->s3->new_session->cipher = c; ssl->s3->tmp.new_cipher = c; - if (ssl_cipher_uses_certificate_auth(c)) { - ssl->s3->hs->use_cert_auth = 1; - } /* Determine whether to request a client certificate. */ ssl->s3->tmp.cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); @@ -816,7 +810,7 @@ static int ssl3_get_client_hello(SSL *ssl) { ssl->s3->tmp.cert_request = 0; } /* CertificateRequest may only be sent in certificate-based ciphers. */ - if (!ssl->s3->hs->use_cert_auth) { + if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { ssl->s3->tmp.cert_request = 0; } @@ -1053,7 +1047,7 @@ static int ssl3_send_server_key_exchange(SSL *ssl) { } /* Add a signature. */ - if (ssl->s3->hs->use_cert_auth) { + if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { if (!ssl_has_private_key(ssl)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); goto err; diff --git a/ssl/internal.h b/ssl/internal.h index 5dff6606..f2856825 100644 --- a/ssl/internal.h +++ b/ssl/internal.h @@ -897,8 +897,6 @@ struct ssl_handshake_st { uint8_t secret[EVP_MAX_MD_SIZE]; uint8_t traffic_secret_0[EVP_MAX_MD_SIZE]; - int use_cert_auth; - SSL_ECDH_CTX *groups; size_t groups_len; /* retry_group is the group ID selected by the server in HelloRetryRequest. */ diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ab4b663d..0febb1c5 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1191,7 +1191,7 @@ static int ext_ocsp_parse_serverhello(SSL *ssl, uint8_t *out_alert, } /* OCSP stapling is forbidden on a non-certificate cipher. */ - if (!ssl->s3->hs->use_cert_auth) { + if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { return 0; } @@ -1244,7 +1244,7 @@ static int ext_ocsp_parse_clienthello(SSL *ssl, uint8_t *out_alert, static int ext_ocsp_add_serverhello(SSL *ssl, CBB *out) { if (!ssl->s3->tmp.ocsp_stapling_requested || ssl->ctx->ocsp_response_length == 0 || - !ssl->s3->hs->use_cert_auth) { + !ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { return 1; } diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c index cf3f284d..20f4bcda 100644 --- a/ssl/tls13_client.c +++ b/ssl/tls13_client.c @@ -267,9 +267,6 @@ static enum ssl_hs_wait_t do_process_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) { ssl->s3->new_session->cipher = cipher; ssl->s3->tmp.new_cipher = cipher; - if (ssl_cipher_uses_certificate_auth(cipher)) { - hs->use_cert_auth = 1; - } /* The PRF hash is now known. Set up the key schedule. */ static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0}; @@ -383,7 +380,7 @@ static enum ssl_hs_wait_t do_process_certificate_request(SSL *ssl, ssl->s3->tmp.cert_request = 0; /* CertificateRequest may only be sent in certificate-based ciphers. */ - if (!ssl->s3->hs->use_cert_auth) { + if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { hs->state = state_process_server_finished; return ssl_hs_ok; } diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c index e2da097d..48279a79 100644 --- a/ssl/tls13_server.c +++ b/ssl/tls13_server.c @@ -230,10 +230,6 @@ static enum ssl_hs_wait_t do_select_parameters(SSL *ssl, SSL_HANDSHAKE *hs) { ssl->s3->new_session->cipher = cipher; ssl->s3->tmp.new_cipher = cipher; - - if (ssl_cipher_uses_certificate_auth(cipher)) { - hs->use_cert_auth = 1; - } } else { uint16_t resumption_cipher; if (!ssl_cipher_get_ecdhe_psk_cipher(ssl->s3->new_session->cipher, @@ -243,7 +239,6 @@ static enum ssl_hs_wait_t do_select_parameters(SSL *ssl, SSL_HANDSHAKE *hs) { return ssl_hs_error; } ssl->s3->tmp.new_cipher = SSL_get_cipher_by_value(resumption_cipher); - hs->use_cert_auth = 0; } ssl->method->received_flight(ssl); @@ -386,7 +381,7 @@ static enum ssl_hs_wait_t do_send_certificate_request(SSL *ssl, /* Determine whether to request a client certificate. */ ssl->s3->tmp.cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); /* CertificateRequest may only be sent in certificate-based ciphers. */ - if (!ssl->s3->hs->use_cert_auth) { + if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { ssl->s3->tmp.cert_request = 0; } @@ -431,7 +426,7 @@ err: static enum ssl_hs_wait_t do_send_server_certificate(SSL *ssl, SSL_HANDSHAKE *hs) { - if (!ssl->s3->hs->use_cert_auth) { + if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { hs->state = state_send_server_finished; return ssl_hs_ok; }