
Remove CERT_PKEY_EXPLICIT_SIGN flag.

This is maintained just to distinguish whether the digest was negotiated or we
simply fell back to assuming SHA-1 support. No code is sensitive to this flag
and it adds complexity because it is set at a different time, for now, from the
rest of valid_flags.

The flag is new in OpenSSL 1.0.2, so nothing external could be sensitive to it.

Change-Id: I9304e358d56f44d912d78beabf14316d456bf389
Reviewed-on: https://boringssl-review.googlesource.com/2282
Reviewed-by: Adam Langley <agl@google.com>
kris/onging/CECPQ3_patch15
David Benjamin 10 年之前
committed by Adam Langley
父節點
當前提交
675227e0d2
共有 3 個文件被更改,包括 6 次插入12 次删除
  1. +0
    -2
      include/openssl/ssl.h
  2. +2
    -2
      ssl/ssl_cert.c
  3. +4
    -8
      ssl/t1_lib.c

+ 0
- 2
include/openssl/ssl.h 查看文件

@@ -556,8 +556,6 @@ struct ssl_session_st
#define CERT_PKEY_EE_PARAM 0x40
/* CA certificate parameters OK */
#define CERT_PKEY_CA_PARAM 0x80
/* Signing explicitly allowed as opposed to SHA1 fallback */
#define CERT_PKEY_EXPLICIT_SIGN 0x100
/* Client CA issuer names match (always set for server cert) */
#define CERT_PKEY_ISSUER_NAME 0x200
/* Cert type matches client types (always set for server cert) */


+ 2
- 2
ssl/ssl_cert.c 查看文件

@@ -390,8 +390,8 @@ void ssl_cert_clear_certs(CERT *c)
sk_X509_pop_free(cpk->chain, X509_free);
cpk->chain = NULL;
}
/* Clear all flags apart from explicit sign */
cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
/* Clear all flags. */
cpk->valid_flags = 0;
}
}



+ 4
- 8
ssl/t1_lib.c 查看文件

@@ -2738,10 +2738,8 @@ int tls1_process_sigalgs(SSL *s, const CBS *sigalgs)
{
md = tls12_get_hash(sigptr->rhash);
c->pkeys[idx].digest = md;
c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
if (idx == SSL_PKEY_RSA_SIGN)
{
c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
}
}
@@ -3175,13 +3173,11 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,

if (TLS1_get_version(s) >= TLS1_2_VERSION)
{
if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
else if (cpk->digest)
if (cpk->digest)
rv |= CERT_PKEY_SIGN;
}
else
rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
rv |= CERT_PKEY_SIGN;

/* When checking a CERT_PKEY structure all flags are irrelevant
* if the chain is invalid.
@@ -3192,8 +3188,8 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
cpk->valid_flags = rv;
else
{
/* Preserve explicit sign flag, clear rest */
cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
/* Clear flags. */
cpk->valid_flags = 0;
return 0;
}
}
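Review bot: In the tls1_process_sigalgs hunk the two deleted lines were plain assignments (`valid_flags = CERT_PKEY_EXPLICIT_SIGN`), so besides recording the flag they also dropped every other bit in valid_flags for that slot, and for SSL_PKEY_RSA_ENC, each time a digest was selected. With them gone, bits left over from an earlier tls1_check_chain pass survive signature-algorithm processing unless something outside this hunk resets them; it is worth confirming that such a reset exists, or keeping it explicit with `c->pkeys[idx].valid_flags = 0;` next to the digest assignment. In tls1_check_chain a non-NULL `cpk->digest` is now the only thing that grants CERT_PKEY_SIGN at TLS 1.2, so a short comment there, for example `/* digest is set by negotiation or by the SHA-1 fallback; either permits signing */`, would keep that dependency visible. Both functions start and end outside the hunks shown.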

