Remove peer temp keys from SESS_CERT
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Dr. Stephen Henson
parent
7fba8407cc
commit
8d92c1f8a3
4 changed files with 55 additions and 49 deletions
|
|
@ -1464,22 +1464,22 @@ int ssl3_get_key_exchange(SSL *s)
|
|||
}
|
||||
|
||||
param = p = (unsigned char *)s->init_msg;
|
||||
if (s->session->sess_cert != NULL) {
|
||||
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
RSA_free(s->session->sess_cert->peer_rsa_tmp);
|
||||
s->session->sess_cert->peer_rsa_tmp = NULL;
|
||||
RSA_free(s->s3->peer_rsa_tmp);
|
||||
s->s3->peer_rsa_tmp = NULL;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
DH_free(s->session->sess_cert->peer_dh_tmp);
|
||||
s->session->sess_cert->peer_dh_tmp = NULL;
|
||||
DH_free(s->s3->peer_dh_tmp);
|
||||
s->s3->peer_dh_tmp = NULL;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC
|
||||
EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
|
||||
s->session->sess_cert->peer_ecdh_tmp = NULL;
|
||||
EC_KEY_free(s->s3->peer_ecdh_tmp);
|
||||
s->s3->peer_ecdh_tmp = NULL;
|
||||
#endif
|
||||
} else {
|
||||
|
||||
if (s->session->sess_cert == NULL)
|
||||
s->session->sess_cert = ssl_sess_cert_new();
|
||||
}
|
||||
|
||||
/* Total length of the parameters including the length prefix */
|
||||
param_len = 0;
|
||||
|
|
@ -1711,7 +1711,7 @@ int ssl3_get_key_exchange(SSL *s)
|
|||
goto f_err;
|
||||
}
|
||||
|
||||
s->session->sess_cert->peer_rsa_tmp = rsa;
|
||||
s->s3->peer_rsa_tmp = rsa;
|
||||
rsa = NULL;
|
||||
}
|
||||
#else /* OPENSSL_NO_RSA */
|
||||
|
|
@ -1806,7 +1806,7 @@ int ssl3_get_key_exchange(SSL *s)
|
|||
# endif
|
||||
/* else anonymous DH, so no certificate or pkey. */
|
||||
|
||||
s->session->sess_cert->peer_dh_tmp = dh;
|
||||
s->s3->peer_dh_tmp = dh;
|
||||
dh = NULL;
|
||||
}
|
||||
#endif /* !OPENSSL_NO_DH */
|
||||
|
|
@ -1917,7 +1917,7 @@ int ssl3_get_key_exchange(SSL *s)
|
|||
# endif
|
||||
/* else anonymous ECDH, so no certificate or pkey. */
|
||||
EC_KEY_set_public_key(ecdh, srvr_ecpoint);
|
||||
s->session->sess_cert->peer_ecdh_tmp = ecdh;
|
||||
s->s3->peer_ecdh_tmp = ecdh;
|
||||
ecdh = NULL;
|
||||
BN_CTX_free(bn_ctx);
|
||||
bn_ctx = NULL;
|
||||
|
|
@ -2446,8 +2446,8 @@ int ssl3_send_client_key_exchange(SSL *s)
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (s->session->sess_cert->peer_rsa_tmp != NULL)
|
||||
rsa = s->session->sess_cert->peer_rsa_tmp;
|
||||
if (s->s3->peer_rsa_tmp != NULL)
|
||||
rsa = s->s3->peer_rsa_tmp;
|
||||
else {
|
||||
pkey =
|
||||
X509_get_pubkey(s->session->
|
||||
|
|
@ -2504,8 +2504,8 @@ int ssl3_send_client_key_exchange(SSL *s)
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (scert->peer_dh_tmp != NULL)
|
||||
dh_srvr = scert->peer_dh_tmp;
|
||||
if (s->s3->peer_dh_tmp != NULL)
|
||||
dh_srvr = s->s3->peer_dh_tmp;
|
||||
else {
|
||||
/* we get them from the cert */
|
||||
int idx = scert->peer_cert_type;
|
||||
|
|
@ -2558,7 +2558,7 @@ int ssl3_send_client_key_exchange(SSL *s)
|
|||
*/
|
||||
|
||||
n = DH_compute_key(pms, dh_srvr->pub_key, dh_clnt);
|
||||
if (scert->peer_dh_tmp == NULL)
|
||||
if (s->s3->peer_dh_tmp == NULL)
|
||||
DH_free(dh_srvr);
|
||||
|
||||
if (n <= 0) {
|
||||
|
|
@ -2624,8 +2624,8 @@ int ssl3_send_client_key_exchange(SSL *s)
|
|||
*/
|
||||
}
|
||||
|
||||
if (s->session->sess_cert->peer_ecdh_tmp != NULL) {
|
||||
tkey = s->session->sess_cert->peer_ecdh_tmp;
|
||||
if (s->s3->peer_ecdh_tmp != NULL) {
|
||||
tkey = s->s3->peer_ecdh_tmp;
|
||||
} else {
|
||||
/* Get the Server Public Key from Cert */
|
||||
srvr_pub_pkey =
|
||||
|
|
@ -3357,10 +3357,10 @@ int ssl3_check_cert_and_algorithm(SSL *s)
|
|||
goto err;
|
||||
}
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
rsa = s->session->sess_cert->peer_rsa_tmp;
|
||||
rsa = s->s3->peer_rsa_tmp;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
dh = s->session->sess_cert->peer_dh_tmp;
|
||||
dh = s->s3->peer_dh_tmp;
|
||||
#endif
|
||||
|
||||
/* This is the passed certificate */
|
||||
|
|
|
|||
31
ssl/s3_lib.c
31
ssl/s3_lib.c
|
|
@ -2894,11 +2894,17 @@ void ssl3_free(SSL *s)
|
|||
return;
|
||||
|
||||
ssl3_cleanup_key_block(s);
|
||||
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
RSA_free(s->s3->peer_rsa_tmp);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
DH_free(s->s3->tmp.dh);
|
||||
DH_free(s->s3->peer_dh_tmp);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC
|
||||
EC_KEY_free(s->s3->tmp.ecdh);
|
||||
EC_KEY_free(s->s3->peer_ecdh_tmp);
|
||||
#endif
|
||||
|
||||
sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
|
||||
|
|
@ -2929,13 +2935,22 @@ void ssl3_clear(SSL *s)
|
|||
OPENSSL_free(s->s3->tmp.peer_sigalgs);
|
||||
s->s3->tmp.peer_sigalgs = NULL;
|
||||
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
RSA_free(s->s3->peer_rsa_tmp);
|
||||
s->s3->peer_rsa_tmp = NULL;
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_DH
|
||||
DH_free(s->s3->tmp.dh);
|
||||
s->s3->tmp.dh = NULL;
|
||||
DH_free(s->s3->peer_dh_tmp);
|
||||
s->s3->peer_dh_tmp = NULL;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC
|
||||
EC_KEY_free(s->s3->tmp.ecdh);
|
||||
s->s3->tmp.ecdh = NULL;
|
||||
EC_KEY_free(s->s3->peer_ecdh_tmp);
|
||||
s->s3->peer_ecdh_tmp = NULL;
|
||||
s->s3->is_probably_safari = 0;
|
||||
#endif /* !OPENSSL_NO_EC */
|
||||
|
||||
|
|
@ -3330,28 +3345,26 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
|||
if (s->server || !s->session || !s->session->sess_cert)
|
||||
return 0;
|
||||
else {
|
||||
SESS_CERT *sc;
|
||||
EVP_PKEY *ptmp;
|
||||
int rv = 0;
|
||||
sc = s->session->sess_cert;
|
||||
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
|
||||
if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp)
|
||||
if (!s->s3->peer_rsa_tmp && !s->s3->peer_dh_tmp && !s->s3->peer_ecdh_tmp)
|
||||
return 0;
|
||||
#endif
|
||||
ptmp = EVP_PKEY_new();
|
||||
if (!ptmp)
|
||||
return 0;
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
else if (sc->peer_rsa_tmp)
|
||||
rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
|
||||
else if (s->s3->peer_rsa_tmp)
|
||||
rv = EVP_PKEY_set1_RSA(ptmp, s->s3->peer_rsa_tmp);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
else if (sc->peer_dh_tmp)
|
||||
rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);
|
||||
else if (s->s3->peer_dh_tmp)
|
||||
rv = EVP_PKEY_set1_DH(ptmp, s->s3->peer_dh_tmp);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC
|
||||
else if (sc->peer_ecdh_tmp)
|
||||
rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);
|
||||
else if (s->s3->peer_ecdh_tmp)
|
||||
rv = EVP_PKEY_set1_EC_KEY(ptmp, s->s3->peer_ecdh_tmp);
|
||||
#endif
|
||||
if (rv) {
|
||||
*(EVP_PKEY **)parg = ptmp;
|
||||
|
|
|
|||
|
|
@ -570,16 +570,6 @@ void ssl_sess_cert_free(SESS_CERT *sc)
|
|||
#endif
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
RSA_free(sc->peer_rsa_tmp);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
DH_free(sc->peer_dh_tmp);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC
|
||||
EC_KEY_free(sc->peer_ecdh_tmp);
|
||||
#endif
|
||||
|
||||
OPENSSL_free(sc);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1340,6 +1340,18 @@ typedef struct ssl3_state_st {
|
|||
*/
|
||||
char is_probably_safari;
|
||||
# endif /* !OPENSSL_NO_EC */
|
||||
|
||||
/* For clients: peer temporary key */
|
||||
# ifndef OPENSSL_NO_RSA
|
||||
RSA *peer_rsa_tmp;
|
||||
# endif
|
||||
# ifndef OPENSSL_NO_DH
|
||||
DH *peer_dh_tmp;
|
||||
# endif
|
||||
# ifndef OPENSSL_NO_EC
|
||||
EC_KEY *peer_ecdh_tmp;
|
||||
# endif
|
||||
|
||||
} SSL3_STATE;
|
||||
|
||||
|
||||
|
|
@ -1589,15 +1601,6 @@ typedef struct sess_cert_st {
|
|||
* Obviously we don't have the private keys of these, so maybe we
|
||||
* shouldn't even use the CERT_PKEY type here.
|
||||
*/
|
||||
# ifndef OPENSSL_NO_RSA
|
||||
RSA *peer_rsa_tmp; /* not used for SSL 2 */
|
||||
# endif
|
||||
# ifndef OPENSSL_NO_DH
|
||||
DH *peer_dh_tmp; /* not used for SSL 2 */
|
||||
# endif
|
||||
# ifndef OPENSSL_NO_EC
|
||||
EC_KEY *peer_ecdh_tmp;
|
||||
# endif
|
||||
int references; /* actually always 1 at the moment */
|
||||
} SESS_CERT;
|
||||
/* Structure containing decoded values of signature algorithms extension */
|
||||
|
|
|
|||
Loading…
Reference in a new issue