Move |no_cert_verify| into state machine
The |no_cert_verify| should be in the state machine structure not in SSL
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ad590e5..445907d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -225,7 +225,6 @@
s->init_buf = NULL;
clear_ciphers(s);
s->first_packet = 0;
- s->no_cert_verify = 0;
/*
* Check to see if we were changed into a different method, if so, revert
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 2c22ee3..24ce4f7 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1021,9 +1021,6 @@
struct ssl3_state_st *s3; /* SSLv3 variables */
struct dtls1_state_st *d1; /* DTLSv1 variables */
- /* Should we skip the CertificateVerify message? */
- unsigned int no_cert_verify;
-
/* callback that allows applications to peek at protocol messages */
void (*msg_callback) (int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg);
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 6ff60ea..ac795ab 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -155,6 +155,7 @@
s->statem.state = MSG_FLOW_UNINITED;
s->statem.hand_state = TLS_ST_BEFORE;
s->statem.in_init = 1;
+ s->statem.no_cert_verify = 0;
}
/*
diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h
index fcc6163..f65e09f 100644
--- a/ssl/statem/statem.h
+++ b/ssl/statem/statem.h
@@ -135,6 +135,10 @@
OSSL_HANDSHAKE_STATE hand_state;
int in_init;
int read_state_first_init;
+
+ /* Should we skip the CertificateVerify message? */
+ unsigned int no_cert_verify;
+
int use_timer;
#ifndef OPENSSL_NO_SCTP
int in_sctp_read_sock;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index b940280..103f3cc 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -232,10 +232,10 @@
* received a Certificate from the client. If so then |s->session->peer|
* will be non NULL. In some instances a CertificateVerify message is
* not required even if the peer has sent a Certificate (e.g. such as in
- * the case of static DH). In that case |s->no_cert_verify| should be
+ * the case of static DH). In that case |st->no_cert_verify| should be
* set.
*/
- if (s->session->peer == NULL || s->no_cert_verify) {
+ if (s->session->peer == NULL || st->no_cert_verify) {
if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
/*
* For the ECDH ciphersuites when the client sends its ECDH
@@ -2619,7 +2619,7 @@
goto f_err;
}
if (dh_clnt) {
- s->no_cert_verify = 1;
+ s->statem.no_cert_verify = 1;
return MSG_PROCESS_CONTINUE_PROCESSING;
}
} else
@@ -2697,7 +2697,7 @@
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
goto err;
}
- s->no_cert_verify = 1;
+ s->statem.no_cert_verify = 1;
} else {
/*
* Get client's public key from encoded point in the
@@ -2854,7 +2854,7 @@
/* Check if pubkey from client certificate was used */
if (EVP_PKEY_CTX_ctrl
(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
- s->no_cert_verify = 1;
+ s->statem.no_cert_verify = 1;
EVP_PKEY_free(client_pub_pkey);
EVP_PKEY_CTX_free(pkey_ctx);
@@ -2924,7 +2924,7 @@
/* Are we renegotiating? */
&& s->renegotiate
/* Are we going to skip the CertificateVerify? */
- && (s->session->peer == NULL || s->no_cert_verify)
+ && (s->session->peer == NULL || s->statem.no_cert_verify)
&& BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
s->s3->in_read_app_data = 2;
s->rwstate = SSL_READING;
@@ -2937,7 +2937,7 @@
}
#endif
- if (s->no_cert_verify) {
+ if (s->statem.no_cert_verify) {
/* No certificate verify so we no longer need the handshake_buffer */
BIO_free(s->s3->handshake_buffer);
return WORK_FINISHED_CONTINUE;
