author: David Benjamin <davidben@google.com>, 2016-07-14 20:47:55 +0300
committer: David Benjamin <davidben@google.com>, 2016-07-15 21:17:32 +0300
commit: 0c0b7e1e1f35c23ecaed10fb262403f1b3cf5882 (patch)
tree: 3828c8d92630b11d94e6f35498b368afc997e8c8 /include
parent: ca3d545d7f34d67c8fb05265a0f1cf7f88076776 (diff)
Widen SSL_PRIVATE_KEY_METHOD types to include the curve name.
This makes custom private keys and EVP_PKEYs symmetric again. There is
no longer a requirement that the caller pre-filter the configured
signing prefs.
Also switch EVP_PKEY_RSA to NID_rsaEncryption. These are identical, but
if some key types are to be NIDs, we should make them all NIDs.
Change-Id: I82ea41c27a3c57f4c4401ffe1ccad406783e4c64
Reviewed-on: https://boringssl-review.googlesource.com/8785
Reviewed-by: David Benjamin <davidben@google.com>
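As an added illustration, not BoringSSL's code and not part of this commit, the stand-alone C below shows what a custom-key backend's `type` and `max_signature_len` hooks would return under the widened contract: the curve NID for ECDSA keys, `NID_rsaEncryption` for RSA keys, and a fail-closed `NID_undef` for a curve the comment does not list instead of the deprecated `EVP_PKEY_EC`. The `backend_key` descriptor and the `backend_key_*` / `classify_type_return` functions are hypothetical stand-ins for whatever an HSM or remote-signer integration records about a key; the NID values are the public object numbers from OpenSSL/BoringSSL's obj_mac.h, copied in so the program builds without the library headers. It goes a step past the hunk by deriving the DER-encoded ECDSA signature bound from the curve's field size rather than hard-coding it.

```c
#include <stddef.h>
#include <stdio.h>

/* Object identifiers as numbered in OpenSSL/BoringSSL's obj_mac.h. Only the
 * values named in the updated ssl.h comment are needed here. */
#define NID_undef            0
#define NID_rsaEncryption    6
#define EVP_PKEY_RSA         NID_rsaEncryption  /* identical, as the commit message notes */
#define EVP_PKEY_EC          408                /* NID_X9_62_id_ecPublicKey: the deprecated return */
#define NID_X9_62_prime256v1 415
#define NID_secp384r1        715
#define NID_secp521r1        716

/* Hypothetical descriptor for a key held in an external signer (an HSM or a
 * remote signing service). A stand-in for this example, not a BoringSSL type. */
enum backend_key_kind { BACKEND_KEY_RSA, BACKEND_KEY_EC };

struct backend_key {
    enum backend_key_kind kind;
    size_t rsa_modulus_bytes; /* RSA only: byte length of the modulus n */
    unsigned ec_field_bits;   /* EC only: 256, 384 or 521 */
};

/* What the widened |type| hook should return for |key|: the curve NID for
 * ECDSA, NID_rsaEncryption for RSA. A curve the ssl.h comment does not list
 * yields NID_undef so the integration fails closed instead of falling back to
 * the deprecated EVP_PKEY_EC. */
int backend_key_type(const struct backend_key *key) {
    switch (key->kind) {
    case BACKEND_KEY_RSA:
        return NID_rsaEncryption;
    case BACKEND_KEY_EC:
        switch (key->ec_field_bits) {
        case 256: return NID_X9_62_prime256v1;
        case 384: return NID_secp384r1;
        case 521: return NID_secp521r1;
        default:  return NID_undef;
        }
    }
    return NID_undef;
}

/* Upper bound for |max_signature_len|: the RSA modulus size, or the largest
 * DER-encoded ECDSA SEQUENCE { INTEGER r, INTEGER s } for the curve's field
 * size. Each INTEGER may need a leading 0x00 pad when its top bit is set, and
 * the SEQUENCE length takes the two-byte long form once the body exceeds 127
 * bytes (which is what pushes P-521 to 141 rather than 140). */
size_t backend_key_max_sig_len(const struct backend_key *key) {
    if (key->kind == BACKEND_KEY_RSA) return key->rsa_modulus_bytes;
    size_t n = (key->ec_field_bits + 7) / 8;
    size_t integer_len = 2 + 1 + n;         /* tag, length, optional pad, value */
    size_t body = 2 * integer_len;          /* r and s */
    return body + (body > 127 ? 3 : 2);     /* SEQUENCE tag + length */
}

/* Classifies a |type| return against the contract the patch documents:
 *  1 = accepted, 0 = deprecated EVP_PKEY_EC, -1 = not a value the comment allows. */
int classify_type_return(int nid) {
    switch (nid) {
    case NID_rsaEncryption:
    case NID_X9_62_prime256v1:
    case NID_secp384r1:
    case NID_secp521r1:
        return 1;
    case EVP_PKEY_EC:
        return 0;
    default:
        return -1;
    }
}

int main(void) {
    /* Constructed sample keys: RSA-2048, P-256, P-521 and an unlisted curve. */
    const struct backend_key keys[] = {
        {BACKEND_KEY_RSA, 256, 0},
        {BACKEND_KEY_EC, 0, 256},
        {BACKEND_KEY_EC, 0, 521},
        {BACKEND_KEY_EC, 0, 224},
    };
    for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) {
        int nid = backend_key_type(&keys[i]);
        printf("key %zu: type=%d max_signature_len=%zu classify=%d\n", i, nid,
               backend_key_max_sig_len(&keys[i]), classify_type_return(nid));
    }
    return 0;
}
```

The fail-closed default matters in practice: a backend that answers `EVP_PKEY_EC` for an unfamiliar curve keeps working on the old contract but, per the new comment, may fail handshakes under TLS 1.3, so surfacing the unsupported curve at configuration time is the cheaper failure.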
Diffstat (limited to 'include')
-rw-r--r-- | include/openssl/ssl.h | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 7b4b3497..75ea3205 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -980,8 +980,12 @@ enum ssl_private_key_result_t { /* SSL_PRIVATE_KEY_METHOD describes private key hooks. This is used to off-load * signing operations to a custom, potentially asynchronous, backend. */ typedef struct ssl_private_key_method_st { - /* type returns either |EVP_PKEY_RSA| or |EVP_PKEY_EC| to denote the type of - * key used by |ssl|. */ + /* type returns the type of the key used by |ssl|. For RSA keys, return + * |NID_rsaEncryption|. For ECDSA keys, return |NID_X9_62_prime256v1|, + * |NID_secp384r1|, or |NID_secp521r1|, depending on the curve. + * + * Returning |EVP_PKEY_EC| for ECDSA keys is deprecated and may result in + * connection failures in TLS 1.3. */ int (*type)(SSL *ssl); /* max_signature_len returns the maximum length of a signature signed by the |
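Review bot: the rewritten comment on |type| enumerates the accepted return values but leaves two things undocumented that an implementer of SSL_PRIVATE_KEY_METHOD will hit: what the library does with a return value outside the listed set (a curve other than the three named, or an unrelated NID), and why |EVP_PKEY_EC| only "may" fail in TLS 1.3 (the commit message implies the curve is now needed to select the signing preferences, so saying that outright would tell callers which handshakes break). It would also help to state that |EVP_PKEY_RSA| remains a valid return for RSA keys, since the commit message says it is the same value as |NID_rsaEncryption|; otherwise a reader of the hunk alone will assume both halves of the old contract are deprecated, when only the EC half is. Suggest extending the comment along the lines of: "|EVP_PKEY_RSA| is identical to |NID_rsaEncryption| and remains accepted. Other return values are treated as ..." with the actual behaviour filled in.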