github.com/mono/boringssl.git
author: David Benjamin <davidben@chromium.org> 2014-11-14 03:17:25 +0300
committer: Adam Langley <agl@google.com> 2014-11-19 01:22:33 +0300
commit: ec2f27dee1d5f1de5a3fe519641daa4fc82430d1
tree: 20019ff55edae7ff49a121cdc38009fd3fc33bf3 /ssl/ssl_lib.c
parent: 033e5f47d1a95fb9972bc3e4bebe1986b724dc5f
Account for EVP_PKEY capabilities in selecting hash functions.

tls1_process_sigalgs now only determines the intersection between the peer algorithms and those configured locally. That list is queried later to determine the hash algorithm to use when signing CertificateVerify or ServerKeyExchange.

This is needed to support client auth on Windows where smartcards or CAPI may not support all hash functions.

As a bonus, this does away with more connection-global state. This avoids the current situation where digests are chosen before keys are known (for CertificateVerify) or for slots that don't exist.

Change-Id: Iec3619a103d691291d8ebe08ef77d574f2faf0e8
Reviewed-on: https://boringssl-review.googlesource.com/2280
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/ssl_lib.c')
-rw-r--r-- ssl/ssl_lib.c 4
1 files changed, 1 insertions, 3 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2059032f..94383e59 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2242,7 +2242,7 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
return &s->cert->pkeys[i];
}
-EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
+EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher)
{
unsigned long alg_a;
CERT *c;
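Review bot: The new signature of ssl_get_sign_pkey drops the pmd out-parameter but gains no comment telling callers where the signing digest now comes from. Since the function no longer returns a key and digest together, a short comment above the definition stating that the hash must be chosen afterwards, from the negotiated signature algorithm list and the capabilities of the returned EVP_PKEY, would keep callers from signing with a digest the key cannot support. This view is limited to ssl/ssl_lib.c, so the prototype and the call sites should be checked to confirm none still pass a third argument. As a style point, the added line keeps the missing space after the comma in `SSL *s,const SSL_CIPHER *cipher`.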
@@ -2266,8 +2266,6 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
OPENSSL_PUT_ERROR(SSL, ssl_get_sign_pkey, ERR_R_INTERNAL_ERROR);
return(NULL);
}
- if (pmd)
- *pmd = c->pkeys[idx].digest;
return c->pkeys[idx].privatekey;
}
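Review bot: With the `*pmd = c->pkeys[idx].digest;` assignment removed, nothing in this function reads the per-slot digest any more, and the visible diff does not show whether that field is also removed or still written elsewhere. If it remains in the CERT_PKEY structure it becomes stale state that a later change could consult by mistake, reintroducing a digest picked before the key is known. Please confirm the field and its writers are deleted in the rest of the change, or note here why it stays.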