authorDavid Benjamin <davidben@chromium.org>2014-11-13 23:19:23 +0300
committerAdam Langley <agl@google.com>2014-11-19 01:19:06 +0300
commit675227e0d2cf328b216b83f61745e464c92d7066 (patch)
treebde5aa8233c08de2c579fc62a96e39bb1af5f329 /ssl/t1_lib.c
parent248f350ed8633ebd1632942c51d51fa74529b4aa (diff)
Remove CERT_PKEY_EXPLICIT_SIGN flag.
This is maintained just to distinguish whether the digest was negotiated or we simply fell back to assuming SHA-1 support. No code is sensitive to this flag and it adds complexity because it is set at a different time, for now, from the rest of valid_flags. The flag is new in OpenSSL 1.0.2, so nothing external could be sensitive to it. Change-Id: I9304e358d56f44d912d78beabf14316d456bf389 Reviewed-on: https://boringssl-review.googlesource.com/2282 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r--ssl/t1_lib.c12
1 files changed, 4 insertions, 8 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e0bc3e13..b228b2af 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2738,10 +2738,8 @@ int tls1_process_sigalgs(SSL *s, const CBS *sigalgs)
{
md = tls12_get_hash(sigptr->rhash);
c->pkeys[idx].digest = md;
- c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
if (idx == SSL_PKEY_RSA_SIGN)
{
- c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
}
}
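Review bot: With both `valid_flags` assignments removed, this loop no longer writes `valid_flags` at all, where it previously overwrote the whole field (a plain `=`, not `|=`) for `idx` and for `SSL_PKEY_RSA_ENC`. If anything relied on that overwrite to drop bits left over from an earlier negotiation, those bits now persist until `tls1_check_chain` assigns the field again; where the field is reset is not visible in this hunk, so that is worth confirming. A comment above `c->pkeys[idx].digest = md;` would record the new contract, for example `/* Only the digest is recorded here; valid_flags is computed in tls1_check_chain. */`. The body of `tls1_process_sigalgs` starts and ends outside the hunk.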
@@ -3175,13 +3173,11 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
if (TLS1_get_version(s) >= TLS1_2_VERSION)
{
- if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
- rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
- else if (cpk->digest)
+ if (cpk->digest)
rv |= CERT_PKEY_SIGN;
}
else
- rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
+ rv |= CERT_PKEY_SIGN;
/* When checking a CERT_PKEY structure all flags are irrelevant
* if the chain is invalid.
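Review bot: In the TLS 1.2 branch the only remaining gate for `CERT_PKEY_SIGN` is `if (cpk->digest)`, and per the commit message a non-NULL digest can come either from the peer's signature algorithms or from the SHA-1 fallback. No flag records which of the two it was any more, so any later policy that wants to treat a fallback SHA-1 digest differently has to inspect `cpk->digest` itself. I would state that at the check, e.g. `/* digest is either negotiated or the SHA-1 default; both permit signing. */`. `tls1_check_chain` begins and continues outside this hunk.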
@@ -3192,8 +3188,8 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
cpk->valid_flags = rv;
else
{
- /* Preserve explicit sign flag, clear rest */
- cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
+ /* Clear flags. */
+ cpk->valid_flags = 0;
return 0;
}
}
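Review bot: The new comment `/* Clear flags. */` only restates the assignment below it, while the reason sits in a separate comment further up ("all flags are irrelevant if the chain is invalid"). A why-comment would serve the next reader better, for example `/* Chain is invalid: leave no flag set so this key is never treated as usable. */`. The condition that selects this `else` branch is outside the hunk, so the wording should be checked against it.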