diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2017-02-15 16:23:49 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2017-02-16 16:43:44 +0000 |
| commit | ad4dd362e036b8481d51e1bfc6e9322b6cf074dc (patch) | |
| tree | 2481f0f1db2e133c493306b2155c9cdf55b34b83 /ssl/t1_lib.c | |
| parent | 717a265aa5f618fb30f857f240f6b2b0ab7ad4c7 (diff) | |
Use tls_choose_sigalg for client auth.
For client auth call tls_choose_sigalg to select the certificate
and signature algorithm. Use the selected algorithm in
tls_construct_cert_verify.
Remove obsolete tls12_get_sigandhash.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2643)
Diffstat (limited to 'ssl/t1_lib.c')
| -rw-r--r-- | ssl/t1_lib.c | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 5f44f5a112..fc9ae687f6 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1349,58 +1349,6 @@ TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick, return ret; } -int tls12_get_sigandhash(SSL *s, WPACKET *pkt, const EVP_PKEY *pk, - const EVP_MD *md, int *ispss) -{ - int md_id, sig_id; - size_t i; - const SIGALG_LOOKUP *curr; - - if (md == NULL) - return 0; - md_id = EVP_MD_type(md); - sig_id = EVP_PKEY_id(pk); - if (md_id == NID_undef) - return 0; - /* For TLS 1.3 only allow RSA-PSS */ - if (SSL_IS_TLS13(s) && sig_id == EVP_PKEY_RSA) - sig_id = EVP_PKEY_RSA_PSS; - - if (s->s3->tmp.peer_sigalgs == NULL) { - /* Should never happen: we abort if no sigalgs extension and TLS 1.3 */ - if (SSL_IS_TLS13(s)) - return 0; - /* For TLS 1.2 and no sigalgs lookup using complete table */ - for (i = 0, curr = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); - i++, curr++) { - if (curr->hash == md_id && curr->sig == sig_id) { - if (!WPACKET_put_bytes_u16(pkt, curr->sigalg)) - return 0; - *ispss = curr->sig == EVP_PKEY_RSA_PSS; - return 1; - } - } - return 0; - } - - for (i = 0; i < s->cert->shared_sigalgslen; i++) { - curr = s->cert->shared_sigalgs[i]; - - /* - * Look for matching key and hash. If key type is RSA also match PSS - * signature type. - */ - if (curr->hash == md_id && (curr->sig == sig_id - || (sig_id == EVP_PKEY_RSA && curr->sig == EVP_PKEY_RSA_PSS))){ - if (!WPACKET_put_bytes_u16(pkt, curr->sigalg)) - return 0; - *ispss = curr->sig == EVP_PKEY_RSA_PSS; - return 1; - } - } - return 0; -} - static int tls12_get_pkey_idx(int sig_nid) { switch (sig_nid) { |