Google Git
Sign in
boringssl / boringssl.git / 0fc37ef0827e02f350840e848c9578898d57368f^! / . / ssl / internal.h
commit0fc37ef0827e02f350840e848c9578898d57368f[log] [tgz]
authorDavid Benjamin <davidben@google.com>Wed Aug 17 15:29:46 2016 -0400
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Wed Aug 24 00:24:34 2016 +0000
tree8e85e60082fea5efbe378acdf0a02d9e834f32ef
parent7bee853d18686a1fd792da04f5279a937ec9ee3d [diff] [blame]
Fix a number of sigalg scope issues.

peer_sigalgs should live on SSL_HANDSHAKE. This both releases a little
bit of memory after the handshake is over and also avoids the bug where
the sigalgs get dropped if SSL_set_SSL_CTX is called at a bad time. See
also upstream's 14e14bf6964965d02ce89805d9de867f000095aa.

This only affects consumers using the old SNI callback and not
select_certificate_cb.

Add a test that the SNI callback works as expected. In doing so, add an
SSL_CTX version of the signing preferences API. This is a property of
the cert/key pair (really just the key) and should be tied to that. This
makes it a bit easier to have the regression test work with TLS 1.2 too.

I thought we'd fixed this already, but apparently not... :-/

BUG=95

Change-Id: I75b02fad4059e6aa46c3b05183a07d72880711b3
Reviewed-on: https://boringssl-review.googlesource.com/10445
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/ssl/internal.h b/ssl/internal.h
index 092d14b..660ba79 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h

@@ -907,6 +907,13 @@
   uint8_t *public_key;
   size_t public_key_len;
 
+  /* peer_sigalgs are the signature algorithms that the peer supports. These are
+   * taken from the contents of the signature algorithms extension for a server
+   * or from the CertificateRequest for a client. */
+  uint16_t *peer_sigalgs;
+  /* num_peer_sigalgs is the number of entries in |peer_sigalgs|. */
+  size_t num_peer_sigalgs;
+
   uint8_t session_tickets_sent;
 } /* SSL_HANDSHAKE */;
 
@@ -1030,17 +1037,10 @@
   DH *dh_tmp;
   DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize);
 
-  /* peer_sigalgs are the algorithm/hash pairs that the peer supports. These
-   * are taken from the contents of signature algorithms extension for a server
-   * or from the CertificateRequest for a client. */
-  uint16_t *peer_sigalgs;
-  /* peer_sigalgslen is the number of entries in |peer_sigalgs|. */
-  size_t peer_sigalgslen;
-
-  /* sigalgs, if non-NULL, is the set of digests supported by |privatekey| in
-   * decreasing order of preference. */
+  /* sigalgs, if non-NULL, is the set of signature algorithms supported by
+   * |privatekey| in decreasing order of preference. */
   uint16_t *sigalgs;
-  size_t sigalgs_len;
+  size_t num_sigalgs;
 
   /* Certificate setup callback: if set is called whenever a
    * certificate may be required (client or server). the callback