Switch verify sigalg pref functions to SSL_HANDSHAKE.
Functions that take SSL* do not necessarily have an ssl->config
available because it is released post-handshake, whereas hs->config can
be accessed without a null check.
Change-Id: I3d9f3838c1f2d79f92beac363a90fb6046671053
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/39844
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 4041fe9..25f96d0 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -1050,7 +1050,7 @@
return ssl_hs_error;
}
uint8_t alert = SSL_AD_DECODE_ERROR;
- if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) {
+ if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm)) {
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
@@ -1273,7 +1273,7 @@
ssl_key_usage_t intended_use = (alg_k & SSL_kRSA)
? key_usage_encipherment
: key_usage_digital_signature;
- if (ssl->config->enforce_rsa_key_usage ||
+ if (hs->config->enforce_rsa_key_usage ||
EVP_PKEY_id(hs->peer_pubkey.get()) != EVP_PKEY_RSA) {
if (!ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
return ssl_hs_error;
