commit ebad508ef111ef13106019f6e9b22bdae7bf57ef
author David Benjamin <davidben@google.com> Mon Feb 03 19:32:19 2020 -0500
committer Adam Langley <agl@google.com> Wed Feb 05 23:21:08 2020 +0000
tree 920c62e26ff69ed2a5a34946f19e4fa0e1b07929
parent 10165d82c16a9cab4a61569eaea9f0fadb36346c

Switch verify sigalg pref functions to SSL_HANDSHAKE.

Functions that take SSL* do not necessarily have an ssl->config
available because it is released post-handshake, whereas hs->config can
be accessed without a null check.

Change-Id: I3d9f3838c1f2d79f92beac363a90fb6046671053
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/39844
Reviewed-by: Adam Langley <agl@google.com>

ssl/t1_lib.cc

diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 7958b5c..2b8e941 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -473,10 +473,12 @@
   bool skip_ed25519 = false;
 };
 
-static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl) {
+static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(
+    const SSL_HANDSHAKE *hs) {
+  SSL *const ssl = hs->ssl;
   SSLSignatureAlgorithmList ret;
-  if (!ssl->config->verify_sigalgs.empty()) {
-    ret.list = ssl->config->verify_sigalgs;
+  if (!hs->config->verify_sigalgs.empty()) {
+    ret.list = hs->config->verify_sigalgs;
   } else {
     ret.list = kVerifySignatureAlgorithms;
     ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
@@ -484,8 +486,8 @@
   return ret;
 }
 
-bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl);
+bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) {
+  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(hs);
   uint16_t sigalg;
   while (list.Next(&sigalg)) {
     if (!CBB_add_u16(out, sigalg)) {
@@ -495,9 +497,9 @@
   return true;
 }
 
-bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
+bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
                              uint16_t sigalg) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl);
+  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(hs);
   uint16_t verify_sigalg;
   while (list.Next(&verify_sigalg)) {
     if (verify_sigalg == sigalg) {
@@ -936,7 +938,6 @@
 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
 
 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
-  SSL *const ssl = hs->ssl;
   if (hs->max_version < TLS1_2_VERSION) {
     return true;
   }
@@ -945,7 +946,7 @@
   if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
       !CBB_add_u16_length_prefixed(out, &contents) ||
       !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
-      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||
+      !tls12_add_verify_sigalgs(hs, &sigalgs_cbb) ||
       !CBB_flush(out)) {
     return false;
   }