Switch some ints to bools and Spans.
Change-Id: I505b29ae20fb660229900c4e046a0b1e5606d02c
Reviewed-on: https://boringssl-review.googlesource.com/25164
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index d4f0e3f..441f62f 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1677,28 +1677,29 @@
// Signature algorithms.
// tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature
-// algorithms and saves them on |hs|. It returns one on success and zero on
+// algorithms and saves them on |hs|. It returns true on success and false on
// error.
-int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs);
+bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs);
// tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm
-// that should be used with |pkey| in TLS 1.1 and earlier. It returns one on
-// success and zero if |pkey| may not be used at those versions.
-int tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey);
+// that should be used with |pkey| in TLS 1.1 and earlier. It returns true on
+// success and false if |pkey| may not be used at those versions.
+bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey);
// tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use
// with |hs|'s private key based on the peer's preferences and the algorithms
-// supported. It returns one on success and zero on error.
-int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out);
+// supported. It returns true on success and false on error.
+bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out);
// tls12_add_verify_sigalgs adds the signature algorithms acceptable for the
-// peer signature to |out|. It returns one on success and zero on error.
-int tls12_add_verify_sigalgs(const SSL *ssl, CBB *out);
+// peer signature to |out|. It returns true on success and false on error.
+bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out);
// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
-// signature. It returns one on success and zero on error, setting |*out_alert|
-// to an alert to send.
-int tls12_check_peer_sigalg(SSL *ssl, uint8_t *out_alert, uint16_t sigalg);
+// signature. It returns true on success and false on error, setting
+// |*out_alert| to an alert to send.
+bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
+ uint16_t sigalg);
// Underdocumented functions.
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index de02476..4303d4e 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -464,29 +464,30 @@
SSL_SIGN_RSA_PKCS1_SHA1,
};
-int tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
- const uint16_t *sigalgs = kVerifySignatureAlgorithms;
- size_t num_sigalgs = OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
- if (ssl->ctx->num_verify_sigalgs != 0) {
- sigalgs = ssl->ctx->verify_sigalgs;
- num_sigalgs = ssl->ctx->num_verify_sigalgs;
+bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
+ bool use_default = ssl->ctx->num_verify_sigalgs == 0;
+ Span<const uint16_t> sigalgs = kVerifySignatureAlgorithms;
+ if (!use_default) {
+ sigalgs = MakeConstSpan(ssl->ctx->verify_sigalgs,
+ ssl->ctx->num_verify_sigalgs);
}
- for (size_t i = 0; i < num_sigalgs; i++) {
- if (sigalgs == kVerifySignatureAlgorithms &&
- sigalgs[i] == SSL_SIGN_ED25519 &&
+ for (uint16_t sigalg : sigalgs) {
+ if (use_default &&
+ sigalg == SSL_SIGN_ED25519 &&
!ssl->ctx->ed25519_enabled) {
continue;
}
- if (!CBB_add_u16(out, sigalgs[i])) {
- return 0;
+ if (!CBB_add_u16(out, sigalg)) {
+ return false;
}
}
- return 1;
+ return true;
}
-int tls12_check_peer_sigalg(SSL *ssl, uint8_t *out_alert, uint16_t sigalg) {
+bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
+ uint16_t sigalg) {
const uint16_t *sigalgs = kVerifySignatureAlgorithms;
size_t num_sigalgs = OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
if (ssl->ctx->num_verify_sigalgs != 0) {
@@ -501,13 +502,13 @@
continue;
}
if (sigalg == sigalgs[i]) {
- return 1;
+ return true;
}
}
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
- return 0;
+ return false;
}
// tls_extension represents a TLS extension that is handled internally. The
@@ -3369,29 +3370,29 @@
return ssl_ticket_aead_success;
}
-int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
+bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
// Extension ignored for inappropriate versions
if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {
- return 1;
+ return true;
}
return parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
}
-int tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
+bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
switch (EVP_PKEY_id(pkey)) {
case EVP_PKEY_RSA:
*out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
- return 1;
+ return true;
case EVP_PKEY_EC:
*out = SSL_SIGN_ECDSA_SHA1;
- return 1;
+ return true;
default:
- return 0;
+ return false;
}
}
-int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
+bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
SSL *const ssl = hs->ssl;
CERT *cert = ssl->cert;
@@ -3400,9 +3401,9 @@
if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
- return 0;
+ return false;
}
- return 1;
+ return true;
}
Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
@@ -3431,13 +3432,13 @@
for (uint16_t peer_sigalg : peer_sigalgs) {
if (sigalg == peer_sigalg) {
*out = sigalg;
- return 1;
+ return true;
}
}
}
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
- return 0;
+ return false;
}
int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {