Don't decompose sigalgs in key preferences.

Instead, in SSL_set_private_key_digest_prefs, convert the NID list to a
sigalgs list. We'll need to add a new API later when custom key callers
are ready to start advertising RSA-PSS.

This removes all callers of tls12_get_hash except inside the signing and
verifying functions.

Change-Id: Ie534f3b736c6ac6ebeb0d7770d489f72e3321865
Reviewed-on: https://boringssl-review.googlesource.com/8693
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index 5281504..03a1320 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -778,10 +778,10 @@
   /* peer_sigalgslen is the number of entries in |peer_sigalgs|. */
   size_t peer_sigalgslen;
 
-  /* digest_nids, if non-NULL, is the set of digests supported by |privatekey|
-   * in decreasing order of preference. */
-  int *digest_nids;
-  size_t num_digest_nids;
+  /* sigalgs, if non-NULL, is the set of digests supported by |privatekey| in
+   * decreasing order of preference. */
+  uint16_t *sigalgs;
+  size_t sigalgs_len;
 
   /* Certificate setup callback: if set is called whenever a
    * certificate may be required (client or server). the callback
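Review bot: the new comment on |sigalgs| still reads "the set of digests supported by |privatekey|", but the field is now a uint16_t list named sigalgs, which per the commit message holds signature algorithms converted from the NID list. Suggest rewording it to "the set of signature algorithms supported by |privatekey| in decreasing order of preference" so a reader does not assume the entries are still digest NIDs.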
@@ -1221,10 +1221,6 @@
 
 size_t tls12_get_psigalgs(SSL *ssl, const uint16_t **psigs);
 
-/* tls12_get_hash returns the EVP_MD corresponding to the TLS signature
- * algorithm |sigalg|. It returns NULL if the type is unknown. */
-const EVP_MD *tls12_get_hash(uint16_t sigalg);
-
 /* tls12_check_peer_sigalg checks that |signature_algorithm| is consistent with
  * the |pkey| and |ssl|'s sent, supported signature algorithms and returns 1.
  * Otherwise it returns 0 and writes an alert into |*out_alert|. */
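Review bot: dropping the tls12_get_hash prototype from internal.h is only safe if the definition and its remaining callers (the signing and verifying functions, per the commit message) live in the same file, and this part of the diff does not show that. Please confirm the definition is now marked static in that file. A non-static definition with no prototype would keep external linkage without any header documenting it.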