diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 6ce9412d..797da389 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2958,10 +2958,9 @@ OPENSSL_EXPORT SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx); * respectively. */ OPENSSL_EXPORT int SSL_get_shutdown(const SSL *ssl); -/* SSL_get_server_key_exchange_hash, on a client, returns the hash the server - * used to sign the ServerKeyExchange in TLS 1.2. If not applicable, it returns - * |TLSEXT_hash_none|. */ -OPENSSL_EXPORT uint8_t SSL_get_server_key_exchange_hash(const SSL *ssl); +/* SSL_get_peer_signature_algorithm returns the signature algorithm used by the + * peer. If not applicable, it returns zero. */ +OPENSSL_EXPORT uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl); /* TODO(davidben): Remove this when wpa_supplicant in Android has synced with * upstream. */ @@ -3193,6 +3192,14 @@ OPENSSL_EXPORT void SSL_load_error_strings(void); OPENSSL_EXPORT int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles); +/* SSL_get_server_key_exchange_hash, on a client, returns the hash the server + * used to sign the ServerKeyExchange in TLS 1.2. If not applicable, it returns + * |TLSEXT_hash_none|. + * + * TODO(davidben): Remove once Chromium switches to + * |SSL_get_peer_signature_algorithm|. */ +OPENSSL_EXPORT uint8_t SSL_get_server_key_exchange_hash(const SSL *ssl); + /* SSL_set_tlsext_use_srtp calls |SSL_set_srtp_profiles|. It returns zero on * success and one on failure. * @@ -4248,10 +4255,9 @@ typedef struct ssl3_state_st { * False Start. The client may write data at this point. */ char in_false_start; - /* server_key_exchange_hash, on a client, is the hash the server used to - * sign the ServerKeyExchange in TLS 1.2. If not applicable, it is - * |TLSEXT_hash_none|. */ - uint8_t server_key_exchange_hash; + /* peer_signature_algorithm is the signature algorithm used to authenticate + * the peer, or zero if not applicable. */ + uint16_t peer_signature_algorithm; /* ecdh_ctx is the current ECDH instance. */ SSL_ECDH_CTX ecdh_ctx; diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 973ea1c6..7dbc3940 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -261,6 +261,16 @@ extern "C" { #define TLSEXT_hash_sha384 5 #define TLSEXT_hash_sha512 6 +#define SSL_SIGN_RSA_PKCS1_SHA1 0x0201 +#define SSL_SIGN_RSA_PKCS1_SHA256 0x0401 +#define SSL_SIGN_RSA_PKCS1_SHA384 0x0501 +#define SSL_SIGN_RSA_PKCS1_SHA512 0x0601 +#define SSL_SIGN_ECDSA_SHA1 0x0203 +#define SSL_SIGN_ECDSA_SECP256R1_SHA256 0x0403 +#define SSL_SIGN_ECDSA_SECP384R1_SHA384 0x0503 +#define SSL_SIGN_ECDSA_SECP521R1_SHA512 0x0603 + + /* Flag set for unrecognised algorithms */ #define TLSEXT_nid_unknown 0x1000000 diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c index e5c6e2f8..09f4d4fe 100644 --- a/ssl/handshake_client.c +++ b/ssl/handshake_client.c @@ -1311,17 +1311,16 @@ static int ssl3_get_server_key_exchange(SSL *ssl) { const EVP_MD *md = NULL; if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { - uint8_t hash, signature; - if (!CBS_get_u8(&server_key_exchange, &hash) || - !CBS_get_u8(&server_key_exchange, &signature)) { + uint16_t signature_algorithm; + if (!CBS_get_u16(&server_key_exchange, &signature_algorithm)) { al = SSL_AD_DECODE_ERROR; OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); goto f_err; } - if (!tls12_check_peer_sigalg(ssl, &md, &al, hash, signature, pkey)) { + if (!tls12_check_peer_sigalg(ssl, &md, &al, signature_algorithm, pkey)) { goto f_err; } - ssl->s3->tmp.server_key_exchange_hash = hash; + ssl->s3->tmp.peer_signature_algorithm = signature_algorithm; } else if (pkey->type == EVP_PKEY_RSA) { md = EVP_md5_sha1(); } else { @@ -1823,7 +1822,7 @@ static int ssl3_send_cert_verify(SSL *ssl) { const EVP_MD *md = NULL; if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { md = tls1_choose_signing_digest(ssl); - if (!tls12_add_sigandhash(ssl, &body, md)) { + if (!tls12_add_sigalg(ssl, &body, md)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); goto err; } diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c index 128bb8de..03567358 100644 --- a/ssl/handshake_server.c +++ b/ssl/handshake_server.c @@ -1254,7 +1254,7 @@ static int ssl3_send_server_key_exchange(SSL *ssl) { const EVP_MD *md; if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { md = tls1_choose_signing_digest(ssl); - if (!tls12_add_sigandhash(ssl, &body, md)) { + if (!tls12_add_sigalg(ssl, &body, md)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); goto err; @@ -1335,16 +1335,22 @@ static int add_cert_types(SSL *ssl, CBB *cbb) { /* Get configured signature algorithms. */ int have_rsa_sign = 0; int have_ecdsa_sign = 0; - const uint8_t *sig; - size_t siglen = tls12_get_psigalgs(ssl, &sig); + const uint16_t *sig_algs; + size_t sig_algs_len = tls12_get_psigalgs(ssl, &sig_algs); size_t i; - for (i = 0; i < siglen; i += 2, sig += 2) { - switch (sig[1]) { - case TLSEXT_signature_rsa: + for (i = 0; i < sig_algs_len; i++) { + switch (sig_algs[i]) { + case SSL_SIGN_RSA_PKCS1_SHA512: + case SSL_SIGN_RSA_PKCS1_SHA384: + case SSL_SIGN_RSA_PKCS1_SHA256: + case SSL_SIGN_RSA_PKCS1_SHA1: have_rsa_sign = 1; break; - case TLSEXT_signature_ecdsa: + case SSL_SIGN_ECDSA_SECP521R1_SHA512: + case SSL_SIGN_ECDSA_SECP384R1_SHA384: + case SSL_SIGN_ECDSA_SECP256R1_SHA256: + case SSL_SIGN_ECDSA_SHA1: have_ecdsa_sign = 1; break; } @@ -1378,12 +1384,18 @@ static int ssl3_send_certificate_request(SSL *ssl) { } if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { - const uint8_t *sigalgs; + const uint16_t *sigalgs; size_t sigalgs_len = tls12_get_psigalgs(ssl, &sigalgs); - if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) || - !CBB_add_bytes(&sigalgs_cbb, sigalgs, sigalgs_len)) { + if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) { goto err; } + + size_t i; + for (i = 0; i < sigalgs_len; i++) { + if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) { + goto err; + } + } } STACK_OF(X509_NAME) *sk = SSL_get_client_CA_list(ssl); @@ -1888,16 +1900,16 @@ static int ssl3_get_cert_verify(SSL *ssl) { /* Determine the digest type if needbe. */ if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { - uint8_t hash, signature_type; - if (!CBS_get_u8(&certificate_verify, &hash) || - !CBS_get_u8(&certificate_verify, &signature_type)) { + uint16_t signature_algorithm; + if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) { al = SSL_AD_DECODE_ERROR; OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); goto f_err; } - if (!tls12_check_peer_sigalg(ssl, &md, &al, hash, signature_type, pkey)) { + if (!tls12_check_peer_sigalg(ssl, &md, &al, signature_algorithm, pkey)) { goto f_err; } + ssl->s3->tmp.peer_signature_algorithm = signature_algorithm; } /* Compute the digest. */ diff --git a/ssl/internal.h b/ssl/internal.h index 4ecf6e0e..fb8dd9d6 100644 --- a/ssl/internal.h +++ b/ssl/internal.h @@ -747,12 +747,6 @@ enum ssl_hash_message_t { ssl_hash_message, }; -/* Structure containing decoded values of signature algorithms extension */ -typedef struct tls_sigalgs_st { - uint8_t rsign; - uint8_t rhash; -} TLS_SIGALGS; - typedef struct cert_st { X509 *x509; EVP_PKEY *privatekey; @@ -777,7 +771,7 @@ typedef struct cert_st { /* peer_sigalgs are the algorithm/hash pairs that the peer supports. These * are taken from the contents of signature algorithms extension for a server * or from the CertificateRequest for a client. */ - TLS_SIGALGS *peer_sigalgs; + uint16_t *peer_sigalgs; /* peer_sigalgslen is the number of entries in |peer_sigalgs|. */ size_t peer_sigalgslen; @@ -1142,13 +1136,10 @@ int tls_process_ticket(SSL *ssl, SSL_SESSION **out_session, size_t ticket_len, const uint8_t *session_id, size_t session_id_len); -/* tls12_add_sigandhash assembles the SignatureAndHashAlgorithm corresponding to - * |ssl|'s private key and |md|. The two-byte value is written to |out|. It - * returns one on success and zero on failure. */ -int tls12_add_sigandhash(SSL *ssl, CBB *out, const EVP_MD *md); - -int tls12_get_sigid(int pkey_type); -const EVP_MD *tls12_get_hash(uint8_t hash_alg); +/* tls12_add_sigalg picks the SignatureScheme corresponding to |ssl|'s private + * key and |md| and writes it to |out|. It returns one on success and zero on + * failure. */ +int tls12_add_sigalg(SSL *ssl, CBB *out, const EVP_MD *md); /* tls1_channel_id_hash computes the hash to be signed by Channel ID and writes * it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns @@ -1220,14 +1211,14 @@ int tls1_parse_peer_sigalgs(SSL *ssl, const CBS *sigalgs); * based on the peer's preferences the digests supported. */ const EVP_MD *tls1_choose_signing_digest(SSL *ssl); -size_t tls12_get_psigalgs(SSL *ssl, const uint8_t **psigs); +size_t tls12_get_psigalgs(SSL *ssl, const uint16_t **psigs); -/* tls12_check_peer_sigalg checks that |hash| and |signature| are consistent - * with |pkey| and |ssl|'s sent, supported signature algorithms and, if so, +/* tls12_check_peer_sigalg checks that |signature_algorithm| is consistent with + * the |pkey| and |ssl|'s sent, supported signature algorithms and, if so, * writes the relevant digest into |*out_md| and returns 1. Otherwise it * returns 0 and writes an alert into |*out_alert|. */ int tls12_check_peer_sigalg(SSL *ssl, const EVP_MD **out_md, int *out_alert, - uint8_t hash, uint8_t signature, EVP_PKEY *pkey); + uint16_t signature_algorithm, EVP_PKEY *pkey); void ssl_set_client_disabled(SSL *ssl); #endif /* OPENSSL_HEADER_SSL_INTERNAL_H */ diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index a7070d10..ebac0f4f 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2812,8 +2812,12 @@ uint64_t SSL_get_write_sequence(const SSL *ssl) { return ret; } +uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) { + return ssl->s3->tmp.peer_signature_algorithm; +} + uint8_t SSL_get_server_key_exchange_hash(const SSL *ssl) { - return ssl->s3->tmp.server_key_exchange_hash; + return (uint8_t) (SSL_get_peer_signature_algorithm(ssl) >> 8); } size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 16cac15e..4f808656 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -498,39 +498,36 @@ done: /* List of supported signature algorithms and hashes. Should make this * customisable at some point, for now include everything we support. */ -#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, +static const uint16_t kDefaultSignatureAlgorithms[] = { + SSL_SIGN_RSA_PKCS1_SHA512, + SSL_SIGN_ECDSA_SECP521R1_SHA512, -#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, + SSL_SIGN_RSA_PKCS1_SHA384, + SSL_SIGN_ECDSA_SECP384R1_SHA384, -#define tlsext_sigalg(md) tlsext_sigalg_rsa(md) tlsext_sigalg_ecdsa(md) + SSL_SIGN_RSA_PKCS1_SHA256, + SSL_SIGN_ECDSA_SECP256R1_SHA256, -static const uint8_t tls12_sigalgs[] = { - tlsext_sigalg(TLSEXT_hash_sha512) - tlsext_sigalg(TLSEXT_hash_sha384) - tlsext_sigalg(TLSEXT_hash_sha256) - tlsext_sigalg(TLSEXT_hash_sha1) + SSL_SIGN_RSA_PKCS1_SHA1, + SSL_SIGN_ECDSA_SHA1, }; -size_t tls12_get_psigalgs(SSL *ssl, const uint8_t **psigs) { - *psigs = tls12_sigalgs; - return sizeof(tls12_sigalgs); +size_t tls12_get_psigalgs(SSL *ssl, const uint16_t **psigs) { + *psigs = kDefaultSignatureAlgorithms; + return sizeof(kDefaultSignatureAlgorithms) / + sizeof(kDefaultSignatureAlgorithms[0]); } +static int tls12_get_pkey_type(uint16_t sig_alg); +static const EVP_MD *tls12_get_hash(uint16_t sig_alg); + int tls12_check_peer_sigalg(SSL *ssl, const EVP_MD **out_md, int *out_alert, - uint8_t hash, uint8_t signature, EVP_PKEY *pkey) { - const uint8_t *sent_sigs; + uint16_t signature_algorithm, EVP_PKEY *pkey) { + const uint16_t *sent_sigs; size_t sent_sigslen, i; - int sigalg = tls12_get_sigid(pkey->type); - - /* Should never happen */ - if (sigalg == -1) { - OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); - *out_alert = SSL_AD_INTERNAL_ERROR; - return 0; - } /* Check key type is consistent with signature */ - if (sigalg != signature) { + if (pkey->type != tls12_get_pkey_type(signature_algorithm)) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); *out_alert = SSL_AD_ILLEGAL_PARAMETER; return 0; @@ -538,8 +535,8 @@ int tls12_check_peer_sigalg(SSL *ssl, const EVP_MD **out_md, int *out_alert, /* Check signature matches a type we sent */ sent_sigslen = tls12_get_psigalgs(ssl, &sent_sigs); - for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) { - if (hash == sent_sigs[0] && signature == sent_sigs[1]) { + for (i = 0; i < sent_sigslen; i++) { + if (signature_algorithm == sent_sigs[i]) { break; } } @@ -550,7 +547,7 @@ int tls12_check_peer_sigalg(SSL *ssl, const EVP_MD **out_md, int *out_alert, return 0; } - *out_md = tls12_get_hash(hash); + *out_md = tls12_get_hash(signature_algorithm); if (*out_md == NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_DIGEST); *out_alert = SSL_AD_ILLEGAL_PARAMETER; @@ -566,7 +563,7 @@ int tls12_check_peer_sigalg(SSL *ssl, const EVP_MD **out_md, int *out_alert, * settings. */ void ssl_set_client_disabled(SSL *ssl) { CERT *c = ssl->cert; - const uint8_t *sigalgs; + const uint16_t *sigalgs; size_t i, sigalgslen; int have_rsa = 0, have_ecdsa = 0; c->mask_a = 0; @@ -575,13 +572,19 @@ void ssl_set_client_disabled(SSL *ssl) { /* Now go through all signature algorithms seeing if we support any for RSA, * DSA, ECDSA. Do this for all versions not just TLS 1.2. */ sigalgslen = tls12_get_psigalgs(ssl, &sigalgs); - for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) { - switch (sigalgs[1]) { - case TLSEXT_signature_rsa: + for (i = 0; i < sigalgslen; i++) { + switch (sigalgs[i]) { + case SSL_SIGN_RSA_PKCS1_SHA512: + case SSL_SIGN_RSA_PKCS1_SHA384: + case SSL_SIGN_RSA_PKCS1_SHA256: + case SSL_SIGN_RSA_PKCS1_SHA1: have_rsa = 1; break; - case TLSEXT_signature_ecdsa: + case SSL_SIGN_ECDSA_SECP521R1_SHA512: + case SSL_SIGN_ECDSA_SECP384R1_SHA384: + case SSL_SIGN_ECDSA_SECP256R1_SHA256: + case SSL_SIGN_ECDSA_SHA1: have_ecdsa = 1; break; } @@ -1043,15 +1046,24 @@ static int ext_sigalgs_add_clienthello(SSL *ssl, CBB *out) { return 1; } - const uint8_t *sigalgs_data; + const uint16_t *sigalgs_data; const size_t sigalgs_len = tls12_get_psigalgs(ssl, &sigalgs_data); CBB contents, sigalgs; if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) || !CBB_add_u16_length_prefixed(out, &contents) || - !CBB_add_u16_length_prefixed(&contents, &sigalgs) || - !CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len) || - !CBB_flush(out)) { + !CBB_add_u16_length_prefixed(&contents, &sigalgs)) { + return 0; + } + + size_t i; + for (i = 0; i < sigalgs_len; i++) { + if (!CBB_add_u16(&sigalgs, sigalgs_data[i])) { + return 0; + } + } + + if (!CBB_flush(out)) { return 0; } @@ -2516,51 +2528,44 @@ done: return ret; } -/* Tables to translate from NIDs to TLS v1.2 ids */ +/* Tables to translate from NIDs to TLS v1.2 ids + * + * TODO(svaldez): Remove decomposition of SignatureAlgorithm IDs. */ typedef struct { - int nid; - int id; + int pkey_type; + int md_type; + uint16_t id; } tls12_lookup; -static const tls12_lookup tls12_md[] = { - {NID_sha1, TLSEXT_hash_sha1}, - {NID_sha256, TLSEXT_hash_sha256}, - {NID_sha384, TLSEXT_hash_sha384}, - {NID_sha512, TLSEXT_hash_sha512}, +static const tls12_lookup kTLS12SignatureAlgorithmIDs[] = { + {EVP_PKEY_RSA, NID_sha512, SSL_SIGN_RSA_PKCS1_SHA512}, + {EVP_PKEY_EC, NID_sha512, SSL_SIGN_ECDSA_SECP521R1_SHA512}, + {EVP_PKEY_RSA, NID_sha384, SSL_SIGN_RSA_PKCS1_SHA384}, + {EVP_PKEY_EC, NID_sha384, SSL_SIGN_ECDSA_SECP384R1_SHA384}, + {EVP_PKEY_RSA, NID_sha256, SSL_SIGN_RSA_PKCS1_SHA256}, + {EVP_PKEY_EC, NID_sha256, SSL_SIGN_ECDSA_SECP256R1_SHA256}, + {EVP_PKEY_RSA, NID_sha1, SSL_SIGN_RSA_PKCS1_SHA1}, + {EVP_PKEY_EC, NID_sha1, SSL_SIGN_ECDSA_SHA1}, }; -static const tls12_lookup tls12_sig[] = {{EVP_PKEY_RSA, TLSEXT_signature_rsa}, - {EVP_PKEY_EC, TLSEXT_signature_ecdsa}}; +int tls12_add_sigalg(SSL *ssl, CBB *out, const EVP_MD *md) { + int pkey_type = ssl_private_key_type(ssl); + int md_type = EVP_MD_type(md); -static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen) { size_t i; - for (i = 0; i < tlen; i++) { - if (table[i].nid == nid) { - return table[i].id; + for (i = 0; i < sizeof(kTLS12SignatureAlgorithmIDs) / sizeof(tls12_lookup); + i++) { + if (kTLS12SignatureAlgorithmIDs[i].pkey_type == pkey_type && + kTLS12SignatureAlgorithmIDs[i].md_type == md_type) { + return CBB_add_u16(out, kTLS12SignatureAlgorithmIDs[i].id); } } - return -1; -} - -int tls12_get_sigid(int pkey_type) { - return tls12_find_id(pkey_type, tls12_sig, - sizeof(tls12_sig) / sizeof(tls12_lookup)); -} - -int tls12_add_sigandhash(SSL *ssl, CBB *out, const EVP_MD *md) { - int md_id = tls12_find_id(EVP_MD_type(md), tls12_md, - sizeof(tls12_md) / sizeof(tls12_lookup)); - int sig_id = tls12_get_sigid(ssl_private_key_type(ssl)); - - return md_id != -1 && - sig_id != -1 && - CBB_add_u8(out, (uint8_t)md_id) && - CBB_add_u8(out, (uint8_t)sig_id); + return 0; } -const EVP_MD *tls12_get_hash(uint8_t hash_alg) { - switch (hash_alg) { +static const EVP_MD *tls12_get_hash(uint16_t sig_alg) { + switch (sig_alg >> 8) { case TLSEXT_hash_sha1: return EVP_sha1(); @@ -2580,8 +2585,8 @@ const EVP_MD *tls12_get_hash(uint8_t hash_alg) { /* tls12_get_pkey_type returns the EVP_PKEY type corresponding to TLS signature * algorithm |sig_alg|. It returns -1 if the type is unknown. */ -static int tls12_get_pkey_type(uint8_t sig_alg) { - switch (sig_alg) { +static int tls12_get_pkey_type(uint16_t sig_alg) { + switch (sig_alg & 0xff) { case TLSEXT_signature_rsa: return EVP_PKEY_RSA; @@ -2593,9 +2598,6 @@ static int tls12_get_pkey_type(uint8_t sig_alg) { } } -OPENSSL_COMPILE_ASSERT(sizeof(TLS_SIGALGS) == 2, - sizeof_tls_sigalgs_is_not_two); - int tls1_parse_peer_sigalgs(SSL *ssl, const CBS *in_sigalgs) { /* Extension ignored for inappropriate versions */ if (ssl3_protocol_version(ssl) < TLS1_2_VERSION) { @@ -2620,9 +2622,9 @@ int tls1_parse_peer_sigalgs(SSL *ssl, const CBS *in_sigalgs) { return 1; } - /* This multiplication doesn't overflow because sizeof(TLS_SIGALGS) is two - * (statically asserted above) and we just divided |num_sigalgs| by two. */ - cert->peer_sigalgs = OPENSSL_malloc(num_sigalgs * sizeof(TLS_SIGALGS)); + /* This multiplication doesn't overflow because sizeof(uint16_t) is two + * and we just divided |num_sigalgs| by two. */ + cert->peer_sigalgs = OPENSSL_malloc(num_sigalgs * sizeof(uint16_t)); if (cert->peer_sigalgs == NULL) { return 0; } @@ -2633,9 +2635,7 @@ int tls1_parse_peer_sigalgs(SSL *ssl, const CBS *in_sigalgs) { size_t i; for (i = 0; i < num_sigalgs; i++) { - TLS_SIGALGS *const sigalg = &cert->peer_sigalgs[i]; - if (!CBS_get_u8(&sigalgs, &sigalg->rhash) || - !CBS_get_u8(&sigalgs, &sigalg->rsign)) { + if (!CBS_get_u16(&sigalgs, &cert->peer_sigalgs[i])) { return 0; } } @@ -2662,10 +2662,10 @@ const EVP_MD *tls1_choose_signing_digest(SSL *ssl) { for (i = 0; i < num_digest_nids; i++) { const int digest_nid = digest_nids[i]; for (j = 0; j < cert->peer_sigalgslen; j++) { - const EVP_MD *md = tls12_get_hash(cert->peer_sigalgs[j].rhash); + const EVP_MD *md = tls12_get_hash(cert->peer_sigalgs[j]); if (md == NULL || digest_nid != EVP_MD_type(md) || - tls12_get_pkey_type(cert->peer_sigalgs[j].rsign) != type) { + tls12_get_pkey_type(cert->peer_sigalgs[j]) != type) { continue; }