Switch some ints to bools and Spans.
Change-Id: I505b29ae20fb660229900c4e046a0b1e5606d02c Reviewed-on: https://boringssl-review.googlesource.com/25164 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
This commit is contained in:
David Benjamin
CQ bot account: commit-bot@chromium.org
parent
32b5940267
commit
610cdbb102
@ -1677,28 +1677,29 @@ uint16_t ssl_get_grease_value(SSL_HANDSHAKE *hs, enum ssl_grease_index_t index);
|
|||||||
// Signature algorithms.
|
// Signature algorithms.
|
||||||
|
|
||||||
// tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature
|
// tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature
|
||||||
// algorithms and saves them on |hs|. It returns one on success and zero on
|
// algorithms and saves them on |hs|. It returns true on success and false on
|
||||||
// error.
|
// error.
|
||||||
int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs);
|
bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs);
|
||||||
|
|
||||||
// tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm
|
// tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm
|
||||||
// that should be used with |pkey| in TLS 1.1 and earlier. It returns one on
|
// that should be used with |pkey| in TLS 1.1 and earlier. It returns true on
|
||||||
// success and zero if |pkey| may not be used at those versions.
|
// success and false if |pkey| may not be used at those versions.
|
||||||
int tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey);
|
bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey);
|
||||||
|
|
||||||
// tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use
|
// tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use
|
||||||
// with |hs|'s private key based on the peer's preferences and the algorithms
|
// with |hs|'s private key based on the peer's preferences and the algorithms
|
||||||
// supported. It returns one on success and zero on error.
|
// supported. It returns true on success and false on error.
|
||||||
int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out);
|
bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out);
|
||||||
|
|
||||||
// tls12_add_verify_sigalgs adds the signature algorithms acceptable for the
|
// tls12_add_verify_sigalgs adds the signature algorithms acceptable for the
|
||||||
// peer signature to |out|. It returns one on success and zero on error.
|
// peer signature to |out|. It returns true on success and false on error.
|
||||||
int tls12_add_verify_sigalgs(const SSL *ssl, CBB *out);
|
bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out);
|
||||||
|
|
||||||
// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
|
// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
|
||||||
// signature. It returns one on success and zero on error, setting |*out_alert|
|
// signature. It returns true on success and false on error, setting
|
||||||
// to an alert to send.
|
// |*out_alert| to an alert to send.
|
||||||
int tls12_check_peer_sigalg(SSL *ssl, uint8_t *out_alert, uint16_t sigalg);
|
bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
|
||||||
|
uint16_t sigalg);
|
||||||
|
|
||||||
|
|
||||||
// Underdocumented functions.
|
// Underdocumented functions.
|
||||||
|
|||||||
@ -464,29 +464,30 @@ static const uint16_t kSignSignatureAlgorithms[] = {
|
|||||||
SSL_SIGN_RSA_PKCS1_SHA1,
|
SSL_SIGN_RSA_PKCS1_SHA1,
|
||||||
};
|
};
|
||||||
|
|
||||||
int tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
|
bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
|
||||||
const uint16_t *sigalgs = kVerifySignatureAlgorithms;
|
bool use_default = ssl->ctx->num_verify_sigalgs == 0;
|
||||||
size_t num_sigalgs = OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
|
Span<const uint16_t> sigalgs = kVerifySignatureAlgorithms;
|
||||||
if (ssl->ctx->num_verify_sigalgs != 0) {
|
if (!use_default) {
|
||||||
sigalgs = ssl->ctx->verify_sigalgs;
|
sigalgs = MakeConstSpan(ssl->ctx->verify_sigalgs,
|
||||||
num_sigalgs = ssl->ctx->num_verify_sigalgs;
|
ssl->ctx->num_verify_sigalgs);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (size_t i = 0; i < num_sigalgs; i++) {
|
for (uint16_t sigalg : sigalgs) {
|
||||||
if (sigalgs == kVerifySignatureAlgorithms &&
|
if (use_default &&
|
||||||
sigalgs[i] == SSL_SIGN_ED25519 &&
|
sigalg == SSL_SIGN_ED25519 &&
|
||||||
!ssl->ctx->ed25519_enabled) {
|
!ssl->ctx->ed25519_enabled) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if (!CBB_add_u16(out, sigalgs[i])) {
|
if (!CBB_add_u16(out, sigalg)) {
|
||||||
return 0;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return 1;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
int tls12_check_peer_sigalg(SSL *ssl, uint8_t *out_alert, uint16_t sigalg) {
|
bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
|
||||||
|
uint16_t sigalg) {
|
||||||
const uint16_t *sigalgs = kVerifySignatureAlgorithms;
|
const uint16_t *sigalgs = kVerifySignatureAlgorithms;
|
||||||
size_t num_sigalgs = OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
|
size_t num_sigalgs = OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
|
||||||
if (ssl->ctx->num_verify_sigalgs != 0) {
|
if (ssl->ctx->num_verify_sigalgs != 0) {
|
||||||
@ -501,13 +502,13 @@ int tls12_check_peer_sigalg(SSL *ssl, uint8_t *out_alert, uint16_t sigalg) {
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if (sigalg == sigalgs[i]) {
|
if (sigalg == sigalgs[i]) {
|
||||||
return 1;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
|
||||||
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
||||||
return 0;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// tls_extension represents a TLS extension that is handled internally. The
|
// tls_extension represents a TLS extension that is handled internally. The
|
||||||
@ -3369,29 +3370,29 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|||||||
return ssl_ticket_aead_success;
|
return ssl_ticket_aead_success;
|
||||||
}
|
}
|
||||||
|
|
||||||
int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
|
bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
|
||||||
// Extension ignored for inappropriate versions
|
// Extension ignored for inappropriate versions
|
||||||
if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {
|
if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {
|
||||||
return 1;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
return parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
|
return parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
|
||||||
}
|
}
|
||||||
|
|
||||||
int tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
|
bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
|
||||||
switch (EVP_PKEY_id(pkey)) {
|
switch (EVP_PKEY_id(pkey)) {
|
||||||
case EVP_PKEY_RSA:
|
case EVP_PKEY_RSA:
|
||||||
*out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
|
*out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
|
||||||
return 1;
|
return true;
|
||||||
case EVP_PKEY_EC:
|
case EVP_PKEY_EC:
|
||||||
*out = SSL_SIGN_ECDSA_SHA1;
|
*out = SSL_SIGN_ECDSA_SHA1;
|
||||||
return 1;
|
return true;
|
||||||
default:
|
default:
|
||||||
return 0;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
|
bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
|
||||||
SSL *const ssl = hs->ssl;
|
SSL *const ssl = hs->ssl;
|
||||||
CERT *cert = ssl->cert;
|
CERT *cert = ssl->cert;
|
||||||
|
|
||||||
@ -3400,9 +3401,9 @@ int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
|
|||||||
if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
|
if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
|
||||||
if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
|
if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
|
||||||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
|
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
|
||||||
return 0;
|
return false;
|
||||||
}
|
}
|
||||||
return 1;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
|
Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
|
||||||
@ -3431,13 +3432,13 @@ int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
|
|||||||
for (uint16_t peer_sigalg : peer_sigalgs) {
|
for (uint16_t peer_sigalg : peer_sigalgs) {
|
||||||
if (sigalg == peer_sigalg) {
|
if (sigalg == peer_sigalg) {
|
||||||
*out = sigalg;
|
*out = sigalg;
|
||||||
return 1;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
|
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
|
||||||
return 0;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
|
int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user