b398d16c1d
Both of these are newly-exported in OpenSSL 1.0.2, so they cannot be used by current consumers. This was added in upstream's 18d7158809c9722f4c6d2a8af7513577274f9b56 to support custom selection of certificates. The intent seems to be that you listen to cert_cb and use SSL_check_chain to lean on OpenSSL to process signature algorithms list for you. Unfortunately, the implementation is slightly suspect: it uses the same function as the codepath which mutates and refers to the CERT_PKEY of the matching type. Some access was guarded by check_flags, but this is too complex. Part of it is also because the matching digest is selected early and we intend to connect this to EVP_PKEY_supports_digest so it is no longer a property of just the key type. Let's remove the hook for now, to unblock removing a lot of complexity. After cleaning up this area, a function like this could be cleaner to support, but we already have a version of this: select_certificate_cb and ssl_early_callback_ctx. Change-Id: I3add425b3996e5e32d4a88e14cc607b4fdaa5aec Reviewed-on: https://boringssl-review.googlesource.com/2283 Reviewed-by: Adam Langley <agl@google.com> |
||
|---|---|---|
| crypto | ||
| doc | ||
| include/openssl | ||
| ssl | ||
| tool | ||
| util | ||
| .clang-format | ||
| .gitignore | ||
| BUILDING | ||
| CMakeLists.txt | ||