Google Git
Sign in
flutter/third_party/openssl/e469af8d05dd28b1e77de9d8045b2ddd6cb6ee5d^!/./ssl/t1_lib.c
commit
e469af8d05dd28b1e77de9d8045b2ddd6cb6ee5d
[log]
author
Dr. Stephen Henson <steve@openssl.org>
Mon Nov 17 16:52:59 2014 +0000
committer
Dr. Stephen Henson <steve@openssl.org>
Wed Nov 19 14:49:12 2014 +0000
tree
94ac0958d401f910d332d9f39e1cfd97fd59ddad
parent
bcb245a74af139400014d03d578e5f464d601005 [diff] [blame]
Process signature algorithms before deciding on certificate.

The supported signature algorithms extension needs to be processed before
the certificate to use is decided and before a cipher is selected (as the
set of shared signature algorithms supported may impact the choice).
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 56e8dc542bd693b2dccea8828b3d8e5fc6932d0c)

Conflicts:
	ssl/ssl.h
	ssl/ssl_err.c

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 4e08167..db45c60 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c

@@ -2967,11 +2967,54 @@
 		}
 	}
 
+int tls1_set_server_sigalgs(SSL *s)
+	{
+	int al;
+	size_t i;
+	/* Clear any shared sigtnature algorithms */
+	if (s->cert->shared_sigalgs)
+		{
+		OPENSSL_free(s->cert->shared_sigalgs);
+		s->cert->shared_sigalgs = NULL;
+		}
+	/* Clear certificate digests and validity flags */
+	for (i = 0; i < SSL_PKEY_NUM; i++)
+		{
+		s->cert->pkeys[i].digest = NULL;
+		s->cert->pkeys[i].valid_flags = 0;
+		}
+
+	/* If sigalgs received process it. */
+	if (s->cert->peer_sigalgs)
+		{
+		if (!tls1_process_sigalgs(s))
+			{
+			SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
+					ERR_R_MALLOC_FAILURE);
+			al = SSL_AD_INTERNAL_ERROR;
+			goto err;
+			}
+		/* Fatal error is no shared signature algorithms */
+		if (!s->cert->shared_sigalgs)
+			{
+			SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
+					SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
+			al = SSL_AD_ILLEGAL_PARAMETER;
+			goto err;
+			}
+		}
+	else
+		ssl_cert_set_default_md(s->cert);
+	return 1;
+	err:
+	ssl3_send_alert(s, SSL3_AL_FATAL, al);
+	return 0;
+	}
+
 int ssl_check_clienthello_tlsext_late(SSL *s)
 	{
 	int ret = SSL_TLSEXT_ERR_OK;
 	int al;
-	size_t i;
 
 	/* If status request then ask callback what to do.
  	 * Note: this must be called after servername callbacks in case
@@ -3017,43 +3060,6 @@
 	else
 		s->tlsext_status_expected = 0;
 
-	/* Clear any shared sigtnature algorithms */
-	if (s->cert->shared_sigalgs)
-		{
-		OPENSSL_free(s->cert->shared_sigalgs);
-		s->cert->shared_sigalgs = NULL;
-		}
-	/* Clear certificate digests and validity flags */
-	for (i = 0; i < SSL_PKEY_NUM; i++)
-		{
-		s->cert->pkeys[i].digest = NULL;
-		s->cert->pkeys[i].valid_flags = 0;
-		}
-
-	/* If sigalgs received process it. */
-	if (s->cert->peer_sigalgs)
-		{
-		if (!tls1_process_sigalgs(s))
-			{
-			SSLerr(SSL_F_SSL_CHECK_CLIENTHELLO_TLSEXT_LATE,
-					ERR_R_MALLOC_FAILURE);
-			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-			al = SSL_AD_INTERNAL_ERROR;
-			goto err;
-			}
-		/* Fatal error is no shared signature algorithms */
-		if (!s->cert->shared_sigalgs)
-			{
-			SSLerr(SSL_F_SSL_CHECK_CLIENTHELLO_TLSEXT_LATE,
-					SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
-			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-			al = SSL_AD_ILLEGAL_PARAMETER;
-			goto err;
-			}
-		}
-	else
-		ssl_cert_set_default_md(s->cert);
-
  err:
 	switch (ret)
 		{