Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 025638597af11c3255d8151293ae12d46f05e8e4^! / . / include / openssl / ssl.h
commit025638597af11c3255d8151293ae12d46f05e8e4[log] [tgz]
authorSteven Valdez <svaldez@google.com>Thu Jun 23 13:33:05 2016 -0400
committerDavid Benjamin <davidben@google.com>Tue Jun 28 14:18:53 2016 +0000
tree75d79273bf29933ff4e66a2cc2bd886f02a6fdbe
parent9d632f4582c25e37f33d502f3ba50b2f4fc794ac [diff] [blame]
Changing representation of signature/hash to use SignatureScheme.

As part of the SignatureAlgorithm change in the TLS 1.3 specification,
the existing signature/hash combinations are replaced with a combined
signature algorithm identifier. This change maintains the existing APIs
while fixing the internal representations. The signing code currently
still treats the SignatureAlgorithm as a decomposed value, which will be
fixed as part of a separate CL.

Change-Id: I0cd1660d74ad9bcf55ce5da4449bf2922660be36
Reviewed-on: https://boringssl-review.googlesource.com/8480
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 6ce9412..797da38 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -2958,10 +2958,9 @@
  * respectively. */
 OPENSSL_EXPORT int SSL_get_shutdown(const SSL *ssl);
 
-/* SSL_get_server_key_exchange_hash, on a client, returns the hash the server
- * used to sign the ServerKeyExchange in TLS 1.2. If not applicable, it returns
- * |TLSEXT_hash_none|. */
-OPENSSL_EXPORT uint8_t SSL_get_server_key_exchange_hash(const SSL *ssl);
+/* SSL_get_peer_signature_algorithm returns the signature algorithm used by the
+ * peer. If not applicable, it returns zero. */
+OPENSSL_EXPORT uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl);
 
 /* TODO(davidben): Remove this when wpa_supplicant in Android has synced with
  * upstream. */
@@ -3193,6 +3192,14 @@
 OPENSSL_EXPORT int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx,
                                                const char *profiles);
 
+/* SSL_get_server_key_exchange_hash, on a client, returns the hash the server
+ * used to sign the ServerKeyExchange in TLS 1.2. If not applicable, it returns
+ * |TLSEXT_hash_none|.
+ *
+ * TODO(davidben): Remove once Chromium switches to
+ * |SSL_get_peer_signature_algorithm|. */
+OPENSSL_EXPORT uint8_t SSL_get_server_key_exchange_hash(const SSL *ssl);
+
 /* SSL_set_tlsext_use_srtp calls |SSL_set_srtp_profiles|. It returns zero on
  * success and one on failure.
  *
@@ -4248,10 +4255,9 @@
      * False Start. The client may write data at this point. */
     char in_false_start;
 
-    /* server_key_exchange_hash, on a client, is the hash the server used to
-     * sign the ServerKeyExchange in TLS 1.2. If not applicable, it is
-     * |TLSEXT_hash_none|. */
-    uint8_t server_key_exchange_hash;
+    /* peer_signature_algorithm is the signature algorithm used to authenticate
+     * the peer, or zero if not applicable. */
+    uint16_t peer_signature_algorithm;
 
     /* ecdh_ctx is the current ECDH instance. */
     SSL_ECDH_CTX ecdh_ctx;