Changing representation of signature/hash to use SignatureScheme.
As part of the SignatureAlgorithm change in the TLS 1.3 specification,
the existing signature/hash combinations are replaced with a combined
signature algorithm identifier. This change maintains the existing APIs
while fixing the internal representations. The signing code currently
still treats the SignatureAlgorithm as a decomposed value, which will be
fixed as part of a separate CL.
Change-Id: I0cd1660d74ad9bcf55ce5da4449bf2922660be36
Reviewed-on: https://boringssl-review.googlesource.com/8480
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c
index 128bb8d..0356735 100644
--- a/ssl/handshake_server.c
+++ b/ssl/handshake_server.c
@@ -1254,7 +1254,7 @@
const EVP_MD *md;
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
md = tls1_choose_signing_digest(ssl);
- if (!tls12_add_sigandhash(ssl, &body, md)) {
+ if (!tls12_add_sigalg(ssl, &body, md)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
goto err;
@@ -1335,16 +1335,22 @@
/* Get configured signature algorithms. */
int have_rsa_sign = 0;
int have_ecdsa_sign = 0;
- const uint8_t *sig;
- size_t siglen = tls12_get_psigalgs(ssl, &sig);
+ const uint16_t *sig_algs;
+ size_t sig_algs_len = tls12_get_psigalgs(ssl, &sig_algs);
size_t i;
- for (i = 0; i < siglen; i += 2, sig += 2) {
- switch (sig[1]) {
- case TLSEXT_signature_rsa:
+ for (i = 0; i < sig_algs_len; i++) {
+ switch (sig_algs[i]) {
+ case SSL_SIGN_RSA_PKCS1_SHA512:
+ case SSL_SIGN_RSA_PKCS1_SHA384:
+ case SSL_SIGN_RSA_PKCS1_SHA256:
+ case SSL_SIGN_RSA_PKCS1_SHA1:
have_rsa_sign = 1;
break;
- case TLSEXT_signature_ecdsa:
+ case SSL_SIGN_ECDSA_SECP521R1_SHA512:
+ case SSL_SIGN_ECDSA_SECP384R1_SHA384:
+ case SSL_SIGN_ECDSA_SECP256R1_SHA256:
+ case SSL_SIGN_ECDSA_SHA1:
have_ecdsa_sign = 1;
break;
}
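Review bot: The switch at `switch (sig_algs[i])` has no `default:` arm, so any SignatureScheme value other than the eight listed is skipped silently and a reader cannot tell whether that is deliberate; make it explicit with `default: /* Other schemes do not affect the RSA/ECDSA flags. */ break;`. That also gives compilers that warn on a switch without a default nothing to flag. The local names `sig_algs`/`sig_algs_len` here differ from `sigalgs`/`sigalgs_len` used for the same `tls12_get_psigalgs` result in the next hunk, and picking one spelling for both would help when grepping. The enclosing function starts and ends outside the hunk.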
@@ -1378,12 +1384,18 @@
}
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
- const uint8_t *sigalgs;
+ const uint16_t *sigalgs;
size_t sigalgs_len = tls12_get_psigalgs(ssl, &sigalgs);
- if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) ||
- !CBB_add_bytes(&sigalgs_cbb, sigalgs, sigalgs_len)) {
+ if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
goto err;
}
+
+ size_t i;
+ for (i = 0; i < sigalgs_len; i++) {
+ if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
+ goto err;
+ }
+ }
}
STACK_OF(X509_NAME) *sk = SSL_get_client_CA_list(ssl);
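Review bot: The new loop at `for (i = 0; i < sigalgs_len; i++)` writes the list with no check that it is non-empty, so if `tls12_get_psigalgs` can ever return 0 entries the server would emit an empty supported_signature_algorithms vector, which TLS 1.2 requires to hold at least one entry. Whether a zero-length list is reachable depends on how the configured list is populated, which is outside this hunk. If it cannot be empty, a one-line comment before the loop stating that `tls12_get_psigalgs` always yields at least one entry documents the invariant; otherwise `if (sigalgs_len == 0) { goto err; }` before the loop closes the gap. The enclosing function starts and ends outside the hunk.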
@@ -1888,16 +1900,16 @@
/* Determine the digest type if needbe. */
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
- uint8_t hash, signature_type;
- if (!CBS_get_u8(&certificate_verify, &hash) ||
- !CBS_get_u8(&certificate_verify, &signature_type)) {
+ uint16_t signature_algorithm;
+ if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) {
al = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
goto f_err;
}
- if (!tls12_check_peer_sigalg(ssl, &md, &al, hash, signature_type, pkey)) {
+ if (!tls12_check_peer_sigalg(ssl, &md, &al, signature_algorithm, pkey)) {
goto f_err;
}
+ ssl->s3->tmp.peer_signature_algorithm = signature_algorithm;
}
/* Compute the digest. */
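Review bot: `ssl->s3->tmp.peer_signature_algorithm = signature_algorithm;` is assigned only inside the `>= TLS1_2_VERSION` branch, so for earlier protocol versions the field keeps whatever value it previously held, and whether `tmp` is reset between handshakes is not visible here. Either clear it on the other path or document the contract where the field is declared, e.g. `/* Only meaningful when the protocol version is at least TLS 1.2. */`. The assignment correctly comes after `tls12_check_peer_sigalg`, so only an accepted value is recorded; a short comment on that line, `/* Record only after the algorithm has been validated against pkey. */`, would make the ordering constraint explicit for future edits. The enclosing function starts and ends outside the hunk.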