Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 0d62f26c3636b24404df00b15bff68fd6d5d65b0^! / . / include / openssl / ssl.h
commit0d62f26c3636b24404df00b15bff68fd6d5d65b0[log] [tgz]
authorSteven Valdez <svaldez@chromium.org>Fri Sep 04 12:41:04 2015 -0400
committerAdam Langley <agl@google.com>Wed Sep 23 21:55:01 2015 +0000
treeb428d46e2be584c6e716afe01f98323e9548e8fd
parent4c60d356a926b68ac20e8090755799e1525874f0 [diff] [blame]
Adding more options for signing digest fallback.

Allow configuring digest preferences for the private key. Some
smartcards have limited support for signing digests, notably Windows
CAPI keys and old Estonian smartcards. Chromium used the supports_digest
hook in SSL_PRIVATE_KEY_METHOD to limit such keys to SHA1. However,
detecting those keys was a heuristic, so some SHA256-capable keys
authenticating to SHA256-only servers regressed in the switch to
BoringSSL. Replace this mechanism with an API to configure digest
preference order. This way heuristically-detected SHA1-only keys may be
configured by Chromium as SHA1-preferring rather than SHA1-requiring.

In doing so, clean up the shared_sigalgs machinery somewhat.

BUG=468076

Change-Id: I996a2df213ae4d8b4062f0ab85b15262ca26f3c6
Reviewed-on: https://boringssl-review.googlesource.com/5755
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 14f9383..be40cf2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -774,6 +774,14 @@
                                              const uint8_t *response,
                                              size_t response_len);
 
+/* SSL_set_private_key_digest_prefs copies |num_digests| NIDs from |digest_nids|
+ * into |ssl|. These digests will be used, in decreasing order of preference,
+ * when signing with |ssl|'s private key. It returns one on success and zero on
+ * error. */
+OPENSSL_EXPORT int SSL_set_private_key_digest_prefs(SSL *ssl,
+                                                    const int *digest_nids,
+                                                    size_t num_digests);
+
 
 /* Certificate and private key convenience functions. */
 
@@ -852,10 +860,6 @@
    * key used by |ssl|. */
   int (*type)(SSL *ssl);
 
-  /* supports_digest returns one if the key used by |ssl| supports signing
-   * digests of type |md| and zero otherwise. */
-  int (*supports_digest)(SSL *ssl, const EVP_MD *md);
-
   /* max_signature_len returns the maximum length of a signature signed by the
    * key used by |ssl|. This must be a constant value for a given |ssl|. */
   size_t (*max_signature_len)(SSL *ssl);
@@ -890,7 +894,7 @@
                                                  size_t *out_len, size_t max_out);
 } SSL_PRIVATE_KEY_METHOD;
 
-/* SSL_use_private_key_method configures a custom private key on |ssl|.
+/* SSL_set_private_key_method configures a custom private key on |ssl|.
  * |key_method| must remain valid for the lifetime of |ssl|. */
 OPENSSL_EXPORT void SSL_set_private_key_method(
     SSL *ssl, const SSL_PRIVATE_KEY_METHOD *key_method);