Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 0fc37ef0827e02f350840e848c9578898d57368f^! / . / include / openssl / ssl.h
commit0fc37ef0827e02f350840e848c9578898d57368f[log] [tgz]
authorDavid Benjamin <davidben@google.com>Wed Aug 17 15:29:46 2016 -0400
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Wed Aug 24 00:24:34 2016 +0000
tree8e85e60082fea5efbe378acdf0a02d9e834f32ef
parent7bee853d18686a1fd792da04f5279a937ec9ee3d [diff] [blame]
Fix a number of sigalg scope issues.

peer_sigalgs should live on SSL_HANDSHAKE. This both releases a little
bit of memory after the handshake is over and also avoids the bug where
the sigalgs get dropped if SSL_set_SSL_CTX is called at a bad time. See
also upstream's 14e14bf6964965d02ce89805d9de867f000095aa.

This only affects consumers using the old SNI callback and not
select_certificate_cb.

Add a test that the SNI callback works as expected. In doing so, add an
SSL_CTX version of the signing preferences API. This is a property of
the cert/key pair (really just the key) and should be tied to that. This
makes it a bit easier to have the regression test work with TLS 1.2 too.

I thought we'd fixed this already, but apparently not... :-/

BUG=95

Change-Id: I75b02fad4059e6aa46c3b05183a07d72880711b3
Reviewed-on: https://boringssl-review.googlesource.com/10445
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 877e468..7ddbc25 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -921,13 +921,21 @@
  * before TLS 1.2. */
 #define SSL_SIGN_RSA_PKCS1_MD5_SHA1 0xff01
 
+/* SSL_CTX_set_signing_algorithm_prefs configures |ctx| to use |prefs| as the
+ * preference list when signing with |ctx|'s private key. It returns one on
+ * success and zero on error. |prefs| should not include the internal-only value
+ * |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */
+OPENSSL_EXPORT int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx,
+                                                       const uint16_t *prefs,
+                                                       size_t num_prefs);
+
 /* SSL_set_signing_algorithm_prefs configures |ssl| to use |prefs| as the
  * preference list when signing with |ssl|'s private key. It returns one on
  * success and zero on error. |prefs| should not include the internal-only value
  * |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */
 OPENSSL_EXPORT int SSL_set_signing_algorithm_prefs(SSL *ssl,
                                                    const uint16_t *prefs,
-                                                   size_t prefs_len);
+                                                   size_t num_prefs);
 
 
 /* Certificate and private key convenience functions. */