Remove special case for TLS 1.3.
authorDr. Stephen Henson <steve@openssl.org>
Tue, 31 Jan 2017 18:33:14 +0000 (18:33 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 2 Feb 2017 14:45:10 +0000 (14:45 +0000)
We now set the server certificate in tls_choose_sigalg() so there is
no need for a special case for TLS 1.3 any more.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

ssl/statem/statem_lib.c

index 4b021f9..0f30c54 100644 (file)
@@ -171,8 +171,8 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
 
 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
 {
-    EVP_PKEY *pkey;
-    const EVP_MD *md;
+    EVP_PKEY *pkey = s->cert->key->privatekey;
+    const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
     EVP_MD_CTX *mctx = NULL;
     EVP_PKEY_CTX *pctx = NULL;
     size_t hdatalen = 0, siglen = 0;
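Review bot: The new initializers for `pkey` and `md` rely on `s->cert->key` already pointing at the selected certificate slot, but nothing in the code records that precondition. The commit message says tls_choose_sigalg() now sets it for the server. A short comment above the declarations would make the dependency visible to later maintainers, for example `/* s->cert->key and s->s3->tmp.md[] must already be set (server: by tls_choose_sigalg()) */`. The function body continues outside this hunk.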
@@ -181,20 +181,6 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
     int pktype, ispss = 0;
 
-    if (s->server) {
-        /* Only happens in TLSv1.3 */
-        /*
-         * TODO(TLS1.3): This needs to change. We should not get this from the
-         * cipher. However, for now, we have not done the work to separate the
-         * certificate type from the ciphersuite
-         */
-        pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md);
-        if (pkey == NULL)
-            goto err;
-    } else {
-        md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
-        pkey = s->cert->key->privatekey;
-    }
     pktype = EVP_PKEY_id(pkey);
 
     mctx = EVP_MD_CTX_new();
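Review bot: The removed server branch bailed out with `goto err` when `pkey == NULL`, and nothing visible in the new code replaces that check. `EVP_PKEY_id(pkey)` now runs on whatever `s->cert->key->privatekey` holds. If the selected slot has no private key, or no digest was recorded for it, this is likely a NULL dereference in the handshake path rather than a clean failure. Whether that state is reachable depends on the sigalg selection code, which is not shown here. I would keep a guard ahead of the call: `if (pkey == NULL || md == NULL) goto err;`. The `err` label and the rest of the function lie outside this hunk.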