Commit d376e57d authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Move signing digest out of CERT.



Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent 76106e60
+3 −3
@@ -2163,7 +2163,7 @@ int ssl3_get_certificate_request(SSL *s)
        }
        /* Clear certificate digests and validity flags */
        for (i = 0; i < SSL_PKEY_NUM; i++) {
            s->cert->pkeys[i].digest = NULL;
            s->s3->tmp.md[i] = NULL;
            s->cert->pkeys[i].valid_flags = 0;
        }
        if ((llen & 1) || !tls1_save_sigalgs(s, p, llen)) {
@@ -3081,7 +3081,7 @@ int ssl3_send_client_verify(SSL *s)
        if (SSL_USE_SIGALGS(s)) {
            long hdatalen = 0;
            void *hdata;
            const EVP_MD *md = s->cert->key->digest;
            const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
            hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
            if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) {
                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
@@ -3197,7 +3197,7 @@ static int ssl3_check_client_certificate(SSL *s)
    if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
        return 0;
    /* If no suitable signature algorithm can't use certificate */
    if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
    if (SSL_USE_SIGALGS(s) && !s->s3->tmp.md[s->cert->key - s->cert->pkeys])
        return 0;
    /*
     * If strict mode check suitability of chain before using it. This also
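Review bot: The index `s->cert->key - s->cert->pkeys` is now computed inline in both ssl3_send_client_verify and ssl3_check_client_certificate, and it is a valid index into `s->s3->tmp.md[]` only while `key` points inside `pkeys`. That invariant is set up elsewhere (ssl_cert_new on this page assigns `ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC])`), but nothing at these two sites states it. I would compute it once into a named local, e.g. `size_t idx = (size_t)(s->cert->key - s->cert->pkeys);`, with a comment that `key` always points into `pkeys`, and then read `s->s3->tmp.md[idx]`. In ssl3_send_client_verify `md` is passed straight to tls12_get_sigandhash(), so a NULL slot presumably has to be rejected there; worth confirming, since both function bodies continue outside these hunks.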
+1 −1
@@ -3326,7 +3326,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        if (SSL_USE_SIGALGS(s)) {
            if (s->session && s->session->sess_cert) {
                const EVP_MD *sig;
                sig = s->session->sess_cert->peer_key->digest;
                sig = s->s3->tmp.peer_md;
                if (sig) {
                    *(int *)parg = EVP_MD_type(sig);
                    return 1;
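Review bot: `sig` is now read from `s->s3->tmp.peer_md`, but the enclosing guard still tests `s->session && s->session->sess_cert`, which no longer relates to the value being returned. Because `tmp` is connection-level handshake state rather than session state, a digest left over from an earlier handshake on the same connection would be reported here unless `peer_md` is reset when a new handshake begins; no such reset is visible on this page. I would either drop the guard or keep it with a comment saying why, and confirm that `peer_md` is set to NULL at the start of each handshake. The body of ssl3_ctrl continues outside the hunk.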
+0 −21
@@ -165,21 +165,6 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void)
    return ssl_x509_store_ctx_idx;
}

void ssl_cert_set_default_md(CERT *cert)
{
    /* Set digest values to defaults */
#ifndef OPENSSL_NO_DSA
    cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
#endif
#ifndef OPENSSL_NO_RSA
    cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
    cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
#endif
#ifndef OPENSSL_NO_EC
    cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
#endif
}

CERT *ssl_cert_new(void)
{
    CERT *ret = OPENSSL_malloc(sizeof(*ret));
@@ -192,7 +177,6 @@ CERT *ssl_cert_new(void)

    ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
    ret->references = 1;
    ssl_cert_set_default_md(ret);
    ret->sec_cb = ssl_security_default_callback;
    ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;
    ret->sec_ex = NULL;
@@ -306,11 +290,6 @@ CERT *ssl_cert_dup(CERT *cert)
    }

    ret->references = 1;
    /*
     * Set digests to defaults. NB: we don't copy existing values as they
     * will be set during handshake.
     */
    ssl_cert_set_default_md(ret);
    /* Configured sigalgs copied across */
    if (cert->conf_sigalgs) {
        ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
+1 −1
@@ -2269,7 +2269,7 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
        return (NULL);
    }
    if (pmd)
        *pmd = c->pkeys[idx].digest;
        *pmd = s->s3->tmp.md[idx];
    return c->pkeys[idx].privatekey;
}
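Review bot: `*pmd` no longer has a guaranteed default: this commit deletes ssl_cert_set_default_md(), which seeded every signing slot with `EVP_sha1()`, and `s->s3->tmp.md[idx]` is handed back here without a check. Unless `tmp.md[]` is populated elsewhere before every call (not visible on this page), a caller that signs with `*pmd` can receive NULL. I would state that in the function's contract, e.g. `/* *pmd may be NULL if no digest has been selected for this key type */`, or fail here when `pmd` is requested and the slot is empty. The start of ssl_get_sign_pkey is outside the hunk.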

+4 −3
@@ -1291,6 +1291,10 @@ typedef struct ssl3_state_st {
        unsigned char *peer_sigalgs;
        /* Size of above array */
        size_t peer_sigalgslen;
        /* Digest peer uses for signing */
        const EVP_MD *peer_md;
        /* Array of digests used for signing */
        const EVP_MD *md[SSL_PKEY_NUM];
    } tmp;

    /* Connection binding to prevent renegotiation attacks */
@@ -1439,8 +1443,6 @@ typedef struct dtls1_state_st {
typedef struct cert_pkey_st {
    X509 *x509;
    EVP_PKEY *privatekey;
    /* Digest to use when signing */
    const EVP_MD *digest;
    /* Chain for this certificate */
    STACK_OF(X509) *chain;
# ifndef OPENSSL_NO_TLSEXT
@@ -1870,7 +1872,6 @@ void ssl_clear_cipher_ctx(SSL *s);
int ssl_clear_bad_session(SSL *s);
__owur CERT *ssl_cert_new(void);
__owur CERT *ssl_cert_dup(CERT *cert);
void ssl_cert_set_default_md(CERT *cert);
void ssl_cert_clear_certs(CERT *c);
void ssl_cert_free(CERT *c);
__owur SESS_CERT *ssl_sess_cert_new(void);
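Review bot: The comment on the new `md[SSL_PKEY_NUM]` field in the `tmp` struct of `ssl3_state_st` does not say how the array is indexed or what an empty slot means. Elsewhere in this commit it is indexed by position in `cert->pkeys[]` (`s->s3->tmp.md[idx]`, `s->cert->key - s->cert->pkeys`) and a NULL entry is treated as "no suitable signature algorithm", so I would write `/* Digests to sign with, indexed like cert->pkeys[] (SSL_PKEY_*); NULL if none is usable */`. As both new fields live in `tmp`, a word on when they are reset would also help; this page does not show that. The struct definition starts outside the hunk.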