Fixed compatibility issue with libressl
maddeleine committed Nov 14, 2020
1 parent f086bf6 commit 9fca4d7
Showing 3 changed files with 12 additions and 7 deletions.
6 changes: 3 additions & 3 deletions docs/USAGE-GUIDE.md
@@ -528,14 +528,14 @@ The following chart maps the security policy version to protocol version and cip

The "default" and "default_tls13" version is special in that it will be updated with future s2n changes and ciphersuites and protocol versions may be added and removed, or their internal order of preference might change. Numbered versions are fixed and will never change.

"20160411" follows the same general preference order as "default". The main difference is it has a CBC cipher suite at the top. This is to accomodate certain Java clients that have poor GCM implementations. Users of s2n who have found GCM to be hurting performance for their clients should consider this version.
"20160411" follows the same general preference order as "default". The main difference is it has a CBC cipher suite at the top. This is to accommodate certain Java clients that have poor GCM implementations. Users of s2n who have found GCM to be hurting performance for their clients should consider this version.

"20170405" is a FIPS compliant cipher suite preference list based on approved algorithms in the [FIPS 140-2 Annex A](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf). Similarly to "20160411", this perference list has CBC cipher suites at the top to accomodate certain Java clients. Users of s2n who plan to enable FIPS mode should consider this version.
"20170405" is a FIPS compliant cipher suite preference list based on approved algorithms in the [FIPS 140-2 Annex A](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf). Similarly to "20160411", this preference list has CBC cipher suites at the top to accommodate certain Java clients. Users of s2n who plan to enable FIPS mode should consider this version.

s2n does not expose an API to control the order of preference for each ciphersuite or protocol version. s2n follows the following order:

*NOTE*: All ChaCha20-Poly1305 cipher suites will not be available if s2n is not built with an Openssl 1.1.1 libcrypto. The
underlying encrpyt/decrypt functions are not available in older versions.
underlying encrypt/decrypt functions are not available in older versions.

1. Always prefer the highest protocol version supported
2. Always use forward secrecy where possible. Prefer ECDHE over DHE.
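Review bot: the three edits in this hunk are spelling fixes in the usage guide ("accomodate" to "accommodate", "perference" to "preference", "encrpyt" to "encrypt") and have nothing to do with the libressl compatibility change named in the commit message; either split them into their own commit or mention the doc cleanup in the message so the history stays searchable. While touching these paragraphs, note that they alternate between "ciphersuite" and "cipher suite" ("ciphersuites and protocol versions may be added" versus "has a CBC cipher suite at the top"); settle on one spelling.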
2 changes: 1 addition & 1 deletion tests/unit/s2n_x509_validator_test.c
@@ -1490,10 +1490,10 @@ int main(int argc, char **argv) {
s2n_pkey_type pkey_type;
EXPECT_EQUAL(S2N_CERT_OK,
s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len, &pkey_type, &public_key_out));
s2n_stuffer_free(&chain_stuffer);
EXPECT_EQUAL(S2N_CERT_ERR_UNTRUSTED,
s2n_x509_validator_validate_certificate_signatures(&validator, connection));

s2n_stuffer_free(&chain_stuffer);
s2n_connection_free(connection);
s2n_pkey_free(&public_key_out);

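Review bot: moving s2n_stuffer_free(&chain_stuffer) to after s2n_x509_validator_validate_certificate_signatures(&validator, connection) implies the validator still holds references into the chain bytes parsed out of chain_stuffer when the signatures are checked, so the previous ordering was a use-after-free in the test that happened not to surface on every libcrypto. Add a short comment at the new free site stating that chain_stuffer must outlive the signature validation call, and consider a matching lifetime note in the documentation of s2n_x509_validator_validate_cert_chain, so a later edit does not reorder the frees again.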
11 changes: 8 additions & 3 deletions tls/s2n_x509_validator.c
@@ -586,9 +586,14 @@ S2N_RESULT s2n_is_certificate_sig_scheme_supported(struct s2n_connection *conn,
ENSURE_REF(x509_cert);
ENSURE_REF(out);

int nid = X509_get_signature_nid(x509_cert);

/* TODO: add method to differentiate between rsa_pss_pss certs and rsa_pss_rsae certs */
int nid = 0;

#if !defined(LIBRESSL_VERSION_NUMBER)
nid = X509_get_signature_nid(x509_cert);
#else
nid = OBJ_obj2nid(x509_cert->sig_alg->algorithm);
#endif

for (int i = 0; i < conn->config->security_policy->certificate_signature_preferences->count; i++) {

if (conn->config->security_policy->certificate_signature_preferences->signature_schemes[i]->libcrypto_nid == nid) {
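Review bot: neither branch rejects a failed lookup before the preference loop; X509_get_signature_nid and OBJ_obj2nid both report an unrecognised algorithm as NID_undef (0), and nid is now initialised to 0 as well, so an unknown signature algorithm enters the loop and is compared against libcrypto_nid entries like a real one. Add a check that nid != NID_undef (with whichever ENSURE form s2n uses for conditions) and take the unsupported path for that case. Two smaller points: the #else branch dereferences x509_cert->sig_alg directly, which only works because LibreSSL does not make X509 opaque, and the #if keys on the mere presence of LIBRESSL_VERSION_NUMBER, so if a later LibreSSL release adds X509_get_signature_nid this path keeps poking the struct; gating on a version threshold, if one is known, would be more robust. The existing TODO about rsa_pss_pss versus rsa_pss_rsae applies equally to both branches, since the signature-algorithm OID alone does not distinguish the two.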