summaryrefslogtreecommitdiff
path: root/lib/libssl
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2021-06-27 18:15:36 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2021-06-27 18:15:36 +0000
commiteff32d0381fafe68382da55601d445e73c70b38f (patch)
tree7fdd317bd13fb57f516d071f01428bbec6adc44f /lib/libssl
parent3b2183cf554fb7e7387b92e40cac22c06b7fc371 (diff)
Change ssl_sigalgs_from_value() to perform sigalg list selection.
Rather that passing in a sigalg list at every call site, pass in the appropriate TLS version and have ssl_sigalgs_from_value() perform the sigalg list selection itself. This allows the sigalg lists to be made internal to the sigalgs code. ok tb@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/ssl_clnt.c7
-rw-r--r--lib/libssl/ssl_sigalgs.c24
-rw-r--r--lib/libssl/ssl_sigalgs.h14
-rw-r--r--lib/libssl/ssl_srvr.c6
-rw-r--r--lib/libssl/tls13_client.c6
-rw-r--r--lib/libssl/tls13_server.c6
6 files changed, 31 insertions, 32 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index c092fe4c891..fac30b26aa7 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.100 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.101 2021/06/27 18:15:35 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1550,8 +1550,9 @@ ssl3_get_server_key_exchange(SSL *s)
if (!CBS_get_u16(&cbs, &sigalg_value))
goto decode_err;
- if ((sigalg = ssl_sigalg_from_value(sigalg_value,
- tls12_sigalgs, tls12_sigalgs_len)) == NULL) {
+ if ((sigalg = ssl_sigalg_from_value(
+ S3I(s)->hs.negotiated_tls_version,
+ sigalg_value)) == NULL) {
SSLerror(s, SSL_R_UNKNOWN_DIGEST);
al = SSL_AD_DECODE_ERROR;
goto fatal_err;
diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index 8c7f6d673a6..f2238b4fdab 100644
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.28 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.29 2021/06/27 18:15:35 jsing Exp $ */
/*
* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
*
@@ -188,12 +188,12 @@ ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
}
const struct ssl_sigalg *
-ssl_sigalg_lookup(uint16_t sigalg)
+ssl_sigalg_lookup(uint16_t value)
{
int i;
for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
- if (sigalgs[i].value == sigalg)
+ if (sigalgs[i].value == value)
return &sigalgs[i];
}
@@ -201,13 +201,17 @@ ssl_sigalg_lookup(uint16_t sigalg)
}
const struct ssl_sigalg *
-ssl_sigalg_from_value(uint16_t sigalg, const uint16_t *values, size_t len)
+ssl_sigalg_from_value(uint16_t tls_version, uint16_t value)
{
+ const uint16_t *values;
+ size_t len;
int i;
+ ssl_sigalgs_for_version(tls_version, &values, &len);
+
for (i = 0; i < len; i++) {
- if (values[i] == sigalg)
- return ssl_sigalg_lookup(sigalg);
+ if (values[i] == value)
+ return ssl_sigalg_lookup(value);
}
return NULL;
@@ -322,14 +326,14 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
*/
CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
while (CBS_len(&cbs) > 0) {
- uint16_t sig_alg;
const struct ssl_sigalg *sigalg;
+ uint16_t sigalg_value;
- if (!CBS_get_u16(&cbs, &sig_alg))
+ if (!CBS_get_u16(&cbs, &sigalg_value))
return 0;
- if ((sigalg = ssl_sigalg_from_value(sig_alg, tls_sigalgs,
- tls_sigalgs_len)) == NULL)
+ if ((sigalg = ssl_sigalg_from_value(
+ S3I(s)->hs.negotiated_tls_version, sigalg_value)) == NULL)
continue;
/* RSA cannot be used without PSS in TLSv1.3. */
diff --git a/lib/libssl/ssl_sigalgs.h b/lib/libssl/ssl_sigalgs.h
index 64cf0bb73b2..c91e66a5a9a 100644
--- a/lib/libssl/ssl_sigalgs.h
+++ b/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.19 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.20 2021/06/27 18:15:35 jsing Exp $ */
/*
* Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
*
@@ -55,7 +55,7 @@ __BEGIN_HIDDEN_DECLS
#define SIGALG_GOSTR12_256_STREEBOG_256 0xEEEE
#define SIGALG_GOSTR01_GOST94 0xEDED
-/* Legacy sigalg for < 1.2 same value as boring uses*/
+/* Legacy sigalg for < TLSv1.2 same value as BoringSSL uses. */
#define SIGALG_RSA_PKCS1_MD5_SHA1 0xFF01
#define SIGALG_FLAG_RSA_PSS 0x00000001
@@ -68,16 +68,10 @@ struct ssl_sigalg {
int flags;
};
-extern const uint16_t tls12_sigalgs[];
-extern const size_t tls12_sigalgs_len;
-extern const uint16_t tls13_sigalgs[];
-extern const size_t tls13_sigalgs_len;
-
const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
-const struct ssl_sigalg *ssl_sigalg_from_value(uint16_t sigalg,
- const uint16_t *values, size_t len);
+const struct ssl_sigalg *ssl_sigalg_from_value(uint16_t tls_version,
+ uint16_t value);
int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb);
-int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk);
int ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
int check_curve);
const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey);
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 201f600a3ee..259c6679f2c 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.113 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.114 2021/06/27 18:15:35 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2192,8 +2192,8 @@ ssl3_get_cert_verify(SSL *s)
if (!CBS_get_u16(&cbs, &sigalg_value))
goto decode_err;
- if ((sigalg = ssl_sigalg_from_value(sigalg_value,
- tls12_sigalgs, tls12_sigalgs_len)) == NULL ||
+ if ((sigalg = ssl_sigalg_from_value(
+ S3I(s)->hs.negotiated_tls_version, sigalg_value)) == NULL ||
(md = sigalg->md()) == NULL) {
SSLerror(s, SSL_R_UNKNOWN_DIGEST);
al = SSL_AD_DECODE_ERROR;
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index de9316e8d78..644b16e26c6 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.81 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.82 2021/06/27 18:15:35 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -671,8 +671,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
if (!CBS_get_u16_length_prefixed(cbs, &signature))
goto err;
- if ((sigalg = ssl_sigalg_from_value(signature_scheme,
- tls13_sigalgs, tls13_sigalgs_len)) == NULL)
+ if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version,
+ signature_scheme)) == NULL)
goto err;
if (!CBB_init(&cbb, 0))
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 8f47bdfa886..b68a2f9294a 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.79 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.80 2021/06/27 18:15:35 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -970,8 +970,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
if (!CBS_get_u16_length_prefixed(cbs, &signature))
goto err;
- if ((sigalg = ssl_sigalg_from_value(signature_scheme,
- tls13_sigalgs, tls13_sigalgs_len)) == NULL)
+ if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version,
+ signature_scheme)) == NULL)
goto err;
if (!CBB_init(&cbb, 0))