8 files changed, 93 insertions, 40 deletions

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 26755d7c03a..e9e900b6432 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.54 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.55 2019/01/23 18:39:28 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1680,7 +1680,8 @@ ssl3_get_certificate_request(SSL *s)
 			SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
 			goto err;
 		}
-		if (!tls1_process_sigalgs(s, &sigalgs)) {
+		if (!tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
+		    tls12_sigalgs_len)) {
 			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 			SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
 			goto err;
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 7fd155648c3..8447484ec7a 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.230 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.231 2019/01/23 18:39:28 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1313,7 +1313,7 @@ int tls1_process_ticket(SSL *s, const unsigned char *session_id,
     int session_id_len, CBS *ext_block, SSL_SESSION **ret);
 
 long ssl_get_algorithm2(SSL *s);
-int tls1_process_sigalgs(SSL *s, CBS *cbs);
+int tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *, size_t);
 
 int tls1_check_ec_server_key(SSL *s);
 
diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index 182ea1edaae..041e940d8e6 100644
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.13 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.14 2019/01/23 18:39:28 beck Exp $ */
 /*
- * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -163,13 +163,30 @@ const struct ssl_sigalg sigalgs[] = {
 	},
 };
 
+/* Sigalgs for tls 1.3, in preference order, */
+uint16_t tls13_sigalgs[] = {
+	SIGALG_RSA_PSS_RSAE_SHA512,
+	SIGALG_RSA_PKCS1_SHA512,
+	SIGALG_ECDSA_SECP512R1_SHA512,
+	SIGALG_RSA_PSS_RSAE_SHA384,
+	SIGALG_RSA_PKCS1_SHA384,
+	SIGALG_ECDSA_SECP384R1_SHA384,
+	SIGALG_RSA_PSS_RSAE_SHA256,
+	SIGALG_RSA_PKCS1_SHA256,
+	SIGALG_ECDSA_SECP256R1_SHA256,
+};
+size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
+
 /* Sigalgs for tls 1.2, in preference order, */
 uint16_t tls12_sigalgs[] = {
+	SIGALG_RSA_PSS_RSAE_SHA512,
 	SIGALG_RSA_PKCS1_SHA512,
 	SIGALG_ECDSA_SECP512R1_SHA512,
 	SIGALG_GOSTR12_512_STREEBOG_512,
+	SIGALG_RSA_PSS_RSAE_SHA384,
 	SIGALG_RSA_PKCS1_SHA384,
 	SIGALG_ECDSA_SECP384R1_SHA384,
+	SIGALG_RSA_PSS_RSAE_SHA256,
 	SIGALG_RSA_PKCS1_SHA256,
 	SIGALG_ECDSA_SECP256R1_SHA256,
 	SIGALG_GOSTR12_256_STREEBOG_256,
diff --git a/lib/libssl/ssl_sigalgs.h b/lib/libssl/ssl_sigalgs.h
index a45700389bc..0bc7322e17f 100644
--- a/lib/libssl/ssl_sigalgs.h
+++ b/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.10 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.11 2019/01/23 18:39:28 beck Exp $ */
 /*
  * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
  *
@@ -71,6 +71,8 @@ struct ssl_sigalg{
 
 extern uint16_t tls12_sigalgs[];
 extern size_t tls12_sigalgs_len;
+extern uint16_t tls13_sigalgs[];
+extern size_t tls13_sigalgs_len;
 
 const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
 const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len);
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index d5c30c4e736..2214a61ed3d 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.33 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.34 2019/01/23 18:39:28 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -536,8 +536,27 @@ tlsext_sigalgs_client_build(SSL *s, CBB *cbb)
 	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
 		return 0;
 
-	if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
+	switch (TLS1_get_client_version(s)) {
+	case TLS1_2_VERSION:
+		if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
+			return 0;
+		break;
+	case TLS1_3_VERSION:
+		if  (S3I(s)->hs_tls13.min_version < TLS1_3_VERSION) {
+			if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs,
+			    tls12_sigalgs_len))
+			    return 0;
+		}
+		else {
+			if (!ssl_sigalgs_build(&sigalgs, tls13_sigalgs,
+			    tls13_sigalgs_len))
+			    return 0;
+		}
+		break;
+	default:
+		/* Should not happen */
 		return 0;
+	}
 
 	if (!CBB_flush(cbb))
 		return 0;
@@ -553,7 +572,18 @@ tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert)
 	if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
 		return 0;
 
-	return tls1_process_sigalgs(s, &sigalgs);
+	switch (s->version) {
+	case TLS1_3_VERSION:
+		return tls1_process_sigalgs(s, &sigalgs, tls13_sigalgs,
+		    tls13_sigalgs_len);
+	case TLS1_2_VERSION:
+		return tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
+		    tls12_sigalgs_len);
+	default:
+		break;
+	}
+
+	return 0;
 }
 
 int
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index cde022939de..8986a0e755d 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.152 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.153 2019/01/23 18:39:28 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1002,11 +1002,12 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
 
 /* Set preferred digest for each key type */
 int
-tls1_process_sigalgs(SSL *s, CBS *cbs)
+tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *sigalgs, size_t sigalgs_len)
 {
 	CERT *c = s->cert;
 
 	/* Extension ignored for inappropriate versions */
+	/* XXX get rid of this? */
 	if (!SSL_USE_SIGALGS(s))
 		return 1;
 
@@ -1023,9 +1024,8 @@ tls1_process_sigalgs(SSL *s, CBS *cbs)
 		if (!CBS_get_u16(cbs, &sig_alg))
 			return 0;
 
-		if ((sigalg = ssl_sigalg(sig_alg, tls12_sigalgs,
-		    tls12_sigalgs_len)) != NULL &&
-		    c->pkeys[sigalg->pkey_idx].sigalg == NULL) {
+		if ((sigalg = ssl_sigalg(sig_alg, sigalgs, sigalgs_len)) !=
+		    NULL && c->pkeys[sigalg->pkey_idx].sigalg == NULL) {
 			c->pkeys[sigalg->pkey_idx].sigalg = sigalg;
 			if (sigalg->pkey_idx == SSL_PKEY_RSA_SIGN)
 				c->pkeys[SSL_PKEY_RSA_ENC].sigalg = sigalg;
diff --git a/regress/lib/libssl/client/clienttest.c b/regress/lib/libssl/client/clienttest.c
index cb45dc583c4..25a8790e61e 100644
--- a/regress/lib/libssl/client/clienttest.c
+++ b/regress/lib/libssl/client/clienttest.c
@@ -141,15 +141,15 @@ static unsigned char cipher_list_tls12_chacha[] = {
 };
 
 static unsigned char client_hello_tls12[] = {
-	0x16, 0x03, 0x01, 0x00, 0xbf, 0x01, 0x00, 0x00,
-	0xbb, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x5c, 0xcc, 0xa9,
-	0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c,
-	0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a,
-	0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 0xff, 0x85,
+	0x16, 0x03, 0x01, 0x00, 0xc5, 0x01, 0x00, 0x00,
+	0xc1, 0x03, 0x03, 0xc9, 0xf9, 0x1f, 0x05, 0xaf,
+	0x61, 0xd7, 0xe7, 0x84, 0xd1, 0x1c, 0x6f, 0x79,
+	0x32, 0x04, 0x8e, 0x5c, 0xe3, 0x18, 0x5a, 0x85,
+	0xee, 0x44, 0xe1, 0xca, 0x32, 0xce, 0x07, 0xd3,
+	0xdb, 0x0f, 0x91, 0x00, 0x00, 0x5c, 0xc0, 0x30,
+	0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
+	0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
+	0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xff, 0x85,
 	0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d,
 	0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84,
 	0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23,
@@ -158,14 +158,15 @@ static unsigned char client_hello_tls12[] = {
 	0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41,
 	0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0x00, 0x04,
 	0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a,
-	0x00, 0xff, 0x01, 0x00, 0x00, 0x36, 0x00, 0x0b,
+	0x00, 0xff, 0x01, 0x00, 0x00, 0x3c, 0x00, 0x0b,
 	0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08,
 	0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
-	0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x1c,
-	0x00, 0x1a, 0x06, 0x01, 0x06, 0x03, 0xef, 0xef,
-	0x05, 0x01, 0x05, 0x03, 0x04, 0x01, 0x04, 0x03,
-	0xee, 0xee, 0xed, 0xed, 0x03, 0x01, 0x03, 0x03,
-	0x02, 0x01, 0x02, 0x03,
+	0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x22,
+	0x00, 0x20, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
+	0xef, 0xef, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03,
+	0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0xee, 0xee,
+	0xed, 0xed, 0x03, 0x01, 0x03, 0x03, 0x02, 0x01,
+	0x02, 0x03,
 };
 
 struct client_hello_test {
diff --git a/regress/lib/libssl/tlsext/tlsexttest.c b/regress/lib/libssl/tlsext/tlsexttest.c
index 5689a1c29e5..32895a49add 100644
--- a/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.24 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.25 2019/01/23 18:39:28 beck Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1505,10 +1505,11 @@ test_tlsext_ri_server(void)
  */
 
 static unsigned char tlsext_sigalgs_client[] = {
-	0x00, 0x1a, 0x06, 0x01, 0x06, 0x03, 0xef, 0xef,
-	0x05, 0x01, 0x05, 0x03, 0x04, 0x01, 0x04, 0x03,
-	0xee, 0xee, 0xed, 0xed, 0x03, 0x01, 0x03, 0x03,
-	0x02, 0x01, 0x02, 0x03,
+	0x00, 0x20, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
+	0xef, 0xef, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03,
+	0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0xee, 0xee,
+	0xed, 0xed, 0x03, 0x01, 0x03, 0x03, 0x02, 0x01,
+	0x02, 0x03,
 };
 
 static int
@@ -2732,13 +2733,14 @@ test_tlsext_srtp_server(void)
 #endif /* OPENSSL_NO_SRTP */
 
 unsigned char tlsext_clienthello_default[] = {
-	0x00, 0x36, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
+	0x00, 0x3c, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
 	0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d,
 	0x00, 0x17, 0x00, 0x18, 0x00, 0x23, 0x00, 0x00,
-	0x00, 0x0d, 0x00, 0x1c, 0x00, 0x1a, 0x06, 0x01,
-	0x06, 0x03, 0xef, 0xef, 0x05, 0x01, 0x05, 0x03,
-	0x04, 0x01, 0x04, 0x03, 0xee, 0xee, 0xed, 0xed,
-	0x03, 0x01, 0x03, 0x03, 0x02, 0x01, 0x02, 0x03,
+	0x00, 0x0d, 0x00, 0x22, 0x00, 0x20, 0x08, 0x06,
+	0x06, 0x01, 0x06, 0x03, 0xef, 0xef, 0x08, 0x05,
+	0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01,
+	0x04, 0x03, 0xee, 0xee, 0xed, 0xed, 0x03, 0x01,
+	0x03, 0x03, 0x02, 0x01, 0x02, 0x03,
 };
 
 unsigned char tlsext_clienthello_disabled[] = {};