summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/libssl/ssl_sigalgs.c40
-rw-r--r--lib/libssl/ssl_sigalgs.h7
-rw-r--r--lib/libssl/ssl_srvr.c4
-rw-r--r--lib/libssl/ssl_tlsext.c4
4 files changed, 43 insertions, 12 deletions
diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index d214b0dbbf0..fe10965feb3 100644
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.1 2018/11/09 00:34:55 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.2 2018/11/09 05:02:53 beck Exp $ */
/*
* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
*
@@ -24,7 +24,6 @@
#include "ssl_sigalgs.h"
#include "tls13_internal.h"
-/* This table must be kept in preference order for now */
const struct ssl_sigalg sigalgs[] = {
{
.value = SIGALG_RSA_PKCS1_SHA512,
@@ -157,6 +156,24 @@ const struct ssl_sigalg sigalgs[] = {
},
};
+/* Sigalgs for tls 1.2, in preference order, */
+uint16_t tls12_sigalgs[] = {
+ SIGALG_RSA_PKCS1_SHA512,
+ SIGALG_ECDSA_SECP512R1_SHA512,
+ SIGALG_GOSTR12_512_STREEBOG_512,
+ SIGALG_RSA_PKCS1_SHA384,
+ SIGALG_ECDSA_SECP384R1_SHA384,
+ SIGALG_RSA_PKCS1_SHA256,
+ SIGALG_ECDSA_SECP256R1_SHA256,
+ SIGALG_GOSTR12_256_STREEBOG_256,
+ SIGALG_GOSTR01_GOST94,
+ SIGALG_RSA_PKCS1_SHA224,
+ SIGALG_ECDSA_SECP224R1_SHA224,
+ SIGALG_RSA_PKCS1_SHA1, /* XXX */
+ SIGALG_ECDSA_SHA1, /* XXX */
+};
+size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
+
const struct ssl_sigalg *
ssl_sigalg_lookup(uint16_t sigalg)
{
@@ -206,12 +223,23 @@ ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md)
}
int
-ssl_sigalgs_build(CBB *cbb)
+ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len)
{
- int i;
+ const struct ssl_sigalg *sap;
+ size_t i;
- for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
- if (!CBB_add_u16(cbb, sigalgs[i].value))
+ for (i = 0; sigalgs[i].value != SIGALG_NONE; i++);
+ if (len > i)
+ return 0;
+
+ /* XXX check for duplicates and other sanity BS? */
+
+ /* Add values in order as long as they are supported. */
+ for (i = 0; i < len; i++) {
+ if ((sap = ssl_sigalg_lookup(values[i])) != NULL) {
+ if (!CBB_add_u16(cbb, values[i]))
+ return 0;
+ } else
return 0;
}
return 1;
diff --git a/lib/libssl/ssl_sigalgs.h b/lib/libssl/ssl_sigalgs.h
index a73c398e582..629213e7614 100644
--- a/lib/libssl/ssl_sigalgs.h
+++ b/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.2 2018/11/09 03:17:04 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.3 2018/11/09 05:02:53 beck Exp $ */
/*
* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
*
@@ -66,10 +66,13 @@ struct ssl_sigalg{
int flags;
};
+extern uint16_t tls12_sigalgs[];
+extern size_t tls12_sigalgs_len;
+
const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
const EVP_MD * ssl_sigalg_md(uint16_t sigalg);
uint16_t ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md);
-int ssl_sigalgs_build(CBB *cbb);
+int ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len);
int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk);
__END_HIDDEN_DECLS
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 0d822713255..59d560d06da 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.52 2018/11/09 00:34:55 beck Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.53 2018/11/09 05:02:53 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1635,7 +1635,7 @@ ssl3_send_certificate_request(SSL *s)
if (SSL_USE_SIGALGS(s)) {
if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs))
goto err;
- if (!ssl_sigalgs_build(&sigalgs))
+ if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
goto err;
}
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index dc844998a3c..755bbff7951 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.25 2018/11/09 00:34:55 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.26 2018/11/09 05:02:53 beck Exp $ */
/*
* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -534,7 +534,7 @@ tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb)
if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
return 0;
- if (!ssl_sigalgs_build(&sigalgs))
+ if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
return 0;
if (!CBB_flush(cbb))