diff options
-rw-r--r-- | lib/libssl/ssl_sigalgs.c | 40 | ||||
-rw-r--r-- | lib/libssl/ssl_sigalgs.h | 7 | ||||
-rw-r--r-- | lib/libssl/ssl_srvr.c | 4 | ||||
-rw-r--r-- | lib/libssl/ssl_tlsext.c | 4 |
4 files changed, 43 insertions, 12 deletions
diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c index d214b0dbbf0..fe10965feb3 100644 --- a/lib/libssl/ssl_sigalgs.c +++ b/lib/libssl/ssl_sigalgs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.c,v 1.1 2018/11/09 00:34:55 beck Exp $ */ +/* $OpenBSD: ssl_sigalgs.c,v 1.2 2018/11/09 05:02:53 beck Exp $ */ /* * Copyright (c) 2018, Bob Beck <beck@openbsd.org> * @@ -24,7 +24,6 @@ #include "ssl_sigalgs.h" #include "tls13_internal.h" -/* This table must be kept in preference order for now */ const struct ssl_sigalg sigalgs[] = { { .value = SIGALG_RSA_PKCS1_SHA512, @@ -157,6 +156,24 @@ const struct ssl_sigalg sigalgs[] = { }, }; +/* Sigalgs for tls 1.2, in preference order, */ +uint16_t tls12_sigalgs[] = { + SIGALG_RSA_PKCS1_SHA512, + SIGALG_ECDSA_SECP512R1_SHA512, + SIGALG_GOSTR12_512_STREEBOG_512, + SIGALG_RSA_PKCS1_SHA384, + SIGALG_ECDSA_SECP384R1_SHA384, + SIGALG_RSA_PKCS1_SHA256, + SIGALG_ECDSA_SECP256R1_SHA256, + SIGALG_GOSTR12_256_STREEBOG_256, + SIGALG_GOSTR01_GOST94, + SIGALG_RSA_PKCS1_SHA224, + SIGALG_ECDSA_SECP224R1_SHA224, + SIGALG_RSA_PKCS1_SHA1, /* XXX */ + SIGALG_ECDSA_SHA1, /* XXX */ +}; +size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0])); + const struct ssl_sigalg * ssl_sigalg_lookup(uint16_t sigalg) { @@ -206,12 +223,23 @@ ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md) } int -ssl_sigalgs_build(CBB *cbb) +ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len) { - int i; + const struct ssl_sigalg *sap; + size_t i; - for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) { - if (!CBB_add_u16(cbb, sigalgs[i].value)) + for (i = 0; sigalgs[i].value != SIGALG_NONE; i++); + if (len > i) + return 0; + + /* XXX check for duplicates and other sanity BS? */ + + /* Add values in order as long as they are supported. */ + for (i = 0; i < len; i++) { + if ((sap = ssl_sigalg_lookup(values[i])) != NULL) { + if (!CBB_add_u16(cbb, values[i])) + return 0; + } else return 0; } return 1; diff --git a/lib/libssl/ssl_sigalgs.h b/lib/libssl/ssl_sigalgs.h index a73c398e582..629213e7614 100644 --- a/lib/libssl/ssl_sigalgs.h +++ b/lib/libssl/ssl_sigalgs.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.h,v 1.2 2018/11/09 03:17:04 jsing Exp $ */ +/* $OpenBSD: ssl_sigalgs.h,v 1.3 2018/11/09 05:02:53 beck Exp $ */ /* * Copyright (c) 2018, Bob Beck <beck@openbsd.org> * @@ -66,10 +66,13 @@ struct ssl_sigalg{ int flags; }; +extern uint16_t tls12_sigalgs[]; +extern size_t tls12_sigalgs_len; + const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg); const EVP_MD * ssl_sigalg_md(uint16_t sigalg); uint16_t ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md); -int ssl_sigalgs_build(CBB *cbb); +int ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len); int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk); __END_HIDDEN_DECLS diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index 0d822713255..59d560d06da 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.52 2018/11/09 00:34:55 beck Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.53 2018/11/09 05:02:53 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1635,7 +1635,7 @@ ssl3_send_certificate_request(SSL *s) if (SSL_USE_SIGALGS(s)) { if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs)) goto err; - if (!ssl_sigalgs_build(&sigalgs)) + if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len)) goto err; } diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c index dc844998a3c..755bbff7951 100644 --- a/lib/libssl/ssl_tlsext.c +++ b/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.25 2018/11/09 00:34:55 beck Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.26 2018/11/09 05:02:53 beck Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> @@ -534,7 +534,7 @@ tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) return 0; - if (!ssl_sigalgs_build(&sigalgs)) + if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len)) return 0; if (!CBB_flush(cbb)) |