Add sigalgs for server side to enable client certificate processing

in tls 1.3 Will be used in a follow on commit to enable tls1.3 client certificates ok jsing@
author: beck <> 2020-01-26 03:29:30 +0000
committer: beck <> 2020-01-26 03:29:30 +0000
commit: 89679d895f206c75ed0b76413abe14207f0b3b8a (patch)
tree: 00bf7e221146da0b71f25da0c1bb8629d7c3b2c3
parent: a2c0070fb94eac5f6c4488396abc1d7d83b48f5b (diff)
download: openbsd-89679d895f206c75ed0b76413abe14207f0b3b8a.tar.gz
openbsd-89679d895f206c75ed0b76413abe14207f0b3b8a.tar.bz2
openbsd-89679d895f206c75ed0b76413abe14207f0b3b8a.zip
1 files changed, 34 insertions, 5 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 24f2bd5022..5cebd1d630 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.56 2020/01/25 12:37:06 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.57 2020/01/26 03:29:30 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -571,20 +571,49 @@ tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert)
 int
 tlsext_sigalgs_server_needs(SSL *s)
 {
-        return 0;
+        return (s->version >= TLS1_3_VERSION);
 }
 int
 tlsext_sigalgs_server_build(SSL *s, CBB *cbb)
 {
-        return 0;
+        uint16_t *tls_sigalgs = tls12_sigalgs;
+        size_t tls_sigalgs_len = tls12_sigalgs_len;
+        CBB sigalgs;
+        if (s->version >= TLS1_3_VERSION) {
+                tls_sigalgs = tls13_sigalgs;
+                tls_sigalgs_len = tls13_sigalgs_len;
+        }
+        if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
+                return 0;
+        if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len))
+                return 0;
+        if (!CBB_flush(cbb))
+                return 0;
+        return 1;
 }
 int
 tlsext_sigalgs_client_parse(SSL *s, CBS *cbs, int *alert)
 {
-        /* As per the RFC, servers must not send this extension. */
+        CBS sigalgs;
-        return 0;
+        if (s->version < TLS1_3_VERSION)
+                return 0;
+        if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
+                return 0;
+        if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
+                return 0;
+        if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len))
+                return 0;
+        return 1;
 }
 /*
author	beck <>	2020-01-26 03:29:30 +0000
committer	beck <>	2020-01-26 03:29:30 +0000
commit	89679d895f206c75ed0b76413abe14207f0b3b8a (patch)
tree	00bf7e221146da0b71f25da0c1bb8629d7c3b2c3
parent	a2c0070fb94eac5f6c4488396abc1d7d83b48f5b (diff)
download	openbsd-89679d895f206c75ed0b76413abe14207f0b3b8a.tar.gz openbsd-89679d895f206c75ed0b76413abe14207f0b3b8a.tar.bz2 openbsd-89679d895f206c75ed0b76413abe14207f0b3b8a.zip

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 24f2bd5022..5cebd1d630 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.56 2020/01/25 12:37:06 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.57 2020/01/26 03:29:30 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -571,20 +571,49 @@ tlsext_sigalgs_server_parse(SSL s, CBS cbs, int *alert)
571	int	571	int
572	tlsext_sigalgs_server_needs(SSL *s)	572	tlsext_sigalgs_server_needs(SSL *s)
573	{	573	{
574	return 0;	574	return (s->version >= TLS1_3_VERSION);
575	}	575	}
576		576
577	int	577	int
578	tlsext_sigalgs_server_build(SSL s, CBB cbb)	578	tlsext_sigalgs_server_build(SSL s, CBB cbb)
579	{	579	{
580	return 0;	580	uint16_t *tls_sigalgs = tls12_sigalgs;
		581	size_t tls_sigalgs_len = tls12_sigalgs_len;
		582	CBB sigalgs;
		583
		584	if (s->version >= TLS1_3_VERSION) {
		585	tls_sigalgs = tls13_sigalgs;
		586	tls_sigalgs_len = tls13_sigalgs_len;
		587	}
		588
		589	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
		590	return 0;
		591
		592	if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len))
		593	return 0;
		594
		595	if (!CBB_flush(cbb))
		596	return 0;
		597
		598	return 1;
581	}	599	}
582		600
583	int	601	int
584	tlsext_sigalgs_client_parse(SSL s, CBS cbs, int *alert)	602	tlsext_sigalgs_client_parse(SSL s, CBS cbs, int *alert)
585	{	603	{
586	/* As per the RFC, servers must not send this extension. */	604	CBS sigalgs;
587	return 0;	605
		606	if (s->version < TLS1_3_VERSION)
		607	return 0;
		608
		609	if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
		610	return 0;
		611	if (CBS_len(&sigalgs) % 2 != 0 \|\| CBS_len(&sigalgs) > 64)
		612	return 0;
		613	if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len))
		614	return 0;
		615
		616	return 1;
588	}	617	}
589		618
590	/*	619	/*