Change ssl_sigalgs_from_value() to perform sigalg list selection.

Rather that passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.

ok tb@

6 files changed, 31 insertions, 32 deletions

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index c092fe4c89..fac30b26aa 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.100 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.101 2021/06/27 18:15:35 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1550,8 +1550,9 @@ ssl3_get_server_key_exchange(SSL *s)
 
                         if (!CBS_get_u16(&cbs, &sigalg_value))
                                 goto decode_err;
-                        if ((sigalg = ssl_sigalg_from_value(sigalg_value,
-                            tls12_sigalgs, tls12_sigalgs_len)) == NULL) {
+                        if ((sigalg = ssl_sigalg_from_value(
+                            S3I(s)->hs.negotiated_tls_version,
+                            sigalg_value)) == NULL) {
                                 SSLerror(s, SSL_R_UNKNOWN_DIGEST);
                                 al = SSL_AD_DECODE_ERROR;
                                 goto fatal_err;
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 8c7f6d673a..f2238b4fda 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.28 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.29 2021/06/27 18:15:35 jsing Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
  *
@@ -188,12 +188,12 @@ ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
 }
 
 const struct ssl_sigalg *
-ssl_sigalg_lookup(uint16_t sigalg)
+ssl_sigalg_lookup(uint16_t value)
 {
         int i;
 
         for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
-                if (sigalgs[i].value == sigalg)
+                if (sigalgs[i].value == value)
                         return &sigalgs[i];
         }
 
@@ -201,13 +201,17 @@ ssl_sigalg_lookup(uint16_t sigalg)
 }
 
 const struct ssl_sigalg *
-ssl_sigalg_from_value(uint16_t sigalg, const uint16_t *values, size_t len)
+ssl_sigalg_from_value(uint16_t tls_version, uint16_t value)
 {
+        const uint16_t *values;
+        size_t len;
         int i;
 
+        ssl_sigalgs_for_version(tls_version, &values, &len);
+
         for (i = 0; i < len; i++) {
-                if (values[i] == sigalg)
-                        return ssl_sigalg_lookup(sigalg);
+                if (values[i] == value)
+                        return ssl_sigalg_lookup(value);
         }
 
         return NULL;
@@ -322,14 +326,14 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
          */
         CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
         while (CBS_len(&cbs) > 0) {
-                uint16_t sig_alg;
                 const struct ssl_sigalg *sigalg;
+                uint16_t sigalg_value;
 
-                if (!CBS_get_u16(&cbs, &sig_alg))
+                if (!CBS_get_u16(&cbs, &sigalg_value))
                         return 0;
 
-                if ((sigalg = ssl_sigalg_from_value(sig_alg, tls_sigalgs,
-                    tls_sigalgs_len)) == NULL)
+                if ((sigalg = ssl_sigalg_from_value(
+                    S3I(s)->hs.negotiated_tls_version, sigalg_value)) == NULL)
                         continue;
 
                 /* RSA cannot be used without PSS in TLSv1.3. */
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index 64cf0bb73b..c91e66a5a9 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.19 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.20 2021/06/27 18:15:35 jsing Exp $ */
 /*
  * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
  *
@@ -55,7 +55,7 @@ __BEGIN_HIDDEN_DECLS
 #define SIGALG_GOSTR12_256_STREEBOG_256 0xEEEE
 #define SIGALG_GOSTR01_GOST94           0xEDED
 
-/* Legacy sigalg for < 1.2 same value as boring uses*/
+/* Legacy sigalg for < TLSv1.2 same value as BoringSSL uses. */
 #define SIGALG_RSA_PKCS1_MD5_SHA1       0xFF01
 
 #define SIGALG_FLAG_RSA_PSS     0x00000001
@@ -68,16 +68,10 @@ struct ssl_sigalg {
         int flags;
 };
 
-extern const uint16_t tls12_sigalgs[];
-extern const size_t tls12_sigalgs_len;
-extern const uint16_t tls13_sigalgs[];
-extern const size_t tls13_sigalgs_len;
-
 const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
-const struct ssl_sigalg *ssl_sigalg_from_value(uint16_t sigalg,
-    const uint16_t *values, size_t len);
+const struct ssl_sigalg *ssl_sigalg_from_value(uint16_t tls_version,
+    uint16_t value);
 int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb);
-int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk);
 int ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
     int check_curve);
 const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 201f600a3e..259c6679f2 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.113 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.114 2021/06/27 18:15:35 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2192,8 +2192,8 @@ ssl3_get_cert_verify(SSL *s)
 
                 if (!CBS_get_u16(&cbs, &sigalg_value))
                         goto decode_err;
-                if ((sigalg = ssl_sigalg_from_value(sigalg_value,
-                    tls12_sigalgs, tls12_sigalgs_len)) == NULL ||
+                if ((sigalg = ssl_sigalg_from_value(
+                    S3I(s)->hs.negotiated_tls_version, sigalg_value)) == NULL ||
                     (md = sigalg->md()) == NULL) {
                         SSLerror(s, SSL_R_UNKNOWN_DIGEST);
                         al = SSL_AD_DECODE_ERROR;
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index de9316e8d7..644b16e26c 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.81 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.82 2021/06/27 18:15:35 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -671,8 +671,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
         if (!CBS_get_u16_length_prefixed(cbs, &signature))
                 goto err;
 
-        if ((sigalg = ssl_sigalg_from_value(signature_scheme,
-            tls13_sigalgs, tls13_sigalgs_len)) == NULL)
+        if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version,
+            signature_scheme)) == NULL)
                 goto err;
 
         if (!CBB_init(&cbb, 0))
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 8f47bdfa88..b68a2f9294 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.79 2021/06/27 18:09:07 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.80 2021/06/27 18:15:35 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -970,8 +970,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
         if (!CBS_get_u16_length_prefixed(cbs, &signature))
                 goto err;
 
-        if ((sigalg = ssl_sigalg_from_value(signature_scheme,
-            tls13_sigalgs, tls13_sigalgs_len)) == NULL)
+        if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version,
+            signature_scheme)) == NULL)
                 goto err;
 
         if (!CBB_init(&cbb, 0))