Provide a ssl_sigalg_for_peer() function and use in the TLSv1.3 code.

Provide an ssl_sigalg_for_peer() function that knows how to figure out
which signature algorithm should be used for a peer provided signature,
performing appropriate validation to ensure that the peer provided value
is suitable for the protocol version and key in use.

In the TLSv1.3 code, this replaces the need for separate calls to lookup
the sigalg from the peer provided value, then perform validation.

ok inoguchi@ tb@

4 files changed, 33 insertions, 15 deletions

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index bd896c829b..28d1d36b85 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,6 +1,7 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.32 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.33 2021/06/29 19:20:39 jsing Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +15,7 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
+
 #include <string.h>
 #include <stdlib.h>
 
@@ -326,7 +328,6 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
                 if ((sigalg = ssl_sigalg_from_value(
                     S3I(s)->hs.negotiated_tls_version, sigalg_value)) == NULL)
                         continue;
-
                 if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
                         return sigalg;
         }
@@ -334,3 +335,24 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
         SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
         return NULL;
 }
+
+const struct ssl_sigalg *
+ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
+{
+        const struct ssl_sigalg *sigalg;
+
+        if (!SSL_USE_SIGALGS(s))
+                return ssl_sigalg_for_legacy(s, pkey);
+
+        if ((sigalg = ssl_sigalg_from_value(S3I(s)->hs.negotiated_tls_version,
+            sigalg_value)) == NULL) {
+                SSLerror(s, SSL_R_UNKNOWN_DIGEST);
+                return (NULL);
+        }
+        if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
+                SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
+                return (NULL);
+        }
+
+        return sigalg;
+}
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index 6905bba060..dffa0e0158 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.21 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.22 2021/06/29 19:20:39 jsing Exp $ */
 /*
  * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
  *
@@ -75,6 +75,8 @@ int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb);
 int ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg,
     EVP_PKEY *pkey);
 const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey);
+const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey,
+    uint16_t sigalg_value);
 
 __END_HIDDEN_DECLS
 
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index dd9a5b1606..62c5174490 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.85 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.86 2021/06/29 19:20:39 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -680,10 +680,6 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
         if (!CBS_get_u16_length_prefixed(cbs, &signature))
                 goto err;
 
-        if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version,
-            signature_scheme)) == NULL)
-                goto err;
-
         if (!CBB_init(&cbb, 0))
                 goto err;
         if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
@@ -704,7 +700,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
                 goto err;
         if ((pkey = X509_get0_pubkey(cert)) == NULL)
                 goto err;
-        if (!ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey))
+        if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
+            signature_scheme)) == NULL)
                 goto err;
         ctx->hs->peer_sigalg = sigalg;
 
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index c3d4ca9bd8..ff410fbb34 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.82 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.83 2021/06/29 19:20:39 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -970,10 +970,6 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
         if (!CBS_get_u16_length_prefixed(cbs, &signature))
                 goto err;
 
-        if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version,
-            signature_scheme)) == NULL)
-                goto err;
-
         if (!CBB_init(&cbb, 0))
                 goto err;
         if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
@@ -994,7 +990,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
                 goto err;
         if ((pkey = X509_get0_pubkey(cert)) == NULL)
                 goto err;
-        if (!ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey))
+        if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
+            signature_scheme)) == NULL)
                 goto err;
         ctx->hs->peer_sigalg = sigalg;