Add check function to verify that pkey is usable with a sigalg.

Include check for appropriate RSA key size when used with PSS. ok tb@
author: beck <> 2018-11-11 21:54:47 +0000
committer: beck <> 2018-11-11 21:54:47 +0000
commit: c211b60ba408365c17d7fbd5fe3855d2a30de266 (patch)
tree: 0cdd1c2782b8d6a68cb8c13faf997369c97af830 /src/lib/libssl/ssl_sigalgs.c
parent: 8a99f7096d5d13dfe9e814a08cb0a206eb8d0bbc (diff)
download: openbsd-c211b60ba408365c17d7fbd5fe3855d2a30de266.tar.gz
openbsd-c211b60ba408365c17d7fbd5fe3855d2a30de266.tar.bz2
openbsd-c211b60ba408365c17d7fbd5fe3855d2a30de266.zip
1 files changed, 17 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 5dc261810b..a6c5a4e9d8 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.6 2018/11/11 02:03:23 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.7 2018/11/11 21:54:47 beck Exp $ */
 /*
 * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
 *
@@ -225,3 +225,19 @@ ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len)
        }
        return 1;
 }
+int
+ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
+{
+        if (sigalg->key_type == pkey->type) {
+                if (!(sigalg->flags & SIGALG_FLAG_RSA_PSS))
+                        return 1;
+                /*
+                 * RSA keys for PSS need to be at least
+                 * as big as twice the size of the hash + 2
+                 */
+                if (EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
+                        return 1;
+        }
+        return 0;
+}
author	beck <>	2018-11-11 21:54:47 +0000
committer	beck <>	2018-11-11 21:54:47 +0000
commit	c211b60ba408365c17d7fbd5fe3855d2a30de266 (patch)
tree	0cdd1c2782b8d6a68cb8c13faf997369c97af830 /src/lib/libssl/ssl_sigalgs.c
parent	8a99f7096d5d13dfe9e814a08cb0a206eb8d0bbc (diff)
download	openbsd-c211b60ba408365c17d7fbd5fe3855d2a30de266.tar.gz openbsd-c211b60ba408365c17d7fbd5fe3855d2a30de266.tar.bz2 openbsd-c211b60ba408365c17d7fbd5fe3855d2a30de266.zip

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c index 5dc261810b..a6c5a4e9d8 100644 --- a/src/lib/libssl/ssl_sigalgs.c +++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_sigalgs.c,v 1.6 2018/11/11 02:03:23 beck Exp $ */	1	/* $OpenBSD: ssl_sigalgs.c,v 1.7 2018/11/11 21:54:47 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -225,3 +225,19 @@ ssl_sigalgs_build(CBB cbb, uint16_t values, size_t len)
225	}	225	}
226	return 1;	226	return 1;
227	}	227	}
		228
		229	int
		230	ssl_sigalg_pkey_ok(const struct ssl_sigalg sigalg, EVP_PKEY pkey)
		231	{
		232	if (sigalg->key_type == pkey->type) {
		233	if (!(sigalg->flags & SIGALG_FLAG_RSA_PSS))
		234	return 1;
		235	/*
		236	* RSA keys for PSS need to be at least
		237	* as big as twice the size of the hash + 2
		238	*/
		239	if (EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
		240	return 1;
		241	}
		242	return 0;
		243	}