diff options
| author | beck <> | 2018-11-09 05:02:53 +0000 |
|---|---|---|
| committer | beck <> | 2018-11-09 05:02:53 +0000 |
| commit | ca33c3ff0591d66dce8114d7a819cbcf44516dd0 (patch) | |
| tree | a10a843f3ef55dc5fa5b4e06a3ab7054c9e50d81 /src/lib/libssl/ssl_sigalgs.c | |
| parent | a372ad90b16c412b47d7dc8e6799b05c43f5ad5e (diff) | |
| download | openbsd-ca33c3ff0591d66dce8114d7a819cbcf44516dd0.tar.gz openbsd-ca33c3ff0591d66dce8114d7a819cbcf44516dd0.tar.bz2 openbsd-ca33c3ff0591d66dce8114d7a819cbcf44516dd0.zip | |
Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@
Diffstat (limited to 'src/lib/libssl/ssl_sigalgs.c')
| -rw-r--r-- | src/lib/libssl/ssl_sigalgs.c | 40 |
1 files changed, 34 insertions, 6 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c index d214b0dbbf..fe10965feb 100644 --- a/src/lib/libssl/ssl_sigalgs.c +++ b/src/lib/libssl/ssl_sigalgs.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_sigalgs.c,v 1.1 2018/11/09 00:34:55 beck Exp $ */ | 1 | /* $OpenBSD: ssl_sigalgs.c,v 1.2 2018/11/09 05:02:53 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2018, Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -24,7 +24,6 @@ | |||
| 24 | #include "ssl_sigalgs.h" | 24 | #include "ssl_sigalgs.h" |
| 25 | #include "tls13_internal.h" | 25 | #include "tls13_internal.h" |
| 26 | 26 | ||
| 27 | /* This table must be kept in preference order for now */ | ||
| 28 | const struct ssl_sigalg sigalgs[] = { | 27 | const struct ssl_sigalg sigalgs[] = { |
| 29 | { | 28 | { |
| 30 | .value = SIGALG_RSA_PKCS1_SHA512, | 29 | .value = SIGALG_RSA_PKCS1_SHA512, |
| @@ -157,6 +156,24 @@ const struct ssl_sigalg sigalgs[] = { | |||
| 157 | }, | 156 | }, |
| 158 | }; | 157 | }; |
| 159 | 158 | ||
| 159 | /* Sigalgs for tls 1.2, in preference order, */ | ||
| 160 | uint16_t tls12_sigalgs[] = { | ||
| 161 | SIGALG_RSA_PKCS1_SHA512, | ||
| 162 | SIGALG_ECDSA_SECP512R1_SHA512, | ||
| 163 | SIGALG_GOSTR12_512_STREEBOG_512, | ||
| 164 | SIGALG_RSA_PKCS1_SHA384, | ||
| 165 | SIGALG_ECDSA_SECP384R1_SHA384, | ||
| 166 | SIGALG_RSA_PKCS1_SHA256, | ||
| 167 | SIGALG_ECDSA_SECP256R1_SHA256, | ||
| 168 | SIGALG_GOSTR12_256_STREEBOG_256, | ||
| 169 | SIGALG_GOSTR01_GOST94, | ||
| 170 | SIGALG_RSA_PKCS1_SHA224, | ||
| 171 | SIGALG_ECDSA_SECP224R1_SHA224, | ||
| 172 | SIGALG_RSA_PKCS1_SHA1, /* XXX */ | ||
| 173 | SIGALG_ECDSA_SHA1, /* XXX */ | ||
| 174 | }; | ||
| 175 | size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0])); | ||
| 176 | |||
| 160 | const struct ssl_sigalg * | 177 | const struct ssl_sigalg * |
| 161 | ssl_sigalg_lookup(uint16_t sigalg) | 178 | ssl_sigalg_lookup(uint16_t sigalg) |
| 162 | { | 179 | { |
| @@ -206,12 +223,23 @@ ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md) | |||
| 206 | } | 223 | } |
| 207 | 224 | ||
| 208 | int | 225 | int |
| 209 | ssl_sigalgs_build(CBB *cbb) | 226 | ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len) |
| 210 | { | 227 | { |
| 211 | int i; | 228 | const struct ssl_sigalg *sap; |
| 229 | size_t i; | ||
| 212 | 230 | ||
| 213 | for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) { | 231 | for (i = 0; sigalgs[i].value != SIGALG_NONE; i++); |
| 214 | if (!CBB_add_u16(cbb, sigalgs[i].value)) | 232 | if (len > i) |
| 233 | return 0; | ||
| 234 | |||
| 235 | /* XXX check for duplicates and other sanity BS? */ | ||
| 236 | |||
| 237 | /* Add values in order as long as they are supported. */ | ||
| 238 | for (i = 0; i < len; i++) { | ||
| 239 | if ((sap = ssl_sigalg_lookup(values[i])) != NULL) { | ||
| 240 | if (!CBB_add_u16(cbb, values[i])) | ||
| 241 | return 0; | ||
| 242 | } else | ||
| 215 | return 0; | 243 | return 0; |
| 216 | } | 244 | } |
| 217 | return 1; | 245 | return 1; |