diff options
| author | jsing <> | 2021-06-29 19:20:39 +0000 |
|---|---|---|
| committer | jsing <> | 2021-06-29 19:20:39 +0000 |
| commit | d8bbfb5c853f1528593599b4cad373dd3f4ac17b (patch) | |
| tree | acb82022939a1d3f1bd7dda9dca7bc6324d50b45 /src/lib/libssl/ssl_sigalgs.c | |
| parent | 2084659c33f3dd4553097139197351f79d9931da (diff) | |
| download | openbsd-d8bbfb5c853f1528593599b4cad373dd3f4ac17b.tar.gz openbsd-d8bbfb5c853f1528593599b4cad373dd3f4ac17b.tar.bz2 openbsd-d8bbfb5c853f1528593599b4cad373dd3f4ac17b.zip | |
Provide a ssl_sigalg_for_peer() function and use in the TLSv1.3 code.
Provide an ssl_sigalg_for_peer() function that knows how to figure out
which signature algorithm should be used for a peer provided signature,
performing appropriate validation to ensure that the peer provided value
is suitable for the protocol version and key in use.
In the TLSv1.3 code, this replaces the need for separate calls to lookup
the sigalg from the peer provided value, then perform validation.
ok inoguchi@ tb@
Diffstat (limited to 'src/lib/libssl/ssl_sigalgs.c')
| -rw-r--r-- | src/lib/libssl/ssl_sigalgs.c | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c index bd896c829b..28d1d36b85 100644 --- a/src/lib/libssl/ssl_sigalgs.c +++ b/src/lib/libssl/ssl_sigalgs.c | |||
| @@ -1,6 +1,7 @@ | |||
| 1 | /* $OpenBSD: ssl_sigalgs.c,v 1.32 2021/06/29 19:10:08 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_sigalgs.c,v 1.33 2021/06/29 19:20:39 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> |
| 4 | * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> | ||
| 4 | * | 5 | * |
| 5 | * Permission to use, copy, modify, and/or distribute this software for any | 6 | * Permission to use, copy, modify, and/or distribute this software for any |
| 6 | * purpose with or without fee is hereby granted, provided that the above | 7 | * purpose with or without fee is hereby granted, provided that the above |
| @@ -14,6 +15,7 @@ | |||
| 14 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN | 15 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| 15 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 16 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 16 | */ | 17 | */ |
| 18 | |||
| 17 | #include <string.h> | 19 | #include <string.h> |
| 18 | #include <stdlib.h> | 20 | #include <stdlib.h> |
| 19 | 21 | ||
| @@ -326,7 +328,6 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey) | |||
| 326 | if ((sigalg = ssl_sigalg_from_value( | 328 | if ((sigalg = ssl_sigalg_from_value( |
| 327 | S3I(s)->hs.negotiated_tls_version, sigalg_value)) == NULL) | 329 | S3I(s)->hs.negotiated_tls_version, sigalg_value)) == NULL) |
| 328 | continue; | 330 | continue; |
| 329 | |||
| 330 | if (ssl_sigalg_pkey_ok(s, sigalg, pkey)) | 331 | if (ssl_sigalg_pkey_ok(s, sigalg, pkey)) |
| 331 | return sigalg; | 332 | return sigalg; |
| 332 | } | 333 | } |
| @@ -334,3 +335,24 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey) | |||
| 334 | SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); | 335 | SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); |
| 335 | return NULL; | 336 | return NULL; |
| 336 | } | 337 | } |
| 338 | |||
| 339 | const struct ssl_sigalg * | ||
| 340 | ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value) | ||
| 341 | { | ||
| 342 | const struct ssl_sigalg *sigalg; | ||
| 343 | |||
| 344 | if (!SSL_USE_SIGALGS(s)) | ||
| 345 | return ssl_sigalg_for_legacy(s, pkey); | ||
| 346 | |||
| 347 | if ((sigalg = ssl_sigalg_from_value(S3I(s)->hs.negotiated_tls_version, | ||
| 348 | sigalg_value)) == NULL) { | ||
| 349 | SSLerror(s, SSL_R_UNKNOWN_DIGEST); | ||
| 350 | return (NULL); | ||
| 351 | } | ||
| 352 | if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) { | ||
| 353 | SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); | ||
| 354 | return (NULL); | ||
| 355 | } | ||
| 356 | |||
| 357 | return sigalg; | ||
| 358 | } | ||