authorjsing <>2019-03-25 17:33:26 +0000
committerjsing <>2019-03-25 17:33:26 +0000
commit1d1c5f97809275aae99e2af9b38c37e3b1eb8410 (patch)
tree24293956674de119dfead3f60d3bf76b67c7b924 /src/lib
parentadc85e649c82873f1fac3486fcd2504dcdeb3d41 (diff)
Strip out all of the pkey to sigalg and sigalg to pkey linkages.
These are no longer used now that we defer signature algorithm selection. ok beck@
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libssl/ssl_cert.c24
-rw-r--r--src/lib/libssl/ssl_lib.c14
-rw-r--r--src/lib/libssl/ssl_locl.h4
-rw-r--r--src/lib/libssl/ssl_sigalgs.c22
-rw-r--r--src/lib/libssl/ssl_sigalgs.h3
5 files changed, 8 insertions, 59 deletions
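diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index ab76939116..6c00b0d336 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.73 2019/03/25 16:24:57 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.74 2019/03/25 17:33:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -158,22 +158,6 @@ SSL_get_ex_data_X509_STORE_CTX_idx(void)
 	return ssl_x509_store_ctx_idx;
 }
 
-static void
-ssl_cert_set_default_sigalgs(CERT *cert)
-{
-	/* Set digest values to defaults */
-	cert->pkeys[SSL_PKEY_RSA_SIGN].sigalg =
-	    ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
-	cert->pkeys[SSL_PKEY_RSA_ENC].sigalg =
-	    ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
-	cert->pkeys[SSL_PKEY_ECC].sigalg =
-	    ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
-#ifndef OPENSSL_NO_GOST
-	cert->pkeys[SSL_PKEY_GOST01].sigalg =
-	    ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
-#endif
-}
-
 CERT *
 ssl_cert_new(void)
 {
@@ -186,7 +170,6 @@ ssl_cert_new(void)
 	}
 	ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
 	ret->references = 1;
-	ssl_cert_set_default_sigalgs(ret);
 	return (ret);
 }
 
@@ -289,11 +272,6 @@ ssl_cert_dup(CERT *cert)
 	 */
 
 	ret->references = 1;
-	/*
-	 * Set sigalgs to defaults. NB: we don't copy existing values
-	 * as they will be set during handshake.
-	 */
-	ssl_cert_set_default_sigalgs(ret);
 
 	return (ret);
 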
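diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 70a4c6d16f..adcaa1b3cc 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.203 2019/03/25 17:21:18 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.204 2019/03/25 17:33:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2734,20 +2734,14 @@ SSL_get_SSL_CTX(const SSL *ssl)
 SSL_CTX *
 SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 {
-	CERT *ocert = ssl->cert;
-
 	if (ssl->ctx == ctx)
 		return (ssl->ctx);
 	if (ctx == NULL)
 		ctx = ssl->initial_ctx;
+
+	ssl_cert_free(ssl->cert);
 	ssl->cert = ssl_cert_dup(ctx->internal->cert);
-	if (ocert != NULL) {
-		int i;
-		/* Copy negotiated sigalg from original certificate. */
-		for (i = 0; i < SSL_PKEY_NUM; i++)
-			ssl->cert->pkeys[i].sigalg = ocert->pkeys[i].sigalg;
-		ssl_cert_free(ocert);
-	}
+
 	CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
 	SSL_CTX_free(ssl->ctx); /* decrement reference count */
 	ssl->ctx = ctx;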
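Review bot: The new code frees ssl->cert before ssl_cert_dup() runs and assigns the dup result without a NULL check, so an allocation failure inside ssl_cert_dup() leaves ssl->cert NULL with the previous certificate already released, while the function still returns ctx as if it had succeeded. The old code also skipped the check, but it kept the original CERT alive until after the copy, so this hunk removes the last point at which a usable state could have been preserved. Duplicating first and freeing the old CERT only once the copy exists, with an early NULL return on failure, closes that window; whether callers already treat a NULL return as failure is not visible in this hunk and should be confirmed before relying on it. SSL_set_SSL_CTX continues past the end of the hunk.
```c
SSL_CTX *
SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
{
	CERT *new_cert;

	/* … unchanged: same-ctx early return, NULL ctx fallback … */

	if ((new_cert = ssl_cert_dup(ctx->internal->cert)) == NULL)
		return (NULL);
	ssl_cert_free(ssl->cert);
	ssl->cert = new_cert;

	/* … unchanged: reference bookkeeping and ctx assignment … */
```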
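diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 5358de452b..2dae72309c 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.243 2019/03/25 17:27:31 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.244 2019/03/25 17:33:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -966,8 +966,6 @@ typedef struct cert_pkey_st {
 	X509 *x509;
 	EVP_PKEY *privatekey;
 	STACK_OF(X509) *chain;
-	/* sigalg to use when signing */
-	const struct ssl_sigalg *sigalg;
 } CERT_PKEY;
 
 typedef struct cert_st {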
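diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 50f4802fdb..129ccccfbc 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.18 2019/03/25 17:21:18 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.19 2019/03/25 17:33:26 jsing Exp $ */
 /*
  * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
  *
@@ -29,13 +29,11 @@ const struct ssl_sigalg sigalgs[] = {
 		.value = SIGALG_RSA_PKCS1_SHA512,
 		.md = EVP_sha512,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 	},
 	{
 		.value = SIGALG_ECDSA_SECP521R1_SHA512,
 		.md = EVP_sha512,
 		.key_type = EVP_PKEY_EC,
-		.pkey_idx = SSL_PKEY_ECC,
 		.curve_nid = NID_secp521r1,
 	},
 #ifndef OPENSSL_NO_GOST
@@ -43,33 +41,28 @@ const struct ssl_sigalg sigalgs[] = {
 		.value = SIGALG_GOSTR12_512_STREEBOG_512,
 		.md = EVP_streebog512,
 		.key_type = EVP_PKEY_GOSTR12_512,
-		.pkey_idx = SSL_PKEY_GOST01, /* XXX */
 	},
 #endif
 	{
 		.value = SIGALG_RSA_PKCS1_SHA384,
 		.md = EVP_sha384,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 	},
 	{
 		.value = SIGALG_ECDSA_SECP384R1_SHA384,
 		.md = EVP_sha384,
 		.key_type = EVP_PKEY_EC,
-		.pkey_idx = SSL_PKEY_ECC,
 		.curve_nid = NID_secp384r1,
 	},
 	{
 		.value = SIGALG_RSA_PKCS1_SHA256,
 		.md = EVP_sha256,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 	},
 	{
 		.value = SIGALG_ECDSA_SECP256R1_SHA256,
 		.md = EVP_sha256,
 		.key_type = EVP_PKEY_EC,
-		.pkey_idx = SSL_PKEY_ECC,
 		.curve_nid = NID_X9_62_prime256v1,
 	},
 #ifndef OPENSSL_NO_GOST
@@ -77,85 +70,72 @@ const struct ssl_sigalg sigalgs[] = {
 		.value = SIGALG_GOSTR12_256_STREEBOG_256,
 		.md = EVP_streebog256,
 		.key_type = EVP_PKEY_GOSTR12_256,
-		.pkey_idx = SSL_PKEY_GOST01, /* XXX */
 	},
 	{
 		.value = SIGALG_GOSTR01_GOST94,
 		.md = EVP_gostr341194,
 		.key_type = EVP_PKEY_GOSTR01,
-		.pkey_idx = SSL_PKEY_GOST01,
 	},
 #endif
 	{
 		.value = SIGALG_RSA_PSS_RSAE_SHA256,
 		.md = EVP_sha256,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 		.flags = SIGALG_FLAG_RSA_PSS,
 	},
 	{
 		.value = SIGALG_RSA_PSS_RSAE_SHA384,
 		.md = EVP_sha384,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 		.flags = SIGALG_FLAG_RSA_PSS,
 	},
 	{
 		.value = SIGALG_RSA_PSS_RSAE_SHA512,
 		.md = EVP_sha512,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 		.flags = SIGALG_FLAG_RSA_PSS,
 	},
 	{
 		.value = SIGALG_RSA_PSS_PSS_SHA256,
 		.md = EVP_sha256,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 		.flags = SIGALG_FLAG_RSA_PSS,
 	},
 	{
 		.value = SIGALG_RSA_PSS_PSS_SHA384,
 		.md = EVP_sha384,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 		.flags = SIGALG_FLAG_RSA_PSS,
 	},
 	{
 		.value = SIGALG_RSA_PSS_PSS_SHA512,
 		.md = EVP_sha512,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 		.flags = SIGALG_FLAG_RSA_PSS,
 	},
 	{
 		.value = SIGALG_RSA_PKCS1_SHA224,
 		.md = EVP_sha224,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 	},
 	{
 		.value = SIGALG_ECDSA_SECP224R1_SHA224,
 		.md = EVP_sha224,
 		.key_type = EVP_PKEY_EC,
-		.pkey_idx = SSL_PKEY_ECC,
 	},
 	{
 		.value = SIGALG_RSA_PKCS1_SHA1,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 		.md = EVP_sha1,
 	},
 	{
 		.value = SIGALG_ECDSA_SHA1,
 		.key_type = EVP_PKEY_EC,
 		.md = EVP_sha1,
-		.pkey_idx = SSL_PKEY_ECC,
 	},
 	{
 		.value = SIGALG_RSA_PKCS1_MD5_SHA1,
 		.key_type = EVP_PKEY_RSA,
-		.pkey_idx = SSL_PKEY_RSA_SIGN,
 		.md = EVP_md5_sha1,
 	},
 	{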
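diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index d06731e10d..13a3597fb5 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.13 2019/03/25 17:21:18 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.14 2019/03/25 17:33:26 jsing Exp $ */
 /*
  * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
  *
@@ -64,7 +64,6 @@ struct ssl_sigalg{
 	uint16_t value;
 	const EVP_MD *(*md)(void);
 	int key_type;
-	int pkey_idx; /* XXX get rid of this eventually */
 	int curve_nid;
 	int flags;
 };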