Pull sigalg selection up into ssl3_send_client_verify().

This means that we do sigalg selection for all cases, including those where are are not sending sigalgs. This is needed in order to track our signature type in legacy cases. ok tb@
author: jsing <> 2021-06-29 19:56:11 +0000
committer: jsing <> 2021-06-29 19:56:11 +0000
commit: 7c7e8559fa82726509586a00b183c2b60fee576e (patch)
tree: c2f016c9ad983b0d50f3b660f4b8ce91c0206dea /src
parent: 7946a3793c5e16cd6b152d6c21f53524e2b0d202 (diff)
download: openbsd-7c7e8559fa82726509586a00b183c2b60fee576e.tar.gz
openbsd-7c7e8559fa82726509586a00b183c2b60fee576e.tar.bz2
openbsd-7c7e8559fa82726509586a00b183c2b60fee576e.zip
1 files changed, 11 insertions, 14 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index a7a7bf93a5..4085fed39b 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.105 2021/06/29 19:43:15 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.106 2021/06/29 19:56:11 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2317,9 +2317,9 @@ ssl3_send_client_key_exchange(SSL *s)
 }
 static int
-ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
+ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey,
+    const struct ssl_sigalg *sigalg, CBB *cert_verify)
 {
-        const struct ssl_sigalg *sigalg;
        CBB cbb_signature;
        EVP_PKEY_CTX *pctx = NULL;
        EVP_MD_CTX mctx;
@@ -2331,16 +2331,6 @@ ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
        EVP_MD_CTX_init(&mctx);
-        if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
-                SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
-                goto err;
-        }
-        if ((md = sigalg->md()) == NULL) {
-                SSLerror(s, SSL_R_UNKNOWN_DIGEST);
-                goto err;
-        }
-        S3I(s)->hs.our_sigalg = sigalg;
        if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
                SSLerror(s, ERR_R_INTERNAL_ERROR);
                goto err;
@@ -2532,6 +2522,7 @@ ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 int
 ssl3_send_client_verify(SSL *s)
 {
+        const struct ssl_sigalg *sigalg;
        CBB cbb, cert_verify;
        EVP_PKEY *pkey;
@@ -2543,13 +2534,19 @@ ssl3_send_client_verify(SSL *s)
                        goto err;
                pkey = s->cert->key->privatekey;
+                if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
+                        SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
+                        goto err;
+                }
+                S3I(s)->hs.our_sigalg = sigalg;
                /*
                 * For TLS v1.2 send signature algorithm and signature using
                 * agreed digest and cached handshake records.
                 */
                if (SSL_USE_SIGALGS(s)) {
-                        if (!ssl3_send_client_verify_sigalgs(s, pkey, &cert_verify))
+                        if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
+                            &cert_verify))
                                goto err;
                } else if (pkey->type == EVP_PKEY_RSA) {
                        if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
author	jsing <>	2021-06-29 19:56:11 +0000
committer	jsing <>	2021-06-29 19:56:11 +0000
commit	7c7e8559fa82726509586a00b183c2b60fee576e (patch)
tree	c2f016c9ad983b0d50f3b660f4b8ce91c0206dea /src
parent	7946a3793c5e16cd6b152d6c21f53524e2b0d202 (diff)
download	openbsd-7c7e8559fa82726509586a00b183c2b60fee576e.tar.gz openbsd-7c7e8559fa82726509586a00b183c2b60fee576e.tar.bz2 openbsd-7c7e8559fa82726509586a00b183c2b60fee576e.zip