diff options
| author | jsing <> | 2021-06-27 19:23:51 +0000 |
|---|---|---|
| committer | jsing <> | 2021-06-27 19:23:51 +0000 |
| commit | 965b27267cd3ec2efbae469ff3190c696e822852 (patch) | |
| tree | a69f06d8a93017bbcd381361796ab0149ede3065 /src | |
| parent | fe2e9ea28e886fa3dae7e2d6035a86fae494be20 (diff) | |
| download | openbsd-965b27267cd3ec2efbae469ff3190c696e822852.tar.gz openbsd-965b27267cd3ec2efbae469ff3190c696e822852.tar.bz2 openbsd-965b27267cd3ec2efbae469ff3190c696e822852.zip | |
Track the sigalgs used by ourselves and our peer.
Move the sigalg pointer from SSL_HANDSHAKE_TLS13 to SSL_HANDSHAKE, naming
it our_sigalg, adding an equivalent peer_sigalg. Adjust the TLSv1.3 code
that records our signature algorithm. Add code to record the signature
algorithm used by our peer.
Needed for upcoming API additions.
ok tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 9 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 7 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 7 |
3 files changed, 14 insertions, 9 deletions
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 5f99c08cc9..200219c141 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.351 2021/06/23 11:12:33 tb Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.352 2021/06/27 19:23:51 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -444,9 +444,8 @@ typedef struct ssl_handshake_tls13_st { | |||
| 444 | int use_legacy; | 444 | int use_legacy; |
| 445 | int hrr; | 445 | int hrr; |
| 446 | 446 | ||
| 447 | /* Certificate and sigalg selected for use (static pointers). */ | 447 | /* Certificate selected for use (static pointer). */ |
| 448 | const CERT_PKEY *cpk; | 448 | const CERT_PKEY *cpk; |
| 449 | const struct ssl_sigalg *sigalg; | ||
| 450 | 449 | ||
| 451 | /* Version proposed by peer server. */ | 450 | /* Version proposed by peer server. */ |
| 452 | uint16_t server_version; | 451 | uint16_t server_version; |
| @@ -503,6 +502,10 @@ typedef struct ssl_handshake_st { | |||
| 503 | /* Extensions seen in this handshake. */ | 502 | /* Extensions seen in this handshake. */ |
| 504 | uint32_t extensions_seen; | 503 | uint32_t extensions_seen; |
| 505 | 504 | ||
| 505 | /* Signature algorithms selected for use (static pointers). */ | ||
| 506 | const struct ssl_sigalg *our_sigalg; | ||
| 507 | const struct ssl_sigalg *peer_sigalg; | ||
| 508 | |||
| 506 | /* sigalgs offered in this handshake in wire form */ | 509 | /* sigalgs offered in this handshake in wire form */ |
| 507 | uint8_t *sigalgs; | 510 | uint8_t *sigalgs; |
| 508 | size_t sigalgs_len; | 511 | size_t sigalgs_len; |
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 644b16e26c..4ba0dd92f2 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.82 2021/06/27 18:15:35 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.83 2021/06/27 19:23:51 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -697,6 +697,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 697 | goto err; | 697 | goto err; |
| 698 | if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) | 698 | if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) |
| 699 | goto err; | 699 | goto err; |
| 700 | ctx->hs->peer_sigalg = sigalg; | ||
| 700 | 701 | ||
| 701 | if (CBS_len(&signature) > EVP_PKEY_size(pkey)) | 702 | if (CBS_len(&signature) > EVP_PKEY_size(pkey)) |
| 702 | goto err; | 703 | goto err; |
| @@ -898,7 +899,7 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 898 | goto err; | 899 | goto err; |
| 899 | 900 | ||
| 900 | ctx->hs->tls13.cpk = cpk; | 901 | ctx->hs->tls13.cpk = cpk; |
| 901 | ctx->hs->tls13.sigalg = sigalg; | 902 | ctx->hs->our_sigalg = sigalg; |
| 902 | 903 | ||
| 903 | if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) | 904 | if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) |
| 904 | goto err; | 905 | goto err; |
| @@ -949,7 +950,7 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 949 | 950 | ||
| 950 | if ((cpk = ctx->hs->tls13.cpk) == NULL) | 951 | if ((cpk = ctx->hs->tls13.cpk) == NULL) |
| 951 | goto err; | 952 | goto err; |
| 952 | if ((sigalg = ctx->hs->tls13.sigalg) == NULL) | 953 | if ((sigalg = ctx->hs->our_sigalg) == NULL) |
| 953 | goto err; | 954 | goto err; |
| 954 | pkey = cpk->privatekey; | 955 | pkey = cpk->privatekey; |
| 955 | 956 | ||
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index b68a2f9294..18cb056755 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.80 2021/06/27 18:15:35 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.81 2021/06/27 19:23:51 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -635,7 +635,7 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 635 | } | 635 | } |
| 636 | 636 | ||
| 637 | ctx->hs->tls13.cpk = cpk; | 637 | ctx->hs->tls13.cpk = cpk; |
| 638 | ctx->hs->tls13.sigalg = sigalg; | 638 | ctx->hs->our_sigalg = sigalg; |
| 639 | 639 | ||
| 640 | if ((chain = cpk->chain) == NULL) | 640 | if ((chain = cpk->chain) == NULL) |
| 641 | chain = s->ctx->extra_certs; | 641 | chain = s->ctx->extra_certs; |
| @@ -708,7 +708,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 708 | 708 | ||
| 709 | if ((cpk = ctx->hs->tls13.cpk) == NULL) | 709 | if ((cpk = ctx->hs->tls13.cpk) == NULL) |
| 710 | goto err; | 710 | goto err; |
| 711 | if ((sigalg = ctx->hs->tls13.sigalg) == NULL) | 711 | if ((sigalg = ctx->hs->our_sigalg) == NULL) |
| 712 | goto err; | 712 | goto err; |
| 713 | pkey = cpk->privatekey; | 713 | pkey = cpk->privatekey; |
| 714 | 714 | ||
| @@ -996,6 +996,7 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 996 | goto err; | 996 | goto err; |
| 997 | if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) | 997 | if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) |
| 998 | goto err; | 998 | goto err; |
| 999 | ctx->hs->peer_sigalg = sigalg; | ||
| 999 | 1000 | ||
| 1000 | if (CBS_len(&signature) > EVP_PKEY_size(pkey)) | 1001 | if (CBS_len(&signature) > EVP_PKEY_size(pkey)) |
| 1001 | goto err; | 1002 | goto err; |