4 files changed, 29 insertions, 28 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index d3ac3d969d..590932bdf6 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.26 2021/06/27 17:50:06 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.27 2021/06/27 17:59:17 jsing Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
 *
@@ -174,6 +174,19 @@ const uint16_t tls12_sigalgs[] = {
 };
 const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
+static void
+ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
+    size_t *out_len)
+{
+        if (tls_version >= TLS1_3_VERSION) {
+                *out_values = tls13_sigalgs;
+                *out_len = tls13_sigalgs_len;
+        } else {
+                *out_values = tls12_sigalgs;
+                *out_len = tls12_sigalgs_len;
+        }
+}
 const struct ssl_sigalg *
 ssl_sigalg_lookup(uint16_t sigalg)
 {
@@ -201,10 +214,14 @@ ssl_sigalg(uint16_t sigalg, const uint16_t *values, size_t len)
 }
 int
-ssl_sigalgs_build(CBB *cbb, const uint16_t *values, size_t len)
+ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
 {
+        const uint16_t *values;
+        size_t len;
        size_t i;
+        ssl_sigalgs_for_version(tls_version, &values, &len);
        /* Add values in order as long as they are supported. */
        for (i = 0; i < len; i++) {
                /* Do not allow the legacy value for < 1.2 to be used. */
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index db21eda1f8..64a2bd435c 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.17 2021/06/27 17:45:16 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.18 2021/06/27 17:59:17 jsing Exp $ */
 /*
 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
 *
@@ -75,7 +75,7 @@ extern const size_t tls13_sigalgs_len;
 const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
 const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, const uint16_t *values, size_t len);
-int ssl_sigalgs_build(CBB *cbb, const uint16_t *values, size_t len);
+int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb);
 int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk);
 int ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
    int check_curve);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index c4bcd228ef..93fd8cfb85 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.111 2021/05/16 14:10:43 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.112 2021/06/27 17:59:17 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1671,9 +1671,11 @@ ssl3_send_certificate_request(SSL *s)
                        goto err;
                if (SSL_USE_SIGALGS(s)) {
-                        if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs))
+                        if (!CBB_add_u16_length_prefixed(&cert_request,
+                            &sigalgs))
                                goto err;
-                        if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
+                        if (!ssl_sigalgs_build(
+                            S3I(s)->hs.negotiated_tls_version, &sigalgs))
                                goto err;
                }
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 035d6b4564..22932f969d 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.95 2021/06/11 17:29:48 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.96 2021/06/27 17:59:17 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -558,21 +558,12 @@ tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
 int
 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
-        const uint16_t *tls_sigalgs = tls12_sigalgs;
-        size_t tls_sigalgs_len = tls12_sigalgs_len;
        CBB sigalgs;
-        if (S3I(s)->hs.our_min_tls_version >= TLS1_3_VERSION) {
-                tls_sigalgs = tls13_sigalgs;
-                tls_sigalgs_len = tls13_sigalgs_len;
-        }
        if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
                return 0;
+        if (!ssl_sigalgs_build(S3I(s)->hs.our_min_tls_version, &sigalgs))
-        if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len))
                return 0;
        if (!CBB_flush(cbb))
                return 0;
@@ -603,21 +594,12 @@ tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
 int
 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
-        const uint16_t *tls_sigalgs = tls12_sigalgs;
-        size_t tls_sigalgs_len = tls12_sigalgs_len;
        CBB sigalgs;
-        if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
-                tls_sigalgs = tls13_sigalgs;
-                tls_sigalgs_len = tls13_sigalgs_len;
-        }
        if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
                return 0;
+        if (!ssl_sigalgs_build(S3I(s)->hs.negotiated_tls_version, &sigalgs))
-        if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len))
                return 0;
        if (!CBB_flush(cbb))
                return 0;

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c index d3ac3d969d..590932bdf6 100644 --- a/src/lib/libssl/ssl_sigalgs.c +++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_sigalgs.c,v 1.26 2021/06/27 17:50:06 jsing Exp $ */	1	/* $OpenBSD: ssl_sigalgs.c,v 1.27 2021/06/27 17:59:17 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -174,6 +174,19 @@ const uint16_t tls12_sigalgs[] = {
174	};	174	};
175	const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));	175	const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
176		176
		177	static void
		178	ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
		179	size_t *out_len)
		180	{
		181	if (tls_version >= TLS1_3_VERSION) {
		182	*out_values = tls13_sigalgs;
		183	*out_len = tls13_sigalgs_len;
		184	} else {
		185	*out_values = tls12_sigalgs;
		186	*out_len = tls12_sigalgs_len;
		187	}
		188	}
		189
177	const struct ssl_sigalg *	190	const struct ssl_sigalg *
178	ssl_sigalg_lookup(uint16_t sigalg)	191	ssl_sigalg_lookup(uint16_t sigalg)
179	{	192	{
@@ -201,10 +214,14 @@ ssl_sigalg(uint16_t sigalg, const uint16_t *values, size_t len)
201	}	214	}
202		215
203	int	216	int
204	ssl_sigalgs_build(CBB cbb, const uint16_t values, size_t len)	217	ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
205	{	218	{
		219	const uint16_t *values;
		220	size_t len;
206	size_t i;	221	size_t i;
207		222
		223	ssl_sigalgs_for_version(tls_version, &values, &len);
		224
208	/* Add values in order as long as they are supported. */	225	/* Add values in order as long as they are supported. */
209	for (i = 0; i < len; i++) {	226	for (i = 0; i < len; i++) {
210	/* Do not allow the legacy value for < 1.2 to be used. */	227	/* Do not allow the legacy value for < 1.2 to be used. */


diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h index db21eda1f8..64a2bd435c 100644 --- a/src/lib/libssl/ssl_sigalgs.h +++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_sigalgs.h,v 1.17 2021/06/27 17:45:16 jsing Exp $ */	1	/* $OpenBSD: ssl_sigalgs.h,v 1.18 2021/06/27 17:59:17 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -75,7 +75,7 @@ extern const size_t tls13_sigalgs_len;
75		75
76	const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);	76	const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
77	const struct ssl_sigalg ssl_sigalg(uint16_t sigalg, const uint16_t values, size_t len);	77	const struct ssl_sigalg ssl_sigalg(uint16_t sigalg, const uint16_t values, size_t len);
78	int ssl_sigalgs_build(CBB cbb, const uint16_t values, size_t len);	78	int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb);
79	int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk);	79	int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk);
80	int ssl_sigalg_pkey_ok(const struct ssl_sigalg sigalg, EVP_PKEY pkey,	80	int ssl_sigalg_pkey_ok(const struct ssl_sigalg sigalg, EVP_PKEY pkey,
81	int check_curve);	81	int check_curve);


diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index c4bcd228ef..93fd8cfb85 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.111 2021/05/16 14:10:43 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.112 2021/06/27 17:59:17 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1671,9 +1671,11 @@ ssl3_send_certificate_request(SSL *s)
1671	goto err;	1671	goto err;
1672		1672
1673	if (SSL_USE_SIGALGS(s)) {	1673	if (SSL_USE_SIGALGS(s)) {
1674	if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs))	1674	if (!CBB_add_u16_length_prefixed(&cert_request,
		1675	&sigalgs))
1675	goto err;	1676	goto err;
1676	if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))	1677	if (!ssl_sigalgs_build(
		1678	S3I(s)->hs.negotiated_tls_version, &sigalgs))
1677	goto err;	1679	goto err;
1678	}	1680	}
1679		1681


diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 035d6b4564..22932f969d 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.95 2021/06/11 17:29:48 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.96 2021/06/27 17:59:17 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -558,21 +558,12 @@ tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
558	int	558	int
559	tlsext_sigalgs_client_build(SSL s, uint16_t msg_type, CBB cbb)	559	tlsext_sigalgs_client_build(SSL s, uint16_t msg_type, CBB cbb)
560	{	560	{
561	const uint16_t *tls_sigalgs = tls12_sigalgs;
562	size_t tls_sigalgs_len = tls12_sigalgs_len;
563	CBB sigalgs;	561	CBB sigalgs;
564		562
565	if (S3I(s)->hs.our_min_tls_version >= TLS1_3_VERSION) {
566	tls_sigalgs = tls13_sigalgs;
567	tls_sigalgs_len = tls13_sigalgs_len;
568	}
569
570	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))	563	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
571	return 0;	564	return 0;
572		565	if (!ssl_sigalgs_build(S3I(s)->hs.our_min_tls_version, &sigalgs))
573	if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len))
574	return 0;	566	return 0;
575
576	if (!CBB_flush(cbb))	567	if (!CBB_flush(cbb))
577	return 0;	568	return 0;
578		569
@@ -603,21 +594,12 @@ tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
603	int	594	int
604	tlsext_sigalgs_server_build(SSL s, uint16_t msg_type, CBB cbb)	595	tlsext_sigalgs_server_build(SSL s, uint16_t msg_type, CBB cbb)
605	{	596	{
606	const uint16_t *tls_sigalgs = tls12_sigalgs;
607	size_t tls_sigalgs_len = tls12_sigalgs_len;
608	CBB sigalgs;	597	CBB sigalgs;
609		598
610	if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
611	tls_sigalgs = tls13_sigalgs;
612	tls_sigalgs_len = tls13_sigalgs_len;
613	}
614
615	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))	599	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
616	return 0;	600	return 0;
617		601	if (!ssl_sigalgs_build(S3I(s)->hs.negotiated_tls_version, &sigalgs))
618	if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len))
619	return 0;	602	return 0;
620
621	if (!CBB_flush(cbb))	603	if (!CBB_flush(cbb))
622	return 0;	604	return 0;
623		605