1 files changed, 7 insertions, 15 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 17ac1f84ff..d3ac3d969d 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.25 2021/06/27 17:45:16 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.26 2021/06/27 17:50:06 jsing Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
 *
@@ -144,7 +144,7 @@ const struct ssl_sigalg sigalgs[] = {
        },
 };
-/* Sigalgs for tls 1.3, in preference order, */
+/* Sigalgs for TLSv1.3, in preference order. */
 const uint16_t tls13_sigalgs[] = {
        SIGALG_RSA_PSS_RSAE_SHA512,
        SIGALG_RSA_PKCS1_SHA512,
@@ -158,7 +158,7 @@ const uint16_t tls13_sigalgs[] = {
 };
 const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
-/* Sigalgs for tls 1.2, in preference order, */
+/* Sigalgs for TLSv1.2, in preference order. */
 const uint16_t tls12_sigalgs[] = {
        SIGALG_RSA_PSS_RSAE_SHA512,
        SIGALG_RSA_PKCS1_SHA512,
@@ -205,22 +205,14 @@ ssl_sigalgs_build(CBB *cbb, const uint16_t *values, size_t len)
 {
        size_t i;
-        for (i = 0; sigalgs[i].value != SIGALG_NONE; i++);
-        if (len > i)
-                return 0;
-        /* XXX check for duplicates and other sanity BS? */
        /* Add values in order as long as they are supported. */
        for (i = 0; i < len; i++) {
-                /* Do not allow the legacy value for < 1.2 to be used */
+                /* Do not allow the legacy value for < 1.2 to be used. */
                if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
                        return 0;
+                if (ssl_sigalg_lookup(values[i]) == NULL)
-                if (ssl_sigalg_lookup(values[i]) != NULL) {
+                        return 0;
-                        if (!CBB_add_u16(cbb, values[i]))
+                if (!CBB_add_u16(cbb, values[i]))
-                                return 0;
-                } else
                        return 0;
        }
        return 1;

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c index 17ac1f84ff..d3ac3d969d 100644 --- a/src/lib/libssl/ssl_sigalgs.c +++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_sigalgs.c,v 1.25 2021/06/27 17:45:16 jsing Exp $ */	1	/* $OpenBSD: ssl_sigalgs.c,v 1.26 2021/06/27 17:50:06 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -144,7 +144,7 @@ const struct ssl_sigalg sigalgs[] = {
144	},	144	},
145	};	145	};
146		146
147	/* Sigalgs for tls 1.3, in preference order, */	147	/* Sigalgs for TLSv1.3, in preference order. */
148	const uint16_t tls13_sigalgs[] = {	148	const uint16_t tls13_sigalgs[] = {
149	SIGALG_RSA_PSS_RSAE_SHA512,	149	SIGALG_RSA_PSS_RSAE_SHA512,
150	SIGALG_RSA_PKCS1_SHA512,	150	SIGALG_RSA_PKCS1_SHA512,
@@ -158,7 +158,7 @@ const uint16_t tls13_sigalgs[] = {
158	};	158	};
159	const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));	159	const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
160		160
161	/* Sigalgs for tls 1.2, in preference order, */	161	/* Sigalgs for TLSv1.2, in preference order. */
162	const uint16_t tls12_sigalgs[] = {	162	const uint16_t tls12_sigalgs[] = {
163	SIGALG_RSA_PSS_RSAE_SHA512,	163	SIGALG_RSA_PSS_RSAE_SHA512,
164	SIGALG_RSA_PKCS1_SHA512,	164	SIGALG_RSA_PKCS1_SHA512,
@@ -205,22 +205,14 @@ ssl_sigalgs_build(CBB cbb, const uint16_t values, size_t len)
205	{	205	{
206	size_t i;	206	size_t i;
207		207
208	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++);
209	if (len > i)
210	return 0;
211
212	/* XXX check for duplicates and other sanity BS? */
213
214	/* Add values in order as long as they are supported. */	208	/* Add values in order as long as they are supported. */
215	for (i = 0; i < len; i++) {	209	for (i = 0; i < len; i++) {
216	/* Do not allow the legacy value for < 1.2 to be used */	210	/* Do not allow the legacy value for < 1.2 to be used. */
217	if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)	211	if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
218	return 0;	212	return 0;
219		213	if (ssl_sigalg_lookup(values[i]) == NULL)
220	if (ssl_sigalg_lookup(values[i]) != NULL) {	214	return 0;
221	if (!CBB_add_u16(cbb, values[i]))	215	if (!CBB_add_u16(cbb, values[i]))
222	return 0;
223	} else
224	return 0;	216	return 0;
225	}	217	}
226	return 1;	218	return 1;