-rw-r--r-- | src/lib/libssl/ssl_sigalgs.c | 26 | ||||
-rw-r--r-- | src/lib/libssl/ssl_sigalgs.h | 4 | ||||
-rw-r--r-- | src/lib/libssl/tls13_client.c | 9 | ||||
-rw-r--r-- | src/lib/libssl/tls13_server.c | 9 |
4 files changed, 33 insertions, 15 deletions
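--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,6 +1,7 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.32 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.33 2021/06/29 19:20:39 jsing Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
+* Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +15,7 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+
 #include <string.h>
 #include <stdlib.h>
 
@@ -326,7 +328,6 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
 if ((sigalg = ssl_sigalg_from_value(
 S3I(s)->hs.negotiated_tls_version, sigalg_value)) == NULL)
 continue;
-
 if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
 return sigalg;
 }
@@ -334,3 +335,24 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
 return NULL;
 }
+
+const struct ssl_sigalg *
+ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
+{
+const struct ssl_sigalg *sigalg;
+
+if (!SSL_USE_SIGALGS(s))
+return ssl_sigalg_for_legacy(s, pkey);
+
+if ((sigalg = ssl_sigalg_from_value(S3I(s)->hs.negotiated_tls_version,
+sigalg_value)) == NULL) {
+SSLerror(s, SSL_R_UNKNOWN_DIGEST);
+return (NULL);
+}
+if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
+SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
+return (NULL);
+}
+
+return sigalg;
+}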
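Review bot: `ssl_sigalg_for_peer()` has no comment stating its contract, and on the `!SSL_USE_SIGALGS(s)` path it returns `ssl_sigalg_for_legacy(s, pkey)` without ever reading `sigalg_value`, so nothing tells a caller that the peer-supplied value is ignored there. I would add a header comment such as `/* Validate the peer's signature algorithm for the negotiated version and pkey; returns NULL with an error queued on failure. sigalg_value is unused when sigalgs are not in use. */`. As a style point, the two failure paths are written `return (NULL);` while the final return here and `ssl_sigalg_select()` just above use the unparenthesised form, `return NULL;`. `SSL_R_UNKNOWN_DIGEST` for an unrecognised signature scheme also reads oddly, though it may be kept deliberately for compatibility with existing error handling.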
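--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.21 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.22 2021/06/29 19:20:39 jsing Exp $ */
 /*
 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
 *
@@ -75,6 +75,8 @@ int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb);
 int ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg,
 EVP_PKEY *pkey);
 const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey);
+const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey,
+uint16_t sigalg_value);
 
 __END_HIDDEN_DECLS
 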
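--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.85 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.86 2021/06/29 19:20:39 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -680,10 +680,6 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 if (!CBS_get_u16_length_prefixed(cbs, &signature))
 goto err;
 
-if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version,
-signature_scheme)) == NULL)
-goto err;
-
 if (!CBB_init(&cbb, 0))
 goto err;
 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
@@ -704,7 +700,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 goto err;
 if ((pkey = X509_get0_pubkey(cert)) == NULL)
 goto err;
-if (!ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey))
+if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
+signature_scheme)) == NULL)
 goto err;
 ctx->hs->peer_sigalg = sigalg;
 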
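Review bot: Both rejection reasons from `ssl_sigalg_for_peer()` (unknown scheme, scheme not usable with the certificate's key) end in the same bare `goto err`, and the `err:` label is outside this hunk, so the alert the peer receives is not visible here. If the fallback turns out to be a generic decode error, setting the alert before the jump, e.g. `ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;`, would let logs and captures distinguish a rejected signature scheme from a malformed message. The scheme check also moved from right after parsing to after the signed content is built. It still precedes `ctx->hs->peer_sigalg = sigalg`, but a one-line comment saying the peer's scheme is validated against its key at this point would help the next reader. The same applies to `tls13_client_certificate_verify_recv()` in tls13_server.c.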
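--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.82 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.83 2021/06/29 19:20:39 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -970,10 +970,6 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 if (!CBS_get_u16_length_prefixed(cbs, &signature))
 goto err;
 
-if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version,
-signature_scheme)) == NULL)
-goto err;
-
 if (!CBB_init(&cbb, 0))
 goto err;
 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
@@ -994,7 +990,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 goto err;
 if ((pkey = X509_get0_pubkey(cert)) == NULL)
 goto err;
-if (!ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey))
+if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
+signature_scheme)) == NULL)
 goto err;
 ctx->hs->peer_sigalg = sigalg;
 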