1 files changed, 29 insertions, 7 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 6b4c7e72a1..31d411c429 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.191 2018/11/08 20:55:18 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.192 2018/11/10 01:19:09 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -156,6 +156,7 @@
 #endif
 #include "bytestring.h"
+#include "ssl_sigalgs.h"
 const char *SSL_version_str = OPENSSL_VERSION_TEXT;
@@ -2173,8 +2174,11 @@ ssl_get_server_send_cert(const SSL *s)
 }
 EVP_PKEY *
-ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
+ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd,
+    const struct ssl_sigalg **sap)
 {
+        const struct ssl_sigalg *sigalg = NULL;
+        EVP_PKEY *pkey = NULL;
        unsigned long    alg_a;
        CERT            *c;
        int              idx = -1;
@@ -2194,9 +2198,27 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
                SSLerror(s, ERR_R_INTERNAL_ERROR);
                return (NULL);
        }
-        if (pmd)
-                *pmd = c->pkeys[idx].digest;
+        pkey = c->pkeys[idx].privatekey;
-        return (c->pkeys[idx].privatekey);
+        sigalg = c->pkeys[idx].sigalg;
+        if (!SSL_USE_SIGALGS(s)) {
+                if (pkey->type == EVP_PKEY_RSA) {
+                        sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
+                } else if (pkey->type == EVP_PKEY_EC) {
+                        sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
+                } else {
+                        SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
+                        return (NULL);
+                }
+        }
+        if (sigalg == NULL) {
+                SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
+                return (NULL);
+        }
+        *pmd = sigalg->md();
+        *sap = sigalg;
+        return (pkey);
 }
 DH *
@@ -2810,9 +2832,9 @@ SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
        ssl->cert = ssl_cert_dup(ctx->internal->cert);
        if (ocert != NULL) {
                int i;
-                /* Copy negotiated digests from original certificate. */
+                /* Copy negotiated sigalg from original certificate. */
                for (i = 0; i < SSL_PKEY_NUM; i++)
-                        ssl->cert->pkeys[i].digest = ocert->pkeys[i].digest;
+                        ssl->cert->pkeys[i].sigalg = ocert->pkeys[i].sigalg;
                ssl_cert_free(ocert);
        }
        CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 6b4c7e72a1..31d411c429 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.191 2018/11/08 20:55:18 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.192 2018/11/10 01:19:09 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -156,6 +156,7 @@
156	#endif	156	#endif
157		157
158	#include "bytestring.h"	158	#include "bytestring.h"
		159	#include "ssl_sigalgs.h"
159		160
160	const char *SSL_version_str = OPENSSL_VERSION_TEXT;	161	const char *SSL_version_str = OPENSSL_VERSION_TEXT;
161		162
@@ -2173,8 +2174,11 @@ ssl_get_server_send_cert(const SSL *s)
2173	}	2174	}
2174		2175
2175	EVP_PKEY *	2176	EVP_PKEY *
2176	ssl_get_sign_pkey(SSL s, const SSL_CIPHER cipher, const EVP_MD **pmd)	2177	ssl_get_sign_pkey(SSL s, const SSL_CIPHER cipher, const EVP_MD **pmd,
		2178	const struct ssl_sigalg **sap)
2177	{	2179	{
		2180	const struct ssl_sigalg *sigalg = NULL;
		2181	EVP_PKEY *pkey = NULL;
2178	unsigned long alg_a;	2182	unsigned long alg_a;
2179	CERT *c;	2183	CERT *c;
2180	int idx = -1;	2184	int idx = -1;
@@ -2194,9 +2198,27 @@ ssl_get_sign_pkey(SSL s, const SSL_CIPHER cipher, const EVP_MD **pmd)
2194	SSLerror(s, ERR_R_INTERNAL_ERROR);	2198	SSLerror(s, ERR_R_INTERNAL_ERROR);
2195	return (NULL);	2199	return (NULL);
2196	}	2200	}
2197	if (pmd)	2201
2198	*pmd = c->pkeys[idx].digest;	2202	pkey = c->pkeys[idx].privatekey;
2199	return (c->pkeys[idx].privatekey);	2203	sigalg = c->pkeys[idx].sigalg;
		2204	if (!SSL_USE_SIGALGS(s)) {
		2205	if (pkey->type == EVP_PKEY_RSA) {
		2206	sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
		2207	} else if (pkey->type == EVP_PKEY_EC) {
		2208	sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
		2209	} else {
		2210	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
		2211	return (NULL);
		2212	}
		2213	}
		2214	if (sigalg == NULL) {
		2215	SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
		2216	return (NULL);
		2217	}
		2218	*pmd = sigalg->md();
		2219	*sap = sigalg;
		2220
		2221	return (pkey);
2200	}	2222	}
2201		2223
2202	DH *	2224	DH *
@@ -2810,9 +2832,9 @@ SSL_set_SSL_CTX(SSL ssl, SSL_CTX ctx)
2810	ssl->cert = ssl_cert_dup(ctx->internal->cert);	2832	ssl->cert = ssl_cert_dup(ctx->internal->cert);
2811	if (ocert != NULL) {	2833	if (ocert != NULL) {
2812	int i;	2834	int i;
2813	/* Copy negotiated digests from original certificate. */	2835	/* Copy negotiated sigalg from original certificate. */
2814	for (i = 0; i < SSL_PKEY_NUM; i++)	2836	for (i = 0; i < SSL_PKEY_NUM; i++)
2815	ssl->cert->pkeys[i].digest = ocert->pkeys[i].digest;	2837	ssl->cert->pkeys[i].sigalg = ocert->pkeys[i].sigalg;
2816	ssl_cert_free(ocert);	2838	ssl_cert_free(ocert);
2817	}	2839	}
2818	CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);	2840	CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);