1 files changed, 0 insertions, 355 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
deleted file mode 100644
index 765f39d4a9..0000000000
--- a/src/lib/libssl/ssl_sigalgs.c
+++ /dev/null
@@ -1,355 +0,0 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.37 2021/06/29 19:36:14 jsing Exp $ */
-/*
- * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
- * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <string.h>
-#include <stdlib.h>
-#include <openssl/evp.h>
-#include <openssl/opensslconf.h>
-#include "bytestring.h"
-#include "ssl_locl.h"
-#include "ssl_sigalgs.h"
-#include "tls13_internal.h"
-const struct ssl_sigalg sigalgs[] = {
-        {
-                .value = SIGALG_RSA_PKCS1_SHA512,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha512,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP521R1_SHA512,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha512,
-                .curve_nid = NID_secp521r1,
-        },
-#ifndef OPENSSL_NO_GOST
-        {
-                .value = SIGALG_GOSTR12_512_STREEBOG_512,
-                .key_type = EVP_PKEY_GOSTR12_512,
-                .md = EVP_streebog512,
-        },
-#endif
-        {
-                .value = SIGALG_RSA_PKCS1_SHA384,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha384,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP384R1_SHA384,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha384,
-                .curve_nid = NID_secp384r1,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_SHA256,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha256,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP256R1_SHA256,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha256,
-                .curve_nid = NID_X9_62_prime256v1,
-        },
-#ifndef OPENSSL_NO_GOST
-        {
-                .value = SIGALG_GOSTR12_256_STREEBOG_256,
-                .key_type = EVP_PKEY_GOSTR12_256,
-                .md = EVP_streebog256,
-        },
-        {
-                .value = SIGALG_GOSTR01_GOST94,
-                .key_type = EVP_PKEY_GOSTR01,
-                .md = EVP_gostr341194,
-        },
-#endif
-        {
-                .value = SIGALG_RSA_PSS_RSAE_SHA256,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha256,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_RSAE_SHA384,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha384,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_RSAE_SHA512,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha512,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_PSS_SHA256,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha256,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_PSS_SHA384,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha384,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_PSS_SHA512,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha512,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_SHA224,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha224,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP224R1_SHA224,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha224,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_SHA1,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha1,
-        },
-        {
-                .value = SIGALG_ECDSA_SHA1,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha1,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_MD5_SHA1,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_md5_sha1,
-        },
-        {
-                .value = SIGALG_NONE,
-        },
-};
-/* Sigalgs for TLSv1.3, in preference order. */
-const uint16_t tls13_sigalgs[] = {
-        SIGALG_RSA_PSS_RSAE_SHA512,
-        SIGALG_RSA_PKCS1_SHA512,
-        SIGALG_ECDSA_SECP521R1_SHA512,
-        SIGALG_RSA_PSS_RSAE_SHA384,
-        SIGALG_RSA_PKCS1_SHA384,
-        SIGALG_ECDSA_SECP384R1_SHA384,
-        SIGALG_RSA_PSS_RSAE_SHA256,
-        SIGALG_RSA_PKCS1_SHA256,
-        SIGALG_ECDSA_SECP256R1_SHA256,
-};
-const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
-/* Sigalgs for TLSv1.2, in preference order. */
-const uint16_t tls12_sigalgs[] = {
-        SIGALG_RSA_PSS_RSAE_SHA512,
-        SIGALG_RSA_PKCS1_SHA512,
-        SIGALG_ECDSA_SECP521R1_SHA512,
-        SIGALG_RSA_PSS_RSAE_SHA384,
-        SIGALG_RSA_PKCS1_SHA384,
-        SIGALG_ECDSA_SECP384R1_SHA384,
-        SIGALG_RSA_PSS_RSAE_SHA256,
-        SIGALG_RSA_PKCS1_SHA256,
-        SIGALG_ECDSA_SECP256R1_SHA256,
-        SIGALG_RSA_PKCS1_SHA1, /* XXX */
-        SIGALG_ECDSA_SHA1,     /* XXX */
-};
-const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
-static void
-ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
-    size_t *out_len)
-{
-        if (tls_version >= TLS1_3_VERSION) {
-                *out_values = tls13_sigalgs;
-                *out_len = tls13_sigalgs_len;
-        } else {
-                *out_values = tls12_sigalgs;
-                *out_len = tls12_sigalgs_len;
-        }
-}
-static const struct ssl_sigalg *
-ssl_sigalg_lookup(uint16_t value)
-{
-        int i;
-        for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
-                if (sigalgs[i].value == value)
-                        return &sigalgs[i];
-        }
-        return NULL;
-}
-static const struct ssl_sigalg *
-ssl_sigalg_from_value(SSL *s, uint16_t value)
-{
-        const uint16_t *values;
-        size_t len;
-        int i;
-        ssl_sigalgs_for_version(S3I(s)->hs.negotiated_tls_version,
-            &values, &len);
-        for (i = 0; i < len; i++) {
-                if (values[i] == value)
-                        return ssl_sigalg_lookup(value);
-        }
-        return NULL;
-}
-int
-ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
-{
-        const uint16_t *values;
-        size_t len;
-        size_t i;
-        ssl_sigalgs_for_version(tls_version, &values, &len);
-        /* Add values in order as long as they are supported. */
-        for (i = 0; i < len; i++) {
-                /* Do not allow the legacy value for < 1.2 to be used. */
-                if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
-                        return 0;
-                if (ssl_sigalg_lookup(values[i]) == NULL)
-                        return 0;
-                if (!CBB_add_u16(cbb, values[i]))
-                        return 0;
-        }
-        return 1;
-}
-static const struct ssl_sigalg *
-ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
-{
-        /* Default signature algorithms used for TLSv1.2 and earlier. */
-        switch (pkey->type) {
-        case EVP_PKEY_RSA:
-                if (S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION)
-                        return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
-                return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
-        case EVP_PKEY_EC:
-                return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
-#ifndef OPENSSL_NO_GOST
-        case EVP_PKEY_GOSTR01:
-                return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
-#endif
-        }
-        SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
-        return (NULL);
-}
-static int
-ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
-{
-        if (sigalg == NULL || pkey == NULL)
-                return 0;
-        if (sigalg->key_type != pkey->type)
-                return 0;
-        /* RSA PSS must have a sufficiently large RSA key. */
-        if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
-                if (pkey->type != EVP_PKEY_RSA ||
-                    EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
-                        return 0;
-        }
-        if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION)
-                return 1;
-        /* RSA cannot be used without PSS in TLSv1.3. */
-        if (sigalg->key_type == EVP_PKEY_RSA &&
-            (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
-                return 0;
-        /* Ensure that curve matches for EC keys. */
-        if (pkey->type == EVP_PKEY_EC) {
-                if (sigalg->curve_nid == 0)
-                        return 0;
-                if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
-                    EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid)
-                        return 0;
-        }
-        return 1;
-}
-const struct ssl_sigalg *
-ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
-{
-        CBS cbs;
-        if (!SSL_USE_SIGALGS(s))
-                return ssl_sigalg_for_legacy(s, pkey);
-        /*
-         * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
-         * in which case the server must use the default.
-         */
-        if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
-            S3I(s)->hs.sigalgs == NULL)
-                return ssl_sigalg_for_legacy(s, pkey);
-        /*
-         * If we get here, we have client or server sent sigalgs, use one.
-         */
-        CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
-        while (CBS_len(&cbs) > 0) {
-                const struct ssl_sigalg *sigalg;
-                uint16_t sigalg_value;
-                if (!CBS_get_u16(&cbs, &sigalg_value))
-                        return 0;
-                if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
-                        continue;
-                if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
-                        return sigalg;
-        }
-        SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
-        return NULL;
-}
-const struct ssl_sigalg *
-ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
-{
-        const struct ssl_sigalg *sigalg;
-        if (!SSL_USE_SIGALGS(s))
-                return ssl_sigalg_for_legacy(s, pkey);
-        if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
-                SSLerror(s, SSL_R_UNKNOWN_DIGEST);
-                return (NULL);
-        }
-        if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
-                SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
-                return (NULL);
-        }
-        return sigalg;
-}

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c deleted file mode 100644 index 765f39d4a9..0000000000 --- a/src/lib/libssl/ssl_sigalgs.c +++ /dev/null
@@ -1,355 +0,0 @@
1	/* $OpenBSD: ssl_sigalgs.c,v 1.37 2021/06/29 19:36:14 jsing Exp $ */
2	/*
3	* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
5	*
6	* Permission to use, copy, modify, and/or distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
13	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
15	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
16	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#include <string.h>
20	#include <stdlib.h>
21
22	#include <openssl/evp.h>
23	#include <openssl/opensslconf.h>
24
25	#include "bytestring.h"
26	#include "ssl_locl.h"
27	#include "ssl_sigalgs.h"
28	#include "tls13_internal.h"
29
30	const struct ssl_sigalg sigalgs[] = {
31	{
32	.value = SIGALG_RSA_PKCS1_SHA512,
33	.key_type = EVP_PKEY_RSA,
34	.md = EVP_sha512,
35	},
36	{
37	.value = SIGALG_ECDSA_SECP521R1_SHA512,
38	.key_type = EVP_PKEY_EC,
39	.md = EVP_sha512,
40	.curve_nid = NID_secp521r1,
41	},
42	#ifndef OPENSSL_NO_GOST
43	{
44	.value = SIGALG_GOSTR12_512_STREEBOG_512,
45	.key_type = EVP_PKEY_GOSTR12_512,
46	.md = EVP_streebog512,
47	},
48	#endif
49	{
50	.value = SIGALG_RSA_PKCS1_SHA384,
51	.key_type = EVP_PKEY_RSA,
52	.md = EVP_sha384,
53	},
54	{
55	.value = SIGALG_ECDSA_SECP384R1_SHA384,
56	.key_type = EVP_PKEY_EC,
57	.md = EVP_sha384,
58	.curve_nid = NID_secp384r1,
59	},
60	{
61	.value = SIGALG_RSA_PKCS1_SHA256,
62	.key_type = EVP_PKEY_RSA,
63	.md = EVP_sha256,
64	},
65	{
66	.value = SIGALG_ECDSA_SECP256R1_SHA256,
67	.key_type = EVP_PKEY_EC,
68	.md = EVP_sha256,
69	.curve_nid = NID_X9_62_prime256v1,
70	},
71	#ifndef OPENSSL_NO_GOST
72	{
73	.value = SIGALG_GOSTR12_256_STREEBOG_256,
74	.key_type = EVP_PKEY_GOSTR12_256,
75	.md = EVP_streebog256,
76	},
77	{
78	.value = SIGALG_GOSTR01_GOST94,
79	.key_type = EVP_PKEY_GOSTR01,
80	.md = EVP_gostr341194,
81	},
82	#endif
83	{
84	.value = SIGALG_RSA_PSS_RSAE_SHA256,
85	.key_type = EVP_PKEY_RSA,
86	.md = EVP_sha256,
87	.flags = SIGALG_FLAG_RSA_PSS,
88	},
89	{
90	.value = SIGALG_RSA_PSS_RSAE_SHA384,
91	.key_type = EVP_PKEY_RSA,
92	.md = EVP_sha384,
93	.flags = SIGALG_FLAG_RSA_PSS,
94	},
95	{
96	.value = SIGALG_RSA_PSS_RSAE_SHA512,
97	.key_type = EVP_PKEY_RSA,
98	.md = EVP_sha512,
99	.flags = SIGALG_FLAG_RSA_PSS,
100	},
101	{
102	.value = SIGALG_RSA_PSS_PSS_SHA256,
103	.key_type = EVP_PKEY_RSA,
104	.md = EVP_sha256,
105	.flags = SIGALG_FLAG_RSA_PSS,
106	},
107	{
108	.value = SIGALG_RSA_PSS_PSS_SHA384,
109	.key_type = EVP_PKEY_RSA,
110	.md = EVP_sha384,
111	.flags = SIGALG_FLAG_RSA_PSS,
112	},
113	{
114	.value = SIGALG_RSA_PSS_PSS_SHA512,
115	.key_type = EVP_PKEY_RSA,
116	.md = EVP_sha512,
117	.flags = SIGALG_FLAG_RSA_PSS,
118	},
119	{
120	.value = SIGALG_RSA_PKCS1_SHA224,
121	.key_type = EVP_PKEY_RSA,
122	.md = EVP_sha224,
123	},
124	{
125	.value = SIGALG_ECDSA_SECP224R1_SHA224,
126	.key_type = EVP_PKEY_EC,
127	.md = EVP_sha224,
128	},
129	{
130	.value = SIGALG_RSA_PKCS1_SHA1,
131	.key_type = EVP_PKEY_RSA,
132	.md = EVP_sha1,
133	},
134	{
135	.value = SIGALG_ECDSA_SHA1,
136	.key_type = EVP_PKEY_EC,
137	.md = EVP_sha1,
138	},
139	{
140	.value = SIGALG_RSA_PKCS1_MD5_SHA1,
141	.key_type = EVP_PKEY_RSA,
142	.md = EVP_md5_sha1,
143	},
144	{
145	.value = SIGALG_NONE,
146	},
147	};
148
149	/* Sigalgs for TLSv1.3, in preference order. */
150	const uint16_t tls13_sigalgs[] = {
151	SIGALG_RSA_PSS_RSAE_SHA512,
152	SIGALG_RSA_PKCS1_SHA512,
153	SIGALG_ECDSA_SECP521R1_SHA512,
154	SIGALG_RSA_PSS_RSAE_SHA384,
155	SIGALG_RSA_PKCS1_SHA384,
156	SIGALG_ECDSA_SECP384R1_SHA384,
157	SIGALG_RSA_PSS_RSAE_SHA256,
158	SIGALG_RSA_PKCS1_SHA256,
159	SIGALG_ECDSA_SECP256R1_SHA256,
160	};
161	const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
162
163	/* Sigalgs for TLSv1.2, in preference order. */
164	const uint16_t tls12_sigalgs[] = {
165	SIGALG_RSA_PSS_RSAE_SHA512,
166	SIGALG_RSA_PKCS1_SHA512,
167	SIGALG_ECDSA_SECP521R1_SHA512,
168	SIGALG_RSA_PSS_RSAE_SHA384,
169	SIGALG_RSA_PKCS1_SHA384,
170	SIGALG_ECDSA_SECP384R1_SHA384,
171	SIGALG_RSA_PSS_RSAE_SHA256,
172	SIGALG_RSA_PKCS1_SHA256,
173	SIGALG_ECDSA_SECP256R1_SHA256,
174	SIGALG_RSA_PKCS1_SHA1, /* XXX */
175	SIGALG_ECDSA_SHA1, /* XXX */
176	};
177	const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
178
179	static void
180	ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
181	size_t *out_len)
182	{
183	if (tls_version >= TLS1_3_VERSION) {
184	*out_values = tls13_sigalgs;
185	*out_len = tls13_sigalgs_len;
186	} else {
187	*out_values = tls12_sigalgs;
188	*out_len = tls12_sigalgs_len;
189	}
190	}
191
192	static const struct ssl_sigalg *
193	ssl_sigalg_lookup(uint16_t value)
194	{
195	int i;
196
197	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
198	if (sigalgs[i].value == value)
199	return &sigalgs[i];
200	}
201
202	return NULL;
203	}
204
205	static const struct ssl_sigalg *
206	ssl_sigalg_from_value(SSL *s, uint16_t value)
207	{
208	const uint16_t *values;
209	size_t len;
210	int i;
211
212	ssl_sigalgs_for_version(S3I(s)->hs.negotiated_tls_version,
213	&values, &len);
214
215	for (i = 0; i < len; i++) {
216	if (values[i] == value)
217	return ssl_sigalg_lookup(value);
218	}
219
220	return NULL;
221	}
222
223	int
224	ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
225	{
226	const uint16_t *values;
227	size_t len;
228	size_t i;
229
230	ssl_sigalgs_for_version(tls_version, &values, &len);
231
232	/* Add values in order as long as they are supported. */
233	for (i = 0; i < len; i++) {
234	/* Do not allow the legacy value for < 1.2 to be used. */
235	if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
236	return 0;
237	if (ssl_sigalg_lookup(values[i]) == NULL)
238	return 0;
239	if (!CBB_add_u16(cbb, values[i]))
240	return 0;
241	}
242	return 1;
243	}
244
245	static const struct ssl_sigalg *
246	ssl_sigalg_for_legacy(SSL s, EVP_PKEY pkey)
247	{
248	/* Default signature algorithms used for TLSv1.2 and earlier. */
249	switch (pkey->type) {
250	case EVP_PKEY_RSA:
251	if (S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION)
252	return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
253	return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
254	case EVP_PKEY_EC:
255	return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
256	#ifndef OPENSSL_NO_GOST
257	case EVP_PKEY_GOSTR01:
258	return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
259	#endif
260	}
261	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
262	return (NULL);
263	}
264
265	static int
266	ssl_sigalg_pkey_ok(SSL s, const struct ssl_sigalg sigalg, EVP_PKEY *pkey)
267	{
268	if (sigalg == NULL \|\| pkey == NULL)
269	return 0;
270	if (sigalg->key_type != pkey->type)
271	return 0;
272
273	/* RSA PSS must have a sufficiently large RSA key. */
274	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
275	if (pkey->type != EVP_PKEY_RSA \|\|
276	EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
277	return 0;
278	}
279
280	if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION)
281	return 1;
282
283	/* RSA cannot be used without PSS in TLSv1.3. */
284	if (sigalg->key_type == EVP_PKEY_RSA &&
285	(sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
286	return 0;
287
288	/* Ensure that curve matches for EC keys. */
289	if (pkey->type == EVP_PKEY_EC) {
290	if (sigalg->curve_nid == 0)
291	return 0;
292	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
293	EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid)
294	return 0;
295	}
296
297	return 1;
298	}
299
300	const struct ssl_sigalg *
301	ssl_sigalg_select(SSL s, EVP_PKEY pkey)
302	{
303	CBS cbs;
304
305	if (!SSL_USE_SIGALGS(s))
306	return ssl_sigalg_for_legacy(s, pkey);
307
308	/*
309	* RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
310	* in which case the server must use the default.
311	*/
312	if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
313	S3I(s)->hs.sigalgs == NULL)
314	return ssl_sigalg_for_legacy(s, pkey);
315
316	/*
317	* If we get here, we have client or server sent sigalgs, use one.
318	*/
319	CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
320	while (CBS_len(&cbs) > 0) {
321	const struct ssl_sigalg *sigalg;
322	uint16_t sigalg_value;
323
324	if (!CBS_get_u16(&cbs, &sigalg_value))
325	return 0;
326
327	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
328	continue;
329	if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
330	return sigalg;
331	}
332
333	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
334	return NULL;
335	}
336
337	const struct ssl_sigalg *
338	ssl_sigalg_for_peer(SSL s, EVP_PKEY pkey, uint16_t sigalg_value)
339	{
340	const struct ssl_sigalg *sigalg;
341
342	if (!SSL_USE_SIGALGS(s))
343	return ssl_sigalg_for_legacy(s, pkey);
344
345	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
346	SSLerror(s, SSL_R_UNKNOWN_DIGEST);
347	return (NULL);
348	}
349	if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
350	SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
351	return (NULL);
352	}
353
354	return sigalg;
355	}