1 files changed, 0 insertions, 361 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
deleted file mode 100644
index 18d71f6b95..0000000000
--- a/src/lib/libssl/ssl_sigalgs.c
+++ /dev/null
@@ -1,361 +0,0 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.50 2024/07/09 13:43:57 beck Exp $ */
-/*
- * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
- * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <string.h>
-#include <stdlib.h>
-#include <openssl/evp.h>
-#include <openssl/opensslconf.h>
-#include "bytestring.h"
-#include "ssl_local.h"
-#include "ssl_sigalgs.h"
-#include "tls13_internal.h"
-const struct ssl_sigalg sigalgs[] = {
-        {
-                .value = SIGALG_RSA_PKCS1_SHA512,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha512,
-                .security_level = 5,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP521R1_SHA512,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha512,
-                .security_level = 5,
-                .group_nid = NID_secp521r1,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_SHA384,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha384,
-                .security_level = 4,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP384R1_SHA384,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha384,
-                .security_level = 4,
-                .group_nid = NID_secp384r1,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_SHA256,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha256,
-                .security_level = 3,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP256R1_SHA256,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha256,
-                .security_level = 3,
-                .group_nid = NID_X9_62_prime256v1,
-        },
-        {
-                .value = SIGALG_RSA_PSS_RSAE_SHA256,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha256,
-                .security_level = 3,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_RSAE_SHA384,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha384,
-                .security_level = 4,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_RSAE_SHA512,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha512,
-                .security_level = 5,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_PSS_SHA256,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha256,
-                .security_level = 3,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_PSS_SHA384,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha384,
-                .security_level = 4,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_PSS_SHA512,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha512,
-                .security_level = 5,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_SHA224,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha224,
-                .security_level = 2,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP224R1_SHA224,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha224,
-                .security_level = 2,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_SHA1,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha1,
-                .security_level = 1,
-        },
-        {
-                .value = SIGALG_ECDSA_SHA1,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha1,
-                .security_level = 1,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_MD5_SHA1,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_md5_sha1,
-                .security_level = 1,
-        },
-        {
-                .value = SIGALG_NONE,
-        },
-};
-/* Sigalgs for TLSv1.3, in preference order. */
-const uint16_t tls13_sigalgs[] = {
-        SIGALG_RSA_PSS_RSAE_SHA512,
-        SIGALG_RSA_PKCS1_SHA512,
-        SIGALG_ECDSA_SECP521R1_SHA512,
-        SIGALG_RSA_PSS_RSAE_SHA384,
-        SIGALG_RSA_PKCS1_SHA384,
-        SIGALG_ECDSA_SECP384R1_SHA384,
-        SIGALG_RSA_PSS_RSAE_SHA256,
-        SIGALG_RSA_PKCS1_SHA256,
-        SIGALG_ECDSA_SECP256R1_SHA256,
-};
-const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
-/* Sigalgs for TLSv1.2, in preference order. */
-const uint16_t tls12_sigalgs[] = {
-        SIGALG_RSA_PSS_RSAE_SHA512,
-        SIGALG_RSA_PKCS1_SHA512,
-        SIGALG_ECDSA_SECP521R1_SHA512,
-        SIGALG_RSA_PSS_RSAE_SHA384,
-        SIGALG_RSA_PKCS1_SHA384,
-        SIGALG_ECDSA_SECP384R1_SHA384,
-        SIGALG_RSA_PSS_RSAE_SHA256,
-        SIGALG_RSA_PKCS1_SHA256,
-        SIGALG_ECDSA_SECP256R1_SHA256,
-        SIGALG_RSA_PKCS1_SHA1, /* XXX */
-        SIGALG_ECDSA_SHA1,     /* XXX */
-};
-const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
-static void
-ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
-    size_t *out_len)
-{
-        if (tls_version >= TLS1_3_VERSION) {
-                *out_values = tls13_sigalgs;
-                *out_len = tls13_sigalgs_len;
-        } else {
-                *out_values = tls12_sigalgs;
-                *out_len = tls12_sigalgs_len;
-        }
-}
-static const struct ssl_sigalg *
-ssl_sigalg_lookup(uint16_t value)
-{
-        int i;
-        for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
-                if (sigalgs[i].value == value)
-                        return &sigalgs[i];
-        }
-        return NULL;
-}
-static const struct ssl_sigalg *
-ssl_sigalg_from_value(SSL *s, uint16_t value)
-{
-        const uint16_t *values;
-        size_t len;
-        int i;
-        ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
-            &values, &len);
-        for (i = 0; i < len; i++) {
-                if (values[i] == value)
-                        return ssl_sigalg_lookup(value);
-        }
-        return NULL;
-}
-int
-ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
-{
-        const struct ssl_sigalg *sigalg;
-        const uint16_t *values;
-        size_t len;
-        size_t i;
-        int ret = 0;
-        ssl_sigalgs_for_version(tls_version, &values, &len);
-        /* Add values in order as long as they are supported. */
-        for (i = 0; i < len; i++) {
-                /* Do not allow the legacy value for < 1.2 to be used. */
-                if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
-                        return 0;
-                if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
-                        return 0;
-                if (sigalg->security_level < security_level)
-                        continue;
-                if (!CBB_add_u16(cbb, values[i]))
-                        return 0;
-                ret = 1;
-        }
-        return ret;
-}
-static const struct ssl_sigalg *
-ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
-{
-        if (SSL_get_security_level(s) > 1)
-                return NULL;
-        /* Default signature algorithms used for TLSv1.2 and earlier. */
-        switch (EVP_PKEY_id(pkey)) {
-        case EVP_PKEY_RSA:
-                if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
-                        return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
-                return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
-        case EVP_PKEY_EC:
-                return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
-        }
-        SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
-        return NULL;
-}
-static int
-ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
-{
-        if (sigalg == NULL || pkey == NULL)
-                return 0;
-        if (sigalg->key_type != EVP_PKEY_id(pkey))
-                return 0;
-        /* RSA PSS must have a sufficiently large RSA key. */
-        if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
-                if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
-                    EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
-                        return 0;
-        }
-        if (!ssl_security_sigalg_check(s, pkey))
-                return 0;
-        if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
-                return 1;
-        /* RSA cannot be used without PSS in TLSv1.3. */
-        if (sigalg->key_type == EVP_PKEY_RSA &&
-            (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
-                return 0;
-        /* Ensure that group matches for EC keys. */
-        if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
-                if (sigalg->group_nid == 0)
-                        return 0;
-                if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
-                    EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
-                        return 0;
-        }
-        return 1;
-}
-const struct ssl_sigalg *
-ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
-{
-        CBS cbs;
-        if (!SSL_USE_SIGALGS(s))
-                return ssl_sigalg_for_legacy(s, pkey);
-        /*
-         * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
-         * in which case the server must use the default.
-         */
-        if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
-            s->s3->hs.sigalgs == NULL)
-                return ssl_sigalg_for_legacy(s, pkey);
-        /*
-         * If we get here, we have client or server sent sigalgs, use one.
-         */
-        CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
-        while (CBS_len(&cbs) > 0) {
-                const struct ssl_sigalg *sigalg;
-                uint16_t sigalg_value;
-                if (!CBS_get_u16(&cbs, &sigalg_value))
-                        return NULL;
-                if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
-                        continue;
-                if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
-                        return sigalg;
-        }
-        return NULL;
-}
-const struct ssl_sigalg *
-ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
-{
-        const struct ssl_sigalg *sigalg;
-        if (!SSL_USE_SIGALGS(s))
-                return ssl_sigalg_for_legacy(s, pkey);
-        if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
-                SSLerror(s, SSL_R_UNKNOWN_DIGEST);
-                return NULL;
-        }
-        if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
-                SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
-                return NULL;
-        }
-        return sigalg;
-}

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c deleted file mode 100644 index 18d71f6b95..0000000000 --- a/src/lib/libssl/ssl_sigalgs.c +++ /dev/null
@@ -1,361 +0,0 @@
1	/* $OpenBSD: ssl_sigalgs.c,v 1.50 2024/07/09 13:43:57 beck Exp $ */
2	/*
3	* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
5	*
6	* Permission to use, copy, modify, and/or distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
13	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
15	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
16	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#include <string.h>
20	#include <stdlib.h>
21
22	#include <openssl/evp.h>
23	#include <openssl/opensslconf.h>
24
25	#include "bytestring.h"
26	#include "ssl_local.h"
27	#include "ssl_sigalgs.h"
28	#include "tls13_internal.h"
29
30	const struct ssl_sigalg sigalgs[] = {
31	{
32	.value = SIGALG_RSA_PKCS1_SHA512,
33	.key_type = EVP_PKEY_RSA,
34	.md = EVP_sha512,
35	.security_level = 5,
36	},
37	{
38	.value = SIGALG_ECDSA_SECP521R1_SHA512,
39	.key_type = EVP_PKEY_EC,
40	.md = EVP_sha512,
41	.security_level = 5,
42	.group_nid = NID_secp521r1,
43	},
44	{
45	.value = SIGALG_RSA_PKCS1_SHA384,
46	.key_type = EVP_PKEY_RSA,
47	.md = EVP_sha384,
48	.security_level = 4,
49	},
50	{
51	.value = SIGALG_ECDSA_SECP384R1_SHA384,
52	.key_type = EVP_PKEY_EC,
53	.md = EVP_sha384,
54	.security_level = 4,
55	.group_nid = NID_secp384r1,
56	},
57	{
58	.value = SIGALG_RSA_PKCS1_SHA256,
59	.key_type = EVP_PKEY_RSA,
60	.md = EVP_sha256,
61	.security_level = 3,
62	},
63	{
64	.value = SIGALG_ECDSA_SECP256R1_SHA256,
65	.key_type = EVP_PKEY_EC,
66	.md = EVP_sha256,
67	.security_level = 3,
68	.group_nid = NID_X9_62_prime256v1,
69	},
70	{
71	.value = SIGALG_RSA_PSS_RSAE_SHA256,
72	.key_type = EVP_PKEY_RSA,
73	.md = EVP_sha256,
74	.security_level = 3,
75	.flags = SIGALG_FLAG_RSA_PSS,
76	},
77	{
78	.value = SIGALG_RSA_PSS_RSAE_SHA384,
79	.key_type = EVP_PKEY_RSA,
80	.md = EVP_sha384,
81	.security_level = 4,
82	.flags = SIGALG_FLAG_RSA_PSS,
83	},
84	{
85	.value = SIGALG_RSA_PSS_RSAE_SHA512,
86	.key_type = EVP_PKEY_RSA,
87	.md = EVP_sha512,
88	.security_level = 5,
89	.flags = SIGALG_FLAG_RSA_PSS,
90	},
91	{
92	.value = SIGALG_RSA_PSS_PSS_SHA256,
93	.key_type = EVP_PKEY_RSA,
94	.md = EVP_sha256,
95	.security_level = 3,
96	.flags = SIGALG_FLAG_RSA_PSS,
97	},
98	{
99	.value = SIGALG_RSA_PSS_PSS_SHA384,
100	.key_type = EVP_PKEY_RSA,
101	.md = EVP_sha384,
102	.security_level = 4,
103	.flags = SIGALG_FLAG_RSA_PSS,
104	},
105	{
106	.value = SIGALG_RSA_PSS_PSS_SHA512,
107	.key_type = EVP_PKEY_RSA,
108	.md = EVP_sha512,
109	.security_level = 5,
110	.flags = SIGALG_FLAG_RSA_PSS,
111	},
112	{
113	.value = SIGALG_RSA_PKCS1_SHA224,
114	.key_type = EVP_PKEY_RSA,
115	.md = EVP_sha224,
116	.security_level = 2,
117	},
118	{
119	.value = SIGALG_ECDSA_SECP224R1_SHA224,
120	.key_type = EVP_PKEY_EC,
121	.md = EVP_sha224,
122	.security_level = 2,
123	},
124	{
125	.value = SIGALG_RSA_PKCS1_SHA1,
126	.key_type = EVP_PKEY_RSA,
127	.md = EVP_sha1,
128	.security_level = 1,
129	},
130	{
131	.value = SIGALG_ECDSA_SHA1,
132	.key_type = EVP_PKEY_EC,
133	.md = EVP_sha1,
134	.security_level = 1,
135	},
136	{
137	.value = SIGALG_RSA_PKCS1_MD5_SHA1,
138	.key_type = EVP_PKEY_RSA,
139	.md = EVP_md5_sha1,
140	.security_level = 1,
141	},
142	{
143	.value = SIGALG_NONE,
144	},
145	};
146
147	/* Sigalgs for TLSv1.3, in preference order. */
148	const uint16_t tls13_sigalgs[] = {
149	SIGALG_RSA_PSS_RSAE_SHA512,
150	SIGALG_RSA_PKCS1_SHA512,
151	SIGALG_ECDSA_SECP521R1_SHA512,
152	SIGALG_RSA_PSS_RSAE_SHA384,
153	SIGALG_RSA_PKCS1_SHA384,
154	SIGALG_ECDSA_SECP384R1_SHA384,
155	SIGALG_RSA_PSS_RSAE_SHA256,
156	SIGALG_RSA_PKCS1_SHA256,
157	SIGALG_ECDSA_SECP256R1_SHA256,
158	};
159	const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
160
161	/* Sigalgs for TLSv1.2, in preference order. */
162	const uint16_t tls12_sigalgs[] = {
163	SIGALG_RSA_PSS_RSAE_SHA512,
164	SIGALG_RSA_PKCS1_SHA512,
165	SIGALG_ECDSA_SECP521R1_SHA512,
166	SIGALG_RSA_PSS_RSAE_SHA384,
167	SIGALG_RSA_PKCS1_SHA384,
168	SIGALG_ECDSA_SECP384R1_SHA384,
169	SIGALG_RSA_PSS_RSAE_SHA256,
170	SIGALG_RSA_PKCS1_SHA256,
171	SIGALG_ECDSA_SECP256R1_SHA256,
172	SIGALG_RSA_PKCS1_SHA1, /* XXX */
173	SIGALG_ECDSA_SHA1, /* XXX */
174	};
175	const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
176
177	static void
178	ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
179	size_t *out_len)
180	{
181	if (tls_version >= TLS1_3_VERSION) {
182	*out_values = tls13_sigalgs;
183	*out_len = tls13_sigalgs_len;
184	} else {
185	*out_values = tls12_sigalgs;
186	*out_len = tls12_sigalgs_len;
187	}
188	}
189
190	static const struct ssl_sigalg *
191	ssl_sigalg_lookup(uint16_t value)
192	{
193	int i;
194
195	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
196	if (sigalgs[i].value == value)
197	return &sigalgs[i];
198	}
199
200	return NULL;
201	}
202
203	static const struct ssl_sigalg *
204	ssl_sigalg_from_value(SSL *s, uint16_t value)
205	{
206	const uint16_t *values;
207	size_t len;
208	int i;
209
210	ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
211	&values, &len);
212
213	for (i = 0; i < len; i++) {
214	if (values[i] == value)
215	return ssl_sigalg_lookup(value);
216	}
217
218	return NULL;
219	}
220
221	int
222	ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
223	{
224	const struct ssl_sigalg *sigalg;
225	const uint16_t *values;
226	size_t len;
227	size_t i;
228	int ret = 0;
229
230	ssl_sigalgs_for_version(tls_version, &values, &len);
231
232	/* Add values in order as long as they are supported. */
233	for (i = 0; i < len; i++) {
234	/* Do not allow the legacy value for < 1.2 to be used. */
235	if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
236	return 0;
237	if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
238	return 0;
239	if (sigalg->security_level < security_level)
240	continue;
241
242	if (!CBB_add_u16(cbb, values[i]))
243	return 0;
244
245	ret = 1;
246	}
247	return ret;
248	}
249
250	static const struct ssl_sigalg *
251	ssl_sigalg_for_legacy(SSL s, EVP_PKEY pkey)
252	{
253	if (SSL_get_security_level(s) > 1)
254	return NULL;
255
256	/* Default signature algorithms used for TLSv1.2 and earlier. */
257	switch (EVP_PKEY_id(pkey)) {
258	case EVP_PKEY_RSA:
259	if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
260	return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
261	return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
262	case EVP_PKEY_EC:
263	return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
264	}
265	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
266	return NULL;
267	}
268
269	static int
270	ssl_sigalg_pkey_ok(SSL s, const struct ssl_sigalg sigalg, EVP_PKEY *pkey)
271	{
272	if (sigalg == NULL \|\| pkey == NULL)
273	return 0;
274	if (sigalg->key_type != EVP_PKEY_id(pkey))
275	return 0;
276
277	/* RSA PSS must have a sufficiently large RSA key. */
278	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
279	if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA \|\|
280	EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
281	return 0;
282	}
283
284	if (!ssl_security_sigalg_check(s, pkey))
285	return 0;
286
287	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
288	return 1;
289
290	/* RSA cannot be used without PSS in TLSv1.3. */
291	if (sigalg->key_type == EVP_PKEY_RSA &&
292	(sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
293	return 0;
294
295	/* Ensure that group matches for EC keys. */
296	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
297	if (sigalg->group_nid == 0)
298	return 0;
299	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
300	EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
301	return 0;
302	}
303
304	return 1;
305	}
306
307	const struct ssl_sigalg *
308	ssl_sigalg_select(SSL s, EVP_PKEY pkey)
309	{
310	CBS cbs;
311
312	if (!SSL_USE_SIGALGS(s))
313	return ssl_sigalg_for_legacy(s, pkey);
314
315	/*
316	* RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
317	* in which case the server must use the default.
318	*/
319	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
320	s->s3->hs.sigalgs == NULL)
321	return ssl_sigalg_for_legacy(s, pkey);
322
323	/*
324	* If we get here, we have client or server sent sigalgs, use one.
325	*/
326	CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
327	while (CBS_len(&cbs) > 0) {
328	const struct ssl_sigalg *sigalg;
329	uint16_t sigalg_value;
330
331	if (!CBS_get_u16(&cbs, &sigalg_value))
332	return NULL;
333
334	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
335	continue;
336	if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
337	return sigalg;
338	}
339
340	return NULL;
341	}
342
343	const struct ssl_sigalg *
344	ssl_sigalg_for_peer(SSL s, EVP_PKEY pkey, uint16_t sigalg_value)
345	{
346	const struct ssl_sigalg *sigalg;
347
348	if (!SSL_USE_SIGALGS(s))
349	return ssl_sigalg_for_legacy(s, pkey);
350
351	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
352	SSLerror(s, SSL_R_UNKNOWN_DIGEST);
353	return NULL;
354	}
355	if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
356	SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
357	return NULL;
358	}
359
360	return sigalg;
361	}