1 files changed, 0 insertions, 388 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
deleted file mode 100644
index f59beb4320..0000000000
--- a/src/lib/libssl/ssl_sigalgs.c
+++ /dev/null
@@ -1,388 +0,0 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.48 2022/11/26 16:08:56 tb Exp $ */
-/*
- * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
- * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <string.h>
-#include <stdlib.h>
-#include <openssl/evp.h>
-#include <openssl/opensslconf.h>
-#include "bytestring.h"
-#include "ssl_local.h"
-#include "ssl_sigalgs.h"
-#include "tls13_internal.h"
-const struct ssl_sigalg sigalgs[] = {
-        {
-                .value = SIGALG_RSA_PKCS1_SHA512,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha512,
-                .security_level = 5,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP521R1_SHA512,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha512,
-                .security_level = 5,
-                .group_nid = NID_secp521r1,
-        },
-#ifndef OPENSSL_NO_GOST
-        {
-                .value = SIGALG_GOSTR12_512_STREEBOG_512,
-                .key_type = EVP_PKEY_GOSTR12_512,
-                .md = EVP_streebog512,
-                .security_level = 0,
-        },
-#endif
-        {
-                .value = SIGALG_RSA_PKCS1_SHA384,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha384,
-                .security_level = 4,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP384R1_SHA384,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha384,
-                .security_level = 4,
-                .group_nid = NID_secp384r1,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_SHA256,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha256,
-                .security_level = 3,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP256R1_SHA256,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha256,
-                .security_level = 3,
-                .group_nid = NID_X9_62_prime256v1,
-        },
-#ifndef OPENSSL_NO_GOST
-        {
-                .value = SIGALG_GOSTR12_256_STREEBOG_256,
-                .key_type = EVP_PKEY_GOSTR12_256,
-                .md = EVP_streebog256,
-                .security_level = 0,
-        },
-        {
-                .value = SIGALG_GOSTR01_GOST94,
-                .key_type = EVP_PKEY_GOSTR01,
-                .md = EVP_gostr341194,
-                .security_level = 0, /* XXX */
-        },
-#endif
-        {
-                .value = SIGALG_RSA_PSS_RSAE_SHA256,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha256,
-                .security_level = 3,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_RSAE_SHA384,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha384,
-                .security_level = 4,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_RSAE_SHA512,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha512,
-                .security_level = 5,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_PSS_SHA256,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha256,
-                .security_level = 3,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_PSS_SHA384,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha384,
-                .security_level = 4,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PSS_PSS_SHA512,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha512,
-                .security_level = 5,
-                .flags = SIGALG_FLAG_RSA_PSS,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_SHA224,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha224,
-                .security_level = 2,
-        },
-        {
-                .value = SIGALG_ECDSA_SECP224R1_SHA224,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha224,
-                .security_level = 2,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_SHA1,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_sha1,
-                .security_level = 1,
-        },
-        {
-                .value = SIGALG_ECDSA_SHA1,
-                .key_type = EVP_PKEY_EC,
-                .md = EVP_sha1,
-                .security_level = 1,
-        },
-        {
-                .value = SIGALG_RSA_PKCS1_MD5_SHA1,
-                .key_type = EVP_PKEY_RSA,
-                .md = EVP_md5_sha1,
-                .security_level = 1,
-        },
-        {
-                .value = SIGALG_NONE,
-        },
-};
-/* Sigalgs for TLSv1.3, in preference order. */
-const uint16_t tls13_sigalgs[] = {
-        SIGALG_RSA_PSS_RSAE_SHA512,
-        SIGALG_RSA_PKCS1_SHA512,
-        SIGALG_ECDSA_SECP521R1_SHA512,
-        SIGALG_RSA_PSS_RSAE_SHA384,
-        SIGALG_RSA_PKCS1_SHA384,
-        SIGALG_ECDSA_SECP384R1_SHA384,
-        SIGALG_RSA_PSS_RSAE_SHA256,
-        SIGALG_RSA_PKCS1_SHA256,
-        SIGALG_ECDSA_SECP256R1_SHA256,
-};
-const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
-/* Sigalgs for TLSv1.2, in preference order. */
-const uint16_t tls12_sigalgs[] = {
-        SIGALG_RSA_PSS_RSAE_SHA512,
-        SIGALG_RSA_PKCS1_SHA512,
-        SIGALG_ECDSA_SECP521R1_SHA512,
-        SIGALG_RSA_PSS_RSAE_SHA384,
-        SIGALG_RSA_PKCS1_SHA384,
-        SIGALG_ECDSA_SECP384R1_SHA384,
-        SIGALG_RSA_PSS_RSAE_SHA256,
-        SIGALG_RSA_PKCS1_SHA256,
-        SIGALG_ECDSA_SECP256R1_SHA256,
-        SIGALG_RSA_PKCS1_SHA1, /* XXX */
-        SIGALG_ECDSA_SHA1,     /* XXX */
-};
-const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
-static void
-ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
-    size_t *out_len)
-{
-        if (tls_version >= TLS1_3_VERSION) {
-                *out_values = tls13_sigalgs;
-                *out_len = tls13_sigalgs_len;
-        } else {
-                *out_values = tls12_sigalgs;
-                *out_len = tls12_sigalgs_len;
-        }
-}
-static const struct ssl_sigalg *
-ssl_sigalg_lookup(uint16_t value)
-{
-        int i;
-        for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
-                if (sigalgs[i].value == value)
-                        return &sigalgs[i];
-        }
-        return NULL;
-}
-static const struct ssl_sigalg *
-ssl_sigalg_from_value(SSL *s, uint16_t value)
-{
-        const uint16_t *values;
-        size_t len;
-        int i;
-        ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
-            &values, &len);
-        for (i = 0; i < len; i++) {
-                if (values[i] == value)
-                        return ssl_sigalg_lookup(value);
-        }
-        return NULL;
-}
-int
-ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
-{
-        const struct ssl_sigalg *sigalg;
-        const uint16_t *values;
-        size_t len;
-        size_t i;
-        int ret = 0;
-        ssl_sigalgs_for_version(tls_version, &values, &len);
-        /* Add values in order as long as they are supported. */
-        for (i = 0; i < len; i++) {
-                /* Do not allow the legacy value for < 1.2 to be used. */
-                if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
-                        return 0;
-                if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
-                        return 0;
-                if (sigalg->security_level < security_level)
-                        continue;
-                if (!CBB_add_u16(cbb, values[i]))
-                        return 0;
-                ret = 1;
-        }
-        return ret;
-}
-static const struct ssl_sigalg *
-ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
-{
-        if (SSL_get_security_level(s) > 1)
-                return NULL;
-        /* Default signature algorithms used for TLSv1.2 and earlier. */
-        switch (EVP_PKEY_id(pkey)) {
-        case EVP_PKEY_RSA:
-                if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
-                        return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
-                return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
-        case EVP_PKEY_EC:
-                return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
-#ifndef OPENSSL_NO_GOST
-        case EVP_PKEY_GOSTR01:
-                return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
-#endif
-        }
-        SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
-        return NULL;
-}
-static int
-ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
-{
-        if (sigalg == NULL || pkey == NULL)
-                return 0;
-        if (sigalg->key_type != EVP_PKEY_id(pkey))
-                return 0;
-        /* RSA PSS must have a sufficiently large RSA key. */
-        if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
-                if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
-                    EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
-                        return 0;
-        }
-        if (!ssl_security_sigalg_check(s, pkey))
-                return 0;
-        if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
-                return 1;
-        /* RSA cannot be used without PSS in TLSv1.3. */
-        if (sigalg->key_type == EVP_PKEY_RSA &&
-            (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
-                return 0;
-        /* Ensure that group matches for EC keys. */
-        if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
-                if (sigalg->group_nid == 0)
-                        return 0;
-                if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
-                    EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
-                        return 0;
-        }
-        return 1;
-}
-const struct ssl_sigalg *
-ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
-{
-        CBS cbs;
-        if (!SSL_USE_SIGALGS(s))
-                return ssl_sigalg_for_legacy(s, pkey);
-        /*
-         * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
-         * in which case the server must use the default.
-         */
-        if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
-            s->s3->hs.sigalgs == NULL)
-                return ssl_sigalg_for_legacy(s, pkey);
-        /*
-         * If we get here, we have client or server sent sigalgs, use one.
-         */
-        CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
-        while (CBS_len(&cbs) > 0) {
-                const struct ssl_sigalg *sigalg;
-                uint16_t sigalg_value;
-                if (!CBS_get_u16(&cbs, &sigalg_value))
-                        return NULL;
-                if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
-                        continue;
-                if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
-                        return sigalg;
-        }
-        SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
-        return NULL;
-}
-const struct ssl_sigalg *
-ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
-{
-        const struct ssl_sigalg *sigalg;
-        if (!SSL_USE_SIGALGS(s))
-                return ssl_sigalg_for_legacy(s, pkey);
-        if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
-                SSLerror(s, SSL_R_UNKNOWN_DIGEST);
-                return NULL;
-        }
-        if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
-                SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
-                return NULL;
-        }
-        return sigalg;
-}

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c deleted file mode 100644 index f59beb4320..0000000000 --- a/src/lib/libssl/ssl_sigalgs.c +++ /dev/null
@@ -1,388 +0,0 @@
1	/* $OpenBSD: ssl_sigalgs.c,v 1.48 2022/11/26 16:08:56 tb Exp $ */
2	/*
3	* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
5	*
6	* Permission to use, copy, modify, and/or distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
13	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
15	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
16	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#include <string.h>
20	#include <stdlib.h>
21
22	#include <openssl/evp.h>
23	#include <openssl/opensslconf.h>
24
25	#include "bytestring.h"
26	#include "ssl_local.h"
27	#include "ssl_sigalgs.h"
28	#include "tls13_internal.h"
29
30	const struct ssl_sigalg sigalgs[] = {
31	{
32	.value = SIGALG_RSA_PKCS1_SHA512,
33	.key_type = EVP_PKEY_RSA,
34	.md = EVP_sha512,
35	.security_level = 5,
36	},
37	{
38	.value = SIGALG_ECDSA_SECP521R1_SHA512,
39	.key_type = EVP_PKEY_EC,
40	.md = EVP_sha512,
41	.security_level = 5,
42	.group_nid = NID_secp521r1,
43	},
44	#ifndef OPENSSL_NO_GOST
45	{
46	.value = SIGALG_GOSTR12_512_STREEBOG_512,
47	.key_type = EVP_PKEY_GOSTR12_512,
48	.md = EVP_streebog512,
49	.security_level = 0,
50	},
51	#endif
52	{
53	.value = SIGALG_RSA_PKCS1_SHA384,
54	.key_type = EVP_PKEY_RSA,
55	.md = EVP_sha384,
56	.security_level = 4,
57	},
58	{
59	.value = SIGALG_ECDSA_SECP384R1_SHA384,
60	.key_type = EVP_PKEY_EC,
61	.md = EVP_sha384,
62	.security_level = 4,
63	.group_nid = NID_secp384r1,
64	},
65	{
66	.value = SIGALG_RSA_PKCS1_SHA256,
67	.key_type = EVP_PKEY_RSA,
68	.md = EVP_sha256,
69	.security_level = 3,
70	},
71	{
72	.value = SIGALG_ECDSA_SECP256R1_SHA256,
73	.key_type = EVP_PKEY_EC,
74	.md = EVP_sha256,
75	.security_level = 3,
76	.group_nid = NID_X9_62_prime256v1,
77	},
78	#ifndef OPENSSL_NO_GOST
79	{
80	.value = SIGALG_GOSTR12_256_STREEBOG_256,
81	.key_type = EVP_PKEY_GOSTR12_256,
82	.md = EVP_streebog256,
83	.security_level = 0,
84	},
85	{
86	.value = SIGALG_GOSTR01_GOST94,
87	.key_type = EVP_PKEY_GOSTR01,
88	.md = EVP_gostr341194,
89	.security_level = 0, /* XXX */
90	},
91	#endif
92	{
93	.value = SIGALG_RSA_PSS_RSAE_SHA256,
94	.key_type = EVP_PKEY_RSA,
95	.md = EVP_sha256,
96	.security_level = 3,
97	.flags = SIGALG_FLAG_RSA_PSS,
98	},
99	{
100	.value = SIGALG_RSA_PSS_RSAE_SHA384,
101	.key_type = EVP_PKEY_RSA,
102	.md = EVP_sha384,
103	.security_level = 4,
104	.flags = SIGALG_FLAG_RSA_PSS,
105	},
106	{
107	.value = SIGALG_RSA_PSS_RSAE_SHA512,
108	.key_type = EVP_PKEY_RSA,
109	.md = EVP_sha512,
110	.security_level = 5,
111	.flags = SIGALG_FLAG_RSA_PSS,
112	},
113	{
114	.value = SIGALG_RSA_PSS_PSS_SHA256,
115	.key_type = EVP_PKEY_RSA,
116	.md = EVP_sha256,
117	.security_level = 3,
118	.flags = SIGALG_FLAG_RSA_PSS,
119	},
120	{
121	.value = SIGALG_RSA_PSS_PSS_SHA384,
122	.key_type = EVP_PKEY_RSA,
123	.md = EVP_sha384,
124	.security_level = 4,
125	.flags = SIGALG_FLAG_RSA_PSS,
126	},
127	{
128	.value = SIGALG_RSA_PSS_PSS_SHA512,
129	.key_type = EVP_PKEY_RSA,
130	.md = EVP_sha512,
131	.security_level = 5,
132	.flags = SIGALG_FLAG_RSA_PSS,
133	},
134	{
135	.value = SIGALG_RSA_PKCS1_SHA224,
136	.key_type = EVP_PKEY_RSA,
137	.md = EVP_sha224,
138	.security_level = 2,
139	},
140	{
141	.value = SIGALG_ECDSA_SECP224R1_SHA224,
142	.key_type = EVP_PKEY_EC,
143	.md = EVP_sha224,
144	.security_level = 2,
145	},
146	{
147	.value = SIGALG_RSA_PKCS1_SHA1,
148	.key_type = EVP_PKEY_RSA,
149	.md = EVP_sha1,
150	.security_level = 1,
151	},
152	{
153	.value = SIGALG_ECDSA_SHA1,
154	.key_type = EVP_PKEY_EC,
155	.md = EVP_sha1,
156	.security_level = 1,
157	},
158	{
159	.value = SIGALG_RSA_PKCS1_MD5_SHA1,
160	.key_type = EVP_PKEY_RSA,
161	.md = EVP_md5_sha1,
162	.security_level = 1,
163	},
164	{
165	.value = SIGALG_NONE,
166	},
167	};
168
169	/* Sigalgs for TLSv1.3, in preference order. */
170	const uint16_t tls13_sigalgs[] = {
171	SIGALG_RSA_PSS_RSAE_SHA512,
172	SIGALG_RSA_PKCS1_SHA512,
173	SIGALG_ECDSA_SECP521R1_SHA512,
174	SIGALG_RSA_PSS_RSAE_SHA384,
175	SIGALG_RSA_PKCS1_SHA384,
176	SIGALG_ECDSA_SECP384R1_SHA384,
177	SIGALG_RSA_PSS_RSAE_SHA256,
178	SIGALG_RSA_PKCS1_SHA256,
179	SIGALG_ECDSA_SECP256R1_SHA256,
180	};
181	const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
182
183	/* Sigalgs for TLSv1.2, in preference order. */
184	const uint16_t tls12_sigalgs[] = {
185	SIGALG_RSA_PSS_RSAE_SHA512,
186	SIGALG_RSA_PKCS1_SHA512,
187	SIGALG_ECDSA_SECP521R1_SHA512,
188	SIGALG_RSA_PSS_RSAE_SHA384,
189	SIGALG_RSA_PKCS1_SHA384,
190	SIGALG_ECDSA_SECP384R1_SHA384,
191	SIGALG_RSA_PSS_RSAE_SHA256,
192	SIGALG_RSA_PKCS1_SHA256,
193	SIGALG_ECDSA_SECP256R1_SHA256,
194	SIGALG_RSA_PKCS1_SHA1, /* XXX */
195	SIGALG_ECDSA_SHA1, /* XXX */
196	};
197	const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
198
199	static void
200	ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
201	size_t *out_len)
202	{
203	if (tls_version >= TLS1_3_VERSION) {
204	*out_values = tls13_sigalgs;
205	*out_len = tls13_sigalgs_len;
206	} else {
207	*out_values = tls12_sigalgs;
208	*out_len = tls12_sigalgs_len;
209	}
210	}
211
212	static const struct ssl_sigalg *
213	ssl_sigalg_lookup(uint16_t value)
214	{
215	int i;
216
217	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
218	if (sigalgs[i].value == value)
219	return &sigalgs[i];
220	}
221
222	return NULL;
223	}
224
225	static const struct ssl_sigalg *
226	ssl_sigalg_from_value(SSL *s, uint16_t value)
227	{
228	const uint16_t *values;
229	size_t len;
230	int i;
231
232	ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
233	&values, &len);
234
235	for (i = 0; i < len; i++) {
236	if (values[i] == value)
237	return ssl_sigalg_lookup(value);
238	}
239
240	return NULL;
241	}
242
243	int
244	ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
245	{
246	const struct ssl_sigalg *sigalg;
247	const uint16_t *values;
248	size_t len;
249	size_t i;
250	int ret = 0;
251
252	ssl_sigalgs_for_version(tls_version, &values, &len);
253
254	/* Add values in order as long as they are supported. */
255	for (i = 0; i < len; i++) {
256	/* Do not allow the legacy value for < 1.2 to be used. */
257	if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
258	return 0;
259	if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
260	return 0;
261	if (sigalg->security_level < security_level)
262	continue;
263
264	if (!CBB_add_u16(cbb, values[i]))
265	return 0;
266
267	ret = 1;
268	}
269	return ret;
270	}
271
272	static const struct ssl_sigalg *
273	ssl_sigalg_for_legacy(SSL s, EVP_PKEY pkey)
274	{
275	if (SSL_get_security_level(s) > 1)
276	return NULL;
277
278	/* Default signature algorithms used for TLSv1.2 and earlier. */
279	switch (EVP_PKEY_id(pkey)) {
280	case EVP_PKEY_RSA:
281	if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
282	return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
283	return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
284	case EVP_PKEY_EC:
285	return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
286	#ifndef OPENSSL_NO_GOST
287	case EVP_PKEY_GOSTR01:
288	return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
289	#endif
290	}
291	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
292	return NULL;
293	}
294
295	static int
296	ssl_sigalg_pkey_ok(SSL s, const struct ssl_sigalg sigalg, EVP_PKEY *pkey)
297	{
298	if (sigalg == NULL \|\| pkey == NULL)
299	return 0;
300	if (sigalg->key_type != EVP_PKEY_id(pkey))
301	return 0;
302
303	/* RSA PSS must have a sufficiently large RSA key. */
304	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
305	if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA \|\|
306	EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
307	return 0;
308	}
309
310	if (!ssl_security_sigalg_check(s, pkey))
311	return 0;
312
313	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
314	return 1;
315
316	/* RSA cannot be used without PSS in TLSv1.3. */
317	if (sigalg->key_type == EVP_PKEY_RSA &&
318	(sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
319	return 0;
320
321	/* Ensure that group matches for EC keys. */
322	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
323	if (sigalg->group_nid == 0)
324	return 0;
325	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
326	EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
327	return 0;
328	}
329
330	return 1;
331	}
332
333	const struct ssl_sigalg *
334	ssl_sigalg_select(SSL s, EVP_PKEY pkey)
335	{
336	CBS cbs;
337
338	if (!SSL_USE_SIGALGS(s))
339	return ssl_sigalg_for_legacy(s, pkey);
340
341	/*
342	* RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
343	* in which case the server must use the default.
344	*/
345	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
346	s->s3->hs.sigalgs == NULL)
347	return ssl_sigalg_for_legacy(s, pkey);
348
349	/*
350	* If we get here, we have client or server sent sigalgs, use one.
351	*/
352	CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
353	while (CBS_len(&cbs) > 0) {
354	const struct ssl_sigalg *sigalg;
355	uint16_t sigalg_value;
356
357	if (!CBS_get_u16(&cbs, &sigalg_value))
358	return NULL;
359
360	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
361	continue;
362	if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
363	return sigalg;
364	}
365
366	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
367	return NULL;
368	}
369
370	const struct ssl_sigalg *
371	ssl_sigalg_for_peer(SSL s, EVP_PKEY pkey, uint16_t sigalg_value)
372	{
373	const struct ssl_sigalg *sigalg;
374
375	if (!SSL_USE_SIGALGS(s))
376	return ssl_sigalg_for_legacy(s, pkey);
377
378	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
379	SSLerror(s, SSL_R_UNKNOWN_DIGEST);
380	return NULL;
381	}
382	if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
383	SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
384	return NULL;
385	}
386
387	return sigalg;
388	}