1 files changed, 218 insertions, 0 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
new file mode 100644
index 0000000000..d214b0dbbf
--- /dev/null
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -0,0 +1,218 @@
+/* $OpenBSD: ssl_sigalgs.c,v 1.1 2018/11/09 00:34:55 beck Exp $ */
+/*
+ * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <string.h>
+#include <stdlib.h>
+#include <openssl/evp.h>
+#include "bytestring.h"
+#include "ssl_locl.h"
+#include "ssl_sigalgs.h"
+#include "tls13_internal.h"
+/* This table must be kept in preference order for now */
+const struct ssl_sigalg sigalgs[] = {
+        {
+                .value = SIGALG_RSA_PKCS1_SHA512,
+                .md = EVP_sha512,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+        },
+        {
+                .value = SIGALG_ECDSA_SECP512R1_SHA512,
+                .md = EVP_sha512,
+                .key_type = EVP_PKEY_EC,
+                .pkey_idx = SSL_PKEY_ECC,
+        },
+#ifndef OPENSSL_NO_GOST
+        {
+                .value = SIGALG_GOSTR12_512_STREEBOG_512,
+                .md = EVP_streebog512,
+                .key_type = EVP_PKEY_GOSTR12_512,
+                .pkey_idx = SSL_PKEY_GOST01, /* XXX */
+        },
+#endif
+        {
+                .value = SIGALG_RSA_PKCS1_SHA384,
+                .md = EVP_sha384,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+        },
+        {
+                .value = SIGALG_ECDSA_SECP384R1_SHA384,
+                .md = EVP_sha384,
+                .key_type = EVP_PKEY_EC,
+                .pkey_idx = SSL_PKEY_ECC,
+        },
+        {
+                .value = SIGALG_RSA_PKCS1_SHA256,
+                .md = EVP_sha256,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+        },
+        {
+                .value = SIGALG_ECDSA_SECP256R1_SHA256,
+                .md = EVP_sha256,
+                .key_type = EVP_PKEY_EC,
+                .pkey_idx = SSL_PKEY_ECC,
+        },
+#ifndef OPENSSL_NO_GOST
+        {
+                .value = SIGALG_GOSTR12_256_STREEBOG_256,
+                .md = EVP_streebog256,
+                .key_type = EVP_PKEY_GOSTR12_256,
+                .pkey_idx = SSL_PKEY_GOST01, /* XXX */
+        },
+        {
+                .value = SIGALG_GOSTR01_GOST94,
+                .md = EVP_gostr341194,
+                .key_type = EVP_PKEY_GOSTR01,
+                .pkey_idx = SSL_PKEY_GOST01,
+        },
+#endif
+#ifdef LIBRESSL_HAS_TLS1_3
+        {
+                .value = SIGALG_RSA_PSS_RSAE_SHA256,
+                .md = EVP_sha256,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+                .flags = SIGALG_FLAG_RSA_PSS,
+        },
+        {
+                .value = SIGALG_RSA_PSS_RSAE_SHA384,
+                .md = EVP_sha384,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+                .flags = SIGALG_FLAG_RSA_PSS,
+        },
+        {
+                .value = SIGALG_RSA_PSS_RSAE_SHA512,
+                .md = EVP_sha512,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+                .flags = SIGALG_FLAG_RSA_PSS,
+        },
+        {
+                .value = SIGALG_RSA_PSS_PSS_SHA256,
+                .md = EVP_sha256,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+                .flags = SIGALG_FLAG_RSA_PSS,
+        },
+        {
+                .value = SIGALG_RSA_PSS_PSS_SHA384,
+                .md = EVP_sha384,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+                .flags = SIGALG_FLAG_RSA_PSS,
+        },
+        {
+                .value = SIGALG_RSA_PSS_PSS_SHA512,
+                .md = EVP_sha512,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+                .flags = SIGALG_FLAG_RSA_PSS,
+        },
+#endif
+        {
+                .value = SIGALG_RSA_PKCS1_SHA224,
+                .md = EVP_sha224,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+        },
+        {
+                .value = SIGALG_ECDSA_SECP224R1_SHA224,
+                .md = EVP_sha224,
+                .key_type = EVP_PKEY_EC,
+                .pkey_idx = SSL_PKEY_ECC,
+        },
+        {
+                .value = SIGALG_RSA_PKCS1_SHA1,
+                .key_type = EVP_PKEY_RSA,
+                .pkey_idx = SSL_PKEY_RSA_SIGN,
+                .md = EVP_sha1,
+        },
+        {
+                .value = SIGALG_ECDSA_SHA1,
+                .key_type = EVP_PKEY_EC,
+                .md = EVP_sha1,
+                .pkey_idx = SSL_PKEY_ECC,
+        },
+        {
+                .value = SIGALG_NONE,
+        },
+};
+const struct ssl_sigalg *
+ssl_sigalg_lookup(uint16_t sigalg)
+{
+        int i;
+        for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
+                if (sigalgs[i].value == sigalg)
+                        return &sigalgs[i];
+        }
+        return NULL;
+}
+const EVP_MD *
+ssl_sigalg_md(uint16_t sigalg)
+{
+        const struct ssl_sigalg *sap;
+        if ((sap = ssl_sigalg_lookup(sigalg)) != NULL)
+                return sap->md();
+        return NULL;
+}
+int
+ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk)
+{
+        const struct ssl_sigalg *sap;
+        if ((sap = ssl_sigalg_lookup(sigalg)) != NULL)
+                return sap->key_type == pk->type;
+        return 0;
+}
+uint16_t
+ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md)
+{
+        int i;
+        for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
+                if ((sigalgs[i].key_type == pk->type) &&
+                    ((sigalgs[i].md() == md)))
+                        return sigalgs[i].value;
+        }
+        return SIGALG_NONE;
+}
+int
+ssl_sigalgs_build(CBB *cbb)
+{
+        int i;
+        for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
+                if (!CBB_add_u16(cbb, sigalgs[i].value))
+                        return 0;
+        }
+        return 1;
+}

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c new file mode 100644 index 0000000000..d214b0dbbf --- /dev/null +++ b/src/lib/libssl/ssl_sigalgs.c
@@ -0,0 +1,218 @@
	1	/* $OpenBSD: ssl_sigalgs.c,v 1.1 2018/11/09 00:34:55 beck Exp $ */
	2	/*
	3	* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
	4	*
	5	* Permission to use, copy, modify, and/or distribute this software for any
	6	* purpose with or without fee is hereby granted, provided that the above
	7	* copyright notice and this permission notice appear in all copies.
	8	*
	9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
	12	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
	14	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
	15	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	*/
	17	#include <string.h>
	18	#include <stdlib.h>
	19
	20	#include <openssl/evp.h>
	21
	22	#include "bytestring.h"
	23	#include "ssl_locl.h"
	24	#include "ssl_sigalgs.h"
	25	#include "tls13_internal.h"
	26
	27	/* This table must be kept in preference order for now */
	28	const struct ssl_sigalg sigalgs[] = {
	29	{
	30	.value = SIGALG_RSA_PKCS1_SHA512,
	31	.md = EVP_sha512,
	32	.key_type = EVP_PKEY_RSA,
	33	.pkey_idx = SSL_PKEY_RSA_SIGN,
	34	},
	35	{
	36	.value = SIGALG_ECDSA_SECP512R1_SHA512,
	37	.md = EVP_sha512,
	38	.key_type = EVP_PKEY_EC,
	39	.pkey_idx = SSL_PKEY_ECC,
	40	},
	41	#ifndef OPENSSL_NO_GOST
	42	{
	43	.value = SIGALG_GOSTR12_512_STREEBOG_512,
	44	.md = EVP_streebog512,
	45	.key_type = EVP_PKEY_GOSTR12_512,
	46	.pkey_idx = SSL_PKEY_GOST01, /* XXX */
	47	},
	48	#endif
	49	{
	50	.value = SIGALG_RSA_PKCS1_SHA384,
	51	.md = EVP_sha384,
	52	.key_type = EVP_PKEY_RSA,
	53	.pkey_idx = SSL_PKEY_RSA_SIGN,
	54	},
	55	{
	56	.value = SIGALG_ECDSA_SECP384R1_SHA384,
	57	.md = EVP_sha384,
	58	.key_type = EVP_PKEY_EC,
	59	.pkey_idx = SSL_PKEY_ECC,
	60	},
	61	{
	62	.value = SIGALG_RSA_PKCS1_SHA256,
	63	.md = EVP_sha256,
	64	.key_type = EVP_PKEY_RSA,
	65	.pkey_idx = SSL_PKEY_RSA_SIGN,
	66	},
	67	{
	68	.value = SIGALG_ECDSA_SECP256R1_SHA256,
	69	.md = EVP_sha256,
	70	.key_type = EVP_PKEY_EC,
	71	.pkey_idx = SSL_PKEY_ECC,
	72	},
	73	#ifndef OPENSSL_NO_GOST
	74	{
	75	.value = SIGALG_GOSTR12_256_STREEBOG_256,
	76	.md = EVP_streebog256,
	77	.key_type = EVP_PKEY_GOSTR12_256,
	78	.pkey_idx = SSL_PKEY_GOST01, /* XXX */
	79	},
	80	{
	81	.value = SIGALG_GOSTR01_GOST94,
	82	.md = EVP_gostr341194,
	83	.key_type = EVP_PKEY_GOSTR01,
	84	.pkey_idx = SSL_PKEY_GOST01,
	85	},
	86	#endif
	87	#ifdef LIBRESSL_HAS_TLS1_3
	88	{
	89	.value = SIGALG_RSA_PSS_RSAE_SHA256,
	90	.md = EVP_sha256,
	91	.key_type = EVP_PKEY_RSA,
	92	.pkey_idx = SSL_PKEY_RSA_SIGN,
	93	.flags = SIGALG_FLAG_RSA_PSS,
	94	},
	95	{
	96	.value = SIGALG_RSA_PSS_RSAE_SHA384,
	97	.md = EVP_sha384,
	98	.key_type = EVP_PKEY_RSA,
	99	.pkey_idx = SSL_PKEY_RSA_SIGN,
	100	.flags = SIGALG_FLAG_RSA_PSS,
	101	},
	102	{
	103	.value = SIGALG_RSA_PSS_RSAE_SHA512,
	104	.md = EVP_sha512,
	105	.key_type = EVP_PKEY_RSA,
	106	.pkey_idx = SSL_PKEY_RSA_SIGN,
	107	.flags = SIGALG_FLAG_RSA_PSS,
	108	},
	109	{
	110	.value = SIGALG_RSA_PSS_PSS_SHA256,
	111	.md = EVP_sha256,
	112	.key_type = EVP_PKEY_RSA,
	113	.pkey_idx = SSL_PKEY_RSA_SIGN,
	114	.flags = SIGALG_FLAG_RSA_PSS,
	115	},
	116	{
	117	.value = SIGALG_RSA_PSS_PSS_SHA384,
	118	.md = EVP_sha384,
	119	.key_type = EVP_PKEY_RSA,
	120	.pkey_idx = SSL_PKEY_RSA_SIGN,
	121	.flags = SIGALG_FLAG_RSA_PSS,
	122	},
	123	{
	124	.value = SIGALG_RSA_PSS_PSS_SHA512,
	125	.md = EVP_sha512,
	126	.key_type = EVP_PKEY_RSA,
	127	.pkey_idx = SSL_PKEY_RSA_SIGN,
	128	.flags = SIGALG_FLAG_RSA_PSS,
	129	},
	130	#endif
	131	{
	132	.value = SIGALG_RSA_PKCS1_SHA224,
	133	.md = EVP_sha224,
	134	.key_type = EVP_PKEY_RSA,
	135	.pkey_idx = SSL_PKEY_RSA_SIGN,
	136	},
	137	{
	138	.value = SIGALG_ECDSA_SECP224R1_SHA224,
	139	.md = EVP_sha224,
	140	.key_type = EVP_PKEY_EC,
	141	.pkey_idx = SSL_PKEY_ECC,
	142	},
	143	{
	144	.value = SIGALG_RSA_PKCS1_SHA1,
	145	.key_type = EVP_PKEY_RSA,
	146	.pkey_idx = SSL_PKEY_RSA_SIGN,
	147	.md = EVP_sha1,
	148	},
	149	{
	150	.value = SIGALG_ECDSA_SHA1,
	151	.key_type = EVP_PKEY_EC,
	152	.md = EVP_sha1,
	153	.pkey_idx = SSL_PKEY_ECC,
	154	},
	155	{
	156	.value = SIGALG_NONE,
	157	},
	158	};
	159
	160	const struct ssl_sigalg *
	161	ssl_sigalg_lookup(uint16_t sigalg)
	162	{
	163	int i;
	164
	165	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
	166	if (sigalgs[i].value == sigalg)
	167	return &sigalgs[i];
	168	}
	169
	170	return NULL;
	171	}
	172
	173	const EVP_MD *
	174	ssl_sigalg_md(uint16_t sigalg)
	175	{
	176	const struct ssl_sigalg *sap;
	177
	178	if ((sap = ssl_sigalg_lookup(sigalg)) != NULL)
	179	return sap->md();
	180
	181	return NULL;
	182	}
	183
	184	int
	185	ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk)
	186	{
	187	const struct ssl_sigalg *sap;
	188
	189	if ((sap = ssl_sigalg_lookup(sigalg)) != NULL)
	190	return sap->key_type == pk->type;
	191
	192	return 0;
	193	}
	194
	195	uint16_t
	196	ssl_sigalg_value(const EVP_PKEY pk, const EVP_MD md)
	197	{
	198	int i;
	199
	200	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
	201	if ((sigalgs[i].key_type == pk->type) &&
	202	((sigalgs[i].md() == md)))
	203	return sigalgs[i].value;
	204	}
	205	return SIGALG_NONE;
	206	}
	207
	208	int
	209	ssl_sigalgs_build(CBB *cbb)
	210	{
	211	int i;
	212
	213	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
	214	if (!CBB_add_u16(cbb, sigalgs[i].value))
	215	return 0;
	216	}
	217	return 1;
	218	}