1 files changed, 68 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 1813d46f41..9db2d1ab41 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.7 2017/08/12 21:17:03 doug Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.8 2017/08/12 21:47:59 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -361,6 +361,64 @@ tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert)
 }
 /*
+ * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
+ */
+int
+tlsext_sigalgs_clienthello_needs(SSL *s)
+{
+        return (TLS1_get_client_version(s) >= TLS1_2_VERSION);
+}
+int
+tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb)
+{
+        unsigned char *sigalgs_data;
+        size_t sigalgs_len;
+        CBB sigalgs;
+        tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len);
+        if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
+                return 0;
+        if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len))
+                return 0;
+        if (!CBB_flush(cbb))
+                return 0;
+        return 1;
+}
+int
+tlsext_sigalgs_clienthello_parse(SSL *s, CBS *cbs, int *alert)
+{
+        CBS sigalgs;
+        if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
+                return 0;
+        return tls1_process_sigalgs(s, &sigalgs);
+}
+int
+tlsext_sigalgs_serverhello_needs(SSL *s)
+{
+        return 0;
+}
+int
+tlsext_sigalgs_serverhello_build(SSL *s, CBB *cbb)
+{
+        return 0;
+}
+int
+tlsext_sigalgs_serverhello_parse(SSL *s, CBS *cbs, int *alert)
+{
+        /* As per the RFC, servers must not send this extension. */
+        return 0;
+}
+/*
 * Server Name Indication - RFC 6066, section 3.
 */
 int
@@ -673,6 +731,15 @@ static struct tls_extension tls_extensions[] = {
                .serverhello_build = tlsext_sessionticket_serverhello_build,
                .serverhello_parse = tlsext_sessionticket_serverhello_parse,
        },
+        {
+                .type = TLSEXT_TYPE_signature_algorithms,
+                .clienthello_needs = tlsext_sigalgs_clienthello_needs,
+                .clienthello_build = tlsext_sigalgs_clienthello_build,
+                .clienthello_parse = tlsext_sigalgs_clienthello_parse,
+                .serverhello_needs = tlsext_sigalgs_serverhello_needs,
+                .serverhello_build = tlsext_sigalgs_serverhello_build,
+                .serverhello_parse = tlsext_sigalgs_serverhello_parse,
+        },
 };
 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 1813d46f41..9db2d1ab41 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.7 2017/08/12 21:17:03 doug Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.8 2017/08/12 21:47:59 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -361,6 +361,64 @@ tlsext_ri_serverhello_parse(SSL s, CBS cbs, int *alert)
361	}	361	}
362		362
363	/*	363	/*
		364	* Signature Algorithms - RFC 5246 section 7.4.1.4.1.
		365	*/
		366	int
		367	tlsext_sigalgs_clienthello_needs(SSL *s)
		368	{
		369	return (TLS1_get_client_version(s) >= TLS1_2_VERSION);
		370	}
		371
		372	int
		373	tlsext_sigalgs_clienthello_build(SSL s, CBB cbb)
		374	{
		375	unsigned char *sigalgs_data;
		376	size_t sigalgs_len;
		377	CBB sigalgs;
		378
		379	tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len);
		380
		381	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
		382	return 0;
		383	if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len))
		384	return 0;
		385	if (!CBB_flush(cbb))
		386	return 0;
		387
		388	return 1;
		389	}
		390
		391	int
		392	tlsext_sigalgs_clienthello_parse(SSL s, CBS cbs, int *alert)
		393	{
		394	CBS sigalgs;
		395
		396	if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
		397	return 0;
		398
		399	return tls1_process_sigalgs(s, &sigalgs);
		400	}
		401
		402	int
		403	tlsext_sigalgs_serverhello_needs(SSL *s)
		404	{
		405	return 0;
		406	}
		407
		408	int
		409	tlsext_sigalgs_serverhello_build(SSL s, CBB cbb)
		410	{
		411	return 0;
		412	}
		413
		414	int
		415	tlsext_sigalgs_serverhello_parse(SSL s, CBS cbs, int *alert)
		416	{
		417	/* As per the RFC, servers must not send this extension. */
		418	return 0;
		419	}
		420
		421	/*
364	* Server Name Indication - RFC 6066, section 3.	422	* Server Name Indication - RFC 6066, section 3.
365	*/	423	*/
366	int	424	int
@@ -673,6 +731,15 @@ static struct tls_extension tls_extensions[] = {
673	.serverhello_build = tlsext_sessionticket_serverhello_build,	731	.serverhello_build = tlsext_sessionticket_serverhello_build,
674	.serverhello_parse = tlsext_sessionticket_serverhello_parse,	732	.serverhello_parse = tlsext_sessionticket_serverhello_parse,
675	},	733	},
		734	{
		735	.type = TLSEXT_TYPE_signature_algorithms,
		736	.clienthello_needs = tlsext_sigalgs_clienthello_needs,
		737	.clienthello_build = tlsext_sigalgs_clienthello_build,
		738	.clienthello_parse = tlsext_sigalgs_clienthello_parse,
		739	.serverhello_needs = tlsext_sigalgs_serverhello_needs,
		740	.serverhello_build = tlsext_sigalgs_serverhello_build,
		741	.serverhello_parse = tlsext_sigalgs_serverhello_parse,
		742	},
676	};	743	};
677		744
678	#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))	745	#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))