1 files changed, 74 insertions, 16 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 24286569b1..67d663c326 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.54.4.1 2020/05/19 20:22:33 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.54.4.2 2020/08/10 18:59:47 tb Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -811,30 +811,92 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
        return ret;
 }
+static int
+tls13_client_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
+    int *ok, const struct ssl_sigalg **out_sigalg)
+{
+        const struct ssl_sigalg *sigalg;
+        SSL *s = ctx->ssl;
+        *ok = 0;
+        *out_sigalg = NULL;
+        if (cpk->x509 == NULL || cpk->privatekey == NULL)
+                goto done;
+        if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
+                goto done;
+        *ok = 1;
+        *out_sigalg = sigalg;
+ done:
+        return 1;
+}
+static int
+tls13_client_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk,
+    const struct ssl_sigalg **out_sigalg)
+{
+        SSL *s = ctx->ssl;
+        const struct ssl_sigalg *sigalg;
+        CERT_PKEY *cpk;
+        int cert_ok;
+        *out_cpk = NULL;
+        *out_sigalg = NULL;
+        cpk = &s->cert->pkeys[SSL_PKEY_ECC];
+        if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
+                return 0;
+        if (cert_ok)
+                goto done;
+        cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
+        if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
+                return 0;
+        if (cert_ok)
+                goto done;
+        cpk = NULL;
+        sigalg = NULL;
+ done:
+        *out_cpk = cpk;
+        *out_sigalg = sigalg;
+        return 1;
+}
 int
 tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 {
        SSL *s = ctx->ssl;
        CBB cert_request_context, cert_list;
+        const struct ssl_sigalg *sigalg;
        STACK_OF(X509) *chain;
        CERT_PKEY *cpk;
        X509 *cert;
        int i, ret = 0;
-        /* XXX - Need to revisit certificate selection. */
+        if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
-        cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
+                goto err;
-        if ((chain = cpk->chain) == NULL)
+        ctx->hs->cpk = cpk;
-                chain = s->ctx->extra_certs;
+        ctx->hs->sigalg = sigalg;
        if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
                goto err;
        if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
                goto err;
-        if (cpk->x509 == NULL)
+        /* No certificate selected. */
+        if (cpk == NULL)
                goto done;
+        if ((chain = cpk->chain) == NULL)
+                chain = s->ctx->extra_certs;
        if (!tls13_cert_add(&cert_list, cpk->x509))
                goto err;
@@ -858,27 +920,23 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        SSL *s = ctx->ssl;
+        const struct ssl_sigalg *sigalg;
-        const struct ssl_sigalg *sigalg = NULL;
        uint8_t *sig = NULL, *sig_content = NULL;
        size_t sig_len, sig_content_len;
        EVP_MD_CTX *mdctx = NULL;
        EVP_PKEY_CTX *pctx;
        EVP_PKEY *pkey;
-        CERT_PKEY *cpk;
+        const CERT_PKEY *cpk;
        CBB sig_cbb;
        int ret = 0;
        memset(&sig_cbb, 0, sizeof(sig_cbb));
-        /* XXX - Need to revisit certificate selection. */
+        if ((cpk = ctx->hs->cpk) == NULL)
-        cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
-        pkey = cpk->privatekey;
-        if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
-                /* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */
                goto err;
-        }
+        if ((sigalg = ctx->hs->sigalg) == NULL)
+                goto err;
+        pkey = cpk->privatekey;
        if (!CBB_init(&sig_cbb, 0))
                goto err;

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 24286569b1..67d663c326 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.54.4.1 2020/05/19 20:22:33 tb Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.54.4.2 2020/08/10 18:59:47 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -811,30 +811,92 @@ tls13_server_finished_recv(struct tls13_ctx ctx, CBS cbs)
811	return ret;	811	return ret;
812	}	812	}
813		813
		814	static int
		815	tls13_client_check_certificate(struct tls13_ctx ctx, CERT_PKEY cpk,
		816	int ok, const struct ssl_sigalg *out_sigalg)
		817	{
		818	const struct ssl_sigalg *sigalg;
		819	SSL *s = ctx->ssl;
		820
		821	*ok = 0;
		822	*out_sigalg = NULL;
		823
		824	if (cpk->x509 == NULL \|\| cpk->privatekey == NULL)
		825	goto done;
		826
		827	if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
		828	goto done;
		829
		830	*ok = 1;
		831	*out_sigalg = sigalg;
		832
		833	done:
		834	return 1;
		835	}
		836
		837	static int
		838	tls13_client_select_certificate(struct tls13_ctx ctx, CERT_PKEY *out_cpk,
		839	const struct ssl_sigalg **out_sigalg)
		840	{
		841	SSL *s = ctx->ssl;
		842	const struct ssl_sigalg *sigalg;
		843	CERT_PKEY *cpk;
		844	int cert_ok;
		845
		846	*out_cpk = NULL;
		847	*out_sigalg = NULL;
		848
		849	cpk = &s->cert->pkeys[SSL_PKEY_ECC];
		850	if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
		851	return 0;
		852	if (cert_ok)
		853	goto done;
		854
		855	cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
		856	if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
		857	return 0;
		858	if (cert_ok)
		859	goto done;
		860
		861	cpk = NULL;
		862	sigalg = NULL;
		863
		864	done:
		865	*out_cpk = cpk;
		866	*out_sigalg = sigalg;
		867
		868	return 1;
		869	}
		870
814	int	871	int
815	tls13_client_certificate_send(struct tls13_ctx ctx, CBB cbb)	872	tls13_client_certificate_send(struct tls13_ctx ctx, CBB cbb)
816	{	873	{
817	SSL *s = ctx->ssl;	874	SSL *s = ctx->ssl;
818	CBB cert_request_context, cert_list;	875	CBB cert_request_context, cert_list;
		876	const struct ssl_sigalg *sigalg;
819	STACK_OF(X509) *chain;	877	STACK_OF(X509) *chain;
820	CERT_PKEY *cpk;	878	CERT_PKEY *cpk;
821	X509 *cert;	879	X509 *cert;
822	int i, ret = 0;	880	int i, ret = 0;
823		881
824	/* XXX - Need to revisit certificate selection. */	882	if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
825	cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];	883	goto err;
826		884
827	if ((chain = cpk->chain) == NULL)	885	ctx->hs->cpk = cpk;
828	chain = s->ctx->extra_certs;	886	ctx->hs->sigalg = sigalg;
829		887
830	if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))	888	if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
831	goto err;	889	goto err;
832	if (!CBB_add_u24_length_prefixed(cbb, &cert_list))	890	if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
833	goto err;	891	goto err;
834		892
835	if (cpk->x509 == NULL)	893	/* No certificate selected. */
		894	if (cpk == NULL)
836	goto done;	895	goto done;
837		896
		897	if ((chain = cpk->chain) == NULL)
		898	chain = s->ctx->extra_certs;
		899
838	if (!tls13_cert_add(&cert_list, cpk->x509))	900	if (!tls13_cert_add(&cert_list, cpk->x509))
839	goto err;	901	goto err;
840		902
@@ -858,27 +920,23 @@ tls13_client_certificate_send(struct tls13_ctx ctx, CBB cbb)
858	int	920	int
859	tls13_client_certificate_verify_send(struct tls13_ctx ctx, CBB cbb)	921	tls13_client_certificate_verify_send(struct tls13_ctx ctx, CBB cbb)
860	{	922	{
861	SSL *s = ctx->ssl;	923	const struct ssl_sigalg *sigalg;
862	const struct ssl_sigalg *sigalg = NULL;
863	uint8_t sig = NULL, sig_content = NULL;	924	uint8_t sig = NULL, sig_content = NULL;
864	size_t sig_len, sig_content_len;	925	size_t sig_len, sig_content_len;
865	EVP_MD_CTX *mdctx = NULL;	926	EVP_MD_CTX *mdctx = NULL;
866	EVP_PKEY_CTX *pctx;	927	EVP_PKEY_CTX *pctx;
867	EVP_PKEY *pkey;	928	EVP_PKEY *pkey;
868	CERT_PKEY *cpk;	929	const CERT_PKEY *cpk;
869	CBB sig_cbb;	930	CBB sig_cbb;
870	int ret = 0;	931	int ret = 0;
871		932
872	memset(&sig_cbb, 0, sizeof(sig_cbb));	933	memset(&sig_cbb, 0, sizeof(sig_cbb));
873		934
874	/* XXX - Need to revisit certificate selection. */	935	if ((cpk = ctx->hs->cpk) == NULL)
875	cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
876	pkey = cpk->privatekey;
877
878	if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
879	/* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */
880	goto err;	936	goto err;
881	}	937	if ((sigalg = ctx->hs->sigalg) == NULL)
		938	goto err;
		939	pkey = cpk->privatekey;
882		940
883	if (!CBB_init(&sig_cbb, 0))	941	if (!CBB_init(&sig_cbb, 0))
884	goto err;	942	goto err;