From d8bbfb5c853f1528593599b4cad373dd3f4ac17b Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 29 Jun 2021 19:20:39 +0000
Subject: Provide a ssl_sigalg_for_peer() function and use in the TLSv1.3 code.

Provide an ssl_sigalg_for_peer() function that knows how to figure out which signature algorithm should be used for a peer provided signature, performing appropriate validation to ensure that the peer provided value is suitable for the protocol version and key in use. In the TLSv1.3 code, this replaces the need for separate calls to lookup the sigalg from the peer provided value, then perform validation. ok inoguchi@ tb@
---
src/lib/libssl/tls13_client.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
(limited to 'src/lib/libssl/tls13_client.c')
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index dd9a5b1606..62c5174490 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.85 2021/06/29 19:10:08 jsing Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.86 2021/06/29 19:20:39 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing *
@@ -680,10 +680,6 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) if (!CBS_get_u16_length_prefixed(cbs, &signature)) goto err; - if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version, - signature_scheme)) == NULL) - goto err; - if (!CBB_init(&cbb, 0)) goto err; if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
@@ -704,7 +700,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; if ((pkey = X509_get0_pubkey(cert)) == NULL) goto err; - if (!ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey)) + if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, + signature_scheme)) == NULL) goto err; ctx->hs->peer_sigalg = sigalg;
-- cgit v1.2.3-55-g6feb
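Review bot: At the new `ssl_sigalg_for_peer(ctx->ssl, pkey, signature_scheme)` call in the third hunk, `signature_scheme` is peer-provided and nothing visible shows that the returned sigalg is restricted to the schemes this client advertised in its signature_algorithms extension; the commit message names only validation against the protocol version and the key. If that check lives inside ssl_sigalg_for_peer(), a comment above the call would make it reviewable, e.g. `/* signature_scheme is peer controlled; ssl_sigalg_for_peer() must reject schemes unsuitable for the version, the key, or our offered list. */`; if it does not, it should happen before `ctx->hs->peer_sigalg = sigalg;`. A rejected scheme also takes the same bare `goto err` as a parse failure, so which alert the peer receives depends on the err label, which lies outside this hunk together with the start and end of tls13_server_certificate_verify_recv().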