-/* $OpenBSD: ssl_sigalgs.c,v 1.32 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.33 2021/06/29 19:20:39 jsing Exp $ */
/*
* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+
#include <string.h>
#include <stdlib.h>
if ((sigalg = ssl_sigalg_from_value(
S3I(s)->hs.negotiated_tls_version, sigalg_value)) == NULL)
continue;
-
if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
return sigalg;
}
SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
return NULL;
}
+
+const struct ssl_sigalg *
+ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
+{
+ const struct ssl_sigalg *sigalg;
+
+ if (!SSL_USE_SIGALGS(s))
+ return ssl_sigalg_for_legacy(s, pkey);
+
+ if ((sigalg = ssl_sigalg_from_value(S3I(s)->hs.negotiated_tls_version,
+ sigalg_value)) == NULL) {
+ SSLerror(s, SSL_R_UNKNOWN_DIGEST);
+ return (NULL);
+ }
+ if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
+ SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
+ return (NULL);
+ }
+
+ return sigalg;
+}
-/* $OpenBSD: ssl_sigalgs.h,v 1.21 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.22 2021/06/29 19:20:39 jsing Exp $ */
/*
* Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
*
int ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg,
EVP_PKEY *pkey);
const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey);
+const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey,
+ uint16_t sigalg_value);
__END_HIDDEN_DECLS
-/* $OpenBSD: tls13_client.c,v 1.85 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.86 2021/06/29 19:20:39 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
if (!CBS_get_u16_length_prefixed(cbs, &signature))
goto err;
- if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version,
- signature_scheme)) == NULL)
- goto err;
-
if (!CBB_init(&cbb, 0))
goto err;
if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
goto err;
if ((pkey = X509_get0_pubkey(cert)) == NULL)
goto err;
- if (!ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey))
+ if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
+ signature_scheme)) == NULL)
goto err;
ctx->hs->peer_sigalg = sigalg;
-/* $OpenBSD: tls13_server.c,v 1.82 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.83 2021/06/29 19:20:39 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
if (!CBS_get_u16_length_prefixed(cbs, &signature))
goto err;
- if ((sigalg = ssl_sigalg_from_value(ctx->hs->negotiated_tls_version,
- signature_scheme)) == NULL)
- goto err;
-
if (!CBB_init(&cbb, 0))
goto err;
if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
goto err;
if ((pkey = X509_get0_pubkey(cert)) == NULL)
goto err;
- if (!ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey))
+ if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
+ signature_scheme)) == NULL)
goto err;
ctx->hs->peer_sigalg = sigalg;
projects / openbsd / commitdiff