-/* $OpenBSD: ssl_clnt.c,v 1.102 2021/06/27 19:16:59 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.103 2021/06/29 19:10:08 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
al = SSL_AD_DECODE_ERROR;
goto fatal_err;
}
- if (!ssl_sigalg_pkey_ok(sigalg, pkey, 0)) {
+ if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
al = SSL_AD_DECODE_ERROR;
goto fatal_err;
-/* $OpenBSD: ssl_sigalgs.c,v 1.31 2021/06/29 18:59:25 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.32 2021/06/29 19:10:08 jsing Exp $ */
/*
* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
*
}
int
-ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
- int check_curve)
+ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
{
if (sigalg == NULL || pkey == NULL)
return 0;
if (sigalg->key_type != pkey->type)
return 0;
+ /*
+ * RSA PSS must have an RSA key that needs to be at
+ * least as big as twice the size of the hash + 2
+ */
if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
- /*
- * RSA PSS Must have an RSA key that needs to be at
- * least as big as twice the size of the hash + 2
- */
if (pkey->type != EVP_PKEY_RSA ||
EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
return 0;
}
- if (pkey->type == EVP_PKEY_EC && check_curve) {
- /* Curve must match for EC keys. */
+ /* RSA cannot be used without PSS in TLSv1.3. */
+ if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
+ sigalg->key_type == EVP_PKEY_RSA &&
+ (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
+ return 0;
+
+ /* Ensure that curve matches for EC keys. */
+ if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
+ pkey->type == EVP_PKEY_EC) {
if (sigalg->curve_nid == 0)
return 0;
- if (EC_GROUP_get_curve_name(EC_KEY_get0_group
- (EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) {
+ if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
+ EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid)
return 0;
- }
}
return 1;
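Review bot: A call to ssl_sigalg_pkey_ok() made before `hs.negotiated_tls_version` is recorded would skip both the RSA-without-PSS rejection and the EC curve match and can still return 1, because both checks are now gated on `S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION`. Whether any caller can reach the function that early is not visible from this hunk, so the precondition should be written above the function, e.g. `/* Requires hs.negotiated_tls_version to be set; the TLSv1.3-only checks are skipped for lower or unset versions. */`. `s` is also dereferenced without the NULL guard that `sigalg` and `pkey` get on the first line of the body; `if (s == NULL || sigalg == NULL || pkey == NULL)` would treat the three arguments consistently. The function's closing brace lies outside the hunk.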
const struct ssl_sigalg *
ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
{
- int check_curve = 0;
CBS cbs;
- if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION)
- check_curve = 1;
-
if (!SSL_USE_SIGALGS(s))
return ssl_sigalg_for_legacy(s, pkey);
S3I(s)->hs.negotiated_tls_version, sigalg_value)) == NULL)
continue;
- /* RSA cannot be used without PSS in TLSv1.3. */
- if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
- sigalg->key_type == EVP_PKEY_RSA &&
- (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
- continue;
-
- if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve))
+ if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
return sigalg;
}
-/* $OpenBSD: ssl_sigalgs.h,v 1.20 2021/06/27 18:15:35 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.21 2021/06/29 19:10:08 jsing Exp $ */
/*
* Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
*
const struct ssl_sigalg *ssl_sigalg_from_value(uint16_t tls_version,
uint16_t value);
int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb);
-int ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
- int check_curve);
+int ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg,
+ EVP_PKEY *pkey);
const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey);
__END_HIDDEN_DECLS
-/* $OpenBSD: ssl_srvr.c,v 1.114 2021/06/27 18:15:35 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.115 2021/06/29 19:10:08 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
al = SSL_AD_DECODE_ERROR;
goto fatal_err;
}
- if (!ssl_sigalg_pkey_ok(sigalg, pkey, 0)) {
+ if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
al = SSL_AD_DECODE_ERROR;
goto fatal_err;
-/* $OpenBSD: tls13_client.c,v 1.84 2021/06/29 18:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.85 2021/06/29 19:10:08 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
goto err;
if ((pkey = X509_get0_pubkey(cert)) == NULL)
goto err;
- if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
+ if (!ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey))
goto err;
ctx->hs->peer_sigalg = sigalg;
-/* $OpenBSD: tls13_server.c,v 1.81 2021/06/27 19:23:51 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.82 2021/06/29 19:10:08 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
goto err;
if ((pkey = X509_get0_pubkey(cert)) == NULL)
goto err;
- if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
+ if (!ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey))
goto err;
ctx->hs->peer_sigalg = sigalg;