From adff4236f4fcfc06dc85a8decabda33d2f5a3428 Mon Sep 17 00:00:00 2001
From: jsing
Date: Sun, 27 Jun 2021 19:23:51 +0000
Subject: [PATCH] Track the sigalgs used by ourselves and our peer. Move the sigalg pointer from SSL_HANDSHAKE_TLS13 to SSL_HANDSHAKE, naming it our_sigalg, adding an equivalent peer_sigalg. Adjust the TLSv1.3 code that records our signature algorithm. Add code to record the signature algorithm used by our peer. Needed for upcoming API additions. ok tb@
---
 lib/libssl/ssl_locl.h | 9 ++++++---
 lib/libssl/tls13_client.c | 7 ++++---
 lib/libssl/tls13_server.c | 7 ++++---
 3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 5f99c08cc9c..200219c1416 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.351 2021/06/23 11:12:33 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.352 2021/06/27 19:23:51 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -444,9 +444,8 @@ typedef struct ssl_handshake_tls13_st {
 int use_legacy;
 int hrr;
 
- /* Certificate and sigalg selected for use (static pointers). */
+ /* Certificate selected for use (static pointer). */
 const CERT_PKEY *cpk;
- const struct ssl_sigalg *sigalg;
 
 /* Version proposed by peer server. */
 uint16_t server_version;
@@ -503,6 +502,10 @@ typedef struct ssl_handshake_st {
 /* Extensions seen in this handshake. */
 uint32_t extensions_seen;
 
+ /* Signature algorithms selected for use (static pointers). */
+ const struct ssl_sigalg *our_sigalg;
+ const struct ssl_sigalg *peer_sigalg;
+
 /* sigalgs offered in this handshake in wire form */
 uint8_t *sigalgs;
 size_t sigalgs_len;
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 644b16e26c6..4ba0dd92f2f 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
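Review bot: The comment added in the `ssl_handshake_st` hunk (`@@ -503,6 +502,10 @@`) calls both fields "selected for use", which fits `our_sigalg` but not `peer_sigalg`, and it does not say when either pointer is valid. In this patch only the TLSv1.3 client and server code assigns them, so on other handshake paths a reader of the shared struct would presumably find them unset; that is worth stating at the declaration. I would write something like `/* Signature algorithms used by us and by our peer (static pointers); NULL until recorded, currently only by the TLSv1.3 code. */`. The struct body starts and ends outside the hunk, so how the fields are initialised or cleared is not visible here.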
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.82 2021/06/27 18:15:35 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.83 2021/06/27 19:23:51 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -697,6 +697,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 goto err;
 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
 goto err;
+ ctx->hs->peer_sigalg = sigalg;
 
 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
 goto err;
@@ -898,7 +899,7 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 goto err;
 
 ctx->hs->tls13.cpk = cpk;
- ctx->hs->tls13.sigalg = sigalg;
+ ctx->hs->our_sigalg = sigalg;
 
 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
 goto err;
@@ -949,7 +950,7 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 
 if ((cpk = ctx->hs->tls13.cpk) == NULL)
 goto err;
- if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
+ if ((sigalg = ctx->hs->our_sigalg) == NULL)
 goto err;
 
 pkey = cpk->privatekey;
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index b68a2f9294a..18cb0567552 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.80 2021/06/27 18:15:35 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.81 2021/06/27 19:23:51 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing
 * Copyright (c) 2020 Bob Beck
@@ -635,7 +635,7 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 }
 
 ctx->hs->tls13.cpk = cpk;
- ctx->hs->tls13.sigalg = sigalg;
+ ctx->hs->our_sigalg = sigalg;
 
 if ((chain = cpk->chain) == NULL)
 chain = s->ctx->extra_certs;
@@ -708,7 +708,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 
 if ((cpk = ctx->hs->tls13.cpk) == NULL)
 goto err;
- if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
+ if ((sigalg = ctx->hs->our_sigalg) == NULL)
 goto err;
 
 pkey = cpk->privatekey;
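Review bot: In `tls13_server_certificate_verify_recv` (`@@ -697,6 +697,7 @@`) `ctx->hs->peer_sigalg` is stored as soon as `ssl_sigalg_pkey_ok()` passes, before the signature length check on the following lines and before whatever verification follows outside the hunk. If a later step jumps to `err`, the handshake state keeps a peer algorithm for a signature that was never accepted, which matters once the upcoming API reads this field. Consider moving `ctx->hs->peer_sigalg = sigalg;` to just after the signature has verified, or add a comment such as `/* Recorded before verification; only meaningful once the handshake completes. */`. The same placement appears in `tls13_client_certificate_verify_recv` in tls13_server.c (`@@ -996,6 +996,7 @@`), and both function bodies continue outside their hunks.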
@@ -996,6 +996,7 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 goto err;
 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
 goto err;
+ ctx->hs->peer_sigalg = sigalg;
 
 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
 goto err;
-- 
2.20.1