From c4b0c3ce36f2d5ac2132de87823d28de2ad5e331 Mon Sep 17 00:00:00 2001
From: jsing
Date: Sun, 27 Jun 2021 17:59:17 +0000
Subject: [PATCH] Change ssl_sigalgs_build() to perform sigalg list selection.

Rather that doing sigalg list selection at every call site, pass in the appropriate TLS version and have ssl_sigalgs_build() perform the sigalg list selection itself. This reduces code duplication, simplifies the calling code and is the first step towards internalising the sigalg lists.

ok tb@
---
 lib/libssl/ssl_sigalgs.c | 21 +++++++++++++++++++--
 lib/libssl/ssl_sigalgs.h | 4 ++--
 lib/libssl/ssl_srvr.c | 8 +++++---
 lib/libssl/ssl_tlsext.c | 24 +++---------------------
 4 files changed, 29 insertions(+), 28 deletions(-)

diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index d3ac3d969df..590932bdf6e 100644
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.26 2021/06/27 17:50:06 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.27 2021/06/27 17:59:17 jsing Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck
 *
@@ -174,6 +174,19 @@ const uint16_t tls12_sigalgs[] = {
 };
 const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
 
+static void
+ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
+ size_t *out_len)
+{
+ if (tls_version >= TLS1_3_VERSION) {
+ *out_values = tls13_sigalgs;
+ *out_len = tls13_sigalgs_len;
+ } else {
+ *out_values = tls12_sigalgs;
+ *out_len = tls12_sigalgs_len;
+ }
+}
+
 const struct ssl_sigalg *
 ssl_sigalg_lookup(uint16_t sigalg)
 {
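Review bot: ssl_sigalgs_for_version() in lib/libssl/ssl_sigalgs.c picks the list with a plain numeric comparison, `tls_version >= TLS1_3_VERSION`, and nothing in the hunk states which values callers may pass. DTLS wire versions (0xfeff, 0xfefd) compare greater than TLS1_3_VERSION, and an unset value of 0 falls through to the TLS 1.2 list, so the helper is only correct if every caller passes a TLS version or a TLS-equivalent one. The two fields passed in this commit are named `*_tls_version`, which suggests that holds, but it is not visible here. I would state the contract above the function, for example `/* tls_version must be a TLS (not DTLS wire) version; anything below TLS 1.3 selects tls12_sigalgs. */`.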
@@ -201,10 +214,14 @@ ssl_sigalg(uint16_t sigalg, const uint16_t *values, size_t len)
 }
 
 int
-ssl_sigalgs_build(CBB *cbb, const uint16_t *values, size_t len)
+ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
 {
+ const uint16_t *values;
+ size_t len;
 size_t i;
 
+ ssl_sigalgs_for_version(tls_version, &values, &len);
+
 /* Add values in order as long as they are supported. */
 for (i = 0; i < len; i++) {
 /* Do not allow the legacy value for < 1.2 to be used. */
diff --git a/lib/libssl/ssl_sigalgs.h b/lib/libssl/ssl_sigalgs.h
index db21eda1f8b..64a2bd435c6 100644
--- a/lib/libssl/ssl_sigalgs.h
+++ b/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.17 2021/06/27 17:45:16 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.18 2021/06/27 17:59:17 jsing Exp $ */
 /*
 * Copyright (c) 2018-2019 Bob Beck
 *
@@ -75,7 +75,7 @@ extern const size_t tls13_sigalgs_len;
 const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
 const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, const uint16_t *values,
 size_t len);
-int ssl_sigalgs_build(CBB *cbb, const uint16_t *values, size_t len);
+int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb);
 int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk);
 int ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
 int check_curve);
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index c4bcd228ef1..93fd8cfb85d 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.111 2021/05/16 14:10:43 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.112 2021/06/27 17:59:17 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1671,9 +1671,11 @@ ssl3_send_certificate_request(SSL *s)
 goto err;
 
 if (SSL_USE_SIGALGS(s)) {
- if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs))
+ if (!CBB_add_u16_length_prefixed(&cert_request,
+ &sigalgs))
 goto err;
- if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
+ if (!ssl_sigalgs_build(
+ S3I(s)->hs.negotiated_tls_version, &sigalgs))
 goto err;
 }
 
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 035d6b4564d..22932f969dc 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.95 2021/06/11 17:29:48 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.96 2021/06/27 17:59:17 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -558,21 +558,12 @@ tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
 int
 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
- const uint16_t *tls_sigalgs = tls12_sigalgs;
- size_t tls_sigalgs_len = tls12_sigalgs_len;
 CBB sigalgs;
 
- if (S3I(s)->hs.our_min_tls_version >= TLS1_3_VERSION) {
- tls_sigalgs = tls13_sigalgs;
- tls_sigalgs_len = tls13_sigalgs_len;
- }
-
 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
 return 0;
-
- if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len))
+ if (!ssl_sigalgs_build(S3I(s)->hs.our_min_tls_version, &sigalgs))
 return 0;
-
 if (!CBB_flush(cbb))
 return 0;
 
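Review bot: In ssl3_send_certificate_request() (lib/libssl/ssl_srvr.c, the hunk at -1671) the list is no longer pinned to `tls12_sigalgs`; it now follows `S3I(s)->hs.negotiated_tls_version`, so what goes into the CertificateRequest depends on that field being set and below TLS 1.3 by the time this message is built. That is presumably always true on this legacy-handshake path, but the hunk does not show it. Unlike the two ssl_tlsext.c call sites, which already selected by the same field, this one changes how the list is chosen rather than just moving the selection. A one-line comment at the call, e.g. `/* Legacy handshake only: negotiated version is < TLS 1.3, so this selects the TLS 1.2 list. */`, would record the assumption. The function body starts and ends outside the hunk.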
@@ -603,21 +594,12 @@ tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
 int
 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
- const uint16_t *tls_sigalgs = tls12_sigalgs;
- size_t tls_sigalgs_len = tls12_sigalgs_len;
 CBB sigalgs;
 
- if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
- tls_sigalgs = tls13_sigalgs;
- tls_sigalgs_len = tls13_sigalgs_len;
- }
-
 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
 return 0;
-
- if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len))
+ if (!ssl_sigalgs_build(S3I(s)->hs.negotiated_tls_version, &sigalgs))
 return 0;
-
 if (!CBB_flush(cbb))
 return 0;
 
-- 
2.20.1