From ca7ca9085f4d708728d31588c33c108c19a51cae Mon Sep 17 00:00:00 2001
From: jsing <jsing@openbsd.org>
Date: Tue, 29 Jun 2021 18:59:25 +0000
Subject: [PATCH] Factor out handling of legacy default signature algorithms.

In the case of TLSv1.0 and TLSv1.1 there is no signature algorithms
extension and default signature algorithms are used - similar applies to
TLSv1.2 when the signature algorithms extension has been omitted.

ok inoguchi@ tb@
---
 lib/libssl/ssl_sigalgs.c | 59 ++++++++++++++++++----------------------
 1 file changed, 27 insertions(+), 32 deletions(-)

diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index dbb08e0a468..456332e7cfc 100644
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.30 2021/06/29 18:55:47 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.31 2021/06/29 18:59:25 jsing Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
  *
@@ -239,6 +239,26 @@ ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
 	return 1;
 }
 
+static const struct ssl_sigalg *
+ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
+{
+	/* Default signature algorithms used for TLSv1.2 and earlier. */
+	switch (pkey->type) {
+	case EVP_PKEY_RSA:
+		if (S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION)
+			return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
+		return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
+	case EVP_PKEY_EC:
+		return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
+#ifndef OPENSSL_NO_GOST
+	case EVP_PKEY_GOSTR01:
+		return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
+#endif
+	}
+	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
+	return (NULL);
+}
+
 int
 ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
     int check_curve)
@@ -280,41 +300,16 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
 	if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION)
 		check_curve = 1;
 
-	/* Pre TLS 1.2 defaults */
-	if (!SSL_USE_SIGALGS(s)) {
-		switch (pkey->type) {
-		case EVP_PKEY_RSA:
-			return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
-		case EVP_PKEY_EC:
-			return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
-#ifndef OPENSSL_NO_GOST
-		case EVP_PKEY_GOSTR01:
-			return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
-#endif
-		}
-		SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
-		return (NULL);
-	}
+	if (!SSL_USE_SIGALGS(s))
+		return ssl_sigalg_for_legacy(s, pkey);
 
 	/*
-	 * RFC 5246 allows a TLS 1.2 client to send no sigalgs, in
-	 * which case the server must use the the default.
+	 * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
+	 * in which case the server must use the default.
 	 */
 	if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
-	    S3I(s)->hs.sigalgs == NULL) {
-		switch (pkey->type) {
-		case EVP_PKEY_RSA:
-			return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
-		case EVP_PKEY_EC:
-			return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
-#ifndef OPENSSL_NO_GOST
-		case EVP_PKEY_GOSTR01:
-			return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
-#endif
-		}
-		SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
-		return (NULL);
-	}
+	    S3I(s)->hs.sigalgs == NULL)
+		return ssl_sigalg_for_legacy(s, pkey);
 
 	/*
 	 * If we get here, we have client or server sent sigalgs, use one.
-- 
2.20.1