/src/libressl/ssl/ssl_sigalgs.c

Source (jump to first uncovered line)
/* $OpenBSD: ssl_sigalgs.c,v 1.47 2022/07/02 16:31:04 tb Exp $ */
/*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <string.h>
#include <stdlib.h>

#include <openssl/evp.h>
#include <openssl/opensslconf.h>

#include "bytestring.h"
#include "ssl_locl.h"
#include "ssl_sigalgs.h"
#include "tls13_internal.h"

const struct ssl_sigalg sigalgs[] = {
  {
    .value = SIGALG_RSA_PKCS1_SHA512,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha512,
    .security_level = 5,
  },
  {
    .value = SIGALG_ECDSA_SECP521R1_SHA512,
    .key_type = EVP_PKEY_EC,
    .md = EVP_sha512,
    .security_level = 5,
    .group_nid = NID_secp521r1,
  },
#ifndef OPENSSL_NO_GOST
  {
    .value = SIGALG_GOSTR12_512_STREEBOG_512,
    .key_type = EVP_PKEY_GOSTR12_512,
    .md = EVP_streebog512,
    .security_level = 0,
  },
#endif
  {
    .value = SIGALG_RSA_PKCS1_SHA384,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha384,
    .security_level = 4,
  },
  {
    .value = SIGALG_ECDSA_SECP384R1_SHA384,
    .key_type = EVP_PKEY_EC,
    .md = EVP_sha384,
    .security_level = 4,
    .group_nid = NID_secp384r1,
  },
  {
    .value = SIGALG_RSA_PKCS1_SHA256,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha256,
    .security_level = 3,
  },
  {
    .value = SIGALG_ECDSA_SECP256R1_SHA256,
    .key_type = EVP_PKEY_EC,
    .md = EVP_sha256,
    .security_level = 3,
    .group_nid = NID_X9_62_prime256v1,
  },
#ifndef OPENSSL_NO_GOST
  {
    .value = SIGALG_GOSTR12_256_STREEBOG_256,
    .key_type = EVP_PKEY_GOSTR12_256,
    .md = EVP_streebog256,
    .security_level = 0,
  },
  {
    .value = SIGALG_GOSTR01_GOST94,
    .key_type = EVP_PKEY_GOSTR01,
    .md = EVP_gostr341194,
    .security_level = 0, /* XXX */
  },
#endif
  {
    .value = SIGALG_RSA_PSS_RSAE_SHA256,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha256,
    .security_level = 3,
    .flags = SIGALG_FLAG_RSA_PSS,
  },
  {
    .value = SIGALG_RSA_PSS_RSAE_SHA384,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha384,
    .security_level = 4,
    .flags = SIGALG_FLAG_RSA_PSS,
  },
  {
    .value = SIGALG_RSA_PSS_RSAE_SHA512,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha512,
    .security_level = 5,
    .flags = SIGALG_FLAG_RSA_PSS,
  },
  {
    .value = SIGALG_RSA_PSS_PSS_SHA256,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha256,
    .security_level = 3,
    .flags = SIGALG_FLAG_RSA_PSS,
  },
  {
    .value = SIGALG_RSA_PSS_PSS_SHA384,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha384,
    .security_level = 4,
    .flags = SIGALG_FLAG_RSA_PSS,
  },
  {
    .value = SIGALG_RSA_PSS_PSS_SHA512,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha512,
    .security_level = 5,
    .flags = SIGALG_FLAG_RSA_PSS,
  },
  {
    .value = SIGALG_RSA_PKCS1_SHA224,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha224,
    .security_level = 2,
  },
  {
    .value = SIGALG_ECDSA_SECP224R1_SHA224,
    .key_type = EVP_PKEY_EC,
    .md = EVP_sha224,
    .security_level = 2,
  },
  {
    .value = SIGALG_RSA_PKCS1_SHA1,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_sha1,
    .security_level = 1,
  },
  {
    .value = SIGALG_ECDSA_SHA1,
    .key_type = EVP_PKEY_EC,
    .md = EVP_sha1,
    .security_level = 1,
  },
  {
    .value = SIGALG_RSA_PKCS1_MD5_SHA1,
    .key_type = EVP_PKEY_RSA,
    .md = EVP_md5_sha1,
    .security_level = 1,
  },
  {
    .value = SIGALG_NONE,
  },
};

/* Sigalgs for TLSv1.3, in preference order. */
const uint16_t tls13_sigalgs[] = {
  SIGALG_RSA_PSS_RSAE_SHA512,
  SIGALG_RSA_PKCS1_SHA512,
  SIGALG_ECDSA_SECP521R1_SHA512,
  SIGALG_RSA_PSS_RSAE_SHA384,
  SIGALG_RSA_PKCS1_SHA384,
  SIGALG_ECDSA_SECP384R1_SHA384,
  SIGALG_RSA_PSS_RSAE_SHA256,
  SIGALG_RSA_PKCS1_SHA256,
  SIGALG_ECDSA_SECP256R1_SHA256,
};
const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));

/* Sigalgs for TLSv1.2, in preference order. */
const uint16_t tls12_sigalgs[] = {
  SIGALG_RSA_PSS_RSAE_SHA512,
  SIGALG_RSA_PKCS1_SHA512,
  SIGALG_ECDSA_SECP521R1_SHA512,
  SIGALG_RSA_PSS_RSAE_SHA384,
  SIGALG_RSA_PKCS1_SHA384,
  SIGALG_ECDSA_SECP384R1_SHA384,
  SIGALG_RSA_PSS_RSAE_SHA256,
  SIGALG_RSA_PKCS1_SHA256,
  SIGALG_ECDSA_SECP256R1_SHA256,
  SIGALG_RSA_PKCS1_SHA1, /* XXX */
  SIGALG_ECDSA_SHA1,     /* XXX */
};
const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));

static void
ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
    size_t *out_len)
{
  if (tls_version >= TLS1_3_VERSION) {
    *out_values = tls13_sigalgs;
    *out_len = tls13_sigalgs_len;
  } else {
    *out_values = tls12_sigalgs;
    *out_len = tls12_sigalgs_len;
  }
}

static const struct ssl_sigalg *
ssl_sigalg_lookup(uint16_t value)
{
  int i;

  for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
    if (sigalgs[i].value == value)
      return &sigalgs[i];
  }

  return NULL;
}

static const struct ssl_sigalg *
ssl_sigalg_from_value(SSL *s, uint16_t value)
{
  const uint16_t *values;
  size_t len;
  int i;

  ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
      &values, &len);

  for (i = 0; i < len; i++) {
    if (values[i] == value)
      return ssl_sigalg_lookup(value);
  }

  return NULL;
}

int
ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
{
  const struct ssl_sigalg *sigalg;
  const uint16_t *values;
  size_t len;
  size_t i;
  int ret = 0;

  ssl_sigalgs_for_version(tls_version, &values, &len);

  /* Add values in order as long as they are supported. */
  for (i = 0; i < len; i++) {
    /* Do not allow the legacy value for < 1.2 to be used. */
    if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
      return 0;
    if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
      return 0;
    if (sigalg->security_level < security_level)
      continue;

    if (!CBB_add_u16(cbb, values[i]))
      return 0;

    ret = 1;
  }
  return ret;
}

static const struct ssl_sigalg *
ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
{
  if (SSL_get_security_level(s) > 1)
    return NULL;

  /* Default signature algorithms used for TLSv1.2 and earlier. */
  switch (EVP_PKEY_id(pkey)) {
  case EVP_PKEY_RSA:
    if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
      return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
    return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
  case EVP_PKEY_EC:
    return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
#ifndef OPENSSL_NO_GOST
  case EVP_PKEY_GOSTR01:
    return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
#endif
  }
  SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
  return NULL;
}

static int
ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
{
  if (sigalg == NULL || pkey == NULL)
    return 0;
  if (sigalg->key_type != EVP_PKEY_id(pkey))
    return 0;

  /* RSA PSS must have a sufficiently large RSA key. */
  if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
    if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
        EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
      return 0;
  }

  if (!ssl_security_sigalg_check(s, pkey))
    return 0;

  if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
    return 1;

  /* RSA cannot be used without PSS in TLSv1.3. */
  if (sigalg->key_type == EVP_PKEY_RSA &&
      (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
    return 0;

  /* Ensure that group matches for EC keys. */
  if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
    if (sigalg->group_nid == 0)
      return 0;
    if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
        EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
      return 0;
  }

  return 1;
}

const struct ssl_sigalg *
ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
{
  CBS cbs;

  if (!SSL_USE_SIGALGS(s))
    return ssl_sigalg_for_legacy(s, pkey);

  /*
   * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
   * in which case the server must use the default.
   */
  if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
      s->s3->hs.sigalgs == NULL)
    return ssl_sigalg_for_legacy(s, pkey);

  /*
   * If we get here, we have client or server sent sigalgs, use one.
   */
  CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
  while (CBS_len(&cbs) > 0) {
    const struct ssl_sigalg *sigalg;
    uint16_t sigalg_value;

    if (!CBS_get_u16(&cbs, &sigalg_value))
      return NULL;

    if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
      continue;
    if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
      return sigalg;
  }

  SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
  return NULL;
}

const struct ssl_sigalg *
ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
{
  const struct ssl_sigalg *sigalg;

  if (!SSL_USE_SIGALGS(s))
    return ssl_sigalg_for_legacy(s, pkey);

  if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
    SSLerror(s, SSL_R_UNKNOWN_DIGEST);
    return NULL;
  }
  if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
    SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
    return NULL;
  }

  return sigalg;
}

Coverage Report

Created: 2022-08-24 06:31

Line	Count	Source (jump to first uncovered line)
1		/* $OpenBSD: ssl_sigalgs.c,v 1.47 2022/07/02 16:31:04 tb Exp $ */
2		/*
3		* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4		* Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
5		*
6		* Permission to use, copy, modify, and/or distribute this software for any
7		* purpose with or without fee is hereby granted, provided that the above
8		* copyright notice and this permission notice appear in all copies.
9		*
10		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
13		* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14		* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
15		* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
16		* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17		*/
18
19		#include <string.h>
20		#include <stdlib.h>
21
22		#include <openssl/evp.h>
23		#include <openssl/opensslconf.h>
24
25		#include "bytestring.h"
26		#include "ssl_locl.h"
27		#include "ssl_sigalgs.h"
28		#include "tls13_internal.h"
29
30		const struct ssl_sigalg sigalgs[] = {
31		{
32		.value = SIGALG_RSA_PKCS1_SHA512,
33		.key_type = EVP_PKEY_RSA,
34		.md = EVP_sha512,
35		.security_level = 5,
36		},
37		{
38		.value = SIGALG_ECDSA_SECP521R1_SHA512,
39		.key_type = EVP_PKEY_EC,
40		.md = EVP_sha512,
41		.security_level = 5,
42		.group_nid = NID_secp521r1,
43		},
44		#ifndef OPENSSL_NO_GOST
45		{
46		.value = SIGALG_GOSTR12_512_STREEBOG_512,
47		.key_type = EVP_PKEY_GOSTR12_512,
48		.md = EVP_streebog512,
49		.security_level = 0,
50		},
51		#endif
52		{
53		.value = SIGALG_RSA_PKCS1_SHA384,
54		.key_type = EVP_PKEY_RSA,
55		.md = EVP_sha384,
56		.security_level = 4,
57		},
58		{
59		.value = SIGALG_ECDSA_SECP384R1_SHA384,
60		.key_type = EVP_PKEY_EC,
61		.md = EVP_sha384,
62		.security_level = 4,
63		.group_nid = NID_secp384r1,
64		},
65		{
66		.value = SIGALG_RSA_PKCS1_SHA256,
67		.key_type = EVP_PKEY_RSA,
68		.md = EVP_sha256,
69		.security_level = 3,
70		},
71		{
72		.value = SIGALG_ECDSA_SECP256R1_SHA256,
73		.key_type = EVP_PKEY_EC,
74		.md = EVP_sha256,
75		.security_level = 3,
76		.group_nid = NID_X9_62_prime256v1,
77		},
78		#ifndef OPENSSL_NO_GOST
79		{
80		.value = SIGALG_GOSTR12_256_STREEBOG_256,
81		.key_type = EVP_PKEY_GOSTR12_256,
82		.md = EVP_streebog256,
83		.security_level = 0,
84		},
85		{
86		.value = SIGALG_GOSTR01_GOST94,
87		.key_type = EVP_PKEY_GOSTR01,
88		.md = EVP_gostr341194,
89		.security_level = 0, /* XXX */
90		},
91		#endif
92		{
93		.value = SIGALG_RSA_PSS_RSAE_SHA256,
94		.key_type = EVP_PKEY_RSA,
95		.md = EVP_sha256,
96		.security_level = 3,
97		.flags = SIGALG_FLAG_RSA_PSS,
98		},
99		{
100		.value = SIGALG_RSA_PSS_RSAE_SHA384,
101		.key_type = EVP_PKEY_RSA,
102		.md = EVP_sha384,
103		.security_level = 4,
104		.flags = SIGALG_FLAG_RSA_PSS,
105		},
106		{
107		.value = SIGALG_RSA_PSS_RSAE_SHA512,
108		.key_type = EVP_PKEY_RSA,
109		.md = EVP_sha512,
110		.security_level = 5,
111		.flags = SIGALG_FLAG_RSA_PSS,
112		},
113		{
114		.value = SIGALG_RSA_PSS_PSS_SHA256,
115		.key_type = EVP_PKEY_RSA,
116		.md = EVP_sha256,
117		.security_level = 3,
118		.flags = SIGALG_FLAG_RSA_PSS,
119		},
120		{
121		.value = SIGALG_RSA_PSS_PSS_SHA384,
122		.key_type = EVP_PKEY_RSA,
123		.md = EVP_sha384,
124		.security_level = 4,
125		.flags = SIGALG_FLAG_RSA_PSS,
126		},
127		{
128		.value = SIGALG_RSA_PSS_PSS_SHA512,
129		.key_type = EVP_PKEY_RSA,
130		.md = EVP_sha512,
131		.security_level = 5,
132		.flags = SIGALG_FLAG_RSA_PSS,
133		},
134		{
135		.value = SIGALG_RSA_PKCS1_SHA224,
136		.key_type = EVP_PKEY_RSA,
137		.md = EVP_sha224,
138		.security_level = 2,
139		},
140		{
141		.value = SIGALG_ECDSA_SECP224R1_SHA224,
142		.key_type = EVP_PKEY_EC,
143		.md = EVP_sha224,
144		.security_level = 2,
145		},
146		{
147		.value = SIGALG_RSA_PKCS1_SHA1,
148		.key_type = EVP_PKEY_RSA,
149		.md = EVP_sha1,
150		.security_level = 1,
151		},
152		{
153		.value = SIGALG_ECDSA_SHA1,
154		.key_type = EVP_PKEY_EC,
155		.md = EVP_sha1,
156		.security_level = 1,
157		},
158		{
159		.value = SIGALG_RSA_PKCS1_MD5_SHA1,
160		.key_type = EVP_PKEY_RSA,
161		.md = EVP_md5_sha1,
162		.security_level = 1,
163		},
164		{
165		.value = SIGALG_NONE,
166		},
167		};
168
169		/* Sigalgs for TLSv1.3, in preference order. */
170		const uint16_t tls13_sigalgs[] = {
171		SIGALG_RSA_PSS_RSAE_SHA512,
172		SIGALG_RSA_PKCS1_SHA512,
173		SIGALG_ECDSA_SECP521R1_SHA512,
174		SIGALG_RSA_PSS_RSAE_SHA384,
175		SIGALG_RSA_PKCS1_SHA384,
176		SIGALG_ECDSA_SECP384R1_SHA384,
177		SIGALG_RSA_PSS_RSAE_SHA256,
178		SIGALG_RSA_PKCS1_SHA256,
179		SIGALG_ECDSA_SECP256R1_SHA256,
180		};
181		const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
182
183		/* Sigalgs for TLSv1.2, in preference order. */
184		const uint16_t tls12_sigalgs[] = {
185		SIGALG_RSA_PSS_RSAE_SHA512,
186		SIGALG_RSA_PKCS1_SHA512,
187		SIGALG_ECDSA_SECP521R1_SHA512,
188		SIGALG_RSA_PSS_RSAE_SHA384,
189		SIGALG_RSA_PKCS1_SHA384,
190		SIGALG_ECDSA_SECP384R1_SHA384,
191		SIGALG_RSA_PSS_RSAE_SHA256,
192		SIGALG_RSA_PKCS1_SHA256,
193		SIGALG_ECDSA_SECP256R1_SHA256,
194		SIGALG_RSA_PKCS1_SHA1, /* XXX */
195		SIGALG_ECDSA_SHA1, /* XXX */
196		};
197		const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
198
199		static void
200		ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
201		size_t *out_len)
202	6.87k	{
203	6.87k	if (tls_version >= TLS1_3_VERSION) {
204	0	*out_values = tls13_sigalgs;
205	0	*out_len = tls13_sigalgs_len;
206	6.87k	} else {
207	6.87k	*out_values = tls12_sigalgs;
208	6.87k	*out_len = tls12_sigalgs_len;
209	6.87k	}
210	6.87k	}
211
212		static const struct ssl_sigalg *
213		ssl_sigalg_lookup(uint16_t value)
214	74.6k	{
215	74.6k	int i;
216
217	645k	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
218	645k	if (sigalgs[i].value == value)
219	74.6k	return &sigalgs[i];
220	645k	}
221
222	0	return NULL;
223	74.6k	}
224
225		static const struct ssl_sigalg *
226		ssl_sigalg_from_value(SSL *s, uint16_t value)
227	111	{
228	111	const uint16_t *values;
229	111	size_t len;
230	111	int i;
231
232	111	ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
233	111	&values, &len);
234
235	790	for (i = 0; i < len; i++) {
236	788	if (values[i] == value)
237	109	return ssl_sigalg_lookup(value);
238	788	}
239
240	2	return NULL;
241	111	}
242
243		int
244		ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
245	6.76k	{
246	6.76k	const struct ssl_sigalg *sigalg;
247	6.76k	const uint16_t *values;
248	6.76k	size_t len;
249	6.76k	size_t i;
250	6.76k	int ret = 0;
251
252	6.76k	ssl_sigalgs_for_version(tls_version, &values, &len);
253
254		/* Add values in order as long as they are supported. */
255	81.1k	for (i = 0; i < len; i++) {
256		/* Do not allow the legacy value for < 1.2 to be used. */
257	74.4k	if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
258	0	return 0;
259	74.4k	if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
260	0	return 0;
261	74.4k	if (sigalg->security_level < security_level)
262	0	continue;
263
264	74.4k	if (!CBB_add_u16(cbb, values[i]))
265	0	return 0;
266
267	74.4k	ret = 1;
268	74.4k	}
269	6.76k	return ret;
270	6.76k	}
271
272		static const struct ssl_sigalg *
273		ssl_sigalg_for_legacy(SSL s, EVP_PKEY pkey)
274	95	{
275	95	if (SSL_get_security_level(s) > 1)
276	0	return NULL;
277
278		/* Default signature algorithms used for TLSv1.2 and earlier. */
279	95	switch (EVP_PKEY_id(pkey)) {
280	9	case EVP_PKEY_RSA:
281	9	if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
282	9	return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
283	0	return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
284	86	case EVP_PKEY_EC:
285	86	return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
286	0	#ifndef OPENSSL_NO_GOST
287	0	case EVP_PKEY_GOSTR01:
288	0	return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
289	95	#endif
290	95	}
291	0	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
292	0	return NULL;
293	95	}
294
295		static int
296		ssl_sigalg_pkey_ok(SSL s, const struct ssl_sigalg sigalg, EVP_PKEY *pkey)
297	109	{
298	109	if (sigalg == NULL \|\| pkey == NULL)
299	0	return 0;
300	109	if (sigalg->key_type != EVP_PKEY_id(pkey))
301	5	return 0;
302
303		/* RSA PSS must have a sufficiently large RSA key. */
304	104	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
305	21	if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA \|\|
306	21	EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
307	1	return 0;
308	21	}
309
310	103	if (!ssl_security_sigalg_check(s, pkey))
311	0	return 0;
312
313	103	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
314	103	return 1;
315
316		/* RSA cannot be used without PSS in TLSv1.3. */
317	0	if (sigalg->key_type == EVP_PKEY_RSA &&
318	0	(sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
319	0	return 0;
320
321		/* Ensure that group matches for EC keys. */
322	0	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
323	0	if (sigalg->group_nid == 0)
324	0	return 0;
325	0	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
326	0	EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
327	0	return 0;
328	0	}
329
330	0	return 1;
331	0	}
332
333		const struct ssl_sigalg *
334		ssl_sigalg_select(SSL s, EVP_PKEY pkey)
335	0	{
336	0	CBS cbs;
337
338	0	if (!SSL_USE_SIGALGS(s))
339	0	return ssl_sigalg_for_legacy(s, pkey);
340
341		/*
342		* RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
343		* in which case the server must use the default.
344		*/
345	0	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
346	0	s->s3->hs.sigalgs == NULL)
347	0	return ssl_sigalg_for_legacy(s, pkey);
348
349		/*
350		* If we get here, we have client or server sent sigalgs, use one.
351		*/
352	0	CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
353	0	while (CBS_len(&cbs) > 0) {
354	0	const struct ssl_sigalg *sigalg;
355	0	uint16_t sigalg_value;
356
357	0	if (!CBS_get_u16(&cbs, &sigalg_value))
358	0	return NULL;
359
360	0	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
361	0	continue;
362	0	if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
363	0	return sigalg;
364	0	}
365
366	0	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
367	0	return NULL;
368	0	}
369
370		const struct ssl_sigalg *
371		ssl_sigalg_for_peer(SSL s, EVP_PKEY pkey, uint16_t sigalg_value)
372	206	{
373	206	const struct ssl_sigalg *sigalg;
374
375	206	if (!SSL_USE_SIGALGS(s))
376	95	return ssl_sigalg_for_legacy(s, pkey);
377
378	111	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
379	2	SSLerror(s, SSL_R_UNKNOWN_DIGEST);
380	2	return NULL;
381	2	}
382	109	if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
383	6	SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
384	6	return NULL;
385	6	}
386
387	103	return sigalg;
388	109	}