diff options
| author |   beck <beck@openbsd.org> | 2018-11-13 01:19:48 +0000 |
|---|---|---|
| committer | beck <beck@openbsd.org> | 2018-11-13 01:19:48 +0000 |
| commit | 3ef2d76b1ac919119d0e0d657d9641dcee2e4728 (patch) | |
| tree | 67eaef8ee8942acc35eaa7ba70899f3a55e93c80 /lib/libssl/ssl_sigalgs.c | |
| parent | get the inner and outer tos values right for passing to ip_ecn_ingress (diff) | |
| download | wireguard-openbsd-3ef2d76b1ac919119d0e0d657d9641dcee2e4728.tar.xz wireguard-openbsd-3ef2d76b1ac919119d0e0d657d9641dcee2e4728.zip | |
Fix pkey_ok to be less strange, and add cuve checks required for the EC ones
ok tb@
Diffstat (limited to 'lib/libssl/ssl_sigalgs.c')
| -rw-r--r-- | lib/libssl/ssl_sigalgs.c | 35 |
1 files changed, 26 insertions, 9 deletions
diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c index a6c5a4e9d8d..8ea51b9c040 100644 --- a/lib/libssl/ssl_sigalgs.c +++ b/lib/libssl/ssl_sigalgs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.c,v 1.7 2018/11/11 21:54:47 beck Exp $ */ +/* $OpenBSD: ssl_sigalgs.c,v 1.8 2018/11/13 01:19:48 beck Exp $ */ /* * Copyright (c) 2018, Bob Beck <beck@openbsd.org> * @@ -36,6 +36,7 @@ const struct ssl_sigalg sigalgs[] = { .md = EVP_sha512, .key_type = EVP_PKEY_EC, .pkey_idx = SSL_PKEY_ECC, + .curve_nid = NID_secp521r1, }, #ifndef OPENSSL_NO_GOST { @@ -56,6 +57,7 @@ const struct ssl_sigalg sigalgs[] = { .md = EVP_sha384, .key_type = EVP_PKEY_EC, .pkey_idx = SSL_PKEY_ECC, + .curve_nid = NID_secp384r1, }, { .value = SIGALG_RSA_PKCS1_SHA256, @@ -68,6 +70,7 @@ const struct ssl_sigalg sigalgs[] = { .md = EVP_sha256, .key_type = EVP_PKEY_EC, .pkey_idx = SSL_PKEY_ECC, + .curve_nid = NID_X9_62_prime256v1, }, #ifndef OPENSSL_NO_GOST { @@ -229,15 +232,29 @@ ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len) int ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey) { - if (sigalg->key_type == pkey->type) { - if (!(sigalg->flags & SIGALG_FLAG_RSA_PSS)) - return 1; + if (sigalg == NULL || pkey == NULL) + return 0; + if (sigalg->key_type != pkey->type) + return 0; + + if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) { /* - * RSA keys for PSS need to be at least - * as big as twice the size of the hash + 2 + * RSA PSS Must have an RSA key that needs to be at + * least as big as twice the size of the hash + 2 */ - if (EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2)) - return 1; + if (pkey->type != EVP_PKEY_RSA || + EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2)) + return 0; + } + + if (pkey->type == EVP_PKEY_EC) { + if (sigalg->curve_nid == 0) + return 0; + /* Curve must match for EC keys */ + if (EC_GROUP_get_curve_name(EC_KEY_get0_group + (EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) + return 0; } - return 0; + + return 1; } |