/* Set peer sigalg based key type */
int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
{
- int idx = ssl_cert_type(NULL, pkey);
+ size_t idx;
+ const SIGALG_LOOKUP *lu;
- const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, idx);
+ if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
+ return 0;
+ lu = tls1_get_legacy_sigalg(s, idx);
if (lu == NULL)
return 0;
s->s3->tmp.peer_sigalg = lu;
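Review bot: `size_t idx` is handed straight to `tls1_get_legacy_sigalg(s, idx)`, while the removed line fed that call an `int`. The callee's prototype is not in this hunk, but if it still takes a signed index the conversion is now implicit. The last hunk on this page handles the same mismatch with a separate `certidx` and an explicit `idx = certidx;`, so for consistency either cast here, `lu = tls1_get_legacy_sigalg(s, (int)idx);`, or widen the callee's parameter. The header comment could also record the new fail-closed behaviour, e.g. `/* Set peer sigalg based on key type; returns 0 if the key type is not recognised */`. The function's tail lies outside the hunk.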
{
const uint16_t *sigalgs;
size_t i, sigalgslen;
- int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
+ uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
/*
- * Now go through all signature algorithms seeing if we support any for
- * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
- * down calls to security callback only check if we have to.
+ * Go through all signature algorithms seeing if we support any
+ * in disabled_mask.
*/
sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
for (i = 0; i < sigalgslen; i ++, sigalgs++) {
const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
+ const SSL_CERT_LOOKUP *clu;
if (lu == NULL)
continue;
- switch (lu->sig) {
-#ifndef OPENSSL_NO_RSA
- /* Any RSA-PSS signature algorithms also mean we allow RSA */
- case EVP_PKEY_RSA_PSS:
- case EVP_PKEY_RSA:
- if (!have_rsa && tls12_sigalg_allowed(s, op, lu))
- have_rsa = 1;
- break;
-#endif
-#ifndef OPENSSL_NO_DSA
- case EVP_PKEY_DSA:
- if (!have_dsa && tls12_sigalg_allowed(s, op, lu))
- have_dsa = 1;
- break;
-#endif
-#ifndef OPENSSL_NO_EC
- case EVP_PKEY_ED25519:
- case EVP_PKEY_EC:
- if (!have_ecdsa && tls12_sigalg_allowed(s, op, lu))
- have_ecdsa = 1;
- break;
-#endif
- }
+
+ clu = ssl_cert_lookup_by_idx(lu->sig_idx);
+
+ /* If algorithm is disabled see if we can enable it */
+ if ((clu->amask & disabled_mask) != 0
+ && tls12_sigalg_allowed(s, op, lu))
+ disabled_mask &= ~clu->amask;
}
- if (!have_rsa)
- *pmask_a |= SSL_aRSA;
- if (!have_dsa)
- *pmask_a |= SSL_aDSS;
- if (!have_ecdsa)
- *pmask_a |= SSL_aECDSA;
+ *pmask_a |= disabled_mask;
}
int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
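Review bot: `clu = ssl_cert_lookup_by_idx(lu->sig_idx);` is dereferenced on the next line (`clu->amask`) with no NULL check, although the other lookup this commit introduces, `ssl_cert_lookup_by_pkey()`, is checked against NULL at both call sites. The body of `ssl_cert_lookup_by_idx()` is not shown, so whether it can return NULL for an out-of-range `sig_idx` is an assumption. If it can, adding `if (clu == NULL) continue;` right after the lookup avoids a NULL dereference and leaves the corresponding auth bit disabled. The removed switch explicitly let RSA-PSS count as RSA and Ed25519 as ECDSA, so it is worth confirming that the `amask` of those lookup entries carries `SSL_aRSA` / `SSL_aECDSA`; otherwise the set of masked ciphersuites changes silently. The enclosing function's signature (which supplies `op` and `pmask_a`) is outside the hunk.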
if (!x || !pk)
goto end;
} else {
+ size_t certidx;
+
if (!x || !pk)
return 0;
- idx = ssl_cert_type(x, pk);
- if (idx == -1)
+
+ if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
return 0;
+ idx = certidx;
pvalid = s->s3->tmp.valid_flags + idx;
if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)