1*689a9b7eSbeck /* $OpenBSD: ssl_sigalgs.h,v 1.27 2024/02/03 15:58:34 beck Exp $ */ 296b1ac03Sbeck /* 396b13b45Sjsing * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 496b1ac03Sbeck * 596b1ac03Sbeck * Permission to use, copy, modify, and/or distribute this software for any 696b1ac03Sbeck * purpose with or without fee is hereby granted, provided that the above 796b1ac03Sbeck * copyright notice and this permission notice appear in all copies. 896b1ac03Sbeck * 996b1ac03Sbeck * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 1096b1ac03Sbeck * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 1196b1ac03Sbeck * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 1296b1ac03Sbeck * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 1396b1ac03Sbeck * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 1496b1ac03Sbeck * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 1596b1ac03Sbeck * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 1696b1ac03Sbeck */ 1796b1ac03Sbeck 1862416295Sjsing #ifndef HEADER_SSL_SIGALGS_H 1962416295Sjsing #define HEADER_SSL_SIGALGS_H 2062416295Sjsing 2162416295Sjsing __BEGIN_HIDDEN_DECLS 2296b1ac03Sbeck 2396b1ac03Sbeck #define SIGALG_NONE 0x0000 2496b1ac03Sbeck 2596b1ac03Sbeck /* 2696b1ac03Sbeck * RFC 8446 Section 4.2.3 2796b1ac03Sbeck * RFC 5246 Section 7.4.1.4.1 2896b1ac03Sbeck */ 2996b1ac03Sbeck #define SIGALG_RSA_PKCS1_SHA224 0x0301 3096b1ac03Sbeck #define SIGALG_RSA_PKCS1_SHA256 0x0401 3196b1ac03Sbeck #define SIGALG_RSA_PKCS1_SHA384 0x0501 3296b1ac03Sbeck #define SIGALG_RSA_PKCS1_SHA512 0x0601 3396b1ac03Sbeck #define SIGALG_ECDSA_SECP224R1_SHA224 0x0303 3496b1ac03Sbeck #define SIGALG_ECDSA_SECP256R1_SHA256 0x0403 3596b1ac03Sbeck #define SIGALG_ECDSA_SECP384R1_SHA384 0x0503 368b21e38aSbeck #define SIGALG_ECDSA_SECP521R1_SHA512 0x0603 3796b1ac03Sbeck #define SIGALG_RSA_PSS_RSAE_SHA256 0x0804 3896b1ac03Sbeck #define SIGALG_RSA_PSS_RSAE_SHA384 0x0805 3996b1ac03Sbeck #define SIGALG_RSA_PSS_RSAE_SHA512 0x0806 4096b1ac03Sbeck #define SIGALG_ED25519 0x0807 4196b1ac03Sbeck #define SIGALG_ED448 0x0808 4296b1ac03Sbeck #define SIGALG_RSA_PSS_PSS_SHA256 0x0809 4396b1ac03Sbeck #define SIGALG_RSA_PSS_PSS_SHA384 0x080a 4496b1ac03Sbeck #define SIGALG_RSA_PSS_PSS_SHA512 0x080b 4596b1ac03Sbeck #define SIGALG_RSA_PKCS1_SHA1 0x0201 4696b1ac03Sbeck #define SIGALG_ECDSA_SHA1 0x0203 4796b1ac03Sbeck #define SIGALG_PRIVATE_START 0xFE00 4896b1ac03Sbeck #define SIGALG_PRIVATE_END 0xFFFF 4996b1ac03Sbeck 50d2a2fa5fSjsing /* Legacy sigalg for < TLSv1.2 same value as BoringSSL uses. */ 512fab3c32Sbeck #define SIGALG_RSA_PKCS1_MD5_SHA1 0xFF01 522fab3c32Sbeck 5396b1ac03Sbeck #define SIGALG_FLAG_RSA_PSS 0x00000001 5496b1ac03Sbeck 5596b1ac03Sbeck struct ssl_sigalg { 5696b1ac03Sbeck uint16_t value; 5796b1ac03Sbeck int key_type; 58e3d56dc6Sjsing const EVP_MD *(*md)(void); 59fe57aeedStb int security_level; 60c5270c5dStb int group_nid; 6196b1ac03Sbeck int flags; 6296b1ac03Sbeck }; 6396b1ac03Sbeck 64678f3880Stb int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level); 6596b13b45Sjsing const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey); 6621424b10Sjsing const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, 6721424b10Sjsing uint16_t sigalg_value); 6862416295Sjsing 6962416295Sjsing __END_HIDDEN_DECLS 7062416295Sjsing 7162416295Sjsing #endif 72