History log of /openbsd-current/lib/libssl/ssl_sigalgs.c
Revision Date Author Comments
# 1.49 03-Feb-2024 beck

Remove GOST and STREEBOG support from libssl.

This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.

At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.

This removes it from libssl in preparation for its removal from
libcrypto with a future major bump

ok tb@


Revision tags: OPENBSD_7_3_BASE OPENBSD_7_4_BASE
# 1.48 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


Revision tags: OPENBSD_7_2_BASE
# 1.47 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.46 02-Jul-2022 tb

Rename uses of 'curve' to 'group' and rework tls1 group API.

This reworks various tls1_ curve APIs to indicate success via a boolean
return value and move the output to an out parameter. This makes the
caller code easier and more consistent.

Based on a suggestion by jsing

ok jsing


# 1.45 29-Jun-2022 tb

Check sigalg security level when selecting them.

ok beck jsing


# 1.44 29-Jun-2022 tb

Check the security bits of the sigalgs' pkey

ok beck jsing


# 1.43 29-Jun-2022 tb

Check the security level when building sigalgs

ok beck jsing


# 1.42 29-Jun-2022 tb

Annotate sigalgs with their security level.

ok beck jsing


Revision tags: OPENBSD_7_1_BASE
# 1.41 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.40 20-Jan-2022 tb

Remove the remaining three parens in return statements.


# 1.39 20-Jan-2022 tb

Use correct spelling of NULL.


# 1.38 26-Nov-2021 tb

Stop reaching into EVP_PKEY in the rest of libssl.

ok inoguchi jsing


Revision tags: OPENBSD_7_0_BASE
# 1.37 29-Jun-2021 jsing

Pull up and dedup the TLS version check in ssl_sigalg_pkey_ok().

Suggested by tb@


# 1.36 29-Jun-2021 jsing

Simplify RSA PSS key size comment.

Wording provided by tb@


# 1.35 29-Jun-2021 jsing

Change ssl_sigalg_from_value() to take SSL * instead of a TLS version.

This simplifies callers, as only the negotiated TLS version needs to be
used here.

Requested by tb@


# 1.34 29-Jun-2021 jsing

Make various sigalg functions static now that they're only used internally.


# 1.33 29-Jun-2021 jsing

Provide a ssl_sigalg_for_peer() function and use in the TLSv1.3 code.

Provide an ssl_sigalg_for_peer() function that knows how to figure out
which signature algorithm should be used for a peer provided signature,
performing appropriate validation to ensure that the peer provided value
is suitable for the protocol version and key in use.

In the TLSv1.3 code, this replaces the need for separate calls to lookup
the sigalg from the peer provided value, then perform validation.

ok inoguchi@ tb@


# 1.32 29-Jun-2021 jsing

Move the RSA-PSS check for TLSv1.3 to ssl_sigalg_pkey_ok().

Also, rather than passing in a check_curve flag, pass in the SSL * and
handle version checks internally to ssl_sigalg_pkey_ok(), simplifying
the callers.

ok inoguchi@ tb@


# 1.31 29-Jun-2021 jsing

Factor out handling of legacy default signature algorithms.

In the case of TLSv1.0 and TLSv1.1 there is no signature algorithms
extension and default signature algorithms are used - similar applies to
TLSv1.2 when the signature algorithms extension has been omitted.

ok inoguchi@ tb@


# 1.30 29-Jun-2021 jsing

Mop up now unused variables.


# 1.29 27-Jun-2021 jsing

Change ssl_sigalgs_from_value() to perform sigalg list selection.

Rather than passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.

ok tb@


# 1.28 27-Jun-2021 jsing

Rename ssl_sigalg() to ssl_sigalg_from_value().

This makes the code more self-documenting and avoids the ambiguity between
ssl_sigalg the struct and ssl_sigalg the function.

ok tb@


# 1.27 27-Jun-2021 jsing

Change ssl_sigalgs_build() to perform sigalg list selection.

Rather than doing sigalg list selection at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_build() perform the sigalg
list selection itself. This reduces code duplication, simplifies the
calling code and is the first step towards internalising the sigalg lists.

ok tb@


# 1.26 27-Jun-2021 jsing

Tidy some comments and simplify some code.

ok tb@


# 1.25 27-Jun-2021 jsing

Keep sigalg initialiser order consistent - key type, then hash.

This matches the order that sigalgs are specified in.

ok tb@


# 1.24 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


Revision tags: OPENBSD_6_9_BASE
# 1.23 10-Mar-2021 jsing

Improve internal version handling.

Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.

Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.

Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).

ok tb@


# 1.22 11-Oct-2020 guenther

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@


Revision tags: OPENBSD_6_8_BASE
# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

branches: 1.20.8;
Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@


# 1.14 23-Jan-2019 beck

Modify sigalgs extension processing to accommodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@


# 1.13 23-Jan-2019 beck

revert previous, accidentally contained another diff in addition
to the one I intended to commit


# 1.12 23-Jan-2019 beck

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@


# 1.11 16-Nov-2018 beck

Unbreak legacy ciphers for prior to 1.1 by having a legacy
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@


# 1.10 14-Nov-2018 beck

In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1
Makes connections to outlook.office365.com work


# 1.9 13-Nov-2018 beck

Temporary workaround for breakage seen in www.videolan.org with curve mismatch


# 1.8 13-Nov-2018 beck

Fix pkey_ok to be less strange, and add curve checks required for the EC ones
ok tb@


# 1.7 11-Nov-2018 beck

Add check function to verify that pkey is usable with a sigalg.
Include check for appropriate RSA key size when used with PSS.
ok tb@


# 1.6 11-Nov-2018 beck

Convert signatures and verification to use the EVP_DigestXXX api
to allow for adding PSS. Nuke the now unneeded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@


# 1.5 10-Nov-2018 beck

Remove dead code
ok jsing@


# 1.4 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.3 09-Nov-2018 beck

Ensure we only choose sigalgs from our preference list, not the whole list
ok jsing@
ok jsing@

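Added illustration (not LibreSSL's code) of the selection rules the 1.3, 1.7, 1.17, 1.18 and 1.21 entries above describe: walk our own preference list rather than the peer's, select only once the certificate key is known, allow RSA only with PSS under TLS 1.3, enforce the PSS modulus-size requirement, and parse the peer's list without reading past its end. The SignatureScheme code points are the RFC 8446 values; the struct layout, the preference order, the NamedGroup ids used as curve ids and the cert_key description are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>

#define TLS1_2_VERSION	0x0303
#define TLS1_3_VERSION	0x0304
enum key_type { KEY_RSA = 1, KEY_EC = 2 };
enum hash_alg { HASH_SHA1 = 1, HASH_SHA256, HASH_SHA384, HASH_SHA512 };
#define SIGALG_FLAG_PSS	0x01	/* RSA-PSS rather than PKCS#1 v1.5 */

struct sigalg {
	uint16_t value;		/* SignatureScheme code point, RFC 8446 4.2.3 */
	int key_type, hash;
	int hash_len;		/* digest size in bytes */
	int curve_id;		/* NamedGroup id an ECDSA key must be on (TLS 1.3) */
	unsigned int flags;
};

/* Our preference list, most preferred first (assumed order, constructed here). */
static const struct sigalg sigalgs_pref[] = {
	{ 0x0804, KEY_RSA, HASH_SHA256, 32,  0, SIGALG_FLAG_PSS },	/* rsa_pss_rsae_sha256 */
	{ 0x0806, KEY_RSA, HASH_SHA512, 64,  0, SIGALG_FLAG_PSS },	/* rsa_pss_rsae_sha512 */
	{ 0x0403, KEY_EC,  HASH_SHA256, 32, 23, 0 },			/* ecdsa_secp256r1_sha256 */
	{ 0x0503, KEY_EC,  HASH_SHA384, 48, 24, 0 },			/* ecdsa_secp384r1_sha384 */
	{ 0x0401, KEY_RSA, HASH_SHA256, 32,  0, 0 },			/* rsa_pkcs1_sha256 */
	{ 0x0201, KEY_RSA, HASH_SHA1,   20,  0, 0 },			/* rsa_pkcs1_sha1 */
};

/* The certificate key; only known once the certificate has been chosen. */
struct cert_key {
	int type;
	int bits;		/* RSA modulus size */
	int curve_id;		/* NamedGroup id for EC keys */
};

/*
 * Parse a signature_algorithms body (u16 length, then u16 code points).
 * Truncated input and odd lengths are rejected rather than read past the
 * end of the buffer. Returns the number of code points, or -1.
 */
static int
parse_sigalgs(const uint8_t *buf, size_t len, uint16_t *out, size_t out_max)
{
	size_t i, n, list_len;
	if (len < 2)
		return -1;
	list_len = ((size_t)buf[0] << 8) | buf[1];
	if (list_len == 0 || list_len % 2 != 0 || list_len != len - 2)
		return -1;
	n = list_len / 2;
	if (n > out_max)
		return -1;
	for (i = 0; i < n; i++)
		out[i] = (uint16_t)((buf[2 + 2 * i] << 8) | buf[3 + 2 * i]);
	return (int)n;
}

/* Can this key sign with this sigalg under the negotiated version? */
static int
sigalg_pkey_ok(uint16_t version, const struct sigalg *sa, const struct cert_key *key)
{
	if (sa->key_type != key->type)
		return 0;
	if (version == TLS1_3_VERSION) {
		/* TLS 1.3: RSA only with PSS, no SHA-1, ECDSA curve must match. */
		if (sa->key_type == KEY_RSA && !(sa->flags & SIGALG_FLAG_PSS))
			return 0;
		if (sa->hash == HASH_SHA1)
			return 0;
		if (sa->key_type == KEY_EC && sa->curve_id != key->curve_id)
			return 0;
	}
	/* PSS with salt length = hash length needs a modulus of at least 2*hLen+2 bytes. */
	if ((sa->flags & SIGALG_FLAG_PSS) && key->bits / 8 < 2 * sa->hash_len + 2)
		return 0;
	return 1;
}

/*
 * Walk our preference list (not the peer's) and return the code point of the
 * first entry the peer offered that the key can use, or 0 if none fits.
 * This runs once the key is known, not when the extension is parsed.
 */
static uint16_t
sigalg_select(uint16_t version, const uint8_t *ext, size_t ext_len,
    const struct cert_key *key)
{
	uint16_t peer[32];
	int i, j, npeer;
	if ((npeer = parse_sigalgs(ext, ext_len, peer, 32)) < 0)
		return 0;
	for (i = 0; i < (int)(sizeof(sigalgs_pref) / sizeof(sigalgs_pref[0])); i++) {
		const struct sigalg *sa = &sigalgs_pref[i];
		for (j = 0; j < npeer; j++)
			if (peer[j] == sa->value && sigalg_pkey_ok(version, sa, key))
				return sa->value;
	}
	return 0;
}
```

A peer that lists rsa_pkcs1_sha256 ahead of rsa_pss_rsae_sha256 still gets PSS under TLS 1.3 and gets nothing at all if it offers only PKCS#1, while the same list under TLS 1.2 yields PKCS#1.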

# 1.2 09-Nov-2018 beck

Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@


# 1.1 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@



Mop up now unused variables.


# 1.29 27-Jun-2021 jsing

Change ssl_sigalgs_from_value() to perform sigalg list selection.

Rather than passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.

ok tb@


# 1.28 27-Jun-2021 jsing

Rename ssl_sigalg() to ssl_sigalg_from_value().

This makes the code more self-documenting and avoids the ambiguity between
ssl_sigalg the struct and ssl_sigalg the function.

ok tb@


# 1.27 27-Jun-2021 jsing

Change ssl_sigalgs_build() to perform sigalg list selection.

Rather than doing sigalg list selection at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_build() perform the sigalg
list selection itself. This reduces code duplication, simplifies the
calling code and is the first step towards internalising the sigalg lists.

ok tb@


# 1.26 27-Jun-2021 jsing

Tidy some comments and simplify some code.

ok tb@


# 1.25 27-Jun-2021 jsing

Keep sigalg initialiser order consistent - key type, then hash.

This matches the order that sigalgs are specified in.

ok tb@


# 1.24 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file refers to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


Revision tags: OPENBSD_6_9_BASE
# 1.23 10-Mar-2021 jsing

Improve internal version handling.

Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.

Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.

Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).

ok tb@


# 1.22 11-Oct-2020 guenther

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@


Revision tags: OPENBSD_6_8_BASE
# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS, such as appears to be the case with GnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

branches: 1.20.8;
Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@
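
The selection rules spread across these entries (deferred selection once the certificate key is known in 1.18, PSS-only RSA for TLS 1.3 in 1.21, the RSA key-size check for PSS in 1.7, the curve check in 1.8/1.20/1.32, the bounded 2-byte parse in 1.17, the security-level filter in 1.42/1.45 and the legacy TLS 1.2 default in 1.10/1.31), as an added C example that is not OpenBSD's code. The function names, the preference list, the security-bit annotations and the curve identifiers are all constructed for the illustration.

```c
/* Added example, not OpenBSD libssl code: a self-contained model of the sigalg
 * selection rules in the commit messages above. Function names, the
 * preference list and the curve identifiers are constructed. */
#include <stddef.h>
#include <stdint.h>

#define TLS1_2_VERSION	0x0303
#define TLS1_3_VERSION	0x0304
#define CURVE_P256	1	/* constructed stand-ins for NID values */
#define CURVE_P384	2

enum key_type { KEY_RSA, KEY_EC };

struct sigalg {
	uint16_t value;		/* TLS SignatureScheme code point */
	enum key_type key;	/* key type first, then hash (1.25) */
	int is_pss;		/* RSA-PSS rather than PKCS#1 v1.5 */
	int hash_len;		/* digest length in bytes */
	int curve;		/* curve required in TLS 1.3, 0 = any */
	int security_bits;	/* security level annotation (1.42) */
};

/* Our preference list; selection only ever picks from here (1.3). */
static const struct sigalg sigalgs[] = {
	{ 0x0806, KEY_RSA, 1, 64, 0,          256 }, /* rsa_pss_rsae_sha512 */
	{ 0x0804, KEY_RSA, 1, 32, 0,          128 }, /* rsa_pss_rsae_sha256 */
	{ 0x0503, KEY_EC,  0, 48, CURVE_P384, 192 }, /* ecdsa_secp384r1_sha384 */
	{ 0x0403, KEY_EC,  0, 32, CURVE_P256, 128 }, /* ecdsa_secp256r1_sha256 */
	{ 0x0401, KEY_RSA, 0, 32, 0,          128 }, /* rsa_pkcs1_sha256 */
};

/* Can a key of this type/size/curve use this sigalg at this version? Models
 * the checks the log attributes to ssl_sigalg_pkey_ok(): key type, PSS only
 * for RSA in TLS 1.3 (1.21), RSA size for PSS (1.7), curve match (1.8, 1.32). */
static int
sigalg_pkey_ok(const struct sigalg *sa, enum key_type kt, int bits, int curve,
    int version)
{
	if (sa->key != kt)
		return 0;
	if (kt == KEY_RSA) {
		if (version >= TLS1_3_VERSION && !sa->is_pss)
			return 0;
		/* PSS with salt length = hash length needs 2*hLen + 2 bytes. */
		if (sa->is_pss && bits < (2 * sa->hash_len + 2) * 8)
			return 0;
	}
	if (kt == KEY_EC && version >= TLS1_3_VERSION &&
	    sa->curve != 0 && sa->curve != curve)
		return 0;
	return 1;
}

/* Parse the peer's list of 2-byte values: count, or -1 if the length is odd.
 * The i + 1 < len bound is what rules out the 2-byte overread of 1.17. */
static int
parse_peer_sigalgs(const uint8_t *buf, size_t len, uint16_t *out, size_t max)
{
	size_t i, n = 0;

	if (len % 2 != 0)
		return -1;
	for (i = 0; i + 1 < len && n < max; i += 2)
		out[n++] = (uint16_t)(buf[i] << 8 | buf[i + 1]);
	return (int)n;
}

/* Select once the certificate key is known (1.18): walk OUR preference list,
 * skip entries below the security level (1.45), keep those the peer offered
 * and the key can use. Returns the code point or 0. An omitted extension in
 * TLS 1.2 means the legacy SHA1 default (1.10, 1.31); TLS 1.3 requires it. */
static unsigned int
choose_sigalg(const uint8_t *ext, size_t ext_len, enum key_type kt, int bits,
    int curve, int version, int min_security_bits)
{
	uint16_t peer[32];
	size_t i;
	int n, j;

	if ((n = parse_peer_sigalgs(ext, ext_len, peer, 32)) < 0)
		return 0;
	if (n == 0)
		return version == TLS1_2_VERSION ?
		    (kt == KEY_RSA ? 0x0201 : 0x0203) : 0;
	for (i = 0; i < sizeof(sigalgs) / sizeof(sigalgs[0]); i++) {
		const struct sigalg *sa = &sigalgs[i];

		if (sa->security_bits < min_security_bits)
			continue;
		for (j = 0; j < n; j++)
			if (peer[j] == sa->value)
				break;
		if (j == n || !sigalg_pkey_ok(sa, kt, bits, curve, version))
			continue;
		return sa->value;
	}
	return 0;
}
```

The peer lists passed in are constructed byte strings in the extension's wire layout; a 1024-bit RSA key is enough to show why PSS-SHA512 is skipped while PSS-SHA256 is still usable.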


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@


# 1.14 23-Jan-2019 beck

Modify sigalgs extension processing to accommodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@


# 1.13 23-Jan-2019 beck

Revert previous; it accidentally contained another diff in addition
to the one I intended to commit.


# 1.12 23-Jan-2019 beck

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@


# 1.11 16-Nov-2018 beck

Unbreak legacy ciphers for prior to 1.1 by setting having a legacy
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@


# 1.10 14-Nov-2018 beck

In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1
Makes connections to outlook.office365.com work


# 1.9 13-Nov-2018 beck

Temporary workaround for breakage seen in www.videolan.org with curve mismatch


# 1.8 13-Nov-2018 beck

Fix pkey_ok to be less strange, and add cuve checks required for the EC ones
ok tb@


# 1.7 11-Nov-2018 beck

Add check function to verify that pkey is usable with a sigalg.
Include check for appropriate RSA key size when used with PSS.
ok tb@


# 1.6 11-Nov-2018 beck

Convert signatures and verifcation to use the EVP_DigestXXX api
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@


# 1.5 10-Nov-2018 beck

Remove dead code
ok jsing@


# 1.4 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.3 09-Nov-2018 beck

Ensure we only choose sigalgs from our prefernce list, not the whole list
ok jsing@


# 1.2 09-Nov-2018 beck

Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@


# 1.1 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.41 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.40 20-Jan-2022 tb

Remove the remaining three parens in return statements.


# 1.39 20-Jan-2022 tb

Use correct spelling of NULL.


# 1.38 26-Nov-2021 tb

Stop reaching into EVP_PKEY in the rest of libssl.

ok inoguchi jsing


Revision tags: OPENBSD_7_0_BASE
# 1.37 29-Jun-2021 jsing

Pull up and dedup the TLS version check in ssl_sigalg_pkey_ok().

Suggested by tb@


# 1.36 29-Jun-2021 jsing

Simplify RSA PSS key size comment.

Wording provided by tb@


# 1.35 29-Jun-2021 jsing

Change ssl_sigalg_from_value() to take SSL * instead of a TLS version.

This simplifies callers, as only the negotiated TLS version needs to be
used here.

Requested by tb@


# 1.34 29-Jun-2021 jsing

Make various sigalg functions static now that they're only used internally.


# 1.33 29-Jun-2021 jsing

Provide a ssl_sigalg_for_peer() function and use in the TLSv1.3 code.

Provide an ssl_sigalg_for_peer() function that knows how to figure out
which signature algorithm should be used for a peer provided signature,
performing appropriate validation to ensure that the peer provided value
is suitable for the protocol version and key in use.

In the TLSv1.3 code, this replaces the need for separate calls to lookup
the sigalg from the peer provided value, then perform validation.

ok inoguchi@ tb@


# 1.32 29-Jun-2021 jsing

Move the RSA-PSS check for TLSv1.3 to ssl_sigalg_pkey_ok().

Also, rather than passing in a check_curve flag, pass in the SSL * and
handle version checks internally to ssl_sigalg_pkey_ok(), simplifying
the callers.

ok inoguchi@ tb@


# 1.31 29-Jun-2021 jsing

Factor out handling of legacy default signature algorithms.

In the case of TLSv1.0 and TLSv1.1 there is no signature algorithms
extension and default signature algorithms are used - similar applies to
TLSv1.2 when the signature algorithms extension has been omitted.

ok inoguchi@ tb@


# 1.30 29-Jun-2021 jsing

Mop up now unused variables.


# 1.29 27-Jun-2021 jsing

Change ssl_sigalgs_from_value() to perform sigalg list selection.

Rather that passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.

ok tb@


# 1.28 27-Jun-2021 jsing

Rename ssl_sigalg() to ssl_sigalg_from_value().

This makes the code more self-documenting and avoids the ambiguity between
ssl_sigalg the struct and ssl_sigalg the function.

ok tb@


# 1.27 27-Jun-2021 jsing

Change ssl_sigalgs_build() to perform sigalg list selection.

Rather that doing sigalg list selection at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_build() perform the sigalg
list selection itself. This reduces code duplication, simplifies the
calling code and is the first step towards internalising the sigalg lists.

ok tb@


# 1.26 27-Jun-2021 jsing

Tidy some comments and simplify some code.

ok tb@


# 1.25 27-Jun-2021 jsing

Keep sigalg initialiser order consistent - key type, then hash.

This matches the order that sigalgs are specified in.

ok tb@


# 1.24 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


Revision tags: OPENBSD_6_9_BASE
# 1.23 10-Mar-2021 jsing

Improve internal version handling.

Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.

Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.

Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).

ok tb@


# 1.22 11-Oct-2020 guenther

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@


Revision tags: OPENBSD_6_8_BASE
# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

branches: 1.20.8;
Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@


# 1.14 23-Jan-2019 beck

Modify sigalgs extension processing to accomodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@


# 1.13 23-Jan-2019 beck

revert previous, accidentally contained another diff in addition
to the one I intended to commit


# 1.12 23-Jan-2019 beck

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@


# 1.11 16-Nov-2018 beck

Unbreak legacy ciphers for prior to 1.1 by setting having a legacy
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@


# 1.10 14-Nov-2018 beck

In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1
Makes connections to outlook.office365.com work


# 1.9 13-Nov-2018 beck

Temporary workaround for breakage seen in www.videolan.org with curve mismatch


# 1.8 13-Nov-2018 beck

Fix pkey_ok to be less strange, and add cuve checks required for the EC ones
ok tb@


# 1.7 11-Nov-2018 beck

Add check function to verify that pkey is usable with a sigalg.
Include check for appropriate RSA key size when used with PSS.
ok tb@


# 1.6 11-Nov-2018 beck

Convert signatures and verifcation to use the EVP_DigestXXX api
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@


# 1.5 10-Nov-2018 beck

Remove dead code
ok jsing@


# 1.4 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.3 09-Nov-2018 beck

Ensure we only choose sigalgs from our prefernce list, not the whole list
ok jsing@


# 1.2 09-Nov-2018 beck

Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@


# 1.1 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.40 20-Jan-2022 tb

Remove the remaining three parens in return statements.


# 1.39 20-Jan-2022 tb

Use correct spelling of NULL.


# 1.38 26-Nov-2021 tb

Stop reaching into EVP_PKEY in the rest of libssl.

ok inoguchi jsing


Revision tags: OPENBSD_7_0_BASE
# 1.37 29-Jun-2021 jsing

Pull up and dedup the TLS version check in ssl_sigalg_pkey_ok().

Suggested by tb@


# 1.36 29-Jun-2021 jsing

Simplify RSA PSS key size comment.

Wording provided by tb@


# 1.35 29-Jun-2021 jsing

Change ssl_sigalg_from_value() to take SSL * instead of a TLS version.

This simplifies callers, as only the negotiated TLS version needs to be
used here.

Requested by tb@


# 1.34 29-Jun-2021 jsing

Make various sigalg functions static now that they're only used internally.


# 1.33 29-Jun-2021 jsing

Provide a ssl_sigalg_for_peer() function and use in the TLSv1.3 code.

Provide an ssl_sigalg_for_peer() function that knows how to figure out
which signature algorithm should be used for a peer provided signature,
performing appropriate validation to ensure that the peer provided value
is suitable for the protocol version and key in use.

In the TLSv1.3 code, this replaces the need for separate calls to lookup
the sigalg from the peer provided value, then perform validation.

ok inoguchi@ tb@


# 1.32 29-Jun-2021 jsing

Move the RSA-PSS check for TLSv1.3 to ssl_sigalg_pkey_ok().

Also, rather than passing in a check_curve flag, pass in the SSL * and
handle version checks internally to ssl_sigalg_pkey_ok(), simplifying
the callers.

ok inoguchi@ tb@


# 1.31 29-Jun-2021 jsing

Factor out handling of legacy default signature algorithms.

In the case of TLSv1.0 and TLSv1.1 there is no signature algorithms
extension and default signature algorithms are used - similar applies to
TLSv1.2 when the signature algorithms extension has been omitted.

ok inoguchi@ tb@


# 1.30 29-Jun-2021 jsing

Mop up now unused variables.


# 1.29 27-Jun-2021 jsing

Change ssl_sigalgs_from_value() to perform sigalg list selection.

Rather that passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.

ok tb@


# 1.28 27-Jun-2021 jsing

Rename ssl_sigalg() to ssl_sigalg_from_value().

This makes the code more self-documenting and avoids the ambiguity between
ssl_sigalg the struct and ssl_sigalg the function.

ok tb@


# 1.27 27-Jun-2021 jsing

Change ssl_sigalgs_build() to perform sigalg list selection.

Rather that doing sigalg list selection at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_build() perform the sigalg
list selection itself. This reduces code duplication, simplifies the
calling code and is the first step towards internalising the sigalg lists.

ok tb@


# 1.26 27-Jun-2021 jsing

Tidy some comments and simplify some code.

ok tb@


# 1.25 27-Jun-2021 jsing

Keep sigalg initialiser order consistent - key type, then hash.

This matches the order that sigalgs are specified in.

ok tb@


# 1.24 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


Revision tags: OPENBSD_6_9_BASE
# 1.23 10-Mar-2021 jsing

Improve internal version handling.

Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.

Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.

Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).

ok tb@


# 1.22 11-Oct-2020 guenther

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@


Revision tags: OPENBSD_6_8_BASE
# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

branches: 1.20.8;
Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@


# 1.14 23-Jan-2019 beck

Modify sigalgs extension processing to accomodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@


# 1.13 23-Jan-2019 beck

revert previous, accidentally contained another diff in addition
to the one I intended to commit


# 1.12 23-Jan-2019 beck

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@


# 1.11 16-Nov-2018 beck

Unbreak legacy ciphers for prior to 1.1 by setting having a legacy
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@


# 1.10 14-Nov-2018 beck

In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1
Makes connections to outlook.office365.com work


# 1.9 13-Nov-2018 beck

Temporary workaround for breakage seen in www.videolan.org with curve mismatch


# 1.8 13-Nov-2018 beck

Fix pkey_ok to be less strange, and add cuve checks required for the EC ones
ok tb@


# 1.7 11-Nov-2018 beck

Add check function to verify that pkey is usable with a sigalg.
Include check for appropriate RSA key size when used with PSS.
ok tb@


# 1.6 11-Nov-2018 beck

Convert signatures and verifcation to use the EVP_DigestXXX api
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@


# 1.5 10-Nov-2018 beck

Remove dead code
ok jsing@


# 1.4 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.3 09-Nov-2018 beck

Ensure we only choose sigalgs from our prefernce list, not the whole list
ok jsing@


# 1.2 09-Nov-2018 beck

Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@


# 1.1 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.38 26-Nov-2021 tb

Stop reaching into EVP_PKEY in the rest of libssl.

ok inoguchi jsing


Revision tags: OPENBSD_7_0_BASE
# 1.37 29-Jun-2021 jsing

Pull up and dedup the TLS version check in ssl_sigalg_pkey_ok().

Suggested by tb@


# 1.36 29-Jun-2021 jsing

Simplify RSA PSS key size comment.

Wording provided by tb@


# 1.35 29-Jun-2021 jsing

Change ssl_sigalg_from_value() to take SSL * instead of a TLS version.

This simplifies callers, as only the negotiated TLS version needs to be
used here.

Requested by tb@


# 1.34 29-Jun-2021 jsing

Make various sigalg functions static now that they're only used internally.


# 1.33 29-Jun-2021 jsing

Provide a ssl_sigalg_for_peer() function and use in the TLSv1.3 code.

Provide an ssl_sigalg_for_peer() function that knows how to figure out
which signature algorithm should be used for a peer provided signature,
performing appropriate validation to ensure that the peer provided value
is suitable for the protocol version and key in use.

In the TLSv1.3 code, this replaces the need for separate calls to lookup
the sigalg from the peer provided value, then perform validation.

ok inoguchi@ tb@


# 1.32 29-Jun-2021 jsing

Move the RSA-PSS check for TLSv1.3 to ssl_sigalg_pkey_ok().

Also, rather than passing in a check_curve flag, pass in the SSL * and
handle version checks internally to ssl_sigalg_pkey_ok(), simplifying
the callers.

ok inoguchi@ tb@


# 1.31 29-Jun-2021 jsing

Factor out handling of legacy default signature algorithms.

In the case of TLSv1.0 and TLSv1.1 there is no signature algorithms
extension and default signature algorithms are used - similar applies to
TLSv1.2 when the signature algorithms extension has been omitted.

ok inoguchi@ tb@


# 1.30 29-Jun-2021 jsing

Mop up now unused variables.


# 1.29 27-Jun-2021 jsing

Change ssl_sigalgs_from_value() to perform sigalg list selection.

Rather that passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.

ok tb@


# 1.28 27-Jun-2021 jsing

Rename ssl_sigalg() to ssl_sigalg_from_value().

This makes the code more self-documenting and avoids the ambiguity between
ssl_sigalg the struct and ssl_sigalg the function.

ok tb@


# 1.27 27-Jun-2021 jsing

Change ssl_sigalgs_build() to perform sigalg list selection.

Rather that doing sigalg list selection at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_build() perform the sigalg
list selection itself. This reduces code duplication, simplifies the
calling code and is the first step towards internalising the sigalg lists.

ok tb@


# 1.26 27-Jun-2021 jsing

Tidy some comments and simplify some code.

ok tb@


# 1.25 27-Jun-2021 jsing

Keep sigalg initialiser order consistent - key type, then hash.

This matches the order that sigalgs are specified in.

ok tb@


# 1.24 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


Revision tags: OPENBSD_6_9_BASE
# 1.23 10-Mar-2021 jsing

Improve internal version handling.

Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.

Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.

Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).

ok tb@


# 1.22 11-Oct-2020 guenther

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@


Revision tags: OPENBSD_6_8_BASE
# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

branches: 1.20.8;
Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@


# 1.14 23-Jan-2019 beck

Modify sigalgs extension processing to accomodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@


# 1.13 23-Jan-2019 beck

revert previous, accidentally contained another diff in addition
to the one I intended to commit


# 1.12 23-Jan-2019 beck

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@


# 1.11 16-Nov-2018 beck

Unbreak legacy ciphers for prior to 1.1 by having a legacy
sigalg for MD5_SHA1 and using it as the non-sigalgs default
ok jsing@


# 1.10 14-Nov-2018 beck

In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1
Makes connections to outlook.office365.com work


# 1.9 13-Nov-2018 beck

Temporary workaround for breakage seen in www.videolan.org with curve mismatch


# 1.8 13-Nov-2018 beck

Fix pkey_ok to be less strange, and add curve checks required for the EC ones
ok tb@


# 1.7 11-Nov-2018 beck

Add check function to verify that pkey is usable with a sigalg.
Include check for appropriate RSA key size when used with PSS.
ok tb@


# 1.6 11-Nov-2018 beck

Convert signatures and verification to use the EVP_DigestXXX api
to allow for adding PSS. Nuke the now unneeded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@


# 1.5 10-Nov-2018 beck

Remove dead code
ok jsing@


# 1.4 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.3 09-Nov-2018 beck

Ensure we only choose sigalgs from our preference list, not the whole list
ok jsing@


# 1.2 09-Nov-2018 beck

Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@


# 1.1 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@
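
The selection rules these entries describe (a preference list of our own, selection deferred until the signing key is known, PSS only for RSA keys under TLS 1.3, an RSA modulus size check for PSS, the curve check for ECDSA, and a bounds-checked parse of the peer's list), as an added example in C. It is not libssl code: the curve identifiers, key sizes and the peer list are constructed, and select_for(), sigalg_key_ok(), parse_peer_sigalgs() and the other names are hypothetical; only the SignatureScheme code points are the RFC 8446 values.

```c
/*
 * Added example, not libssl code: a self-contained model of the sigalg rules
 * the log entries above describe. Curve ids, key sizes and the peer list are
 * constructed; the SignatureScheme code points are the RFC 8446 values.
 */
#include <stddef.h>
#include <stdint.h>

#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

enum key_type { KEY_RSA = 1, KEY_ECDSA };
enum curve { CURVE_ANY = 0, CURVE_P256, CURVE_P384 }; /* constructed ids */

struct sigalg {
	uint16_t value;    /* SignatureScheme code point */
	enum key_type key; /* key type the scheme is defined for */
	int hash_len;      /* digest length in bytes */
	int pss;           /* RSA only: 1 = RSA-PSS, 0 = PKCS#1 v1.5 */
	enum curve curve;  /* ECDSA only: curve pinned to the scheme in TLS 1.3 */
};

/* Our preference list, most preferred first; selection only picks from it. */
static const struct sigalg our_prefs[] = {
	{ 0x0804, KEY_RSA,   32, 1, CURVE_ANY  }, /* rsa_pss_rsae_sha256 */
	{ 0x0806, KEY_RSA,   64, 1, CURVE_ANY  }, /* rsa_pss_rsae_sha512 */
	{ 0x0403, KEY_ECDSA, 32, 0, CURVE_P256 }, /* ecdsa_secp256r1_sha256 */
	{ 0x0401, KEY_RSA,   32, 0, CURVE_ANY  }, /* rsa_pkcs1_sha256, legacy */
};
#define NPREFS (sizeof(our_prefs) / sizeof(our_prefs[0]))

/* The signing key as selection sees it: type, RSA modulus bits, ECDSA curve. */
struct sign_key { enum key_type type; int bits; enum curve curve; };

/* Constructed peer list: rsa_pkcs1_sha256, rsa_pss_rsae_sha512, ecdsa_secp256r1_sha256. */
static const uint8_t peer_body[] = { 0x00, 0x06, 0x04, 0x01, 0x08, 0x06, 0x04, 0x03 };

/* Parse a signature_algorithms body (2-byte length, then 2-byte code points),
 * checking the declared length against the bytes present before any read. */
static int
parse_peer_sigalgs(const uint8_t *buf, size_t len, uint16_t *out,
    size_t max_out, size_t *n_out)
{
	size_t list_len, i;
	if (len < 2)
		return 0;
	list_len = ((size_t)buf[0] << 8) | buf[1];
	if (list_len == 0 || list_len % 2 != 0 || list_len != len - 2)
		return 0;
	if (list_len / 2 > max_out)
		return 0;
	for (i = 0; i < list_len / 2; i++)
		out[i] = (uint16_t)((buf[2 + 2 * i] << 8) | buf[3 + 2 * i]);
	*n_out = list_len / 2;
	return 1;
}

/* Can this key sign with this scheme at this protocol version? */
static int
sigalg_key_ok(const struct sigalg *sa, const struct sign_key *key, int version)
{
	if (sa->key != key->type)
		return 0;
	if (key->type == KEY_RSA) {
		/* TLS 1.3 permits only PSS with RSA keys, whatever the peer prefers. */
		if (version == TLS1_3_VERSION && !sa->pss)
			return 0;
		/* PSS with salt = hash length needs emLen >= 2*hLen + 2 (RFC 8017). */
		return !sa->pss || (key->bits + 6) / 8 >= 2 * sa->hash_len + 2;
	}
	/* ECDSA: the curve is pinned to the scheme only in TLS 1.3. */
	return version != TLS1_3_VERSION || sa->curve == key->curve;
}

/* Deferred selection: once the key is known, return the first scheme in our
 * preference order that the peer offered and the key can use, else 0. */
static int
select_sigalg(const uint16_t *peer, size_t n_peer, const struct sign_key *key,
    int version)
{
	size_t i, j;
	for (i = 0; i < NPREFS; i++)
		for (j = 0; j < n_peer; j++)
			if (peer[j] == our_prefs[i].value &&
			    sigalg_key_ok(&our_prefs[i], key, version))
				return our_prefs[i].value;
	return 0;
}

/* Parse a body, then select for a key; -1 means the body was malformed. */
static int
select_for(const uint8_t *body, size_t len, enum key_type type, int bits,
    enum curve curve, int version)
{
	struct sign_key key = { type, bits, curve };
	uint16_t peer[16];
	size_t n = 0;
	if (!parse_peer_sigalgs(body, len, peer, 16, &n))
		return -1;
	return select_sigalg(peer, n, &key, version);
}
```

The walk is over our list rather than the peer's, so a peer that lists rsa_pkcs1_sha256 ahead of rsa_pss_rsae_sha512 still gets PSS with a 2048-bit RSA key, and under TLS 1.3 a 1024-bit RSA key gets nothing at all (PSS with SHA-512 does not fit the modulus and PKCS#1 v1.5 is not allowed), whereas under TLS 1.2 it falls through to the legacy PKCS#1 entry. A P-384 key with only ecdsa_secp256r1_sha256 on offer is rejected in TLS 1.3 but accepted in TLS 1.2, where the curve is not tied to the scheme.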


# 1.37 29-Jun-2021 jsing

Pull up and dedup the TLS version check in ssl_sigalg_pkey_ok().

Suggested by tb@


# 1.36 29-Jun-2021 jsing

Simplify RSA PSS key size comment.

Wording provided by tb@


# 1.35 29-Jun-2021 jsing

Change ssl_sigalg_from_value() to take SSL * instead of a TLS version.

This simplifies callers, as only the negotiated TLS version needs to be
used here.

Requested by tb@


# 1.34 29-Jun-2021 jsing

Make various sigalg functions static now that they're only used internally.


# 1.33 29-Jun-2021 jsing

Provide a ssl_sigalg_for_peer() function and use in the TLSv1.3 code.

Provide an ssl_sigalg_for_peer() function that knows how to figure out
which signature algorithm should be used for a peer provided signature,
performing appropriate validation to ensure that the peer provided value
is suitable for the protocol version and key in use.

In the TLSv1.3 code, this replaces the need for separate calls to lookup
the sigalg from the peer provided value, then perform validation.

ok inoguchi@ tb@


# 1.32 29-Jun-2021 jsing

Move the RSA-PSS check for TLSv1.3 to ssl_sigalg_pkey_ok().

Also, rather than passing in a check_curve flag, pass in the SSL * and
handle version checks internally to ssl_sigalg_pkey_ok(), simplifying
the callers.

ok inoguchi@ tb@


# 1.31 29-Jun-2021 jsing

Factor out handling of legacy default signature algorithms.

In the case of TLSv1.0 and TLSv1.1 there is no signature algorithms
extension and default signature algorithms are used - similar applies to
TLSv1.2 when the signature algorithms extension has been omitted.

ok inoguchi@ tb@


# 1.30 29-Jun-2021 jsing

Mop up now unused variables.


# 1.29 27-Jun-2021 jsing

Change ssl_sigalgs_from_value() to perform sigalg list selection.

Rather than passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.

ok tb@


# 1.28 27-Jun-2021 jsing

Rename ssl_sigalg() to ssl_sigalg_from_value().

This makes the code more self-documenting and avoids the ambiguity between
ssl_sigalg the struct and ssl_sigalg the function.

ok tb@


# 1.27 27-Jun-2021 jsing

Change ssl_sigalgs_build() to perform sigalg list selection.

Rather than doing sigalg list selection at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_build() perform the sigalg
list selection itself. This reduces code duplication, simplifies the
calling code and is the first step towards internalising the sigalg lists.

ok tb@


# 1.26 27-Jun-2021 jsing

Tidy some comments and simplify some code.

ok tb@


# 1.25 27-Jun-2021 jsing

Keep sigalg initialiser order consistent - key type, then hash.

This matches the order that sigalgs are specified in.

ok tb@


# 1.24 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


Revision tags: OPENBSD_6_9_BASE
# 1.23 10-Mar-2021 jsing

Improve internal version handling.

Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.

Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.

Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).

ok tb@


# 1.22 11-Oct-2020 guenther

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@


Revision tags: OPENBSD_6_8_BASE
# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

branches: 1.20.8;
Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@


# 1.14 23-Jan-2019 beck

Modify sigalgs extension processing to accomodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@


# 1.13 23-Jan-2019 beck

revert previous, accidentally contained another diff in addition
to the one I intended to commit


# 1.12 23-Jan-2019 beck

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@


# 1.11 16-Nov-2018 beck

Unbreak legacy ciphers for prior to 1.1 by setting having a legacy
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@


# 1.10 14-Nov-2018 beck

In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1
Makes connections to outlook.office365.com work


# 1.9 13-Nov-2018 beck

Temporary workaround for breakage seen in www.videolan.org with curve mismatch


# 1.8 13-Nov-2018 beck

Fix pkey_ok to be less strange, and add cuve checks required for the EC ones
ok tb@


# 1.7 11-Nov-2018 beck

Add check function to verify that pkey is usable with a sigalg.
Include check for appropriate RSA key size when used with PSS.
ok tb@


# 1.6 11-Nov-2018 beck

Convert signatures and verifcation to use the EVP_DigestXXX api
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@


# 1.5 10-Nov-2018 beck

Remove dead code
ok jsing@


# 1.4 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.3 09-Nov-2018 beck

Ensure we only choose sigalgs from our prefernce list, not the whole list
ok jsing@


# 1.2 09-Nov-2018 beck

Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@


# 1.1 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.29 27-Jun-2021 jsing

Change ssl_sigalgs_from_value() to perform sigalg list selection.

Rather that passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.

ok tb@


# 1.28 27-Jun-2021 jsing

Rename ssl_sigalg() to ssl_sigalg_from_value().

This makes the code more self-documenting and avoids the ambiguity between
ssl_sigalg the struct and ssl_sigalg the function.

ok tb@


# 1.27 27-Jun-2021 jsing

Change ssl_sigalgs_build() to perform sigalg list selection.

Rather that doing sigalg list selection at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_build() perform the sigalg
list selection itself. This reduces code duplication, simplifies the
calling code and is the first step towards internalising the sigalg lists.

ok tb@


# 1.26 27-Jun-2021 jsing

Tidy some comments and simplify some code.

ok tb@


# 1.25 27-Jun-2021 jsing

Keep sigalg initialiser order consistent - key type, then hash.

This matches the order that sigalgs are specified in.

ok tb@


# 1.24 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


Revision tags: OPENBSD_6_9_BASE
# 1.23 10-Mar-2021 jsing

Improve internal version handling.

Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.

Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.

Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).

ok tb@


# 1.22 11-Oct-2020 guenther

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@


Revision tags: OPENBSD_6_8_BASE
# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

branches: 1.20.8;
Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@


# 1.14 23-Jan-2019 beck

Modify sigalgs extension processing to accomodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@


# 1.13 23-Jan-2019 beck

revert previous, accidentally contained another diff in addition
to the one I intended to commit


# 1.12 23-Jan-2019 beck

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@


# 1.11 16-Nov-2018 beck

Unbreak legacy ciphers for prior to 1.1 by setting having a legacy
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@


# 1.10 14-Nov-2018 beck

In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1
Makes connections to outlook.office365.com work


# 1.9 13-Nov-2018 beck

Temporary workaround for breakage seen in www.videolan.org with curve mismatch


# 1.8 13-Nov-2018 beck

Fix pkey_ok to be less strange, and add cuve checks required for the EC ones
ok tb@


# 1.7 11-Nov-2018 beck

Add check function to verify that pkey is usable with a sigalg.
Include check for appropriate RSA key size when used with PSS.
ok tb@


# 1.6 11-Nov-2018 beck

Convert signatures and verifcation to use the EVP_DigestXXX api
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@


# 1.5 10-Nov-2018 beck

Remove dead code
ok jsing@


# 1.4 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.3 09-Nov-2018 beck

Ensure we only choose sigalgs from our prefernce list, not the whole list
ok jsing@


# 1.2 09-Nov-2018 beck

Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@


# 1.1 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.24 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


Revision tags: OPENBSD_6_9_BASE
# 1.23 10-Mar-2021 jsing

Improve internal version handling.

Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.

Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.

Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).

ok tb@


# 1.22 11-Oct-2020 guenther

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@


Revision tags: OPENBSD_6_8_BASE
# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

branches: 1.20.8;
Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@


# 1.14 23-Jan-2019 beck

Modify sigalgs extension processing to accomodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@


# 1.13 23-Jan-2019 beck

revert previous, accidentally contained another diff in addition
to the one I intended to commit


# 1.12 23-Jan-2019 beck

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@


# 1.11 16-Nov-2018 beck

Unbreak legacy ciphers for prior to 1.1 by setting having a legacy
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@


# 1.10 14-Nov-2018 beck

In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1
Makes connections to outlook.office365.com work


# 1.9 13-Nov-2018 beck

Temporary workaround for breakage seen in www.videolan.org with curve mismatch


# 1.8 13-Nov-2018 beck

Fix pkey_ok to be less strange, and add cuve checks required for the EC ones
ok tb@


# 1.7 11-Nov-2018 beck

Add check function to verify that pkey is usable with a sigalg.
Include check for appropriate RSA key size when used with PSS.
ok tb@


# 1.6 11-Nov-2018 beck

Convert signatures and verifcation to use the EVP_DigestXXX api
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@


# 1.5 10-Nov-2018 beck

Remove dead code
ok jsing@


# 1.4 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.3 09-Nov-2018 beck

Ensure we only choose sigalgs from our prefernce list, not the whole list
ok jsing@


# 1.2 09-Nov-2018 beck

Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@


# 1.1 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.23 10-Mar-2021 jsing

Improve internal version handling.

Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.

Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.

Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).

ok tb@


# 1.22 11-Oct-2020 guenther

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@


Revision tags: OPENBSD_6_8_BASE
# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

branches: 1.20.8;
Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@


# 1.14 23-Jan-2019 beck

Modify sigalgs extension processing to accomodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@


# 1.13 23-Jan-2019 beck

revert previous, accidentally contained another diff in addition
to the one I intended to commit


# 1.12 23-Jan-2019 beck

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@


# 1.11 16-Nov-2018 beck

Unbreak legacy ciphers for prior to 1.1 by setting having a legacy
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@


# 1.10 14-Nov-2018 beck

In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1
Makes connections to outlook.office365.com work


# 1.9 13-Nov-2018 beck

Temporary workaround for breakage seen in www.videolan.org with curve mismatch


# 1.8 13-Nov-2018 beck

Fix pkey_ok to be less strange, and add cuve checks required for the EC ones
ok tb@


# 1.7 11-Nov-2018 beck

Add check function to verify that pkey is usable with a sigalg.
Include check for appropriate RSA key size when used with PSS.
ok tb@


# 1.6 11-Nov-2018 beck

Convert signatures and verifcation to use the EVP_DigestXXX api
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@


# 1.5 10-Nov-2018 beck

Remove dead code
ok jsing@


# 1.4 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.3 09-Nov-2018 beck

Ensure we only choose sigalgs from our prefernce list, not the whole list
ok jsing@


# 1.2 09-Nov-2018 beck

Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@


# 1.1 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.22 11-Oct-2020 guenther

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@


Revision tags: OPENBSD_6_8_BASE
# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

branches: 1.20.8;
Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@


# 1.14 23-Jan-2019 beck

Modify sigalgs extension processing to accomodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@


# 1.13 23-Jan-2019 beck

revert previous, accidentally contained another diff in addition
to the one I intended to commit


# 1.12 23-Jan-2019 beck

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@


# 1.11 16-Nov-2018 beck

Unbreak legacy ciphers for prior to 1.1 by setting having a legacy
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@


# 1.10 14-Nov-2018 beck

In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1
Makes connections to outlook.office365.com work


# 1.9 13-Nov-2018 beck

Temporary workaround for breakage seen in www.videolan.org with curve mismatch


# 1.8 13-Nov-2018 beck

Fix pkey_ok to be less strange, and add cuve checks required for the EC ones
ok tb@


# 1.7 11-Nov-2018 beck

Add check function to verify that pkey is usable with a sigalg.
Include check for appropriate RSA key size when used with PSS.
ok tb@


# 1.6 11-Nov-2018 beck

Convert signatures and verifcation to use the EVP_DigestXXX api
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@


# 1.5 10-Nov-2018 beck

Remove dead code
ok jsing@


# 1.4 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.3 09-Nov-2018 beck

Ensure we only choose sigalgs from our prefernce list, not the whole list
ok jsing@


# 1.2 09-Nov-2018 beck

Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@


# 1.1 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.21 09-May-2020 beck

Forcibly ensure that only PSS may be used with RSA in TLS 1.3.
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with GnuTLS.
ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.20 01-Apr-2019 beck

Correct subtle bug in sigalgs, only care about curve_nid if we are
checking the curve.
ok jsing@ tb@


# 1.19 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.18 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.17 19-Mar-2019 jsing

Avoid an internal 2 byte overread in ssl_sigalgs().

Found by oss-fuzz, fixes issue #13797.

ok beck@ tb@
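
As an added illustration of the checks the entries above describe (not libssl's code: the sigalg struct, the preference list and the three functions are constructed for this example), the block below does a length-validated parse of the signature_algorithms extension so a truncated final pair cannot cause a 2-byte overread, a key usability check that enforces the RSA-PSS modulus-size rule and PSS-only RSA in TLS 1.3, and selection from our own preference list made only once the certificate key is known.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical sigalg table entry for this illustration (not libssl's struct). */
enum key_type { KEY_RSA, KEY_EC };
struct sigalg {
	uint16_t value;      /* SignatureScheme code point (RFC 8446 4.2.3) */
	enum key_type key;
	bool pss;            /* RSASSA-PSS rather than PKCS#1 v1.5 */
	size_t hash_len;     /* digest length in bytes */
};

/* Constructed server preference list: PSS ahead of PKCS#1 v1.5. */
static const struct sigalg prefs[] = {
	{ 0x0806, KEY_RSA, true,  64 },  /* rsa_pss_rsae_sha512 */
	{ 0x0805, KEY_RSA, true,  48 },  /* rsa_pss_rsae_sha384 */
	{ 0x0804, KEY_RSA, true,  32 },  /* rsa_pss_rsae_sha256 */
	{ 0x0403, KEY_EC,  false, 32 },  /* ecdsa_secp256r1_sha256 */
	{ 0x0401, KEY_RSA, false, 32 },  /* rsa_pkcs1_sha256 (TLS 1.2 only) */
};
#define NPREFS (sizeof(prefs) / sizeof(prefs[0]))

/* Parse a signature_algorithms body (u16 length, then u16 values) into out.
 * Returns the count, or -1 if the length is zero, odd, runs past the buffer
 * or exceeds outmax; checking it up front is what avoids a 2-byte overread. */
int parse_sigalgs(const uint8_t *buf, size_t buflen, uint16_t *out, size_t outmax)
{
	size_t len, i, n = 0;

	if (buflen < 2) return -1;
	len = ((size_t)buf[0] << 8) | buf[1];
	if (len == 0 || len % 2 != 0 || len > buflen - 2) return -1;
	for (i = 0; i < len; i += 2) {
		if (n == outmax) return -1;
		out[n++] = (uint16_t)((buf[2 + i] << 8) | buf[3 + i]);
	}
	return (int)n;
}

/* Can the certificate key sign with this sigalg? PSS with salt = hash length
 * needs a modulus of at least 2*hLen + 2 bytes (RFC 8017 9.1.1), and TLS 1.3
 * allows RSA keys only with PSS. */
bool pkey_ok(const struct sigalg *sa, enum key_type key, size_t key_bytes, bool tls13)
{
	if (sa->key != key) return false;
	if (key == KEY_RSA && tls13 && !sa->pss) return false;
	if (key == KEY_RSA && sa->pss && key_bytes < 2 * sa->hash_len + 2) return false;
	return true;
}

/* Walk OUR preference list, not the peer's, and return the first scheme the
 * peer offered that the known certificate key can use (0 if none). Running
 * this only after the key is known is the point of deferring selection. */
uint16_t select_sigalg(const uint16_t *peer, size_t npeer, enum key_type key,
    size_t key_bytes, bool tls13)
{
	for (size_t i = 0; i < NPREFS; i++) {
		if (!pkey_ok(&prefs[i], key, key_bytes, tls13)) continue;
		for (size_t j = 0; j < npeer; j++)
			if (peer[j] == prefs[i].value) return prefs[i].value;
	}
	return 0;
}
```

With a 1024-bit RSA key (128-byte modulus) a peer offering rsa_pss_rsae_sha512 first still ends up with rsa_pss_rsae_sha384, since SHA-512 PSS needs a 130-byte modulus; that is the key-size mismatch the deferred selection avoids.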


# 1.16 24-Jan-2019 beck

Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is deprecated.
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@


# 1.15 23-Jan-2019 beck

Correct ECDSA_SECP512R1 typo to ECDSA_SECP521R1
spotted by naddy@

