{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1752648256, "reponame":"openssl", "desc":"OpenSSL", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl", "f":3, "items": [ {"schema":"libjg2-1", "cid":"fc6d6e545a00dc95944baf48c448bd5f", "commit": {"type":"commit", "time": 1485820979, "time_ofs": 0, "oid_tree": { "oid": "a12a221b1ca207ee966f50e053eb4d6305229deb", "alias": []}, "oid":{ "oid": "f742cda820cec70009ca914f8efbc725f3976b65", "alias": []}, "msg": "Store table entry to peer signature algorithm.", "sig_commit": { "git_time": { "time": 1485820979, "offset": 0 }, "name": "Dr. Stephen Henson", "email": "steve@openssl.org", "md5": "fb4026c8240f7577a612418c24e54343" }, "sig_author": { "git_time": { "time": 1485784119, "offset": 0 }, "name": "Dr. Stephen Henson", "email": "steve@openssl.org", "md5": "fb4026c8240f7577a612418c24e54343" }}, "body": "Store table entry to peer signature algorithm.\n\nReviewed-by: Rich Salz \u003crsalz@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/2324)" , "diff": "diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c\nindex 936a301..df9d0c7 100644\n--- a/ssl/s3_lib.c\n+++ b/ssl/s3_lib.c\n@@ -3177,20 +3177,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)\n return ssl_cert_set_cert_store(s-\u003ecert, parg, 1, larg);\n \n case SSL_CTRL_GET_PEER_SIGNATURE_NID:\n- if (SSL_USE_SIGALGS(s)) {\n- if (s-\u003esession) {\n- const EVP_MD *sig;\n- sig \u003d s-\u003es3-\u003etmp.peer_md;\n- if (sig) {\n- *(int *)parg \u003d EVP_MD_type(sig);\n- return 1;\n- }\n- }\n- return 0;\n- }\n- /* Might want to do something here for other versions */\n- else\n+ if (s-\u003es3-\u003etmp.peer_sigalg \u003d\u003d NULL)\n return 0;\n+ *(int *)parg \u003d s-\u003es3-\u003etmp.peer_sigalg-\u003ehash;\n+ return 1;\n \n case SSL_CTRL_GET_SERVER_TMP_KEY:\n #if !defined(OPENSSL_NO_DH) || 
!defined(OPENSSL_NO_EC)\ndiff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h\nindex 13be4f3..c2139cb 100644\n--- a/ssl/ssl_locl.h\n+++ b/ssl/ssl_locl.h\n@@ -1180,6 +1180,25 @@ struct ssl_st {\n CRYPTO_RWLOCK *lock;\n };\n \n+/*\n+ * Structure containing table entry of values associated with the signature\n+ * algorithms (signature scheme) extension\n+*/\n+typedef struct sigalg_lookup_st {\n+ /* TLS 1.3 signature scheme name */\n+ const char *name;\n+ /* Raw value used in extension */\n+ uint16_t sigalg;\n+ /* NID of hash algorithm */\n+ int hash;\n+ /* NID of signature algorithm */\n+ int sig;\n+ /* Combined hash and signature NID, if any */\n+ int sigandhash;\n+ /* Required public key curve (ECDSA only) */\n+ int curve;\n+} SIGALG_LOOKUP;\n+\n typedef struct ssl3_state_st {\n long flags;\n size_t read_mac_secret_size;\n@@ -1269,10 +1288,10 @@ typedef struct ssl3_state_st {\n uint16_t *peer_sigalgs;\n /* Size of above array */\n size_t peer_sigalgslen;\n+ /* Sigalg peer actualy uses */\n+ const SIGALG_LOOKUP *peer_sigalg;\n /* Digest peer uses for signing */\n const EVP_MD *peer_md;\n- /* Signature type: public key type or EVP_PKEY_RSA_PSS for PSS */\n- int peer_sigtype;\n /* Array of digests used for signing */\n const EVP_MD *md[SSL_PKEY_NUM];\n /*\n@@ -1509,25 +1528,6 @@ typedef struct {\n size_t meths_count;\n } custom_ext_methods;\n \n-/*\n- * Structure containing table entry of values associated with the signature\n- * algorithms (signature scheme) extension\n-*/\n-typedef struct sigalg_lookup_st {\n- /* TLS 1.3 signature scheme name */\n- const char *name;\n- /* Raw value used in extension */\n- uint16_t sigalg;\n- /* NID of hash algorithm */\n- int hash;\n- /* NID of signature algorithm */\n- int sig;\n- /* Combined hash and signature NID, if any */\n- int sigandhash;\n- /* Required public key curve (ECDSA only) */\n- int curve;\n-} SIGALG_LOOKUP;\n-\n typedef struct cert_st {\n /* Current active set */\n /*\n@@ -1750,7 +1750,8 @@ typedef enum tlsext_index_en {\n 
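Review bot: The new SSL_CTRL_GET_PEER_SIGNATURE_NID case in ssl3_ctrl dereferences `s->s3->tmp.peer_sigalg` after dropping both the `SSL_USE_SIGALGS(s)` and `s->session` guards, so the accessor is now only correct if peer_sigalg is NULL whenever no TLS 1.2+ signature algorithm has been checked for the current connection, including after a renegotiation that ends up not sending a signature; the diff does not show where the field is reset. Since `tls12_check_peer_sigalg` only ever sets it (see the t1_lib.c hunks), a comment at the new lines stating that invariant would make the dependency visible: `/* peer_sigalg is NULL unless tls12_check_peer_sigalg() accepted a sigalg for this handshake */`. Note also that the value returned is now `peer_sigalg->hash` while SSL_get_peer_signature_type_nid() returns `->sig`; documenting which NID each accessor exposes would help callers. ssl3_ctrl starts and ends outside this hunk.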
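Review bot: The comment on the new `peer_sigalg` member in ssl3_state_st has a typo and says nothing about ownership, even though the field is a pointer that outlives the call that sets it; `/* Sigalg the peer actually uses; borrowed table entry, not owned or freed */` would fix both, if (as the `const SIGALG_LOOKUP *` type and the lookup in t1_lib.c suggest) it points into a static table rather than allocated memory. The same hunk keeps `peer_md` alongside the new pointer although `peer_sigalg->hash` now carries the same information via tls12_get_hash(); a one-line comment saying why both are retained would prevent a later cleanup from removing the wrong one.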
/* An invalid index into the TLSv1.3 PSK identities */\n #define TLSEXT_PSK_BAD_IDENTITY -1\n \n-#define SSL_USE_PSS(s) (s-\u003es3-\u003etmp.peer_sigtype \u003d\u003d EVP_PKEY_RSA_PSS)\n+#define SSL_USE_PSS(s) (s-\u003es3-\u003etmp.peer_sigalg !\u003d NULL \u0026\u0026 \u005c\n+ s-\u003es3-\u003etmp.peer_sigalg-\u003esig \u003d\u003d EVP_PKEY_RSA_PSS)\n \n /* A dummy signature value not valid for TLSv1.2 signature algs */\n #define TLSEXT_signature_rsa_pss 0x0101\n@@ -2260,7 +2261,7 @@ __owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,\n __owur int tls1_save_sigalgs(SSL *s, PACKET *pkt);\n __owur int tls1_process_sigalgs(SSL *s);\n __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);\n-__owur int tls12_check_peer_sigalg(SSL *s, unsigned int sig, EVP_PKEY *pkey);\n+__owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);\n void ssl_set_client_disabled(SSL *s);\n __owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op);\n \ndiff --git a/ssl/t1_lib.c b/ssl/t1_lib.c\nindex c906061..2a39e7e 100644\n--- a/ssl/t1_lib.c\n+++ b/ssl/t1_lib.c\n@@ -823,23 +823,25 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)\n * algorithms and if so set relevant digest and signature scheme in\n * s.\n */\n-int tls12_check_peer_sigalg(SSL *s, unsigned int sig, EVP_PKEY *pkey)\n+int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)\n {\n const uint16_t *sent_sigs;\n const EVP_MD *md \u003d NULL;\n char sigalgstr[2];\n size_t sent_sigslen, i;\n int pkeyid \u003d EVP_PKEY_id(pkey);\n- int peer_sigtype;\n+ const SIGALG_LOOKUP *lu;\n \n /* Should never happen */\n if (pkeyid \u003d\u003d -1)\n return -1;\n- /* Check key type is consistent with signature */\n- peer_sigtype \u003d tls_sigalg_get_sig(sig);\n- /* RSA keys can be used for RSA-PSS */\n- if (pkeyid !\u003d peer_sigtype\n- \u0026\u0026 (peer_sigtype !\u003d EVP_PKEY_RSA_PSS || pkeyid !\u003d EVP_PKEY_RSA)) {\n+ lu \u003d tls1_lookup_sigalg(sig);\n+ /*\n+ * 
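Review bot: The updated prototype for tls12_check_peer_sigalg drops the name of its second parameter, while the definition in t1_lib.c names it `sig`; keep the name in the header so the declaration documents itself: `__owur int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey);`. In the preceding hunk the rewritten SSL_USE_PSS macro now evaluates its `s` argument twice and still does not parenthesize it; wrapping each use as `(s)->s3->tmp.peer_sigalg` is the conventional guard, and a `static inline` helper would avoid the double evaluation altogether.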
Check sigalgs is known and key type is consistent with signature:\n+ * RSA keys can be used for RSA-PSS\n+ */\n+ if (lu \u003d\u003d NULL || (pkeyid !\u003d lu-\u003esig\n+ \u0026\u0026 (lu-\u003esig !\u003d EVP_PKEY_RSA_PSS || pkeyid !\u003d EVP_PKEY_RSA))) {\n SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);\n return 0;\n }\n@@ -883,13 +885,12 @@ int tls12_check_peer_sigalg(SSL *s, unsigned int sig, EVP_PKEY *pkey)\n break;\n }\n /* Allow fallback to SHA1 if not strict mode */\n- if (i \u003d\u003d sent_sigslen\n- \u0026\u0026 (tls_sigalg_get_hash(sig) !\u003d NID_sha1\n- || s-\u003ecert-\u003ecert_flags \u0026 SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {\n+ if (i \u003d\u003d sent_sigslen \u0026\u0026 (lu-\u003ehash !\u003d NID_sha1\n+ || s-\u003ecert-\u003ecert_flags \u0026 SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {\n SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);\n return 0;\n }\n- md \u003d tls12_get_hash(tls_sigalg_get_hash(sig));\n+ md \u003d tls12_get_hash(lu-\u003ehash);\n if (md \u003d\u003d NULL) {\n SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);\n return 0;\n@@ -910,15 +911,15 @@ int tls12_check_peer_sigalg(SSL *s, unsigned int sig, EVP_PKEY *pkey)\n * Store the digest used so applications can retrieve it if they wish.\n */\n s-\u003es3-\u003etmp.peer_md \u003d md;\n- s-\u003es3-\u003etmp.peer_sigtype \u003d peer_sigtype;\n+ s-\u003es3-\u003etmp.peer_sigalg \u003d lu;\n return 1;\n }\n \n int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)\n {\n- if (s-\u003es3-\u003etmp.peer_sigtype \u003d\u003d NID_undef)\n+ if (s-\u003es3-\u003etmp.peer_sigalg \u003d\u003d NULL)\n return 0;\n- *pnid \u003d s-\u003es3-\u003etmp.peer_sigtype;\n+ *pnid \u003d s-\u003es3-\u003etmp.peer_sigalg-\u003esig;\n return 1;\n }\n \n","s":{"c":1752648256,"u": 34309}} ],"g": 35637,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}
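Review bot: In the first t1_lib.c hunk an unknown signature scheme (`lu == NULL`) and a key-type mismatch now both report SSL_R_WRONG_SIGNATURE_TYPE, which makes the two failure modes indistinguishable in logs and error queues; splitting the condition so the NULL case raises its own reason code (if one exists for an unknown or unsupported sigalg) would aid diagnosis of handshake failures. The function's header comment above the hunk still describes the result as "set relevant digest and signature scheme in s", but the last hunk now also stores the table entry in `peer_sigalg`; a line such as `* On success records the SIGALG_LOOKUP entry in s->s3->tmp.peer_sigalg.` keeps it accurate. tls12_check_peer_sigalg's body runs across all three hunks and continues outside them.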