diff options
| author | beck <> | 2018-11-09 05:02:53 +0000 |
|---|---|---|
| committer | beck <> | 2018-11-09 05:02:53 +0000 |
| commit | 85848fddf8c87379828aad8b378f86e0d5966a60 (patch) | |
| tree | a10a843f3ef55dc5fa5b4e06a3ab7054c9e50d81 | |
| parent | e67eb8087c3d0d0e7689c7c0cb6b55a14b7b1c46 (diff) | |
| download | openbsd-85848fddf8c87379828aad8b378f86e0d5966a60.tar.gz openbsd-85848fddf8c87379828aad8b378f86e0d5966a60.tar.bz2 openbsd-85848fddf8c87379828aad8b378f86e0d5966a60.zip | |
Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@
| -rw-r--r-- | src/lib/libssl/ssl_sigalgs.c | 40 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_sigalgs.h | 7 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_srvr.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 4 |
4 files changed, 43 insertions, 12 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c index d214b0dbbf..fe10965feb 100644 --- a/src/lib/libssl/ssl_sigalgs.c +++ b/src/lib/libssl/ssl_sigalgs.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_sigalgs.c,v 1.1 2018/11/09 00:34:55 beck Exp $ */ | 1 | /* $OpenBSD: ssl_sigalgs.c,v 1.2 2018/11/09 05:02:53 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2018, Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -24,7 +24,6 @@ | |||
| 24 | #include "ssl_sigalgs.h" | 24 | #include "ssl_sigalgs.h" |
| 25 | #include "tls13_internal.h" | 25 | #include "tls13_internal.h" |
| 26 | 26 | ||
| 27 | /* This table must be kept in preference order for now */ | ||
| 28 | const struct ssl_sigalg sigalgs[] = { | 27 | const struct ssl_sigalg sigalgs[] = { |
| 29 | { | 28 | { |
| 30 | .value = SIGALG_RSA_PKCS1_SHA512, | 29 | .value = SIGALG_RSA_PKCS1_SHA512, |
| @@ -157,6 +156,24 @@ const struct ssl_sigalg sigalgs[] = { | |||
| 157 | }, | 156 | }, |
| 158 | }; | 157 | }; |
| 159 | 158 | ||
| 159 | /* Sigalgs for tls 1.2, in preference order, */ | ||
| 160 | uint16_t tls12_sigalgs[] = { | ||
| 161 | SIGALG_RSA_PKCS1_SHA512, | ||
| 162 | SIGALG_ECDSA_SECP512R1_SHA512, | ||
| 163 | SIGALG_GOSTR12_512_STREEBOG_512, | ||
| 164 | SIGALG_RSA_PKCS1_SHA384, | ||
| 165 | SIGALG_ECDSA_SECP384R1_SHA384, | ||
| 166 | SIGALG_RSA_PKCS1_SHA256, | ||
| 167 | SIGALG_ECDSA_SECP256R1_SHA256, | ||
| 168 | SIGALG_GOSTR12_256_STREEBOG_256, | ||
| 169 | SIGALG_GOSTR01_GOST94, | ||
| 170 | SIGALG_RSA_PKCS1_SHA224, | ||
| 171 | SIGALG_ECDSA_SECP224R1_SHA224, | ||
| 172 | SIGALG_RSA_PKCS1_SHA1, /* XXX */ | ||
| 173 | SIGALG_ECDSA_SHA1, /* XXX */ | ||
| 174 | }; | ||
| 175 | size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0])); | ||
| 176 | |||
| 160 | const struct ssl_sigalg * | 177 | const struct ssl_sigalg * |
| 161 | ssl_sigalg_lookup(uint16_t sigalg) | 178 | ssl_sigalg_lookup(uint16_t sigalg) |
| 162 | { | 179 | { |
| @@ -206,12 +223,23 @@ ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md) | |||
| 206 | } | 223 | } |
| 207 | 224 | ||
| 208 | int | 225 | int |
| 209 | ssl_sigalgs_build(CBB *cbb) | 226 | ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len) |
| 210 | { | 227 | { |
| 211 | int i; | 228 | const struct ssl_sigalg *sap; |
| 229 | size_t i; | ||
| 212 | 230 | ||
| 213 | for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) { | 231 | for (i = 0; sigalgs[i].value != SIGALG_NONE; i++); |
| 214 | if (!CBB_add_u16(cbb, sigalgs[i].value)) | 232 | if (len > i) |
| 233 | return 0; | ||
| 234 | |||
| 235 | /* XXX check for duplicates and other sanity BS? */ | ||
| 236 | |||
| 237 | /* Add values in order as long as they are supported. */ | ||
| 238 | for (i = 0; i < len; i++) { | ||
| 239 | if ((sap = ssl_sigalg_lookup(values[i])) != NULL) { | ||
| 240 | if (!CBB_add_u16(cbb, values[i])) | ||
| 241 | return 0; | ||
| 242 | } else | ||
| 215 | return 0; | 243 | return 0; |
| 216 | } | 244 | } |
| 217 | return 1; | 245 | return 1; |
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h index a73c398e58..629213e761 100644 --- a/src/lib/libssl/ssl_sigalgs.h +++ b/src/lib/libssl/ssl_sigalgs.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_sigalgs.h,v 1.2 2018/11/09 03:17:04 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_sigalgs.h,v 1.3 2018/11/09 05:02:53 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2018, Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -66,10 +66,13 @@ struct ssl_sigalg{ | |||
| 66 | int flags; | 66 | int flags; |
| 67 | }; | 67 | }; |
| 68 | 68 | ||
| 69 | extern uint16_t tls12_sigalgs[]; | ||
| 70 | extern size_t tls12_sigalgs_len; | ||
| 71 | |||
| 69 | const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg); | 72 | const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg); |
| 70 | const EVP_MD * ssl_sigalg_md(uint16_t sigalg); | 73 | const EVP_MD * ssl_sigalg_md(uint16_t sigalg); |
| 71 | uint16_t ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md); | 74 | uint16_t ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md); |
| 72 | int ssl_sigalgs_build(CBB *cbb); | 75 | int ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len); |
| 73 | int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk); | 76 | int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk); |
| 74 | 77 | ||
| 75 | __END_HIDDEN_DECLS | 78 | __END_HIDDEN_DECLS |
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 0d82271325..59d560d06d 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_srvr.c,v 1.52 2018/11/09 00:34:55 beck Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.53 2018/11/09 05:02:53 beck Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1635,7 +1635,7 @@ ssl3_send_certificate_request(SSL *s) | |||
| 1635 | if (SSL_USE_SIGALGS(s)) { | 1635 | if (SSL_USE_SIGALGS(s)) { |
| 1636 | if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs)) | 1636 | if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs)) |
| 1637 | goto err; | 1637 | goto err; |
| 1638 | if (!ssl_sigalgs_build(&sigalgs)) | 1638 | if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len)) |
| 1639 | goto err; | 1639 | goto err; |
| 1640 | } | 1640 | } |
| 1641 | 1641 | ||
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index dc844998a3..755bbff795 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.25 2018/11/09 00:34:55 beck Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.26 2018/11/09 05:02:53 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -534,7 +534,7 @@ tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb) | |||
| 534 | if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) | 534 | if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) |
| 535 | return 0; | 535 | return 0; |
| 536 | 536 | ||
| 537 | if (!ssl_sigalgs_build(&sigalgs)) | 537 | if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len)) |
| 538 | return 0; | 538 | return 0; |
| 539 | 539 | ||
| 540 | if (!CBB_flush(cbb)) | 540 | if (!CBB_flush(cbb)) |