authorbeck <>2018-11-09 00:34:55 +0000
committerbeck <>2018-11-09 00:34:55 +0000
commit9d5673aba64ae0ef2a3cf86dfa9793d394a7cd6c (patch)
tree931f6037636eb2559f997c863050b18ff7fe93ab
parent0a537e488c3eafa2ea0bf8dacdcb4db1769a86f5 (diff)
Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed. ok jsing@ tb@
-rw-r--r--src/lib/libssl/Makefile4
-rw-r--r--src/lib/libssl/ssl_clnt.c31
-rw-r--r--src/lib/libssl/ssl_locl.h8
-rw-r--r--src/lib/libssl/ssl_sigalgs.c218
-rw-r--r--src/lib/libssl/ssl_sigalgs.h69
-rw-r--r--src/lib/libssl/ssl_srvr.c36
-rw-r--r--src/lib/libssl/ssl_tlsext.c11
-rw-r--r--src/lib/libssl/t1_lib.c191
-rw-r--r--src/lib/libssl/tls1.h25
9 files changed, 340 insertions, 253 deletions
diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile
index 3969b453a5..17f73a8c4f 100644
--- a/src/lib/libssl/Makefile
+++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.42 2018/11/08 23:54:59 tb Exp $ 1# $OpenBSD: Makefile,v 1.43 2018/11/09 00:34:55 beck Exp $
2 2
3.include <bsd.own.mk> 3.include <bsd.own.mk>
4.ifndef NOMAN 4.ifndef NOMAN
@@ -34,7 +34,7 @@ SRCS= \
34 ssl_asn1.c ssl_txt.c ssl_algs.c \ 34 ssl_asn1.c ssl_txt.c ssl_algs.c \
35 bio_ssl.c ssl_err.c ssl_methods.c \ 35 bio_ssl.c ssl_err.c ssl_methods.c \
36 ssl_packet.c ssl_tlsext.c ssl_versions.c pqueue.c ssl_init.c \ 36 ssl_packet.c ssl_tlsext.c ssl_versions.c pqueue.c ssl_init.c \
37 tls13_handshake.c tls13_key_schedule.c 37 tls13_handshake.c tls13_key_schedule.c ssl_sigalgs.c
38SRCS+= s3_cbc.c 38SRCS+= s3_cbc.c
39SRCS+= bs_ber.c bs_cbb.c bs_cbs.c 39SRCS+= bs_ber.c bs_cbb.c bs_cbs.c
40 40
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index c2aa7e8190..f1b3d40e7c 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.37 2018/11/08 22:28:52 jsing Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.38 2018/11/09 00:34:55 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -170,6 +170,7 @@
170#endif 170#endif
171 171
172#include "bytestring.h" 172#include "bytestring.h"
173#include "ssl_sigalgs.h"
173#include "ssl_tlsext.h" 174#include "ssl_tlsext.h"
174 175
175static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); 176static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
@@ -1431,9 +1432,8 @@ ssl3_get_server_key_exchange(SSL *s)
1431 EVP_PKEY *pkey = NULL; 1432 EVP_PKEY *pkey = NULL;
1432 EVP_MD_CTX md_ctx; 1433 EVP_MD_CTX md_ctx;
1433 const unsigned char *param; 1434 const unsigned char *param;
1434 uint8_t hash_id, sig_id;
1435 long n, alg_k, alg_a; 1435 long n, alg_k, alg_a;
1436 int al, ok, sigalg; 1436 int al, ok;
1437 size_t param_len; 1437 size_t param_len;
1438 1438
1439 EVP_MD_CTX_init(&md_ctx); 1439 EVP_MD_CTX_init(&md_ctx);
@@ -1506,24 +1506,16 @@ ssl3_get_server_key_exchange(SSL *s)
1506 /* if it was signed, check the signature */ 1506 /* if it was signed, check the signature */
1507 if (pkey != NULL) { 1507 if (pkey != NULL) {
1508 if (SSL_USE_SIGALGS(s)) { 1508 if (SSL_USE_SIGALGS(s)) {
1509 if (!CBS_get_u8(&cbs, &hash_id)) 1509 uint16_t sigalg;
1510 goto truncated;
1511 if (!CBS_get_u8(&cbs, &sig_id))
1512 goto truncated;
1513 1510
1514 if ((md = tls12_get_hash(hash_id)) == NULL) { 1511 if (!CBS_get_u16(&cbs, &sigalg))
1512 goto truncated;
1513 if ((md = ssl_sigalg_md(sigalg)) == NULL) {
1515 SSLerror(s, SSL_R_UNKNOWN_DIGEST); 1514 SSLerror(s, SSL_R_UNKNOWN_DIGEST);
1516 al = SSL_AD_DECODE_ERROR; 1515 al = SSL_AD_DECODE_ERROR;
1517 goto f_err; 1516 goto f_err;
1518 } 1517 }
1519 1518 if (!ssl_sigalg_pkey_check(sigalg, pkey)) {
1520 /* Check key type is consistent with signature. */
1521 if ((sigalg = tls12_get_sigid(pkey)) == -1) {
1522 /* Should never happen */
1523 SSLerror(s, ERR_R_INTERNAL_ERROR);
1524 goto err;
1525 }
1526 if (sigalg != sig_id) {
1527 SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); 1519 SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
1528 al = SSL_AD_DECODE_ERROR; 1520 al = SSL_AD_DECODE_ERROR;
1529 goto f_err; 1521 goto f_err;
@@ -2409,10 +2401,13 @@ ssl3_send_client_verify(SSL *s)
2409 * using agreed digest and cached handshake records. 2401 * using agreed digest and cached handshake records.
2410 */ 2402 */
2411 if (SSL_USE_SIGALGS(s)) { 2403 if (SSL_USE_SIGALGS(s)) {
2412 md = s->cert->key->digest; 2404 uint16_t sigalg;
2413 2405
2406 md = s->cert->key->digest;
2414 if (!tls1_transcript_data(s, &hdata, &hdatalen) || 2407 if (!tls1_transcript_data(s, &hdata, &hdatalen) ||
2415 !tls12_get_hashandsig(&cert_verify, pkey, md)) { 2408 (sigalg = ssl_sigalg_value(pkey, md)) ==
2409 SIGALG_NONE ||
2410 !CBB_add_u16(&cert_verify, sigalg)) {
2416 SSLerror(s, ERR_R_INTERNAL_ERROR); 2411 SSLerror(s, ERR_R_INTERNAL_ERROR);
2417 goto err; 2412 goto err;
2418 } 2413 }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 3b08f8c772..8567c51c67 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.222 2018/11/08 22:28:52 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.223 2018/11/09 00:34:55 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1286,15 +1286,9 @@ int ssl_check_serverhello_tlsext(SSL *s);
1286#define tlsext_tick_md EVP_sha256 1286#define tlsext_tick_md EVP_sha256
1287int tls1_process_ticket(SSL *s, const unsigned char *session_id, 1287int tls1_process_ticket(SSL *s, const unsigned char *session_id,
1288 int session_id_len, CBS *ext_block, SSL_SESSION **ret); 1288 int session_id_len, CBS *ext_block, SSL_SESSION **ret);
1289int tls12_get_hashid(const EVP_MD *md);
1290int tls12_get_sigid(const EVP_PKEY *pk);
1291int tls12_get_hashandsig(CBB *cbb, const EVP_PKEY *pk, const EVP_MD *md);
1292const EVP_MD *tls12_get_hash(unsigned char hash_alg);
1293 1289
1294long ssl_get_algorithm2(SSL *s); 1290long ssl_get_algorithm2(SSL *s);
1295int tls1_process_sigalgs(SSL *s, CBS *cbs); 1291int tls1_process_sigalgs(SSL *s, CBS *cbs);
1296void tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs,
1297 size_t *sigalgs_len);
1298 1292
1299int tls1_check_ec_server_key(SSL *s); 1293int tls1_check_ec_server_key(SSL *s);
1300 1294
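--- /dev/null
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -0,0 +1,218 @@
+/* $OpenBSD: ssl_sigalgs.c,v 1.1 2018/11/09 00:34:55 beck Exp $ */
+/*
+ * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <string.h>
+#include <stdlib.h>
+
+#include <openssl/evp.h>
+
+#include "bytestring.h"
+#include "ssl_locl.h"
+#include "ssl_sigalgs.h"
+#include "tls13_internal.h"
+
+/* This table must be kept in preference order for now */
+const struct ssl_sigalg sigalgs[] = {
+ {
+ .value = SIGALG_RSA_PKCS1_SHA512,
+ .md = EVP_sha512,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ },
+ {
+ .value = SIGALG_ECDSA_SECP512R1_SHA512,
+ .md = EVP_sha512,
+ .key_type = EVP_PKEY_EC,
+ .pkey_idx = SSL_PKEY_ECC,
+ },
+#ifndef OPENSSL_NO_GOST
+ {
+ .value = SIGALG_GOSTR12_512_STREEBOG_512,
+ .md = EVP_streebog512,
+ .key_type = EVP_PKEY_GOSTR12_512,
+ .pkey_idx = SSL_PKEY_GOST01, /* XXX */
+ },
+#endif
+ {
+ .value = SIGALG_RSA_PKCS1_SHA384,
+ .md = EVP_sha384,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ },
+ {
+ .value = SIGALG_ECDSA_SECP384R1_SHA384,
+ .md = EVP_sha384,
+ .key_type = EVP_PKEY_EC,
+ .pkey_idx = SSL_PKEY_ECC,
+ },
+ {
+ .value = SIGALG_RSA_PKCS1_SHA256,
+ .md = EVP_sha256,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ },
+ {
+ .value = SIGALG_ECDSA_SECP256R1_SHA256,
+ .md = EVP_sha256,
+ .key_type = EVP_PKEY_EC,
+ .pkey_idx = SSL_PKEY_ECC,
+ },
+#ifndef OPENSSL_NO_GOST
+ {
+ .value = SIGALG_GOSTR12_256_STREEBOG_256,
+ .md = EVP_streebog256,
+ .key_type = EVP_PKEY_GOSTR12_256,
+ .pkey_idx = SSL_PKEY_GOST01, /* XXX */
+ },
+ {
+ .value = SIGALG_GOSTR01_GOST94,
+ .md = EVP_gostr341194,
+ .key_type = EVP_PKEY_GOSTR01,
+ .pkey_idx = SSL_PKEY_GOST01,
+ },
+#endif
+#ifdef LIBRESSL_HAS_TLS1_3
+ {
+ .value = SIGALG_RSA_PSS_RSAE_SHA256,
+ .md = EVP_sha256,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ .flags = SIGALG_FLAG_RSA_PSS,
+ },
+ {
+ .value = SIGALG_RSA_PSS_RSAE_SHA384,
+ .md = EVP_sha384,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ .flags = SIGALG_FLAG_RSA_PSS,
+ },
+ {
+ .value = SIGALG_RSA_PSS_RSAE_SHA512,
+ .md = EVP_sha512,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ .flags = SIGALG_FLAG_RSA_PSS,
+ },
+ {
+ .value = SIGALG_RSA_PSS_PSS_SHA256,
+ .md = EVP_sha256,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ .flags = SIGALG_FLAG_RSA_PSS,
+ },
+ {
+ .value = SIGALG_RSA_PSS_PSS_SHA384,
+ .md = EVP_sha384,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ .flags = SIGALG_FLAG_RSA_PSS,
+ },
+ {
+ .value = SIGALG_RSA_PSS_PSS_SHA512,
+ .md = EVP_sha512,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ .flags = SIGALG_FLAG_RSA_PSS,
+ },
+#endif
+ {
+ .value = SIGALG_RSA_PKCS1_SHA224,
+ .md = EVP_sha224,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ },
+ {
+ .value = SIGALG_ECDSA_SECP224R1_SHA224,
+ .md = EVP_sha224,
+ .key_type = EVP_PKEY_EC,
+ .pkey_idx = SSL_PKEY_ECC,
+ },
+ {
+ .value = SIGALG_RSA_PKCS1_SHA1,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ .md = EVP_sha1,
+ },
+ {
+ .value = SIGALG_ECDSA_SHA1,
+ .key_type = EVP_PKEY_EC,
+ .md = EVP_sha1,
+ .pkey_idx = SSL_PKEY_ECC,
+ },
+ {
+ .value = SIGALG_NONE,
+ },
+};
+
+const struct ssl_sigalg *
+ssl_sigalg_lookup(uint16_t sigalg)
+{
+ int i;
+
+ for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
+ if (sigalgs[i].value == sigalg)
+ return &sigalgs[i];
+ }
+
+ return NULL;
+}
+
+const EVP_MD *
+ssl_sigalg_md(uint16_t sigalg)
+{
+ const struct ssl_sigalg *sap;
+
+ if ((sap = ssl_sigalg_lookup(sigalg)) != NULL)
+ return sap->md();
+
+ return NULL;
+}
+
+int
+ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk)
+{
+ const struct ssl_sigalg *sap;
+
+ if ((sap = ssl_sigalg_lookup(sigalg)) != NULL)
+ return sap->key_type == pk->type;
+
+ return 0;
+}
+
+uint16_t
+ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md)
+{
+ int i;
+
+ for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
+ if ((sigalgs[i].key_type == pk->type) &&
+ ((sigalgs[i].md() == md)))
+ return sigalgs[i].value;
+ }
+ return SIGALG_NONE;
+}
+
+int
+ssl_sigalgs_build(CBB *cbb)
+{
+ int i;
+
+ for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
+ if (!CBB_add_u16(cbb, sigalgs[i].value))
+ return 0;
+ }
+ return 1;
+}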
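Review bot: The table `sigalgs` at line 28 has external linkage under a very generic name and is not declared in ssl_sigalgs.h; nothing else in this commit references it directly, so it should read `static const struct ssl_sigalg sigalgs[] = {` (or be declared in the header if another translation unit is meant to use it). Relatedly, `ssl_sigalg_pkey_check()` takes `EVP_PKEY *pk` while `ssl_sigalg_value()` takes `const EVP_PKEY *pk`; both only read `pk->type`, so the former should be `int ssl_sigalg_pkey_check(uint16_t sigalg, const EVP_PKEY *pk)` with the prototype in ssl_sigalgs.h updated to match. Neither function guards against a NULL `pk`; the callers in this commit check `pkey != NULL` first, but a one-line comment above each stating that precondition would make the contract explicit. The `md` comparison in `ssl_sigalg_value()` relies on EVP_sha*() returning the same pointer on every call, which is true for these built-in digests but worth a short comment since it is what makes `==` correct here.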
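--- /dev/null
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -0,0 +1,69 @@
+/* $OpenBSD: ssl_sigalgs.h,v 1.1 2018/11/09 00:34:55 beck Exp $ */
+/*
+ * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#define SIGALG_NONE 0x0000
+
+/*
+ * RFC 8446 Section 4.2.3
+ * RFC 5246 Section 7.4.1.4.1
+ */
+#define SIGALG_RSA_PKCS1_SHA224 0x0301
+#define SIGALG_RSA_PKCS1_SHA256 0x0401
+#define SIGALG_RSA_PKCS1_SHA384 0x0501
+#define SIGALG_RSA_PKCS1_SHA512 0x0601
+#define SIGALG_ECDSA_SECP224R1_SHA224 0x0303
+#define SIGALG_ECDSA_SECP256R1_SHA256 0x0403
+#define SIGALG_ECDSA_SECP384R1_SHA384 0x0503
+#define SIGALG_ECDSA_SECP512R1_SHA512 0x0603
+#define SIGALG_RSA_PSS_RSAE_SHA256 0x0804
+#define SIGALG_RSA_PSS_RSAE_SHA384 0x0805
+#define SIGALG_RSA_PSS_RSAE_SHA512 0x0806
+#define SIGALG_ED25519 0x0807
+#define SIGALG_ED448 0x0808
+#define SIGALG_RSA_PSS_PSS_SHA256 0x0809
+#define SIGALG_RSA_PSS_PSS_SHA384 0x080a
+#define SIGALG_RSA_PSS_PSS_SHA512 0x080b
+#define SIGALG_RSA_PKCS1_SHA1 0x0201
+#define SIGALG_ECDSA_SHA1 0x0203
+#define SIGALG_PRIVATE_START 0xFE00
+#define SIGALG_PRIVATE_END 0xFFFF
+
+/*
+ * If Russia can elect the US President, surely
+ * IANA could fix this problem.
+ */
+#define SIGALG_GOSTR12_512_STREEBOG_512 0xEFEF
+#define SIGALG_GOSTR12_256_STREEBOG_256 0xEEEE
+#define SIGALG_GOSTR01_GOST94 0xEDED
+
+#define SIGALG_FLAG_RSA_PSS 0x00000001
+
+struct ssl_sigalg{
+ uint16_t value;
+ const EVP_MD *(*md)(void);
+ int key_type;
+ int pkey_idx; /* XXX get rid of this eventually */
+ int curve_nid;
+ int flags;
+};
+
+const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
+const EVP_MD * ssl_sigalg_md(uint16_t sigalg);
+uint16_t ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md);
+int ssl_sigalgs_build(CBB *cbb);
+int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk);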
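Review bot: The new header has no include guard and does not include what it uses — `uint16_t`, `EVP_MD`, `EVP_PKEY` and `CBB` all have to come from headers the includer pulled in earlier, and every includer in this commit does include bytestring.h first, so the dependency is never exercised on its own. Wrap the body in a guard such as `#ifndef HEADER_SSL_SIGALGS_H` / `#define HEADER_SSL_SIGALGS_H` … `#endif` and add `#include <stdint.h>`, `#include <openssl/evp.h>` and `#include "bytestring.h"` at the top. The `curve_nid` member of `struct ssl_sigalg` is neither initialised by the table in ssl_sigalgs.c nor read anywhere in this commit; a comment saying what it is reserved for (like the `/* XXX */` already on `pkey_idx`) would save the next reader a search. Minor: `struct ssl_sigalg{` and `const EVP_MD * ssl_sigalg_md` do not follow the spacing used in the rest of libssl (`struct ssl_sigalg {`, `const EVP_MD *ssl_sigalg_md`).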
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index af9152d3de..0d82271325 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.51 2018/11/08 22:28:52 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.52 2018/11/09 00:34:55 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -166,6 +166,7 @@
166#include <openssl/x509.h> 166#include <openssl/x509.h>
167 167
168#include "bytestring.h" 168#include "bytestring.h"
169#include "ssl_sigalgs.h"
169#include "ssl_tlsext.h" 170#include "ssl_tlsext.h"
170 171
171int 172int
@@ -1545,7 +1546,10 @@ ssl3_send_server_key_exchange(SSL *s)
1545 1546
1546 /* Send signature algorithm. */ 1547 /* Send signature algorithm. */
1547 if (SSL_USE_SIGALGS(s)) { 1548 if (SSL_USE_SIGALGS(s)) {
1548 if (!tls12_get_hashandsig(&server_kex, pkey, md)) { 1549 uint16_t sigalg;
1550 if ((sigalg = ssl_sigalg_value(pkey, md)) ==
1551 SIGALG_NONE ||
1552 !CBB_add_u16(&server_kex, sigalg)) {
1549 /* Should never happen */ 1553 /* Should never happen */
1550 al = SSL_AD_INTERNAL_ERROR; 1554 al = SSL_AD_INTERNAL_ERROR;
1551 SSLerror(s, ERR_R_INTERNAL_ERROR); 1555 SSLerror(s, ERR_R_INTERNAL_ERROR);
@@ -1629,14 +1633,9 @@ ssl3_send_certificate_request(SSL *s)
1629 goto err; 1633 goto err;
1630 1634
1631 if (SSL_USE_SIGALGS(s)) { 1635 if (SSL_USE_SIGALGS(s)) {
1632 unsigned char *sigalgs_data;
1633 size_t sigalgs_len;
1634
1635 tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len);
1636
1637 if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs)) 1636 if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs))
1638 goto err; 1637 goto err;
1639 if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len)) 1638 if (!ssl_sigalgs_build(&sigalgs))
1640 goto err; 1639 goto err;
1641 } 1640 }
1642 1641
@@ -2089,8 +2088,7 @@ ssl3_get_cert_verify(SSL *s)
2089 EVP_PKEY *pkey = NULL; 2088 EVP_PKEY *pkey = NULL;
2090 X509 *peer = NULL; 2089 X509 *peer = NULL;
2091 EVP_MD_CTX mctx; 2090 EVP_MD_CTX mctx;
2092 uint8_t hash_id, sig_id; 2091 int al, ok, verify;
2093 int al, ok, sigalg, verify;
2094 const unsigned char *hdata; 2092 const unsigned char *hdata;
2095 size_t hdatalen; 2093 size_t hdatalen;
2096 int type = 0; 2094 int type = 0;
@@ -2157,24 +2155,16 @@ ssl3_get_cert_verify(SSL *s)
2157 goto err; 2155 goto err;
2158 } else { 2156 } else {
2159 if (SSL_USE_SIGALGS(s)) { 2157 if (SSL_USE_SIGALGS(s)) {
2160 if (!CBS_get_u8(&cbs, &hash_id)) 2158 uint16_t sigalg;
2161 goto truncated;
2162 if (!CBS_get_u8(&cbs, &sig_id))
2163 goto truncated;
2164 2159
2165 if ((md = tls12_get_hash(hash_id)) == NULL) { 2160 if (!CBS_get_u16(&cbs, &sigalg))
2161 goto truncated;
2162 if ((md = ssl_sigalg_md(sigalg)) == NULL) {
2166 SSLerror(s, SSL_R_UNKNOWN_DIGEST); 2163 SSLerror(s, SSL_R_UNKNOWN_DIGEST);
2167 al = SSL_AD_DECODE_ERROR; 2164 al = SSL_AD_DECODE_ERROR;
2168 goto f_err; 2165 goto f_err;
2169 } 2166 }
2170 2167 if (!ssl_sigalg_pkey_check(sigalg, pkey)) {
2171 /* Check key type is consistent with signature. */
2172 if ((sigalg = tls12_get_sigid(pkey)) == -1) {
2173 /* Should never happen */
2174 SSLerror(s, ERR_R_INTERNAL_ERROR);
2175 goto err;
2176 }
2177 if (sigalg != sig_id) {
2178 SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); 2168 SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
2179 al = SSL_AD_DECODE_ERROR; 2169 al = SSL_AD_DECODE_ERROR;
2180 goto f_err; 2170 goto f_err;
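Review bot: In the ssl3_send_server_key_exchange hunk the comment `/* Should never happen */` now also covers the `!CBB_add_u16(&server_kex, sigalg)` failure, which is an ordinary allocation failure rather than an impossible condition, so the comment is misleading; either move it to the SIGALG_NONE test alone or split the two conditions into separate `if` statements with their own error paths. Cosmetically, the `uint16_t sigalg;` declaration at 1549 runs straight into the `if`, whereas the equivalent block in ssl_clnt.c separates the declaration from the code with a blank line. ssl3_send_server_key_exchange starts and ends outside the hunk.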
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index f64d215799..dc844998a3 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.24 2018/11/05 20:41:30 jsing Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.25 2018/11/09 00:34:55 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -22,6 +22,7 @@
22 22
23#include "bytestring.h" 23#include "bytestring.h"
24#include "ssl_tlsext.h" 24#include "ssl_tlsext.h"
25#include "ssl_sigalgs.h"
25 26
26/* 27/*
27 * Supported Application-Layer Protocol Negotiation - RFC 7301 28 * Supported Application-Layer Protocol Negotiation - RFC 7301
@@ -528,16 +529,14 @@ tlsext_sigalgs_clienthello_needs(SSL *s)
528int 529int
529tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb) 530tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb)
530{ 531{
531 unsigned char *sigalgs_data;
532 size_t sigalgs_len;
533 CBB sigalgs; 532 CBB sigalgs;
534 533
535 tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len);
536
537 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 534 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
538 return 0; 535 return 0;
539 if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len)) 536
537 if (!ssl_sigalgs_build(&sigalgs))
540 return 0; 538 return 0;
539
541 if (!CBB_flush(cbb)) 540 if (!CBB_flush(cbb))
542 return 0; 541 return 0;
543 542
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 1cb0cfb453..1fc433cca1 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.148 2018/11/08 20:55:18 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.149 2018/11/09 00:34:55 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -119,6 +119,7 @@
119#include "ssl_locl.h" 119#include "ssl_locl.h"
120 120
121#include "bytestring.h" 121#include "bytestring.h"
122#include "ssl_sigalgs.h"
122#include "ssl_tlsext.h" 123#include "ssl_tlsext.h"
123 124
124static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 125static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
@@ -604,43 +605,6 @@ tls1_check_ec_server_key(SSL *s)
604 return tls1_check_ec_key(s, &curve_id, &comp_id); 605 return tls1_check_ec_key(s, &curve_id, &comp_id);
605} 606}
606 607
607/*
608 * List of supported signature algorithms and hashes. Should make this
609 * customisable at some point, for now include everything we support.
610 */
611
612static unsigned char tls12_sigalgs[] = {
613 TLSEXT_hash_sha512, TLSEXT_signature_rsa,
614 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
615#ifndef OPENSSL_NO_GOST
616 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
617#endif
618
619 TLSEXT_hash_sha384, TLSEXT_signature_rsa,
620 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
621
622 TLSEXT_hash_sha256, TLSEXT_signature_rsa,
623 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
624
625#ifndef OPENSSL_NO_GOST
626 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256,
627 TLSEXT_hash_gost94, TLSEXT_signature_gostr01,
628#endif
629
630 TLSEXT_hash_sha224, TLSEXT_signature_rsa,
631 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
632
633 TLSEXT_hash_sha1, TLSEXT_signature_rsa,
634 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
635};
636
637void
638tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs, size_t *sigalgs_len)
639{
640 *sigalgs = tls12_sigalgs;
641 *sigalgs_len = sizeof(tls12_sigalgs);
642}
643
644int 608int
645ssl_check_clienthello_tlsext_early(SSL *s) 609ssl_check_clienthello_tlsext_early(SSL *s)
646{ 610{
@@ -1036,115 +1000,11 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1036 return 2; 1000 return 2;
1037} 1001}
1038 1002
1039/* Tables to translate from NIDs to TLS v1.2 ids */
1040
1041typedef struct {
1042 int nid;
1043 int id;
1044} tls12_lookup;
1045
1046static tls12_lookup tls12_md[] = {
1047 {NID_md5, TLSEXT_hash_md5},
1048 {NID_sha1, TLSEXT_hash_sha1},
1049 {NID_sha224, TLSEXT_hash_sha224},
1050 {NID_sha256, TLSEXT_hash_sha256},
1051 {NID_sha384, TLSEXT_hash_sha384},
1052 {NID_sha512, TLSEXT_hash_sha512},
1053 {NID_id_GostR3411_94, TLSEXT_hash_gost94},
1054 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256},
1055 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512}
1056};
1057
1058static tls12_lookup tls12_sig[] = {
1059 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
1060 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
1061 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
1062};
1063
1064static int
1065tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
1066{
1067 size_t i;
1068 for (i = 0; i < tlen; i++) {
1069 if (table[i].nid == nid)
1070 return table[i].id;
1071 }
1072 return -1;
1073}
1074
1075int
1076tls12_get_hashid(const EVP_MD *md)
1077{
1078 if (md == NULL)
1079 return -1;
1080
1081 return tls12_find_id(EVP_MD_type(md), tls12_md,
1082 sizeof(tls12_md) / sizeof(tls12_lookup));
1083}
1084
1085int
1086tls12_get_sigid(const EVP_PKEY *pk)
1087{
1088 if (pk == NULL)
1089 return -1;
1090
1091 return tls12_find_id(pk->type, tls12_sig,
1092 sizeof(tls12_sig) / sizeof(tls12_lookup));
1093}
1094
1095int
1096tls12_get_hashandsig(CBB *cbb, const EVP_PKEY *pk, const EVP_MD *md)
1097{
1098 int hash_id, sig_id;
1099
1100 if ((hash_id = tls12_get_hashid(md)) == -1)
1101 return 0;
1102 if ((sig_id = tls12_get_sigid(pk)) == -1)
1103 return 0;
1104
1105 if (!CBB_add_u8(cbb, hash_id))
1106 return 0;
1107 if (!CBB_add_u8(cbb, sig_id))
1108 return 0;
1109
1110 return 1;
1111}
1112
1113const EVP_MD *
1114tls12_get_hash(unsigned char hash_alg)
1115{
1116 switch (hash_alg) {
1117 case TLSEXT_hash_sha1:
1118 return EVP_sha1();
1119 case TLSEXT_hash_sha224:
1120 return EVP_sha224();
1121 case TLSEXT_hash_sha256:
1122 return EVP_sha256();
1123 case TLSEXT_hash_sha384:
1124 return EVP_sha384();
1125 case TLSEXT_hash_sha512:
1126 return EVP_sha512();
1127#ifndef OPENSSL_NO_GOST
1128 case TLSEXT_hash_gost94:
1129 return EVP_gostr341194();
1130 case TLSEXT_hash_streebog_256:
1131 return EVP_streebog256();
1132 case TLSEXT_hash_streebog_512:
1133 return EVP_streebog512();
1134#endif
1135 default:
1136 return NULL;
1137 }
1138}
1139
1140/* Set preferred digest for each key type */ 1003/* Set preferred digest for each key type */
1141
1142int 1004int
1143tls1_process_sigalgs(SSL *s, CBS *cbs) 1005tls1_process_sigalgs(SSL *s, CBS *cbs)
1144{ 1006{
1145 const EVP_MD *md;
1146 CERT *c = s->cert; 1007 CERT *c = s->cert;
1147 int idx;
1148 1008
1149 /* Extension ignored for inappropriate versions */ 1009 /* Extension ignored for inappropriate versions */
1150 if (!SSL_USE_SIGALGS(s)) 1010 if (!SSL_USE_SIGALGS(s))
@@ -1153,53 +1013,38 @@ tls1_process_sigalgs(SSL *s, CBS *cbs)
1153 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 1013 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
1154 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 1014 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
1155 c->pkeys[SSL_PKEY_ECC].digest = NULL; 1015 c->pkeys[SSL_PKEY_ECC].digest = NULL;
1016#ifndef OPENSSL_NO_GOST
1156 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 1017 c->pkeys[SSL_PKEY_GOST01].digest = NULL;
1157 1018#endif
1158 while (CBS_len(cbs) > 0) { 1019 while (CBS_len(cbs) > 0) {
1159 uint8_t hash_alg, sig_alg; 1020 const EVP_MD *md;
1021 uint16_t sig_alg;
1022 const struct ssl_sigalg *sigalg;
1160 1023
1161 if (!CBS_get_u8(cbs, &hash_alg) || !CBS_get_u8(cbs, &sig_alg)) 1024 if (!CBS_get_u16(cbs, &sig_alg))
1162 return 0; 1025 return 0;
1163 1026
1164 switch (sig_alg) { 1027 if ((sigalg = ssl_sigalg_lookup(sig_alg)) != NULL &&
1165 case TLSEXT_signature_rsa: 1028 c->pkeys[sigalg->pkey_idx].digest == NULL) {
1166 idx = SSL_PKEY_RSA_SIGN; 1029 md = sigalg->md();
1167 break; 1030 c->pkeys[sigalg->pkey_idx].digest = md;
1168 case TLSEXT_signature_ecdsa: 1031 if (sigalg->pkey_idx == SSL_PKEY_RSA_SIGN)
1169 idx = SSL_PKEY_ECC; 1032 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
1170 break;
1171 case TLSEXT_signature_gostr01:
1172 case TLSEXT_signature_gostr12_256:
1173 case TLSEXT_signature_gostr12_512:
1174 idx = SSL_PKEY_GOST01;
1175 break;
1176 default:
1177 continue;
1178 } 1033 }
1179
1180 if (c->pkeys[idx].digest == NULL) {
1181 md = tls12_get_hash(hash_alg);
1182 if (md) {
1183 c->pkeys[idx].digest = md;
1184 if (idx == SSL_PKEY_RSA_SIGN)
1185 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
1186 }
1187 }
1188
1189 } 1034 }
1190 1035
1191 /* 1036 /*
1192 * Set any remaining keys to default values. NOTE: if alg is not 1037 * Set any remaining keys to default values. NOTE: if alg is not
1193 * supported it stays as NULL. 1038 * supported it stays as NULL.
1194 */ 1039 */
1195 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 1040 if (c->pkeys[SSL_PKEY_RSA_SIGN].digest == NULL)
1196 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 1041 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
1042 if (c->pkeys[SSL_PKEY_RSA_ENC].digest == NULL)
1197 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 1043 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
1198 } 1044 if (c->pkeys[SSL_PKEY_ECC].digest == NULL)
1199 if (!c->pkeys[SSL_PKEY_ECC].digest)
1200 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 1045 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
1201#ifndef OPENSSL_NO_GOST 1046#ifndef OPENSSL_NO_GOST
1202 if (!c->pkeys[SSL_PKEY_GOST01].digest) 1047 if (c->pkeys[SSL_PKEY_GOST01].digest == NULL)
1203 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 1048 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
1204#endif 1049#endif
1205 return 1; 1050 return 1;
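Review bot: tls1_process_sigalgs still records only the digest of the first matching entry per `pkey_idx` (the condition at 1027-1028), so the sigalg the peer actually offered is lost and ssl3_send_server_key_exchange later reconstructs one with `ssl_sigalg_value(pkey, md)`, which returns the first table entry with that key type and digest. In a LIBRESSL_HAS_TLS1_3 build a peer offering only rsa_pss_rsae_sha256 therefore gets SSL_PKEY_RSA_SIGN's digest set to SHA-256 and is then sent SIGALG_RSA_PKCS1_SHA256, an algorithm it never advertised. Until the selection stores the matched `struct ssl_sigalg *` rather than just its digest, extending the condition with `(sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0` preserves the pre-commit behaviour. The function's prologue and the `SSL_USE_SIGALGS` early return are in the previous hunk.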
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index 603201ad17..c253f6d2c0 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls1.h,v 1.36 2018/11/07 01:53:36 jsing Exp $ */ 1/* $OpenBSD: tls1.h,v 1.37 2018/11/09 00:34:55 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -295,29 +295,6 @@ extern "C" {
295#define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 2 295#define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 2
296#define TLSEXT_ECPOINTFORMAT_last 2 296#define TLSEXT_ECPOINTFORMAT_last 2
297 297
298/* Signature and hash algorithms from RFC 5246. */
299
300#define TLSEXT_signature_anonymous 0
301#define TLSEXT_signature_rsa 1
302#define TLSEXT_signature_dsa 2
303#define TLSEXT_signature_ecdsa 3
304/* FIXME IANA */
305#define TLSEXT_signature_gostr01 237
306#define TLSEXT_signature_gostr12_256 238
307#define TLSEXT_signature_gostr12_512 239
308
309#define TLSEXT_hash_none 0
310#define TLSEXT_hash_md5 1
311#define TLSEXT_hash_sha1 2
312#define TLSEXT_hash_sha224 3
313#define TLSEXT_hash_sha256 4
314#define TLSEXT_hash_sha384 5
315#define TLSEXT_hash_sha512 6
316/* FIXME IANA */
317#define TLSEXT_hash_gost94 237
318#define TLSEXT_hash_streebog_256 238
319#define TLSEXT_hash_streebog_512 239
320
321#define TLSEXT_MAXLEN_host_name 255 298#define TLSEXT_MAXLEN_host_name 255
322 299
323const char *SSL_get_servername(const SSL *s, const int type); 300const char *SSL_get_servername(const SSL *s, const int type);