authorbeck <>2018-11-16 02:41:16 +0000
committerbeck <>2018-11-16 02:41:16 +0000
commitbc7f7090db96e35bfcf73da923be89cb0b15c0e9 (patch)
tree81fc6ce79f085ec2150e52ecdda69a90efe41c22
parentb48e8a19a37f8c20a0c41e40ccd93d4e06600fb8 (diff)
Unbreak legacy ciphers for versions prior to 1.1 by having a legacy
sigalg for MD5_SHA1 and using it as the non-sigalgs default. ok jsing@
-rw-r--r--src/lib/libssl/ssl_cert.c8
-rw-r--r--src/lib/libssl/ssl_clnt.c4
-rw-r--r--src/lib/libssl/ssl_sigalgs.c15
-rw-r--r--src/lib/libssl/ssl_sigalgs.h5
4 files changed, 22 insertions, 10 deletions
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 30bb74508d..e78335c5bb 100644
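--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.70 2018/11/10 01:19:09 beck Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.71 2018/11/16 02:41:16 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -161,11 +161,11 @@ SSL_get_ex_data_X509_STORE_CTX_idx(void)
 static void
 ssl_cert_set_default_sigalgs(CERT *cert)
 {
- /* Set digest values to defaults */
+ /* Set digest values to legacy defaults */
  cert->pkeys[SSL_PKEY_RSA_SIGN].sigalg =
- ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
+ ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
  cert->pkeys[SSL_PKEY_RSA_ENC].sigalg =
- ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
+ ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
  cert->pkeys[SSL_PKEY_ECC].sigalg =
  ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
 #ifndef OPENSSL_NO_GOST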
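Review bot: `ssl_cert_set_default_sigalgs()` now makes MD5+SHA1 the RSA default for both `SSL_PKEY_RSA_SIGN` and `SSL_PKEY_RSA_ENC` without looking at the protocol version. That matches TLS 1.0/1.1, but for a TLS 1.2 peer that omits the signature_algorithms extension RFC 5246 section 7.4.1.4.1 says SHA-1 is to be assumed. Whether this default is ever consulted at TLS 1.2 is not visible here, so either choose the default by negotiated version where it is used, or state the restriction in the comment, e.g. `/* Legacy defaults for TLS < 1.2 only; must not be used once TLS 1.2 is negotiated */`. The function body continues past the end of the hunk.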
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 2094417994..2f9724f99f 100644
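--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.44 2018/11/11 21:54:47 beck Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.45 2018/11/16 02:41:16 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1533,7 +1533,7 @@ ssl3_get_server_key_exchange(SSL *s)
  goto f_err;
  }
  } else if (pkey->type == EVP_PKEY_RSA) {
- sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
+ sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
  } else if (pkey->type == EVP_PKEY_EC) {
  sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
  } else {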
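Review bot: Nothing in this hunk shows that the RSA fallback in `ssl3_get_server_key_exchange()` is reached only below TLS 1.2, and it now verifies the ServerKeyExchange signature with MD5+SHA1. The condition guarding this `else if` chain sits above the hunk; if it is the non-sigalgs path, a comment above the lookup would pin that invariant, e.g. `/* TLS < 1.2: RSA signature is over MD5 || SHA1 */`. The return value of `ssl_sigalg_lookup()` is also not checked within the visible lines, so it is worth confirming that a NULL result is handled before `sigalg` is used.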
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 835c40e74e..a6b4251d70 100644
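--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.10 2018/11/14 02:27:15 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.11 2018/11/16 02:41:16 beck Exp $ */
 /*
  * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
  *
@@ -153,6 +153,12 @@ const struct ssl_sigalg sigalgs[] = {
  .pkey_idx = SSL_PKEY_ECC,
  },
  {
+ .value = SIGALG_RSA_PKCS1_MD5_SHA1,
+ .key_type = EVP_PKEY_RSA,
+ .pkey_idx = SSL_PKEY_RSA_SIGN,
+ .md = EVP_md5_sha1,
+ },
+ {
  .value = SIGALG_NONE,
  },
 };
@@ -209,7 +215,6 @@ ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len)
 int
 ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len)
 {
- const struct ssl_sigalg *sap;
  size_t i;
 
  for (i = 0; sigalgs[i].value != SIGALG_NONE; i++);
@@ -220,7 +225,11 @@ ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len)
 
  /* Add values in order as long as they are supported. */
  for (i = 0; i < len; i++) {
- if ((sap = ssl_sigalg_lookup(values[i])) != NULL) {
+ /* Do not allow the legacy value for < 1.2 to be used */
+ if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
+ return 0;
+
+ if (ssl_sigalg_lookup(values[i]) != NULL) {
  if (!CBB_add_u16(cbb, values[i]))
  return 0;
  } else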
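Review bot: The new guard in `ssl_sigalgs_build()` covers only the outgoing list, while the added `sigalgs[]` entry makes `ssl_sigalg_lookup()` succeed for `SIGALG_RSA_PKCS1_MD5_SHA1` everywhere. The code that takes a sigalg value from the peer is outside these hunks; if any of it calls `ssl_sigalg_lookup()` without first checking the value against the configured list, a TLS 1.2 peer could get MD5+SHA1 accepted by sending that private-use code point. Those paths should carry the same `if (sigalg == SIGALG_RSA_PKCS1_MD5_SHA1)` rejection ahead of the lookup. The early `return 0` also makes a caller-supplied list containing the legacy value fail the whole build, which deserves a word in the comment, e.g. `/* Internal legacy value must never be advertised; treat it as a caller error */`.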
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index 1bce6e8ee3..5ae595835b 100644
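--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.7 2018/11/11 21:54:47 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.8 2018/11/16 02:41:16 beck Exp $ */
 /*
  * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
  *
@@ -55,6 +55,9 @@ __BEGIN_HIDDEN_DECLS
 #define SIGALG_GOSTR12_256_STREEBOG_256 0xEEEE
 #define SIGALG_GOSTR01_GOST94 0xEDED
 
+/* Legacy sigalg for < 1.2 same value as boring uses*/
+#define SIGALG_RSA_PKCS1_MD5_SHA1 0xFF01
+
 #define SIGALG_FLAG_RSA_PSS 0x00000001
 
 struct ssl_sigalg{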
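Review bot: The comment on `SIGALG_RSA_PKCS1_MD5_SHA1` does not say that 0xFF01 is an internal marker rather than a negotiable signature algorithm, which is the property the rest of the change relies on. Suggested wording: `/* Internal-only sigalg for RSA with MD5+SHA1 (TLS < 1.2); never sent on the wire. Same value BoringSSL uses. */`.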