From 9d5673aba64ae0ef2a3cf86dfa9793d394a7cd6c Mon Sep 17 00:00:00 2001 From: beck <> Date: Fri, 9 Nov 2018 00:34:55 +0000 Subject: Reimplement the sigalgs processing code into a new implementation that will be usable with TLS 1.3 with less eye bleed. ok jsing@ tb@ --- src/lib/libssl/Makefile | 4 +- src/lib/libssl/ssl_clnt.c | 31 +++--- src/lib/libssl/ssl_locl.h | 8 +- src/lib/libssl/ssl_sigalgs.c | 218 +++++++++++++++++++++++++++++++++++++++++++ src/lib/libssl/ssl_sigalgs.h | 69 ++++++++++++++ src/lib/libssl/ssl_srvr.c | 36 +++---- src/lib/libssl/ssl_tlsext.c | 11 +-- src/lib/libssl/t1_lib.c | 191 ++++--------------------------------- src/lib/libssl/tls1.h | 25 +---- 9 files changed, 340 insertions(+), 253 deletions(-) create mode 100644 src/lib/libssl/ssl_sigalgs.c create mode 100644 src/lib/libssl/ssl_sigalgs.h diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile index 3969b453a5..17f73a8c4f 100644 --- a/src/lib/libssl/Makefile +++ b/src/lib/libssl/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.42 2018/11/08 23:54:59 tb Exp $ +# $OpenBSD: Makefile,v 1.43 2018/11/09 00:34:55 beck Exp $ .include .ifndef NOMAN @@ -34,7 +34,7 @@ SRCS= \ ssl_asn1.c ssl_txt.c ssl_algs.c \ bio_ssl.c ssl_err.c ssl_methods.c \ ssl_packet.c ssl_tlsext.c ssl_versions.c pqueue.c ssl_init.c \ - tls13_handshake.c tls13_key_schedule.c + tls13_handshake.c tls13_key_schedule.c ssl_sigalgs.c SRCS+= s3_cbc.c SRCS+= bs_ber.c bs_cbb.c bs_cbs.c diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index c2aa7e8190..f1b3d40e7c 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.37 2018/11/08 22:28:52 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.38 2018/11/09 00:34:55 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -170,6 +170,7 @@ #endif #include "bytestring.h" +#include "ssl_sigalgs.h" #include "ssl_tlsext.h" static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); @@ -1431,9 +1432,8 @@ ssl3_get_server_key_exchange(SSL *s) EVP_PKEY *pkey = NULL; EVP_MD_CTX md_ctx; const unsigned char *param; - uint8_t hash_id, sig_id; long n, alg_k, alg_a; - int al, ok, sigalg; + int al, ok; size_t param_len; EVP_MD_CTX_init(&md_ctx); @@ -1506,24 +1506,16 @@ ssl3_get_server_key_exchange(SSL *s) /* if it was signed, check the signature */ if (pkey != NULL) { if (SSL_USE_SIGALGS(s)) { - if (!CBS_get_u8(&cbs, &hash_id)) - goto truncated; - if (!CBS_get_u8(&cbs, &sig_id)) - goto truncated; + uint16_t sigalg; - if ((md = tls12_get_hash(hash_id)) == NULL) { + if (!CBS_get_u16(&cbs, &sigalg)) + goto truncated; + if ((md = ssl_sigalg_md(sigalg)) == NULL) { SSLerror(s, SSL_R_UNKNOWN_DIGEST); al = SSL_AD_DECODE_ERROR; goto f_err; } - - /* Check key type is consistent with signature. */ - if ((sigalg = tls12_get_sigid(pkey)) == -1) { - /* Should never happen */ - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - if (sigalg != sig_id) { + if (!ssl_sigalg_pkey_check(sigalg, pkey)) { SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); al = SSL_AD_DECODE_ERROR; goto f_err; @@ -2409,10 +2401,13 @@ ssl3_send_client_verify(SSL *s) * using agreed digest and cached handshake records. */ if (SSL_USE_SIGALGS(s)) { - md = s->cert->key->digest; + uint16_t sigalg; + md = s->cert->key->digest; if (!tls1_transcript_data(s, &hdata, &hdatalen) || - !tls12_get_hashandsig(&cert_verify, pkey, md)) { + (sigalg = ssl_sigalg_value(pkey, md)) == + SIGALG_NONE || + !CBB_add_u16(&cert_verify, sigalg)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 3b08f8c772..8567c51c67 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.222 2018/11/08 22:28:52 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.223 2018/11/09 00:34:55 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1286,15 +1286,9 @@ int ssl_check_serverhello_tlsext(SSL *s); #define tlsext_tick_md EVP_sha256 int tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len, CBS *ext_block, SSL_SESSION **ret); -int tls12_get_hashid(const EVP_MD *md); -int tls12_get_sigid(const EVP_PKEY *pk); -int tls12_get_hashandsig(CBB *cbb, const EVP_PKEY *pk, const EVP_MD *md); -const EVP_MD *tls12_get_hash(unsigned char hash_alg); long ssl_get_algorithm2(SSL *s); int tls1_process_sigalgs(SSL *s, CBS *cbs); -void tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs, - size_t *sigalgs_len); int tls1_check_ec_server_key(SSL *s); diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c new file mode 100644 index 0000000000..d214b0dbbf --- /dev/null +++ b/src/lib/libssl/ssl_sigalgs.c @@ -0,0 +1,218 @@ +/* $OpenBSD: ssl_sigalgs.c,v 1.1 2018/11/09 00:34:55 beck Exp $ */ +/* + * Copyright (c) 2018, Bob Beck + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +#include +#include + +#include + +#include "bytestring.h" +#include "ssl_locl.h" +#include "ssl_sigalgs.h" +#include "tls13_internal.h" + +/* This table must be kept in preference order for now */ +const struct ssl_sigalg sigalgs[] = { + { + .value = SIGALG_RSA_PKCS1_SHA512, + .md = EVP_sha512, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + }, + { + .value = SIGALG_ECDSA_SECP512R1_SHA512, + .md = EVP_sha512, + .key_type = EVP_PKEY_EC, + .pkey_idx = SSL_PKEY_ECC, + }, +#ifndef OPENSSL_NO_GOST + { + .value = SIGALG_GOSTR12_512_STREEBOG_512, + .md = EVP_streebog512, + .key_type = EVP_PKEY_GOSTR12_512, + .pkey_idx = SSL_PKEY_GOST01, /* XXX */ + }, +#endif + { + .value = SIGALG_RSA_PKCS1_SHA384, + .md = EVP_sha384, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + }, + { + .value = SIGALG_ECDSA_SECP384R1_SHA384, + .md = EVP_sha384, + .key_type = EVP_PKEY_EC, + .pkey_idx = SSL_PKEY_ECC, + }, + { + .value = SIGALG_RSA_PKCS1_SHA256, + .md = EVP_sha256, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + }, + { + .value = SIGALG_ECDSA_SECP256R1_SHA256, + .md = EVP_sha256, + .key_type = EVP_PKEY_EC, + .pkey_idx = SSL_PKEY_ECC, + }, +#ifndef OPENSSL_NO_GOST + { + .value = SIGALG_GOSTR12_256_STREEBOG_256, + .md = EVP_streebog256, + .key_type = EVP_PKEY_GOSTR12_256, + .pkey_idx = SSL_PKEY_GOST01, /* XXX */ + }, + { + .value = SIGALG_GOSTR01_GOST94, + .md = EVP_gostr341194, + .key_type = EVP_PKEY_GOSTR01, + .pkey_idx = SSL_PKEY_GOST01, + }, +#endif +#ifdef LIBRESSL_HAS_TLS1_3 + { + .value = SIGALG_RSA_PSS_RSAE_SHA256, + .md = EVP_sha256, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PSS_RSAE_SHA384, + .md = EVP_sha384, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PSS_RSAE_SHA512, + .md = EVP_sha512, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PSS_PSS_SHA256, + .md = EVP_sha256, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PSS_PSS_SHA384, + .md = EVP_sha384, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PSS_PSS_SHA512, + .md = EVP_sha512, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + .flags = SIGALG_FLAG_RSA_PSS, + }, +#endif + { + .value = SIGALG_RSA_PKCS1_SHA224, + .md = EVP_sha224, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + }, + { + .value = SIGALG_ECDSA_SECP224R1_SHA224, + .md = EVP_sha224, + .key_type = EVP_PKEY_EC, + .pkey_idx = SSL_PKEY_ECC, + }, + { + .value = SIGALG_RSA_PKCS1_SHA1, + .key_type = EVP_PKEY_RSA, + .pkey_idx = SSL_PKEY_RSA_SIGN, + .md = EVP_sha1, + }, + { + .value = SIGALG_ECDSA_SHA1, + .key_type = EVP_PKEY_EC, + .md = EVP_sha1, + .pkey_idx = SSL_PKEY_ECC, + }, + { + .value = SIGALG_NONE, + }, +}; + +const struct ssl_sigalg * +ssl_sigalg_lookup(uint16_t sigalg) +{ + int i; + + for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) { + if (sigalgs[i].value == sigalg) + return &sigalgs[i]; + } + + return NULL; +} + +const EVP_MD * +ssl_sigalg_md(uint16_t sigalg) +{ + const struct ssl_sigalg *sap; + + if ((sap = ssl_sigalg_lookup(sigalg)) != NULL) + return sap->md(); + + return NULL; +} + +int +ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk) +{ + const struct ssl_sigalg *sap; + + if ((sap = ssl_sigalg_lookup(sigalg)) != NULL) + return sap->key_type == pk->type; + + return 0; +} + +uint16_t +ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md) +{ + int i; + + for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) { + if ((sigalgs[i].key_type == pk->type) && + ((sigalgs[i].md() == md))) + return sigalgs[i].value; + } + return SIGALG_NONE; +} + +int +ssl_sigalgs_build(CBB *cbb) +{ + int i; + + for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) { + if (!CBB_add_u16(cbb, sigalgs[i].value)) + return 0; + } + return 1; +} diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h new file mode 100644 index 0000000000..b0ed70b7fc --- /dev/null +++ b/src/lib/libssl/ssl_sigalgs.h @@ -0,0 +1,69 @@ +/* $OpenBSD: ssl_sigalgs.h,v 1.1 2018/11/09 00:34:55 beck Exp $ */ +/* + * Copyright (c) 2018, Bob Beck + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + + +#define SIGALG_NONE 0x0000 + +/* + * RFC 8446 Section 4.2.3 + * RFC 5246 Section 7.4.1.4.1 + */ +#define SIGALG_RSA_PKCS1_SHA224 0x0301 +#define SIGALG_RSA_PKCS1_SHA256 0x0401 +#define SIGALG_RSA_PKCS1_SHA384 0x0501 +#define SIGALG_RSA_PKCS1_SHA512 0x0601 +#define SIGALG_ECDSA_SECP224R1_SHA224 0x0303 +#define SIGALG_ECDSA_SECP256R1_SHA256 0x0403 +#define SIGALG_ECDSA_SECP384R1_SHA384 0x0503 +#define SIGALG_ECDSA_SECP512R1_SHA512 0x0603 +#define SIGALG_RSA_PSS_RSAE_SHA256 0x0804 +#define SIGALG_RSA_PSS_RSAE_SHA384 0x0805 +#define SIGALG_RSA_PSS_RSAE_SHA512 0x0806 +#define SIGALG_ED25519 0x0807 +#define SIGALG_ED448 0x0808 +#define SIGALG_RSA_PSS_PSS_SHA256 0x0809 +#define SIGALG_RSA_PSS_PSS_SHA384 0x080a +#define SIGALG_RSA_PSS_PSS_SHA512 0x080b +#define SIGALG_RSA_PKCS1_SHA1 0x0201 +#define SIGALG_ECDSA_SHA1 0x0203 +#define SIGALG_PRIVATE_START 0xFE00 +#define SIGALG_PRIVATE_END 0xFFFF + +/* + * If Russia can elect the US President, surely + * IANA could fix this problem. + */ +#define SIGALG_GOSTR12_512_STREEBOG_512 0xEFEF +#define SIGALG_GOSTR12_256_STREEBOG_256 0xEEEE +#define SIGALG_GOSTR01_GOST94 0xEDED + +#define SIGALG_FLAG_RSA_PSS 0x00000001 + +struct ssl_sigalg{ + uint16_t value; + const EVP_MD *(*md)(void); + int key_type; + int pkey_idx; /* XXX get rid of this eventually */ + int curve_nid; + int flags; +}; + +const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg); +const EVP_MD * ssl_sigalg_md(uint16_t sigalg); +uint16_t ssl_sigalg_value(const EVP_PKEY *pk, const EVP_MD *md); +int ssl_sigalgs_build(CBB *cbb); +int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk); diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index af9152d3de..0d82271325 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.51 2018/11/08 22:28:52 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.52 2018/11/09 00:34:55 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -166,6 +166,7 @@ #include #include "bytestring.h" +#include "ssl_sigalgs.h" #include "ssl_tlsext.h" int @@ -1545,7 +1546,10 @@ ssl3_send_server_key_exchange(SSL *s) /* Send signature algorithm. */ if (SSL_USE_SIGALGS(s)) { - if (!tls12_get_hashandsig(&server_kex, pkey, md)) { + uint16_t sigalg; + if ((sigalg = ssl_sigalg_value(pkey, md)) == + SIGALG_NONE || + !CBB_add_u16(&server_kex, sigalg)) { /* Should never happen */ al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_INTERNAL_ERROR); @@ -1629,14 +1633,9 @@ ssl3_send_certificate_request(SSL *s) goto err; if (SSL_USE_SIGALGS(s)) { - unsigned char *sigalgs_data; - size_t sigalgs_len; - - tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len); - if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs)) goto err; - if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len)) + if (!ssl_sigalgs_build(&sigalgs)) goto err; } @@ -2089,8 +2088,7 @@ ssl3_get_cert_verify(SSL *s) EVP_PKEY *pkey = NULL; X509 *peer = NULL; EVP_MD_CTX mctx; - uint8_t hash_id, sig_id; - int al, ok, sigalg, verify; + int al, ok, verify; const unsigned char *hdata; size_t hdatalen; int type = 0; @@ -2157,24 +2155,16 @@ ssl3_get_cert_verify(SSL *s) goto err; } else { if (SSL_USE_SIGALGS(s)) { - if (!CBS_get_u8(&cbs, &hash_id)) - goto truncated; - if (!CBS_get_u8(&cbs, &sig_id)) - goto truncated; + uint16_t sigalg; - if ((md = tls12_get_hash(hash_id)) == NULL) { + if (!CBS_get_u16(&cbs, &sigalg)) + goto truncated; + if ((md = ssl_sigalg_md(sigalg)) == NULL) { SSLerror(s, SSL_R_UNKNOWN_DIGEST); al = SSL_AD_DECODE_ERROR; goto f_err; } - - /* Check key type is consistent with signature. */ - if ((sigalg = tls12_get_sigid(pkey)) == -1) { - /* Should never happen */ - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - if (sigalg != sig_id) { + if (!ssl_sigalg_pkey_check(sigalg, pkey)) { SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); al = SSL_AD_DECODE_ERROR; goto f_err; diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index f64d215799..dc844998a3 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.24 2018/11/05 20:41:30 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.25 2018/11/09 00:34:55 beck Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -22,6 +22,7 @@ #include "bytestring.h" #include "ssl_tlsext.h" +#include "ssl_sigalgs.h" /* * Supported Application-Layer Protocol Negotiation - RFC 7301 @@ -528,16 +529,14 @@ tlsext_sigalgs_clienthello_needs(SSL *s) int tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb) { - unsigned char *sigalgs_data; - size_t sigalgs_len; CBB sigalgs; - tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len); - if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) return 0; - if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len)) + + if (!ssl_sigalgs_build(&sigalgs)) return 0; + if (!CBB_flush(cbb)) return 0; diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 1cb0cfb453..1fc433cca1 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.148 2018/11/08 20:55:18 jsing Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.149 2018/11/09 00:34:55 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -119,6 +119,7 @@ #include "ssl_locl.h" #include "bytestring.h" +#include "ssl_sigalgs.h" #include "ssl_tlsext.h" static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, @@ -604,43 +605,6 @@ tls1_check_ec_server_key(SSL *s) return tls1_check_ec_key(s, &curve_id, &comp_id); } -/* - * List of supported signature algorithms and hashes. Should make this - * customisable at some point, for now include everything we support. - */ - -static unsigned char tls12_sigalgs[] = { - TLSEXT_hash_sha512, TLSEXT_signature_rsa, - TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, -#ifndef OPENSSL_NO_GOST - TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, -#endif - - TLSEXT_hash_sha384, TLSEXT_signature_rsa, - TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, - - TLSEXT_hash_sha256, TLSEXT_signature_rsa, - TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, - -#ifndef OPENSSL_NO_GOST - TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, - TLSEXT_hash_gost94, TLSEXT_signature_gostr01, -#endif - - TLSEXT_hash_sha224, TLSEXT_signature_rsa, - TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, - - TLSEXT_hash_sha1, TLSEXT_signature_rsa, - TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, -}; - -void -tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs, size_t *sigalgs_len) -{ - *sigalgs = tls12_sigalgs; - *sigalgs_len = sizeof(tls12_sigalgs); -} - int ssl_check_clienthello_tlsext_early(SSL *s) { @@ -1036,115 +1000,11 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, return 2; } -/* Tables to translate from NIDs to TLS v1.2 ids */ - -typedef struct { - int nid; - int id; -} tls12_lookup; - -static tls12_lookup tls12_md[] = { - {NID_md5, TLSEXT_hash_md5}, - {NID_sha1, TLSEXT_hash_sha1}, - {NID_sha224, TLSEXT_hash_sha224}, - {NID_sha256, TLSEXT_hash_sha256}, - {NID_sha384, TLSEXT_hash_sha384}, - {NID_sha512, TLSEXT_hash_sha512}, - {NID_id_GostR3411_94, TLSEXT_hash_gost94}, - {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, - {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} -}; - -static tls12_lookup tls12_sig[] = { - {EVP_PKEY_RSA, TLSEXT_signature_rsa}, - {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, - {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, -}; - -static int -tls12_find_id(int nid, tls12_lookup *table, size_t tlen) -{ - size_t i; - for (i = 0; i < tlen; i++) { - if (table[i].nid == nid) - return table[i].id; - } - return -1; -} - -int -tls12_get_hashid(const EVP_MD *md) -{ - if (md == NULL) - return -1; - - return tls12_find_id(EVP_MD_type(md), tls12_md, - sizeof(tls12_md) / sizeof(tls12_lookup)); -} - -int -tls12_get_sigid(const EVP_PKEY *pk) -{ - if (pk == NULL) - return -1; - - return tls12_find_id(pk->type, tls12_sig, - sizeof(tls12_sig) / sizeof(tls12_lookup)); -} - -int -tls12_get_hashandsig(CBB *cbb, const EVP_PKEY *pk, const EVP_MD *md) -{ - int hash_id, sig_id; - - if ((hash_id = tls12_get_hashid(md)) == -1) - return 0; - if ((sig_id = tls12_get_sigid(pk)) == -1) - return 0; - - if (!CBB_add_u8(cbb, hash_id)) - return 0; - if (!CBB_add_u8(cbb, sig_id)) - return 0; - - return 1; -} - -const EVP_MD * -tls12_get_hash(unsigned char hash_alg) -{ - switch (hash_alg) { - case TLSEXT_hash_sha1: - return EVP_sha1(); - case TLSEXT_hash_sha224: - return EVP_sha224(); - case TLSEXT_hash_sha256: - return EVP_sha256(); - case TLSEXT_hash_sha384: - return EVP_sha384(); - case TLSEXT_hash_sha512: - return EVP_sha512(); -#ifndef OPENSSL_NO_GOST - case TLSEXT_hash_gost94: - return EVP_gostr341194(); - case TLSEXT_hash_streebog_256: - return EVP_streebog256(); - case TLSEXT_hash_streebog_512: - return EVP_streebog512(); -#endif - default: - return NULL; - } -} - /* Set preferred digest for each key type */ - int tls1_process_sigalgs(SSL *s, CBS *cbs) { - const EVP_MD *md; CERT *c = s->cert; - int idx; /* Extension ignored for inappropriate versions */ if (!SSL_USE_SIGALGS(s)) @@ -1153,53 +1013,38 @@ tls1_process_sigalgs(SSL *s, CBS *cbs) c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; c->pkeys[SSL_PKEY_ECC].digest = NULL; +#ifndef OPENSSL_NO_GOST c->pkeys[SSL_PKEY_GOST01].digest = NULL; - +#endif while (CBS_len(cbs) > 0) { - uint8_t hash_alg, sig_alg; + const EVP_MD *md; + uint16_t sig_alg; + const struct ssl_sigalg *sigalg; - if (!CBS_get_u8(cbs, &hash_alg) || !CBS_get_u8(cbs, &sig_alg)) + if (!CBS_get_u16(cbs, &sig_alg)) return 0; - switch (sig_alg) { - case TLSEXT_signature_rsa: - idx = SSL_PKEY_RSA_SIGN; - break; - case TLSEXT_signature_ecdsa: - idx = SSL_PKEY_ECC; - break; - case TLSEXT_signature_gostr01: - case TLSEXT_signature_gostr12_256: - case TLSEXT_signature_gostr12_512: - idx = SSL_PKEY_GOST01; - break; - default: - continue; + if ((sigalg = ssl_sigalg_lookup(sig_alg)) != NULL && + c->pkeys[sigalg->pkey_idx].digest == NULL) { + md = sigalg->md(); + c->pkeys[sigalg->pkey_idx].digest = md; + if (sigalg->pkey_idx == SSL_PKEY_RSA_SIGN) + c->pkeys[SSL_PKEY_RSA_ENC].digest = md; } - - if (c->pkeys[idx].digest == NULL) { - md = tls12_get_hash(hash_alg); - if (md) { - c->pkeys[idx].digest = md; - if (idx == SSL_PKEY_RSA_SIGN) - c->pkeys[SSL_PKEY_RSA_ENC].digest = md; - } - } - } /* * Set any remaining keys to default values. NOTE: if alg is not * supported it stays as NULL. */ - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { + if (c->pkeys[SSL_PKEY_RSA_SIGN].digest == NULL) c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); + if (c->pkeys[SSL_PKEY_RSA_ENC].digest == NULL) c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - } - if (!c->pkeys[SSL_PKEY_ECC].digest) + if (c->pkeys[SSL_PKEY_ECC].digest == NULL) c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); #ifndef OPENSSL_NO_GOST - if (!c->pkeys[SSL_PKEY_GOST01].digest) + if (c->pkeys[SSL_PKEY_GOST01].digest == NULL) c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); #endif return 1; diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h index 603201ad17..c253f6d2c0 100644 --- a/src/lib/libssl/tls1.h +++ b/src/lib/libssl/tls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls1.h,v 1.36 2018/11/07 01:53:36 jsing Exp $ */ +/* $OpenBSD: tls1.h,v 1.37 2018/11/09 00:34:55 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -295,29 +295,6 @@ extern "C" { #define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 2 #define TLSEXT_ECPOINTFORMAT_last 2 -/* Signature and hash algorithms from RFC 5246. */ - -#define TLSEXT_signature_anonymous 0 -#define TLSEXT_signature_rsa 1 -#define TLSEXT_signature_dsa 2 -#define TLSEXT_signature_ecdsa 3 -/* FIXME IANA */ -#define TLSEXT_signature_gostr01 237 -#define TLSEXT_signature_gostr12_256 238 -#define TLSEXT_signature_gostr12_512 239 - -#define TLSEXT_hash_none 0 -#define TLSEXT_hash_md5 1 -#define TLSEXT_hash_sha1 2 -#define TLSEXT_hash_sha224 3 -#define TLSEXT_hash_sha256 4 -#define TLSEXT_hash_sha384 5 -#define TLSEXT_hash_sha512 6 -/* FIXME IANA */ -#define TLSEXT_hash_gost94 237 -#define TLSEXT_hash_streebog_256 238 -#define TLSEXT_hash_streebog_512 239 - #define TLSEXT_MAXLEN_host_name 255 const char *SSL_get_servername(const SSL *s, const int type); -- cgit v1.2.3-55-g6feb