mirror of
https://abf.rosa.ru/djam/libressl.git
synced 2025-02-23 16:12:53 +00:00
146 lines
4.4 KiB
Diff
146 lines
4.4 KiB
Diff
From d0051e736d9d643dbd3977b472bf011eb4f37cb3 Mon Sep 17 00:00:00 2001
|
|
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|
Date: Fri, 27 Mar 2020 18:25:51 +0300
|
|
Subject: [PATCH 68/87] ssl_sigalgs: select proper default algorithm for GOST
|
|
pkeys
|
|
|
|
Return default sigalg algorithm depending in the default digest
|
|
algorithm (GOST94 or Streebog) selected by pkey.
|
|
|
|
Sponsored by ROSA Linux
|
|
|
|
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|
---
|
|
src/lib/libssl/ssl_sigalgs.c | 43 ++++++++++++++++++++--
|
|
src/regress/lib/libssl/tlsext/tlsexttest.c | 10 +++--
|
|
2 files changed, 45 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
|
|
index 6378ec8c0..224c01af0 100644
|
|
--- a/src/lib/libssl/ssl_sigalgs.c
|
|
+++ b/src/lib/libssl/ssl_sigalgs.c
|
|
@@ -40,7 +40,7 @@ const struct ssl_sigalg sigalgs[] = {
|
|
{
|
|
.value = SIGALG_GOSTR12_512_STREEBOG_512,
|
|
.md = EVP_streebog512,
|
|
- .key_type = EVP_PKEY_GOSTR12_512,
|
|
+ .key_type = EVP_PKEY_GOSTR01,
|
|
},
|
|
#endif
|
|
{
|
|
@@ -69,7 +69,7 @@ const struct ssl_sigalg sigalgs[] = {
|
|
{
|
|
.value = SIGALG_GOSTR12_256_STREEBOG_256,
|
|
.md = EVP_streebog256,
|
|
- .key_type = EVP_PKEY_GOSTR12_256,
|
|
+ .key_type = EVP_PKEY_GOSTR01,
|
|
},
|
|
{
|
|
.value = SIGALG_GOSTR01_GOST94,
|
|
@@ -170,6 +170,11 @@ uint16_t tls12_sigalgs[] = {
|
|
SIGALG_ECDSA_SECP256R1_SHA256,
|
|
SIGALG_RSA_PKCS1_SHA1, /* XXX */
|
|
SIGALG_ECDSA_SHA1, /* XXX */
|
|
+#ifndef OPENSSL_NO_GOST
|
|
+ SIGALG_GOSTR12_512_STREEBOG_512,
|
|
+ SIGALG_GOSTR12_256_STREEBOG_256,
|
|
+ SIGALG_GOSTR01_GOST94,
|
|
+#endif
|
|
};
|
|
size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
|
|
|
|
@@ -254,9 +259,39 @@ ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
|
|
}
|
|
}
|
|
|
|
+#ifndef OPENSSL_NO_GOST
|
|
+ if (pkey->type == EVP_PKEY_GOSTR01) {
|
|
+ int nid;
|
|
+
|
|
+ if (!EVP_PKEY_get_default_digest_nid(pkey, &nid))
|
|
+ return 0;
|
|
+
|
|
+ return EVP_MD_type(sigalg->md()) == nid;
|
|
+ }
|
|
+#endif
|
|
+
|
|
return 1;
|
|
}
|
|
|
|
+#ifndef OPENSSL_NO_GOST
|
|
+static const struct ssl_sigalg *
|
|
+ssl_sigalg_gost_select(SSL *s, EVP_PKEY *pkey)
|
|
+{
|
|
+ int nid = NID_id_GostR3411_94;
|
|
+
|
|
+ if (!EVP_PKEY_get_default_digest_nid(pkey, &nid)) {
|
|
+ SSLerror(s, ERR_R_EVP_LIB);
|
|
+ /* fallthrough, return GOST94 */
|
|
+ }
|
|
+ if (nid == NID_id_tc26_gost3411_2012_256)
|
|
+ return ssl_sigalg_lookup(SIGALG_GOSTR12_256_STREEBOG_256);
|
|
+ else if (nid == NID_id_tc26_gost3411_2012_512)
|
|
+ return ssl_sigalg_lookup(SIGALG_GOSTR12_512_STREEBOG_512);
|
|
+ else
|
|
+ return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
|
|
+}
|
|
+#endif
|
|
+
|
|
const struct ssl_sigalg *
|
|
ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
|
|
{
|
|
@@ -280,7 +315,7 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
|
|
return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
|
|
#ifndef OPENSSL_NO_GOST
|
|
case EVP_PKEY_GOSTR01:
|
|
- return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
|
|
+ return ssl_sigalg_gost_select(s, pkey);
|
|
#endif
|
|
}
|
|
SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
|
|
@@ -300,7 +335,7 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
|
|
return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
|
|
#ifndef OPENSSL_NO_GOST
|
|
case EVP_PKEY_GOSTR01:
|
|
- return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
|
|
+ return ssl_sigalg_gost_select(s, pkey);
|
|
#endif
|
|
}
|
|
SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
|
|
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
|
|
index fe500a9d6..58955cd78 100644
|
|
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
|
|
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
|
|
@@ -1506,9 +1506,10 @@ test_tlsext_ri_server(void)
|
|
*/
|
|
|
|
static unsigned char tlsext_sigalgs_client[] = {
|
|
- 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
|
|
+ 0x00, 0x1c, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
|
|
0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04,
|
|
0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
|
|
+ 0xef, 0xef, 0xee, 0xee, 0xed, 0xed,
|
|
};
|
|
|
|
static int
|
|
@@ -2713,13 +2714,14 @@ test_tlsext_srtp_server(void)
|
|
#endif /* OPENSSL_NO_SRTP */
|
|
|
|
unsigned char tlsext_clienthello_default[] = {
|
|
- 0x00, 0x32, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
|
|
+ 0x00, 0x38, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
|
|
0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d,
|
|
0x00, 0x17, 0x00, 0x18, 0x00, 0x23, 0x00, 0x00,
|
|
- 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06,
|
|
+ 0x00, 0x0d, 0x00, 0x1e, 0x00, 0x1c, 0x08, 0x06,
|
|
0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01,
|
|
0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03,
|
|
- 0x02, 0x01, 0x02, 0x03,
|
|
+ 0x02, 0x01, 0x02, 0x03, 0xef, 0xef, 0xee, 0xee,
|
|
+ 0xed, 0xed,
|
|
};
|
|
|
|
unsigned char tlsext_clienthello_disabled[] = {};
|
|
--
|
|
2.17.1
|
|
|