From cf199fec52be90f5ad0b5ada0984c21ae61f8e86 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 14 Aug 2011 13:47:30 +0000 Subject: [PATCH] Remove hard coded ecdsaWithSHA1 hack in ssl routines and check for RSA using OBJ xref utilities instead of string comparison with OID name. This removes the arbitrary restriction on using SHA1 only with some ECC ciphersuites. --- CHANGES | 5 +++++ crypto/Makefile | 14 ++++++++++++++ crypto/aes/Makefile | 8 +++++--- crypto/bf/Makefile | 7 +++++-- crypto/camellia/Makefile | 13 ++++++++++--- crypto/cast/Makefile | 5 ++++- crypto/cmac/Makefile | 35 +++++++++++++++++++++++++++++++++++ crypto/des/Makefile | 5 +++-- crypto/dso/Makefile | 2 +- crypto/ec/Makefile | 26 +++++++++++++++++++++++++- crypto/engine/Makefile | 28 ++++++++++++++++++++++++++++ crypto/idea/Makefile | 5 ++++- crypto/md4/Makefile | 8 +++++--- crypto/md5/Makefile | 8 +++++--- crypto/mdc2/Makefile | 14 +++++++------- crypto/rc2/Makefile | 6 +++++- crypto/rc4/Makefile | 5 +++++ crypto/ripemd/Makefile | 7 +++++-- crypto/sha/Makefile | 14 ++++++++++---- crypto/whrlpool/Makefile | 5 ++++- ssl/ssl_lib.c | 32 +++++++++++++------------------- 21 files changed, 198 insertions(+), 54 deletions(-) diff --git a/CHANGES b/CHANGES index d2a10b01a9..68e7bc4a82 100644 --- a/CHANGES +++ b/CHANGES @@ -159,6 +159,11 @@ Changes between 1.0.0d and 1.0.0e [xx XXX xxxx] + *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check + signature public key algorithm by using OID xref utilities instead. + Before this you could only use some ECC ciphersuites with SHA1 only. + [Steve Henson] + *) Add protection against ECDSA timing attacks as mentioned in the paper by Billy Bob Brumley and Nicola Tuveri, see: diff --git a/crypto/Makefile b/crypto/Makefile index 58c8d1ec10..44248087a1 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -174,6 +174,7 @@ ex_data.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h ex_data.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h ex_data.o: ex_data.c +fips_ers.o: ../include/openssl/opensslconf.h fips_ers.c mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h mem.o: ../include/openssl/err.h ../include/openssl/lhash.h @@ -194,6 +195,19 @@ mem_dbg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h mem_dbg.o: mem_dbg.c o_dir.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_dir.o: LPdir_unix.c o_dir.c o_dir.h +o_fips.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h +o_fips.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +o_fips.o: ../include/openssl/err.h ../include/openssl/lhash.h +o_fips.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +o_fips.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h +o_fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h +o_fips.o: o_fips.c +o_init.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/crypto.h +o_init.o: ../include/openssl/e_os2.h ../include/openssl/err.h +o_init.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h +o_init.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +o_init.o: ../include/openssl/safestack.h ../include/openssl/stack.h +o_init.o: ../include/openssl/symhacks.h o_init.c o_str.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_str.o: o_str.c o_str.h o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c diff --git a/crypto/aes/Makefile b/crypto/aes/Makefile index 3517465bd0..5012b947a4 100644 --- a/crypto/aes/Makefile +++ b/crypto/aes/Makefile @@ -121,9 +121,11 @@ aes_ige.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h aes_ige.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h aes_ige.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h aes_ige.o: ../../include/openssl/symhacks.h ../cryptlib.h aes_ige.c aes_locl.h -aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h -aes_misc.o: ../../include/openssl/opensslconf.h -aes_misc.o: ../../include/openssl/opensslv.h aes_locl.h aes_misc.c +aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/crypto.h +aes_misc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +aes_misc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +aes_misc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +aes_misc.o: ../../include/openssl/symhacks.h aes_locl.h aes_misc.c aes_ofb.o: ../../include/openssl/aes.h ../../include/openssl/modes.h aes_ofb.o: ../../include/openssl/opensslconf.h aes_ofb.c aes_wrap.o: ../../e_os.h ../../include/openssl/aes.h diff --git a/crypto/bf/Makefile b/crypto/bf/Makefile index dd2c2c708e..d01bfaa315 100644 --- a/crypto/bf/Makefile +++ b/crypto/bf/Makefile @@ -94,5 +94,8 @@ bf_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h bf_enc.o: ../../include/openssl/opensslconf.h bf_enc.c bf_locl.h bf_ofb64.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h bf_ofb64.c -bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h -bf_skey.o: ../../include/openssl/opensslconf.h bf_locl.h bf_pi.h bf_skey.c +bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/crypto.h +bf_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +bf_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +bf_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +bf_skey.o: ../../include/openssl/symhacks.h bf_locl.h bf_pi.h bf_skey.c diff --git a/crypto/camellia/Makefile b/crypto/camellia/Makefile index a5d08a8fd3..6ce6fc99cd 100644 --- a/crypto/camellia/Makefile +++ b/crypto/camellia/Makefile @@ -96,8 +96,15 @@ cmll_ctr.o: ../../include/openssl/camellia.h ../../include/openssl/modes.h cmll_ctr.o: ../../include/openssl/opensslconf.h cmll_ctr.c cmll_ecb.o: ../../include/openssl/camellia.h cmll_ecb.o: ../../include/openssl/opensslconf.h cmll_ecb.c cmll_locl.h -cmll_misc.o: ../../include/openssl/camellia.h -cmll_misc.o: ../../include/openssl/opensslconf.h -cmll_misc.o: ../../include/openssl/opensslv.h cmll_locl.h cmll_misc.c +cmll_misc.o: ../../include/openssl/camellia.h ../../include/openssl/crypto.h +cmll_misc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +cmll_misc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +cmll_misc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +cmll_misc.o: ../../include/openssl/symhacks.h cmll_locl.h cmll_misc.c cmll_ofb.o: ../../include/openssl/camellia.h ../../include/openssl/modes.h cmll_ofb.o: ../../include/openssl/opensslconf.h cmll_ofb.c +cmll_utl.o: ../../include/openssl/camellia.h ../../include/openssl/crypto.h +cmll_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +cmll_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +cmll_utl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +cmll_utl.o: ../../include/openssl/symhacks.h cmll_locl.h cmll_utl.c diff --git a/crypto/cast/Makefile b/crypto/cast/Makefile index 0acc38f28d..f3f4859886 100644 --- a/crypto/cast/Makefile +++ b/crypto/cast/Makefile @@ -95,5 +95,8 @@ c_ofb64.o: ../../e_os.h ../../include/openssl/cast.h c_ofb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h c_ofb64.o: c_ofb64.c cast_lcl.h c_skey.o: ../../e_os.h ../../include/openssl/cast.h -c_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +c_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +c_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +c_skey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h +c_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h c_skey.o: c_skey.c cast_lcl.h cast_s.h diff --git a/crypto/cmac/Makefile b/crypto/cmac/Makefile index 80bb676ac6..54e7cc39d5 100644 --- a/crypto/cmac/Makefile +++ b/crypto/cmac/Makefile @@ -74,3 +74,38 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. +cm_ameth.o: ../../e_os.h ../../include/openssl/asn1.h +cm_ameth.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h +cm_ameth.o: ../../include/openssl/cmac.h ../../include/openssl/crypto.h +cm_ameth.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +cm_ameth.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +cm_ameth.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +cm_ameth.o: ../../include/openssl/opensslconf.h +cm_ameth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +cm_ameth.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +cm_ameth.o: ../../include/openssl/symhacks.h ../asn1/asn1_locl.h ../cryptlib.h +cm_ameth.o: cm_ameth.c +cm_pmeth.o: ../../e_os.h ../../include/openssl/asn1.h +cm_pmeth.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h +cm_pmeth.o: ../../include/openssl/cmac.h ../../include/openssl/conf.h +cm_pmeth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +cm_pmeth.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +cm_pmeth.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h +cm_pmeth.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +cm_pmeth.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +cm_pmeth.o: ../../include/openssl/opensslconf.h +cm_pmeth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +cm_pmeth.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h +cm_pmeth.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +cm_pmeth.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h +cm_pmeth.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h +cm_pmeth.o: ../cryptlib.h ../evp/evp_locl.h cm_pmeth.c +cmac.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h +cmac.o: ../../include/openssl/buffer.h ../../include/openssl/cmac.h +cmac.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +cmac.o: ../../include/openssl/err.h ../../include/openssl/evp.h +cmac.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +cmac.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +cmac.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +cmac.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +cmac.o: ../../include/openssl/symhacks.h ../cryptlib.h cmac.c diff --git a/crypto/des/Makefile b/crypto/des/Makefile index ae982265fd..a6e1001329 100644 --- a/crypto/des/Makefile +++ b/crypto/des/Makefile @@ -257,8 +257,9 @@ rpc_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h rpc_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rpc_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h rpc_enc.o: des_locl.h des_ver.h rpc_des.h rpc_enc.c -set_key.o: ../../include/openssl/des.h ../../include/openssl/des_old.h -set_key.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +set_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h +set_key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h +set_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h set_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h set_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h set_key.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h diff --git a/crypto/dso/Makefile b/crypto/dso/Makefile index f26a05b701..fb2709ed63 100644 --- a/crypto/dso/Makefile +++ b/crypto/dso/Makefile @@ -139,7 +139,7 @@ dso_vms.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dso_vms.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dso_vms.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h dso_vms.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -dso_vms.o: ../cryptlib.h ../vms_rms.h dso_vms.c +dso_vms.o: ../cryptlib.h dso_vms.c dso_win32.o: ../../e_os.h ../../include/openssl/bio.h dso_win32.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dso_win32.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h diff --git a/crypto/ec/Makefile b/crypto/ec/Makefile index 3a74c5e69f..7d0b5df8fe 100644 --- a/crypto/ec/Makefile +++ b/crypto/ec/Makefile @@ -89,6 +89,14 @@ ec2_mult.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h ec2_mult.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ec2_mult.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h ec2_mult.o: ../../include/openssl/symhacks.h ec2_mult.c ec_lcl.h +ec2_oct.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +ec2_oct.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h +ec2_oct.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +ec2_oct.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +ec2_oct.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h +ec2_oct.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +ec2_oct.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +ec2_oct.o: ../../include/openssl/symhacks.h ec2_oct.c ec_lcl.h ec2_smpl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ec2_smpl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h ec2_smpl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h @@ -176,6 +184,14 @@ ec_mult.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h ec_mult.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ec_mult.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h ec_mult.o: ../../include/openssl/symhacks.h ec_lcl.h ec_mult.c +ec_oct.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +ec_oct.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h +ec_oct.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +ec_oct.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +ec_oct.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h +ec_oct.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +ec_oct.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +ec_oct.o: ../../include/openssl/symhacks.h ec_lcl.h ec_oct.c ec_pmeth.o: ../../e_os.h ../../include/openssl/asn1.h ec_pmeth.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h ec_pmeth.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h @@ -223,7 +239,15 @@ ecp_nist.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h ecp_nist.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ecp_nist.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h ecp_nist.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_nist.c -ecp_nistp224.o: ecp_nistp224.c +ecp_nistp224.o: ../../include/openssl/opensslconf.h ecp_nistp224.c +ecp_oct.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +ecp_oct.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h +ecp_oct.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +ecp_oct.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +ecp_oct.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h +ecp_oct.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +ecp_oct.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +ecp_oct.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_oct.c ecp_smpl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ecp_smpl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h ecp_smpl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h diff --git a/crypto/engine/Makefile b/crypto/engine/Makefile index 322ae259b2..d29bdd09a0 100644 --- a/crypto/engine/Makefile +++ b/crypto/engine/Makefile @@ -251,6 +251,34 @@ eng_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h eng_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h eng_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h eng_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h eng_pkey.c +eng_rdrand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +eng_rdrand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +eng_rdrand.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +eng_rdrand.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +eng_rdrand.o: ../../include/openssl/engine.h ../../include/openssl/err.h +eng_rdrand.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +eng_rdrand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +eng_rdrand.o: ../../include/openssl/opensslconf.h +eng_rdrand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +eng_rdrand.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h +eng_rdrand.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +eng_rdrand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +eng_rdrand.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +eng_rdrand.o: eng_rdrand.c +eng_rsax.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +eng_rsax.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h +eng_rsax.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +eng_rsax.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +eng_rsax.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h +eng_rsax.o: ../../include/openssl/err.h ../../include/openssl/evp.h +eng_rsax.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +eng_rsax.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +eng_rsax.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +eng_rsax.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +eng_rsax.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +eng_rsax.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +eng_rsax.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +eng_rsax.o: eng_rsax.c eng_table.o: ../../e_os.h ../../include/openssl/asn1.h eng_table.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h eng_table.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h diff --git a/crypto/idea/Makefile b/crypto/idea/Makefile index b2e7add666..8af0acdad9 100644 --- a/crypto/idea/Makefile +++ b/crypto/idea/Makefile @@ -82,5 +82,8 @@ i_ecb.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h i_ecb.o: ../../include/openssl/opensslv.h i_ecb.c idea_lcl.h i_ofb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h i_ofb64.o: i_ofb64.c idea_lcl.h +i_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h i_skey.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h -i_skey.o: i_skey.c idea_lcl.h +i_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +i_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +i_skey.o: ../../include/openssl/symhacks.h i_skey.c idea_lcl.h diff --git a/crypto/md4/Makefile b/crypto/md4/Makefile index c94a1398ed..e6f1e4478c 100644 --- a/crypto/md4/Makefile +++ b/crypto/md4/Makefile @@ -76,9 +76,11 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md4.h -md4_dgst.o: ../../include/openssl/opensslconf.h -md4_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md4_dgst.c +md4_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +md4_dgst.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h +md4_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +md4_dgst.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +md4_dgst.o: ../../include/openssl/symhacks.h ../md32_common.h md4_dgst.c md4_dgst.o: md4_locl.h md4_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h md4_one.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h diff --git a/crypto/md5/Makefile b/crypto/md5/Makefile index 9858d53d31..b9e2ce9a38 100644 --- a/crypto/md5/Makefile +++ b/crypto/md5/Makefile @@ -89,9 +89,11 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -md5_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md5.h -md5_dgst.o: ../../include/openssl/opensslconf.h -md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_dgst.c +md5_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h +md5_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +md5_dgst.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +md5_dgst.o: ../../include/openssl/symhacks.h ../md32_common.h md5_dgst.c md5_dgst.o: md5_locl.h md5_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h md5_one.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h diff --git a/crypto/mdc2/Makefile b/crypto/mdc2/Makefile index 1d064f17a6..141553149d 100644 --- a/crypto/mdc2/Makefile +++ b/crypto/mdc2/Makefile @@ -84,10 +84,10 @@ mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h mdc2_one.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h mdc2_one.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h mdc2_one.o: ../../include/openssl/ui_compat.h ../cryptlib.h mdc2_one.c -mdc2dgst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h -mdc2dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/mdc2.h -mdc2dgst.o: ../../include/openssl/opensslconf.h -mdc2dgst.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h -mdc2dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -mdc2dgst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h -mdc2dgst.o: mdc2dgst.c +mdc2dgst.o: ../../include/openssl/crypto.h ../../include/openssl/des.h +mdc2dgst.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h +mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h +mdc2dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +mdc2dgst.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +mdc2dgst.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h +mdc2dgst.o: ../../include/openssl/ui_compat.h mdc2dgst.c diff --git a/crypto/rc2/Makefile b/crypto/rc2/Makefile index 73eac347e7..8a9d49ab5e 100644 --- a/crypto/rc2/Makefile +++ b/crypto/rc2/Makefile @@ -78,7 +78,11 @@ rc2_cbc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h rc2_cbc.o: rc2_cbc.c rc2_locl.h rc2_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h rc2_ecb.o: ../../include/openssl/rc2.h rc2_ecb.c rc2_locl.h -rc2_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h +rc2_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +rc2_skey.o: ../../include/openssl/opensslconf.h +rc2_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +rc2_skey.o: ../../include/openssl/rc2.h ../../include/openssl/safestack.h +rc2_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rc2_skey.o: rc2_locl.h rc2_skey.c rc2cfb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h rc2cfb64.o: rc2_locl.h rc2cfb64.c diff --git a/crypto/rc4/Makefile b/crypto/rc4/Makefile index 8f6b0dc68a..cec0b0221c 100644 --- a/crypto/rc4/Makefile +++ b/crypto/rc4/Makefile @@ -113,3 +113,8 @@ rc4_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rc4_skey.o: ../../include/openssl/rc4.h ../../include/openssl/safestack.h rc4_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rc4_skey.o: ../cryptlib.h rc4_locl.h rc4_skey.c +rc4_utl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +rc4_utl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +rc4_utl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc4.h +rc4_utl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +rc4_utl.o: ../../include/openssl/symhacks.h rc4_utl.c diff --git a/crypto/ripemd/Makefile b/crypto/ripemd/Makefile index d5b1067dbe..25140b2a73 100644 --- a/crypto/ripemd/Makefile +++ b/crypto/ripemd/Makefile @@ -82,8 +82,11 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h +rmd_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +rmd_dgst.o: ../../include/openssl/opensslconf.h +rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +rmd_dgst.o: ../../include/openssl/ripemd.h ../../include/openssl/safestack.h +rmd_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rmd_dgst.o: ../md32_common.h rmd_dgst.c rmd_locl.h rmdconst.h rmd_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h rmd_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h diff --git a/crypto/sha/Makefile b/crypto/sha/Makefile index e6eccb05f9..a5de902794 100644 --- a/crypto/sha/Makefile +++ b/crypto/sha/Makefile @@ -119,8 +119,11 @@ sha1_one.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h sha1_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h sha1_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h sha1_one.o: sha1_one.c -sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h +sha1dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +sha1dgst.o: ../../include/openssl/opensslconf.h +sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +sha1dgst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +sha1dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h sha1dgst.o: ../md32_common.h sha1dgst.c sha_locl.h sha256.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h sha256.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h @@ -135,8 +138,11 @@ sha512.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h sha512.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h sha512.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h sha512.o: ../cryptlib.h sha512.c -sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h +sha_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +sha_dgst.o: ../../include/openssl/opensslconf.h +sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +sha_dgst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +sha_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h sha_dgst.o: ../md32_common.h sha_dgst.c sha_locl.h sha_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h sha_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h diff --git a/crypto/whrlpool/Makefile b/crypto/whrlpool/Makefile index 566b996290..f4d46e4d17 100644 --- a/crypto/whrlpool/Makefile +++ b/crypto/whrlpool/Makefile @@ -89,5 +89,8 @@ clean: wp_block.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h wp_block.o: ../../include/openssl/whrlpool.h wp_block.c wp_locl.h -wp_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +wp_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +wp_dgst.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +wp_dgst.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h +wp_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h wp_dgst.o: ../../include/openssl/whrlpool.h wp_dgst.c wp_locl.h diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 65a515753e..720b24a734 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1864,7 +1864,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #endif X509 *x = NULL; EVP_PKEY *ecc_pkey = NULL; - int signature_nid = 0; + int signature_nid = 0, pk_nid = 0, md_nid = 0; if (c == NULL) return; @@ -1994,18 +1994,15 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) EVP_PKEY_bits(ecc_pkey) : 0; EVP_PKEY_free(ecc_pkey); if ((x->sig_alg) && (x->sig_alg->algorithm)) + { signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); + OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); + } #ifndef OPENSSL_NO_ECDH if (ecdh_ok) { - const char *sig = OBJ_nid2ln(signature_nid); - if (sig == NULL) - { - ERR_clear_error(); - sig = "unknown"; - } - - if (strstr(sig, "WithRSA")) + + if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) { mask_k|=SSL_kECDHr; mask_a|=SSL_aECDH; @@ -2016,7 +2013,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) } } - if (signature_nid == NID_ecdsa_with_SHA1) + if (pk_nid == NID_X9_62_id_ecPublicKey) { mask_k|=SSL_kECDHe; mask_a|=SSL_aECDH; @@ -2070,7 +2067,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) unsigned long alg_k, alg_a; EVP_PKEY *pkey = NULL; int keysize = 0; - int signature_nid = 0; + int signature_nid = 0, md_nid = 0, pk_nid = 0; const SSL_CIPHER *cs = s->s3->tmp.new_cipher; alg_k = cs->algorithm_mkey; @@ -2089,7 +2086,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) /* This call populates the ex_flags field correctly */ X509_check_purpose(x, -1, 0); if ((x->sig_alg) && (x->sig_alg->algorithm)) + { signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); + OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); + } if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) { /* key usage, if present, must allow key agreement */ @@ -2101,7 +2101,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION) { /* signature alg must be ECDSA */ - if (signature_nid != NID_ecdsa_with_SHA1) + if (pk_nid != NID_X9_62_id_ecPublicKey) { SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE); return 0; @@ -2111,13 +2111,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { /* signature alg must be RSA */ - const char *sig = OBJ_nid2ln(signature_nid); - if (sig == NULL) - { - ERR_clear_error(); - sig = "unknown"; - } - if (strstr(sig, "WithRSA") == NULL) + if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) { SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE); return 0; -- 2.25.1