From d8311fc93a4d8cffa0398a39a20950b9b6a94b3c Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Thu, 8 Jun 2017 17:15:45 +0100
Subject: [PATCH] Add back support for SHA224 based sig algs

This used to work but was inadvertently removed as part of the TLSv1.3 work.
This adds it back.

Fixes #3633

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/3639)
---
 ssl/ssl_locl.h |  3 +++
 ssl/t1_lib.c   | 31 ++++++++++++++++++++++++-------
 ssl/t1_trce.c  |  3 +++
 3 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index fe7f7b4e0f..fe6119b2ff 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1857,6 +1857,7 @@ typedef enum downgrade_en {
 #define TLSEXT_SIGALG_ecdsa_secp256r1_sha256 0x0403
 #define TLSEXT_SIGALG_ecdsa_secp384r1_sha384 0x0503
 #define TLSEXT_SIGALG_ecdsa_secp521r1_sha512 0x0603
+#define TLSEXT_SIGALG_ecdsa_sha224 0x0303
 #define TLSEXT_SIGALG_ecdsa_sha1 0x0203
 #define TLSEXT_SIGALG_rsa_pss_sha256 0x0804
 #define TLSEXT_SIGALG_rsa_pss_sha384 0x0805
@@ -1864,10 +1865,12 @@ typedef enum downgrade_en {
 #define TLSEXT_SIGALG_rsa_pkcs1_sha256 0x0401
 #define TLSEXT_SIGALG_rsa_pkcs1_sha384 0x0501
 #define TLSEXT_SIGALG_rsa_pkcs1_sha512 0x0601
+#define TLSEXT_SIGALG_rsa_pkcs1_sha224 0x0301
 #define TLSEXT_SIGALG_rsa_pkcs1_sha1 0x0201
 #define TLSEXT_SIGALG_dsa_sha256 0x0402
 #define TLSEXT_SIGALG_dsa_sha384 0x0502
 #define TLSEXT_SIGALG_dsa_sha512 0x0602
+#define TLSEXT_SIGALG_dsa_sha224 0x0302
 #define TLSEXT_SIGALG_dsa_sha1 0x0202
 #define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 0xeeee
 #define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 0xefef
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c185a09e9c..df48f5b34d 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
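Review bot: The three new codepoints in the ssl_locl.h hunks carry no comment saying what they are, and since this same commit refuses them for TLS 1.3 in tls12_check_peer_sigalg a reader of the header cannot tell whether they are general-purpose or legacy values; a short comment above the first one, `/* SHA-224 sigalgs: TLS 1.2 only, rejected for TLS 1.3 in tls12_check_peer_sigalg() */`, would record that. The values 0x0303, 0x0301 and 0x0302 follow the same (hash, signature) byte layout as the neighbouring sha1 entries (0x02xx), which matches SHA-224 being hash byte 3 in the TLS 1.2 encoding; the rest of the table is outside the hunk, so this is inferred from the visible pattern.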
@@ -686,10 +686,13 @@ static const uint16_t tls12_sigalgs[] = {
     TLSEXT_SIGALG_rsa_pkcs1_sha512,
 #ifndef OPENSSL_NO_EC
+    TLSEXT_SIGALG_ecdsa_sha224,
     TLSEXT_SIGALG_ecdsa_sha1,
 #endif
+    TLSEXT_SIGALG_rsa_pkcs1_sha224,
     TLSEXT_SIGALG_rsa_pkcs1_sha1,
 #ifndef OPENSSL_NO_DSA
+    TLSEXT_SIGALG_dsa_sha224,
     TLSEXT_SIGALG_dsa_sha1,
     TLSEXT_SIGALG_dsa_sha256,
@@ -716,6 +719,9 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
     {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA512, NID_secp521r1},
+    {NULL, TLSEXT_SIGALG_ecdsa_sha224,
+     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
+     NID_ecdsa_with_SHA224, NID_undef},
     {NULL, TLSEXT_SIGALG_ecdsa_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA1, NID_undef},
@@ -738,6 +744,9 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
     {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha512WithRSAEncryption, NID_undef},
+    {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
+     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
+     NID_sha224WithRSAEncryption, NID_undef},
     {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha1WithRSAEncryption, NID_undef},
@@ -751,6 +760,9 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
     {NULL, TLSEXT_SIGALG_dsa_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_undef, NID_undef},
+    {NULL, TLSEXT_SIGALG_dsa_sha224,
+     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
+     NID_undef, NID_undef},
     {NULL, TLSEXT_SIGALG_dsa_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_dsaWithSHA1, NID_undef},
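Review bot: In the tls12_sigalgs hunk the new `TLSEXT_SIGALG_dsa_sha224,` lands above `TLSEXT_SIGALG_dsa_sha256,`, because the existing DSA group already lists dsa_sha1 before dsa_sha256; if this array is consumed in preference order (its name suggests it is the default sigalg list, but the consumer is outside the hunk) the weaker digest is now offered ahead of SHA-256 for DSA, so consider moving that line after `TLSEXT_SIGALG_dsa_sha256,` or after the dsa_sha512 entry that presumably follows. The three lookup-table rows in the later hunks mirror their sha1 neighbours, including a NULL name for the ECDSA and DSA rows while the RSA row is named `"rsa_pkcs1_sha224"`; a one-line comment on the NULL rows such as `/* No TLS 1.3 name: TLS 1.2-only codepoint, like the sha1 entries */` would stop a later reader treating the asymmetry as an omission. Both arrays start before their first hunk and end after the last.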
@@ -901,10 +913,11 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
     }
     lu = tls1_lookup_sigalg(sig);
     /*
-     * Check sigalgs is known. Disallow SHA1 with TLS 1.3. Check key type is
-     * consistent with signature: RSA keys can be used for RSA-PSS
+     * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
+     * is consistent with signature: RSA keys can be used for RSA-PSS
      */
-    if (lu == NULL || (SSL_IS_TLS13(s) && lu->hash == NID_sha1)
+    if (lu == NULL
+        || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
         || (pkeyid != lu->sig
             && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
@@ -1489,10 +1502,12 @@ int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
             return 0;
         /*
          * If TLS 1.3 must have at least one valid TLS 1.3 message
-         * signing algorithm: i.e. neither RSA nor SHA1
+         * signing algorithm: i.e. neither RSA nor SHA1/SHA224
          */
         if (rv == 0 && (!SSL_IS_TLS13(s)
-                        || (lu->sig != EVP_PKEY_RSA && lu->hash != NID_sha1)))
+                        || (lu->sig != EVP_PKEY_RSA
+                            && lu->hash != NID_sha1
+                            && lu->hash != NID_sha224)))
             rv = 1;
     }
     if (rv == 0)
@@ -2279,8 +2294,10 @@ int tls_choose_sigalg(SSL *s, int *al)
     for (i = 0; i < s->cert->shared_sigalgslen; i++) {
         lu = s->cert->shared_sigalgs[i];
-        /* Skip SHA1, DSA and RSA if not PSS */
-        if (lu->hash == NID_sha1 || lu->sig == EVP_PKEY_DSA
+        /* Skip SHA1, SHA224, DSA and RSA if not PSS */
+        if (lu->hash == NID_sha1
+            || lu->hash == NID_sha224
+            || lu->sig == EVP_PKEY_DSA
             || lu->sig == EVP_PKEY_RSA)
             continue;
         if (ssl_md(lu->hash_idx) == NULL)
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 891310d270..2e9c43040d 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
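Review bot: The TLS 1.3 digest exclusion `lu->hash == NID_sha1 || lu->hash == NID_sha224` is now written out by hand in three places — the `if (lu == NULL` condition in tls12_check_peer_sigalg, the `rv == 0` condition in tls12_copy_sigalgs and the skip test in tls_choose_sigalg — so the next digest to be retired, or a rollback of this one, has to be applied to three hunks that can drift apart. A small static helper taking the SIGALG_LOOKUP pointer keeps the rule in one place and makes each condition read as policy rather than a NID list; the rewritten conditions are sketched below. Note that the check_peer_sigalg condition refuses TLS 1.3 peers by hash only; whether an RSA PKCS#1 or DSA sigalg is refused under TLS 1.3 depends on the code before the hunk (the closing brace at its top), which is outside view. All three enclosing functions start and end outside their hunks.
```c
/* Digests that TLS 1.3 does not permit in signature_algorithms. */
static int tls13_legacy_hash(const SIGALG_LOOKUP *lu)
{
    return lu->hash == NID_sha1 || lu->hash == NID_sha224;
}

/* … unchanged: tls12_check_peer_sigalg() up to the lookup … */
    if (lu == NULL
        || (SSL_IS_TLS13(s) && tls13_legacy_hash(lu))
        || (pkeyid != lu->sig
            && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {

/* … unchanged: tls12_copy_sigalgs() loop body … */
        if (rv == 0 && (!SSL_IS_TLS13(s)
                        || (lu->sig != EVP_PKEY_RSA && !tls13_legacy_hash(lu))))
            rv = 1;

/* … unchanged: tls_choose_sigalg() shared_sigalgs loop … */
        /* Skip SHA1, SHA224, DSA and RSA if not PSS */
        if (tls13_legacy_hash(lu)
            || lu->sig == EVP_PKEY_DSA
            || lu->sig == EVP_PKEY_RSA)
            continue;
```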
@@ -533,6 +533,7 @@ static ssl_trace_tbl ssl_sigalg_tbl[] = {
     {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, "ecdsa_secp256r1_sha256"},
     {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, "ecdsa_secp384r1_sha384"},
     {TLSEXT_SIGALG_ecdsa_secp521r1_sha512, "ecdsa_secp521r1_sha512"},
+    {TLSEXT_SIGALG_ecdsa_sha224, "ecdsa_sha224"},
     {TLSEXT_SIGALG_ecdsa_sha1, "ecdsa_sha1"},
     {TLSEXT_SIGALG_rsa_pss_sha256, "rsa_pss_sha256"},
     {TLSEXT_SIGALG_rsa_pss_sha384, "rsa_pss_sha384"},
@@ -540,10 +541,12 @@ static ssl_trace_tbl ssl_sigalg_tbl[] = {
     {TLSEXT_SIGALG_rsa_pkcs1_sha256, "rsa_pkcs1_sha256"},
     {TLSEXT_SIGALG_rsa_pkcs1_sha384, "rsa_pkcs1_sha384"},
     {TLSEXT_SIGALG_rsa_pkcs1_sha512, "rsa_pkcs1_sha512"},
+    {TLSEXT_SIGALG_rsa_pkcs1_sha224, "rsa_pkcs1_sha224"},
     {TLSEXT_SIGALG_rsa_pkcs1_sha1, "rsa_pkcs1_sha1"},
     {TLSEXT_SIGALG_dsa_sha256, "dsa_sha256"},
     {TLSEXT_SIGALG_dsa_sha384, "dsa_sha384"},
     {TLSEXT_SIGALG_dsa_sha512, "dsa_sha512"},
+    {TLSEXT_SIGALG_dsa_sha224, "dsa_sha224"},
     {TLSEXT_SIGALG_dsa_sha1, "dsa_sha1"},
     {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},
     {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},
-- 
2.25.1