Loading ssl/t1_lib.c +10 −0 Original line number Diff line number Diff line Loading @@ -735,13 +735,17 @@ static const unsigned int tls12_sigalgs[] = { TLSEXT_SIGALG_rsa_pkcs1_sha384, TLSEXT_SIGALG_rsa_pkcs1_sha512, #ifndef OPENSSL_NO_EC TLSEXT_SIGALG_ecdsa_sha1, #endif TLSEXT_SIGALG_rsa_pkcs1_sha1, #ifndef OPENSSL_NO_DSA TLSEXT_SIGALG_dsa_sha1, TLSEXT_SIGALG_dsa_sha256, TLSEXT_SIGALG_dsa_sha384, TLSEXT_SIGALG_dsa_sha512 #endif }; #ifndef OPENSSL_NO_EC Loading @@ -758,10 +762,12 @@ typedef struct sigalg_lookup_st { } SIGALG_LOOKUP; static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { #ifndef OPENSSL_NO_EC {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, NID_sha256, EVP_PKEY_EC}, {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, NID_sha384, EVP_PKEY_EC}, {TLSEXT_SIGALG_ecdsa_secp521r1_sha512, NID_sha512, EVP_PKEY_EC}, {TLSEXT_SIGALG_ecdsa_sha1, NID_sha1, EVP_PKEY_EC}, #endif /* * PSS must appear before PKCS1 so that we prefer that when signing where * possible Loading @@ -773,13 +779,17 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { {TLSEXT_SIGALG_rsa_pkcs1_sha384, NID_sha384, EVP_PKEY_RSA}, {TLSEXT_SIGALG_rsa_pkcs1_sha512, NID_sha512, EVP_PKEY_RSA}, {TLSEXT_SIGALG_rsa_pkcs1_sha1, NID_sha1, EVP_PKEY_RSA}, #ifndef OPENSSL_NO_DSA {TLSEXT_SIGALG_dsa_sha256, NID_sha256, EVP_PKEY_DSA}, {TLSEXT_SIGALG_dsa_sha384, NID_sha384, EVP_PKEY_DSA}, {TLSEXT_SIGALG_dsa_sha512, NID_sha512, EVP_PKEY_DSA}, {TLSEXT_SIGALG_dsa_sha1, NID_sha1, EVP_PKEY_DSA}, #endif #ifndef OPENSSL_NO_GOST {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, NID_id_GostR3411_2012_256, NID_id_GostR3410_2012_256}, {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, NID_id_GostR3411_2012_512, NID_id_GostR3410_2012_512}, {TLSEXT_SIGALG_gostr34102001_gostr3411, NID_id_GostR3411_94, NID_id_GostR3410_2001} #endif }; static int tls_sigalg_get_hash(unsigned int sigalg) Loading test/recipes/70-test_sslsigalgs.t +3 −3 Original line number Diff line number Diff line Loading 
@@ -92,8 +92,8 @@ SKIP: { } SKIP: { skip "TLSv1.3 or TLSv1.2 disabled", 2 if disabled("tls1_2") || disabled("tls1_3"); skip "EC, TLSv1.3 or TLSv1.2 disabled", 2 if disabled("tls1_2") || disabled("tls1_3") || disabled("ec"); #Test 7: Sending a valid sig algs list but not including a sig type that # matches the certificate should fail in TLSv1.3. We need TLSv1.2 Loading @@ -118,7 +118,7 @@ SKIP: { } SKIP: { skip "TLSv1.2 disabled", 7 if disabled("tls1_2"); skip "EC or TLSv1.2 disabled", 7 if disabled("tls1_2") || disabled("ec"); $proxy->filter(\&sigalgs_filter); Loading test/sslapitest.c +6 −0 Original line number Diff line number Diff line Loading @@ -897,19 +897,25 @@ typedef struct { } sigalgs_list; static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA}; #ifndef OPENSSL_NO_EC static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC}; static const int validlist3[] = {NID_sha512, EVP_PKEY_EC}; #endif static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA}; static const int invalidlist2[] = {NID_sha256, NID_undef}; static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256}; static const int invalidlist4[] = {NID_sha256}; static const sigalgs_list testsigalgs[] = { {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1}, #ifndef OPENSSL_NO_EC {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1}, {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, #endif {NULL, 0, "RSA+SHA256", 1, 1}, #ifndef OPENSSL_NO_EC {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, {NULL, 0, "ECDSA+SHA512", 1, 0}, #endif {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0}, {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0}, {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0}, Loading Loading
ssl/t1_lib.c +10 −0 Original line number Diff line number Diff line Loading @@ -735,13 +735,17 @@ static const unsigned int tls12_sigalgs[] = { TLSEXT_SIGALG_rsa_pkcs1_sha384, TLSEXT_SIGALG_rsa_pkcs1_sha512, #ifndef OPENSSL_NO_EC TLSEXT_SIGALG_ecdsa_sha1, #endif TLSEXT_SIGALG_rsa_pkcs1_sha1, #ifndef OPENSSL_NO_DSA TLSEXT_SIGALG_dsa_sha1, TLSEXT_SIGALG_dsa_sha256, TLSEXT_SIGALG_dsa_sha384, TLSEXT_SIGALG_dsa_sha512 #endif }; #ifndef OPENSSL_NO_EC Loading @@ -758,10 +762,12 @@ typedef struct sigalg_lookup_st { } SIGALG_LOOKUP; static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { #ifndef OPENSSL_NO_EC {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, NID_sha256, EVP_PKEY_EC}, {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, NID_sha384, EVP_PKEY_EC}, {TLSEXT_SIGALG_ecdsa_secp521r1_sha512, NID_sha512, EVP_PKEY_EC}, {TLSEXT_SIGALG_ecdsa_sha1, NID_sha1, EVP_PKEY_EC}, #endif /* * PSS must appear before PKCS1 so that we prefer that when signing where * possible Loading @@ -773,13 +779,17 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { {TLSEXT_SIGALG_rsa_pkcs1_sha384, NID_sha384, EVP_PKEY_RSA}, {TLSEXT_SIGALG_rsa_pkcs1_sha512, NID_sha512, EVP_PKEY_RSA}, {TLSEXT_SIGALG_rsa_pkcs1_sha1, NID_sha1, EVP_PKEY_RSA}, #ifndef OPENSSL_NO_DSA {TLSEXT_SIGALG_dsa_sha256, NID_sha256, EVP_PKEY_DSA}, {TLSEXT_SIGALG_dsa_sha384, NID_sha384, EVP_PKEY_DSA}, {TLSEXT_SIGALG_dsa_sha512, NID_sha512, EVP_PKEY_DSA}, {TLSEXT_SIGALG_dsa_sha1, NID_sha1, EVP_PKEY_DSA}, #endif #ifndef OPENSSL_NO_GOST {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, NID_id_GostR3411_2012_256, NID_id_GostR3410_2012_256}, {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, NID_id_GostR3411_2012_512, NID_id_GostR3410_2012_512}, {TLSEXT_SIGALG_gostr34102001_gostr3411, NID_id_GostR3411_94, NID_id_GostR3410_2001} #endif }; static int tls_sigalg_get_hash(unsigned int sigalg) Loading
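Review bot: The guards added to tls12_sigalgs and sigalg_lookup_tbl keep the two tables consistent only by convention — nothing ties the new `#ifndef OPENSSL_NO_EC` / `#ifndef OPENSSL_NO_DSA` blocks in the advertised list to the matching blocks in the lookup table, so a later entry placed under one guard but not the other compiles cleanly and is only discovered when the lookup misses at runtime (tls_sigalg_get_hash, whose signature follows the last hunk, looks like one such consumer, but its body is outside the hunk). A comment on the advertised list would make the invariant visible: `/* Every sigalg listed here must also appear in sigalg_lookup_tbl under the same OPENSSL_NO_* guard */`. Separately, the lines the new guards enclose are exactly the SHA-1 variants (`ecdsa_sha1`, `rsa_pkcs1_sha1`, `dsa_sha1`), which remain in the default advertised list; that predates this change, but since these lines are being touched it is worth a one-line note saying why they are kept — presumably TLSv1.2 interoperability, confirm before wording it.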
test/recipes/70-test_sslsigalgs.t +3 −3 Original line number Diff line number Diff line Loading @@ -92,8 +92,8 @@ SKIP: { } SKIP: { skip "TLSv1.3 or TLSv1.2 disabled", 2 if disabled("tls1_2") || disabled("tls1_3"); skip "EC, TLSv1.3 or TLSv1.2 disabled", 2 if disabled("tls1_2") || disabled("tls1_3") || disabled("ec"); #Test 7: Sending a valid sig algs list but not including a sig type that # matches the certificate should fail in TLSv1.3. We need TLSv1.2 Loading @@ -118,7 +118,7 @@ SKIP: { } SKIP: { skip "TLSv1.2 disabled", 7 if disabled("tls1_2"); skip "EC or TLSv1.2 disabled", 7 if disabled("tls1_2") || disabled("ec"); $proxy->filter(\&sigalgs_filter); Loading
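Review bot: The two widened `skip` conditions give no indication of why EC is now a prerequisite for these blocks; the only nearby comment (Test 7) talks about a sig algs list that does not match the certificate, which on its own does not require EC. Presumably `sigalgs_filter` injects ECDSA sig algs (its body is not in the hunk), so a no-ec build cannot build the scenario at all — a one-line comment above each skip, e.g. `# sigalgs_filter sends ECDSA sig algs, so these tests need EC`, would record that; confirm the wording against the filter. Both SKIP blocks close outside the hunk.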
test/sslapitest.c +6 −0 Original line number Diff line number Diff line Loading @@ -897,19 +897,25 @@ typedef struct { } sigalgs_list; static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA}; #ifndef OPENSSL_NO_EC static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC}; static const int validlist3[] = {NID_sha512, EVP_PKEY_EC}; #endif static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA}; static const int invalidlist2[] = {NID_sha256, NID_undef}; static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256}; static const int invalidlist4[] = {NID_sha256}; static const sigalgs_list testsigalgs[] = { {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1}, #ifndef OPENSSL_NO_EC {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1}, {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, #endif {NULL, 0, "RSA+SHA256", 1, 1}, #ifndef OPENSSL_NO_EC {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, {NULL, 0, "ECDSA+SHA512", 1, 0}, #endif {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0}, {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0}, {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0}, Loading
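Review bot: Wrapping the string-form entries `"RSA+SHA256:ECDSA+SHA512"` and `"ECDSA+SHA512"` in `#ifndef OPENSSL_NO_EC` removes them entirely from a no-ec build, so that configuration never checks how the sigalgs parser treats a name for an algorithm the library was built without. If the parser rejects such names in that build (I cannot tell from the hunk, and the meaning of the last two struct members is declared above it), an `#else` branch expecting failure would keep the path covered: `#else` / `{NULL, 0, "ECDSA+SHA512", 0, 0},` ahead of the `#endif`; the same idea applies to `validlist3`, which could become an expected-failure entry instead of disappearing. The testsigalgs array continues past the end of the hunk.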