Use uint16_t for signature scheme. (98c792d1) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

ssl/ssl_locl.h

+6 −6

Original line number	Diff line number	Diff line
		@@ -1266,7 +1266,7 @@ typedef struct ssl3_state_st {
		* algorithms extension for server or as part of a certificate
		* request for client.
		*/
		unsigned int *peer_sigalgs;
		uint16_t *peer_sigalgs;
		/* Size of above array */
		size_t peer_sigalgslen;
		/* Digest peer uses for signing */
		@@ -1535,7 +1535,7 @@ typedef struct cert_st {
		* the client hello as the supported signature algorithms extension. For
		* servers it represents the signature algorithms we are willing to use.
		*/
		unsigned int *conf_sigalgs;
		uint16_t *conf_sigalgs;
		/* Size of above array */
		size_t conf_sigalgslen;
		/*
		@@ -1545,7 +1545,7 @@ typedef struct cert_st {
		* represents the signature algorithms we are willing to use for client
		* authentication.
		*/
		unsigned int *client_sigalgs;
		uint16_t *client_sigalgs;
		/* Size of above array */
		size_t client_sigalgslen;
		/*
		@@ -1595,7 +1595,7 @@ struct tls_sigalgs_st {
		/* Combined hash and signature NID */
		int signandhash_nid;
		/* Raw value used in extension */
		unsigned int rsigalg;
		uint16_t rsigalg;
		};

		# define FP_ICC (int ()(const void ,const void *))
		@@ -2250,10 +2250,10 @@ __owur EVP_MD_CTX ssl_replace_hash(EVP_MD_CTX hash, const EVP_MD md);
		void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
		__owur long ssl_get_algorithm2(SSL *s);
		__owur int tls12_copy_sigalgs(SSL s, WPACKET pkt,
		const unsigned int *psig, size_t psiglen);
		const uint16_t *psig, size_t psiglen);
		__owur int tls1_save_sigalgs(SSL s, PACKET pkt);
		__owur int tls1_process_sigalgs(SSL *s);
		__owur size_t tls12_get_psigalgs(SSL s, int sent, const unsigned int *psigs);
		__owur size_t tls12_get_psigalgs(SSL s, int sent, const uint16_t *psigs);
		__owur int tls12_check_peer_sigalg(const EVP_MD *pmd, SSL s, unsigned int sig,
		EVP_PKEY *pkey);
		void ssl_set_client_disabled(SSL *s);

ssl/statem/extensions_clnt.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -227,7 +227,7 @@ int tls_construct_ctos_sig_algs(SSL s, WPACKET pkt, X509 *x, size_t chainidx,
		int *al)
		{
		size_t salglen;
		const unsigned int *salg;
		const uint16_t *salg;

		if (!SSL_CLIENT_USE_SIGALGS(s))
		return 1;

ssl/statem/statem_srvr.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2332,7 +2332,7 @@ int tls_construct_certificate_request(SSL s, WPACKET pkt)
		}

		if (SSL_USE_SIGALGS(s)) {
		const unsigned int *psigs;
		const uint16_t *psigs;
		size_t nl = tls12_get_psigalgs(s, 1, &psigs);

		if (!WPACKET_start_sub_packet_u16(pkt)

ssl/t1_lib.c

+21 −20

Original line number	Diff line number	Diff line
		@@ -670,7 +670,7 @@ static int tls1_check_cert_param(SSL s, X509 x, int set_ee_md)
		#endif /* OPENSSL_NO_EC */

		/* Default sigalg schemes */
		static const unsigned int tls12_sigalgs[] = {
		static const uint16_t tls12_sigalgs[] = {
		#ifndef OPENSSL_NO_EC
		TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
		TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
		@@ -699,14 +699,14 @@ static const unsigned int tls12_sigalgs[] = {
		};

		#ifndef OPENSSL_NO_EC
		static const unsigned int suiteb_sigalgs[] = {
		static const uint16_t suiteb_sigalgs[] = {
		TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
		TLSEXT_SIGALG_ecdsa_secp384r1_sha384
		};
		#endif

		typedef struct sigalg_lookup_st {
		unsigned int sigalg;
		uint16_t sigalg;
		int hash;
		int sig;
		} SIGALG_LOOKUP;
		@@ -742,7 +742,7 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
		#endif
		};

		static int tls_sigalg_get_hash(unsigned int sigalg)
		static int tls_sigalg_get_hash(uint16_t sigalg)
		{
		size_t i;
		const SIGALG_LOOKUP *curr;
		@@ -756,7 +756,7 @@ static int tls_sigalg_get_hash(unsigned int sigalg)
		return 0;
		}

		static int tls_sigalg_get_sig(unsigned int sigalg)
		static int tls_sigalg_get_sig(uint16_t sigalg)
		{
		size_t i;
		const SIGALG_LOOKUP *curr;
		@@ -769,7 +769,8 @@ static int tls_sigalg_get_sig(unsigned int sigalg)

		return 0;
		}
		size_t tls12_get_psigalgs(SSL s, int sent, const unsigned int *psigs)

		size_t tls12_get_psigalgs(SSL s, int sent, const uint16_t *psigs)
		{
		/*
		* If Suite B mode use Suite B sigalgs only, ignore any other
		@@ -814,7 +815,7 @@ size_t tls12_get_psigalgs(SSL s, int sent, const unsigned int *psigs)
		int tls12_check_peer_sigalg(const EVP_MD *pmd, SSL s, unsigned int sig,
		EVP_PKEY *pkey)
		{
		const unsigned int *sent_sigs;
		const uint16_t *sent_sigs;
		char sigalgstr[2];
		size_t sent_sigslen, i;
		int pkeyid = EVP_PKEY_id(pkey);
		@@ -1365,7 +1366,7 @@ static int tls12_get_pkey_idx(int sig_nid)

		/* Convert TLS 1.2 signature algorithm extension values into NIDs */
		static void tls1_lookup_sigalg(int phash_nid, int psign_nid,
		int *psignhash_nid, unsigned int data)
		int *psignhash_nid, uint16_t data)
		{
		int sign_nid = NID_undef, hash_nid = NID_undef;
		if (!phash_nid && !psign_nid && !psignhash_nid)
		@@ -1414,7 +1415,7 @@ static int tls12_sigalg_allowed(SSL *s, int op, unsigned int ptmp)

		void ssl_set_sig_mask(uint32_t pmask_a, SSL s, int op)
		{
		const unsigned int *sigalgs;
		const uint16_t *sigalgs;
		size_t i, sigalgslen;
		int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
		/*
		@@ -1454,7 +1455,7 @@ void ssl_set_sig_mask(uint32_t pmask_a, SSL s, int op)
		}

		int tls12_copy_sigalgs(SSL s, WPACKET pkt,
		const unsigned int *psig, size_t psiglen)
		const uint16_t *psig, size_t psiglen)
		{
		size_t i;

		@@ -1469,10 +1470,10 @@ int tls12_copy_sigalgs(SSL s, WPACKET pkt,

		/* Given preference and allowed sigalgs set shared sigalgs */
		static size_t tls12_shared_sigalgs(SSL s, TLS_SIGALGS shsig,
		const unsigned int *pref, size_t preflen,
		const unsigned int *allow, size_t allowlen)
		const uint16_t *pref, size_t preflen,
		const uint16_t *allow, size_t allowlen)
		{
		const unsigned int ptmp, atmp;
		const uint16_t ptmp, atmp;
		size_t i, j, nmatch = 0;
		for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
		/* Skip disabled hashes or signature algorithms */
		@@ -1498,7 +1499,7 @@ static size_t tls12_shared_sigalgs(SSL s, TLS_SIGALGS shsig,
		/* Set shared signature algorithms for SSL structures */
		static int tls1_set_shared_sigalgs(SSL *s)
		{
		const unsigned int pref, allow, *conf;
		const uint16_t pref, allow, *conf;
		size_t preflen, allowlen, conflen;
		size_t nmatch;
		TLS_SIGALGS *salgs = NULL;
		@@ -1547,6 +1548,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
		int tls1_save_sigalgs(SSL s, PACKET pkt)
		{
		CERT *c = s->cert;
		unsigned int stmp;
		size_t size, i;

		/* Extension ignored for inappropriate versions */
		@@ -1570,9 +1572,8 @@ int tls1_save_sigalgs(SSL s, PACKET pkt)
		if (s->s3->tmp.peer_sigalgs == NULL)
		return 0;
		s->s3->tmp.peer_sigalgslen = size;
		for (i = 0; i < size && PACKET_get_net_2(pkt, &s->s3->tmp.peer_sigalgs[i]);
		i++)
		continue;
		for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
		s->s3->tmp.peer_sigalgs[i] = stmp;

		if (i != size)
		return 0;
		@@ -1655,7 +1656,7 @@ int SSL_get_sigalgs(SSL *s, int idx,
		int psign, int phash, int *psignhash,
		unsigned char rsig, unsigned char rhash)
		{
		unsigned int *psig = s->s3->tmp.peer_sigalgs;
		uint16_t *psig = s->s3->tmp.peer_sigalgs;
		size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
		if (psig == NULL \|\| numsigalgs > INT_MAX)
		return 0;
		@@ -1771,7 +1772,7 @@ int tls1_set_sigalgs_list(CERT c, const char str, int client)
		/* TODO(TLS1.3): Needs updating to allow setting of TLS1.3 sig algs */
		int tls1_set_sigalgs(CERT c, const int psig_nids, size_t salglen, int client)
		{
		unsigned int sigalgs, sptr;
		uint16_t sigalgs, sptr;
		size_t i;

		if (salglen & 1)
		@@ -1971,7 +1972,7 @@ int tls1_check_chain(SSL s, X509 x, EVP_PKEY pk, STACK_OF(X509) chain,
		*/
		if (default_nid > 0 && c->conf_sigalgs) {
		size_t j;
		const unsigned int *p = c->conf_sigalgs;
		const uint16_t *p = c->conf_sigalgs;
		for (j = 0; j < c->conf_sigalgslen; j++, p++) {
		if (tls_sigalg_get_hash(*p) == NID_sha1
		&& tls_sigalg_get_sig(*p) == rsign)