Commit d8311fc9 authored by Matt Caswell's avatar Matt Caswell
Browse files

Add back support for SHA224 based sig algs 



This used to work but was inadvertently removed as part of the TLSv1.3
work. This adds it back.

Fixes #3633

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3639)
parent edef840f

ssl/ssl_locl.h

+3 −0
Original line number Diff line number Diff line
@@ -1857,6 +1857,7 @@ typedef enum downgrade_en { 
#define TLSEXT_SIGALG_ecdsa_secp256r1_sha256                    0x0403

#define TLSEXT_SIGALG_ecdsa_secp384r1_sha384                    0x0503

#define TLSEXT_SIGALG_ecdsa_secp521r1_sha512                    0x0603

#define TLSEXT_SIGALG_ecdsa_sha224                              0x0303

#define TLSEXT_SIGALG_ecdsa_sha1                                0x0203

#define TLSEXT_SIGALG_rsa_pss_sha256                            0x0804

#define TLSEXT_SIGALG_rsa_pss_sha384                            0x0805
@@ -1864,10 +1865,12 @@ typedef enum downgrade_en { 
#define TLSEXT_SIGALG_rsa_pkcs1_sha256                          0x0401

#define TLSEXT_SIGALG_rsa_pkcs1_sha384                          0x0501

#define TLSEXT_SIGALG_rsa_pkcs1_sha512                          0x0601

#define TLSEXT_SIGALG_rsa_pkcs1_sha224                          0x0301

#define TLSEXT_SIGALG_rsa_pkcs1_sha1                            0x0201

#define TLSEXT_SIGALG_dsa_sha256                                0x0402

#define TLSEXT_SIGALG_dsa_sha384                                0x0502

#define TLSEXT_SIGALG_dsa_sha512                                0x0602

#define TLSEXT_SIGALG_dsa_sha224                                0x0302

#define TLSEXT_SIGALG_dsa_sha1                                  0x0202

#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256       0xeeee

#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512       0xefef

ssl/t1_lib.c

+24 −7
Original line number Diff line number Diff line
@@ -686,10 +686,13 @@ static const uint16_t tls12_sigalgs[] = { 
    TLSEXT_SIGALG_rsa_pkcs1_sha512,



#ifndef OPENSSL_NO_EC

    TLSEXT_SIGALG_ecdsa_sha224,

    TLSEXT_SIGALG_ecdsa_sha1,

#endif

    TLSEXT_SIGALG_rsa_pkcs1_sha224,

    TLSEXT_SIGALG_rsa_pkcs1_sha1,

#ifndef OPENSSL_NO_DSA

    TLSEXT_SIGALG_dsa_sha224,

    TLSEXT_SIGALG_dsa_sha1,



    TLSEXT_SIGALG_dsa_sha256,
@@ -716,6 +719,9 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { 
    {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,

     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,

     NID_ecdsa_with_SHA512, NID_secp521r1},

    {NULL, TLSEXT_SIGALG_ecdsa_sha224,

     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,

     NID_ecdsa_with_SHA224, NID_undef},

    {NULL, TLSEXT_SIGALG_ecdsa_sha1,

     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,

     NID_ecdsa_with_SHA1, NID_undef},
@@ -738,6 +744,9 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { 
    {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,

     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,

     NID_sha512WithRSAEncryption, NID_undef},

    {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,

     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,

     NID_sha224WithRSAEncryption, NID_undef},

    {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,

     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,

     NID_sha1WithRSAEncryption, NID_undef},
@@ -751,6 +760,9 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { 
    {NULL, TLSEXT_SIGALG_dsa_sha512,

     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,

     NID_undef, NID_undef},

    {NULL, TLSEXT_SIGALG_dsa_sha224,

     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,

     NID_undef, NID_undef},

    {NULL, TLSEXT_SIGALG_dsa_sha1,

     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,

     NID_dsaWithSHA1, NID_undef},
@@ -901,10 +913,11 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) 
    }

    lu = tls1_lookup_sigalg(sig);

    /*

     * Check sigalgs is known. Disallow SHA1 with TLS 1.3. Check key type is

     * consistent with signature: RSA keys can be used for RSA-PSS

     * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type

     * is consistent with signature: RSA keys can be used for RSA-PSS

     */

    if (lu == NULL || (SSL_IS_TLS13(s) && lu->hash == NID_sha1)

    if (lu == NULL

        || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))

        || (pkeyid != lu->sig

        && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {

        SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
@@ -1489,10 +1502,12 @@ int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, 
            return 0;

        /*

         * If TLS 1.3 must have at least one valid TLS 1.3 message

         * signing algorithm: i.e. neither RSA nor SHA1

         * signing algorithm: i.e. neither RSA nor SHA1/SHA224

         */

        if (rv == 0 && (!SSL_IS_TLS13(s)

            || (lu->sig != EVP_PKEY_RSA && lu->hash != NID_sha1)))

            || (lu->sig != EVP_PKEY_RSA

                && lu->hash != NID_sha1

                && lu->hash != NID_sha224)))

            rv = 1;

    }

    if (rv == 0)
@@ -2279,8 +2294,10 @@ int tls_choose_sigalg(SSL *s, int *al) 
        for (i = 0; i < s->cert->shared_sigalgslen; i++) {

            lu = s->cert->shared_sigalgs[i];



            /* Skip SHA1, DSA and RSA if not PSS */

            if (lu->hash == NID_sha1 || lu->sig == EVP_PKEY_DSA

            /* Skip SHA1, SHA224, DSA and RSA if not PSS */

            if (lu->hash == NID_sha1

                || lu->hash == NID_sha224

                || lu->sig == EVP_PKEY_DSA

                || lu->sig == EVP_PKEY_RSA)

                continue;

            if (ssl_md(lu->hash_idx) == NULL)

ssl/t1_trce.c

+3 −0
Original line number Diff line number Diff line
@@ -533,6 +533,7 @@ static ssl_trace_tbl ssl_sigalg_tbl[] = { 
    {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, "ecdsa_secp256r1_sha256"},

    {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, "ecdsa_secp384r1_sha384"},

    {TLSEXT_SIGALG_ecdsa_secp521r1_sha512, "ecdsa_secp521r1_sha512"},

    {TLSEXT_SIGALG_ecdsa_sha224, "ecdsa_sha224"},

    {TLSEXT_SIGALG_ecdsa_sha1, "ecdsa_sha1"},

    {TLSEXT_SIGALG_rsa_pss_sha256, "rsa_pss_sha256"},

    {TLSEXT_SIGALG_rsa_pss_sha384, "rsa_pss_sha384"},
@@ -540,10 +541,12 @@ static ssl_trace_tbl ssl_sigalg_tbl[] = { 
    {TLSEXT_SIGALG_rsa_pkcs1_sha256, "rsa_pkcs1_sha256"},

    {TLSEXT_SIGALG_rsa_pkcs1_sha384, "rsa_pkcs1_sha384"},

    {TLSEXT_SIGALG_rsa_pkcs1_sha512, "rsa_pkcs1_sha512"},

    {TLSEXT_SIGALG_rsa_pkcs1_sha224, "rsa_pkcs1_sha224"},

    {TLSEXT_SIGALG_rsa_pkcs1_sha1, "rsa_pkcs1_sha1"},

    {TLSEXT_SIGALG_dsa_sha256, "dsa_sha256"},

    {TLSEXT_SIGALG_dsa_sha384, "dsa_sha384"},

    {TLSEXT_SIGALG_dsa_sha512, "dsa_sha512"},

    {TLSEXT_SIGALG_dsa_sha224, "dsa_sha224"},

    {TLSEXT_SIGALG_dsa_sha1, "dsa_sha1"},

    {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},

    {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},