author | Matt Caswell <matt@openssl.org> | 2016-12-14 14:31:21 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-01-10 23:02:50 +0000 |
commit | 703bcee021790d33e07809c9b07fd51d2b4b5474 (patch) | |
tree | 329bdc88314a202c2d53896b5e1901e15de2b3f2 /ssl/statem | |
parent | 5f9b64a2fdfd0ccf04d58c8b04d576f13950d63f (diff) |
Convert Sigalgs processing to use ints
In TLSv1.2 an individual sig alg is represented by 1 byte for the hash
and 1 byte for the signature. In TLSv1.3 each sig alg is represented by
two bytes, where the two bytes together represent a single hash and
signature combination. This converts the internal representation of sigalgs
to use a single int for the pair, rather than a pair of bytes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/extensions_clnt.c | 2 | ||||
-rw-r--r-- | ssl/statem/extensions_srvr.c | 6 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 14 | ||||
-rw-r--r-- | ssl/statem/statem_lib.c | 7 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 3 |
5 files changed, 17 insertions, 15 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index be0c979eb9..18f5ca3d1b 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -226,7 +226,7 @@ int tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, int *al) { size_t salglen; - const unsigned char *salg; + const unsigned int *salg; if (!SSL_CLIENT_USE_SIGALGS(s)) return 1; diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index c868bb9e2c..d58eedda3a 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -204,15 +204,13 @@ int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, PACKET supported_sig_algs; if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs) - || (PACKET_remaining(&supported_sig_algs) % 2) != 0 || PACKET_remaining(&supported_sig_algs) == 0) { *al = SSL_AD_DECODE_ERROR; return 0; } - if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs), - PACKET_remaining(&supported_sig_algs))) { - *al = TLS1_AD_INTERNAL_ERROR; + if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) { + *al = TLS1_AD_DECODE_ERROR; return 0; } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index ff57e9217a..432dc915b7 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1880,14 +1880,15 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) } if (SSL_USE_SIGALGS(s)) { - const unsigned char *sigalgs; + unsigned int sigalg; int rv; - if (!PACKET_get_bytes(pkt, &sigalgs, 2)) { + + if (!PACKET_get_net_2(pkt, &sigalg)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto err; } - rv = tls12_check_peer_sigalg(&md, s, sigalgs, pkey); + rv = tls12_check_peer_sigalg(&md, s, sigalg, pkey); if (rv == -1) { al = SSL_AD_INTERNAL_ERROR; goto err; 
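Review bot: The odd-length rejection (`(PACKET_remaining(&supported_sig_algs) % 2) != 0`) is dropped from tls_parse_ctos_sig_algs, so the parity of this peer-supplied list is now checked only if tls1_save_sigalgs does it, and that function is outside this ssl/statem-limited diff. The same applies to the `(list_len & 1)` test removed from tls_process_certificate_request in statem_clnt.c. Either keep the cheap local check or put a comment above both calls, for example `/* tls1_save_sigalgs() rejects an odd byte count */`, so the validation is not silently lost if the callee changes. Every failure of tls1_save_sigalgs is now reported as a decode error; if it can also fail for a non-parse reason such as allocation, that alert would mislead. The new line also uses `TLS1_AD_DECODE_ERROR` where the branch just above uses `SSL_AD_DECODE_ERROR`; `*al = SSL_AD_DECODE_ERROR;` would keep the function consistent.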
@@ -2026,8 +2027,9 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) s->s3->tmp.ctype[i] = data[i]; if (SSL_USE_SIGALGS(s)) { - if (!PACKET_get_net_2(pkt, &list_len) - || !PACKET_get_bytes(pkt, &data, list_len)) { + PACKET sigalgs; + + if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH); @@ -2039,7 +2041,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) s->s3->tmp.md[i] = NULL; s->s3->tmp.valid_flags[i] = 0; } - if ((list_len & 1) || !tls1_save_sigalgs(s, data, list_len)) { + if (!tls1_save_sigalgs(s, &sigalgs)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_SIGNATURE_ALGORITHMS_ERROR); diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 827de4be34..4353202e39 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -238,7 +238,7 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) { EVP_PKEY *pkey = NULL; - const unsigned char *sig, *data; + const unsigned char *data; #ifndef OPENSSL_NO_GOST unsigned char *gost_data = NULL; #endif @@ -284,12 +284,13 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) { if (SSL_USE_SIGALGS(s)) { int rv; + unsigned int sigalg; - if (!PACKET_get_bytes(pkt, &sig, 2)) { + if (!PACKET_get_net_2(pkt, &sigalg)) { al = SSL_AD_DECODE_ERROR; goto f_err; } - rv = tls12_check_peer_sigalg(&md, s, sig, pkey); + rv = tls12_check_peer_sigalg(&md, s, sigalg, pkey); if (rv == -1) { goto f_err; } else if (rv == 0) { diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index d08ed6f77b..12eb6aeb42 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c 
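Review bot: An empty signature-algorithms list is still not rejected in tls_process_certificate_request: `PACKET_get_length_prefixed_2(pkt, &sigalgs)` succeeds on a zero-length vector, whereas the server-side parser in extensions_srvr.c fails explicitly on `PACKET_remaining(&supported_sig_algs) == 0`. Unless tls1_save_sigalgs (not shown in this diff) refuses an empty PACKET, a CertificateRequest carrying no sigalgs would be accepted and processing would continue with nothing saved. Consider `if (!PACKET_get_length_prefixed_2(pkt, &sigalgs) || PACKET_remaining(&sigalgs) == 0) {` so both directions validate the list the same way. The function starts and ends outside these hunks.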
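Review bot: The decode-failure branch in tls_process_cert_verify (`if (!PACKET_get_net_2(pkt, &sigalg))`) sets `al` and jumps to `f_err` without queuing an error, while the equivalent branch in tls_process_key_exchange raises `SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT)`. A truncated CertificateVerify then leaves nothing in the error queue to tell it apart from other handshake failures when logs are reviewed. Adding `SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_TOO_SHORT);` before the `goto` would align the two paths. The `rv == -1` branch likewise goes to `f_err` without assigning `al`, so the alert sent depends on an initialiser that is outside the hunk.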
@@ -2292,8 +2292,9 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) } if (SSL_USE_SIGALGS(s)) { - const unsigned char *psigs; + const unsigned int *psigs; size_t nl = tls12_get_psigalgs(s, &psigs); + if (!WPACKET_start_sub_packet_u16(pkt) || !tls12_copy_sigalgs(s, pkt, psigs, nl) || !WPACKET_close(pkt)) { |
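Review bot: The unit of `nl` in tls_construct_certificate_request is no longer obvious now that `psigs` points at `unsigned int` entries instead of bytes. With one-byte elements a byte length and an element count could not be confused by a factor of the element size, but with `unsigned int` a mix-up between tls12_get_psigalgs and tls12_copy_sigalgs would over-read or under-copy the table. Neither callee is visible in this diff, so the contract should be stated at the call site; if it is a count, something like `/* nl is the number of entries in psigs, not a byte length */` above the declaration would do. The enclosing function starts and ends outside the hunk.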