diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2015-11-29 16:54:27 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2015-11-30 03:49:35 +0000 |
| commit | 7afd231275a6841556dd674ac0df471d0b7bcf33 (patch) | |
| tree | f3a78d58ac73ff01caf6676a3695dc2a2560fc69 /ssl | |
| parent | aa430c7467bcb7aa0a88fac45369e3dea7e13a23 (diff) | |
Use digest indices for signature algorithms.
Don't hard code EVP_sha* etc for signature algorithms: use table
indices instead. Add SHA224 and SHA512 to tables.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/ssl_ciph.c | 6 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 4 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 45 |
3 files changed, 20 insertions, 35 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 2059fa071f..58fd1fadf6 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -230,11 +230,13 @@ static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = { {SSL_GOST12_256, NID_id_GostR3411_2012_256}, /* SSL_MD_GOST12_256_IDX 6 */ {SSL_GOST89MAC12, NID_gost_mac_12}, /* SSL_MD_GOST89MAC12_IDX 7 */ {SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */ - {0, NID_md5_sha1} /* SSL_MD_MD5_SHA1_IDX 9 */ + {0, NID_md5_sha1}, /* SSL_MD_MD5_SHA1_IDX 9 */ + {0, NID_sha224}, /* SSL_MD_SHA224_IDX 10 */ + {0, NID_sha512} /* SSL_MD_SHA512_IDX 11 */ }; static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = { - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; /* Utility function for table lookup */ diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 9d28b97da7..b4c6244896 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -406,7 +406,9 @@ # define SSL_MD_GOST89MAC12_IDX 7 # define SSL_MD_GOST12_512_IDX 8 # define SSL_MD_MD5_SHA1_IDX 9 -# define SSL_MAX_DIGEST 10 +# define SSL_MD_SHA224_IDX 10 +# define SSL_MD_SHA512_IDX 11 +# define SSL_MAX_DIGEST 12 /* Bits for algorithm2 (handshake digests and other extra flags) */ diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ed6fb0725d..0ace6280df 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3254,39 +3254,20 @@ int tls12_get_sigid(const EVP_PKEY *pk) typedef struct { int nid; int secbits; - const EVP_MD *(*mfunc) (void); + int md_idx; unsigned char tlsext_hash; } tls12_hash_info; -static const EVP_MD* md_gost94() -{ - return EVP_get_digestbynid(NID_id_GostR3411_94); -} - -static const EVP_MD* md_gost2012_256() -{ - return EVP_get_digestbynid(NID_id_GostR3411_2012_256); -} - -static const EVP_MD* md_gost2012_512() -{ - return EVP_get_digestbynid(NID_id_GostR3411_2012_512); -} - static const tls12_hash_info tls12_md_info[] = { -#ifdef OPENSSL_NO_MD5 - {NID_md5, 64, 0, TLSEXT_hash_md5}, -#else - {NID_md5, 64, EVP_md5, TLSEXT_hash_md5}, -#endif - {NID_sha1, 80, EVP_sha1, TLSEXT_hash_sha1}, - {NID_sha224, 112, EVP_sha224, TLSEXT_hash_sha224}, - {NID_sha256, 128, EVP_sha256, TLSEXT_hash_sha256}, - {NID_sha384, 192, EVP_sha384, TLSEXT_hash_sha384}, - {NID_sha512, 256, EVP_sha512, TLSEXT_hash_sha512}, - {NID_id_GostR3411_94, 128, md_gost94, TLSEXT_hash_gostr3411}, - {NID_id_GostR3411_2012_256, 128, md_gost2012_256, TLSEXT_hash_gostr34112012_256}, - {NID_id_GostR3411_2012_512, 256, md_gost2012_512, TLSEXT_hash_gostr34112012_512}, + {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5}, + {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1}, + {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224}, + {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256}, + {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384}, + {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512}, + {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411}, + {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256}, + {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512}, }; static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg) @@ -3310,9 +3291,9 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg) if (hash_alg == TLSEXT_hash_md5 && FIPS_mode()) return NULL; inf = tls12_get_hash_info(hash_alg); - if (!inf || !inf->mfunc) + if (!inf) return NULL; - return inf->mfunc(); + return ssl_md(inf->md_idx); } static int tls12_get_pkey_idx(unsigned char sig_alg) @@ -3374,7 +3355,7 @@ static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp) { /* See if we have an entry in the hash table and it is enabled */ const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]); - if (!hinf || !hinf->mfunc) + if (hinf == NULL || ssl_md(hinf->md_idx) == NULL) return 0; /* See if public key algorithm allowed */ if (tls12_get_pkey_idx(ptmp[1]) == -1) |