[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Mon Nov 30 03:52:07 UTC 2015
The branch master has been updated
via 30c7fea496083d41b809db0041e6dfd3ea9cb858 (commit)
via 7afd231275a6841556dd674ac0df471d0b7bcf33 (commit)
from aa430c7467bcb7aa0a88fac45369e3dea7e13a23 (commit)
- Log -----------------------------------------------------------------
commit 30c7fea496083d41b809db0041e6dfd3ea9cb858
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Nov 29 16:59:18 2015 +0000
Remove GOST special case: handled automatically now.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
commit 7afd231275a6841556dd674ac0df471d0b7bcf33
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Nov 29 16:54:27 2015 +0000
Use digest indices for signature algorithms.
Don't hard code EVP_sha* etc for signature algorithms: use table
indices instead. Add SHA224 and SHA512 to tables.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_ciph.c | 6 ++++--
ssl/ssl_locl.h | 4 +++-
ssl/t1_lib.c | 60 +++++++++++++---------------------------------------------
3 files changed, 20 insertions(+), 50 deletions(-)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 2059fa0..58fd1fa 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -230,11 +230,13 @@ static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
{SSL_GOST12_256, NID_id_GostR3411_2012_256}, /* SSL_MD_GOST12_256_IDX 6 */
{SSL_GOST89MAC12, NID_gost_mac_12}, /* SSL_MD_GOST89MAC12_IDX 7 */
{SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */
- {0, NID_md5_sha1} /* SSL_MD_MD5_SHA1_IDX 9 */
+ {0, NID_md5_sha1}, /* SSL_MD_MD5_SHA1_IDX 9 */
+ {0, NID_sha224}, /* SSL_MD_SHA224_IDX 10 */
+ {0, NID_sha512} /* SSL_MD_SHA512_IDX 11 */
};
static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
};
/* Utility function for table lookup */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 9d28b97..b4c6244 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -406,7 +406,9 @@
# define SSL_MD_GOST89MAC12_IDX 7
# define SSL_MD_GOST12_512_IDX 8
# define SSL_MD_MD5_SHA1_IDX 9
-# define SSL_MAX_DIGEST 10
+# define SSL_MD_SHA224_IDX 10
+# define SSL_MD_SHA512_IDX 11
+# define SSL_MAX_DIGEST 12
/* Bits for algorithm2 (handshake digests and other extra flags) */
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index ed6fb07..02ad438 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -994,22 +994,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
return s->cert->conf_sigalgslen;
} else {
*psigs = tls12_sigalgs;
-#ifndef OPENSSL_NO_GOST
- /*
- * We expect that GOST 2001 signature and GOST 34.11-94 hash are present in all engines
- * and GOST 2012 algorithms are not always present.
- * It may change when the old algorithms are deprecated.
- */
- if ((EVP_get_digestbynid(NID_id_GostR3411_94) != NULL)
- && (EVP_get_digestbynid(NID_id_GostR3411_2012_256) == NULL)) {
- return sizeof(tls12_sigalgs) - 4;
- } else if (EVP_get_digestbynid(NID_id_GostR3411_94) == NULL) {
- return sizeof(tls12_sigalgs) - 6;
- }
return sizeof(tls12_sigalgs);
-#else
- return sizeof(tls12_sigalgs);
-#endif
}
}
@@ -3254,39 +3239,20 @@ int tls12_get_sigid(const EVP_PKEY *pk)
typedef struct {
int nid;
int secbits;
- const EVP_MD *(*mfunc) (void);
+ int md_idx;
unsigned char tlsext_hash;
} tls12_hash_info;
-static const EVP_MD* md_gost94()
-{
- return EVP_get_digestbynid(NID_id_GostR3411_94);
-}
-
-static const EVP_MD* md_gost2012_256()
-{
- return EVP_get_digestbynid(NID_id_GostR3411_2012_256);
-}
-
-static const EVP_MD* md_gost2012_512()
-{
- return EVP_get_digestbynid(NID_id_GostR3411_2012_512);
-}
-
static const tls12_hash_info tls12_md_info[] = {
-#ifdef OPENSSL_NO_MD5
- {NID_md5, 64, 0, TLSEXT_hash_md5},
-#else
- {NID_md5, 64, EVP_md5, TLSEXT_hash_md5},
-#endif
- {NID_sha1, 80, EVP_sha1, TLSEXT_hash_sha1},
- {NID_sha224, 112, EVP_sha224, TLSEXT_hash_sha224},
- {NID_sha256, 128, EVP_sha256, TLSEXT_hash_sha256},
- {NID_sha384, 192, EVP_sha384, TLSEXT_hash_sha384},
- {NID_sha512, 256, EVP_sha512, TLSEXT_hash_sha512},
- {NID_id_GostR3411_94, 128, md_gost94, TLSEXT_hash_gostr3411},
- {NID_id_GostR3411_2012_256, 128, md_gost2012_256, TLSEXT_hash_gostr34112012_256},
- {NID_id_GostR3411_2012_512, 256, md_gost2012_512, TLSEXT_hash_gostr34112012_512},
+ {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
+ {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
+ {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
+ {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
+ {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
+ {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
+ {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
+ {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
+ {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
};
static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
@@ -3310,9 +3276,9 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
return NULL;
inf = tls12_get_hash_info(hash_alg);
- if (!inf || !inf->mfunc)
+ if (!inf)
return NULL;
- return inf->mfunc();
+ return ssl_md(inf->md_idx);
}
static int tls12_get_pkey_idx(unsigned char sig_alg)
@@ -3374,7 +3340,7 @@ static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
{
/* See if we have an entry in the hash table and it is enabled */
const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
- if (!hinf || !hinf->mfunc)
+ if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
return 0;
/* See if public key algorithm allowed */
if (tls12_get_pkey_idx(ptmp[1]) == -1)
More information about the openssl-commits
mailing list