[openssl-commits] [openssl] master update
kaduk at mit.edu
Fri Jan 26 15:40:49 UTC 2018
The branch master has been updated
via cf8e9233f0139f8ebacbfd4fa34ccf410ec8430c (commit)
via 36c91d13d1272f90a722a67a2ded97706fdff102 (commit)
from c1acef9263b875cc80431b8054049dedc59cd41d (commit)
- Log -----------------------------------------------------------------
commit cf8e9233f0139f8ebacbfd4fa34ccf410ec8430c
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Fri Jan 26 09:23:57 2018 -0600
Catch some more old sigalg names in comments
Make the sigalg name in comments reflect one that actually exists
in the draft standard.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5174)
commit 36c91d13d1272f90a722a67a2ded97706fdff102
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Fri Jan 26 09:21:08 2018 -0600
Fix ssl-trace with TLS 1.3 draft-23 PSS sigalgs
The latest TLS 1.3 draft split the RSA-PSS signature schemes into
two versions that indicate the OID of the RSA key being used.
This forced us to rename the preprocessor defines for the sigalg
values, and the ssl-trace code was not adapted to match, since
it was not enabled in the default build.
Belatedly update the ssl_sigalg_tbl in the trace code to match.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5174)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/SSL_CTX_set1_sigalgs.pod | 2 +-
ssl/t1_trce.c | 9 ++++++---
test/recipes/70-test_sslsigalgs.t | 2 +-
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod
index a634eb8..74d0698 100644
--- a/doc/man3/SSL_CTX_set1_sigalgs.pod
+++ b/doc/man3/SSL_CTX_set1_sigalgs.pod
@@ -78,7 +78,7 @@ The short or long name values for digests can be used in a string (for
example "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512") and
the public key algorithm strings "RSA", "RSA-PSS", "DSA" or "ECDSA".
-The TLS 1.3 signature scheme names (such as "rsa_pss_sha256") can also
+The TLS 1.3 signature scheme names (such as "rsa_pss_pss_sha256") can also
be used with the B<_list> forms of the API.
The use of MD5 as a digest is strongly discouraged due to security weaknesses.
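Review bot: The example on the changed line now names only one of the two variants, "rsa_pss_pss_sha256", while the commit log says the draft split the RSA-PSS schemes into two versions that indicate the OID of the RSA key being used. A reader who copies the example for a key with the other OID gets the wrong scheme, so consider naming "rsa_pss_rsae_sha256" next to it or adding a sentence on which key type each name applies to.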
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index ada5675..b998765 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -544,9 +544,12 @@ static const ssl_trace_tbl ssl_sigalg_tbl[] = {
{TLSEXT_SIGALG_ecdsa_sha224, "ecdsa_sha224"},
{TLSEXT_SIGALG_ed25519, "ed25519"},
{TLSEXT_SIGALG_ecdsa_sha1, "ecdsa_sha1"},
- {TLSEXT_SIGALG_rsa_pss_sha256, "rsa_pss_sha256"},
- {TLSEXT_SIGALG_rsa_pss_sha384, "rsa_pss_sha384"},
- {TLSEXT_SIGALG_rsa_pss_sha512, "rsa_pss_sha512"},
+ {TLSEXT_SIGALG_rsa_pss_rsae_sha256, "rsa_pss_rsae_sha256"},
+ {TLSEXT_SIGALG_rsa_pss_rsae_sha384, "rsa_pss_rsae_sha384"},
+ {TLSEXT_SIGALG_rsa_pss_rsae_sha512, "rsa_pss_rsae_sha512"},
+ {TLSEXT_SIGALG_rsa_pss_pss_sha256, "rsa_pss_pss_sha256"},
+ {TLSEXT_SIGALG_rsa_pss_pss_sha384, "rsa_pss_pss_sha384"},
+ {TLSEXT_SIGALG_rsa_pss_pss_sha512, "rsa_pss_pss_sha512"},
{TLSEXT_SIGALG_rsa_pkcs1_sha256, "rsa_pkcs1_sha256"},
{TLSEXT_SIGALG_rsa_pkcs1_sha384, "rsa_pkcs1_sha384"},
{TLSEXT_SIGALG_rsa_pkcs1_sha512, "rsa_pkcs1_sha512"},
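Review bot: Nothing here stops ssl_sigalg_tbl from drifting again; the commit log says the table was missed because ssl-trace is not enabled in the default build. Consider adding an enable-ssl-trace configuration to the regular build matrix so that a renamed TLSEXT_SIGALG_* define fails to compile at this table immediately. The six added entries each pair a define with the string of the same name, which looks right.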
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index d1ed6ec..35531c6 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -169,7 +169,7 @@ SKIP: {
ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2");
#Test 14: Responding with a sig alg we did not send in TLSv1.2 should fail
- # We send rsa_pkcs1_sha256 and respond with rsa_pss_sha256
+ # We send rsa_pkcs1_sha256 and respond with rsa_pss_rsae_sha256
# TODO(TLS1.3): Add a similar test to the TLSv1.3 section above
# when we have an API capable of configuring the TLSv1.3 sig algs
$proxy->clear();
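Review bot: Only the comment for Test 14 changes in this hunk, and the code that sets the responding signature algorithm is outside the visible lines. Please confirm that the value the test actually sends is the rsae variant, so the comment "respond with rsa_pss_rsae_sha256" describes what goes on the wire rather than the pss variant that shares the old name's prefix.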