[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Wed May 30 08:19:33 UTC 2018
The branch master has been updated
via f3a246c63eefc1e5da434df5dc7f48795a12c38b (commit)
via 41f10305d83ac5335f8ff05cce0854b4d93d333f (commit)
via 1f65c0459a1382481f29756b85e9ec12aedaa6bf (commit)
from 02a7e0a9f63ec97e9671fec2bb8ce7c289fb4d66 (commit)
- Log -----------------------------------------------------------------
commit f3a246c63eefc1e5da434df5dc7f48795a12c38b
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date: Thu May 3 18:31:47 2018 +0300
Text description of GOST signature algorithms
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6168)
commit 41f10305d83ac5335f8ff05cce0854b4d93d333f
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date: Thu May 3 18:31:01 2018 +0300
Send GOST SignatureAlgorithms when TLS 1.2 in use
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6168)
commit 1f65c0459a1382481f29756b85e9ec12aedaa6bf
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date: Thu May 3 17:25:48 2018 +0300
Bugfix: GOST2012 certificates for GOST ciphersuites were broken.
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6168)
-----------------------------------------------------------------------
Summary of changes:
apps/s_cb.c | 9 +++++++++
ssl/ssl_locl.h | 5 -----
ssl/t1_lib.c | 22 +++++++++++++++++++++-
3 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 820491a..46b3864 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -234,6 +234,15 @@ static const char *get_sigtype(int nid)
case NID_ED448:
return "Ed448";
+ case NID_id_GostR3410_2001:
+ return "gost2001";
+
+ case NID_id_GostR3410_2012_256:
+ return "gost2012_256";
+
+ case NID_id_GostR3410_2012_512:
+ return "gost2012_512";
+
default:
return NULL;
}
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4aec810..31e5cc8 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -383,11 +383,6 @@
# define SSL_PKEY_ED25519 7
# define SSL_PKEY_ED448 8
# define SSL_PKEY_NUM 9
-/*
- * Pseudo-constant. GOST cipher suites can use different certs for 1
- * SSL_CIPHER. So let's see which one we have in fact.
- */
-# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1
/*-
* SSL_kRSA <- RSA_ENC
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c076782..aab50e1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -661,7 +661,12 @@ static const uint16_t tls12_sigalgs[] = {
TLSEXT_SIGALG_dsa_sha256,
TLSEXT_SIGALG_dsa_sha384,
- TLSEXT_SIGALG_dsa_sha512
+ TLSEXT_SIGALG_dsa_sha512,
+#endif
+#ifndef OPENSSL_NO_GOST
+ TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
+ TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
+ TLSEXT_SIGALG_gostr34102001_gostr3411,
#endif
};
@@ -857,6 +862,21 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
break;
}
}
+
+ /*
+ * Some GOST ciphersuites allow more than one signature algorithms
+ * */
+ if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
+ int real_idx;
+
+ for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
+ real_idx--) {
+ if (s->cert->pkeys[real_idx].privatekey != NULL) {
+ idx = real_idx;
+ break;
+ }
+ }
+ }
} else {
idx = s->cert->key - s->cert->pkeys;
}
More information about the openssl-commits
mailing list