[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Wed May 30 08:19:33 UTC 2018


The branch master has been updated
       via  f3a246c63eefc1e5da434df5dc7f48795a12c38b (commit)
       via  41f10305d83ac5335f8ff05cce0854b4d93d333f (commit)
       via  1f65c0459a1382481f29756b85e9ec12aedaa6bf (commit)
      from  02a7e0a9f63ec97e9671fec2bb8ce7c289fb4d66 (commit)


- Log -----------------------------------------------------------------
commit f3a246c63eefc1e5da434df5dc7f48795a12c38b
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date:   Thu May 3 18:31:47 2018 +0300

    Text description of GOST signature algorithms
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6168)

commit 41f10305d83ac5335f8ff05cce0854b4d93d333f
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date:   Thu May 3 18:31:01 2018 +0300

    Send GOST SignatureAlgorithms when TLS 1.2 in use
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6168)

commit 1f65c0459a1382481f29756b85e9ec12aedaa6bf
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date:   Thu May 3 17:25:48 2018 +0300

    Bugfix: GOST2012 certificates for GOST ciphersuites were broken.
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6168)

-----------------------------------------------------------------------

Summary of changes:
 apps/s_cb.c    |  9 +++++++++
 ssl/ssl_locl.h |  5 -----
 ssl/t1_lib.c   | 22 +++++++++++++++++++++-
 3 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/apps/s_cb.c b/apps/s_cb.c
index 820491a..46b3864 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -234,6 +234,15 @@ static const char *get_sigtype(int nid)
      case NID_ED448:
         return "Ed448";
 
+     case NID_id_GostR3410_2001:
+        return "gost2001";
+
+     case NID_id_GostR3410_2012_256:
+        return "gost2012_256";
+
+     case NID_id_GostR3410_2012_512:
+        return "gost2012_512";
+
     default:
         return NULL;
     }
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4aec810..31e5cc8 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -383,11 +383,6 @@
 # define SSL_PKEY_ED25519        7
 # define SSL_PKEY_ED448          8
 # define SSL_PKEY_NUM            9
-/*
- * Pseudo-constant. GOST cipher suites can use different certs for 1
- * SSL_CIPHER. So let's see which one we have in fact.
- */
-# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1
 
 /*-
  * SSL_kRSA <- RSA_ENC
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c076782..aab50e1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -661,7 +661,12 @@ static const uint16_t tls12_sigalgs[] = {
 
     TLSEXT_SIGALG_dsa_sha256,
     TLSEXT_SIGALG_dsa_sha384,
-    TLSEXT_SIGALG_dsa_sha512
+    TLSEXT_SIGALG_dsa_sha512,
+#endif
+#ifndef OPENSSL_NO_GOST
+    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
+    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
+    TLSEXT_SIGALG_gostr34102001_gostr3411,
 #endif
 };
 
@@ -857,6 +862,21 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
                     break;
                 }
             }
+
+            /*
+             * Some GOST ciphersuites allow more than one signature algorithms
+             * */
+            if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
+                int real_idx;
+
+                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
+                     real_idx--) {
+                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
+                        idx = real_idx;
+                        break;
+                    }
+                }
+            }
         } else {
             idx = s->cert->key - s->cert->pkeys;
         }


More information about the openssl-commits mailing list