generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove hard coded ecdsaWithSHA1 hack in ssl routines and check for RSA

Browse Source 
using OBJ xref utilities instead of string comparison with OID name.

This removes the arbitrary restriction on using SHA1 only with some ECC
ciphersuites.
This commit is contained in:
Dr. Stephen Henson
2011-08-14 13:48:42 +00:00
parent 2e4abe2ce2
commit e1c3d65f08
2 changed files with 18 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
ssl/ssl_lib.c
View File

@@ -1833,7 +1833,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
#endif
X509 *x = NULL;
EVP_PKEY *ecc_pkey = NULL;
int signature_nid = 0;
int signature_nid = 0, pk_nid = 0, md_nid = 0;
if (c == NULL) return;
@@ -1963,18 +1963,15 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
EVP_PKEY_bits(ecc_pkey) : 0;
EVP_PKEY_free(ecc_pkey);
if ((x->sig_alg) && (x->sig_alg->algorithm))
{
signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
}
#ifndef OPENSSL_NO_ECDH
if (ecdh_ok)
{
const char *sig = OBJ_nid2ln(signature_nid);
if (sig == NULL)
{
ERR_clear_error();
sig = "unknown";
}
if (strstr(sig, "WithRSA"))
if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa)
{
mask_k|=SSL_kECDHr;
mask_a|=SSL_aECDH;
@@ -1985,7 +1982,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
}
}
if (signature_nid == NID_ecdsa_with_SHA1)
if (pk_nid == NID_X9_62_id_ecPublicKey)
{
mask_k|=SSL_kECDHe;
mask_a|=SSL_aECDH;
@@ -2039,7 +2036,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
unsigned long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
int keysize = 0;
int signature_nid = 0;
int signature_nid = 0, md_nid = 0, pk_nid = 0;
alg_k = cs->algorithm_mkey;
alg_a = cs->algorithm_auth;
@@ -2057,7 +2054,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
/* This call populates the ex_flags field correctly */
X509_check_purpose(x, -1, 0);
if ((x->sig_alg) && (x->sig_alg->algorithm))
{
signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
}
if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
{
/* key usage, if present, must allow key agreement */
@@ -2069,7 +2069,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
if (alg_k & SSL_kECDHe)
{
/* signature alg must be ECDSA */
if (signature_nid != NID_ecdsa_with_SHA1)
if (pk_nid != NID_X9_62_id_ecPublicKey)
{
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
return 0;
@@ -2079,13 +2079,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
{
/* signature alg must be RSA */
const char *sig = OBJ_nid2ln(signature_nid);
if (sig == NULL)
{
ERR_clear_error();
sig = "unknown";
}
if (strstr(sig, "WithRSA") == NULL)
if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
{
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
return 0;