Add back support for SHA224 based sig algs

This used to work but was inadvertently removed as part of the TLSv1.3
work. This adds it back.

Fixes #3633

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3639)

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index fe7f7b4e0faffae74162f10762bb896dd77fe44d..fe6119b2ff4cdf214c3003215895070b38747197 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1857,6 +1857,7 @@ typedef enum downgrade_en {
 #define TLSEXT_SIGALG_ecdsa_secp256r1_sha256                    0x0403
 #define TLSEXT_SIGALG_ecdsa_secp384r1_sha384                    0x0503
 #define TLSEXT_SIGALG_ecdsa_secp521r1_sha512                    0x0603
 #define TLSEXT_SIGALG_ecdsa_secp256r1_sha256                    0x0403
 #define TLSEXT_SIGALG_ecdsa_secp384r1_sha384                    0x0503
 #define TLSEXT_SIGALG_ecdsa_secp521r1_sha512                    0x0603

+#define TLSEXT_SIGALG_ecdsa_sha224                              0x0303

 #define TLSEXT_SIGALG_ecdsa_sha1                                0x0203
 #define TLSEXT_SIGALG_rsa_pss_sha256                            0x0804
 #define TLSEXT_SIGALG_rsa_pss_sha384                            0x0805
 #define TLSEXT_SIGALG_ecdsa_sha1                                0x0203
 #define TLSEXT_SIGALG_rsa_pss_sha256                            0x0804
 #define TLSEXT_SIGALG_rsa_pss_sha384                            0x0805


@@ -1864,10 +1865,12 @@ typedef enum downgrade_en {
 #define TLSEXT_SIGALG_rsa_pkcs1_sha256                          0x0401
 #define TLSEXT_SIGALG_rsa_pkcs1_sha384                          0x0501
 #define TLSEXT_SIGALG_rsa_pkcs1_sha512                          0x0601
 #define TLSEXT_SIGALG_rsa_pkcs1_sha256                          0x0401
 #define TLSEXT_SIGALG_rsa_pkcs1_sha384                          0x0501
 #define TLSEXT_SIGALG_rsa_pkcs1_sha512                          0x0601

+#define TLSEXT_SIGALG_rsa_pkcs1_sha224                          0x0301

 #define TLSEXT_SIGALG_rsa_pkcs1_sha1                            0x0201
 #define TLSEXT_SIGALG_dsa_sha256                                0x0402
 #define TLSEXT_SIGALG_dsa_sha384                                0x0502
 #define TLSEXT_SIGALG_dsa_sha512                                0x0602
 #define TLSEXT_SIGALG_rsa_pkcs1_sha1                            0x0201
 #define TLSEXT_SIGALG_dsa_sha256                                0x0402
 #define TLSEXT_SIGALG_dsa_sha384                                0x0502
 #define TLSEXT_SIGALG_dsa_sha512                                0x0602

+#define TLSEXT_SIGALG_dsa_sha224                                0x0302

 #define TLSEXT_SIGALG_dsa_sha1                                  0x0202
 #define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256       0xeeee
 #define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512       0xefef
 #define TLSEXT_SIGALG_dsa_sha1                                  0x0202
 #define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256       0xeeee
 #define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512       0xefef

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c185a09e9cd2b9ae3633f8cf74f3f71c0d4d8890..df48f5b34d707fcccf1e160849216e0083226f40 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -686,10 +686,13 @@ static const uint16_t tls12_sigalgs[] = {
     TLSEXT_SIGALG_rsa_pkcs1_sha512,
 
 #ifndef OPENSSL_NO_EC
     TLSEXT_SIGALG_rsa_pkcs1_sha512,
 
 #ifndef OPENSSL_NO_EC

+    TLSEXT_SIGALG_ecdsa_sha224,

     TLSEXT_SIGALG_ecdsa_sha1,
 #endif
     TLSEXT_SIGALG_ecdsa_sha1,
 #endif

+    TLSEXT_SIGALG_rsa_pkcs1_sha224,

     TLSEXT_SIGALG_rsa_pkcs1_sha1,
 #ifndef OPENSSL_NO_DSA
     TLSEXT_SIGALG_rsa_pkcs1_sha1,
 #ifndef OPENSSL_NO_DSA

+    TLSEXT_SIGALG_dsa_sha224,

     TLSEXT_SIGALG_dsa_sha1,
 
     TLSEXT_SIGALG_dsa_sha256,
     TLSEXT_SIGALG_dsa_sha1,
 
     TLSEXT_SIGALG_dsa_sha256,


@@ -716,6 +719,9 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
     {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA512, NID_secp521r1},
     {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA512, NID_secp521r1},

+    {NULL, TLSEXT_SIGALG_ecdsa_sha224,
+     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
+     NID_ecdsa_with_SHA224, NID_undef},

     {NULL, TLSEXT_SIGALG_ecdsa_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA1, NID_undef},
     {NULL, TLSEXT_SIGALG_ecdsa_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA1, NID_undef},


@@ -738,6 +744,9 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
     {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha512WithRSAEncryption, NID_undef},
     {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha512WithRSAEncryption, NID_undef},

+    {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
+     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
+     NID_sha224WithRSAEncryption, NID_undef},

     {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha1WithRSAEncryption, NID_undef},
     {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha1WithRSAEncryption, NID_undef},


@@ -751,6 +760,9 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
     {NULL, TLSEXT_SIGALG_dsa_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_undef, NID_undef},
     {NULL, TLSEXT_SIGALG_dsa_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_undef, NID_undef},

+    {NULL, TLSEXT_SIGALG_dsa_sha224,
+     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
+     NID_undef, NID_undef},

     {NULL, TLSEXT_SIGALG_dsa_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_dsaWithSHA1, NID_undef},
     {NULL, TLSEXT_SIGALG_dsa_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_dsaWithSHA1, NID_undef},


@@ -901,10 +913,11 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
     }
     lu = tls1_lookup_sigalg(sig);
     /*
     }
     lu = tls1_lookup_sigalg(sig);
     /*

-     * Check sigalgs is known. Disallow SHA1 with TLS 1.3. Check key type is
-     * consistent with signature: RSA keys can be used for RSA-PSS
+     * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
+     * is consistent with signature: RSA keys can be used for RSA-PSS

      */
      */

-    if (lu == NULL || (SSL_IS_TLS13(s) && lu->hash == NID_sha1)
+    if (lu == NULL
+        || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))

         || (pkeyid != lu->sig
         && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
         || (pkeyid != lu->sig
         && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);


@@ -1489,10 +1502,12 @@ int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
             return 0;
         /*
          * If TLS 1.3 must have at least one valid TLS 1.3 message
             return 0;
         /*
          * If TLS 1.3 must have at least one valid TLS 1.3 message

-         * signing algorithm: i.e. neither RSA nor SHA1
+         * signing algorithm: i.e. neither RSA nor SHA1/SHA224

          */
         if (rv == 0 && (!SSL_IS_TLS13(s)
          */
         if (rv == 0 && (!SSL_IS_TLS13(s)

-            || (lu->sig != EVP_PKEY_RSA && lu->hash != NID_sha1)))
+            || (lu->sig != EVP_PKEY_RSA
+                && lu->hash != NID_sha1
+                && lu->hash != NID_sha224)))

             rv = 1;
     }
     if (rv == 0)
             rv = 1;
     }
     if (rv == 0)


@@ -2279,8 +2294,10 @@ int tls_choose_sigalg(SSL *s, int *al)
         for (i = 0; i < s->cert->shared_sigalgslen; i++) {
             lu = s->cert->shared_sigalgs[i];
 
         for (i = 0; i < s->cert->shared_sigalgslen; i++) {
             lu = s->cert->shared_sigalgs[i];
 

-            /* Skip SHA1, DSA and RSA if not PSS */
-            if (lu->hash == NID_sha1 || lu->sig == EVP_PKEY_DSA
+            /* Skip SHA1, SHA224, DSA and RSA if not PSS */
+            if (lu->hash == NID_sha1
+                || lu->hash == NID_sha224
+                || lu->sig == EVP_PKEY_DSA

                 || lu->sig == EVP_PKEY_RSA)
                 continue;
             if (ssl_md(lu->hash_idx) == NULL)
                 || lu->sig == EVP_PKEY_RSA)
                 continue;
             if (ssl_md(lu->hash_idx) == NULL)

diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 891310d27087c60da154b5562b7c555b7b32a15c..2e9c43040d842730243d0581dad03ff388df5571 100644 (file)
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -533,6 +533,7 @@ static ssl_trace_tbl ssl_sigalg_tbl[] = {
     {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, "ecdsa_secp256r1_sha256"},
     {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, "ecdsa_secp384r1_sha384"},
     {TLSEXT_SIGALG_ecdsa_secp521r1_sha512, "ecdsa_secp521r1_sha512"},
     {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, "ecdsa_secp256r1_sha256"},
     {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, "ecdsa_secp384r1_sha384"},
     {TLSEXT_SIGALG_ecdsa_secp521r1_sha512, "ecdsa_secp521r1_sha512"},

+    {TLSEXT_SIGALG_ecdsa_sha224, "ecdsa_sha224"},

     {TLSEXT_SIGALG_ecdsa_sha1, "ecdsa_sha1"},
     {TLSEXT_SIGALG_rsa_pss_sha256, "rsa_pss_sha256"},
     {TLSEXT_SIGALG_rsa_pss_sha384, "rsa_pss_sha384"},
     {TLSEXT_SIGALG_ecdsa_sha1, "ecdsa_sha1"},
     {TLSEXT_SIGALG_rsa_pss_sha256, "rsa_pss_sha256"},
     {TLSEXT_SIGALG_rsa_pss_sha384, "rsa_pss_sha384"},


@@ -540,10 +541,12 @@ static ssl_trace_tbl ssl_sigalg_tbl[] = {
     {TLSEXT_SIGALG_rsa_pkcs1_sha256, "rsa_pkcs1_sha256"},
     {TLSEXT_SIGALG_rsa_pkcs1_sha384, "rsa_pkcs1_sha384"},
     {TLSEXT_SIGALG_rsa_pkcs1_sha512, "rsa_pkcs1_sha512"},
     {TLSEXT_SIGALG_rsa_pkcs1_sha256, "rsa_pkcs1_sha256"},
     {TLSEXT_SIGALG_rsa_pkcs1_sha384, "rsa_pkcs1_sha384"},
     {TLSEXT_SIGALG_rsa_pkcs1_sha512, "rsa_pkcs1_sha512"},

+    {TLSEXT_SIGALG_rsa_pkcs1_sha224, "rsa_pkcs1_sha224"},

     {TLSEXT_SIGALG_rsa_pkcs1_sha1, "rsa_pkcs1_sha1"},
     {TLSEXT_SIGALG_dsa_sha256, "dsa_sha256"},
     {TLSEXT_SIGALG_dsa_sha384, "dsa_sha384"},
     {TLSEXT_SIGALG_dsa_sha512, "dsa_sha512"},
     {TLSEXT_SIGALG_rsa_pkcs1_sha1, "rsa_pkcs1_sha1"},
     {TLSEXT_SIGALG_dsa_sha256, "dsa_sha256"},
     {TLSEXT_SIGALG_dsa_sha384, "dsa_sha384"},
     {TLSEXT_SIGALG_dsa_sha512, "dsa_sha512"},

+    {TLSEXT_SIGALG_dsa_sha224, "dsa_sha224"},

     {TLSEXT_SIGALG_dsa_sha1, "dsa_sha1"},
     {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},
     {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},
     {TLSEXT_SIGALG_dsa_sha1, "dsa_sha1"},
     {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},
     {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},