diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2017-09-13 13:53:03 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2017-09-20 12:50:23 +0100 |
| commit | 045d078aefdf8d5b077485630bfd21b09980d2ec (patch) | |
| tree | a2627b9f4fdad74a66de91708c2d555514f4357e /ssl | |
| parent | 6b1c8204b33aaedb7df7a009c241412839aaf950 (diff) | |
| download | openssl-045d078aefdf8d5b077485630bfd21b09980d2ec.tar.gz | |
Add RSA-PSS key certificate type.
Recognise RSA-PSS certificate algorithm and add a new certificate
type.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/ssl_cert_table.h | 1 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 21 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 2 |
3 files changed, 11 insertions, 13 deletions
diff --git a/ssl/ssl_cert_table.h b/ssl/ssl_cert_table.h index eae9ff232b..fd6a1ad1e8 100644 --- a/ssl/ssl_cert_table.h +++ b/ssl/ssl_cert_table.h @@ -12,6 +12,7 @@ */ static const SSL_CERT_LOOKUP ssl_cert_info [] = { {EVP_PKEY_RSA, SSL_aRSA}, /* SSL_PKEY_RSA */ + {EVP_PKEY_RSA_PSS, SSL_aRSA}, /* SSL_PKEY_RSA_PSS_SIGN */ {EVP_PKEY_DSA, SSL_aDSS}, /* SSL_PKEY_DSA_SIGN */ {EVP_PKEY_EC, SSL_aECDSA}, /* SSL_PKEY_ECC */ {NID_id_GostR3410_2001, SSL_aGOST01}, /* SSL_PKEY_GOST01 */ diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 64d5e720e1..95e60414e2 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -363,25 +363,20 @@ /* Mostly for SSLv3 */ # define SSL_PKEY_RSA 0 -# define SSL_PKEY_DSA_SIGN 1 -# define SSL_PKEY_ECC 2 -# define SSL_PKEY_GOST01 3 -# define SSL_PKEY_GOST12_256 4 -# define SSL_PKEY_GOST12_512 5 -# define SSL_PKEY_ED25519 6 -# define SSL_PKEY_NUM 7 +# define SSL_PKEY_RSA_PSS_SIGN 1 +# define SSL_PKEY_DSA_SIGN 2 +# define SSL_PKEY_ECC 3 +# define SSL_PKEY_GOST01 4 +# define SSL_PKEY_GOST12_256 5 +# define SSL_PKEY_GOST12_512 6 +# define SSL_PKEY_ED25519 7 +# define SSL_PKEY_NUM 8 /* * Pseudo-constant. GOST cipher suites can use different certs for 1 * SSL_CIPHER. So let's see which one we have in fact. */ # define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1 -/* - * TODO(TLS1.3) for now use SSL_PKEY_RSA keys for PSS - */ - -#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA - /*- * SSL_kRSA <- RSA_ENC * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 48c33de64b..ec5b358e28 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -799,6 +799,7 @@ static const SIGALG_LOOKUP legacy_rsa_sigalg = { */ static const uint16_t tls_default_sigalg[] = { TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ + 0, /* SSL_PKEY_RSA_PSS_SIGN */ TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ @@ -2126,6 +2127,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, void tls1_set_cert_validity(SSL *s) { tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); |