diff --git a/ssl/ssl_cert_table.h b/ssl/ssl_cert_table.h index eae9ff232b..fd6a1ad1e8 100644 --- a/ssl/ssl_cert_table.h +++ b/ssl/ssl_cert_table.h @@ -12,6 +12,7 @@ */ static const SSL_CERT_LOOKUP ssl_cert_info [] = { {EVP_PKEY_RSA, SSL_aRSA}, /* SSL_PKEY_RSA */ + {EVP_PKEY_RSA_PSS, SSL_aRSA}, /* SSL_PKEY_RSA_PSS_SIGN */ {EVP_PKEY_DSA, SSL_aDSS}, /* SSL_PKEY_DSA_SIGN */ {EVP_PKEY_EC, SSL_aECDSA}, /* SSL_PKEY_ECC */ {NID_id_GostR3410_2001, SSL_aGOST01}, /* SSL_PKEY_GOST01 */ diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 64d5e720e1..95e60414e2 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -363,25 +363,20 @@ /* Mostly for SSLv3 */ # define SSL_PKEY_RSA 0 -# define SSL_PKEY_DSA_SIGN 1 -# define SSL_PKEY_ECC 2 -# define SSL_PKEY_GOST01 3 -# define SSL_PKEY_GOST12_256 4 -# define SSL_PKEY_GOST12_512 5 -# define SSL_PKEY_ED25519 6 -# define SSL_PKEY_NUM 7 +# define SSL_PKEY_RSA_PSS_SIGN 1 +# define SSL_PKEY_DSA_SIGN 2 +# define SSL_PKEY_ECC 3 +# define SSL_PKEY_GOST01 4 +# define SSL_PKEY_GOST12_256 5 +# define SSL_PKEY_GOST12_512 6 +# define SSL_PKEY_ED25519 7 +# define SSL_PKEY_NUM 8 /* * Pseudo-constant. GOST cipher suites can use different certs for 1 * SSL_CIPHER. So let's see which one we have in fact. */ # define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1 -/* - * TODO(TLS1.3) for now use SSL_PKEY_RSA keys for PSS - */ - -#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA - /*- * SSL_kRSA <- RSA_ENC * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 48c33de64b..ec5b358e28 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -799,6 +799,7 @@ static const SIGALG_LOOKUP legacy_rsa_sigalg = { */ static const uint16_t tls_default_sigalg[] = { TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ + 0, /* SSL_PKEY_RSA_PSS_SIGN */ TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ @@ -2126,6 +2127,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, void tls1_set_cert_validity(SSL *s) { tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);