From 98c792d18c067f45a0a04bf6e6b0ea6cae238804 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 25 Jan 2017 14:33:55 +0000 Subject: [PATCH] Use uint16_t for signature scheme. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/2301) --- ssl/ssl_locl.h | 12 +++++------ ssl/statem/extensions_clnt.c | 2 +- ssl/statem/statem_srvr.c | 2 +- ssl/t1_lib.c | 41 ++++++++++++++++++------------------ 4 files changed, 29 insertions(+), 28 deletions(-) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index c7bfa22f8b..55182bd576 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1266,7 +1266,7 @@ typedef struct ssl3_state_st { * algorithms extension for server or as part of a certificate * request for client. */ - unsigned int *peer_sigalgs; + uint16_t *peer_sigalgs; /* Size of above array */ size_t peer_sigalgslen; /* Digest peer uses for signing */ @@ -1535,7 +1535,7 @@ typedef struct cert_st { * the client hello as the supported signature algorithms extension. For * servers it represents the signature algorithms we are willing to use. */ - unsigned int *conf_sigalgs; + uint16_t *conf_sigalgs; /* Size of above array */ size_t conf_sigalgslen; /* @@ -1545,7 +1545,7 @@ typedef struct cert_st { * represents the signature algorithms we are willing to use for client * authentication. */ - unsigned int *client_sigalgs; + uint16_t *client_sigalgs; /* Size of above array */ size_t client_sigalgslen; /* @@ -1595,7 +1595,7 @@ struct tls_sigalgs_st { /* Combined hash and signature NID */ int signandhash_nid; /* Raw value used in extension */ - unsigned int rsigalg; + uint16_t rsigalg; }; # define FP_ICC (int (*)(const void *,const void *)) @@ -2250,10 +2250,10 @@ __owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md); void ssl_clear_hash_ctx(EVP_MD_CTX **hash); __owur long ssl_get_algorithm2(SSL *s); __owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, - const unsigned int *psig, size_t psiglen); + const uint16_t *psig, size_t psiglen); __owur int tls1_save_sigalgs(SSL *s, PACKET *pkt); __owur int tls1_process_sigalgs(SSL *s); -__owur size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned int **psigs); +__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs); __owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, unsigned int sig, EVP_PKEY *pkey); void ssl_set_client_disabled(SSL *s); diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index ceae77f124..68b52e1353 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -227,7 +227,7 @@ int tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, int *al) { size_t salglen; - const unsigned int *salg; + const uint16_t *salg; if (!SSL_CLIENT_USE_SIGALGS(s)) return 1; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 139a9daa6d..4228a4be10 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2332,7 +2332,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) } if (SSL_USE_SIGALGS(s)) { - const unsigned int *psigs; + const uint16_t *psigs; size_t nl = tls12_get_psigalgs(s, 1, &psigs); if (!WPACKET_start_sub_packet_u16(pkt) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index a7239c7d87..7dcbabd4df 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -670,7 +670,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) #endif /* OPENSSL_NO_EC */ /* Default sigalg schemes */ -static const unsigned int tls12_sigalgs[] = { +static const uint16_t tls12_sigalgs[] = { #ifndef OPENSSL_NO_EC TLSEXT_SIGALG_ecdsa_secp256r1_sha256, TLSEXT_SIGALG_ecdsa_secp384r1_sha384, @@ -699,14 +699,14 @@ static const unsigned int tls12_sigalgs[] = { }; #ifndef OPENSSL_NO_EC -static const unsigned int suiteb_sigalgs[] = { +static const uint16_t suiteb_sigalgs[] = { TLSEXT_SIGALG_ecdsa_secp256r1_sha256, TLSEXT_SIGALG_ecdsa_secp384r1_sha384 }; #endif typedef struct sigalg_lookup_st { - unsigned int sigalg; + uint16_t sigalg; int hash; int sig; } SIGALG_LOOKUP; @@ -742,7 +742,7 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { #endif }; -static int tls_sigalg_get_hash(unsigned int sigalg) +static int tls_sigalg_get_hash(uint16_t sigalg) { size_t i; const SIGALG_LOOKUP *curr; @@ -756,7 +756,7 @@ static int tls_sigalg_get_hash(unsigned int sigalg) return 0; } -static int tls_sigalg_get_sig(unsigned int sigalg) +static int tls_sigalg_get_sig(uint16_t sigalg) { size_t i; const SIGALG_LOOKUP *curr; @@ -769,7 +769,8 @@ static int tls_sigalg_get_sig(unsigned int sigalg) return 0; } -size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned int **psigs) + +size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) { /* * If Suite B mode use Suite B sigalgs only, ignore any other @@ -814,7 +815,7 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned int **psigs) int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, unsigned int sig, EVP_PKEY *pkey) { - const unsigned int *sent_sigs; + const uint16_t *sent_sigs; char sigalgstr[2]; size_t sent_sigslen, i; int pkeyid = EVP_PKEY_id(pkey); @@ -1365,7 +1366,7 @@ static int tls12_get_pkey_idx(int sig_nid) /* Convert TLS 1.2 signature algorithm extension values into NIDs */ static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, - int *psignhash_nid, unsigned int data) + int *psignhash_nid, uint16_t data) { int sign_nid = NID_undef, hash_nid = NID_undef; if (!phash_nid && !psign_nid && !psignhash_nid) @@ -1414,7 +1415,7 @@ static int tls12_sigalg_allowed(SSL *s, int op, unsigned int ptmp) void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) { - const unsigned int *sigalgs; + const uint16_t *sigalgs; size_t i, sigalgslen; int have_rsa = 0, have_dsa = 0, have_ecdsa = 0; /* @@ -1454,7 +1455,7 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) } int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, - const unsigned int *psig, size_t psiglen) + const uint16_t *psig, size_t psiglen) { size_t i; @@ -1469,10 +1470,10 @@ int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, /* Given preference and allowed sigalgs set shared sigalgs */ static size_t tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig, - const unsigned int *pref, size_t preflen, - const unsigned int *allow, size_t allowlen) + const uint16_t *pref, size_t preflen, + const uint16_t *allow, size_t allowlen) { - const unsigned int *ptmp, *atmp; + const uint16_t *ptmp, *atmp; size_t i, j, nmatch = 0; for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { /* Skip disabled hashes or signature algorithms */ @@ -1498,7 +1499,7 @@ static size_t tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig, /* Set shared signature algorithms for SSL structures */ static int tls1_set_shared_sigalgs(SSL *s) { - const unsigned int *pref, *allow, *conf; + const uint16_t *pref, *allow, *conf; size_t preflen, allowlen, conflen; size_t nmatch; TLS_SIGALGS *salgs = NULL; @@ -1547,6 +1548,7 @@ static int tls1_set_shared_sigalgs(SSL *s) int tls1_save_sigalgs(SSL *s, PACKET *pkt) { CERT *c = s->cert; + unsigned int stmp; size_t size, i; /* Extension ignored for inappropriate versions */ @@ -1570,9 +1572,8 @@ int tls1_save_sigalgs(SSL *s, PACKET *pkt) if (s->s3->tmp.peer_sigalgs == NULL) return 0; s->s3->tmp.peer_sigalgslen = size; - for (i = 0; i < size && PACKET_get_net_2(pkt, &s->s3->tmp.peer_sigalgs[i]); - i++) - continue; + for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) + s->s3->tmp.peer_sigalgs[i] = stmp; if (i != size) return 0; @@ -1655,7 +1656,7 @@ int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignhash, unsigned char *rsig, unsigned char *rhash) { - unsigned int *psig = s->s3->tmp.peer_sigalgs; + uint16_t *psig = s->s3->tmp.peer_sigalgs; size_t numsigalgs = s->s3->tmp.peer_sigalgslen; if (psig == NULL || numsigalgs > INT_MAX) return 0; @@ -1771,7 +1772,7 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) /* TODO(TLS1.3): Needs updating to allow setting of TLS1.3 sig algs */ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) { - unsigned int *sigalgs, *sptr; + uint16_t *sigalgs, *sptr; size_t i; if (salglen & 1) @@ -1971,7 +1972,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, */ if (default_nid > 0 && c->conf_sigalgs) { size_t j; - const unsigned int *p = c->conf_sigalgs; + const uint16_t *p = c->conf_sigalgs; for (j = 0; j < c->conf_sigalgslen; j++, p++) { if (tls_sigalg_get_hash(*p) == NID_sha1 && tls_sigalg_get_sig(*p) == rsign)