diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 31da0fd3..1ad8fbfd 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -970,9 +970,9 @@ OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl, #define SSL_SIGN_ECDSA_SECP256R1_SHA256 0x0403 #define SSL_SIGN_ECDSA_SECP384R1_SHA384 0x0503 #define SSL_SIGN_ECDSA_SECP521R1_SHA512 0x0603 -#define SSL_SIGN_RSA_PSS_SHA256 0x0804 -#define SSL_SIGN_RSA_PSS_SHA384 0x0805 -#define SSL_SIGN_RSA_PSS_SHA512 0x0806 +#define SSL_SIGN_RSA_PSS_RSAE_SHA256 0x0804 +#define SSL_SIGN_RSA_PSS_RSAE_SHA384 0x0805 +#define SSL_SIGN_RSA_PSS_RSAE_SHA512 0x0806 #define SSL_SIGN_ED25519 0x0807 // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal signature algorithm used to @@ -4116,6 +4116,12 @@ OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl); OPENSSL_EXPORT int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); +// The following constants are legacy aliases for RSA-PSS with rsaEncryption +// keys. Use the new names instead. +#define SSL_SIGN_RSA_PSS_SHA256 SSL_SIGN_RSA_PSS_RSAE_SHA256 +#define SSL_SIGN_RSA_PSS_SHA384 SSL_SIGN_RSA_PSS_RSAE_SHA384 +#define SSL_SIGN_RSA_PSS_SHA512 SSL_SIGN_RSA_PSS_RSAE_SHA512 + // Private structures. // diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc index 33cc720a..eb0b2aa6 100644 --- a/ssl/ssl_privkey.cc +++ b/ssl/ssl_privkey.cc 
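Review bot: The comment on the legacy aliases in the second ssl.h hunk says to use the new names but not that the values are identical, so a reader auditing a signature-algorithm preference list cannot tell from the header that the rename leaves negotiation unchanged. I would extend it to say so, e.g. `// They expand to the same code points (0x0804-0x0806), so behaviour on the wire is unchanged.` It would also help to say in one clause why the RSAE infix was introduced, since the header otherwise gives no reason for having two spellings.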
@@ -111,9 +111,9 @@ static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = { {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, 0}, {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, 0}, - {SSL_SIGN_RSA_PSS_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, 1}, - {SSL_SIGN_RSA_PSS_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, 1}, - {SSL_SIGN_RSA_PSS_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, 1}, + {SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, 1}, + {SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, 1}, + {SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, 1}, {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1, 0}, {SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1, @@ -429,12 +429,12 @@ const char *SSL_get_signature_algorithm_name(uint16_t sigalg, return include_curve ? "ecdsa_secp384r1_sha384" : "ecdsa_sha384"; case SSL_SIGN_ECDSA_SECP521R1_SHA512: return include_curve ? "ecdsa_secp521r1_sha512" : "ecdsa_sha512"; - case SSL_SIGN_RSA_PSS_SHA256: - return "rsa_pss_sha256"; - case SSL_SIGN_RSA_PSS_SHA384: - return "rsa_pss_sha384"; - case SSL_SIGN_RSA_PSS_SHA512: - return "rsa_pss_sha512"; + case SSL_SIGN_RSA_PSS_RSAE_SHA256: + return "rsa_pss_rsae_sha256"; + case SSL_SIGN_RSA_PSS_RSAE_SHA384: + return "rsa_pss_rsae_sha384"; + case SSL_SIGN_RSA_PSS_RSAE_SHA512: + return "rsa_pss_rsae_sha512"; case SSL_SIGN_ED25519: return "ed25519"; default: diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index 12f044c8..c5456e18 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc 
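Review bot: The strings returned by `SSL_get_signature_algorithm_name` for the three RSA-PSS code points change in the second hunk, and unlike the macros they have no compatibility path. Anything that matches on the old spelling, such as log parsers, metrics keyed by algorithm name, or name-based allow-lists, will silently stop matching `"rsa_pss_sha256"` and its siblings. If that is intended, I would record it where callers will see it, for example on the function's declaration: `// RSA-PSS names carry the "rsae" infix, e.g. "rsa_pss_rsae_sha256"; earlier versions returned "rsa_pss_sha256".` The switch begins and ends outside the hunk, so I cannot see whether other callers in the tree depend on the old strings.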
@@ -3884,10 +3884,10 @@ TEST(SSLTest, SignatureAlgorithmProperties) { SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256)); EXPECT_EQ(EVP_PKEY_RSA, - SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_SHA384)); + SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384)); EXPECT_EQ(EVP_sha384(), - SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_SHA384)); - EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_SHA384)); + SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384)); + EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384)); } void MoveBIOs(SSL *dest, SSL *src) { diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc index 2d3a6646..f862ab48 100644 --- a/ssl/t1_lib.cc +++ b/ssl/t1_lib.cc @@ -419,15 +419,15 @@ static const uint16_t kVerifySignatureAlgorithms[] = { // List our preferred algorithms first. SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP256R1_SHA256, - SSL_SIGN_RSA_PSS_SHA256, + SSL_SIGN_RSA_PSS_RSAE_SHA256, SSL_SIGN_RSA_PKCS1_SHA256, // Larger hashes are acceptable. SSL_SIGN_ECDSA_SECP384R1_SHA384, - SSL_SIGN_RSA_PSS_SHA384, + SSL_SIGN_RSA_PSS_RSAE_SHA384, SSL_SIGN_RSA_PKCS1_SHA384, - SSL_SIGN_RSA_PSS_SHA512, + SSL_SIGN_RSA_PSS_RSAE_SHA512, SSL_SIGN_RSA_PKCS1_SHA512, // For now, SHA-1 is still accepted but least preferable. @@ -445,18 +445,18 @@ static const uint16_t kSignSignatureAlgorithms[] = { // List our preferred algorithms first. SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP256R1_SHA256, - SSL_SIGN_RSA_PSS_SHA256, + SSL_SIGN_RSA_PSS_RSAE_SHA256, SSL_SIGN_RSA_PKCS1_SHA256, // If needed, sign larger hashes. // // TODO(davidben): Determine which of these may be pruned. SSL_SIGN_ECDSA_SECP384R1_SHA384, - SSL_SIGN_RSA_PSS_SHA384, + SSL_SIGN_RSA_PSS_RSAE_SHA384, SSL_SIGN_RSA_PKCS1_SHA384, SSL_SIGN_ECDSA_SECP521R1_SHA512, - SSL_SIGN_RSA_PSS_SHA512, + SSL_SIGN_RSA_PSS_RSAE_SHA512, SSL_SIGN_RSA_PKCS1_SHA512, // If the peer supports nothing else, sign with SHA-1. 
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc index 107de52c..ccd221f7 100644 --- a/ssl/test/bssl_shim.cc +++ b/ssl/test/bssl_shim.cc @@ -333,40 +333,14 @@ static ssl_private_key_result_t AsyncPrivateKeySign( abort(); } - // Determine the hash. - const EVP_MD *md; - switch (signature_algorithm) { - case SSL_SIGN_RSA_PKCS1_SHA1: - case SSL_SIGN_ECDSA_SHA1: - md = EVP_sha1(); - break; - case SSL_SIGN_RSA_PKCS1_SHA256: - case SSL_SIGN_ECDSA_SECP256R1_SHA256: - case SSL_SIGN_RSA_PSS_SHA256: - md = EVP_sha256(); - break; - case SSL_SIGN_RSA_PKCS1_SHA384: - case SSL_SIGN_ECDSA_SECP384R1_SHA384: - case SSL_SIGN_RSA_PSS_SHA384: - md = EVP_sha384(); - break; - case SSL_SIGN_RSA_PKCS1_SHA512: - case SSL_SIGN_ECDSA_SECP521R1_SHA512: - case SSL_SIGN_RSA_PSS_SHA512: - md = EVP_sha512(); - break; - case SSL_SIGN_RSA_PKCS1_MD5_SHA1: - md = EVP_md5_sha1(); - break; - case SSL_SIGN_ED25519: - md = nullptr; - break; - default: - fprintf(stderr, "Unknown signature algorithm %04x.\n", - signature_algorithm); - return ssl_private_key_failure; + if (EVP_PKEY_id(test_state->private_key.get()) != + SSL_get_signature_algorithm_key_type(signature_algorithm)) { + fprintf(stderr, "Key type does not match signature algorithm.\n"); + abort(); } + // Determine the hash. + const EVP_MD *md = SSL_get_signature_algorithm_digest(signature_algorithm); bssl::ScopedEVP_MD_CTX ctx; EVP_PKEY_CTX *pctx; if (!EVP_DigestSignInit(ctx.get(), &pctx, md, nullptr, 
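Review bot: An unrecognised `signature_algorithm` loses its own diagnostic in this hunk. The removed switch printed `Unknown signature algorithm %04x` and returned `ssl_private_key_failure`, while the new code would presumably fail the key-type comparison and `abort()` with the generic "Key type does not match" message. That depends on what `SSL_get_signature_algorithm_key_type` returns for unknown values, which is not visible here. A null `md` is also the expected result for Ed25519, so nothing after the check separates "no digest" from "not in the table". I would at least put the value in the message: `fprintf(stderr, "Key type does not match signature algorithm %04x.\n", signature_algorithm);`. `AsyncPrivateKeySign` starts before the hunk and continues past it.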
@@ -375,15 +349,11 @@ static ssl_private_key_result_t AsyncPrivateKeySign( } // Configure additional signature parameters. - switch (signature_algorithm) { - case SSL_SIGN_RSA_PSS_SHA256: - case SSL_SIGN_RSA_PSS_SHA384: - case SSL_SIGN_RSA_PSS_SHA512: - if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) || - !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, - -1 /* salt len = hash len */)) { - return ssl_private_key_failure; - } + if (SSL_is_signature_algorithm_rsa_pss(signature_algorithm)) { + if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) || + !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */)) { + return ssl_private_key_failure; + } } // Write the signature into |test_state|.