From 1d1af6410d0c4ee38c0860bd94272d6660531426 Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Tue, 8 Dec 2015 07:27:43 -0800
Subject: [PATCH 1/4] OpenSSH added support for additional NID types. Update our compatibility layer
---
 src/ssl.c | 24 ++++++++++++++++++++----
 wolfssl/openssl/evp.h | 1 +
 wolfssl/openssl/rsa.h | 7 +++++++
 3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 4362f95f1..90626cac4 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -13310,9 +13310,16 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m,
 return 0;
 }
- if (type != NID_md5 && type != NID_sha1) {
- WOLFSSL_MSG("Bad md type");
- return 0;
+ switch (type) {
+ case NID_md2: break;
+ case NID_md5: break;
+ case NID_sha1: break;
+ case NID_sha256: break;
+ case NID_sha384: break;
+ case NID_sha512: break;
+ default:
+ WOLFSSL_MSG("This NID_ is not yet implemented");
+ return 0;
 }
 if (rsa->inSet == 0)
@@ -13356,7 +13363,16 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m,
 }
 if (rng) {
- type = (type == NID_md5) ? MD5h : SHAh;
+
+ switch (type) {
+ case NID_md2: type = MD2h; break;
+ case NID_md5: type = MD5h; break;
+ case NID_sha1: type = SHAh; break;
+ case NID_sha256: type = SHA256h; break;
+ case NID_sha384: type = SHA384h; break;
+ case NID_sha512: type = SHA512h; break;
+ /* no default, already checked if NID is supported */
+ }
 signSz = wc_EncodeSignature(encodedSig, m, mLen, type);
 if (signSz == 0) {
diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h
index 6d3449f07..6ea1443e5 100644
--- a/wolfssl/openssl/evp.h
+++ b/wolfssl/openssl/evp.h
@@ -132,6 +132,7 @@ enum {
 EVP_PKEY_EC = 13,
 IDEA_CBC_TYPE = 14,
 NID_sha1 = 64,
+ NID_md2 = 3,
 NID_md5 = 4
 };
diff --git a/wolfssl/openssl/rsa.h b/wolfssl/openssl/rsa.h
index 2db993b65..210a24e4c 100644
--- a/wolfssl/openssl/rsa.h
+++ b/wolfssl/openssl/rsa.h
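Review bot: In the first src/ssl.c hunk of patch 1/4, `case NID_md2: break;` adds MD2 to the digests this function will sign, alongside the already accepted MD5. Neither digest is collision resistant, and the commit message motivates the change with OpenSSH, whose need for MD2 is not evident from the patch. If no caller depends on it, leave `NID_md2` to the `default:` rejection; if it has to stay for API compatibility, say so next to the case, e.g. `/* legacy digest, kept for OpenSSL API compatibility only */`. The body of wolfSSL_RSA_sign starts and ends outside the hunk.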
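Review bot: In the second src/ssl.c hunk of patch 1/4, `wc_EncodeSignature(encodedSig, m, mLen, type)` can now be reached with six digest types of different lengths, but nothing visible in the hunk ties `mLen` to the selected type. A caller passing `NID_sha512` with an `mLen` that is not the SHA-512 digest size would get a DigestInfo whose algorithm identifier and digest length disagree, and `encodedSig` is declared outside the hunk, so its capacity for the largest encoding should be confirmed. I would record the expected digest length in each case of the switch and reject a mismatch before encoding, e.g. `if (mLen != expectedLen) { WOLFSSL_MSG("Bad digest length"); return 0; }`. The same call appears as context in the second hunk of patch 2/4.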
@@ -17,6 +17,13 @@ enum {
 RSA_PKCS1_PADDING = 1
 };
+/* rsaTypes */
+enum {
+ NID_sha256 = 672,
+ NID_sha384 = 673,
+ NID_sha512 = 674
+};
+
 struct WOLFSSL_RSA {
 WOLFSSL_BIGNUM* n;
 WOLFSSL_BIGNUM* e;
From d395c5aba3a94bdff23143e1371e1ad962bacd04 Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Wed, 16 Dec 2015 11:40:58 -0700
Subject: [PATCH 2/4] condense to one switch statement for testing of message digests
---
 src/ssl.c | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index a5b0f7580..582e9660c 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -13311,14 +13311,14 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m,
 }
 switch (type) {
- case NID_md2: break;
- case NID_md5: break;
- case NID_sha1: break;
- case NID_sha256: break;
- case NID_sha384: break;
- case NID_sha512: break;
+ case NID_md2: type = MD2h; break;
+ case NID_md5: type = MD5h; break;
+ case NID_sha1: type = SHAh; break;
+ case NID_sha256: type = SHA256h; break;
+ case NID_sha384: type = SHA384h; break;
+ case NID_sha512: type = SHA512h; break;
 default:
- WOLFSSL_MSG("This NID_ is not yet implemented");
+ WOLFSSL_MSG("This NID (md type) is not yet implemented");
 return 0;
 }
@@ -13364,16 +13364,6 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m,
 if (rng) {
- switch (type) {
- case NID_md2: type = MD2h; break;
- case NID_md5: type = MD5h; break;
- case NID_sha1: type = SHAh; break;
- case NID_sha256: type = SHA256h; break;
- case NID_sha384: type = SHA384h; break;
- case NID_sha512: type = SHA512h; break;
- /* no default, already checked if NID is supported */
- }
-
 signSz = wc_EncodeSignature(encodedSig, m, mLen, type);
 if (signSz == 0) {
 WOLFSSL_MSG("Bad Encode Signature");
From 0cb2374c6923d9d05e634abc7c2738d687c0099a Mon Sep 17 00:00:00 2001
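Review bot: In the wolfssl/openssl/rsa.h hunk of patch 1/4, the comment `/* rsaTypes */` labels three message-digest identifiers, not RSA types, which will mislead anyone looking for where digest NIDs are defined. The hunk also puts `NID_sha256`, `NID_sha384` and `NID_sha512` in rsa.h while `NID_md2`, `NID_md5` and `NID_sha1` sit in the evp.h enum (the evp.h hunk of the same patch), so a file that includes only evp.h does not see the SHA-2 values. I would reword the comment to `/* message digest NIDs accepted by wolfSSL_RSA_sign */` and, where the header layout allows, keep all digest NIDs in one enum.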
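Review bot: In the first hunk of patch 2/4, assignments such as `case NID_md2: type = MD2h; break;` overwrite the `type` parameter with a wolfCrypt hash identifier near the top of the function, so from this switch onward `type` no longer holds an NID. The code between this hunk and the `wc_EncodeSignature` call lies outside both hunks; any comparison against `NID_*` there, now or added later, would silently stop matching. A separate local keeps the two value domains apart: declare `int hashType;`, assign it in each case (`case NID_sha256: hashType = SHA256h; break;`) and pass it in `wc_EncodeSignature(encodedSig, m, mLen, hashType)`.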
From: kaleb-himes
Date: Mon, 21 Dec 2015 23:03:45 -0700
Subject: [PATCH 3/4] Ensure configured before assuming message digest is supported
---
 src/ssl.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/ssl.c b/src/ssl.c
index 582e9660c..c250f0efc 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -13311,14 +13311,26 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m,
 }
 switch (type) {
+ #ifndef WOLFSSL_MD2
 case NID_md2: type = MD2h; break;
+ #endif
+ #ifndef NO_MD5
 case NID_md5: type = MD5h; break;
+ #endif
+ #ifndef NO_SHA
 case NID_sha1: type = SHAh; break;
+ #endif
+ #ifndef NO_SHA256
 case NID_sha256: type = SHA256h; break;
+ #endif
+ #ifdef WOLFSSL_SHA384
 case NID_sha384: type = SHA384h; break;
+ #endif
+ #ifdef WOLFSSL_SHA512
 case NID_sha512: type = SHA512h; break;
+ #endif
 default:
- WOLFSSL_MSG("This NID (md type) is not yet implemented");
+ WOLFSSL_MSG("This NID (md type) not configured or not implemented");
 return 0;
 }
From cbf3213c4ff1f7600714ea18fb4bda29f3314495 Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Mon, 21 Dec 2015 23:33:33 -0700
Subject: [PATCH 4/4] correct logic on pre-processor macro
---
 src/ssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl.c b/src/ssl.c
index c250f0efc..ead593a5a 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -13311,7 +13311,7 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m,
 }
 switch (type) {
- #ifndef WOLFSSL_MD2
+ #ifdef WOLFSSL_MD2
 case NID_md2: type = MD2h; break;
 #endif
 #ifndef NO_MD5