The branch master has been updated via cf8e9233f0139f8ebacbfd4fa34ccf410ec8430c (commit) via 36c91d13d1272f90a722a67a2ded97706fdff102 (commit) from c1acef9263b875cc80431b8054049dedc59cd41d (commit)
- Log ----------------------------------------------------------------- commit cf8e9233f0139f8ebacbfd4fa34ccf410ec8430c Author: Benjamin Kaduk <bka...@akamai.com> Date: Fri Jan 26 09:23:57 2018 -0600 Catch some more old sigalg names in comments Make the sigalg name in comments reflect one that actually exists in the draft standard. Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5174) commit 36c91d13d1272f90a722a67a2ded97706fdff102 Author: Benjamin Kaduk <bka...@akamai.com> Date: Fri Jan 26 09:21:08 2018 -0600 Fix ssl-trace with TLS 1.3 draft-23 PSS sigalgs The latest TLS 1.3 draft split the RSA-PSS signature schemes into two versions that indicate the OID of the RSA key being used. This forced us to rename the preprocessor defines for the sigalg values, and the ssl-trace code was not adopted to match, since it was not enabled int the default build. Belatedly update the ssl_sigalg_tbl in the trace code to match. Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5174) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_CTX_set1_sigalgs.pod | 2 +- ssl/t1_trce.c | 9 ++++++--- test/recipes/70-test_sslsigalgs.t | 2 +- 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod
index a634eb8..74d0698 100644
--- a/doc/man3/SSL_CTX_set1_sigalgs.pod
+++ b/doc/man3/SSL_CTX_set1_sigalgs.pod
@@ -78,7 +78,7 @@ The short or long name values for digests can be used in a string (for example "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512") and the public key algorithm strings "RSA", "RSA-PSS", "DSA" or "ECDSA".
-The TLS 1.3 signature scheme names (such as "rsa_pss_sha256") can also
+The TLS 1.3 signature scheme names (such as "rsa_pss_pss_sha256") can also
 be used with the B<_list> forms of the API. The use of MD5 as a digest is strongly discouraged due to security weaknesses.
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index ada5675..b998765 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -544,9 +544,12 @@ static const ssl_trace_tbl ssl_sigalg_tbl[] = {
 {TLSEXT_SIGALG_ecdsa_sha224, "ecdsa_sha224"},
 {TLSEXT_SIGALG_ed25519, "ed25519"},
 {TLSEXT_SIGALG_ecdsa_sha1, "ecdsa_sha1"},
- {TLSEXT_SIGALG_rsa_pss_sha256, "rsa_pss_sha256"},
- {TLSEXT_SIGALG_rsa_pss_sha384, "rsa_pss_sha384"},
- {TLSEXT_SIGALG_rsa_pss_sha512, "rsa_pss_sha512"},
+ {TLSEXT_SIGALG_rsa_pss_rsae_sha256, "rsa_pss_rsae_sha256"},
+ {TLSEXT_SIGALG_rsa_pss_rsae_sha384, "rsa_pss_rsae_sha384"},
+ {TLSEXT_SIGALG_rsa_pss_rsae_sha512, "rsa_pss_rsae_sha512"},
+ {TLSEXT_SIGALG_rsa_pss_pss_sha256, "rsa_pss_pss_sha256"},
+ {TLSEXT_SIGALG_rsa_pss_pss_sha384, "rsa_pss_pss_sha384"},
+ {TLSEXT_SIGALG_rsa_pss_pss_sha512, "rsa_pss_pss_sha512"},
 {TLSEXT_SIGALG_rsa_pkcs1_sha256, "rsa_pkcs1_sha256"},
 {TLSEXT_SIGALG_rsa_pkcs1_sha384, "rsa_pkcs1_sha384"},
 {TLSEXT_SIGALG_rsa_pkcs1_sha512, "rsa_pkcs1_sha512"},
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index d1ed6ec..35531c6 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
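Review bot: ssl_sigalg_tbl in ssl/t1_trce.c carries no comment tying its entries to the TLSEXT_SIGALG_* defines, and the commit message says the table fell out of step with the rename because ssl-trace is not enabled in the default build. A comment above the table, for example `/* Keep in sync with the TLSEXT_SIGALG_* values; only compiled when ssl-trace is enabled */`, would warn whoever next renames or adds a signature scheme. Having at least one CI configuration build with ssl-trace enabled would catch this kind of drift at merge time; whether one already exists cannot be told from this page. The table starts and ends outside this hunk, so the entries not shown here were not checked against the defines.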
@@ -169,7 +169,7 @@ SKIP: {
 ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2");
 #Test 14: Responding with a sig alg we did not send in TLSv1.2 should fail
- # We send rsa_pkcs1_sha256 and respond with rsa_pss_sha256
+ # We send rsa_pkcs1_sha256 and respond with rsa_pss_rsae_sha256
 # TODO(TLS1.3): Add a similar test to the TLSv1.3 section above
 # when we have an API capable of configuring the TLSv1.3 sig algs
 $proxy->clear();
_____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits