From fe57aeed66704666cbcd786d1ed2da4c5de23d97 Mon Sep 17 00:00:00 2001 From: tb Date: Wed, 29 Jun 2022 07:53:00 +0000 Subject: [PATCH] Annotate sigalgs with their security level. ok beck jsing --- lib/libssl/ssl_sigalgs.c | 22 +++++++++++++++++++++- lib/libssl/ssl_sigalgs.h | 3 ++- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c index daf735a8ffd..79239ef597c 100644 --- a/lib/libssl/ssl_sigalgs.c +++ b/lib/libssl/ssl_sigalgs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.c,v 1.41 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_sigalgs.c,v 1.42 2022/06/29 07:53:00 tb Exp $ */ /* * Copyright (c) 2018-2020 Bob Beck * Copyright (c) 2021 Joel Sing @@ -32,11 +32,13 @@ const struct ssl_sigalg sigalgs[] = { .value = SIGALG_RSA_PKCS1_SHA512, .key_type = EVP_PKEY_RSA, .md = EVP_sha512, + .security_level = 5, }, { .value = SIGALG_ECDSA_SECP521R1_SHA512, .key_type = EVP_PKEY_EC, .md = EVP_sha512, + .security_level = 5, .curve_nid = NID_secp521r1, }, #ifndef OPENSSL_NO_GOST @@ -44,28 +46,33 @@ const struct ssl_sigalg sigalgs[] = { .value = SIGALG_GOSTR12_512_STREEBOG_512, .key_type = EVP_PKEY_GOSTR12_512, .md = EVP_streebog512, + .security_level = 0, }, #endif { .value = SIGALG_RSA_PKCS1_SHA384, .key_type = EVP_PKEY_RSA, .md = EVP_sha384, + .security_level = 4, }, { .value = SIGALG_ECDSA_SECP384R1_SHA384, .key_type = EVP_PKEY_EC, .md = EVP_sha384, + .security_level = 4, .curve_nid = NID_secp384r1, }, { .value = SIGALG_RSA_PKCS1_SHA256, .key_type = EVP_PKEY_RSA, .md = EVP_sha256, + .security_level = 3, }, { .value = SIGALG_ECDSA_SECP256R1_SHA256, .key_type = EVP_PKEY_EC, .md = EVP_sha256, + .security_level = 3, .curve_nid = NID_X9_62_prime256v1, }, #ifndef OPENSSL_NO_GOST @@ -73,73 +80,86 @@ const struct ssl_sigalg sigalgs[] = { .value = SIGALG_GOSTR12_256_STREEBOG_256, .key_type = EVP_PKEY_GOSTR12_256, .md = EVP_streebog256, + .security_level = 0, }, { .value = SIGALG_GOSTR01_GOST94, .key_type = EVP_PKEY_GOSTR01, .md = EVP_gostr341194, + .security_level = 0, /* XXX */ }, #endif { .value = SIGALG_RSA_PSS_RSAE_SHA256, .key_type = EVP_PKEY_RSA, .md = EVP_sha256, + .security_level = 3, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_RSAE_SHA384, .key_type = EVP_PKEY_RSA, .md = EVP_sha384, + .security_level = 4, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_RSAE_SHA512, .key_type = EVP_PKEY_RSA, .md = EVP_sha512, + .security_level = 5, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_PSS_SHA256, .key_type = EVP_PKEY_RSA, .md = EVP_sha256, + .security_level = 3, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_PSS_SHA384, .key_type = EVP_PKEY_RSA, .md = EVP_sha384, + .security_level = 4, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_PSS_SHA512, .key_type = EVP_PKEY_RSA, .md = EVP_sha512, + .security_level = 5, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PKCS1_SHA224, .key_type = EVP_PKEY_RSA, .md = EVP_sha224, + .security_level = 2, }, { .value = SIGALG_ECDSA_SECP224R1_SHA224, .key_type = EVP_PKEY_EC, .md = EVP_sha224, + .security_level = 2, }, { .value = SIGALG_RSA_PKCS1_SHA1, .key_type = EVP_PKEY_RSA, .md = EVP_sha1, + .security_level = 1, }, { .value = SIGALG_ECDSA_SHA1, .key_type = EVP_PKEY_EC, .md = EVP_sha1, + .security_level = 1, }, { .value = SIGALG_RSA_PKCS1_MD5_SHA1, .key_type = EVP_PKEY_RSA, .md = EVP_md5_sha1, + .security_level = 1, }, { .value = SIGALG_NONE, diff --git a/lib/libssl/ssl_sigalgs.h b/lib/libssl/ssl_sigalgs.h index beab11afd67..9f4a3a3c33d 100644 --- a/lib/libssl/ssl_sigalgs.h +++ b/lib/libssl/ssl_sigalgs.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.h,v 1.23 2021/06/29 19:25:59 jsing Exp $ */ +/* $OpenBSD: ssl_sigalgs.h,v 1.24 2022/06/29 07:53:00 tb Exp $ */ /* * Copyright (c) 2018-2019 Bob Beck * @@ -64,6 +64,7 @@ struct ssl_sigalg { uint16_t value; int key_type; const EVP_MD *(*md)(void); + int security_level; int curve_nid; int flags; }; -- 2.20.1