diff options
| author | tb <> | 2023-06-11 19:01:01 +0000 |
|---|---|---|
| committer | tb <> | 2023-06-11 19:01:01 +0000 |
| commit | 3e78f2fb356efca03fc4bfdadb63b49114e128a2 (patch) | |
| tree | 857746157a022e2a8e92ad5ea6c98c37f02c1123 | |
| parent | 9ca5a491a6bf2cf73c12da0cc924a6a0c445f762 (diff) | |
| download | openbsd-3e78f2fb356efca03fc4bfdadb63b49114e128a2.tar.gz openbsd-3e78f2fb356efca03fc4bfdadb63b49114e128a2.tar.bz2 openbsd-3e78f2fb356efca03fc4bfdadb63b49114e128a2.zip | |
Convert legacy server kex to one-shot sign/verify
This converts ssl3_{get,send}_server_key_exchange() to EVP_DigestVerify()
and EVP_DigestSign(). In order to do this, build the full signed_params
up front and rework the way the key exchange parameters are constructed.
This way we can do the verify and sign steps in one go and at the same
use a more idiomatic approach with CBB/CBS.
with/ok jsing
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 44 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_srvr.c | 65 |
2 files changed, 62 insertions, 47 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 2ab90b5c37..6aea590132 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.159 2023/06/11 18:50:51 tb Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.160 2023/06/11 19:01:01 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1299,13 +1299,17 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs) | |||
| 1299 | static int | 1299 | static int |
| 1300 | ssl3_get_server_key_exchange(SSL *s) | 1300 | ssl3_get_server_key_exchange(SSL *s) |
| 1301 | { | 1301 | { |
| 1302 | CBS cbs, signature; | 1302 | CBB cbb; |
| 1303 | CBS cbs, params, signature; | ||
| 1303 | EVP_MD_CTX *md_ctx; | 1304 | EVP_MD_CTX *md_ctx; |
| 1304 | const unsigned char *param; | 1305 | unsigned char *signed_params = NULL; |
| 1305 | size_t param_len; | 1306 | size_t signed_params_len; |
| 1307 | size_t params_len; | ||
| 1306 | long alg_k, alg_a; | 1308 | long alg_k, alg_a; |
| 1307 | int al, ret; | 1309 | int al, ret; |
| 1308 | 1310 | ||
| 1311 | memset(&cbb, 0, sizeof(cbb)); | ||
| 1312 | |||
| 1309 | alg_k = s->s3->hs.cipher->algorithm_mkey; | 1313 | alg_k = s->s3->hs.cipher->algorithm_mkey; |
| 1310 | alg_a = s->s3->hs.cipher->algorithm_auth; | 1314 | alg_a = s->s3->hs.cipher->algorithm_auth; |
| 1311 | 1315 | ||
| @@ -1341,8 +1345,14 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1341 | return (1); | 1345 | return (1); |
| 1342 | } | 1346 | } |
| 1343 | 1347 | ||
| 1344 | param = CBS_data(&cbs); | 1348 | if (!CBB_init(&cbb, 0)) |
| 1345 | param_len = CBS_len(&cbs); | 1349 | goto err; |
| 1350 | if (!CBB_add_bytes(&cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) | ||
| 1351 | goto err; | ||
| 1352 | if (!CBB_add_bytes(&cbb, s->s3->server_random, SSL3_RANDOM_SIZE)) | ||
| 1353 | goto err; | ||
| 1354 | |||
| 1355 | CBS_dup(&cbs, ¶ms); | ||
| 1346 | 1356 | ||
| 1347 | if (alg_k & SSL_kDHE) { | 1357 | if (alg_k & SSL_kDHE) { |
| 1348 | if (!ssl3_get_server_kex_dhe(s, &cbs)) | 1358 | if (!ssl3_get_server_kex_dhe(s, &cbs)) |
| @@ -1356,7 +1366,12 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1356 | goto fatal_err; | 1366 | goto fatal_err; |
| 1357 | } | 1367 | } |
| 1358 | 1368 | ||
| 1359 | param_len -= CBS_len(&cbs); | 1369 | if ((params_len = CBS_offset(&cbs)) > CBS_len(¶ms)) |
| 1370 | goto err; | ||
| 1371 | if (!CBB_add_bytes(&cbb, CBS_data(¶ms), params_len)) | ||
| 1372 | goto err; | ||
| 1373 | if (!CBB_finish(&cbb, &signed_params, &signed_params_len)) | ||
| 1374 | goto err; | ||
| 1360 | 1375 | ||
| 1361 | /* if it was signed, check the signature */ | 1376 | /* if it was signed, check the signature */ |
| 1362 | if ((alg_a & SSL_aNULL) == 0) { | 1377 | if ((alg_a & SSL_aNULL) == 0) { |
| @@ -1400,21 +1415,13 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1400 | if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(), | 1415 | if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(), |
| 1401 | NULL, pkey)) | 1416 | NULL, pkey)) |
| 1402 | goto err; | 1417 | goto err; |
| 1403 | if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->client_random, | ||
| 1404 | SSL3_RANDOM_SIZE)) | ||
| 1405 | goto err; | ||
| 1406 | if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && | 1418 | if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && |
| 1407 | (!EVP_PKEY_CTX_set_rsa_padding(pctx, | 1419 | (!EVP_PKEY_CTX_set_rsa_padding(pctx, |
| 1408 | RSA_PKCS1_PSS_PADDING) || | 1420 | RSA_PKCS1_PSS_PADDING) || |
| 1409 | !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) | 1421 | !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) |
| 1410 | goto err; | 1422 | goto err; |
| 1411 | if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->server_random, | 1423 | if (EVP_DigestVerify(md_ctx, CBS_data(&signature), |
| 1412 | SSL3_RANDOM_SIZE)) | 1424 | CBS_len(&signature), signed_params, signed_params_len) <= 0) { |
| 1413 | goto err; | ||
| 1414 | if (!EVP_DigestVerifyUpdate(md_ctx, param, param_len)) | ||
| 1415 | goto err; | ||
| 1416 | if (EVP_DigestVerifyFinal(md_ctx, CBS_data(&signature), | ||
| 1417 | CBS_len(&signature)) <= 0) { | ||
| 1418 | al = SSL_AD_DECRYPT_ERROR; | 1425 | al = SSL_AD_DECRYPT_ERROR; |
| 1419 | SSLerror(s, SSL_R_BAD_SIGNATURE); | 1426 | SSLerror(s, SSL_R_BAD_SIGNATURE); |
| 1420 | goto fatal_err; | 1427 | goto fatal_err; |
| @@ -1428,6 +1435,7 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1428 | } | 1435 | } |
| 1429 | 1436 | ||
| 1430 | EVP_MD_CTX_free(md_ctx); | 1437 | EVP_MD_CTX_free(md_ctx); |
| 1438 | free(signed_params); | ||
| 1431 | 1439 | ||
| 1432 | return (1); | 1440 | return (1); |
| 1433 | 1441 | ||
| @@ -1439,7 +1447,9 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1439 | ssl3_send_alert(s, SSL3_AL_FATAL, al); | 1447 | ssl3_send_alert(s, SSL3_AL_FATAL, al); |
| 1440 | 1448 | ||
| 1441 | err: | 1449 | err: |
| 1450 | CBB_cleanup(&cbb); | ||
| 1442 | EVP_MD_CTX_free(md_ctx); | 1451 | EVP_MD_CTX_free(md_ctx); |
| 1452 | free(signed_params); | ||
| 1443 | 1453 | ||
| 1444 | return (-1); | 1454 | return (-1); |
| 1445 | } | 1455 | } |
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index d0814a8455..8edbf77156 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_srvr.c,v 1.154 2023/06/11 18:50:51 tb Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.155 2023/06/11 19:01:01 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1431,12 +1431,13 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb) | |||
| 1431 | static int | 1431 | static int |
| 1432 | ssl3_send_server_key_exchange(SSL *s) | 1432 | ssl3_send_server_key_exchange(SSL *s) |
| 1433 | { | 1433 | { |
| 1434 | CBB cbb, cbb_params, cbb_signature, server_kex; | 1434 | CBB cbb, cbb_signature, cbb_signed_params, server_kex; |
| 1435 | CBS params; | ||
| 1435 | const struct ssl_sigalg *sigalg = NULL; | 1436 | const struct ssl_sigalg *sigalg = NULL; |
| 1437 | unsigned char *signed_params = NULL; | ||
| 1438 | size_t signed_params_len; | ||
| 1436 | unsigned char *signature = NULL; | 1439 | unsigned char *signature = NULL; |
| 1437 | size_t signature_len = 0; | 1440 | size_t signature_len = 0; |
| 1438 | unsigned char *params = NULL; | ||
| 1439 | size_t params_len; | ||
| 1440 | const EVP_MD *md = NULL; | 1441 | const EVP_MD *md = NULL; |
| 1441 | unsigned long type; | 1442 | unsigned long type; |
| 1442 | EVP_MD_CTX *md_ctx = NULL; | 1443 | EVP_MD_CTX *md_ctx = NULL; |
| @@ -1445,7 +1446,7 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1445 | int al; | 1446 | int al; |
| 1446 | 1447 | ||
| 1447 | memset(&cbb, 0, sizeof(cbb)); | 1448 | memset(&cbb, 0, sizeof(cbb)); |
| 1448 | memset(&cbb_params, 0, sizeof(cbb_params)); | 1449 | memset(&cbb_signed_params, 0, sizeof(cbb_signed_params)); |
| 1449 | 1450 | ||
| 1450 | if ((md_ctx = EVP_MD_CTX_new()) == NULL) | 1451 | if ((md_ctx = EVP_MD_CTX_new()) == NULL) |
| 1451 | goto err; | 1452 | goto err; |
| @@ -1456,15 +1457,26 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1456 | SSL3_MT_SERVER_KEY_EXCHANGE)) | 1457 | SSL3_MT_SERVER_KEY_EXCHANGE)) |
| 1457 | goto err; | 1458 | goto err; |
| 1458 | 1459 | ||
| 1459 | if (!CBB_init(&cbb_params, 0)) | 1460 | if (!CBB_init(&cbb_signed_params, 0)) |
| 1460 | goto err; | 1461 | goto err; |
| 1461 | 1462 | ||
| 1463 | if (!CBB_add_bytes(&cbb_signed_params, s->s3->client_random, | ||
| 1464 | SSL3_RANDOM_SIZE)) { | ||
| 1465 | SSLerror(s, ERR_R_INTERNAL_ERROR); | ||
| 1466 | goto err; | ||
| 1467 | } | ||
| 1468 | if (!CBB_add_bytes(&cbb_signed_params, s->s3->server_random, | ||
| 1469 | SSL3_RANDOM_SIZE)) { | ||
| 1470 | SSLerror(s, ERR_R_INTERNAL_ERROR); | ||
| 1471 | goto err; | ||
| 1472 | } | ||
| 1473 | |||
| 1462 | type = s->s3->hs.cipher->algorithm_mkey; | 1474 | type = s->s3->hs.cipher->algorithm_mkey; |
| 1463 | if (type & SSL_kDHE) { | 1475 | if (type & SSL_kDHE) { |
| 1464 | if (!ssl3_send_server_kex_dhe(s, &cbb_params)) | 1476 | if (!ssl3_send_server_kex_dhe(s, &cbb_signed_params)) |
| 1465 | goto err; | 1477 | goto err; |
| 1466 | } else if (type & SSL_kECDHE) { | 1478 | } else if (type & SSL_kECDHE) { |
| 1467 | if (!ssl3_send_server_kex_ecdhe(s, &cbb_params)) | 1479 | if (!ssl3_send_server_kex_ecdhe(s, &cbb_signed_params)) |
| 1468 | goto err; | 1480 | goto err; |
| 1469 | } else { | 1481 | } else { |
| 1470 | al = SSL_AD_HANDSHAKE_FAILURE; | 1482 | al = SSL_AD_HANDSHAKE_FAILURE; |
| @@ -1472,10 +1484,16 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1472 | goto fatal_err; | 1484 | goto fatal_err; |
| 1473 | } | 1485 | } |
| 1474 | 1486 | ||
| 1475 | if (!CBB_finish(&cbb_params, ¶ms, ¶ms_len)) | 1487 | if (!CBB_finish(&cbb_signed_params, &signed_params, |
| 1488 | &signed_params_len)) | ||
| 1489 | goto err; | ||
| 1490 | |||
| 1491 | CBS_init(¶ms, signed_params, signed_params_len); | ||
| 1492 | if (!CBS_skip(¶ms, 2 * SSL3_RANDOM_SIZE)) | ||
| 1476 | goto err; | 1493 | goto err; |
| 1477 | 1494 | ||
| 1478 | if (!CBB_add_bytes(&server_kex, params, params_len)) | 1495 | if (!CBB_add_bytes(&server_kex, CBS_data(¶ms), |
| 1496 | CBS_len(¶ms))) | ||
| 1479 | goto err; | 1497 | goto err; |
| 1480 | 1498 | ||
| 1481 | /* Add signature unless anonymous. */ | 1499 | /* Add signature unless anonymous. */ |
| @@ -1507,22 +1525,8 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1507 | SSLerror(s, ERR_R_EVP_LIB); | 1525 | SSLerror(s, ERR_R_EVP_LIB); |
| 1508 | goto err; | 1526 | goto err; |
| 1509 | } | 1527 | } |
| 1510 | if (!EVP_DigestSignUpdate(md_ctx, s->s3->client_random, | 1528 | if (!EVP_DigestSign(md_ctx, NULL, &signature_len, |
| 1511 | SSL3_RANDOM_SIZE)) { | 1529 | signed_params, signed_params_len)) { |
| 1512 | SSLerror(s, ERR_R_EVP_LIB); | ||
| 1513 | goto err; | ||
| 1514 | } | ||
| 1515 | if (!EVP_DigestSignUpdate(md_ctx, s->s3->server_random, | ||
| 1516 | SSL3_RANDOM_SIZE)) { | ||
| 1517 | SSLerror(s, ERR_R_EVP_LIB); | ||
| 1518 | goto err; | ||
| 1519 | } | ||
| 1520 | if (!EVP_DigestSignUpdate(md_ctx, params, params_len)) { | ||
| 1521 | SSLerror(s, ERR_R_EVP_LIB); | ||
| 1522 | goto err; | ||
| 1523 | } | ||
| 1524 | if (!EVP_DigestSignFinal(md_ctx, NULL, &signature_len) || | ||
| 1525 | !signature_len) { | ||
| 1526 | SSLerror(s, ERR_R_EVP_LIB); | 1530 | SSLerror(s, ERR_R_EVP_LIB); |
| 1527 | goto err; | 1531 | goto err; |
| 1528 | } | 1532 | } |
| @@ -1530,7 +1534,8 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1530 | SSLerror(s, ERR_R_MALLOC_FAILURE); | 1534 | SSLerror(s, ERR_R_MALLOC_FAILURE); |
| 1531 | goto err; | 1535 | goto err; |
| 1532 | } | 1536 | } |
| 1533 | if (!EVP_DigestSignFinal(md_ctx, signature, &signature_len)) { | 1537 | if (!EVP_DigestSign(md_ctx, signature, &signature_len, |
| 1538 | signed_params, signed_params_len)) { | ||
| 1534 | SSLerror(s, ERR_R_EVP_LIB); | 1539 | SSLerror(s, ERR_R_EVP_LIB); |
| 1535 | goto err; | 1540 | goto err; |
| 1536 | } | 1541 | } |
| @@ -1550,19 +1555,19 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1550 | } | 1555 | } |
| 1551 | 1556 | ||
| 1552 | EVP_MD_CTX_free(md_ctx); | 1557 | EVP_MD_CTX_free(md_ctx); |
| 1553 | free(params); | ||
| 1554 | free(signature); | 1558 | free(signature); |
| 1559 | free(signed_params); | ||
| 1555 | 1560 | ||
| 1556 | return (ssl3_handshake_write(s)); | 1561 | return (ssl3_handshake_write(s)); |
| 1557 | 1562 | ||
| 1558 | fatal_err: | 1563 | fatal_err: |
| 1559 | ssl3_send_alert(s, SSL3_AL_FATAL, al); | 1564 | ssl3_send_alert(s, SSL3_AL_FATAL, al); |
| 1560 | err: | 1565 | err: |
| 1561 | CBB_cleanup(&cbb_params); | 1566 | CBB_cleanup(&cbb_signed_params); |
| 1562 | CBB_cleanup(&cbb); | 1567 | CBB_cleanup(&cbb); |
| 1563 | EVP_MD_CTX_free(md_ctx); | 1568 | EVP_MD_CTX_free(md_ctx); |
| 1564 | free(params); | ||
| 1565 | free(signature); | 1569 | free(signature); |
| 1570 | free(signed_params); | ||
| 1566 | 1571 | ||
| 1567 | return (-1); | 1572 | return (-1); |
| 1568 | } | 1573 | } |