Convert ssl3_get_server_key_exchange() to CBS.

ok inoguchi@ tb@
author: jsing <> 2018-08-16 17:39:50 +0000
committer: jsing <> 2018-08-16 17:39:50 +0000
commit: 9cd1cb90ed6f3e1401ed5e8e6febe658cc5e4d61 (patch)
tree: b373f4cb97c8546fc6d21a90b12e5ff0f899b04c
parent: cc9764508a051dbe7f350aa5752adffacbe370f0 (diff)
download: openbsd-9cd1cb90ed6f3e1401ed5e8e6febe658cc5e4d61.tar.gz
openbsd-9cd1cb90ed6f3e1401ed5e8e6febe658cc5e4d61.tar.bz2
openbsd-9cd1cb90ed6f3e1401ed5e8e6febe658cc5e4d61.zip
1 files changed, 55 insertions, 69 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 83b2c1be58..c53fbda4ba 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.29 2018/08/14 16:31:02 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.30 2018/08/16 17:39:50 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1189,9 +1189,9 @@ err:
 }
 static int
-ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
+ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
 {
-        CBS cbs, dhp, dhg, dhpk;
+        CBS dhp, dhg, dhpk;
        BN_CTX *bn_ctx = NULL;
        SESS_CERT *sc = NULL;
        DH *dh = NULL;
@@ -1201,31 +1201,26 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
        alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
        sc = SSI(s)->sess_cert;
-        if (*nn < 0)
-                goto err;
-        CBS_init(&cbs, *pp, *nn);
        if ((dh = DH_new()) == NULL) {
                SSLerror(s, ERR_R_DH_LIB);
                goto err;
        }
-        if (!CBS_get_u16_length_prefixed(&cbs, &dhp))
+        if (!CBS_get_u16_length_prefixed(cbs, &dhp))
                goto truncated;
        if ((dh->p = BN_bin2bn(CBS_data(&dhp), CBS_len(&dhp), NULL)) == NULL) {
                SSLerror(s, ERR_R_BN_LIB);
                goto err;
        }
-        if (!CBS_get_u16_length_prefixed(&cbs, &dhg))
+        if (!CBS_get_u16_length_prefixed(cbs, &dhg))
                goto truncated;
        if ((dh->g = BN_bin2bn(CBS_data(&dhg), CBS_len(&dhg), NULL)) == NULL) {
                SSLerror(s, ERR_R_BN_LIB);
                goto err;
        }
-        if (!CBS_get_u16_length_prefixed(&cbs, &dhpk))
+        if (!CBS_get_u16_length_prefixed(cbs, &dhpk))
                goto truncated;
        if ((dh->pub_key = BN_bin2bn(CBS_data(&dhpk), CBS_len(&dhpk),
            NULL)) == NULL) {
@@ -1250,9 +1245,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
        sc->peer_dh_tmp = dh;
-        *nn = CBS_len(&cbs);
-        *pp = (unsigned char *)CBS_data(&cbs);
        return (1);
 truncated:
@@ -1353,9 +1345,9 @@ ssl3_get_server_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, int nid, CBS *public)
 }
 static int
-ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
+ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
 {
-        CBS cbs, public;
+        CBS public;
        uint8_t curve_type;
        uint16_t curve_id;
        SESS_CERT *sc;
@@ -1366,15 +1358,10 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
        alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
        sc = SSI(s)->sess_cert;
-        if (*nn < 0)
-                goto err;
-        CBS_init(&cbs, *pp, *nn);
        /* Only named curves are supported. */
-        if (!CBS_get_u8(&cbs, &curve_type) ||
+        if (!CBS_get_u8(cbs, &curve_type) ||
            curve_type != NAMED_CURVE_TYPE ||
-            !CBS_get_u16(&cbs, &curve_id)) {
+            !CBS_get_u16(cbs, &curve_id)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerror(s, SSL_R_LENGTH_TOO_SHORT);
                goto f_err;
@@ -1396,7 +1383,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
                goto f_err;
        }
-        if (!CBS_get_u8_length_prefixed(&cbs, &public))
+        if (!CBS_get_u8_length_prefixed(cbs, &public))
                goto truncated;
        if (nid == NID_X25519) {
@@ -1420,9 +1407,6 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
                /* XXX - Anonymous ECDH, so no certificate or pkey. */
                *pkey = NULL;
-        *nn = CBS_len(&cbs);
-        *pp = (unsigned char *)CBS_data(&cbs);
        return (1);
 truncated:
@@ -1439,12 +1423,17 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
 int
 ssl3_get_server_key_exchange(SSL *s)
 {
-        EVP_MD_CTX       md_ctx;
+        CBS cbs, signature;
-        unsigned char   *param, *p;
+        const EVP_MD *md = NULL;
-        int              al, i, j, param_len, ok;
+        EVP_PKEY *pkey = NULL;
-        long             n, alg_k, alg_a;
+        EVP_MD_CTX md_ctx;
-        EVP_PKEY        *pkey = NULL;
+        const unsigned char *param;
-        const            EVP_MD *md = NULL;
+        uint8_t hash_id, sig_id;
+        long n, alg_k, alg_a;
+        int al, ok, sigalg;
+        size_t param_len;
+        EVP_MD_CTX_init(&md_ctx);
        alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
        alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
@@ -1458,7 +1447,10 @@ ssl3_get_server_key_exchange(SSL *s)
        if (!ok)
                return ((int)n);
-        EVP_MD_CTX_init(&md_ctx);
+        if (n < 0)
+                goto err;
+        CBS_init(&cbs, s->internal->init_msg, n);
        if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
                /*
@@ -1491,14 +1483,14 @@ ssl3_get_server_key_exchange(SSL *s)
                        goto err;
        }
-        param = p = (unsigned char *)s->internal->init_msg;
+        param = CBS_data(&cbs);
-        param_len = n;
+        param_len = CBS_len(&cbs);
        if (alg_k & SSL_kDHE) {
-                if (ssl3_get_server_kex_dhe(s, &pkey, &p, &n) != 1)
+                if (ssl3_get_server_kex_dhe(s, &pkey, &cbs) != 1)
                        goto err;
        } else if (alg_k & SSL_kECDHE) {
-                if (ssl3_get_server_kex_ecdhe(s, &pkey, &p, &n) != 1)
+                if (ssl3_get_server_kex_ecdhe(s, &pkey, &cbs) != 1)
                        goto err;
        } else if (alg_k != 0) {
                al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -1506,47 +1498,42 @@ ssl3_get_server_key_exchange(SSL *s)
                        goto f_err;
        }
-        param_len = param_len - n;
+        param_len -= CBS_len(&cbs);
        /* if it was signed, check the signature */
        if (pkey != NULL) {
                if (SSL_USE_SIGALGS(s)) {
-                        int sigalg = tls12_get_sigid(pkey);
+                        if (!CBS_get_u8(&cbs, &hash_id))
-                        if (sigalg == -1) {
+                                goto truncated;
+                        if (!CBS_get_u8(&cbs, &sig_id))
+                                goto truncated;
+                        if ((md = tls12_get_hash(hash_id)) == NULL) {
+                                SSLerror(s, SSL_R_UNKNOWN_DIGEST);
+                                al = SSL_AD_DECODE_ERROR;
+                                goto f_err;
+                        }
+                        /* Check key type is consistent with signature. */
+                        if ((sigalg = tls12_get_sigid(pkey)) == -1) {
                                /* Should never happen */
                                SSLerror(s, ERR_R_INTERNAL_ERROR);
                                goto err;
                        }
-                        /* Check key type is consistent with signature. */
+                        if (sigalg != sig_id) {
-                        if (2 > n)
-                                goto truncated;
-                        if (sigalg != (int)p[1]) {
                                SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
                                al = SSL_AD_DECODE_ERROR;
                                goto f_err;
                        }
-                        md = tls12_get_hash(p[0]);
-                        if (md == NULL) {
-                                SSLerror(s, SSL_R_UNKNOWN_DIGEST);
-                                al = SSL_AD_DECODE_ERROR;
-                                goto f_err;
-                        }
-                        p += 2;
-                        n -= 2;
                } else if (pkey->type == EVP_PKEY_RSA) {
                        md = EVP_md5_sha1();
                } else {
                        md = EVP_sha1();
                }
-                if (2 > n)
+                if (!CBS_get_u16_length_prefixed(&cbs, &signature))
                        goto truncated;
-                n2s(p, i);
+                if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
-                n -= 2;
-                j = EVP_PKEY_size(pkey);
-                if (i != n || n > j) {
-                        /* wrong packet length */
                        al = SSL_AD_DECODE_ERROR;
                        SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH);
                        goto f_err;
@@ -1562,8 +1549,8 @@ ssl3_get_server_key_exchange(SSL *s)
                        goto err;
                if (!EVP_VerifyUpdate(&md_ctx, param, param_len))
                        goto err;
-                if (EVP_VerifyFinal(&md_ctx, p, (int)n, pkey) <= 0) {
+                if (EVP_VerifyFinal(&md_ctx, CBS_data(&signature),
-                        /* bad signature */
+                    CBS_len(&signature), pkey) <= 0) {
                        al = SSL_AD_DECRYPT_ERROR;
                        SSLerror(s, SSL_R_BAD_SIGNATURE);
                        goto f_err;
@@ -1574,12 +1561,12 @@ ssl3_get_server_key_exchange(SSL *s)
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        goto err;
                }
-                /* still data left over */
+        }
-                if (n != 0) {
-                        al = SSL_AD_DECODE_ERROR;
+        if (CBS_len(&cbs) != 0) {
-                        SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
+                al = SSL_AD_DECODE_ERROR;
-                        goto f_err;
+                SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
-                }
+                goto f_err;
        }
        EVP_PKEY_free(pkey);
@@ -1588,7 +1575,6 @@ ssl3_get_server_key_exchange(SSL *s)
        return (1);
 truncated:
-        /* wrong packet length */
        al = SSL_AD_DECODE_ERROR;
        SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
author	jsing <>	2018-08-16 17:39:50 +0000
committer	jsing <>	2018-08-16 17:39:50 +0000
commit	9cd1cb90ed6f3e1401ed5e8e6febe658cc5e4d61 (patch)
tree	b373f4cb97c8546fc6d21a90b12e5ff0f899b04c
parent	cc9764508a051dbe7f350aa5752adffacbe370f0 (diff)
download	openbsd-9cd1cb90ed6f3e1401ed5e8e6febe658cc5e4d61.tar.gz openbsd-9cd1cb90ed6f3e1401ed5e8e6febe658cc5e4d61.tar.bz2 openbsd-9cd1cb90ed6f3e1401ed5e8e6febe658cc5e4d61.zip

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 83b2c1be58..c53fbda4ba 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.29 2018/08/14 16:31:02 jsing Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.30 2018/08/16 17:39:50 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1189,9 +1189,9 @@ err:
1189	}	1189	}
1190		1190
1191	static int	1191	static int
1192	ssl3_get_server_kex_dhe(SSL s, EVP_PKEY pkey, unsigned char pp, long nn)	1192	ssl3_get_server_kex_dhe(SSL s, EVP_PKEY pkey, CBS cbs)
1193	{	1193	{
1194	CBS cbs, dhp, dhg, dhpk;	1194	CBS dhp, dhg, dhpk;
1195	BN_CTX *bn_ctx = NULL;	1195	BN_CTX *bn_ctx = NULL;
1196	SESS_CERT *sc = NULL;	1196	SESS_CERT *sc = NULL;
1197	DH *dh = NULL;	1197	DH *dh = NULL;
@@ -1201,31 +1201,26 @@ ssl3_get_server_kex_dhe(SSL s, EVP_PKEY pkey, unsigned char pp, long nn)
1201	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;	1201	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
1202	sc = SSI(s)->sess_cert;	1202	sc = SSI(s)->sess_cert;
1203		1203
1204	if (*nn < 0)
1205	goto err;
1206
1207	CBS_init(&cbs, pp, nn);
1208
1209	if ((dh = DH_new()) == NULL) {	1204	if ((dh = DH_new()) == NULL) {
1210	SSLerror(s, ERR_R_DH_LIB);	1205	SSLerror(s, ERR_R_DH_LIB);
1211	goto err;	1206	goto err;
1212	}	1207	}
1213		1208
1214	if (!CBS_get_u16_length_prefixed(&cbs, &dhp))	1209	if (!CBS_get_u16_length_prefixed(cbs, &dhp))
1215	goto truncated;	1210	goto truncated;
1216	if ((dh->p = BN_bin2bn(CBS_data(&dhp), CBS_len(&dhp), NULL)) == NULL) {	1211	if ((dh->p = BN_bin2bn(CBS_data(&dhp), CBS_len(&dhp), NULL)) == NULL) {
1217	SSLerror(s, ERR_R_BN_LIB);	1212	SSLerror(s, ERR_R_BN_LIB);
1218	goto err;	1213	goto err;
1219	}	1214	}
1220		1215
1221	if (!CBS_get_u16_length_prefixed(&cbs, &dhg))	1216	if (!CBS_get_u16_length_prefixed(cbs, &dhg))
1222	goto truncated;	1217	goto truncated;
1223	if ((dh->g = BN_bin2bn(CBS_data(&dhg), CBS_len(&dhg), NULL)) == NULL) {	1218	if ((dh->g = BN_bin2bn(CBS_data(&dhg), CBS_len(&dhg), NULL)) == NULL) {
1224	SSLerror(s, ERR_R_BN_LIB);	1219	SSLerror(s, ERR_R_BN_LIB);
1225	goto err;	1220	goto err;
1226	}	1221	}
1227		1222
1228	if (!CBS_get_u16_length_prefixed(&cbs, &dhpk))	1223	if (!CBS_get_u16_length_prefixed(cbs, &dhpk))
1229	goto truncated;	1224	goto truncated;
1230	if ((dh->pub_key = BN_bin2bn(CBS_data(&dhpk), CBS_len(&dhpk),	1225	if ((dh->pub_key = BN_bin2bn(CBS_data(&dhpk), CBS_len(&dhpk),
1231	NULL)) == NULL) {	1226	NULL)) == NULL) {
@@ -1250,9 +1245,6 @@ ssl3_get_server_kex_dhe(SSL s, EVP_PKEY pkey, unsigned char pp, long nn)
1250		1245
1251	sc->peer_dh_tmp = dh;	1246	sc->peer_dh_tmp = dh;
1252		1247
1253	*nn = CBS_len(&cbs);
1254	pp = (unsigned char )CBS_data(&cbs);
1255
1256	return (1);	1248	return (1);
1257		1249
1258	truncated:	1250	truncated:
@@ -1353,9 +1345,9 @@ ssl3_get_server_kex_ecdhe_ecx(SSL s, SESS_CERT sc, int nid, CBS *public)
1353	}	1345	}
1354		1346
1355	static int	1347	static int
1356	ssl3_get_server_kex_ecdhe(SSL s, EVP_PKEY pkey, unsigned char pp, long nn)	1348	ssl3_get_server_kex_ecdhe(SSL s, EVP_PKEY pkey, CBS cbs)
1357	{	1349	{
1358	CBS cbs, public;	1350	CBS public;
1359	uint8_t curve_type;	1351	uint8_t curve_type;
1360	uint16_t curve_id;	1352	uint16_t curve_id;
1361	SESS_CERT *sc;	1353	SESS_CERT *sc;
@@ -1366,15 +1358,10 @@ ssl3_get_server_kex_ecdhe(SSL s, EVP_PKEY pkey, unsigned char pp, long nn)
1366	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;	1358	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
1367	sc = SSI(s)->sess_cert;	1359	sc = SSI(s)->sess_cert;
1368		1360
1369	if (*nn < 0)
1370	goto err;
1371
1372	CBS_init(&cbs, pp, nn);
1373
1374	/* Only named curves are supported. */	1361	/* Only named curves are supported. */
1375	if (!CBS_get_u8(&cbs, &curve_type) \|\|	1362	if (!CBS_get_u8(cbs, &curve_type) \|\|
1376	curve_type != NAMED_CURVE_TYPE \|\|	1363	curve_type != NAMED_CURVE_TYPE \|\|
1377	!CBS_get_u16(&cbs, &curve_id)) {	1364	!CBS_get_u16(cbs, &curve_id)) {
1378	al = SSL_AD_DECODE_ERROR;	1365	al = SSL_AD_DECODE_ERROR;
1379	SSLerror(s, SSL_R_LENGTH_TOO_SHORT);	1366	SSLerror(s, SSL_R_LENGTH_TOO_SHORT);
1380	goto f_err;	1367	goto f_err;
@@ -1396,7 +1383,7 @@ ssl3_get_server_kex_ecdhe(SSL s, EVP_PKEY pkey, unsigned char pp, long nn)
1396	goto f_err;	1383	goto f_err;
1397	}	1384	}
1398		1385
1399	if (!CBS_get_u8_length_prefixed(&cbs, &public))	1386	if (!CBS_get_u8_length_prefixed(cbs, &public))
1400	goto truncated;	1387	goto truncated;
1401		1388
1402	if (nid == NID_X25519) {	1389	if (nid == NID_X25519) {
@@ -1420,9 +1407,6 @@ ssl3_get_server_kex_ecdhe(SSL s, EVP_PKEY pkey, unsigned char pp, long nn)
1420	/* XXX - Anonymous ECDH, so no certificate or pkey. */	1407	/* XXX - Anonymous ECDH, so no certificate or pkey. */
1421	*pkey = NULL;	1408	*pkey = NULL;
1422		1409
1423	*nn = CBS_len(&cbs);
1424	pp = (unsigned char )CBS_data(&cbs);
1425
1426	return (1);	1410	return (1);
1427		1411
1428	truncated:	1412	truncated:
@@ -1439,12 +1423,17 @@ ssl3_get_server_kex_ecdhe(SSL s, EVP_PKEY pkey, unsigned char pp, long nn)
1439	int	1423	int
1440	ssl3_get_server_key_exchange(SSL *s)	1424	ssl3_get_server_key_exchange(SSL *s)
1441	{	1425	{
1442	EVP_MD_CTX md_ctx;	1426	CBS cbs, signature;
1443	unsigned char param, p;	1427	const EVP_MD *md = NULL;
1444	int al, i, j, param_len, ok;	1428	EVP_PKEY *pkey = NULL;
1445	long n, alg_k, alg_a;	1429	EVP_MD_CTX md_ctx;
1446	EVP_PKEY *pkey = NULL;	1430	const unsigned char *param;
1447	const EVP_MD *md = NULL;	1431	uint8_t hash_id, sig_id;
		1432	long n, alg_k, alg_a;
		1433	int al, ok, sigalg;
		1434	size_t param_len;
		1435
		1436	EVP_MD_CTX_init(&md_ctx);
1448		1437
1449	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;	1438	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
1450	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;	1439	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
@@ -1458,7 +1447,10 @@ ssl3_get_server_key_exchange(SSL *s)
1458	if (!ok)	1447	if (!ok)
1459	return ((int)n);	1448	return ((int)n);
1460		1449
1461	EVP_MD_CTX_init(&md_ctx);	1450	if (n < 0)
		1451	goto err;
		1452
		1453	CBS_init(&cbs, s->internal->init_msg, n);
1462		1454
1463	if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {	1455	if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1464	/*	1456	/*
@@ -1491,14 +1483,14 @@ ssl3_get_server_key_exchange(SSL *s)
1491	goto err;	1483	goto err;
1492	}	1484	}
1493		1485
1494	param = p = (unsigned char *)s->internal->init_msg;	1486	param = CBS_data(&cbs);
1495	param_len = n;	1487	param_len = CBS_len(&cbs);
1496		1488
1497	if (alg_k & SSL_kDHE) {	1489	if (alg_k & SSL_kDHE) {
1498	if (ssl3_get_server_kex_dhe(s, &pkey, &p, &n) != 1)	1490	if (ssl3_get_server_kex_dhe(s, &pkey, &cbs) != 1)
1499	goto err;	1491	goto err;
1500	} else if (alg_k & SSL_kECDHE) {	1492	} else if (alg_k & SSL_kECDHE) {
1501	if (ssl3_get_server_kex_ecdhe(s, &pkey, &p, &n) != 1)	1493	if (ssl3_get_server_kex_ecdhe(s, &pkey, &cbs) != 1)
1502	goto err;	1494	goto err;
1503	} else if (alg_k != 0) {	1495	} else if (alg_k != 0) {
1504	al = SSL_AD_UNEXPECTED_MESSAGE;	1496	al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -1506,47 +1498,42 @@ ssl3_get_server_key_exchange(SSL *s)
1506	goto f_err;	1498	goto f_err;
1507	}	1499	}
1508		1500
1509	param_len = param_len - n;	1501	param_len -= CBS_len(&cbs);
1510		1502
1511	/* if it was signed, check the signature */	1503	/* if it was signed, check the signature */
1512	if (pkey != NULL) {	1504	if (pkey != NULL) {
1513	if (SSL_USE_SIGALGS(s)) {	1505	if (SSL_USE_SIGALGS(s)) {
1514	int sigalg = tls12_get_sigid(pkey);	1506	if (!CBS_get_u8(&cbs, &hash_id))
1515	if (sigalg == -1) {	1507	goto truncated;
		1508	if (!CBS_get_u8(&cbs, &sig_id))
		1509	goto truncated;
		1510
		1511	if ((md = tls12_get_hash(hash_id)) == NULL) {
		1512	SSLerror(s, SSL_R_UNKNOWN_DIGEST);
		1513	al = SSL_AD_DECODE_ERROR;
		1514	goto f_err;
		1515	}
		1516
		1517	/* Check key type is consistent with signature. */
		1518	if ((sigalg = tls12_get_sigid(pkey)) == -1) {
1516	/* Should never happen */	1519	/* Should never happen */
1517	SSLerror(s, ERR_R_INTERNAL_ERROR);	1520	SSLerror(s, ERR_R_INTERNAL_ERROR);
1518	goto err;	1521	goto err;
1519	}	1522	}
1520	/* Check key type is consistent with signature. */	1523	if (sigalg != sig_id) {
1521	if (2 > n)
1522	goto truncated;
1523	if (sigalg != (int)p[1]) {
1524	SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);	1524	SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
1525	al = SSL_AD_DECODE_ERROR;	1525	al = SSL_AD_DECODE_ERROR;
1526	goto f_err;	1526	goto f_err;
1527	}	1527	}
1528	md = tls12_get_hash(p[0]);
1529	if (md == NULL) {
1530	SSLerror(s, SSL_R_UNKNOWN_DIGEST);
1531	al = SSL_AD_DECODE_ERROR;
1532	goto f_err;
1533	}
1534	p += 2;
1535	n -= 2;
1536	} else if (pkey->type == EVP_PKEY_RSA) {	1528	} else if (pkey->type == EVP_PKEY_RSA) {
1537	md = EVP_md5_sha1();	1529	md = EVP_md5_sha1();
1538	} else {	1530	} else {
1539	md = EVP_sha1();	1531	md = EVP_sha1();
1540	}	1532	}
1541		1533
1542	if (2 > n)	1534	if (!CBS_get_u16_length_prefixed(&cbs, &signature))
1543	goto truncated;	1535	goto truncated;
1544	n2s(p, i);	1536	if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
1545	n -= 2;
1546	j = EVP_PKEY_size(pkey);
1547
1548	if (i != n \|\| n > j) {
1549	/* wrong packet length */
1550	al = SSL_AD_DECODE_ERROR;	1537	al = SSL_AD_DECODE_ERROR;
1551	SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH);	1538	SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH);
1552	goto f_err;	1539	goto f_err;
@@ -1562,8 +1549,8 @@ ssl3_get_server_key_exchange(SSL *s)
1562	goto err;	1549	goto err;
1563	if (!EVP_VerifyUpdate(&md_ctx, param, param_len))	1550	if (!EVP_VerifyUpdate(&md_ctx, param, param_len))
1564	goto err;	1551	goto err;
1565	if (EVP_VerifyFinal(&md_ctx, p, (int)n, pkey) <= 0) {	1552	if (EVP_VerifyFinal(&md_ctx, CBS_data(&signature),
1566	/* bad signature */	1553	CBS_len(&signature), pkey) <= 0) {
1567	al = SSL_AD_DECRYPT_ERROR;	1554	al = SSL_AD_DECRYPT_ERROR;
1568	SSLerror(s, SSL_R_BAD_SIGNATURE);	1555	SSLerror(s, SSL_R_BAD_SIGNATURE);
1569	goto f_err;	1556	goto f_err;
@@ -1574,12 +1561,12 @@ ssl3_get_server_key_exchange(SSL *s)
1574	SSLerror(s, ERR_R_INTERNAL_ERROR);	1561	SSLerror(s, ERR_R_INTERNAL_ERROR);
1575	goto err;	1562	goto err;
1576	}	1563	}
1577	/* still data left over */	1564	}
1578	if (n != 0) {	1565
1579	al = SSL_AD_DECODE_ERROR;	1566	if (CBS_len(&cbs) != 0) {
1580	SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);	1567	al = SSL_AD_DECODE_ERROR;
1581	goto f_err;	1568	SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
1582	}	1569	goto f_err;
1583	}	1570	}
1584		1571
1585	EVP_PKEY_free(pkey);	1572	EVP_PKEY_free(pkey);
@@ -1588,7 +1575,6 @@ ssl3_get_server_key_exchange(SSL *s)
1588	return (1);	1575	return (1);
1589		1576
1590	truncated:	1577	truncated:
1591	/* wrong packet length */
1592	al = SSL_AD_DECODE_ERROR;	1578	al = SSL_AD_DECODE_ERROR;
1593	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);	1579	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1594		1580