summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordoug <>2015-07-14 03:47:38 +0000
committerdoug <>2015-07-14 03:47:38 +0000
commitab8fee4a197bd05ef0521b71e04c32e20f8d271f (patch)
treedc0f83849a1ba3af398e904d3007fd1087888ff9
parentb127caa4bc904d0640762fea9bab8484ab517c85 (diff)
downloadopenbsd-ab8fee4a197bd05ef0521b71e04c32e20f8d271f.tar.gz
openbsd-ab8fee4a197bd05ef0521b71e04c32e20f8d271f.tar.bz2
openbsd-ab8fee4a197bd05ef0521b71e04c32e20f8d271f.zip
Convert ssl3_get_finished to CBS.
ok miod@ jsing@
Diffstat
-rw-r--r--src/lib/libssl/s3_both.c15
-rw-r--r--src/lib/libssl/src/ssl/s3_both.c15
2 files changed, 18 insertions, 12 deletions
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index d9484d77d8..63fea5217d 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_both.c,v 1.39 2015/06/18 22:51:05 doug Exp $ */ 1/* $OpenBSD: s3_both.c,v 1.40 2015/07/14 03:47:38 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -125,6 +125,8 @@
125#include <openssl/objects.h> 125#include <openssl/objects.h>
126#include <openssl/x509.h> 126#include <openssl/x509.h>
127 127
128#include "bytestring.h"
129
128/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ 130/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
129int 131int
130ssl3_do_write(SSL *s, int type) 132ssl3_do_write(SSL *s, int type)
@@ -222,8 +224,7 @@ ssl3_get_finished(SSL *s, int a, int b)
222{ 224{
223 int al, ok, md_len; 225 int al, ok, md_len;
224 long n; 226 long n;
225 unsigned char *p; 227 CBS cbs;
226
227 228
228 n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 229 n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED,
229 64, /* should actually be 36+4 :-) */ &ok); 230 64, /* should actually be 36+4 :-) */ &ok);
@@ -240,15 +241,17 @@ ssl3_get_finished(SSL *s, int a, int b)
240 s->s3->change_cipher_spec = 0; 241 s->s3->change_cipher_spec = 0;
241 242
242 md_len = s->method->ssl3_enc->finish_mac_length; 243 md_len = s->method->ssl3_enc->finish_mac_length;
243 p = (unsigned char *)s->init_msg;
244 244
245 if (s->s3->tmp.peer_finish_md_len != md_len || n != md_len) { 245 CBS_init(&cbs, s->init_msg, n);
246
247 if (n < 0 || s->s3->tmp.peer_finish_md_len != md_len ||
248 CBS_len(&cbs) != md_len) {
246 al = SSL_AD_DECODE_ERROR; 249 al = SSL_AD_DECODE_ERROR;
247 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH); 250 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
248 goto f_err; 251 goto f_err;
249 } 252 }
250 253
251 if (timingsafe_memcmp(p, s->s3->tmp.peer_finish_md, md_len) != 0) { 254 if (!CBS_mem_equal(&cbs, s->s3->tmp.peer_finish_md, CBS_len(&cbs))) {
252 al = SSL_AD_DECRYPT_ERROR; 255 al = SSL_AD_DECRYPT_ERROR;
253 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED); 256 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED);
254 goto f_err; 257 goto f_err;
diff --git a/src/lib/libssl/src/ssl/s3_both.c b/src/lib/libssl/src/ssl/s3_both.c
index d9484d77d8..63fea5217d 100644
--- a/src/lib/libssl/src/ssl/s3_both.c
+++ b/src/lib/libssl/src/ssl/s3_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_both.c,v 1.39 2015/06/18 22:51:05 doug Exp $ */ 1/* $OpenBSD: s3_both.c,v 1.40 2015/07/14 03:47:38 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -125,6 +125,8 @@
125#include <openssl/objects.h> 125#include <openssl/objects.h>
126#include <openssl/x509.h> 126#include <openssl/x509.h>
127 127
128#include "bytestring.h"
129
128/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ 130/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
129int 131int
130ssl3_do_write(SSL *s, int type) 132ssl3_do_write(SSL *s, int type)
@@ -222,8 +224,7 @@ ssl3_get_finished(SSL *s, int a, int b)
222{ 224{
223 int al, ok, md_len; 225 int al, ok, md_len;
224 long n; 226 long n;
225 unsigned char *p; 227 CBS cbs;
226
227 228
228 n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 229 n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED,
229 64, /* should actually be 36+4 :-) */ &ok); 230 64, /* should actually be 36+4 :-) */ &ok);
@@ -240,15 +241,17 @@ ssl3_get_finished(SSL *s, int a, int b)
240 s->s3->change_cipher_spec = 0; 241 s->s3->change_cipher_spec = 0;
241 242
242 md_len = s->method->ssl3_enc->finish_mac_length; 243 md_len = s->method->ssl3_enc->finish_mac_length;
243 p = (unsigned char *)s->init_msg;
244 244
245 if (s->s3->tmp.peer_finish_md_len != md_len || n != md_len) { 245 CBS_init(&cbs, s->init_msg, n);
246
247 if (n < 0 || s->s3->tmp.peer_finish_md_len != md_len ||
248 CBS_len(&cbs) != md_len) {
246 al = SSL_AD_DECODE_ERROR; 249 al = SSL_AD_DECODE_ERROR;
247 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH); 250 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
248 goto f_err; 251 goto f_err;
249 } 252 }
250 253
251 if (timingsafe_memcmp(p, s->s3->tmp.peer_finish_md, md_len) != 0) { 254 if (!CBS_mem_equal(&cbs, s->s3->tmp.peer_finish_md, CBS_len(&cbs))) {
252 al = SSL_AD_DECRYPT_ERROR; 255 al = SSL_AD_DECRYPT_ERROR;
253 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED); 256 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED);
254 goto f_err; 257 goto f_err;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 13:47:54 +0000