authorbeck <>2018-11-10 01:19:09 +0000
committerbeck <>2018-11-10 01:19:09 +0000
commit1dd4b0628e51e31516f047e02f51b266d74539df (patch)
tree7a38d18aacac062bf470573f237552369c229a80 /src/lib/libssl/ssl_clnt.c
parentbd7257fa650660bcef2977e47cf52e067801b716 (diff)
Stop keeping track of sigalgs by guessing them from the digest and pkey;
just keep the sigalg around so we can remember what we actually decided to use. ok jsing@
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl_clnt.c24
1 files changed, 12 insertions, 12 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index e9e098aa28..ac2cddacf9 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.40 2018/11/09 17:43:31 jsing Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.41 2018/11/10 01:19:09 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1509,17 +1509,19 @@ ssl3_get_server_key_exchange(SSL *s)
1509 /* if it was signed, check the signature */ 1509 /* if it was signed, check the signature */
1510 if (pkey != NULL) { 1510 if (pkey != NULL) {
1511 if (SSL_USE_SIGALGS(s)) { 1511 if (SSL_USE_SIGALGS(s)) {
1512 uint16_t sigalg; 1512 const struct ssl_sigalg *sigalg;
1513 uint16_t sigalg_value;
1513 1514
1514 if (!CBS_get_u16(&cbs, &sigalg)) 1515 if (!CBS_get_u16(&cbs, &sigalg_value))
1515 goto truncated; 1516 goto truncated;
1516 if ((md = ssl_sigalg_md(sigalg, tls12_sigalgs, 1517 if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs,
1517 tls12_sigalgs_len)) == NULL) { 1518 tls12_sigalgs_len)) == NULL ||
1519 (md = sigalg->md()) == NULL) {
1518 SSLerror(s, SSL_R_UNKNOWN_DIGEST); 1520 SSLerror(s, SSL_R_UNKNOWN_DIGEST);
1519 al = SSL_AD_DECODE_ERROR; 1521 al = SSL_AD_DECODE_ERROR;
1520 goto f_err; 1522 goto f_err;
1521 } 1523 }
1522 if (!ssl_sigalg_pkey_check(sigalg, pkey)) { 1524 if (sigalg->key_type != pkey->type) {
1523 SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); 1525 SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
1524 al = SSL_AD_DECODE_ERROR; 1526 al = SSL_AD_DECODE_ERROR;
1525 goto f_err; 1527 goto f_err;
@@ -2405,13 +2407,10 @@ ssl3_send_client_verify(SSL *s)
2405 * using agreed digest and cached handshake records. 2407 * using agreed digest and cached handshake records.
2406 */ 2408 */
2407 if (SSL_USE_SIGALGS(s)) { 2409 if (SSL_USE_SIGALGS(s)) {
2408 uint16_t sigalg; 2410 md = s->cert->key->sigalg->md();
2409
2410 md = s->cert->key->digest;
2411 if (!tls1_transcript_data(s, &hdata, &hdatalen) || 2411 if (!tls1_transcript_data(s, &hdata, &hdatalen) ||
2412 (sigalg = ssl_sigalg_value(pkey, md)) == 2412 !CBB_add_u16(&cert_verify,
2413 SIGALG_NONE || 2413 s->cert->key->sigalg->value)) {
2414 !CBB_add_u16(&cert_verify, sigalg)) {
2415 SSLerror(s, ERR_R_INTERNAL_ERROR); 2414 SSLerror(s, ERR_R_INTERNAL_ERROR);
2416 goto err; 2415 goto err;
2417 } 2416 }
@@ -2457,6 +2456,7 @@ ssl3_send_client_verify(SSL *s)
2457 if (!EVP_DigestInit_ex(&mctx, md, NULL) || 2456 if (!EVP_DigestInit_ex(&mctx, md, NULL) ||
2458 !EVP_DigestUpdate(&mctx, hdata, hdatalen) || 2457 !EVP_DigestUpdate(&mctx, hdata, hdatalen) ||
2459 !EVP_DigestFinal(&mctx, signbuf, &u) || 2458 !EVP_DigestFinal(&mctx, signbuf, &u) ||
2459
2460 (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) || 2460 (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
2461 (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 2461 (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
2462 EVP_PKEY_CTRL_GOST_SIG_FORMAT, 2462 EVP_PKEY_CTRL_GOST_SIG_FORMAT,
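Review bot: In ssl3_send_client_verify the new line `md = s->cert->key->sigalg->md();` takes the digest without the NULL check that the ssl3_get_server_key_exchange hunk applies to the very same call (`(md = sigalg->md()) == NULL` → SSL_R_UNKNOWN_DIGEST), and `s->cert->key->sigalg` is itself dereferenced with no check that it was ever set; the removed `ssl_sigalg_value(pkey, md) == SIGALG_NONE` test was the only guard on this path, and md now flows straight into `EVP_DigestInit_ex(&mctx, md, NULL)` in the last hunk. Where sigalg is assigned is outside this diff, so whether a peer's CertificateRequest can leave it NULL is not something I can tell from here, but the guard is cheap: `if (s->cert->key->sigalg == NULL || (md = s->cert->key->sigalg->md()) == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; }` placed before the tls1_transcript_data call. A smaller point in the last hunk: the added empty line 2459 splits the `||` chain inside the if condition and looks accidental. ssl3_send_client_verify starts before the second hunk and continues past the last one.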