authortb <>2023-06-11 19:01:01 +0000
committertb <>2023-06-11 19:01:01 +0000
commit3e78f2fb356efca03fc4bfdadb63b49114e128a2 (patch)
tree857746157a022e2a8e92ad5ea6c98c37f02c1123 /src/lib/libssl/ssl_clnt.c
parent9ca5a491a6bf2cf73c12da0cc924a6a0c445f762 (diff)
Convert legacy server kex to one-shot sign/verify
This converts ssl3_{get,send}_server_key_exchange() to EVP_DigestVerify() and EVP_DigestSign(). In order to do this, build the full signed_params up front and rework the way the key exchange parameters are constructed. This way we can do the verify and sign steps in one go and at the same time use a more idiomatic approach with CBB/CBS. with/ok jsing
Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
-rw-r--r--src/lib/libssl/ssl_clnt.c44
1 files changed, 27 insertions, 17 deletions
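--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.159 2023/06/11 18:50:51 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.160 2023/06/11 19:01:01 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1299,13 +1299,17 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
 static int
 ssl3_get_server_key_exchange(SSL *s)
 {
-	CBS cbs, signature;
+	CBB cbb;
+	CBS cbs, params, signature;
 	EVP_MD_CTX *md_ctx;
-	const unsigned char *param;
-	size_t param_len;
+	unsigned char *signed_params = NULL;
+	size_t signed_params_len;
+	size_t params_len;
 	long alg_k, alg_a;
 	int al, ret;
 
+	memset(&cbb, 0, sizeof(cbb));
+
 	alg_k = s->s3->hs.cipher->algorithm_mkey;
 	alg_a = s->s3->hs.cipher->algorithm_auth;
 
@@ -1341,8 +1345,14 @@ ssl3_get_server_key_exchange(SSL *s)
 		return (1);
 	}
 
-	param = CBS_data(&cbs);
-	param_len = CBS_len(&cbs);
+	if (!CBB_init(&cbb, 0))
+		goto err;
+	if (!CBB_add_bytes(&cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
+		goto err;
+	if (!CBB_add_bytes(&cbb, s->s3->server_random, SSL3_RANDOM_SIZE))
+		goto err;
+
+	CBS_dup(&cbs, &params);
 
 	if (alg_k & SSL_kDHE) {
 		if (!ssl3_get_server_kex_dhe(s, &cbs))
@@ -1356,7 +1366,12 @@ ssl3_get_server_key_exchange(SSL *s)
 		goto fatal_err;
 	}
 
-	param_len -= CBS_len(&cbs);
+	if ((params_len = CBS_offset(&cbs)) > CBS_len(&params))
+		goto err;
+	if (!CBB_add_bytes(&cbb, CBS_data(&params), params_len))
+		goto err;
+	if (!CBB_finish(&cbb, &signed_params, &signed_params_len))
+		goto err;
 
 	/* if it was signed, check the signature */
 	if ((alg_a & SSL_aNULL) == 0) {
@@ -1400,21 +1415,13 @@ ssl3_get_server_key_exchange(SSL *s)
 		if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(),
 		    NULL, pkey))
 			goto err;
-		if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->client_random,
-		    SSL3_RANDOM_SIZE))
-			goto err;
 		if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
 		    (!EVP_PKEY_CTX_set_rsa_padding(pctx,
 		    RSA_PKCS1_PSS_PADDING) ||
 		    !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)))
 			goto err;
-		if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->server_random,
-		    SSL3_RANDOM_SIZE))
-			goto err;
-		if (!EVP_DigestVerifyUpdate(md_ctx, param, param_len))
-			goto err;
-		if (EVP_DigestVerifyFinal(md_ctx, CBS_data(&signature),
-		    CBS_len(&signature)) <= 0) {
+		if (EVP_DigestVerify(md_ctx, CBS_data(&signature),
+		    CBS_len(&signature), signed_params, signed_params_len) <= 0) {
 			al = SSL_AD_DECRYPT_ERROR;
 			SSLerror(s, SSL_R_BAD_SIGNATURE);
 			goto fatal_err;
@@ -1428,6 +1435,7 @@ ssl3_get_server_key_exchange(SSL *s)
 	}
 
 	EVP_MD_CTX_free(md_ctx);
+	free(signed_params);
 
 	return (1);
 
@@ -1439,7 +1447,9 @@ ssl3_get_server_key_exchange(SSL *s)
 	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 
 err:
+	CBB_cleanup(&cbb);
 	EVP_MD_CTX_free(md_ctx);
+	free(signed_params);
 
 	return (-1);
 }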
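Review bot: The buffer assembled into `signed_params` carries no comment saying what it is, and the length taken from `CBS_offset(&cbs)` at new line 1369 equals the parameter length only if `cbs` was initialised at the first byte of the ServerKeyExchange body and not advanced before the `CBS_dup` at new line 1355 — that initialisation happens outside the visible hunks, so this is worth confirming. I would add `/* Signed input is client_random || server_random || params (RFC 5246, 7.4.3). */` above the `CBB_init` at new line 1348, and `/* cbs must still sit at the start of the params for this offset to be their length. */` above the `CBS_offset` check. The `> CBS_len(&params)` bound at least keeps the copy inside the duplicated view should that positioning assumption ever break. The body of ssl3_get_server_key_exchange between the hunks lies outside what is shown.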