import OpenSSL 1.0.0e

author: djm <> 2011-11-03 02:32:23 +0000
committer: djm <> 2011-11-03 02:32:23 +0000
commit: 113f799ec7d1728f0a5d7ab5b0e3b42e3de56407 (patch)
tree: 26d712b25a8fa580b8f2dfc6df470ba5ffea9eb7 /src/lib/libssl/ssl_lib.c
parent: 829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2 (diff)
download: openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.tar.gz
openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.tar.bz2
openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.zip
1 files changed, 15 insertions, 32 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 3157f20eac..46732791fd 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1833,7 +1833,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 #endif
        X509 *x = NULL;
        EVP_PKEY *ecc_pkey = NULL;
-        int signature_nid = 0;
+        int signature_nid = 0, pk_nid = 0, md_nid = 0;
        if (c == NULL) return;
@@ -1963,18 +1963,15 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
                    EVP_PKEY_bits(ecc_pkey) : 0;
                EVP_PKEY_free(ecc_pkey);
                if ((x->sig_alg) && (x->sig_alg->algorithm))
+                        {
                        signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+                        OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
+                        }
 #ifndef OPENSSL_NO_ECDH
                if (ecdh_ok)
                        {
-                        const char *sig = OBJ_nid2ln(signature_nid);
-                        if (sig == NULL)
+                        if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa)
-                                {
-                                ERR_clear_error();
-                                sig = "unknown";
-                                }
-                                
-                        if (strstr(sig, "WithRSA"))
                                {
                                mask_k|=SSL_kECDHr;
                                mask_a|=SSL_aECDH;
@@ -1985,7 +1982,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
                                        }
                                }
-                        if (signature_nid == NID_ecdsa_with_SHA1)
+                        if (pk_nid == NID_X9_62_id_ecPublicKey)
                                {
                                mask_k|=SSL_kECDHe;
                                mask_a|=SSL_aECDH;
@@ -2039,7 +2036,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
        unsigned long alg_k, alg_a;
        EVP_PKEY *pkey = NULL;
        int keysize = 0;
-        int signature_nid = 0;
+        int signature_nid = 0, md_nid = 0, pk_nid = 0;
        alg_k = cs->algorithm_mkey;
        alg_a = cs->algorithm_auth;
@@ -2057,7 +2054,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
        /* This call populates the ex_flags field correctly */
        X509_check_purpose(x, -1, 0);
        if ((x->sig_alg) && (x->sig_alg->algorithm))
+                {
                signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+                OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
+                }
        if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
                {
                /* key usage, if present, must allow key agreement */
@@ -2069,7 +2069,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
                if (alg_k & SSL_kECDHe)
                        {
                        /* signature alg must be ECDSA */
-                        if (signature_nid != NID_ecdsa_with_SHA1)
+                        if (pk_nid != NID_X9_62_id_ecPublicKey)
                                {
                                SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
                                return 0;
@@ -2079,13 +2079,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
                        {
                        /* signature alg must be RSA */
-                        const char *sig = OBJ_nid2ln(signature_nid);
+                        if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
-                        if (sig == NULL)
-                                {
-                                ERR_clear_error();
-                                sig = "unknown";
-                                }
-                        if (strstr(sig, "WithRSA") == NULL)
                                {
                                SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
                                return 0;
@@ -2110,23 +2104,12 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
 /* THIS NEEDS CLEANING UP */
 X509 *ssl_get_server_send_cert(SSL *s)
        {
-        unsigned long alg_k,alg_a,mask_k,mask_a;
+        unsigned long alg_k,alg_a;
        CERT *c;
-        int i,is_export;
+        int i;
        c=s->cert;
        ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
-        is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
-        if (is_export)
-                {
-                mask_k = c->export_mask_k;
-                mask_a = c->export_mask_a;
-                }
-        else
-                {
-                mask_k = c->mask_k;
-                mask_a = c->mask_a;
-                }
        
        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
author	djm <>	2011-11-03 02:32:23 +0000
committer	djm <>	2011-11-03 02:32:23 +0000
commit	113f799ec7d1728f0a5d7ab5b0e3b42e3de56407 (patch)
tree	26d712b25a8fa580b8f2dfc6df470ba5ffea9eb7 /src/lib/libssl/ssl_lib.c
parent	829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2 (diff)
download	openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.tar.gz openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.tar.bz2 openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.zip

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 3157f20eac..46732791fd 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1833,7 +1833,7 @@ void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
1833	#endif	1833	#endif
1834	X509 *x = NULL;	1834	X509 *x = NULL;
1835	EVP_PKEY *ecc_pkey = NULL;	1835	EVP_PKEY *ecc_pkey = NULL;
1836	int signature_nid = 0;	1836	int signature_nid = 0, pk_nid = 0, md_nid = 0;
1837		1837
1838	if (c == NULL) return;	1838	if (c == NULL) return;
1839		1839
@@ -1963,18 +1963,15 @@ void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
1963	EVP_PKEY_bits(ecc_pkey) : 0;	1963	EVP_PKEY_bits(ecc_pkey) : 0;
1964	EVP_PKEY_free(ecc_pkey);	1964	EVP_PKEY_free(ecc_pkey);
1965	if ((x->sig_alg) && (x->sig_alg->algorithm))	1965	if ((x->sig_alg) && (x->sig_alg->algorithm))
		1966	{
1966	signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);	1967	signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
		1968	OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
		1969	}
1967	#ifndef OPENSSL_NO_ECDH	1970	#ifndef OPENSSL_NO_ECDH
1968	if (ecdh_ok)	1971	if (ecdh_ok)
1969	{	1972	{
1970	const char *sig = OBJ_nid2ln(signature_nid);	1973
1971	if (sig == NULL)	1974	if (pk_nid == NID_rsaEncryption \|\| pk_nid == NID_rsa)
1972	{
1973	ERR_clear_error();
1974	sig = "unknown";
1975	}
1976
1977	if (strstr(sig, "WithRSA"))
1978	{	1975	{
1979	mask_k\|=SSL_kECDHr;	1976	mask_k\|=SSL_kECDHr;
1980	mask_a\|=SSL_aECDH;	1977	mask_a\|=SSL_aECDH;
@@ -1985,7 +1982,7 @@ void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
1985	}	1982	}
1986	}	1983	}
1987		1984
1988	if (signature_nid == NID_ecdsa_with_SHA1)	1985	if (pk_nid == NID_X9_62_id_ecPublicKey)
1989	{	1986	{
1990	mask_k\|=SSL_kECDHe;	1987	mask_k\|=SSL_kECDHe;
1991	mask_a\|=SSL_aECDH;	1988	mask_a\|=SSL_aECDH;
@@ -2039,7 +2036,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2039	unsigned long alg_k, alg_a;	2036	unsigned long alg_k, alg_a;
2040	EVP_PKEY *pkey = NULL;	2037	EVP_PKEY *pkey = NULL;
2041	int keysize = 0;	2038	int keysize = 0;
2042	int signature_nid = 0;	2039	int signature_nid = 0, md_nid = 0, pk_nid = 0;
2043		2040
2044	alg_k = cs->algorithm_mkey;	2041	alg_k = cs->algorithm_mkey;
2045	alg_a = cs->algorithm_auth;	2042	alg_a = cs->algorithm_auth;
@@ -2057,7 +2054,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2057	/* This call populates the ex_flags field correctly */	2054	/* This call populates the ex_flags field correctly */
2058	X509_check_purpose(x, -1, 0);	2055	X509_check_purpose(x, -1, 0);
2059	if ((x->sig_alg) && (x->sig_alg->algorithm))	2056	if ((x->sig_alg) && (x->sig_alg->algorithm))
		2057	{
2060	signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);	2058	signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
		2059	OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
		2060	}
2061	if (alg_k & SSL_kECDHe \|\| alg_k & SSL_kECDHr)	2061	if (alg_k & SSL_kECDHe \|\| alg_k & SSL_kECDHr)
2062	{	2062	{
2063	/* key usage, if present, must allow key agreement */	2063	/* key usage, if present, must allow key agreement */
@@ -2069,7 +2069,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2069	if (alg_k & SSL_kECDHe)	2069	if (alg_k & SSL_kECDHe)
2070	{	2070	{
2071	/* signature alg must be ECDSA */	2071	/* signature alg must be ECDSA */
2072	if (signature_nid != NID_ecdsa_with_SHA1)	2072	if (pk_nid != NID_X9_62_id_ecPublicKey)
2073	{	2073	{
2074	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);	2074	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
2075	return 0;	2075	return 0;
@@ -2079,13 +2079,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2079	{	2079	{
2080	/* signature alg must be RSA */	2080	/* signature alg must be RSA */
2081		2081
2082	const char *sig = OBJ_nid2ln(signature_nid);	2082	if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
2083	if (sig == NULL)
2084	{
2085	ERR_clear_error();
2086	sig = "unknown";
2087	}
2088	if (strstr(sig, "WithRSA") == NULL)
2089	{	2083	{
2090	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);	2084	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
2091	return 0;	2085	return 0;
@@ -2110,23 +2104,12 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2110	/* THIS NEEDS CLEANING UP */	2104	/* THIS NEEDS CLEANING UP */
2111	X509 ssl_get_server_send_cert(SSL s)	2105	X509 ssl_get_server_send_cert(SSL s)
2112	{	2106	{
2113	unsigned long alg_k,alg_a,mask_k,mask_a;	2107	unsigned long alg_k,alg_a;
2114	CERT *c;	2108	CERT *c;
2115	int i,is_export;	2109	int i;
2116		2110
2117	c=s->cert;	2111	c=s->cert;
2118	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);	2112	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
2119	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
2120	if (is_export)
2121	{
2122	mask_k = c->export_mask_k;
2123	mask_a = c->export_mask_a;
2124	}
2125	else
2126	{
2127	mask_k = c->mask_k;
2128	mask_a = c->mask_a;
2129	}
2130		2113
2131	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;	2114	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2132	alg_a = s->s3->tmp.new_cipher->algorithm_auth;	2115	alg_a = s->s3->tmp.new_cipher->algorithm_auth;