authorbeck <>2024-02-03 15:58:34 +0000
committerbeck <>2024-02-03 15:58:34 +0000
commitfeaf10d0a7eb5e59e69c058b10c91c45d2b1b0e3 (patch)
treedc1f0834366a35df8a6de61e2722798629d7c4c2 /src/lib/libssl/ssl_srvr.c
parenta931b9fe4c471545a30c6975c303fa27abc695af (diff)
Remove GOST and STREEBOG support from libssl.
This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for its removal from libcrypto with a future major bump. ok tb@
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl_srvr.c152
1 files changed, 4 insertions, 148 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index f26fde5061..117afac85e 100644
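--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.158 2023/12/29 12:24:33 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.159 2024/02/03 15:58:34 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -162,10 +162,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/x509.h>
 
-#ifndef OPENSSL_NO_GOST
-#include <openssl/gost.h>
-#endif
-
 #include "bytestring.h"
 #include "dtls_local.h"
 #include "ssl_local.h"
@@ -564,15 +560,7 @@ ssl3_accept(SSL *s)
  }
 
  alg_k = s->s3->hs.cipher->algorithm_mkey;
- if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
- /*
- * A GOST client may use the key from its
- * certificate for key exchange, in which case
- * the CertificateVerify message is not sent.
- */
- s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
- s->init_num = 0;
- } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
+ if (SSL_USE_SIGALGS(s)) {
  s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
  s->init_num = 0;
  if (!s->session->peer_cert)
@@ -795,7 +783,6 @@ ssl3_get_client_hello(SSL *s)
  unsigned long id;
  SSL_CIPHER *c;
  STACK_OF(SSL_CIPHER) *ciphers = NULL;
- unsigned long alg_k;
  const SSL_METHOD *method;
  uint16_t shared_version;
 
@@ -1138,10 +1125,8 @@ ssl3_get_client_hello(SSL *s)
  if (!tls1_transcript_hash_init(s))
  goto err;
 
- alg_k = s->s3->hs.cipher->algorithm_mkey;
- if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
- !(s->verify_mode & SSL_VERIFY_PEER))
- tls1_transcript_free(s);
+ if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER))
+ tls1_transcript_free(s);
 
  /*
  * We now have the following setup.
@@ -1816,75 +1801,6 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
 }
 
 static int
-ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
-{
- unsigned char premaster_secret[32];
- EVP_PKEY_CTX *pkey_ctx = NULL;
- EVP_PKEY *client_pubkey;
- EVP_PKEY *pkey = NULL;
- size_t outlen;
- CBS gostblob;
-
- /* Get our certificate private key*/
-#ifndef OPENSSL_NO_GOST
- if ((s->s3->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
- pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
-#endif
-
- if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
- goto err;
- if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0)
- goto err;
-
- /*
- * If client certificate is present and is of the same type,
- * maybe use it for key exchange.
- * Don't mind errors from EVP_PKEY_derive_set_peer, because
- * it is completely valid to use a client certificate for
- * authorization only.
- */
- if ((client_pubkey = X509_get0_pubkey(s->session->peer_cert)) != NULL) {
- if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
- ERR_clear_error();
- }
-
- /* Decrypt session key */
- if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE))
- goto decode_err;
- if (CBS_len(cbs) != 0)
- goto decode_err;
- outlen = sizeof(premaster_secret);
- if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
- CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
- SSLerror(s, SSL_R_DECRYPTION_FAILED);
- goto err;
- }
-
- if (!tls12_derive_master_secret(s, premaster_secret,
- sizeof(premaster_secret)))
- goto err;
-
- /* Check if pubkey from client certificate was used */
- if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY,
- 2, NULL) > 0)
- s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
-
- explicit_bzero(premaster_secret, sizeof(premaster_secret));
- EVP_PKEY_CTX_free(pkey_ctx);
-
- return 1;
-
- decode_err:
- SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- err:
- explicit_bzero(premaster_secret, sizeof(premaster_secret));
- EVP_PKEY_CTX_free(pkey_ctx);
-
- return 0;
-}
-
-static int
 ssl3_get_client_key_exchange(SSL *s)
 {
  unsigned long alg_k;
@@ -1912,9 +1828,6 @@ ssl3_get_client_key_exchange(SSL *s)
  } else if (alg_k & SSL_kECDHE) {
  if (!ssl3_get_client_kex_ecdhe(s, &cbs))
  goto err;
- } else if (alg_k & SSL_kGOST) {
- if (!ssl3_get_client_kex_gost(s, &cbs))
- goto err;
  } else {
  al = SSL_AD_HANDSHAKE_FAILURE;
  SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE);
@@ -2043,15 +1956,6 @@ ssl3_get_cert_verify(SSL *s)
  al = SSL_AD_INTERNAL_ERROR;
  goto fatal_err;
  }
-#ifndef OPENSSL_NO_GOST
- if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
- EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
- EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
- NULL) <= 0) {
- al = SSL_AD_INTERNAL_ERROR;
- goto fatal_err;
- }
-#endif
  if (EVP_DigestVerify(mctx, CBS_data(&signature),
  CBS_len(&signature), hdata, hdatalen) <= 0) {
  SSLerror(s, ERR_R_EVP_LIB);
@@ -2096,54 +2000,6 @@ ssl3_get_cert_verify(SSL *s)
  SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);
  goto fatal_err;
  }
-#ifndef OPENSSL_NO_GOST
- } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
- EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
- unsigned char sigbuf[128];
- unsigned int siglen = sizeof(sigbuf);
- EVP_PKEY_CTX *pctx;
- const EVP_MD *md;
- int nid;
-
- if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
- SSLerror(s, ERR_R_INTERNAL_ERROR);
- al = SSL_AD_INTERNAL_ERROR;
- goto fatal_err;
- }
- if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
- !(md = EVP_get_digestbynid(nid))) {
- SSLerror(s, ERR_R_EVP_LIB);
- al = SSL_AD_INTERNAL_ERROR;
- goto fatal_err;
- }
- if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
- SSLerror(s, ERR_R_EVP_LIB);
- al = SSL_AD_INTERNAL_ERROR;
- goto fatal_err;
- }
- if (!EVP_DigestInit_ex(mctx, md, NULL) ||
- !EVP_DigestUpdate(mctx, hdata, hdatalen) ||
- !EVP_DigestFinal(mctx, sigbuf, &siglen) ||
- (EVP_PKEY_verify_init(pctx) <= 0) ||
- (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
- (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
- EVP_PKEY_CTRL_GOST_SIG_FORMAT,
- GOST_SIG_FORMAT_RS_LE, NULL) <= 0)) {
- SSLerror(s, ERR_R_EVP_LIB);
- al = SSL_AD_INTERNAL_ERROR;
- EVP_PKEY_CTX_free(pctx);
- goto fatal_err;
- }
- if (EVP_PKEY_verify(pctx, CBS_data(&signature),
- CBS_len(&signature), sigbuf, siglen) <= 0) {
- al = SSL_AD_DECRYPT_ERROR;
- SSLerror(s, SSL_R_BAD_SIGNATURE);
- EVP_PKEY_CTX_free(pctx);
- goto fatal_err;
- }
-
- EVP_PKEY_CTX_free(pctx);
-#endif
  } else {
  SSLerror(s, ERR_R_INTERNAL_ERROR);
  al = SSL_AD_UNSUPPORTED_CERTIFICATE;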
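Review bot: The `alg_k = s->s3->hs.cipher->algorithm_mkey;` assignment kept as context just above the new `if (SSL_USE_SIGALGS(s)) {` in ssl3_accept no longer has a visible reader, since its only use in that hunk was the removed `(alg_k & SSL_kGOST)` test. The same commit drops the matching declaration and assignment in ssl3_get_client_hello, so deleting this line would be consistent; ssl3_accept continues outside the hunk, so confirm nothing later in that case reads it before removing it. Separately, nothing left on this page sets TLS1_FLAGS_SKIP_CERT_VERIFY, so its definition (presumably in a header outside this file) is worth retiring in the follow-up cleanup, so that no later code can reintroduce a path that bypasses CertificateVerify by setting it.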