diff options
| author | jsing <> | 2018-08-10 17:52:35 +0000 |
|---|---|---|
| committer | jsing <> | 2018-08-10 17:52:35 +0000 |
| commit | 548ea7a2477f6deb089b0d5b196b74db0d8071b2 (patch) | |
| tree | 5bfea9936434087c7029b77198ca8ebcd576252c /src | |
| parent | 9dc5469269149f3dca7211909877d492c5998b03 (diff) | |
| download | openbsd-548ea7a2477f6deb089b0d5b196b74db0d8071b2.tar.gz openbsd-548ea7a2477f6deb089b0d5b196b74db0d8071b2.tar.bz2 openbsd-548ea7a2477f6deb089b0d5b196b74db0d8071b2.zip | |
Simplify server key exchange signature verification.
Everything can go through the EVP_Verify* code path.
ok inoguchi@ tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 67 |
1 files changed, 18 insertions, 49 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index a4d0d048bd..f9cdd8657a 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.26 2018/06/03 15:31:30 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.27 2018/08/10 17:52:35 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1439,7 +1439,6 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) | |||
| 1439 | int | 1439 | int |
| 1440 | ssl3_get_server_key_exchange(SSL *s) | 1440 | ssl3_get_server_key_exchange(SSL *s) |
| 1441 | { | 1441 | { |
| 1442 | unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2]; | ||
| 1443 | EVP_MD_CTX md_ctx; | 1442 | EVP_MD_CTX md_ctx; |
| 1444 | unsigned char *param, *p; | 1443 | unsigned char *param, *p; |
| 1445 | int al, i, j, param_len, ok; | 1444 | int al, i, j, param_len, ok; |
| @@ -1514,15 +1513,12 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1514 | if (pkey != NULL) { | 1513 | if (pkey != NULL) { |
| 1515 | if (SSL_USE_SIGALGS(s)) { | 1514 | if (SSL_USE_SIGALGS(s)) { |
| 1516 | int sigalg = tls12_get_sigid(pkey); | 1515 | int sigalg = tls12_get_sigid(pkey); |
| 1517 | /* Should never happen */ | ||
| 1518 | if (sigalg == -1) { | 1516 | if (sigalg == -1) { |
| 1517 | /* Should never happen */ | ||
| 1519 | SSLerror(s, ERR_R_INTERNAL_ERROR); | 1518 | SSLerror(s, ERR_R_INTERNAL_ERROR); |
| 1520 | goto err; | 1519 | goto err; |
| 1521 | } | 1520 | } |
| 1522 | /* | 1521 | /* Check key type is consistent with signature. */ |
| 1523 | * Check key type is consistent | ||
| 1524 | * with signature | ||
| 1525 | */ | ||
| 1526 | if (2 > n) | 1522 | if (2 > n) |
| 1527 | goto truncated; | 1523 | goto truncated; |
| 1528 | if (sigalg != (int)p[1]) { | 1524 | if (sigalg != (int)p[1]) { |
| @@ -1538,8 +1534,11 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1538 | } | 1534 | } |
| 1539 | p += 2; | 1535 | p += 2; |
| 1540 | n -= 2; | 1536 | n -= 2; |
| 1541 | } else | 1537 | } else if (pkey->type == EVP_PKEY_RSA) { |
| 1538 | md = EVP_md5_sha1(); | ||
| 1539 | } else { | ||
| 1542 | md = EVP_sha1(); | 1540 | md = EVP_sha1(); |
| 1541 | } | ||
| 1543 | 1542 | ||
| 1544 | if (2 > n) | 1543 | if (2 > n) |
| 1545 | goto truncated; | 1544 | goto truncated; |
| @@ -1554,47 +1553,17 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1554 | goto f_err; | 1553 | goto f_err; |
| 1555 | } | 1554 | } |
| 1556 | 1555 | ||
| 1557 | if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) { | 1556 | EVP_VerifyInit_ex(&md_ctx, md, NULL); |
| 1558 | j = 0; | 1557 | EVP_VerifyUpdate(&md_ctx, s->s3->client_random, |
| 1559 | q = md_buf; | 1558 | SSL3_RANDOM_SIZE); |
| 1560 | if (!EVP_DigestInit_ex(&md_ctx, EVP_md5_sha1(), NULL)) { | 1559 | EVP_VerifyUpdate(&md_ctx, s->s3->server_random, |
| 1561 | al = SSL_AD_INTERNAL_ERROR; | 1560 | SSL3_RANDOM_SIZE); |
| 1562 | goto f_err; | 1561 | EVP_VerifyUpdate(&md_ctx, param, param_len); |
| 1563 | } | 1562 | if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) { |
| 1564 | EVP_DigestUpdate(&md_ctx, s->s3->client_random, | 1563 | /* bad signature */ |
| 1565 | SSL3_RANDOM_SIZE); | 1564 | al = SSL_AD_DECRYPT_ERROR; |
| 1566 | EVP_DigestUpdate(&md_ctx, s->s3->server_random, | 1565 | SSLerror(s, SSL_R_BAD_SIGNATURE); |
| 1567 | SSL3_RANDOM_SIZE); | 1566 | goto f_err; |
| 1568 | EVP_DigestUpdate(&md_ctx, param, param_len); | ||
| 1569 | EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i); | ||
| 1570 | q += i; | ||
| 1571 | j += i; | ||
| 1572 | i = RSA_verify(NID_md5_sha1, md_buf, j, | ||
| 1573 | p, n, pkey->pkey.rsa); | ||
| 1574 | if (i < 0) { | ||
| 1575 | al = SSL_AD_DECRYPT_ERROR; | ||
| 1576 | SSLerror(s, SSL_R_BAD_RSA_DECRYPT); | ||
| 1577 | goto f_err; | ||
| 1578 | } | ||
| 1579 | if (i == 0) { | ||
| 1580 | /* bad signature */ | ||
| 1581 | al = SSL_AD_DECRYPT_ERROR; | ||
| 1582 | SSLerror(s, SSL_R_BAD_SIGNATURE); | ||
| 1583 | goto f_err; | ||
| 1584 | } | ||
| 1585 | } else { | ||
| 1586 | EVP_VerifyInit_ex(&md_ctx, md, NULL); | ||
| 1587 | EVP_VerifyUpdate(&md_ctx, s->s3->client_random, | ||
| 1588 | SSL3_RANDOM_SIZE); | ||
| 1589 | EVP_VerifyUpdate(&md_ctx, s->s3->server_random, | ||
| 1590 | SSL3_RANDOM_SIZE); | ||
| 1591 | EVP_VerifyUpdate(&md_ctx, param, param_len); | ||
| 1592 | if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) { | ||
| 1593 | /* bad signature */ | ||
| 1594 | al = SSL_AD_DECRYPT_ERROR; | ||
| 1595 | SSLerror(s, SSL_R_BAD_SIGNATURE); | ||
| 1596 | goto f_err; | ||
| 1597 | } | ||
| 1598 | } | 1567 | } |
| 1599 | } else { | 1568 | } else { |
| 1600 | /* aNULL does not need public keys. */ | 1569 | /* aNULL does not need public keys. */ |