1 files changed, 213 insertions, 118 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 65277ef4ef..60983fc6fd 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.50 2018/11/21 15:13:29 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.51 2018/11/29 06:21:09 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2368,154 +2368,256 @@ err:
        return (-1);
 }
-int
+static int
-ssl3_send_client_verify(SSL *s)
+ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify)
 {
-        CBB cbb, cert_verify, cbb_signature;
+        CBB cbb_signature;
-        unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
-        unsigned char *signature = NULL;
-        unsigned int signature_len = 0;
-        const unsigned char *hdata;
-        size_t hdatalen;
        EVP_PKEY_CTX *pctx = NULL;
        EVP_PKEY *pkey;
        EVP_MD_CTX mctx;
        const EVP_MD *md;
+        const unsigned char *hdata;
+        unsigned char *signature = NULL;
+        unsigned int signature_len = 0;
+        size_t hdatalen;
        size_t siglen;
+        int ret = 0;
+        EVP_MD_CTX_init(&mctx);
+        pkey = s->cert->key->privatekey;
+        md = s->cert->key->sigalg->md();
+        if (!tls1_transcript_data(s, &hdata, &hdatalen) ||
+            !CBB_add_u16(cert_verify, s->cert->key->sigalg->value)) {
+                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                goto err;
+        }
+        if (!EVP_DigestSignInit(&mctx, &pctx, md, NULL, pkey)) {
+                SSLerror(s, ERR_R_EVP_LIB);
+                goto err;
+        }
+        if ((s->cert->key->sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
+            (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
+            !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
+                SSLerror(s, ERR_R_EVP_LIB);
+                goto err;
+        }
+        if (!EVP_DigestSignUpdate(&mctx, hdata, hdatalen)) {
+                SSLerror(s, ERR_R_EVP_LIB);
+                goto err;
+        }
+        if (!EVP_DigestSignFinal(&mctx, NULL, &siglen) || siglen == 0) {
+                SSLerror(s, ERR_R_EVP_LIB);
+                goto err;
+        }
+        if ((signature = calloc(1, siglen)) == NULL) {
+                SSLerror(s, ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+        if (!EVP_DigestSignFinal(&mctx, signature, &siglen)) {
+                SSLerror(s, ERR_R_EVP_LIB);
+                goto err;
+        }
+        signature_len = siglen; /* XXX */
+        if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
+                goto err;
+        if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
+                goto err;
+        if (!CBB_flush(cert_verify))
+                goto err;
+        ret = 1;
+ err:
+        EVP_MD_CTX_cleanup(&mctx);
+        free(signature);
+        return ret;
+}
+static int
+ssl3_send_client_verify_rsa(SSL *s, CBB *cert_verify)
+{
+        CBB cbb_signature;
+        EVP_PKEY *pkey;
+        unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
+        unsigned char *signature = NULL;
+        unsigned int signature_len = 0;
+        int ret = 0;
+        if (!tls1_handshake_hash_value(s, data, sizeof(data), NULL))
+                goto err;
+        pkey = s->cert->key->privatekey;
+        if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
+                goto err;
+        if (RSA_sign(NID_md5_sha1, data, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
+            signature, &signature_len, pkey->pkey.rsa) <= 0 ) {
+                SSLerror(s, ERR_R_RSA_LIB);
+                goto err;
+        }
+        if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
+                goto err;
+        if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
+                goto err;
+        if (!CBB_flush(cert_verify))
+                goto err;
+        ret = 1;
+ err:
+        free(signature);
+        return ret;
+}
+static int
+ssl3_send_client_verify_ec(SSL *s, CBB *cert_verify)
+{
+        CBB cbb_signature;
+        EVP_PKEY *pkey;
+        unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
+        unsigned char *signature = NULL;
+        unsigned int signature_len = 0;
+        int ret = 0;
+        if (!tls1_handshake_hash_value(s, data, sizeof(data), NULL))
+                goto err;
+        pkey = s->cert->key->privatekey;
+        if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
+                goto err;
+        if (!ECDSA_sign(pkey->save_type, &data[MD5_DIGEST_LENGTH],
+            SHA_DIGEST_LENGTH, signature, &signature_len, pkey->pkey.ec)) {
+                SSLerror(s, ERR_R_ECDSA_LIB);
+                goto err;
+        }
+        if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
+                goto err;
+        if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
+                goto err;
+        if (!CBB_flush(cert_verify))
+                goto err;
+        ret = 1;
+ err:
+        free(signature);
+        return ret;
+}
+#ifndef OPENSSL_NO_GOST
+static int
+ssl3_send_client_verify_gost(SSL *s, CBB *cert_verify)
+{
+        CBB cbb_signature;
+        EVP_MD_CTX mctx;
+        EVP_PKEY_CTX *pctx;
+        EVP_PKEY *pkey;
+        const EVP_MD *md;
+        const unsigned char *hdata;
+        unsigned char signbuf[128];
+        unsigned char *signature = NULL;
+        unsigned int signature_len = 0;
+        unsigned int u;
+        size_t hdatalen;
+        size_t sigsize;
+        int nid;
+        int ret = 0;
        EVP_MD_CTX_init(&mctx);
+        pkey = s->cert->key->privatekey;
+        /* Create context from key and test if sha1 is allowed as digest. */
+        if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
+                goto err;
+        if (EVP_PKEY_sign_init(pctx) <= 0)
+                goto err;
+        /* XXX - is this needed? */
+        if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0)
+                ERR_clear_error();
+        if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
+                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                goto err;
+        }
+        if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
+            !(md = EVP_get_digestbynid(nid))) {
+                SSLerror(s, ERR_R_EVP_LIB);
+                goto err;
+        }
+        if (!EVP_DigestInit_ex(&mctx, md, NULL) ||
+            !EVP_DigestUpdate(&mctx, hdata, hdatalen) ||
+            !EVP_DigestFinal(&mctx, signbuf, &u) ||
+            (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
+            (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
+                EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
+                NULL) <= 0) ||
+            (EVP_PKEY_sign(pctx, signature, &sigsize, signbuf, u) <= 0)) {
+                SSLerror(s, ERR_R_EVP_LIB);
+                goto err;
+        }
+        if (sigsize > UINT_MAX)
+                goto err;
+        signature_len = sigsize;
+        if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
+                goto err;
+        if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
+                goto err;
+        if (!CBB_flush(cert_verify))
+                goto err;
+        ret = 1;
+ err:
+        EVP_MD_CTX_cleanup(&mctx);
+        EVP_PKEY_CTX_free(pctx);
+        free(signature);
+        return ret;
+}
+#endif
+int
+ssl3_send_client_verify(SSL *s)
+{
+        CBB cbb, cert_verify;
+        EVP_PKEY *pkey;
        memset(&cbb, 0, sizeof(cbb));
        if (S3I(s)->hs.state == SSL3_ST_CW_CERT_VRFY_A) {
                if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
                    SSL3_MT_CERTIFICATE_VERIFY))
                        goto err;
-                /*
-                 * Create context from key and test if sha1 is allowed as
-                 * digest.
-                 */
-                pkey = s->cert->key->privatekey;
-                md = s->cert->key->sigalg->md();
-                pctx = EVP_PKEY_CTX_new(pkey, NULL);
-                EVP_PKEY_sign_init(pctx);
-                /* XXX - is this needed? */
+                pkey = s->cert->key->privatekey;
-                if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0)
-                        ERR_clear_error();
-                if (!SSL_USE_SIGALGS(s)) {
-                        tls1_transcript_free(s);
-                        if (!tls1_handshake_hash_value(s, data, sizeof(data),
-                            NULL))
-                                goto err;
-                }
                /*
                 * For TLS v1.2 send signature algorithm and signature
                 * using agreed digest and cached handshake records.
                 */
                if (SSL_USE_SIGALGS(s)) {
-                        EVP_PKEY_CTX *pctx;
+                        if (!ssl3_send_client_verify_sigalgs(s, &cert_verify))
-                        if (!tls1_transcript_data(s, &hdata, &hdatalen) ||
-                            !CBB_add_u16(&cert_verify,
-                            s->cert->key->sigalg->value)) {
-                                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                goto err;
-                        }
-                        if (!EVP_DigestSignInit(&mctx, &pctx, md, NULL, pkey)) {
-                                SSLerror(s, ERR_R_EVP_LIB);
-                                goto err;
-                        }
-                        if ((s->cert->key->sigalg->flags &
-                            SIGALG_FLAG_RSA_PSS) &&
-                            (!EVP_PKEY_CTX_set_rsa_padding(pctx,
-                            RSA_PKCS1_PSS_PADDING) ||
-                            !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
-                                SSLerror(s, ERR_R_EVP_LIB);
-                                goto err;
-                        }
-                        if (!EVP_DigestSignUpdate(&mctx, hdata, hdatalen)) {
-                                SSLerror(s, ERR_R_EVP_LIB);
-                                goto err;
-                        }
-                        if (!EVP_DigestSignFinal(&mctx, NULL, &siglen) ||
-                            siglen == 0) {
-                                SSLerror(s, ERR_R_EVP_LIB);
                                goto err;
-                        }
-                        if ((signature = calloc(1, siglen)) == NULL) {
-                                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                                goto err;
-                        }
-                        if (!EVP_DigestSignFinal(&mctx, signature, &siglen)) {
-                                SSLerror(s, ERR_R_EVP_LIB);
-                                goto err;
-                        }
-                        signature_len = siglen; /* XXX */
-                        tls1_transcript_free(s);
                } else if (pkey->type == EVP_PKEY_RSA) {
-                        if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
+                        if (!ssl3_send_client_verify_rsa(s, &cert_verify))
                                goto err;
-                        if (RSA_sign(NID_md5_sha1, data,
-                            MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, signature,
-                            &signature_len, pkey->pkey.rsa) <= 0 ) {
-                                SSLerror(s, ERR_R_RSA_LIB);
-                                goto err;
-                        }
                } else if (pkey->type == EVP_PKEY_EC) {
-                        if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
+                        if (!ssl3_send_client_verify_ec(s, &cert_verify))
                                goto err;
-                        if (!ECDSA_sign(pkey->save_type,
-                            &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
-                            signature, &signature_len, pkey->pkey.ec)) {
-                                SSLerror(s, ERR_R_ECDSA_LIB);
-                                goto err;
-                        }
 #ifndef OPENSSL_NO_GOST
                } else if (pkey->type == NID_id_GostR3410_94 ||
                    pkey->type == NID_id_GostR3410_2001) {
-                        unsigned char signbuf[128];
+                        if (!ssl3_send_client_verify_gost(s, &cert_verify))
-                        unsigned int u;
-                        size_t sigsize;
-                        int nid;
-                        if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
-                                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                goto err;
-                        }
-                        if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
-                            !(md = EVP_get_digestbynid(nid))) {
-                                SSLerror(s, ERR_R_EVP_LIB);
                                goto err;
-                        }
-                        if (!EVP_DigestInit_ex(&mctx, md, NULL) ||
-                            !EVP_DigestUpdate(&mctx, hdata, hdatalen) ||
-                            !EVP_DigestFinal(&mctx, signbuf, &u) ||
-                            (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
-                            (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
-                                EVP_PKEY_CTRL_GOST_SIG_FORMAT,
-                                GOST_SIG_FORMAT_RS_LE, NULL) <= 0) ||
-                            (EVP_PKEY_sign(pctx, signature, &sigsize,
-                                signbuf, u) <= 0)) {
-                                SSLerror(s, ERR_R_EVP_LIB);
-                                goto err;
-                        }
-                        if (sigsize > UINT_MAX)
-                                goto err;
-                        signature_len = sigsize;
-                        tls1_transcript_free(s);
 #endif
                } else {
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        goto err;
                }
-                if (!CBB_add_u16_length_prefixed(&cert_verify, &cbb_signature))
+                tls1_transcript_free(s);
-                        goto err;
-                if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
-                        goto err;
                if (!ssl3_handshake_msg_finish(s, &cbb))
                        goto err;
@@ -2523,17 +2625,10 @@ ssl3_send_client_verify(SSL *s)
                S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_B;
        }
-        EVP_MD_CTX_cleanup(&mctx);
-        EVP_PKEY_CTX_free(pctx);
-        free(signature);
        return (ssl3_handshake_write(s));
 err:
        CBB_cleanup(&cbb);
-        EVP_MD_CTX_cleanup(&mctx);
-        EVP_PKEY_CTX_free(pctx);
-        free(signature);
        return (-1);
 }

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 65277ef4ef..60983fc6fd 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.50 2018/11/21 15:13:29 jsing Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.51 2018/11/29 06:21:09 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2368,154 +2368,256 @@ err:
2368	return (-1);	2368	return (-1);
2369	}	2369	}
2370		2370
2371	int	2371	static int
2372	ssl3_send_client_verify(SSL *s)	2372	ssl3_send_client_verify_sigalgs(SSL s, CBB cert_verify)
2373	{	2373	{
2374	CBB cbb, cert_verify, cbb_signature;	2374	CBB cbb_signature;
2375	unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
2376	unsigned char *signature = NULL;
2377	unsigned int signature_len = 0;
2378	const unsigned char *hdata;
2379	size_t hdatalen;
2380	EVP_PKEY_CTX *pctx = NULL;	2375	EVP_PKEY_CTX *pctx = NULL;
2381	EVP_PKEY *pkey;	2376	EVP_PKEY *pkey;
2382	EVP_MD_CTX mctx;	2377	EVP_MD_CTX mctx;
2383	const EVP_MD *md;	2378	const EVP_MD *md;
		2379	const unsigned char *hdata;
		2380	unsigned char *signature = NULL;
		2381	unsigned int signature_len = 0;
		2382	size_t hdatalen;
2384	size_t siglen;	2383	size_t siglen;
		2384	int ret = 0;
		2385
		2386	EVP_MD_CTX_init(&mctx);
		2387
		2388	pkey = s->cert->key->privatekey;
		2389	md = s->cert->key->sigalg->md();
		2390
		2391	if (!tls1_transcript_data(s, &hdata, &hdatalen) \|\|
		2392	!CBB_add_u16(cert_verify, s->cert->key->sigalg->value)) {
		2393	SSLerror(s, ERR_R_INTERNAL_ERROR);
		2394	goto err;
		2395	}
		2396	if (!EVP_DigestSignInit(&mctx, &pctx, md, NULL, pkey)) {
		2397	SSLerror(s, ERR_R_EVP_LIB);
		2398	goto err;
		2399	}
		2400	if ((s->cert->key->sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
		2401	(!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) \|\|
		2402	!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
		2403	SSLerror(s, ERR_R_EVP_LIB);
		2404	goto err;
		2405	}
		2406	if (!EVP_DigestSignUpdate(&mctx, hdata, hdatalen)) {
		2407	SSLerror(s, ERR_R_EVP_LIB);
		2408	goto err;
		2409	}
		2410	if (!EVP_DigestSignFinal(&mctx, NULL, &siglen) \|\| siglen == 0) {
		2411	SSLerror(s, ERR_R_EVP_LIB);
		2412	goto err;
		2413	}
		2414	if ((signature = calloc(1, siglen)) == NULL) {
		2415	SSLerror(s, ERR_R_MALLOC_FAILURE);
		2416	goto err;
		2417	}
		2418	if (!EVP_DigestSignFinal(&mctx, signature, &siglen)) {
		2419	SSLerror(s, ERR_R_EVP_LIB);
		2420	goto err;
		2421	}
		2422	signature_len = siglen; /* XXX */
		2423
		2424	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
		2425	goto err;
		2426	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
		2427	goto err;
		2428	if (!CBB_flush(cert_verify))
		2429	goto err;
2385		2430
		2431	ret = 1;
		2432	err:
		2433	EVP_MD_CTX_cleanup(&mctx);
		2434	free(signature);
		2435	return ret;
		2436	}
		2437
		2438	static int
		2439	ssl3_send_client_verify_rsa(SSL s, CBB cert_verify)
		2440	{
		2441	CBB cbb_signature;
		2442	EVP_PKEY *pkey;
		2443	unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
		2444	unsigned char *signature = NULL;
		2445	unsigned int signature_len = 0;
		2446	int ret = 0;
		2447
		2448	if (!tls1_handshake_hash_value(s, data, sizeof(data), NULL))
		2449	goto err;
		2450
		2451	pkey = s->cert->key->privatekey;
		2452	if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
		2453	goto err;
		2454	if (RSA_sign(NID_md5_sha1, data, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
		2455	signature, &signature_len, pkey->pkey.rsa) <= 0 ) {
		2456	SSLerror(s, ERR_R_RSA_LIB);
		2457	goto err;
		2458	}
		2459
		2460	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
		2461	goto err;
		2462	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
		2463	goto err;
		2464	if (!CBB_flush(cert_verify))
		2465	goto err;
		2466
		2467	ret = 1;
		2468	err:
		2469	free(signature);
		2470	return ret;
		2471	}
		2472
		2473	static int
		2474	ssl3_send_client_verify_ec(SSL s, CBB cert_verify)
		2475	{
		2476	CBB cbb_signature;
		2477	EVP_PKEY *pkey;
		2478	unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
		2479	unsigned char *signature = NULL;
		2480	unsigned int signature_len = 0;
		2481	int ret = 0;
		2482
		2483	if (!tls1_handshake_hash_value(s, data, sizeof(data), NULL))
		2484	goto err;
		2485
		2486	pkey = s->cert->key->privatekey;
		2487	if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
		2488	goto err;
		2489	if (!ECDSA_sign(pkey->save_type, &data[MD5_DIGEST_LENGTH],
		2490	SHA_DIGEST_LENGTH, signature, &signature_len, pkey->pkey.ec)) {
		2491	SSLerror(s, ERR_R_ECDSA_LIB);
		2492	goto err;
		2493	}
		2494
		2495	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
		2496	goto err;
		2497	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
		2498	goto err;
		2499	if (!CBB_flush(cert_verify))
		2500	goto err;
		2501
		2502	ret = 1;
		2503	err:
		2504	free(signature);
		2505	return ret;
		2506	}
		2507
		2508	#ifndef OPENSSL_NO_GOST
		2509	static int
		2510	ssl3_send_client_verify_gost(SSL s, CBB cert_verify)
		2511	{
		2512	CBB cbb_signature;
		2513	EVP_MD_CTX mctx;
		2514	EVP_PKEY_CTX *pctx;
		2515	EVP_PKEY *pkey;
		2516	const EVP_MD *md;
		2517	const unsigned char *hdata;
		2518	unsigned char signbuf[128];
		2519	unsigned char *signature = NULL;
		2520	unsigned int signature_len = 0;
		2521	unsigned int u;
		2522	size_t hdatalen;
		2523	size_t sigsize;
		2524	int nid;
		2525	int ret = 0;
2386		2526
2387	EVP_MD_CTX_init(&mctx);	2527	EVP_MD_CTX_init(&mctx);
2388		2528
		2529	pkey = s->cert->key->privatekey;
		2530
		2531	/* Create context from key and test if sha1 is allowed as digest. */
		2532	if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
		2533	goto err;
		2534	if (EVP_PKEY_sign_init(pctx) <= 0)
		2535	goto err;
		2536	/* XXX - is this needed? */
		2537	if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0)
		2538	ERR_clear_error();
		2539
		2540	if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
		2541	SSLerror(s, ERR_R_INTERNAL_ERROR);
		2542	goto err;
		2543	}
		2544	if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) \|\|
		2545	!(md = EVP_get_digestbynid(nid))) {
		2546	SSLerror(s, ERR_R_EVP_LIB);
		2547	goto err;
		2548	}
		2549	if (!EVP_DigestInit_ex(&mctx, md, NULL) \|\|
		2550	!EVP_DigestUpdate(&mctx, hdata, hdatalen) \|\|
		2551	!EVP_DigestFinal(&mctx, signbuf, &u) \|\|
		2552
		2553	(EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) \|\|
		2554	(EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
		2555	EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
		2556	NULL) <= 0) \|\|
		2557	(EVP_PKEY_sign(pctx, signature, &sigsize, signbuf, u) <= 0)) {
		2558	SSLerror(s, ERR_R_EVP_LIB);
		2559	goto err;
		2560	}
		2561	if (sigsize > UINT_MAX)
		2562	goto err;
		2563	signature_len = sigsize;
		2564
		2565	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
		2566	goto err;
		2567	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
		2568	goto err;
		2569	if (!CBB_flush(cert_verify))
		2570	goto err;
		2571
		2572	ret = 1;
		2573	err:
		2574	EVP_MD_CTX_cleanup(&mctx);
		2575	EVP_PKEY_CTX_free(pctx);
		2576	free(signature);
		2577	return ret;
		2578	}
		2579	#endif
		2580
		2581	int
		2582	ssl3_send_client_verify(SSL *s)
		2583	{
		2584	CBB cbb, cert_verify;
		2585	EVP_PKEY *pkey;
		2586
2389	memset(&cbb, 0, sizeof(cbb));	2587	memset(&cbb, 0, sizeof(cbb));
2390		2588
2391	if (S3I(s)->hs.state == SSL3_ST_CW_CERT_VRFY_A) {	2589	if (S3I(s)->hs.state == SSL3_ST_CW_CERT_VRFY_A) {
2392	if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,	2590	if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
2393	SSL3_MT_CERTIFICATE_VERIFY))	2591	SSL3_MT_CERTIFICATE_VERIFY))
2394	goto err;	2592	goto err;
2395	/*
2396	* Create context from key and test if sha1 is allowed as
2397	* digest.
2398	*/
2399	pkey = s->cert->key->privatekey;
2400	md = s->cert->key->sigalg->md();
2401	pctx = EVP_PKEY_CTX_new(pkey, NULL);
2402	EVP_PKEY_sign_init(pctx);
2403		2593
2404	/* XXX - is this needed? */	2594	pkey = s->cert->key->privatekey;
2405	if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0)
2406	ERR_clear_error();
2407		2595
2408	if (!SSL_USE_SIGALGS(s)) {
2409	tls1_transcript_free(s);
2410	if (!tls1_handshake_hash_value(s, data, sizeof(data),
2411	NULL))
2412	goto err;
2413	}
2414	/*	2596	/*
2415	* For TLS v1.2 send signature algorithm and signature	2597	* For TLS v1.2 send signature algorithm and signature
2416	* using agreed digest and cached handshake records.	2598	* using agreed digest and cached handshake records.
2417	*/	2599	*/
2418	if (SSL_USE_SIGALGS(s)) {	2600	if (SSL_USE_SIGALGS(s)) {
2419	EVP_PKEY_CTX *pctx;	2601	if (!ssl3_send_client_verify_sigalgs(s, &cert_verify))
2420	if (!tls1_transcript_data(s, &hdata, &hdatalen) \|\|
2421	!CBB_add_u16(&cert_verify,
2422	s->cert->key->sigalg->value)) {
2423	SSLerror(s, ERR_R_INTERNAL_ERROR);
2424	goto err;
2425	}
2426	if (!EVP_DigestSignInit(&mctx, &pctx, md, NULL, pkey)) {
2427	SSLerror(s, ERR_R_EVP_LIB);
2428	goto err;
2429	}
2430	if ((s->cert->key->sigalg->flags &
2431	SIGALG_FLAG_RSA_PSS) &&
2432	(!EVP_PKEY_CTX_set_rsa_padding(pctx,
2433	RSA_PKCS1_PSS_PADDING) \|\|
2434	!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
2435	SSLerror(s, ERR_R_EVP_LIB);
2436	goto err;
2437	}
2438	if (!EVP_DigestSignUpdate(&mctx, hdata, hdatalen)) {
2439	SSLerror(s, ERR_R_EVP_LIB);
2440	goto err;
2441	}
2442	if (!EVP_DigestSignFinal(&mctx, NULL, &siglen) \|\|
2443	siglen == 0) {
2444	SSLerror(s, ERR_R_EVP_LIB);
2445	goto err;	2602	goto err;
2446	}
2447	if ((signature = calloc(1, siglen)) == NULL) {
2448	SSLerror(s, ERR_R_MALLOC_FAILURE);
2449	goto err;
2450	}
2451	if (!EVP_DigestSignFinal(&mctx, signature, &siglen)) {
2452	SSLerror(s, ERR_R_EVP_LIB);
2453	goto err;
2454	}
2455	signature_len = siglen; /* XXX */
2456	tls1_transcript_free(s);
2457	} else if (pkey->type == EVP_PKEY_RSA) {	2603	} else if (pkey->type == EVP_PKEY_RSA) {
2458	if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)	2604	if (!ssl3_send_client_verify_rsa(s, &cert_verify))
2459	goto err;	2605	goto err;
2460	if (RSA_sign(NID_md5_sha1, data,
2461	MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, signature,
2462	&signature_len, pkey->pkey.rsa) <= 0 ) {
2463	SSLerror(s, ERR_R_RSA_LIB);
2464	goto err;
2465	}
2466	} else if (pkey->type == EVP_PKEY_EC) {	2606	} else if (pkey->type == EVP_PKEY_EC) {
2467	if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)	2607	if (!ssl3_send_client_verify_ec(s, &cert_verify))
2468	goto err;	2608	goto err;
2469	if (!ECDSA_sign(pkey->save_type,
2470	&data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
2471	signature, &signature_len, pkey->pkey.ec)) {
2472	SSLerror(s, ERR_R_ECDSA_LIB);
2473	goto err;
2474	}
2475	#ifndef OPENSSL_NO_GOST	2609	#ifndef OPENSSL_NO_GOST
2476	} else if (pkey->type == NID_id_GostR3410_94 \|\|	2610	} else if (pkey->type == NID_id_GostR3410_94 \|\|
2477	pkey->type == NID_id_GostR3410_2001) {	2611	pkey->type == NID_id_GostR3410_2001) {
2478	unsigned char signbuf[128];	2612	if (!ssl3_send_client_verify_gost(s, &cert_verify))
2479	unsigned int u;
2480	size_t sigsize;
2481	int nid;
2482
2483	if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2484	SSLerror(s, ERR_R_INTERNAL_ERROR);
2485	goto err;
2486	}
2487	if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) \|\|
2488	!(md = EVP_get_digestbynid(nid))) {
2489	SSLerror(s, ERR_R_EVP_LIB);
2490	goto err;	2613	goto err;
2491	}
2492	if (!EVP_DigestInit_ex(&mctx, md, NULL) \|\|
2493	!EVP_DigestUpdate(&mctx, hdata, hdatalen) \|\|
2494	!EVP_DigestFinal(&mctx, signbuf, &u) \|\|
2495
2496	(EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) \|\|
2497	(EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
2498	EVP_PKEY_CTRL_GOST_SIG_FORMAT,
2499	GOST_SIG_FORMAT_RS_LE, NULL) <= 0) \|\|
2500	(EVP_PKEY_sign(pctx, signature, &sigsize,
2501	signbuf, u) <= 0)) {
2502	SSLerror(s, ERR_R_EVP_LIB);
2503	goto err;
2504	}
2505	if (sigsize > UINT_MAX)
2506	goto err;
2507	signature_len = sigsize;
2508	tls1_transcript_free(s);
2509	#endif	2614	#endif
2510	} else {	2615	} else {
2511	SSLerror(s, ERR_R_INTERNAL_ERROR);	2616	SSLerror(s, ERR_R_INTERNAL_ERROR);
2512	goto err;	2617	goto err;
2513	}	2618	}
2514		2619
2515	if (!CBB_add_u16_length_prefixed(&cert_verify, &cbb_signature))	2620	tls1_transcript_free(s);
2516	goto err;
2517	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2518	goto err;
2519		2621
2520	if (!ssl3_handshake_msg_finish(s, &cbb))	2622	if (!ssl3_handshake_msg_finish(s, &cbb))
2521	goto err;	2623	goto err;
@@ -2523,17 +2625,10 @@ ssl3_send_client_verify(SSL *s)
2523	S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_B;	2625	S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_B;
2524	}	2626	}
2525		2627
2526	EVP_MD_CTX_cleanup(&mctx);
2527	EVP_PKEY_CTX_free(pctx);
2528	free(signature);
2529
2530	return (ssl3_handshake_write(s));	2628	return (ssl3_handshake_write(s));
2531		2629
2532	err:	2630	err:
2533	CBB_cleanup(&cbb);	2631	CBB_cleanup(&cbb);
2534	EVP_MD_CTX_cleanup(&mctx);
2535	EVP_PKEY_CTX_free(pctx);
2536	free(signature);
2537		2632
2538	return (-1);	2633	return (-1);
2539	}	2634	}