diff options
Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 76 |
1 files changed, 52 insertions, 24 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index ac2cddacf9..298e4b7ff8 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.41 2018/11/10 01:19:09 beck Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.42 2018/11/11 02:03:23 beck Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1508,15 +1508,21 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1508 | 1508 | ||
| 1509 | /* if it was signed, check the signature */ | 1509 | /* if it was signed, check the signature */ |
| 1510 | if (pkey != NULL) { | 1510 | if (pkey != NULL) { |
| 1511 | EVP_PKEY_CTX *pctx; | ||
| 1512 | const struct ssl_sigalg *sigalg; | ||
| 1513 | |||
| 1511 | if (SSL_USE_SIGALGS(s)) { | 1514 | if (SSL_USE_SIGALGS(s)) { |
| 1512 | const struct ssl_sigalg *sigalg; | ||
| 1513 | uint16_t sigalg_value; | 1515 | uint16_t sigalg_value; |
| 1514 | 1516 | ||
| 1515 | if (!CBS_get_u16(&cbs, &sigalg_value)) | 1517 | if (!CBS_get_u16(&cbs, &sigalg_value)) |
| 1516 | goto truncated; | 1518 | goto truncated; |
| 1517 | if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs, | 1519 | if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs, |
| 1518 | tls12_sigalgs_len)) == NULL || | 1520 | tls12_sigalgs_len)) == NULL) { |
| 1519 | (md = sigalg->md()) == NULL) { | 1521 | SSLerror(s, SSL_R_UNKNOWN_DIGEST); |
| 1522 | al = SSL_AD_DECODE_ERROR; | ||
| 1523 | goto f_err; | ||
| 1524 | } | ||
| 1525 | if ((md = sigalg->md()) == NULL) { | ||
| 1520 | SSLerror(s, SSL_R_UNKNOWN_DIGEST); | 1526 | SSLerror(s, SSL_R_UNKNOWN_DIGEST); |
| 1521 | al = SSL_AD_DECODE_ERROR; | 1527 | al = SSL_AD_DECODE_ERROR; |
| 1522 | goto f_err; | 1528 | goto f_err; |
| @@ -1527,10 +1533,15 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1527 | goto f_err; | 1533 | goto f_err; |
| 1528 | } | 1534 | } |
| 1529 | } else if (pkey->type == EVP_PKEY_RSA) { | 1535 | } else if (pkey->type == EVP_PKEY_RSA) { |
| 1530 | md = EVP_md5_sha1(); | 1536 | sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); |
| 1537 | } else if (pkey->type == EVP_PKEY_EC) { | ||
| 1538 | sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); | ||
| 1531 | } else { | 1539 | } else { |
| 1532 | md = EVP_sha1(); | 1540 | SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); |
| 1541 | al = SSL_AD_DECODE_ERROR; | ||
| 1542 | goto f_err; | ||
| 1533 | } | 1543 | } |
| 1544 | md = sigalg->md(); | ||
| 1534 | 1545 | ||
| 1535 | if (!CBS_get_u16_length_prefixed(&cbs, &signature)) | 1546 | if (!CBS_get_u16_length_prefixed(&cbs, &signature)) |
| 1536 | goto truncated; | 1547 | goto truncated; |
| @@ -1540,18 +1551,18 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1540 | goto f_err; | 1551 | goto f_err; |
| 1541 | } | 1552 | } |
| 1542 | 1553 | ||
| 1543 | if (!EVP_VerifyInit_ex(&md_ctx, md, NULL)) | 1554 | if (!EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey)) |
| 1544 | goto err; | 1555 | goto err; |
| 1545 | if (!EVP_VerifyUpdate(&md_ctx, s->s3->client_random, | 1556 | if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->client_random, |
| 1546 | SSL3_RANDOM_SIZE)) | 1557 | SSL3_RANDOM_SIZE)) |
| 1547 | goto err; | 1558 | goto err; |
| 1548 | if (!EVP_VerifyUpdate(&md_ctx, s->s3->server_random, | 1559 | if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->server_random, |
| 1549 | SSL3_RANDOM_SIZE)) | 1560 | SSL3_RANDOM_SIZE)) |
| 1550 | goto err; | 1561 | goto err; |
| 1551 | if (!EVP_VerifyUpdate(&md_ctx, param, param_len)) | 1562 | if (!EVP_DigestVerifyUpdate(&md_ctx, param, param_len)) |
| 1552 | goto err; | 1563 | goto err; |
| 1553 | if (EVP_VerifyFinal(&md_ctx, CBS_data(&signature), | 1564 | if (EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature), |
| 1554 | CBS_len(&signature), pkey) <= 0) { | 1565 | CBS_len(&signature)) <= 0) { |
| 1555 | al = SSL_AD_DECRYPT_ERROR; | 1566 | al = SSL_AD_DECRYPT_ERROR; |
| 1556 | SSLerror(s, SSL_R_BAD_SIGNATURE); | 1567 | SSLerror(s, SSL_R_BAD_SIGNATURE); |
| 1557 | goto f_err; | 1568 | goto f_err; |
| @@ -2363,13 +2374,15 @@ ssl3_send_client_verify(SSL *s) | |||
| 2363 | CBB cbb, cert_verify, cbb_signature; | 2374 | CBB cbb, cert_verify, cbb_signature; |
| 2364 | unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; | 2375 | unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; |
| 2365 | unsigned char *signature = NULL; | 2376 | unsigned char *signature = NULL; |
| 2366 | unsigned int signature_len; | 2377 | unsigned int signature_len = 0; |
| 2367 | const unsigned char *hdata; | 2378 | const unsigned char *hdata; |
| 2368 | size_t hdatalen; | 2379 | size_t hdatalen; |
| 2369 | EVP_PKEY_CTX *pctx = NULL; | 2380 | EVP_PKEY_CTX *pctx = NULL; |
| 2370 | EVP_PKEY *pkey; | 2381 | EVP_PKEY *pkey; |
| 2371 | EVP_MD_CTX mctx; | 2382 | EVP_MD_CTX mctx; |
| 2372 | const EVP_MD *md; | 2383 | const EVP_MD *md; |
| 2384 | size_t siglen; | ||
| 2385 | |||
| 2373 | 2386 | ||
| 2374 | EVP_MD_CTX_init(&mctx); | 2387 | EVP_MD_CTX_init(&mctx); |
| 2375 | 2388 | ||
| @@ -2379,12 +2392,12 @@ ssl3_send_client_verify(SSL *s) | |||
| 2379 | if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify, | 2392 | if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify, |
| 2380 | SSL3_MT_CERTIFICATE_VERIFY)) | 2393 | SSL3_MT_CERTIFICATE_VERIFY)) |
| 2381 | goto err; | 2394 | goto err; |
| 2382 | |||
| 2383 | /* | 2395 | /* |
| 2384 | * Create context from key and test if sha1 is allowed as | 2396 | * Create context from key and test if sha1 is allowed as |
| 2385 | * digest. | 2397 | * digest. |
| 2386 | */ | 2398 | */ |
| 2387 | pkey = s->cert->key->privatekey; | 2399 | pkey = s->cert->key->privatekey; |
| 2400 | md = s->cert->key->sigalg->md(); | ||
| 2388 | pctx = EVP_PKEY_CTX_new(pkey, NULL); | 2401 | pctx = EVP_PKEY_CTX_new(pkey, NULL); |
| 2389 | EVP_PKEY_sign_init(pctx); | 2402 | EVP_PKEY_sign_init(pctx); |
| 2390 | 2403 | ||
| @@ -2392,37 +2405,50 @@ ssl3_send_client_verify(SSL *s) | |||
| 2392 | if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0) | 2405 | if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0) |
| 2393 | ERR_clear_error(); | 2406 | ERR_clear_error(); |
| 2394 | 2407 | ||
| 2395 | if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) | ||
| 2396 | goto err; | ||
| 2397 | |||
| 2398 | if (!SSL_USE_SIGALGS(s)) { | 2408 | if (!SSL_USE_SIGALGS(s)) { |
| 2399 | tls1_transcript_free(s); | 2409 | tls1_transcript_free(s); |
| 2400 | if (!tls1_handshake_hash_value(s, data, sizeof(data), | 2410 | if (!tls1_handshake_hash_value(s, data, sizeof(data), |
| 2401 | NULL)) | 2411 | NULL)) |
| 2402 | goto err; | 2412 | goto err; |
| 2403 | } | 2413 | } |
| 2404 | |||
| 2405 | /* | 2414 | /* |
| 2406 | * For TLS v1.2 send signature algorithm and signature | 2415 | * For TLS v1.2 send signature algorithm and signature |
| 2407 | * using agreed digest and cached handshake records. | 2416 | * using agreed digest and cached handshake records. |
| 2408 | */ | 2417 | */ |
| 2409 | if (SSL_USE_SIGALGS(s)) { | 2418 | if (SSL_USE_SIGALGS(s)) { |
| 2410 | md = s->cert->key->sigalg->md(); | 2419 | EVP_PKEY_CTX *pctx; |
| 2411 | if (!tls1_transcript_data(s, &hdata, &hdatalen) || | 2420 | if (!tls1_transcript_data(s, &hdata, &hdatalen) || |
| 2412 | !CBB_add_u16(&cert_verify, | 2421 | !CBB_add_u16(&cert_verify, |
| 2413 | s->cert->key->sigalg->value)) { | 2422 | s->cert->key->sigalg->value)) { |
| 2414 | SSLerror(s, ERR_R_INTERNAL_ERROR); | 2423 | SSLerror(s, ERR_R_INTERNAL_ERROR); |
| 2415 | goto err; | 2424 | goto err; |
| 2416 | } | 2425 | } |
| 2417 | if (!EVP_SignInit_ex(&mctx, md, NULL) || | 2426 | if (!EVP_DigestSignInit(&mctx, &pctx, md, NULL, pkey)) { |
| 2418 | !EVP_SignUpdate(&mctx, hdata, hdatalen) || | ||
| 2419 | !EVP_SignFinal(&mctx, signature, &signature_len, | ||
| 2420 | pkey)) { | ||
| 2421 | SSLerror(s, ERR_R_EVP_LIB); | 2427 | SSLerror(s, ERR_R_EVP_LIB); |
| 2422 | goto err; | 2428 | goto err; |
| 2423 | } | 2429 | } |
| 2430 | if (!EVP_DigestSignUpdate(&mctx, hdata, hdatalen)) { | ||
| 2431 | SSLerror(s, ERR_R_EVP_LIB); | ||
| 2432 | goto err; | ||
| 2433 | } | ||
| 2434 | if (!EVP_DigestSignFinal(&mctx, NULL, &siglen) || | ||
| 2435 | siglen == 0) { | ||
| 2436 | SSLerror(s, ERR_R_EVP_LIB); | ||
| 2437 | goto err; | ||
| 2438 | } | ||
| 2439 | if ((signature = calloc(1, siglen)) == NULL) { | ||
| 2440 | SSLerror(s, ERR_R_MALLOC_FAILURE); | ||
| 2441 | goto err; | ||
| 2442 | } | ||
| 2443 | if (!EVP_DigestSignFinal(&mctx, signature, &siglen)) { | ||
| 2444 | SSLerror(s, ERR_R_EVP_LIB); | ||
| 2445 | goto err; | ||
| 2446 | } | ||
| 2447 | signature_len = siglen; /* XXX */ | ||
| 2424 | tls1_transcript_free(s); | 2448 | tls1_transcript_free(s); |
| 2425 | } else if (pkey->type == EVP_PKEY_RSA) { | 2449 | } else if (pkey->type == EVP_PKEY_RSA) { |
| 2450 | if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) | ||
| 2451 | goto err; | ||
| 2426 | if (RSA_sign(NID_md5_sha1, data, | 2452 | if (RSA_sign(NID_md5_sha1, data, |
| 2427 | MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, signature, | 2453 | MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, signature, |
| 2428 | &signature_len, pkey->pkey.rsa) <= 0 ) { | 2454 | &signature_len, pkey->pkey.rsa) <= 0 ) { |
| @@ -2430,6 +2456,8 @@ ssl3_send_client_verify(SSL *s) | |||
| 2430 | goto err; | 2456 | goto err; |
| 2431 | } | 2457 | } |
| 2432 | } else if (pkey->type == EVP_PKEY_EC) { | 2458 | } else if (pkey->type == EVP_PKEY_EC) { |
| 2459 | if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) | ||
| 2460 | goto err; | ||
| 2433 | if (!ECDSA_sign(pkey->save_type, | 2461 | if (!ECDSA_sign(pkey->save_type, |
| 2434 | &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH, | 2462 | &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH, |
| 2435 | signature, &signature_len, pkey->pkey.ec)) { | 2463 | signature, &signature_len, pkey->pkey.ec)) { |