Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
-rw-r--r-- | src/lib/libssl/ssl_clnt.c | 30 |
1 files changed, 18 insertions, 12 deletions
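--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.118 2021/11/19 18:53:10 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.119 2021/11/26 16:41:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1925,6 +1925,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 unsigned char *enc_pms = NULL;
 uint16_t max_legacy_version;
 EVP_PKEY *pkey = NULL;
+RSA *rsa;
 int ret = -1;
 int enc_len;
 CBB epms;
@@ -1934,8 +1935,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 */
 
 pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA].x509);
-if (pkey == NULL || pkey->type != EVP_PKEY_RSA ||
-pkey->pkey.rsa == NULL) {
+if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
 goto err;
 }
@@ -1953,12 +1953,12 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 pms[1] = max_legacy_version & 0xff;
 arc4random_buf(&pms[2], sizeof(pms) - 2);
 
-if ((enc_pms = malloc(RSA_size(pkey->pkey.rsa))) == NULL) {
+if ((enc_pms = malloc(RSA_size(rsa))) == NULL) {
 SSLerror(s, ERR_R_MALLOC_FAILURE);
 goto err;
 }
 
-enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, pkey->pkey.rsa,
+enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, rsa,
 RSA_PKCS1_PADDING);
 if (enc_len <= 0) {
 SSLerror(s, SSL_R_BAD_RSA_ENCRYPT);
@@ -2385,6 +2385,7 @@ static int
 ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 {
 CBB cbb_signature;
+RSA *rsa;
 unsigned char data[EVP_MAX_MD_SIZE];
 unsigned char *signature = NULL;
 unsigned int signature_len;
@@ -2395,8 +2396,10 @@ ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 goto err;
 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
 goto err;
-if (RSA_sign(NID_md5_sha1, data, data_len, signature,
-&signature_len, pkey->pkey.rsa) <= 0 ) {
+if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL)
+goto err;
+if (RSA_sign(NID_md5_sha1, data, data_len, signature, &signature_len,
+rsa) <= 0 ) {
 SSLerror(s, ERR_R_RSA_LIB);
 goto err;
 }
@@ -2418,6 +2421,7 @@ static int
 ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 {
 CBB cbb_signature;
+EC_KEY *eckey;
 unsigned char data[EVP_MAX_MD_SIZE];
 unsigned char *signature = NULL;
 unsigned int signature_len;
@@ -2427,8 +2431,10 @@ ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 goto err;
 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
 goto err;
+if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
+goto err;
 if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
-signature, &signature_len, pkey->pkey.ec)) {
+signature, &signature_len, eckey)) {
 SSLerror(s, ERR_R_ECDSA_LIB);
 goto err;
 }
@@ -2543,15 +2549,15 @@ ssl3_send_client_verify(SSL *s)
 if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
 &cert_verify))
 goto err;
-} else if (pkey->type == EVP_PKEY_RSA) {
+} else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
 if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
 goto err;
-} else if (pkey->type == EVP_PKEY_EC) {
+} else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
 if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
 goto err;
 #ifndef OPENSSL_NO_GOST
-} else if (pkey->type == NID_id_GostR3410_94 ||
-pkey->type == NID_id_GostR3410_2001) {
+} else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
+EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
 if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
 goto err;
 #endif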
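Review bot: With the explicit `pkey->type != EVP_PKEY_RSA` test removed from ssl3_send_client_kex_rsa, rejecting a non-RSA peer key now rests entirely on `EVP_PKEY_get0_RSA()` returning NULL for other key types. That matches the accessor as I know it, but it deserves a comment at the call because this is the key the premaster secret is encrypted to. I would add `/* get0 returns NULL unless pkey holds an RSA key; rsa is borrowed from pkey, do not free it. */` above the check. The same borrowed-pointer caveat applies to `rsa` in ssl3_send_client_verify_rsa and `eckey` in ssl3_send_client_verify_ec, whose new NULL branches jump to `err` without an `SSLerror()` call, unlike the RSA_sign/ECDSA_sign failures beside them. All three function bodies start and end outside the hunks shown, so the cleanup at `err` and the lifetime of `pkey` could not be checked from here.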