Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
-rw-r--r--src/lib/libssl/ssl_clnt.c30
1 files changed, 18 insertions, 12 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 02bd3d5dfe..6fe15dcf1d 100644
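--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.118 2021/11/19 18:53:10 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.119 2021/11/26 16:41:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1925,6 +1925,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
  unsigned char *enc_pms = NULL;
  uint16_t max_legacy_version;
  EVP_PKEY *pkey = NULL;
+ RSA *rsa;
  int ret = -1;
  int enc_len;
  CBB epms;
@@ -1934,8 +1935,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
  */
 
  pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA].x509);
- if (pkey == NULL || pkey->type != EVP_PKEY_RSA ||
- pkey->pkey.rsa == NULL) {
+ if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
  SSLerror(s, ERR_R_INTERNAL_ERROR);
  goto err;
  }
@@ -1953,12 +1953,12 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
  pms[1] = max_legacy_version & 0xff;
  arc4random_buf(&pms[2], sizeof(pms) - 2);
 
- if ((enc_pms = malloc(RSA_size(pkey->pkey.rsa))) == NULL) {
+ if ((enc_pms = malloc(RSA_size(rsa))) == NULL) {
  SSLerror(s, ERR_R_MALLOC_FAILURE);
  goto err;
  }
 
- enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, pkey->pkey.rsa,
+ enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, rsa,
  RSA_PKCS1_PADDING);
  if (enc_len <= 0) {
  SSLerror(s, SSL_R_BAD_RSA_ENCRYPT);
@@ -2385,6 +2385,7 @@ static int
 ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 {
  CBB cbb_signature;
+ RSA *rsa;
  unsigned char data[EVP_MAX_MD_SIZE];
  unsigned char *signature = NULL;
  unsigned int signature_len;
@@ -2395,8 +2396,10 @@ ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
  goto err;
  if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
  goto err;
- if (RSA_sign(NID_md5_sha1, data, data_len, signature,
- &signature_len, pkey->pkey.rsa) <= 0 ) {
+ if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL)
+ goto err;
+ if (RSA_sign(NID_md5_sha1, data, data_len, signature, &signature_len,
+ rsa) <= 0 ) {
  SSLerror(s, ERR_R_RSA_LIB);
  goto err;
  }
@@ -2418,6 +2421,7 @@ static int
 ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 {
  CBB cbb_signature;
+ EC_KEY *eckey;
  unsigned char data[EVP_MAX_MD_SIZE];
  unsigned char *signature = NULL;
  unsigned int signature_len;
@@ -2427,8 +2431,10 @@ ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
  goto err;
  if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
  goto err;
+ if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
+ goto err;
  if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
- signature, &signature_len, pkey->pkey.ec)) {
+ signature, &signature_len, eckey)) {
  SSLerror(s, ERR_R_ECDSA_LIB);
  goto err;
  }
@@ -2543,15 +2549,15 @@ ssl3_send_client_verify(SSL *s)
  if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
  &cert_verify))
  goto err;
- } else if (pkey->type == EVP_PKEY_RSA) {
+ } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
  if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
  goto err;
- } else if (pkey->type == EVP_PKEY_EC) {
+ } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
  if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
  goto err;
 #ifndef OPENSSL_NO_GOST
- } else if (pkey->type == NID_id_GostR3410_94 ||
- pkey->type == NID_id_GostR3410_2001) {
+ } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
+ EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
  if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
  goto err;
 #endif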
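Review bot: The new NULL checks in ssl3_send_client_verify_rsa (new lines 2399-2400) and ssl3_send_client_verify_ec (new lines 2434-2435) `goto err` without recording an SSL error, while the equivalent check this commit adds in ssl3_send_client_kex_rsa calls `SSLerror(s, ERR_R_INTERNAL_ERROR);`. A client key of the wrong type would then abort CertificateVerify with, at most, whatever the EVP accessor itself queues, which makes the failure harder to attribute. Consider bracing both branches and adding `SSLerror(s, ERR_R_INTERNAL_ERROR);` before the `goto err;`. A short comment would also help, for example `/* rsa is borrowed from pkey (get0): do not free, do not use after pkey is released */`, and likewise for `eckey`. This matters most in ssl3_send_client_kex_rsa, where `pkey` comes from X509_get_pubkey() and is presumably freed at `err`; the cleanup paths of all three functions lie outside the hunks shown.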