diff options
Diffstat (limited to 'src/lib/libssl/ssl_srvr.c')
-rw-r--r-- | src/lib/libssl/ssl_srvr.c | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 13644c1625..6b0d85b15b 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssl_srvr.c,v 1.124 2021/11/19 18:53:10 tb Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.125 2021/11/26 16:41:42 tb Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. | 3 | * All rights reserved. |
4 | * | 4 | * |
@@ -1727,13 +1727,11 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) | |||
1727 | fakekey[1] = S3I(s)->hs.peer_legacy_version & 0xff; | 1727 | fakekey[1] = S3I(s)->hs.peer_legacy_version & 0xff; |
1728 | 1728 | ||
1729 | pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey; | 1729 | pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey; |
1730 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || | 1730 | if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) { |
1731 | (pkey->pkey.rsa == NULL)) { | ||
1732 | al = SSL_AD_HANDSHAKE_FAILURE; | 1731 | al = SSL_AD_HANDSHAKE_FAILURE; |
1733 | SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE); | 1732 | SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE); |
1734 | goto fatal_err; | 1733 | goto fatal_err; |
1735 | } | 1734 | } |
1736 | rsa = pkey->pkey.rsa; | ||
1737 | 1735 | ||
1738 | pms_len = RSA_size(rsa); | 1736 | pms_len = RSA_size(rsa); |
1739 | if (pms_len < SSL_MAX_MASTER_KEY_LENGTH) | 1737 | if (pms_len < SSL_MAX_MASTER_KEY_LENGTH) |
@@ -2226,10 +2224,17 @@ ssl3_get_cert_verify(SSL *s) | |||
2226 | SSLerror(s, SSL_R_BAD_SIGNATURE); | 2224 | SSLerror(s, SSL_R_BAD_SIGNATURE); |
2227 | goto fatal_err; | 2225 | goto fatal_err; |
2228 | } | 2226 | } |
2229 | } else if (pkey->type == EVP_PKEY_RSA) { | 2227 | } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { |
2228 | RSA *rsa; | ||
2229 | |||
2230 | if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) { | ||
2231 | al = SSL_AD_INTERNAL_ERROR; | ||
2232 | SSLerror(s, ERR_R_EVP_LIB); | ||
2233 | goto fatal_err; | ||
2234 | } | ||
2230 | verify = RSA_verify(NID_md5_sha1, S3I(s)->hs.tls12.cert_verify, | 2235 | verify = RSA_verify(NID_md5_sha1, S3I(s)->hs.tls12.cert_verify, |
2231 | MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature), | 2236 | MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature), |
2232 | CBS_len(&signature), pkey->pkey.rsa); | 2237 | CBS_len(&signature), rsa); |
2233 | if (verify < 0) { | 2238 | if (verify < 0) { |
2234 | al = SSL_AD_DECRYPT_ERROR; | 2239 | al = SSL_AD_DECRYPT_ERROR; |
2235 | SSLerror(s, SSL_R_BAD_RSA_DECRYPT); | 2240 | SSLerror(s, SSL_R_BAD_RSA_DECRYPT); |
@@ -2240,19 +2245,26 @@ ssl3_get_cert_verify(SSL *s) | |||
2240 | SSLerror(s, SSL_R_BAD_RSA_SIGNATURE); | 2245 | SSLerror(s, SSL_R_BAD_RSA_SIGNATURE); |
2241 | goto fatal_err; | 2246 | goto fatal_err; |
2242 | } | 2247 | } |
2243 | } else if (pkey->type == EVP_PKEY_EC) { | 2248 | } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { |
2249 | EC_KEY *eckey; | ||
2250 | |||
2251 | if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) { | ||
2252 | al = SSL_AD_INTERNAL_ERROR; | ||
2253 | SSLerror(s, ERR_R_EVP_LIB); | ||
2254 | goto fatal_err; | ||
2255 | } | ||
2244 | verify = ECDSA_verify(0, | 2256 | verify = ECDSA_verify(0, |
2245 | &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]), | 2257 | &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]), |
2246 | SHA_DIGEST_LENGTH, CBS_data(&signature), | 2258 | SHA_DIGEST_LENGTH, CBS_data(&signature), |
2247 | CBS_len(&signature), pkey->pkey.ec); | 2259 | CBS_len(&signature), eckey); |
2248 | if (verify <= 0) { | 2260 | if (verify <= 0) { |
2249 | al = SSL_AD_DECRYPT_ERROR; | 2261 | al = SSL_AD_DECRYPT_ERROR; |
2250 | SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE); | 2262 | SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE); |
2251 | goto fatal_err; | 2263 | goto fatal_err; |
2252 | } | 2264 | } |
2253 | #ifndef OPENSSL_NO_GOST | 2265 | #ifndef OPENSSL_NO_GOST |
2254 | } else if (pkey->type == NID_id_GostR3410_94 || | 2266 | } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 || |
2255 | pkey->type == NID_id_GostR3410_2001) { | 2267 | EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) { |
2256 | unsigned char sigbuf[128]; | 2268 | unsigned char sigbuf[128]; |
2257 | unsigned int siglen = sizeof(sigbuf); | 2269 | unsigned int siglen = sizeof(sigbuf); |
2258 | EVP_PKEY_CTX *pctx; | 2270 | EVP_PKEY_CTX *pctx; |