1 files changed, 4 insertions, 148 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index f26fde5061..117afac85e 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.158 2023/12/29 12:24:33 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.159 2024/02/03 15:58:34 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -162,10 +162,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/x509.h>
-#ifndef OPENSSL_NO_GOST
-#include <openssl/gost.h>
-#endif
 #include "bytestring.h"
 #include "dtls_local.h"
 #include "ssl_local.h"
@@ -564,15 +560,7 @@ ssl3_accept(SSL *s)
                        }
                        alg_k = s->s3->hs.cipher->algorithm_mkey;
-                        if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
+                        if (SSL_USE_SIGALGS(s)) {
-                                /*
-                                 * A GOST client may use the key from its
-                                 * certificate for key exchange, in which case
-                                 * the CertificateVerify message is not sent.
-                                 */
-                                s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
-                                s->init_num = 0;
-                        } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
                                s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
                                s->init_num = 0;
                                if (!s->session->peer_cert)
@@ -795,7 +783,6 @@ ssl3_get_client_hello(SSL *s)
        unsigned long id;
        SSL_CIPHER *c;
        STACK_OF(SSL_CIPHER) *ciphers = NULL;
-        unsigned long alg_k;
        const SSL_METHOD *method;
        uint16_t shared_version;
@@ -1138,10 +1125,8 @@ ssl3_get_client_hello(SSL *s)
        if (!tls1_transcript_hash_init(s))
                goto err;
-        alg_k = s->s3->hs.cipher->algorithm_mkey;
+        if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER))
-        if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
+                tls1_transcript_free(s); 
-            !(s->verify_mode & SSL_VERIFY_PEER))
-                tls1_transcript_free(s);
        /*
         * We now have the following setup.
@@ -1816,75 +1801,6 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
 }
 static int
-ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
-{
-        unsigned char premaster_secret[32];
-        EVP_PKEY_CTX *pkey_ctx = NULL;
-        EVP_PKEY *client_pubkey;
-        EVP_PKEY *pkey = NULL;
-        size_t outlen;
-        CBS gostblob;
-        /* Get our certificate private key*/
-#ifndef OPENSSL_NO_GOST
-        if ((s->s3->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
-                pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
-#endif
-        if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
-                goto err;
-        if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0)
-                goto err;
-        /*
-         * If client certificate is present and is of the same type,
-         * maybe use it for key exchange.
-         * Don't mind errors from EVP_PKEY_derive_set_peer, because
-         * it is completely valid to use a client certificate for
-         * authorization only.
-         */
-        if ((client_pubkey = X509_get0_pubkey(s->session->peer_cert)) != NULL) {
-                if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
-                        ERR_clear_error();
-        }
-        /* Decrypt session key */
-        if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE))
-                goto decode_err;
-        if (CBS_len(cbs) != 0)
-                goto decode_err;
-        outlen = sizeof(premaster_secret);
-        if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
-            CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
-                SSLerror(s, SSL_R_DECRYPTION_FAILED);
-                goto err;
-        }
-        if (!tls12_derive_master_secret(s, premaster_secret,
-            sizeof(premaster_secret)))
-                goto err;
-        /* Check if pubkey from client certificate was used */
-        if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY,
-            2, NULL) > 0)
-                s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
-        explicit_bzero(premaster_secret, sizeof(premaster_secret));
-        EVP_PKEY_CTX_free(pkey_ctx);
-        return 1;
- decode_err:
-        SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
-        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- err:
-        explicit_bzero(premaster_secret, sizeof(premaster_secret));
-        EVP_PKEY_CTX_free(pkey_ctx);
-        return 0;
-}
-static int
 ssl3_get_client_key_exchange(SSL *s)
 {
        unsigned long alg_k;
@@ -1912,9 +1828,6 @@ ssl3_get_client_key_exchange(SSL *s)
        } else if (alg_k & SSL_kECDHE) {
                if (!ssl3_get_client_kex_ecdhe(s, &cbs))
                        goto err;
-        } else if (alg_k & SSL_kGOST) {
-                if (!ssl3_get_client_kex_gost(s, &cbs))
-                        goto err;
        } else {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE);
@@ -2043,15 +1956,6 @@ ssl3_get_cert_verify(SSL *s)
                        al = SSL_AD_INTERNAL_ERROR;
                        goto fatal_err;
                }
-#ifndef OPENSSL_NO_GOST
-                if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
-                    EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
-                    EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
-                    NULL) <= 0) {
-                        al = SSL_AD_INTERNAL_ERROR;
-                        goto fatal_err;
-                }
-#endif
                if (EVP_DigestVerify(mctx, CBS_data(&signature),
                    CBS_len(&signature), hdata, hdatalen) <= 0) {
                        SSLerror(s, ERR_R_EVP_LIB);
@@ -2096,54 +2000,6 @@ ssl3_get_cert_verify(SSL *s)
                        SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);
                        goto fatal_err;
                }
-#ifndef OPENSSL_NO_GOST
-        } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
-            EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
-                unsigned char sigbuf[128];
-                unsigned int siglen = sizeof(sigbuf);
-                EVP_PKEY_CTX *pctx;
-                const EVP_MD *md;
-                int nid;
-                if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
-                        SSLerror(s, ERR_R_INTERNAL_ERROR);
-                        al = SSL_AD_INTERNAL_ERROR;
-                        goto fatal_err;
-                }
-                if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
-                    !(md = EVP_get_digestbynid(nid))) {
-                        SSLerror(s, ERR_R_EVP_LIB);
-                        al = SSL_AD_INTERNAL_ERROR;
-                        goto fatal_err;
-                }
-                if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
-                        SSLerror(s, ERR_R_EVP_LIB);
-                        al = SSL_AD_INTERNAL_ERROR;
-                        goto fatal_err;
-                }
-                if (!EVP_DigestInit_ex(mctx, md, NULL) ||
-                    !EVP_DigestUpdate(mctx, hdata, hdatalen) ||
-                    !EVP_DigestFinal(mctx, sigbuf, &siglen) ||
-                    (EVP_PKEY_verify_init(pctx) <= 0) ||
-                    (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
-                    (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
-                    EVP_PKEY_CTRL_GOST_SIG_FORMAT,
-                    GOST_SIG_FORMAT_RS_LE, NULL) <= 0)) {
-                        SSLerror(s, ERR_R_EVP_LIB);
-                        al = SSL_AD_INTERNAL_ERROR;
-                        EVP_PKEY_CTX_free(pctx);
-                        goto fatal_err;
-                }
-                if (EVP_PKEY_verify(pctx, CBS_data(&signature),
-                    CBS_len(&signature), sigbuf, siglen) <= 0) {
-                        al = SSL_AD_DECRYPT_ERROR;
-                        SSLerror(s, SSL_R_BAD_SIGNATURE);
-                        EVP_PKEY_CTX_free(pctx);
-                        goto fatal_err;
-                }
-                EVP_PKEY_CTX_free(pctx);
-#endif
        } else {
                SSLerror(s, ERR_R_INTERNAL_ERROR);
                al = SSL_AD_UNSUPPORTED_CERTIFICATE;

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index f26fde5061..117afac85e 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.158 2023/12/29 12:24:33 tb Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.159 2024/02/03 15:58:34 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -162,10 +162,6 @@
162	#include <openssl/opensslconf.h>	162	#include <openssl/opensslconf.h>
163	#include <openssl/x509.h>	163	#include <openssl/x509.h>
164		164
165	#ifndef OPENSSL_NO_GOST
166	#include <openssl/gost.h>
167	#endif
168
169	#include "bytestring.h"	165	#include "bytestring.h"
170	#include "dtls_local.h"	166	#include "dtls_local.h"
171	#include "ssl_local.h"	167	#include "ssl_local.h"
@@ -564,15 +560,7 @@ ssl3_accept(SSL *s)
564	}	560	}
565		561
566	alg_k = s->s3->hs.cipher->algorithm_mkey;	562	alg_k = s->s3->hs.cipher->algorithm_mkey;
567	if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {	563	if (SSL_USE_SIGALGS(s)) {
568	/*
569	* A GOST client may use the key from its
570	* certificate for key exchange, in which case
571	* the CertificateVerify message is not sent.
572	*/
573	s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
574	s->init_num = 0;
575	} else if (SSL_USE_SIGALGS(s) \|\| (alg_k & SSL_kGOST)) {
576	s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;	564	s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
577	s->init_num = 0;	565	s->init_num = 0;
578	if (!s->session->peer_cert)	566	if (!s->session->peer_cert)
@@ -795,7 +783,6 @@ ssl3_get_client_hello(SSL *s)
795	unsigned long id;	783	unsigned long id;
796	SSL_CIPHER *c;	784	SSL_CIPHER *c;
797	STACK_OF(SSL_CIPHER) *ciphers = NULL;	785	STACK_OF(SSL_CIPHER) *ciphers = NULL;
798	unsigned long alg_k;
799	const SSL_METHOD *method;	786	const SSL_METHOD *method;
800	uint16_t shared_version;	787	uint16_t shared_version;
801		788
@@ -1138,10 +1125,8 @@ ssl3_get_client_hello(SSL *s)
1138	if (!tls1_transcript_hash_init(s))	1125	if (!tls1_transcript_hash_init(s))
1139	goto err;	1126	goto err;
1140		1127
1141	alg_k = s->s3->hs.cipher->algorithm_mkey;	1128	if (!SSL_USE_SIGALGS(s) \|\| !(s->verify_mode & SSL_VERIFY_PEER))
1142	if (!(SSL_USE_SIGALGS(s) \|\| (alg_k & SSL_kGOST)) \|\|	1129	tls1_transcript_free(s);
1143	!(s->verify_mode & SSL_VERIFY_PEER))
1144	tls1_transcript_free(s);
1145		1130
1146	/*	1131	/*
1147	* We now have the following setup.	1132	* We now have the following setup.
@@ -1816,75 +1801,6 @@ ssl3_get_client_kex_ecdhe(SSL s, CBS cbs)
1816	}	1801	}
1817		1802
1818	static int	1803	static int
1819	ssl3_get_client_kex_gost(SSL s, CBS cbs)
1820	{
1821	unsigned char premaster_secret[32];
1822	EVP_PKEY_CTX *pkey_ctx = NULL;
1823	EVP_PKEY *client_pubkey;
1824	EVP_PKEY *pkey = NULL;
1825	size_t outlen;
1826	CBS gostblob;
1827
1828	/* Get our certificate private key*/
1829	#ifndef OPENSSL_NO_GOST
1830	if ((s->s3->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
1831	pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
1832	#endif
1833
1834	if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
1835	goto err;
1836	if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0)
1837	goto err;
1838
1839	/*
1840	* If client certificate is present and is of the same type,
1841	* maybe use it for key exchange.
1842	* Don't mind errors from EVP_PKEY_derive_set_peer, because
1843	* it is completely valid to use a client certificate for
1844	* authorization only.
1845	*/
1846	if ((client_pubkey = X509_get0_pubkey(s->session->peer_cert)) != NULL) {
1847	if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
1848	ERR_clear_error();
1849	}
1850
1851	/* Decrypt session key */
1852	if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE))
1853	goto decode_err;
1854	if (CBS_len(cbs) != 0)
1855	goto decode_err;
1856	outlen = sizeof(premaster_secret);
1857	if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
1858	CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
1859	SSLerror(s, SSL_R_DECRYPTION_FAILED);
1860	goto err;
1861	}
1862
1863	if (!tls12_derive_master_secret(s, premaster_secret,
1864	sizeof(premaster_secret)))
1865	goto err;
1866
1867	/* Check if pubkey from client certificate was used */
1868	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY,
1869	2, NULL) > 0)
1870	s->s3->flags \|= TLS1_FLAGS_SKIP_CERT_VERIFY;
1871
1872	explicit_bzero(premaster_secret, sizeof(premaster_secret));
1873	EVP_PKEY_CTX_free(pkey_ctx);
1874
1875	return 1;
1876
1877	decode_err:
1878	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1879	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1880	err:
1881	explicit_bzero(premaster_secret, sizeof(premaster_secret));
1882	EVP_PKEY_CTX_free(pkey_ctx);
1883
1884	return 0;
1885	}
1886
1887	static int
1888	ssl3_get_client_key_exchange(SSL *s)	1804	ssl3_get_client_key_exchange(SSL *s)
1889	{	1805	{
1890	unsigned long alg_k;	1806	unsigned long alg_k;
@@ -1912,9 +1828,6 @@ ssl3_get_client_key_exchange(SSL *s)
1912	} else if (alg_k & SSL_kECDHE) {	1828	} else if (alg_k & SSL_kECDHE) {
1913	if (!ssl3_get_client_kex_ecdhe(s, &cbs))	1829	if (!ssl3_get_client_kex_ecdhe(s, &cbs))
1914	goto err;	1830	goto err;
1915	} else if (alg_k & SSL_kGOST) {
1916	if (!ssl3_get_client_kex_gost(s, &cbs))
1917	goto err;
1918	} else {	1831	} else {
1919	al = SSL_AD_HANDSHAKE_FAILURE;	1832	al = SSL_AD_HANDSHAKE_FAILURE;
1920	SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE);	1833	SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE);
@@ -2043,15 +1956,6 @@ ssl3_get_cert_verify(SSL *s)
2043	al = SSL_AD_INTERNAL_ERROR;	1956	al = SSL_AD_INTERNAL_ERROR;
2044	goto fatal_err;	1957	goto fatal_err;
2045	}	1958	}
2046	#ifndef OPENSSL_NO_GOST
2047	if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
2048	EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
2049	EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
2050	NULL) <= 0) {
2051	al = SSL_AD_INTERNAL_ERROR;
2052	goto fatal_err;
2053	}
2054	#endif
2055	if (EVP_DigestVerify(mctx, CBS_data(&signature),	1959	if (EVP_DigestVerify(mctx, CBS_data(&signature),
2056	CBS_len(&signature), hdata, hdatalen) <= 0) {	1960	CBS_len(&signature), hdata, hdatalen) <= 0) {
2057	SSLerror(s, ERR_R_EVP_LIB);	1961	SSLerror(s, ERR_R_EVP_LIB);
@@ -2096,54 +2000,6 @@ ssl3_get_cert_verify(SSL *s)
2096	SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);	2000	SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);
2097	goto fatal_err;	2001	goto fatal_err;
2098	}	2002	}
2099	#ifndef OPENSSL_NO_GOST
2100	} else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 \|\|
2101	EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2102	unsigned char sigbuf[128];
2103	unsigned int siglen = sizeof(sigbuf);
2104	EVP_PKEY_CTX *pctx;
2105	const EVP_MD *md;
2106	int nid;
2107
2108	if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2109	SSLerror(s, ERR_R_INTERNAL_ERROR);
2110	al = SSL_AD_INTERNAL_ERROR;
2111	goto fatal_err;
2112	}
2113	if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) \|\|
2114	!(md = EVP_get_digestbynid(nid))) {
2115	SSLerror(s, ERR_R_EVP_LIB);
2116	al = SSL_AD_INTERNAL_ERROR;
2117	goto fatal_err;
2118	}
2119	if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
2120	SSLerror(s, ERR_R_EVP_LIB);
2121	al = SSL_AD_INTERNAL_ERROR;
2122	goto fatal_err;
2123	}
2124	if (!EVP_DigestInit_ex(mctx, md, NULL) \|\|
2125	!EVP_DigestUpdate(mctx, hdata, hdatalen) \|\|
2126	!EVP_DigestFinal(mctx, sigbuf, &siglen) \|\|
2127	(EVP_PKEY_verify_init(pctx) <= 0) \|\|
2128	(EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) \|\|
2129	(EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
2130	EVP_PKEY_CTRL_GOST_SIG_FORMAT,
2131	GOST_SIG_FORMAT_RS_LE, NULL) <= 0)) {
2132	SSLerror(s, ERR_R_EVP_LIB);
2133	al = SSL_AD_INTERNAL_ERROR;
2134	EVP_PKEY_CTX_free(pctx);
2135	goto fatal_err;
2136	}
2137	if (EVP_PKEY_verify(pctx, CBS_data(&signature),
2138	CBS_len(&signature), sigbuf, siglen) <= 0) {
2139	al = SSL_AD_DECRYPT_ERROR;
2140	SSLerror(s, SSL_R_BAD_SIGNATURE);
2141	EVP_PKEY_CTX_free(pctx);
2142	goto fatal_err;
2143	}
2144
2145	EVP_PKEY_CTX_free(pctx);
2146	#endif
2147	} else {	2003	} else {
2148	SSLerror(s, ERR_R_INTERNAL_ERROR);	2004	SSLerror(s, ERR_R_INTERNAL_ERROR);
2149	al = SSL_AD_UNSUPPORTED_CERTIFICATE;	2005	al = SSL_AD_UNSUPPORTED_CERTIFICATE;