diff options
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libtls/tls_signer.c | 58 |
1 files changed, 34 insertions, 24 deletions
diff --git a/src/lib/libtls/tls_signer.c b/src/lib/libtls/tls_signer.c index 177c9d07a4..5eb3707454 100644 --- a/src/lib/libtls/tls_signer.c +++ b/src/lib/libtls/tls_signer.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_signer.c,v 1.9 2023/06/18 19:12:58 tb Exp $ */ | 1 | /* $OpenBSD: tls_signer.c,v 1.10 2024/03/26 06:24:52 joshua Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2021 Eric Faurot <eric@openbsd.org> | 3 | * Copyright (c) 2021 Eric Faurot <eric@openbsd.org> |
| 4 | * | 4 | * |
| @@ -91,7 +91,7 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert, | |||
| 91 | 91 | ||
| 92 | /* Compute certificate hash */ | 92 | /* Compute certificate hash */ |
| 93 | if ((bio = BIO_new_mem_buf(cert, cert_len)) == NULL) { | 93 | if ((bio = BIO_new_mem_buf(cert, cert_len)) == NULL) { |
| 94 | tls_error_setx(&signer->error, | 94 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 95 | "failed to create certificate bio"); | 95 | "failed to create certificate bio"); |
| 96 | goto err; | 96 | goto err; |
| 97 | } | 97 | } |
| @@ -99,12 +99,12 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert, | |||
| 99 | NULL)) == NULL) { | 99 | NULL)) == NULL) { |
| 100 | if ((ssl_err = ERR_peek_error()) != 0) | 100 | if ((ssl_err = ERR_peek_error()) != 0) |
| 101 | errstr = ERR_error_string(ssl_err, NULL); | 101 | errstr = ERR_error_string(ssl_err, NULL); |
| 102 | tls_error_setx(&signer->error, "failed to load certificate: %s", | 102 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 103 | errstr); | 103 | "failed to load certificate: %s", errstr); |
| 104 | goto err; | 104 | goto err; |
| 105 | } | 105 | } |
| 106 | if (tls_cert_pubkey_hash(x509, &hash) == -1) { | 106 | if (tls_cert_pubkey_hash(x509, &hash) == -1) { |
| 107 | tls_error_setx(&signer->error, | 107 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 108 | "failed to get certificate hash"); | 108 | "failed to get certificate hash"); |
| 109 | goto err; | 109 | goto err; |
| 110 | } | 110 | } |
| @@ -116,23 +116,27 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert, | |||
| 116 | 116 | ||
| 117 | /* Read private key */ | 117 | /* Read private key */ |
| 118 | if ((bio = BIO_new_mem_buf(key, key_len)) == NULL) { | 118 | if ((bio = BIO_new_mem_buf(key, key_len)) == NULL) { |
| 119 | tls_error_setx(&signer->error, "failed to create key bio"); | 119 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 120 | "failed to create key bio"); | ||
| 120 | goto err; | 121 | goto err; |
| 121 | } | 122 | } |
| 122 | if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, | 123 | if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, |
| 123 | NULL)) == NULL) { | 124 | NULL)) == NULL) { |
| 124 | tls_error_setx(&signer->error, "failed to read private key"); | 125 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 126 | "failed to read private key"); | ||
| 125 | goto err; | 127 | goto err; |
| 126 | } | 128 | } |
| 127 | 129 | ||
| 128 | if ((skey = calloc(1, sizeof(*skey))) == NULL) { | 130 | if ((skey = calloc(1, sizeof(*skey))) == NULL) { |
| 129 | tls_error_set(&signer->error, "failed to create key entry"); | 131 | tls_error_set(&signer->error, TLS_ERROR_UNKNOWN, |
| 132 | "failed to create key entry"); | ||
| 130 | goto err; | 133 | goto err; |
| 131 | } | 134 | } |
| 132 | skey->hash = hash; | 135 | skey->hash = hash; |
| 133 | if ((skey->rsa = EVP_PKEY_get1_RSA(pkey)) == NULL && | 136 | if ((skey->rsa = EVP_PKEY_get1_RSA(pkey)) == NULL && |
| 134 | (skey->ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) { | 137 | (skey->ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) { |
| 135 | tls_error_setx(&signer->error, "unknown key type"); | 138 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 139 | "unknown key type"); | ||
| 136 | goto err; | 140 | goto err; |
| 137 | } | 141 | } |
| 138 | 142 | ||
| @@ -194,29 +198,31 @@ tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey, | |||
| 194 | } else if (padding_type == TLS_PADDING_RSA_PKCS1) { | 198 | } else if (padding_type == TLS_PADDING_RSA_PKCS1) { |
| 195 | rsa_padding = RSA_PKCS1_PADDING; | 199 | rsa_padding = RSA_PKCS1_PADDING; |
| 196 | } else { | 200 | } else { |
| 197 | tls_error_setx(&signer->error, "invalid RSA padding type (%d)", | 201 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 198 | padding_type); | 202 | "invalid RSA padding type (%d)", padding_type); |
| 199 | return (-1); | 203 | return (-1); |
| 200 | } | 204 | } |
| 201 | 205 | ||
| 202 | if (input_len > INT_MAX) { | 206 | if (input_len > INT_MAX) { |
| 203 | tls_error_setx(&signer->error, "input too large"); | 207 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 208 | "input too large"); | ||
| 204 | return (-1); | 209 | return (-1); |
| 205 | } | 210 | } |
| 206 | if ((rsa_size = RSA_size(skey->rsa)) <= 0) { | 211 | if ((rsa_size = RSA_size(skey->rsa)) <= 0) { |
| 207 | tls_error_setx(&signer->error, "invalid RSA size: %d", | 212 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 208 | rsa_size); | 213 | "invalid RSA size: %d", rsa_size); |
| 209 | return (-1); | 214 | return (-1); |
| 210 | } | 215 | } |
| 211 | if ((signature = calloc(1, rsa_size)) == NULL) { | 216 | if ((signature = calloc(1, rsa_size)) == NULL) { |
| 212 | tls_error_set(&signer->error, "RSA signature"); | 217 | tls_error_set(&signer->error, TLS_ERROR_UNKNOWN, "RSA signature"); |
| 213 | return (-1); | 218 | return (-1); |
| 214 | } | 219 | } |
| 215 | 220 | ||
| 216 | if ((signature_len = RSA_private_encrypt((int)input_len, input, | 221 | if ((signature_len = RSA_private_encrypt((int)input_len, input, |
| 217 | signature, skey->rsa, rsa_padding)) <= 0) { | 222 | signature, skey->rsa, rsa_padding)) <= 0) { |
| 218 | /* XXX - include further details from libcrypto. */ | 223 | /* XXX - include further details from libcrypto. */ |
| 219 | tls_error_setx(&signer->error, "RSA signing failed"); | 224 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 225 | "RSA signing failed"); | ||
| 220 | free(signature); | 226 | free(signature); |
| 221 | return (-1); | 227 | return (-1); |
| 222 | } | 228 | } |
| @@ -239,28 +245,32 @@ tls_sign_ecdsa(struct tls_signer *signer, struct tls_signer_key *skey, | |||
| 239 | *out_signature_len = 0; | 245 | *out_signature_len = 0; |
| 240 | 246 | ||
| 241 | if (padding_type != TLS_PADDING_NONE) { | 247 | if (padding_type != TLS_PADDING_NONE) { |
| 242 | tls_error_setx(&signer->error, "invalid ECDSA padding"); | 248 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 249 | "invalid ECDSA padding"); | ||
| 243 | return (-1); | 250 | return (-1); |
| 244 | } | 251 | } |
| 245 | 252 | ||
| 246 | if (input_len > INT_MAX) { | 253 | if (input_len > INT_MAX) { |
| 247 | tls_error_setx(&signer->error, "digest too large"); | 254 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 255 | "digest too large"); | ||
| 248 | return (-1); | 256 | return (-1); |
| 249 | } | 257 | } |
| 250 | if ((signature_len = ECDSA_size(skey->ecdsa)) <= 0) { | 258 | if ((signature_len = ECDSA_size(skey->ecdsa)) <= 0) { |
| 251 | tls_error_setx(&signer->error, "invalid ECDSA size: %d", | 259 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 252 | signature_len); | 260 | "invalid ECDSA size: %d", signature_len); |
| 253 | return (-1); | 261 | return (-1); |
| 254 | } | 262 | } |
| 255 | if ((signature = calloc(1, signature_len)) == NULL) { | 263 | if ((signature = calloc(1, signature_len)) == NULL) { |
| 256 | tls_error_set(&signer->error, "ECDSA signature"); | 264 | tls_error_set(&signer->error, TLS_ERROR_UNKNOWN, |
| 265 | "ECDSA signature"); | ||
| 257 | return (-1); | 266 | return (-1); |
| 258 | } | 267 | } |
| 259 | 268 | ||
| 260 | if (!ECDSA_sign(0, input, input_len, signature, &signature_len, | 269 | if (!ECDSA_sign(0, input, input_len, signature, &signature_len, |
| 261 | skey->ecdsa)) { | 270 | skey->ecdsa)) { |
| 262 | /* XXX - include further details from libcrypto. */ | 271 | /* XXX - include further details from libcrypto. */ |
| 263 | tls_error_setx(&signer->error, "ECDSA signing failed"); | 272 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, |
| 273 | "ECDSA signing failed"); | ||
| 264 | free(signature); | 274 | free(signature); |
| 265 | return (-1); | 275 | return (-1); |
| 266 | } | 276 | } |
| @@ -286,7 +296,7 @@ tls_signer_sign(struct tls_signer *signer, const char *pubkey_hash, | |||
| 286 | break; | 296 | break; |
| 287 | 297 | ||
| 288 | if (skey == NULL) { | 298 | if (skey == NULL) { |
| 289 | tls_error_setx(&signer->error, "key not found"); | 299 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, "key not found"); |
| 290 | return (-1); | 300 | return (-1); |
| 291 | } | 301 | } |
| 292 | 302 | ||
| @@ -298,7 +308,7 @@ tls_signer_sign(struct tls_signer *signer, const char *pubkey_hash, | |||
| 298 | return tls_sign_ecdsa(signer, skey, input, input_len, | 308 | return tls_sign_ecdsa(signer, skey, input, input_len, |
| 299 | padding_type, out_signature, out_signature_len); | 309 | padding_type, out_signature, out_signature_len); |
| 300 | 310 | ||
| 301 | tls_error_setx(&signer->error, "unknown key type"); | 311 | tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, "unknown key type"); |
| 302 | 312 | ||
| 303 | return (-1); | 313 | return (-1); |
| 304 | } | 314 | } |