Diffstat (limited to 'src/lib/libssl')
-rw-r--r--src/lib/libssl/ssl_clnt.c76
-rw-r--r--src/lib/libssl/ssl_sigalgs.c4
-rw-r--r--src/lib/libssl/ssl_srvr.c58
3 files changed, 93 insertions, 45 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index ac2cddacf9..298e4b7ff8 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.41 2018/11/10 01:19:09 beck Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.42 2018/11/11 02:03:23 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1508,15 +1508,21 @@ ssl3_get_server_key_exchange(SSL *s)
1508 1508
1509 /* if it was signed, check the signature */ 1509 /* if it was signed, check the signature */
1510 if (pkey != NULL) { 1510 if (pkey != NULL) {
1511 EVP_PKEY_CTX *pctx;
1512 const struct ssl_sigalg *sigalg;
1513
1511 if (SSL_USE_SIGALGS(s)) { 1514 if (SSL_USE_SIGALGS(s)) {
1512 const struct ssl_sigalg *sigalg;
1513 uint16_t sigalg_value; 1515 uint16_t sigalg_value;
1514 1516
1515 if (!CBS_get_u16(&cbs, &sigalg_value)) 1517 if (!CBS_get_u16(&cbs, &sigalg_value))
1516 goto truncated; 1518 goto truncated;
1517 if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs, 1519 if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs,
1518 tls12_sigalgs_len)) == NULL || 1520 tls12_sigalgs_len)) == NULL) {
1519 (md = sigalg->md()) == NULL) { 1521 SSLerror(s, SSL_R_UNKNOWN_DIGEST);
1522 al = SSL_AD_DECODE_ERROR;
1523 goto f_err;
1524 }
1525 if ((md = sigalg->md()) == NULL) {
1520 SSLerror(s, SSL_R_UNKNOWN_DIGEST); 1526 SSLerror(s, SSL_R_UNKNOWN_DIGEST);
1521 al = SSL_AD_DECODE_ERROR; 1527 al = SSL_AD_DECODE_ERROR;
1522 goto f_err; 1528 goto f_err;
@@ -1527,10 +1533,15 @@ ssl3_get_server_key_exchange(SSL *s)
1527 goto f_err; 1533 goto f_err;
1528 } 1534 }
1529 } else if (pkey->type == EVP_PKEY_RSA) { 1535 } else if (pkey->type == EVP_PKEY_RSA) {
1530 md = EVP_md5_sha1(); 1536 sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
1537 } else if (pkey->type == EVP_PKEY_EC) {
1538 sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
1531 } else { 1539 } else {
1532 md = EVP_sha1(); 1540 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
1541 al = SSL_AD_DECODE_ERROR;
1542 goto f_err;
1533 } 1543 }
1544 md = sigalg->md();
1534 1545
1535 if (!CBS_get_u16_length_prefixed(&cbs, &signature)) 1546 if (!CBS_get_u16_length_prefixed(&cbs, &signature))
1536 goto truncated; 1547 goto truncated;
@@ -1540,18 +1551,18 @@ ssl3_get_server_key_exchange(SSL *s)
1540 goto f_err; 1551 goto f_err;
1541 } 1552 }
1542 1553
1543 if (!EVP_VerifyInit_ex(&md_ctx, md, NULL)) 1554 if (!EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey))
1544 goto err; 1555 goto err;
1545 if (!EVP_VerifyUpdate(&md_ctx, s->s3->client_random, 1556 if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->client_random,
1546 SSL3_RANDOM_SIZE)) 1557 SSL3_RANDOM_SIZE))
1547 goto err; 1558 goto err;
1548 if (!EVP_VerifyUpdate(&md_ctx, s->s3->server_random, 1559 if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->server_random,
1549 SSL3_RANDOM_SIZE)) 1560 SSL3_RANDOM_SIZE))
1550 goto err; 1561 goto err;
1551 if (!EVP_VerifyUpdate(&md_ctx, param, param_len)) 1562 if (!EVP_DigestVerifyUpdate(&md_ctx, param, param_len))
1552 goto err; 1563 goto err;
1553 if (EVP_VerifyFinal(&md_ctx, CBS_data(&signature), 1564 if (EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature),
1554 CBS_len(&signature), pkey) <= 0) { 1565 CBS_len(&signature)) <= 0) {
1555 al = SSL_AD_DECRYPT_ERROR; 1566 al = SSL_AD_DECRYPT_ERROR;
1556 SSLerror(s, SSL_R_BAD_SIGNATURE); 1567 SSLerror(s, SSL_R_BAD_SIGNATURE);
1557 goto f_err; 1568 goto f_err;
@@ -2363,13 +2374,15 @@ ssl3_send_client_verify(SSL *s)
2363 CBB cbb, cert_verify, cbb_signature; 2374 CBB cbb, cert_verify, cbb_signature;
2364 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 2375 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
2365 unsigned char *signature = NULL; 2376 unsigned char *signature = NULL;
2366 unsigned int signature_len; 2377 unsigned int signature_len = 0;
2367 const unsigned char *hdata; 2378 const unsigned char *hdata;
2368 size_t hdatalen; 2379 size_t hdatalen;
2369 EVP_PKEY_CTX *pctx = NULL; 2380 EVP_PKEY_CTX *pctx = NULL;
2370 EVP_PKEY *pkey; 2381 EVP_PKEY *pkey;
2371 EVP_MD_CTX mctx; 2382 EVP_MD_CTX mctx;
2372 const EVP_MD *md; 2383 const EVP_MD *md;
2384 size_t siglen;
2385
2373 2386
2374 EVP_MD_CTX_init(&mctx); 2387 EVP_MD_CTX_init(&mctx);
2375 2388
@@ -2379,12 +2392,12 @@ ssl3_send_client_verify(SSL *s)
2379 if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify, 2392 if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
2380 SSL3_MT_CERTIFICATE_VERIFY)) 2393 SSL3_MT_CERTIFICATE_VERIFY))
2381 goto err; 2394 goto err;
2382
2383 /* 2395 /*
2384 * Create context from key and test if sha1 is allowed as 2396 * Create context from key and test if sha1 is allowed as
2385 * digest. 2397 * digest.
2386 */ 2398 */
2387 pkey = s->cert->key->privatekey; 2399 pkey = s->cert->key->privatekey;
2400 md = s->cert->key->sigalg->md();
2388 pctx = EVP_PKEY_CTX_new(pkey, NULL); 2401 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2389 EVP_PKEY_sign_init(pctx); 2402 EVP_PKEY_sign_init(pctx);
2390 2403
@@ -2392,37 +2405,50 @@ ssl3_send_client_verify(SSL *s)
2392 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0) 2405 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0)
2393 ERR_clear_error(); 2406 ERR_clear_error();
2394 2407
2395 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2396 goto err;
2397
2398 if (!SSL_USE_SIGALGS(s)) { 2408 if (!SSL_USE_SIGALGS(s)) {
2399 tls1_transcript_free(s); 2409 tls1_transcript_free(s);
2400 if (!tls1_handshake_hash_value(s, data, sizeof(data), 2410 if (!tls1_handshake_hash_value(s, data, sizeof(data),
2401 NULL)) 2411 NULL))
2402 goto err; 2412 goto err;
2403 } 2413 }
2404
2405 /* 2414 /*
2406 * For TLS v1.2 send signature algorithm and signature 2415 * For TLS v1.2 send signature algorithm and signature
2407 * using agreed digest and cached handshake records. 2416 * using agreed digest and cached handshake records.
2408 */ 2417 */
2409 if (SSL_USE_SIGALGS(s)) { 2418 if (SSL_USE_SIGALGS(s)) {
2410 md = s->cert->key->sigalg->md(); 2419 EVP_PKEY_CTX *pctx;
2411 if (!tls1_transcript_data(s, &hdata, &hdatalen) || 2420 if (!tls1_transcript_data(s, &hdata, &hdatalen) ||
2412 !CBB_add_u16(&cert_verify, 2421 !CBB_add_u16(&cert_verify,
2413 s->cert->key->sigalg->value)) { 2422 s->cert->key->sigalg->value)) {
2414 SSLerror(s, ERR_R_INTERNAL_ERROR); 2423 SSLerror(s, ERR_R_INTERNAL_ERROR);
2415 goto err; 2424 goto err;
2416 } 2425 }
2417 if (!EVP_SignInit_ex(&mctx, md, NULL) || 2426 if (!EVP_DigestSignInit(&mctx, &pctx, md, NULL, pkey)) {
2418 !EVP_SignUpdate(&mctx, hdata, hdatalen) ||
2419 !EVP_SignFinal(&mctx, signature, &signature_len,
2420 pkey)) {
2421 SSLerror(s, ERR_R_EVP_LIB); 2427 SSLerror(s, ERR_R_EVP_LIB);
2422 goto err; 2428 goto err;
2423 } 2429 }
2430 if (!EVP_DigestSignUpdate(&mctx, hdata, hdatalen)) {
2431 SSLerror(s, ERR_R_EVP_LIB);
2432 goto err;
2433 }
2434 if (!EVP_DigestSignFinal(&mctx, NULL, &siglen) ||
2435 siglen == 0) {
2436 SSLerror(s, ERR_R_EVP_LIB);
2437 goto err;
2438 }
2439 if ((signature = calloc(1, siglen)) == NULL) {
2440 SSLerror(s, ERR_R_MALLOC_FAILURE);
2441 goto err;
2442 }
2443 if (!EVP_DigestSignFinal(&mctx, signature, &siglen)) {
2444 SSLerror(s, ERR_R_EVP_LIB);
2445 goto err;
2446 }
2447 signature_len = siglen; /* XXX */
2424 tls1_transcript_free(s); 2448 tls1_transcript_free(s);
2425 } else if (pkey->type == EVP_PKEY_RSA) { 2449 } else if (pkey->type == EVP_PKEY_RSA) {
2450 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2451 goto err;
2426 if (RSA_sign(NID_md5_sha1, data, 2452 if (RSA_sign(NID_md5_sha1, data,
2427 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, signature, 2453 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, signature,
2428 &signature_len, pkey->pkey.rsa) <= 0 ) { 2454 &signature_len, pkey->pkey.rsa) <= 0 ) {
@@ -2430,6 +2456,8 @@ ssl3_send_client_verify(SSL *s)
2430 goto err; 2456 goto err;
2431 } 2457 }
2432 } else if (pkey->type == EVP_PKEY_EC) { 2458 } else if (pkey->type == EVP_PKEY_EC) {
2459 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2460 goto err;
2433 if (!ECDSA_sign(pkey->save_type, 2461 if (!ECDSA_sign(pkey->save_type,
2434 &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH, 2462 &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
2435 signature, &signature_len, pkey->pkey.ec)) { 2463 signature, &signature_len, pkey->pkey.ec)) {
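Review bot: In ssl3_get_server_key_exchange the pre-TLS1.2 RSA branch now takes its digest from `ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1)->md()` in place of the removed `md = EVP_md5_sha1()`; unless that table entry's md() is MD5+SHA1 (its TLS 1.2 use implies plain SHA-1), a TLS 1.0/1.1 DHE/ECDHE-RSA ServerKeyExchange, whose signature covers MD5||SHA1 of the randoms and params, will now be rejected with SSL_R_BAD_SIGNATURE. Either add a private-use table entry whose md is EVP_md5_sha1 and look that up here, or keep `md = EVP_md5_sha1();` in the RSA branch and `md = EVP_sha1();` in the EC branch and assign `md = sigalg->md();` only inside the SSL_USE_SIGALGS block. Separately, ssl3_send_client_verify now evaluates `md = s->cert->key->sigalg->md();` before the `SSL_USE_SIGALGS(s)` test, whereas it was previously inside that branch; if sigalg is not populated for TLS 1.0/1.1 client authentication this is a NULL dereference, so the assignment should move back under the guard (the non-sigalgs paths never read md). Both functions start and end outside the hunks shown.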
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index cee3f0bf6d..5dc261810b 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.c,v 1.5 2018/11/10 08:42:39 beck Exp $ */ 1/* $OpenBSD: ssl_sigalgs.c,v 1.6 2018/11/11 02:03:23 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2018, Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -83,7 +83,6 @@ const struct ssl_sigalg sigalgs[] = {
83 .pkey_idx = SSL_PKEY_GOST01, 83 .pkey_idx = SSL_PKEY_GOST01,
84 }, 84 },
85#endif 85#endif
86#ifdef LIBRESSL_HAS_TLS1_3
87 { 86 {
88 .value = SIGALG_RSA_PSS_RSAE_SHA256, 87 .value = SIGALG_RSA_PSS_RSAE_SHA256,
89 .md = EVP_sha256, 88 .md = EVP_sha256,
@@ -126,7 +125,6 @@ const struct ssl_sigalg sigalgs[] = {
126 .pkey_idx = SSL_PKEY_RSA_SIGN, 125 .pkey_idx = SSL_PKEY_RSA_SIGN,
127 .flags = SIGALG_FLAG_RSA_PSS, 126 .flags = SIGALG_FLAG_RSA_PSS,
128 }, 127 },
129#endif
130 { 128 {
131 .value = SIGALG_RSA_PKCS1_SHA224, 129 .value = SIGALG_RSA_PKCS1_SHA224,
132 .md = EVP_sha224, 130 .md = EVP_sha224,
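Review bot: Dropping the LIBRESSL_HAS_TLS1_3 guard puts the rsa_pss_rsae_* entries into the lookup table for every build, but their `.flags = SIGALG_FLAG_RSA_PSS` is not consulted by any of the TLS 1.2 sign/verify paths this commit converts to EVP_DigestSign/EVP_DigestVerify, which therefore run with the key's default PKCS#1 v1.5 padding. If these values are also listed in tls12_sigalgs (not visible here), a TLS 1.2 peer could negotiate a PSS sigalg and receive or be asked to verify a v1.5 signature labelled as PSS. A note on the first PSS entry, e.g. `/* RSA-PSS: the signer/verifier must set PSS padding on the EVP_PKEY_CTX; not yet done for TLS 1.2 */`, or keeping the guard until that is wired, would make the current state explicit.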
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 587a538060..f1b8a49468 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.55 2018/11/10 01:19:09 beck Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.56 2018/11/11 02:03:23 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -345,7 +345,7 @@ ssl3_accept(SSL *s)
345 D1I(s)->handshake_write_seq = 1; 345 D1I(s)->handshake_write_seq = 1;
346 D1I(s)->next_handshake_write_seq = 1; 346 D1I(s)->next_handshake_write_seq = 1;
347 goto end; 347 goto end;
348 } 348 }
349 } else { 349 } else {
350 if (s->internal->rwstate != SSL_X509_LOOKUP) { 350 if (s->internal->rwstate != SSL_X509_LOOKUP) {
351 ret = ssl3_get_client_hello(s); 351 ret = ssl3_get_client_hello(s);
@@ -1485,12 +1485,13 @@ ssl3_send_server_key_exchange(SSL *s)
1485 CBB cbb, cbb_params, cbb_signature, server_kex; 1485 CBB cbb, cbb_params, cbb_signature, server_kex;
1486 const struct ssl_sigalg *sigalg = NULL; 1486 const struct ssl_sigalg *sigalg = NULL;
1487 unsigned char *signature = NULL; 1487 unsigned char *signature = NULL;
1488 unsigned int signature_len; 1488 size_t signature_len = 0;
1489 unsigned char *params = NULL; 1489 unsigned char *params = NULL;
1490 size_t params_len; 1490 size_t params_len;
1491 const EVP_MD *md = NULL; 1491 const EVP_MD *md = NULL;
1492 unsigned long type; 1492 unsigned long type;
1493 EVP_MD_CTX md_ctx; 1493 EVP_MD_CTX md_ctx;
1494 EVP_PKEY_CTX *pctx;
1494 EVP_PKEY *pkey; 1495 EVP_PKEY *pkey;
1495 int al; 1496 int al;
1496 1497
@@ -1544,21 +1545,34 @@ ssl3_send_server_key_exchange(SSL *s)
1544 } 1545 }
1545 } 1546 }
1546 1547
1547 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) 1548 if (!EVP_DigestSignInit(&md_ctx, &pctx, md, NULL, pkey)) {
1549 SSLerror(s, ERR_R_EVP_LIB);
1548 goto err; 1550 goto err;
1549 1551 }
1550 if (!EVP_SignInit_ex(&md_ctx, md, NULL)) 1552 if (!EVP_DigestSignUpdate(&md_ctx, s->s3->client_random,
1553 SSL3_RANDOM_SIZE)) {
1554 SSLerror(s, ERR_R_EVP_LIB);
1551 goto err; 1555 goto err;
1552 if (!EVP_SignUpdate(&md_ctx, s->s3->client_random, 1556 }
1553 SSL3_RANDOM_SIZE)) 1557 if (!EVP_DigestSignUpdate(&md_ctx, s->s3->server_random,
1558 SSL3_RANDOM_SIZE)) {
1559 SSLerror(s, ERR_R_EVP_LIB);
1560 goto err;
1561 }
1562 if (!EVP_DigestSignUpdate(&md_ctx, params, params_len)) {
1563 SSLerror(s, ERR_R_EVP_LIB);
1554 goto err; 1564 goto err;
1555 if (!EVP_SignUpdate(&md_ctx, s->s3->server_random, 1565 }
1556 SSL3_RANDOM_SIZE)) 1566 if (!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
1567 !signature_len) {
1568 SSLerror(s, ERR_R_EVP_LIB);
1557 goto err; 1569 goto err;
1558 if (!EVP_SignUpdate(&md_ctx, params, params_len)) 1570 }
1571 if ((signature = calloc(1, signature_len)) == NULL) {
1572 SSLerror(s, ERR_R_MALLOC_FAILURE);
1559 goto err; 1573 goto err;
1560 if (!EVP_SignFinal(&md_ctx, signature, &signature_len, 1574 }
1561 pkey)) { 1575 if (!EVP_DigestSignFinal(&md_ctx, signature, &signature_len)) {
1562 SSLerror(s, ERR_R_EVP_LIB); 1576 SSLerror(s, ERR_R_EVP_LIB);
1563 goto err; 1577 goto err;
1564 } 1578 }
@@ -2071,6 +2085,7 @@ int
2071ssl3_get_cert_verify(SSL *s) 2085ssl3_get_cert_verify(SSL *s)
2072{ 2086{
2073 CBS cbs, signature; 2087 CBS cbs, signature;
2088 const struct ssl_sigalg *sigalg;
2074 const EVP_MD *md = NULL; 2089 const EVP_MD *md = NULL;
2075 EVP_PKEY *pkey = NULL; 2090 EVP_PKEY *pkey = NULL;
2076 X509 *peer = NULL; 2091 X509 *peer = NULL;
@@ -2135,14 +2150,16 @@ ssl3_get_cert_verify(SSL *s)
2135 * If key is GOST and n is exactly 64, it is a bare 2150 * If key is GOST and n is exactly 64, it is a bare
2136 * signature without length field. 2151 * signature without length field.
2137 */ 2152 */
2153 /* This hack is awful and needs to die in fire */
2138 if ((pkey->type == NID_id_GostR3410_94 || 2154 if ((pkey->type == NID_id_GostR3410_94 ||
2139 pkey->type == NID_id_GostR3410_2001) && CBS_len(&cbs) == 64) { 2155 pkey->type == NID_id_GostR3410_2001) && CBS_len(&cbs) == 64) {
2156 if (SSL_USE_SIGALGS(s))
2157 goto truncated;
2140 CBS_dup(&cbs, &signature); 2158 CBS_dup(&cbs, &signature);
2141 if (!CBS_skip(&cbs, CBS_len(&cbs))) 2159 if (!CBS_skip(&cbs, CBS_len(&cbs)))
2142 goto err; 2160 goto err;
2143 } else { 2161 } else {
2144 if (SSL_USE_SIGALGS(s)) { 2162 if (SSL_USE_SIGALGS(s)) {
2145 const struct ssl_sigalg *sigalg;
2146 uint16_t sigalg_value; 2163 uint16_t sigalg_value;
2147 2164
2148 if (!CBS_get_u16(&cbs, &sigalg_value)) 2165 if (!CBS_get_u16(&cbs, &sigalg_value))
@@ -2175,19 +2192,24 @@ ssl3_get_cert_verify(SSL *s)
2175 } 2192 }
2176 2193
2177 if (SSL_USE_SIGALGS(s)) { 2194 if (SSL_USE_SIGALGS(s)) {
2195 EVP_PKEY_CTX *pctx;
2178 if (!tls1_transcript_data(s, &hdata, &hdatalen)) { 2196 if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2179 SSLerror(s, ERR_R_INTERNAL_ERROR); 2197 SSLerror(s, ERR_R_INTERNAL_ERROR);
2180 al = SSL_AD_INTERNAL_ERROR; 2198 al = SSL_AD_INTERNAL_ERROR;
2181 goto f_err; 2199 goto f_err;
2182 } 2200 }
2183 if (!EVP_VerifyInit_ex(&mctx, md, NULL) || 2201 if (!EVP_DigestVerifyInit(&mctx, &pctx, md, NULL, pkey)) {
2184 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) { 2202 SSLerror(s, ERR_R_EVP_LIB);
2203 al = SSL_AD_INTERNAL_ERROR;
2204 goto f_err;
2205 }
2206 if (!EVP_DigestVerifyUpdate(&mctx, hdata, hdatalen)) {
2185 SSLerror(s, ERR_R_EVP_LIB); 2207 SSLerror(s, ERR_R_EVP_LIB);
2186 al = SSL_AD_INTERNAL_ERROR; 2208 al = SSL_AD_INTERNAL_ERROR;
2187 goto f_err; 2209 goto f_err;
2188 } 2210 }
2189 if (EVP_VerifyFinal(&mctx, CBS_data(&signature), 2211 if (EVP_DigestVerifyFinal(&mctx, CBS_data(&signature),
2190 CBS_len(&signature), pkey) <= 0) { 2212 CBS_len(&signature)) <= 0) {
2191 al = SSL_AD_DECRYPT_ERROR; 2213 al = SSL_AD_DECRYPT_ERROR;
2192 SSLerror(s, SSL_R_BAD_SIGNATURE); 2214 SSLerror(s, SSL_R_BAD_SIGNATURE);
2193 goto f_err; 2215 goto f_err;
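Review bot: In ssl3_send_server_key_exchange the `pctx` returned by `EVP_DigestSignInit` is never used, so a `sigalg` carrying SIGALG_FLAG_RSA_PSS (the flag on the PSS entries this commit makes unconditional in ssl_sigalgs.c) would be signed with default PKCS#1 v1.5 padding while the message advertises a PSS sigalg value, and the client's verification would fail. If a PSS sigalg can be selected at this revision (selection happens above the hunk), apply the flag after the init: `if (sigalg != NULL && (sigalg->flags & SIGALG_FLAG_RSA_PSS) && (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0)) goto err;`, assuming those EVP_PKEY_CTX setters are available in this tree. The verify side in ssl3_get_cert_verify has the same gap: its `pctx` from EVP_DigestVerifyInit is obtained and then ignored. Until the flag is honoured, a comment at each init such as `/* XXX sigalg->flags (RSA-PSS) not yet applied to pctx */` would at least mark the gap; both functions begin outside the hunks shown.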