summaryrefslogtreecommitdiff
path: root/lib/libssl
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2021-06-29 19:23:37 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2021-06-29 19:23:37 +0000
commite2863e3270c295ecc805654a9bc357c7574961fc (patch)
treea26d21a2d475ee43bd20fdd72ea96b8986d4ce73 /lib/libssl
parent73578e77f783e84571dd0f44e0a634db9c7f3516 (diff)
Convert legacy stack client to ssl_sigalg_for_peer().
ok inoguchi@ tb@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/ssl_clnt.c46
1 files changed, 12 insertions, 34 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 25a3321324b..6fe22e04e87 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.103 2021/06/29 19:10:08 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.104 2021/06/29 19:23:36 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1465,7 +1465,6 @@ int
ssl3_get_server_key_exchange(SSL *s)
{
CBS cbs, signature;
- const EVP_MD *md = NULL;
EVP_PKEY *pkey = NULL;
EVP_MD_CTX md_ctx;
const unsigned char *param;
@@ -1535,49 +1534,21 @@ ssl3_get_server_key_exchange(SSL *s)
} else if (alg_k != 0) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
- goto fatal_err;
+ goto fatal_err;
}
param_len -= CBS_len(&cbs);
/* if it was signed, check the signature */
if (pkey != NULL) {
- EVP_PKEY_CTX *pctx;
+ uint16_t sigalg_value = SIGALG_NONE;
const struct ssl_sigalg *sigalg;
+ EVP_PKEY_CTX *pctx;
if (SSL_USE_SIGALGS(s)) {
- uint16_t sigalg_value;
-
if (!CBS_get_u16(&cbs, &sigalg_value))
goto decode_err;
- if ((sigalg = ssl_sigalg_from_value(
- S3I(s)->hs.negotiated_tls_version,
- sigalg_value)) == NULL) {
- SSLerror(s, SSL_R_UNKNOWN_DIGEST);
- al = SSL_AD_DECODE_ERROR;
- goto fatal_err;
- }
- if ((md = sigalg->md()) == NULL) {
- SSLerror(s, SSL_R_UNKNOWN_DIGEST);
- al = SSL_AD_DECODE_ERROR;
- goto fatal_err;
- }
- if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
- SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
- al = SSL_AD_DECODE_ERROR;
- goto fatal_err;
- }
- } else if (pkey->type == EVP_PKEY_RSA) {
- sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
- } else if (pkey->type == EVP_PKEY_EC) {
- sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
- } else {
- SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
- al = SSL_AD_DECODE_ERROR;
- goto fatal_err;
}
- md = sigalg->md();
-
if (!CBS_get_u16_length_prefixed(&cbs, &signature))
goto decode_err;
if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
@@ -1586,7 +1557,14 @@ ssl3_get_server_key_exchange(SSL *s)
goto fatal_err;
}
- if (!EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey))
+ if ((sigalg = ssl_sigalg_for_peer(s, pkey,
+ sigalg_value)) == NULL) {
+ al = SSL_AD_DECODE_ERROR;
+ goto fatal_err;
+ }
+
+ if (!EVP_DigestVerifyInit(&md_ctx, &pctx, sigalg->md(),
+ NULL, pkey))
goto err;
if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->client_random,
SSL3_RANDOM_SIZE))