diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2021-06-29 19:23:37 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2021-06-29 19:23:37 +0000 |
| commit | e2863e3270c295ecc805654a9bc357c7574961fc (patch) | |
| tree | a26d21a2d475ee43bd20fdd72ea96b8986d4ce73 /lib | |
| parent | 73578e77f783e84571dd0f44e0a634db9c7f3516 (diff) | |
Convert legacy stack client to ssl_sigalg_for_peer().
ok inoguchi@ tb@
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libssl/ssl_clnt.c | 46 |
1 files changed, 12 insertions, 34 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 25a3321324b..6fe22e04e87 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.103 2021/06/29 19:10:08 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.104 2021/06/29 19:23:36 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1465,7 +1465,6 @@ int ssl3_get_server_key_exchange(SSL *s) { CBS cbs, signature; - const EVP_MD *md = NULL; EVP_PKEY *pkey = NULL; EVP_MD_CTX md_ctx; const unsigned char *param; @@ -1535,49 +1534,21 @@ ssl3_get_server_key_exchange(SSL *s) } else if (alg_k != 0) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto fatal_err; + goto fatal_err; } param_len -= CBS_len(&cbs); /* if it was signed, check the signature */ if (pkey != NULL) { - EVP_PKEY_CTX *pctx; + uint16_t sigalg_value = SIGALG_NONE; const struct ssl_sigalg *sigalg; + EVP_PKEY_CTX *pctx; if (SSL_USE_SIGALGS(s)) { - uint16_t sigalg_value; - if (!CBS_get_u16(&cbs, &sigalg_value)) goto decode_err; - if ((sigalg = ssl_sigalg_from_value( - S3I(s)->hs.negotiated_tls_version, - sigalg_value)) == NULL) { - SSLerror(s, SSL_R_UNKNOWN_DIGEST); - al = SSL_AD_DECODE_ERROR; - goto fatal_err; - } - if ((md = sigalg->md()) == NULL) { - SSLerror(s, SSL_R_UNKNOWN_DIGEST); - al = SSL_AD_DECODE_ERROR; - goto fatal_err; - } - if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) { - SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); - al = SSL_AD_DECODE_ERROR; - goto fatal_err; - } - } else if (pkey->type == EVP_PKEY_RSA) { - sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); - } else if (pkey->type == EVP_PKEY_EC) { - sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); - } else { - SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); - al = SSL_AD_DECODE_ERROR; - goto fatal_err; } - md = sigalg->md(); - if (!CBS_get_u16_length_prefixed(&cbs, &signature)) goto decode_err; if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { @@ -1586,7 +1557,14 @@ ssl3_get_server_key_exchange(SSL *s) goto fatal_err; } - if (!EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey)) + if ((sigalg = ssl_sigalg_for_peer(s, pkey, + sigalg_value)) == NULL) { + al = SSL_AD_DECODE_ERROR; + goto fatal_err; + } + + if (!EVP_DigestVerifyInit(&md_ctx, &pctx, sigalg->md(), + NULL, pkey)) goto err; if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->client_random, SSL3_RANDOM_SIZE)) |