1 files changed, 52 insertions, 24 deletions

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index ac2cddacf9a..298e4b7ff89 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.41 2018/11/10 01:19:09 beck Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.42 2018/11/11 02:03:23 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1508,15 +1508,21 @@ ssl3_get_server_key_exchange(SSL *s)
 
 	/* if it was signed, check the signature */
 	if (pkey != NULL) {
+		EVP_PKEY_CTX *pctx;
+		const struct ssl_sigalg *sigalg;
+
 		if (SSL_USE_SIGALGS(s)) {
-			const struct ssl_sigalg *sigalg;
 			uint16_t sigalg_value;
 
 			if (!CBS_get_u16(&cbs, &sigalg_value))
 				goto truncated;
 			if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs,
-			    tls12_sigalgs_len)) == NULL ||
-			    (md = sigalg->md()) == NULL) {
+				    tls12_sigalgs_len)) == NULL) {
+				SSLerror(s, SSL_R_UNKNOWN_DIGEST);
+				al = SSL_AD_DECODE_ERROR;
+				goto f_err;
+			}
+			if ((md = sigalg->md()) == NULL) {
 				SSLerror(s, SSL_R_UNKNOWN_DIGEST);
 				al = SSL_AD_DECODE_ERROR;
 				goto f_err;
@@ -1527,10 +1533,15 @@ ssl3_get_server_key_exchange(SSL *s)
 				goto f_err;
 			}
 		} else if (pkey->type == EVP_PKEY_RSA) {
-			md = EVP_md5_sha1();
+			sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
+		} else if (pkey->type == EVP_PKEY_EC) {
+			sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
 		} else {
-			md = EVP_sha1();
+			SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
+			al = SSL_AD_DECODE_ERROR;
+			goto f_err;
 		}
+		md = sigalg->md();
 
 		if (!CBS_get_u16_length_prefixed(&cbs, &signature))
 			goto truncated;
@@ -1540,18 +1551,18 @@ ssl3_get_server_key_exchange(SSL *s)
 			goto f_err;
 		}
 
-		if (!EVP_VerifyInit_ex(&md_ctx, md, NULL))
+		if (!EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey))
 			goto err;
-		if (!EVP_VerifyUpdate(&md_ctx, s->s3->client_random,
+		if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->client_random,
 		    SSL3_RANDOM_SIZE))
 			goto err;
-		if (!EVP_VerifyUpdate(&md_ctx, s->s3->server_random,
+		if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->server_random,
 		    SSL3_RANDOM_SIZE))
 			goto err;
-		if (!EVP_VerifyUpdate(&md_ctx, param, param_len))
+		if (!EVP_DigestVerifyUpdate(&md_ctx, param, param_len))
 			goto err;
-		if (EVP_VerifyFinal(&md_ctx, CBS_data(&signature),
-		    CBS_len(&signature), pkey) <= 0) {
+		if (EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature),
+		    CBS_len(&signature)) <= 0) {
 			al = SSL_AD_DECRYPT_ERROR;
 			SSLerror(s, SSL_R_BAD_SIGNATURE);
 			goto f_err;
@@ -2363,13 +2374,15 @@ ssl3_send_client_verify(SSL *s)
 	CBB cbb, cert_verify, cbb_signature;
 	unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
 	unsigned char *signature = NULL;
-	unsigned int signature_len;
+	unsigned int signature_len = 0;
 	const unsigned char *hdata;
 	size_t hdatalen;
 	EVP_PKEY_CTX *pctx = NULL;
 	EVP_PKEY *pkey;
 	EVP_MD_CTX mctx;
 	const EVP_MD *md;
+	size_t siglen;
+
 
 	EVP_MD_CTX_init(&mctx);
 
@@ -2379,12 +2392,12 @@ ssl3_send_client_verify(SSL *s)
 		if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
 		    SSL3_MT_CERTIFICATE_VERIFY))
 			goto err;
-
 		/*
 		 * Create context from key and test if sha1 is allowed as
 		 * digest.
 		 */
 		pkey = s->cert->key->privatekey;
+		md = s->cert->key->sigalg->md();
 		pctx = EVP_PKEY_CTX_new(pkey, NULL);
 		EVP_PKEY_sign_init(pctx);
 
@@ -2392,37 +2405,50 @@ ssl3_send_client_verify(SSL *s)
 		if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0)
 			ERR_clear_error();
 
-		if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
-			goto err;
-
 		if (!SSL_USE_SIGALGS(s)) {
 			tls1_transcript_free(s);
 			if (!tls1_handshake_hash_value(s, data, sizeof(data),
 			    NULL))
 				goto err;
 		}
-
 		/*
 		 * For TLS v1.2 send signature algorithm and signature
 		 * using agreed digest and cached handshake records.
 		 */
 		if (SSL_USE_SIGALGS(s)) {
-			md = s->cert->key->sigalg->md();
+			EVP_PKEY_CTX *pctx;
 			if (!tls1_transcript_data(s, &hdata, &hdatalen) ||
 			    !CBB_add_u16(&cert_verify,
-				s->cert->key->sigalg->value)) {
+			    s->cert->key->sigalg->value)) {
 				SSLerror(s, ERR_R_INTERNAL_ERROR);
 				goto err;
 			}
-			if (!EVP_SignInit_ex(&mctx, md, NULL) ||
-			    !EVP_SignUpdate(&mctx, hdata, hdatalen) ||
-			    !EVP_SignFinal(&mctx, signature, &signature_len,
-				pkey)) {
+			if (!EVP_DigestSignInit(&mctx, &pctx, md, NULL, pkey)) {
 				SSLerror(s, ERR_R_EVP_LIB);
 				goto err;
 			}
+			if (!EVP_DigestSignUpdate(&mctx, hdata, hdatalen)) {
+				SSLerror(s, ERR_R_EVP_LIB);
+				goto err;
+			}
+			if (!EVP_DigestSignFinal(&mctx, NULL, &siglen) ||
+			    siglen == 0) {
+				SSLerror(s, ERR_R_EVP_LIB);
+				goto err;
+			}
+			if ((signature = calloc(1, siglen)) == NULL) {
+				SSLerror(s, ERR_R_MALLOC_FAILURE);
+				goto err;
+			}
+			if (!EVP_DigestSignFinal(&mctx, signature, &siglen)) {
+				SSLerror(s, ERR_R_EVP_LIB);
+				goto err;
+			}
+			signature_len = siglen; /* XXX */
 			tls1_transcript_free(s);
 		} else if (pkey->type == EVP_PKEY_RSA) {
+			if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
+				goto err;
 			if (RSA_sign(NID_md5_sha1, data,
 			    MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, signature,
 			    &signature_len, pkey->pkey.rsa) <= 0 ) {
@@ -2430,6 +2456,8 @@ ssl3_send_client_verify(SSL *s)
 				goto err;
 			}
 		} else if (pkey->type == EVP_PKEY_EC) {
+			if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
+				goto err;
 			if (!ECDSA_sign(pkey->save_type,
 			    &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
 			    signature, &signature_len, pkey->pkey.ec)) {