int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
{
- EVP_PKEY *pkey;
- const EVP_MD *md;
+ EVP_PKEY *pkey = NULL;
+ const EVP_MD *md = NULL;
EVP_MD_CTX *mctx = NULL;
EVP_PKEY_CTX *pctx = NULL;
size_t hdatalen = 0, siglen = 0;
void *hdata;
unsigned char *sig = NULL;
unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
- int pktype, ispss = 0;
+ const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
- if (s->server) {
- /* Only happens in TLSv1.3 */
- /*
- * TODO(TLS1.3): This needs to change. We should not get this from the
- * cipher. However, for now, we have not done the work to separate the
- * certificate type from the ciphersuite
- */
- pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md);
- if (pkey == NULL)
- goto err;
- } else {
- md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
- pkey = s->cert->key->privatekey;
+ if (lu == NULL || s->s3->tmp.cert == NULL) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ pkey = s->s3->tmp.cert->privatekey;
+ md = ssl_md(lu->hash_idx);
+
+ if (pkey == NULL || md == NULL) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
+ goto err;
}
- pktype = EVP_PKEY_id(pkey);
mctx = EVP_MD_CTX_new();
if (mctx == NULL) {
goto err;
}
- if (SSL_USE_SIGALGS(s) && !tls12_get_sigandhash(s, pkt, pkey, md, &ispss)) {
+ if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
-#ifdef SSL_DEBUG
- fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md));
-#endif
siglen = EVP_PKEY_size(pkey);
sig = OPENSSL_malloc(siglen);
if (sig == NULL) {
goto err;
}
- if (ispss) {
+ if (lu->sig == EVP_PKEY_RSA_PSS) {
if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
- /* -1 here means set saltlen to the digest len */
- || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) {
+ || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
+ RSA_PSS_SALTLEN_DIGEST) <= 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB);
goto err;
}
#ifndef OPENSSL_NO_GOST
{
+ int pktype = lu->sig;
+
if (pktype == NID_id_GostR3410_2001
|| pktype == NID_id_GostR3410_2012_256
|| pktype == NID_id_GostR3410_2012_512)
unsigned char *gost_data = NULL;
#endif
int al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
- int type = 0, j, pktype, ispss = 0;
+ int type = 0, j, pktype;
unsigned int len;
X509 *peer;
const EVP_MD *md = NULL;
peer = s->session->peer;
pkey = X509_get0_pubkey(peer);
+ if (pkey == NULL) {
+ al = SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
+
pktype = EVP_PKEY_id(pkey);
type = X509_certificate_type(peer, pkey);
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
- rv = tls12_check_peer_sigalg(&md, s, sigalg, pkey);
+ rv = tls12_check_peer_sigalg(s, sigalg, pkey);
if (rv == -1) {
goto f_err;
} else if (rv == 0) {
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
- ispss = SIGID_IS_PSS(sigalg);
#ifdef SSL_DEBUG
fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
- } else {
- /* Use default digest for this key type */
- int idx = ssl_cert_type(NULL, pkey);
- if (idx >= 0)
- md = s->s3->tmp.md[idx];
- if (md == NULL) {
+ } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
- }
}
+ md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
+
if (!PACKET_get_net_2(pkt, &len)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
al = SSL_AD_DECODE_ERROR;
}
#endif
- if (ispss) {
+ if (SSL_USE_PSS(s)) {
if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
- /* -1 here means set saltlen to the digest len */
- || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) {
+ || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
+ RSA_PSS_SALTLEN_DIGEST) <= 0) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
goto f_err;
}
goto err;
}
- /* Log the master secret, if logging is enabled. */
- if (!ssl_log_master_secret(s, s->s3->client_random, SSL3_RANDOM_SIZE,
- s->session->master_key,
- s->session->master_key_length))
+ /*
+ * Log the master secret, if logging is enabled. We don't log it for
+ * TLSv1.3: there's a different key schedule for that.
+ */
+ if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
+ s->session->master_key,
+ s->session->master_key_length))
return 0;
/*
default:
return -1;
case EVP_PKEY_RSA:
- return SSL_PKEY_RSA_ENC;
+ return SSL_PKEY_RSA;
case EVP_PKEY_DSA:
return SSL_PKEY_DSA_SIGN;
#ifndef OPENSSL_NO_EC
switch (server_version) {
default:
+ if (!SSL_IS_TLS13(s)) {
+ if (version_cmp(s, client_version, s->version) < 0)
+ return SSL_R_WRONG_SSL_VERSION;
+ /*
+ * If this SSL handle is not from a version flexible method we don't
+ * (and never did) check min/max FIPS or Suite B constraints. Hope
+ * that's OK. It is up to the caller to not choose fixed protocol
+ * versions they don't want. If not, then easy to fix, just return
+ * ssl_method_error(s, s->method)
+ */
+ return 0;
+ }
/*
- * TODO(TLS1.3): This check will fail if someone attempts to do
- * renegotiation in TLS1.3 at the moment. We need to ensure we disable
- * renegotiation for TLS1.3
- */
- if (version_cmp(s, client_version, s->version) < 0)
- return SSL_R_WRONG_SSL_VERSION;
- /*
- * If this SSL handle is not from a version flexible method we don't
- * (and never did) check min/max FIPS or Suite B constraints. Hope
- * that's OK. It is up to the caller to not choose fixed protocol
- * versions they don't want. If not, then easy to fix, just return
- * ssl_method_error(s, s->method)
+ * Fall through if we are TLSv1.3 already (this means we must be after
+ * a HelloRetryRequest
*/
- return 0;
case TLS_ANY_VERSION:
table = tls_version_table;
break;
}
if (best_vers > 0) {
+ if (SSL_IS_TLS13(s)) {
+ /*
+ * We get here if this is after a HelloRetryRequest. In this
+ * case we just check that we still negotiated TLSv1.3
+ */
+ if (best_vers != TLS1_3_VERSION)
+ return SSL_R_UNSUPPORTED_PROTOCOL;
+ return 0;
+ }
s->version = best_vers;
s->method = best_method;
return 0;
continue;
if (vent->cmeth == NULL)
break;
+ if (s->hello_retry_request && version != TLS1_3_VERSION)
+ return SSL_R_WRONG_SSL_VERSION;
+
method = vent->cmeth();
err = ssl_method_error(s, method);
if (err != 0)
s->client_version = ver_max;
return 0;
}
+
+/*
+ * Checks a list of |groups| to determine if the |group_id| is in it. If it is
+ * and |checkallow| is 1 then additionally check if the group is allowed to be
+ * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
+ * 1) or 0 otherwise.
+ */
+#ifndef OPENSSL_NO_EC
+int check_in_list(SSL *s, unsigned int group_id, const unsigned char *groups,
+ size_t num_groups, int checkallow)
+{
+ size_t i;
+
+ if (groups == NULL || num_groups == 0)
+ return 0;
+
+ for (i = 0; i < num_groups; i++, groups += 2) {
+ unsigned int share_id = (groups[0] << 8) | (groups[1]);
+
+ if (group_id == share_id
+ && (!checkallow
+ || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
+ break;
+ }
+ }
+
+ /* If i == num_groups then not in the list */
+ return i < num_groups;
+}
+#endif
projects / openssl.git / blobdiff