static inline int cert_req_allowed(SSL *s)
{
/* TLS does not like anon-DH with client cert */
- if (s->version > SSL3_VERSION
- && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+ if ((s->version > SSL3_VERSION
+ && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+ || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
return 0;
return 1;
#endif
if (statem_flush(s) != 1)
return WORK_MORE_B;
-
- if (s->hit && tls_finish_handshake(s, WORK_MORE_A) != 1)
- return WORK_ERROR;
break;
default:
return WORK_FINISHED_STOP;
#endif
- case TLS_ST_CR_FINISHED:
- if (!s->hit)
- return tls_finish_handshake(s, wst);
- else
- return WORK_FINISHED_STOP;
default:
break;
}
s->s3->tmp.mask_ssl = SSL_TLSV1_2;
else
s->s3->tmp.mask_ssl = 0;
+ /* Skip TLS v1.0 ciphersuites if SSLv3 */
+ if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
+ s->s3->tmp.mask_ssl |= SSL_TLSV1;
/*
* If it is a disabled cipher we didn't send it in client hello, so
* return an error.
goto f_err;
}
s->s3->tmp.new_cipher = c;
- /*
- * Don't digest cached records if no sigalgs: we may need them for client
- * authentication.
- */
- if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s, 0))
- goto f_err;
/* lets get the compression algorithm */
/* COMPRESSION */
if (!PACKET_get_1(pkt, &compression)) {
* Add new shared key for SCTP-Auth, will be ignored if
* no SCTP used.
*/
- snprintf((char *)labelbuffer,
- sizeof(DTLS1_SCTP_AUTH_LABEL),
- DTLS1_SCTP_AUTH_LABEL);
+ memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
+ sizeof(DTLS1_SCTP_AUTH_LABEL));
if (SSL_export_keying_material(s, sctpauthkey,
sizeof(sctpauthkey),
}
exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
- if (exp_idx >= 0 && i != exp_idx) {
+ if (exp_idx >= 0 && i != exp_idx
+ && (exp_idx != SSL_PKEY_GOST_EC ||
+ (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256
+ && i != SSL_PKEY_GOST01))) {
x = NULL;
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
{
-#ifndef OPENSSL_NO_RSA
- unsigned char *q, md_buf[EVP_MAX_MD_SIZE * 2];
-#endif
EVP_MD_CTX md_ctx;
- int al, j, verify_ret;
+ int al, j;
long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
const EVP_MD *md = NULL;
goto f_err;
}
- if (!PACKET_strndup(&psk_identity_hint,
+ if (PACKET_remaining(&psk_identity_hint) == 0) {
+ OPENSSL_free(s->session->psk_identity_hint);
+ s->session->psk_identity_hint = NULL;
+ } else if (!PACKET_strndup(&psk_identity_hint,
&s->session->psk_identity_hint)) {
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
#ifdef SSL_DEBUG
fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
+ } else if (pkey->type == EVP_PKEY_RSA) {
+ md = EVP_md5_sha1();
} else {
md = EVP_sha1();
}
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH);
goto f_err;
}
-#ifndef OPENSSL_NO_RSA
- if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) {
- int num;
- unsigned int size;
-
- j = 0;
- q = md_buf;
- for (num = 2; num > 0; num--) {
- EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_DigestInit_ex(&md_ctx, (num == 2)
- ? s->ctx->md5 : s->ctx->sha1, NULL);
- EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(&md_ctx, PACKET_data(¶ms),
- PACKET_remaining(¶ms));
- EVP_DigestFinal_ex(&md_ctx, q, &size);
- q += size;
- j += size;
- }
- verify_ret =
- RSA_verify(NID_md5_sha1, md_buf, j, PACKET_data(&signature),
- PACKET_remaining(&signature), pkey->pkey.rsa);
- if (verify_ret < 0) {
- al = SSL_AD_DECRYPT_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_RSA_DECRYPT);
- goto f_err;
- }
- if (verify_ret == 0) {
- /* bad signature */
- al = SSL_AD_DECRYPT_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
- goto f_err;
- }
- } else
-#endif
- {
- EVP_VerifyInit_ex(&md_ctx, md, NULL);
- EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_VerifyUpdate(&md_ctx, PACKET_data(¶ms),
- PACKET_remaining(¶ms));
- if (EVP_VerifyFinal(&md_ctx, PACKET_data(&signature),
- PACKET_remaining(&signature), pkey) <= 0) {
- /* bad signature */
- al = SSL_AD_DECRYPT_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
- goto f_err;
- }
+ if (EVP_VerifyInit_ex(&md_ctx, md, NULL) <= 0
+ || EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_VerifyUpdate(&md_ctx, PACKET_data(¶ms),
+ PACKET_remaining(¶ms)) <= 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
+ goto f_err;
+ }
+ if (EVP_VerifyFinal(&md_ctx, PACKET_data(&signature),
+ PACKET_remaining(&signature), pkey) <= 0) {
+ /* bad signature */
+ al = SSL_AD_DECRYPT_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
+ goto f_err;
}
} else {
/* aNULL, aSRP or PSK do not need public keys */
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
goto err;
}
+ } else {
+ ssl_set_default_md(s);
}
/* get the CA RDNs */
s->session->tlsext_ticklen = 0;
s->session->tlsext_tick = OPENSSL_malloc(ticklen);
- if (!s->session->tlsext_tick) {
+ if (s->session->tlsext_tick == NULL) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
goto err;
}
}
OPENSSL_free(s->tlsext_ocsp_resp);
s->tlsext_ocsp_resp = OPENSSL_malloc(resplen);
- if (!s->tlsext_ocsp_resp) {
+ if (s->tlsext_ocsp_resp == NULL) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, ERR_R_MALLOC_FAILURE);
goto f_err;
RSA *rsa;
pmslen = SSL_MAX_MASTER_KEY_LENGTH;
pms = OPENSSL_malloc(pmslen);
- if (!pms)
+ if (pms == NULL)
goto memerr;
if (s->session->peer == NULL) {
pmslen = DH_size(dh_clnt);
pms = OPENSSL_malloc(pmslen);
- if (!pms)
+ if (pms == NULL)
goto memerr;
/*
}
pmslen = (field_size + 7) / 8;
pms = OPENSSL_malloc(pmslen);
- if (!pms)
+ if (pms == NULL)
goto memerr;
n = ECDH_compute_key(pms, pmslen, srvr_ecpoint, clnt_ecdh, NULL);
if (n <= 0 || pmslen != (size_t)n) {
unsigned char shared_ukm[32], tmp[256];
EVP_MD_CTX *ukm_hash;
EVP_PKEY *pub_key;
+ int dgst_nid = NID_id_GostR3411_94;
+ if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
+ dgst_nid = NID_id_GostR3411_2012_256;
+
pmslen = 32;
pms = OPENSSL_malloc(pmslen);
- if (!pms)
+ if (pms == NULL)
goto memerr;
/*
pkey_ctx = EVP_PKEY_CTX_new(pub_key =
X509_get_pubkey(peer_cert), NULL);
+ if (pkey_ctx == NULL) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
+ ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
/*
* If we have send a certificate, and certificate key
- *
- * * parameters match those of server certificate, use
+ * parameters match those of server certificate, use
* certificate key for key exchange
*/
/* Otherwise, generate ephemeral key pair */
- EVP_PKEY_encrypt_init(pkey_ctx);
- /* Generate session key */
- if (RAND_bytes(pms, pmslen) <= 0) {
+ if (pkey_ctx == NULL
+ || EVP_PKEY_encrypt_init(pkey_ctx) <= 0
+ /* Generate session key */
+ || RAND_bytes(pms, pmslen) <= 0) {
EVP_PKEY_CTX_free(pkey_ctx);
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
* data
*/
ukm_hash = EVP_MD_CTX_create();
- EVP_DigestInit(ukm_hash,
- EVP_get_digestbynid(NID_id_GostR3411_94));
- EVP_DigestUpdate(ukm_hash, s->s3->client_random,
- SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(ukm_hash, s->s3->server_random,
- SSL3_RANDOM_SIZE);
- EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
+ if (EVP_DigestInit(ukm_hash,
+ EVP_get_digestbynid(dgst_nid)) <= 0
+ || EVP_DigestUpdate(ukm_hash, s->s3->client_random,
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestUpdate(ukm_hash, s->s3->server_random,
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
+ EVP_MD_CTX_destroy(ukm_hash);
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
EVP_MD_CTX_destroy(ukm_hash);
if (EVP_PKEY_CTX_ctrl
(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV, 8,
*/
*(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
msglen = 255;
- if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) < 0) {
+ if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
SSL_R_LIBRARY_BUG);
goto err;
* Add new shared key for SCTP-Auth, will be ignored if no SCTP
* used.
*/
- snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
- DTLS1_SCTP_AUTH_LABEL);
+ memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
+ sizeof(DTLS1_SCTP_AUTH_LABEL));
if (SSL_export_keying_material(s, sctpauthkey,
sizeof(sctpauthkey), labelbuffer,
int tls_construct_client_verify(SSL *s)
{
unsigned char *p;
- unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
EVP_PKEY *pkey;
- EVP_PKEY_CTX *pctx = NULL;
+ const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
EVP_MD_CTX mctx;
unsigned u = 0;
unsigned long n;
- int j;
+ long hdatalen = 0;
+ void *hdata;
EVP_MD_CTX_init(&mctx);
p = ssl_handshake_start(s);
pkey = s->cert->key->privatekey;
-/* Create context from key and test if sha1 is allowed as digest */
- pctx = EVP_PKEY_CTX_new(pkey, NULL);
- EVP_PKEY_sign_init(pctx);
- if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
- if (!SSL_USE_SIGALGS(s))
- s->method->ssl3_enc->cert_verify_mac(s,
- NID_sha1,
- &(data
- [MD5_DIGEST_LENGTH]));
- } else {
- ERR_clear_error();
+
+ hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
+ if (hdatalen <= 0) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
+ goto err;
}
- /*
- * For TLS v1.2 send signature algorithm and signature using agreed
- * digest and cached handshake records.
- */
if (SSL_USE_SIGALGS(s)) {
- long hdatalen = 0;
- void *hdata;
- const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
- hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
- if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) {
+ if (!tls12_get_sigandhash(p, pkey, md)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
p += 2;
+ }
#ifdef SSL_DEBUG
- fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
- EVP_MD_name(md));
-#endif
- if (!EVP_SignInit_ex(&mctx, md, NULL)
- || !EVP_SignUpdate(&mctx, hdata, hdatalen)
- || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB);
- goto err;
- }
- s2n(u, p);
- n = u + 4;
- /* Digest cached records and discard handshake buffer */
- if (!ssl3_digest_cached_records(s, 0))
- goto err;
- } else
-#ifndef OPENSSL_NO_RSA
- if (pkey->type == EVP_PKEY_RSA) {
- s->method->ssl3_enc->cert_verify_mac(s, NID_md5, &(data[0]));
- if (RSA_sign(NID_md5_sha1, data,
- MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
- &(p[2]), &u, pkey->pkey.rsa) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_RSA_LIB);
- goto err;
- }
- s2n(u, p);
- n = u + 2;
- } else
-#endif
-#ifndef OPENSSL_NO_DSA
- if (pkey->type == EVP_PKEY_DSA) {
- if (!DSA_sign(pkey->save_type,
- &(data[MD5_DIGEST_LENGTH]),
- SHA_DIGEST_LENGTH, &(p[2]),
- (unsigned int *)&j, pkey->pkey.dsa)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_DSA_LIB);
- goto err;
- }
- s2n(j, p);
- n = j + 2;
- } else
-#endif
-#ifndef OPENSSL_NO_EC
- if (pkey->type == EVP_PKEY_EC) {
- if (!ECDSA_sign(pkey->save_type,
- &(data[MD5_DIGEST_LENGTH]),
- SHA_DIGEST_LENGTH, &(p[2]),
- (unsigned int *)&j, pkey->pkey.ec)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_ECDSA_LIB);
- goto err;
- }
- s2n(j, p);
- n = j + 2;
- } else
-#endif
- if (pkey->type == NID_id_GostR3410_2001) {
- unsigned char signbuf[64];
- int i;
- size_t sigsize = 64;
- s->method->ssl3_enc->cert_verify_mac(s,
- NID_id_GostR3411_94, data);
- if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- for (i = 63, j = 0; i >= 0; j++, i--) {
- p[2 + j] = signbuf[i];
- }
- s2n(j, p);
- n = j + 2;
- } else {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
+ fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md));
+#endif
+ if (!EVP_SignInit_ex(&mctx, md, NULL)
+ || !EVP_SignUpdate(&mctx, hdata, hdatalen)
+ || (s->version == SSL3_VERSION
+ && !EVP_MD_CTX_ctrl(&mctx, EVP_CTRL_SSL3_MASTER_SECRET,
+ s->session->master_key_length,
+ s->session->master_key))
+ || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB);
goto err;
}
+ if (pkey->type == NID_id_GostR3410_2001
+ || pkey->type == NID_id_GostR3410_2012_256
+ || pkey->type == NID_id_GostR3410_2012_512) {
+ unsigned int i, k;
+ for (i = u - 1, k = 0; k < u/2; k++, i--) {
+ char c = p[2 + k];
+ p[2 + k] = p[2 + i];
+ p[2 + i] = c;
+ }
+ }
+
+ s2n(u, p);
+ n = u + 2;
+ if (SSL_USE_SIGALGS(s))
+ n += 2;
+ /* Digest cached records and discard handshake buffer */
+ if (!ssl3_digest_cached_records(s, 0))
+ goto err;
if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
EVP_MD_CTX_cleanup(&mctx);
- EVP_PKEY_CTX_free(pctx);
return 1;
err:
EVP_MD_CTX_cleanup(&mctx);
- EVP_PKEY_CTX_free(pctx);
return 0;
}