return 1;
}
+/*
+ * Size of the to-be-signed TLS13 data, without the hash size itself:
+ * 64 bytes of value 32, 33 context bytes, 1 byte separator
+ */
+#define TLS13_TBS_START_SIZE 64
+#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
+
+static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
+ void **hdata, size_t *hdatalen)
+{
+ static const char *servercontext = "TLS 1.3, server CertificateVerify";
+ static const char *clientcontext = "TLS 1.3, client CertificateVerify";
+
+ if (SSL_IS_TLS13(s)) {
+ size_t hashlen;
+
+ /* Set the first 64 bytes of to-be-signed data to octet 32 */
+ memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
+ /* This copies the 33 bytes of context plus the 0 separator byte */
+ if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
+ || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
+ strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
+ else
+ strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
+
+ /*
+ * If we're currently reading then we need to use the saved handshake
+ * hash value. We can't use the current handshake hash state because
+ * that includes the CertVerify itself.
+ */
+ if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
+ || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
+ memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
+ s->cert_verify_hash_len);
+ hashlen = s->cert_verify_hash_len;
+ } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
+ EVP_MAX_MD_SIZE, &hashlen)) {
+ return 0;
+ }
+
+ *hdata = tls13tbs;
+ *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
+ } else {
+ size_t retlen;
+
+ retlen = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
+ if (retlen <= 0)
+ return 0;
+ *hdatalen = retlen;
+ }
+
+ return 1;
+}
+
int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
{
EVP_PKEY *pkey;
- const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
+ const EVP_MD *md;
EVP_MD_CTX *mctx = NULL;
- unsigned u = 0;
- long hdatalen = 0;
+ EVP_PKEY_CTX *pctx = NULL;
+ size_t hdatalen = 0, siglen = 0;
void *hdata;
unsigned char *sig = NULL;
+ unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
+ int pktype, ispss = 0;
+
+ if (s->server) {
+ /* Only happens in TLSv1.3 */
+ /*
+ * TODO(TLS1.3): This needs to change. We should not get this from the
+ * cipher. However, for now, we have not done the work to separate the
+ * certificate type from the ciphersuite
+ */
+ pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md);
+ if (pkey == NULL)
+ goto err;
+ } else {
+ md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
+ pkey = s->cert->key->privatekey;
+ }
+ pktype = EVP_PKEY_id(pkey);
mctx = EVP_MD_CTX_new();
if (mctx == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
- pkey = s->cert->key->privatekey;
- hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
- if (hdatalen <= 0) {
+ /* Get the data to be signed */
+ if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
- if (SSL_USE_SIGALGS(s)&& !tls12_get_sigandhash(pkt, pkey, md)) {
+ if (SSL_USE_SIGALGS(s) && !tls12_get_sigandhash(s, pkt, pkey, md, &ispss)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
#ifdef SSL_DEBUG
fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md));
#endif
- sig = OPENSSL_malloc(EVP_PKEY_size(pkey));
+ siglen = EVP_PKEY_size(pkey);
+ sig = OPENSSL_malloc(siglen);
if (sig == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (!EVP_SignInit_ex(mctx, md, NULL)
- || !EVP_SignUpdate(mctx, hdata, hdatalen)
- || (s->version == SSL3_VERSION
- && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
- (int)s->session->master_key_length,
- s->session->master_key))
- || !EVP_SignFinal(mctx, sig, &u, pkey)) {
+
+ if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0
+ || EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB);
goto err;
}
+
+ if (ispss) {
+ if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
+ /* -1 here means set saltlen to the digest len */
+ || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB);
+ goto err;
+ }
+ } else if (s->version == SSL3_VERSION) {
+ if (!EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
+ (int)s->session->master_key_length,
+ s->session->master_key)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB);
+ goto err;
+ }
+ }
+
+ if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB);
+ goto err;
+ }
+
#ifndef OPENSSL_NO_GOST
{
- int pktype = EVP_PKEY_id(pkey);
if (pktype == NID_id_GostR3410_2001
|| pktype == NID_id_GostR3410_2012_256
|| pktype == NID_id_GostR3410_2012_512)
- BUF_reverse(sig, NULL, u);
+ BUF_reverse(sig, NULL, siglen);
}
#endif
- if (!WPACKET_sub_memcpy_u16(pkt, sig, u)) {
+ if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
{
EVP_PKEY *pkey = NULL;
- const unsigned char *sig, *data;
+ const unsigned char *data;
#ifndef OPENSSL_NO_GOST
unsigned char *gost_data = NULL;
#endif
- int al, ret = MSG_PROCESS_ERROR;
- int type = 0, j;
+ int al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
+ int type = 0, j, pktype, ispss = 0;
unsigned int len;
X509 *peer;
const EVP_MD *md = NULL;
- long hdatalen = 0;
+ size_t hdatalen = 0;
void *hdata;
-
+ unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+ EVP_PKEY_CTX *pctx = NULL;
if (mctx == NULL) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
- al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
peer = s->session->peer;
pkey = X509_get0_pubkey(peer);
+ pktype = EVP_PKEY_id(pkey);
type = X509_certificate_type(peer, pkey);
if (!(type & EVP_PKT_SIGN)) {
{
if (SSL_USE_SIGALGS(s)) {
int rv;
+ unsigned int sigalg;
- if (!PACKET_get_bytes(pkt, &sig, 2)) {
+ if (!PACKET_get_net_2(pkt, &sigalg)) {
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
- rv = tls12_check_peer_sigalg(&md, s, sig, pkey);
+ rv = tls12_check_peer_sigalg(&md, s, sigalg, pkey);
if (rv == -1) {
- al = SSL_AD_INTERNAL_ERROR;
goto f_err;
} else if (rv == 0) {
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
+ ispss = SIGID_IS_PSS(sigalg);
#ifdef SSL_DEBUG
fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
goto f_err;
}
- hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
- if (hdatalen <= 0) {
+ if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
- al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
#ifdef SSL_DEBUG
fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
#endif
- if (!EVP_VerifyInit_ex(mctx, md, NULL)
- || !EVP_VerifyUpdate(mctx, hdata, hdatalen)) {
+ if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0
+ || EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
- al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
#ifndef OPENSSL_NO_GOST
{
- int pktype = EVP_PKEY_id(pkey);
if (pktype == NID_id_GostR3410_2001
|| pktype == NID_id_GostR3410_2012_256
|| pktype == NID_id_GostR3410_2012_512) {
if ((gost_data = OPENSSL_malloc(len)) == NULL) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
- al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
BUF_reverse(gost_data, data, len);
}
#endif
- if (s->version == SSL3_VERSION
+ if (ispss) {
+ if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
+ /* -1 here means set saltlen to the digest len */
+ || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) {
+ SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
+ goto f_err;
+ }
+ } else if (s->version == SSL3_VERSION
&& !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
(int)s->session->master_key_length,
s->session->master_key)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
- al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
- if (EVP_VerifyFinal(mctx, data, len, pkey) <= 0) {
+ if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
al = SSL_AD_DECRYPT_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
goto f_err;
}
- ret = MSG_PROCESS_CONTINUE_PROCESSING;
+ if (SSL_IS_TLS13(s))
+ ret = MSG_PROCESS_CONTINUE_READING;
+ else
+ ret = MSG_PROCESS_CONTINUE_PROCESSING;
if (0) {
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);