Djam/libressl
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/libressl.git synced 2025-02-23 16:12:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
libressl/0013-Enable-GOST_SIG_FORMAT_RS_LE-when-verifying-certific.patch
Mikhail Novosyolov faac7d3eaa Add gost-new patches sponsored by ROSA Linux 
TODO: add tests
2020-08-05 12:58:06 +03:00

72 lines
2.5 KiB
Diff
Raw Blame History

From bea1abe78c72962af15bd0868e9dd2fcffd9ddf9 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 5 Jun 2020 17:53:26 +0000
Subject: [PATCH 13/87] Enable GOST_SIG_FORMAT_RS_LE when verifying certificate
signatures.
GOST cipher suites requires that CertVerify signatures be generated in a
special way (see ssl3_send_client_kex_gost(), ssl3_get_cert_verify()).
However, the GOST_SIG_FORMAT_RS_LE flag was not passed in case of TLS 1.2
connections (because they use different code path). Set this flag on
GOST PKEYs.
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux
ok inoguchi@ tb@
---
src/lib/libssl/ssl_clnt.c | 8 +++++++-
src/lib/libssl/ssl_srvr.c | 9 ++++++++-
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 4d003466c..0a1b6ea24 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.68 2020/05/31 16:36:35 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.69 2020/06/05 17:53:26 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2341,6 +2341,12 @@ ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify)
SSLerror(s, ERR_R_EVP_LIB);
goto err;
}
+ if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
+ EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
+ EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
+ SSLerror(s, ERR_R_EVP_LIB);
+ goto err;
+ }
if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
(!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index fac24f4d0..69e547cbe 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.77 2020/05/31 16:36:35 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.79 2020/06/05 17:53:26 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2187,6 +2187,13 @@ ssl3_get_cert_verify(SSL *s)
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
+ if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
+ EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
+ EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
+ NULL) <= 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
if (!EVP_DigestVerifyUpdate(&mctx, hdata, hdatalen)) {
SSLerror(s, ERR_R_EVP_LIB);
al = SSL_AD_INTERNAL_ERROR;
--
2.17.1
Reference in a new issue View git blame Copy permalink