From caf2b6b54f04e89585184ba7bb4cb80b818d5ede Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 23 May 2017 12:56:51 +0100 Subject: [PATCH] Don't use one shot API for SSLv3. SSLv3 (specifically with client auth) cannot use one shot APIs: the digested data and the master secret are handled in separate update operations. So in the special case of SSLv3 use the streaming API. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/3527) --- ssl/statem/statem_lib.c | 55 ++++++++++++++++++++++++----------------- 1 file changed, 32 insertions(+), 23 deletions(-) diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index fbf5a3cc69..c2b14853c2 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -264,16 +264,18 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; } - } else if (s->version == SSL3_VERSION) { - if (!EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key)) { + } + if (s->version == SSL3_VERSION) { + if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0 + || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, + (int)s->session->master_key_length, + s->session->master_key) + || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; } - } - - if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { + } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; } @@ -436,23 +438,30 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); goto f_err; } - } else if (s->version == SSL3_VERSION - && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - goto f_err; } - - j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen); - - if (j < 0) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - goto f_err; - } else if (j == 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); - goto f_err; + if (s->version == SSL3_VERSION) { + if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0 + || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, + (int)s->session->master_key_length, + s->session->master_key)) { + SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); + goto f_err; + } + if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { + al = SSL_AD_DECRYPT_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); + goto f_err; + } + } else { + j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen); + if (j < 0) { + SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); + goto f_err; + } else if (j == 0) { + al = SSL_AD_DECRYPT_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); + goto f_err; + } } ret = MSG_PROCESS_CONTINUE_READING; -- 2.25.1