Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
a0f63828
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
1 年多 前同步成功
通知
10
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
a0f63828
编写于
11月 24, 2015
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Use EVP_md5_sha1() to generate client verify
Reviewed-by:
N
Tim Hudson
<
tjh@openssl.org
>
上级
396d5fd0
变更
3
隐藏空白更改
内联
并排
Showing
3 changed file
with
39 addition
and
141 deletion
+39
-141
ssl/ssl_locl.h
ssl/ssl_locl.h
+1
-0
ssl/statem/statem_clnt.c
ssl/statem/statem_clnt.c
+37
-140
ssl/t1_lib.c
ssl/t1_lib.c
+1
-1
未找到文件。
ssl/ssl_locl.h
浏览文件 @
a0f63828
...
...
@@ -2069,6 +2069,7 @@ __owur unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
__owur
unsigned
char
*
ssl_add_serverhello_tlsext
(
SSL
*
s
,
unsigned
char
*
buf
,
unsigned
char
*
limit
,
int
*
al
);
__owur
int
ssl_parse_clienthello_tlsext
(
SSL
*
s
,
PACKET
*
pkt
);
void
ssl_set_default_md
(
SSL
*
s
);
__owur
int
tls1_set_server_sigalgs
(
SSL
*
s
);
__owur
int
ssl_check_clienthello_tlsext_late
(
SSL
*
s
);
__owur
int
ssl_parse_serverhello_tlsext
(
SSL
*
s
,
PACKET
*
pkt
);
...
...
ssl/statem/statem_clnt.c
浏览文件 @
a0f63828
...
...
@@ -1361,15 +1361,6 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
goto
f_err
;
}
s
->
s3
->
tmp
.
new_cipher
=
c
;
/*
* Don't digest cached records if no sigalgs: we may need them for client
* authentication.
*/
if
(
!
(
SSL_USE_SIGALGS
(
s
)
||
(
s
->
s3
->
tmp
.
new_cipher
->
algorithm_auth
&
(
SSL_aGOST12
|
SSL_aGOST01
)))
&&
!
ssl3_digest_cached_records
(
s
,
0
))
goto
f_err
;
/* lets get the compression algorithm */
/* COMPRESSION */
if
(
!
PACKET_get_1
(
pkt
,
&
compression
))
{
...
...
@@ -2075,6 +2066,8 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
SSLerr
(
SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
,
ERR_R_MALLOC_FAILURE
);
goto
err
;
}
}
else
{
ssl_set_default_md
(
s
);
}
/* get the CA RDNs */
...
...
@@ -2967,167 +2960,71 @@ int tls_client_key_exchange_post_work(SSL *s)
int
tls_construct_client_verify
(
SSL
*
s
)
{
unsigned
char
*
p
;
unsigned
char
data
[
EVP_MAX_MD_SIZE
];
/* GOST R 34.11-2012-256*/
EVP_PKEY
*
pkey
;
EVP_PKEY_CTX
*
pctx
=
NULL
;
const
EVP_MD
*
md
=
s
->
s3
->
tmp
.
md
[
s
->
cert
->
key
-
s
->
cert
->
pkeys
]
;
EVP_MD_CTX
mctx
;
unsigned
u
=
0
;
unsigned
long
n
;
int
j
;
long
hdatalen
=
0
;
void
*
hdata
;
EVP_MD_CTX_init
(
&
mctx
);
p
=
ssl_handshake_start
(
s
);
pkey
=
s
->
cert
->
key
->
privatekey
;
/* Create context from key and test if sha1 is allowed as digest */
pctx
=
EVP_PKEY_CTX_new
(
pkey
,
NULL
);
if
(
pctx
==
NULL
)
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_MALLOC_FAILURE
);
goto
err
;
}
if
(
EVP_PKEY_sign_init
(
pctx
)
<=
0
)
{
hdatalen
=
BIO_get_mem_data
(
s
->
s3
->
handshake_buffer
,
&
hdata
);
if
(
hdatalen
<=
0
)
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
if
(
EVP_PKEY_CTX_set_signature_md
(
pctx
,
EVP_sha1
())
>
0
)
{
if
(
!
SSL_USE_SIGALGS
(
s
))
s
->
method
->
ssl3_enc
->
cert_verify_mac
(
s
,
NID_sha1
,
&
(
data
[
MD5_DIGEST_LENGTH
]));
}
else
{
ERR_clear_error
();
}
/*
* For TLS v1.2 send signature algorithm and signature using agreed
* digest and cached handshake records.
*/
if
(
SSL_USE_SIGALGS
(
s
)
||
pkey
->
type
==
NID_id_GostR3410_2001
||
pkey
->
type
==
NID_id_GostR3410_2012_256
||
pkey
->
type
==
NID_id_GostR3410_2012_512
)
{
long
hdatalen
=
0
;
void
*
hdata
;
const
EVP_MD
*
md
=
s
->
s3
->
tmp
.
md
[
s
->
cert
->
key
-
s
->
cert
->
pkeys
];
hdatalen
=
BIO_get_mem_data
(
s
->
s3
->
handshake_buffer
,
&
hdata
);
if
(
!
SSL_USE_SIGALGS
(
s
))
{
int
dgst_nid
;
if
(
EVP_PKEY_get_default_digest_nid
(
pkey
,
&
dgst_nid
)
<=
0
||
(
md
=
EVP_get_digestbynid
(
dgst_nid
))
==
NULL
)
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
}
if
(
hdatalen
<=
0
||
!
tls12_get_sigandhash
(
p
,
pkey
,
md
))
{
if
(
SSL_USE_SIGALGS
(
s
))
{
if
(
!
tls12_get_sigandhash
(
p
,
pkey
,
md
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
if
(
SSL_USE_SIGALGS
(
s
)
)
{
p
+=
2
;
}
p
+=
2
;
}
#ifdef SSL_DEBUG
fprintf
(
stderr
,
"Using TLS 1.2 with client alg %s
\n
"
,
EVP_MD_name
(
md
));
#endif
if
(
!
EVP_SignInit_ex
(
&
mctx
,
md
,
NULL
)
||
!
EVP_SignUpdate
(
&
mctx
,
hdata
,
hdatalen
)
||
!
EVP_SignFinal
(
&
mctx
,
p
+
2
,
&
u
,
pkey
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_EVP_LIB
);
goto
err
;
}
if
(
pkey
->
type
==
NID_id_GostR3410_2001
||
pkey
->
type
==
NID_id_GostR3410_2012_256
||
pkey
->
type
==
NID_id_GostR3410_2012_512
)
{
unsigned
int
i
,
k
;
for
(
i
=
u
-
1
,
k
=
0
;
k
<
u
/
2
;
k
++
,
i
--
)
{
char
c
=
p
[
2
+
k
];
p
[
2
+
k
]
=
p
[
2
+
i
];
p
[
2
+
i
]
=
c
;
}
}
s2n
(
u
,
p
);
n
=
u
+
2
;
if
(
SSL_USE_SIGALGS
(
s
))
n
+=
2
;
/* Digest cached records and discard handshake buffer */
if
(
!
ssl3_digest_cached_records
(
s
,
0
))
goto
err
;
}
else
#ifndef OPENSSL_NO_RSA
if
(
pkey
->
type
==
EVP_PKEY_RSA
)
{
s
->
method
->
ssl3_enc
->
cert_verify_mac
(
s
,
NID_md5
,
&
(
data
[
0
]));
if
(
RSA_sign
(
NID_md5_sha1
,
data
,
MD5_DIGEST_LENGTH
+
SHA_DIGEST_LENGTH
,
&
(
p
[
2
]),
&
u
,
pkey
->
pkey
.
rsa
)
<=
0
)
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_RSA_LIB
);
goto
err
;
}
s2n
(
u
,
p
);
n
=
u
+
2
;
}
else
#endif
#ifndef OPENSSL_NO_DSA
if
(
pkey
->
type
==
EVP_PKEY_DSA
)
{
if
(
!
DSA_sign
(
pkey
->
save_type
,
&
(
data
[
MD5_DIGEST_LENGTH
]),
SHA_DIGEST_LENGTH
,
&
(
p
[
2
]),
(
unsigned
int
*
)
&
j
,
pkey
->
pkey
.
dsa
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_DSA_LIB
);
goto
err
;
}
s2n
(
j
,
p
);
n
=
j
+
2
;
}
else
#endif
#ifndef OPENSSL_NO_EC
if
(
pkey
->
type
==
EVP_PKEY_EC
)
{
if
(
!
ECDSA_sign
(
pkey
->
save_type
,
&
(
data
[
MD5_DIGEST_LENGTH
]),
SHA_DIGEST_LENGTH
,
&
(
p
[
2
]),
(
unsigned
int
*
)
&
j
,
pkey
->
pkey
.
ec
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_ECDSA_LIB
);
goto
err
;
}
s2n
(
j
,
p
);
n
=
j
+
2
;
}
else
#endif
fprintf
(
stderr
,
"Using client alg %s
\n
"
,
EVP_MD_name
(
md
));
#endif
if
(
!
EVP_SignInit_ex
(
&
mctx
,
md
,
NULL
)
||
!
EVP_SignUpdate
(
&
mctx
,
hdata
,
hdatalen
)
||
(
s
->
version
==
SSL3_VERSION
&&
!
EVP_MD_CTX_ctrl
(
&
mctx
,
EVP_CTRL_SSL3_MASTER_SECRET
,
s
->
session
->
master_key_length
,
s
->
session
->
master_key
))
||
!
EVP_SignFinal
(
&
mctx
,
p
+
2
,
&
u
,
pkey
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_EVP_LIB
);
goto
err
;
}
if
(
pkey
->
type
==
NID_id_GostR3410_2001
||
pkey
->
type
==
NID_id_GostR3410_2012_256
||
pkey
->
type
==
NID_id_GostR3410_2012_512
)
{
unsigned
char
signbuf
[
128
];
int
i
;
size_t
sigsize
=
(
pkey
->
type
==
NID_id_GostR3410_2012_512
)
?
128
:
64
;
int
dgst_nid
=
NID_undef
;
EVP_PKEY_get_default_digest_nid
(
pkey
,
&
dgst_nid
);
s
->
method
->
ssl3_enc
->
cert_verify_mac
(
s
,
dgst_nid
,
data
);
if
(
EVP_PKEY_sign
(
pctx
,
signbuf
,
&
sigsize
,
data
,
EVP_MD_size
(
EVP_get_digestbynid
(
dgst_nid
)))
<=
0
)
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
unsigned
int
i
,
k
;
for
(
i
=
u
-
1
,
k
=
0
;
k
<
u
/
2
;
k
++
,
i
--
)
{
char
c
=
p
[
2
+
k
];
p
[
2
+
k
]
=
p
[
2
+
i
];
p
[
2
+
i
]
=
c
;
}
for
(
i
=
sigsize
-
1
,
j
=
0
;
i
>=
0
;
j
++
,
i
--
)
{
p
[
2
+
j
]
=
signbuf
[
i
];
}
s2n
(
j
,
p
);
n
=
j
+
2
;
}
else
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
s2n
(
u
,
p
);
n
=
u
+
2
;
if
(
SSL_USE_SIGALGS
(
s
))
n
+=
2
;
/* Digest cached records and discard handshake buffer */
if
(
!
ssl3_digest_cached_records
(
s
,
0
))
goto
err
;
if
(
!
ssl_set_handshake_header
(
s
,
SSL3_MT_CERTIFICATE_VERIFY
,
n
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
EVP_MD_CTX_cleanup
(
&
mctx
);
EVP_PKEY_CTX_free
(
pctx
);
return
1
;
err:
EVP_MD_CTX_cleanup
(
&
mctx
);
EVP_PKEY_CTX_free
(
pctx
);
return
0
;
}
...
...
ssl/t1_lib.c
浏览文件 @
a0f63828
...
...
@@ -2705,7 +2705,7 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
}
}
/* Initialise digests to default values */
static
void
ssl_set_default_md
(
SSL
*
s
)
void
ssl_set_default_md
(
SSL
*
s
)
{
const
EVP_MD
**
pmd
=
s
->
s3
->
tmp
.
md
;
#ifndef OPENSSL_NO_DSA
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录