authorbeck <beck@openbsd.org>2018-11-11 02:22:34 +0000
committerbeck <beck@openbsd.org>2018-11-11 02:22:34 +0000
commit844b899067c6f42584de987519955eb3dad992b0 (patch)
treef9104d15f24621b09f8c087097c8b58b908ccf14 /lib/libssl/ssl_clnt.c
parentConvert signatures and verifcation to use the EVP_DigestXXX api (diff)
Add support for RSA PSS algorithims being used in sigalgs.
Lightly tested, but will need sanity checks and regress test changes before being added to any sigalgs list for real. ok jsing@ tb@
Diffstat (limited to 'lib/libssl/ssl_clnt.c')
-rw-r--r--lib/libssl/ssl_clnt.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 298e4b7ff89..9f8d999ff19 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.42 2018/11/11 02:03:23 beck Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.43 2018/11/11 02:22:34 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1556,6 +1556,11 @@ ssl3_get_server_key_exchange(SSL *s)
if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->client_random,
SSL3_RANDOM_SIZE))
goto err;
+ if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
+ (!EVP_PKEY_CTX_set_rsa_padding(pctx,
+ RSA_PKCS1_PSS_PADDING) ||
+ !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)))
+ goto err;
if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->server_random,
SSL3_RANDOM_SIZE))
goto err;
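Review bot: The two `!EVP_PKEY_CTX_set_rsa_*` tests on the added lines only catch a 0 return, but these setters wrap EVP_PKEY_CTX_ctrl(), which reports failure with a negative value as well — -2 for an unsupported command and, as far as I recall, -1 when the key in pctx is not an RSA key — so a PSS sigalg paired with a non-RSA key would fall through and the verify would continue with the key's default padding. Compare against the documented success value instead: `EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0`. The same applies to the block added in ssl3_send_client_verify in the hunk at +2432. Whether an earlier check outside this hunk already guarantees that pctx holds an RSA key when SIGALG_FLAG_RSA_PSS is set I cannot see from here; the enclosing function, including where pctx and sigalg are set up, lies outside the hunk.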
@@ -2427,6 +2432,14 @@ ssl3_send_client_verify(SSL *s)
SSLerror(s, ERR_R_EVP_LIB);
goto err;
}
+ if ((s->cert->key->sigalg->flags &
+ SIGALG_FLAG_RSA_PSS) &&
+ (!EVP_PKEY_CTX_set_rsa_padding(pctx,
+ RSA_PKCS1_PSS_PADDING) ||
+ !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
+ SSLerror(s, ERR_R_EVP_LIB);
+ goto err;
+ }
if (!EVP_DigestSignUpdate(&mctx, hdata, hdatalen)) {
SSLerror(s, ERR_R_EVP_LIB);
goto err;
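Review bot: The four-level chain `s->cert->key->sigalg->flags`, wrapped across two added lines, would read better hoisted into a local, mirroring the `sigalg` local the verify side in ssl3_get_server_key_exchange already uses, e.g. `if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&` with `sigalg` assigned once from `s->cert->key->sigalg` near the top of the function. The literal `-1` passed to EVP_PKEY_CTX_set_rsa_pss_saltlen() also deserves a comment, since it is a magic value: `/* -1: salt length equals the digest length, as TLS requires for PSS (RFC 8446 4.2.3) */`; the same comment belongs at the saltlen call in the ssl3_get_server_key_exchange hunk. This presumes sigalg has already been dereferenced or NULL-checked earlier in ssl3_send_client_verify, which starts outside the hunk.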