diff options
| author |   jsing <jsing@openbsd.org> | 2020-06-05 17:53:26 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2020-06-05 17:53:26 +0000 |
| commit | c2a7ee207bba151810ec11f3f8ecfd436c0b4e80 (patch) | |
| tree | 07d96ef2748a3fa0c382103f699c520320d7b128 /lib/libssl/ssl_clnt.c | |
| parent | Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5. (diff) | |
| download | wireguard-openbsd-c2a7ee207bba151810ec11f3f8ecfd436c0b4e80.tar.xz wireguard-openbsd-c2a7ee207bba151810ec11f3f8ecfd436c0b4e80.zip | |
Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.
GOST cipher suites requires that CertVerify signatures be generated in a
special way (see ssl3_send_client_kex_gost(), ssl3_get_cert_verify()).
However, the GOST_SIG_FORMAT_RS_LE flag was not passed in case of TLS 1.2
connections (because they use different code path). Set this flag on
GOST PKEYs.
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux
ok inoguchi@ tb@
Diffstat (limited to 'lib/libssl/ssl_clnt.c')
| -rw-r--r-- | lib/libssl/ssl_clnt.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 4d003466c48..0a1b6ea2410 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.68 2020/05/31 16:36:35 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.69 2020/06/05 17:53:26 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2341,6 +2341,12 @@ ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify) SSLerror(s, ERR_R_EVP_LIB); goto err; } + if (sigalg->key_type == EVP_PKEY_GOSTR01 && + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, + EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) || !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) { |