X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Ft1_lib.c;h=b3166d6254415aa9e0a8dec6c53c33a1539aa3ee;hb=d47c01a31a67ff4370b1883a58cabd0279752bb4;hp=dcfecf4f5b79b077215bfd268d286bc5fc210c7f;hpb=0f229cce65c1e7a04ed114c04327d75169b6dac3;p=oweals%2Fopenssl.git diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index dcfecf4f5b..b3166d6254 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -241,6 +241,12 @@ static const unsigned char eccurves_default[] = 0,17, /* secp160r2 (17) */ }; +static const unsigned char suiteb_curves[] = + { + 0, TLSEXT_curve_P_256, + 0, TLSEXT_curve_P_384 + }; + int tls1_ec_curve_id2nid(int curve_id) { /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ @@ -320,22 +326,74 @@ static void tls1_get_curvelist(SSL *s, int sess, { *pcurves = s->session->tlsext_ellipticcurvelist; *pcurveslen = s->session->tlsext_ellipticcurvelist_length; + return; } - else + /* For Suite B mode only include P-256, P-384 */ + switch (tls1_suiteb(s)) { + case SSL_CERT_FLAG_SUITEB_128_LOS: + *pcurves = suiteb_curves; + *pcurveslen = sizeof(suiteb_curves); + break; + + case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: + *pcurves = suiteb_curves; + *pcurveslen = 2; + break; + + case SSL_CERT_FLAG_SUITEB_192_LOS: + *pcurves = suiteb_curves + 2; + *pcurveslen = 2; + break; + default: *pcurves = s->tlsext_ellipticcurvelist; *pcurveslen = s->tlsext_ellipticcurvelist_length; } - /* If not set use default: for now static structure */ if (!*pcurves) { *pcurves = eccurves_default; *pcurveslen = sizeof(eccurves_default); } } +/* Check a curve is one of our preferences */ +int tls1_check_curve(SSL *s, const unsigned char *p, size_t len) + { + const unsigned char *curves; + size_t curveslen, i; + unsigned int suiteb_flags = tls1_suiteb(s); + if (len != 3 || p[0] != NAMED_CURVE_TYPE) + return 0; + /* Check curve matches Suite B preferences */ + if (suiteb_flags) + { + unsigned long cid = s->s3->tmp.new_cipher->id; + if (p[1]) + return 0; + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) + { + if (p[2] != TLSEXT_curve_P_256) + return 0; + } + else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) + { + if (p[2] != TLSEXT_curve_P_384) + return 0; + } + else /* Should never happen */ + return 0; + } + tls1_get_curvelist(s, 0, &curves, &curveslen); + for (i = 0; i < curveslen; i += 2, curves += 2) + { + if (p[1] == curves[0] && p[2] == curves[1]) + return 1; + } + return 0; + } /* Return nth shared curve. If nmatch == -1 return number of - * matches. + * matches. For nmatch == -2 return the NID of the curve to use for + * an EC tmp key. */ int tls1_shared_curve(SSL *s, int nmatch) @@ -346,6 +404,25 @@ int tls1_shared_curve(SSL *s, int nmatch) /* Can't do anything on client side */ if (s->server == 0) return -1; + if (nmatch == -2) + { + if (tls1_suiteb(s)) + { + /* For Suite B ciphersuite determines curve: we + * already know these are acceptable due to previous + * checks. + */ + unsigned long cid = s->s3->tmp.new_cipher->id; + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) + return NID_X9_62_prime256v1; /* P-256 */ + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) + return NID_secp384r1; /* P-384 */ + /* Should never happen */ + return NID_undef; + } + /* If not Suite B just return first preference shared curve */ + nmatch = 0; + } tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &supp, &supplen); tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), @@ -525,6 +602,8 @@ static int tls1_check_ec_key(SSL *s, if (i == plen) return 0; } + if (!curve_id) + return 1; /* Check curve is consistent with client and server preferences */ for (j = 0; j <= 1; j++) { @@ -536,32 +615,115 @@ static int tls1_check_ec_key(SSL *s, } if (i == plen) return 0; + /* For clients can only check sent curve list */ + if (!s->server) + return 1; } return 1; } -/* Check EC server key is compatible with client extensions */ -int tls1_check_ec_server_key(SSL *s) + +/* Check cert parameters compatible with extensions: currently just checks + * EC certificates have compatible curves and compression. + */ +static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) { - int rv; - CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; - EVP_PKEY *pkey; unsigned char comp_id, curve_id[2]; - if (!cpk->x509 || !cpk->privatekey) - return 0; - pkey = X509_get_pubkey(cpk->x509); + EVP_PKEY *pkey; + int rv; + pkey = X509_get_pubkey(x); if (!pkey) return 0; + /* If not EC nothing to do */ + if (pkey->type != EVP_PKEY_EC) + { + EVP_PKEY_free(pkey); + return 1; + } rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec); EVP_PKEY_free(pkey); if (!rv) return 0; - return tls1_check_ec_key(s, curve_id, &comp_id); + /* Can't check curve_id for client certs as we don't have a + * supported curves extension. + */ + rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id); + if (!rv) + return 0; + /* Special case for suite B. We *MUST* sign using SHA256+P-256 or + * SHA384+P-384, adjust digest if necessary. + */ + if (set_ee_md && tls1_suiteb(s)) + { + int check_md; + size_t i; + CERT *c = s->cert; + if (curve_id[0]) + return 0; + /* Check to see we have necessary signing algorithm */ + if (curve_id[1] == TLSEXT_curve_P_256) + check_md = NID_ecdsa_with_SHA256; + else if (curve_id[1] == TLSEXT_curve_P_384) + check_md = NID_ecdsa_with_SHA384; + else + return 0; /* Should never happen */ + for (i = 0; i < c->shared_sigalgslen; i++) + if (check_md == c->shared_sigalgs[i].signandhash_nid) + break; + if (i == c->shared_sigalgslen) + return 0; + if (set_ee_md == 2) + { + if (check_md == NID_ecdsa_with_SHA256) + c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256(); + else + c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384(); + } + } + return rv; } /* Check EC temporary key is compatible with client extensions */ -int tls1_check_ec_tmp_key(SSL *s) +int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) { unsigned char curve_id[2]; EC_KEY *ec = s->cert->ecdh_tmp; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + /* Allow any curve: not just those peer supports */ + if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTCOL) + return 1; +#endif + /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, + * no other curves permitted. + */ + if (tls1_suiteb(s)) + { + /* Curve to check determined by ciphersuite */ + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) + curve_id[1] = TLSEXT_curve_P_256; + else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) + curve_id[1] = TLSEXT_curve_P_384; + else + return 0; + curve_id[0] = 0; + /* Check this curve is acceptable */ + if (!tls1_check_ec_key(s, curve_id, NULL)) + return 0; + /* If auto or setting curve from callback assume OK */ + if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb) + return 1; + /* Otherwise check curve is acceptable */ + else + { + unsigned char curve_tmp[2]; + if (!ec) + return 0; + if (!tls1_set_ec_id(curve_tmp, NULL, ec)) + return 0; + if (!curve_tmp[0] || curve_tmp[1] == curve_id[1]) + return 1; + return 0; + } + + } if (s->cert->ecdh_tmp_auto) { /* Need a shared curve */ @@ -577,8 +739,13 @@ int tls1_check_ec_tmp_key(SSL *s) return 0; } if (!tls1_set_ec_id(curve_id, NULL, ec)) - return 1; + return 0; +/* Set this to allow use of invalid curves for testing */ +#if 0 + return 1; +#else return tls1_check_ec_key(s, curve_id, NULL); +#endif } #endif /* OPENSSL_NO_EC */ @@ -629,37 +796,213 @@ static unsigned char tls12_sigalgs[] = { #endif }; -size_t tls12_get_sig_algs(SSL *s, unsigned char *p) +static unsigned char suiteb_sigalgs[] = { + tlsext_sigalg_ecdsa(TLSEXT_hash_sha256) + tlsext_sigalg_ecdsa(TLSEXT_hash_sha384) +}; + +size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs) { - TLS_SIGALGS *sptr = s->cert->conf_sigalgs; - size_t slen; + /* If Suite B mode use Suite B sigalgs only, ignore any other + * preferences. + */ + switch (tls1_suiteb(s)) + { + case SSL_CERT_FLAG_SUITEB_128_LOS: + *psigs = suiteb_sigalgs; + return sizeof(suiteb_sigalgs); - /* Use custom signature algorithms if any are set */ + case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: + *psigs = suiteb_sigalgs; + return 2; - if (sptr) + case SSL_CERT_FLAG_SUITEB_192_LOS: + *psigs = suiteb_sigalgs + 2; + return 2; + } + + /* If server use client authentication sigalgs if not NULL */ + if (s->server && s->cert->client_sigalgs) + { + *psigs = s->cert->client_sigalgs; + return s->cert->client_sigalgslen; + } + else if (s->cert->conf_sigalgs) + { + *psigs = s->cert->conf_sigalgs; + return s->cert->conf_sigalgslen; + } + else + { + *psigs = tls12_sigalgs; +#ifdef OPENSSL_FIPS + /* If FIPS mode don't include MD5 which is last */ + if (FIPS_mode()) + return sizeof(tls12_sigalgs) - 2; + else +#endif + return sizeof(tls12_sigalgs); + } + } +/* Check signature algorithm is consistent with sent supported signature + * algorithms and if so return relevant digest. + */ +int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, + const unsigned char *sig, EVP_PKEY *pkey) + { + const unsigned char *sent_sigs; + size_t sent_sigslen, i; + int sigalg = tls12_get_sigid(pkey); + /* Should never happen */ + if (sigalg == -1) + return -1; + /* Check key type is consistent with signature */ + if (sigalg != (int)sig[1]) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } + if (pkey->type == EVP_PKEY_EC) { - slen = s->cert->conf_sigalgslen; - if (p) + unsigned char curve_id[2], comp_id; + /* Check compression and curve matches extensions */ + if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec)) + return 0; + if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) { - size_t i; - for (i = 0; i < slen; i++, sptr++) + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE); + return 0; + } + /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */ + if (tls1_suiteb(s)) + { + if (curve_id[0]) + return 0; + if (curve_id[1] == TLSEXT_curve_P_256) { - *p++ = sptr->rhash; - *p++ = sptr->rsign; + if (sig[0] != TLSEXT_hash_sha256) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_ILLEGAL_SUITEB_DIGEST); + return 0; + } } + else if (curve_id[1] == TLSEXT_curve_P_384) + { + if (sig[0] != TLSEXT_hash_sha384) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_ILLEGAL_SUITEB_DIGEST); + return 0; + } + } + else + return 0; } - return slen * 2; } - - slen = sizeof(tls12_sigalgs); -#ifdef OPENSSL_FIPS - /* If FIPS mode don't include MD5 which is last */ - if (FIPS_mode()) - slen -= 2; + else if (tls1_suiteb(s)) + return 0; + + /* Check signature matches a type we sent */ + sent_sigslen = tls12_get_psigalgs(s, &sent_sigs); + for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2) + { + if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1]) + break; + } + /* Allow fallback to SHA1 if not strict mode */ + if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } + *pmd = tls12_get_hash(sig[0]); + if (*pmd == NULL) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST); + return 0; + } + return 1; + } +/* Get a mask of disabled algorithms: an algorithm is disabled + * if it isn't supported or doesn't appear in supported signature + * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific + * session and not global settings. + * + */ +void ssl_set_client_disabled(SSL *s) + { + CERT *c = s->cert; + const unsigned char *sigalgs; + size_t i, sigalgslen; + int have_rsa = 0, have_dsa = 0, have_ecdsa = 0; + c->mask_a = 0; + c->mask_k = 0; + /* If less than TLS 1.2 don't allow TLS 1.2 only ciphers */ + if (TLS1_get_version(s) < TLS1_2_VERSION) + c->mask_ssl = SSL_TLSV1_2; + else + c->mask_ssl = 0; + /* Now go through all signature algorithms seeing if we support + * any for RSA, DSA, ECDSA. Do this for all versions not just + * TLS 1.2. + */ + sigalgslen = tls12_get_psigalgs(s, &sigalgs); + for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) + { + switch(sigalgs[1]) + { +#ifndef OPENSSL_NO_RSA + case TLSEXT_signature_rsa: + have_rsa = 1; + break; +#endif +#ifndef OPENSSL_NO_DSA + case TLSEXT_signature_dsa: + have_dsa = 1; + break; +#endif +#ifndef OPENSSL_NO_ECDSA + case TLSEXT_signature_ecdsa: + have_ecdsa = 1; + break; +#endif + } + } + /* Disable auth and static DH if we don't include any appropriate + * signature algorithms. + */ + if (!have_rsa) + { + c->mask_a |= SSL_aRSA; + c->mask_k |= SSL_kDHr|SSL_kECDHr; + } + if (!have_dsa) + { + c->mask_a |= SSL_aDSS; + c->mask_k |= SSL_kDHd; + } + if (!have_ecdsa) + { + c->mask_a |= SSL_aECDSA; + c->mask_k |= SSL_kECDHe; + } +#ifndef OPENSSL_NO_KRB5 + if (!kssl_tgt_is_available(s->kssl_ctx)) + { + c->mask_a |= SSL_aKRB5; + c->mask_k |= SSL_kKRB5; + } #endif - if (p) - memcpy(p, tls12_sigalgs, slen); - return slen; +#ifndef OPENSSL_NO_PSK + /* with PSK there must be client callback set */ + if (!s->psk_client_callback) + { + c->mask_a |= SSL_aPSK; + c->mask_k |= SSL_kPSK; + } +#endif /* OPENSSL_NO_PSK */ + c->valid = 1; } /* byte_compare is a compare function for qsort(3) that compares bytes. */ @@ -895,13 +1238,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { size_t salglen; - salglen = tls12_get_sig_algs(s, NULL); + const unsigned char *salg; + salglen = tls12_get_psigalgs(s, &salg); if ((size_t)(limit - ret) < salglen + 6) return NULL; s2n(TLSEXT_TYPE_signature_algorithms,ret); s2n(salglen + 2, ret); s2n(salglen, ret); - tls12_get_sig_algs(s, ret); + memcpy(ret, salg, salglen); ret += salglen; } @@ -1312,7 +1656,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char unsigned short len; unsigned char *data = *p; int renegotiate_seen = 0; - int sigalg_seen = 0; + size_t i; s->servername_done = 0; s->tlsext_status_type = -1; @@ -1324,6 +1668,24 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); #endif + /* Clear any signature algorithms extension received */ + if (s->cert->peer_sigalgs) + { + OPENSSL_free(s->cert->peer_sigalgs); + s->cert->peer_sigalgs = NULL; + } + /* Clear any shared sigtnature algorithms */ + if (s->cert->shared_sigalgs) + { + OPENSSL_free(s->cert->shared_sigalgs); + s->cert->shared_sigalgs = NULL; + } + /* Clear certificate digests and validity flags */ + for (i = 0; i < SSL_PKEY_NUM; i++) + { + s->cert->pkeys[i].digest = NULL; + s->cert->pkeys[i].valid_flags = 0; + } if (data >= (d+n-2)) goto ri_check; @@ -1599,15 +1961,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char else if (type == TLSEXT_TYPE_signature_algorithms) { int dsize; - if (sigalg_seen || size < 2) + if (s->cert->peer_sigalgs || size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; } - sigalg_seen = 1; n2s(data,dsize); size -= 2; - if (dsize != size || dsize & 1) + if (dsize != size || dsize & 1 || !dsize) { *al = SSL_AD_DECODE_ERROR; return 0; @@ -1617,6 +1978,16 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *al = SSL_AD_DECODE_ERROR; return 0; } + /* If sigalgs received and no shared algorithms fatal + * error. + */ + if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs) + { + SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, + SSL_R_NO_SHARED_SIGATURE_ALGORITHMS); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } } else if (type == TLSEXT_TYPE_status_request && s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) @@ -1802,7 +2173,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char * in the case of a session resumption. */ if (!s->hit) { - size_t i; if (s->s3->tlsext_authz_client_types != NULL) OPENSSL_free(s->s3->tlsext_authz_client_types); s->s3->tlsext_authz_client_types = @@ -1855,6 +2225,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); return 0; } + /* If no signature algorithms extension set default values */ + if (!s->cert->peer_sigalgs) + ssl_cert_set_default_md(s->cert); return 1; } @@ -2861,11 +3234,147 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg) } } +static int tls12_get_pkey_idx(unsigned char sig_alg) + { + switch(sig_alg) + { +#ifndef OPENSSL_NO_RSA + case TLSEXT_signature_rsa: + return SSL_PKEY_RSA_SIGN; +#endif +#ifndef OPENSSL_NO_DSA + case TLSEXT_signature_dsa: + return SSL_PKEY_DSA_SIGN; +#endif +#ifndef OPENSSL_NO_ECDSA + case TLSEXT_signature_ecdsa: + return SSL_PKEY_ECC; +#endif + } + return -1; + } + +/* Convert TLS 1.2 signature algorithm extension values into NIDs */ +static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, + int *psignhash_nid, const unsigned char *data) + { + int sign_nid = 0, hash_nid = 0; + if (!phash_nid && !psign_nid && !psignhash_nid) + return; + if (phash_nid || psignhash_nid) + { + hash_nid = tls12_find_nid(data[0], tls12_md, + sizeof(tls12_md)/sizeof(tls12_lookup)); + if (phash_nid) + *phash_nid = hash_nid; + } + if (psign_nid || psignhash_nid) + { + sign_nid = tls12_find_nid(data[1], tls12_sig, + sizeof(tls12_sig)/sizeof(tls12_lookup)); + if (psign_nid) + *psign_nid = sign_nid; + } + if (psignhash_nid) + { + if (sign_nid && hash_nid) + OBJ_find_sigid_by_algs(psignhash_nid, + hash_nid, sign_nid); + else + *psignhash_nid = NID_undef; + } + } +/* Given preference and allowed sigalgs set shared sigalgs */ +static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig, + const unsigned char *pref, size_t preflen, + const unsigned char *allow, size_t allowlen) + { + const unsigned char *ptmp, *atmp; + size_t i, j, nmatch = 0; + for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2) + { + /* Skip disabled hashes or signature algorithms */ + if (tls12_get_hash(ptmp[0]) == NULL) + continue; + if (tls12_get_pkey_idx(ptmp[1]) == -1) + continue; + for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2) + { + if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) + { + nmatch++; + if (shsig) + { + shsig->rhash = ptmp[0]; + shsig->rsign = ptmp[1]; + tls1_lookup_sigalg(&shsig->hash_nid, + &shsig->sign_nid, + &shsig->signandhash_nid, + ptmp); + shsig++; + } + break; + } + } + } + return nmatch; + } + +/* Set shared signature algorithms for SSL structures */ +static int tls1_set_shared_sigalgs(SSL *s) + { + const unsigned char *pref, *allow, *conf; + size_t preflen, allowlen, conflen; + size_t nmatch; + TLS_SIGALGS *salgs = NULL; + CERT *c = s->cert; + unsigned int is_suiteb = tls1_suiteb(s); + /* If client use client signature algorithms if not NULL */ + if (!s->server && c->client_sigalgs && !is_suiteb) + { + conf = c->client_sigalgs; + conflen = c->client_sigalgslen; + } + else if (c->conf_sigalgs && !is_suiteb) + { + conf = c->conf_sigalgs; + conflen = c->conf_sigalgslen; + } + else + conflen = tls12_get_psigalgs(s, &conf); + if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) + { + pref = conf; + preflen = conflen; + allow = c->peer_sigalgs; + allowlen = c->peer_sigalgslen; + } + else + { + allow = conf; + allowlen = conflen; + pref = c->peer_sigalgs; + preflen = c->peer_sigalgslen; + } + nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen); + if (!nmatch) + return 1; + salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); + if (!salgs) + return 0; + nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen); + c->shared_sigalgs = salgs; + c->shared_sigalgslen = nmatch; + return 1; + } + + /* Set preferred digest for each key type */ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) { - int i, idx; + int idx; + size_t i; const EVP_MD *md; CERT *c = s->cert; TLS_SIGALGS *sigptr; @@ -2876,112 +3385,126 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) if (!c) return 0; - c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; - c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; - c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; - c->pkeys[SSL_PKEY_ECC].digest = NULL; - - if (c->peer_sigalgs) - OPENSSL_free(c->peer_sigalgs); - c->peer_sigalgs = OPENSSL_malloc((dsize/2) * sizeof(TLS_SIGALGS)); + c->peer_sigalgs = OPENSSL_malloc(dsize); if (!c->peer_sigalgs) return 0; - c->peer_sigalgslen = dsize/2; + c->peer_sigalgslen = dsize; + memcpy(c->peer_sigalgs, data, dsize); - for (i = 0, sigptr = c->peer_sigalgs; i < dsize; i += 2, sigptr++) + tls1_set_shared_sigalgs(s); + +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTCOL) { - sigptr->rhash = data[i]; - sigptr->rsign = data[i + 1]; - sigptr->hash_nid = tls12_find_nid(sigptr->rhash, tls12_md, - sizeof(tls12_md)/sizeof(tls12_lookup)); - sigptr->sign_nid = tls12_find_nid(sigptr->rsign, tls12_sig, - sizeof(tls12_sig)/sizeof(tls12_lookup)); - if (!OBJ_find_sigid_by_algs(&sigptr->signandhash_nid, - sigptr->hash_nid, - sigptr->sign_nid)) - sigptr->signandhash_nid = NID_undef; - switch(sigptr->rsign) + /* Use first set signature preference to force message + * digest, ignoring any peer preferences. + */ + const unsigned char *sigs = NULL; + if (s->server) + sigs = c->conf_sigalgs; + else + sigs = c->client_sigalgs; + if (sigs) { -#ifndef OPENSSL_NO_RSA - case TLSEXT_signature_rsa: - idx = SSL_PKEY_RSA_SIGN; - break; -#endif -#ifndef OPENSSL_NO_DSA - case TLSEXT_signature_dsa: - idx = SSL_PKEY_DSA_SIGN; - break; -#endif -#ifndef OPENSSL_NO_ECDSA - case TLSEXT_signature_ecdsa: - idx = SSL_PKEY_ECC; - break; -#endif - default: - continue; + idx = tls12_get_pkey_idx(sigs[1]); + md = tls12_get_hash(sigs[0]); + c->pkeys[idx].digest = md; + c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; + if (idx == SSL_PKEY_RSA_SIGN) + { + c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN; + c->pkeys[SSL_PKEY_RSA_ENC].digest = md; + } } + } +#endif - if (c->pkeys[idx].digest == NULL) + for (i = 0, sigptr = c->shared_sigalgs; + i < c->shared_sigalgslen; i++, sigptr++) + { + idx = tls12_get_pkey_idx(sigptr->rsign); + if (idx > 0 && c->pkeys[idx].digest == NULL) { md = tls12_get_hash(sigptr->rhash); - if (md) + c->pkeys[idx].digest = md; + c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; + if (idx == SSL_PKEY_RSA_SIGN) { - c->pkeys[idx].digest = md; - if (idx == SSL_PKEY_RSA_SIGN) - c->pkeys[SSL_PKEY_RSA_ENC].digest = md; + c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN; + c->pkeys[SSL_PKEY_RSA_ENC].digest = md; } } } - - - /* Set any remaining keys to default values. NOTE: if alg is not - * supported it stays as NULL. + /* In strict mode leave unset digests as NULL to indicate we can't + * use the certificate for signing. */ + if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) + { + /* Set any remaining keys to default values. NOTE: if alg is + * not supported it stays as NULL. + */ #ifndef OPENSSL_NO_DSA - if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) - c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); + if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) + c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_RSA - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) - { - c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); - c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - } + if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) + { + c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); + c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); + } #endif #ifndef OPENSSL_NO_ECDSA - if (!c->pkeys[SSL_PKEY_ECC].digest) - c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); + if (!c->pkeys[SSL_PKEY_ECC].digest) + c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); #endif + } return 1; } -#endif int SSL_get_sigalgs(SSL *s, int idx, - int *psign, int *phash, int *psignandhash, + int *psign, int *phash, int *psignhash, unsigned char *rsig, unsigned char *rhash) { - if (s->cert->peer_sigalgs == NULL) + const unsigned char *psig = s->cert->peer_sigalgs; + if (psig == NULL) return 0; if (idx >= 0) { - TLS_SIGALGS *psig; + idx <<= 1; if (idx >= (int)s->cert->peer_sigalgslen) return 0; - psig = s->cert->peer_sigalgs + idx; - if (psign) - *psign = psig->sign_nid; - if (phash) - *phash = psig->hash_nid; - if (psignandhash) - *psignandhash = psig->signandhash_nid; - if (rsig) - *rsig = psig->rsign; + psig += idx; if (rhash) - *rhash = psig->rhash; + *rhash = psig[0]; + if (rsig) + *rsig = psig[1]; + tls1_lookup_sigalg(phash, psign, psignhash, psig); } - return s->cert->peer_sigalgslen; + return s->cert->peer_sigalgslen / 2; + } + +int SSL_get_shared_sigalgs(SSL *s, int idx, + int *psign, int *phash, int *psignhash, + unsigned char *rsig, unsigned char *rhash) + { + TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs; + if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen) + return 0; + shsigalgs += idx; + if (phash) + *phash = shsigalgs->hash_nid; + if (psign) + *psign = shsigalgs->sign_nid; + if (psignhash) + *psignhash = shsigalgs->signandhash_nid; + if (rsig) + *rsig = shsigalgs->rsign; + if (rhash) + *rhash = shsigalgs->rhash; + return s->cert->shared_sigalgslen; } @@ -3130,7 +3653,7 @@ tls1_heartbeat(SSL *s) } #endif -#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num *2) +#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2) typedef struct { @@ -3185,54 +3708,410 @@ static int sig_cb(const char *elem, int len, void *arg) /* Set suppored signature algorithms based on a colon separated list * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */ -int tls1_set_sigalgs_list(CERT *c, const char *str) +int tls1_set_sigalgs_list(CERT *c, const char *str, int client) { sig_cb_st sig; sig.sigalgcnt = 0; if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) return 0; - return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt); + return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); } -int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen) +int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) { - TLS_SIGALGS *sigalgs, *sptr; + unsigned char *sigalgs, *sptr; int rhash, rsign; size_t i; if (salglen & 1) return 0; - salglen /= 2; - sigalgs = OPENSSL_malloc(sizeof(TLS_SIGALGS) * salglen); + sigalgs = OPENSSL_malloc(salglen); if (sigalgs == NULL) return 0; - for (i = 0, sptr = sigalgs; i < salglen; i++, sptr++) + for (i = 0, sptr = sigalgs; i < salglen; i+=2) { - sptr->hash_nid = *salg++; - sptr->sign_nid = *salg++; - rhash = tls12_find_id(sptr->hash_nid, tls12_md, + rhash = tls12_find_id(*psig_nids++, tls12_md, sizeof(tls12_md)/sizeof(tls12_lookup)); - rsign = tls12_find_id(sptr->sign_nid, tls12_sig, + rsign = tls12_find_id(*psig_nids++, tls12_sig, sizeof(tls12_sig)/sizeof(tls12_lookup)); if (rhash == -1 || rsign == -1) goto err; - - if (!OBJ_find_sigid_by_algs(&sptr->signandhash_nid, - sptr->hash_nid, - sptr->sign_nid)) - sptr->signandhash_nid = NID_undef; - sptr->rhash = rhash; - sptr->rsign = rsign; + *sptr++ = rhash; + *sptr++ = rsign; } - if (c->conf_sigalgs) - OPENSSL_free(c->conf_sigalgs); + if (client) + { + if (c->client_sigalgs) + OPENSSL_free(c->client_sigalgs); + c->client_sigalgs = sigalgs; + c->client_sigalgslen = salglen; + } + else + { + if (c->conf_sigalgs) + OPENSSL_free(c->conf_sigalgs); + c->conf_sigalgs = sigalgs; + c->conf_sigalgslen = salglen; + } - c->conf_sigalgs = sigalgs; - c->conf_sigalgslen = salglen; return 1; err: OPENSSL_free(sigalgs); return 0; } + +static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid) + { + int sig_nid; + size_t i; + if (default_nid == -1) + return 1; + sig_nid = X509_get_signature_nid(x); + if (default_nid) + return sig_nid == default_nid ? 1 : 0; + for (i = 0; i < c->shared_sigalgslen; i++) + if (sig_nid == c->shared_sigalgs[i].signandhash_nid) + return 1; + return 0; + } +/* Check to see if a certificate issuer name matches list of CA names */ +static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) + { + X509_NAME *nm; + int i; + nm = X509_get_issuer_name(x); + for (i = 0; i < sk_X509_NAME_num(names); i++) + { + if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) + return 1; + } + return 0; + } + +/* Check certificate chain is consistent with TLS extensions and is + * usable by server. This servers two purposes: it allows users to + * check chains before passing them to the server and it allows the + * server to check chains before attempting to use them. + */ + +/* Flags which need to be set for a certificate when stict mode not set */ + +#define CERT_PKEY_VALID_FLAGS \ + (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) +/* Strict mode flags */ +#define CERT_PKEY_STRICT_FLAGS \ + (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ + | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) + +int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, + int idx) + { + int i; + int rv = 0; + int check_flags = 0, strict_mode; + CERT_PKEY *cpk = NULL; + CERT *c = s->cert; + unsigned int suiteb_flags = tls1_suiteb(s); + /* idx == -1 means checking server chains */ + if (idx != -1) + { + /* idx == -2 means checking client certificate chains */ + if (idx == -2) + { + cpk = c->key; + idx = cpk - c->pkeys; + } + else + cpk = c->pkeys + idx; + x = cpk->x509; + pk = cpk->privatekey; + chain = cpk->chain; + strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; + /* If no cert or key, forget it */ + if (!x || !pk) + goto end; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + /* Allow any certificate to pass test */ + if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTCOL) + { + rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN; + cpk->valid_flags = rv; + return rv; + } +#endif + } + else + { + if (!x || !pk) + goto end; + idx = ssl_cert_type(x, pk); + if (idx == -1) + goto end; + cpk = c->pkeys + idx; + if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) + check_flags = CERT_PKEY_STRICT_FLAGS; + else + check_flags = CERT_PKEY_VALID_FLAGS; + strict_mode = 1; + } + + if (suiteb_flags) + { + int ok; + if (check_flags) + check_flags |= CERT_PKEY_SUITEB; + ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); + if (ok != X509_V_OK) + { + if (check_flags) + rv |= CERT_PKEY_SUITEB; + else + goto end; + } + } + + /* Check all signature algorithms are consistent with + * signature algorithms extension if TLS 1.2 or later + * and strict mode. + */ + if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) + { + int default_nid; + unsigned char rsign = 0; + if (c->peer_sigalgs) + default_nid = 0; + /* If no sigalgs extension use defaults from RFC5246 */ + else + { + switch(idx) + { + case SSL_PKEY_RSA_ENC: + case SSL_PKEY_RSA_SIGN: + case SSL_PKEY_DH_RSA: + rsign = TLSEXT_signature_rsa; + default_nid = NID_sha1WithRSAEncryption; + break; + + case SSL_PKEY_DSA_SIGN: + case SSL_PKEY_DH_DSA: + rsign = TLSEXT_signature_dsa; + default_nid = NID_dsaWithSHA1; + break; + + case SSL_PKEY_ECC: + rsign = TLSEXT_signature_ecdsa; + default_nid = NID_ecdsa_with_SHA1; + break; + + default: + default_nid = -1; + break; + } + } + /* If peer sent no signature algorithms extension and we + * have set preferred signature algorithms check we support + * sha1. + */ + if (default_nid > 0 && c->conf_sigalgs) + { + size_t j; + const unsigned char *p = c->conf_sigalgs; + for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) + { + if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign) + break; + } + if (j == c->conf_sigalgslen) + { + if (check_flags) + goto skip_sigs; + else + goto end; + } + } + /* Check signature algorithm of each cert in chain */ + if (!tls1_check_sig_alg(c, x, default_nid)) + { + if (!check_flags) goto end; + } + else + rv |= CERT_PKEY_EE_SIGNATURE; + rv |= CERT_PKEY_CA_SIGNATURE; + for (i = 0; i < sk_X509_num(chain); i++) + { + if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), + default_nid)) + { + if (check_flags) + { + rv &= ~CERT_PKEY_CA_SIGNATURE; + break; + } + else + goto end; + } + } + } + /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ + else if(check_flags) + rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE; + skip_sigs: + /* Check cert parameters are consistent */ + if (tls1_check_cert_param(s, x, check_flags ? 1 : 2)) + rv |= CERT_PKEY_EE_PARAM; + else if (!check_flags) + goto end; + if (!s->server) + rv |= CERT_PKEY_CA_PARAM; + /* In strict mode check rest of chain too */ + else if (strict_mode) + { + rv |= CERT_PKEY_CA_PARAM; + for (i = 0; i < sk_X509_num(chain); i++) + { + X509 *ca = sk_X509_value(chain, i); + if (!tls1_check_cert_param(s, ca, 0)) + { + if (check_flags) + { + rv &= ~CERT_PKEY_CA_PARAM; + break; + } + else + goto end; + } + } + } + if (!s->server && strict_mode) + { + STACK_OF(X509_NAME) *ca_dn; + int check_type = 0; + switch (pk->type) + { + case EVP_PKEY_RSA: + check_type = TLS_CT_RSA_SIGN; + break; + case EVP_PKEY_DSA: + check_type = TLS_CT_DSS_SIGN; + break; + case EVP_PKEY_EC: + check_type = TLS_CT_ECDSA_SIGN; + break; + case EVP_PKEY_DH: + case EVP_PKEY_DHX: + { + int cert_type = X509_certificate_type(x, pk); + if (cert_type & EVP_PKS_RSA) + check_type = TLS_CT_RSA_FIXED_DH; + if (cert_type & EVP_PKS_DSA) + check_type = TLS_CT_DSS_FIXED_DH; + } + } + if (check_type) + { + const unsigned char *ctypes; + int ctypelen; + if (c->ctypes) + { + ctypes = c->ctypes; + ctypelen = (int)c->ctype_num; + } + else + { + ctypes = (unsigned char *)s->s3->tmp.ctype; + ctypelen = s->s3->tmp.ctype_num; + } + for (i = 0; i < ctypelen; i++) + { + if (ctypes[i] == check_type) + { + rv |= CERT_PKEY_CERT_TYPE; + break; + } + } + if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) + goto end; + } + else + rv |= CERT_PKEY_CERT_TYPE; + + + ca_dn = s->s3->tmp.ca_names; + + if (!sk_X509_NAME_num(ca_dn)) + rv |= CERT_PKEY_ISSUER_NAME; + + if (!(rv & CERT_PKEY_ISSUER_NAME)) + { + if (ssl_check_ca_name(ca_dn, x)) + rv |= CERT_PKEY_ISSUER_NAME; + } + if (!(rv & CERT_PKEY_ISSUER_NAME)) + { + for (i = 0; i < sk_X509_num(chain); i++) + { + X509 *xtmp = sk_X509_value(chain, i); + if (ssl_check_ca_name(ca_dn, xtmp)) + { + rv |= CERT_PKEY_ISSUER_NAME; + break; + } + } + } + if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) + goto end; + } + else + rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE; + + if (!check_flags || (rv & check_flags) == check_flags) + rv |= CERT_PKEY_VALID; + + end: + + if (TLS1_get_version(s) >= TLS1_2_VERSION) + { + if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN) + rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN; + else if (cpk->digest) + rv |= CERT_PKEY_SIGN; + } + else + rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN; + + /* When checking a CERT_PKEY structure all flags are irrelevant + * if the chain is invalid. + */ + if (!check_flags) + { + if (rv & CERT_PKEY_VALID) + cpk->valid_flags = rv; + else + { + /* Preserve explicit sign flag, clear rest */ + cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN; + return 0; + } + } + return rv; + } + +/* Set validity of certificates in an SSL structure */ +void tls1_set_cert_validity(SSL *s) + { + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); + } +/* User level utiity function to check a chain is suitable */ +int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) + { + return tls1_check_chain(s, x, pk, chain, -1); + } + +#endif