*pcurveslen = sizeof(eccurves_default);
}
}
+/* Check a curve is one of our preferences */
+int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
+ {
+ const unsigned char *curves;
+ size_t curveslen, i;
+ if (len != 3 || p[0] != NAMED_CURVE_TYPE)
+ return 0;
+ tls1_get_curvelist(s, 0, &curves, &curveslen);
+ for (i = 0; i < curveslen; i += 2, curves += 2)
+ {
+ if (p[1] == curves[0] && p[2] == curves[1])
+ return 1;
+ }
+ return 0;
+ }
/* Return nth shared curve. If nmatch == -1 return number of
* matches.
}
return 1;
}
-/* Check EC server key is compatible with client extensions */
-int tls1_check_ec_server_key(SSL *s)
+
+/* Check cert parameters compatible with extensions: currently just checks
+ * EC certificates have compatible curves and compression.
+ */
+static int tls1_check_cert_param(SSL *s, X509 *x)
{
- int rv;
- CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
- EVP_PKEY *pkey;
unsigned char comp_id, curve_id[2];
- if (!cpk->x509 || !cpk->privatekey)
- return 0;
- pkey = X509_get_pubkey(cpk->x509);
+ EVP_PKEY *pkey;
+ int rv;
+ pkey = X509_get_pubkey(x);
if (!pkey)
return 0;
+ /* If not EC nothing to do */
+ if (pkey->type != EVP_PKEY_EC)
+ {
+ EVP_PKEY_free(pkey);
+ return 1;
+ }
rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
EVP_PKEY_free(pkey);
if (!rv)
return 0;
}
if (!tls1_set_ec_id(curve_id, NULL, ec))
- return 1;
+ return 0;
+/* Set this to allow use of invalid curves for testing */
+#if 0
+ return 1;
+#else
return tls1_check_ec_key(s, curve_id, NULL);
+#endif
}
#endif /* OPENSSL_NO_EC */
#endif
};
-size_t tls12_get_sig_algs(SSL *s, unsigned char *p)
+size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
{
- const unsigned char *sigs;
- size_t sigslen;
- sigs = s->cert->conf_sigalgs;
-
- if (sigs)
- sigslen = s->cert->conf_sigalgslen;
+ /* If server use client authentication sigalgs if not NULL */
+ if (s->server && s->cert->client_sigalgs)
+ {
+ *psigs = s->cert->client_sigalgs;
+ return s->cert->client_sigalgslen;
+ }
+ else if (s->cert->conf_sigalgs)
+ {
+ *psigs = s->cert->conf_sigalgs;
+ return s->cert->conf_sigalgslen;
+ }
else
{
- sigs = tls12_sigalgs;
- sigslen = sizeof(tls12_sigalgs);
+ *psigs = tls12_sigalgs;
#ifdef OPENSSL_FIPS
/* If FIPS mode don't include MD5 which is last */
if (FIPS_mode())
- sigslen -= 2;
+ return sizeof(tls12_sigalgs) - 2;
+ else
#endif
+ return sizeof(tls12_sigalgs);
}
-
- if (p)
- memcpy(p, sigs, sigslen);
- return sigslen;
+ }
+/* Check signature algorithm is consistent with sent supported signature
+ * algorithms and if so return relevant digest.
+ */
+int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
+ const unsigned char *sig, EVP_PKEY *pkey)
+ {
+ const unsigned char *sent_sigs;
+ size_t sent_sigslen, i;
+ int sigalg = tls12_get_sigid(pkey);
+ /* Should never happen */
+ if (sigalg == -1)
+ return -1;
+ /* Check key type is consistent with signature */
+ if (sigalg != (int)sig[1])
+ {
+ SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
+ }
+ /* Check signature matches a type we sent */
+ sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
+ for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
+ {
+ if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
+ break;
+ }
+ /* Allow fallback to SHA1 if not strict mode */
+ if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT))
+ {
+ SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
+ }
+ *pmd = tls12_get_hash(sig[0]);
+ if (*pmd == NULL)
+ {
+ SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
+ return 0;
+ }
+ return 1;
+ }
+/* Get a mask of disabled algorithms: an algorithm is disabled
+ * if it isn't supported or doesn't appear in supported signature
+ * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
+ * session and not global settings.
+ *
+ */
+void ssl_set_client_disabled(SSL *s)
+ {
+ CERT *c = s->cert;
+ const unsigned char *sigalgs;
+ size_t i, sigalgslen;
+ int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
+ c->mask_a = 0;
+ c->mask_k = 0;
+ /* If less than TLS 1.2 don't allow TLS 1.2 only ciphers */
+ if (TLS1_get_version(s) < TLS1_2_VERSION)
+ c->mask_ssl = SSL_TLSV1_2;
+ else
+ c->mask_ssl = 0;
+ /* Now go through all signature algorithms seeing if we support
+ * any for RSA, DSA, ECDSA. Do this for all versions not just
+ * TLS 1.2.
+ */
+ sigalgslen = tls12_get_psigalgs(s, &sigalgs);
+ for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
+ {
+ switch(sigalgs[1])
+ {
+#ifndef OPENSSL_NO_RSA
+ case TLSEXT_signature_rsa:
+ have_rsa = 1;
+ break;
+#endif
+#ifndef OPENSSL_NO_DSA
+ case TLSEXT_signature_dsa:
+ have_dsa = 1;
+ break;
+#endif
+#ifndef OPENSSL_NO_ECDSA
+ case TLSEXT_signature_ecdsa:
+ have_ecdsa = 1;
+ break;
+#endif
+ }
+ }
+ /* Disable auth and static DH if we don't include any appropriate
+ * signature algorithms.
+ */
+ if (!have_rsa)
+ {
+ c->mask_a |= SSL_aRSA;
+ c->mask_k |= SSL_kDHr|SSL_kECDHr;
+ }
+ if (!have_dsa)
+ {
+ c->mask_a |= SSL_aDSS;
+ c->mask_k |= SSL_kDHd;
+ }
+ if (!have_ecdsa)
+ {
+ c->mask_a |= SSL_aECDSA;
+ c->mask_k |= SSL_kECDHe;
+ }
+#ifndef OPENSSL_NO_KRB5
+ if (!kssl_tgt_is_available(s->kssl_ctx))
+ {
+ c->mask_a |= SSL_aKRB5;
+ c->mask_k |= SSL_kKRB5;
+ }
+#endif
+#ifndef OPENSSL_NO_PSK
+ /* with PSK there must be client callback set */
+ if (!s->psk_client_callback)
+ {
+ c->mask_a |= SSL_aPSK;
+ c->mask_k |= SSL_kPSK;
+ }
+#endif /* OPENSSL_NO_PSK */
+ c->valid = 1;
}
/* byte_compare is a compare function for qsort(3) that compares bytes. */
if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
{
size_t salglen;
- salglen = tls12_get_sig_algs(s, NULL);
+ const unsigned char *salg;
+ salglen = tls12_get_psigalgs(s, &salg);
if ((size_t)(limit - ret) < salglen + 6)
return NULL;
s2n(TLSEXT_TYPE_signature_algorithms,ret);
s2n(salglen + 2, ret);
s2n(salglen, ret);
- tls12_get_sig_algs(s, ret);
+ memcpy(ret, salg, salglen);
ret += salglen;
}
static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
int *psignhash_nid, const unsigned char *data)
{
- int sign_nid, hash_nid;
+ int sign_nid = 0, hash_nid = 0;
if (!phash_nid && !psign_nid && !psignhash_nid)
return;
if (phash_nid || psignhash_nid)
size_t nmatch;
TLS_SIGALGS *salgs = NULL;
CERT *c = s->cert;
- conf = c->conf_sigalgs;
- if (conf)
+ /* If client use client signature algorithms if not NULL */
+ if (!s->server && c->client_sigalgs)
+ {
+ conf = c->client_sigalgs;
+ conflen = c->client_sigalgslen;
+ }
+ else if (c->conf_sigalgs)
+ {
+ conf = c->conf_sigalgs;
conflen = c->conf_sigalgslen;
+ }
else
{
conf = tls12_sigalgs;
}
}
- /* Set any remaining keys to default values. NOTE: if alg is not
- * supported it stays as NULL.
+ /* In strict mode leave unset digests as NULL to indicate we can't
+ * use the certificate for signing.
*/
+ if (!(s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT))
+ {
+ /* Set any remaining keys to default values. NOTE: if alg is
+ * not supported it stays as NULL.
+ */
#ifndef OPENSSL_NO_DSA
- if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+ if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
+ c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
#endif
#ifndef OPENSSL_NO_RSA
- if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
- {
- c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
- c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
- }
+ if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
+ {
+ c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
+ c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
+ }
#endif
#ifndef OPENSSL_NO_ECDSA
- if (!c->pkeys[SSL_PKEY_ECC].digest)
- c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+ if (!c->pkeys[SSL_PKEY_ECC].digest)
+ c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
#endif
+ }
return 1;
}
/* Set suppored signature algorithms based on a colon separated list
* of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
-int tls1_set_sigalgs_list(CERT *c, const char *str)
+int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
{
sig_cb_st sig;
sig.sigalgcnt = 0;
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
return 0;
- return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt);
+ return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}
-int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen)
+int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
{
unsigned char *sigalgs, *sptr;
int rhash, rsign;
*sptr++ = rsign;
}
- if (c->conf_sigalgs)
- OPENSSL_free(c->conf_sigalgs);
+ if (client)
+ {
+ if (c->client_sigalgs)
+ OPENSSL_free(c->client_sigalgs);
+ c->client_sigalgs = sigalgs;
+ c->client_sigalgslen = salglen;
+ }
+ else
+ {
+ if (c->conf_sigalgs)
+ OPENSSL_free(c->conf_sigalgs);
+ c->conf_sigalgs = sigalgs;
+ c->conf_sigalgslen = salglen;
+ }
- c->conf_sigalgs = sigalgs;
- c->conf_sigalgslen = salglen;
return 1;
err:
return 0;
}
+static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
+ {
+ int sig_nid;
+ size_t i;
+ if (default_nid == -1)
+ return 1;
+ sig_nid = X509_get_signature_nid(x);
+ if (default_nid)
+ return sig_nid == default_nid ? 1 : 0;
+ for (i = 0; i < c->shared_sigalgslen; i++)
+ if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
+ return 1;
+ return 0;
+ }
+
+/* Check certificate chain is consistent with TLS extensions and is
+ * usable by server.
+ */
+int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
+ int idx)
+ {
+ int i;
+ int rv = CERT_PKEY_INVALID;
+ CERT_PKEY *cpk = NULL;
+ CERT *c = s->cert;
+ if (idx != -1)
+ {
+ cpk = c->pkeys + idx;
+ x = cpk->x509;
+ pk = cpk->privatekey;
+ chain = cpk->chain;
+ /* If no cert or key, forget it */
+ if (!x || !pk)
+ goto end;
+ }
+ else
+ {
+ idx = ssl_cert_type(x, pk);
+ if (idx == -1)
+ goto end;
+ }
+
+ /* Check all signature algorithms are consistent with
+ * signature algorithms extension if TLS 1.2 or later
+ * and strict mode.
+ */
+ if (TLS1_get_version(s) >= TLS1_2_VERSION
+ && c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+ {
+ int default_nid;
+ unsigned char rsign = 0;
+ if (c->peer_sigalgs)
+ default_nid = 0;
+ /* If no sigalgs extension use defaults from RFC5246 */
+ else
+ {
+ switch(idx)
+ {
+ case SSL_PKEY_RSA_ENC:
+ case SSL_PKEY_RSA_SIGN:
+ case SSL_PKEY_DH_RSA:
+ rsign = TLSEXT_signature_rsa;
+ default_nid = NID_sha1WithRSAEncryption;
+ break;
+
+ case SSL_PKEY_DSA_SIGN:
+ case SSL_PKEY_DH_DSA:
+ rsign = TLSEXT_signature_dsa;
+ default_nid = NID_dsaWithSHA1;
+ break;
+
+ case SSL_PKEY_ECC:
+ rsign = TLSEXT_signature_ecdsa;
+ default_nid = NID_ecdsa_with_SHA1;
+ break;
+
+ default:
+ default_nid = -1;
+ break;
+ }
+ }
+ /* If peer sent no signature algorithms extension and we
+ * have set preferred signature algorithms check we support
+ * sha1.
+ */
+ if (default_nid > 0 && c->conf_sigalgs)
+ {
+ size_t j;
+ const unsigned char *p = c->conf_sigalgs;
+ for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
+ {
+ if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
+ break;
+ }
+ if (j == c->conf_sigalgslen)
+ goto end;
+ }
+ /* Check signature algorithm of each cert in chain */
+ if (!tls1_check_sig_alg(c, x, default_nid))
+ goto end;
+ for (i = 0; i < sk_X509_num(chain); i++)
+ {
+ if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
+ default_nid))
+ goto end;
+ }
+ }
+
+ /* Check cert parameters are consistent */
+ if (!tls1_check_cert_param(s, x))
+ goto end;
+ /* In strict mode check rest of chain too */
+ if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+ {
+ for (i = 0; i < sk_X509_num(chain); i++)
+ {
+ if (!tls1_check_cert_param(s, sk_X509_value(chain, i)))
+ goto end;
+ }
+ }
+ rv = CERT_PKEY_VALID;
+
+ end:
+ if (cpk)
+ {
+ if (rv && cpk->digest)
+ rv |= CERT_PKEY_SIGN;
+ cpk->valid_flags = rv;
+ }
+ return rv;
+ }
+
+/* Set validity of certificates in an SSL structure */
+void tls1_set_cert_validity(SSL *s)
+ {
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
+ }
+/* User level utiity function to check a chain is suitable */
+int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
+ {
+ return tls1_check_chain(s, x, pk, chain, -1);
+ }
+
#endif
projects / openssl.git / blobdiff