Remove hard coded ecdsaWithSHA1 hack in ssl routines and check for RSA

[openssl.git] / ssl / ssl_lib.c
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c

index f59a45411e496106a5f8d10ebb4afe9f5caab69a..22039fb1680bc418a6ddcb87696790551cdac1f0 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -146,6 +146,7 @@
  #  include <assert.h>
  #endif
  #include <stdio.h>
+#include <openssl/crypto.h>
  #include "ssl_locl.h"
  #include "kssl_lcl.h"
  #include <openssl/objects.h>
@@ -202,9 +203,9 @@ int SSL_clear(SSL *s)
         * needed because SSL_clear is not called when doing renegotiation) */
         /* This is set if we are doing dynamic renegotiation so keep
          * the old cipher.  It is sort of a SSL_clear_lite :-) */
-       if (s->new_session) return(1);
+       if (s->renegotiate) return(1);
  #else
-       if (s->new_session)
+       if (s->renegotiate)
                 {
                 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
                 return 0;
@@ -319,6 +320,7 @@ SSL *SSL_new(SSL_CTX *ctx)
         s->msg_callback=ctx->msg_callback;
         s->msg_callback_arg=ctx->msg_callback_arg;
         s->verify_mode=ctx->verify_mode;
+       s->not_resumable_session_cb=ctx->not_resumable_session_cb;
  #if 0
         s->verify_depth=ctx->verify_depth;
  #endif
@@ -353,7 +355,7 @@ SSL *SSL_new(SSL_CTX *ctx)
         s->tlsext_ocsp_resplen = -1;
         CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
         s->initial_ctx=ctx;
-# ifndef OPENSSL_NO_NPN
+# ifndef OPENSSL_NO_NEXTPROTONEG
         s->next_proto_negotiated = NULL;
  # endif
  #endif
@@ -589,7 +591,7 @@ void SSL_free(SSL *s)
                 kssl_ctx_free(s->kssl_ctx);
  #endif /* OPENSSL_NO_KRB5 */
  
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
         if (s->next_proto_negotiated)
                 OPENSSL_free(s->next_proto_negotiated);
  #endif
@@ -1016,18 +1018,29 @@ int SSL_shutdown(SSL *s)
  
  int SSL_renegotiate(SSL *s)
         {
-       if (s->new_session == 0)
-               {
-               s->new_session=1;
-               }
+       if (s->renegotiate == 0)
+               s->renegotiate=1;
+
+       s->new_session=1;
+
         return(s->method->ssl_renegotiate(s));
         }
  
+int SSL_renegotiate_abbreviated(SSL *s)
+{
+       if (s->renegotiate == 0)
+               s->renegotiate=1;
+       
+       s->new_session=0;
+       
+       return(s->method->ssl_renegotiate(s));
+}
+
  int SSL_renegotiate_pending(SSL *s)
         {
         /* becomes true when negotiation is requested;
          * false again once a handshake has finished */
-       return (s->new_session != 0);
+       return (s->renegotiate != 0);
         }
  
  long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
@@ -1363,6 +1376,10 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
         for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
                 {
                 c=sk_SSL_CIPHER_value(sk,i);
+               /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
+               if ((c->algorithm_ssl & SSL_TLSV1_2) && 
+                       (TLS1_get_version(s) < TLS1_2_VERSION))
+                       continue;
  #ifndef OPENSSL_NO_KRB5
                 if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
                     nokrb5)
@@ -1380,7 +1397,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
         /* If p == q, no ciphers and caller indicates an error. Otherwise
          * add SCSV if not renegotiating.
          */
-       if (p != q && !s->new_session)
+       if (p != q && !s->renegotiate)
                 {
                 static SSL_CIPHER scsv =
                         {
@@ -1427,7 +1444,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
                         (p[n-1] == (SSL3_CK_SCSV & 0xff)))
                         {
                         /* SCSV fatal if renegotiating */
-                       if (s->new_session)
+                       if (s->renegotiate)
                                 {
                                 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 
@@ -1485,7 +1502,7 @@ int SSL_get_servername_type(const SSL *s)
         return -1;
         }
  
-# ifndef OPENSSL_NO_NPN
+# ifndef OPENSSL_NO_NEXTPROTONEG
  /* SSL_select_next_proto implements the standard protocol selection. It is
   * expected that this function is called from the callback set by
   * SSL_CTX_set_next_proto_select_cb.
@@ -1647,6 +1664,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
                 return(NULL);
                 }
  
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+               {
+               SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+               return NULL;
+               }
+#endif
+
         if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                 {
                 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1766,7 +1791,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
         ret->tlsext_status_cb = 0;
         ret->tlsext_status_arg = NULL;
  
-# ifndef OPENSSL_NO_NPN
+# ifndef OPENSSL_NO_NEXTPROTONEG
         ret->next_protos_advertised_cb = 0;
         ret->next_proto_select_cb = 0;
  # endif
@@ -1776,6 +1801,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
         ret->psk_client_callback=NULL;
         ret->psk_server_callback=NULL;
  #endif
+#ifndef OPENSSL_NO_SRP
+       SSL_CTX_SRP_CTX_init(ret);
+#endif
  #ifndef OPENSSL_NO_BUF_FREELISTS
         ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
         ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -1818,6 +1846,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
          * deployed might change this.
          */
         ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+       /* Disable TLS v1.2 by default for now */
+       ret->options |= SSL_OP_NO_TLSv1_2;
  
         return(ret);
  err:
@@ -1908,6 +1938,9 @@ void SSL_CTX_free(SSL_CTX *a)
         if (a->psk_identity_hint)
                 OPENSSL_free(a->psk_identity_hint);
  #endif
+#ifndef OPENSSL_NO_SRP
+       SSL_CTX_SRP_CTX_free(a);
+#endif
  #ifndef OPENSSL_NO_ENGINE
         if (a->client_cert_engine)
                 ENGINE_finish(a->client_cert_engine);
@@ -1963,7 +1996,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  #endif
         X509 *x = NULL;
         EVP_PKEY *ecc_pkey = NULL;
-       int signature_nid = 0;
+       int signature_nid = 0, pk_nid = 0, md_nid = 0;
  
         if (c == NULL) return;
  
@@ -2093,18 +2126,15 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
                     EVP_PKEY_bits(ecc_pkey) : 0;
                 EVP_PKEY_free(ecc_pkey);
                 if ((x->sig_alg) && (x->sig_alg->algorithm))
+                       {
                         signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+                       OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
+                       }
  #ifndef OPENSSL_NO_ECDH
                 if (ecdh_ok)
                         {
-                       const char *sig = OBJ_nid2ln(signature_nid);
-                       if (sig == NULL)
-                               {
-                               ERR_clear_error();
-                               sig = "unknown";
-                               }
-                               
-                       if (strstr(sig, "WithRSA"))
+
+                       if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa)
                                 {
                                 mask_k|=SSL_kECDHr;
                                 mask_a|=SSL_aECDH;
@@ -2115,7 +2145,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
                                         }
                                 }
  
-                       if (signature_nid == NID_ecdsa_with_SHA1)
+                       if (pk_nid == NID_X9_62_id_ecPublicKey)
                                 {
                                 mask_k|=SSL_kECDHe;
                                 mask_a|=SSL_aECDH;
@@ -2164,12 +2194,13 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  
  #ifndef OPENSSL_NO_EC
  
-int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
+int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
         {
         unsigned long alg_k, alg_a;
         EVP_PKEY *pkey = NULL;
         int keysize = 0;
-       int signature_nid = 0;
+       int signature_nid = 0, md_nid = 0, pk_nid = 0;
+       const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
  
         alg_k = cs->algorithm_mkey;
         alg_a = cs->algorithm_auth;
@@ -2187,7 +2218,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
         /* This call populates the ex_flags field correctly */
         X509_check_purpose(x, -1, 0);
         if ((x->sig_alg) && (x->sig_alg->algorithm))
+               {
                 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+               OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
+               }
         if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
                 {
                 /* key usage, if present, must allow key agreement */
@@ -2196,26 +2230,20 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
                         SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
                         return 0;
                         }
-               if (alg_k & SSL_kECDHe)
+               if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
                         {
                         /* signature alg must be ECDSA */
-                       if (signature_nid != NID_ecdsa_with_SHA1)
+                       if (pk_nid != NID_X9_62_id_ecPublicKey)
                                 {
                                 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
                                 return 0;
                                 }
                         }
-               if (alg_k & SSL_kECDHr)
+               if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
                         {
                         /* signature alg must be RSA */
  
-                       const char *sig = OBJ_nid2ln(signature_nid);
-                       if (sig == NULL)
-                               {
-                               ERR_clear_error();
-                               sig = "unknown";
-                               }
-                       if (strstr(sig, "WithRSA") == NULL)
+                       if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
                                 {
                                 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
                                 return 0;
@@ -2301,34 +2329,36 @@ X509 *ssl_get_server_send_cert(SSL *s)
         return(c->pkeys[i].x509);
         }
  
-EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher)
+EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
         {
         unsigned long alg_a;
         CERT *c;
+       int idx = -1;
  
         alg_a = cipher->algorithm_auth;
         c=s->cert;
  
         if ((alg_a & SSL_aDSS) &&
                 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
-               return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
+               idx = SSL_PKEY_DSA_SIGN;
         else if (alg_a & SSL_aRSA)
                 {
                 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
-                       return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
+                       idx = SSL_PKEY_RSA_SIGN;
                 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
-                       return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
-               else
-                       return(NULL);
+                       idx = SSL_PKEY_RSA_ENC;
                 }
         else if ((alg_a & SSL_aECDSA) &&
                  (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
-               return(c->pkeys[SSL_PKEY_ECC].privatekey);
-       else /* if (alg_a & SSL_aNULL) */
+               idx = SSL_PKEY_ECC;
+       if (idx == -1)
                 {
                 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
                 return(NULL);
                 }
+       if (pmd)
+               *pmd = c->pkeys[idx].digest;
+       return c->pkeys[idx].privatekey;
         }
  
  void ssl_update_cache(SSL *s,int mode)
@@ -2553,10 +2583,12 @@ SSL_METHOD *ssl_bad_method(int ver)
  
  const char *SSL_get_version(const SSL *s)
         {
-       if (s->version == TLS1_1_VERSION)
+       if (s->version == TLS1_2_VERSION)
+               return("TLSv1.2");
+       else if (s->version == TLS1_1_VERSION)
                 return("TLSv1.1");
-       else if (s->version == SSL3_VERSION)
-               return("SSLv3");
+       else if (s->version == TLS1_VERSION)
+               return("TLSv1");
         else if (s->version == SSL3_VERSION)
                 return("SSLv3");
         else if (s->version == SSL2_VERSION)
@@ -2649,6 +2681,7 @@ SSL *SSL_dup(SSL *s)
         ret->in_handshake = s->in_handshake;
         ret->handshake_func = s->handshake_func;
         ret->server = s->server;
+       ret->renegotiate = s->renegotiate;
         ret->new_session = s->new_session;
         ret->quiet_shutdown = s->quiet_shutdown;
         ret->shutdown=s->shutdown;
@@ -2914,6 +2947,11 @@ int SSL_state(const SSL *ssl)
         return(ssl->state);
         }
  
+void SSL_set_state(SSL *ssl, int state)
+       {
+       ssl->state = state;
+       }
+
  void SSL_set_verify_result(SSL *ssl,long arg)
         {
         ssl->verify_result=arg;
@@ -3152,6 +3190,19 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int con
         SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
         }
  
+void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
+       int (*cb)(SSL *ssl, int is_forward_secure))
+       {
+       SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
+               (void (*)(void))cb);
+       }
+void SSL_set_not_resumable_session_callback(SSL *ssl,
+       int (*cb)(SSL *ssl, int is_forward_secure))
+       {
+       SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
+               (void (*)(void))cb);
+       }
+
  /* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
   * vairable, freeing  EVP_MD_CTX previously stored in that variable, if
   * any. If EVP_MD pointer is passed, initializes ctx with this md
@@ -3172,6 +3223,16 @@ void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
         *hash=NULL;
  }
  
+void SSL_set_debug(SSL *s, int debug)
+       {
+       s->debug = debug;
+       }
+
+int SSL_cache_hit(SSL *s)
+       {
+       return s->hit;
+       }
+
  #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
  #include "../crypto/bio/bss_file.c"
  #endif