X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Ft1_lib.c;h=96290e2834067d0fe55926ec6f37754ada6a88c0;hp=48e99c501163ed70d6d038fe1a3692588260e9d2;hb=6660baee66e474058229911950e26e56f31fb0bf;hpb=b28fbdfa7dd72fa8ca4fde7008634ee87b067998

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 48e99c5011..96290e2834 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -333,6 +333,21 @@ static void tls1_get_curvelist(SSL *s, int sess,
 		*pcurveslen = sizeof(eccurves_default);
 		}
 	}
+/* Check a curve is one of our preferences */
+int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
+	{
+	const unsigned char *curves;
+	size_t curveslen, i;
+	if (len != 3 || p[0] != NAMED_CURVE_TYPE)
+		return 0;
+	tls1_get_curvelist(s, 0, &curves, &curveslen);
+	for (i = 0; i < curveslen; i += 2, curves += 2)
+		{
+		if (p[1] == curves[0] && p[2] == curves[1])
+			return 1;
+		}
+	return 0;
+	}
 
 /* Return nth shared curve. If nmatch == -1 return number of
  * matches.
@@ -583,8 +598,13 @@ int tls1_check_ec_tmp_key(SSL *s)
 			return 0;
 		}
 	if (!tls1_set_ec_id(curve_id, NULL, ec))
-		return 1;
+		return 0;
+/* Set this to allow use of invalid curves for testing */
+#if 0
+	return 1;
+#else
 	return tls1_check_ec_key(s, curve_id, NULL);
+#endif
 	}
 
 #endif /* OPENSSL_NO_EC */
@@ -660,6 +680,45 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
 			return sizeof(tls12_sigalgs);
 		}
 	}
+/* Check signature algorithm is consistent with sent supported signature
+ * algorithms and if so return relevant digest.
+ */
+int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
+				const unsigned char *sig, EVP_PKEY *pkey)
+	{
+	const unsigned char *sent_sigs;
+	size_t sent_sigslen, i;
+	int sigalg = tls12_get_sigid(pkey);
+	/* Should never happen */
+	if (sigalg == -1)
+		return -1;
+	/* Check key type is consistent with signature */
+	if (sigalg != (int)sig[1])
+		{
+		SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
+		return 0;
+		}
+	/* Check signature matches a type we sent */
+	sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
+	for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
+		{
+		if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
+			break;
+		}
+	/* Allow fallback to SHA1 if not strict mode */
+	if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT))
+		{
+		SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
+		return 0;
+		}
+	*pmd = tls12_get_hash(sig[0]);
+	if (*pmd == NULL)
+		{
+		SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
+		return 0;
+		}
+	return 1;
+	}
 /* Get a mask of disabled algorithms: an algorithm is disabled
  * if it isn't supported or doesn't appear in supported signature
  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
@@ -1392,6 +1451,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 	unsigned short len;
 	unsigned char *data = *p;
 	int renegotiate_seen = 0;
+	size_t i;
 
 	s->servername_done = 0;
 	s->tlsext_status_type = -1;
@@ -1415,6 +1475,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 		OPENSSL_free(s->cert->shared_sigalgs);
 		s->cert->shared_sigalgs = NULL;
 		}
+	/* Clear certificate digests and validity flags */
+	for (i = 0; i < SSL_PKEY_NUM; i++)
+		{
+		s->cert->pkeys[i].digest = NULL;
+		s->cert->pkeys[i].valid_flags = 0;
+		}
 
 	if (data >= (d+n-2))
 		goto ri_check;
@@ -1903,7 +1969,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			 * in the case of a session resumption. */
 			if (!s->hit)
 				{
-				size_t i;
 				if (s->s3->tlsext_authz_client_types != NULL)
 					OPENSSL_free(s->s3->tlsext_authz_client_types);
 				s->s3->tlsext_authz_client_types =
@@ -3025,7 +3090,7 @@ static int tls12_get_pkey_idx(unsigned char sig_alg)
 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
 			int *psignhash_nid, const unsigned char *data)
 	{
-	int sign_nid, hash_nid;
+	int sign_nid = 0, hash_nid = 0;
 	if (!phash_nid && !psign_nid && !psignhash_nid)
 		return;
 	if (phash_nid || psignhash_nid)
@@ -3158,11 +3223,6 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 	if (!c)
 		return 0;
 
-	c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
-	c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
-	c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
-	c->pkeys[SSL_PKEY_ECC].digest = NULL;
-
 	c->peer_sigalgs = OPENSSL_malloc(dsize);
 	if (!c->peer_sigalgs)
 		return 0;
@@ -3179,8 +3239,12 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 			{
 			md = tls12_get_hash(sigptr->rhash);
 			c->pkeys[idx].digest = md;
+			c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
 			if (idx == SSL_PKEY_RSA_SIGN)
+				{
+				c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
 				c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
+				}
 			}
 
 		}
@@ -3524,40 +3588,76 @@ static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
 			return 1;
 	return 0;
 	}
+/* Check to see if a certificate issuer name matches list of CA names */
+static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
+	{
+	X509_NAME *nm;
+	int i;
+	nm = X509_get_issuer_name(x);
+	for (i = 0; i < sk_X509_NAME_num(names); i++)
+		{
+		if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
+			return 1;
+		}
+	return 0;
+	}
 
 /* Check certificate chain is consistent with TLS extensions and is
- * usable by server.
+ * usable by server. This servers two purposes: it allows users to 
+ * check chains before passing them to the server and it allows the
+ * server to check chains before attempting to use them.
  */
+
+/* Flags which need to be set for a certificate when stict mode not set */
+
+#define CERT_PKEY_VALID_FLAGS \
+	(CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
+/* Strict mode flags */
+#define CERT_PKEY_STRICT_FLAGS \
+	 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
+	 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
+
 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 									int idx)
 	{
 	int i;
-	int rv = CERT_PKEY_INVALID;
+	int rv = 0;
+	int check_flags = 0, strict_mode;
 	CERT_PKEY *cpk = NULL;
 	CERT *c = s->cert;
+	/* idx != -1 means checking server chains */
 	if (idx != -1)
 		{
 		cpk = c->pkeys + idx;
 		x = cpk->x509;
 		pk = cpk->privatekey;
 		chain = cpk->chain;
+		strict_mode = c->cert_flags & SSL_CERT_FLAG_TLS_STRICT;
 		/* If no cert or key, forget it */
 		if (!x || !pk)
 			goto end;
 		}
 	else
 		{
+		if (!x || !pk)
+			goto end;
 		idx = ssl_cert_type(x, pk);
 		if (idx == -1)
 			goto end;
+		cpk = c->pkeys + idx;
+		if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+			check_flags = CERT_PKEY_STRICT_FLAGS;
+		else
+			check_flags = CERT_PKEY_VALID_FLAGS;
+		strict_mode = 1;
 		}
 
+
 	/* Check all signature algorithms are consistent with
 	 * signature algorithms extension if TLS 1.2 or later
 	 * and strict mode.
 	 */
-	if (TLS1_get_version(s) >= TLS1_2_VERSION
-		&& c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+	if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
 		{
 		int default_nid;
 		unsigned char rsign = 0;
@@ -3605,39 +3705,171 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 					break;
 				}
 			if (j == c->conf_sigalgslen)
-				goto end;
+				{
+				if (check_flags)
+					goto skip_sigs;
+				else
+					goto end;
+				}
 			}
 		/* Check signature algorithm of each cert in chain */
 		if (!tls1_check_sig_alg(c, x, default_nid))
-			goto end;
+			{
+			if (!check_flags) goto end;
+			}
+		else
+			rv |= CERT_PKEY_EE_SIGNATURE;
+		rv |= CERT_PKEY_CA_SIGNATURE;
 		for (i = 0; i < sk_X509_num(chain); i++)
 			{
 			if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
 							default_nid))
-				goto end;
+				{
+				if (check_flags)
+					{
+					rv &= ~CERT_PKEY_CA_SIGNATURE;
+					break;
+					}
+				else
+					goto end;
+				}
 			}
 		}
-
-	/* Check cert parameters are consistent */
-	if (!tls1_check_cert_param(s, x))
+	/* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
+	else if(check_flags)
+		rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
+	skip_sigs:
+	/* Check cert parameters are consistent: server certs only */
+	if (!s->server || tls1_check_cert_param(s, x))
+		rv |= CERT_PKEY_EE_PARAM;
+	else if (!check_flags)
 		goto end;
+	if (!s->server)
+		rv |= CERT_PKEY_CA_PARAM;
 	/* In strict mode check rest of chain too */
-	if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+	else if (strict_mode)
 		{
+		rv |= CERT_PKEY_CA_PARAM;
 		for (i = 0; i < sk_X509_num(chain); i++)
 			{
 			if (!tls1_check_cert_param(s, sk_X509_value(chain, i)))
+				{
+				if (check_flags)
+					{
+					rv &= ~CERT_PKEY_CA_PARAM;
+					break;
+					}
+				else
+					goto end;
+				}
+			}
+		}
+	if (!s->server && strict_mode)
+		{
+		STACK_OF(X509_NAME) *ca_dn;
+		int check_type = 0;
+		switch (pk->type)
+			{
+		case EVP_PKEY_RSA:
+			check_type = TLS_CT_RSA_SIGN;
+			break;
+		case EVP_PKEY_DSA:
+			check_type = TLS_CT_DSS_SIGN;
+			break;
+		case EVP_PKEY_EC:
+			check_type = TLS_CT_ECDSA_SIGN;
+			break;
+		case EVP_PKEY_DH:
+		case EVP_PKEY_DHX:
+				{
+				int cert_type = X509_certificate_type(x, pk);
+				if (cert_type & EVP_PKS_RSA)
+					check_type = TLS_CT_RSA_FIXED_DH;
+				if (cert_type & EVP_PKS_DSA)
+					check_type = TLS_CT_DSS_FIXED_DH;
+				}
+			}
+		if (check_type)
+			{
+			const unsigned char *ctypes;
+			int ctypelen;
+			if (c->ctypes)
+				{
+				ctypes = c->ctypes;
+				ctypelen = (int)c->ctype_num;
+				}
+			else
+				{
+				ctypes = (unsigned char *)s->s3->tmp.ctype;
+				ctypelen = s->s3->tmp.ctype_num;
+				}
+			for (i = 0; i < ctypelen; i++)
+				{
+				if (ctypes[i] == check_type)
+					{
+					rv |= CERT_PKEY_CERT_TYPE;
+					break;
+					}
+				}
+			if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
 				goto end;
 			}
+		else
+			rv |= CERT_PKEY_CERT_TYPE;
+
+
+		ca_dn = s->s3->tmp.ca_names;
+
+		if (!sk_X509_NAME_num(ca_dn))
+			rv |= CERT_PKEY_ISSUER_NAME;
+
+		if (!(rv & CERT_PKEY_ISSUER_NAME))
+			{
+			if (ssl_check_ca_name(ca_dn, x))
+				rv |= CERT_PKEY_ISSUER_NAME;
+			}
+		if (!(rv & CERT_PKEY_ISSUER_NAME))
+			{
+			for (i = 0; i < sk_X509_num(chain); i++)
+				{
+				X509 *xtmp = sk_X509_value(chain, i);
+				if (ssl_check_ca_name(ca_dn, xtmp))
+					{
+					rv |= CERT_PKEY_ISSUER_NAME;
+					break;
+					}
+				}
+			}
+		if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
+			goto end;
 		}
-	rv = CERT_PKEY_VALID;
+	else
+		rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
+
+	if (!check_flags || (rv & check_flags) == check_flags)
+		rv |= CERT_PKEY_VALID;
 
 	end:
-	if (cpk)
+
+	if (TLS1_get_version(s) >= TLS1_2_VERSION)
 		{
-		if (rv && cpk->digest)
+		if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
+			rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
+		else if (cpk->digest)
 			rv |= CERT_PKEY_SIGN;
-		cpk->valid_flags = rv;
+		}
+	else
+		rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
+
+	/* When checking a CERT_PKEY structure all flags are irrelevant
+	 * if the chain is invalid.
+	 */
+	if (!check_flags)
+		{
+		if (rv & CERT_PKEY_VALID)
+			cpk->valid_flags = rv;
+		else
+			cpk->valid_flags = 0;
 		}
 	return rv;
 	}