The branch master has been updated via 38e8f3cd815f86b80d54892bb40ba67ab9fb83bd (commit) via faadddc906b9f3ee2059a1a20d43d8f42e143939 (commit) via a8bb912d84cb8fe45260790f854ddc628f1f4f5a (commit) via 9195ddcd0fd810de755893571eebe459485bf8c4 (commit) from 5e1f879ab5a2bfdf2d58222f965f93fe1b511ce7 (commit)
- Log ----------------------------------------------------------------- commit 38e8f3cd815f86b80d54892bb40ba67ab9fb83bd Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Feb 19 21:16:46 2017 +0000 Check validity, not just signing for all certificates Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2679) commit faadddc906b9f3ee2059a1a20d43d8f42e143939 Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Feb 19 18:55:26 2017 +0000 Add no siglags test for ECDSA certificate Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2679) commit a8bb912d84cb8fe45260790f854ddc628f1f4f5a Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Feb 19 18:47:16 2017 +0000 Set default validity flags. Set default validity flags if signature algorithms extension is not present. Preserve flags when checking chains. Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2679) commit 9195ddcd0fd810de755893571eebe459485bf8c4 Author: Dr. Stephen Henson <st...@openssl.org> Date: Sat Feb 18 03:42:15 2017 +0000 remove md array: it is not used any more. Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2679) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_lib.c | 4 +- ssl/ssl_locl.h | 2 - ssl/statem/statem_clnt.c | 8 +- ssl/t1_lib.c | 158 +++++++++++++------------------------- test/recipes/70-test_sslsigalgs.t | 14 +++- 5 files changed, 69 insertions(+), 117 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 48c37b8..dea2dac 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2768,8 +2768,8 @@ void ssl_set_masks(SSL *s) #endif rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; - rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_SIGN; - dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN; + rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; + dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID; #ifndef OPENSSL_NO_EC have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; #endif diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 70a47a8..6557834 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1320,8 +1320,6 @@ typedef struct ssl3_state_st { size_t peer_sigalgslen; /* Sigalg peer actualy uses */ const SIGALG_LOOKUP *peer_sigalg; - /* Array of digests used for signing */ - const EVP_MD *md[SSL_PKEY_NUM]; /* * Set if corresponding CERT_PKEY can be used with current * SSL session: e.g. appropriate curve, signature algorithms etc. diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 9f2e7af..3957a73 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2240,11 +2240,9 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) goto err; } - /* Clear certificate digests and validity flags */ - for (i = 0; i < SSL_PKEY_NUM; i++) { - s->s3->tmp.md[i] = NULL; + /* Clear certificate validity flags */ + for (i = 0; i < SSL_PKEY_NUM; i++) s->s3->tmp.valid_flags[i] = 0; - } if (!tls1_save_sigalgs(s, &sigalgs)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, @@ -2256,8 +2254,6 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); goto err; } - } else { - ssl_set_default_md(s); } /* get the CA RDNs */ diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 243cef5..140b1f1 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -568,7 +568,7 @@ void tls1_get_formatlist(SSL *s, const unsigned char **pformats, * Check cert parameters compatible with extensions: currently just checks EC * certificates have compatible curves and compression. */ -static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) +static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md) { unsigned char comp_id, curve_id[2]; EVP_PKEY *pkey; @@ -591,9 +591,9 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) return 0; /* * Special case for suite B. We *MUST* sign using SHA256+P-256 or - * SHA384+P-384, adjust digest if necessary. + * SHA384+P-384. */ - if (set_ee_md && tls1_suiteb(s)) { + if (check_ee_md && tls1_suiteb(s)) { int check_md; size_t i; CERT *c = s->cert; @@ -611,12 +611,6 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) break; if (i == c->shared_sigalgslen) return 0; - if (set_ee_md == 2) { - if (check_md == NID_ecdsa_with_SHA256) - s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256(); - else - s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384(); - } } return rv; } @@ -1069,29 +1063,6 @@ int tls_use_ticket(SSL *s) return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); } -/* Initialise digests to default values */ -void ssl_set_default_md(SSL *s) -{ - const EVP_MD **pmd = s->s3->tmp.md; -#ifndef OPENSSL_NO_DSA - pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX); -#endif -#ifndef OPENSSL_NO_RSA - if (SSL_USE_SIGALGS(s)) - pmd[SSL_PKEY_RSA] = ssl_md(SSL_MD_SHA1_IDX); - else - pmd[SSL_PKEY_RSA] = ssl_md(SSL_MD_MD5_SHA1_IDX); -#endif -#ifndef OPENSSL_NO_EC - pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX); -#endif -#ifndef OPENSSL_NO_GOST - pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX); - pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX); - pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX); -#endif -} - int tls1_set_server_sigalgs(SSL *s) { int al; @@ -1101,30 +1072,44 @@ int tls1_set_server_sigalgs(SSL *s) OPENSSL_free(s->cert->shared_sigalgs); s->cert->shared_sigalgs = NULL; s->cert->shared_sigalgslen = 0; - /* Clear certificate digests and validity flags */ - for (i = 0; i < SSL_PKEY_NUM; i++) { - s->s3->tmp.md[i] = NULL; + /* Clear certificate validity flags */ + for (i = 0; i < SSL_PKEY_NUM; i++) s->s3->tmp.valid_flags[i] = 0; - } + /* + * If peer sent no signature algorithms check to see if we support + * the default algorithm for each certificate type + */ + if (s->s3->tmp.peer_sigalgs == NULL) { + const uint16_t *sent_sigs; + size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); - /* If sigalgs received process it. */ - if (s->s3->tmp.peer_sigalgs) { - if (!tls1_process_sigalgs(s)) { - SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; - goto err; - } - /* Fatal error is no shared signature algorithms */ - if (!s->cert->shared_sigalgs) { - SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, - SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); - al = SSL_AD_ILLEGAL_PARAMETER; - goto err; + for (i = 0; i < SSL_PKEY_NUM; i++) { + const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i); + size_t j; + + if (lu == NULL) + continue; + /* Check default matches a type we sent */ + for (j = 0; j < sent_sigslen; j++) { + if (lu->sigalg == sent_sigs[j]) { + s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN; + break; + } + } } - } else { - ssl_set_default_md(s); + return 1; } - return 1; + + if (!tls1_process_sigalgs(s)) { + SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE); + al = SSL_AD_INTERNAL_ERROR; + goto err; + } + if (s->cert->shared_sigalgs != NULL) + return 1; + /* Fatal error is no shared signature algorithms */ + SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); + al = SSL_AD_ILLEGAL_PARAMETER; err: ssl3_send_alert(s, SSL3_AL_FATAL, al); return 0; @@ -1587,62 +1572,26 @@ int tls1_save_sigalgs(SSL *s, PACKET *pkt) int tls1_process_sigalgs(SSL *s) { - int idx; size_t i; - const EVP_MD *md; - const EVP_MD **pmd = s->s3->tmp.md; uint32_t *pvalid = s->s3->tmp.valid_flags; CERT *c = s->cert; if (!tls1_set_shared_sigalgs(s)) return 0; + for (i = 0; i < SSL_PKEY_NUM; i++) + pvalid[i] = 0; + for (i = 0; i < c->shared_sigalgslen; i++) { const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i]; + int idx = sigptr->sig_idx; /* Ignore PKCS1 based sig algs in TLSv1.3 */ if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) continue; - idx = tls12_get_pkey_idx(sigptr->sig); - if (idx >= 0 && pmd[idx] == NULL) { - md = ssl_md(sigptr->hash_idx); - pmd[idx] = md; - pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN; - } - } - /* - * In strict mode or TLS1.3 leave unset digests as NULL to indicate we can't - * use the certificate for signing. - */ - if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) - && !SSL_IS_TLS13(s)) { - /* - * Set any remaining keys to default values. NOTE: if alg is not - * supported it stays as NULL. - */ -#ifndef OPENSSL_NO_DSA - if (pmd[SSL_PKEY_DSA_SIGN] == NULL) - pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1(); -#endif -#ifndef OPENSSL_NO_RSA - if (pmd[SSL_PKEY_RSA] == NULL) { - pmd[SSL_PKEY_RSA] = EVP_sha1(); - } -#endif -#ifndef OPENSSL_NO_EC - if (pmd[SSL_PKEY_ECC] == NULL) - pmd[SSL_PKEY_ECC] = EVP_sha1(); -#endif -#ifndef OPENSSL_NO_GOST - if (pmd[SSL_PKEY_GOST01] == NULL) - pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94); - if (pmd[SSL_PKEY_GOST12_256] == NULL) - pmd[SSL_PKEY_GOST12_256] = - EVP_get_digestbynid(NID_id_GostR3411_2012_256); - if (pmd[SSL_PKEY_GOST12_512] == NULL) - pmd[SSL_PKEY_GOST12_512] = - EVP_get_digestbynid(NID_id_GostR3411_2012_512); -#endif + /* If not disabled indicate we can explicitly sign */ + if (pvalid[idx] == 0 && tls12_get_pkey_idx(sigptr->sig) != -1) + pvalid[sigptr->sig_idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; } return 1; } @@ -2020,7 +1969,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; skip_sigs: /* Check cert parameters are consistent */ - if (tls1_check_cert_param(s, x, check_flags ? 1 : 2)) + if (tls1_check_cert_param(s, x, 1)) rv |= CERT_PKEY_EE_PARAM; else if (!check_flags) goto end; @@ -2103,12 +2052,9 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, end: - if (TLS1_get_version(s) >= TLS1_2_VERSION) { - if (*pvalid & CERT_PKEY_EXPLICIT_SIGN) - rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; - else if (s->s3->tmp.md[idx] != NULL) - rv |= CERT_PKEY_SIGN; - } else + if (TLS1_get_version(s) >= TLS1_2_VERSION) + rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN); + else rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; /* @@ -2116,11 +2062,11 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, * chain is invalid. */ if (!check_flags) { - if (rv & CERT_PKEY_VALID) + if (rv & CERT_PKEY_VALID) { *pvalid = rv; - else { - /* Preserve explicit sign flag, clear rest */ - *pvalid &= CERT_PKEY_EXPLICIT_SIGN; + } else { + /* Preserve sign and explicit sign flag, clear rest */ + *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; return 0; } } diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t index e543418..0588797 100755 --- a/test/recipes/70-test_sslsigalgs.t +++ b/test/recipes/70-test_sslsigalgs.t @@ -48,7 +48,7 @@ use constant { #Test 1: Default sig algs should succeed $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 15; +plan tests => 16; ok(TLSProxy::Message->success, "Default sigalgs"); my $testtype; @@ -183,6 +183,18 @@ SKIP: { $proxy->start(); ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs"); $proxy->filter(\&sigalgs_filter); + + #Test 16: No sig algs extension, ECDSA cert, TLSv1.2 should succeed + $proxy->clear(); + $testtype = NO_SIG_ALGS_EXT; + $proxy->clientflags("-no_tls1_3"); + $proxy->serverflags("-cert " . srctop_file("test", "certs", + "server-ecdsa-cert.pem") . + " -key " . srctop_file("test", "certs", + "server-ecdsa-key.pem")), + $proxy->ciphers("ECDHE-ECDSA-AES128-SHA:TLS13-AES-128-GCM-SHA256"); + $proxy->start(); + ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA"); } _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits