Alexandre Lision | f26d3e5 | 2014-04-14 16:22:31 -0400 | [diff] [blame] | 1 | From 3a8c7b1a08b2766a7f8a388eee14442281b4e295 Mon Sep 17 00:00:00 2001 |
| 2 | From: Adam Langley <agl@chromium.org> |
| 3 | Date: Thu, 24 Jan 2013 16:27:14 -0500 |
| 4 | Subject: [PATCH 19/36] tls12_digests |
| 5 | |
| 6 | Fixes a bug with handling TLS 1.2 and digest functions for DSA and ECDSA |
| 7 | keys. |
| 8 | --- |
| 9 | ssl/s3_clnt.c | 26 +++++++++++++-- |
| 10 | ssl/ssl3.h | 11 +++++- |
| 11 | ssl/ssl_cert.c | 20 ----------- |
| 12 | ssl/ssl_lib.c | 35 +++++++++++-------- |
| 13 | ssl/ssl_locl.h | 4 +-- |
| 14 | ssl/t1_lib.c | 104 ++++++++++++++++++++------------------------------------- |
| 15 | 6 files changed, 94 insertions(+), 106 deletions(-) |
| 16 | |
| 17 | diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c |
| 18 | index c9196b3..1f3b376 100644 |
| 19 | --- a/ssl/s3_clnt.c |
| 20 | +++ b/ssl/s3_clnt.c |
| 21 | @@ -1990,12 +1990,13 @@ int ssl3_get_certificate_request(SSL *s) |
| 22 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG); |
| 23 | goto err; |
| 24 | } |
| 25 | - if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) |
| 26 | + if (llen & 1) |
| 27 | { |
| 28 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); |
| 29 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR); |
| 30 | goto err; |
| 31 | } |
| 32 | + tls1_process_sigalgs(s, p, llen); |
| 33 | p += llen; |
| 34 | } |
| 35 | |
| 36 | @@ -3017,7 +3018,28 @@ int ssl3_send_client_verify(SSL *s) |
| 37 | { |
| 38 | long hdatalen = 0; |
| 39 | void *hdata; |
| 40 | - const EVP_MD *md = s->cert->key->digest; |
| 41 | + const EVP_MD *md; |
| 42 | + switch (ssl_cert_type(NULL, pkey)) |
| 43 | + { |
| 44 | + case SSL_PKEY_RSA_ENC: |
| 45 | + md = s->s3->digest_rsa; |
| 46 | + break; |
| 47 | + case SSL_PKEY_DSA_SIGN: |
| 48 | + md = s->s3->digest_dsa; |
| 49 | + break; |
| 50 | + case SSL_PKEY_ECC: |
| 51 | + md = s->s3->digest_ecdsa; |
| 52 | + break; |
| 53 | + default: |
| 54 | + md = NULL; |
| 55 | + } |
| 56 | + if (!md) |
| 57 | + /* Unlike with the SignatureAlgorithm extension (sent by clients), |
| 58 | + * there are no default algorithms for the CertificateRequest message |
| 59 | + * (sent by servers). However, now that we've sent a certificate |
| 60 | + * for which we don't really know what hash to use for signing, the |
| 61 | + * best we can do is try a default algorithm. */ |
| 62 | + md = EVP_sha1(); |
| 63 | hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, |
| 64 | &hdata); |
| 65 | if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) |
| 66 | diff --git a/ssl/ssl3.h b/ssl/ssl3.h |
| 67 | index 29098e4..3229995 100644 |
| 68 | --- a/ssl/ssl3.h |
| 69 | +++ b/ssl/ssl3.h |
| 70 | @@ -550,6 +550,16 @@ typedef struct ssl3_state_st |
| 71 | * verified Channel ID from the client: a P256 point, (x,y), where |
| 72 | * each are big-endian values. */ |
| 73 | unsigned char tlsext_channel_id[64]; |
| 74 | + |
| 75 | + /* These point to the digest function to use for signatures made with |
| 76 | + * each type of public key. A NULL value indicates that the default |
| 77 | + * digest should be used, which is SHA1 as of TLS 1.2. |
| 78 | + * |
| 79 | + * (These should be in the tmp member, but we have to put them here to |
| 80 | + * ensure binary compatibility with earlier OpenSSL 1.0.* releases.) */ |
| 81 | + const EVP_MD *digest_rsa; |
| 82 | + const EVP_MD *digest_dsa; |
| 83 | + const EVP_MD *digest_ecdsa; |
| 84 | } SSL3_STATE; |
| 85 | |
| 86 | #endif |
| 87 | @@ -700,4 +710,3 @@ typedef struct ssl3_state_st |
| 88 | } |
| 89 | #endif |
| 90 | #endif |
| 91 | - |
| 92 | diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c |
| 93 | index 5123a89..bc4150b 100644 |
| 94 | --- a/ssl/ssl_cert.c |
| 95 | +++ b/ssl/ssl_cert.c |
| 96 | @@ -160,21 +160,6 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void) |
| 97 | return ssl_x509_store_ctx_idx; |
| 98 | } |
| 99 | |
| 100 | -static void ssl_cert_set_default_md(CERT *cert) |
| 101 | - { |
| 102 | - /* Set digest values to defaults */ |
| 103 | -#ifndef OPENSSL_NO_DSA |
| 104 | - cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); |
| 105 | -#endif |
| 106 | -#ifndef OPENSSL_NO_RSA |
| 107 | - cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); |
| 108 | - cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); |
| 109 | -#endif |
| 110 | -#ifndef OPENSSL_NO_ECDSA |
| 111 | - cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); |
| 112 | -#endif |
| 113 | - } |
| 114 | - |
| 115 | CERT *ssl_cert_new(void) |
| 116 | { |
| 117 | CERT *ret; |
| 118 | @@ -189,7 +174,6 @@ CERT *ssl_cert_new(void) |
| 119 | |
| 120 | ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]); |
| 121 | ret->references=1; |
| 122 | - ssl_cert_set_default_md(ret); |
| 123 | return(ret); |
| 124 | } |
| 125 | |
| 126 | @@ -322,10 +306,6 @@ CERT *ssl_cert_dup(CERT *cert) |
| 127 | * chain is held inside SSL_CTX */ |
| 128 | |
| 129 | ret->references=1; |
| 130 | - /* Set digests to defaults. NB: we don't copy existing values as they |
| 131 | - * will be set during handshake. |
| 132 | - */ |
| 133 | - ssl_cert_set_default_md(ret); |
| 134 | |
| 135 | return(ret); |
| 136 | |
| 137 | diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c |
| 138 | index 5f8b0b0..e360550 100644 |
| 139 | --- a/ssl/ssl_lib.c |
| 140 | +++ b/ssl/ssl_lib.c |
| 141 | @@ -2345,32 +2345,41 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) |
| 142 | { |
| 143 | unsigned long alg_a; |
| 144 | CERT *c; |
| 145 | - int idx = -1; |
| 146 | |
| 147 | alg_a = cipher->algorithm_auth; |
| 148 | c=s->cert; |
| 149 | |
| 150 | + /* SHA1 is the default for all signature algorithms up to TLS 1.2, |
| 151 | + * except RSA which is handled specially in s3_srvr.c */ |
| 152 | + if (pmd) |
| 153 | + *pmd = EVP_sha1(); |
| 154 | + |
| 155 | if ((alg_a & SSL_aDSS) && |
| 156 | - (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) |
| 157 | - idx = SSL_PKEY_DSA_SIGN; |
| 158 | + (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) |
| 159 | + { |
| 160 | + if (pmd && s->s3 && s->s3->digest_dsa) |
| 161 | + *pmd = s->s3->digest_dsa; |
| 162 | + return c->pkeys[SSL_PKEY_DSA_SIGN].privatekey; |
| 163 | + } |
| 164 | else if (alg_a & SSL_aRSA) |
| 165 | { |
| 166 | + if (pmd && s->s3 && s->s3->digest_rsa) |
| 167 | + *pmd = s->s3->digest_rsa; |
| 168 | if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) |
| 169 | - idx = SSL_PKEY_RSA_SIGN; |
| 170 | - else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) |
| 171 | - idx = SSL_PKEY_RSA_ENC; |
| 172 | + return c->pkeys[SSL_PKEY_RSA_SIGN].privatekey; |
| 173 | + if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) |
| 174 | + return c->pkeys[SSL_PKEY_RSA_ENC].privatekey; |
| 175 | } |
| 176 | else if ((alg_a & SSL_aECDSA) && |
| 177 | (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) |
| 178 | - idx = SSL_PKEY_ECC; |
| 179 | - if (idx == -1) |
| 180 | { |
| 181 | - SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); |
| 182 | - return(NULL); |
| 183 | + if (pmd && s->s3 && s->s3->digest_ecdsa) |
| 184 | + *pmd = s->s3->digest_ecdsa; |
| 185 | + return c->pkeys[SSL_PKEY_ECC].privatekey; |
| 186 | } |
| 187 | - if (pmd) |
| 188 | - *pmd = c->pkeys[idx].digest; |
| 189 | - return c->pkeys[idx].privatekey; |
| 190 | + |
| 191 | + SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); |
| 192 | + return(NULL); |
| 193 | } |
| 194 | |
| 195 | void ssl_update_cache(SSL *s,int mode) |
| 196 | diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h |
| 197 | index 6d38f0f..3e89fcb 100644 |
| 198 | --- a/ssl/ssl_locl.h |
| 199 | +++ b/ssl/ssl_locl.h |
| 200 | @@ -485,8 +485,6 @@ typedef struct cert_pkey_st |
| 201 | { |
| 202 | X509 *x509; |
| 203 | EVP_PKEY *privatekey; |
| 204 | - /* Digest to use when signing */ |
| 205 | - const EVP_MD *digest; |
| 206 | } CERT_PKEY; |
| 207 | |
| 208 | typedef struct cert_st |
| 209 | @@ -1142,7 +1140,7 @@ int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, |
| 210 | int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, |
| 211 | int *al); |
| 212 | long ssl_get_algorithm2(SSL *s); |
| 213 | -int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize); |
| 214 | +void tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize); |
| 215 | int tls12_get_req_sig_algs(SSL *s, unsigned char *p); |
| 216 | |
| 217 | int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); |
| 218 | diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c |
| 219 | index 26805e4..6af51a9 100644 |
| 220 | --- a/ssl/t1_lib.c |
| 221 | +++ b/ssl/t1_lib.c |
| 222 | @@ -897,6 +897,13 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in |
| 223 | |
| 224 | s->servername_done = 0; |
| 225 | s->tlsext_status_type = -1; |
| 226 | + |
| 227 | + /* Reset TLS 1.2 digest functions to defaults because they don't carry |
| 228 | + * over to a renegotiation. */ |
| 229 | + s->s3->digest_rsa = NULL; |
| 230 | + s->s3->digest_dsa = NULL; |
| 231 | + s->s3->digest_ecdsa = NULL; |
| 232 | + |
| 233 | #ifndef OPENSSL_NO_NEXTPROTONEG |
| 234 | s->s3->next_proto_neg_seen = 0; |
| 235 | #endif |
| 236 | @@ -1198,11 +1205,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in |
| 237 | *al = SSL_AD_DECODE_ERROR; |
| 238 | return 0; |
| 239 | } |
| 240 | - if (!tls1_process_sigalgs(s, data, dsize)) |
| 241 | - { |
| 242 | - *al = SSL_AD_DECODE_ERROR; |
| 243 | - return 0; |
| 244 | - } |
| 245 | + tls1_process_sigalgs(s, data, dsize); |
| 246 | } |
| 247 | else if (type == TLSEXT_TYPE_status_request && |
| 248 | s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) |
| 249 | @@ -2354,18 +2357,6 @@ static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) |
| 250 | } |
| 251 | return -1; |
| 252 | } |
| 253 | -#if 0 |
| 254 | -static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) |
| 255 | - { |
| 256 | - size_t i; |
| 257 | - for (i = 0; i < tlen; i++) |
| 258 | - { |
| 259 | - if (table[i].id == id) |
| 260 | - return table[i].nid; |
| 261 | - } |
| 262 | - return -1; |
| 263 | - } |
| 264 | -#endif |
| 265 | |
| 266 | int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) |
| 267 | { |
| 268 | @@ -2384,6 +2375,8 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) |
| 269 | return 1; |
| 270 | } |
| 271 | |
| 272 | +/* tls12_get_sigid returns the TLS 1.2 SignatureAlgorithm value corresponding |
| 273 | + * to the given public key, or -1 if not known. */ |
| 274 | int tls12_get_sigid(const EVP_PKEY *pk) |
| 275 | { |
| 276 | return tls12_find_id(pk->type, tls12_sig, |
| 277 | @@ -2403,47 +2396,49 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg) |
| 278 | return EVP_md5(); |
| 279 | #endif |
| 280 | #ifndef OPENSSL_NO_SHA |
| 281 | - case TLSEXT_hash_sha1: |
| 282 | + case TLSEXT_hash_sha1: |
| 283 | return EVP_sha1(); |
| 284 | #endif |
| 285 | #ifndef OPENSSL_NO_SHA256 |
| 286 | - case TLSEXT_hash_sha224: |
| 287 | + case TLSEXT_hash_sha224: |
| 288 | return EVP_sha224(); |
| 289 | |
| 290 | - case TLSEXT_hash_sha256: |
| 291 | + case TLSEXT_hash_sha256: |
| 292 | return EVP_sha256(); |
| 293 | #endif |
| 294 | #ifndef OPENSSL_NO_SHA512 |
| 295 | - case TLSEXT_hash_sha384: |
| 296 | + case TLSEXT_hash_sha384: |
| 297 | return EVP_sha384(); |
| 298 | |
| 299 | - case TLSEXT_hash_sha512: |
| 300 | + case TLSEXT_hash_sha512: |
| 301 | return EVP_sha512(); |
| 302 | #endif |
| 303 | - default: |
| 304 | + default: |
| 305 | return NULL; |
| 306 | |
| 307 | } |
| 308 | } |
| 309 | |
| 310 | -/* Set preferred digest for each key type */ |
| 311 | - |
| 312 | -int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) |
| 313 | +/* tls1_process_sigalgs processes a signature_algorithms extension and sets the |
| 314 | + * digest functions accordingly for each key type. |
| 315 | + * |
| 316 | + * See RFC 5246, section 7.4.1.4.1. |
| 317 | + * |
| 318 | + * data: points to the content of the extension, not including type and length |
| 319 | + * headers. |
| 320 | + * dsize: the number of bytes of |data|. Must be even. |
| 321 | + */ |
| 322 | +void tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) |
| 323 | { |
| 324 | - int i, idx; |
| 325 | - const EVP_MD *md; |
| 326 | - CERT *c = s->cert; |
| 327 | + int i; |
| 328 | + const EVP_MD *md, **digest_ptr; |
| 329 | /* Extension ignored for TLS versions below 1.2 */ |
| 330 | if (TLS1_get_version(s) < TLS1_2_VERSION) |
| 331 | - return 1; |
| 332 | - /* Should never happen */ |
| 333 | - if (!c) |
| 334 | - return 0; |
| 335 | + return; |
| 336 | |
| 337 | - c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; |
| 338 | - c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; |
| 339 | - c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; |
| 340 | - c->pkeys[SSL_PKEY_ECC].digest = NULL; |
| 341 | + s->s3->digest_rsa = NULL; |
| 342 | + s->s3->digest_dsa = NULL; |
| 343 | + s->s3->digest_ecdsa = NULL; |
| 344 | |
| 345 | for (i = 0; i < dsize; i += 2) |
| 346 | { |
| 347 | @@ -2453,56 +2448,31 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) |
| 348 | { |
| 349 | #ifndef OPENSSL_NO_RSA |
| 350 | case TLSEXT_signature_rsa: |
| 351 | - idx = SSL_PKEY_RSA_SIGN; |
| 352 | + digest_ptr = &s->s3->digest_rsa; |
| 353 | break; |
| 354 | #endif |
| 355 | #ifndef OPENSSL_NO_DSA |
| 356 | case TLSEXT_signature_dsa: |
| 357 | - idx = SSL_PKEY_DSA_SIGN; |
| 358 | + digest_ptr = &s->s3->digest_dsa; |
| 359 | break; |
| 360 | #endif |
| 361 | #ifndef OPENSSL_NO_ECDSA |
| 362 | case TLSEXT_signature_ecdsa: |
| 363 | - idx = SSL_PKEY_ECC; |
| 364 | + digest_ptr = &s->s3->digest_ecdsa; |
| 365 | break; |
| 366 | #endif |
| 367 | default: |
| 368 | continue; |
| 369 | } |
| 370 | |
| 371 | - if (c->pkeys[idx].digest == NULL) |
| 372 | + if (*digest_ptr == NULL) |
| 373 | { |
| 374 | md = tls12_get_hash(hash_alg); |
| 375 | if (md) |
| 376 | - { |
| 377 | - c->pkeys[idx].digest = md; |
| 378 | - if (idx == SSL_PKEY_RSA_SIGN) |
| 379 | - c->pkeys[SSL_PKEY_RSA_ENC].digest = md; |
| 380 | - } |
| 381 | + *digest_ptr = md; |
| 382 | } |
| 383 | |
| 384 | } |
| 385 | - |
| 386 | - |
| 387 | - /* Set any remaining keys to default values. NOTE: if alg is not |
| 388 | - * supported it stays as NULL. |
| 389 | - */ |
| 390 | -#ifndef OPENSSL_NO_DSA |
| 391 | - if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) |
| 392 | - c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); |
| 393 | -#endif |
| 394 | -#ifndef OPENSSL_NO_RSA |
| 395 | - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) |
| 396 | - { |
| 397 | - c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); |
| 398 | - c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); |
| 399 | - } |
| 400 | -#endif |
| 401 | -#ifndef OPENSSL_NO_ECDSA |
| 402 | - if (!c->pkeys[SSL_PKEY_ECC].digest) |
| 403 | - c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); |
| 404 | -#endif |
| 405 | - return 1; |
| 406 | } |
| 407 | |
| 408 | #endif |
| 409 | -- |
| 410 | 1.8.2.1 |
| 411 | |