Remove TLS strict mode.

It's new in OpenSSL 1.0.2 so it's never set by existing code. This removes gobs
and gobs of complexity from tls1_check_chain. It only checks the local
certificate, not the peer certificate. The uses appear to be:

- Sanity-check configuration. Not worth the complexity.

- Guide in selecting ciphers based on ClientHello parameters and which
  certificates in the CERT_PKEY are compatible. This isn't very useful one its
  own since the CERT_PKEY array only stores one slot per type (e.g. you cannot
  configure RSA/SHA-1 and RSA/SHA-256).

- For the (currently removed) SSL_check_chain to return more information based
  on ClientHello parameters and guide selecting a certificate. This is
  potentially useful but, as noted in the commit which removed it, redundant
  with ssl_early_callback_ctx.

This CL is largely mechanical removing of dead codepaths. The follow-up will
clean up the now unnecessary parts of this function.

Change-Id: I2ebfa17e4f73e59aa1ee9e4ae7f615af2c6cf590
Reviewed-on: https://boringssl-review.googlesource.com/2285
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2014-11-13 15:53:52 -05:00 committed by Adam Langley
parent 1ad868176d
commit 253b3e76dc
3 changed files with 11 additions and 192 deletions

View File

@ -2348,11 +2348,6 @@ static int ssl3_check_client_certificate(SSL *s)
/* If no suitable signature algorithm can't use certificate */ /* If no suitable signature algorithm can't use certificate */
if (SSL_USE_SIGALGS(s) && !s->cert->key->digest) if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
return 0; return 0;
/* If strict mode check suitability of chain before using it.
*/
if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
!tls1_check_chain(s, s->cert->key - s->cert->pkeys))
return 0;
return 1; return 1;
} }

View File

@ -457,9 +457,6 @@ typedef struct cert_pkey_st
int valid_flags; int valid_flags;
} CERT_PKEY; } CERT_PKEY;
#define SSL_CERT_FLAGS_CHECK_TLS_STRICT \
SSL_CERT_FLAG_TLS_STRICT
typedef struct cert_st typedef struct cert_st
{ {
/* Current active set */ /* Current active set */

View File

@ -808,8 +808,8 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert,
if (hash == sent_sigs[0] && signature == sent_sigs[1]) if (hash == sent_sigs[0] && signature == sent_sigs[1])
break; break;
} }
/* Allow fallback to SHA1 if not strict mode */ /* Allow fallback to SHA-1. */
if (i == sent_sigslen && (hash != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) if (i == sent_sigslen && hash != TLSEXT_hash_sha1)
{ {
OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE); OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
*out_alert = SSL_AD_ILLEGAL_PARAMETER; *out_alert = SSL_AD_ILLEGAL_PARAMETER;
@ -2745,22 +2745,17 @@ int tls1_process_sigalgs(SSL *s, const CBS *sigalgs)
} }
} }
/* In strict mode leave unset digests as NULL to indicate we can't
* use the certificate for signing. /* Set any remaining keys to default values. NOTE: if alg is
* not supported it stays as NULL.
*/ */
if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
{ {
/* Set any remaining keys to default values. NOTE: if alg is c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
* not supported it stays as NULL. c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
*/
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
{
c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
}
if (!c->pkeys[SSL_PKEY_ECC].digest)
c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
} }
if (!c->pkeys[SSL_PKEY_ECC].digest)
c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
return 1; return 1;
} }
@ -2921,125 +2916,25 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
return 0; return 0;
} }
static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
{
int sig_nid;
size_t i;
if (default_nid == -1)
return 1;
sig_nid = X509_get_signature_nid(x);
if (default_nid)
return sig_nid == default_nid ? 1 : 0;
for (i = 0; i < c->shared_sigalgslen; i++)
if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
return 1;
return 0;
}
/* Check to see if a certificate issuer name matches list of CA names */
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
{
X509_NAME *nm;
size_t i;
nm = X509_get_issuer_name(x);
for (i = 0; i < sk_X509_NAME_num(names); i++)
{
if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
return 1;
}
return 0;
}
/* Check certificate chain is consistent with TLS extensions and is usable by /* Check certificate chain is consistent with TLS extensions and is usable by
* server. This allows the server to check chains before attempting to use them. * server. This allows the server to check chains before attempting to use them.
*/ */
int tls1_check_chain(SSL *s, int idx) int tls1_check_chain(SSL *s, int idx)
{ {
size_t i;
int rv = 0; int rv = 0;
int strict_mode;
CERT_PKEY *cpk = NULL; CERT_PKEY *cpk = NULL;
CERT *c = s->cert; CERT *c = s->cert;
X509 *x; X509 *x;
EVP_PKEY *pk; EVP_PKEY *pk;
STACK_OF(X509) *chain;
cpk = c->pkeys + idx; cpk = c->pkeys + idx;
x = cpk->x509; x = cpk->x509;
pk = cpk->privatekey; pk = cpk->privatekey;
chain = cpk->chain;
strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
/* If no cert or key, forget it */ /* If no cert or key, forget it */
if (!x || !pk) if (!x || !pk)
goto end; goto end;
/* Check all signature algorithms are consistent with
* signature algorithms extension if TLS 1.2 or later
* and strict mode.
*/
if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
{
int default_nid;
unsigned char rsign = 0;
if (c->peer_sigalgs)
default_nid = 0;
/* If no sigalgs extension use defaults from RFC5246 */
else
{
switch(idx)
{
case SSL_PKEY_RSA_ENC:
case SSL_PKEY_RSA_SIGN:
rsign = TLSEXT_signature_rsa;
default_nid = NID_sha1WithRSAEncryption;
break;
case SSL_PKEY_ECC:
rsign = TLSEXT_signature_ecdsa;
default_nid = NID_ecdsa_with_SHA1;
break;
default:
default_nid = -1;
break;
}
}
/* If peer sent no signature algorithms extension and we
* have set preferred signature algorithms check we support
* sha1.
*/
if (default_nid > 0 && c->conf_sigalgs)
{
size_t j;
const unsigned char *p = c->conf_sigalgs;
for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
{
if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
break;
}
if (j == c->conf_sigalgslen)
{
goto end;
}
}
/* Check signature algorithm of each cert in chain */
if (!tls1_check_sig_alg(c, x, default_nid))
{
goto end;
}
else
rv |= CERT_PKEY_EE_SIGNATURE;
rv |= CERT_PKEY_CA_SIGNATURE;
for (i = 0; i < sk_X509_num(chain); i++)
{
if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
default_nid))
{
goto end;
}
}
}
/* Check cert parameters are consistent */ /* Check cert parameters are consistent */
if (tls1_check_cert_param(s, x, 2)) if (tls1_check_cert_param(s, x, 2))
rv |= CERT_PKEY_EE_PARAM; rv |= CERT_PKEY_EE_PARAM;
@ -3047,75 +2942,7 @@ int tls1_check_chain(SSL *s, int idx)
goto end; goto end;
if (!s->server) if (!s->server)
rv |= CERT_PKEY_CA_PARAM; rv |= CERT_PKEY_CA_PARAM;
/* In strict mode check rest of chain too */ rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE|CERT_PKEY_VALID;
else if (strict_mode)
{
rv |= CERT_PKEY_CA_PARAM;
for (i = 0; i < sk_X509_num(chain); i++)
{
X509 *ca = sk_X509_value(chain, i);
if (!tls1_check_cert_param(s, ca, 0))
{
goto end;
}
}
}
if (!s->server && strict_mode)
{
STACK_OF(X509_NAME) *ca_dn;
uint8_t check_type = 0;
switch (pk->type)
{
case EVP_PKEY_RSA:
check_type = TLS_CT_RSA_SIGN;
break;
case EVP_PKEY_EC:
check_type = TLS_CT_ECDSA_SIGN;
break;
}
if (check_type)
{
if (s->s3->tmp.certificate_types &&
memchr(s->s3->tmp.certificate_types, check_type, s->s3->tmp.num_certificate_types))
{
rv |= CERT_PKEY_CERT_TYPE;
}
if (!(rv & CERT_PKEY_CERT_TYPE))
goto end;
}
else
rv |= CERT_PKEY_CERT_TYPE;
ca_dn = s->s3->tmp.ca_names;
if (!sk_X509_NAME_num(ca_dn))
rv |= CERT_PKEY_ISSUER_NAME;
if (!(rv & CERT_PKEY_ISSUER_NAME))
{
if (ssl_check_ca_name(ca_dn, x))
rv |= CERT_PKEY_ISSUER_NAME;
}
if (!(rv & CERT_PKEY_ISSUER_NAME))
{
for (i = 0; i < sk_X509_num(chain); i++)
{
X509 *xtmp = sk_X509_value(chain, i);
if (ssl_check_ca_name(ca_dn, xtmp))
{
rv |= CERT_PKEY_ISSUER_NAME;
break;
}
}
}
if (!(rv & CERT_PKEY_ISSUER_NAME))
goto end;
}
else
rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
rv |= CERT_PKEY_VALID;
end: end: