Remove TLS strict mode.
It's new in OpenSSL 1.0.2 so it's never set by existing code. This removes gobs and gobs of complexity from tls1_check_chain. It only checks the local certificate, not the peer certificate. The uses appear to be: - Sanity-check configuration. Not worth the complexity. - Guide in selecting ciphers based on ClientHello parameters and which certificates in the CERT_PKEY are compatible. This isn't very useful one its own since the CERT_PKEY array only stores one slot per type (e.g. you cannot configure RSA/SHA-1 and RSA/SHA-256). - For the (currently removed) SSL_check_chain to return more information based on ClientHello parameters and guide selecting a certificate. This is potentially useful but, as noted in the commit which removed it, redundant with ssl_early_callback_ctx. This CL is largely mechanical removing of dead codepaths. The follow-up will clean up the now unnecessary parts of this function. Change-Id: I2ebfa17e4f73e59aa1ee9e4ae7f615af2c6cf590 Reviewed-on: https://boringssl-review.googlesource.com/2285 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
1ad868176d
commit
253b3e76dc
@ -2348,11 +2348,6 @@ static int ssl3_check_client_certificate(SSL *s)
|
|||||||
/* If no suitable signature algorithm can't use certificate */
|
/* If no suitable signature algorithm can't use certificate */
|
||||||
if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
|
if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
|
||||||
return 0;
|
return 0;
|
||||||
/* If strict mode check suitability of chain before using it.
|
|
||||||
*/
|
|
||||||
if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
|
|
||||||
!tls1_check_chain(s, s->cert->key - s->cert->pkeys))
|
|
||||||
return 0;
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -457,9 +457,6 @@ typedef struct cert_pkey_st
|
|||||||
int valid_flags;
|
int valid_flags;
|
||||||
} CERT_PKEY;
|
} CERT_PKEY;
|
||||||
|
|
||||||
#define SSL_CERT_FLAGS_CHECK_TLS_STRICT \
|
|
||||||
SSL_CERT_FLAG_TLS_STRICT
|
|
||||||
|
|
||||||
typedef struct cert_st
|
typedef struct cert_st
|
||||||
{
|
{
|
||||||
/* Current active set */
|
/* Current active set */
|
||||||
|
195
ssl/t1_lib.c
195
ssl/t1_lib.c
@ -808,8 +808,8 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert,
|
|||||||
if (hash == sent_sigs[0] && signature == sent_sigs[1])
|
if (hash == sent_sigs[0] && signature == sent_sigs[1])
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
/* Allow fallback to SHA1 if not strict mode */
|
/* Allow fallback to SHA-1. */
|
||||||
if (i == sent_sigslen && (hash != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
|
if (i == sent_sigslen && hash != TLSEXT_hash_sha1)
|
||||||
{
|
{
|
||||||
OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
|
OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
|
||||||
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
||||||
@ -2745,22 +2745,17 @@ int tls1_process_sigalgs(SSL *s, const CBS *sigalgs)
|
|||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
/* In strict mode leave unset digests as NULL to indicate we can't
|
|
||||||
* use the certificate for signing.
|
/* Set any remaining keys to default values. NOTE: if alg is
|
||||||
|
* not supported it stays as NULL.
|
||||||
*/
|
*/
|
||||||
if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
|
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
|
||||||
{
|
{
|
||||||
/* Set any remaining keys to default values. NOTE: if alg is
|
c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
|
||||||
* not supported it stays as NULL.
|
c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
|
||||||
*/
|
|
||||||
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
|
|
||||||
{
|
|
||||||
c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
|
|
||||||
c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
|
|
||||||
}
|
|
||||||
if (!c->pkeys[SSL_PKEY_ECC].digest)
|
|
||||||
c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
|
|
||||||
}
|
}
|
||||||
|
if (!c->pkeys[SSL_PKEY_ECC].digest)
|
||||||
|
c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2921,125 +2916,25 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
|
|
||||||
{
|
|
||||||
int sig_nid;
|
|
||||||
size_t i;
|
|
||||||
if (default_nid == -1)
|
|
||||||
return 1;
|
|
||||||
sig_nid = X509_get_signature_nid(x);
|
|
||||||
if (default_nid)
|
|
||||||
return sig_nid == default_nid ? 1 : 0;
|
|
||||||
for (i = 0; i < c->shared_sigalgslen; i++)
|
|
||||||
if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
|
|
||||||
return 1;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
/* Check to see if a certificate issuer name matches list of CA names */
|
|
||||||
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
|
|
||||||
{
|
|
||||||
X509_NAME *nm;
|
|
||||||
size_t i;
|
|
||||||
nm = X509_get_issuer_name(x);
|
|
||||||
for (i = 0; i < sk_X509_NAME_num(names); i++)
|
|
||||||
{
|
|
||||||
if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check certificate chain is consistent with TLS extensions and is usable by
|
/* Check certificate chain is consistent with TLS extensions and is usable by
|
||||||
* server. This allows the server to check chains before attempting to use them.
|
* server. This allows the server to check chains before attempting to use them.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
int tls1_check_chain(SSL *s, int idx)
|
int tls1_check_chain(SSL *s, int idx)
|
||||||
{
|
{
|
||||||
size_t i;
|
|
||||||
int rv = 0;
|
int rv = 0;
|
||||||
int strict_mode;
|
|
||||||
CERT_PKEY *cpk = NULL;
|
CERT_PKEY *cpk = NULL;
|
||||||
CERT *c = s->cert;
|
CERT *c = s->cert;
|
||||||
X509 *x;
|
X509 *x;
|
||||||
EVP_PKEY *pk;
|
EVP_PKEY *pk;
|
||||||
STACK_OF(X509) *chain;
|
|
||||||
|
|
||||||
cpk = c->pkeys + idx;
|
cpk = c->pkeys + idx;
|
||||||
x = cpk->x509;
|
x = cpk->x509;
|
||||||
pk = cpk->privatekey;
|
pk = cpk->privatekey;
|
||||||
chain = cpk->chain;
|
|
||||||
strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
|
|
||||||
/* If no cert or key, forget it */
|
/* If no cert or key, forget it */
|
||||||
if (!x || !pk)
|
if (!x || !pk)
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
/* Check all signature algorithms are consistent with
|
|
||||||
* signature algorithms extension if TLS 1.2 or later
|
|
||||||
* and strict mode.
|
|
||||||
*/
|
|
||||||
if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
|
|
||||||
{
|
|
||||||
int default_nid;
|
|
||||||
unsigned char rsign = 0;
|
|
||||||
if (c->peer_sigalgs)
|
|
||||||
default_nid = 0;
|
|
||||||
/* If no sigalgs extension use defaults from RFC5246 */
|
|
||||||
else
|
|
||||||
{
|
|
||||||
switch(idx)
|
|
||||||
{
|
|
||||||
case SSL_PKEY_RSA_ENC:
|
|
||||||
case SSL_PKEY_RSA_SIGN:
|
|
||||||
rsign = TLSEXT_signature_rsa;
|
|
||||||
default_nid = NID_sha1WithRSAEncryption;
|
|
||||||
break;
|
|
||||||
|
|
||||||
case SSL_PKEY_ECC:
|
|
||||||
rsign = TLSEXT_signature_ecdsa;
|
|
||||||
default_nid = NID_ecdsa_with_SHA1;
|
|
||||||
break;
|
|
||||||
|
|
||||||
default:
|
|
||||||
default_nid = -1;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
/* If peer sent no signature algorithms extension and we
|
|
||||||
* have set preferred signature algorithms check we support
|
|
||||||
* sha1.
|
|
||||||
*/
|
|
||||||
if (default_nid > 0 && c->conf_sigalgs)
|
|
||||||
{
|
|
||||||
size_t j;
|
|
||||||
const unsigned char *p = c->conf_sigalgs;
|
|
||||||
for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
|
|
||||||
{
|
|
||||||
if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (j == c->conf_sigalgslen)
|
|
||||||
{
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
/* Check signature algorithm of each cert in chain */
|
|
||||||
if (!tls1_check_sig_alg(c, x, default_nid))
|
|
||||||
{
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
rv |= CERT_PKEY_EE_SIGNATURE;
|
|
||||||
rv |= CERT_PKEY_CA_SIGNATURE;
|
|
||||||
for (i = 0; i < sk_X509_num(chain); i++)
|
|
||||||
{
|
|
||||||
if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
|
|
||||||
default_nid))
|
|
||||||
{
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check cert parameters are consistent */
|
/* Check cert parameters are consistent */
|
||||||
if (tls1_check_cert_param(s, x, 2))
|
if (tls1_check_cert_param(s, x, 2))
|
||||||
rv |= CERT_PKEY_EE_PARAM;
|
rv |= CERT_PKEY_EE_PARAM;
|
||||||
@ -3047,75 +2942,7 @@ int tls1_check_chain(SSL *s, int idx)
|
|||||||
goto end;
|
goto end;
|
||||||
if (!s->server)
|
if (!s->server)
|
||||||
rv |= CERT_PKEY_CA_PARAM;
|
rv |= CERT_PKEY_CA_PARAM;
|
||||||
/* In strict mode check rest of chain too */
|
rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE|CERT_PKEY_VALID;
|
||||||
else if (strict_mode)
|
|
||||||
{
|
|
||||||
rv |= CERT_PKEY_CA_PARAM;
|
|
||||||
for (i = 0; i < sk_X509_num(chain); i++)
|
|
||||||
{
|
|
||||||
X509 *ca = sk_X509_value(chain, i);
|
|
||||||
if (!tls1_check_cert_param(s, ca, 0))
|
|
||||||
{
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (!s->server && strict_mode)
|
|
||||||
{
|
|
||||||
STACK_OF(X509_NAME) *ca_dn;
|
|
||||||
uint8_t check_type = 0;
|
|
||||||
switch (pk->type)
|
|
||||||
{
|
|
||||||
case EVP_PKEY_RSA:
|
|
||||||
check_type = TLS_CT_RSA_SIGN;
|
|
||||||
break;
|
|
||||||
case EVP_PKEY_EC:
|
|
||||||
check_type = TLS_CT_ECDSA_SIGN;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (check_type)
|
|
||||||
{
|
|
||||||
if (s->s3->tmp.certificate_types &&
|
|
||||||
memchr(s->s3->tmp.certificate_types, check_type, s->s3->tmp.num_certificate_types))
|
|
||||||
{
|
|
||||||
rv |= CERT_PKEY_CERT_TYPE;
|
|
||||||
}
|
|
||||||
if (!(rv & CERT_PKEY_CERT_TYPE))
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
rv |= CERT_PKEY_CERT_TYPE;
|
|
||||||
|
|
||||||
|
|
||||||
ca_dn = s->s3->tmp.ca_names;
|
|
||||||
|
|
||||||
if (!sk_X509_NAME_num(ca_dn))
|
|
||||||
rv |= CERT_PKEY_ISSUER_NAME;
|
|
||||||
|
|
||||||
if (!(rv & CERT_PKEY_ISSUER_NAME))
|
|
||||||
{
|
|
||||||
if (ssl_check_ca_name(ca_dn, x))
|
|
||||||
rv |= CERT_PKEY_ISSUER_NAME;
|
|
||||||
}
|
|
||||||
if (!(rv & CERT_PKEY_ISSUER_NAME))
|
|
||||||
{
|
|
||||||
for (i = 0; i < sk_X509_num(chain); i++)
|
|
||||||
{
|
|
||||||
X509 *xtmp = sk_X509_value(chain, i);
|
|
||||||
if (ssl_check_ca_name(ca_dn, xtmp))
|
|
||||||
{
|
|
||||||
rv |= CERT_PKEY_ISSUER_NAME;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (!(rv & CERT_PKEY_ISSUER_NAME))
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
|
|
||||||
|
|
||||||
rv |= CERT_PKEY_VALID;
|
|
||||||
|
|
||||||
end:
|
end:
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user