kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4071 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 6fdea2aba9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6fdea2aba9'
${ noResults }
boringssl/ssl/ssl_cert.c

908 lines
28 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com).

  108.  *

  109.  */

  110. /* ====================================================================

  111.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  112.  * ECC cipher suite support in OpenSSL originally developed by

  113.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  114. 

  115. #include <openssl/ssl.h>

  116. 

  117. #include <assert.h>

  118. #include <limits.h>

  119. #include <string.h>

  120. 

  121. #include <openssl/bn.h>

  122. #include <openssl/buf.h>

  123. #include <openssl/bytestring.h>

  124. #include <openssl/ec_key.h>

  125. #include <openssl/err.h>

  126. #include <openssl/mem.h>

  127. #include <openssl/sha.h>

  128. #include <openssl/x509.h>

  129. 

  130. #include "../crypto/internal.h"

  131. #include "internal.h"

  132. 

  133. 

  134. CERT *ssl_cert_new(const SSL_X509_METHOD *x509_method) {

  135.   CERT *ret = OPENSSL_malloc(sizeof(CERT));

  136.   if (ret == NULL) {

  137.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  138.     return NULL;

  139.   }

  140.   OPENSSL_memset(ret, 0, sizeof(CERT));

  141.   ret->x509_method = x509_method;

  142. 

  143.   return ret;

  144. }

  145. 

  146. static CRYPTO_BUFFER *buffer_up_ref(CRYPTO_BUFFER *buffer) {

  147.   CRYPTO_BUFFER_up_ref(buffer);

  148.   return buffer;

  149. }

  150. 

  151. CERT *ssl_cert_dup(CERT *cert) {

  152.   CERT *ret = OPENSSL_malloc(sizeof(CERT));

  153.   if (ret == NULL) {

  154.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  155.     return NULL;

  156.   }

  157.   OPENSSL_memset(ret, 0, sizeof(CERT));

  158. 

  159.   ret->chain = sk_CRYPTO_BUFFER_deep_copy(cert->chain, buffer_up_ref,

  160.                                           CRYPTO_BUFFER_free);

  161. 

  162.   if (cert->privatekey != NULL) {

  163.     EVP_PKEY_up_ref(cert->privatekey);

  164.     ret->privatekey = cert->privatekey;

  165.   }

  166. 

  167.   ret->key_method = cert->key_method;

  168.   ret->x509_method = cert->x509_method;

  169. 

  170.   if (cert->sigalgs != NULL) {

  171.     ret->sigalgs =

  172.         BUF_memdup(cert->sigalgs, cert->num_sigalgs * sizeof(cert->sigalgs[0]));

  173.     if (ret->sigalgs == NULL) {

  174.       goto err;

  175.     }

  176.   }

  177.   ret->num_sigalgs = cert->num_sigalgs;

  178. 

  179.   ret->cert_cb = cert->cert_cb;

  180.   ret->cert_cb_arg = cert->cert_cb_arg;

  181. 

  182.   ret->x509_method->cert_dup(ret, cert);

  183. 

  184.   if (cert->signed_cert_timestamp_list != NULL) {

  185.     CRYPTO_BUFFER_up_ref(cert->signed_cert_timestamp_list);

  186.     ret->signed_cert_timestamp_list = cert->signed_cert_timestamp_list;

  187.   }

  188. 

  189.   if (cert->ocsp_response != NULL) {

  190.     CRYPTO_BUFFER_up_ref(cert->ocsp_response);

  191.     ret->ocsp_response = cert->ocsp_response;

  192.   }

  193. 

  194.   ret->sid_ctx_length = cert->sid_ctx_length;

  195.   OPENSSL_memcpy(ret->sid_ctx, cert->sid_ctx, sizeof(ret->sid_ctx));

  196. 

  197.   ret->enable_early_data = cert->enable_early_data;

  198. 

  199.   return ret;

  200. 

  201. err:

  202.   ssl_cert_free(ret);

  203.   return NULL;

  204. }

  205. 

  206. /* Free up and clear all certificates and chains */

  207. void ssl_cert_clear_certs(CERT *cert) {

  208.   if (cert == NULL) {

  209.     return;

  210.   }

  211. 

  212.   cert->x509_method->cert_clear(cert);

  213. 

  214.   sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);

  215.   cert->chain = NULL;

  216.   EVP_PKEY_free(cert->privatekey);

  217.   cert->privatekey = NULL;

  218.   cert->key_method = NULL;

  219. }

  220. 

  221. void ssl_cert_free(CERT *c) {

  222.   if (c == NULL) {

  223.     return;

  224.   }

  225. 

  226.   ssl_cert_clear_certs(c);

  227.   c->x509_method->cert_free(c);

  228.   OPENSSL_free(c->sigalgs);

  229.   CRYPTO_BUFFER_free(c->signed_cert_timestamp_list);

  230.   CRYPTO_BUFFER_free(c->ocsp_response);

  231. 

  232.   OPENSSL_free(c);

  233. }

  234. 

  235. static void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg),

  236.                                  void *arg) {

  237.   c->cert_cb = cb;

  238.   c->cert_cb_arg = arg;

  239. }

  240. 

  241. enum leaf_cert_and_privkey_result_t {

  242.   leaf_cert_and_privkey_error,

  243.   leaf_cert_and_privkey_ok,

  244.   leaf_cert_and_privkey_mismatch,

  245. };

  246. 

  247. /* check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer|

  248.  * and the private key in |privkey| are suitable and coherent. It returns

  249.  * |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is

  250.  * found. If the certificate and private key are valid, but incoherent, it

  251.  * returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns

  252.  * |leaf_cert_and_privkey_ok|. */

  253. static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey(

  254.     CRYPTO_BUFFER *leaf_buffer, EVP_PKEY *privkey) {

  255.   enum leaf_cert_and_privkey_result_t ret = leaf_cert_and_privkey_error;

  256. 

  257.   CBS cert_cbs;

  258.   CRYPTO_BUFFER_init_CBS(leaf_buffer, &cert_cbs);

  259.   EVP_PKEY *pubkey = ssl_cert_parse_pubkey(&cert_cbs);

  260.   if (pubkey == NULL) {

  261.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  262.     goto out;

  263.   }

  264. 

  265.   if (!ssl_is_key_type_supported(pubkey->type)) {

  266.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  267.     goto out;

  268.   }

  269. 

  270.   /* An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA

  271.    * certificates, so sanity-check the key usage extension. */

  272.   if (pubkey->type == EVP_PKEY_EC &&

  273.       !ssl_cert_check_digital_signature_key_usage(&cert_cbs)) {

  274.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  275.     goto out;

  276.   }

  277. 

  278.   if (privkey != NULL &&

  279.       /* Sanity-check that the private key and the certificate match. */

  280.       !ssl_compare_public_and_private_key(pubkey, privkey)) {

  281.     ERR_clear_error();

  282.     ret = leaf_cert_and_privkey_mismatch;

  283.     goto out;

  284.   }

  285. 

  286.   ret = leaf_cert_and_privkey_ok;

  287. 

  288. out:

  289.   EVP_PKEY_free(pubkey);

  290.   return ret;

  291. }

  292. 

  293. static int cert_set_chain_and_key(

  294.     CERT *cert, CRYPTO_BUFFER *const *certs, size_t num_certs,

  295.     EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method) {

  296.   if (num_certs == 0 ||

  297.       (privkey == NULL && privkey_method == NULL)) {

  298.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  299.     return 0;

  300.   }

  301. 

  302.   if (privkey != NULL && privkey_method != NULL) {

  303.     OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD);

  304.     return 0;

  305.   }

  306. 

  307.   switch (check_leaf_cert_and_privkey(certs[0], privkey)) {

  308.     case leaf_cert_and_privkey_error:

  309.       return 0;

  310.     case leaf_cert_and_privkey_mismatch:

  311.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH);

  312.       return 0;

  313.     case leaf_cert_and_privkey_ok:

  314.       break;

  315.   }

  316. 

  317.   STACK_OF(CRYPTO_BUFFER) *certs_sk = sk_CRYPTO_BUFFER_new_null();

  318.   if (certs_sk == NULL) {

  319.     return 0;

  320.   }

  321. 

  322.   for (size_t i = 0; i < num_certs; i++) {

  323.     if (!sk_CRYPTO_BUFFER_push(certs_sk, certs[i])) {

  324.       sk_CRYPTO_BUFFER_pop_free(certs_sk, CRYPTO_BUFFER_free);

  325.       return 0;

  326.     }

  327.     CRYPTO_BUFFER_up_ref(certs[i]);

  328.   }

  329. 

  330.   EVP_PKEY_free(cert->privatekey);

  331.   cert->privatekey = privkey;

  332.   if (privkey != NULL) {

  333.     EVP_PKEY_up_ref(privkey);

  334.   }

  335.   cert->key_method = privkey_method;

  336. 

  337.   sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);

  338.   cert->chain = certs_sk;

  339. 

  340.   return 1;

  341. }

  342. 

  343. int SSL_set_chain_and_key(SSL *ssl, CRYPTO_BUFFER *const *certs,

  344.                           size_t num_certs, EVP_PKEY *privkey,

  345.                           const SSL_PRIVATE_KEY_METHOD *privkey_method) {

  346.   return cert_set_chain_and_key(ssl->cert, certs, num_certs, privkey,

  347.                                 privkey_method);

  348. }

  349. 

  350. int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs,

  351.                               size_t num_certs, EVP_PKEY *privkey,

  352.                               const SSL_PRIVATE_KEY_METHOD *privkey_method) {

  353.   return cert_set_chain_and_key(ctx->cert, certs, num_certs, privkey,

  354.                                 privkey_method);

  355. }

  356. 

  357. int ssl_set_cert(CERT *cert, CRYPTO_BUFFER *buffer) {

  358.   switch (check_leaf_cert_and_privkey(buffer, cert->privatekey)) {

  359.     case leaf_cert_and_privkey_error:

  360.       return 0;

  361.     case leaf_cert_and_privkey_mismatch:

  362.       /* don't fail for a cert/key mismatch, just free current private key

  363.        * (when switching to a different cert & key, first this function should

  364.        * be used, then |ssl_set_pkey|. */

  365.       EVP_PKEY_free(cert->privatekey);

  366.       cert->privatekey = NULL;

  367.       break;

  368.     case leaf_cert_and_privkey_ok:

  369.       break;

  370.   }

  371. 

  372.   cert->x509_method->cert_flush_cached_leaf(cert);

  373. 

  374.   if (cert->chain != NULL) {

  375.     CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(cert->chain, 0));

  376.     sk_CRYPTO_BUFFER_set(cert->chain, 0, buffer);

  377.     CRYPTO_BUFFER_up_ref(buffer);

  378.     return 1;

  379.   }

  380. 

  381.   cert->chain = sk_CRYPTO_BUFFER_new_null();

  382.   if (cert->chain == NULL) {

  383.     return 0;

  384.   }

  385. 

  386.   if (!sk_CRYPTO_BUFFER_push(cert->chain, buffer)) {

  387.     sk_CRYPTO_BUFFER_free(cert->chain);

  388.     cert->chain = NULL;

  389.     return 0;

  390.   }

  391.   CRYPTO_BUFFER_up_ref(buffer);

  392. 

  393.   return 1;

  394. }

  395. 

  396. int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,

  397.                                  const uint8_t *der) {

  398.   CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new(der, der_len, NULL);

  399.   if (buffer == NULL) {

  400.     return 0;

  401.   }

  402. 

  403.   const int ok = ssl_set_cert(ctx->cert, buffer);

  404.   CRYPTO_BUFFER_free(buffer);

  405.   return ok;

  406. }

  407. 

  408. int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {

  409.   CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new(der, der_len, NULL);

  410.   if (buffer == NULL) {

  411.     return 0;

  412.   }

  413. 

  414.   const int ok = ssl_set_cert(ssl->cert, buffer);

  415.   CRYPTO_BUFFER_free(buffer);

  416.   return ok;

  417. }

  418. 

  419. int ssl_has_certificate(const SSL *ssl) {

  420.   return ssl->cert->chain != NULL &&

  421.          sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0) != NULL &&

  422.          ssl_has_private_key(ssl);

  423. }

  424. 

  425. STACK_OF(CRYPTO_BUFFER) *ssl_parse_cert_chain(uint8_t *out_alert,

  426.                                               EVP_PKEY **out_pubkey,

  427.                                               uint8_t *out_leaf_sha256,

  428.                                               CBS *cbs,

  429.                                               CRYPTO_BUFFER_POOL *pool) {

  430.   *out_pubkey = NULL;

  431. 

  432.   STACK_OF(CRYPTO_BUFFER) *ret = sk_CRYPTO_BUFFER_new_null();

  433.   if (ret == NULL) {

  434.     *out_alert = SSL_AD_INTERNAL_ERROR;

  435.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  436.     return NULL;

  437.   }

  438. 

  439.   CBS certificate_list;

  440.   if (!CBS_get_u24_length_prefixed(cbs, &certificate_list)) {

  441.     *out_alert = SSL_AD_DECODE_ERROR;

  442.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  443.     goto err;

  444.   }

  445. 

  446.   while (CBS_len(&certificate_list) > 0) {

  447.     CBS certificate;

  448.     if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||

  449.         CBS_len(&certificate) == 0) {

  450.       *out_alert = SSL_AD_DECODE_ERROR;

  451.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);

  452.       goto err;

  453.     }

  454. 

  455.     if (sk_CRYPTO_BUFFER_num(ret) == 0) {

  456.       *out_pubkey = ssl_cert_parse_pubkey(&certificate);

  457.       if (*out_pubkey == NULL) {

  458.         *out_alert = SSL_AD_DECODE_ERROR;

  459.         goto err;

  460.       }

  461. 

  462.       /* Retain the hash of the leaf certificate if requested. */

  463.       if (out_leaf_sha256 != NULL) {

  464.         SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256);

  465.       }

  466.     }

  467. 

  468.     CRYPTO_BUFFER *buf =

  469.         CRYPTO_BUFFER_new_from_CBS(&certificate, pool);

  470.     if (buf == NULL) {

  471.       *out_alert = SSL_AD_DECODE_ERROR;

  472.       goto err;

  473.     }

  474. 

  475.     if (!sk_CRYPTO_BUFFER_push(ret, buf)) {

  476.       *out_alert = SSL_AD_INTERNAL_ERROR;

  477.       CRYPTO_BUFFER_free(buf);

  478.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  479.       goto err;

  480.     }

  481.   }

  482. 

  483.   return ret;

  484. 

  485. err:

  486.   EVP_PKEY_free(*out_pubkey);

  487.   *out_pubkey = NULL;

  488.   sk_CRYPTO_BUFFER_pop_free(ret, CRYPTO_BUFFER_free);

  489.   return NULL;

  490. }

  491. 

  492. int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {

  493.   if (!ssl_has_certificate(ssl)) {

  494.     return CBB_add_u24(cbb, 0);

  495.   }

  496. 

  497.   CBB certs;

  498.   if (!CBB_add_u24_length_prefixed(cbb, &certs)) {

  499.     goto err;

  500.   }

  501. 

  502.   STACK_OF(CRYPTO_BUFFER) *chain = ssl->cert->chain;

  503.   for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain); i++) {

  504.     CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(chain, i);

  505.     CBB child;

  506.     if (!CBB_add_u24_length_prefixed(&certs, &child) ||

  507.         !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),

  508.                        CRYPTO_BUFFER_len(buffer)) ||

  509.         !CBB_flush(&certs)) {

  510.       goto err;

  511.     }

  512.   }

  513. 

  514.   return CBB_flush(cbb);

  515. 

  516. err:

  517.   OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  518.   return 0;

  519. }

  520. 

  521. /* ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and

  522.  * positions |*out_tbs_cert| to cover the TBSCertificate, starting at the

  523.  * subjectPublicKeyInfo. */

  524. static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {

  525.   /* From RFC 5280, section 4.1

  526.    *    Certificate  ::=  SEQUENCE  {

  527.    *      tbsCertificate       TBSCertificate,

  528.    *      signatureAlgorithm   AlgorithmIdentifier,

  529.    *      signatureValue       BIT STRING  }

  530. 

  531.    * TBSCertificate  ::=  SEQUENCE  {

  532.    *      version         [0]  EXPLICIT Version DEFAULT v1,

  533.    *      serialNumber         CertificateSerialNumber,

  534.    *      signature            AlgorithmIdentifier,

  535.    *      issuer               Name,

  536.    *      validity             Validity,

  537.    *      subject              Name,

  538.    *      subjectPublicKeyInfo SubjectPublicKeyInfo,

  539.    *      ... } */

  540.   CBS buf = *in;

  541. 

  542.   CBS toplevel;

  543.   if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) ||

  544.       CBS_len(&buf) != 0 ||

  545.       !CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) ||

  546.       /* version */

  547.       !CBS_get_optional_asn1(

  548.           out_tbs_cert, NULL, NULL,

  549.           CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||

  550.       /* serialNumber */

  551.       !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) ||

  552.       /* signature algorithm */

  553.       !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||

  554.       /* issuer */

  555.       !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||

  556.       /* validity */

  557.       !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||

  558.       /* subject */

  559.       !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) {

  560.     return 0;

  561.   }

  562. 

  563.   return 1;

  564. }

  565. 

  566. EVP_PKEY *ssl_cert_parse_pubkey(const CBS *in) {

  567.   CBS buf = *in, tbs_cert;

  568.   if (!ssl_cert_skip_to_spki(&buf, &tbs_cert)) {

  569.     OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);

  570.     return NULL;

  571.   }

  572. 

  573.   return EVP_parse_public_key(&tbs_cert);

  574. }

  575. 

  576. int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,

  577.                                        const EVP_PKEY *privkey) {

  578.   if (EVP_PKEY_is_opaque(privkey)) {

  579.     /* We cannot check an opaque private key and have to trust that it

  580.      * matches. */

  581.     return 1;

  582.   }

  583. 

  584.   int ret = 0;

  585. 

  586.   switch (EVP_PKEY_cmp(pubkey, privkey)) {

  587.     case 1:

  588.       ret = 1;

  589.       break;

  590.     case 0:

  591.       OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH);

  592.       break;

  593.     case -1:

  594.       OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH);

  595.       break;

  596.     case -2:

  597.       OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);

  598.     default:

  599.       assert(0);

  600.       break;

  601.   }

  602. 

  603.   return ret;

  604. }

  605. 

  606. int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey) {

  607.   if (privkey == NULL) {

  608.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);

  609.     return 0;

  610.   }

  611. 

  612.   if (cert->chain == NULL ||

  613.       sk_CRYPTO_BUFFER_value(cert->chain, 0) == NULL) {

  614.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);

  615.     return 0;

  616.   }

  617. 

  618.   CBS cert_cbs;

  619.   CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(cert->chain, 0), &cert_cbs);

  620.   EVP_PKEY *pubkey = ssl_cert_parse_pubkey(&cert_cbs);

  621.   if (!pubkey) {

  622.     OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);

  623.     return 0;

  624.   }

  625. 

  626.   const int ok = ssl_compare_public_and_private_key(pubkey, privkey);

  627.   EVP_PKEY_free(pubkey);

  628.   return ok;

  629. }

  630. 

  631. int ssl_cert_check_digital_signature_key_usage(const CBS *in) {

  632.   CBS buf = *in;

  633. 

  634.   CBS tbs_cert, outer_extensions;

  635.   int has_extensions;

  636.   if (!ssl_cert_skip_to_spki(&buf, &tbs_cert) ||

  637.       /* subjectPublicKeyInfo */

  638.       !CBS_get_asn1(&tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||

  639.       /* issuerUniqueID */

  640.       !CBS_get_optional_asn1(

  641.           &tbs_cert, NULL, NULL,

  642.           CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||

  643.       /* subjectUniqueID */

  644.       !CBS_get_optional_asn1(

  645.           &tbs_cert, NULL, NULL,

  646.           CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||

  647.       !CBS_get_optional_asn1(

  648.           &tbs_cert, &outer_extensions, &has_extensions,

  649.           CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3)) {

  650.     goto parse_err;

  651.   }

  652. 

  653.   if (!has_extensions) {

  654.     return 1;

  655.   }

  656. 

  657.   CBS extensions;

  658.   if (!CBS_get_asn1(&outer_extensions, &extensions, CBS_ASN1_SEQUENCE)) {

  659.     goto parse_err;

  660.   }

  661. 

  662.   while (CBS_len(&extensions) > 0) {

  663.     CBS extension, oid, contents;

  664.     if (!CBS_get_asn1(&extensions, &extension, CBS_ASN1_SEQUENCE) ||

  665.         !CBS_get_asn1(&extension, &oid, CBS_ASN1_OBJECT) ||

  666.         (CBS_peek_asn1_tag(&extension, CBS_ASN1_BOOLEAN) &&

  667.          !CBS_get_asn1(&extension, NULL, CBS_ASN1_BOOLEAN)) ||

  668.         !CBS_get_asn1(&extension, &contents, CBS_ASN1_OCTETSTRING) ||

  669.         CBS_len(&extension) != 0) {

  670.       goto parse_err;

  671.     }

  672. 

  673.     static const uint8_t kKeyUsageOID[3] = {0x55, 0x1d, 0x0f};

  674.     if (CBS_len(&oid) != sizeof(kKeyUsageOID) ||

  675.         OPENSSL_memcmp(CBS_data(&oid), kKeyUsageOID, sizeof(kKeyUsageOID)) !=

  676.             0) {

  677.       continue;

  678.     }

  679. 

  680.     CBS bit_string;

  681.     if (!CBS_get_asn1(&contents, &bit_string, CBS_ASN1_BITSTRING) ||

  682.         CBS_len(&contents) != 0) {

  683.       goto parse_err;

  684.     }

  685. 

  686.     /* This is the KeyUsage extension. See

  687.      * https://tools.ietf.org/html/rfc5280#section-4.2.1.3 */

  688.     if (!CBS_is_valid_asn1_bitstring(&bit_string)) {

  689.       goto parse_err;

  690.     }

  691. 

  692.     if (!CBS_asn1_bitstring_has_bit(&bit_string, 0)) {

  693.       OPENSSL_PUT_ERROR(SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING);

  694.       return 0;

  695.     }

  696. 

  697.     return 1;

  698.   }

  699. 

  700.   /* No KeyUsage extension found. */

  701.   return 1;

  702. 

  703. parse_err:

  704.   OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);

  705.   return 0;

  706. }

  707. 

  708. STACK_OF(CRYPTO_BUFFER) *

  709.     ssl_parse_client_CA_list(SSL *ssl, uint8_t *out_alert, CBS *cbs) {

  710.   CRYPTO_BUFFER_POOL *const pool = ssl->ctx->pool;

  711. 

  712.   STACK_OF(CRYPTO_BUFFER) *ret = sk_CRYPTO_BUFFER_new_null();

  713.   if (ret == NULL) {

  714.     *out_alert = SSL_AD_INTERNAL_ERROR;

  715.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  716.     return NULL;

  717.   }

  718. 

  719.   CBS child;

  720.   if (!CBS_get_u16_length_prefixed(cbs, &child)) {

  721.     *out_alert = SSL_AD_DECODE_ERROR;

  722.     OPENSSL_PUT_ERROR(SSL, SSL_R_LENGTH_MISMATCH);

  723.     goto err;

  724.   }

  725. 

  726.   while (CBS_len(&child) > 0) {

  727.     CBS distinguished_name;

  728.     if (!CBS_get_u16_length_prefixed(&child, &distinguished_name)) {

  729.       *out_alert = SSL_AD_DECODE_ERROR;

  730.       OPENSSL_PUT_ERROR(SSL, SSL_R_CA_DN_TOO_LONG);

  731.       goto err;

  732.     }

  733. 

  734.     CRYPTO_BUFFER *buffer =

  735.         CRYPTO_BUFFER_new_from_CBS(&distinguished_name, pool);

  736.     if (buffer == NULL ||

  737.         !sk_CRYPTO_BUFFER_push(ret, buffer)) {

  738.       CRYPTO_BUFFER_free(buffer);

  739.       *out_alert = SSL_AD_INTERNAL_ERROR;

  740.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  741.       goto err;

  742.     }

  743.   }

  744. 

  745.   if (!ssl->ctx->x509_method->check_client_CA_list(ret)) {

  746.     *out_alert = SSL_AD_INTERNAL_ERROR;

  747.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  748.     goto err;

  749.   }

  750. 

  751.   return ret;

  752. 

  753. err:

  754.   sk_CRYPTO_BUFFER_pop_free(ret, CRYPTO_BUFFER_free);

  755.   return NULL;

  756. }

  757. 

  758. int ssl_add_client_CA_list(SSL *ssl, CBB *cbb) {

  759.   CBB child, name_cbb;

  760.   if (!CBB_add_u16_length_prefixed(cbb, &child)) {

  761.     return 0;

  762.   }

  763. 

  764.   STACK_OF(CRYPTO_BUFFER) *names = ssl->client_CA;

  765.   if (names == NULL) {

  766.     names = ssl->ctx->client_CA;

  767.   }

  768.   if (names == NULL) {

  769.     return CBB_flush(cbb);

  770.   }

  771. 

  772.   for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(names); i++) {

  773.     const CRYPTO_BUFFER *name = sk_CRYPTO_BUFFER_value(names, i);

  774. 

  775.     if (!CBB_add_u16_length_prefixed(&child, &name_cbb) ||

  776.         !CBB_add_bytes(&name_cbb, CRYPTO_BUFFER_data(name),

  777.                        CRYPTO_BUFFER_len(name))) {

  778.       return 0;

  779.     }

  780.   }

  781. 

  782.   return CBB_flush(cbb);

  783. }

  784. 

  785. void SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg),

  786.                          void *arg) {

  787.   ssl_cert_set_cert_cb(ctx->cert, cb, arg);

  788. }

  789. 

  790. void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {

  791.   ssl_cert_set_cert_cb(ssl->cert, cb, arg);

  792. }

  793. 

  794. STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL *ssl) {

  795.   SSL_SESSION *session = SSL_get_session(ssl);

  796.   if (session == NULL) {

  797.     return NULL;

  798.   }

  799. 

  800.   return session->certs;

  801. }

  802. 

  803. STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) {

  804.   if (ssl->s3->hs == NULL) {

  805.     return NULL;

  806.   }

  807.   return ssl->s3->hs->ca_names;

  808. }

  809. 

  810. int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,

  811.                                const CRYPTO_BUFFER *leaf) {

  812.   SSL *const ssl = hs->ssl;

  813.   assert(ssl3_protocol_version(ssl) < TLS1_3_VERSION);

  814. 

  815.   /* Check the certificate's type matches the cipher. */

  816.   if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) {

  817.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);

  818.     return 0;

  819.   }

  820. 

  821.   /* Check key usages for all key types but RSA. This is needed to distinguish

  822.    * ECDH certificates, which we do not support, from ECDSA certificates. In

  823.    * principle, we should check RSA key usages based on cipher, but this breaks

  824.    * buggy antivirus deployments. Other key types are always used for signing.

  825.    *

  826.    * TODO(davidben): Get more recent data on RSA key usages. */

  827.   if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {

  828.     CBS leaf_cbs;

  829.     CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf));

  830.     if (!ssl_cert_check_digital_signature_key_usage(&leaf_cbs)) {

  831.       return 0;

  832.     }

  833.   }

  834. 

  835.   if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {

  836.     /* Check the key's group and point format are acceptable. */

  837.     EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);

  838.     uint16_t group_id;

  839.     if (!ssl_nid_to_group_id(

  840.             &group_id, EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key))) ||

  841.         !tls1_check_group_id(ssl, group_id) ||

  842.         EC_KEY_get_conv_form(ec_key) != POINT_CONVERSION_UNCOMPRESSED) {

  843.       OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECC_CERT);

  844.       return 0;

  845.     }

  846.   }

  847. 

  848.   return 1;

  849. }

  850. 

  851. int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {

  852.   SSL *const ssl = hs->ssl;

  853.   if (!ssl_has_certificate(ssl)) {

  854.     /* Nothing to do. */

  855.     return 1;

  856.   }

  857. 

  858.   if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(ssl)) {

  859.     return 0;

  860.   }

  861. 

  862.   CBS leaf;

  863.   CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0), &leaf);

  864. 

  865.   EVP_PKEY_free(hs->local_pubkey);

  866.   hs->local_pubkey = ssl_cert_parse_pubkey(&leaf);

  867.   return hs->local_pubkey != NULL;

  868. }

  869. 

  870. static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list,

  871.                                            size_t list_len) {

  872.   CBS sct_list;

  873.   CBS_init(&sct_list, list, list_len);

  874.   if (!ssl_is_sct_list_valid(&sct_list)) {

  875.     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SCT_LIST);

  876.     return 0;

  877.   }

  878. 

  879.   CRYPTO_BUFFER_free(cert->signed_cert_timestamp_list);

  880.   cert->signed_cert_timestamp_list =

  881.       CRYPTO_BUFFER_new(CBS_data(&sct_list), CBS_len(&sct_list), NULL);

  882.   return cert->signed_cert_timestamp_list != NULL;

  883. }

  884. 

  885. int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, const uint8_t *list,

  886.                                            size_t list_len) {

  887.   return set_signed_cert_timestamp_list(ctx->cert, list, list_len);

  888. }

  889. 

  890. int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list,

  891.                                        size_t list_len) {

  892.   return set_signed_cert_timestamp_list(ssl->cert, list, list_len);

  893. }

  894. 

  895. int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response,

  896.                               size_t response_len) {

  897.   CRYPTO_BUFFER_free(ctx->cert->ocsp_response);

  898.   ctx->cert->ocsp_response = CRYPTO_BUFFER_new(response, response_len, NULL);

  899.   return ctx->cert->ocsp_response != NULL;

  900. }

  901. 

  902. int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response,

  903.                           size_t response_len) {

  904.   CRYPTO_BUFFER_free(ssl->cert->ocsp_response);

  905.   ssl->cert->ocsp_response = CRYPTO_BUFFER_new(response, response_len, NULL);

  906.   return ssl->cert->ocsp_response != NULL;

  907. }