Fix SSL_check_chain() The function SSL_check_chain() can be used by applications to check that a cert and chain are compatible with the negotiated parameters. This could be useful (for example) from the certificate callback. Unfortunately this function was applying TLSv1.2 sig algs rules and did not work correctly if TLSv1.3 was negotiated. We refactor tls_choose_sigalg to split it up and create a new function find_sig_alg which can (optionally) take a certificate and key as parameters and find an appropriate sig alg if one exists. If the cert and key are not supplied then we try to find a cert and key from the ones we have available that match the shared sig algs. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9443) Matt Caswell 4 years ago
1 changed file(s) with 141 addition(s) and 64 deletion(s).
1919 #include "internal/nelem.h"
2020 #include "ssl_locl.h"
2121 #include <openssl/ct.h>
22
23 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
2224
2325 SSL3_ENC_METHOD const TLSv1_enc_data = {
2426 tls1_enc,
20712073
20722074 static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
20732075 {
2074 int sig_nid;
2076 int sig_nid, use_pc_sigalgs = 0;
20752077 size_t i;
2078 const SIGALG_LOOKUP *sigalg;
2079 size_t sigalgslen;
20762080 if (default_nid == -1)
20772081 return 1;
20782082 sig_nid = X509_get_signature_nid(x);
20792083 if (default_nid)
20802084 return sig_nid == default_nid ? 1 : 0;
2081 for (i = 0; i < s->shared_sigalgslen; i++)
2082 if (sig_nid == s->shared_sigalgs[i]->sigandhash)
2085
2086 if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) {
2087 /*
2088 * If we're in TLSv1.3 then we only get here if we're checking the
2089 * chain. If the peer has specified peer_cert_sigalgs then we use them
2090 * otherwise we default to normal sigalgs.
2091 */
2092 sigalgslen = s->s3->tmp.peer_cert_sigalgslen;
2093 use_pc_sigalgs = 1;
2094 } else {
2095 sigalgslen = s->shared_sigalgslen;
2096 }
2097 for (i = 0; i < sigalgslen; i++) {
2098 sigalg = use_pc_sigalgs
2099 ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
2100 : s->shared_sigalgs[i];
2101 if (sig_nid == sigalg->sigandhash)
20832102 return 1;
2103 }
20842104 return 0;
20852105 }
20862106
22372257 }
22382258 }
22392259 /* Check signature algorithm of each cert in chain */
2240 if (!tls1_check_sig_alg(s, x, default_nid)) {
2260 if (SSL_IS_TLS13(s)) {
2261 /*
2262 * We only get here if the application has called SSL_check_chain(),
2263 * so check_flags is always set.
2264 */
2265 if (find_sig_alg(s, x, pk) != NULL)
2266 rv |= CERT_PKEY_EE_SIGNATURE;
2267 } else if (!tls1_check_sig_alg(s, x, default_nid)) {
22412268 if (!check_flags)
22422269 goto end;
22432270 } else
25252552 }
25262553
25272554 /*
2528 * Returns true if |s| has a usable certificate configured for use
2529 * with signature scheme |sig|.
2530 * "Usable" includes a check for presence as well as applying
2531 * the signature_algorithm_cert restrictions sent by the peer (if any).
2532 * Returns false if no usable certificate is found.
2555 * Checks the given cert against signature_algorithm_cert restrictions sent by
2556 * the peer (if any) as well as whether the hash from the sigalg is usable with
2557 * the key.
2558 * Returns true if the cert is usable and false otherwise.
25332559 */
2534 static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
2560 static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
2561 EVP_PKEY *pkey)
25352562 {
25362563 const SIGALG_LOOKUP *lu;
25372564 int mdnid, pknid, default_mdnid;
25382565 int mandatory_md = 0;
25392566 size_t i;
25402567
2541 /* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */
2542 if (idx == -1)
2543 idx = sig->sig_idx;
2544 if (!ssl_has_cert(s, idx))
2545 return 0;
25462568 /* If the EVP_PKEY reports a mandatory digest, allow nothing else. */
25472569 ERR_set_mark();
2548 switch (EVP_PKEY_get_default_digest_nid(s->cert->pkeys[idx].privatekey,
2549 &default_mdnid)) {
2570 switch (EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid)) {
25502571 case 2:
25512572 mandatory_md = 1;
25522573 break;
25532574 case 1:
2554 break;
25552575 default: /* If it didn't report a mandatory NID, for whatever reasons,
25562576 * just clear the error and allow all hashes to be used. */
2557 ERR_pop_to_mark();
2558 }
2577 break;
2578 }
2579 ERR_pop_to_mark();
25592580 if (s->s3->tmp.peer_cert_sigalgs != NULL) {
25602581 for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
25612582 lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
25622583 if (lu == NULL
2563 || !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid,
2564 &pknid, NULL, NULL)
2584 || !X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL)
25652585 || (mandatory_md && mdnid != default_mdnid))
25662586 continue;
25672587 /*
25762596 return 0;
25772597 }
25782598 return !mandatory_md || sig->hash == default_mdnid;
2599 }
2600
2601 /*
2602 * Returns true if |s| has a usable certificate configured for use
2603 * with signature scheme |sig|.
2604 * "Usable" includes a check for presence as well as applying
2605 * the signature_algorithm_cert restrictions sent by the peer (if any).
2606 * Returns false if no usable certificate is found.
2607 */
2608 static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
2609 {
2610 /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
2611 if (idx == -1)
2612 idx = sig->sig_idx;
2613 if (!ssl_has_cert(s, idx))
2614 return 0;
2615
2616 return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
2617 s->cert->pkeys[idx].privatekey);
2618 }
2619
2620 /*
2621 * Returns true if the supplied cert |x| and key |pkey| is usable with the
2622 * specified signature scheme |sig|, or false otherwise.
2623 */
2624 static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
2625 EVP_PKEY *pkey)
2626 {
2627 size_t idx;
2628
2629 if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
2630 return 0;
2631
2632 /* Check the key is consistent with the sig alg */
2633 if ((int)idx != sig->sig_idx)
2634 return 0;
2635
2636 return check_cert_usable(s, sig, x, pkey);
2637 }
2638
2639 /*
2640 * Find a signature scheme that works with the supplied certificate |x| and key
2641 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
2642 * available certs/keys to find one that works.
2643 */
2644 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
2645 {
2646 const SIGALG_LOOKUP *lu = NULL;
2647 size_t i;
2648 #ifndef OPENSSL_NO_EC
2649 int curve = -1;
2650 #endif
2651 EVP_PKEY *tmppkey;
2652
2653 /* Look for a shared sigalgs matching possible certificates */
2654 for (i = 0; i < s->shared_sigalgslen; i++) {
2655 lu = s->shared_sigalgs[i];
2656
2657 /* Skip SHA1, SHA224, DSA and RSA if not PSS */
2658 if (lu->hash == NID_sha1
2659 || lu->hash == NID_sha224
2660 || lu->sig == EVP_PKEY_DSA
2661 || lu->sig == EVP_PKEY_RSA)
2662 continue;
2663 /* Check that we have a cert, and signature_algorithms_cert */
2664 if (!tls1_lookup_md(lu, NULL))
2665 continue;
2666 if ((pkey == NULL && !has_usable_cert(s, lu, -1))
2667 || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
2668 continue;
2669
2670 tmppkey = (pkey != NULL) ? pkey
2671 : s->cert->pkeys[lu->sig_idx].privatekey;
2672
2673 if (lu->sig == EVP_PKEY_EC) {
2674 #ifndef OPENSSL_NO_EC
2675 if (curve == -1) {
2676 EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey);
2677 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
2678 }
2679 if (lu->curve != NID_undef && curve != lu->curve)
2680 continue;
2681 #else
2682 continue;
2683 #endif
2684 } else if (lu->sig == EVP_PKEY_RSA_PSS) {
2685 /* validate that key is large enough for the signature algorithm */
2686 if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
2687 continue;
2688 }
2689 break;
2690 }
2691
2692 if (i == s->shared_sigalgslen)
2693 return NULL;
2694
2695 return lu;
25792696 }
25802697
25812698 /*
25982715 s->s3->tmp.sigalg = NULL;
25992716
26002717 if (SSL_IS_TLS13(s)) {
2601 size_t i;
2602 #ifndef OPENSSL_NO_EC
2603 int curve = -1;
2604 #endif
2605
2606 /* Look for a certificate matching shared sigalgs */
2607 for (i = 0; i < s->shared_sigalgslen; i++) {
2608 lu = s->shared_sigalgs[i];
2609 sig_idx = -1;
2610
2611 /* Skip SHA1, SHA224, DSA and RSA if not PSS */
2612 if (lu->hash == NID_sha1
2613 || lu->hash == NID_sha224
2614 || lu->sig == EVP_PKEY_DSA
2615 || lu->sig == EVP_PKEY_RSA)
2616 continue;
2617 /* Check that we have a cert, and signature_algorithms_cert */
2618 if (!tls1_lookup_md(lu, NULL) || !has_usable_cert(s, lu, -1))
2619 continue;
2620 if (lu->sig == EVP_PKEY_EC) {
2621 #ifndef OPENSSL_NO_EC
2622 if (curve == -1) {
2623 EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
2624
2625 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
2626 }
2627 if (lu->curve != NID_undef && curve != lu->curve)
2628 continue;
2629 #else
2630 continue;
2631 #endif
2632 } else if (lu->sig == EVP_PKEY_RSA_PSS) {
2633 /* validate that key is large enough for the signature algorithm */
2634 EVP_PKEY *pkey;
2635
2636 pkey = s->cert->pkeys[lu->sig_idx].privatekey;
2637 if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
2638 continue;
2639 }
2640 break;
2641 }
2642 if (i == s->shared_sigalgslen) {
2718 lu = find_sig_alg(s, NULL, NULL);
2719 if (lu == NULL) {
26432720 if (!fatalerrs)
26442721 return 1;
26452722 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,