mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-21 01:15:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Move certificate validity flags out of CERT.

Browse Source 
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Dr. Stephen Henson 2015-05-12 22:17:34 +01:00
parent d376e57d68
commit 6383d31645
6 changed files with 36 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/s3_clnt.c
View File

@ -2164,7 +2164,7 @@ int ssl3_get_certificate_request(SSL *s)
/* Clear certificate digests and validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++) {
s->s3->tmp.md[i] = NULL;
s->cert->pkeys[i].valid_flags = 0;
s->s3->tmp.valid_flags[i] = 0;
}
if ((llen & 1) || !tls1_save_sigalgs(s, p, llen)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

2
ssl/s3_lib.c
View File

@ -3892,7 +3892,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))
continue;
ssl_set_cert_masks(cert, c);
ssl_set_masks(s, c);
mask_k = cert->mask_k;
mask_a = cert->mask_a;
emask_k = cert->export_mask_k;

3
ssl/ssl_cert.c
View File

@ -270,7 +270,6 @@ CERT *ssl_cert_dup(CERT *cert)
goto err;
}
}
rpk->valid_flags = 0;
#ifndef OPENSSL_NO_TLSEXT
if (cert->pkeys[i].serverinfo != NULL) {
/* Just copy everything. */
@ -375,8 +374,6 @@ void ssl_cert_clear_certs(CERT *c)
cpk->serverinfo = NULL;
cpk->serverinfo_length = 0;
#endif
/* Clear all flags apart from explicit sign */
cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
}
}

23
ssl/ssl_lib.c
View File

@ -1933,9 +1933,11 @@ void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg)
ssl_cert_set_cert_cb(s->cert, cb, arg);
}
void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
{
CERT_PKEY *cpk;
CERT *c = s->cert;
int *pvalid = s->s3->tmp.valid_flags;
int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
int rsa_enc_export, dh_rsa_export, dh_dsa_export;
int rsa_tmp_export, dh_tmp_export, kl;
@ -1972,22 +1974,21 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
have_ecdh_tmp = (c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
#endif
cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
rsa_enc = cpk->valid_flags & CERT_PKEY_VALID;
rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID;
rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
rsa_sign = cpk->valid_flags & CERT_PKEY_SIGN;
rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN;
cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
dsa_sign = cpk->valid_flags & CERT_PKEY_SIGN;
dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN;
cpk = &(c->pkeys[SSL_PKEY_DH_RSA]);
dh_rsa = cpk->valid_flags & CERT_PKEY_VALID;
dh_rsa = pvalid[SSL_PKEY_DH_RSA] & CERT_PKEY_VALID;
dh_rsa_export = (dh_rsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_DH_DSA]);
/* FIX THIS EAY EAY EAY */
dh_dsa = cpk->valid_flags & CERT_PKEY_VALID;
dh_dsa = pvalid[SSL_PKEY_DH_DSA] & CERT_PKEY_VALID;
dh_dsa_export = (dh_dsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_ECC]);
#ifndef OPENSSL_NO_EC
have_ecc_cert = cpk->valid_flags & CERT_PKEY_VALID;
have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
#endif
mask_k = 0;
mask_a = 0;
@ -2063,7 +2064,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
(x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
if (!(cpk->valid_flags & CERT_PKEY_SIGN))
if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
ecdsa_ok = 0;
ecc_pkey = X509_get_pubkey(x);
ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0;
@ -2204,7 +2205,7 @@ static int ssl_get_server_cert_index(const SSL *s)
return idx;
}
CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
{
CERT *c;
int i;
@ -2212,7 +2213,7 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
c = s->cert;
if (!s->s3 || !s->s3->tmp.new_cipher)
return NULL;
ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
ssl_set_masks(s, s->s3->tmp.new_cipher);
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
/*

16
ssl/ssl_locl.h
View File

@ -1295,6 +1295,12 @@ typedef struct ssl3_state_st {
const EVP_MD *peer_md;
/* Array of digests used for signing */
const EVP_MD *md[SSL_PKEY_NUM];
/*
* Set if corresponding CERT_PKEY can be used with current
* SSL session: e.g. appropriate curve, signature algorithms etc.
* If zero it can't be used at all.
*/
int valid_flags[SSL_PKEY_NUM];
} tmp;
/* Connection binding to prevent renegotiation attacks */
@ -1456,12 +1462,6 @@ typedef struct cert_pkey_st {
unsigned char *serverinfo;
size_t serverinfo_length;
# endif
/*
* Set if CERT_PKEY can be used with current SSL session: e.g.
* appropriate curve, signature algorithms etc. If zero it can't be used
* at all.
*/
int valid_flags;
} CERT_PKEY;
/* Retrieve Suite B flags */
# define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
@ -1916,14 +1916,14 @@ __owur int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other
int ssl_undefined_function(SSL *s);
__owur int ssl_undefined_void_function(void);
__owur int ssl_undefined_const_function(const SSL *s);
__owur CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
__owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s);
# ifndef OPENSSL_NO_TLSEXT
__owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
size_t *serverinfo_length);
# endif
__owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd);
__owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher);
__owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
__owur int ssl_verify_alarm_type(long type);
void ssl_load_ciphers(void);

25
ssl/t1_lib.c
View File

@ -2694,7 +2694,7 @@ int tls1_set_server_sigalgs(SSL *s)
/* Clear certificate digests and validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++) {
s->s3->tmp.md[i] = NULL;
s->cert->pkeys[i].valid_flags = 0;
s->s3->tmp.valid_flags[i] = 0;
}
/* If sigalgs received process it. */
@ -3450,6 +3450,7 @@ int tls1_process_sigalgs(SSL *s)
size_t i;
const EVP_MD *md;
const EVP_MD **pmd = s->s3->tmp.md;
int *pvalid = s->s3->tmp.valid_flags;
CERT *c = s->cert;
TLS_SIGALGS *sigptr;
if (!tls1_set_shared_sigalgs(s))
@ -3470,10 +3471,9 @@ int tls1_process_sigalgs(SSL *s)
idx = tls12_get_pkey_idx(sigs[1]);
md = tls12_get_hash(sigs[0]);
pmd[idx] = md;
c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
if (idx == SSL_PKEY_RSA_SIGN) {
c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
CERT_PKEY_EXPLICIT_SIGN;
pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
pmd[SSL_PKEY_RSA_ENC] = md;
}
}
@ -3486,10 +3486,9 @@ int tls1_process_sigalgs(SSL *s)
if (idx > 0 && pmd[idx] == NULL) {
md = tls12_get_hash(sigptr->rhash);
pmd[idx] = md;
c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
if (idx == SSL_PKEY_RSA_SIGN) {
c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
CERT_PKEY_EXPLICIT_SIGN;
pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
pmd[SSL_PKEY_RSA_ENC] = md;
}
}
@ -3882,6 +3881,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
int check_flags = 0, strict_mode;
CERT_PKEY *cpk = NULL;
CERT *c = s->cert;
int *pvalid;
unsigned int suiteb_flags = tls1_suiteb(s);
/* idx == -1 means checking server chains */
if (idx != -1) {
@ -3891,6 +3891,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
idx = cpk - c->pkeys;
} else
cpk = c->pkeys + idx;
pvalid = s->s3->tmp.valid_flags + idx;
x = cpk->x509;
pk = cpk->privatekey;
chain = cpk->chain;
@ -3903,7 +3904,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
CERT_PKEY_VALID | CERT_PKEY_SIGN;
cpk->valid_flags = rv;
*pvalid = rv;
return rv;
}
# endif
@ -3914,6 +3915,8 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
if (idx == -1)
return 0;
cpk = c->pkeys + idx;
pvalid = s->s3->tmp.valid_flags + idx;
if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
check_flags = CERT_PKEY_STRICT_FLAGS;
else
@ -4100,7 +4103,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
end:
if (TLS1_get_version(s) >= TLS1_2_VERSION) {
if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
else if (s->s3->tmp.md[idx] != NULL)
rv |= CERT_PKEY_SIGN;
@ -4113,10 +4116,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
*/
if (!check_flags) {
if (rv & CERT_PKEY_VALID)
cpk->valid_flags = rv;
*pvalid = rv;
else {
/* Preserve explicit sign flag, clear rest */
cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
*pvalid &= CERT_PKEY_EXPLICIT_SIGN;
return 0;
}
}