1From 3a8c7b1a08b2766a7f8a388eee14442281b4e295 Mon Sep 17 00:00:00 2001 2From: Adam Langley <agl@chromium.org> 3Date: Thu, 24 Jan 2013 16:27:14 -0500 4Subject: [PATCH 19/36] tls12_digests 5 6Fixes a bug with handling TLS 1.2 and digest functions for DSA and ECDSA 7keys. 8--- 9 ssl/s3_clnt.c | 26 +++++++++++++-- 10 ssl/ssl3.h | 11 +++++- 11 ssl/ssl_cert.c | 20 ----------- 12 ssl/ssl_lib.c | 35 +++++++++++-------- 13 ssl/ssl_locl.h | 4 +-- 14 ssl/t1_lib.c | 104 ++++++++++++++++++++------------------------------------- 15 6 files changed, 94 insertions(+), 106 deletions(-) 16 17diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c 18index c9196b3..1f3b376 100644 19--- a/ssl/s3_clnt.c 20+++ b/ssl/s3_clnt.c 21@@ -1990,12 +1990,13 @@ int ssl3_get_certificate_request(SSL *s) 22 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG); 23 goto err; 24 } 25- if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) 26+ if (llen & 1) 27 { 28 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 29 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR); 30 goto err; 31 } 32+ tls1_process_sigalgs(s, p, llen); 33 p += llen; 34 } 35 36@@ -3017,7 +3018,28 @@ int ssl3_send_client_verify(SSL *s) 37 { 38 long hdatalen = 0; 39 void *hdata; 40- const EVP_MD *md = s->cert->key->digest; 41+ const EVP_MD *md; 42+ switch (ssl_cert_type(NULL, pkey)) 43+ { 44+ case SSL_PKEY_RSA_ENC: 45+ md = s->s3->digest_rsa; 46+ break; 47+ case SSL_PKEY_DSA_SIGN: 48+ md = s->s3->digest_dsa; 49+ break; 50+ case SSL_PKEY_ECC: 51+ md = s->s3->digest_ecdsa; 52+ break; 53+ default: 54+ md = NULL; 55+ } 56+ if (!md) 57+ /* Unlike with the SignatureAlgorithm extension (sent by clients), 58+ * there are no default algorithms for the CertificateRequest message 59+ * (sent by servers). However, now that we've sent a certificate 60+ * for which we don't really know what hash to use for signing, the 61+ * best we can do is try a default algorithm. */ 62+ md = EVP_sha1(); 63 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, 64 &hdata); 65 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) 66diff --git a/ssl/ssl3.h b/ssl/ssl3.h 67index 29098e4..3229995 100644 68--- a/ssl/ssl3.h 69+++ b/ssl/ssl3.h 70@@ -550,6 +550,16 @@ typedef struct ssl3_state_st 71 * verified Channel ID from the client: a P256 point, (x,y), where 72 * each are big-endian values. */ 73 unsigned char tlsext_channel_id[64]; 74+ 75+ /* These point to the digest function to use for signatures made with 76+ * each type of public key. A NULL value indicates that the default 77+ * digest should be used, which is SHA1 as of TLS 1.2. 78+ * 79+ * (These should be in the tmp member, but we have to put them here to 80+ * ensure binary compatibility with earlier OpenSSL 1.0.* releases.) */ 81+ const EVP_MD *digest_rsa; 82+ const EVP_MD *digest_dsa; 83+ const EVP_MD *digest_ecdsa; 84 } SSL3_STATE; 85 86 #endif 87@@ -700,4 +710,3 @@ typedef struct ssl3_state_st 88 } 89 #endif 90 #endif 91- 92diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c 93index 5123a89..bc4150b 100644 94--- a/ssl/ssl_cert.c 95+++ b/ssl/ssl_cert.c 96@@ -160,21 +160,6 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void) 97 return ssl_x509_store_ctx_idx; 98 } 99 100-static void ssl_cert_set_default_md(CERT *cert) 101- { 102- /* Set digest values to defaults */ 103-#ifndef OPENSSL_NO_DSA 104- cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 105-#endif 106-#ifndef OPENSSL_NO_RSA 107- cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 108- cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 109-#endif 110-#ifndef OPENSSL_NO_ECDSA 111- cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 112-#endif 113- } 114- 115 CERT *ssl_cert_new(void) 116 { 117 CERT *ret; 118@@ -189,7 +174,6 @@ CERT *ssl_cert_new(void) 119 120 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]); 121 ret->references=1; 122- ssl_cert_set_default_md(ret); 123 return(ret); 124 } 125 126@@ -322,10 +306,6 @@ CERT *ssl_cert_dup(CERT *cert) 127 * chain is held inside SSL_CTX */ 128 129 ret->references=1; 130- /* Set digests to defaults. NB: we don't copy existing values as they 131- * will be set during handshake. 132- */ 133- ssl_cert_set_default_md(ret); 134 135 return(ret); 136 137diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c 138index 5f8b0b0..e360550 100644 139--- a/ssl/ssl_lib.c 140+++ b/ssl/ssl_lib.c 141@@ -2345,32 +2345,41 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) 142 { 143 unsigned long alg_a; 144 CERT *c; 145- int idx = -1; 146 147 alg_a = cipher->algorithm_auth; 148 c=s->cert; 149 150+ /* SHA1 is the default for all signature algorithms up to TLS 1.2, 151+ * except RSA which is handled specially in s3_srvr.c */ 152+ if (pmd) 153+ *pmd = EVP_sha1(); 154+ 155 if ((alg_a & SSL_aDSS) && 156- (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) 157- idx = SSL_PKEY_DSA_SIGN; 158+ (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) 159+ { 160+ if (pmd && s->s3 && s->s3->digest_dsa) 161+ *pmd = s->s3->digest_dsa; 162+ return c->pkeys[SSL_PKEY_DSA_SIGN].privatekey; 163+ } 164 else if (alg_a & SSL_aRSA) 165 { 166+ if (pmd && s->s3 && s->s3->digest_rsa) 167+ *pmd = s->s3->digest_rsa; 168 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) 169- idx = SSL_PKEY_RSA_SIGN; 170- else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) 171- idx = SSL_PKEY_RSA_ENC; 172+ return c->pkeys[SSL_PKEY_RSA_SIGN].privatekey; 173+ if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) 174+ return c->pkeys[SSL_PKEY_RSA_ENC].privatekey; 175 } 176 else if ((alg_a & SSL_aECDSA) && 177 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) 178- idx = SSL_PKEY_ECC; 179- if (idx == -1) 180 { 181- SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); 182- return(NULL); 183+ if (pmd && s->s3 && s->s3->digest_ecdsa) 184+ *pmd = s->s3->digest_ecdsa; 185+ return c->pkeys[SSL_PKEY_ECC].privatekey; 186 } 187- if (pmd) 188- *pmd = c->pkeys[idx].digest; 189- return c->pkeys[idx].privatekey; 190+ 191+ SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); 192+ return(NULL); 193 } 194 195 void ssl_update_cache(SSL *s,int mode) 196@@ -3138,26 +3160,15 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) 197 198 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) 199 { 200- CERT *ocert = ssl->cert; 201 if (ssl->ctx == ctx) 202 return ssl->ctx; 203 #ifndef OPENSSL_NO_TLSEXT 204 if (ctx == NULL) 205 ctx = ssl->initial_ctx; 206 #endif 207+ if (ssl->cert != NULL) 208+ ssl_cert_free(ssl->cert); 209 ssl->cert = ssl_cert_dup(ctx->cert); 210- if (ocert != NULL) 211- { 212- int i; 213- /* Copy negotiated digests from original */ 214- for (i = 0; i < SSL_PKEY_NUM; i++) 215- { 216- CERT_PKEY *cpk = ocert->pkeys + i; 217- CERT_PKEY *rpk = ssl->cert->pkeys + i; 218- rpk->digest = cpk->digest; 219- } 220- ssl_cert_free(ocert); 221- } 222 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); 223 if (ssl->ctx != NULL) 224 SSL_CTX_free(ssl->ctx); /* decrement reference count */ 225diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h 226index 6d38f0f..3e89fcb 100644 227--- a/ssl/ssl_locl.h 228+++ b/ssl/ssl_locl.h 229@@ -485,8 +485,6 @@ typedef struct cert_pkey_st 230 { 231 X509 *x509; 232 EVP_PKEY *privatekey; 233- /* Digest to use when signing */ 234- const EVP_MD *digest; 235 } CERT_PKEY; 236 237 typedef struct cert_st 238@@ -1142,7 +1140,7 @@ int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, 239 int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, 240 int *al); 241 long ssl_get_algorithm2(SSL *s); 242-int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize); 243+void tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize); 244 int tls12_get_req_sig_algs(SSL *s, unsigned char *p); 245 246 int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); 247diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c 248index 26805e4..6af51a9 100644 249--- a/ssl/t1_lib.c 250+++ b/ssl/t1_lib.c 251@@ -897,6 +897,13 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in 252 253 s->servername_done = 0; 254 s->tlsext_status_type = -1; 255+ 256+ /* Reset TLS 1.2 digest functions to defaults because they don't carry 257+ * over to a renegotiation. */ 258+ s->s3->digest_rsa = NULL; 259+ s->s3->digest_dsa = NULL; 260+ s->s3->digest_ecdsa = NULL; 261+ 262 #ifndef OPENSSL_NO_NEXTPROTONEG 263 s->s3->next_proto_neg_seen = 0; 264 #endif 265@@ -1198,11 +1205,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in 266 *al = SSL_AD_DECODE_ERROR; 267 return 0; 268 } 269- if (!tls1_process_sigalgs(s, data, dsize)) 270- { 271- *al = SSL_AD_DECODE_ERROR; 272- return 0; 273- } 274+ tls1_process_sigalgs(s, data, dsize); 275 } 276 else if (type == TLSEXT_TYPE_status_request && 277 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 278@@ -2354,18 +2357,6 @@ static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 279 } 280 return -1; 281 } 282-#if 0 283-static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) 284- { 285- size_t i; 286- for (i = 0; i < tlen; i++) 287- { 288- if (table[i].id == id) 289- return table[i].nid; 290- } 291- return -1; 292- } 293-#endif 294 295 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 296 { 297@@ -2384,6 +2375,8 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 298 return 1; 299 } 300 301+/* tls12_get_sigid returns the TLS 1.2 SignatureAlgorithm value corresponding 302+ * to the given public key, or -1 if not known. */ 303 int tls12_get_sigid(const EVP_PKEY *pk) 304 { 305 return tls12_find_id(pk->type, tls12_sig, 306@@ -2403,47 +2396,49 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg) 307 return EVP_md5(); 308 #endif 309 #ifndef OPENSSL_NO_SHA 310- case TLSEXT_hash_sha1: 311+ case TLSEXT_hash_sha1: 312 return EVP_sha1(); 313 #endif 314 #ifndef OPENSSL_NO_SHA256 315- case TLSEXT_hash_sha224: 316+ case TLSEXT_hash_sha224: 317 return EVP_sha224(); 318 319- case TLSEXT_hash_sha256: 320+ case TLSEXT_hash_sha256: 321 return EVP_sha256(); 322 #endif 323 #ifndef OPENSSL_NO_SHA512 324- case TLSEXT_hash_sha384: 325+ case TLSEXT_hash_sha384: 326 return EVP_sha384(); 327 328- case TLSEXT_hash_sha512: 329+ case TLSEXT_hash_sha512: 330 return EVP_sha512(); 331 #endif 332- default: 333+ default: 334 return NULL; 335 336 } 337 } 338 339-/* Set preferred digest for each key type */ 340- 341-int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 342+/* tls1_process_sigalgs processes a signature_algorithms extension and sets the 343+ * digest functions accordingly for each key type. 344+ * 345+ * See RFC 5246, section 7.4.1.4.1. 346+ * 347+ * data: points to the content of the extension, not including type and length 348+ * headers. 349+ * dsize: the number of bytes of |data|. Must be even. 350+ */ 351+void tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 352 { 353- int i, idx; 354- const EVP_MD *md; 355- CERT *c = s->cert; 356+ int i; 357+ const EVP_MD *md, **digest_ptr; 358 /* Extension ignored for TLS versions below 1.2 */ 359 if (TLS1_get_version(s) < TLS1_2_VERSION) 360- return 1; 361- /* Should never happen */ 362- if (!c) 363- return 0; 364+ return; 365 366- c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 367- c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 368- c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 369- c->pkeys[SSL_PKEY_ECC].digest = NULL; 370+ s->s3->digest_rsa = NULL; 371+ s->s3->digest_dsa = NULL; 372+ s->s3->digest_ecdsa = NULL; 373 374 for (i = 0; i < dsize; i += 2) 375 { 376@@ -2453,56 +2448,31 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 377 { 378 #ifndef OPENSSL_NO_RSA 379 case TLSEXT_signature_rsa: 380- idx = SSL_PKEY_RSA_SIGN; 381+ digest_ptr = &s->s3->digest_rsa; 382 break; 383 #endif 384 #ifndef OPENSSL_NO_DSA 385 case TLSEXT_signature_dsa: 386- idx = SSL_PKEY_DSA_SIGN; 387+ digest_ptr = &s->s3->digest_dsa; 388 break; 389 #endif 390 #ifndef OPENSSL_NO_ECDSA 391 case TLSEXT_signature_ecdsa: 392- idx = SSL_PKEY_ECC; 393+ digest_ptr = &s->s3->digest_ecdsa; 394 break; 395 #endif 396 default: 397 continue; 398 } 399 400- if (c->pkeys[idx].digest == NULL) 401+ if (*digest_ptr == NULL) 402 { 403 md = tls12_get_hash(hash_alg); 404 if (md) 405- { 406- c->pkeys[idx].digest = md; 407- if (idx == SSL_PKEY_RSA_SIGN) 408- c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 409- } 410+ *digest_ptr = md; 411 } 412 413 } 414- 415- 416- /* Set any remaining keys to default values. NOTE: if alg is not 417- * supported it stays as NULL. 418- */ 419-#ifndef OPENSSL_NO_DSA 420- if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 421- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 422-#endif 423-#ifndef OPENSSL_NO_RSA 424- if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 425- { 426- c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 427- c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 428- } 429-#endif 430-#ifndef OPENSSL_NO_ECDSA 431- if (!c->pkeys[SSL_PKEY_ECC].digest) 432- c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 433-#endif 434- return 1; 435 } 436 437 #endif 438-- 4391.8.2.1 440 441