[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Fri Mar 3 23:26:08 UTC 2017


The branch master has been updated
       via  8336ca13b1be5358621da075eac7a0ab5dc2bd10 (commit)
       via  5528d68f6d716f3bd0b75d0fd223fb866a96346c (commit)
       via  b0e9ab95ddda78921545ee93a337e23ee99ea5ea (commit)
       via  8f12296e2356a0daf751cbc00aed14d4c31a2476 (commit)
       via  224b4e37c075f5bbe1573a90a1dc5e5d9a91d9c1 (commit)
      from  dbaa069a5eb7892b3178a21839a0e14b8d808d81 (commit)


- Log -----------------------------------------------------------------
commit 8336ca13b1be5358621da075eac7a0ab5dc2bd10
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Mar 3 21:02:42 2017 +0000

    Update and add test
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2840)

commit 5528d68f6d716f3bd0b75d0fd223fb866a96346c
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Mar 3 03:23:27 2017 +0000

    Set specific error if we have no valid signature algorithms set
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2840)

commit b0e9ab95ddda78921545ee93a337e23ee99ea5ea
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Mar 3 03:10:13 2017 +0000

    Signature algorithm enhancement.
    
    Change tls12_sigalg_allowed() so it is passed a SIGALG_LOOKUP parameter,
    this avoids multiple lookups.
    
    When we copy signature algorithms return an error if no valid TLS message
    signing algorithm is present. For TLS 1.3 this means we need at least one
    signature algorithm other than RSA PKCS#1 or SHA1 both of which can only be
    used to sign certificates and not TLS messages.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2840)

commit 8f12296e2356a0daf751cbc00aed14d4c31a2476
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Mar 3 02:44:18 2017 +0000

    Disallow zero length signature algorithms
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2840)

commit 224b4e37c075f5bbe1573a90a1dc5e5d9a91d9c1
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Mar 1 17:15:43 2017 +0000

    Don't allow DSA for TLS 1.3
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2840)

-----------------------------------------------------------------------

Summary of changes:
 include/openssl/ssl.h                 |  1 +
 ssl/ssl_err.c                         |  3 +-
 ssl/statem/statem_srvr.c              |  1 +
 ssl/t1_lib.c                          | 63 ++++++++++++++++++++---------------
 test/ssl-tests/20-cert-select.conf.in | 14 +++++++-
 5 files changed, 54 insertions(+), 28 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 2b4464c..64a312c 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2317,6 +2317,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_SSL_WRITE_INTERNAL                         524
 # define SSL_F_STATE_MACHINE                              353
 # define SSL_F_TLS12_CHECK_PEER_SIGALG                    333
+# define SSL_F_TLS12_COPY_SIGALGS                         533
 # define SSL_F_TLS13_CHANGE_CIPHER_STATE                  440
 # define SSL_F_TLS13_SETUP_KEY_BLOCK                      441
 # define SSL_F_TLS1_CHANGE_CIPHER_STATE                   209
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 6fe8e6e..0ace985 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -256,11 +256,12 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "ssl_verify_cert_chain"},
     {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
     {ERR_FUNC(SSL_F_SSL_WRITE_EARLY_DATA), "SSL_write_early_data"},
-    {ERR_FUNC(SSL_F_SSL_WRITE_EARLY_FINISH), "SSL_write_early_finish"},
+    {ERR_FUNC(SSL_F_SSL_WRITE_EARLY_FINISH), "ssl_write_early_finish"},
     {ERR_FUNC(SSL_F_SSL_WRITE_EX), "SSL_write_ex"},
     {ERR_FUNC(SSL_F_SSL_WRITE_INTERNAL), "ssl_write_internal"},
     {ERR_FUNC(SSL_F_STATE_MACHINE), "state_machine"},
     {ERR_FUNC(SSL_F_TLS12_CHECK_PEER_SIGALG), "tls12_check_peer_sigalg"},
+    {ERR_FUNC(SSL_F_TLS12_COPY_SIGALGS), "tls12_copy_sigalgs"},
     {ERR_FUNC(SSL_F_TLS13_CHANGE_CIPHER_STATE), "tls13_change_cipher_state"},
     {ERR_FUNC(SSL_F_TLS13_SETUP_KEY_BLOCK), "tls13_setup_key_block"},
     {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "tls1_change_cipher_state"},
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 7414c19..6c007a1 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2497,6 +2497,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
         size_t nl = tls12_get_psigalgs(s, 1, &psigs);
 
         if (!WPACKET_start_sub_packet_u16(pkt)
+                || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
                 || !tls12_copy_sigalgs(s, pkt, psigs, nl)
                 || !WPACKET_close(pkt)) {
             SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
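Review bot: The added `WPACKET_set_flags` line carries no comment saying why an empty sub-packet must be rejected; a line such as `/* An empty supported_signature_algorithms list is malformed on the wire (RFC 5246 gives the vector a non-zero minimum length) */` above it would record the reason. With this series tls12_copy_sigalgs itself returns 0 (queueing SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM) when nothing usable was written, so the flag now acts as a wire-level backstop rather than the primary check. The SSLerr on the last visible line then pushes a second reason code on top of that specific one; its reason argument, like the rest of tls_construct_certificate_request, is outside the hunk.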
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 099dcdb..5ab7223 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -828,13 +828,6 @@ int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
     return 1;
 }
 
-static int tls_sigalg_get_sig(uint16_t sigalg)
-{
-    const SIGALG_LOOKUP *r = tls1_lookup_sigalg(sigalg);
-
-    return r != NULL ? r->sig : 0;
-}
-
 size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
 {
     /*
@@ -1387,23 +1380,25 @@ static int tls12_get_pkey_idx(int sig_nid)
 }
 
 /* Check to see if a signature algorithm is allowed */
-static int tls12_sigalg_allowed(SSL *s, int op, uint16_t ptmp)
+static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
 {
-    const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(ptmp);
     unsigned char sigalgstr[2];
     int secbits;
 
     /* See if sigalgs is recognised and if hash is enabled */
     if (lu == NULL || ssl_md(lu->hash_idx) == NULL)
         return 0;
+    /* DSA is not allowed in TLS 1.3 */
+    if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
+        return 0;
     /* See if public key algorithm allowed */
     if (tls12_get_pkey_idx(lu->sig) == -1)
         return 0;
     /* Security bits: half digest bits */
     secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
     /* Finally see if security callback allows it */
-    sigalgstr[0] = (ptmp >> 8) & 0xff;
-    sigalgstr[1] = ptmp & 0xff;
+    sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
+    sigalgstr[1] = lu->sigalg & 0xff;
     return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
 }
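Review bot: The header comment on tls12_sigalg_allowed should now state the changed contract: `lu` may be NULL (the new callers in tls12_copy_sigalgs and tls12_shared_sigalgs pass the unchecked result of tls1_lookup_sigalg and rely on the `lu == NULL` guard here), and this function decides general admissibility only. The DSA exclusion for TLS 1.3 lives here, while the rule that RSA PKCS#1 and SHA1 cannot sign TLS 1.3 messages is deliberately left to tls12_copy_sigalgs so those algorithms can still be advertised for certificate signatures. Something like `/* Return non-zero if lu (may be NULL) is an allowed sigalg: recognised, hash enabled, not DSA under TLS 1.3, key type supported and accepted by the security callback. */` above the definition would make that split explicit.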
 
@@ -1425,24 +1420,28 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
      */
     sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
     for (i = 0; i < sigalgslen; i ++, sigalgs++) {
-        switch (tls_sigalg_get_sig(*sigalgs)) {
+        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
+
+        if (lu == NULL)
+            continue;
+        switch (lu->sig) {
 #ifndef OPENSSL_NO_RSA
         /* Any RSA-PSS signature algorithms also mean we allow RSA */
         case EVP_PKEY_RSA_PSS:
         case EVP_PKEY_RSA:
-            if (!have_rsa && tls12_sigalg_allowed(s, op, *sigalgs))
+            if (!have_rsa && tls12_sigalg_allowed(s, op, lu))
                 have_rsa = 1;
             break;
 #endif
 #ifndef OPENSSL_NO_DSA
         case EVP_PKEY_DSA:
-            if (!have_dsa && tls12_sigalg_allowed(s, op, *sigalgs))
+            if (!have_dsa && tls12_sigalg_allowed(s, op, lu))
                 have_dsa = 1;
             break;
 #endif
 #ifndef OPENSSL_NO_EC
         case EVP_PKEY_EC:
-            if (!have_ecdsa && tls12_sigalg_allowed(s, op, *sigalgs))
+            if (!have_ecdsa && tls12_sigalg_allowed(s, op, lu))
                 have_ecdsa = 1;
             break;
 #endif
@@ -1460,14 +1459,26 @@ int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
                        const uint16_t *psig, size_t psiglen)
 {
     size_t i;
+    int rv = 0;
 
     for (i = 0; i < psiglen; i++, psig++) {
-        if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, *psig)) {
-            if (!WPACKET_put_bytes_u16(pkt, *psig))
-                return 0;
-        }
+        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);
+
+        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
+            continue;
+        if (!WPACKET_put_bytes_u16(pkt, *psig))
+            return 0;
+        /*
+         * If TLS 1.3 must have at least one valid TLS 1.3 message
+         * signing algorithm: i.e. neither RSA nor SHA1
+         */
+        if (rv == 0 && (!SSL_IS_TLS13(s)
+            || (lu->sig != EVP_PKEY_RSA && lu->hash != NID_sha1)))
+            rv = 1;
     }
-    return 1;
+    if (rv == 0)
+        SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+    return rv;
 }
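Review bot: The return contract of tls12_copy_sigalgs changes here but is not documented: it now returns 1 only when at least one algorithm usable for TLS message signing was written (for TLS 1.3 that excludes RSA PKCS#1 and SHA1 entries, which are still emitted because they remain valid for certificate signatures) and otherwise returns 0 with SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM queued, so `psiglen == 0` is now a failure; the signature sits on the hunk header, so the function starts outside the hunk. A header comment stating this would save the next reader from re-deriving it from the `rv` logic, and a one-line `/* lu is non-NULL here: tls12_sigalg_allowed() rejects NULL */` before the `lu->sig` / `lu->hash` test would justify the unguarded dereference. The `WPACKET_put_bytes_u16` failure path still returns 0 without queueing a reason, so the two zero returns are distinguishable only via the error queue; a short comment noting that the caller reports packet errors would make the asymmetry deliberate rather than accidental.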
 
 /* Given preference and allowed sigalgs set shared sigalgs */
@@ -1478,16 +1489,16 @@ static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
     const uint16_t *ptmp, *atmp;
     size_t i, j, nmatch = 0;
     for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
+        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);
+
         /* Skip disabled hashes or signature algorithms */
-        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, *ptmp))
+        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
             continue;
         for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
             if (*ptmp == *atmp) {
                 nmatch++;
-                if (shsig) {
-                    *shsig = tls1_lookup_sigalg(*ptmp);
-                    shsig++;
-                }
+                if (shsig)
+                    *shsig++ = lu;
                 break;
             }
         }
@@ -1560,7 +1571,7 @@ int tls1_save_sigalgs(SSL *s, PACKET *pkt)
     size = PACKET_remaining(pkt);
 
     /* Invalid data length */
-    if ((size & 1) != 0)
+    if (size == 0 || (size & 1) != 0)
         return 0;
 
     size >>= 1;
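Review bot: The comment `/* Invalid data length */` above the changed condition no longer describes both halves of it; `/* Invalid data length: the list must be non-empty and a whole number of 2-byte entries */` would cover the new `size == 0` rejection as well. tls1_save_sigalgs starts and ends outside the hunk, so how the 0 return is reported to the peer cannot be checked here.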
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index 1dd7860..3d50f02 100644
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -334,6 +334,18 @@ my @tests_tls_1_3 = (
             "ExpectedResult" => "Success"
         },
     },
+    {
+        name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
+        server => {
+            "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+            "VerifyMode" => "Request"
+        },
+        client => {},
+        test   => {
+            "ExpectedResult" => "ServerFail"
+        },
+    },
 );
 
 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
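Review bot: The new "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms" case expects `ServerFail` without saying why, and the derivation is not obvious from the list alone; a comment above the `server` block such as `# None of these can sign TLS 1.3 messages: SHA1, DSA and RSA PKCS#1 are all excluded` would tie the expectation to the behaviour being tested. The same applies to the `ECDSA+SHA256` added to the DSA TLS 1.3 client list in the following hunk, which exists so that list still contains one usable algorithm.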
@@ -370,7 +382,7 @@ my @tests_dsa_tls_1_3 = (
             "CipherString" => "ALL",
         },
         client => {
-            "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256",
+            "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
             "CipherString" => "ALL",
         },
         test   => {

