[openssl] master update
kaduk at mit.edu
kaduk at mit.edu
Wed Jun 26 17:57:36 UTC 2019
The branch master has been updated
via 29948ac80c1388cfeb0bd64539ac1fa6e0bb8990 (commit)
via 6f34d7bc7d0c7fcd86c6f2772f26e42c925d8505 (commit)
via 7cb8fb07e8b71dc1fdcb0de10af7fed4347f6ea4 (commit)
from b11327929294cf825e4759d97af6f174bd6b081c (commit)
- Log -----------------------------------------------------------------
commit 29948ac80c1388cfeb0bd64539ac1fa6e0bb8990
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Thu Jun 13 12:26:12 2019 -0700
Move 'shared_sigalgs' from cert_st to ssl_st
It was only ever in cert_st because ssl_st was a public structure
and could not be modified without breaking the API. However, both
structures are now opaque, and thus we can freely change their layout
without breaking applications. In this case, keeping the shared
sigalgs in the SSL object prevents complications wherein they would
inadvertently get cleared during SSL_set_SSL_CTX() (e.g., as run
during a cert_cb).
Fixes #9099
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9157)
commit 6f34d7bc7d0c7fcd86c6f2772f26e42c925d8505
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Thu Jun 13 12:04:52 2019 -0700
Revert "Delay setting the sig algs until after the cert_cb has been called"
This reverts commit 524006dd1b80c1a86a20119ad988666a80d8d8f5.
While this change did prevent the sigalgs from getting inadvertently
clobbered by SSL_set_SSL_CTX(), it also caused the sigalgs to not be
set when the cert_cb runs. This, in turn, caused significant breakage,
such as SSL_check_chain() failing to find any valid chain. An alternate
approach to fixing the issue from #7244 will follow.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9157)
commit 7cb8fb07e8b71dc1fdcb0de10af7fed4347f6ea4
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Thu Jun 13 12:02:03 2019 -0700
Add regression test for #9099
Augment the cert_cb sslapitest to include a run that uses
SSL_check_chain() to inspect the certificate prior to installing
it on the SSL object. If the check shows the certificate as not
valid in that context, we do not install a certificate at all, so
the handshake will fail later on in processing (tls_choose_sigalg()),
exposing the indicated regression.
Currently it fails, since we have not yet set the shared sigalgs
by the time the cert_cb runs.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9157)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_cert.c | 3 ---
ssl/ssl_lib.c | 6 +++++
ssl/ssl_locl.h | 13 ++++++-----
ssl/statem/statem_srvr.c | 32 ++++++++++++--------------
ssl/t1_lib.c | 60 +++++++++++++++++++++++-------------------------
test/sslapitest.c | 40 ++++++++++++++++++++++++++++++--
6 files changed, 95 insertions(+), 59 deletions(-)
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 04963f1..5538e4d 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -154,8 +154,6 @@ CERT *ssl_cert_dup(CERT *cert)
ret->client_sigalgslen = cert->client_sigalgslen;
} else
ret->client_sigalgs = NULL;
- /* Shared sigalgs also NULL */
- ret->shared_sigalgs = NULL;
/* Copy any custom client certificate types */
if (cert->ctype) {
ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len);
@@ -240,7 +238,6 @@ void ssl_cert_free(CERT *c)
ssl_cert_clear_certs(c);
OPENSSL_free(c->conf_sigalgs);
OPENSSL_free(c->client_sigalgs);
- OPENSSL_free(c->shared_sigalgs);
OPENSSL_free(c->ctype);
X509_STORE_free(c->verify_store);
X509_STORE_free(c->chain_store);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d15b743..211a828 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -629,6 +629,11 @@ int SSL_clear(SSL *s)
/* Clear the verification result peername */
X509_VERIFY_PARAM_move_peername(s->param, NULL);
+ /* Clear any shared connection state */
+ OPENSSL_free(s->shared_sigalgs);
+ s->shared_sigalgs = NULL;
+ s->shared_sigalgslen = 0;
+
/*
* Check to see if we were changed into a different method, if so, revert
* back.
@@ -1182,6 +1187,7 @@ void SSL_free(SSL *s)
clear_ciphers(s);
ssl_cert_free(s->cert);
+ OPENSSL_free(s->shared_sigalgs);
/* Free up if allocated */
OPENSSL_free(s->ext.hostname);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index a61987f..269f542 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1661,6 +1661,13 @@ struct ssl_st {
/* Callback for SSL async handling */
SSL_async_callback_fn async_cb;
void *async_cb_arg;
+
+ /*
+ * Signature algorithms shared by client and server: cached because these
+ * are used most often.
+ */
+ const struct sigalg_lookup_st **shared_sigalgs;
+ size_t shared_sigalgslen;
};
/*
@@ -1926,12 +1933,6 @@ typedef struct cert_st {
/* Size of above array */
size_t client_sigalgslen;
/*
- * Signature algorithms shared by client and server: cached because these
- * are used most often.
- */
- const SIGALG_LOOKUP **shared_sigalgs;
- size_t shared_sigalgslen;
- /*
* Certificate setup callback: if set is called whenever a certificate
* may be required (client or server). the callback can then examine any
* appropriate parameters and setup any certificates required. This
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 79c2aa0..acd3e27 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2065,6 +2065,10 @@ static int tls_early_post_process_client_hello(SSL *s)
#else
s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
#endif
+ if (!tls1_set_server_sigalgs(s)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
}
sk_SSL_CIPHER_free(ciphers);
@@ -2232,25 +2236,19 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
if (wst == WORK_MORE_B) {
if (!s->hit || SSL_IS_TLS13(s)) {
/* Let cert callback update server certificates if required */
- if (!s->hit) {
- if (s->cert->cert_cb != NULL) {
- int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
- if (rv == 0) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
- SSL_R_CERT_CB_ERROR);
- goto err;
- }
- if (rv < 0) {
- s->rwstate = SSL_X509_LOOKUP;
- return WORK_MORE_B;
- }
- s->rwstate = SSL_NOTHING;
- }
- if (!tls1_set_server_sigalgs(s)) {
- /* SSLfatal already called */
+ if (!s->hit && s->cert->cert_cb != NULL) {
+ int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
+ if (rv == 0) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
+ SSL_R_CERT_CB_ERROR);
goto err;
}
+ if (rv < 0) {
+ s->rwstate = SSL_X509_LOOKUP;
+ return WORK_MORE_B;
+ }
+ s->rwstate = SSL_NOTHING;
}
/* In TLSv1.3 we selected the ciphersuite before resumption */
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 95622de..05c4ba5 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -650,7 +650,6 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
if (check_ee_md && tls1_suiteb(s)) {
int check_md;
size_t i;
- CERT *c = s->cert;
/* Check to see we have necessary signing algorithm */
if (group_id == TLSEXT_curve_P_256)
@@ -659,8 +658,8 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
check_md = NID_ecdsa_with_SHA384;
else
return 0; /* Should never happen */
- for (i = 0; i < c->shared_sigalgslen; i++) {
- if (check_md == c->shared_sigalgs[i]->sigandhash)
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ if (check_md == s->shared_sigalgs[i]->sigandhash)
return 1;;
}
return 0;
@@ -1287,9 +1286,9 @@ int tls1_set_server_sigalgs(SSL *s)
size_t i;
/* Clear any shared signature algorithms */
- OPENSSL_free(s->cert->shared_sigalgs);
- s->cert->shared_sigalgs = NULL;
- s->cert->shared_sigalgslen = 0;
+ OPENSSL_free(s->shared_sigalgs);
+ s->shared_sigalgs = NULL;
+ s->shared_sigalgslen = 0;
/* Clear certificate validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++)
s->s3.tmp.valid_flags[i] = 0;
@@ -1324,7 +1323,7 @@ int tls1_set_server_sigalgs(SSL *s)
SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
return 0;
}
- if (s->cert->shared_sigalgs != NULL)
+ if (s->shared_sigalgs != NULL)
return 1;
/* Fatal error if no shared signature algorithms */
@@ -1796,9 +1795,9 @@ static int tls1_set_shared_sigalgs(SSL *s)
CERT *c = s->cert;
unsigned int is_suiteb = tls1_suiteb(s);
- OPENSSL_free(c->shared_sigalgs);
- c->shared_sigalgs = NULL;
- c->shared_sigalgslen = 0;
+ OPENSSL_free(s->shared_sigalgs);
+ s->shared_sigalgs = NULL;
+ s->shared_sigalgslen = 0;
/* If client use client signature algorithms if not NULL */
if (!s->server && c->client_sigalgs && !is_suiteb) {
conf = c->client_sigalgs;
@@ -1829,8 +1828,8 @@ static int tls1_set_shared_sigalgs(SSL *s)
} else {
salgs = NULL;
}
- c->shared_sigalgs = salgs;
- c->shared_sigalgslen = nmatch;
+ s->shared_sigalgs = salgs;
+ s->shared_sigalgslen = nmatch;
return 1;
}
@@ -1891,7 +1890,6 @@ int tls1_process_sigalgs(SSL *s)
{
size_t i;
uint32_t *pvalid = s->s3.tmp.valid_flags;
- CERT *c = s->cert;
if (!tls1_set_shared_sigalgs(s))
return 0;
@@ -1899,8 +1897,8 @@ int tls1_process_sigalgs(SSL *s)
for (i = 0; i < SSL_PKEY_NUM; i++)
pvalid[i] = 0;
- for (i = 0; i < c->shared_sigalgslen; i++) {
- const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
int idx = sigptr->sig_idx;
/* Ignore PKCS1 based sig algs in TLSv1.3 */
@@ -1947,12 +1945,12 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
unsigned char *rsig, unsigned char *rhash)
{
const SIGALG_LOOKUP *shsigalgs;
- if (s->cert->shared_sigalgs == NULL
+ if (s->shared_sigalgs == NULL
|| idx < 0
- || idx >= (int)s->cert->shared_sigalgslen
- || s->cert->shared_sigalgslen > INT_MAX)
+ || idx >= (int)s->shared_sigalgslen
+ || s->shared_sigalgslen > INT_MAX)
return 0;
- shsigalgs = s->cert->shared_sigalgs[idx];
+ shsigalgs = s->shared_sigalgs[idx];
if (phash != NULL)
*phash = shsigalgs->hash;
if (psign != NULL)
@@ -1963,7 +1961,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
*rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
if (rhash != NULL)
*rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
- return (int)s->cert->shared_sigalgslen;
+ return (int)s->shared_sigalgslen;
}
/* Maximum possible number of unique entries in sigalgs array */
@@ -2144,7 +2142,7 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
return 0;
}
-static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
+static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
{
int sig_nid;
size_t i;
@@ -2153,8 +2151,8 @@ static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
sig_nid = X509_get_signature_nid(x);
if (default_nid)
return sig_nid == default_nid ? 1 : 0;
- for (i = 0; i < c->shared_sigalgslen; i++)
- if (sig_nid == c->shared_sigalgs[i]->sigandhash)
+ for (i = 0; i < s->shared_sigalgslen; i++)
+ if (sig_nid == s->shared_sigalgs[i]->sigandhash)
return 1;
return 0;
}
@@ -2312,14 +2310,14 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
}
}
/* Check signature algorithm of each cert in chain */
- if (!tls1_check_sig_alg(c, x, default_nid)) {
+ if (!tls1_check_sig_alg(s, x, default_nid)) {
if (!check_flags)
goto end;
} else
rv |= CERT_PKEY_EE_SIGNATURE;
rv |= CERT_PKEY_CA_SIGNATURE;
for (i = 0; i < sk_X509_num(chain); i++) {
- if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
+ if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
if (check_flags) {
rv &= ~CERT_PKEY_CA_SIGNATURE;
break;
@@ -2684,8 +2682,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
#endif
/* Look for a certificate matching shared sigalgs */
- for (i = 0; i < s->cert->shared_sigalgslen; i++) {
- lu = s->cert->shared_sigalgs[i];
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ lu = s->shared_sigalgs[i];
sig_idx = -1;
/* Skip SHA1, SHA224, DSA and RSA if not PSS */
@@ -2719,7 +2717,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
}
break;
}
- if (i == s->cert->shared_sigalgslen) {
+ if (i == s->shared_sigalgslen) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
@@ -2752,8 +2750,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
* Find highest preference signature algorithm matching
* cert type
*/
- for (i = 0; i < s->cert->shared_sigalgslen; i++) {
- lu = s->cert->shared_sigalgs[i];
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ lu = s->shared_sigalgs[i];
if (s->server) {
if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
@@ -2780,7 +2778,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
#endif
break;
}
- if (i == s->cert->shared_sigalgslen) {
+ if (i == s->shared_sigalgslen) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 9a993f7..bc1f006 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -6239,6 +6239,9 @@ static int cert_cb_cnt;
static int cert_cb(SSL *s, void *arg)
{
SSL_CTX *ctx = (SSL_CTX *)arg;
+ BIO *in = NULL;
+ EVP_PKEY *pkey = NULL;
+ X509 *x509 = NULL;
if (cert_cb_cnt == 0) {
/* Suspend the handshake */
@@ -6259,9 +6262,39 @@ static int cert_cb(SSL *s, void *arg)
return 0;
cert_cb_cnt++;
return 1;
+ } else if (cert_cb_cnt == 3) {
+ int rv;
+ if (!TEST_ptr(in = BIO_new(BIO_s_file()))
+ || !TEST_int_ge(BIO_read_filename(in, cert), 0)
+ || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
+ goto out;
+ BIO_free(in);
+ if (!TEST_ptr(in = BIO_new(BIO_s_file()))
+ || !TEST_int_ge(BIO_read_filename(in, privkey), 0)
+ || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
+ goto out;
+ rv = SSL_check_chain(s, x509, pkey, NULL);
+ /*
+ * If the cert doesn't show as valid here (e.g., because we don't
+ * have any shared sigalgs), then we will not set it, and there will
+ * be no certificate at all on the SSL or SSL_CTX. This, in turn,
+ * will cause tls_choose_sigalgs() to fail the connection.
+ */
+ if ((rv & CERT_PKEY_VALID)) {
+ if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
+ goto out;
+ }
+ BIO_free(in);
+ EVP_PKEY_free(pkey);
+ X509_free(x509);
+ return 1;
}
/* Abort the handshake */
+ out:
+ BIO_free(in);
+ EVP_PKEY_free(pkey);
+ X509_free(x509);
return 0;
}
@@ -6286,6 +6319,8 @@ static int test_cert_cb_int(int prot, int tst)
if (tst == 0)
cert_cb_cnt = -1;
+ else if (tst == 3)
+ cert_cb_cnt = 3;
else
cert_cb_cnt = 0;
if (tst == 2)
@@ -6298,7 +6333,8 @@ static int test_cert_cb_int(int prot, int tst)
ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
if (!TEST_true(tst == 0 ? !ret : ret)
- || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
+ || (tst > 0
+ && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
goto end;
}
@@ -6686,7 +6722,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
ADD_ALL_TESTS(test_ticket_callbacks, 12);
ADD_ALL_TESTS(test_shutdown, 7);
- ADD_ALL_TESTS(test_cert_cb, 3);
+ ADD_ALL_TESTS(test_cert_cb, 4);
ADD_ALL_TESTS(test_client_cert_cb, 2);
ADD_ALL_TESTS(test_ca_names, 3);
return 1;
More information about the openssl-commits
mailing list