Make tls1_check_chain return a set of flags indicating checks passed
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.
Print out results of checks for each candidate chain tested in
s_server/s_client.
diff --git a/CHANGES b/CHANGES
index 46b23de..f320ef7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
+ *) Make tls1_check_chain return a set of flags indicating checks passed
+ by a certificate chain. Add additional tests to handle client
+ certificates: checks for matching certificate type and issuer name
+ comparison.
+ [Steve Henson]
+
*) If an attempt is made to use a signature algorithm not in the peer
preference list abort the handshake. If client has no suitable
signature algorithms in response to a certificate request do not
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 2ac3f96..f7207c9 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1134,12 +1134,45 @@
struct ssl_excert_st *next, *prev;
};
+struct chain_flags
+ {
+ int flag;
+ const char *name;
+ };
+
+struct chain_flags chain_flags_list[] =
+ {
+ {CERT_PKEY_VALID, "Overall Validity"},
+ {CERT_PKEY_SIGN, "Sign with EE key"},
+ {CERT_PKEY_EE_SIGNATURE, "EE signature"},
+ {CERT_PKEY_CA_SIGNATURE, "CA signature"},
+ {CERT_PKEY_EE_PARAM, "EE key parameters"},
+ {CERT_PKEY_CA_PARAM, "CA key parameters"},
+ {CERT_PKEY_EXPLICIT_SIGN, "Explicity sign with EE key"},
+ {CERT_PKEY_ISSUER_NAME, "Issuer Name"},
+ {CERT_PKEY_CERT_TYPE, "Certificate Type"},
+ {0, NULL}
+ };
+
+
+static void print_chain_flags(BIO *out, int flags)
+ {
+ struct chain_flags *ctmp = chain_flags_list;
+ while(ctmp->name)
+ {
+ BIO_printf(out, "\t%s: %s\n", ctmp->name,
+ flags & ctmp->flag ? "OK" : "NOT OK");
+ ctmp++;
+ }
+ }
+
/* Very basic selection callback: just use any certificate chain
* reported as valid. More sophisticated could prioritise according
* to local policy.
*/
static int set_cert_cb(SSL *ssl, void *arg)
{
+ int i, rv;
SSL_EXCERT *exc = arg;
SSL_certs_clear(ssl);
@@ -1151,10 +1184,20 @@
*/
while (exc->next)
exc = exc->next;
-
+
+ i = 0;
+
while(exc)
{
- if (SSL_check_chain(ssl, exc->cert, exc->key, exc->chain))
+ i++;
+ rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain);
+ BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i);
+ X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0,
+ XN_FLAG_ONELINE);
+ BIO_puts(bio_err, "\n");
+
+ print_chain_flags(bio_err, rv);
+ if (rv & CERT_PKEY_VALID)
{
SSL_use_certificate(ssl, exc->cert);
SSL_use_PrivateKey(ssl, exc->key);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index e9c1518..5adbb50 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1963,6 +1963,12 @@
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG);
goto err;
}
+ /* Clear certificate digests and validity flags */
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ {
+ s->cert->pkeys[i].digest = NULL;
+ s->cert->pkeys[i].valid_flags = 0;
+ }
if ((llen & 1) || !tls1_process_sigalgs(s, p, llen))
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
diff --git a/ssl/ssl.h b/ssl/ssl.h
index b8b1ba1..78ead35 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -662,6 +662,26 @@
/* Con't include root CA in chain */
#define SSL_BUILD_CHAIN_FLAG_NO_ROOT 0x2
+/* Flags returned by SSL_check_chain */
+/* Certificate can be used with this session */
+#define CERT_PKEY_VALID 0x1
+/* Certificate can also be used for signing */
+#define CERT_PKEY_SIGN 0x2
+/* EE certificate signing algorithm OK */
+#define CERT_PKEY_EE_SIGNATURE 0x10
+/* CA signature algorithms OK */
+#define CERT_PKEY_CA_SIGNATURE 0x20
+/* EE certificate parameters OK */
+#define CERT_PKEY_EE_PARAM 0x40
+/* CA certificate parameters OK */
+#define CERT_PKEY_CA_PARAM 0x80
+/* Signing explicitly allowed as opposed to SHA1 fallback */
+#define CERT_PKEY_EXPLICIT_SIGN 0x100
+/* Client CA issuer names match (always set for server cert) */
+#define CERT_PKEY_ISSUER_NAME 0x200
+/* Cert type matches client types (always set for server cert) */
+#define CERT_PKEY_CERT_TYPE 0x400
+
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
* they cannot be used to clear bits. */
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 9547814..eb41cfd 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -467,7 +467,8 @@
if (cpk->authz != NULL)
OPENSSL_free(cpk->authz);
#endif
- cpk->valid_flags = 0;
+ /* Clear all flags apart from explicit sign */
+ cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
}
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a0af428..bec87d8 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2086,21 +2086,21 @@
have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
#endif
cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
- rsa_enc= cpk->valid_flags;
+ rsa_enc= cpk->valid_flags & CERT_PKEY_VALID;
rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
- rsa_sign= (cpk->valid_flags & CERT_PKEY_SIGN);
+ rsa_sign= cpk->valid_flags & CERT_PKEY_SIGN;
cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
- dsa_sign= (cpk->valid_flags & CERT_PKEY_SIGN);
+ dsa_sign= cpk->valid_flags & CERT_PKEY_SIGN;
cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
- dh_rsa= cpk->valid_flags;
+ dh_rsa= cpk->valid_flags & CERT_PKEY_VALID;
dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
/* FIX THIS EAY EAY EAY */
- dh_dsa= cpk->valid_flags;
+ dh_dsa= cpk->valid_flags & CERT_PKEY_VALID;
dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_ECC]);
- have_ecc_cert= cpk->valid_flags;
+ have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID;
mask_k=0;
mask_a=0;
emask_k=0;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d8d1b79..1523303 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -466,14 +466,6 @@
#define NAMED_CURVE_TYPE 3
#endif /* OPENSSL_NO_EC */
-/* Values for valid_flags in CERT_PKEY structure */
-/* Certificate inconsistent with session, key missing etc */
-#define CERT_PKEY_INVALID 0x0
-/* Certificate can be used with this sesstion */
-#define CERT_PKEY_VALID 0x1
-/* Certificate can also be used for signing */
-#define CERT_PKEY_SIGN 0x2
-
typedef struct cert_pkey_st
{
X509 *x509;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8b3c213..68bd709 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1451,6 +1451,7 @@
unsigned short len;
unsigned char *data = *p;
int renegotiate_seen = 0;
+ size_t i;
s->servername_done = 0;
s->tlsext_status_type = -1;
@@ -1474,6 +1475,12 @@
OPENSSL_free(s->cert->shared_sigalgs);
s->cert->shared_sigalgs = NULL;
}
+ /* Clear certificate digests and validity flags */
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ {
+ s->cert->pkeys[i].digest = NULL;
+ s->cert->pkeys[i].valid_flags = 0;
+ }
if (data >= (d+n-2))
goto ri_check;
@@ -1961,7 +1968,6 @@
* in the case of a session resumption. */
if (!s->hit)
{
- size_t i;
if (s->s3->tlsext_authz_client_types != NULL)
OPENSSL_free(s->s3->tlsext_authz_client_types);
s->s3->tlsext_authz_client_types =
@@ -3180,11 +3186,6 @@
if (!c)
return 0;
- c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
- c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
- c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
- c->pkeys[SSL_PKEY_ECC].digest = NULL;
-
c->peer_sigalgs = OPENSSL_malloc(dsize);
if (!c->peer_sigalgs)
return 0;
@@ -3201,8 +3202,12 @@
{
md = tls12_get_hash(sigptr->rhash);
c->pkeys[idx].digest = md;
+ c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
if (idx == SSL_PKEY_RSA_SIGN)
+ {
+ c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
+ }
}
}
@@ -3546,40 +3551,76 @@
return 1;
return 0;
}
+/* Check to see if a certificate issuer name matches list of CA names */
+static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
+ {
+ X509_NAME *nm;
+ int i;
+ nm = X509_get_issuer_name(x);
+ for (i = 0; i < sk_X509_NAME_num(names); i++)
+ {
+ if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
+ return 1;
+ }
+ return 0;
+ }
/* Check certificate chain is consistent with TLS extensions and is
- * usable by server.
+ * usable by server. This servers two purposes: it allows users to
+ * check chains before passing them to the server and it allows the
+ * server to check chains before attempting to use them.
*/
+
+/* Flags which need to be set for a certificate when stict mode not set */
+
+#define CERT_PKEY_VALID_FLAGS \
+ (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
+/* Strict mode flags */
+#define CERT_PKEY_STRICT_FLAGS \
+ (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
+ | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
+
int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
int idx)
{
int i;
- int rv = CERT_PKEY_INVALID;
+ int rv = 0;
+ int check_flags = 0, strict_mode;
CERT_PKEY *cpk = NULL;
CERT *c = s->cert;
+ /* idx != -1 means checking server chains */
if (idx != -1)
{
cpk = c->pkeys + idx;
x = cpk->x509;
pk = cpk->privatekey;
chain = cpk->chain;
+ strict_mode = c->cert_flags & SSL_CERT_FLAG_TLS_STRICT;
/* If no cert or key, forget it */
if (!x || !pk)
goto end;
}
else
{
+ if (!x || !pk)
+ goto end;
idx = ssl_cert_type(x, pk);
if (idx == -1)
goto end;
+ cpk = c->pkeys + idx;
+ if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+ check_flags = CERT_PKEY_STRICT_FLAGS;
+ else
+ check_flags = CERT_PKEY_VALID_FLAGS;
+ strict_mode = 1;
}
+
/* Check all signature algorithms are consistent with
* signature algorithms extension if TLS 1.2 or later
* and strict mode.
*/
- if (TLS1_get_version(s) >= TLS1_2_VERSION
- && c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+ if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
{
int default_nid;
unsigned char rsign = 0;
@@ -3627,39 +3668,171 @@
break;
}
if (j == c->conf_sigalgslen)
- goto end;
+ {
+ if (check_flags)
+ goto skip_sigs;
+ else
+ goto end;
+ }
}
/* Check signature algorithm of each cert in chain */
if (!tls1_check_sig_alg(c, x, default_nid))
- goto end;
+ {
+ if (!check_flags) goto end;
+ }
+ else
+ rv |= CERT_PKEY_EE_SIGNATURE;
+ rv |= CERT_PKEY_CA_SIGNATURE;
for (i = 0; i < sk_X509_num(chain); i++)
{
if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
default_nid))
- goto end;
+ {
+ if (check_flags)
+ {
+ rv &= ~CERT_PKEY_CA_SIGNATURE;
+ break;
+ }
+ else
+ goto end;
+ }
}
}
-
- /* Check cert parameters are consistent */
- if (!tls1_check_cert_param(s, x))
+ /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
+ else if(check_flags)
+ rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
+ skip_sigs:
+ /* Check cert parameters are consistent: server certs only */
+ if (!s->server || tls1_check_cert_param(s, x))
+ rv |= CERT_PKEY_EE_PARAM;
+ else if (!check_flags)
goto end;
+ if (!s->server)
+ rv |= CERT_PKEY_CA_PARAM;
/* In strict mode check rest of chain too */
- if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+ else if (strict_mode)
{
+ rv |= CERT_PKEY_CA_PARAM;
for (i = 0; i < sk_X509_num(chain); i++)
{
if (!tls1_check_cert_param(s, sk_X509_value(chain, i)))
- goto end;
+ {
+ if (check_flags)
+ {
+ rv &= ~CERT_PKEY_CA_PARAM;
+ break;
+ }
+ else
+ goto end;
+ }
}
}
- rv = CERT_PKEY_VALID;
+ if (!s->server && strict_mode)
+ {
+ STACK_OF(X509_NAME) *ca_dn;
+ int check_type = 0;
+ switch (pk->type)
+ {
+ case EVP_PKEY_RSA:
+ check_type = TLS_CT_RSA_SIGN;
+ break;
+ case EVP_PKEY_DSA:
+ check_type = TLS_CT_DSS_SIGN;
+ break;
+ case EVP_PKEY_EC:
+ check_type = TLS_CT_ECDSA_SIGN;
+ break;
+ case EVP_PKEY_DH:
+ case EVP_PKEY_DHX:
+ {
+ int cert_type = X509_certificate_type(x, pk);
+ if (cert_type & EVP_PKS_RSA)
+ check_type = TLS_CT_RSA_FIXED_DH;
+ if (cert_type & EVP_PKS_DSA)
+ check_type = TLS_CT_DSS_FIXED_DH;
+ }
+ }
+ if (check_type)
+ {
+ const unsigned char *ctypes;
+ int ctypelen;
+ if (c->ctypes)
+ {
+ ctypes = c->ctypes;
+ ctypelen = (int)c->ctype_num;
+ }
+ else
+ {
+ ctypes = (unsigned char *)s->s3->tmp.ctype;
+ ctypelen = s->s3->tmp.ctype_num;
+ }
+ for (i = 0; i < ctypelen; i++)
+ {
+ if (ctypes[i] == check_type)
+ {
+ rv |= CERT_PKEY_CERT_TYPE;
+ break;
+ }
+ }
+ if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
+ goto end;
+ }
+ else
+ rv |= CERT_PKEY_CERT_TYPE;
+
+
+ ca_dn = s->s3->tmp.ca_names;
+
+ if (!sk_X509_NAME_num(ca_dn))
+ rv |= CERT_PKEY_ISSUER_NAME;
+
+ if (!(rv & CERT_PKEY_ISSUER_NAME))
+ {
+ if (ssl_check_ca_name(ca_dn, x))
+ rv |= CERT_PKEY_ISSUER_NAME;
+ }
+ if (!(rv & CERT_PKEY_ISSUER_NAME))
+ {
+ for (i = 0; i < sk_X509_num(chain); i++)
+ {
+ X509 *xtmp = sk_X509_value(chain, i);
+ if (ssl_check_ca_name(ca_dn, xtmp))
+ {
+ rv |= CERT_PKEY_ISSUER_NAME;
+ break;
+ }
+ }
+ }
+ if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
+ goto end;
+ }
+ else
+ rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
+
+ if (!check_flags || (rv & check_flags) == check_flags)
+ rv |= CERT_PKEY_VALID;
end:
- if (cpk)
+
+ if (TLS1_get_version(s) >= TLS1_2_VERSION)
{
- if (rv && cpk->digest)
+ if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
+ rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
+ else if (cpk->digest)
rv |= CERT_PKEY_SIGN;
- cpk->valid_flags = rv;
+ }
+ else
+ rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
+
+ /* When checking a CERT_PKEY structure all flags are irrelevant
+ * if the chain is invalid.
+ */
+ if (!check_flags)
+ {
+ if (rv & CERT_PKEY_VALID)
+ cpk->valid_flags = rv;
+ else
+ cpk->valid_flags = 0;
}
return rv;
}
