提交
0d609395
编写于
1月 25, 2012
作者:
Dr. Stephen Henson
add support for use of fixed DH client certificates
上级
2ff5ac55
变更
3
Showing
3 changed file
with
123 addition
and
49 deletion
+123
-49
CHANGES
CHANGES
+4
-0
ssl/s3_clnt.c
ssl/s3_clnt.c
+73
-19
ssl/s3_srvr.c
ssl/s3_srvr.c
+46
-30
CHANGES
...
...
@@ -4,6 +4,10 @@
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
*) Support for fixed DH ciphersuite client authentication: where both
server and client use DH certificates with common parameters.
[Steve Henson]
*) Support for fixed DH ciphersuites: those requiring DH server
certificates.
[Steve Henson]
...
...
ssl/s3_clnt.c
...
...
@@ -2428,18 +2428,33 @@ int ssl3_send_client_key_exchange(SSL *s)
goto
err
;
}
}
/* generate a new random key */
if
((
dh_clnt
=
DHparams_dup
(
dh_srvr
))
==
NULL
)
if
(
s
->
s3
->
flags
&
TLS1_FLAGS_SKIP_CERT_VERIFY
)
{
SSLerr
(
SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
ERR_R_DH_LIB
);
goto
err
;
/* Use client certificate key */
EVP_PKEY
*
clkey
=
s
->
cert
->
key
->
privatekey
;
if
(
clkey
)
dh_clnt
=
EVP_PKEY_get1_DH
(
clkey
);
if
(
dh_clnt
==
NULL
)
{
SSLerr
(
SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
}
if
(
!
DH_generate_key
(
dh_clnt
))
else
{
SSLerr
(
SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
ERR_R_DH_LIB
);
DH_free
(
dh_clnt
);
goto
err
;
/* generate a new random key */
if
((
dh_clnt
=
DHparams_dup
(
dh_srvr
))
==
NULL
)
{
SSLerr
(
SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
ERR_R_DH_LIB
);
goto
err
;
}
if
(
!
DH_generate_key
(
dh_clnt
))
{
SSLerr
(
SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
ERR_R_DH_LIB
);
DH_free
(
dh_clnt
);
goto
err
;
}
}
/* use the 'p' output buffer for the DH key, but
...
...
@@ -2463,11 +2478,16 @@ int ssl3_send_client_key_exchange(SSL *s)
/* clean up */
memset
(
p
,
0
,
n
);
/* send off the data */
n
=
BN_num_bytes
(
dh_clnt
->
pub_key
);
s2n
(
n
,
p
);
BN_bn2bin
(
dh_clnt
->
pub_key
,
p
);
n
+=
2
;
if
(
s
->
s3
->
flags
&
TLS1_FLAGS_SKIP_CERT_VERIFY
)
n
=
0
;
else
{
/* send off the data */
n
=
BN_num_bytes
(
dh_clnt
->
pub_key
);
s2n
(
n
,
p
);
BN_bn2bin
(
dh_clnt
->
pub_key
,
p
);
n
+=
2
;
}
DH_free
(
dh_clnt
);
...
...
@@ -3054,6 +3074,40 @@ err:
return
(
-
1
);
}
/* Check a certificate can be used for client authentication. Currently
* just check cert exists and if static DH client certificates can be used.
*/
static
int
ssl3_check_client_certificate
(
SSL
*
s
)
{
unsigned
long
alg_k
;
if
(
!
s
->
cert
||
!
s
->
cert
->
key
->
x509
||
!
s
->
cert
->
key
->
privatekey
)
return
0
;
alg_k
=
s
->
s3
->
tmp
.
new_cipher
->
algorithm_mkey
;
/* See if we can use client certificate for fixed DH */
if
(
alg_k
&
(
SSL_kDHr
|
SSL_kDHd
))
{
SESS_CERT
*
scert
=
s
->
session
->
sess_cert
;
int
i
=
scert
->
peer_cert_type
;
EVP_PKEY
*
clkey
=
NULL
,
*
spkey
=
NULL
;
clkey
=
s
->
cert
->
key
->
privatekey
;
/* If client key not DH assume it can be used */
if
(
EVP_PKEY_id
(
clkey
)
!=
EVP_PKEY_DH
)
return
1
;
if
(
i
>=
0
)
spkey
=
X509_get_pubkey
(
scert
->
peer_pkeys
[
i
].
x509
);
if
(
spkey
)
{
/* Compare server and client parameters */
i
=
EVP_PKEY_cmp_parameters
(
clkey
,
spkey
);
EVP_PKEY_free
(
spkey
);
if
(
i
!=
1
)
return
0
;
}
s
->
s3
->
flags
|=
TLS1_FLAGS_SKIP_CERT_VERIFY
;
}
return
1
;
}
int
ssl3_send_client_certificate
(
SSL
*
s
)
{
X509
*
x509
=
NULL
;
...
...
@@ -3063,12 +3117,10 @@ int ssl3_send_client_certificate(SSL *s)
if
(
s
->
state
==
SSL3_ST_CW_CERT_A
)
{
if
((
s
->
cert
==
NULL
)
||
(
s
->
cert
->
key
->
x509
==
NULL
)
||
(
s
->
cert
->
key
->
privatekey
==
NULL
))
s
->
state
=
SSL3_ST_CW_CERT_B
;
else
if
(
ssl3_check_client_certificate
(
s
))
s
->
state
=
SSL3_ST_CW_CERT_C
;
else
s
->
state
=
SSL3_ST_CW_CERT_B
;
}
/* We need to get a client cert */
...
...
@@ -3100,6 +3152,8 @@ int ssl3_send_client_certificate(SSL *s)
if
(
x509
!=
NULL
)
X509_free
(
x509
);
if
(
pkey
!=
NULL
)
EVP_PKEY_free
(
pkey
);
if
(
i
&&
!
ssl3_check_client_certificate
(
s
))
i
=
0
;
if
(
i
==
0
)
{
if
(
s
->
version
==
SSL3_VERSION
)
...
...
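Review bot: In the new `ssl3_check_client_certificate`, `TLS1_FLAGS_SKIP_CERT_VERIFY` is set even when no server key was obtained: if `peer_cert_type` is negative or `X509_get_pubkey` returns NULL, `spkey` stays NULL, the `EVP_PKEY_cmp_parameters` block is skipped, and control still falls through to the flag assignment and `return 1`. The key-exchange hunks then use the certificate key and send an empty message (`n = 0`) without the DH parameters ever having been compared with the server's, so the check fails open; adding `if (spkey == NULL) return 0;` ahead of the comparison would make it fail closed. `s->session->sess_cert` is also dereferenced without a NULL test, which is safe only if this state is always reached after a server certificate has been stored, and that is worth confirming. Because the function both answers a question and mutates `s->s3->flags`, and none of the visible client hunks clears the flag again, a header comment such as `/* Side effect: sets TLS1_FLAGS_SKIP_CERT_VERIFY when the fixed DH client key will be used */` would help callers.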
ssl/s3_srvr.c
...
...
@@ -298,6 +298,7 @@ int ssl3_accept(SSL *s)
s
->
init_num
=
0
;
s
->
s3
->
flags
&=
~
SSL3_FLAGS_SGC_RESTART_DONE
;
s
->
s3
->
flags
&=
~
TLS1_FLAGS_SKIP_CERT_VERIFY
;
if
(
s
->
state
!=
SSL_ST_RENEGOTIATE
)
{
...
...
@@ -2132,7 +2133,7 @@ int ssl3_get_client_key_exchange(SSL *s)
#endif
#ifndef OPENSSL_NO_DH
BIGNUM
*
pub
=
NULL
;
DH
*
dh_srvr
;
DH
*
dh_srvr
,
*
dh_clnt
=
NULL
;
#endif
#ifndef OPENSSL_NO_KRB5
KSSL_ERR
kssl_err
;
...
...
@@ -2266,8 +2267,11 @@ int ssl3_get_client_key_exchange(SSL *s)
#ifndef OPENSSL_NO_DH
if
(
alg_k
&
(
SSL_kEDH
|
SSL_kDHr
|
SSL_kDHd
))
{
n2s
(
p
,
i
);
if
(
n
!=
i
+
2
)
int
idx
=
-
1
;
EVP_PKEY
*
skey
=
NULL
;
if
(
n
)
n2s
(
p
,
i
);
if
(
n
&&
n
!=
i
+
2
)
{
if
(
!
(
s
->
options
&
SSL_OP_SSLEAY_080_CLIENT_DH_BUG
))
{
...
...
@@ -2280,44 +2284,52 @@ int ssl3_get_client_key_exchange(SSL *s)
i
=
(
int
)
n
;
}
}
if
(
n
==
0L
)
/* the parameters are in the cert */
if
(
alg_k
&
SSL_kDHr
)
idx
=
SSL_PKEY_DH_RSA
;
else
if
(
alg_k
&
SSL_kDHd
)
idx
=
SSL_PKEY_DH_DSA
;
if
(
idx
>=
0
)
{
skey
=
s
->
cert
->
pkeys
[
idx
].
privatekey
;
if
((
skey
==
NULL
)
||
(
skey
->
type
!=
EVP_PKEY_DH
)
||
(
skey
->
pkey
.
dh
==
NULL
))
{
al
=
SSL_AD_HANDSHAKE_FAILURE
;
SSLerr
(
SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE
,
SSL_R_MISSING_RSA_CERTIFICATE
);
goto
f_err
;
}
dh_srvr
=
skey
->
pkey
.
dh
;
}
else
if
(
s
->
s3
->
tmp
.
dh
==
NULL
)
{
al
=
SSL_AD_HANDSHAKE_FAILURE
;
SSLerr
(
SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE
,
SSL_R_
UNABLE_TO_DECODE_DH_CERTS
);
SSLerr
(
SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE
,
SSL_R_
MISSING_TMP_DH_KEY
);
goto
f_err
;
}
else
dh_srvr
=
s
->
s3
->
tmp
.
dh
;
if
(
n
==
0L
)
{
int
idx
=
-
1
;
if
(
alg_k
&
SSL_kDHr
)
idx
=
SSL_PKEY_DH_RSA
;
else
if
(
alg_k
&
SSL_kDHd
)
idx
=
SSL_PKEY_DH_DSA
;
if
(
idx
>=
0
)
{
EVP_PKEY
*
skey
=
s
->
cert
->
pkeys
[
idx
].
privatekey
;
if
((
skey
==
NULL
)
||
(
skey
->
type
!=
EVP_PKEY_DH
)
||
(
skey
->
pkey
.
dh
==
NULL
))
{
al
=
SSL_AD_HANDSHAKE_FAILURE
;
SSLerr
(
SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE
,
SSL_R_MISSING_RSA_CERTIFICATE
);
goto
f_err
;
}
dh_srvr
=
skey
->
pkey
.
dh
;
/* Get pubkey from cert */
EVP_PKEY
*
clkey
=
X509_get_pubkey
(
s
->
session
->
peer
);
if
(
clkey
)
{
if
(
EVP_PKEY_cmp_parameters
(
clkey
,
skey
)
==
1
)
dh_clnt
=
EVP_PKEY_get1_DH
(
clkey
);
}
else
if
(
s
->
s3
->
tmp
.
dh
==
NULL
)
if
(
dh_clnt
==
NULL
)
{
al
=
SSL_AD_HANDSHAKE_FAILURE
;
SSLerr
(
SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE
,
SSL_R_MISSING_TMP_DH_KEY
);
goto
f_err
;
}
else
dh_srvr
=
s
->
s3
->
tmp
.
dh
;
EVP_PKEY_free
(
clkey
);
pub
=
dh_clnt
->
pub_key
;
}
pub
=
BN_bin2bn
(
p
,
i
,
NULL
);
else
pub
=
BN_bin2bn
(
p
,
i
,
NULL
);
if
(
pub
==
NULL
)
{
SSLerr
(
SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE
,
SSL_R_BN_LIB
);
...
...
@@ -2335,13 +2347,17 @@ int ssl3_get_client_key_exchange(SSL *s)
DH_free
(
s
->
s3
->
tmp
.
dh
);
s
->
s3
->
tmp
.
dh
=
NULL
;
BN_clear_free
(
pub
);
if
(
dh_clnt
)
DH_free
(
dh_clnt
);
else
BN_clear_free
(
pub
);
pub
=
NULL
;
s
->
session
->
master_key_length
=
s
->
method
->
ssl3_enc
->
generate_master_secret
(
s
,
s
->
session
->
master_key
,
p
,
i
);
OPENSSL_cleanse
(
p
,
i
);
if
(
dh_clnt
)
return
2
;
}
else
#endif
...
...
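Review bot: In the `n == 0L` branch of `ssl3_get_client_key_exchange`, `skey` is passed to `EVP_PKEY_cmp_parameters` without a NULL check, although it is only assigned when `idx >= 0`, that is for `SSL_kDHr` or `SSL_kDHd`. The enclosing condition also admits `SSL_kEDH`, and `n` is the peer-supplied message length, so an empty message on an ephemeral-DH handshake would reach the comparison with `skey == NULL` whenever a peer certificate key is available. That path should fail the handshake cleanly, for example by changing the test to `if (clkey && skey && EVP_PKEY_cmp_parameters(clkey, skey) == 1)` so that `dh_clnt` stays NULL and the existing `f_err` path is taken. The same branch leaks `clkey` when `dh_clnt == NULL`, because `goto f_err` runs before `EVP_PKEY_free(clkey)`; moving the free above the `if (dh_clnt == NULL)` test would fix that, assuming `EVP_PKEY_get1_DH` returns its own reference, as the `DH_free(dh_clnt)` in the last hunk suggests. The function body continues outside these hunks.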