Skip to content

O
openssl

btwise / openssl

通知 1
Star 0
Fork 0
O
openssl

体验新版 GitCode,发现更多精彩内容 >>

提交 6383d316 编写于 作者: D Dr. Stephen Henson
浏览文件
操作

Move certificate validity flags out of CERT. 

Reviewed-by: NRich Salz <rsalz@openssl.org>
上级 d376e57d
隐藏空白更改
内联 并排
Showing with 36 addition and 35 deletion
ssl/s3_clnt.c
浏览文件 @ 6383d316
...@@ -2164,7 +2164,7 @@ int ssl3_get_certificate_request(SSL *s) ...@@ -2164,7 +2164,7 @@ int ssl3_get_certificate_request(SSL *s)
/* Clear certificate digests and validity flags */ /* Clear certificate digests and validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++) { for (i = 0; i < SSL_PKEY_NUM; i++) {
s->s3->tmp.md[i] = NULL; s->s3->tmp.md[i] = NULL;
s->cert->pkeys[i].valid_flags = 0; s->s3->tmp.valid_flags[i] = 0;
} }
if ((llen & 1) || !tls1_save_sigalgs(s, p, llen)) { if ((llen & 1) || !tls1_save_sigalgs(s, p, llen)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
......
ssl/s3_lib.c
浏览文件 @ 6383d316
...@@ -3892,7 +3892,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, ...@@ -3892,7 +3892,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s)) if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))
continue; continue;
ssl_set_cert_masks(cert, c); ssl_set_masks(s, c);
mask_k = cert->mask_k; mask_k = cert->mask_k;
mask_a = cert->mask_a; mask_a = cert->mask_a;
emask_k = cert->export_mask_k; emask_k = cert->export_mask_k;
......
ssl/ssl_cert.c
浏览文件 @ 6383d316
...@@ -270,7 +270,6 @@ CERT *ssl_cert_dup(CERT *cert) ...@@ -270,7 +270,6 @@ CERT *ssl_cert_dup(CERT *cert)
goto err; goto err;
} }
} }
rpk->valid_flags = 0;
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
if (cert->pkeys[i].serverinfo != NULL) { if (cert->pkeys[i].serverinfo != NULL) {
/* Just copy everything. */ /* Just copy everything. */
...@@ -375,8 +374,6 @@ void ssl_cert_clear_certs(CERT *c) ...@@ -375,8 +374,6 @@ void ssl_cert_clear_certs(CERT *c)
cpk->serverinfo = NULL; cpk->serverinfo = NULL;
cpk->serverinfo_length = 0; cpk->serverinfo_length = 0;
#endif #endif
/* Clear all flags apart from explicit sign */
cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
} }
} }
......
ssl/ssl_lib.c
浏览文件 @ 6383d316
...@@ -1933,9 +1933,11 @@ void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg) ...@@ -1933,9 +1933,11 @@ void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg)
ssl_cert_set_cert_cb(s->cert, cb, arg); ssl_cert_set_cert_cb(s->cert, cb, arg);
} }
void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
{ {
CERT_PKEY *cpk; CERT_PKEY *cpk;
CERT *c = s->cert;
int *pvalid = s->s3->tmp.valid_flags;
int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
int rsa_enc_export, dh_rsa_export, dh_dsa_export; int rsa_enc_export, dh_rsa_export, dh_dsa_export;
int rsa_tmp_export, dh_tmp_export, kl; int rsa_tmp_export, dh_tmp_export, kl;
...@@ -1972,22 +1974,21 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) ...@@ -1972,22 +1974,21 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
have_ecdh_tmp = (c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto); have_ecdh_tmp = (c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
#endif #endif
cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
rsa_enc = cpk->valid_flags & CERT_PKEY_VALID; rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID;
rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
rsa_sign = cpk->valid_flags & CERT_PKEY_SIGN; rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN;
cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
dsa_sign = cpk->valid_flags & CERT_PKEY_SIGN; dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN;
cpk = &(c->pkeys[SSL_PKEY_DH_RSA]); cpk = &(c->pkeys[SSL_PKEY_DH_RSA]);
dh_rsa = cpk->valid_flags & CERT_PKEY_VALID; dh_rsa = pvalid[SSL_PKEY_DH_RSA] & CERT_PKEY_VALID;
dh_rsa_export = (dh_rsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); dh_rsa_export = (dh_rsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_DH_DSA]); cpk = &(c->pkeys[SSL_PKEY_DH_DSA]);
/* FIX THIS EAY EAY EAY */ dh_dsa = pvalid[SSL_PKEY_DH_DSA] & CERT_PKEY_VALID;
dh_dsa = cpk->valid_flags & CERT_PKEY_VALID;
dh_dsa_export = (dh_dsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); dh_dsa_export = (dh_dsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_ECC]); cpk = &(c->pkeys[SSL_PKEY_ECC]);
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
have_ecc_cert = cpk->valid_flags & CERT_PKEY_VALID; have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
#endif #endif
mask_k = 0; mask_k = 0;
mask_a = 0; mask_a = 0;
...@@ -2063,7 +2064,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) ...@@ -2063,7 +2064,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
(x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
if (!(cpk->valid_flags & CERT_PKEY_SIGN)) if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
ecdsa_ok = 0; ecdsa_ok = 0;
ecc_pkey = X509_get_pubkey(x); ecc_pkey = X509_get_pubkey(x);
ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0; ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0;
...@@ -2204,7 +2205,7 @@ static int ssl_get_server_cert_index(const SSL *s) ...@@ -2204,7 +2205,7 @@ static int ssl_get_server_cert_index(const SSL *s)
return idx; return idx;
} }
CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
{ {
CERT *c; CERT *c;
int i; int i;
...@@ -2212,7 +2213,7 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) ...@@ -2212,7 +2213,7 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
c = s->cert; c = s->cert;
if (!s->s3 || !s->s3->tmp.new_cipher) if (!s->s3 || !s->s3->tmp.new_cipher)
return NULL; return NULL;
ssl_set_cert_masks(c, s->s3->tmp.new_cipher); ssl_set_masks(s, s->s3->tmp.new_cipher);
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
/* /*
......
ssl/ssl_locl.h
浏览文件 @ 6383d316
...@@ -1295,6 +1295,12 @@ typedef struct ssl3_state_st { ...@@ -1295,6 +1295,12 @@ typedef struct ssl3_state_st {
const EVP_MD *peer_md; const EVP_MD *peer_md;
/* Array of digests used for signing */ /* Array of digests used for signing */
const EVP_MD *md[SSL_PKEY_NUM]; const EVP_MD *md[SSL_PKEY_NUM];
/*
* Set if corresponding CERT_PKEY can be used with current
* SSL session: e.g. appropriate curve, signature algorithms etc.
* If zero it can't be used at all.
*/
int valid_flags[SSL_PKEY_NUM];
} tmp; } tmp;
/* Connection binding to prevent renegotiation attacks */ /* Connection binding to prevent renegotiation attacks */
...@@ -1456,12 +1462,6 @@ typedef struct cert_pkey_st { ...@@ -1456,12 +1462,6 @@ typedef struct cert_pkey_st {
unsigned char *serverinfo; unsigned char *serverinfo;
size_t serverinfo_length; size_t serverinfo_length;
# endif # endif
/*
* Set if CERT_PKEY can be used with current SSL session: e.g.
* appropriate curve, signature algorithms etc. If zero it can't be used
* at all.
*/
int valid_flags;
} CERT_PKEY; } CERT_PKEY;
/* Retrieve Suite B flags */ /* Retrieve Suite B flags */
# define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS) # define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
...@@ -1916,14 +1916,14 @@ __owur int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other ...@@ -1916,14 +1916,14 @@ __owur int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other
int ssl_undefined_function(SSL *s); int ssl_undefined_function(SSL *s);
__owur int ssl_undefined_void_function(void); __owur int ssl_undefined_void_function(void);
__owur int ssl_undefined_const_function(const SSL *s); __owur int ssl_undefined_const_function(const SSL *s);
__owur CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); __owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s);
# ifndef OPENSSL_NO_TLSEXT # ifndef OPENSSL_NO_TLSEXT
__owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, __owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
size_t *serverinfo_length); size_t *serverinfo_length);
# endif # endif
__owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd); __owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd);
__owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey); __owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher);
__owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); __owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
__owur int ssl_verify_alarm_type(long type); __owur int ssl_verify_alarm_type(long type);
void ssl_load_ciphers(void); void ssl_load_ciphers(void);
......
ssl/t1_lib.c
浏览文件 @ 6383d316
...@@ -2694,7 +2694,7 @@ int tls1_set_server_sigalgs(SSL *s) ...@@ -2694,7 +2694,7 @@ int tls1_set_server_sigalgs(SSL *s)
/* Clear certificate digests and validity flags */ /* Clear certificate digests and validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++) { for (i = 0; i < SSL_PKEY_NUM; i++) {
s->s3->tmp.md[i] = NULL; s->s3->tmp.md[i] = NULL;
s->cert->pkeys[i].valid_flags = 0; s->s3->tmp.valid_flags[i] = 0;
} }
/* If sigalgs received process it. */ /* If sigalgs received process it. */
...@@ -3450,6 +3450,7 @@ int tls1_process_sigalgs(SSL *s) ...@@ -3450,6 +3450,7 @@ int tls1_process_sigalgs(SSL *s)
size_t i; size_t i;
const EVP_MD *md; const EVP_MD *md;
const EVP_MD **pmd = s->s3->tmp.md; const EVP_MD **pmd = s->s3->tmp.md;
int *pvalid = s->s3->tmp.valid_flags;
CERT *c = s->cert; CERT *c = s->cert;
TLS_SIGALGS *sigptr; TLS_SIGALGS *sigptr;
if (!tls1_set_shared_sigalgs(s)) if (!tls1_set_shared_sigalgs(s))
...@@ -3470,10 +3471,9 @@ int tls1_process_sigalgs(SSL *s) ...@@ -3470,10 +3471,9 @@ int tls1_process_sigalgs(SSL *s)
idx = tls12_get_pkey_idx(sigs[1]); idx = tls12_get_pkey_idx(sigs[1]);
md = tls12_get_hash(sigs[0]); md = tls12_get_hash(sigs[0]);
pmd[idx] = md; pmd[idx] = md;
c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
if (idx == SSL_PKEY_RSA_SIGN) { if (idx == SSL_PKEY_RSA_SIGN) {
c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
CERT_PKEY_EXPLICIT_SIGN;
pmd[SSL_PKEY_RSA_ENC] = md; pmd[SSL_PKEY_RSA_ENC] = md;
} }
} }
...@@ -3486,10 +3486,9 @@ int tls1_process_sigalgs(SSL *s) ...@@ -3486,10 +3486,9 @@ int tls1_process_sigalgs(SSL *s)
if (idx > 0 && pmd[idx] == NULL) { if (idx > 0 && pmd[idx] == NULL) {
md = tls12_get_hash(sigptr->rhash); md = tls12_get_hash(sigptr->rhash);
pmd[idx] = md; pmd[idx] = md;
c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
if (idx == SSL_PKEY_RSA_SIGN) { if (idx == SSL_PKEY_RSA_SIGN) {
c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
CERT_PKEY_EXPLICIT_SIGN;
pmd[SSL_PKEY_RSA_ENC] = md; pmd[SSL_PKEY_RSA_ENC] = md;
} }
} }
...@@ -3882,6 +3881,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, ...@@ -3882,6 +3881,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
int check_flags = 0, strict_mode; int check_flags = 0, strict_mode;
CERT_PKEY *cpk = NULL; CERT_PKEY *cpk = NULL;
CERT *c = s->cert; CERT *c = s->cert;
int *pvalid;
unsigned int suiteb_flags = tls1_suiteb(s); unsigned int suiteb_flags = tls1_suiteb(s);
/* idx == -1 means checking server chains */ /* idx == -1 means checking server chains */
if (idx != -1) { if (idx != -1) {
...@@ -3891,6 +3891,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, ...@@ -3891,6 +3891,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
idx = cpk - c->pkeys; idx = cpk - c->pkeys;
} else } else
cpk = c->pkeys + idx; cpk = c->pkeys + idx;
pvalid = s->s3->tmp.valid_flags + idx;
x = cpk->x509; x = cpk->x509;
pk = cpk->privatekey; pk = cpk->privatekey;
chain = cpk->chain; chain = cpk->chain;
...@@ -3903,7 +3904,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, ...@@ -3903,7 +3904,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) { if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN | rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
CERT_PKEY_VALID | CERT_PKEY_SIGN; CERT_PKEY_VALID | CERT_PKEY_SIGN;
cpk->valid_flags = rv; *pvalid = rv;
return rv; return rv;
} }
# endif # endif
...@@ -3914,6 +3915,8 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, ...@@ -3914,6 +3915,8 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
if (idx == -1) if (idx == -1)
return 0; return 0;
cpk = c->pkeys + idx; cpk = c->pkeys + idx;
pvalid = s->s3->tmp.valid_flags + idx;
if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
check_flags = CERT_PKEY_STRICT_FLAGS; check_flags = CERT_PKEY_STRICT_FLAGS;
else else
...@@ -4100,7 +4103,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, ...@@ -4100,7 +4103,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
end: end:
if (TLS1_get_version(s) >= TLS1_2_VERSION) { if (TLS1_get_version(s) >= TLS1_2_VERSION) {
if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN) if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
else if (s->s3->tmp.md[idx] != NULL) else if (s->s3->tmp.md[idx] != NULL)
rv |= CERT_PKEY_SIGN; rv |= CERT_PKEY_SIGN;
...@@ -4113,10 +4116,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, ...@@ -4113,10 +4116,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
*/ */
if (!check_flags) { if (!check_flags) {
if (rv & CERT_PKEY_VALID) if (rv & CERT_PKEY_VALID)
cpk->valid_flags = rv; *pvalid = rv;
else { else {
/* Preserve explicit sign flag, clear rest */ /* Preserve explicit sign flag, clear rest */
cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN; *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
return 0; return 0;
} }
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册