generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove static ECDH support.

Browse Source 
Remove support for static ECDH ciphersuites. They require ECDH keys
in certificates and don't support forward secrecy.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This commit is contained in:
Dr. Stephen Henson
2016-02-11 18:19:27 +00:00
parent fd7dc201d3
commit ce0c1f2bb2
7 changed files with 30 additions and 484 deletions
Download Patch File Download Diff File Expand all files Collapse all files

341
ssl/s3_lib.c
View File

@@ -1645,85 +1645,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
#endif #endif
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
/* Cipher C001 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
SSL_kECDHe,
SSL_aECDH,
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
/* Cipher C002 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_kECDHe,
SSL_aECDH,
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher C003 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
SSL_kECDHe,
SSL_aECDH,
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
/* Cipher C004 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
SSL_kECDHe,
SSL_aECDH,
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher C005 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
SSL_kECDHe,
SSL_aECDH,
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
/* Cipher C006 */ /* Cipher C006 */
{ {
@@ -1805,86 +1726,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256, 256,
}, },
/* Cipher C00B */
{
1,
TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
SSL_kECDHr,
SSL_aECDH,
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
/* Cipher C00C */
{
1,
TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
SSL_kECDHr,
SSL_aECDH,
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher C00D */
{
1,
TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
SSL_kECDHr,
SSL_aECDH,
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
/* Cipher C00E */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_kECDHr,
SSL_aECDH,
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher C00F */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
SSL_kECDHr,
SSL_aECDH,
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
/* Cipher C010 */ /* Cipher C010 */
{ {
1, 1,
@@ -2227,37 +2068,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256, 256,
}, },
/* Cipher C025 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256,
TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256,
SSL_kECDHe,
SSL_aECDH,
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher C026 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384,
TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,
SSL_kECDHe,
SSL_aECDH,
SSL_AES256,
SSL_SHA384,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
/* Cipher C027 */ /* Cipher C027 */
{ {
@@ -2291,38 +2101,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256, 256,
}, },
/* Cipher C029 */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
SSL_kECDHr,
SSL_aECDH,
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher C02A */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
SSL_kECDHr,
SSL_aECDH,
SSL_AES256,
SSL_SHA384,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
/* GCM based TLS v1.2 ciphersuites from RFC5289 */ /* GCM based TLS v1.2 ciphersuites from RFC5289 */
/* Cipher C02B */ /* Cipher C02B */
@@ -2357,38 +2135,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256, 256,
}, },
/* Cipher C02D */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
SSL_kECDHe,
SSL_aECDH,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher C02E */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_kECDHe,
SSL_aECDH,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
/* Cipher C02F */ /* Cipher C02F */
{ {
1, 1,
@@ -2421,38 +2167,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256, 256,
}, },
/* Cipher C031 */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
SSL_kECDHr,
SSL_aECDH,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher C032 */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
SSL_kECDHr,
SSL_aECDH,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
/* PSK ciphersuites from RFC 5489 */ /* PSK ciphersuites from RFC 5489 */
/* Cipher C033 */ /* Cipher C033 */
{ {
@@ -2627,34 +2341,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256, 256,
256}, 256},
{ /* Cipher C074 */
1,
TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kECDHe,
SSL_aECDH,
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128},
{ /* Cipher C075 */
1,
TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
SSL_kECDHe,
SSL_aECDH,
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
{ /* Cipher C076 */ { /* Cipher C076 */
1, 1,
TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
@@ -2683,33 +2369,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256, 256,
256}, 256},
{ /* Cipher C078 */
1,
TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kECDHr,
SSL_aECDH,
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128},
{ /* Cipher C079 */
1,
TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_CK_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
SSL_kECDHr,
SSL_aECDH,
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
# endif /* OPENSSL_NO_CAMELLIA */ # endif /* OPENSSL_NO_CAMELLIA */
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */

37
ssl/ssl_ciph.c
View File

@@ -310,12 +310,9 @@ static const SSL_CIPHER cipher_aliases[] = {
{0, SSL_TXT_DH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, {0, SSL_TXT_DH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0,
0}, 0},
{0, SSL_TXT_kECDHr, 0, SSL_kECDHr, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_kECDHe, 0, SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_kECDH, 0, SSL_kECDHr | SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_kEECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kEECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_kECDHE, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kECDHE, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_ECDH, 0, SSL_kECDHr | SSL_kECDHe | SSL_kECDHE, 0, 0, 0, 0, 0, {0, SSL_TXT_ECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0,
0, 0, 0}, 0, 0, 0},
{0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0},
@@ -330,7 +327,6 @@ static const SSL_CIPHER cipher_aliases[] = {
{0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aECDH, 0, 0, SSL_aECDH, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
@@ -503,8 +499,8 @@ void ssl_load_ciphers(void)
disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK; disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK;
#endif #endif
#ifdef OPENSSL_NO_EC #ifdef OPENSSL_NO_EC
disabled_mkey_mask |= SSL_kECDHe | SSL_kECDHr | SSL_kECDHEPSK; disabled_mkey_mask |= SSL_kECDHEPSK;
disabled_auth_mask |= SSL_aECDSA | SSL_aECDH; disabled_auth_mask |= SSL_aECDSA;
#endif #endif
#ifdef OPENSSL_NO_PSK #ifdef OPENSSL_NO_PSK
disabled_mkey_mask |= SSL_PSK; disabled_mkey_mask |= SSL_PSK;
@@ -1459,9 +1455,6 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
&tail); &tail);
/* Move ciphers without forward secrecy to the end */
ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
&tail);
/* /*
* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, * ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1,
* &head, &tail); * &head, &tail);
@@ -1606,12 +1599,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
case SSL_kDHE: case SSL_kDHE:
kx = "DH"; kx = "DH";
break; break;
case SSL_kECDHr:
kx = "ECDH/RSA";
break;
case SSL_kECDHe:
kx = "ECDH/ECDSA";
break;
case SSL_kECDHE: case SSL_kECDHE:
kx = "ECDH"; kx = "ECDH";
break; break;
@@ -1644,9 +1631,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
case SSL_aDSS: case SSL_aDSS:
au = "DSS"; au = "DSS";
break; break;
case SSL_aECDH:
au = "ECDH";
break;
case SSL_aNULL: case SSL_aNULL:
au = "None"; au = "None";
break; break;
@@ -1939,22 +1923,11 @@ const char *SSL_COMP_get_name(const COMP_METHOD *comp)
/* For a cipher return the index corresponding to the certificate type */ /* For a cipher return the index corresponding to the certificate type */
int ssl_cipher_get_cert_index(const SSL_CIPHER *c) int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
{ {
uint32_t alg_k, alg_a; uint32_t alg_a;
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth; alg_a = c->algorithm_auth;
if (alg_k & (SSL_kECDHr | SSL_kECDHe)) { if (alg_a & SSL_aECDSA)
/*
* we don't need to look at SSL_kECDHE since no certificate is needed
* for anon ECDH and for authenticated ECDHE, the check for the auth
* algorithm will set i correctly NOTE: For ECDH-RSA, we need an ECC
* not an RSA cert but for ECDHE-RSA we need an RSA cert. Placing the
* checks for SSL_kECDH before RSA checks ensures the correct cert is
* chosen.
*/
return SSL_PKEY_ECC;
} else if (alg_a & SSL_aECDSA)
return SSL_PKEY_ECC; return SSL_PKEY_ECC;
else if (alg_a & SSL_aDSS) else if (alg_a & SSL_aDSS)
return SSL_PKEY_DSA_SIGN; return SSL_PKEY_DSA_SIGN;

54
ssl/ssl_lib.c
View File

@@ -2504,7 +2504,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
unsigned long mask_k, mask_a; unsigned long mask_k, mask_a;
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
int have_ecc_cert, ecdsa_ok; int have_ecc_cert, ecdsa_ok;
int ecdh_ok;
X509 *x = NULL; X509 *x = NULL;
int pk_nid = 0, md_nid = 0; int pk_nid = 0, md_nid = 0;
#endif #endif
@@ -2575,23 +2574,10 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
cpk = &c->pkeys[SSL_PKEY_ECC]; cpk = &c->pkeys[SSL_PKEY_ECC];
x = cpk->x509; x = cpk->x509;
ex_kusage = X509_get_key_usage(x); ex_kusage = X509_get_key_usage(x);
ecdh_ok = ex_kusage & X509v3_KU_KEY_AGREEMENT;
ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE; ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN)) if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
ecdsa_ok = 0; ecdsa_ok = 0;
OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid); OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
if (ecdh_ok) {
if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
mask_k |= SSL_kECDHr;
mask_a |= SSL_aECDH;
}
if (pk_nid == NID_X9_62_id_ecPublicKey) {
mask_k |= SSL_kECDHe;
mask_a |= SSL_aECDH;
}
}
if (ecdsa_ok) { if (ecdsa_ok) {
mask_a |= SSL_aECDSA; mask_a |= SSL_aECDSA;
} }
@@ -2621,50 +2607,14 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
{ {
unsigned long alg_k, alg_a; if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA) {
int md_nid = 0, pk_nid = 0;
const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
uint32_t ex_kusage = X509_get_key_usage(x);
alg_k = cs->algorithm_mkey;
alg_a = cs->algorithm_auth;
OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
/* key usage, if present, must allow key agreement */
if (!(ex_kusage & X509v3_KU_KEY_AGREEMENT)) {
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
return 0;
}
if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION) {
/* signature alg must be ECDSA */
if (pk_nid != NID_X9_62_id_ecPublicKey) {
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
return 0;
}
}
if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION) {
/* signature alg must be RSA */
if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) {
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
return 0;
}
}
}
if (alg_a & SSL_aECDSA) {
/* key usage, if present, must allow signing */ /* key usage, if present, must allow signing */
if (!(ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) { if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
SSL_R_ECC_CERT_NOT_FOR_SIGNING); SSL_R_ECC_CERT_NOT_FOR_SIGNING);
return 0; return 0;
} }
} }
return 1; /* all checks are ok */ return 1; /* all checks are ok */
} }

30
ssl/ssl_locl.h
View File

@@ -297,24 +297,20 @@
# define SSL_kDHE 0x00000002U # define SSL_kDHE 0x00000002U
/* synonym */ /* synonym */
# define SSL_kEDH SSL_kDHE # define SSL_kEDH SSL_kDHE
/* ECDH cert, RSA CA cert */
# define SSL_kECDHr 0x00000004U
/* ECDH cert, ECDSA CA cert */
# define SSL_kECDHe 0x00000008U
/* ephemeral ECDH */ /* ephemeral ECDH */
# define SSL_kECDHE 0x00000010U # define SSL_kECDHE 0x00000004U
/* synonym */ /* synonym */
# define SSL_kEECDH SSL_kECDHE # define SSL_kEECDH SSL_kECDHE
/* PSK */ /* PSK */
# define SSL_kPSK 0x00000020U # define SSL_kPSK 0x00000008U
/* GOST key exchange */ /* GOST key exchange */
# define SSL_kGOST 0x00000040U # define SSL_kGOST 0x00000010U
/* SRP */ /* SRP */
# define SSL_kSRP 0x00000080U # define SSL_kSRP 0x00000020U
# define SSL_kRSAPSK 0x00000100U # define SSL_kRSAPSK 0x00000040U
# define SSL_kECDHEPSK 0x00000200U # define SSL_kECDHEPSK 0x00000080U
# define SSL_kDHEPSK 0x00000400U # define SSL_kDHEPSK 0x00000100U
/* all PSK */ /* all PSK */
@@ -327,18 +323,16 @@
# define SSL_aDSS 0x00000002U # define SSL_aDSS 0x00000002U
/* no auth (i.e. use ADH or AECDH) */ /* no auth (i.e. use ADH or AECDH) */
# define SSL_aNULL 0x00000004U # define SSL_aNULL 0x00000004U
/* Fixed ECDH auth (kECDHe or kECDHr) */
# define SSL_aECDH 0x00000008U
/* ECDSA auth*/ /* ECDSA auth*/
# define SSL_aECDSA 0x00000010U # define SSL_aECDSA 0x00000008U
/* PSK auth */ /* PSK auth */
# define SSL_aPSK 0x00000020U # define SSL_aPSK 0x00000010U
/* GOST R 34.10-2001 signature auth */ /* GOST R 34.10-2001 signature auth */
# define SSL_aGOST01 0x00000040U # define SSL_aGOST01 0x00000020U
/* SRP auth */ /* SRP auth */
# define SSL_aSRP 0x00000080U # define SSL_aSRP 0x00000040U
/* GOST R 34.10-2012 signature auth */ /* GOST R 34.10-2012 signature auth */
# define SSL_aGOST12 0x00000100U # define SSL_aGOST12 0x00000080U
/* Bits for algorithm_enc (symmetric encryption) */ /* Bits for algorithm_enc (symmetric encryption) */
# define SSL_DES 0x00000001U # define SSL_DES 0x00000001U

10
ssl/statem/statem_clnt.c
View File

@@ -2264,19 +2264,14 @@ psk_err:
#endif #endif
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
else if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) { else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
if (s->s3->peer_tmp != NULL) {
skey = s->s3->peer_tmp; skey = s->s3->peer_tmp;
} else {
/* Get the Server Public Key from Cert */
skey = X509_get0_pubkey(s->session->peer);
if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) { if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
}
ckey = ssl_generate_pkey(skey, NID_undef); ckey = ssl_generate_pkey(skey, NID_undef);
@@ -2777,9 +2772,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_ECDSA_SIGNING_CERT); SSL_R_MISSING_ECDSA_SIGNING_CERT);
goto f_err; goto f_err;
} else if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_ECDH_CERT);
goto f_err;
} }
#endif #endif
pkey = X509_get0_pubkey(s->session->peer); pkey = X509_get0_pubkey(s->session->peer);

16
ssl/statem/statem_srvr.c
View File

@@ -2365,20 +2365,8 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
#endif #endif
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) { if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
EVP_PKEY *skey = NULL; EVP_PKEY *skey = s->s3->tmp.pkey;
/* Let's get server private key and group information */
if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
/* use the certificate */
skey = s->cert->pkeys[SSL_PKEY_ECC].privatekey;
} else {
/*
* use the ephermeral values we saved when generating the
* ServerKeyExchange msg.
*/
skey = s->s3->tmp.pkey;
}
if (PACKET_remaining(pkt) == 0L) { if (PACKET_remaining(pkt) == 0L) {
/* We don't support ECDH client auth */ /* We don't support ECDH client auth */

18
ssl/t1_lib.c
View File

@@ -1072,14 +1072,6 @@ void ssl_set_client_disabled(SSL *s)
if (s->client_version == SSL3_VERSION) if (s->client_version == SSL3_VERSION)
s->s3->tmp.mask_ssl |= SSL_TLSV1; s->s3->tmp.mask_ssl |= SSL_TLSV1;
ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
/*
* Disable static DH if we don't include any appropriate signature
* algorithms.
*/
if (s->s3->tmp.mask_a & SSL_aRSA)
s->s3->tmp.mask_k |= SSL_kECDHr;
if (s->s3->tmp.mask_a & SSL_aECDSA)
s->s3->tmp.mask_k |= SSL_kECDHe;
# ifndef OPENSSL_NO_PSK # ifndef OPENSSL_NO_PSK
/* with PSK there must be client callback set */ /* with PSK there must be client callback set */
if (!s->psk_client_callback) { if (!s->psk_client_callback) {
@@ -1130,8 +1122,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
alg_k = c->algorithm_mkey; alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth; alg_a = c->algorithm_auth;
if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK) if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
|| (alg_a & SSL_aECDSA))) { || (alg_a & SSL_aECDSA)) {
using_ecc = 1; using_ecc = 1;
break; break;
} }
@@ -1507,8 +1499,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)) int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
|| (alg_a & SSL_aECDSA);
using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
#endif #endif
@@ -2815,8 +2806,7 @@ int ssl_check_serverhello_tlsext(SSL *s)
&& (s->tlsext_ecpointformatlist_length > 0) && (s->tlsext_ecpointformatlist_length > 0)
&& (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist != NULL)
&& (s->session->tlsext_ecpointformatlist_length > 0) && (s->session->tlsext_ecpointformatlist_length > 0)
&& ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)) && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
|| (alg_a & SSL_aECDSA))) {
/* we are using an ECC cipher */ /* we are using an ECC cipher */
size_t i; size_t i;
unsigned char *list; unsigned char *list;