Remove support for fixed ECDH cipher suites - these is not widely supported

and more importantly they do not provide PFS (if you want to use ECDH, use ECDHE instead). With input from guenther@. ok deraadt@ guenther@
author: jsing <> 2016-10-19 16:38:40 +0000
committer: jsing <> 2016-10-19 16:38:40 +0000
commit: 8acc30923121ec4884a8cb19e75bd99889131e7f (patch)
tree: 69cebce9957786fdcd7943948cd528b764891fb2 /src/lib/libssl/ssl_lib.c
parent: ac7c37977891b32e21ccb19829cc10dc20c3d5ca (diff)
download: openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.tar.gz
openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.tar.bz2
openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.zip
1 files changed, 20 insertions, 93 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 3596315166..4fa9b149b1 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.118 2016/09/22 12:34:59 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.119 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2004,14 +2004,11 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
 void
 ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 {
-        CERT_PKEY       *cpk;
        int              rsa_enc, rsa_sign, dh_tmp, dsa_sign;
+        int              have_ecc_cert, have_ecdh_tmp;
        unsigned long    mask_k, mask_a;
-        int              have_ecc_cert, ecdh_ok, ecdsa_ok;
-        int              have_ecdh_tmp;
        X509            *x = NULL;
-        EVP_PKEY        *ecc_pkey = NULL;
+        CERT_PKEY       *cpk;
-        int              signature_nid = 0, pk_nid = 0, md_nid = 0;
        if (c == NULL)
                return;
@@ -2021,6 +2018,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL ||
            c->ecdh_tmp_auto != 0);
        cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
        rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
        cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
@@ -2058,93 +2056,40 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
         * ECDSA cipher suites depending on the key usage extension.
         */
        if (have_ecc_cert) {
-                /* This call populates extension flags (ex_flags) */
                x = (c->pkeys[SSL_PKEY_ECC]).x509;
+                /* This call populates extension flags (ex_flags). */
                X509_check_purpose(x, -1, 0);
-                ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
-                (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
+                /* Key usage, if present, must allow signing. */
-                ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
+                if ((x->ex_flags & EXFLAG_KUSAGE) == 0 ||
-                (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
+                    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE))
-                ecc_pkey = X509_get_pubkey(x);
-                EVP_PKEY_free(ecc_pkey);
-                if ((x->sig_alg) && (x->sig_alg->algorithm)) {
-                        signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
-                        OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
-                }
-                if (ecdh_ok) {
-                        if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
-                                mask_k|=SSL_kECDHr;
-                                mask_a|=SSL_aECDH;
-                        }
-                        if (pk_nid == NID_X9_62_id_ecPublicKey) {
-                                mask_k|=SSL_kECDHe;
-                                mask_a|=SSL_aECDH;
-                        }
-                }
-                if (ecdsa_ok)
                        mask_a|=SSL_aECDSA;
        }
-        if (have_ecdh_tmp) {
+        if (have_ecdh_tmp)
                mask_k|=SSL_kECDHE;
-        }
        c->mask_k = mask_k;
        c->mask_a = mask_a;
        c->valid = 1;
 }
-/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
-#define ku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
 int
 ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 {
-        unsigned long            alg_k, alg_a;
-        int                      signature_nid = 0, md_nid = 0, pk_nid = 0;
        const SSL_CIPHER        *cs = s->s3->tmp.new_cipher;
+        unsigned long            alg_a;
-        alg_k = cs->algorithm_mkey;
        alg_a = cs->algorithm_auth;
-        /* This call populates the ex_flags field correctly */
-        X509_check_purpose(x, -1, 0);
-        if ((x->sig_alg) && (x->sig_alg->algorithm)) {
-                signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
-                OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
-        }
-        if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
-                /* key usage, if present, must allow key agreement */
-                if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
-                        SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
-                            SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
-                        return (0);
-                }
-                if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) <
-                    TLS1_2_VERSION) {
-                        /* signature alg must be ECDSA */
-                        if (pk_nid != NID_X9_62_id_ecPublicKey) {
-                                SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
-                                    SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
-                                return (0);
-                        }
-                }
-                if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) <
-                    TLS1_2_VERSION) {
-                        /* signature alg must be RSA */
-                        if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) {
-                                SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
-                                    SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
-                                return (0);
-                        }
-                }
-        }
        if (alg_a & SSL_aECDSA) {
-                /* key usage, if present, must allow signing */
+                /* This call populates extension flags (ex_flags). */
-                if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {
+                X509_check_purpose(x, -1, 0);
+                /* Key usage, if present, must allow signing. */
+                if ((x->ex_flags & EXFLAG_KUSAGE) &&
+                    ((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) {
                        SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
                            SSL_R_ECC_CERT_NOT_FOR_SIGNING);
                        return (0);
@@ -2152,39 +2097,21 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
        }
        return (1);
-        /* all checks are ok */
 }
-/* THIS NEEDS CLEANING UP */
 CERT_PKEY *
 ssl_get_server_send_pkey(const SSL *s)
 {
-        unsigned long    alg_k, alg_a;
+        unsigned long    alg_a;
        CERT            *c;
        int              i;
        c = s->cert;
        ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
-        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-        if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
+        if (alg_a & SSL_aECDSA) {
-                /*
-                 * We don't need to look at SSL_kECDHE
-                 * since no certificate is needed for
-                 * anon ECDH and for authenticated
-                 * ECDHE, the check for the auth
-                 * algorithm will set i correctly
-                 * NOTE: For ECDH-RSA, we need an ECC
-                 * not an RSA cert but for EECDH-RSA
-                 * we need an RSA cert. Placing the
-                 * checks for SSL_kECDH before RSA
-                 * checks ensures the correct cert is chosen.
-                 */
-                i = SSL_PKEY_ECC;
-        } else if (alg_a & SSL_aECDSA) {
                i = SSL_PKEY_ECC;
        } else if (alg_a & SSL_aDSS) {
                i = SSL_PKEY_DSA_SIGN;
author	jsing <>	2016-10-19 16:38:40 +0000
committer	jsing <>	2016-10-19 16:38:40 +0000
commit	8acc30923121ec4884a8cb19e75bd99889131e7f (patch)
tree	69cebce9957786fdcd7943948cd528b764891fb2 /src/lib/libssl/ssl_lib.c
parent	ac7c37977891b32e21ccb19829cc10dc20c3d5ca (diff)
download	openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.tar.gz openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.tar.bz2 openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.zip

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 3596315166..4fa9b149b1 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.118 2016/09/22 12:34:59 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.119 2016/10/19 16:38:40 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2004,14 +2004,11 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
2004	void	2004	void
2005	ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)	2005	ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
2006	{	2006	{
2007	CERT_PKEY *cpk;
2008	int rsa_enc, rsa_sign, dh_tmp, dsa_sign;	2007	int rsa_enc, rsa_sign, dh_tmp, dsa_sign;
		2008	int have_ecc_cert, have_ecdh_tmp;
2009	unsigned long mask_k, mask_a;	2009	unsigned long mask_k, mask_a;
2010	int have_ecc_cert, ecdh_ok, ecdsa_ok;
2011	int have_ecdh_tmp;
2012	X509 *x = NULL;	2010	X509 *x = NULL;
2013	EVP_PKEY *ecc_pkey = NULL;	2011	CERT_PKEY *cpk;
2014	int signature_nid = 0, pk_nid = 0, md_nid = 0;
2015		2012
2016	if (c == NULL)	2013	if (c == NULL)
2017	return;	2014	return;
@@ -2021,6 +2018,7 @@ ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
2021		2018
2022	have_ecdh_tmp = (c->ecdh_tmp != NULL \|\| c->ecdh_tmp_cb != NULL \|\|	2019	have_ecdh_tmp = (c->ecdh_tmp != NULL \|\| c->ecdh_tmp_cb != NULL \|\|
2023	c->ecdh_tmp_auto != 0);	2020	c->ecdh_tmp_auto != 0);
		2021
2024	cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);	2022	cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
2025	rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);	2023	rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
2026	cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);	2024	cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
@@ -2058,93 +2056,40 @@ ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
2058	* ECDSA cipher suites depending on the key usage extension.	2056	* ECDSA cipher suites depending on the key usage extension.
2059	*/	2057	*/
2060	if (have_ecc_cert) {	2058	if (have_ecc_cert) {
2061	/* This call populates extension flags (ex_flags) */
2062	x = (c->pkeys[SSL_PKEY_ECC]).x509;	2059	x = (c->pkeys[SSL_PKEY_ECC]).x509;
		2060
		2061	/* This call populates extension flags (ex_flags). */
2063	X509_check_purpose(x, -1, 0);	2062	X509_check_purpose(x, -1, 0);
2064	ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?	2063
2065	(x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;	2064	/* Key usage, if present, must allow signing. */
2066	ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?	2065	if ((x->ex_flags & EXFLAG_KUSAGE) == 0 \|\|
2067	(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;	2066	(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE))
2068	ecc_pkey = X509_get_pubkey(x);
2069	EVP_PKEY_free(ecc_pkey);
2070	if ((x->sig_alg) && (x->sig_alg->algorithm)) {
2071	signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
2072	OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
2073	}
2074	if (ecdh_ok) {
2075	if (pk_nid == NID_rsaEncryption \|\| pk_nid == NID_rsa) {
2076	mask_k\|=SSL_kECDHr;
2077	mask_a\|=SSL_aECDH;
2078	}
2079	if (pk_nid == NID_X9_62_id_ecPublicKey) {
2080	mask_k\|=SSL_kECDHe;
2081	mask_a\|=SSL_aECDH;
2082	}
2083	}
2084	if (ecdsa_ok)
2085	mask_a\|=SSL_aECDSA;	2067	mask_a\|=SSL_aECDSA;
2086	}	2068	}
2087		2069
2088	if (have_ecdh_tmp) {	2070	if (have_ecdh_tmp)
2089	mask_k\|=SSL_kECDHE;	2071	mask_k\|=SSL_kECDHE;
2090	}
2091
2092		2072
2093	c->mask_k = mask_k;	2073	c->mask_k = mask_k;
2094	c->mask_a = mask_a;	2074	c->mask_a = mask_a;
2095	c->valid = 1;	2075	c->valid = 1;
2096	}	2076	}
2097		2077
2098	/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
2099	#define ku_reject(x, usage) \
2100	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
2101
2102
2103	int	2078	int
2104	ssl_check_srvr_ecc_cert_and_alg(X509 x, SSL s)	2079	ssl_check_srvr_ecc_cert_and_alg(X509 x, SSL s)
2105	{	2080	{
2106	unsigned long alg_k, alg_a;
2107	int signature_nid = 0, md_nid = 0, pk_nid = 0;
2108	const SSL_CIPHER *cs = s->s3->tmp.new_cipher;	2081	const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
		2082	unsigned long alg_a;
2109		2083
2110	alg_k = cs->algorithm_mkey;
2111	alg_a = cs->algorithm_auth;	2084	alg_a = cs->algorithm_auth;
2112		2085
2113	/* This call populates the ex_flags field correctly */
2114	X509_check_purpose(x, -1, 0);
2115	if ((x->sig_alg) && (x->sig_alg->algorithm)) {
2116	signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
2117	OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
2118	}
2119	if (alg_k & SSL_kECDHe \|\| alg_k & SSL_kECDHr) {
2120	/* key usage, if present, must allow key agreement */
2121	if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
2122	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2123	SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2124	return (0);
2125	}
2126	if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) <
2127	TLS1_2_VERSION) {
2128	/* signature alg must be ECDSA */
2129	if (pk_nid != NID_X9_62_id_ecPublicKey) {
2130	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2131	SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
2132	return (0);
2133	}
2134	}
2135	if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) <
2136	TLS1_2_VERSION) {
2137	/* signature alg must be RSA */
2138	if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) {
2139	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2140	SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
2141	return (0);
2142	}
2143	}
2144	}
2145	if (alg_a & SSL_aECDSA) {	2086	if (alg_a & SSL_aECDSA) {
2146	/* key usage, if present, must allow signing */	2087	/* This call populates extension flags (ex_flags). */
2147	if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {	2088	X509_check_purpose(x, -1, 0);
		2089
		2090	/* Key usage, if present, must allow signing. */
		2091	if ((x->ex_flags & EXFLAG_KUSAGE) &&
		2092	((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) {
2148	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,	2093	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2149	SSL_R_ECC_CERT_NOT_FOR_SIGNING);	2094	SSL_R_ECC_CERT_NOT_FOR_SIGNING);
2150	return (0);	2095	return (0);
@@ -2152,39 +2097,21 @@ ssl_check_srvr_ecc_cert_and_alg(X509 x, SSL s)
2152	}	2097	}
2153		2098
2154	return (1);	2099	return (1);
2155	/* all checks are ok */
2156	}	2100	}
2157		2101
2158
2159	/* THIS NEEDS CLEANING UP */
2160	CERT_PKEY *	2102	CERT_PKEY *
2161	ssl_get_server_send_pkey(const SSL *s)	2103	ssl_get_server_send_pkey(const SSL *s)
2162	{	2104	{
2163	unsigned long alg_k, alg_a;	2105	unsigned long alg_a;
2164	CERT *c;	2106	CERT *c;
2165	int i;	2107	int i;
2166		2108
2167	c = s->cert;	2109	c = s->cert;
2168	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);	2110	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
2169		2111
2170	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2171	alg_a = s->s3->tmp.new_cipher->algorithm_auth;	2112	alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2172		2113
2173	if (alg_k & (SSL_kECDHr\|SSL_kECDHe)) {	2114	if (alg_a & SSL_aECDSA) {
2174	/*
2175	* We don't need to look at SSL_kECDHE
2176	* since no certificate is needed for
2177	* anon ECDH and for authenticated
2178	* ECDHE, the check for the auth
2179	* algorithm will set i correctly
2180	* NOTE: For ECDH-RSA, we need an ECC
2181	* not an RSA cert but for EECDH-RSA
2182	* we need an RSA cert. Placing the
2183	* checks for SSL_kECDH before RSA
2184	* checks ensures the correct cert is chosen.
2185	*/
2186	i = SSL_PKEY_ECC;
2187	} else if (alg_a & SSL_aECDSA) {
2188	i = SSL_PKEY_ECC;	2115	i = SSL_PKEY_ECC;
2189	} else if (alg_a & SSL_aDSS) {	2116	} else if (alg_a & SSL_aDSS) {
2190	i = SSL_PKEY_DSA_SIGN;	2117	i = SSL_PKEY_DSA_SIGN;