From 8acc30923121ec4884a8cb19e75bd99889131e7f Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 19 Oct 2016 16:38:40 +0000
Subject: Remove support for fixed ECDH cipher suites - these is not widely supported and more importantly they do not provide PFS (if you want to use ECDH, use ECDHE instead). With input from guenther@. ok deraadt@ guenther@
---
 src/lib/libssl/s3_clnt.c | 19 +--
 src/lib/libssl/s3_lib.c | 306 +--------------------------------------------
 src/lib/libssl/s3_srvr.c | 22 ++--
 src/lib/libssl/ssl_ciph.c | 32 +----
 src/lib/libssl/ssl_lib.c | 113 +++-------------
 src/lib/libssl/ssl_locl.h | 6 +-
 src/lib/libssl/t1_lib.c | 10 +-
 7 files changed, 42 insertions(+), 466 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 264cb012d5..d7cd37dec8 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.138 2016/03/27 00:55:38 mmcc Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.139 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1968,13 +1968,12 @@ err:
 }
 static int
-ssl3_send_client_kex_ecdh(SSL *s, SESS_CERT *sess_cert, unsigned char *p,
+ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sess_cert, unsigned char *p,
 int *outlen)
 {
 EC_KEY *tkey, *clnt_ecdh = NULL;
 const EC_GROUP *srvr_group = NULL;
 const EC_POINT *srvr_ecpoint = NULL;
- EVP_PKEY *srvr_pub_pkey = NULL;
 BN_CTX *bn_ctx = NULL;
 unsigned char *encodedPoint = NULL;
 unsigned char *key = NULL;
@@ -1994,14 +1993,6 @@ ssl3_send_client_kex_ecdh(SSL *s, SESS_CERT *sess_cert, unsigned char *p,
 }
 tkey = sess_cert->peer_ecdh_tmp;
- if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
- /* Get the Server Public Key from certificate. */
- srvr_pub_pkey = X509_get_pubkey(
- sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
- if (srvr_pub_pkey != NULL && srvr_pub_pkey->type == EVP_PKEY_EC)
- tkey = srvr_pub_pkey->pkey.ec;
- }
-
 if (tkey == NULL) {
 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
 ERR_R_INTERNAL_ERROR);
@@ -2093,7 +2084,6 @@ err:
 BN_CTX_free(bn_ctx);
 free(encodedPoint);
 EC_KEY_free(clnt_ecdh);
- EVP_PKEY_free(srvr_pub_pkey);
 return (ret);
 }
@@ -2242,8 +2232,9 @@ ssl3_send_client_key_exchange(SSL *s)
 } else if (alg_k & SSL_kDHE) {
 if (ssl3_send_client_kex_dhe(s, sess_cert, p, &n) != 1)
 goto err;
- } else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) {
- if (ssl3_send_client_kex_ecdh(s, sess_cert, p, &n) != 1)
+ } else if (alg_k & SSL_kECDHE) {
+ if (ssl3_send_client_kex_ecdhe(s, sess_cert, p,
+ &n) != 1)
 goto err;
 } else if (alg_k & SSL_kGOST) {
 if (ssl3_send_client_kex_gost(s, sess_cert, p, &n) != 1)
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index e873c17c87..92beeae3c4 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.108 2016/04/28 16:39:45 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.109 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
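Review bot: With the certificate-derived fallback removed, `tkey` is assigned only from `sess_cert->peer_ecdh_tmp`, so the `tkey == NULL` branch directly below is now the sole guard on this path against an ECDHE handshake for which no ephemeral server key was stored; that deserves a comment such as `/* ECDHE only: the peer's ephemeral key must have come from ServerKeyExchange. */` above the assignment. Whether an earlier check in this function already rejects a missing peer_ecdh_tmp is outside the hunk, so the guard should stay either way. ssl3_send_client_kex_ecdhe starts and ends outside this hunk.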
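Review bot: The new `ssl3_send_client_kex_ecdhe` call is wrapped onto two lines although, at the same indent as the `ssl3_send_client_kex_dhe` call two lines above it, it is only one character longer and appears to fit within 80 columns; `if (ssl3_send_client_kex_ecdhe(s, sess_cert, p, &n) != 1)` on one line keeps the three branches visually parallel. Style only. ssl3_send_client_key_exchange starts and ends outside this hunk.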
@@ -1129,86 +1129,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 },
 #endif /* OPENSSL_NO_CAMELLIA */
- /* Cipher C001 */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
- .id = TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
- .algorithm_mkey = SSL_kECDHe,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_eNULL,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_STRONG_NONE,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 0,
- .alg_bits = 0,
- },
-
- /* Cipher C002 */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
- .id = TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
- .algorithm_mkey = SSL_kECDHe,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_RC4,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_MEDIUM,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher C003 */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
- .id = TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
- .algorithm_mkey = SSL_kECDHe,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_3DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 112,
- .alg_bits = 168,
- },
-
- /* Cipher C004 */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- .id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- .algorithm_mkey = SSL_kECDHe,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES128,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher C005 */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
- .id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
- .algorithm_mkey = SSL_kECDHe,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES256,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
 /* Cipher C006 */
 {
 .valid = 1,
@@ -1289,86 +1209,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 .alg_bits = 256,
 },
- /* Cipher C00B */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
- .id = TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
- .algorithm_mkey = SSL_kECDHr,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_eNULL,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_STRONG_NONE,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 0,
- .alg_bits = 0,
- },
-
- /* Cipher C00C */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
- .id = TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
- .algorithm_mkey = SSL_kECDHr,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_RC4,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_MEDIUM,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher C00D */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
- .id = TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
- .algorithm_mkey = SSL_kECDHr,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_3DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 112,
- .alg_bits = 168,
- },
-
- /* Cipher C00E */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
- .id = TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
- .algorithm_mkey = SSL_kECDHr,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES128,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher C00F */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
- .id = TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
- .algorithm_mkey = SSL_kECDHr,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES256,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
 /* Cipher C010 */
 {
 .valid = 1,
@@ -1564,38 +1404,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 .alg_bits = 256,
 },
- /* Cipher C025 */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256,
- .id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256,
- .algorithm_mkey = SSL_kECDHe,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES128,
- .algorithm_mac = SSL_SHA256,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher C026 */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384,
- .id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,
- .algorithm_mkey = SSL_kECDHe,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES256,
- .algorithm_mac = SSL_SHA384,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
 /* Cipher C027 */
 {
 .valid = 1,
@@ -1628,38 +1436,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 .alg_bits = 256,
 },
- /* Cipher C029 */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
- .id = TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
- .algorithm_mkey = SSL_kECDHr,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES128,
- .algorithm_mac = SSL_SHA256,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher C02A */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
- .id = TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
- .algorithm_mkey = SSL_kECDHr,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES256,
- .algorithm_mac = SSL_SHA384,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
 /* Cipher C02B */
@@ -1698,42 +1474,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 .alg_bits = 256,
 },
- /* Cipher C02D */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
- .id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
- .algorithm_mkey = SSL_kECDHe,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES128GCM,
- .algorithm_mac = SSL_AEAD,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
- SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher C02E */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
- .id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
- .algorithm_mkey = SSL_kECDHe,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES256GCM,
- .algorithm_mac = SSL_AEAD,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
- SSL_CIPHER_ALGORITHM2_AEAD|FIXED_N ONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
 /* Cipher C02F */
 {
 .valid = 1,
@@ -1770,42 +1510,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 .alg_bits = 256,
 },
- /* Cipher C031 */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
- .id = TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
- .algorithm_mkey = SSL_kECDHr,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES128GCM,
- .algorithm_mac = SSL_AEAD,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
- SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher C032 */
- {
- .valid = 1,
- .name = TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
- .id = TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
- .algorithm_mkey = SSL_kECDHr,
- .algorithm_auth = SSL_aECDH,
- .algorithm_enc = SSL_AES256GCM,
- .algorithm_mac = SSL_AEAD,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
- SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
 /* Cipher CC13 */
 {
@@ -2604,7 +2308,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 * If we are considering an ECC cipher suite that uses our
 * certificate check it.
 */
- if (alg_a & (SSL_aECDSA|SSL_aECDH))
+ if (alg_a & SSL_aECDSA)
 ok = ok && tls1_check_ec_server_key(s);
 /*
 * If we are considering an ECC cipher suite that uses
@@ -2647,14 +2351,10 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 }
 p[ret++] = SSL3_CT_RSA_SIGN;
 p[ret++] = SSL3_CT_DSS_SIGN;
- if ((alg_k & (SSL_kECDHr|SSL_kECDHe))) {
- p[ret++] = TLS_CT_RSA_FIXED_ECDH;
- p[ret++] = TLS_CT_ECDSA_FIXED_ECDH;
- }
 /*
 * ECDSA certs can be used with RSA cipher suites as well
- * so we don't need to check for SSL_kECDH or SSL_kECDHE
+ * so we don't need to check for SSL_kECDH or SSL_kECDHE.
 */
 p[ret++] = TLS_CT_ECDSA_SIGN;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index d2a03e05d2..8ecd51669a 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.127 2016/09/22 07:17:41 guenther Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.128 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1764,9 +1764,7 @@ ssl3_get_client_key_exchange(SSL *s)
 s->method->ssl3_enc->generate_master_secret(
 s, s->session->master_key, p, i);
 explicit_bzero(p, i);
- } else
-
- if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) {
+ } else if (alg_k & SSL_kECDHE) {
 int ret = 1;
 int key_size;
 const EC_KEY *tkey;
@@ -1780,17 +1778,11 @@ ssl3_get_client_key_exchange(SSL *s)
 goto err;
 }
- /* Let's get server private key and group information. */
- if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
- /* Use the certificate */
- tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
- } else {
- /*
- * Use the ephermeral values we saved when
- * generating the ServerKeyExchange msg.
- */
- tkey = s->s3->tmp.ecdh;
- }
+ /*
+ * Use the ephemeral values we saved when
+ * generating the ServerKeyExchange message.
+ */
+ tkey = s->s3->tmp.ecdh;
 group = EC_KEY_get0_group(tkey);
 priv_key = EC_KEY_get0_private_key(tkey);
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 526d98e293..2bf73c6606 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
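Review bot: The comment retained at the end of the s3_lib.c hunk still reads `so we don't need to check for SSL_kECDH or SSL_kECDHE`, and the only edit made to it is a trailing full stop, yet the fixed-ECDH key-exchange flags it refers to (SSL_kECDHr/SSL_kECDHe) are deleted from ssl_locl.h by this same commit, so the sentence now explains the absence of a check for something that cannot occur. Suggested wording: `* ECDSA certs can be used with RSA cipher suites as well,` / `* so there is no need to check alg_k for SSL_kECDHE here.`. ssl3_get_req_cert_type starts and ends outside the hunk.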
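Review bot: In the s3_srvr.c hunk `tkey = s->s3->tmp.ecdh;` is now the only source of the server's key and is handed straight to `EC_KEY_get0_group(tkey)` and `EC_KEY_get0_private_key(tkey)` on the following context lines with no NULL check; the deleted branch was equally unchecked, but with a single source it is cheap to fail closed the way the client side does with its `if (tkey == NULL)` test in s3_clnt.c: `if ((tkey = s->s3->tmp.ecdh) == NULL) {` / `SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; }` (assuming that is the SSL_F_ code this function already uses for its other SSLerr calls). Presumably the handshake state machine guarantees that ssl3_send_server_key_exchange has populated tmp.ecdh before a ClientKeyExchange is processed on the SSL_kECDHE path, but that guarantee lives outside this hunk, so either confirm it or add the guard. ssl3_get_client_key_exchange starts and ends outside this hunk.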
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.86 2016/04/28 16:39:45 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.87 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -257,28 +257,14 @@ static const SSL_CIPHER cipher_aliases[] = {
 .name = SSL_TXT_DH,
 .algorithm_mkey = SSL_kDHE,
 },
-
- {
- .name = SSL_TXT_kECDHr,
- .algorithm_mkey = SSL_kECDHr,
- },
- {
- .name = SSL_TXT_kECDHe,
- .algorithm_mkey = SSL_kECDHe,
- },
- {
- .name = SSL_TXT_kECDH,
- .algorithm_mkey = SSL_kECDHr|SSL_kECDHe,
- },
 {
 .name = SSL_TXT_kEECDH,
 .algorithm_mkey = SSL_kECDHE,
 },
 {
 .name = SSL_TXT_ECDH,
- .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kECDHE,
+ .algorithm_mkey = SSL_kECDHE,
 },
-
 {
 .name = SSL_TXT_kGOST,
 .algorithm_mkey = SSL_kGOST,
@@ -301,10 +287,6 @@ static const SSL_CIPHER cipher_aliases[] = {
 .name = SSL_TXT_aNULL,
 .algorithm_auth = SSL_aNULL,
 },
- {
- .name = SSL_TXT_aECDH,
- .algorithm_auth = SSL_aECDH,
- },
 {
 .name = SSL_TXT_aECDSA,
 .algorithm_auth = SSL_aECDSA,
@@ -1455,7 +1437,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
 /* Move ciphers without forward secrecy to the end */
- ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
 /* RC4 is sort of broken - move it to the end */
@@ -1597,12 +1578,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 case SSL_kDHE:
 kx = "DH";
 break;
- case SSL_kECDHr:
- kx = "ECDH/RSA";
- break;
- case SSL_kECDHe:
- kx = "ECDH/ECDSA";
- break;
 case SSL_kECDHE:
 kx = "ECDH";
 break;
@@ -1620,9 +1595,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 case SSL_aDSS:
 au = "DSS";
 break;
- case SSL_aECDH:
- au = "ECDH";
- break;
 case SSL_aNULL:
 au = "None";
 break;
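Review bot: After the cipher_aliases hunk the `SSL_TXT_ECDH` alias resolves to exactly `SSL_kECDHE`, so "ECDH" in a cipher string now means the same as "kEECDH", and the `SSL_TXT_kECDHr`, `SSL_TXT_kECDHe`, `SSL_TXT_kECDH` and `SSL_TXT_aECDH` words are dropped from the alias table only; if ssl.h (not in this diff) still defines those strings, cipher lists that mention them — including negative rules such as `!aECDH` — will presumably stop matching anything rather than be rejected, which is a user-visible change the commit message does not mention. A comment on the surviving entry would record the new meaning, e.g. `/* Fixed ECDH suites are gone; "ECDH" is now a synonym for "kEECDH". */`, and the public SSL_TXT_* names deserve a follow-up to retire or document them. The cipher_aliases table starts and ends outside this hunk.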
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 3596315166..4fa9b149b1 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.118 2016/09/22 12:34:59 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.119 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2004,14 +2004,11 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
 void
 ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 {
- CERT_PKEY *cpk;
 int rsa_enc, rsa_sign, dh_tmp, dsa_sign;
+ int have_ecc_cert, have_ecdh_tmp;
 unsigned long mask_k, mask_a;
- int have_ecc_cert, ecdh_ok, ecdsa_ok;
- int have_ecdh_tmp;
 X509 *x = NULL;
- EVP_PKEY *ecc_pkey = NULL;
- int signature_nid = 0, pk_nid = 0, md_nid = 0;
+ CERT_PKEY *cpk;
 if (c == NULL)
 return;
@@ -2021,6 +2018,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL ||
 c->ecdh_tmp_auto != 0);
+
 cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
 rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
 cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
@@ -2058,93 +2056,40 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 * ECDSA cipher suites depending on the key usage extension.
 */
 if (have_ecc_cert) {
- /* This call populates extension flags (ex_flags) */
 x = (c->pkeys[SSL_PKEY_ECC]).x509;
+
+ /* This call populates extension flags (ex_flags). */
 X509_check_purpose(x, -1, 0);
- ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
- (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
- ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
- (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
- ecc_pkey = X509_get_pubkey(x);
- EVP_PKEY_free(ecc_pkey);
- if ((x->sig_alg) && (x->sig_alg->algorithm)) {
- signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
- OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
- }
- if (ecdh_ok) {
- if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
- mask_k|=SSL_kECDHr;
- mask_a|=SSL_aECDH;
- }
- if (pk_nid == NID_X9_62_id_ecPublicKey) {
- mask_k|=SSL_kECDHe;
- mask_a|=SSL_aECDH;
- }
- }
- if (ecdsa_ok)
+
+ /* Key usage, if present, must allow signing. */
+ if ((x->ex_flags & EXFLAG_KUSAGE) == 0 ||
+ (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE))
 mask_a|=SSL_aECDSA;
 }
- if (have_ecdh_tmp) {
+ if (have_ecdh_tmp)
 mask_k|=SSL_kECDHE;
- }
-
 c->mask_k = mask_k;
 c->mask_a = mask_a;
 c->valid = 1;
 }
-/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
-#define ku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-
-
 int
 ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 {
- unsigned long alg_k, alg_a;
- int signature_nid = 0, md_nid = 0, pk_nid = 0;
 const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
+ unsigned long alg_a;
- alg_k = cs->algorithm_mkey;
 alg_a = cs->algorithm_auth;
- /* This call populates the ex_flags field correctly */
- X509_check_purpose(x, -1, 0);
- if ((x->sig_alg) && (x->sig_alg->algorithm)) {
- signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
- OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
- }
- if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
- /* key usage, if present, must allow key agreement */
- if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
- SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
- SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
- return (0);
- }
- if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) <
- TLS1_2_VERSION) {
- /* signature alg must be ECDSA */
- if (pk_nid != NID_X9_62_id_ecPublicKey) {
- SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
- SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
- return (0);
- }
- }
- if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) <
- TLS1_2_VERSION) {
- /* signature alg must be RSA */
- if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) {
- SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
- SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
- return (0);
- }
- }
- }
 if (alg_a & SSL_aECDSA) {
- /* key usage, if present, must allow signing */
- if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {
+ /* This call populates extension flags (ex_flags). */
+ X509_check_purpose(x, -1, 0);
+
+ /* Key usage, if present, must allow signing. */
+ if ((x->ex_flags & EXFLAG_KUSAGE) &&
+ ((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) {
 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
 SSL_R_ECC_CERT_NOT_FOR_SIGNING);
 return (0);
@@ -2152,39 +2097,21 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 }
 return (1);
- /* all checks are ok */
 }
-
-/* THIS NEEDS CLEANING UP */
 CERT_PKEY *
 ssl_get_server_send_pkey(const SSL *s)
 {
- unsigned long alg_k, alg_a;
+ unsigned long alg_a;
 CERT *c;
 int i;
 c = s->cert;
 ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
- if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
- /*
- * We don't need to look at SSL_kECDHE
- * since no certificate is needed for
- * anon ECDH and for authenticated
- * ECDHE, the check for the auth
- * algorithm will set i correctly
- * NOTE: For ECDH-RSA, we need an ECC
- * not an RSA cert but for EECDH-RSA
- * we need an RSA cert. Placing the
- * checks for SSL_kECDH before RSA
- * checks ensures the correct cert is chosen.
- */
- i = SSL_PKEY_ECC;
- } else if (alg_a & SSL_aECDSA) {
+ if (alg_a & SSL_aECDSA) {
 i = SSL_PKEY_ECC;
 } else if (alg_a & SSL_aDSS) {
 i = SSL_PKEY_DSA_SIGN;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 2a521fe26a..1b768e3939 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.129 2016/04/28 16:39:45 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.130 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
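Review bot: The "key usage, if present, must allow signing" rule is now written out twice with opposite polarity — `(x->ex_flags & EXFLAG_KUSAGE) == 0 || (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)` in ssl_set_cert_masks and `(x->ex_flags & EXFLAG_KUSAGE) && ((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)` in ssl_check_srvr_ecc_cert_and_alg — after this hunk deletes the `ku_reject` macro that expressed it once. Keeping the macro (or a `static inline` equivalent) and writing `if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))` at the first site and `if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {` at the second keeps the two checks from drifting apart. Note also that both sites treat a keyUsage extension that failed to parse (EXFLAG_KUSAGE never set) exactly like an absent one; presumably chain verification has already rejected such a certificate, but that is not established here, so the comment should say this check is not the place that catches it. ssl_set_cert_masks starts outside this hunk and ssl_check_srvr_ecc_cert_and_alg ends outside it.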
@@ -255,8 +255,6 @@
 /* Bits for algorithm_mkey (key exchange algorithm) */
 #define SSL_kRSA 0x00000001L /* RSA key exchange */
 #define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */
-#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
-#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
 #define SSL_kECDHE 0x00000080L /* ephemeral ECDH */
 #define SSL_kGOST 0x00000200L /* GOST key exchange */
@@ -264,11 +262,9 @@
 #define SSL_aRSA 0x00000001L /* RSA auth */
 #define SSL_aDSS 0x00000002L /* DSS auth */
 #define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
 #define SSL_aECDSA 0x00000040L /* ECDSA auth*/
 #define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
-
 /* Bits for algorithm_enc (symmetric encryption) */
 #define SSL_DES 0x00000001L
 #define SSL_3DES 0x00000002L
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 257cd0bd07..e7dbe9cd99 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.92 2016/10/02 21:18:08 guenther Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.93 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -651,8 +651,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 alg_k = c->algorithm_mkey;
 alg_a = c->algorithm_auth;
- if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
- (alg_a & SSL_aECDSA))) {
+ if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) {
 using_ecc = 1;
 break;
 }
@@ -964,8 +963,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
- using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
- alg_a & SSL_aECDSA) &&
+ using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) &&
 s->session->tlsext_ecpointformatlist != NULL;
 ret += 2;
@@ -1959,7 +1957,7 @@ ssl_check_serverhello_tlsext(SSL *s)
 (s->tlsext_ecpointformatlist_length > 0) &&
 (s->session->tlsext_ecpointformatlist != NULL) &&
 (s->session->tlsext_ecpointformatlist_length > 0) &&
- ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
+ ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
 /* we are using an ECC cipher */
 size_t i;
 unsigned char *list;
--
cgit v1.2.3-55-g6feb
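Review bot: The ECC predicate `(alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)` is now spelled out verbatim at this site and at the two sites rewritten just above it in ssl_add_clienthello_tlsext and ssl_add_serverhello_tlsext; a small helper would keep the three in step the next time a key-exchange or auth flag is added or removed, e.g. `static int ssl_cipher_uses_ecc(const SSL_CIPHER *c)` / `{ return ((c->algorithm_mkey & SSL_kECDHE) || (c->algorithm_auth & SSL_aECDSA)); }`, called with the cipher each site already has in hand. The changed line is one leg of a larger `if` whose opening, and the enclosing ssl_check_serverhello_tlsext body, lie outside the hunk.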