diff options
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_lib.c | 138 | ||||
-rw-r--r-- | ssl/ssl_locl.h | 4 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 3 | ||||
-rw-r--r-- | ssl/t1_ext.c | 15 |
4 files changed, 115 insertions, 45 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 6875f384b1..5a6e6a7060 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -4039,10 +4039,32 @@ err: return NULL; } -int SSL_set_ct_validation_callback(SSL *s, ct_validation_cb callback, void *arg) +static int ct_permissive(const CT_POLICY_EVAL_CTX *ctx, + const STACK_OF(SCT) *scts, void *unused_arg) { - int ret = 0; + return 1; +} + +static int ct_strict(const CT_POLICY_EVAL_CTX *ctx, + const STACK_OF(SCT) *scts, void *unused_arg) +{ + int count = scts != NULL ? sk_SCT_num(scts) : 0; + int i; + for (i = 0; i < count; ++i) { + SCT *sct = sk_SCT_value(scts, i); + int status = SCT_get_validation_status(sct); + + if (status == SCT_VALIDATION_STATUS_VALID) + return 1; + } + SSLerr(SSL_F_CT_STRICT, SSL_R_NO_VALID_SCTS); + return 0; +} + +int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback, + void *arg) +{ /* * Since code exists that uses the custom extension handler for CT, look * for this and throw an error if they have already registered to use CT. @@ -4051,28 +4073,25 @@ int SSL_set_ct_validation_callback(SSL *s, ct_validation_cb callback, void *arg) TLSEXT_TYPE_signed_certificate_timestamp)) { SSLerr(SSL_F_SSL_SET_CT_VALIDATION_CALLBACK, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED); - goto err; + return 0; } - s->ct_validation_callback = callback; - s->ct_validation_callback_arg = arg; - if (callback != NULL) { /* If we are validating CT, then we MUST accept SCTs served via OCSP */ if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp)) - goto err; + return 0; } - ret = 1; -err: - return ret; + s->ct_validation_callback = callback; + s->ct_validation_callback_arg = arg; + + return 1; } -int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, ct_validation_cb callback, +int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, + ssl_ct_validation_cb callback, void *arg) { - int ret = 0; - /* * Since code exists that uses the custom extension handler for CT, look for * this and throw an error if they have already registered to use CT. @@ -4081,59 +4100,90 @@ int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, ct_validation_cb callback, TLSEXT_TYPE_signed_certificate_timestamp)) { SSLerr(SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED); - goto err; + return 0; } ctx->ct_validation_callback = callback; ctx->ct_validation_callback_arg = arg; - ret = 1; -err: - return ret; + return 1; } -ct_validation_cb SSL_get_ct_validation_callback(const SSL *s) +int SSL_ct_is_enabled(const SSL *s) { - return s->ct_validation_callback; + return s->ct_validation_callback != NULL; } -ct_validation_cb SSL_CTX_get_ct_validation_callback(const SSL_CTX *ctx) +int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx) { - return ctx->ct_validation_callback; + return ctx->ct_validation_callback != NULL; } int ssl_validate_ct(SSL *s) { int ret = 0; X509 *cert = s->session != NULL ? s->session->peer : NULL; - X509 *issuer = NULL; + X509 *issuer; + struct dane_st *dane = &s->dane; CT_POLICY_EVAL_CTX *ctx = NULL; const STACK_OF(SCT) *scts; - /* If no callback is set, attempt no validation - just return success */ - if (s->ct_validation_callback == NULL) + /* + * If no callback is set, the peer is anonymous, or its chain is invalid, + * skip SCT validation - just return success. Applications that continue + * handshakes without certificates, with unverified chains, or pinned leaf + * certificates are outside the scope of the WebPKI and CT. + * + * The above exclusions notwithstanding the vast majority of peers will + * have rather ordinary certificate chains validated by typical + * applications that perform certificate verification and therefore will + * process SCTs when enabled. + */ + if (s->ct_validation_callback == NULL || cert == NULL || + s->verify_result != X509_V_OK || + s->verified_chain == NULL || + sk_X509_num(s->verified_chain) <= 1) return 1; - if (cert == NULL) { - SSLerr(SSL_F_SSL_VALIDATE_CT, SSL_R_NO_CERTIFICATE_ASSIGNED); - goto end; + /* + * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3) + * trust-anchors. See https://tools.ietf.org/html/rfc7671#section-4.2 + */ + if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) { + switch (dane->mtlsa->usage) { + case DANETLS_USAGE_DANE_TA: + case DANETLS_USAGE_DANE_EE: + return 1; + } } - if (s->verified_chain != NULL && sk_X509_num(s->verified_chain) > 1) - issuer = sk_X509_value(s->verified_chain, 1); - ctx = CT_POLICY_EVAL_CTX_new(); if (ctx == NULL) { SSLerr(SSL_F_SSL_VALIDATE_CT, ERR_R_MALLOC_FAILURE); goto end; } + issuer = sk_X509_value(s->verified_chain, 1); CT_POLICY_EVAL_CTX_set0_cert(ctx, cert); CT_POLICY_EVAL_CTX_set0_issuer(ctx, issuer); CT_POLICY_EVAL_CTX_set0_log_store(ctx, s->ctx->ctlog_store); scts = SSL_get0_peer_scts(s); - if (SCT_LIST_validate(scts, ctx) != 1) { + /* + * This function returns success (> 0) only when all the SCTs are valid, 0 + * when some are invalid, and < 0 on various internal errors (out of + * memory, etc.). Having some, or even all, invalid SCTs is not sufficient + * reason to abort the handshake, that decision is up to the callback. + * Therefore, we error out only in the unexpected case that the return + * value is negative. + * + * XXX: One might well argue that the return value of this function is an + * unforunate design choice. Its job is only to determine the validation + * status of each of the provided SCTs. So long as it correctly separates + * the wheat from the chaff it should return success. Failure in this case + * ought to correspond to an inability to carry out its duties. + */ + if (SCT_LIST_validate(scts, ctx) < 0) { SSLerr(SSL_F_SSL_VALIDATE_CT, SSL_R_SCT_VERIFICATION_FAILED); goto end; } @@ -4147,6 +4197,32 @@ end: return ret; } +int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode) +{ + switch (validation_mode) { + default: + SSLerr(SSL_F_SSL_CTX_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE); + return 0; + case SSL_CT_VALIDATION_PERMISSIVE: + return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL); + case SSL_CT_VALIDATION_STRICT: + return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL); + } +} + +int SSL_enable_ct(SSL *s, int validation_mode) +{ + switch (validation_mode) { + default: + SSLerr(SSL_F_SSL_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE); + return 0; + case SSL_CT_VALIDATION_PERMISSIVE: + return SSL_set_ct_validation_callback(s, ct_permissive, NULL); + case SSL_CT_VALIDATION_STRICT: + return SSL_set_ct_validation_callback(s, ct_strict, NULL); + } +} + int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx) { return CTLOG_STORE_load_default_file(ctx->ctlog_store); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 4a2b52d19e..8c8876c88e 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -816,7 +816,7 @@ struct ssl_ctx_st { * Validates that the SCTs (Signed Certificate Timestamps) are sufficient. * If they are not, the connection should be aborted. */ - ct_validation_cb ct_validation_callback; + ssl_ct_validation_cb ct_validation_callback; void *ct_validation_callback_arg; # endif @@ -1123,7 +1123,7 @@ struct ssl_st { * Validates that the SCTs (Signed Certificate Timestamps) are sufficient. * If they are not, the connection should be aborted. */ - ct_validation_cb ct_validation_callback; + ssl_ct_validation_cb ct_validation_callback; /* User-supplied argument tha tis passed to the ct_validation_callback */ void *ct_validation_callback_arg; /* diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 19ea227e6a..fe1cde69e1 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2067,7 +2067,8 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) #ifndef OPENSSL_NO_CT if (s->ct_validation_callback != NULL) { - if (!ssl_validate_ct(s)) { + /* Note we validate the SCTs whether or not we abort on error */ + if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); return MSG_PROCESS_ERROR; } diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c index 7940cfc2bf..e9933976cf 100644 --- a/ssl/t1_ext.c +++ b/ssl/t1_ext.c @@ -260,12 +260,6 @@ int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, custom_ext_parse_cb parse_cb, void *parse_arg) { - int ret = custom_ext_meth_add(&ctx->cert->cli_ext, ext_type, add_cb, - free_cb, add_arg, parse_cb, parse_arg); - - if (ret != 1) - goto end; - #ifndef OPENSSL_NO_CT /* * We don't want applications registering callbacks for SCT extensions @@ -273,12 +267,11 @@ int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, * these two things may not play well together. */ if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp && - SSL_CTX_get_ct_validation_callback(ctx) != NULL) { - ret = 0; - } + SSL_CTX_ct_is_enabled(ctx)) + return 0; #endif -end: - return ret; + return custom_ext_meth_add(&ctx->cert->cli_ext, ext_type, add_cb, + free_cb, add_arg, parse_cb, parse_arg); } int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, |