/*
 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/core_names.h>
#include <openssl/ocsp.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/provider.h>
#include <openssl/param_build.h>
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
#include "internal/ssl_unwrap.h"
#include "ssl_local.h"
#include "quic/quic_local.h"
#include <openssl/ct.h>

/* Forward declarations of file-local helpers defined further down. */
static const SIGALG_LOOKUP *find_sig_alg(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pkey);
static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, const SIGALG_LOOKUP *lu);

/*
 * Per-version SSL3_ENC_METHOD tables.  The initializers are positional, so
 * the entry order must follow the SSL3_ENC_METHOD member order.  TLSv1.0
 * and TLSv1.1 leave the SSL_ENC_FLAG_* word 0; TLSv1.2 sets SIGALGS,
 * SHA256_PRF and TLS1_2_CIPHERS; TLSv1.3 switches to the tls13_* key
 * schedule functions and sets SIGALGS and SHA256_PRF.
 */
SSL3_ENC_METHOD const TLSv1_enc_data = {
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    0,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_1_enc_data = {
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    0,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_2_enc_data = {
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
        | SSL_ENC_FLAG_TLS1_2_CIPHERS,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_3_enc_data = {
    tls13_setup_key_block,
    tls13_generate_master_secret,
    tls13_change_cipher_state,
    tls13_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls13_alert_code,
    tls13_export_keying_material,
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

/* Default session timeout used by the TLSv1 methods. */
OSSL_TIME tls1_default_timeout(void)
{
    /*
     * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
     * http, the cache would over fill
     */
    return ossl_seconds2time(60 * 60 * 2);
}

/*
 * Allocate the SSLv3/TLS state for |s| and reset it through the method's
 * ssl_clear().  Returns 1 on success, 0 if either step fails.
 */
int tls1_new(SSL *s)
{
    if (!ssl3_new(s))
        return 0;
    if (!s->method->ssl_clear(s))
        return 0;

    return 1;
}

/*
 * Release the TLS-specific state of |s|: the cached session ticket
 * extension data, then the SSLv3-level state.  Returns early when
 * SSL_CONNECTION_FROM_SSL() yields NULL.
 */
void tls1_free(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return;

    OPENSSL_free(sc->ext.session_ticket);
    ssl3_free(s);
}

/*
 * Reset |s| for reuse.  After the SSLv3-level clear the negotiated version
 * is set back to the method's fixed version, or to TLS_MAX_VERSION_INTERNAL
 * for a version-flexible (TLS_ANY_VERSION) method.  Returns 1 on success,
 * 0 when |s| is not a connection or ssl3_clear() fails.
 */
int tls1_clear(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return 0;

    if (!ssl3_clear(s))
        return 0;

    if (s->method->version == TLS_ANY_VERSION)
        sc->version = TLS_MAX_VERSION_INTERNAL;
    else
        sc->version = s->method->version;

    return 1;
}

/*
 * Legacy NID to group_id mapping.  Only works for groups we know about;
 * consulted by tls1_group_id2nid() and tls1_nid2group_id() below.
 */
static const struct {
    int nid;
    uint16_t group_id;
} nid_to_group[] = {
    { NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1 },
    { NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1 },
    { NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2 },
    { NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1 },
    { NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2 },
    { NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1 },
    { NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1 },
    { NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1 },
    { NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1 },
    { NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1 },
    { NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1 },
    { NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1 },
    { NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1 },
    { NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1 },
    { NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1 },
    { NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1 },
    { NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2 },
    { NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1 },
    { NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1 },
    { NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1 },
    { NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1 },
    { NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1 },
    { NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1 },
    { NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1 },
    { NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1 },
    { NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1 },
    { NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1 },
    { NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1 },
    { EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519 },
    { EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448 },
    { NID_brainpoolP256r1tls13, OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13 },
    { NID_brainpoolP384r1tls13, OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13 },
    { NID_brainpoolP512r1tls13, OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13 },
    { NID_id_tc26_gost_3410_2012_256_paramSetA, OSSL_TLS_GROUP_ID_gc256A },
    { NID_id_tc26_gost_3410_2012_256_paramSetB, OSSL_TLS_GROUP_ID_gc256B },
    { NID_id_tc26_gost_3410_2012_256_paramSetC, OSSL_TLS_GROUP_ID_gc256C },
    { NID_id_tc26_gost_3410_2012_256_paramSetD, OSSL_TLS_GROUP_ID_gc256D },
    { NID_id_tc26_gost_3410_2012_512_paramSetA, OSSL_TLS_GROUP_ID_gc512A },
    { NID_id_tc26_gost_3410_2012_512_paramSetB, OSSL_TLS_GROUP_ID_gc512B },
    { NID_id_tc26_gost_3410_2012_512_paramSetC, OSSL_TLS_GROUP_ID_gc512C },
    { NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048 },
    { NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072 },
    { NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096 },
    { NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144 },
    { NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192 }
};

/*
 * Default EC point format list: uncompressed first, then the two ANSI
 * X9.62 compressed encodings.
 */
static const unsigned char ecformats_default[] = {
    TLSEXT_ECPOINTFORMAT_uncompressed,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
};

/* Group list string of the built-in pseudo group DEFAULT */
#define
DEFAULT_GROUP_NAME "DEFAULT"
#define TLS_DEFAULT_GROUP_LIST \
    "?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072"

/* Group ids making up the built-in pseudo group DEFAULT_SUITE_B. */
static const uint16_t suiteb_curves[] = {
    OSSL_TLS_GROUP_ID_secp256r1,
    OSSL_TLS_GROUP_ID_secp384r1,
};

/* Group list string of the built-in pseudo group DEFAULT_SUITE_B */
#define SUITE_B_GROUP_NAME "DEFAULT_SUITE_B"
#define SUITE_B_GROUP_LIST "secp256r1:secp384r1",

/* Context handed to the capability discovery callbacks below. */
struct provider_ctx_data_st {
    SSL_CTX *ctx;
    OSSL_PROVIDER *provider;
};

/* ctx->group_list grows in chunks of this many entries. */
#define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10

/*
 * Extend ctx->group_list by TLS_GROUP_LIST_MALLOC_BLOCK_SIZE zeroed entries.
 * Returns 1 on success, 0 on allocation failure (the old list is kept).
 */
static int group_list_grow(SSL_CTX *ctx)
{
    size_t oldmax = ctx->group_list_max_len;
    TLS_GROUP_INFO *grown;

    if (oldmax == 0)
        grown = OPENSSL_malloc(sizeof(TLS_GROUP_INFO)
                               * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE);
    else
        grown = OPENSSL_realloc(ctx->group_list,
                                (oldmax + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE)
                                * sizeof(TLS_GROUP_INFO));
    if (grown == NULL)
        return 0;

    ctx->group_list = grown;
    /* Fresh slots must start zeroed: the cleanup path frees their strings. */
    memset(grown + oldmax, 0,
           sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE);
    ctx->group_list_max_len = oldmax + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE;
    return 1;
}

/*
 * Duplicate the UTF8 string parameter |key| of |params| into |*out|.
 * Returns 1 on success; 0 with an error raised when the parameter is
 * missing or not a UTF8 string, or 0 when the copy fails.
 */
static int group_param_strdup(const OSSL_PARAM params[], const char *key,
                              char **out)
{
    const OSSL_PARAM *p = OSSL_PARAM_locate_const(params, key);

    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        return 0;
    }
    *out = OPENSSL_strdup(p->data);
    return *out != NULL;
}

/*
 * Read the mandatory int parameter |key| of |params| into |*out|.
 * Returns 1 on success, 0 with an error raised when it is missing or
 * cannot be converted.
 */
static int group_param_int(const OSSL_PARAM params[], const char *key,
                           int *out)
{
    const OSSL_PARAM *p = OSSL_PARAM_locate_const(params, key);

    if (p != NULL && OSSL_PARAM_get_int(p, out))
        return 1;
    ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
    return 0;
}

static OSSL_CALLBACK add_provider_groups;
/*
 * OSSL_PROVIDER_get_capabilities() callback: append the "TLS-GROUP"
 * capability described by |params| to the group list of the SSL_CTX held
 * in |data|.  All parameters are validated before the entry is committed:
 * the group id must fit in 16 bits and IS_KEM, when present, must be 0 or 1.
 * The entry is only kept when a key manager for its algorithm can be
 * fetched under the context's property query; otherwise its strings are
 * released and the callback still returns 1 so enumeration continues.
 * Returns 0 only on allocation failure or malformed parameters.
 */
static int add_provider_groups(const OSSL_PARAM params[], void *data)
{
    struct provider_ctx_data_st *pgd = data;
    SSL_CTX *ctx = pgd->ctx;
    const OSSL_PARAM *p;
    TLS_GROUP_INFO *ginf;
    EVP_KEYMGMT *keymgmt;
    unsigned int gid;
    unsigned int is_kem = 0;
    int ret = 0;

    /* Grow only when every allocated slot is in use. */
    if (ctx->group_list_max_len == ctx->group_list_len
        && !group_list_grow(ctx))
        return 0;

    ginf = &ctx->group_list[ctx->group_list_len];

    if (!group_param_strdup(params, OSSL_CAPABILITY_TLS_GROUP_NAME,
                            &ginf->tlsname)
        || !group_param_strdup(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL,
                               &ginf->realname))
        goto err;

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID);
    if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    ginf->group_id = (uint16_t)gid;

    if (!group_param_strdup(params, OSSL_CAPABILITY_TLS_GROUP_ALG,
                            &ginf->algorithm))
        goto err;

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS);
    if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }

    /* IS_KEM is optional and defaults to 0. */
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM);
    if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    ginf->is_kem = 1 & is_kem;

    if (!group_param_int(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS,
                         &ginf->mintls)
        || !group_param_int(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS,
                            &ginf->maxtls)
        || !group_param_int(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS,
                            &ginf->mindtls)
        || !group_param_int(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS,
                            &ginf->maxdtls))
        goto err;

    /*
     * Now check that the algorithm is actually usable for our property query
     * string. Regardless of the result we still return success because we have
     * successfully processed this group, even though we may decide not to use
     * it.
     */
    ret = 1;
    ERR_set_mark();
    keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq);
    if (keymgmt != NULL) {
        /* We have successfully fetched the algorithm, we can use the group. */
        ctx->group_list_len++;
        ginf = NULL;
        EVP_KEYMGMT_free(keymgmt);
    }
    ERR_pop_to_mark();
 err:
    if (ginf != NULL) {
        /* Entry not committed: release its strings so the slot is reusable. */
        OPENSSL_free(ginf->tlsname);
        OPENSSL_free(ginf->realname);
        OPENSSL_free(ginf->algorithm);
        ginf->algorithm = ginf->tlsname = ginf->realname = NULL;
    }
    return ret;
}

/*
 * OSSL_PROVIDER_do_all() callback: ask |provider| for its "TLS-GROUP"
 * capabilities and feed each one to add_provider_groups().
 */
static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx)
{
    struct provider_ctx_data_st pgd = { vctx, provider };

    return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP",
                                          add_provider_groups, &pgd);
}

/*
 * Collect the TLS groups of every loaded provider into |ctx| and then
 * install TLS_DEFAULT_GROUP_LIST as the context's group list.
 * Returns 1 on success, 0 on failure.
 */
int ssl_load_groups(SSL_CTX *ctx)
{
    int discovered = OSSL_PROVIDER_do_all(ctx->libctx,
                                          discover_provider_groups, ctx);

    if (!discovered)
        return 0;

    return SSL_CTX_set1_groups_list(ctx, TLS_DEFAULT_GROUP_LIST);
}

/*
 * Name to fetch a key manager for |sinf| by: the explicit keytype when the
 * provider gave one, else the signature name, else the sigalg name.
 */
static const char *inferred_keytype(const TLS_SIGALG_INFO *sinf)
{
    return (sinf->keytype != NULL
            ?
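sinf->keytype
            : (sinf->sig_name != NULL
               ? sinf->sig_name
               : sinf->sigalg_name));
}

/* ctx->sigalg_list grows in chunks of this many entries. */
#define TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE 10

/*
 * Extend ctx->sigalg_list by TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE zeroed entries.
 * Returns 1 on success, 0 on allocation failure (the old list is kept).
 */
static int sigalg_list_grow(SSL_CTX *ctx)
{
    size_t oldmax = ctx->sigalg_list_max_len;
    TLS_SIGALG_INFO *tmp;

    if (oldmax == 0)
        tmp = OPENSSL_malloc(sizeof(TLS_SIGALG_INFO)
                             * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE);
    else
        tmp = OPENSSL_realloc(ctx->sigalg_list,
                              (oldmax + TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE)
                              * sizeof(TLS_SIGALG_INFO));
    if (tmp == NULL)
        return 0;

    ctx->sigalg_list = tmp;
    /* Fresh slots must start zeroed: the cleanup path frees their strings. */
    memset(tmp + oldmax, 0,
           sizeof(TLS_SIGALG_INFO) * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE);
    ctx->sigalg_list_max_len = oldmax + TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE;
    return 1;
}

/*
 * Fetch the UTF8 string parameter |key| of |params| into |*out|, replacing
 * any previous value.  A missing parameter is an error when |required| is
 * non-zero and otherwise leaves |*out| NULL; a present parameter of the
 * wrong type is always an error.  Returns 1 on success, 0 on failure.  An
 * error is raised for missing/mistyped parameters; a failed copy is
 * reported by OPENSSL_strdup() itself.
 */
static int sigalg_get_utf8_param(const OSSL_PARAM params[], const char *key,
                                 int required, char **out)
{
    const OSSL_PARAM *p = OSSL_PARAM_locate_const(params, key);

    OPENSSL_free(*out);
    *out = NULL;
    if (p == NULL) {
        if (!required)
            return 1;
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        return 0;
    }
    if (p->data_type != OSSL_PARAM_UTF8_STRING) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        return 0;
    }
    *out = OPENSSL_strdup(p->data);
    return *out != NULL;
}

/*
 * Fetch the int parameter |key| of |params| into |*out|.  A missing
 * parameter is an error only when |required| is non-zero; otherwise |*out|
 * is left untouched.  Returns 1 on success, 0 with an error raised.
 */
static int sigalg_get_int_param(const OSSL_PARAM params[], const char *key,
                                int required, int *out)
{
    const OSSL_PARAM *p = OSSL_PARAM_locate_const(params, key);

    if (p == NULL) {
        if (!required)
            return 1;
    } else if (OSSL_PARAM_get_int(p, out)) {
        return 1;
    }
    ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
    return 0;
}

/* Release and clear every string owned by |sinf| so the slot is reusable. */
static void sigalg_info_clear_strings(TLS_SIGALG_INFO *sinf)
{
    char **fields[] = {
        &sinf->name, &sinf->sigalg_name, &sinf->sigalg_oid, &sinf->sig_name,
        &sinf->sig_oid, &sinf->hash_name, &sinf->hash_oid, &sinf->keytype,
        &sinf->keytype_oid
    };
    size_t i;

    for (i = 0; i < OSSL_NELEM(fields); i++) {
        OPENSSL_free(*fields[i]);
        *fields[i] = NULL;
    }
}

static OSSL_CALLBACK add_provider_sigalgs;
/*
 * OSSL_PROVIDER_get_capabilities() callback: append the "TLS-SIGALG"
 * capability described by |params| to the sigalg list of the SSL_CTX held
 * in |data|.
 *
 * Mandatory parameters are the sigalg name, IANA name, code point (must fit
 * in 16 bits), security bits and the TLS version range; the OIDs, component
 * names, key type and DTLS range are optional.  A mistyped optional
 * parameter is rejected with an error raised, exactly like a mistyped
 * mandatory one.  Provider sigalgs are never usable with DTLS, and the TLS
 * range is discarded unless it covers TLS 1.3; a sigalg with no usable
 * range is silently dropped with a success return.
 *
 * The entry is committed only when a key manager for its key type can be
 * fetched under the context's property query AND that key manager belongs
 * to the provider being queried, and its objects were registered
 * successfully.  Returns 1 once the parameters have been processed (even
 * when the sigalg is dropped), 0 on allocation failure or malformed input.
 */
static int add_provider_sigalgs(const OSSL_PARAM params[], void *data)
{
    struct provider_ctx_data_st *pgd = data;
    SSL_CTX *ctx = pgd->ctx;
    OSSL_PROVIDER *provider = pgd->provider;
    const OSSL_PARAM *p;
    TLS_SIGALG_INFO *sinf = NULL;
    EVP_KEYMGMT *keymgmt;
    const char *keytype;
    unsigned int code_point = 0;
    int ret = 0;

    /* Grow only when every allocated slot is in use. */
    if (ctx->sigalg_list_max_len == ctx->sigalg_list_len
        && !sigalg_list_grow(ctx))
        return 0;

    sinf = &ctx->sigalg_list[ctx->sigalg_list_len];

    /* First, mandatory parameters */
    if (!sigalg_get_utf8_param(params, OSSL_CAPABILITY_TLS_SIGALG_NAME, 1,
                               &sinf->sigalg_name)
        || !sigalg_get_utf8_param(params, OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME,
                                  1, &sinf->name))
        goto err;

    p = OSSL_PARAM_locate_const(params,
                                OSSL_CAPABILITY_TLS_SIGALG_CODE_POINT);
    if (p == NULL
        || !OSSL_PARAM_get_uint(p, &code_point)
        || code_point > UINT16_MAX) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    sinf->code_point = (uint16_t)code_point;

    p = OSSL_PARAM_locate_const(params,
                                OSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS);
    if (p == NULL || !OSSL_PARAM_get_uint(p, &sinf->secbits)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }

    /* Now, optional parameters */
    if (!sigalg_get_utf8_param(params, OSSL_CAPABILITY_TLS_SIGALG_OID, 0,
                               &sinf->sigalg_oid)
        || !sigalg_get_utf8_param(params, OSSL_CAPABILITY_TLS_SIGALG_SIG_NAME,
                                  0, &sinf->sig_name)
        || !sigalg_get_utf8_param(params, OSSL_CAPABILITY_TLS_SIGALG_SIG_OID,
                                  0, &sinf->sig_oid)
        || !sigalg_get_utf8_param(params, OSSL_CAPABILITY_TLS_SIGALG_HASH_NAME,
                                  0, &sinf->hash_name)
        || !sigalg_get_utf8_param(params, OSSL_CAPABILITY_TLS_SIGALG_HASH_OID,
                                  0, &sinf->hash_oid)
        || !sigalg_get_utf8_param(params, OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE,
                                  0, &sinf->keytype)
        || !sigalg_get_utf8_param(params,
                                  OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID,
                                  0, &sinf->keytype_oid))
        goto err;

    /* Optional, not documented prior to 3.5 */
    sinf->mindtls = sinf->maxdtls = -1;
    if (!sigalg_get_int_param(params, OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS, 0,
                              &sinf->mindtls)
        || !sigalg_get_int_param(params, OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS,
                                 0, &sinf->maxdtls))
        goto err;
    /* DTLS version numbers grow downward */
    if (sinf->maxdtls != 0 && sinf->maxdtls != -1
        && sinf->maxdtls > sinf->mindtls) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    /* No provider sigalgs are supported in DTLS, reset after checking. */
    sinf->mindtls = sinf->maxdtls = -1;

    /* The remaining parameters below are mandatory again */
    if (!sigalg_get_int_param(params, OSSL_CAPABILITY_TLS_SIGALG_MIN_TLS, 1,
                              &sinf->mintls)
        || !sigalg_get_int_param(params, OSSL_CAPABILITY_TLS_SIGALG_MAX_TLS,
                                 1, &sinf->maxtls))
        goto err;
    if (sinf->maxtls != 0 && sinf->maxtls != -1
        && sinf->maxtls < sinf->mintls) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    /* A range that does not include TLS 1.3 is unusable for provider sigalgs. */
    if (sinf->mintls != 0 && sinf->mintls != -1
        && sinf->mintls > TLS1_3_VERSION)
        sinf->mintls = sinf->maxtls = -1;
    if (sinf->maxtls != 0 && sinf->maxtls != -1
        && sinf->maxtls < TLS1_3_VERSION)
        sinf->mintls = sinf->maxtls = -1;

    /* Ignore unusable sigalgs */
    if (sinf->mintls == -1 && sinf->mindtls == -1) {
        ret = 1;
        goto err;
    }

    /*
     * Now check that the algorithm is actually usable for our property query
     * string. Regardless of the result we still return success because we have
     * successfully processed this signature, even though we may decide not to
     * use it.
     */
    ret = 1;
    ERR_set_mark();
    keytype = inferred_keytype(sinf);
    keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, keytype, ctx->propq);
    if (keymgmt != NULL) {
        /*
         * We have successfully fetched the algorithm - however if the provider
         * doesn't match this one then we ignore it.
         *
         * Note: We're cheating a little here. Technically if the same algorithm
         * is available from more than one provider then it is undefined which
         * implementation you will get back. Theoretically this could be
         * different every time...we assume here that you'll always get the
         * same one back if you repeat the exact same fetch. Is this a reasonable
         * assumption to make (in which case perhaps we should document this
         * behaviour)?
         */
        if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
            /*
             * We have a match - so we could use this signature;
             * Check proper object registration first, though.
             * Don't care about return value as this may have been
             * done within providers or previous calls to
             * add_provider_sigalgs.
             */
            OBJ_create(sinf->sigalg_oid, sinf->sigalg_name, NULL);
            /* sanity check: Without successful registration don't use alg */
            if (OBJ_txt2nid(sinf->sigalg_name) == NID_undef
                || OBJ_nid2obj(OBJ_txt2nid(sinf->sigalg_name)) == NULL) {
                ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
                /*
                 * Bail out without leaking the fetched key manager or the
                 * error mark.  ERR_clear_last_mark() rather than
                 * ERR_pop_to_mark() so the raised error stays on the queue.
                 */
                EVP_KEYMGMT_free(keymgmt);
                ERR_clear_last_mark();
                goto err;
            }
            if (sinf->sig_name != NULL)
                OBJ_create(sinf->sig_oid, sinf->sig_name, NULL);
            if (sinf->keytype != NULL)
                OBJ_create(sinf->keytype_oid, sinf->keytype, NULL);
            if (sinf->hash_name != NULL)
                OBJ_create(sinf->hash_oid, sinf->hash_name, NULL);
            OBJ_add_sigid(OBJ_txt2nid(sinf->sigalg_name),
                          (sinf->hash_name != NULL
                           ? OBJ_txt2nid(sinf->hash_name)
                           : NID_undef),
                          OBJ_txt2nid(keytype));
            ctx->sigalg_list_len++;
            sinf = NULL;
        }
        EVP_KEYMGMT_free(keymgmt);
    }
    ERR_pop_to_mark();
 err:
    /* Entry not committed: release its strings so the slot is reusable. */
    if (sinf != NULL)
        sigalg_info_clear_strings(sinf);
    return ret;
}

/*
 * OSSL_PROVIDER_do_all() callback: ask |provider| for its "TLS-SIGALG"
 * capabilities and feed each one to add_provider_sigalgs().
 */
static int discover_provider_sigalgs(OSSL_PROVIDER *provider, void *vctx)
{
    struct provider_ctx_data_st pgd;

    pgd.ctx = vctx;
    pgd.provider = provider;
    OSSL_PROVIDER_get_capabilities(provider, "TLS-SIGALG",
                                   add_provider_sigalgs, &pgd);
    /*
     * Always OK, even if provider doesn't support the capability:
     * Reconsider testing retval when legacy sigalgs are also loaded this way.
     */
    return 1;
}

/*
 * Collect the TLS sigalgs of every loaded provider into |ctx| and build
 * ctx->ssl_cert_info with one entry per collected sigalg (its pkey NID is
 * resolved from the inferred key type; amask is SSL_aANY).
 * Returns 1 on success, 0 on failure.
 */
int ssl_load_sigalgs(SSL_CTX *ctx)
{
    size_t i;

    if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_sigalgs, ctx))
        return 0;

    /* now populate ctx->ssl_cert_info */
    if (ctx->sigalg_list_len > 0) {
        OPENSSL_free(ctx->ssl_cert_info);
        ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(*ctx->ssl_cert_info)
                                            * ctx->sigalg_list_len);
        if (ctx->ssl_cert_info == NULL)
            return 0;
        for (i = 0; i < ctx->sigalg_list_len; i++) {
            const char *keytype = inferred_keytype(&ctx->sigalg_list[i]);

            ctx->ssl_cert_info[i].pkey_nid = OBJ_txt2nid(keytype);
            ctx->ssl_cert_info[i].amask = SSL_aANY;
        }
    }

    /*
     * For now, leave it at this: legacy sigalgs stay in their own
     * data structures until "legacy cleanup" occurs.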
*/

    return 1;
}

/*
 * Resolve a group name to its group id by scanning ctx->group_list.  Both the
 * tlsname and the realname of each entry are compared without regard to case;
 * the first entry that matches wins.  Returns 0 when no entry matches.
 */
static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name)
{
    size_t idx = 0;

    while (idx < ctx->group_list_len) {
        const TLS_GROUP_INFO *ginfo = &ctx->group_list[idx];

        if (OPENSSL_strcasecmp(ginfo->tlsname, name) == 0)
            return ginfo->group_id;
        if (OPENSSL_strcasecmp(ginfo->realname, name) == 0)
            return ginfo->group_id;
        idx++;
    }

    return 0;
}

/*
 * Find the entry of ctx->group_list carrying |group_id|.
 * Returns a pointer into ctx->group_list, or NULL if the id is unknown to ctx.
 */
const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id)
{
    size_t idx;

    for (idx = 0; idx < ctx->group_list_len; idx++) {
        const TLS_GROUP_INFO *candidate = &ctx->group_list[idx];

        if (candidate->group_id == group_id)
            return candidate;
    }

    return NULL;
}

/*
 * Return the TLS name (tlsname) of |group_id| as known to ctx, or NULL when
 * the group id is not in ctx->group_list.
 */
const char *tls1_group_id2name(SSL_CTX *ctx, uint16_t group_id)
{
    const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(ctx, group_id);

    return ginfo == NULL ? NULL : ginfo->tlsname;
}

/*
 * Map a group id to a NID using the static nid_to_group table (well known
 * groups only, kept for backwards compatibility).  A group id of 0 or an id
 * absent from the table yields NID_undef, unless include_unknown is non-zero,
 * in which case an absent id is returned as TLSEXT_nid_unknown | group_id.
 */
int tls1_group_id2nid(uint16_t group_id, int include_unknown)
{
    size_t idx;

    if (group_id == 0)
        return NID_undef;

    for (idx = 0; idx < OSSL_NELEM(nid_to_group); idx++)
        if (nid_to_group[idx].group_id == group_id)
            return nid_to_group[idx].nid;

    /* Not a well known group */
    return include_unknown ? (TLSEXT_nid_unknown | (int)group_id) : NID_undef;
}

/*
 * Reverse of tls1_group_id2nid for well known groups: map a NID to its group
 * id via nid_to_group.  Returns 0 when the NID is not in the table.
 */
uint16_t tls1_nid2group_id(int nid)
{
    size_t idx;

    for (idx = 0; idx < OSSL_NELEM(nid_to_group); idx++)
        if (nid_to_group[idx].nid == nid)
            return nid_to_group[idx].group_id;

    return 0;
}

/*
 * Set *pgroups to the supported groups list and *pgroupslen to
 * the number of groups supported.
*/
void tls1_get_supported_groups(SSL_CONNECTION *s, const uint16_t **pgroups,
                               size_t *pgroupslen)
{
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /* For Suite B mode only include P-256, P-384 */
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        /* Both entries of the static suiteb_curves table */
        *pgroups = suiteb_curves;
        *pgroupslen = OSSL_NELEM(suiteb_curves);
        break;

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        /* First entry only */
        *pgroups = suiteb_curves;
        *pgroupslen = 1;
        break;

    case SSL_CERT_FLAG_SUITEB_192_LOS:
        /* Second entry only */
        *pgroups = suiteb_curves + 1;
        *pgroupslen = 1;
        break;

    default:
        /* A connection-level list, when set, overrides the SSL_CTX list */
        if (s->ext.supportedgroups == NULL) {
            *pgroups = sctx->ext.supportedgroups;
            *pgroupslen = sctx->ext.supportedgroups_len;
        } else {
            *pgroups = s->ext.supportedgroups;
            *pgroupslen = s->ext.supportedgroups_len;
        }
        break;
    }
}

/*
 * Some comments for the function below:
 * s->ext.supportedgroups == NULL means legacy syntax (no [*,/,-]) from built-in group array.
 * In this case, we need to send exactly one key share, which MUST be the first (leftmost)
 * eligible group from the legacy list. Therefore, we provide the entire list of supported
 * groups in this case.
 *
 * A 'flag' to indicate legacy syntax is created by setting the number of key shares to 1,
 * but the groupID to 0.
 * The 'flag' is checked right at the beginning in tls_construct_ctos_key_share and either
 * the "list of requested key share groups" is used, or the "list of supported groups" in
 * combination with setting add_only_one = 1 is applied.
 */
void tls1_get_requested_keyshare_groups(SSL_CONNECTION *s, const uint16_t **pgroups,
                                        size_t *pgroupslen)
{
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    if (s->ext.supportedgroups == NULL) {
        /* Legacy syntax: hand out the SSL_CTX supported groups list, see above */
        *pgroups = sctx->ext.supportedgroups;
        *pgroupslen = sctx->ext.supportedgroups_len;
    } else {
        *pgroups = s->ext.keyshares;
        *pgroupslen = s->ext.keyshares_len;
    }
}

/*
 * Set *ptuples/*ptupleslen to the group tuple structure (number of groups per
 * tuple) in effect: the connection's own tuples when a connection-level group
 * list is set, otherwise the SSL_CTX tuples.
 */
void tls1_get_group_tuples(SSL_CONNECTION *s, const size_t **ptuples,
                           size_t *ptupleslen)
{
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    if (s->ext.supportedgroups == NULL) {
        *ptuples = sctx->ext.tuples;
        *ptupleslen = sctx->ext.tuples_len;
    } else {
        *ptuples = s->ext.tuples;
        *ptupleslen = s->ext.tuples_len;
    }
}

/*
 * Check whether |group_id| is known to the connection's SSL_CTX and usable
 * for the protocol version range [minversion, maxversion].
 * A group's own (D)TLS bounds (mintls/maxtls or mindtls/maxdtls) of 0 mean
 * "no bound"; a negative bound means the group is not usable for this
 * protocol at all.
 * If |isec| is non-zero the group must additionally be an EC, X25519 or X448
 * group.
 * If |okfortls13| is non-NULL it is reset to 0 and, for TLS (not DTLS) with
 * maxversion == TLS1_3_VERSION and a valid group, set to whether the group
 * may be used in TLS 1.3.
 * Returns 1 if the group is valid, 0 otherwise.
 */
int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id,
                    int minversion, int maxversion,
                    int isec, int *okfortls13)
{
    const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
                                                       group_id);
    int ret;
    int group_minversion, group_maxversion;

    if (okfortls13 != NULL)
        *okfortls13 = 0;

    if (ginfo == NULL)
        return 0;

    group_minversion = SSL_CONNECTION_IS_DTLS(s) ? ginfo->mindtls : ginfo->mintls;
    group_maxversion = SSL_CONNECTION_IS_DTLS(s) ? ginfo->maxdtls : ginfo->maxtls;

    if (group_minversion < 0 || group_maxversion < 0)
        return 0;
    /* The requested range must overlap the group's range */
    if (group_maxversion == 0)
        ret = 1;
    else
        ret = (ssl_version_cmp(s, minversion, group_maxversion) <= 0);
    if (group_minversion > 0)
        ret &= (ssl_version_cmp(s, maxversion, group_minversion) >= 0);

    if (!SSL_CONNECTION_IS_DTLS(s)) {
        if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION)
            *okfortls13 = (group_maxversion == 0)
                || (group_maxversion >= TLS1_3_VERSION);
    }
    /* EC-only callers accept just the EC, X25519 and X448 algorithm families */
    ret &= !isec
        || strcmp(ginfo->algorithm, "EC") == 0
        || strcmp(ginfo->algorithm, "X25519") == 0
        || strcmp(ginfo->algorithm, "X448") == 0;

    return ret;
}

/*
 * See if group is allowed by security callback.
 * The group's security bits and its well known NID (NID_undef for groups
 * not in nid_to_group) are passed to ssl_security() for operation |op|,
 * together with the group id as two big-endian bytes in the "other" argument.
 * Returns 0 for a group unknown to the SSL_CTX, otherwise the callback result.
 */
int tls_group_allowed(SSL_CONNECTION *s, uint16_t group, int op)
{
    const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
                                                       group);
    unsigned char gtmp[2];

    if (ginfo == NULL)
        return 0;

    gtmp[0] = group >> 8;
    gtmp[1] = group & 0xff;
    return ssl_security(s, op, ginfo->secbits,
                        tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp);
}

/* Return 1 if "id" is in "list" */
static int
tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
{
    size_t i;
    for (i = 0; i < listlen; i++)
        if (list[i] == id)
            return 1;
    return 0;
}

/*
 * A group together with its original position in the input array; the
 * position is the tie-breaker when sorting by group id below.
 */
typedef struct {
    TLS_GROUP_INFO *grp;
    size_t ix;
} TLS_GROUP_IX;

DEFINE_STACK_OF(TLS_GROUP_IX)

/* Stack free callback: the TLS_GROUP_IX wrapper is owned, the group info is not */
static void free_wrapper(TLS_GROUP_IX *a)
{
    OPENSSL_free(a);
}

/*
 * Stack comparison callback: ascending group id, then ascending original
 * index.  The three-way result is formed from boolean comparisons so no
 * subtraction of the ids themselves is needed, and the index tie-break makes
 * the order independent of the sort algorithm's stability.
 */
static int tls_group_ix_cmp(const TLS_GROUP_IX *const *a,
                            const TLS_GROUP_IX *const *b)
{
    int idcmpab = (*a)->grp->group_id < (*b)->grp->group_id;
    int idcmpba = (*b)->grp->group_id < (*a)->grp->group_id;
    int ixcmpab = (*a)->ix < (*b)->ix;
    int ixcmpba = (*b)->ix < (*a)->ix;

    /* Ascending by group id */
    if (idcmpab != idcmpba)
        return (idcmpba - idcmpab);
    /* Ascending by original appearance index */
    return ixcmpba - ixcmpab;
}

/*
 * Append to |out| the TLS names of the groups in grps[0..num) that fit the
 * protocol range [min_proto_version, max_proto_version] (a bound of 0 on
 * either side means "unbounded"), ordered by group id.  Unless |all| is
 * non-zero, only the first entry for each group id is reported, so a group
 * implemented by several providers appears once.
 * The pushed strings are borrowed from |grps| (get0 semantics).
 * Returns 1 on success, 0 for NULL arguments or on allocation failure.
 * NOTE(review): only mintls/maxtls are consulted here, not the DTLS bounds
 * -- confirm that is intended for callers listing DTLS groups.
 */
int tls1_get0_implemented_groups(int min_proto_version, int max_proto_version,
                                 TLS_GROUP_INFO *grps, size_t num, long all,
                                 STACK_OF(OPENSSL_CSTRING) *out)
{
    STACK_OF(TLS_GROUP_IX) *collect = NULL;
    TLS_GROUP_IX *gix;
    uint16_t id = 0;
    int ret = 0;
    size_t ix;

    if (grps == NULL || out == NULL)
        return 0;
    if ((collect = sk_TLS_GROUP_IX_new(tls_group_ix_cmp)) == NULL)
        return 0;
    for (ix = 0; ix < num; ++ix, ++grps) {
        /* Skip groups whose TLS range does not overlap the requested range */
        if (grps->mintls > 0 && max_proto_version > 0
            && grps->mintls > max_proto_version)
            continue;
        if (grps->maxtls > 0 && min_proto_version > 0
            && grps->maxtls < min_proto_version)
            continue;

        if ((gix = OPENSSL_malloc(sizeof(*gix))) == NULL)
            goto end;
        gix->grp = grps;
        gix->ix = ix;
        if (sk_TLS_GROUP_IX_push(collect, gix) <= 0) {
            OPENSSL_free(gix);
            goto end;
        }
    }

    sk_TLS_GROUP_IX_sort(collect);
    /* |num| is reused for the number of collected entries */
    num = sk_TLS_GROUP_IX_num(collect);
    for (ix = 0; ix < num; ++ix) {
        gix = sk_TLS_GROUP_IX_value(collect, ix);
        /* Sorted by id, so duplicates are adjacent: keep the first only */
        if (!all && gix->grp->group_id == id)
            continue;
        id = gix->grp->group_id;
        if (sk_OPENSSL_CSTRING_push(out, gix->grp->tlsname) <= 0)
            goto end;
    }
    ret = 1;

 end:
    sk_TLS_GROUP_IX_pop_free(collect, free_wrapper);
    return ret;
}

/*-
 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
 * if there is no match.
 * For nmatch == -1, return number of matches
 * For nmatch == -2, return the id of the group to use for
 * a tmp key, or 0 if there is no match.
*/
uint16_t tls1_shared_group(SSL_CONNECTION *s, int nmatch)
{
    const uint16_t *pref, *supp;
    size_t num_pref, num_supp, i;
    int k;
    SSL_CTX *ctx = SSL_CONNECTION_GET_CTX(s);

    /* Can't do anything on client side */
    if (s->server == 0)
        return 0;
    if (nmatch == -2) {
        if (tls1_suiteb(s)) {
            /*
             * For Suite B ciphersuite determines curve: we already know
             * these are acceptable due to previous checks.
             */
            unsigned long cid = s->s3.tmp.new_cipher->id;

            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
                return OSSL_TLS_GROUP_ID_secp256r1;
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
                return OSSL_TLS_GROUP_ID_secp384r1;
            /* Should never happen */
            return 0;
        }
        /* If not Suite B just return first preference shared curve */
        nmatch = 0;
    }
    /*
     * If server preference set, our groups are the preference order
     * otherwise peer decides.
     */
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
        tls1_get_supported_groups(s, &pref, &num_pref);
        tls1_get_peer_groups(s, &supp, &num_supp);
    } else {
        tls1_get_peer_groups(s, &pref, &num_pref);
        tls1_get_supported_groups(s, &supp, &num_supp);
    }

    /*
     * Walk the preference list; |k| counts the groups that are in both lists,
     * pass the security callback and are usable at the negotiated version.
     */
    for (k = 0, i = 0; i < num_pref; i++) {
        uint16_t id = pref[i];
        const TLS_GROUP_INFO *inf;
        int minversion, maxversion;

        /* Must be offered by both sides and allowed by the security level/callback */
        if (!tls1_in_list(id, supp, num_supp)
            || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED))
            continue;
        inf = tls1_group_id_lookup(ctx, id);
        if (!ossl_assert(inf != NULL))
            return 0;

        minversion = SSL_CONNECTION_IS_DTLS(s)
            ? inf->mindtls
            : inf->mintls;
        maxversion = SSL_CONNECTION_IS_DTLS(s)
            ? inf->maxdtls
            : inf->maxtls;
        /* -1: group not usable for this protocol; 0: no bound */
        if (maxversion == -1)
            continue;
        if ((minversion != 0 && ssl_version_cmp(s, s->version, minversion) < 0)
            || (maxversion != 0
                && ssl_version_cmp(s, s->version, maxversion) > 0))
            continue;

        /* nmatch < 0 never matches k, so counting continues to the end */
        if (nmatch == k)
            return id;
        k++;
    }
    if (nmatch == -1)
        return k;
    /* Out of range (nmatch > k).
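*/
    return 0;
}

/*
 * Build the three group-related lists from an array of group NIDs:
 *   *grpext/*grpextlen   the group ids, in the order given
 *   *ksext/*ksextlen     a single key share entry holding id 0 (see below)
 *   *tplext/*tplextlen   a single tuple covering all |ngroups| groups
 * Previous contents of the three output pointers are freed on success; on
 * failure the outputs are left untouched and 0 is returned.
 * Returns 0 (raising SSL_R_BAD_LENGTH) for ngroups == 0, on allocation
 * failure, and for a NID that maps to no group id, a duplicate group id, or a
 * group id whose low byte does not fit the duplicate bitmap (the latter three
 * cases raise no error code).  Returns 1 on success.
 */
int tls1_set_groups(uint16_t **grpext, size_t *grpextlen,
                    uint16_t **ksext, size_t *ksextlen,
                    size_t **tplext, size_t *tplextlen,
                    int *groups, size_t ngroups)
{
    uint16_t *glist = NULL, *kslist = NULL;
    size_t *tpllist = NULL;
    size_t i;
    /*
     * Bitmap of groups included to detect duplicates: two variables are added
     * to detect duplicates as some values are more than 32.
     */
    unsigned long *dup_list = NULL;
    unsigned long dup_list_egrp = 0;
    unsigned long dup_list_dhgrp = 0;

    if (ngroups == 0) {
        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
        return 0;
    }
    if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL)
        goto err;
    if ((kslist = OPENSSL_malloc(1 * sizeof(*kslist))) == NULL)
        goto err;
    if ((tpllist = OPENSSL_malloc(1 * sizeof(*tpllist))) == NULL)
        goto err;
    for (i = 0; i < ngroups; i++) {
        unsigned long idmask;
        uint16_t id;

        id = tls1_nid2group_id(groups[i]);
        /* Only the low byte of the id selects a bit; it must fit the bitmap */
        if ((id & 0x00FF) >= (sizeof(unsigned long) * 8))
            goto err;
        /*
         * Shift an unsigned one: with a signed 1L the shift into the sign bit
         * (bit position width-1, which the check above still allows) is
         * undefined behaviour in C.
         */
        idmask = 1UL << (id & 0x00FF);
        /* ids below 0x100 (EC style) and above (DH style) use separate bitmaps */
        dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp;
        /* Unknown NID (id 0) or duplicate group: reject, no error code is raised */
        if (!id || ((*dup_list) & idmask))
            goto err;
        *dup_list |= idmask;
        glist[i] = id;
    }
    OPENSSL_free(*grpext);
    OPENSSL_free(*ksext);
    OPENSSL_free(*tplext);
    *grpext = glist;
    *grpextlen = ngroups;
    /*
     * No * prefix was used, let tls_construct_ctos_key_share choose a key
     * share. This has the advantage that it will filter unsupported groups
     * before choosing one, which this function does not do. See also the
     * comment for tls1_get_requested_keyshare_groups.
     */
    kslist[0] = 0;
    *ksext = kslist;
    *ksextlen = 1;
    /* One tuple holding every group */
    tpllist[0] = ngroups;
    *tplext = tpllist;
    *tplextlen = 1;
    return 1;
 err:
    OPENSSL_free(glist);
    OPENSSL_free(kslist);
    OPENSSL_free(tpllist);
    return 0;
}

/*
 * Definition of DEFAULT[_XYZ] pseudo group names.
 * A pseudo group name is actually a full list of groups, including prefixes
 * and or tuple delimiters. It can be hierarchically defined (for potential future use).
 * IMPORTANT REMARK: For ease of use, in the built-in lists of groups, unknown groups or
 * groups not backed by a provider will always silently be ignored, even without '?'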
prefix
 */
typedef struct {
    const char *list_name;    /* The name of this pseudo group */
    const char *group_string; /* The group string of this pseudo group */
} default_group_string_st;    /* (can include '?', '*', '-', '/' as needed) */

/* Built-in pseudo group-names must start with a (D or d); compared case-insensitively by gid_cb */
static const char *DEFAULT_GROUPNAME_FIRST_CHARACTER = "D";

/* The list of all built-in pseudo-group-name structures */
static const default_group_string_st default_group_strings[] = {
    { DEFAULT_GROUP_NAME, TLS_DEFAULT_GROUP_LIST },
    { SUITE_B_GROUP_NAME, SUITE_B_GROUP_LIST }
};

/*
 * Some GOST names are not resolved by tls1_group_name2id,
 * hence we'll check for those manually
 */
typedef struct {
    const char *group_name;
    uint16_t groupID;
} name2id_st;
static const name2id_st name2id_arr[] = {
    { "GC256A", OSSL_TLS_GROUP_ID_gc256A },
    { "GC256B", OSSL_TLS_GROUP_ID_gc256B },
    { "GC256C", OSSL_TLS_GROUP_ID_gc256C },
    { "GC256D", OSSL_TLS_GROUP_ID_gc256D },
    { "GC512A", OSSL_TLS_GROUP_ID_gc512A },
    { "GC512B", OSSL_TLS_GROUP_ID_gc512B },
    { "GC512C", OSSL_TLS_GROUP_ID_gc512C },
};

/*
 * Group list management:
 * We establish three lists along with their related size counters:
 * 1) List of (unique) groups
 * 2) List of number of groups per group-priority-tuple
 * 3) List of (unique) key share groups
 */
#define GROUPLIST_INCREMENT 32      /* Memory allocation chunk size (64 Bytes chunks ~= cache line) */
/* Max length of a group name: gid_cb rejects longer names as a syntax error */
#define GROUP_NAME_BUFFER_LENGTH 64

/*
 * Preparation of the prefix used to indicate the desire to send a key share,
 * the characters used as separators between groups or tuples of groups, the
 * character to indicate that an unknown group should be ignored, and the
 * character to indicate that a group should be deleted from a list
 */
#ifndef TUPLE_DELIMITER_CHARACTER
/* The character separating tuples of groups */
#define TUPLE_DELIMITER_CHARACTER '/'
#endif
#ifndef GROUP_DELIMITER_CHARACTER
/* The character separating groups inside a tuple */
#define GROUP_DELIMITER_CHARACTER ':'
#endif
#ifndef IGNORE_UNKNOWN_GROUP_CHARACTER
/* The prefix character to ignore unknown groups */
#define IGNORE_UNKNOWN_GROUP_CHARACTER '?'
#endif
#ifndef KEY_SHARE_INDICATOR_CHARACTER
/* The prefix character to trigger a key share addition */
#define KEY_SHARE_INDICATOR_CHARACTER '*'
#endif
#ifndef REMOVE_GROUP_INDICATOR_CHARACTER
/* The prefix character to trigger removal of a group (and its key share) from the list */
#define REMOVE_GROUP_INDICATOR_CHARACTER '-'
#endif
/* All special characters, NUL-terminated so gid_cb can probe it with strchr() */
static const char prefixes[] = { TUPLE_DELIMITER_CHARACTER,
                                 GROUP_DELIMITER_CHARACTER,
                                 IGNORE_UNKNOWN_GROUP_CHARACTER,
                                 KEY_SHARE_INDICATOR_CHARACTER,
                                 REMOVE_GROUP_INDICATOR_CHARACTER,
                                 '\0' };

/*
 * High-level description of how group strings are analyzed:
 * A first call back function (tuple_cb) is used to process group tuples, and a
 * second callback function (gid_cb) is used to process the groups inside a tuple.
 * Those callback functions are (indirectly) called by CONF_parse_list with
 * different separators (nominally ':' or '/'), a variable based on gid_cb_st
 * is used to keep track of the parsing results between the various calls
 */

/* Parsing state shared between tuple_cb, gid_cb and their helpers */
typedef struct {
    SSL_CTX *ctx;
    /* Variables to hold the three lists (groups, requested keyshares, tuple structure) */
    size_t gidmax;              /* The memory allocation chunk size for the group IDs */
    size_t gidcnt;              /* Number of groups */
    uint16_t *gid_arr;          /* The IDs of the supported groups (flat list) */
    size_t tplmax;              /* The memory allocation chunk size for the tuple counters */
    size_t tplcnt;              /* Number of tuples */
    size_t *tuplcnt_arr;        /* The number of groups inside a tuple */
    size_t ksidmax;             /* The memory allocation chunk size */
    size_t ksidcnt;             /* Number of key shares */
    uint16_t *ksid_arr;         /* The IDs of the key share groups (flat list) */
    /* Variable to keep state between execution of callback or helper functions */
    size_t tuple_mode;          /* Keeps track whether tuple_cb called from 'the top' or from gid_cb */
    int ignore_unknown_default; /* Flag such that unknown groups for DEFAULT[_XYZ] are ignored */
} gid_cb_st;

/* Forward declaration of tuple callback function */
static int tuple_cb(const char *tuple, int len, void *arg);

/*
 * Extract and process the individual groups (and their prefixes if present)
 * present in a tuple.
Note: The argument 'elem' is a NON-\0-terminated string 1257 1.1 christos * and must be appended by a \0 if used as \0-terminated string 1258 1.1 christos */ 1259 1.1 christos static int gid_cb(const char *elem, int len, void *arg) 1260 1.1 christos { 1261 1.1 christos gid_cb_st *garg = arg; 1262 1.1 christos size_t i, j, k; 1263 1.1 christos uint16_t gid = 0; 1264 1.1 christos int found_group = 0; 1265 1.1 christos char etmp[GROUP_NAME_BUFFER_LENGTH]; 1266 1.1 christos int retval = 1; /* We assume success */ 1267 1.1 christos char *current_prefix; 1268 1.1 christos int ignore_unknown = 0; 1269 1.1 christos int add_keyshare = 0; 1270 1.1 christos int remove_group = 0; 1271 1.1 christos size_t restored_prefix_index = 0; 1272 1.1 christos char *restored_default_group_string; 1273 1.1 christos int continue_while_loop = 1; 1274 1.1 christos 1275 1.1 christos /* Sanity checks */ 1276 1.1 christos if (garg == NULL || elem == NULL || len <= 0) { 1277 1.1 christos ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_CONFIG_VALUE); 1278 1.1 christos return 0; 1279 1.1 christos } 1280 1.1 christos 1281 1.1 christos /* Check the possible prefixes (remark: Leading and trailing spaces already cleared) */ 1282 1.1 christos while (continue_while_loop && len > 0 1283 1.1.1.2 christos && ((current_prefix = strchr(prefixes, elem[0])) != NULL 1284 1.1.1.2 christos || OPENSSL_strncasecmp(current_prefix = (char *)DEFAULT_GROUPNAME_FIRST_CHARACTER, elem, 1) == 0)) { 1285 1.1 christos 1286 1.1 christos switch (*current_prefix) { 1287 1.1 christos case TUPLE_DELIMITER_CHARACTER: 1288 1.1 christos /* tuple delimiter not allowed here -> syntax error */ 1289 1.1 christos return -1; 1290 1.1 christos break; 1291 1.1 christos case GROUP_DELIMITER_CHARACTER: 1292 1.1 christos return -1; /* Not a valid prefix for a single group name-> syntax error */ 1293 1.1 christos break; 1294 1.1 christos case KEY_SHARE_INDICATOR_CHARACTER: 1295 1.1 christos if (add_keyshare) 1296 1.1 christos return -1; /* Only single 
key share prefix allowed -> syntax error */ 1297 1.1 christos add_keyshare = 1; 1298 1.1 christos ++elem; 1299 1.1 christos --len; 1300 1.1 christos break; 1301 1.1 christos case REMOVE_GROUP_INDICATOR_CHARACTER: 1302 1.1 christos if (remove_group) 1303 1.1 christos return -1; /* Only single remove group prefix allowed -> syntax error */ 1304 1.1 christos remove_group = 1; 1305 1.1 christos ++elem; 1306 1.1 christos --len; 1307 1.1 christos break; 1308 1.1 christos case IGNORE_UNKNOWN_GROUP_CHARACTER: 1309 1.1 christos if (ignore_unknown) 1310 1.1 christos return -1; /* Only single ? allowed -> syntax error */ 1311 1.1 christos ignore_unknown = 1; 1312 1.1 christos ++elem; 1313 1.1 christos --len; 1314 1.1 christos break; 1315 1.1 christos default: 1316 1.1 christos /* 1317 1.1 christos * Check whether a DEFAULT[_XYZ] 'pseudo group' (= a built-in 1318 1.1 christos * list of groups) should be added 1319 1.1 christos */ 1320 1.1 christos for (i = 0; i < OSSL_NELEM(default_group_strings); i++) { 1321 1.1 christos if ((size_t)len == (strlen(default_group_strings[i].list_name)) 1322 1.1 christos && OPENSSL_strncasecmp(default_group_strings[i].list_name, elem, len) == 0) { 1323 1.1 christos /* 1324 1.1 christos * We're asked to insert an entire list of groups from a 1325 1.1 christos * DEFAULT[_XYZ] 'pseudo group' which we do by 1326 1.1 christos * recursively calling this function (indirectly via 1327 1.1 christos * CONF_parse_list and tuple_cb); essentially, we treat a DEFAULT 1328 1.1 christos * group string like a tuple which is appended to the current tuple 1329 1.1 christos * rather then starting a new tuple. Variable tuple_mode is the flag which 1330 1.1 christos * controls append tuple vs start new tuple. 
1331 1.1 christos */ 1332 1.1 christos 1333 1.1 christos if (ignore_unknown || remove_group) 1334 1.1 christos return -1; /* removal or ignore not allowed here -> syntax error */ 1335 1.1 christos 1336 1.1 christos /* 1337 1.1 christos * First, we restore any keyshare prefix in a new zero-terminated string 1338 1.1 christos * (if not already present) 1339 1.1 christos */ 1340 1.1.1.2 christos restored_default_group_string = OPENSSL_malloc((1 /* max prefix length */ + strlen(default_group_strings[i].group_string) + 1 /* \0 */) * sizeof(char)); 1341 1.1 christos if (restored_default_group_string == NULL) 1342 1.1 christos return 0; 1343 1.1 christos if (add_keyshare 1344 1.1 christos /* Remark: we tolerate a duplicated keyshare indicator here */ 1345 1.1 christos && default_group_strings[i].group_string[0] 1346 1.1.1.2 christos != KEY_SHARE_INDICATOR_CHARACTER) 1347 1.1.1.2 christos restored_default_group_string[restored_prefix_index++] = KEY_SHARE_INDICATOR_CHARACTER; 1348 1.1 christos 1349 1.1 christos memcpy(restored_default_group_string + restored_prefix_index, 1350 1.1.1.2 christos default_group_strings[i].group_string, 1351 1.1.1.2 christos strlen(default_group_strings[i].group_string)); 1352 1.1.1.2 christos restored_default_group_string[strlen(default_group_strings[i].group_string) + restored_prefix_index] = '\0'; 1353 1.1 christos /* We execute the recursive call */ 1354 1.1 christos garg->ignore_unknown_default = 1; /* We ignore unknown groups for DEFAULT_XYZ */ 1355 1.1 christos /* we enforce group mode (= append tuple) for DEFAULT_XYZ group lists */ 1356 1.1 christos garg->tuple_mode = 0; 1357 1.1 christos /* We use the tuple_cb callback to process the pseudo group tuple */ 1358 1.1 christos retval = CONF_parse_list(restored_default_group_string, 1359 1.1.1.2 christos TUPLE_DELIMITER_CHARACTER, 1, tuple_cb, garg); 1360 1.1 christos garg->tuple_mode = 1; /* next call to tuple_cb will again start new tuple */ 1361 1.1 christos garg->ignore_unknown_default = 
0; /* reset to original value */ 1362 1.1 christos /* We don't need the \0-terminated string anymore */ 1363 1.1 christos OPENSSL_free(restored_default_group_string); 1364 1.1 christos 1365 1.1 christos return retval; 1366 1.1 christos } 1367 1.1 christos } 1368 1.1 christos /* 1369 1.1 christos * If we reached this point, a group name started with a 'd' or 'D', but no request 1370 1.1 christos * for a DEFAULT[_XYZ] 'pseudo group' was detected, hence processing of the group 1371 1.1 christos * name can continue as usual (= the while loop checking prefixes can end) 1372 1.1 christos */ 1373 1.1 christos continue_while_loop = 0; 1374 1.1 christos break; 1375 1.1 christos } 1376 1.1 christos } 1377 1.1 christos 1378 1.1 christos if (len == 0) 1379 1.1 christos return -1; /* Seems we have prefxes without a group name -> syntax error */ 1380 1.1 christos 1381 1.1 christos if (garg->ignore_unknown_default == 1) /* Always ignore unknown groups for DEFAULT[_XYZ] */ 1382 1.1 christos ignore_unknown = 1; 1383 1.1 christos 1384 1.1 christos /* Memory management in case more groups are present compared to initial allocation */ 1385 1.1 christos if (garg->gidcnt == garg->gidmax) { 1386 1.1.1.2 christos uint16_t *tmp = OPENSSL_realloc(garg->gid_arr, 1387 1.1.1.2 christos (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr)); 1388 1.1 christos 1389 1.1 christos if (tmp == NULL) 1390 1.1 christos return 0; 1391 1.1 christos 1392 1.1 christos garg->gidmax += GROUPLIST_INCREMENT; 1393 1.1 christos garg->gid_arr = tmp; 1394 1.1 christos } 1395 1.1 christos /* Memory management for key share groups */ 1396 1.1 christos if (garg->ksidcnt == garg->ksidmax) { 1397 1.1.1.2 christos uint16_t *tmp = OPENSSL_realloc(garg->ksid_arr, 1398 1.1.1.2 christos (garg->ksidmax + GROUPLIST_INCREMENT) * sizeof(*garg->ksid_arr)); 1399 1.1 christos 1400 1.1 christos if (tmp == NULL) 1401 1.1 christos return 0; 1402 1.1 christos garg->ksidmax += GROUPLIST_INCREMENT; 1403 1.1 christos 
garg->ksid_arr = tmp; 1404 1.1 christos } 1405 1.1 christos 1406 1.1 christos if (len > (int)(sizeof(etmp) - 1)) 1407 1.1 christos return -1; /* group name to long -> syntax error */ 1408 1.1 christos 1409 1.1 christos /* 1410 1.1 christos * Prepare addition or removal of a single group by converting 1411 1.1 christos * a group name into its groupID equivalent 1412 1.1 christos */ 1413 1.1 christos 1414 1.1 christos /* Create a \0-terminated string and get the gid for this group if possible */ 1415 1.1 christos memcpy(etmp, elem, len); 1416 1.1 christos etmp[len] = 0; 1417 1.1 christos 1418 1.1 christos /* Get the groupID */ 1419 1.1 christos gid = tls1_group_name2id(garg->ctx, etmp); 1420 1.1 christos /* 1421 1.1 christos * Handle the case where no valid groupID was returned 1422 1.1 christos * e.g. for an unknown group, which we'd ignore (only) if relevant prefix was set 1423 1.1 christos */ 1424 1.1 christos if (gid == 0) { 1425 1.1 christos /* Is it one of the GOST groups ? */ 1426 1.1 christos for (i = 0; i < OSSL_NELEM(name2id_arr); i++) { 1427 1.1 christos if (OPENSSL_strcasecmp(etmp, name2id_arr[i].group_name) == 0) { 1428 1.1 christos gid = name2id_arr[i].groupID; 1429 1.1 christos break; 1430 1.1 christos } 1431 1.1 christos } 1432 1.1 christos if (gid == 0) { /* still not found */ 1433 1.1 christos /* Unknown group - ignore if ignore_unknown; trigger error otherwise */ 1434 1.1 christos retval = ignore_unknown; 1435 1.1 christos goto done; 1436 1.1 christos } 1437 1.1 christos } 1438 1.1 christos 1439 1.1 christos /* Make sure that at least one provider is supporting this groupID */ 1440 1.1 christos found_group = 0; 1441 1.1 christos for (j = 0; j < garg->ctx->group_list_len; j++) 1442 1.1 christos if (garg->ctx->group_list[j].group_id == gid) { 1443 1.1 christos found_group = 1; 1444 1.1 christos break; 1445 1.1 christos } 1446 1.1 christos 1447 1.1 christos /* 1448 1.1 christos * No provider supports this group - ignore if 1449 1.1 christos * 
ignore_unknown; trigger error otherwise 1450 1.1 christos */ 1451 1.1 christos if (found_group == 0) { 1452 1.1 christos retval = ignore_unknown; 1453 1.1 christos goto done; 1454 1.1 christos } 1455 1.1 christos /* Remove group (and keyshare) from anywhere in the list if present, ignore if not present */ 1456 1.1 christos if (remove_group) { 1457 1.1 christos /* Is the current group specified anywhere in the entire list so far? */ 1458 1.1 christos found_group = 0; 1459 1.1 christos for (i = 0; i < garg->gidcnt; i++) 1460 1.1 christos if (garg->gid_arr[i] == gid) { 1461 1.1 christos found_group = 1; 1462 1.1 christos break; 1463 1.1 christos } 1464 1.1 christos /* The group to remove is at position i in the list of (zero indexed) groups */ 1465 1.1 christos if (found_group) { 1466 1.1 christos /* We remove that group from its position (which is at i)... */ 1467 1.1 christos for (j = i; j < (garg->gidcnt - 1); j++) 1468 1.1 christos garg->gid_arr[j] = garg->gid_arr[j + 1]; /* ...shift remaining groups left ... 
*/ 1469 1.1 christos garg->gidcnt--; /* ..and update the book keeping for the number of groups */ 1470 1.1 christos 1471 1.1 christos /* 1472 1.1 christos * We also must update the number of groups either in a previous tuple (which we 1473 1.1 christos * must identify and check whether it becomes empty due to the deletion) or in 1474 1.1 christos * the current tuple, pending where the deleted group resides 1475 1.1 christos */ 1476 1.1 christos k = 0; 1477 1.1 christos for (j = 0; j < garg->tplcnt; j++) { 1478 1.1 christos k += garg->tuplcnt_arr[j]; 1479 1.1 christos /* Remark: i is zero-indexed, k is one-indexed */ 1480 1.1 christos if (k > i) { /* remove from one of the previous tuples */ 1481 1.1 christos garg->tuplcnt_arr[j]--; 1482 1.1 christos break; /* We took care not to have group duplicates, hence we can stop here */ 1483 1.1 christos } 1484 1.1 christos } 1485 1.1 christos if (k <= i) /* remove from current tuple */ 1486 1.1 christos garg->tuplcnt_arr[j]--; 1487 1.1 christos 1488 1.1 christos /* We also remove the group from the list of keyshares (if present) */ 1489 1.1 christos found_group = 0; 1490 1.1 christos for (i = 0; i < garg->ksidcnt; i++) 1491 1.1 christos if (garg->ksid_arr[i] == gid) { 1492 1.1 christos found_group = 1; 1493 1.1 christos break; 1494 1.1 christos } 1495 1.1 christos if (found_group) { 1496 1.1 christos /* Found, hence we remove that keyshare from its position (which is at i)... */ 1497 1.1 christos for (j = i; j < (garg->ksidcnt - 1); j++) 1498 1.1 christos garg->ksid_arr[j] = garg->ksid_arr[j + 1]; /* shift remaining key shares */ 1499 1.1 christos /* ... 
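and update the book keeping */
                garg->ksidcnt--;
            }
        }
    } else { /* Processing addition of a single new group */

        /* Check for duplicates */
        for (i = 0; i < garg->gidcnt; i++)
            if (garg->gid_arr[i] == gid) {
                /* Duplicate group anywhere in the list of groups - ignore */
                goto done;
            }

        /* Add the current group to the 'flat' list of groups */
        garg->gid_arr[garg->gidcnt++] = gid;
        /* and update the book keeping for the number of groups in current tuple */
        garg->tuplcnt_arr[garg->tplcnt]++;

        /* We memorize if needed that we want to add a key share for the current group */
        if (add_keyshare)
            garg->ksid_arr[garg->ksidcnt++] = gid;
    }

done:
    return retval;
}

/*
 * Extract and process a tuple of groups.
 *
 * CONF_parse_list() callback, invoked once per TUPLE_DELIMITER_CHARACTER
 * separated element of the groups string. The tuple is copied into a
 * \0-terminated buffer and fed to CONF_parse_list() again, this time split
 * on GROUP_DELIMITER_CHARACTER, so that gid_cb() handles each group name.
 *
 * @tuple: start of the tuple text (not \0-terminated)
 * @len:   number of bytes in @tuple
 * @arg:   the gid_cb_st bookkeeping structure shared with gid_cb()
 *
 * Returns the value propagated from the nested CONF_parse_list() call
 * (tls1_set_groups_list() treats 1 as success, 0 as failure and -1 as a
 * syntax error), or 0 on a NULL argument, an empty tuple or an allocation
 * failure.
 */
static int tuple_cb(const char *tuple, int len, void *arg)
{
    gid_cb_st *garg = arg;
    int retval = 1; /* We assume success */
    char *restored_tuple_string;

    /* Sanity checks */
    if (garg == NULL || tuple == NULL || len <= 0) {
        ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_CONFIG_VALUE);
        return 0;
    }

    /*
     * Memory management for tuples.
     *
     * Closing a tuple at the end of this function increments tplcnt and then
     * zeroes tuplcnt_arr[tplcnt], i.e. it writes the slot *after* the current
     * one. The array therefore needs room for tplcnt + 1 entries now; growing
     * only once tplcnt == tplmax would let that initialisation write one
     * element past the allocation after GROUPLIST_INCREMENT tuples have been
     * closed (whether that many distinct tuples are reachable depends on the
     * number of groups the context supports, but the bound must hold
     * regardless).
     */
    if (garg->tplcnt + 1 >= garg->tplmax) {
        size_t *tmp = OPENSSL_realloc(garg->tuplcnt_arr,
                                      (garg->tplmax + GROUPLIST_INCREMENT) * sizeof(*garg->tuplcnt_arr));

        if (tmp == NULL)
            return 0;
        garg->tplmax += GROUPLIST_INCREMENT;
        garg->tuplcnt_arr = tmp;
    }

    /* Convert to \0-terminated string */
    restored_tuple_string = OPENSSL_malloc((len + 1 /* \0 */) * sizeof(char));
    if (restored_tuple_string == NULL)
        return 0;
    memcpy(restored_tuple_string, tuple, len);
    restored_tuple_string[len] = '\0';

    /* Analyze group list of this tuple */
    retval = CONF_parse_list(restored_tuple_string, GROUP_DELIMITER_CHARACTER, 1, gid_cb, arg);

    /* We don't need the \0-terminated string anymore */
    OPENSSL_free(restored_tuple_string);

    if (garg->tuplcnt_arr[garg->tplcnt] > 0) { /* Some valid groups are present in current tuple... */
        if (garg->tuple_mode) {
            /* We 'close' the tuple */
            garg->tplcnt++;
            garg->tuplcnt_arr[garg->tplcnt] = 0; /* Next tuple is initialized to be empty */
            garg->tuple_mode = 1; /* next call will start a tuple (unless overridden in gid_cb) */
        }
    }

    return retval;
}

/*
 * Set groups and prepare generation of keyshares based on a string of groupnames,
 * names separated by the group or the tuple delimiter, with per-group prefixes to
 * (1) add a key share for this group, (2) ignore the group if unknown to the current
 * context, (3) delete a previous occurrence of the group in the current tuple.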
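*
 * The list parsing is done in two hierarchical steps: The top-level step extracts the
 * string of a tuple using tuple_cb, while the next lower step uses gid_cb to
 * parse and process the groups inside a tuple.
 *
 * @ctx:       context used to resolve group names; must not be NULL
 * @grpext:    [out] receives the flat array of group IDs, @grpextlen its length
 * @ksext:     [out] receives the array of key-share group IDs, @ksextlen its
 *             length. If no key-share prefix was used anywhere, a single entry
 *             of 0 is stored to signal that one key share should be taken from
 *             the supported_groups list
 * @tplext:    [out] receives the per-tuple group counts, @tplextlen the number
 *             of (non-empty) tuples
 * @str:       the groups string; must not be NULL. Leading white space is
 *             skipped and an empty/blank string is accepted as an empty list
 *
 * If any of the six output pointers is NULL only a syntax check is performed
 * and nothing is stored. Otherwise the previous contents of *grpext, *ksext
 * and *tplext are freed and ownership of the newly built arrays passes to the
 * caller.
 *
 * Returns 1 on success and 0 on failure; syntax errors and an excessive
 * number of key shares push an error with the offending string attached.
 */
int tls1_set_groups_list(SSL_CTX *ctx,
                         uint16_t **grpext, size_t *grpextlen,
                         uint16_t **ksext, size_t *ksextlen,
                         size_t **tplext, size_t *tplextlen,
                         const char *str)
{
    size_t i = 0, j;
    int ret = 0, parse_ret = 0;
    gid_cb_st gcb;

    /*
     * Sanity check: @str is dereferenced unconditionally below, so reject a
     * NULL string here rather than crash on it
     */
    if (ctx == NULL || str == NULL) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }

    /* Zeroed so that the 'end' path can free every pointer unconditionally */
    memset(&gcb, 0, sizeof(gcb));
    gcb.tuple_mode = 1; /* We prepare to collect the first tuple */
    gcb.ignore_unknown_default = 0;
    gcb.gidmax = GROUPLIST_INCREMENT;
    gcb.tplmax = GROUPLIST_INCREMENT;
    gcb.ksidmax = GROUPLIST_INCREMENT;
    gcb.ctx = ctx;

    /* Prepare initial chunks of memory for groups, tuples and keyshares groupIDs */
    gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr));
    if (gcb.gid_arr == NULL)
        goto end;
    gcb.tuplcnt_arr = OPENSSL_malloc(gcb.tplmax * sizeof(*gcb.tuplcnt_arr));
    if (gcb.tuplcnt_arr == NULL)
        goto end;
    gcb.tuplcnt_arr[0] = 0;
    gcb.ksid_arr = OPENSSL_malloc(gcb.ksidmax * sizeof(*gcb.ksid_arr));
    if (gcb.ksid_arr == NULL)
        goto end;

    /* Skip leading white space; a blank string is a valid, empty list */
    while (str[0] != '\0' && isspace((unsigned char)*str))
        str++;
    if (str[0] == '\0')
        goto empty_list;

    /*
     * Start the (potentially recursive) tuple processing by calling CONF_parse_list
     * with the TUPLE_DELIMITER_CHARACTER (which will call tuple_cb after cleaning spaces)
     */
    parse_ret = CONF_parse_list(str, TUPLE_DELIMITER_CHARACTER, 1, tuple_cb, &gcb);

    if (parse_ret == 0)
        goto end;
    if (parse_ret == -1) {
        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
                       "Syntax error in '%s'", str);
        goto end;
    }

    /*
     * We check whether a tuple was completely emptied by using "-" prefix
     * excessively, in which case we remove the tuple (compacting the counts
     * array in place; i is the write index, j the read index)
     */
    for (i = j = 0; j < gcb.tplcnt; j++) {
        if (gcb.tuplcnt_arr[j] == 0)
            continue;
        /* If there's a gap, move to first unfilled slot */
        if (j == i)
            ++i;
        else
            gcb.tuplcnt_arr[i++] = gcb.tuplcnt_arr[j];
    }
    gcb.tplcnt = i;

    if (gcb.ksidcnt > OPENSSL_CLIENT_MAX_KEY_SHARES) {
        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
                       "To many keyshares requested in '%s' (max = %d)",
                       str, OPENSSL_CLIENT_MAX_KEY_SHARES);
        goto end;
    }

    /*
     * For backward compatibility we let the rest of the code know that a key share
     * for the first valid group should be added if no "*" prefix was used anywhere
     */
    if (gcb.gidcnt > 0 && gcb.ksidcnt == 0) {
        /*
         * No key share group prefix character was used, hence we indicate that a single
         * key share should be sent and flag that it should come from the supported_groups list
         */
        gcb.ksidcnt = 1;
        gcb.ksid_arr[0] = 0;
    }

 empty_list:
    /*
     * A call to tls1_set_groups_list with any of the args (other than ctx) set
     * to NULL only does a syntax check, hence we're done here and report success
     */
    if (grpext == NULL || ksext == NULL || tplext == NULL || grpextlen == NULL || ksextlen == NULL || tplextlen == NULL) {
        ret = 1;
        goto end;
    }

    /*
     * tuple_cb and gid_cb combo ensures there are no duplicates or unknown groups so we
     * can just go ahead and set the results (after disposing the existing).
     * From here on the arrays belong to the caller, so they must not be freed below.
     */
    OPENSSL_free(*grpext);
    *grpext = gcb.gid_arr;
    *grpextlen = gcb.gidcnt;
    OPENSSL_free(*ksext);
    *ksext = gcb.ksid_arr;
    *ksextlen = gcb.ksidcnt;
    OPENSSL_free(*tplext);
    *tplext = gcb.tuplcnt_arr;
    *tplextlen = gcb.tplcnt;

    return 1;

 end:
    OPENSSL_free(gcb.gid_arr);
    OPENSSL_free(gcb.tuplcnt_arr);
    OPENSSL_free(gcb.ksid_arr);
    return ret;
}

/*
 * Check a group id matches preferences.
 *
 * @s:                the connection
 * @group_id:         group to check; 0 is never acceptable
 * @check_own_groups: when non-zero, @group_id must also appear in our own
 *                    supported-groups list
 *
 * In Suite B mode the group is additionally tied to the negotiated cipher
 * (P-256 for AES-128-GCM, P-384 for AES-256-GCM). Every group must pass the
 * security callback (SSL_SECOP_CURVE_CHECK). On a server the group must also
 * be in the peer's supported-groups list, unless the peer sent none.
 *
 * Returns 1 if the group is acceptable, 0 otherwise.
 */
int tls1_check_group_id(SSL_CONNECTION *s, uint16_t group_id,
                        int check_own_groups)
{
    const uint16_t *groups;
    size_t groups_len;

    if (group_id == 0)
        return 0;

    /* Check for Suite B compliance */
    if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) {
        unsigned long cid = s->s3.tmp.new_cipher->id;

        if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
            if (group_id != OSSL_TLS_GROUP_ID_secp256r1)
                return 0;
        } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
            if (group_id != OSSL_TLS_GROUP_ID_secp384r1)
                return 0;
        } else {
            /* Should never happen */
            return 0;
        }
    }

    if (check_own_groups) {
        /* Check group is one of our preferences */
        tls1_get_supported_groups(s, &groups, &groups_len);
        if (!tls1_in_list(group_id, groups, groups_len))
            return 0;
    }

    if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
        return 0;

    /* For clients, nothing more to check */
    if (!s->server)
        return 1;

    /* Check group is one of peers preferences */
    tls1_get_peer_groups(s, &groups, &groups_len);

    /*
     * RFC 4492 does not require the supported elliptic curves extension
     * so if it is not sent we can just choose any curve.
     * It is invalid to send an empty list in the supported groups
     * extension, so groups_len == 0 always means no extension.
     */
    if (groups_len == 0)
        return 1;
    return tls1_in_list(group_id, groups, groups_len);
}

/*
 * Return the EC point format list to advertise.
 *
 * @s:           the connection
 * @pformats:    [out] points at the list (not a copy; do not free)
 * @num_formats: [out] number of entries
 *
 * A custom list set on the connection wins; otherwise ecformats_default is
 * used, with its trailing (char2) entry dropped in Suite B mode.
 */
void tls1_get_formatlist(SSL_CONNECTION *s, const unsigned char **pformats,
                         size_t *num_formats)
{
    /*
     * If we have a custom point format list use it otherwise use default
     */
    if (s->ext.ecpointformats) {
        *pformats = s->ext.ecpointformats;
        *num_formats = s->ext.ecpointformats_len;
    } else {
        *pformats = ecformats_default;
        /* For Suite B we don't support char2 fields */
        if (tls1_suiteb(s))
            *num_formats = sizeof(ecformats_default) - 1;
        else
            *num_formats = sizeof(ecformats_default);
    }
}

/*
 * Check a key is compatible with compression extension.
 *
 * Non-EC keys always pass. For EC keys the point conversion form of @pkey is
 * mapped to the matching TLSEXT_ECPOINTFORMAT_* id; the key passes if the
 * peer sent no ec_point_formats extension or the id is in the peer's list.
 * Compressed points are not checked against the extension in TLSv1.3, where
 * the extension is not used.
 *
 * Returns 1 if compatible, 0 otherwise (including when the conversion form
 * or field type cannot be determined).
 */
static int tls1_check_pkey_comp(SSL_CONNECTION *s, EVP_PKEY *pkey)
{
    unsigned char comp_id;
    size_t i;
    int point_conv;

    /* If not an EC key nothing to check */
    if (!EVP_PKEY_is_a(pkey, "EC"))
        return 1;

    /* Get required compression id */
    point_conv = EVP_PKEY_get_ec_point_conv_form(pkey);
    if (point_conv == 0)
        return 0;
    if (point_conv == POINT_CONVERSION_UNCOMPRESSED) {
        comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
    } else if (SSL_CONNECTION_IS_TLS13(s)) {
        /*
         * ec_point_formats extension is not used in TLSv1.3 so we ignore
         * this check.
         */
        return 1;
    } else {
        int field_type = EVP_PKEY_get_field_type(pkey);

        if (field_type == NID_X9_62_prime_field)
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
        else if (field_type == NID_X9_62_characteristic_two_field)
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
        else
            return 0;
    }
    /*
     * If point formats extension present check it, otherwise everything is
     * supported (see RFC4492).
     */
    if (s->ext.peer_ecpointformats == NULL)
        return 1;

    for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
        if (s->ext.peer_ecpointformats[i] == comp_id)
            return 1;
    }
    return 0;
}

/*
 * Return group id of a key, or 0 if the key has no recognised EC curve.
 */
static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
{
    int curve_nid = ssl_get_EC_curve_nid(pkey);

    if (curve_nid == NID_undef)
        return 0;
    return tls1_nid2group_id(curve_nid);
}

/*
 * Check cert parameters compatible with extensions: currently just checks EC
 * certificates have compatible curves and compression.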
*/
/*
 * Suite B helper: the end-entity signature must be ECDSA+SHA256 on P-256 or
 * ECDSA+SHA384 on P-384. Returns 1 when the signature algorithm matching
 * @group_id is present in the connection's shared signature algorithm list.
 */
static int tls1_suiteb_sig_shared(const SSL_CONNECTION *s, uint16_t group_id)
{
    int want_md;
    size_t idx;

    /* Check to see we have necessary signing algorithm */
    switch (group_id) {
    case OSSL_TLS_GROUP_ID_secp256r1:
        want_md = NID_ecdsa_with_SHA256;
        break;
    case OSSL_TLS_GROUP_ID_secp384r1:
        want_md = NID_ecdsa_with_SHA384;
        break;
    default:
        return 0; /* Should never happen */
    }

    for (idx = 0; idx < s->shared_sigalgslen; idx++) {
        if (s->shared_sigalgs[idx]->sigandhash == want_md)
            return 1;
    }
    return 0;
}

/*
 * Validate the EC parameters of certificate @x against the negotiated
 * extensions: point compression (tls1_check_pkey_comp) and curve
 * (tls1_check_group_id). With @check_ee_md set and Suite B active the
 * signing algorithm is additionally verified. Non-EC certificates pass.
 *
 * Returns 1 if compatible, 0 otherwise (also when @x has no public key).
 */
static int tls1_check_cert_param(SSL_CONNECTION *s, X509 *x, int check_ee_md)
{
    EVP_PKEY *pkey = X509_get0_pubkey(x);
    uint16_t group_id;

    if (pkey == NULL)
        return 0;

    /* If not EC nothing to do */
    if (!EVP_PKEY_is_a(pkey, "EC"))
        return 1;

    /* Check compression */
    if (!tls1_check_pkey_comp(s, pkey))
        return 0;

    group_id = tls1_get_group_id(pkey);
    /*
     * For a server we allow the certificate to not be in our list of supported
     * groups.
     */
    if (!tls1_check_group_id(s, group_id, !s->server))
        return 0;

    /*
     * Special case for suite B. We *MUST* sign using SHA256+P-256 or
     * SHA384+P-384.
     */
    if (!check_ee_md || !tls1_suiteb(s))
        return 1;
    return tls1_suiteb_sig_shared(s, group_id);
}

/*
 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
 * @s: SSL connection
 * @cid: Cipher ID we're considering using
 *
 * Checks that the kECDHE cipher suite we're considering using
 * is compatible with the client extensions.
 *
 * Returns 0 when the cipher can't be used or 1 when it can.
 */
int tls1_check_ec_tmp_key(SSL_CONNECTION *s, unsigned long cid)
{
    /* If not Suite B just need a shared group */
    if (!tls1_suiteb(s))
        return tls1_shared_group(s, 0) != 0;

    /*
     * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
     * curves permitted.
     */
    switch (cid) {
    case TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
        return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp256r1, 1);
    case TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
        return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp384r1, 1);
    default:
        return 0;
    }
}

/* Default sigalg schemes */
static const uint16_t tls12_sigalgs[] = {
    TLSEXT_SIGALG_mldsa65,
    TLSEXT_SIGALG_mldsa87,
    TLSEXT_SIGALG_mldsa44,
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
    TLSEXT_SIGALG_ed25519,
    TLSEXT_SIGALG_ed448,
    TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
    TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
    TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,

    TLSEXT_SIGALG_rsa_pss_pss_sha256,
    TLSEXT_SIGALG_rsa_pss_pss_sha384,
    TLSEXT_SIGALG_rsa_pss_pss_sha512,
    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
    TLSEXT_SIGALG_rsa_pss_rsae_sha512,

    TLSEXT_SIGALG_rsa_pkcs1_sha256,
    TLSEXT_SIGALG_rsa_pkcs1_sha384,
    TLSEXT_SIGALG_rsa_pkcs1_sha512,

    TLSEXT_SIGALG_ecdsa_sha224,
    TLSEXT_SIGALG_ecdsa_sha1,

    TLSEXT_SIGALG_rsa_pkcs1_sha224,
    TLSEXT_SIGALG_rsa_pkcs1_sha1,

    TLSEXT_SIGALG_dsa_sha224,
    TLSEXT_SIGALG_dsa_sha1,

    TLSEXT_SIGALG_dsa_sha256,
TLSEXT_SIGALG_dsa_sha384, 1949 1.1 christos TLSEXT_SIGALG_dsa_sha512, 1950 1.1 christos 1951 1.1 christos #ifndef OPENSSL_NO_GOST 1952 1.1 christos TLSEXT_SIGALG_gostr34102012_256_intrinsic, 1953 1.1 christos TLSEXT_SIGALG_gostr34102012_512_intrinsic, 1954 1.1 christos TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1955 1.1 christos TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1956 1.1 christos TLSEXT_SIGALG_gostr34102001_gostr3411, 1957 1.1 christos #endif 1958 1.1 christos }; 1959 1.1 christos 1960 1.1 christos static const uint16_t suiteb_sigalgs[] = { 1961 1.1 christos TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1962 1.1 christos TLSEXT_SIGALG_ecdsa_secp384r1_sha384 1963 1.1 christos }; 1964 1.1 christos 1965 1.1 christos static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { 1966 1.1.1.2 christos { TLSEXT_SIGALG_ecdsa_secp256r1_sha256_name, 1967 1.1.1.2 christos "ECDSA+SHA256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1968 1.1.1.2 christos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1969 1.1.1.2 christos NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1, 0, 1970 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 1971 1.1.1.2 christos { TLSEXT_SIGALG_ecdsa_secp384r1_sha384_name, 1972 1.1.1.2 christos "ECDSA+SHA384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 1973 1.1.1.2 christos NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1974 1.1.1.2 christos NID_ecdsa_with_SHA384, NID_secp384r1, 1, 0, 1975 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 1976 1.1.1.2 christos { TLSEXT_SIGALG_ecdsa_secp521r1_sha512_name, 1977 1.1.1.2 christos "ECDSA+SHA512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 1978 1.1.1.2 christos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1979 1.1.1.2 christos NID_ecdsa_with_SHA512, NID_secp521r1, 1, 0, 1980 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 1981 1.1.1.2 christos 1982 1.1.1.2 christos { TLSEXT_SIGALG_ed25519_name, 1983 1.1.1.2 christos NULL, TLSEXT_SIGALG_ed25519, 1984 1.1.1.2 
christos NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519, 1985 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 1986 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 1987 1.1.1.2 christos { TLSEXT_SIGALG_ed448_name, 1988 1.1.1.2 christos NULL, TLSEXT_SIGALG_ed448, 1989 1.1.1.2 christos NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448, 1990 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 1991 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 1992 1.1.1.2 christos 1993 1.1.1.2 christos { TLSEXT_SIGALG_ecdsa_sha224_name, 1994 1.1.1.2 christos "ECDSA+SHA224", TLSEXT_SIGALG_ecdsa_sha224, 1995 1.1.1.2 christos NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1996 1.1.1.2 christos NID_ecdsa_with_SHA224, NID_undef, 1, 0, 1997 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 1998 1.1.1.2 christos { TLSEXT_SIGALG_ecdsa_sha1_name, 1999 1.1.1.2 christos "ECDSA+SHA1", TLSEXT_SIGALG_ecdsa_sha1, 2000 1.1.1.2 christos NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 2001 1.1.1.2 christos NID_ecdsa_with_SHA1, NID_undef, 1, 0, 2002 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 2003 1.1.1.2 christos 2004 1.1.1.2 christos { TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_name, 2005 1.1.1.2 christos TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_alias, 2006 1.1.1.2 christos TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256, 2007 1.1.1.2 christos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 2008 1.1.1.2 christos NID_ecdsa_with_SHA256, NID_brainpoolP256r1, 1, 0, 2009 1.1.1.2 christos TLS1_3_VERSION, 0, -1, -1 }, 2010 1.1.1.2 christos { TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_name, 2011 1.1.1.2 christos TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_alias, 2012 1.1.1.2 christos TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384, 2013 1.1.1.2 christos NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 2014 1.1.1.2 christos NID_ecdsa_with_SHA384, NID_brainpoolP384r1, 1, 0, 2015 1.1.1.2 christos 
TLS1_3_VERSION, 0, -1, -1 }, 2016 1.1.1.2 christos { TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name, 2017 1.1.1.2 christos TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_alias, 2018 1.1.1.2 christos TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512, 2019 1.1.1.2 christos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 2020 1.1.1.2 christos NID_ecdsa_with_SHA512, NID_brainpoolP512r1, 1, 0, 2021 1.1.1.2 christos TLS1_3_VERSION, 0, -1, -1 }, 2022 1.1.1.2 christos 2023 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pss_rsae_sha256_name, 2024 1.1.1.2 christos "PSS+SHA256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, 2025 1.1.1.2 christos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 2026 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2027 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 2028 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pss_rsae_sha384_name, 2029 1.1.1.2 christos "PSS+SHA384", TLSEXT_SIGALG_rsa_pss_rsae_sha384, 2030 1.1.1.2 christos NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 2031 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2032 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 2033 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pss_rsae_sha512_name, 2034 1.1.1.2 christos "PSS+SHA512", TLSEXT_SIGALG_rsa_pss_rsae_sha512, 2035 1.1.1.2 christos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 2036 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2037 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 2038 1.1.1.2 christos 2039 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pss_pss_sha256_name, 2040 1.1.1.2 christos NULL, TLSEXT_SIGALG_rsa_pss_pss_sha256, 2041 1.1.1.2 christos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 2042 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2043 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 2044 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pss_pss_sha384_name, 2045 1.1.1.2 christos NULL, TLSEXT_SIGALG_rsa_pss_pss_sha384, 2046 1.1.1.2 christos NID_sha384, SSL_MD_SHA384_IDX, 
EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 2047 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2048 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 2049 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pss_pss_sha512_name, 2050 1.1.1.2 christos NULL, TLSEXT_SIGALG_rsa_pss_pss_sha512, 2051 1.1.1.2 christos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 2052 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2053 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 2054 1.1.1.2 christos 2055 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pkcs1_sha256_name, 2056 1.1.1.2 christos "RSA+SHA256", TLSEXT_SIGALG_rsa_pkcs1_sha256, 2057 1.1.1.2 christos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 2058 1.1.1.2 christos NID_sha256WithRSAEncryption, NID_undef, 1, 0, 2059 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 2060 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pkcs1_sha384_name, 2061 1.1.1.2 christos "RSA+SHA384", TLSEXT_SIGALG_rsa_pkcs1_sha384, 2062 1.1.1.2 christos NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 2063 1.1.1.2 christos NID_sha384WithRSAEncryption, NID_undef, 1, 0, 2064 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 2065 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pkcs1_sha512_name, 2066 1.1.1.2 christos "RSA+SHA512", TLSEXT_SIGALG_rsa_pkcs1_sha512, 2067 1.1.1.2 christos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 2068 1.1.1.2 christos NID_sha512WithRSAEncryption, NID_undef, 1, 0, 2069 1.1.1.2 christos TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 }, 2070 1.1.1.2 christos 2071 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pkcs1_sha224_name, 2072 1.1.1.2 christos "RSA+SHA224", TLSEXT_SIGALG_rsa_pkcs1_sha224, 2073 1.1.1.2 christos NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 2074 1.1.1.2 christos NID_sha224WithRSAEncryption, NID_undef, 1, 0, 2075 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 2076 1.1.1.2 christos { TLSEXT_SIGALG_rsa_pkcs1_sha1_name, 2077 1.1.1.2 
christos "RSA+SHA1", TLSEXT_SIGALG_rsa_pkcs1_sha1, 2078 1.1.1.2 christos NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 2079 1.1.1.2 christos NID_sha1WithRSAEncryption, NID_undef, 1, 0, 2080 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 2081 1.1.1.2 christos 2082 1.1.1.2 christos { TLSEXT_SIGALG_dsa_sha256_name, 2083 1.1.1.2 christos "DSA+SHA256", TLSEXT_SIGALG_dsa_sha256, 2084 1.1.1.2 christos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 2085 1.1.1.2 christos NID_dsa_with_SHA256, NID_undef, 1, 0, 2086 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 2087 1.1.1.2 christos { TLSEXT_SIGALG_dsa_sha384_name, 2088 1.1.1.2 christos "DSA+SHA384", TLSEXT_SIGALG_dsa_sha384, 2089 1.1.1.2 christos NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 2090 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2091 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 2092 1.1.1.2 christos { TLSEXT_SIGALG_dsa_sha512_name, 2093 1.1.1.2 christos "DSA+SHA512", TLSEXT_SIGALG_dsa_sha512, 2094 1.1.1.2 christos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 2095 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2096 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 2097 1.1.1.2 christos { TLSEXT_SIGALG_dsa_sha224_name, 2098 1.1.1.2 christos "DSA+SHA224", TLSEXT_SIGALG_dsa_sha224, 2099 1.1.1.2 christos NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 2100 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2101 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 2102 1.1.1.2 christos { TLSEXT_SIGALG_dsa_sha1_name, 2103 1.1.1.2 christos "DSA+SHA1", TLSEXT_SIGALG_dsa_sha1, 2104 1.1.1.2 christos NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 2105 1.1.1.2 christos NID_dsaWithSHA1, NID_undef, 1, 0, 2106 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, 
DTLS1_2_VERSION, DTLS1_2_VERSION }, 2107 1.1 christos 2108 1.1 christos #ifndef OPENSSL_NO_GOST 2109 1.1.1.2 christos { TLSEXT_SIGALG_gostr34102012_256_intrinsic_alias, /* RFC9189 */ 2110 1.1.1.2 christos TLSEXT_SIGALG_gostr34102012_256_intrinsic_name, 2111 1.1.1.2 christos TLSEXT_SIGALG_gostr34102012_256_intrinsic, 2112 1.1.1.2 christos NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 2113 1.1.1.2 christos NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 2114 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2115 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 2116 1.1.1.2 christos { TLSEXT_SIGALG_gostr34102012_256_intrinsic_alias, /* RFC9189 */ 2117 1.1.1.2 christos TLSEXT_SIGALG_gostr34102012_256_intrinsic_name, 2118 1.1.1.2 christos TLSEXT_SIGALG_gostr34102012_512_intrinsic, 2119 1.1.1.2 christos NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 2120 1.1.1.2 christos NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 2121 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2122 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 2123 1.1.1.2 christos 2124 1.1.1.2 christos { TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_name, 2125 1.1.1.2 christos NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 2126 1.1.1.2 christos NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 2127 1.1.1.2 christos NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 2128 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2129 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION }, 2130 1.1.1.2 christos { TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_name, 2131 1.1.1.2 christos NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 2132 1.1.1.2 christos NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 2133 1.1.1.2 christos NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 2134 1.1.1.2 christos NID_undef, NID_undef, 1, 0, 2135 1.1.1.2 christos TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, 
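DTLS1_2_VERSION },
    { TLSEXT_SIGALG_gostr34102001_gostr3411_name,
      NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
      NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
      NID_id_GostR3410_2001, SSL_PKEY_GOST01,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
#endif
};

/*
 * Legacy sigalgs for TLS < 1.2 RSA TLS signatures.
 * This is not a real code point (sigalg 0, no TLS 1.2 name): it exists only
 * so that the RSA MD5+SHA1 signature of pre-1.2 protocols can be described
 * by the same SIGALG_LOOKUP structure as everything else.
 */
static const SIGALG_LOOKUP legacy_rsa_sigalg = {
    "rsa_pkcs1_md5_sha1", NULL, 0,
    NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
    EVP_PKEY_RSA, SSL_PKEY_RSA,
    NID_undef, NID_undef, 1, 0,
    TLS1_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION
};

/*
 * Default signature algorithm values used if signature algorithms not present.
 * From RFC5246. Note: order must match certificate index order (SSL_PKEY_*):
 * the array is indexed by certificate type, and a 0 entry means that key type
 * has no legacy default.
 */
static const uint16_t tls_default_sigalg[] = {
    TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
    0, /* SSL_PKEY_RSA_PSS_SIGN */
    TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
    TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
    TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
    TLSEXT_SIGALG_gostr34102012_256_intrinsic, /* SSL_PKEY_GOST12_256 */
    TLSEXT_SIGALG_gostr34102012_512_intrinsic, /* SSL_PKEY_GOST12_512 */
    0, /* SSL_PKEY_ED25519 */
    0, /* SSL_PKEY_ED448 */
};

/*
 * Build the per-SSL_CTX signature algorithm cache.
 *
 * |ctx->sigalg_lookup_cache| receives a copy of sigalg_lookup_tbl followed by
 * one entry per provider-supplied sigalg in |ctx->sigalg_list|.  Each built-in
 * entry is marked unavailable when its digest is not in
 * |ctx->ssl_digest_methods| or when a key/context of its key type cannot be
 * created in |ctx->libctx|.  |ctx->tls12_sigalgs| receives the default
 * advertised list: the entries of tls12_sigalgs, in that order, that are
 * available (each at most once), followed by any available provider sigalgs.
 *
 * Returns 1 on success and 0 on failure (NULL |ctx| or allocation failure);
 * on failure nothing is attached to |ctx| and all temporaries are freed.
 */
int ssl_setup_sigalgs(SSL_CTX *ctx)
{
    size_t i, cache_idx, sigalgs_len, enabled;
    const SIGALG_LOOKUP *lu;
    SIGALG_LOOKUP *cache = NULL;
    uint16_t *tls12_sigalgs_list = NULL;
    EVP_PKEY *tmpkey = EVP_PKEY_new();
    int istls;
    int ret = 0;

    if (ctx == NULL)
        goto err;

    istls = !SSL_CTX_IS_DTLS(ctx);

    sigalgs_len = OSSL_NELEM(sigalg_lookup_tbl) + ctx->sigalg_list_len;

    cache = OPENSSL_zalloc(sizeof(const SIGALG_LOOKUP) * sigalgs_len);
    if (cache == NULL || tmpkey == NULL)
        goto err;

    tls12_sigalgs_list = OPENSSL_zalloc(sizeof(uint16_t) * sigalgs_len);
    if (tls12_sigalgs_list == NULL)
        goto err;

    /*
     * Probing key types that may be absent from the loaded providers pushes
     * errors on the error stack; the mark/pop pair keeps them from reaching
     * the caller.
     */
    ERR_set_mark();
    /* First fill cache and tls12_sigalgs list from legacy algorithm list */
    for (i = 0, lu = sigalg_lookup_tbl;
         i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
        EVP_PKEY_CTX *pctx;

        cache[i] = *lu;

        /*
         * Check hash is available.
         * This test is not perfect. A provider could have support
         * for a signature scheme, but not a particular hash. However the hash
         * could be available from some other loaded provider. In that case it
         * could be that the signature is available, and the hash is available
         * independently - but not as a combination. We ignore this for now.
         */
        if (lu->hash != NID_undef
            && ctx->ssl_digest_methods[lu->hash_idx] == NULL) {
            cache[i].available = 0;
            continue;
        }

        if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
            cache[i].available = 0;
            continue;
        }
        pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, tmpkey, ctx->propq);
        /* If unable to create pctx we assume the sig algorithm is unavailable */
        if (pctx == NULL)
            cache[i].available = 0;
        EVP_PKEY_CTX_free(pctx);
    }

    /* Now complete cache and tls12_sigalgs list with provider sig information */
    cache_idx = OSSL_NELEM(sigalg_lookup_tbl);
    for (i = 0; i < ctx->sigalg_list_len; i++) {
        TLS_SIGALG_INFO si = ctx->sigalg_list[i];
        cache[cache_idx].name = si.name;
        cache[cache_idx].name12 = si.sigalg_name;
        cache[cache_idx].sigalg = si.code_point;
        cache[cache_idx].hash = si.hash_name ? OBJ_txt2nid(si.hash_name) : NID_undef;
        cache[cache_idx].hash_idx = ssl_get_md_idx(cache[cache_idx].hash);
        cache[cache_idx].sig = OBJ_txt2nid(si.sigalg_name);
        /* Provider key types are numbered after the built-in SSL_PKEY_* slots */
        cache[cache_idx].sig_idx = i + SSL_PKEY_NUM;
        cache[cache_idx].sigandhash = OBJ_txt2nid(si.sigalg_name);
        cache[cache_idx].curve = NID_undef;
        /* Provider sigalgs are TLS 1.3 only; -1 marks them unusable for DTLS */
        cache[cache_idx].mintls = TLS1_3_VERSION;
        cache[cache_idx].maxtls = TLS1_3_VERSION;
        cache[cache_idx].mindtls = -1;
        cache[cache_idx].maxdtls = -1;
        /* Compatibility with TLS 1.3 is checked on load */
        cache[cache_idx].available = istls;
        cache[cache_idx].advertise = 0;
        cache_idx++;
    }
    ERR_pop_to_mark();

    /*
     * Build the advertised list in tls12_sigalgs order.  Entries 0..enabled-1
     * are the only ones ever read, so the list needs no other initialisation.
     */
    enabled = 0;
    for (i = 0; i < OSSL_NELEM(tls12_sigalgs); ++i) {
        SIGALG_LOOKUP *ent = cache;
        size_t j;

        for (j = 0; j < sigalgs_len; ent++, j++) {
            if (ent->sigalg != tls12_sigalgs[i])
                continue;
            /* Dedup by marking cache entry as default enabled. */
            if (ent->available && !ent->advertise) {
                ent->advertise = 1;
                tls12_sigalgs_list[enabled++] = tls12_sigalgs[i];
            }
            break;
        }
    }

    /* Append any provider sigalgs not yet handled */
    for (i = OSSL_NELEM(sigalg_lookup_tbl); i < sigalgs_len; ++i) {
        SIGALG_LOOKUP *ent = &cache[i];

        if (ent->available && !ent->advertise)
            tls12_sigalgs_list[enabled++] = ent->sigalg;
    }

    /* Ownership of both arrays passes to |ctx|; drop our pointers so that
     * the cleanup below does not free them. */
    ctx->sigalg_lookup_cache = cache;
    ctx->sigalg_lookup_cache_len = sigalgs_len;
    ctx->tls12_sigalgs = tls12_sigalgs_list;
    ctx->tls12_sigalgs_len = enabled;
    cache = NULL;
    tls12_sigalgs_list = NULL;

    ret = 1;
 err:
    OPENSSL_free(cache);
    OPENSSL_free(tls12_sigalgs_list);
    EVP_PKEY_free(tmpkey);
    return ret;
}

/* Growth step, in bytes, for the SSL_get1_builtin_sigalgs() result buffer */
#define SIGLEN_BUF_INCREMENT 100

/*
 * Build a colon separated list of the names of the built-in signature
 * algorithms (sigalg_lookup_tbl) whose digest can be fetched and whose key
 * type can be instantiated in |libctx|.  Provider-added sigalgs are not
 * included.
 *
 * Returns a newly allocated string that the caller must OPENSSL_free(), or
 * NULL on allocation failure.  The string is "" when nothing is available.
 */
char *SSL_get1_builtin_sigalgs(OSSL_LIB_CTX *libctx)
{
    size_t i, maxretlen = SIGLEN_BUF_INCREMENT;
    const SIGALG_LOOKUP *lu;
    EVP_PKEY *tmpkey = EVP_PKEY_new();
    char *retval = OPENSSL_malloc(maxretlen);

    /* Both resources are released on the err path below */
    if (retval == NULL || tmpkey == NULL)
        goto err;

    /* ensure retval string is NUL terminated */
    retval[0] = (char)0;

    for (i = 0, lu = sigalg_lookup_tbl;
         i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
        EVP_PKEY_CTX *pctx;
        int enabled = 1;

        /*
         * Probing for algorithms that may be absent pushes errors on the
         * error stack; every path out of this iteration pops to the mark.
         */
        ERR_set_mark();
        /* Check hash is available in some provider. */
        if (lu->hash != NID_undef) {
            EVP_MD *hash = EVP_MD_fetch(libctx, OBJ_nid2ln(lu->hash), NULL);

            /* If unable to create we assume the hash algorithm is unavailable */
            if (hash == NULL) {
                ERR_pop_to_mark();
                continue;
            }
            EVP_MD_free(hash);
        }

        if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
            ERR_pop_to_mark();
            continue;
        }
        pctx = EVP_PKEY_CTX_new_from_pkey(libctx, tmpkey, NULL);
        /* If unable to create pctx we assume the sig algorithm is unavailable */
        if (pctx == NULL)
            enabled = 0;
        ERR_pop_to_mark();
        EVP_PKEY_CTX_free(pctx);

        if (enabled) {
            const char *sa = lu->name;

            if (sa != NULL) {
                size_t retlen = strlen(retval);
                /* current text + ':' separator + name + NUL */
                size_t needed = retlen + 1 + strlen(sa) + 1;

                if (needed > maxretlen) {
                    char *tmp;

                    /*
                     * Grow in SIGLEN_BUF_INCREMENT steps until the whole
                     * entry fits, so the strlcat() calls below never
                     * truncate.
                     */
                    do {
                        maxretlen += SIGLEN_BUF_INCREMENT;
                    } while (needed > maxretlen);
                    tmp = OPENSSL_realloc(retval, maxretlen);
                    if (tmp == NULL)
                        goto err;
                    retval = tmp;
                }
                if (retlen > 0)
                    OPENSSL_strlcat(retval, ":", maxretlen);
                OPENSSL_strlcat(retval, sa, maxretlen);
            } else {
                /* lu->name must not be NULL */
                ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
            }
        }
    }

    EVP_PKEY_free(tmpkey);
    return retval;

 err:
    /* |retval| is still the last valid buffer when realloc fails */
    OPENSSL_free(retval);
    EVP_PKEY_free(tmpkey);
    return NULL;
}

/*
 * Lookup TLS signature algorithm.
 * Returns the cache entry whose code point is |sigalg|, or NULL if there is
 * no such entry or the entry is marked unavailable for this |ctx|.
 */
static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL_CTX *ctx,
                                               uint16_t sigalg)
{
    size_t i;
    const SIGALG_LOOKUP *lu = ctx->sigalg_lookup_cache;

    for (i = 0; i < ctx->sigalg_lookup_cache_len; lu++, i++) {
        if (lu->sigalg == sigalg) {
            if (!lu->available)
                return NULL;
            return lu;
        }
    }
    return NULL;
}

/*
 * Lookup hash: return 0 if invalid or not enabled.
 * On success stores the digest in |*pmd| (NULL for sigalgs with no
 * associated digest, e.g. EdDSA) when |pmd| is not NULL, and returns 1.
 */
int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
{
    const EVP_MD *md;

    if (lu == NULL)
        return 0;
    /* lu->hash == NID_undef means no associated digest */
    if (lu->hash == NID_undef) {
        md = NULL;
    } else {
        md = ssl_md(ctx, lu->hash_idx);
        if (md == NULL)
            return 0;
    }
    if (pmd)
        *pmd = md;
    return 1;
}

/*
 * Check if key is large enough to generate RSA-PSS signature.
 *
 * The key must be greater than or equal to 2 * hash length + 2 (in bytes).
 * SHA512 has a hash length of 64 bytes, which is incompatible
 * with a 128 byte (1024 bit) key.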
*/
#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2)
/*
 * Return 1 if |pkey| is large enough to produce an RSA-PSS signature with the
 * digest of |lu|, 0 otherwise.  Also returns 0 when |pkey| is NULL, when |lu|
 * has no usable digest, or when the digest size cannot be determined.
 * Key size and digest size are both compared in bytes.
 */
static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey,
                                      const SIGALG_LOOKUP *lu)
{
    const EVP_MD *md;

    if (pkey == NULL)
        return 0;
    if (!tls1_lookup_md(ctx, lu, &md) || md == NULL)
        return 0;
    if (EVP_MD_get_size(md) <= 0)
        return 0;
    if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md))
        return 0;
    return 1;
}

/*
 * Returns a signature algorithm when the peer did not send a list of supported
 * signature algorithms. The signature algorithm is fixed for the certificate
 * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
 * certificate type from |s| will be used: on a server it is derived from the
 * negotiated ciphersuite's authentication type, on a client from the
 * currently selected certificate slot.
 * Returns the signature algorithm to use, or NULL on error (no matching
 * certificate type, no default for that type, digest unavailable, or the
 * sigalg rejected by the security callback).
 */
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL_CONNECTION *s,
                                                   int idx)
{
    if (idx == -1) {
        if (s->server) {
            size_t i;

            /*
             * Work out index corresponding to ciphersuite.  If no slot's
             * auth mask matches, |idx| stays -1 and the range check below
             * fails.
             */
            for (i = 0; i < s->ssl_pkey_num; i++) {
                const SSL_CERT_LOOKUP *clu
                    = ssl_cert_lookup_by_idx(i, SSL_CONNECTION_GET_CTX(s));

                if (clu == NULL)
                    continue;
                if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) {
                    idx = i;
                    break;
                }
            }

            /*
             * Some GOST ciphersuites allow more than one signature algorithm:
             * prefer the newest GOST key type for which a private key is
             * actually loaded.
             */
            if (idx == SSL_PKEY_GOST01 && s->s3.tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
                int real_idx;

                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
                     real_idx--) {
                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
                        idx = real_idx;
                        break;
                    }
                }
            }
            /*
             * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can
             * be used with new (aGOST12-only) ciphersuites, we should find out
             * which one is really available.
             */
            else if (idx == SSL_PKEY_GOST12_256) {
                int real_idx;

                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256;
                     real_idx--) {
                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
                        idx = real_idx;
                        break;
                    }
                }
            }
        } else {
            /* Client: index of the currently selected entry in pkeys[] */
            idx = s->cert->key - s->cert->pkeys;
        }
    }
    if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
        return NULL;

    /*
     * With signature_algorithms in use (or for anything but RSA) the default
     * comes from tls_default_sigalg[]; a 0 entry there is not in the cache
     * and so yields NULL.  Plain RSA without sigalgs uses MD5+SHA1.
     */
    if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s),
                                                     tls_default_sigalg[idx]);

        if (lu == NULL)
            return NULL;
        if (!tls1_lookup_md(SSL_CONNECTION_GET_CTX(s), lu, NULL))
            return NULL;
        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
            return NULL;
        return lu;
    }
    if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
        return NULL;
    return &legacy_rsa_sigalg;
}
/*
 * Set peer sigalg based on key type.
 * Used when the peer sent no signature_algorithms: derives the certificate
 * type index of |pkey|, picks the legacy sigalg for it and stores it in
 * |s->s3.tmp.peer_sigalg|.  Returns 1 on success, 0 if the key type is
 * unknown or no legacy sigalg is usable.
 */
int tls1_set_peer_legacy_sigalg(SSL_CONNECTION *s, const EVP_PKEY *pkey)
{
    size_t idx;
    const SIGALG_LOOKUP *lu;

    if (ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)) == NULL)
        return 0;
    lu = tls1_get_legacy_sigalg(s, idx);
    if (lu == NULL)
        return 0;
    s->s3.tmp.peer_sigalg = lu;
    return 1;
}

/*
 * Return the list of signature algorithm code points we support, storing a
 * pointer to it in |*psigs| and returning its length.  |sent| is 1 when the
 * list is the one we send (or sent) to the peer; see the comment on
 * client_sigalgs below for how it selects the list.  Never returns 0 from the
 * Suite B branches; the other lists may be empty.
 */
size_t tls12_get_psigalgs(SSL_CONNECTION *s, int sent, const uint16_t **psigs)
{
    /*
     * If Suite B mode use Suite B sigalgs only, ignore any other
     * preferences.
     */
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        *psigs = suiteb_sigalgs;
        return OSSL_NELEM(suiteb_sigalgs);

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        *psigs = suiteb_sigalgs;
        return 1;

    case SSL_CERT_FLAG_SUITEB_192_LOS:
        *psigs = suiteb_sigalgs + 1;
        return 1;
    }
    /*
     * We use client_sigalgs (if not NULL) if we're a server
     * and sending a certificate request or if we're a client and
     * determining which shared algorithm to use.
     */
    if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
        *psigs = s->cert->client_sigalgs;
        return s->cert->client_sigalgslen;
    } else if (s->cert->conf_sigalgs) {
        *psigs = s->cert->conf_sigalgs;
        return s->cert->conf_sigalgslen;
    } else {
        /* Neither configured: fall back to the SSL_CTX default list */
        *psigs = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs;
        return SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs_len;
    }
}

/*
 * Called by servers only. Checks that we have a sig alg that supports the
 * specified EC curve.
 * Only ECDSA entries that are pinned to a specific curve (lu->curve set)
 * count; curve-agnostic ECDSA entries do not.  Returns 1 if found, else 0.
 */
int tls_check_sigalg_curve(const SSL_CONNECTION *s, int curve)
{
    const uint16_t *sigs;
    size_t siglen, i;

    if (s->cert->conf_sigalgs) {
        sigs = s->cert->conf_sigalgs;
        siglen = s->cert->conf_sigalgslen;
    } else {
        sigs = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs;
        siglen = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs_len;
    }

    for (i = 0; i < siglen; i++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), sigs[i]);

        if (lu == NULL)
            continue;
        if (lu->sig == EVP_PKEY_EC
            && lu->curve != NID_undef
            && curve == lu->curve)
            return 1;
    }

    return 0;
}

/*
 * Return the number of security bits for the signature algorithm, or 0 on
 * error.
 * Digest-based sigalgs are rated at half the digest size in bits, with SHA1,
 * MD5+SHA1 and MD5 forced below security level 1; EdDSA uses the RFC 8032
 * values; provider sigalgs use the secbits the provider reported.
 */
static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu)
{
    const EVP_MD *md = NULL;
    int secbits = 0;

    if (!tls1_lookup_md(ctx, lu, &md))
        return 0;
    if (md != NULL) {
        int md_type = EVP_MD_get_type(md);

        /* Security bits: half digest bits (digest size in bytes * 8 / 2) */
        secbits = EVP_MD_get_size(md) * 4;
        if (secbits <= 0)
            return 0;
        /*
         * SHA1 and MD5 are known to be broken. Reduce security bits so that
         * they're no longer accepted at security level 1. The real values don't
         * really matter as long as they're lower than 80, which is our
         * security level 1.
         * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for
         * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2
         * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
         * puts a chosen-prefix attack for MD5 at 2^39.
         */
        if (md_type == NID_sha1)
            secbits = 64;
        else if (md_type == NID_md5_sha1)
            secbits = 67;
        else if (md_type == NID_md5)
            secbits = 39;
    } else {
        /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
        if (lu->sigalg == TLSEXT_SIGALG_ed25519)
            secbits = 128;
        else if (lu->sigalg == TLSEXT_SIGALG_ed448)
            secbits = 224;
    }
    /*
     * For provider-based sigalgs we have secbits information available
     * in the (provider-loaded) sigalg_list structure.  sig_idx values at or
     * above SSL_PKEY_NUM index that list; the upper bound check guards
     * against a stale cache entry.
     */
    if ((secbits == 0) && (lu->sig_idx >= SSL_PKEY_NUM)
        && ((lu->sig_idx - SSL_PKEY_NUM) < (int)ctx->sigalg_list_len)) {
        secbits = ctx->sigalg_list[lu->sig_idx - SSL_PKEY_NUM].secbits;
    }
    return secbits;
}

/*
 * Return 1 if |lu| is available and usable with the protocol version(s) of
 * |sc|, 0 otherwise.
 *
 * The sigalg's window is [minversion, maxversion] taken from its (D)TLS
 * fields: -1 on either side means the sigalg does not exist for this
 * protocol family at all, 0 means unbounded on that side.  The connection's
 * window is [minproto, maxproto]: the configured min/max when the method is
 * version-flexible, otherwise the single fixed version.  The two windows
 * must overlap (0 on the connection side also means unbounded), and the
 * security callback must accept the sigalg.
 * NOTE(review): assumes ssl_version_cmp() orders versions in protocol order
 * for both TLS and DTLS (DTLS version numbers run backwards) — confirm.
 */
static int tls_sigalg_compat(SSL_CONNECTION *sc, const SIGALG_LOOKUP *lu)
{
    int minversion, maxversion;
    int minproto, maxproto;

    if (!lu->available)
        return 0;

    if (SSL_CONNECTION_IS_DTLS(sc)) {
        if (sc->ssl.method->version == DTLS_ANY_VERSION) {
            minproto = sc->min_proto_version;
            maxproto = sc->max_proto_version;
        } else {
            maxproto = minproto = sc->version;
        }
        minversion = lu->mindtls;
        maxversion = lu->maxdtls;
    } else {
        if (sc->ssl.method->version == TLS_ANY_VERSION) {
            minproto = sc->min_proto_version;
            maxproto = sc->max_proto_version;
        } else {
            maxproto = minproto = sc->version;
        }
        minversion = lu->mintls;
        maxversion = lu->maxtls;
    }
    if (minversion == -1 || maxversion == -1
        || (minversion != 0 && maxproto != 0
            && ssl_version_cmp(sc, minversion, maxproto) > 0)
        || (maxversion != 0 && minproto != 0
            && ssl_version_cmp(sc, maxversion, minproto) < 0)
        || !tls12_sigalg_allowed(sc, SSL_SECOP_SIGALG_SUPPORTED, lu))
        return 0;
    return 1;
}

/*
 * Check signature algorithm is consistent with sent supported signature
 * algorithms and if so set relevant digest and signature scheme in
 * s.
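*/
/*
 * Validate the signature algorithm |sig| that the peer chose for a signature
 * made with |pkey|, and on success record it in |s->s3.tmp.peer_sigalg|.
 *
 * Checks, in order: DSA is refused and RSA is treated as RSA-PSS under
 * TLS 1.3; the code point must be in the cache and compatible with the
 * negotiated protocol; the key type must match the sigalg (RSA keys may be
 * used for rsa_pss_rsae); the sigalg's certificate index must match the
 * key's; EC keys must use a permitted point format, the curve pinned by the
 * sigalg (TLS 1.3 / Suite B) and a negotiated group (pre-1.3); Suite B
 * rejects everything but its two ECDSA code points; the sigalg must be one
 * we advertised (SHA1 tolerated unless SSL_CERT_FLAGS_CHECK_TLS_STRICT);
 * finally the security callback must accept it.
 *
 * Returns 1 if the sigalg is accepted and stored, 0 otherwise.  Every
 * failure path has already called SSLfatal() with the appropriate alert.
 */
int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey)
{
    const uint16_t *sent_sigs;
    const EVP_MD *md = NULL;
    char sigalgstr[2];
    size_t sent_sigslen, i, cidx;
    int pkeyid = -1;
    const SIGALG_LOOKUP *lu;
    int secbits = 0;

    pkeyid = EVP_PKEY_get_id(pkey);

    if (SSL_CONNECTION_IS_TLS13(s)) {
        /* Disallow DSA for TLS 1.3 */
        if (pkeyid == EVP_PKEY_DSA) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
        /* Only allow PSS for TLS 1.3 */
        if (pkeyid == EVP_PKEY_RSA)
            pkeyid = EVP_PKEY_RSA_PSS;
    }

    /* Is this code point available and compatible with the protocol */
    lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), sig);
    if (lu == NULL || !tls_sigalg_compat(s, lu)) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }

    /* If we don't know the pkey nid yet go and find it */
    if (pkeyid == EVP_PKEY_KEYMGMT) {
        const SSL_CERT_LOOKUP *scl = ssl_cert_lookup_by_pkey(pkey, NULL, SSL_CONNECTION_GET_CTX(s));

        if (scl == NULL) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
        pkeyid = scl->pkey_nid;
    }

    /*
     * Should never happen.  Return 0 like every other failure path: a
     * non-zero result here would read as success to a caller testing
     * "!ret" even though SSLfatal() has already been raised.
     */
    if (pkeyid == -1) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }

    /*
     * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
     * is consistent with signature: RSA keys can be used for RSA-PSS
     */
    if ((SSL_CONNECTION_IS_TLS13(s)
         && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
        || (pkeyid != lu->sig
            && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
    /*
     * Check the sigalg is consistent with the key OID.  For PSS the lookup
     * uses the key's own id so that an RSA key maps to the RSA slot and an
     * RSA-PSS key to the RSA-PSS slot, matching the sig_idx of the sigalg.
     */
    if (!ssl_cert_lookup_by_nid(
            (pkeyid == EVP_PKEY_RSA_PSS) ? EVP_PKEY_get_id(pkey) : pkeyid,
            &cidx, SSL_CONNECTION_GET_CTX(s))
        || lu->sig_idx != (int)cidx) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }

    if (pkeyid == EVP_PKEY_EC) {

        /* Check point compression is permitted */
        if (!tls1_check_pkey_comp(s, pkey)) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_R_ILLEGAL_POINT_COMPRESSION);
            return 0;
        }

        /* For TLS 1.3 or Suite B check curve matches signature algorithm */
        if (SSL_CONNECTION_IS_TLS13(s) || tls1_suiteb(s)) {
            int curve = ssl_get_EC_curve_nid(pkey);

            if (lu->curve != NID_undef && curve != lu->curve) {
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
                return 0;
            }
        }
        if (!SSL_CONNECTION_IS_TLS13(s)) {
            /* Check curve matches extensions */
            if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
                return 0;
            }
            if (tls1_suiteb(s)) {
                /* Check sigalg matches a permissible Suite B value */
                if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
                    && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_R_WRONG_SIGNATURE_TYPE);
                    return 0;
                }
            }
        }
    } else if (tls1_suiteb(s)) {
        /* Suite B permits ECDSA only */
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }

    /* Check signature matches a type we sent */
    sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
    for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
        if (sig == *sent_sigs)
            break;
    }
    /*
     * Allow fallback to SHA1 if not strict mode: a sigalg we did not
     * advertise is rejected unless it is SHA1-based and strict checking is
     * off.
     */
    if (i == sent_sigslen && (lu->hash != NID_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
    if (!tls1_lookup_md(SSL_CONNECTION_GET_CTX(s), lu, &md)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
        return 0;
    }
    /*
     * Make sure security callback allows algorithm. For historical
     * reasons we have to pass the sigalg as a two byte char array
     * (big-endian code point).  A secbits of 0 means the strength is
     * unknown, which is treated as a failure.
     */
    sigalgstr[0] = (sig >> 8) & 0xff;
    sigalgstr[1] = sig & 0xff;
    secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
    if (secbits == 0 || !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, md != NULL ? EVP_MD_get_type(md) : NID_undef, (void *)sigalgstr)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
    /* Store the sigalg the peer uses */
    s->s3.tmp.peer_sigalg = lu;
    return 1;
}

/*
 * Report the key type NID (EVP_PKEY_*) of the signature algorithm the peer
 * used, as recorded by tls12_check_peer_sigalg() or
 * tls1_set_peer_legacy_sigalg().  Returns 1 and sets |*pnid| on success,
 * 0 if |s| is not a connection or no peer sigalg has been recorded.
 */
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
{
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);

    if (sc == NULL)
        return 0;

    if (sc->s3.tmp.peer_sigalg == NULL)
        return 0;
    *pnid = sc->s3.tmp.peer_sigalg->sig;
    return 1;
}

/*
 * Report the key type NID (EVP_PKEY_*) of the signature algorithm we use for
 * our own signatures.  Returns 1 and sets |*pnid| on success, 0 if |s| is not
 * a connection or no sigalg has been selected yet.
 */
int SSL_get_signature_type_nid(const SSL *s, int *pnid)
{
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);

    if (sc == NULL)
        return 0;

    if (sc->s3.tmp.sigalg == NULL)
        return 0;
    *pnid = sc->s3.tmp.sigalg->sig;
    return 1;
}

/*
 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
 * supported, doesn't appear in supported signature algorithms, isn't supported
 * by the enabled protocol versions or by the security level.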
*
 * This function should only be used for checking which ciphers are supported
 * by the client.
 *
 * Call ssl_cipher_disabled() to check that it's enabled or not.
 */
int ssl_set_client_disabled(SSL_CONNECTION *s)
{
    uint32_t *mask_a = &s->s3.tmp.mask_a;

    /* Start from "nothing disabled" and accumulate restrictions below. */
    *mask_a = 0;
    s->s3.tmp.mask_k = 0;

    /* Authentication methods for which no usable signature algorithm exists. */
    ssl_set_sig_mask(mask_a, s, SSL_SECOP_SIGALG_MASK);

    /* Version bounds are consumed later by ssl_cipher_disabled(). */
    if (ssl_get_min_max_version(s, &s->s3.tmp.min_ver,
                                &s->s3.tmp.max_ver, NULL) != 0)
        return 0;
#ifndef OPENSSL_NO_PSK
    /* PSK suites are unusable without a client PSK callback. */
    if (s->psk_client_callback == NULL) {
        *mask_a |= SSL_aPSK;
        s->s3.tmp.mask_k |= SSL_PSK;
    }
#endif /* OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_SRP
    /* SRP suites need SRP to have been enabled in the SRP context. */
    if ((s->srp_ctx.srp_Mask & SSL_kSRP) == 0) {
        *mask_a |= SSL_aSRP;
        s->s3.tmp.mask_k |= SSL_kSRP;
    }
#endif
    return 1;
}

/*
 * ssl_cipher_disabled - check that a cipher is disabled or not
 * @s: SSL connection that you want to use the cipher on
 * @c: cipher to check
 * @op: Security check that you want to do
 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
 *
 * Returns 1 when it's disabled, 0 when enabled.
*/
int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c,
                        int op, int ecdhe)
{
    /* Pick the version window that applies to this transport */
    int minversion = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls;
    int maxversion = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls;

    /* Key exchange or authentication method masked out (see ssl_set_client_disabled()) */
    if (c->algorithm_mkey & s->s3.tmp.mask_k
        || c->algorithm_auth & s->s3.tmp.mask_a)
        return 1;
    /* No usable protocol version at all */
    if (s->s3.tmp.max_ver == 0)
        return 1;

    /*
     * For QUIC, only allow these ciphersuites. The whole switch is the body
     * of this if; braces would make that more obvious to a reader.
     */
    if (SSL_IS_QUIC_INT_HANDSHAKE(s))
        switch (SSL_CIPHER_get_id(c)) {
        case TLS1_3_CK_AES_128_GCM_SHA256:
        case TLS1_3_CK_AES_256_GCM_SHA384:
        case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
            break;
        default:
            return 1;
        }

    /*
     * For historical reasons we will allow ECHDE to be selected by a server
     * in SSLv3 if we are a client
     */
    if (minversion == TLS1_VERSION
        && ecdhe
        && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
        minversion = SSL3_VERSION;

    /* Cipher's version window must overlap the connection's */
    if (ssl_version_cmp(s, minversion, s->s3.tmp.max_ver) > 0
        || ssl_version_cmp(s, maxversion, s->s3.tmp.min_ver) < 0)
        return 1;

    /* Finally the security level / callback gets a veto */
    return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}

/*
 * Whether session tickets may be used on this connection: they must not be
 * disabled via SSL_OP_NO_TICKET and the security callback must permit them.
 * Returns 1 if tickets are usable, 0 otherwise.
 */
int tls_use_ticket(SSL_CONNECTION *s)
{
    if ((s->options & SSL_OP_NO_TICKET))
        return 0;
    return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}

/*
 * Server side: (re)compute the signature algorithms shared with the client
 * and the per-certificate validity flags.
 *
 * Returns 1 on success. Returns 0 (after SSLfatal() except for the
 * allocation failure) if the flags array cannot be allocated, sigalg
 * processing fails, or no signature algorithm is shared.
 */
int tls1_set_server_sigalgs(SSL_CONNECTION *s)
{
    size_t i;

    /* Clear any shared signature algorithms */
    OPENSSL_free(s->shared_sigalgs);
    s->shared_sigalgs = NULL;
    s->shared_sigalgslen = 0;

    /* Clear certificate validity flags (one uint32_t per certificate slot) */
    if (s->s3.tmp.valid_flags)
        memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t));
    else
        s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t));
    if (s->s3.tmp.valid_flags == NULL)
        return 0;
    /*
     * If peer sent no signature algorithms check to see if we support
     * the default algorithm for each certificate type
     */
    if (s->s3.tmp.peer_cert_sigalgs == NULL
        && s->s3.tmp.peer_sigalgs == NULL) {
        const uint16_t *sent_sigs;
        size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);

        for (i = 0; i < s->ssl_pkey_num; i++) {
            const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
            size_t j;

            if (lu == NULL)
                continue;
            /* Check default matches a type we sent */
            for (j = 0; j < sent_sigslen; j++) {
                if (lu->sigalg == sent_sigs[j]) {
                    s->s3.tmp.valid_flags[i] = CERT_PKEY_SIGN;
                    break;
                }
            }
        }
        return 1;
    }

    if (!tls1_process_sigalgs(s)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (s->shared_sigalgs != NULL)
        return 1;

    /* Fatal error if no shared signature algorithms */
    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
             SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
    return 0;
}

/*-
 * Gets the ticket information supplied by the client if any.
 *
 *   hello: The parsed ClientHello data
 *   ret: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 *
 * Returns SSL_TICKET_NONE when no ticket is to be processed, otherwise the
 * result of tls_decrypt_ticket(). Also resets s->ext.ticket_expected.
 */
SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s,
                                             CLIENTHELLO_MSG *hello,
                                             SSL_SESSION **ret)
{
    size_t size;
    RAW_EXTENSION *ticketext;

    *ret = NULL;
    s->ext.ticket_expected = 0;

    /*
     * If tickets disabled or not supported by the protocol version
     * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
     * resumption.
     */
    if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
        return SSL_TICKET_NONE;

    ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
    if (!ticketext->present)
        return SSL_TICKET_NONE;

    /* An extension that is present but empty yields SSL_TICKET_EMPTY below */
    size = PACKET_remaining(&ticketext->data);

    /*
     * hello->session_id_len is passed straight through and is later used as
     * a memcpy length into the session; it is assumed to have been bounded
     * by the ClientHello parser.
     */
    return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
                              hello->session_id, hello->session_id_len, ret);
}

/*-
 * tls_decrypt_ticket attempts to decrypt a session ticket.
 *
 * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are
 * expecting a pre-shared key ciphersuite, in which case we have no use for
 * session tickets and one will never be decrypted, nor will
 * s->ext.ticket_expected be set to 1.
 *
 * Side effects:
 *   Sets s->ext.ticket_expected to 1 if the server will have to issue
 *   a new session ticket to the client because the client indicated support
 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
 *   a session ticket or we couldn't use the one it gave us, or if
 *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
 *   Otherwise, s->ext.ticket_expected is set to 0.
 *
 *   etick: points to the body of the session ticket extension.
 *   eticklen: the length of the session tickets extension.
 *   sess_id: points at the session ID.
 *   sesslen: the length of the session ID.
*   psess: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 */
SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
                                     const unsigned char *etick,
                                     size_t eticklen,
                                     const unsigned char *sess_id,
                                     size_t sesslen, SSL_SESSION **psess)
{
    SSL_SESSION *sess = NULL;
    unsigned char *sdec;
    const unsigned char *p;
    int slen, ivlen, renew_ticket = 0, declen;
    SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
    size_t mlen;
    unsigned char tick_hmac[EVP_MAX_MD_SIZE];
    SSL_HMAC *hctx = NULL;
    EVP_CIPHER_CTX *ctx = NULL;
    /* Ticket keys/callbacks come from the session context, library context from the SSL_CTX */
    SSL_CTX *tctx = s->session_ctx;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    if (eticklen == 0) {
        /*
         * The client will accept a ticket but doesn't currently have
         * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
         */
        ret = SSL_TICKET_EMPTY;
        goto end;
    }
    if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) {
        /*
         * Indicate that the ticket couldn't be decrypted rather than
         * generating the session from ticket now, trigger
         * abbreviated handshake based on external mechanism to
         * calculate the master secret later.
         */
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }

    /*
     * Need at least keyname + iv. This is a coarse check against the
     * maximum IV size; the exact check with the real IV and MAC lengths
     * happens once the contexts are set up.
     */
    if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }

    /* Initialize session ticket encryption and HMAC contexts */
    hctx = ssl_hmac_new(tctx);
    if (hctx == NULL) {
        ret = SSL_TICKET_FATAL_ERR_MALLOC;
        goto end;
    }
    ctx = EVP_CIPHER_CTX_new();
    if (ctx == NULL) {
        ret = SSL_TICKET_FATAL_ERR_MALLOC;
        goto end;
    }
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL)
#else
    if (tctx->ext.ticket_key_evp_cb != NULL)
#endif
    {
        /*
         * Application-supplied key callback: it is responsible for
         * recognising the key name and initialising |ctx| and the MAC
         * context. The const is cast away because the callback signatures
         * take non-const buffers; the callback is not expected to write
         * to them.
         */
        unsigned char *nctick = (unsigned char *)etick;
        int rv = 0;

        if (tctx->ext.ticket_key_evp_cb != NULL)
            rv = tctx->ext.ticket_key_evp_cb(SSL_CONNECTION_GET_USER_SSL(s),
                                             nctick,
                                             nctick + TLSEXT_KEYNAME_LENGTH,
                                             ctx,
                                             ssl_hmac_get0_EVP_MAC_CTX(hctx),
                                             0);
#ifndef OPENSSL_NO_DEPRECATED_3_0
        else if (tctx->ext.ticket_key_cb != NULL)
            /* if 0 is returned, write an empty ticket */
            rv = tctx->ext.ticket_key_cb(SSL_CONNECTION_GET_USER_SSL(s), nctick,
                                         nctick + TLSEXT_KEYNAME_LENGTH,
                                         ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0);
#endif
        /* Callback contract: <0 fatal, 0 unknown key name, 1 ok, 2 ok but renew */
        if (rv < 0) {
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            goto end;
        }
        if (rv == 0) {
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }
        if (rv == 2)
            renew_ticket = 1;
    } else {
        EVP_CIPHER *aes256cbc = NULL;

        /*
         * Check key name matches. The key name is not secret, so an
         * ordinary memcmp is fine here; the secret-dependent comparison is
         * the MAC check below.
         */
        if (memcmp(etick, tctx->ext.tick_key_name,
                   TLSEXT_KEYNAME_LENGTH)
            != 0) {
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }

        /* Built-in scheme: AES-256-CBC with the IV from the ticket, HMAC-SHA256 */
        aes256cbc = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC",
                                     sctx->propq);
        if (aes256cbc == NULL
            || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
                             sizeof(tctx->ext.secure->tick_hmac_key),
                             "SHA256")
                <= 0
            || EVP_DecryptInit_ex(ctx, aes256cbc, NULL,
                                  tctx->ext.secure->tick_aes_key,
                                  etick + TLSEXT_KEYNAME_LENGTH)
                <= 0) {
            EVP_CIPHER_free(aes256cbc);
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            goto end;
        }
        EVP_CIPHER_free(aes256cbc);
        if (SSL_CONNECTION_IS_TLS13(s))
            renew_ticket = 1;
    }
    /*
     * Attempt to process session ticket, first conduct sanity and integrity
     * checks on ticket. Layout: keyname || IV || ciphertext || MAC, with the
     * MAC covering everything before it (encrypt-then-MAC), so the MAC is
     * verified before any decryption is attempted.
     */
    mlen = ssl_hmac_size(hctx);
    if (mlen == 0) {
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }

    ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
    if (ivlen < 0) {
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }

    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
    if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    /* From here on eticklen no longer includes the trailing MAC */
    eticklen -= mlen;
    /* Check HMAC of encrypted ticket */
    if (ssl_hmac_update(hctx, etick, eticklen) <= 0
        || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) {
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }

    /* Constant-time tag comparison: must not leak which bytes differ */
    if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    /* Attempt to decrypt session data */
    /* Move p after IV to start of encrypted ticket, update length */
    p = etick + TLSEXT_KEYNAME_LENGTH + ivlen;
    eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen;
    sdec = OPENSSL_malloc(eticklen);
    if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, (int)eticklen) <= 0) {
        OPENSSL_free(sdec);
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }
    /*
     * A padding failure is treated like any other undecryptable ticket
     * (not fatal): the client simply gets a fresh ticket. The MAC check
     * above already guarantees the ciphertext is authentic.
     */
    if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
        OPENSSL_free(sdec);
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    slen += declen;
    p = sdec;

    sess = d2i_SSL_SESSION_ex(NULL, &p, slen, sctx->libctx, sctx->propq);
    /* Remaining length after parsing; anything left over is rejected below */
    slen -= p - sdec;
    OPENSSL_free(sdec);
    if (sess) {
        /* Some additional consistency checks */
        if (slen != 0) {
            SSL_SESSION_free(sess);
            sess = NULL;
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }
        /*
         * The session ID, if non-empty, is used by some clients to detect
         * that the ticket has been accepted. So we copy it to the session
         * structure. If it is empty set length to zero as required by
         * standard.
         *
         * NOTE(review): no bound on |sesslen| is checked here; this relies
         * on the caller having limited the session ID to the size of
         * sess->session_id -- confirm at the ClientHello parser.
         */
        if (sesslen) {
            memcpy(sess->session_id, sess_id, sesslen);
            sess->session_id_length = sesslen;
        }
        if (renew_ticket)
            ret = SSL_TICKET_SUCCESS_RENEW;
        else
            ret = SSL_TICKET_SUCCESS;
        goto end;
    }
    ERR_clear_error();
    /*
     * For session parse failure, indicate that we need to send a new ticket.
     */
    ret = SSL_TICKET_NO_DECRYPT;

end:
    EVP_CIPHER_CTX_free(ctx);
    ssl_hmac_free(hctx);

    /*
     * If set, the decrypt_ticket_cb() is called unless a fatal error was
     * detected above. The callback is responsible for checking |ret| before it
     * performs any action
     */
    if (s->session_ctx->decrypt_ticket_cb != NULL
        && (ret == SSL_TICKET_EMPTY
            || ret == SSL_TICKET_NO_DECRYPT
            || ret == SSL_TICKET_SUCCESS
            || ret == SSL_TICKET_SUCCESS_RENEW)) {
        /*
         * NOTE(review): eticklen may already have been reduced by the MAC,
         * key-name and IV lengths on the paths above, so keyname_len can be
         * shorter than TLSEXT_KEYNAME_LENGTH even for a full-length ticket
         * whose ciphertext part was short. Presumably harmless for the
         * callback, which only needs the key-name prefix -- verify.
         */
        size_t keyname_len = eticklen;
        int retcb;

        if (keyname_len > TLSEXT_KEYNAME_LENGTH)
            keyname_len = TLSEXT_KEYNAME_LENGTH;
        retcb = s->session_ctx->decrypt_ticket_cb(SSL_CONNECTION_GET_SSL(s),
                                                  sess, etick, keyname_len,
                                                  ret,
                                                  s->session_ctx->ticket_cb_data);
        switch (retcb) {
        case SSL_TICKET_RETURN_ABORT:
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            break;

        case SSL_TICKET_RETURN_IGNORE:
            ret = SSL_TICKET_NONE;
            SSL_SESSION_free(sess);
            sess = NULL;
            break;

        case SSL_TICKET_RETURN_IGNORE_RENEW:
            if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT)
                ret = SSL_TICKET_NO_DECRYPT;
            /* else the value of |ret| will already do the right thing */
            SSL_SESSION_free(sess);
            sess = NULL;
            break;

        case SSL_TICKET_RETURN_USE:
        case SSL_TICKET_RETURN_USE_RENEW:
            /* The callback may not "use" a session that was never decrypted */
            if (ret != SSL_TICKET_SUCCESS
                && ret != SSL_TICKET_SUCCESS_RENEW)
                ret = SSL_TICKET_FATAL_ERR_OTHER;
            else if (retcb == SSL_TICKET_RETURN_USE)
                ret = SSL_TICKET_SUCCESS;
            else
                ret = SSL_TICKET_SUCCESS_RENEW;
            break;

        default:
            /* Unknown callback result is treated as fatal */
            ret = SSL_TICKET_FATAL_ERR_OTHER;
        }
    }

    /* Decide whether a NewSessionTicket has to be issued (see header comment) */
    if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) {
        switch (ret) {
        case SSL_TICKET_NO_DECRYPT:
        case SSL_TICKET_SUCCESS_RENEW:
        case SSL_TICKET_EMPTY:
            s->ext.ticket_expected = 1;
        }
    }

    *psess = sess;

    return ret;
}

/*
 * Check to see if a signature algorithm is allowed.
 *
 * Applies, in order: availability of the algorithm, the TLS 1.3 DSA ban, the
 * "no legacy algorithms when only TLS 1.3 can be negotiated" client rule,
 * the per-certificate-type disable list, the GOST special cases and finally
 * the security callback for operation |op|.
 *
 * Returns non-zero if allowed, 0 if not (also for a NULL |lu|).
 */
static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op,
                                const SIGALG_LOOKUP *lu)
{
    unsigned char sigalgstr[2];
    int secbits;

    if (lu == NULL || !lu->available)
        return 0;
    /* DSA is not allowed in TLS 1.3 */
    if (SSL_CONNECTION_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
        return 0;
    /*
     * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3
     * spec
     */
    if (!s->server && !SSL_CONNECTION_IS_DTLS(s)
        && s->s3.tmp.min_ver >= TLS1_3_VERSION
        && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
            || lu->hash_idx == SSL_MD_MD5_IDX
            || lu->hash_idx == SSL_MD_SHA224_IDX))
        return 0;

    /* See if public key algorithm allowed */
    if (ssl_cert_is_disabled(SSL_CONNECTION_GET_CTX(s), lu->sig_idx))
        return 0;

    if (lu->sig == NID_id_GostR3410_2012_256
        || lu->sig == NID_id_GostR3410_2012_512
        || lu->sig == NID_id_GostR3410_2001) {
        /* We never allow GOST sig algs on the server with TLSv1.3 */
        if (s->server && SSL_CONNECTION_IS_TLS13(s))
            return 0;
        if (!s->server
            && SSL_CONNECTION_GET_SSL(s)->method->version == TLS_ANY_VERSION
            && s->s3.tmp.max_ver >= TLS1_3_VERSION) {
            int i, num;
            STACK_OF(SSL_CIPHER) *sk;

            /*
             * We're a client that could negotiate TLSv1.3. We only allow GOST
             * sig algs if we could negotiate TLSv1.2 or below and we have GOST
             * ciphersuites enabled.
             */

            if (s->s3.tmp.min_ver >= TLS1_3_VERSION)
                return 0;

            sk = SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s));
            num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0;
            for (i = 0; i < num; i++) {
                const SSL_CIPHER *c;

                c = sk_SSL_CIPHER_value(sk, i);
                /* Skip disabled ciphers */
                if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
                    continue;

                if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0)
                    break;
            }
            /* No enabled GOST cipher suite found */
            if (i == num)
                return 0;
        }
    }

    /* Finally see if security callback allows it (sigalg passed as two raw bytes) */
    secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
    sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
    sigalgstr[1] = lu->sigalg & 0xff;
    return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
}

/*
 * Get a mask of disabled public key algorithms based on supported signature
 * algorithms. For example if no signature algorithm supports RSA then RSA is
 * disabled.
 *
 * The result is OR-ed into *pmask_a (the caller's existing bits are kept).
 * |op| is the security operation passed to tls12_sigalg_allowed().
 */

void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op)
{
    const uint16_t *sigalgs;
    size_t i, sigalgslen;
    /* Start with all three disabled; each usable sigalg re-enables its auth type */
    uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
    /*
     * Go through all signature algorithms seeing if we support any
     * in disabled_mask.
     */
    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
    for (i = 0; i < sigalgslen; i++, sigalgs++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *sigalgs);
        const SSL_CERT_LOOKUP *clu;

        if (lu == NULL)
            continue;

        clu = ssl_cert_lookup_by_idx(lu->sig_idx,
                                     SSL_CONNECTION_GET_CTX(s));
        if (clu == NULL)
            continue;

        /* If algorithm is disabled see if we can enable it */
        if ((clu->amask & disabled_mask) != 0
            && tls12_sigalg_allowed(s, op, lu))
            disabled_mask &= ~clu->amask;
    }
    *pmask_a |= disabled_mask;
}

/*
 * Write the protocol-compatible entries of |psig| (|psiglen| code points)
 * to |pkt| as 16-bit values.
 *
 * Returns 1 if at least one suitable algorithm was written, 0 on a packet
 * write failure or (with an error raised) if nothing suitable was found.
 */
int tls12_copy_sigalgs(SSL_CONNECTION *s, WPACKET *pkt,
                       const uint16_t *psig, size_t psiglen)
{
    size_t i;
    int rv = 0;

    for (i = 0; i < psiglen; i++, psig++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *psig);

        if (lu == NULL || !tls_sigalg_compat(s, lu))
            continue;
        if (!WPACKET_put_bytes_u16(pkt, *psig))
            return 0;
        /*
         * If TLS 1.3 must have at least one valid TLS 1.3 message
         * signing algorithm: i.e.
neither RSA nor SHA1/SHA224 3447 1.1 christos */ 3448 1.1.1.2 christos if (rv == 0 && (!SSL_CONNECTION_IS_TLS13(s) || (lu->sig != EVP_PKEY_RSA && lu->hash != NID_sha1 && lu->hash != NID_sha224))) 3449 1.1 christos rv = 1; 3450 1.1 christos } 3451 1.1 christos if (rv == 0) 3452 1.1 christos ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3453 1.1 christos return rv; 3454 1.1 christos } 3455 1.1 christos 3456 1.1 christos /* Given preference and allowed sigalgs set shared sigalgs */ 3457 1.1 christos static size_t tls12_shared_sigalgs(SSL_CONNECTION *s, 3458 1.1.1.2 christos const SIGALG_LOOKUP **shsig, 3459 1.1.1.2 christos const uint16_t *pref, size_t preflen, 3460 1.1.1.2 christos const uint16_t *allow, size_t allowlen) 3461 1.1 christos { 3462 1.1 christos const uint16_t *ptmp, *atmp; 3463 1.1 christos size_t i, j, nmatch = 0; 3464 1.1 christos for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { 3465 1.1.1.2 christos const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *ptmp); 3466 1.1 christos 3467 1.1 christos /* Skip disabled hashes or signature algorithms */ 3468 1.1 christos if (lu == NULL 3469 1.1.1.2 christos || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) 3470 1.1 christos continue; 3471 1.1 christos for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { 3472 1.1 christos if (*ptmp == *atmp) { 3473 1.1 christos nmatch++; 3474 1.1 christos if (shsig) 3475 1.1 christos *shsig++ = lu; 3476 1.1 christos break; 3477 1.1 christos } 3478 1.1 christos } 3479 1.1 christos } 3480 1.1 christos return nmatch; 3481 1.1 christos } 3482 1.1 christos 3483 1.1 christos /* Set shared signature algorithms for SSL structures */ 3484 1.1 christos static int tls1_set_shared_sigalgs(SSL_CONNECTION *s) 3485 1.1 christos { 3486 1.1 christos const uint16_t *pref, *allow, *conf; 3487 1.1 christos size_t preflen, allowlen, conflen; 3488 1.1 christos size_t nmatch; 3489 1.1 christos const SIGALG_LOOKUP **salgs = NULL; 3490 1.1 christos 
    CERT *c = s->cert;
    unsigned int is_suiteb = tls1_suiteb(s);

    /* Any earlier result is discarded before recomputing. */
    OPENSSL_free(s->shared_sigalgs);
    s->shared_sigalgs = NULL;
    s->shared_sigalgslen = 0;
    /*
     * Pick "our" list: the client-specific list when acting as a client,
     * otherwise the general configured list. Suite B ignores both and uses
     * the built-in defaults from tls12_get_psigalgs().
     */
    /* If client use client signature algorithms if not NULL */
    if (!s->server && c->client_sigalgs && !is_suiteb) {
        conf = c->client_sigalgs;
        conflen = c->client_sigalgslen;
    } else if (c->conf_sigalgs && !is_suiteb) {
        conf = c->conf_sigalgs;
        conflen = c->conf_sigalgslen;
    } else
        conflen = tls12_get_psigalgs(s, 0, &conf);
    /*
     * With SSL_OP_CIPHER_SERVER_PREFERENCE (or Suite B) our order decides the
     * order of the shared list; otherwise the peer's order is preferred.
     */
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
        pref = conf;
        preflen = conflen;
        allow = s->s3.tmp.peer_sigalgs;
        allowlen = s->s3.tmp.peer_sigalgslen;
    } else {
        allow = conf;
        allowlen = conflen;
        pref = s->s3.tmp.peer_sigalgs;
        preflen = s->s3.tmp.peer_sigalgslen;
    }
    /* Two passes: count first, then allocate exactly nmatch slots and fill. */
    nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
    if (nmatch) {
        if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL)
            return 0;
        nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
    } else {
        salgs = NULL;
    }
    s->shared_sigalgs = salgs;
    s->shared_sigalgslen = nmatch;
    return 1;
}

/*
 * Copy the remaining contents of |pkt| as an array of big-endian 16-bit
 * values into a freshly allocated buffer stored at |*pdest| (freeing whatever
 * |*pdest| previously held); |*pdestlen| receives the element count.
 *
 * |pkt| is peer-supplied extension data: an empty or odd-length body is
 * rejected, the allocation is bounded by PACKET_remaining() (and therefore by
 * the record that carried the extension), and a short read frees the new
 * buffer and leaves |*pdest| / |*pdestlen| untouched.
 * Returns 1 on success, 0 on malformed input or allocation failure.
 */
int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
{
    unsigned int stmp;
    size_t size, i;
    uint16_t *buf;

    size = PACKET_remaining(pkt);

    /* Invalid data length */
    if (size == 0 || (size & 1) != 0)
        return 0;

    size >>= 1;

    if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL)
        return 0;
    for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
        buf[i] = stmp;

    if (i != size) {
        OPENSSL_free(buf);
        return 0;
    }

    OPENSSL_free(*pdest);
    *pdest = buf;
    *pdestlen = size;

    return 1;
}

/*
 * Store the peer's signature_algorithms (|cert| == 0) or
 * signature_algorithms_cert (|cert| != 0) extension body for later use.
 *
 * Returns 1 (and stores nothing) when the extension does not apply to the
 * negotiated protocol version, 0 if s->cert is unexpectedly NULL or the body
 * is malformed (see tls1_save_u16()), 1 on a successful save.
 */
int tls1_save_sigalgs(SSL_CONNECTION *s, PACKET *pkt, int cert)
{
    /* Extension ignored for inappropriate versions */
    if (!SSL_USE_SIGALGS(s))
        return 1;
    /* Should never happen */
    if (s->cert == NULL)
        return 0;

    if (cert)
        return tls1_save_u16(pkt, &s->s3.tmp.peer_cert_sigalgs,
                             &s->s3.tmp.peer_cert_sigalgslen);
    else
        return tls1_save_u16(pkt, &s->s3.tmp.peer_sigalgs,
                             &s->s3.tmp.peer_sigalgslen);
}

/* Set preferred digest for each key type */

/*
 * Recompute the shared signature algorithm list and derive, per certificate
 * slot, whether we can sign with that key type in this handshake.
 *
 * All s->ssl_pkey_num entries of s->s3.tmp.valid_flags are reset, then each
 * slot referenced by a shared scheme gets CERT_PKEY_EXPLICIT_SIGN |
 * CERT_PKEY_SIGN unless the slot is disabled in the SSL_CTX. In TLS 1.3 the
 * rsa_pkcs1_* schemes are skipped: they may appear in a shared list (for
 * certificate signatures) but cannot be used for our own CertificateVerify,
 * so they must not make the RSA slot signable.
 * Returns 0 only when tls1_set_shared_sigalgs() fails.
 */
int tls1_process_sigalgs(SSL_CONNECTION *s)
{
    size_t i;
    uint32_t *pvalid = s->s3.tmp.valid_flags;

    if (!tls1_set_shared_sigalgs(s))
        return 0;

    for (i = 0; i < s->ssl_pkey_num; i++)
        pvalid[i] = 0;

    for (i = 0; i < s->shared_sigalgslen; i++) {
        const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
        /* NOTE(review): assumes sig_idx < s->ssl_pkey_num for every table entry - confirm */
        int idx = sigptr->sig_idx;

        /* Ignore PKCS1 based sig algs in TLSv1.3 */
        if (SSL_CONNECTION_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
            continue;
        /* If not disabled indicate we can explicitly sign */
        if (pvalid[idx] == 0
            && !ssl_cert_is_disabled(SSL_CONNECTION_GET_CTX(s), idx))
            pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
    }
    return 1;
}

/*
 * Public accessor for the signature algorithms advertised by the peer.
 *
 * Returns the number of peer sigalgs, or 0 if none were received, the count
 * does not fit in an int, or |idx| >= 0 is out of range. When |idx| >= 0 and
 * in range the |idx|-th entry is decoded: |rhash| and |rsig| receive the raw
 * high and low byte of the 16-bit code point (the TLS 1.2
 * SignatureAndHashAlgorithm hash/signature split), and |psign|, |phash|,
 * |psignhash| receive the corresponding NIDs, or NID_undef when the code
 * point is unknown to this build. Every output pointer may be NULL.
 */
int SSL_get_sigalgs(SSL *s, int idx,
                    int *psign, int *phash, int *psignhash,
                    unsigned char *rsig, unsigned char *rhash)
{
    uint16_t *psig;
    size_t numsigalgs;
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return 0;

    psig = sc->s3.tmp.peer_sigalgs;
    numsigalgs = sc->s3.tmp.peer_sigalgslen;

    if (psig == NULL || numsigalgs > INT_MAX)
        return 0;
    if (idx >= 0) {
        const SIGALG_LOOKUP *lu;

        if (idx >= (int)numsigalgs)
            return 0;
        psig += idx;
        if (rhash != NULL)
            *rhash = (unsigned char)((*psig >> 8) & 0xff);
        if (rsig != NULL)
            *rsig = (unsigned char)(*psig & 0xff);
        lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(sc), *psig);
        if (psign != NULL)
            *psign = lu != NULL ? lu->sig : NID_undef;
        if (phash != NULL)
            *phash = lu != NULL ? lu->hash : NID_undef;
        if (psignhash != NULL)
            *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
    }
    return (int)numsigalgs;
}

/*
 * Public accessor for the shared (negotiated) signature algorithm list.
 *
 * Unlike SSL_get_sigalgs(), a negative |idx| is not a "count only" query:
 * the call returns 0 if there is no shared list, |idx| is negative or out
 * of range, or the count does not fit in an int. Otherwise the |idx|-th
 * shared SIGALG_LOOKUP is decoded into the optional outputs (raw code point
 * bytes in |rsig|/|rhash|, NIDs in |psign|/|phash|/|psignhash|) and the
 * total number of shared sigalgs is returned.
 */
int SSL_get_shared_sigalgs(SSL *s, int idx,
                           int *psign, int *phash, int *psignhash,
                           unsigned char *rsig, unsigned char *rhash)
{
    const SIGALG_LOOKUP *shsigalgs;
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return 0;

    if (sc->shared_sigalgs == NULL
        || idx < 0
        || idx >= (int)sc->shared_sigalgslen
        || sc->shared_sigalgslen > INT_MAX)
        return 0;
    shsigalgs = sc->shared_sigalgs[idx];
    if (phash != NULL)
        *phash = shsigalgs->hash;
    if (psign != NULL)
        *psign = shsigalgs->sig;
    if (psignhash != NULL)
        *psignhash = shsigalgs->sigandhash;
    if (rsig != NULL)
        *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
    if (rhash != NULL)
        *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
    return (int)sc->shared_sigalgslen;
}

/* Maximum possible number of unique entries in sigalgs array */
#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)

/*
 * Accumulator passed through CONF_parse_list() to sig_cb() while parsing a
 * signature algorithm list string.
 */
typedef struct {
    /* Number of entries filled in sigalgs[]; bounded by TLS_MAX_SIGALGCNT */
    size_t sigalgcnt;
    /* TLSEXT_SIGALG_XXX values */
    uint16_t sigalgs[TLS_MAX_SIGALGCNT];
    /*
     * Context whose provider-aware sigalg cache is consulted; NULL means
     * syntax-check mode, in which only the built-in table is used.
     */
    SSL_CTX *ctx;
} sig_cb_st;

/*
 * Classify one '+'-separated component of a "sig+hash" list entry. The
 * signature names RSA, RSA-PSS (alias PSS), DSA and ECDSA set |*psig|;
 * anything else is treated as a digest name and resolved via OBJ_sn2nid()
 * then OBJ_ln2nid() into |*phash| (NID_undef if unknown). Only the matching
 * output is written, so the caller can pass the same pair for both
 * components and accept them in either order.
 */
static void get_sigorhash(int *psig, int *phash,
                          const char *str)
{
    if (OPENSSL_strcasecmp(str, "RSA") == 0) {
        *psig = EVP_PKEY_RSA;
    } else if (OPENSSL_strcasecmp(str, "RSA-PSS") == 0
               || OPENSSL_strcasecmp(str, "PSS") == 0) {
        *psig = EVP_PKEY_RSA_PSS;
    } else if (OPENSSL_strcasecmp(str, "DSA") == 0) {
        *psig = EVP_PKEY_DSA;
    } else if (OPENSSL_strcasecmp(str, "ECDSA") == 0) {
        *psig = EVP_PKEY_EC;
    } else {
        *phash = OBJ_sn2nid(str);
        if (*phash == NID_undef)
            *phash = OBJ_ln2nid(str);
    }
}
/* Maximum length of a signature algorithm string component */
#define TLS_MAX_SIGSTRING_LEN 40

/*
 * CONF_parse_list() callback used by tls1_set_sigalgs_list(): parse one
 * colon-separated element of a signature algorithm list into |arg| (a
 * sig_cb_st). Returns 1 to continue parsing, 0 to abort the whole list.
 *
 * Accepted forms are a combined SignatureScheme name (the IANA name or the
 * TLS 1.2 alias stored in the table) or "sig+hash" (see get_sigorhash()).
 * A leading '?' makes an unrecognised element non-fatal (it is skipped).
 * With sarg->ctx set, entries that are known but not available from the
 * loaded providers are silently dropped; with sarg->ctx == NULL (syntax
 * check only) the built-in table is consulted instead.
 *
 * Input is application configuration, not peer data, but it is still
 * bounded: the element is copied into a TLS_MAX_SIGSTRING_LEN buffer only
 * if it fits, the output array is capped at TLS_MAX_SIGALGCNT, and exact
 * duplicates are dropped so the list cannot be padded.
 */
static int sig_cb(const char *elem, int len, void *arg)
{
    sig_cb_st *sarg = arg;
    size_t i = 0;
    const SIGALG_LOOKUP *s;
    char etmp[TLS_MAX_SIGSTRING_LEN], *p;
    const char *iana, *alias;
    int sig_alg = NID_undef, hash_alg = NID_undef;
    int ignore_unknown = 0;

    if (elem == NULL)
        return 0;
    if (elem[0] == '?') {
        ignore_unknown = 1;
        ++elem;
        --len;
    }
    if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
        return 0;
    /* Reject before copying: etmp must keep room for the terminator. */
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    p = strchr(etmp, '+');
    /*
     * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
     * if there's no '+' in the provided name, look for the new-style combined
     * name.  If not, match both sig+hash to find the needed SIGALG_LOOKUP.
     * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
     * rsa_pss_rsae_* that differ only by public key OID; in such cases
     * we will pick the _rsae_ variant, by virtue of them appearing earlier
     * in the table.
     */
    if (p == NULL) {
        if (sarg->ctx != NULL) {
            for (i = 0; i < sarg->ctx->sigalg_lookup_cache_len; i++) {
                iana = sarg->ctx->sigalg_lookup_cache[i].name;
                alias = sarg->ctx->sigalg_lookup_cache[i].name12;
                if ((alias != NULL && OPENSSL_strcasecmp(etmp, alias) == 0)
                    || OPENSSL_strcasecmp(etmp, iana) == 0) {
                    /* Ignore known, but unavailable sigalgs. */
                    if (!sarg->ctx->sigalg_lookup_cache[i].available)
                        return 1;
                    sarg->sigalgs[sarg->sigalgcnt++] = sarg->ctx->sigalg_lookup_cache[i].sigalg;
                    goto found;
                }
            }
        } else {
            /* Syntax checks use the built-in sigalgs */
            for (i = 0, s = sigalg_lookup_tbl;
                 i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
                iana = s->name;
                alias = s->name12;
                if ((alias != NULL && OPENSSL_strcasecmp(etmp, alias) == 0)
                    || OPENSSL_strcasecmp(etmp, iana) == 0) {
                    sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
                    goto found;
                }
            }
        }
    } else {
        /* Split "sig+hash" in place; an empty second component is an error. */
        *p = 0;
        p++;
        if (*p == 0)
            return 0;
        get_sigorhash(&sig_alg, &hash_alg, etmp);
        get_sigorhash(&sig_alg, &hash_alg, p);
        if (sig_alg != NID_undef && hash_alg != NID_undef) {
            if (sarg->ctx != NULL) {
                for (i = 0; i < sarg->ctx->sigalg_lookup_cache_len; i++) {
                    s = &sarg->ctx->sigalg_lookup_cache[i];
                    if (s->hash == hash_alg && s->sig == sig_alg) {
                        /* Ignore known, but unavailable sigalgs. */
                        if (!sarg->ctx->sigalg_lookup_cache[i].available)
                            return 1;
                        sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
                        goto found;
                    }
                }
            } else {
                for (i = 0; i < OSSL_NELEM(sigalg_lookup_tbl); i++) {
                    s = &sigalg_lookup_tbl[i];
                    if (s->hash == hash_alg && s->sig == sig_alg) {
                        sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
                        goto found;
                    }
                }
            }
        }
    }
    /* Ignore unknown algorithms if ignore_unknown */
    return ignore_unknown;

 found:
    /* Ignore duplicates: the entry just appended is the last one, drop it
     * again if an identical code point is already present. */
    for (i = 0; i < sarg->sigalgcnt - 1; i++) {
        if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
            sarg->sigalgcnt--;
            return 1;
        }
    }
    return 1;
}

/*
 * Set supported signature algorithms based on a colon separated list of the
 * form sig+hash e.g.
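RSA+SHA512:DSA+SHA512
 */

/*
 * Parse |str| (see sig_cb() for the accepted syntax) and, if |c| is
 * non-NULL, install the result as the configured signature algorithms of
 * |c| (client-specific list when |client| != 0, otherwise the general list).
 * With |c| == NULL the call is a pure syntax check.
 *
 * |ctx| selects how names are resolved: when non-NULL the provider-aware
 * sigalg cache of that SSL_CTX is used and unavailable algorithms are
 * dropped; when NULL only the built-in table is consulted.
 *
 * Returns 1 on success, 0 on a parse error, if no usable algorithm remains
 * (ERR_R_PASSED_INVALID_ARGUMENT is raised with the offending string) or on
 * allocation failure.
 */
int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
{
    sig_cb_st sig;

    sig.sigalgcnt = 0;
    /*
     * Always initialise ctx. sig_cb() decides between the SSL_CTX sigalg
     * cache and the built-in table by testing sarg->ctx != NULL, so the
     * previous "if (ctx != NULL) sig.ctx = ctx;" left sig.ctx indeterminate
     * in precisely the ctx == NULL (syntax-check) case that sig_cb() tests
     * for - undefined behaviour that could send the callback down the cache
     * path with a garbage pointer.
     */
    sig.ctx = ctx;
    if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
        return 0;
    if (sig.sigalgcnt == 0) {
        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
                       "No valid signature algorithms in '%s'", str);
        return 0;
    }
    if (c == NULL)
        return 1;
    return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}

/*
 * Install a copy of the |salglen| SignatureScheme code points in |psigs| as
 * the client-specific (|client| != 0) or general configured sigalgs of |c|,
 * freeing the previous list. No validation of the code points is done here;
 * callers are expected to pass values that came from the lookup table.
 * |salglen| must be non-zero (a zero-length allocation fails).
 * Returns 1 on success, 0 on allocation failure (|c| is left unchanged).
 */
int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
                         int client)
{
    uint16_t *sigalgs;

    if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL)
        return 0;
    memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));

    if (client) {
        OPENSSL_free(c->client_sigalgs);
        c->client_sigalgs = sigalgs;
        c->client_sigalgslen = salglen;
    } else {
        OPENSSL_free(c->conf_sigalgs);
        c->conf_sigalgs = sigalgs;
        c->conf_sigalgslen = salglen;
    }

    return 1;
}

/*
 * Set configured sigalgs from an array of NID pairs: |psig_nids| holds
 * |salglen| ints arranged as (digest NID, signature NID) pairs. Each pair
 * must correspond to exactly one entry in sigalg_lookup_tbl; an odd
 * |salglen| or an unknown pair fails the whole call and leaves |c|
 * unchanged. Duplicates are not removed here.
 * Returns 1 on success, 0 on invalid input or allocation failure.
 */
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
{
    uint16_t *sigalgs, *sptr;
    size_t i;

    if (salglen & 1)
        return 0;
    if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL)
        return 0;
    for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
        size_t j;
        const SIGALG_LOOKUP *curr;
        int md_id = *psig_nids++;
        int sig_id = *psig_nids++;

        for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
             j++, curr++) {
            if (curr->hash == md_id && curr->sig == sig_id) {
                *sptr++ = curr->sigalg;
                break;
            }
        }

        /* Loop ran to the end without a match: unknown (digest, sig) pair. */
        if (j == OSSL_NELEM(sigalg_lookup_tbl))
            goto err;
    }

    if (client) {
        OPENSSL_free(c->client_sigalgs);
        c->client_sigalgs = sigalgs;
        c->client_sigalgslen = salglen / 2;
    } else {
        OPENSSL_free(c->conf_sigalgs);
        c->conf_sigalgs = sigalgs;
        c->conf_sigalgslen = salglen / 2;
    }

    return 1;

 err:
    OPENSSL_free(sigalgs);
    return 0;
}

static int tls1_check_sig_alg(SSL_CONNECTION *s, X509 *x, int default_nid)
{
    int sig_nid, use_pc_sigalgs = 0;
    size_t i;
    const SIGALG_LOOKUP *sigalg;
    size_t sigalgslen;

    /*-
     * RFC 8446, section 4.2.3:
     *
     * The signatures on certificates that are self-signed or certificates
     * that are trust anchors are not validated, since they begin a
     * certification path (see [RFC5280], Section 3.2).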
 A certificate that
     * begins a certification path MAY use a signature algorithm that is not
     * advertised as being supported in the "signature_algorithms"
     * extension.
     */
    /*
     * |default_nid| encodes the caller's mode (see tls1_check_chain()):
     *   -1  no applicable rule for this key type: accept.
     *   >0  peer sent no signature_algorithms: the certificate must use
     *       exactly this RFC 5246 default signature NID.
     *    0  compare against the negotiated lists below.
     * Self-signed certificates are exempt per the RFC text above. Note the
     * second argument to X509_self_signed() is 0, i.e. the self-signature is
     * not cryptographically verified here; only the certificate's own
     * issuer/subject relationship is examined, which is all this policy
     * check needs.
     */
    if (default_nid == -1 || X509_self_signed(x, 0))
        return 1;
    sig_nid = X509_get_signature_nid(x);
    if (default_nid)
        return sig_nid == default_nid ? 1 : 0;

    if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) {
        /*
         * If we're in TLSv1.3 then we only get here if we're checking the
         * chain. If the peer has specified peer_cert_sigalgs then we use them
         * otherwise we default to normal sigalgs.
         */
        sigalgslen = s->s3.tmp.peer_cert_sigalgslen;
        use_pc_sigalgs = 1;
    } else {
        sigalgslen = s->shared_sigalgslen;
    }
    for (i = 0; i < sigalgslen; i++) {
        int mdnid, pknid;

        /*
         * peer_cert_sigalgs holds raw peer code points and may contain values
         * unknown to us (lookup returns NULL); the shared list already holds
         * resolved entries.
         */
        sigalg = use_pc_sigalgs
                 ? tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s),
                                      s->s3.tmp.peer_cert_sigalgs[i])
                 : s->shared_sigalgs[i];
        if (sigalg == NULL)
            continue;
        if (sig_nid == sigalg->sigandhash)
            return 1;
        if (sigalg->sig != EVP_PKEY_RSA_PSS)
            continue;
        /*
         * Accept RSA PKCS#1 signatures in certificates when the signature
         * algorithms include RSA-PSS with a matching digest algorithm.
         *
         * When a TLS 1.3 peer inadvertently omits the legacy RSA PKCS#1 code
         * points, and we're doing strict checking of the certificate chain (in
         * a cert_cb via SSL_check_chain()) we may then reject RSA signed
         * certificates in the chain, but the TLS requirement on PSS should not
         * extend to certificates.  Though the peer can in fact list the legacy
         * sigalgs for just this purpose, it is not likely that a better chain
         * signed with RSA-PSS is available.
         *
         * This is a deliberate relaxation: the digest must still match the
         * PSS scheme's digest, so it never admits a weaker hash than the peer
         * offered, only a different RSA padding on the certificate.
         */
        if (!OBJ_find_sigid_algs(sig_nid, &mdnid, &pknid))
            continue;
        if (pknid == EVP_PKEY_RSA && mdnid == sigalg->hash)
            return 1;
    }
    return 0;
}

/*
 * Check to see if a certificate issuer name matches list of CA names.
 * Used on the client to test whether |x| was issued by one of the names the
 * server listed in its CertificateRequest. This is a pure DN comparison of
 * the issuer field; it does not verify the chain.
 */
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
{
    const X509_NAME *nm;
    int i;
    nm = X509_get_issuer_name(x);
    for (i = 0; i < sk_X509_NAME_num(names); i++) {
        if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
            return 1;
    }
    return 0;
}

/*
 * Check certificate chain is consistent with TLS extensions and is usable by
 * server. This serves two purposes: it allows users to check chains before
 * passing them to the server and it allows the server to check chains before
 * attempting to use them.
 */

/* Flags which need to be set for a certificate when strict mode not set */

#define CERT_PKEY_VALID_FLAGS \
    (CERT_PKEY_EE_SIGNATURE | CERT_PKEY_EE_PARAM)
/* Strict mode flags */
#define CERT_PKEY_STRICT_FLAGS \
    (CERT_PKEY_VALID_FLAGS | CERT_PKEY_CA_SIGNATURE | CERT_PKEY_CA_PARAM \
     | CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE)

/*
 * Validate one certificate / private key / chain against what has been
 * negotiated on |s|.
 *
 * |idx| selects the mode (see also the comment in the body):
 *  - idx == -1: SSL_check_chain() on caller-supplied |x|, |pk| and |chain|.
 *    check_flags is non-zero, so every check runs and the return value is a
 *    bitmask of CERT_PKEY_* flags describing each one; CERT_PKEY_VALID is
 *    added only if all flags in check_flags passed.
 *  - idx == -2 / idx >= 0: internal check of c->key or c->pkeys[idx]; |x|,
 *    |pk| and |chain| are ignored and taken from that CERT_PKEY. check_flags
 *    is 0, so the first failing check jumps to 'end', the slot's valid_flags
 *    keeps only its SIGN/EXPLICIT_SIGN bits and 0 is returned. On success
 *    the full result is stored in valid_flags and returned.
 *
 * Raw public keys short-circuit to CERT_PKEY_RPK (after tls1_check_pkey_comp()
 * for EC keys). Otherwise the checks are: Suite B compliance, signature
 * algorithm consistency of the EE cert and the chain (TLS 1.2+, strict
 * mode only), key parameters (curve / point format), and on the client the
 * certificate_types and CA names from the server's CertificateRequest.
 */
int tls1_check_chain(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pk,
                     STACK_OF(X509) *chain, int idx)
{
    int i;
    int rv = 0;
    int check_flags = 0, strict_mode;
    CERT_PKEY *cpk = NULL;
    CERT *c = s->cert;
    uint32_t *pvalid;
    unsigned int suiteb_flags = tls1_suiteb(s);

    /*
     * Meaning of idx:
     * idx == -1 means SSL_check_chain() invocation
     * idx == -2 means checking client certificate chains
     * idx >= 0 means checking SSL_PKEY index
     *
     * For RPK, where there may be no cert, we ignore -1
     */
    if (idx != -1) {
        if (idx == -2) {
            /* NOTE(review): assumes c->key points into c->pkeys[] - confirm at call sites */
            cpk = c->key;
            idx = (int)(cpk - c->pkeys);
        } else
            cpk = c->pkeys + idx;
        pvalid = s->s3.tmp.valid_flags + idx;
        x = cpk->x509;
        pk = cpk->privatekey;
        chain = cpk->chain;
        strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
        if (tls12_rpk_and_privkey(s, idx)) {
            if (EVP_PKEY_is_a(pk, "EC") && !tls1_check_pkey_comp(s, pk))
                return 0;
            *pvalid = rv = CERT_PKEY_RPK;
            return rv;
        }
        /* If no cert or key, forget it */
        if (x == NULL || pk == NULL)
            goto end;
    } else {
        size_t certidx;

        if (x == NULL || pk == NULL)
            return 0;

        /* Map the supplied key to its SSL_PKEY slot so valid_flags can be read. */
        if (ssl_cert_lookup_by_pkey(pk, &certidx,
                                    SSL_CONNECTION_GET_CTX(s))
            == NULL)
            return 0;
        idx = certidx;
        pvalid = s->s3.tmp.valid_flags + idx;

        /* SSL_check_chain() always reports; strict mode only widens the set. */
        if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
            check_flags = CERT_PKEY_STRICT_FLAGS;
        else
            check_flags = CERT_PKEY_VALID_FLAGS;
        strict_mode = 1;
    }

    if (suiteb_flags) {
        int ok;
        if (check_flags)
            check_flags |= CERT_PKEY_SUITEB;
        ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
        if (ok == X509_V_OK)
            rv |= CERT_PKEY_SUITEB;
        else if (!check_flags)
            goto end;
    }

    /*
     * Check all signature algorithms are consistent with signature
     * algorithms extension if TLS 1.2 or later and strict mode.
     */
    if (TLS1_get_version(SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION
        && strict_mode) {
        int default_nid;
        int rsign = 0;

        if (s->s3.tmp.peer_cert_sigalgs != NULL
            || s->s3.tmp.peer_sigalgs != NULL) {
            /* Peer sent sigalgs: tls1_check_sig_alg() uses the negotiated lists. */
            default_nid = 0;
        } else {
            /*
             * If no sigalgs extension use defaults from RFC5246: the peer is
             * deemed to accept only the SHA-1 based default for our key type.
             * Key types without such a default (-1) skip the signature check.
             */
            switch (idx) {
            case SSL_PKEY_RSA:
                rsign = EVP_PKEY_RSA;
                default_nid = NID_sha1WithRSAEncryption;
                break;

            case SSL_PKEY_DSA_SIGN:
                rsign = EVP_PKEY_DSA;
                default_nid = NID_dsaWithSHA1;
                break;

            case SSL_PKEY_ECC:
                rsign = EVP_PKEY_EC;
                default_nid = NID_ecdsa_with_SHA1;
                break;

            case SSL_PKEY_GOST01:
                rsign = NID_id_GostR3410_2001;
                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
                break;

            case SSL_PKEY_GOST12_256:
                rsign = NID_id_GostR3410_2012_256;
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
                break;

            case SSL_PKEY_GOST12_512:
                rsign = NID_id_GostR3410_2012_512;
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
                break;

            default:
                default_nid = -1;
                break;
            }
        }
        /*
         * If peer sent no signature algorithms extension and we have set
         * preferred signature algorithms check we support sha1.
         * If our own configured list excludes SHA-1 for this key type we
         * cannot use the RFC 5246 default either, so the slot is unusable
         * (internal mode) or the signature flags stay clear (report mode).
         */
        if (default_nid > 0 && c->conf_sigalgs) {
            size_t j;
            const uint16_t *p = c->conf_sigalgs;
            for (j = 0; j < c->conf_sigalgslen; j++, p++) {
                const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *p);

                if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
                    break;
            }
            if (j == c->conf_sigalgslen) {
                if (check_flags)
                    goto skip_sigs;
                else
                    goto end;
            }
        }
        /* Check signature algorithm of each cert in chain */
        if (SSL_CONNECTION_IS_TLS13(s)) {
            /*
             * We only get here if the application has called SSL_check_chain(),
             * so check_flags is always set.
             */
            if (find_sig_alg(s, x, pk) != NULL)
                rv |= CERT_PKEY_EE_SIGNATURE;
        } else if (!tls1_check_sig_alg(s, x, default_nid)) {
            if (!check_flags)
                goto end;
        } else
            rv |= CERT_PKEY_EE_SIGNATURE;
        /* Assume the chain is fine and clear the flag on the first bad cert. */
        rv |= CERT_PKEY_CA_SIGNATURE;
        for (i = 0; i < sk_X509_num(chain); i++) {
            if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_SIGNATURE;
                    break;
                } else
                    goto end;
            }
        }
    }
    /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
    else if (check_flags)
        rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
 skip_sigs:
    /* Check cert parameters are consistent */
    if (tls1_check_cert_param(s, x, 1))
        rv |= CERT_PKEY_EE_PARAM;
    else if (!check_flags)
        goto end;
    /* Clients do not check chain parameters; servers do so only in strict mode. */
    if (!s->server)
        rv |= CERT_PKEY_CA_PARAM;
    /* In strict mode check rest of chain too */
    else if (strict_mode) {
        rv |= CERT_PKEY_CA_PARAM;
        for (i = 0; i < sk_X509_num(chain); i++) {
            X509 *ca = sk_X509_value(chain, i);
            if (!tls1_check_cert_param(s, ca, 0)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_PARAM;
                    break;
                } else
                    goto end;
            }
        }
    }
    /*
     * Client-side strict checks against the server's CertificateRequest:
     * our key type must be among the requested certificate_types (when the
     * type is one we can express), and the EE cert or something in its chain
     * must be issued by one of the requested CA names (an empty CA list
     * matches anything).
     */
    if (!s->server && strict_mode) {
        STACK_OF(X509_NAME) *ca_dn;
        int check_type = 0;

        if (EVP_PKEY_is_a(pk, "RSA"))
            check_type = TLS_CT_RSA_SIGN;
        else if (EVP_PKEY_is_a(pk, "DSA"))
            check_type = TLS_CT_DSS_SIGN;
        else if (EVP_PKEY_is_a(pk, "EC"))
            check_type = TLS_CT_ECDSA_SIGN;

        if (check_type) {
            const uint8_t *ctypes = s->s3.tmp.ctype;
            size_t j;

            for (j = 0; j < s->s3.tmp.ctype_len; j++, ctypes++) {
                if (*ctypes == check_type) {
                    rv |= CERT_PKEY_CERT_TYPE;
                    break;
                }
            }
            if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
                goto end;
        } else {
            /* Key types with no TLS_CT_* code are not constrained by ctype. */
            rv |= CERT_PKEY_CERT_TYPE;
        }

        ca_dn = s->s3.tmp.peer_ca_names;

        if (ca_dn == NULL
            || sk_X509_NAME_num(ca_dn) == 0
            || ssl_check_ca_name(ca_dn, x))
            rv |= CERT_PKEY_ISSUER_NAME;
        else
            for (i = 0; i < sk_X509_num(chain); i++) {
                X509 *xtmp = sk_X509_value(chain, i);

                if (ssl_check_ca_name(ca_dn, xtmp)) {
                    rv |= CERT_PKEY_ISSUER_NAME;
                    break;
                }
            }

        if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
            goto end;
    } else
        rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;

    /* Internal mode reaches here only if nothing failed; report mode needs every requested flag. */
    if (!check_flags || (rv & check_flags) == check_flags)
        rv |= CERT_PKEY_VALID;

 end:

    /*
     * Signing ability was decided by tls1_process_sigalgs() for TLS 1.2+;
     * earlier versions have no sigalgs negotiation and can always sign.
     */
    if (TLS1_get_version(SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION)
        rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
    else
        rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;

    /*
     * When checking a CERT_PKEY structure all flags are irrelevant if the
     * chain is invalid.
     */
    if (!check_flags) {
        if (rv & CERT_PKEY_VALID) {
            *pvalid = rv;
        } else {
            /* Preserve sign and explicit sign flag, clear rest */
            *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
            return 0;
        }
    }
    return rv;
}

/*
 * Set validity of certificates in an SSL structure.
 * Runs tls1_check_chain() in internal mode for every key slot; the return
 * values are deliberately ignored because the outcome of each check is
 * recorded in s->s3.tmp.valid_flags[slot].
 */
void tls1_set_cert_validity(SSL_CONNECTION *s)
{
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
}

/*
 * User level utility function to check a chain is suitable.
 * Returns the CERT_PKEY_* bitmask from tls1_check_chain() in report mode
 * (idx == -1), or 0 if |s| is not a TLS connection object or |x|/|pk| is
 * NULL. Typically called from a cert_cb to pick a chain the peer accepts.
 */
int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return 0;

    return tls1_check_chain(sc, x, pk, chain, -1);
}

EVP_PKEY *ssl_get_auto_dh(SSL_CONNECTION *s)
{
    EVP_PKEY *dhp = NULL;
    BIGNUM *p;
    int dh_secbits = 80, sec_level_bits;
christos EVP_PKEY_CTX *pctx = NULL; 4284 1.1 christos OSSL_PARAM_BLD *tmpl = NULL; 4285 1.1 christos OSSL_PARAM *params = NULL; 4286 1.1 christos SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 4287 1.1 christos 4288 1.1 christos if (s->cert->dh_tmp_auto != 2) { 4289 1.1 christos if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { 4290 1.1 christos if (s->s3.tmp.new_cipher->strength_bits == 256) 4291 1.1 christos dh_secbits = 128; 4292 1.1 christos else 4293 1.1 christos dh_secbits = 80; 4294 1.1 christos } else { 4295 1.1 christos if (s->s3.tmp.cert == NULL) 4296 1.1 christos return NULL; 4297 1.1 christos dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey); 4298 1.1 christos } 4299 1.1 christos } 4300 1.1 christos 4301 1.1 christos /* Do not pick a prime that is too weak for the current security level */ 4302 1.1 christos sec_level_bits = ssl_get_security_level_bits(SSL_CONNECTION_GET_SSL(s), 4303 1.1.1.2 christos NULL, NULL); 4304 1.1 christos if (dh_secbits < sec_level_bits) 4305 1.1 christos dh_secbits = sec_level_bits; 4306 1.1 christos 4307 1.1 christos if (dh_secbits >= 192) 4308 1.1 christos p = BN_get_rfc3526_prime_8192(NULL); 4309 1.1 christos else if (dh_secbits >= 152) 4310 1.1 christos p = BN_get_rfc3526_prime_4096(NULL); 4311 1.1 christos else if (dh_secbits >= 128) 4312 1.1 christos p = BN_get_rfc3526_prime_3072(NULL); 4313 1.1 christos else if (dh_secbits >= 112) 4314 1.1 christos p = BN_get_rfc3526_prime_2048(NULL); 4315 1.1 christos else 4316 1.1 christos p = BN_get_rfc2409_prime_1024(NULL); 4317 1.1 christos if (p == NULL) 4318 1.1 christos goto err; 4319 1.1 christos 4320 1.1 christos pctx = EVP_PKEY_CTX_new_from_name(sctx->libctx, "DH", sctx->propq); 4321 1.1 christos if (pctx == NULL 4322 1.1.1.2 christos || EVP_PKEY_fromdata_init(pctx) != 1) 4323 1.1 christos goto err; 4324 1.1 christos 4325 1.1 christos tmpl = OSSL_PARAM_BLD_new(); 4326 1.1 christos if (tmpl == NULL 4327 1.1.1.2 christos || 
!OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) 4328 1.1.1.2 christos || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2)) 4329 1.1 christos goto err; 4330 1.1 christos 4331 1.1 christos params = OSSL_PARAM_BLD_to_param(tmpl); 4332 1.1 christos if (params == NULL 4333 1.1.1.2 christos || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1) 4334 1.1 christos goto err; 4335 1.1 christos 4336 1.1 christos err: 4337 1.1 christos OSSL_PARAM_free(params); 4338 1.1 christos OSSL_PARAM_BLD_free(tmpl); 4339 1.1 christos EVP_PKEY_CTX_free(pctx); 4340 1.1 christos BN_free(p); 4341 1.1 christos return dhp; 4342 1.1 christos } 4343 1.1 christos 4344 1.1 christos static int ssl_security_cert_key(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, 4345 1.1.1.2 christos int op) 4346 1.1 christos { 4347 1.1 christos int secbits = -1; 4348 1.1 christos EVP_PKEY *pkey = X509_get0_pubkey(x); 4349 1.1 christos 4350 1.1 christos if (pkey) { 4351 1.1 christos /* 4352 1.1 christos * If no parameters this will return -1 and fail using the default 4353 1.1 christos * security callback for any non-zero security level. This will 4354 1.1 christos * reject keys which omit parameters but this only affects DSA and 4355 1.1 christos * omission of parameters is never (?) done in practice. 
4356 1.1 christos */ 4357 1.1 christos secbits = EVP_PKEY_get_security_bits(pkey); 4358 1.1 christos } 4359 1.1 christos if (s != NULL) 4360 1.1 christos return ssl_security(s, op, secbits, 0, x); 4361 1.1 christos else 4362 1.1 christos return ssl_ctx_security(ctx, op, secbits, 0, x); 4363 1.1 christos } 4364 1.1 christos 4365 1.1 christos static int ssl_security_cert_sig(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, 4366 1.1.1.2 christos int op) 4367 1.1 christos { 4368 1.1 christos /* Lookup signature algorithm digest */ 4369 1.1 christos int secbits, nid, pknid; 4370 1.1 christos 4371 1.1 christos /* Don't check signature if self signed */ 4372 1.1 christos if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) 4373 1.1 christos return 1; 4374 1.1 christos if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL)) 4375 1.1 christos secbits = -1; 4376 1.1 christos /* If digest NID not defined use signature NID */ 4377 1.1 christos if (nid == NID_undef) 4378 1.1 christos nid = pknid; 4379 1.1 christos if (s != NULL) 4380 1.1 christos return ssl_security(s, op, secbits, nid, x); 4381 1.1 christos else 4382 1.1 christos return ssl_ctx_security(ctx, op, secbits, nid, x); 4383 1.1 christos } 4384 1.1 christos 4385 1.1 christos int ssl_security_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, int vfy, 4386 1.1.1.2 christos int is_ee) 4387 1.1 christos { 4388 1.1 christos if (vfy) 4389 1.1 christos vfy = SSL_SECOP_PEER; 4390 1.1 christos if (is_ee) { 4391 1.1 christos if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy)) 4392 1.1 christos return SSL_R_EE_KEY_TOO_SMALL; 4393 1.1 christos } else { 4394 1.1 christos if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy)) 4395 1.1 christos return SSL_R_CA_KEY_TOO_SMALL; 4396 1.1 christos } 4397 1.1 christos if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) 4398 1.1 christos return SSL_R_CA_MD_TOO_WEAK; 4399 1.1 christos return 1; 4400 1.1 christos } 4401 1.1 christos 4402 1.1 christos /* 4403 1.1 
* Check the security strength of a certificate chain against the security
* level in force for |s|. When |x| is NULL the end entity certificate is
* element 0 of |sk| and the remaining elements are its CAs; otherwise |x| is
* the end entity and every element of |sk| is treated as a CA certificate.
* |vfy| non-zero means a peer chain is being verified rather than our own
* chain being sent.
* Returns 1 when every certificate passes, otherwise the reason code of the
* first failing certificate (ERR_R_INTERNAL_ERROR when no end entity could
* be found in |sk|).
*/

int ssl_security_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk,
                            X509 *x, int vfy)
{
    int first_ca = 0;   /* index in |sk| of the first CA certificate */
    int rv;
    int idx;

    if (x == NULL) {
        /* End entity lives in the stack: a missing element 0 is a caller bug */
        x = sk_X509_value(sk, 0);
        if (x == NULL)
            return ERR_R_INTERNAL_ERROR;
        first_ca = 1;
    }

    /* The end entity is judged with the EE key/signature operations */
    rv = ssl_security_cert(s, NULL, x, vfy, 1);
    if (rv != 1)
        return rv;

    /* Everything else is judged with the CA operations, stopping at the first failure */
    for (idx = first_ca; idx < sk_X509_num(sk); idx++) {
        rv = ssl_security_cert(s, NULL, sk_X509_value(sk, idx), vfy, 0);
        if (rv != 1)
            return rv;
    }

    return 1;
}

/*
 * For TLS 1.2 servers check if we have a certificate which can be used
 * with the signature algorithm "lu" and return index of certificate.
*/

static int tls12_get_cert_sigalg_idx(const SSL_CONNECTION *s,
                                     const SIGALG_LOOKUP *lu)
{
    const int idx = lu->sig_idx;
    const SSL_CIPHER *cipher = s->s3.tmp.new_cipher;
    const SSL_CERT_LOOKUP *clu;
    int required;

    clu = ssl_cert_lookup_by_idx(idx, SSL_CONNECTION_GET_CTX(s));
    if (clu == NULL)
        return -1;      /* certificate type not recognised */

    /* The certificate type must be permitted by the ciphersuite's auth mask */
    if ((clu->amask & cipher->algorithm_auth) == 0)
        return -1;

    /* An RSA-PSS key is signature-only, so it cannot serve RSA key exchange */
    if (clu->pkey_nid == EVP_PKEY_RSA_PSS
        && (cipher->algorithm_mkey & SSL_kRSA) != 0)
        return -1;

    /*
     * A raw public key never becomes "valid" in the chain sense, so RPK
     * use is gated on CERT_PKEY_RPK rather than CERT_PKEY_VALID.
     */
    required = tls12_rpk_and_privkey(s, idx) ? CERT_PKEY_RPK : CERT_PKEY_VALID;

    return (s->s3.tmp.valid_flags[idx] & required) != 0 ? idx : -1;
}

/*
 * Checks the given cert against signature_algorithm_cert restrictions sent by
 * the peer (if any) as well as whether the hash from the sigalg is usable with
 * the key.
 * Returns true if the cert is usable and false otherwise.
*/

/*
 * Returns 1 if the issuer signature on a certificate (digest |mdnid|, key
 * type |pknid|) matches one of the signature_algorithms_cert values the peer
 * sent, 0 otherwise. Only meaningful when the peer sent that extension.
 */
static int cert_sig_permitted_by_peer(SSL_CONNECTION *s, int mdnid, int pknid)
{
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
    size_t n;

    for (n = 0; n < s->s3.tmp.peer_cert_sigalgslen; n++) {
        const SIGALG_LOOKUP *peer_lu =
            tls1_lookup_sigalg(sctx, s->s3.tmp.peer_cert_sigalgs[n]);

        if (peer_lu == NULL)
            continue;
        /*
         * rsa_pss_pss_* and rsa_pss_rsae_* are not told apart here: without
         * the issuer's certificate the key OID of the signer is unknown.
         */
        if (peer_lu->hash == mdnid && peer_lu->sig == pknid)
            return 1;
    }
    return 0;
}

static int check_cert_usable(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig,
                             X509 *x, EVP_PKEY *pkey)
{
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
    const char *mdname = (sig->hash != NID_undef) ? OBJ_nid2sn(sig->hash) : NULL;
    int mdnid, pknid;

    /* The key must be able to sign with the scheme's digest (NULL for "none") */
    if (EVP_PKEY_digestsign_supports_digest(pkey, sctx->libctx, mdname,
                                            sctx->propq) <= 0)
        return 0;

    /* No signature_algorithms_cert from the peer: any signable cert is fine */
    if (s->s3.tmp.peer_cert_sigalgs == NULL)
        return 1;

    /*
     * TLS 1.3 signature_algorithms_cert restricts the algorithm the
     * certificate itself was signed with by its issuer.
     */
    if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
        return 0;

    return cert_sig_permitted_by_peer(s, mdnid, pknid);
}

/*
 * Returns true if |s| has a certificate loaded in slot |idx| (or in |sig|'s
 * default slot when |idx| is -1) that can be used with signature scheme
 * |sig|, applying any signature_algorithms_cert restriction the peer sent.
 * Returns false otherwise.
 */
static int has_usable_cert(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig, int idx)
{
    const CERT_PKEY *cpk;

    /* TLS 1.2 callers may pick the slot themselves; TLS 1.3 callers pass -1 */
    if (idx == -1)
        idx = sig->sig_idx;
    if (!ssl_has_cert(s, idx))
        return 0;

    cpk = &s->cert->pkeys[idx];
    return check_cert_usable(s, sig, cpk->x509, cpk->privatekey);
}

/*
 * Returns true if the supplied cert |x| and key |pkey| is usable with the
 * specified signature scheme |sig|, or false otherwise.
*/
static int is_cert_usable(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig, X509 *x,
                          EVP_PKEY *pkey)
{
    size_t slot;

    /* A key type we cannot map to a certificate slot is unusable */
    if (ssl_cert_lookup_by_pkey(pkey, &slot, SSL_CONNECTION_GET_CTX(s)) == NULL)
        return 0;

    /* The key's slot must be the one |sig| signs with */
    return (int)slot == sig->sig_idx && check_cert_usable(s, sig, x, pkey);
}

/*
 * Returns 1 if |lu| is a scheme we are willing to select for our own
 * signatures: SHA-1 and SHA-224 based schemes, DSA and non-PSS RSA are never
 * chosen, and the scheme must pass tls_sigalg_compat().
 */
static int sigalg_is_candidate(SSL_CONNECTION *s, const SIGALG_LOOKUP *lu)
{
    if (lu->hash == NID_sha1 || lu->hash == NID_sha224)
        return 0;
    if (lu->sig == EVP_PKEY_DSA || lu->sig == EVP_PKEY_RSA)
        return 0;
    return tls_sigalg_compat(s, lu);
}

/*
 * Find a signature scheme usable with certificate |x| and private key |pkey|.
 * When both are NULL the search also covers the certificates configured on
 * |s|, and the chosen scheme's sig_idx names the slot to use. Returns the
 * first acceptable entry of s->shared_sigalgs, or NULL when none fits.
 */
static const SIGALG_LOOKUP *find_sig_alg(SSL_CONNECTION *s, X509 *x,
                                         EVP_PKEY *pkey)
{
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
    int ec_curve = -1;      /* curve NID of the EC signing key, looked up lazily */
    size_t n;

    /* shared_sigalgs is in preference order, so the first hit wins */
    for (n = 0; n < s->shared_sigalgslen; n++) {
        const SIGALG_LOOKUP *lu = s->shared_sigalgs[n];
        EVP_PKEY *signing_key;

        if (!sigalg_is_candidate(s, lu))
            continue;
        /* tls1_lookup_md() must be able to resolve the scheme's digest */
        if (!tls1_lookup_md(sctx, lu, NULL))
            continue;
        /* Need a matching cert that also satisfies signature_algorithms_cert */
        if (pkey == NULL) {
            if (!has_usable_cert(s, lu, -1))
                continue;
            signing_key = s->cert->pkeys[lu->sig_idx].privatekey;
        } else {
            if (!is_cert_usable(s, lu, x, pkey))
                continue;
            signing_key = pkey;
        }

        if (lu->sig == EVP_PKEY_EC) {
            /* Curve-bound schemes must match the curve of the key */
            if (ec_curve == -1)
                ec_curve = ssl_get_EC_curve_nid(signing_key);
            if (lu->curve != NID_undef && lu->curve != ec_curve)
                continue;
        } else if (lu->sig == EVP_PKEY_RSA_PSS) {
            /* The key must be large enough for this signature algorithm */
            if (!rsa_pss_check_min_key_size(sctx, signing_key, lu))
                continue;
        }
        return lu;
    }

    return NULL;
}

/*
 * Choose an appropriate signature algorithm based on available certificates
 * Sets chosen certificate and signature algorithm.
 *
 * For servers if we fail to find a required certificate it is a fatal error,
 * an appropriate error code is set and a TLS alert is sent.
 *
 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
 * a fatal error: we will either try another certificate or not present one
 * to the server. In this case no error is set.
 *
 * Returns 1 when a certificate and sigalg were selected or when the search
 * ended without a fatal error; returns 0 only after SSLfatal() was called.
 */
int tls_choose_sigalg(SSL_CONNECTION *s, int fatalerrs)
{
    const SIGALG_LOOKUP *lu = NULL;
    int sig_idx = -1;   /* slot in s->cert->pkeys; -1 until a slot is chosen */

    /* Drop any earlier selection so a failed search leaves none behind */
    s->s3.tmp.cert = NULL;
    s->s3.tmp.sigalg = NULL;

    if (SSL_CONNECTION_IS_TLS13(s)) {
        /* TLS 1.3: search the shared sigalgs against all configured certs */
        lu = find_sig_alg(s, NULL, NULL);
        if (lu == NULL) {
            if (!fatalerrs)
                return 1;
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
            return 0;
        }
    } else {
        /* If ciphersuite doesn't require a cert nothing to do */
        if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT))
            return 1;
        /*
         * Client with nothing loaded in the currently selected slot
         * (s->cert->key - s->cert->pkeys is that slot's index): there is
         * nothing to sign with, so the caller proceeds without a cert.
         */
        if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
            return 1;

        if (SSL_USE_SIGALGS(s)) {
            size_t i;
            if (s->s3.tmp.peer_sigalgs != NULL) {
                int curve = -1;
                SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

                /* For Suite B need to match signature algorithm to curve */
                if (tls1_suiteb(s))
                    curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
                                                 .privatekey);

                /*
                 * Find highest preference signature algorithm matching
                 * cert type
                 */
                for (i = 0; i < s->shared_sigalgslen; i++) {
                    /* Check the sigalg version bounds */
                    lu = s->shared_sigalgs[i];
                    if (!tls_sigalg_compat(s, lu))
                        continue;
                    if (s->server) {
                        /* Server: any slot the ciphersuite and cert flags allow */
                        if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
                            continue;
                    } else {
                        /* Client: only the slot already selected by the app */
                        int cc_idx = s->cert->key - s->cert->pkeys;

                        sig_idx = lu->sig_idx;
                        if (cc_idx != sig_idx)
                            continue;
                    }
                    /* Check that we have a cert, and sig_algs_cert */
                    if (!has_usable_cert(s, lu, sig_idx))
                        continue;
                    if (lu->sig == EVP_PKEY_RSA_PSS) {
                        /* validate that key is large enough for the signature algorithm */
                        EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;

                        if (!rsa_pss_check_min_key_size(sctx, pkey, lu))
                            continue;
                    }
                    /* Outside Suite B the first usable scheme wins */
                    if (curve == -1 || lu->curve == curve)
                        break;
                }
#ifndef OPENSSL_NO_GOST
                /*
                 * Some Windows-based implementations do not send GOST algorithms indication
                 * in supported_algorithms extension, so when we have GOST-based ciphersuite,
                 * we have to assume GOST support.
                 *
                 * NOTE(review): i = 0 below is a "found" sentinel for the
                 * i == shared_sigalgslen test that follows; if shared_sigalgslen
                 * is itself 0 the sentinel still matches and the fallback is
                 * rejected — confirm that is intended.
                 */
                if (i == s->shared_sigalgslen
                    && (s->s3.tmp.new_cipher->algorithm_auth
                        & (SSL_aGOST01 | SSL_aGOST12))
                       != 0) {
                    if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                        if (!fatalerrs)
                            return 1;
                        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                                 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                        return 0;
                    } else {
                        i = 0;
                        sig_idx = lu->sig_idx;
                    }
                }
#endif
                if (i == s->shared_sigalgslen) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                    return 0;
                }
            } else {
                /*
                 * If we have no sigalg use defaults: the peer sent no
                 * signature_algorithms, so fall back to the legacy scheme
                 * for our key type.
                 */
                const uint16_t *sent_sigs;
                size_t sent_sigslen;

                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                    return 0;
                }

                /* Check signature matches a type we sent */
                sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
                for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
                    if (lu->sigalg == *sent_sigs
                        && has_usable_cert(s, lu, lu->sig_idx))
                        break;
                }
                if (i == sent_sigslen) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_R_WRONG_SIGNATURE_TYPE);
                    return 0;
                }
            }
        } else {
            /* Protocol versions without sigalgs: legacy scheme only */
            if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                if (!fatalerrs)
                    return 1;
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                return 0;
            }
        }
    }
    if (sig_idx == -1)
        sig_idx = lu->sig_idx;
    /* Publish the choice; the chosen slot also becomes the current cert */
    s->s3.tmp.cert = &s->cert->pkeys[sig_idx];
    s->cert->key = s->s3.tmp.cert;
    s->s3.tmp.sigalg = lu;
    return 1;
}

/*
 * Set the max_fragment_length mode for connections created from |ctx|.
 * |mode| must be TLSEXT_max_fragment_length_DISABLED or a value accepted
 * by IS_MAX_FRAGMENT_LENGTH_EXT_VALID(); anything else raises
 * SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH and returns 0. Returns 1 on success.
 */
int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
{
    if (mode != TLSEXT_max_fragment_length_DISABLED
        && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ctx->ext.max_fragment_len_mode = mode;
    return 1;
}

/*
 * Per-connection variant of SSL_CTX_set_tlsext_max_fragment_length().
 * Returns 0 without raising an error when |ssl| is not a TLS connection
 * object or when it is a QUIC object and |mode| is anything but DISABLED;
 * an invalid |mode| is rejected as in the SSL_CTX variant.
 */
int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);

    if (sc == NULL
        || (IS_QUIC(ssl) && mode != TLSEXT_max_fragment_length_DISABLED))
        return 0;

    if (mode != TLSEXT_max_fragment_length_DISABLED
        && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    sc->ext.max_fragment_len_mode = mode;
    return 1;
}

/*
 * Return the max_fragment_length mode recorded in |session|; a mode that
 * was never set (UNSPECIFIED) is reported as DISABLED.
 */
uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
{
    if (session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
        return TLSEXT_max_fragment_length_DISABLED;
    return session->ext.max_fragment_len_mode;
}

/*
 * Helper functions for HMAC access with legacy support included.
 *
 * ssl_hmac_new() allocates an SSL_HMAC for |ctx|. When only the deprecated
 * ticket_key_cb is configured the legacy backend (ssl_hmac_old_new) is used;
 * otherwise an "HMAC" EVP_MAC is fetched from |ctx|'s library context and
 * property query. Returns NULL on allocation or fetch failure. The caller
 * releases the result with ssl_hmac_free().
 */
SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx)
{
    SSL_HMAC *ret = OPENSSL_zalloc(sizeof(*ret));
    EVP_MAC *mac = NULL;

    if (ret == NULL)
        return NULL;
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (ctx->ext.ticket_key_evp_cb == NULL
        && ctx->ext.ticket_key_cb != NULL) {
        if (!ssl_hmac_old_new(ret))
            goto err;
        return ret;
    }
#endif
    mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq);
    if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL)
        goto err;
    /* The EVP_MAC_CTX holds its own reference; drop ours */
    EVP_MAC_free(mac);
    return ret;
 err:
    /* ret->ctx and mac may be NULL here; both free functions accept NULL */
    EVP_MAC_CTX_free(ret->ctx);
    EVP_MAC_free(mac);
    OPENSSL_free(ret);
    return NULL;
}

/* Release an SSL_HMAC from ssl_hmac_new() together with whichever backend it holds; NULL is a no-op */
void ssl_hmac_free(SSL_HMAC *ctx)
{
    if (ctx != NULL) {
        EVP_MAC_CTX_free(ctx->ctx);
#ifndef OPENSSL_NO_DEPRECATED_3_0
        ssl_hmac_old_free(ctx);
#endif
        OPENSSL_free(ctx);
    }
}

/*
 * Returns the EVP_MAC_CTX backing |ctx|, or NULL when the legacy backend
 * is in use (no ownership is transferred).
 */
EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx)
{
    return ctx->ctx;
}

/*
 * Initialise |ctx| with the |len|-byte HMAC key |key| over digest |md|
 * (a digest name, passed as OSSL_MAC_PARAM_DIGEST).
 * Returns 1 on success, 0 when initialisation fails or no backend is set.
 * If the EVP_MAC backend fails to initialise the legacy backend, when
 * present, is still tried.
 */
int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
{
    int ok = 0;

    if (ctx->ctx != NULL) {
        OSSL_PARAM params[2];

        params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0);
        params[1] = OSSL_PARAM_construct_end();
        if (EVP_MAC_init(ctx->ctx, key, len, params))
            return 1;
    }
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (ctx->old_ctx != NULL)
        ok = ssl_hmac_old_init(ctx, key, len, md);
#endif
    return ok;
}

/* Feed |len| bytes of |data| into |ctx|; returns the backend's result, or 0 with no backend */
int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
{
    int ok = 0;

    if (ctx->ctx != NULL)
        ok = EVP_MAC_update(ctx->ctx, data, len);
#ifndef OPENSSL_NO_DEPRECATED_3_0
    else if (ctx->old_ctx != NULL)
        ok = ssl_hmac_old_update(ctx, data, len);
#endif
    return ok;
}

/*
 * Write the MAC into |md| (capacity |max_size|) and its length into |len|.
 * Returns the backend's result, or 0 with no backend. Note that the legacy
 * backend is not passed |max_size|; only the EVP_MAC path bounds the write
 * by it.
 */
int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len,
                   size_t max_size)
{
    int ok = 0;

    if (ctx->ctx != NULL)
        ok = EVP_MAC_final(ctx->ctx, md, len, max_size);
#ifndef OPENSSL_NO_DEPRECATED_3_0
    else if (ctx->old_ctx != NULL)
        ok = ssl_hmac_old_final(ctx, md, len);
#endif
    return ok;
}

/* Size in bytes of the MAC |ctx| produces; 0 when no backend is set */
size_t ssl_hmac_size(const SSL_HMAC *ctx)
{
    size_t mac_len = 0;

    if (ctx->ctx != NULL)
        mac_len = EVP_MAC_CTX_get_mac_size(ctx->ctx);
#ifndef OPENSSL_NO_DEPRECATED_3_0
    else if (ctx->old_ctx != NULL)
        mac_len = ssl_hmac_old_size(ctx);
#endif
    return mac_len;
}

/*
 * Returns the NID of the group |pkey| belongs to, resolved from the group
 * name the key reports, or NID_undef when no group name is available.
 */
int ssl_get_EC_curve_nid(const EVP_PKEY *pkey)
{
    char group[OSSL_MAX_NAME_SIZE];
    int have_name;

    have_name = EVP_PKEY_get_group_name(pkey, group, sizeof(group), NULL) > 0;
    return have_name ? OBJ_txt2nid(group) : NID_undef;
}

/*
 * Returns 1 when the wire encoding |enckey|/|enckeylen| has the shape
 * required for |pkey|'s key type before it is handed to the provider:
 * a DH share must be exactly the byte length of p (bits/8; exact for the
 * byte-sized ffdhe* groups), an EC share must be an uncompressed point
 * (leading 0x04 and at least one byte each for x and y). Other key types
 * are not checked here.
 */
static int key_share_encoding_ok(const EVP_PKEY *pkey,
                                 const unsigned char *enckey,
                                 size_t enckeylen)
{
    if (EVP_PKEY_is_a(pkey, "DH")) {
        int bits = EVP_PKEY_get_bits(pkey);

        /* the encoded key must be padded to the length of p */
        return bits > 0 && enckeylen == (size_t)bits / 8;
    }
    if (EVP_PKEY_is_a(pkey, "EC"))
        return enckeylen >= 3 && enckey[0] == 0x04;
    return 1;
}

/*
 * Install the peer's encoded public key |enckey| of |enckeylen| bytes into
 * |pkey| after the length/format sanity checks above. Returns 0 when the
 * encoding is rejected, otherwise the result of
 * EVP_PKEY_set1_encoded_public_key().
 */
__owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey,
                                     const unsigned char *enckey,
                                     size_t enckeylen)
{
    if (!key_share_encoding_ok(pkey, enckey, enckeylen))
        return 0;

    return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen);
}