      1  1.1.1.2  christos /*
      2  1.1.1.2  christos  * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
      3      1.1  christos  *
      4  1.1.1.2  christos  * Licensed under the OpenSSL license (the "License").  You may not use
      5  1.1.1.2  christos  * this file except in compliance with the License.  You can obtain a copy
      6  1.1.1.2  christos  * in the file LICENSE in the source distribution or at
      7  1.1.1.2  christos  * https://www.openssl.org/source/license.html
      8      1.1  christos  */
      9      1.1  christos 
     10      1.1  christos #include <stdio.h>
     11  1.1.1.2  christos #include <stdlib.h>
     12      1.1  christos #include <openssl/objects.h>
     13      1.1  christos #include <openssl/evp.h>
     14      1.1  christos #include <openssl/hmac.h>
     15      1.1  christos #include <openssl/ocsp.h>
     16  1.1.1.2  christos #include <openssl/conf.h>
     17  1.1.1.2  christos #include <openssl/x509v3.h>
     18  1.1.1.2  christos #include <openssl/dh.h>
     19  1.1.1.2  christos #include <openssl/bn.h>
     20  1.1.1.2  christos #include "internal/nelem.h"
     21  1.1.1.2  christos #include "ssl_local.h"
     22  1.1.1.2  christos #include <openssl/ct.h>
     23      1.1  christos 
     24  1.1.1.2  christos static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
     25  1.1.1.2  christos static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
     26      1.1  christos 
/*
 * Method table for TLSv1.0 record protection and handshake framing.
 * The initializer is positional: the field order is fixed by the
 * SSL3_ENC_METHOD definition, so these entries must not be reordered.
 * The TLSv1.0, TLSv1.1 and TLSv1.2 tables below differ only in the
 * flags word.
 */
SSL3_ENC_METHOD const TLSv1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    0,  /* no SSL_ENC_FLAG_*: notably no explicit IV (first set for TLSv1.1) */
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};
     43      1.1  christos 
/*
 * Method table for TLSv1.1.  Identical to the TLSv1.0 table except for the
 * flags word: TLSv1.1 records carry an explicit per-record IV
 * (SSL_ENC_FLAG_EXPLICIT_IV).  Positional initializer: do not reorder.
 */
SSL3_ENC_METHOD const TLSv1_1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};
     60      1.1  christos 
/*
 * Method table for TLSv1.2.  Same hooks as TLSv1.0/1.1; the flags word adds
 * signature-algorithm negotiation (SSL_ENC_FLAG_SIGALGS), the SHA-256 based
 * PRF (SSL_ENC_FLAG_SHA256_PRF) and the TLSv1.2-only ciphersuites
 * (SSL_ENC_FLAG_TLS1_2_CIPHERS).  Positional initializer: do not reorder.
 */
SSL3_ENC_METHOD const TLSv1_2_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
        | SSL_ENC_FLAG_TLS1_2_CIPHERS,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};
     78  1.1.1.2  christos 
/*
 * Method table for TLSv1.3.  Record protection, key schedule, cipher-state
 * changes, Finished computation, alert mapping and keying-material export
 * all use the tls13_* hooks; only the MAC hook, the Finished labels and the
 * handshake framing hooks are shared with the TLSv1.x tables.  The flags
 * word has no SSL_ENC_FLAG_EXPLICIT_IV and no SSL_ENC_FLAG_TLS1_2_CIPHERS.
 * Positional initializer: do not reorder.
 */
SSL3_ENC_METHOD const TLSv1_3_enc_data = {
    tls13_enc,
    tls1_mac,
    tls13_setup_key_block,
    tls13_generate_master_secret,
    tls13_change_cipher_state,
    tls13_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls13_alert_code,
    tls13_export_keying_material,
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};
     95      1.1  christos 
/*
 * Default lifetime of a TLSv1-family session, in seconds.
 *
 * Returns two hours.  The TLSv1 specification mentions 24 hours, but that
 * is far too long for HTTP-style workloads: the session cache would fill
 * up long before entries expired.
 */
long tls1_default_timeout(void)
{
    const long two_hours = 2L * 60L * 60L;

    return two_hours;
}
    104      1.1  christos 
/*
 * Per-connection constructor for the TLSv1-family methods.
 *
 * Sets up the SSLv3-level state via ssl3_new() and then resets the
 * connection through the method's ssl_clear hook (tls1_clear() for these
 * methods) so that s->version starts from a known value.
 *
 * Returns 1 on success, 0 if either step fails.
 */
int tls1_new(SSL *s)
{
    if (!ssl3_new(s))
        return 0;
    return s->method->ssl_clear(s) != 0;
}
    114      1.1  christos 
/*
 * Per-connection destructor for the TLSv1-family methods.
 *
 * Releases the client-side session ticket extension buffer (OPENSSL_free
 * accepts NULL, so an unset ticket needs no guard) and then tears down the
 * SSLv3-level state with ssl3_free().
 */
void tls1_free(SSL *s)
{
    OPENSSL_free(s->ext.session_ticket);
    ssl3_free(s);
}
    120      1.1  christos 
/*
 * Reset a TLSv1-family connection for reuse.
 *
 * Clears the SSLv3-level state and re-initialises s->version: a
 * version-flexible method (TLS_ANY_VERSION) starts at TLS_MAX_VERSION and
 * negotiates downwards, while a fixed-version method pins the version it
 * was created with.
 *
 * Returns 1 on success, 0 if ssl3_clear() fails.
 */
int tls1_clear(SSL *s)
{
    int method_version;

    if (!ssl3_clear(s))
        return 0;

    method_version = s->method->version;
    s->version = (method_version == TLS_ANY_VERSION) ? TLS_MAX_VERSION
                                                     : method_version;
    return 1;
}
    133      1.1  christos 
    134      1.1  christos #ifndef OPENSSL_NO_EC
    135      1.1  christos 
/*
 * Table of curve information.
 * Do not delete entries or reorder this array! It is used as a lookup
 * table: the index of each entry is one less than the TLS curve id
 * (see tls1_group_id_lookup()).
 *
 * Each entry holds the OpenSSL NID (or EVP_PKEY type for the custom
 * X25519/X448 groups), the security strength in bits that
 * tls_curve_allowed() hands to the security callback, and the field-type
 * flag.  TLS_CURVE_CHAR2 (binary-field) entries are refused outright by
 * tls_curve_allowed() when OPENSSL_NO_EC2M is defined.
 */
static const TLS_GROUP_INFO nid_list[] = {
    {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
    {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
    {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
    {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
    {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
    {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
    {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
    {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
    {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
    {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
    {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
    {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
    {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
    {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
    {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
    {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
    {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
    {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
    {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
    {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
    {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
    {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
    {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
    {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
    {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
    {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
    {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
    {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpoolP512r1 (28) */
    {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
    {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
};
    173      1.1  christos 
/*
 * Default ec_point_formats list, in preference order.  The char2 compressed
 * format MUST stay last: tls1_get_formatlist() drops it for Suite B by
 * simply shortening the list by one entry.
 */
static const unsigned char ecformats_default[] = {
    TLSEXT_ECPOINTFORMAT_uncompressed,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
};
    179      1.1  christos 
/*
 * The default supported groups, as TLS curve ids, in preference order.
 * Used by tls1_get_supported_groups() when no list has been configured
 * and Suite B mode is off.
 */
static const uint16_t eccurves_default[] = {
    29,                      /* X25519 (29) */
    23,                      /* secp256r1 (23) */
    30,                      /* X448 (30) */
    25,                      /* secp521r1 (25) */
    24,                      /* secp384r1 (24) */
};
    188      1.1  christos 
/*
 * Groups permitted in Suite B mode.  Order matters: tls1_get_supported_groups()
 * returns the whole array for 128-bit LOS, the first entry alone for
 * 128-bit-only, and &suiteb_curves[1] alone for 192-bit LOS.
 */
static const uint16_t suiteb_curves[] = {
    TLSEXT_curve_P_256,
    TLSEXT_curve_P_384
};
    193      1.1  christos 
/*
 * Map a TLS curve id (RFC 4492 / RFC 7027 numbering) to its nid_list entry.
 *
 * The table index is the curve id minus one.  Returns NULL for id 0 and for
 * any id beyond the end of the table, so callers can use it as an
 * "is this a group we know" test.
 */
const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
{
    if (group_id == 0)
        return NULL;
    if (group_id > OSSL_NELEM(nid_list))
        return NULL;
    return nid_list + (group_id - 1);
}
    201      1.1  christos 
/*
 * Reverse lookup: find the TLS curve id for an OpenSSL NID (or EVP_PKEY
 * type for X25519/X448) by scanning nid_list.
 *
 * Returns the 1-based curve id, or 0 if the NID is not in the table.
 */
static uint16_t tls1_nid2group_id(int nid)
{
    const TLS_GROUP_INFO *entry = nid_list;
    const TLS_GROUP_INFO *end = nid_list + OSSL_NELEM(nid_list);

    for (; entry < end; entry++) {
        if (entry->nid == nid)
            return (uint16_t)((entry - nid_list) + 1);
    }
    return 0;
}
    211      1.1  christos 
/*
 * Return our own supported-groups list.
 *
 * Sets *pgroups to an array of TLS curve ids and *pgroupslen to its length.
 * Suite B mode overrides any configured list: only P-256 and/or P-384 are
 * offered, depending on the level of security.  Otherwise the list set via
 * tls1_set_groups() is used, falling back to eccurves_default.
 * The returned pointer aliases static or connection-owned storage; the
 * caller must not free or modify it.
 */
void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
                               size_t *pgroupslen)
{
    const unsigned long suiteb = tls1_suiteb(s);

    if (suiteb == SSL_CERT_FLAG_SUITEB_128_LOS) {
        /* 128-bit level of security: both Suite B curves */
        *pgroups = suiteb_curves;
        *pgroupslen = OSSL_NELEM(suiteb_curves);
        return;
    }
    if (suiteb == SSL_CERT_FLAG_SUITEB_128_LOS_ONLY) {
        /* P-256 only */
        *pgroups = suiteb_curves;
        *pgroupslen = 1;
        return;
    }
    if (suiteb == SSL_CERT_FLAG_SUITEB_192_LOS) {
        /* P-384 only */
        *pgroups = suiteb_curves + 1;
        *pgroupslen = 1;
        return;
    }

    /* Not Suite B: a configured list wins over the built-in defaults. */
    if (s->ext.supportedgroups != NULL) {
        *pgroups = s->ext.supportedgroups;
        *pgroupslen = s->ext.supportedgroups_len;
    } else {
        *pgroups = eccurves_default;
        *pgroupslen = OSSL_NELEM(eccurves_default);
    }
}
    248      1.1  christos 
/*
 * Ask the security callback whether a curve may be used for operation |op|
 * (one of the SSL_SECOP_CURVE_* values).
 *
 * Unknown curve ids are rejected before the callback is consulted, as are
 * binary-field curves in builds without EC2M support.  The callback gets
 * the table's security bits and NID, plus the two-byte curve id in network
 * byte order as its opaque argument.
 *
 * Returns 1 if allowed, 0 otherwise.
 */
int tls_curve_allowed(SSL *s, uint16_t curve, int op)
{
    const TLS_GROUP_INFO *info;
    unsigned char wire_id[2];

    info = tls1_group_id_lookup(curve);
    if (info == NULL)
        return 0;
# ifdef OPENSSL_NO_EC2M
    /* Binary-field curves are compiled out: never allow them. */
    if ((info->flags & TLS_CURVE_CHAR2) != 0)
        return 0;
# endif
    wire_id[0] = (unsigned char)(curve >> 8);
    wire_id[1] = (unsigned char)(curve & 0xff);
    return ssl_security(s, op, info->secbits, info->nid, (void *)wire_id);
}
    265  1.1.1.2  christos 
/*
 * Membership test on an array of TLS curve ids.
 *
 * Returns 1 if |id| occurs anywhere in the first |listlen| entries of
 * |list|, 0 otherwise.  A zero-length list never matches and |list| is not
 * dereferenced in that case.
 */
static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
{
    size_t remaining = listlen;

    while (remaining > 0) {
        remaining--;
        if (list[remaining] == id)
            return 1;
    }
    return 0;
}
    275      1.1  christos 
/*-
 * Server-side intersection of our groups with the peer's.
 *
 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
 * if there is no match.
 * For nmatch == -1, return number of matches
 * For nmatch == -2, return the id of the group to use for
 * a tmp key, or 0 if there is no match.
 *
 * The walk order follows SSL_OP_CIPHER_SERVER_PREFERENCE: with it set our
 * list is the preference order, otherwise the peer's is.  A group counts as
 * shared only if it is in both lists and the security callback allows it
 * for SSL_SECOP_CURVE_SHARED.  Always returns 0 on the client side.
 */
uint16_t tls1_shared_group(SSL *s, int nmatch)
{
    const uint16_t *first, *second;
    size_t nfirst, nsecond, i;
    int found = 0;

    /* Only a server has a peer list to intersect with. */
    if (!s->server)
        return 0;

    if (nmatch == -2) {
        if (tls1_suiteb(s)) {
            /*
             * Suite B: the negotiated ciphersuite dictates the curve, and
             * earlier checks already established it is acceptable.  The
             * caller must have selected s->s3->tmp.new_cipher by now
             * (tls1_check_group_id() guards that pointer; this path does
             * not).
             */
            switch (s->s3->tmp.new_cipher->id) {
            case TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
                return TLSEXT_curve_P_256;
            case TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
                return TLSEXT_curve_P_384;
            default:
                /* Should never happen for a Suite B ciphersuite */
                return 0;
            }
        }
        /* Otherwise the tmp key simply uses the first shared group. */
        nmatch = 0;
    }

    if ((s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
        tls1_get_supported_groups(s, &first, &nfirst);
        tls1_get_peer_groups(s, &second, &nsecond);
    } else {
        tls1_get_peer_groups(s, &first, &nfirst);
        tls1_get_supported_groups(s, &second, &nsecond);
    }

    for (i = 0; i < nfirst; i++) {
        uint16_t id = first[i];

        if (!tls1_in_list(id, second, nsecond))
            continue;
        if (!tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
            continue;
        if (found == nmatch)
            return id;
        found++;
    }

    if (nmatch == -1)
        return (uint16_t)found;
    /* nmatch was beyond the number of shared groups. */
    return 0;
}
    337      1.1  christos 
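/*
 * Replace a supported-groups list with the TLS curve ids for |ngroups| NIDs.
 *
 * Every NID must map to a known curve id and no id may appear twice;
 * otherwise the function fails and leaves *pext/*pextlen untouched.  On
 * success the previous list is freed and replaced by a newly allocated
 * array of |ngroups| ids.
 *
 * Returns 1 on success, 0 on an empty input, an unknown NID, a duplicate,
 * or allocation failure.
 */
int tls1_set_groups(uint16_t **pext, size_t *pextlen,
                    int *groups, size_t ngroups)
{
    uint16_t *glist;
    size_t i;
    /*
     * Bitmap of groups included to detect duplicates.  It can only track
     * ids below the bit width of unsigned long, so ids that do not fit are
     * refused instead of shifting out of range (undefined behaviour).
     * nid_list currently tops out at id 30, so that branch guards future
     * table growth rather than any reachable input today.
     */
    unsigned long dup_list = 0;
    const uint16_t max_bitmap_id = (uint16_t)(sizeof(dup_list) * 8 - 1);

    if (ngroups == 0) {
        SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH);
        return 0;
    }
    if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
        SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    for (i = 0; i < ngroups; i++) {
        unsigned long idmask;
        uint16_t id;

        /* TODO(TLS1.3): Convert for DH groups */
        id = tls1_nid2group_id(groups[i]);
        /* Unknown NID, or an id the duplicate bitmap cannot represent. */
        if (id == 0 || id > max_bitmap_id) {
            OPENSSL_free(glist);
            return 0;
        }
        idmask = 1UL << id;
        if ((dup_list & idmask) != 0) {
            OPENSSL_free(glist);
            return 0;
        }
        dup_list |= idmask;
        glist[i] = id;
    }
    /* Only swap in the new list once every entry has been validated. */
    OPENSSL_free(*pext);
    *pext = glist;
    *pextlen = ngroups;
    return 1;
}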
    375      1.1  christos 
    376  1.1.1.2  christos # define MAX_CURVELIST   OSSL_NELEM(nid_list)
    377      1.1  christos 
/*
 * Accumulator for nid_cb(): the NIDs parsed so far from a colon-separated
 * group list.  nidcnt is the number of valid entries in nid_arr; the array
 * is bounded by MAX_CURVELIST, the size of nid_list.
 */
typedef struct {
    size_t nidcnt;
    int nid_arr[MAX_CURVELIST];
} nid_cb_st;
    382      1.1  christos 
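/*
 * CONF_parse_list() callback: resolve one group name to a NID and append it
 * to the nid_cb_st in |arg|.
 *
 * |elem| is the element text (not NUL-terminated) and |len| its length.
 * The name is tried as a NIST curve name, then a short name, then a long
 * name.  Rejects NULL elements, names longer than 19 bytes, unknown names,
 * duplicates, and any element once MAX_CURVELIST entries are held.
 *
 * Returns 1 to keep parsing, 0 to abort the parse.
 */
static int nid_cb(const char *elem, int len, void *arg)
{
    nid_cb_st *narg = arg;
    size_t i;
    int nid;
    char etmp[20];

    if (elem == NULL)
        return 0;
    if (narg->nidcnt == MAX_CURVELIST)
        return 0;
    /*
     * |len| is an int: reject a negative value explicitly rather than let
     * it become a huge size_t in memcpy(), and keep one byte for the NUL.
     */
    if (len < 0 || len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, (size_t)len);
    etmp[len] = '\0';

    nid = EC_curve_nist2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_sn2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_ln2nid(etmp);
    if (nid == NID_undef)
        return 0;

    /* A group listed twice is a configuration error. */
    for (i = 0; i < narg->nidcnt; i++)
        if (narg->nid_arr[i] == nid)
            return 0;
    narg->nid_arr[narg->nidcnt++] = nid;
    return 1;
}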
    410      1.1  christos 
/*
 * Set a supported-groups list from a colon-separated string of curve names
 * (e.g. "X25519:P-256:secp384r1").
 *
 * The string is fully parsed and validated by nid_cb() first.  With
 * pext == NULL the call only validates the string and returns 1 without
 * storing anything; otherwise the parsed NIDs are handed to
 * tls1_set_groups(), which replaces *pext/*pextlen.
 *
 * Returns 1 on success, 0 if the string is malformed or the groups are
 * rejected.
 */
int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
{
    nid_cb_st ncb = { 0 };

    if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
        return 0;
    if (pext == NULL)
        return 1;   /* validation-only mode */
    return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
}
/*
 * Return the TLS curve id of an EC key's group.
 *
 * Returns 0 if |pkey| is not an EC key or if its curve is not in nid_list.
 */
static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
{
    EC_KEY *ec;
    int curve_nid;

    ec = EVP_PKEY_get0_EC_KEY(pkey);
    if (ec == NULL)
        return 0;
    curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
    return tls1_nid2group_id(curve_nid);
}
    433  1.1.1.2  christos 
/*
 * Check that an EC key's point encoding is acceptable to the peer.
 *
 * Non-EC keys trivially pass.  For EC keys the required ec_point_formats
 * value is derived from the key's conversion form: uncompressed, or the
 * prime/char2 compressed format matching the curve's field type.  In
 * TLSv1.3 compressed keys always pass because the extension is not used.
 * If the peer sent no ec_point_formats extension every format is allowed
 * (RFC 4492); otherwise the required format must appear in the peer's list.
 *
 * Returns 1 if compatible, 0 otherwise (including an unrecognised field type).
 */
static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
{
    const EC_KEY *ec;
    unsigned char required;
    const unsigned char *peer_formats;
    size_t i, peer_len;

    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
        return 1;

    ec = EVP_PKEY_get0_EC_KEY(pkey);

    if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
        required = TLSEXT_ECPOINTFORMAT_uncompressed;
    } else if (SSL_IS_TLS13(s)) {
        /* No ec_point_formats extension in TLSv1.3: nothing to match. */
        return 1;
    } else {
        const EC_GROUP *grp = EC_KEY_get0_group(ec);
        int field = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));

        if (field == NID_X9_62_prime_field)
            required = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
        else if (field == NID_X9_62_characteristic_two_field)
            required = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
        else
            return 0;
    }

    peer_formats = s->ext.peer_ecpointformats;
    if (peer_formats == NULL)
        return 1;
    peer_len = s->ext.peer_ecpointformats_len;
    for (i = 0; i < peer_len; i++) {
        if (peer_formats[i] == required)
            return 1;
    }
    return 0;
}
    480  1.1.1.2  christos 
/*
 * Check whether a group id is acceptable for this connection.
 *
 * The checks, in order: the id must be non-zero; in Suite B mode, once a
 * ciphersuite is selected, it must be the curve that ciphersuite mandates;
 * if |check_own_groups| is set it must be in our own supported list; it
 * must pass the security callback for SSL_SECOP_CURVE_CHECK; and, on the
 * server only, it must be in the peer's list when the peer sent one.
 *
 * Returns 1 if acceptable, 0 otherwise.
 */
int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
{
    const uint16_t *list;
    size_t listlen;

    if (group_id == 0)
        return 0;

    if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
        uint16_t required;

        switch (s->s3->tmp.new_cipher->id) {
        case TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
            required = TLSEXT_curve_P_256;
            break;
        case TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
            required = TLSEXT_curve_P_384;
            break;
        default:
            /* Should never happen: Suite B allows only the two above. */
            return 0;
        }
        if (group_id != required)
            return 0;
    }

    if (check_own_groups) {
        tls1_get_supported_groups(s, &list, &listlen);
        if (!tls1_in_list(group_id, list, listlen))
            return 0;
    }

    if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
        return 0;

    /* A client has no peer list to consult. */
    if (!s->server)
        return 1;

    tls1_get_peer_groups(s, &list, &listlen);
    /*
     * RFC 4492 makes the supported groups extension optional and forbids an
     * empty list in it, so listlen == 0 can only mean the peer did not send
     * it; any curve is then acceptable.
     */
    if (listlen == 0)
        return 1;
    return tls1_in_list(group_id, list, listlen);
}
    533      1.1  christos 
/*
 * Return our ec_point_formats list.
 *
 * Sets *pformats/*num_formats to the configured list if one was set, else
 * to ecformats_default.  In Suite B mode the default list is shortened by
 * one entry to drop the char2 compressed format, which relies on that
 * format being the last element of ecformats_default.  The returned
 * pointer aliases static or connection-owned storage.
 */
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
                         size_t *num_formats)
{
    size_t count;

    if (s->ext.ecpointformats != NULL) {
        *pformats = s->ext.ecpointformats;
        *num_formats = s->ext.ecpointformats_len;
        return;
    }

    *pformats = ecformats_default;
    count = sizeof(ecformats_default);
    if (tls1_suiteb(s))
        count -= 1;     /* no binary-field curves in Suite B */
    *num_formats = count;
}
    552      1.1  christos 
/*
 * Check that a certificate's key parameters are compatible with the
 * negotiated extensions. Only EC keys are examined: point compression must
 * be permitted and, unless we are the server, the key's group must be in
 * our supported-groups list. With |check_ee_md| set and Suite B in force,
 * the scheme fixed by the curve (ECDSA+SHA256 for P-256, ECDSA+SHA384 for
 * P-384) must also be among the shared signature algorithms.
 *
 * Returns 1 if compatible, 0 otherwise (including when |x| has no usable
 * public key).
 */
static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
{
    EVP_PKEY *pkey = X509_get0_pubkey(x);
    uint16_t group_id;
    int want_sigandhash;
    size_t i;

    if (pkey == NULL)
        return 0;
    /* Only EC keys carry parameters that need checking here */
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
        return 1;
    if (!tls1_check_pkey_comp(s, pkey))
        return 0;

    group_id = tls1_get_group_id(pkey);
    /* A server's own certificate need not use a group from our list */
    if (!tls1_check_group_id(s, group_id, !s->server))
        return 0;

    if (!check_ee_md || !tls1_suiteb(s))
        return 1;

    /* Suite B: the signing scheme is dictated by the curve */
    switch (group_id) {
    case TLSEXT_curve_P_256:
        want_sigandhash = NID_ecdsa_with_SHA256;
        break;
    case TLSEXT_curve_P_384:
        want_sigandhash = NID_ecdsa_with_SHA384;
        break;
    default:
        return 0;               /* Should never happen */
    }
    for (i = 0; i < s->shared_sigalgslen; i++) {
        if (s->shared_sigalgs[i]->sigandhash == want_sigandhash)
            return 1;
    }
    return 0;
}
    600      1.1  christos 
/*
 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
 * @s: SSL connection
 * @cid: Cipher ID we're considering using
 *
 * Decides whether the kECDHE cipher suite |cid| can be used given the
 * client's extensions. Outside Suite B any shared group suffices; in
 * Suite B the curve is pinned to the cipher (AES-128-GCM -> P-256,
 * AES-256-GCM -> P-384) and any other cipher is refused.
 *
 * Returns 0 when the cipher can't be used or 1 when it can.
 */
int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
{
    if (!tls1_suiteb(s))
        return tls1_shared_group(s, 0) != 0;

    switch (cid) {
    case TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
        return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
    case TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
        return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);
    default:
        /* No other curves (or ciphers) are permitted under Suite B */
        return 0;
    }
}
    627      1.1  christos 
    628      1.1  christos #else
    629      1.1  christos 
/*
 * EC support is compiled out: there are no certificate parameters to
 * validate, so every certificate is accepted. All arguments are unused.
 */
static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
{
    (void)s;
    (void)x;
    (void)set_ee_md;
    return 1;
}
    634      1.1  christos 
    635      1.1  christos #endif                          /* OPENSSL_NO_EC */
    636      1.1  christos 
/*
 * Default signature scheme list, used by tls12_get_psigalgs() and
 * tls_check_sigalg_curve() when none was configured
 * (s->cert->conf_sigalgs == NULL). Entries are TLSEXT_SIGALG_* code points
 * and are handed to the peer in this order, so earlier entries are presumably
 * the preferred ones. The SHA-1/SHA-224 and DSA entries exist for TLS <= 1.2
 * peers only: tls12_check_peer_sigalg() rejects both under TLS 1.3.
 */
static const uint16_t tls12_sigalgs[] = {
#ifndef OPENSSL_NO_EC
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
    TLSEXT_SIGALG_ed25519,
    TLSEXT_SIGALG_ed448,
#endif

    TLSEXT_SIGALG_rsa_pss_pss_sha256,
    TLSEXT_SIGALG_rsa_pss_pss_sha384,
    TLSEXT_SIGALG_rsa_pss_pss_sha512,
    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
    TLSEXT_SIGALG_rsa_pss_rsae_sha512,

    TLSEXT_SIGALG_rsa_pkcs1_sha256,
    TLSEXT_SIGALG_rsa_pkcs1_sha384,
    TLSEXT_SIGALG_rsa_pkcs1_sha512,

#ifndef OPENSSL_NO_EC
    /* Legacy ECDSA schemes (not bound to a curve in sigalg_lookup_tbl) */
    TLSEXT_SIGALG_ecdsa_sha224,
    TLSEXT_SIGALG_ecdsa_sha1,
#endif
    TLSEXT_SIGALG_rsa_pkcs1_sha224,
    TLSEXT_SIGALG_rsa_pkcs1_sha1,
#ifndef OPENSSL_NO_DSA
    TLSEXT_SIGALG_dsa_sha224,
    TLSEXT_SIGALG_dsa_sha1,

    TLSEXT_SIGALG_dsa_sha256,
    TLSEXT_SIGALG_dsa_sha384,
    TLSEXT_SIGALG_dsa_sha512,
#endif
#ifndef OPENSSL_NO_GOST
    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
    TLSEXT_SIGALG_gostr34102001_gostr3411,
#endif
};
    678      1.1  christos 
    679  1.1.1.2  christos #ifndef OPENSSL_NO_EC
/*
 * Suite B signature schemes. Index 0 is the P-256/SHA-256 entry and index 1
 * the P-384/SHA-384 entry; tls12_get_psigalgs() returns both, the first
 * alone or the second alone depending on which Suite B flag is set.
 */
static const uint16_t suiteb_sigalgs[] = {
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384
};
    684  1.1.1.2  christos #endif
    685      1.1  christos 
/*
 * Table of known signature schemes, searched by tls1_lookup_sigalg().
 * Fields, in order: name (NULL entries presumably cannot be selected by
 * name), TLSEXT_SIGALG_* code point, digest NID (NID_undef for digest-less
 * schemes such as EdDSA), digest index for ssl_md() (-1 when there is no
 * digest), key type (EVP_PKEY_*), certificate slot index (SSL_PKEY_*),
 * combined signature+hash NID, and the curve NID the scheme is bound to
 * (NID_undef when the scheme is not tied to a single curve). The curve
 * binding is enforced in tls12_check_peer_sigalg() for TLS 1.3 and Suite B.
 */
static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
#ifndef OPENSSL_NO_EC
    {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
    {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA384, NID_secp384r1},
    {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA512, NID_secp521r1},
    /* EdDSA: no separate digest, so hash is NID_undef and hash_idx is -1 */
    {"ed25519", TLSEXT_SIGALG_ed25519,
     NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
     NID_undef, NID_undef},
    {"ed448", TLSEXT_SIGALG_ed448,
     NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
     NID_undef, NID_undef},
    /* Legacy ECDSA schemes: any curve, rejected under TLS 1.3 */
    {NULL, TLSEXT_SIGALG_ecdsa_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA224, NID_undef},
    {NULL, TLSEXT_SIGALG_ecdsa_sha1,
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA1, NID_undef},
#endif
    /* RSA-PSS with an rsaEncryption key: slot SSL_PKEY_RSA */
    {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
     NID_undef, NID_undef},
    {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
     NID_undef, NID_undef},
    {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
     NID_undef, NID_undef},
    /* RSA-PSS with an RSASSA-PSS key: slot SSL_PKEY_RSA_PSS_SIGN */
    {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
    {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
    {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
    /* RSA PKCS#1 v1.5 */
    {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha256WithRSAEncryption, NID_undef},
    {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha384WithRSAEncryption, NID_undef},
    {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha512WithRSAEncryption, NID_undef},
    {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha224WithRSAEncryption, NID_undef},
    {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha1WithRSAEncryption, NID_undef},
#ifndef OPENSSL_NO_DSA
    /* DSA: only usable for TLS <= 1.2 (tls12_check_peer_sigalg() rejects it for 1.3) */
    {NULL, TLSEXT_SIGALG_dsa_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_dsa_with_SHA256, NID_undef},
    {NULL, TLSEXT_SIGALG_dsa_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_dsa_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_dsa_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_dsa_sha1,
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_dsaWithSHA1, NID_undef},
#endif
#ifndef OPENSSL_NO_GOST
    {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
     NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
     NID_id_GostR3410_2001, SSL_PKEY_GOST01,
     NID_undef, NID_undef}
#endif
};
/*
 * Legacy scheme for TLS < 1.2 RSA signatures: PKCS#1 v1.5 over the MD5+SHA1
 * concatenation. It is not part of sigalg_lookup_tbl and uses code point 0;
 * tls1_get_legacy_sigalg() returns it for RSA keys when SSL_USE_SIGALGS()
 * is false.
 */
static const SIGALG_LOOKUP legacy_rsa_sigalg = {
    "rsa_pkcs1_md5_sha1", 0,
     NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
     EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_undef, NID_undef
};
    782      1.1  christos 
/*
 * Default signature algorithm values used if signature algorithms not present.
 * From RFC5246. Note: order must match certificate index order (SSL_PKEY_*),
 * since tls1_get_legacy_sigalg() indexes this table by slot. A 0 entry means
 * the slot has no legacy default: tls1_lookup_sigalg(0) finds nothing and the
 * lookup fails.
 */
static const uint16_t tls_default_sigalg[] = {
    TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
    0, /* SSL_PKEY_RSA_PSS_SIGN */
    TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
    TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
    TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
    0, /* SSL_PKEY_ED25519 */
    0, /* SSL_PKEY_ED448 */
};
    798  1.1.1.2  christos 
/*
 * Find the sigalg_lookup_tbl entry for the signature scheme code point
 * |sigalg|. Returns a pointer into the table, or NULL when the code point
 * is unknown (or compiled out).
 */
static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
{
    size_t idx;

    for (idx = 0; idx < OSSL_NELEM(sigalg_lookup_tbl); idx++) {
        if (sigalg_lookup_tbl[idx].sigalg == sigalg)
            return &sigalg_lookup_tbl[idx];
    }
    return NULL;
}
/*
 * Resolve the digest associated with signature scheme |lu|.
 *
 * Returns 1 on success and, when |pmd| is non-NULL, stores the digest in
 * |*pmd|; a scheme without a digest (lu->hash == NID_undef) yields NULL
 * there. Returns 0 when |lu| is NULL or the digest is not enabled.
 */
int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
{
    const EVP_MD *md = NULL;

    if (lu == NULL)
        return 0;
    if (lu->hash != NID_undef) {
        /* ssl_md() yields NULL for a digest that is not available */
        md = ssl_md(lu->hash_idx);
        if (md == NULL)
            return 0;
    }
    if (pmd != NULL)
        *pmd = md;
    return 1;
}
    830  1.1.1.2  christos 
    831  1.1.1.2  christos /*
    832  1.1.1.2  christos  * Check if key is large enough to generate RSA-PSS signature.
    833  1.1.1.2  christos  *
 * The key must be greater than or equal to 2 * hash length + 2 bytes.
    835  1.1.1.2  christos  * SHA512 has a hash length of 64 bytes, which is incompatible
    836  1.1.1.2  christos  * with a 128 byte (1024 bit) key.
    837  1.1.1.2  christos  */
#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
/*
 * Check that |rsa| is large enough for an RSA-PSS signature with the digest
 * of scheme |lu|: the modulus size in bytes must be at least
 * 2 * digest length + 2. Returns 1 if so; 0 if the key is too small, |rsa|
 * is NULL, or the scheme has no usable digest.
 */
static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
{
    const EVP_MD *md = NULL;
    int min_bytes;

    if (rsa == NULL || !tls1_lookup_md(lu, &md) || md == NULL)
        return 0;
    min_bytes = RSA_PSS_MINIMUM_KEY_SIZE(md);
    return RSA_size(rsa) >= min_bytes;
}
    851  1.1.1.2  christos 
/*
 * Returns a signature algorithm when the peer did not send a list of supported
 * signature algorithms. The signature algorithm is fixed for the certificate
 * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
 * certificate type from |s| will be used: on a server it is derived from the
 * ciphersuite's authentication mask, on a client from the selected key slot.
 * Returns the signature algorithm to use, or NULL on error (no matching slot,
 * no default scheme for the slot, digest unavailable, or scheme rejected by
 * tls12_sigalg_allowed()).
 */
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
{
    if (idx == -1) {
        if (s->server) {
            size_t i;

            /* Work out index corresponding to ciphersuite */
            for (i = 0; i < SSL_PKEY_NUM; i++) {
                /* i < SSL_PKEY_NUM, so the lookup is expected to succeed */
                const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);

                if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
                    idx = i;
                    break;
                }
            }

            /*
             * Some GOST ciphersuites allow more than one signature algorithm:
             * pick the highest-indexed GOST slot (GOST12_512 down to GOST01)
             * for which we hold a private key.
             */
            if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
                int real_idx;

                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
                     real_idx--) {
                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
                        idx = real_idx;
                        break;
                    }
                }
            }
        } else {
            /* Client: slot index of the key cert->key currently points at */
            idx = s->cert->key - s->cert->pkeys;
        }
    }
    /* idx is still -1 if no slot matched the ciphersuite above */
    if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
        return NULL;
    if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
        /* A 0 entry in tls_default_sigalg gives lu == NULL and fails below */
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);

        if (!tls1_lookup_md(lu, NULL))
            return NULL;
        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
            return NULL;
        return lu;
    }
    /* Sigalgs not in use and an RSA key: PKCS#1 v1.5 over MD5+SHA1 */
    if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
        return NULL;
    return &legacy_rsa_sigalg;
}
/*
 * Record in s->s3->tmp.peer_sigalg the signature scheme implied by the
 * peer's key type |pkey|, for use when the peer sent no
 * signature_algorithms list. Returns 1 on success, 0 if the key type is
 * unknown or no scheme is usable for it.
 */
int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
{
    size_t slot = 0;
    const SIGALG_LOOKUP *scheme = NULL;

    if (ssl_cert_lookup_by_pkey(pkey, &slot) == NULL)
        return 0;
    scheme = tls1_get_legacy_sigalg(s, (int)slot);
    if (scheme == NULL)
        return 0;
    s->s3->tmp.peer_sigalg = scheme;
    return 1;
}
    922  1.1.1.2  christos 
/*
 * Select the signature_algorithms list for |s|, store it in |*psigs| and
 * return its length. In Suite B mode the fixed Suite B list (or the single
 * appropriate entry) is returned regardless of configuration. Otherwise
 * client_sigalgs is used when |sent| equals our role (server sending a
 * certificate request, or client choosing a shared algorithm), then
 * conf_sigalgs, then the built-in tls12_sigalgs default.
 */
size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
{
#ifndef OPENSSL_NO_EC
    unsigned long suiteb = tls1_suiteb(s);

    if (suiteb == SSL_CERT_FLAG_SUITEB_128_LOS) {
        *psigs = suiteb_sigalgs;
        return OSSL_NELEM(suiteb_sigalgs);
    }
    if (suiteb == SSL_CERT_FLAG_SUITEB_128_LOS_ONLY) {
        *psigs = suiteb_sigalgs;            /* P-256/SHA-256 only */
        return 1;
    }
    if (suiteb == SSL_CERT_FLAG_SUITEB_192_LOS) {
        *psigs = suiteb_sigalgs + 1;        /* P-384/SHA-384 only */
        return 1;
    }
#endif
    if (s->server == sent && s->cert->client_sigalgs != NULL) {
        *psigs = s->cert->client_sigalgs;
        return s->cert->client_sigalgslen;
    }
    if (s->cert->conf_sigalgs != NULL) {
        *psigs = s->cert->conf_sigalgs;
        return s->cert->conf_sigalgslen;
    }
    *psigs = tls12_sigalgs;
    return OSSL_NELEM(tls12_sigalgs);
}
    960      1.1  christos 
    961  1.1.1.2  christos #ifndef OPENSSL_NO_EC
/*
 * Called by servers only. Returns 1 if at least one ECDSA scheme in our
 * configured (or, failing that, default) signature_algorithms list is bound
 * to the curve with NID |curve|, 0 otherwise.
 */
int tls_check_sigalg_curve(const SSL *s, int curve)
{
    const uint16_t *sigs = tls12_sigalgs;
    size_t siglen = OSSL_NELEM(tls12_sigalgs);
    size_t i;

    /* An explicitly configured list overrides the built-in default */
    if (s->cert->conf_sigalgs != NULL) {
        sigs = s->cert->conf_sigalgs;
        siglen = s->cert->conf_sigalgslen;
    }

    for (i = 0; i < siglen; i++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigs[i]);

        /* Unknown schemes and schemes without a fixed curve never match */
        if (lu != NULL && lu->sig == EVP_PKEY_EC && lu->curve != NID_undef
            && lu->curve == curve)
            return 1;
    }
    return 0;
}
    992  1.1.1.2  christos #endif
    993  1.1.1.2  christos 
/*
 * Return the number of security bits for the signature algorithm, or 0 on
 * error. Digest-based schemes are rated at half the digest length in bits;
 * EdDSA schemes use the fixed values from RFC 8032 section 8.5.
 */
static int sigalg_security_bits(const SIGALG_LOOKUP *lu)
{
    const EVP_MD *md = NULL;

    if (!tls1_lookup_md(lu, &md))
        return 0;
    /* EVP_MD_size() is in bytes: bytes * 8 / 2 == bytes * 4 */
    if (md != NULL)
        return EVP_MD_size(md) * 4;
    /* No digest: only the EdDSA schemes have a known rating */
    switch (lu->sigalg) {
    case TLSEXT_SIGALG_ed25519:
        return 128;
    case TLSEXT_SIGALG_ed448:
        return 224;
    default:
        return 0;
    }
}
   1018  1.1.1.2  christos 
   1019      1.1  christos /*
   1020      1.1  christos  * Check signature algorithm is consistent with sent supported signature
   1021  1.1.1.2  christos  * algorithms and if so set relevant digest and signature scheme in
   1022  1.1.1.2  christos  * s.
   1023      1.1  christos  */
   1024  1.1.1.2  christos int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
   1025      1.1  christos {
   1026  1.1.1.2  christos     const uint16_t *sent_sigs;
   1027  1.1.1.2  christos     const EVP_MD *md = NULL;
   1028  1.1.1.2  christos     char sigalgstr[2];
   1029  1.1.1.2  christos     size_t sent_sigslen, i, cidx;
   1030  1.1.1.2  christos     int pkeyid = EVP_PKEY_id(pkey);
   1031  1.1.1.2  christos     const SIGALG_LOOKUP *lu;
   1032  1.1.1.2  christos     int secbits = 0;
   1033  1.1.1.2  christos 
   1034      1.1  christos     /* Should never happen */
   1035  1.1.1.2  christos     if (pkeyid == -1)
   1036      1.1  christos         return -1;
   1037  1.1.1.2  christos     if (SSL_IS_TLS13(s)) {
   1038  1.1.1.2  christos         /* Disallow DSA for TLS 1.3 */
   1039  1.1.1.2  christos         if (pkeyid == EVP_PKEY_DSA) {
   1040  1.1.1.2  christos             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
   1041  1.1.1.2  christos                      SSL_R_WRONG_SIGNATURE_TYPE);
   1042  1.1.1.2  christos             return 0;
   1043  1.1.1.2  christos         }
   1044  1.1.1.2  christos         /* Only allow PSS for TLS 1.3 */
   1045  1.1.1.2  christos         if (pkeyid == EVP_PKEY_RSA)
   1046  1.1.1.2  christos             pkeyid = EVP_PKEY_RSA_PSS;
   1047  1.1.1.2  christos     }
   1048  1.1.1.2  christos     lu = tls1_lookup_sigalg(sig);
   1049  1.1.1.2  christos     /*
   1050  1.1.1.2  christos      * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
   1051  1.1.1.2  christos      * is consistent with signature: RSA keys can be used for RSA-PSS
   1052  1.1.1.2  christos      */
   1053  1.1.1.2  christos     if (lu == NULL
   1054  1.1.1.2  christos         || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
   1055  1.1.1.2  christos         || (pkeyid != lu->sig
   1056  1.1.1.2  christos         && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
   1057  1.1.1.2  christos         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
   1058  1.1.1.2  christos                  SSL_R_WRONG_SIGNATURE_TYPE);
   1059  1.1.1.2  christos         return 0;
   1060  1.1.1.2  christos     }
   1061  1.1.1.2  christos     /* Check the sigalg is consistent with the key OID */
   1062  1.1.1.2  christos     if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx)
   1063  1.1.1.2  christos             || lu->sig_idx != (int)cidx) {
   1064  1.1.1.2  christos         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
   1065  1.1.1.2  christos                  SSL_R_WRONG_SIGNATURE_TYPE);
   1066      1.1  christos         return 0;
   1067      1.1  christos     }
   1068  1.1.1.2  christos 
   1069  1.1.1.2  christos #ifndef OPENSSL_NO_EC
   1070  1.1.1.2  christos     if (pkeyid == EVP_PKEY_EC) {
   1071  1.1.1.2  christos 
   1072  1.1.1.2  christos         /* Check point compression is permitted */
   1073  1.1.1.2  christos         if (!tls1_check_pkey_comp(s, pkey)) {
   1074  1.1.1.2  christos             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
   1075  1.1.1.2  christos                      SSL_F_TLS12_CHECK_PEER_SIGALG,
   1076  1.1.1.2  christos                      SSL_R_ILLEGAL_POINT_COMPRESSION);
   1077      1.1  christos             return 0;
   1078      1.1  christos         }
   1079  1.1.1.2  christos 
   1080  1.1.1.2  christos         /* For TLS 1.3 or Suite B check curve matches signature algorithm */
   1081  1.1.1.2  christos         if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
   1082  1.1.1.2  christos             EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
   1083  1.1.1.2  christos             int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
   1084  1.1.1.2  christos 
   1085  1.1.1.2  christos             if (lu->curve != NID_undef && curve != lu->curve) {
   1086  1.1.1.2  christos                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
   1087  1.1.1.2  christos                          SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
   1088      1.1  christos                 return 0;
   1089  1.1.1.2  christos             }
   1090  1.1.1.2  christos         }
   1091  1.1.1.2  christos         if (!SSL_IS_TLS13(s)) {
   1092  1.1.1.2  christos             /* Check curve matches extensions */
   1093  1.1.1.2  christos             if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
   1094  1.1.1.2  christos                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
   1095  1.1.1.2  christos                          SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
   1096  1.1.1.2  christos                 return 0;
   1097  1.1.1.2  christos             }
   1098  1.1.1.2  christos             if (tls1_suiteb(s)) {
   1099  1.1.1.2  christos                 /* Check sigalg matches a permissible Suite B value */
   1100  1.1.1.2  christos                 if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
   1101  1.1.1.2  christos                     && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
   1102  1.1.1.2  christos                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
   1103  1.1.1.2  christos                              SSL_F_TLS12_CHECK_PEER_SIGALG,
   1104  1.1.1.2  christos                              SSL_R_WRONG_SIGNATURE_TYPE);
   1105      1.1  christos                     return 0;
   1106      1.1  christos                 }
   1107  1.1.1.2  christos             }
   1108      1.1  christos         }
   1109  1.1.1.2  christos     } else if (tls1_suiteb(s)) {
   1110  1.1.1.2  christos         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
   1111  1.1.1.2  christos                  SSL_R_WRONG_SIGNATURE_TYPE);
   1112      1.1  christos         return 0;
   1113  1.1.1.2  christos     }
   1114  1.1.1.2  christos #endif
   1115      1.1  christos 
   1116      1.1  christos     /* Check signature matches a type we sent */
   1117  1.1.1.2  christos     sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
   1118  1.1.1.2  christos     for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
   1119  1.1.1.2  christos         if (sig == *sent_sigs)
   1120      1.1  christos             break;
   1121      1.1  christos     }
   1122      1.1  christos     /* Allow fallback to SHA1 if not strict mode */
   1123  1.1.1.2  christos     if (i == sent_sigslen && (lu->hash != NID_sha1
   1124  1.1.1.2  christos         || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
   1125  1.1.1.2  christos         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
   1126  1.1.1.2  christos                  SSL_R_WRONG_SIGNATURE_TYPE);
   1127      1.1  christos         return 0;
   1128      1.1  christos     }
   1129  1.1.1.2  christos     if (!tls1_lookup_md(lu, &md)) {
   1130  1.1.1.2  christos         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
   1131  1.1.1.2  christos                  SSL_R_UNKNOWN_DIGEST);
   1132      1.1  christos         return 0;
   1133      1.1  christos     }
   1134      1.1  christos     /*
   1135  1.1.1.2  christos      * Make sure security callback allows algorithm. For historical
   1136  1.1.1.2  christos      * reasons we have to pass the sigalg as a two byte char array.
   1137      1.1  christos      */
   1138  1.1.1.2  christos     sigalgstr[0] = (sig >> 8) & 0xff;
   1139  1.1.1.2  christos     sigalgstr[1] = sig & 0xff;
   1140  1.1.1.2  christos     secbits = sigalg_security_bits(lu);
   1141  1.1.1.2  christos     if (secbits == 0 ||
   1142  1.1.1.2  christos         !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
   1143  1.1.1.2  christos                       md != NULL ? EVP_MD_type(md) : NID_undef,
   1144  1.1.1.2  christos                       (void *)sigalgstr)) {
   1145  1.1.1.2  christos         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
   1146  1.1.1.2  christos                  SSL_R_WRONG_SIGNATURE_TYPE);
   1147  1.1.1.2  christos         return 0;
   1148  1.1.1.2  christos     }
   1149  1.1.1.2  christos     /* Store the sigalg the peer uses */
   1150  1.1.1.2  christos     s->s3->tmp.peer_sigalg = lu;
   1151  1.1.1.2  christos     return 1;
   1152  1.1.1.2  christos }
   1153  1.1.1.2  christos 
/*
 * Report the signature type NID of the sigalg the peer used on this
 * connection, as recorded in s->s3->tmp.peer_sigalg.
 *
 * Returns 1 and stores the NID in *pnid when a peer sigalg is recorded;
 * returns 0 and leaves *pnid untouched when none is.
 */
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
{
    const SIGALG_LOOKUP *peer_alg = s->s3->tmp.peer_sigalg;

    if (peer_alg == NULL)
        return 0;

    *pnid = peer_alg->sig;
    return 1;
}
   1161  1.1.1.2  christos 
/*
 * Report the signature type NID of the sigalg this side selected for its
 * own signatures, as recorded in s->s3->tmp.sigalg.
 *
 * Returns 1 and stores the NID in *pnid when a sigalg has been chosen;
 * returns 0 and leaves *pnid untouched when none has.
 */
int SSL_get_signature_type_nid(const SSL *s, int *pnid)
{
    const SIGALG_LOOKUP *own_alg = s->s3->tmp.sigalg;

    if (own_alg == NULL)
        return 0;

    *pnid = own_alg->sig;
    return 1;
}
   1169      1.1  christos 
/*
 * Build this client's masks of disabled algorithms. An algorithm is disabled
 * when it is not supported, is missing from the supported signature
 * algorithms, or is ruled out by the enabled protocol versions or by the
 * security level.
 *
 * Client side only: it exists to decide which ciphers the client may offer.
 * ssl_cipher_disabled() reads the masks written here.
 *
 * Returns 1 on success, or 0 if the enabled protocol version range cannot
 * be determined (the authentication mask has already been set by then).
 */
int ssl_set_client_disabled(SSL *s)
{
    uint32_t *mask_a = &s->s3->tmp.mask_a;
    uint32_t *mask_k = &s->s3->tmp.mask_k;

    *mask_a = 0;
    *mask_k = 0;
    /* Authentication types ruled out by the signature algorithm policy */
    ssl_set_sig_mask(mask_a, s, SSL_SECOP_SIGALG_MASK);
    if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver,
                                &s->s3->tmp.max_ver, NULL))
        return 0;
#ifndef OPENSSL_NO_PSK
    /* PSK is only usable on a client that has a PSK callback installed */
    if (s->psk_client_callback == NULL) {
        *mask_a |= SSL_aPSK;
        *mask_k |= SSL_PSK;
    }
#endif                          /* OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_SRP
    /* SRP key exchange needs the SRP mask bit to have been enabled */
    if ((s->srp_ctx.srp_Mask & SSL_kSRP) == 0) {
        *mask_a |= SSL_aSRP;
        *mask_k |= SSL_kSRP;
    }
#endif
    return 1;
}
   1203      1.1  christos 
/*
 * ssl_cipher_disabled - decide whether a cipher may not be used on |s|
 * @s: the connection the cipher would be used on
 * @c: the cipher to test
 * @op: the security-callback operation to check the cipher against
 * @ecdhe: when 1, TLSv1 ECDHE ciphers are also accepted under SSLv3
 *
 * A cipher is disabled if its key-exchange or authentication bits appear in
 * the connection's disabled masks, if no protocol version is enabled at all,
 * if it lies outside the enabled (D)TLS version range, or if the security
 * callback rejects it.
 *
 * Returns 1 if the cipher is disabled, 0 if it may be used.
 */
int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
{
    const int min_ver = s->s3->tmp.min_ver;
    const int max_ver = s->s3->tmp.max_ver;

    if ((c->algorithm_mkey & s->s3->tmp.mask_k) != 0
        || (c->algorithm_auth & s->s3->tmp.mask_a) != 0)
        return 1;
    /* No enabled version at all: nothing can be negotiated */
    if (max_ver == 0)
        return 1;

    if (SSL_IS_DTLS(s)) {
        if (DTLS_VERSION_GT(c->min_dtls, max_ver)
            || DTLS_VERSION_LT(c->max_dtls, min_ver))
            return 1;
    } else {
        int cipher_min = c->min_tls;
        int ecdhe_kx =
            (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0;

        /*
         * Historically a client accepts a server choosing an ECDHE cipher
         * under SSLv3, so such a TLSv1 cipher is treated as usable from
         * SSLv3 when the caller asks for it.
         */
        if (cipher_min == TLS1_VERSION && ecdhe && ecdhe_kx)
            cipher_min = SSL3_VERSION;

        if (cipher_min > max_ver || c->max_tls < min_ver)
            return 1;
    }

    /* Last word goes to the security callback */
    return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}
   1240      1.1  christos 
/*
 * Decide whether session tickets may be used on this connection: they must
 * not have been switched off with SSL_OP_NO_TICKET and the security
 * callback must permit them.
 *
 * Returns the security callback's verdict (non-zero to allow), or 0 when
 * tickets are disabled by option.
 */
int tls_use_ticket(SSL *s)
{
    int ticket_off = (s->options & SSL_OP_NO_TICKET) != 0;

    if (ticket_off)
        return 0;
    return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}
   1247      1.1  christos 
/*
 * Work out, on the server, which of our certificates can sign for this
 * connection given the signature algorithms the peer sent.
 *
 * Any previously computed shared sigalgs and per-certificate validity flags
 * are reset first. When the peer sent no signature algorithms at all, each
 * certificate type is marked usable for signing (CERT_PKEY_SIGN) only if
 * its legacy default sigalg is one we ourselves offered. Otherwise the
 * peer's sigalgs are processed into the shared list.
 *
 * Returns 1 on success. Returns 0 after raising a fatal alert when sigalg
 * processing fails or when no signature algorithm is shared with the peer.
 */
int tls1_set_server_sigalgs(SSL *s)
{
    size_t idx;

    /* Drop any shared sigalgs computed for an earlier handshake */
    OPENSSL_free(s->shared_sigalgs);
    s->shared_sigalgs = NULL;
    s->shared_sigalgslen = 0;
    /* Reset the certificate validity flags */
    memset(s->s3->tmp.valid_flags, 0, sizeof(s->s3->tmp.valid_flags));

    if (s->s3->tmp.peer_cert_sigalgs == NULL
            && s->s3->tmp.peer_sigalgs == NULL) {
        /*
         * No sigalgs from the peer: fall back to the legacy default for each
         * certificate type, accepting it only if we sent that sigalg too.
         */
        const uint16_t *sent_sigs;
        size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);

        for (idx = 0; idx < SSL_PKEY_NUM; idx++) {
            const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, idx);
            size_t k = 0;

            if (lu == NULL)
                continue;
            while (k < sent_sigslen && sent_sigs[k] != lu->sigalg)
                k++;
            if (k < sent_sigslen)
                s->s3->tmp.valid_flags[idx] = CERT_PKEY_SIGN;
        }
        return 1;
    }

    if (!tls1_process_sigalgs(s)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (s->shared_sigalgs == NULL) {
        /* Nothing in common with the peer: the handshake cannot continue */
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
                 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
        return 0;
    }
    return 1;
}
   1298      1.1  christos 
/*-
 * Fetch and decrypt the session ticket carried in the ClientHello, if any.
 *
 *   hello: the parsed ClientHello data
 *   ret: (output) on return, if a ticket was decrypted, this points at the
 *       resulting session; otherwise it is set to NULL.
 *
 * s->ext.ticket_expected is cleared on entry; tls_decrypt_ticket() may set
 * it again.
 *
 * Returns SSL_TICKET_NONE when tickets are disabled, not usable at the
 * negotiated version, or no session_ticket extension is present. Otherwise
 * returns the status reported by tls_decrypt_ticket().
 */
SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
                                             SSL_SESSION **ret)
{
    RAW_EXTENSION *ticketext =
        &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];

    *ret = NULL;
    s->ext.ticket_expected = 0;

    /*
     * Tickets disabled, or not supported at this protocol version
     * (e.g. TLSv1.3): behave as if none was sent so that stateful
     * resumption remains possible.
     */
    if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
        return SSL_TICKET_NONE;
    if (!ticketext->present)
        return SSL_TICKET_NONE;

    return tls_decrypt_ticket(s, PACKET_data(&ticketext->data),
                              PACKET_remaining(&ticketext->data),
                              hello->session_id, hello->session_id_len, ret);
}
   1332      1.1  christos 
/*-
 * tls_decrypt_ticket attempts to decrypt a session ticket.
 *
 * Ticket layout as consumed here: a key name of TLSEXT_KEYNAME_LENGTH bytes,
 * followed by the cipher IV, the encrypted DER-encoded SSL_SESSION, and a
 * trailing HMAC of length HMAC_size(hctx) covering everything before it.
 *
 * If s->ext.session_secret_cb is set and we're not doing TLSv1.3 then we are
 * expecting a pre-shared key ciphersuite, in which case we have no use for
 * session tickets and one will never be decrypted, nor will
 * s->ext.ticket_expected be set to 1.
 *
 * Side effects:
 *   Sets s->ext.ticket_expected to 1 if the server will have to issue
 *   a new session ticket to the client because the client indicated support
 *   (and s->ext.session_secret_cb is NULL, or this is TLSv1.3) but the client
 *   either doesn't have a session ticket or we couldn't use the one it gave
 *   us, or if the ticket should be renewed (s->session_ctx->ext.ticket_key_cb
 *   returned 2, the default keys were used under TLSv1.3, or
 *   s->session_ctx->decrypt_ticket_cb asked for renewal).
 *   Otherwise s->ext.ticket_expected is left untouched; the caller
 *   tls_get_ticket_from_client() clears it before calling.
 *
 *   etick: points to the body of the session ticket extension.
 *   eticklen: the length of the session tickets extension.
 *   sess_id: points at the session ID.
 *   sesslen: the length of the session ID.
 *   psess: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session; otherwise NULL.
 *
 * Returns one of:
 *   SSL_TICKET_EMPTY            - zero-length ticket (client wants one)
 *   SSL_TICKET_NO_DECRYPT       - ticket present but unusable: unknown key
 *                                 name, too short, bad HMAC, bad padding,
 *                                 trailing data, or session parse failure
 *   SSL_TICKET_SUCCESS          - *psess holds the decrypted session
 *   SSL_TICKET_SUCCESS_RENEW    - as above, and a fresh ticket should be sent
 *   SSL_TICKET_NONE             - decrypt_ticket_cb asked to ignore the ticket
 *   SSL_TICKET_FATAL_ERR_MALLOC - context allocation failed
 *   SSL_TICKET_FATAL_ERR_OTHER  - crypto or callback failure
 */
SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
                                     size_t eticklen, const unsigned char *sess_id,
                                     size_t sesslen, SSL_SESSION **psess)
{
    SSL_SESSION *sess = NULL;
    unsigned char *sdec;
    const unsigned char *p;
    int slen, renew_ticket = 0, declen;
    SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
    size_t mlen;
    unsigned char tick_hmac[EVP_MAX_MD_SIZE];
    HMAC_CTX *hctx = NULL;
    EVP_CIPHER_CTX *ctx = NULL;
    /* Ticket keys and callbacks live on the session context, not s->ctx */
    SSL_CTX *tctx = s->session_ctx;

    if (eticklen == 0) {
        /*
         * The client will accept a ticket but doesn't currently have
         * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
         */
        ret = SSL_TICKET_EMPTY;
        goto end;
    }
    if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) {
        /*
         * Indicate that the ticket couldn't be decrypted rather than
         * generating the session from ticket now, trigger
         * abbreviated handshake based on external mechanism to
         * calculate the master secret later.
         */
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }

    /* Need at least keyname + iv */
    if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }

    /* Initialize session ticket encryption and HMAC contexts */
    hctx = HMAC_CTX_new();
    if (hctx == NULL) {
        ret = SSL_TICKET_FATAL_ERR_MALLOC;
        goto end;
    }
    ctx = EVP_CIPHER_CTX_new();
    if (ctx == NULL) {
        ret = SSL_TICKET_FATAL_ERR_MALLOC;
        goto end;
    }
    if (tctx->ext.ticket_key_cb) {
        /*
         * The application callback is handed writable pointers to the key
         * name and IV, hence the cast away from const; it is presumably
         * expected to only read them here (enc == 0 selects decryption).
         */
        unsigned char *nctick = (unsigned char *)etick;
        int rv = tctx->ext.ticket_key_cb(s, nctick,
                                         nctick + TLSEXT_KEYNAME_LENGTH,
                                         ctx, hctx, 0);
        /* rv < 0: error; 0: key name not recognised; 1: ok; 2: ok but renew */
        if (rv < 0) {
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            goto end;
        }
        if (rv == 0) {
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }
        if (rv == 2)
            renew_ticket = 1;
    } else {
        /* Check key name matches */
        if (memcmp(etick, tctx->ext.tick_key_name,
                   TLSEXT_KEYNAME_LENGTH) != 0) {
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }
        /* Default keys: HMAC-SHA256 over the ticket, AES-256-CBC for the body */
        if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
                         sizeof(tctx->ext.secure->tick_hmac_key),
                         EVP_sha256(), NULL) <= 0
            || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
                                  tctx->ext.secure->tick_aes_key,
                                  etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            goto end;
        }
        /* TLSv1.3 tickets are single-use, so always issue a replacement */
        if (SSL_IS_TLS13(s))
            renew_ticket = 1;
    }
    /*
     * Attempt to process session ticket, first conduct sanity and integrity
     * checks on ticket.
     */
    mlen = HMAC_size(hctx);
    if (mlen == 0) {
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }

    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
    if (eticklen <=
        TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    /* From here on eticklen no longer covers the trailing HMAC */
    eticklen -= mlen;
    /* Check HMAC of encrypted ticket */
    if (HMAC_Update(hctx, etick, eticklen) <= 0
        || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }

    /* Constant-time comparison: the ticket is attacker-supplied input */
    if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    /* Attempt to decrypt session data */
    /* Move p after IV to start of encrypted ticket, update length */
    p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
    eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
    /*
     * Plaintext is never longer than ciphertext, so eticklen bytes suffice.
     * The cast to int relies on eticklen fitting an int; it originates from
     * an extension body, which is presumably bounded by the caller's parsing.
     */
    sdec = OPENSSL_malloc(eticklen);
    if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
                                          (int)eticklen) <= 0) {
        OPENSSL_free(sdec);
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }
    /* A padding failure is reported as "cannot decrypt", not as fatal */
    if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
        OPENSSL_free(sdec);
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    slen += declen;
    p = sdec;

    sess = d2i_SSL_SESSION(NULL, &p, slen);
    /* d2i advances p past the parsed DER; slen becomes the leftover count */
    slen -= p - sdec;
    OPENSSL_free(sdec);
    if (sess) {
        /* Some additional consistency checks */
        /* Reject trailing bytes after the session structure */
        if (slen != 0) {
            SSL_SESSION_free(sess);
            sess = NULL;
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }
        /*
         * The session ID, if non-empty, is used by some clients to detect
         * that the ticket has been accepted. So we copy it to the session
         * structure. If it is empty set length to zero as required by
         * standard.
         */
        /*
         * NOTE(review): assumes sesslen <= sizeof(sess->session_id); that
         * bound is presumably enforced by the ClientHello parser, not here.
         */
        if (sesslen) {
            memcpy(sess->session_id, sess_id, sesslen);
            sess->session_id_length = sesslen;
        }
        if (renew_ticket)
            ret = SSL_TICKET_SUCCESS_RENEW;
        else
            ret = SSL_TICKET_SUCCESS;
        goto end;
    }
    ERR_clear_error();
    /*
     * For session parse failure, indicate that we need to send a new ticket.
     */
    ret = SSL_TICKET_NO_DECRYPT;

 end:
    EVP_CIPHER_CTX_free(ctx);
    HMAC_CTX_free(hctx);

    /*
     * If set, the decrypt_ticket_cb() is called unless a fatal error was
     * detected above. The callback is responsible for checking |ret| before it
     * performs any action
     */
    if (s->session_ctx->decrypt_ticket_cb != NULL
            && (ret == SSL_TICKET_EMPTY
                || ret == SSL_TICKET_NO_DECRYPT
                || ret == SSL_TICKET_SUCCESS
                || ret == SSL_TICKET_SUCCESS_RENEW)) {
        /*
         * NOTE(review): eticklen may already have been reduced by mlen and by
         * keyname + IV on the decrypt path above, so keyname_len can be
         * shorter than the key name actually present in etick even though
         * etick itself still starts with the full key name. Confirm whether
         * callers of the callback rely on the full length.
         */
        size_t keyname_len = eticklen;
        int retcb;

        if (keyname_len > TLSEXT_KEYNAME_LENGTH)
            keyname_len = TLSEXT_KEYNAME_LENGTH;
        retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len,
                                                  ret,
                                                  s->session_ctx->ticket_cb_data);
        /* The callback may override the status; keep |sess| consistent with it */
        switch (retcb) {
        case SSL_TICKET_RETURN_ABORT:
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            break;

        case SSL_TICKET_RETURN_IGNORE:
            ret = SSL_TICKET_NONE;
            SSL_SESSION_free(sess);
            sess = NULL;
            break;

        case SSL_TICKET_RETURN_IGNORE_RENEW:
            if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT)
                ret = SSL_TICKET_NO_DECRYPT;
            /* else the value of |ret| will already do the right thing */
            SSL_SESSION_free(sess);
            sess = NULL;
            break;

        case SSL_TICKET_RETURN_USE:
        case SSL_TICKET_RETURN_USE_RENEW:
            /* Using a ticket that was not successfully decrypted is an error */
            if (ret != SSL_TICKET_SUCCESS
                    && ret != SSL_TICKET_SUCCESS_RENEW)
                ret = SSL_TICKET_FATAL_ERR_OTHER;
            else if (retcb == SSL_TICKET_RETURN_USE)
                ret = SSL_TICKET_SUCCESS;
            else
                ret = SSL_TICKET_SUCCESS_RENEW;
            break;

        default:
            /* Unknown callback result: fail closed */
            ret = SSL_TICKET_FATAL_ERR_OTHER;
        }
    }

    /* Decide whether a NewSessionTicket must be sent (see header comment) */
    if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) {
        switch (ret) {
        case SSL_TICKET_NO_DECRYPT:
        case SSL_TICKET_SUCCESS_RENEW:
        case SSL_TICKET_EMPTY:
            s->ext.ticket_expected = 1;
        }
    }

    *psess = sess;

    return ret;
}
   1591      1.1  christos 
   1592  1.1.1.2  christos /* Check to see if a signature algorithm is allowed */
   1593  1.1.1.2  christos static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
   1594      1.1  christos {
   1595  1.1.1.2  christos     unsigned char sigalgstr[2];
   1596  1.1.1.2  christos     int secbits;
   1597  1.1.1.2  christos 
   1598  1.1.1.2  christos     /* See if sigalgs is recognised and if hash is enabled */
   1599  1.1.1.2  christos     if (!tls1_lookup_md(lu, NULL))
   1600      1.1  christos         return 0;
   1601  1.1.1.2  christos     /* DSA is not allowed in TLS 1.3 */
   1602  1.1.1.2  christos     if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
   1603      1.1  christos         return 0;
   1604  1.1.1.2  christos     /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
   1605  1.1.1.2  christos     if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
   1606  1.1.1.2  christos         && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
   1607  1.1.1.2  christos             || lu->hash_idx == SSL_MD_MD5_IDX
   1608  1.1.1.2  christos             || lu->hash_idx == SSL_MD_SHA224_IDX))
   1609      1.1  christos         return 0;
   1610      1.1  christos 
   1611  1.1.1.2  christos     /* See if public key algorithm allowed */
   1612  1.1.1.2  christos     if (ssl_cert_is_disabled(lu->sig_idx))
   1613  1.1.1.2  christos         return 0;
   1614      1.1  christos 
   1615  1.1.1.2  christos     if (lu->sig == NID_id_GostR3410_2012_256
   1616  1.1.1.2  christos             || lu->sig == NID_id_GostR3410_2012_512
   1617  1.1.1.2  christos             || lu->sig == NID_id_GostR3410_2001) {
   1618  1.1.1.2  christos         /* We never allow GOST sig algs on the server with TLSv1.3 */
   1619  1.1.1.2  christos         if (s->server && SSL_IS_TLS13(s))
   1620  1.1.1.2  christos             return 0;
   1621  1.1.1.2  christos         if (!s->server
   1622  1.1.1.2  christos                 && s->method->version == TLS_ANY_VERSION
   1623  1.1.1.2  christos                 && s->s3->tmp.max_ver >= TLS1_3_VERSION) {
   1624  1.1.1.2  christos             int i, num;
   1625  1.1.1.2  christos             STACK_OF(SSL_CIPHER) *sk;
   1626      1.1  christos 
   1627  1.1.1.2  christos             /*
   1628  1.1.1.2  christos              * We're a client that could negotiate TLSv1.3. We only allow GOST
   1629  1.1.1.2  christos              * sig algs if we could negotiate TLSv1.2 or below and we have GOST
   1630  1.1.1.2  christos              * ciphersuites enabled.
   1631  1.1.1.2  christos              */
   1632      1.1  christos 
   1633  1.1.1.2  christos             if (s->s3->tmp.min_ver >= TLS1_3_VERSION)
   1634  1.1.1.2  christos                 return 0;
   1635      1.1  christos 
   1636  1.1.1.2  christos             sk = SSL_get_ciphers(s);
   1637  1.1.1.2  christos             num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0;
   1638  1.1.1.2  christos             for (i = 0; i < num; i++) {
   1639  1.1.1.2  christos                 const SSL_CIPHER *c;
   1640  1.1.1.2  christos 
   1641  1.1.1.2  christos                 c = sk_SSL_CIPHER_value(sk, i);
   1642  1.1.1.2  christos                 /* Skip disabled ciphers */
   1643  1.1.1.2  christos                 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
   1644  1.1.1.2  christos                     continue;
   1645  1.1.1.2  christos 
   1646  1.1.1.2  christos                 if ((c->algorithm_mkey & SSL_kGOST) != 0)
   1647  1.1.1.2  christos                     break;
   1648  1.1.1.2  christos             }
   1649  1.1.1.2  christos             if (i == num)
   1650  1.1.1.2  christos                 return 0;
   1651  1.1.1.2  christos         }
   1652      1.1  christos     }
   1653  1.1.1.2  christos 
   1654  1.1.1.2  christos     /* Finally see if security callback allows it */
   1655  1.1.1.2  christos     secbits = sigalg_security_bits(lu);
   1656  1.1.1.2  christos     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
   1657  1.1.1.2  christos     sigalgstr[1] = lu->sigalg & 0xff;
   1658  1.1.1.2  christos     return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
   1659      1.1  christos }
   1660      1.1  christos 
/*
 * OR into *pmask_a the public key authentication algorithms (RSA, DSA,
 * ECDSA) that no usable signature algorithm covers.
 *
 * All three start out disabled; each supported sigalg that the security
 * check for |op| accepts re-enables the algorithms in its certificate
 * lookup mask (e.g. a permitted RSA sigalg clears SSL_aRSA).
 */
void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
{
    const uint16_t *sigalgs;
    size_t idx, sigalgslen;
    uint32_t still_disabled = SSL_aRSA | SSL_aDSS | SSL_aECDSA;

    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
    for (idx = 0; idx < sigalgslen; idx++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigalgs[idx]);
        const SSL_CERT_LOOKUP *clu;

        if (lu == NULL)
            continue;
        clu = ssl_cert_lookup_by_idx(lu->sig_idx);
        if (clu == NULL)
            continue;
        /* Nothing left to re-enable for this key type: skip the security check */
        if ((clu->amask & still_disabled) == 0)
            continue;
        if (tls12_sigalg_allowed(s, op, lu))
            still_disabled &= ~clu->amask;
    }
    *pmask_a |= still_disabled;
}
   1695      1.1  christos 
/*
 * Write each entry of |psig| that passes the SSL_SECOP_SIGALG_SUPPORTED
 * security check to |pkt| as a 2-byte value.
 *
 * Returns 1 if at least one written sigalg can sign handshake messages
 * (for TLS 1.3 that excludes PKCS#1 RSA and the SHA1/SHA224 hashes), 0 if a
 * write failed or no suitable algorithm was found; the latter raises
 * SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM.
 */
int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
                       const uint16_t *psig, size_t psiglen)
{
    size_t idx;
    int have_usable = 0;

    for (idx = 0; idx < psiglen; idx++) {
        uint16_t sigalg = psig[idx];
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigalg);

        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
            continue;
        if (!WPACKET_put_bytes_u16(pkt, sigalg))
            return 0;
        if (have_usable)
            continue;
        if (!SSL_IS_TLS13(s)) {
            have_usable = 1;
        } else if (lu->sig != EVP_PKEY_RSA
                   && lu->hash != NID_sha1
                   && lu->hash != NID_sha224) {
            /* TLS 1.3 needs at least one valid message signing algorithm */
            have_usable = 1;
        }
    }
    if (!have_usable)
        SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
    return have_usable;
}
   1723      1.1  christos 
/*
 * Intersect the preference list |pref| with the allowed list |allow|,
 * preserving |pref| order and skipping entries the SSL_SECOP_SIGALG_SHARED
 * security check rejects. When |shsig| is non-NULL the matching lookups are
 * stored there in order. Returns the number of matches.
 */
static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
                                   const uint16_t *pref, size_t preflen,
                                   const uint16_t *allow, size_t allowlen)
{
    size_t pi, nmatch = 0;

    for (pi = 0; pi < preflen; pi++) {
        uint16_t cand = pref[pi];
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(cand);
        size_t ai;

        /* Skip disabled hashes or signature algorithms */
        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
            continue;
        for (ai = 0; ai < allowlen; ai++) {
            if (allow[ai] == cand)
                break;
        }
        if (ai == allowlen)
            continue;
        if (shsig != NULL)
            shsig[nmatch] = lu;
        nmatch++;
    }
    return nmatch;
}
   1748      1.1  christos 
/*
 * Recompute s->shared_sigalgs / s->shared_sigalgslen from our configured
 * sigalgs and the peer's. Any previous shared list is released first.
 *
 * Our list is the client list (client side), the configured list, or the
 * default list; Suite B always uses the default list. Which side's list is
 * the preference order depends on SSL_OP_CIPHER_SERVER_PREFERENCE and Suite B.
 * Returns 1 on success, 0 on allocation failure (with the shared list reset).
 */
static int tls1_set_shared_sigalgs(SSL *s)
{
    const uint16_t *pref, *allow, *conf;
    size_t preflen, allowlen, conflen, nmatch;
    const SIGALG_LOOKUP **salgs = NULL;
    CERT *c = s->cert;
    unsigned int is_suiteb = tls1_suiteb(s);
    int server_pref;

    OPENSSL_free(s->shared_sigalgs);
    s->shared_sigalgs = NULL;
    s->shared_sigalgslen = 0;

    if (is_suiteb) {
        conflen = tls12_get_psigalgs(s, 0, &conf);
    } else if (!s->server && c->client_sigalgs != NULL) {
        /* Client side: explicitly configured client sigalgs win */
        conf = c->client_sigalgs;
        conflen = c->client_sigalgslen;
    } else if (c->conf_sigalgs != NULL) {
        conf = c->conf_sigalgs;
        conflen = c->conf_sigalgslen;
    } else {
        conflen = tls12_get_psigalgs(s, 0, &conf);
    }

    server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0
                  || is_suiteb;
    if (server_pref) {
        pref = conf;
        preflen = conflen;
        allow = s->s3->tmp.peer_sigalgs;
        allowlen = s->s3->tmp.peer_sigalgslen;
    } else {
        pref = s->s3->tmp.peer_sigalgs;
        preflen = s->s3->tmp.peer_sigalgslen;
        allow = conf;
        allowlen = conflen;
    }

    /* First pass only counts, so we know how much to allocate */
    nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
    if (nmatch > 0) {
        salgs = OPENSSL_malloc(nmatch * sizeof(*salgs));
        if (salgs == NULL) {
            SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
    }
    s->shared_sigalgs = salgs;
    s->shared_sigalgslen = nmatch;
    return 1;
}
   1796      1.1  christos 
/*
 * Read the remainder of |pkt| as a list of network-order 16-bit values into
 * a freshly allocated array, replacing (and freeing) any array previously
 * stored at *pdest and storing the element count in *pdestlen.
 *
 * Returns 0 without touching *pdest if the remaining length is zero or odd,
 * on allocation failure, or if the packet runs short; 1 on success.
 */
int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
{
    size_t nbytes = PACKET_remaining(pkt);
    size_t count, filled;
    uint16_t *vals;

    /* Zero or odd byte count cannot be a list of u16 */
    if (nbytes == 0 || (nbytes % 2) != 0)
        return 0;
    count = nbytes / 2;

    vals = OPENSSL_malloc(count * sizeof(*vals));
    if (vals == NULL) {
        SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    for (filled = 0; filled < count; filled++) {
        unsigned int v;

        if (!PACKET_get_net_2(pkt, &v))
            break;
        vals[filled] = (uint16_t)v;
    }
    if (filled != count) {
        OPENSSL_free(vals);
        return 0;
    }

    OPENSSL_free(*pdest);
    *pdest = vals;
    *pdestlen = count;
    return 1;
}
   1829  1.1.1.2  christos 
/*
 * Store the peer's signature_algorithms (|cert| == 0) or
 * signature_algorithms_cert (|cert| != 0) extension body from |pkt| into
 * the matching s->s3->tmp field via tls1_save_u16().
 *
 * Returns 1 when sigalgs are not used for this version (extension ignored),
 * 0 if there is no CERT, otherwise the result of tls1_save_u16().
 */
int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert)
{
    uint16_t **dest;
    size_t *destlen;

    /* Extension ignored for inappropriate versions */
    if (!SSL_USE_SIGALGS(s))
        return 1;
    /* Should never happen */
    if (s->cert == NULL)
        return 0;

    if (cert) {
        dest = &s->s3->tmp.peer_cert_sigalgs;
        destlen = &s->s3->tmp.peer_cert_sigalgslen;
    } else {
        dest = &s->s3->tmp.peer_sigalgs;
        destlen = &s->s3->tmp.peer_sigalgslen;
    }
    return tls1_save_u16(pkt, dest, destlen);
}
   1847      1.1  christos 
/*
 * Recompute the shared sigalgs and then mark, per key type in
 * s->s3->tmp.valid_flags, which certificate slots can explicitly sign.
 *
 * A slot is marked CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN the first time a
 * shared sigalg for its key type is seen, unless that key type is disabled.
 * PKCS#1 RSA sigalgs are ignored under TLS 1.3. Returns 0 only if the shared
 * sigalgs could not be computed.
 */
int tls1_process_sigalgs(SSL *s)
{
    uint32_t *pvalid = s->s3->tmp.valid_flags;
    size_t n;

    if (!tls1_set_shared_sigalgs(s))
        return 0;

    for (n = SSL_PKEY_NUM; n > 0; n--)
        pvalid[n - 1] = 0;

    for (n = 0; n < s->shared_sigalgslen; n++) {
        const SIGALG_LOOKUP *sa = s->shared_sigalgs[n];
        int idx;

        /* Ignore PKCS1 based sig algs in TLSv1.3 */
        if (SSL_IS_TLS13(s) && sa->sig == EVP_PKEY_RSA)
            continue;
        idx = sa->sig_idx;
        /* Already marked, or key type disabled: nothing to do */
        if (pvalid[idx] != 0 || ssl_cert_is_disabled(idx))
            continue;
        pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
    }
    return 1;
}
   1874      1.1  christos 
/*
 * Public accessor for the peer's signature_algorithms list.
 *
 * Returns 0 if the peer sent none (or the count does not fit an int).
 * A negative |idx| only reports the count. For 0 <= idx < count the entry
 * is decoded: the raw high/low bytes go to *rhash / *rsig, and the NIDs to
 * *psign, *phash, *psignhash (NID_undef if the sigalg is unknown). Each
 * output pointer may be NULL. Returns the count on success, 0 if |idx| is
 * out of range.
 */
int SSL_get_sigalgs(SSL *s, int idx,
                    int *psign, int *phash, int *psignhash,
                    unsigned char *rsig, unsigned char *rhash)
{
    const uint16_t *peer = s->s3->tmp.peer_sigalgs;
    size_t count = s->s3->tmp.peer_sigalgslen;
    const SIGALG_LOOKUP *lu;
    uint16_t sigalg;
    int sig = NID_undef, hash = NID_undef, sighash = NID_undef;

    if (peer == NULL || count > INT_MAX)
        return 0;
    /* Negative index: caller only wants the number of entries */
    if (idx < 0)
        return (int)count;
    if ((size_t)idx >= count)
        return 0;

    sigalg = peer[idx];
    if (rhash != NULL)
        *rhash = (unsigned char)((sigalg >> 8) & 0xff);
    if (rsig != NULL)
        *rsig = (unsigned char)(sigalg & 0xff);

    lu = tls1_lookup_sigalg(sigalg);
    if (lu != NULL) {
        sig = lu->sig;
        hash = lu->hash;
        sighash = lu->sigandhash;
    }
    if (psign != NULL)
        *psign = sig;
    if (phash != NULL)
        *phash = hash;
    if (psignhash != NULL)
        *psignhash = sighash;
    return (int)count;
}
   1903      1.1  christos 
/*
 * Public accessor for the shared sigalgs computed by
 * tls1_set_shared_sigalgs().
 *
 * Returns 0 if there is no shared list, |idx| is out of range, or the count
 * does not fit an int. Otherwise fills whichever of *psign, *phash,
 * *psignhash, *rsig, *rhash are non-NULL from entry |idx| and returns the
 * number of shared sigalgs.
 */
int SSL_get_shared_sigalgs(SSL *s, int idx,
                           int *psign, int *phash, int *psignhash,
                           unsigned char *rsig, unsigned char *rhash)
{
    const SIGALG_LOOKUP *lu;
    size_t count = s->shared_sigalgslen;

    if (s->shared_sigalgs == NULL || count > INT_MAX)
        return 0;
    if (idx < 0 || (size_t)idx >= count)
        return 0;

    lu = s->shared_sigalgs[idx];
    if (psign != NULL)
        *psign = lu->sig;
    if (phash != NULL)
        *phash = lu->hash;
    if (psignhash != NULL)
        *psignhash = lu->sigandhash;
    /* Raw wire encoding: high byte is the hash, low byte the signature */
    if (rhash != NULL)
        *rhash = (unsigned char)((lu->sigalg >> 8) & 0xff);
    if (rsig != NULL)
        *rsig = (unsigned char)(lu->sigalg & 0xff);
    return (int)count;
}
   1927      1.1  christos 
/* Maximum possible number of unique entries in sigalgs array */
#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)

/*
 * Accumulator handed to sig_cb() as the CONF_parse_list() callback argument
 * while a colon separated sigalgs string is parsed.
 */
typedef struct {
    /* Number of entries of sigalgs[] filled so far */
    size_t sigalgcnt;
    /* TLSEXT_SIGALG_XXX values */
    uint16_t sigalgs[TLS_MAX_SIGALGCNT];
} sig_cb_st;
   1936      1.1  christos 
/*
 * Classify one "sig+hash" component. A known signature keyword sets *psig
 * to the matching EVP_PKEY type; anything else is treated as a digest name
 * and resolved (short name first, then long name) into *phash, which is
 * left as NID_undef when the name is unknown.
 */
static void get_sigorhash(int *psig, int *phash, const char *str)
{
    static const struct {
        const char *name;
        int pkey_type;
    } sig_names[] = {
        { "RSA", EVP_PKEY_RSA },
        { "RSA-PSS", EVP_PKEY_RSA_PSS },
        { "PSS", EVP_PKEY_RSA_PSS },
        { "DSA", EVP_PKEY_DSA },
        { "ECDSA", EVP_PKEY_EC },
    };
    size_t i;

    for (i = 0; i < OSSL_NELEM(sig_names); i++) {
        if (strcmp(str, sig_names[i].name) == 0) {
            *psig = sig_names[i].pkey_type;
            return;
        }
    }
    *phash = OBJ_sn2nid(str);
    if (*phash == NID_undef)
        *phash = OBJ_ln2nid(str);
}
/*
 * Maximum length of a signature algorithm string component, including the
 * terminating NUL; sig_cb() rejects any element that does not fit.
 */
#define TLS_MAX_SIGSTRING_LEN   40
   1955  1.1.1.2  christos 
/*
 * Find the TLSEXT_SIGALG_XXX code for a new-style combined name (e.g. one of
 * the |name| entries of sigalg_lookup_tbl). Returns 1 and sets *code on
 * success, 0 if the name is unknown.
 */
static int sigalg_code_by_name(const char *name, uint16_t *code)
{
    size_t i;

    for (i = 0; i < OSSL_NELEM(sigalg_lookup_tbl); i++) {
        const SIGALG_LOOKUP *s = &sigalg_lookup_tbl[i];

        if (s->name != NULL && strcmp(name, s->name) == 0) {
            *code = s->sigalg;
            return 1;
        }
    }
    return 0;
}

/*
 * Find the first table entry whose signature and hash NIDs both match.
 * Returns 1 and sets *code on success, 0 if there is no such entry.
 */
static int sigalg_code_by_pair(int sig_alg, int hash_alg, uint16_t *code)
{
    size_t i;

    for (i = 0; i < OSSL_NELEM(sigalg_lookup_tbl); i++) {
        const SIGALG_LOOKUP *s = &sigalg_lookup_tbl[i];

        if (s->hash == hash_alg && s->sig == sig_alg) {
            *code = s->sigalg;
            return 1;
        }
    }
    return 0;
}

/*
 * CONF_parse_list() callback: append the sigalg named by |elem| (|len|
 * bytes, not NUL terminated) to the sig_cb_st in |arg|.
 *
 * Only SignatureSchemes listed in sigalg_lookup_tbl are accepted. Without a
 * '+' the element is a new-style combined name; with one it is "sig+hash"
 * and both halves must resolve. sig+hash alone is not unique since TLS 1.3
 * adds rsa_pss_pss_* and rsa_pss_rsae_* that differ only by public key OID;
 * the _rsae_ variant wins because it appears earlier in the table.
 *
 * Returns 0 (aborting the parse) for a NULL or over-long element, a full
 * array, an unknown name, or a duplicate; 1 on success.
 */
static int sig_cb(const char *elem, int len, void *arg)
{
    sig_cb_st *sarg = arg;
    char etmp[TLS_MAX_SIGSTRING_LEN], *plus;
    uint16_t code;
    size_t i;

    if (elem == NULL)
        return 0;
    if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
        return 0;
    /* Leave room for the NUL terminator */
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;

    plus = strchr(etmp, '+');
    if (plus == NULL) {
        if (!sigalg_code_by_name(etmp, &code))
            return 0;
    } else {
        int sig_alg = NID_undef, hash_alg = NID_undef;

        /* Split in place: etmp is the first half, plus the second */
        *plus++ = 0;
        if (*plus == 0)
            return 0;
        get_sigorhash(&sig_alg, &hash_alg, etmp);
        get_sigorhash(&sig_alg, &hash_alg, plus);
        if (sig_alg == NID_undef || hash_alg == NID_undef)
            return 0;
        if (!sigalg_code_by_pair(sig_alg, hash_alg, &code))
            return 0;
    }

    /* Reject duplicates */
    for (i = 0; i < sarg->sigalgcnt; i++) {
        if (sarg->sigalgs[i] == code)
            return 0;
    }
    sarg->sigalgs[sarg->sigalgcnt++] = code;
    return 1;
}
   2020      1.1  christos 
/*
 * Set supported signature algorithms from a colon separated list of the
 * form sig+hash (e.g. RSA+SHA512:DSA+SHA512) or of combined scheme names.
 *
 * With |c| == NULL the list is only parsed and validated, not stored.
 * Returns 0 if the list does not parse or cannot be stored, 1 otherwise.
 */
int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
{
    sig_cb_st sig = { 0 };

    if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
        return 0;
    if (c == NULL)
        return 1;
    return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}
   2035      1.1  christos 
/*
 * Copy |salglen| TLSEXT_SIGALG_XXX codes from |psigs| into a new array and
 * install it as the client sigalgs (|client| != 0) or the configured
 * sigalgs of |c|, freeing whatever was there before.
 *
 * Returns 0 (with |c| untouched) on allocation failure, 1 on success.
 */
int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
                     int client)
{
    uint16_t **slot = client ? &c->client_sigalgs : &c->conf_sigalgs;
    size_t *slotlen = client ? &c->client_sigalgslen : &c->conf_sigalgslen;
    size_t nbytes = salglen * sizeof(*psigs);
    uint16_t *copy = OPENSSL_malloc(nbytes);

    if (copy == NULL) {
        SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    memcpy(copy, psigs, nbytes);

    OPENSSL_free(*slot);
    *slot = copy;
    *slotlen = salglen;
    return 1;
}
   2059  1.1.1.2  christos 
/*
 * Set sigalgs from |salglen| NIDs given as (hash, sig) pairs in |psig_nids|.
 * Each pair is translated to the TLSEXT_SIGALG_XXX code of the first table
 * entry with that hash and signature, then installed as the client
 * (|client| != 0) or configured sigalgs of |c|, replacing the old list.
 *
 * Returns 0 if |salglen| is odd, on allocation failure, or if any pair is
 * not in sigalg_lookup_tbl (nothing is stored in those cases); 1 on success.
 */
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
{
    uint16_t *sigalgs;
    size_t npairs, k;

    /* NIDs come in (hash, sig) pairs, so an odd count is malformed */
    if ((salglen & 1) != 0)
        return 0;
    npairs = salglen / 2;
    sigalgs = OPENSSL_malloc(npairs * sizeof(*sigalgs));
    if (sigalgs == NULL) {
        SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    for (k = 0; k < npairs; k++) {
        int md_id = psig_nids[2 * k];
        int sig_id = psig_nids[2 * k + 1];
        const SIGALG_LOOKUP *curr = sigalg_lookup_tbl;
        size_t j = 0;

        while (j < OSSL_NELEM(sigalg_lookup_tbl)
               && !(curr->hash == md_id && curr->sig == sig_id)) {
            j++;
            curr++;
        }
        if (j == OSSL_NELEM(sigalg_lookup_tbl)) {
            OPENSSL_free(sigalgs);
            return 0;
        }
        sigalgs[k] = curr->sigalg;
    }

    if (client) {
        OPENSSL_free(c->client_sigalgs);
        c->client_sigalgs = sigalgs;
        c->client_sigalgslen = npairs;
    } else {
        OPENSSL_free(c->conf_sigalgs);
        c->conf_sigalgs = sigalgs;
        c->conf_sigalgslen = npairs;
    }
    return 1;
}
   2105      1.1  christos 
/*
 * Check whether the signature algorithm of certificate |x| is acceptable.
 *
 * |default_nid| == -1 accepts anything; a non-zero value requires exactly
 * that NID. Otherwise the certificate's signature NID must appear in the
 * peer's signature_algorithms_cert list (TLS 1.3, when the peer sent one)
 * or else in the shared sigalgs. Returns 1 if acceptable, 0 if not.
 */
static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
{
    int sig_nid;
    size_t i, n;
    const uint16_t *pc_sigalgs = NULL;

    if (default_nid == -1)
        return 1;
    sig_nid = X509_get_signature_nid(x);
    if (default_nid != 0)
        return sig_nid == default_nid;

    if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) {
        /*
         * In TLSv1.3 we only get here when checking the chain; prefer the
         * peer's signature_algorithms_cert if it sent one.
         */
        pc_sigalgs = s->s3->tmp.peer_cert_sigalgs;
        n = s->s3->tmp.peer_cert_sigalgslen;
    } else {
        n = s->shared_sigalgslen;
    }
    for (i = 0; i < n; i++) {
        const SIGALG_LOOKUP *sigalg;

        if (pc_sigalgs != NULL)
            sigalg = tls1_lookup_sigalg(pc_sigalgs[i]);
        else
            sigalg = s->shared_sigalgs[i];
        if (sigalg != NULL && sigalg->sigandhash == sig_nid)
            return 1;
    }
    return 0;
}
   2138      1.1  christos 
/*
 * Return 1 if the issuer name of |x| equals any entry of |names|, 0 if not.
 */
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
{
    X509_NAME *issuer = X509_get_issuer_name(x);
    int i, n = sk_X509_NAME_num(names);

    for (i = 0; i < n; i++) {
        if (X509_NAME_cmp(issuer, sk_X509_NAME_value(names, i)) == 0)
            return 1;
    }
    return 0;
}
   2151      1.1  christos 
   2152      1.1  christos /*
   2153      1.1  christos  * Check certificate chain is consistent with TLS extensions and is usable by
   2154      1.1  christos  * server. This serves two purposes: it allows users to check chains before
   2155      1.1  christos  * passing them to the server and it allows the server to check chains before
   2156      1.1  christos  * attempting to use them.
   2157      1.1  christos  */
   2158      1.1  christos 
/*
 * Flags tls1_check_chain() requires of a certificate when
 * SSL_CERT_FLAGS_CHECK_TLS_STRICT is not set: only the end-entity
 * signature and parameters are checked.
 */

#define CERT_PKEY_VALID_FLAGS \
        (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
/*
 * Strict mode flags: the non-strict set plus CA signatures and parameters,
 * issuer name and certificate type.
 */
#define CERT_PKEY_STRICT_FLAGS \
         (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
         | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
   2167      1.1  christos 
/*
 * Check that a certificate/key pair and its chain are consistent with the TLS
 * extensions the peer sent and are usable in the current handshake.
 *
 * |idx| selects what is checked:
 *   -1   the caller-supplied |x|, |pk| and |chain| (the SSL_check_chain()
 *        path). Every check is run and reported as a CERT_PKEY_* flag instead
 *        of aborting at the first failure (check_flags is non-zero).
 *   -2   the client certificate currently selected in c->key.
 *   >=0  the server certificate slot c->pkeys[idx].
 * For idx != -1 the supplied |x|, |pk| and |chain| are ignored, the slot's
 * own certificate, key and chain are used, and the outcome is recorded in
 * s->s3->tmp.valid_flags[idx].
 *
 * Returns a bitmask of CERT_PKEY_* flags. For an internal slot that does not
 * pass (CERT_PKEY_VALID unset) 0 is returned and only the sign flags are kept
 * in valid_flags.
 */
int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
                     int idx)
{
    int i;
    int rv = 0;
    /* check_flags != 0: report each failure as a missing flag, don't abort */
    int check_flags = 0, strict_mode;
    CERT_PKEY *cpk = NULL;
    CERT *c = s->cert;
    uint32_t *pvalid;
    unsigned int suiteb_flags = tls1_suiteb(s);
    /* idx == -1 means checking a caller-supplied chain (SSL_check_chain()) */
    if (idx != -1) {
        /* idx == -2 means checking client certificate chains */
        if (idx == -2) {
            cpk = c->key;
            idx = (int)(cpk - c->pkeys);
        } else
            cpk = c->pkeys + idx;
        /* Must be set before the first "goto end": end always reads *pvalid */
        pvalid = s->s3->tmp.valid_flags + idx;
        x = cpk->x509;
        pk = cpk->privatekey;
        chain = cpk->chain;
        strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
        /* If no cert or key, forget it */
        if (!x || !pk)
            goto end;
    } else {
        size_t certidx;

        if (!x || !pk)
            return 0;

        /* Unknown key type: there is no slot whose flags could be reported */
        if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
            return 0;
        idx = certidx;
        pvalid = s->s3->tmp.valid_flags + idx;

        if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
            check_flags = CERT_PKEY_STRICT_FLAGS;
        else
            check_flags = CERT_PKEY_VALID_FLAGS;
        /* A caller-supplied chain always gets the full set of checks */
        strict_mode = 1;
    }

    /* Suite B: the whole chain must satisfy the Suite B profile */
    if (suiteb_flags) {
        int ok;
        if (check_flags)
            check_flags |= CERT_PKEY_SUITEB;
        ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
        if (ok == X509_V_OK)
            rv |= CERT_PKEY_SUITEB;
        else if (!check_flags)
            goto end;
    }

    /*
     * Check all signature algorithms are consistent with signature
     * algorithms extension if TLS 1.2 or later and strict mode.
     */
    if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
        int default_nid;
        int rsign = 0;
        /* Peer sent signature_algorithms(_cert): no implied default needed */
        if (s->s3->tmp.peer_cert_sigalgs != NULL
                || s->s3->tmp.peer_sigalgs != NULL) {
            default_nid = 0;
        /* If no sigalgs extension use defaults from RFC5246 */
        } else {
            /*
             * RFC 5246 defaults: the legacy digest for each key type (SHA-1
             * for RSA/DSA/ECDSA, the matching GOST digest for GOST keys).
             * Slots without such a default (e.g. RSA-PSS, Ed25519, Ed448)
             * get -1. Note the non-GOST defaults are all SHA-1 based.
             */
            switch (idx) {
            case SSL_PKEY_RSA:
                rsign = EVP_PKEY_RSA;
                default_nid = NID_sha1WithRSAEncryption;
                break;

            case SSL_PKEY_DSA_SIGN:
                rsign = EVP_PKEY_DSA;
                default_nid = NID_dsaWithSHA1;
                break;

            case SSL_PKEY_ECC:
                rsign = EVP_PKEY_EC;
                default_nid = NID_ecdsa_with_SHA1;
                break;

            case SSL_PKEY_GOST01:
                rsign = NID_id_GostR3410_2001;
                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
                break;

            case SSL_PKEY_GOST12_256:
                rsign = NID_id_GostR3410_2012_256;
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
                break;

            case SSL_PKEY_GOST12_512:
                rsign = NID_id_GostR3410_2012_512;
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
                break;

            default:
                default_nid = -1;
                break;
            }
        }
        /*
         * If peer sent no signature algorithms extension and we have set
         * preferred signature algorithms check we support sha1.
         * The implied default (SHA-1 with this key type) must appear in our
         * own configured list, otherwise this key is unusable here.
         * NOTE(review): for the GOST slots rsign is a GOST NID but the loop
         * still requires lu->hash == NID_sha1, so a configured sigalgs list
         * always fails for them when the peer omits the extension - confirm
         * whether that is intended.
         */
        if (default_nid > 0 && c->conf_sigalgs) {
            size_t j;
            const uint16_t *p = c->conf_sigalgs;
            for (j = 0; j < c->conf_sigalgslen; j++, p++) {
                const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);

                if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
                    break;
            }
            if (j == c->conf_sigalgslen) {
                if (check_flags)
                    goto skip_sigs;
                else
                    goto end;
            }
        }
        /* Check signature algorithm of each cert in chain */
        if (SSL_IS_TLS13(s)) {
            /*
             * We only get here if the application has called SSL_check_chain(),
             * so check_flags is always set.
             */
            if (find_sig_alg(s, x, pk) != NULL)
                rv |= CERT_PKEY_EE_SIGNATURE;
        } else if (!tls1_check_sig_alg(s, x, default_nid)) {
            if (!check_flags)
                goto end;
        } else
            rv |= CERT_PKEY_EE_SIGNATURE;
        /* Assume the CA signatures are fine; clear on the first one that isn't */
        rv |= CERT_PKEY_CA_SIGNATURE;
        for (i = 0; i < sk_X509_num(chain); i++) {
            if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_SIGNATURE;
                    break;
                } else
                    goto end;
            }
        }
    }
    /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
    else if (check_flags)
        rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
 skip_sigs:
    /* Check cert parameters are consistent */
    if (tls1_check_cert_param(s, x, 1))
        rv |= CERT_PKEY_EE_PARAM;
    else if (!check_flags)
        goto end;
    /* Clients never check the parameters of CA certificates */
    if (!s->server)
        rv |= CERT_PKEY_CA_PARAM;
    /* In strict mode check rest of chain too */
    else if (strict_mode) {
        rv |= CERT_PKEY_CA_PARAM;
        for (i = 0; i < sk_X509_num(chain); i++) {
            X509 *ca = sk_X509_value(chain, i);
            if (!tls1_check_cert_param(s, ca, 0)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_PARAM;
                    break;
                } else
                    goto end;
            }
        }
    }
    /*
     * Client side, strict mode: the certificate must match one of the
     * certificate_types and (if any were sent) one of the CA names from the
     * server's CertificateRequest.
     */
    if (!s->server && strict_mode) {
        STACK_OF(X509_NAME) *ca_dn;
        int check_type = 0;
        switch (EVP_PKEY_id(pk)) {
        case EVP_PKEY_RSA:
            check_type = TLS_CT_RSA_SIGN;
            break;
        case EVP_PKEY_DSA:
            check_type = TLS_CT_DSS_SIGN;
            break;
        case EVP_PKEY_EC:
            check_type = TLS_CT_ECDSA_SIGN;
            break;
        }
        if (check_type) {
            const uint8_t *ctypes = s->s3->tmp.ctype;
            size_t j;

            for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
                if (*ctypes == check_type) {
                    rv |= CERT_PKEY_CERT_TYPE;
                    break;
                }
            }
            if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
                goto end;
        } else {
            /* Key types with no TLS_CT_* mapping are not filtered by type */
            rv |= CERT_PKEY_CERT_TYPE;
        }

        ca_dn = s->s3->tmp.peer_ca_names;

        /* No (or empty) CA list from the peer means any issuer is acceptable */
        if (ca_dn == NULL
            || sk_X509_NAME_num(ca_dn) == 0
            || ssl_check_ca_name(ca_dn, x))
            rv |= CERT_PKEY_ISSUER_NAME;
        else
            for (i = 0; i < sk_X509_num(chain); i++) {
                X509 *xtmp = sk_X509_value(chain, i);

                if (ssl_check_ca_name(ca_dn, xtmp)) {
                    rv |= CERT_PKEY_ISSUER_NAME;
                    break;
                }
            }

        if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
            goto end;
    } else
        rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;

    /* Valid if every requested check passed (or no reporting was requested) */
    if (!check_flags || (rv & check_flags) == check_flags)
        rv |= CERT_PKEY_VALID;

 end:

    /*
     * The sign flags are maintained outside this function; for TLS 1.2+ carry
     * over whatever is already recorded for this slot, otherwise grant both.
     */
    if (TLS1_get_version(s) >= TLS1_2_VERSION)
        rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
    else
        rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;

    /*
     * When checking a CERT_PKEY structure all flags are irrelevant if the
     * chain is invalid.
     */
    if (!check_flags) {
        if (rv & CERT_PKEY_VALID) {
            *pvalid = rv;
        } else {
            /* Preserve sign and explicit sign flag, clear rest */
            *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
            return 0;
        }
    }
    return rv;
}
   2416      1.1  christos 
   2417      1.1  christos /* Set validity of certificates in an SSL structure */
/*
 * Set validity of certificates in an SSL structure: run tls1_check_chain()
 * over every certificate slot so that s->s3->tmp.valid_flags[] reflects
 * which configured certificate/key pairs are usable for this handshake.
 * The return values are ignored; the result lives in valid_flags.
 */
void tls1_set_cert_validity(SSL *s)
{
    static const int slots[] = {
        SSL_PKEY_RSA,
        SSL_PKEY_RSA_PSS_SIGN,
        SSL_PKEY_DSA_SIGN,
        SSL_PKEY_ECC,
        SSL_PKEY_GOST01,
        SSL_PKEY_GOST12_256,
        SSL_PKEY_GOST12_512,
        SSL_PKEY_ED25519,
        SSL_PKEY_ED448
    };
    size_t n;

    /* Each slot is checked independently, in the same order as before */
    for (n = 0; n < sizeof(slots) / sizeof(slots[0]); n++)
        tls1_check_chain(s, NULL, NULL, NULL, slots[n]);
}
   2430      1.1  christos 
   2431  1.1.1.2  christos /* User level utility function to check a chain is suitable */
/*
 * User level utility function to check a chain is suitable for use with
 * this connection. The chain is the caller's (not a configured slot), so
 * tls1_check_chain() runs in reporting mode and the result is the full
 * CERT_PKEY_* flag mask rather than just pass/fail.
 */
int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
{
    /* idx -1 selects the caller-supplied x/pk/chain rather than a stored slot */
    const int external_chain = -1;

    return tls1_check_chain(s, x, pk, chain, external_chain);
}
   2436      1.1  christos 
   2437  1.1.1.2  christos #ifndef OPENSSL_NO_DH
/*
 * Build the "automatic" ephemeral DH group for this connection.
 *
 * The target strength is estimated from the handshake: for anonymous or PSK
 * ciphers from the cipher's strength, otherwise from the server's private
 * key (so a weak certificate key does not get a stronger DH group than it
 * deserves). When dh_tmp_auto is 2 that estimate is skipped and only the
 * security level decides. The estimate is never allowed below the current
 * security level's bit strength.
 *
 * Returns a new DH with a well-known RFC 3526 / RFC 2409 group (generator 2)
 * chosen by that strength, or NULL on error or when no certificate is
 * selected for a certificate-authenticated cipher. Caller owns the DH.
 *
 * NOTE(review): anything below 112 bits still falls back to the 1024-bit
 * RFC 2409 group, which is below current recommendations; run at a security
 * level whose bit strength is at least 112 to guarantee a 2048-bit or larger
 * group.
 */
DH *ssl_get_auto_dh(SSL *s)
{
    DH *dh = NULL;
    BIGNUM *prime = NULL, *gen = NULL;
    int secbits = 80, level_bits;

    if (s->cert->dh_tmp_auto != 2) {
        const SSL_CIPHER *cipher = s->s3->tmp.new_cipher;

        if ((cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) != 0) {
            /* No certificate to match: key off the cipher strength */
            secbits = (cipher->strength_bits == 256) ? 128 : 80;
        } else {
            if (s->s3->tmp.cert == NULL)
                return NULL;
            secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
        }
    }

    if ((dh = DH_new()) == NULL)
        return NULL;
    if ((gen = BN_new()) == NULL || !BN_set_word(gen, 2))
        goto err;

    /* Do not pick a prime that is too weak for the current security level */
    level_bits = ssl_get_security_level_bits(s, NULL, NULL);
    if (secbits < level_bits)
        secbits = level_bits;

    if (secbits >= 192)
        prime = BN_get_rfc3526_prime_8192(NULL);
    else if (secbits >= 152)
        prime = BN_get_rfc3526_prime_4096(NULL);
    else if (secbits >= 128)
        prime = BN_get_rfc3526_prime_3072(NULL);
    else if (secbits >= 112)
        prime = BN_get_rfc3526_prime_2048(NULL);
    else
        prime = BN_get_rfc2409_prime_1024(NULL);

    /* DH_set0_pqg takes ownership only on success; on failure we still own both */
    if (prime == NULL || !DH_set0_pqg(dh, prime, NULL, gen))
        goto err;
    return dh;

 err:
    BN_free(prime);
    BN_free(gen);
    DH_free(dh);
    return NULL;
}
   2490  1.1.1.2  christos #endif
   2491  1.1.1.2  christos 
/*
 * Run the security callback for the public key of certificate |x| with
 * operation |op|. Exactly one of |s| / |ctx| is used: the SSL if non-NULL,
 * otherwise the SSL_CTX.
 *
 * Returns the callback's verdict (non-zero = acceptable).
 */
static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
    EVP_PKEY *pkey = X509_get0_pubkey(x);
    /*
     * -1 means "strength unknown" and is rejected by the default security
     * callback at any non-zero level. EVP_PKEY_security_bits() also returns
     * -1 for a key without parameters; that only affects DSA and omission of
     * parameters is never (?) done in practice.
     */
    int secbits = (pkey != NULL) ? EVP_PKEY_security_bits(pkey) : -1;

    if (s != NULL)
        return ssl_security(s, op, secbits, 0, x);
    return ssl_ctx_security(ctx, op, secbits, 0, x);
}
   2510  1.1.1.2  christos 
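/*
 * Run the security callback for the signature on certificate |x| with
 * operation |op|, passing the signature's security bits and digest NID.
 * Self-signed certificates are not checked: their own signature is not what
 * establishes trust, so it carries no security.
 *
 * nid/pknid are initialised to NID_undef so a failed
 * X509_get_signature_info() can never leave them indeterminate; in that
 * case secbits is -1 ("unknown"), which the default callback rejects at any
 * non-zero security level.
 *
 * Returns the callback's verdict (non-zero = acceptable).
 */
static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
    /* Lookup signature algorithm digest */
    int secbits = -1, nid = NID_undef, pknid = NID_undef;

    /* Don't check signature if self signed */
    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
        return 1;
    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
        secbits = -1;
    /* If digest NID not defined use signature NID */
    if (nid == NID_undef)
        nid = pknid;
    if (s)
        return ssl_security(s, op, secbits, nid, x);
    else
        return ssl_ctx_security(ctx, op, secbits, nid, x);
}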
   2528  1.1.1.2  christos 
/*
 * Check one certificate against the security level: its key size (as an
 * end-entity or CA key depending on |is_ee|) and then its signature digest.
 * |vfy| non-zero marks the certificate as peer-supplied (SSL_SECOP_PEER),
 * zero as one we are about to send.
 *
 * Returns 1 if acceptable, otherwise the SSL_R_* reason code to report.
 */
int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
{
    int key_op, key_err;

    /* Any non-zero |vfy| means "peer supplied" */
    if (vfy)
        vfy = SSL_SECOP_PEER;

    if (is_ee) {
        key_op = SSL_SECOP_EE_KEY | vfy;
        key_err = SSL_R_EE_KEY_TOO_SMALL;
    } else {
        key_op = SSL_SECOP_CA_KEY | vfy;
        key_err = SSL_R_CA_KEY_TOO_SMALL;
    }
    if (!ssl_security_cert_key(s, ctx, x, key_op))
        return key_err;

    if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
        return SSL_R_CA_MD_TOO_WEAK;
    return 1;
}
   2544  1.1.1.2  christos 
   2545  1.1.1.2  christos /*
   2546  1.1.1.2  christos  * Check security of a chain, if |sk| includes the end entity certificate then
   2547  1.1.1.2  christos  * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
   2548  1.1.1.2  christos  * one to the peer. Return values: 1 if ok otherwise error code to use
   2549  1.1.1.2  christos  */
   2550  1.1.1.2  christos 
/*
 * Check the security of a whole chain: the end entity first (|x|, or
 * sk[0] when |x| is NULL), then every remaining certificate as a CA.
 * Checking stops at the first certificate that fails and its reason is
 * returned. |s| must be non-NULL: no SSL_CTX is passed down.
 *
 * Returns 1 if every certificate is acceptable, ERR_R_INTERNAL_ERROR if
 * there is no end entity at all, otherwise the SSL_R_* reason code.
 */
int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
{
    int i = 0, rv;

    if (x == NULL) {
        /* The end entity is the first element of |sk| */
        x = sk_X509_value(sk, 0);
        if (x == NULL)
            return ERR_R_INTERNAL_ERROR;
        i = 1;
    }

    rv = ssl_security_cert(s, NULL, x, vfy, 1);
    if (rv != 1)
        return rv;

    for (; i < sk_X509_num(sk); i++) {
        rv = ssl_security_cert(s, NULL, sk_X509_value(sk, i), vfy, 0);
        if (rv != 1)
            return rv;
    }
    return 1;
}
   2574  1.1.1.2  christos 
   2575  1.1.1.2  christos /*
   2576  1.1.1.2  christos  * For TLS 1.2 servers check if we have a certificate which can be used
   2577  1.1.1.2  christos  * with the signature algorithm "lu" and return index of certificate.
   2578  1.1.1.2  christos  */
   2579  1.1.1.2  christos 
/*
 * For TLS 1.2 servers check if we have a certificate which can be used with
 * the signature algorithm |lu| and return its slot index, or -1 if the key
 * type is unknown, the negotiated cipher cannot authenticate with it, it is
 * an RSA-PSS key with an RSA key exchange cipher, or the slot was not marked
 * valid by tls1_check_chain().
 */
static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
{
    const int idx = lu->sig_idx;
    const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(idx);
    const SSL_CIPHER *cipher = s->s3->tmp.new_cipher;

    if (clu == NULL)
        return -1;
    /* The certificate's key type must be one the cipher can authenticate with */
    if ((clu->amask & cipher->algorithm_auth) == 0)
        return -1;
    /*
     * Reject an RSA-PSS key for an RSA key-exchange cipher (presumably
     * because a PSS-restricted key cannot perform the key transport).
     */
    if (clu->nid == EVP_PKEY_RSA_PSS
        && (cipher->algorithm_mkey & SSL_kRSA) != 0)
        return -1;

    if ((s->s3->tmp.valid_flags[idx] & CERT_PKEY_VALID) == 0)
        return -1;
    return idx;
}
   2594  1.1.1.2  christos 
   2595  1.1.1.2  christos /*
   2596  1.1.1.2  christos  * Checks the given cert against signature_algorithm_cert restrictions sent by
   2597  1.1.1.2  christos  * the peer (if any) as well as whether the hash from the sigalg is usable with
   2598  1.1.1.2  christos  * the key.
   2599  1.1.1.2  christos  * Returns true if the cert is usable and false otherwise.
   2600  1.1.1.2  christos  */
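/*
 * Checks the given cert against signature_algorithm_cert restrictions sent by
 * the peer (if any) as well as whether the hash from the sigalg is usable with
 * the key.
 *
 * The error-queue mark set around EVP_PKEY_get_default_digest_nid() is now
 * popped on every path; previously the "mandatory digest mismatch" return
 * left the mark in place, so a later ERR_pop_to_mark() elsewhere would stop
 * at a stale mark. The certificate's own signature info is also looked up
 * once instead of on every loop iteration (it does not change).
 *
 * Returns true if the cert is usable and false otherwise.
 */
static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
                             EVP_PKEY *pkey)
{
    const SIGALG_LOOKUP *lu;
    int mdnid, pknid, default_mdnid;
    int mandatory_digest;
    size_t i;

    /*
     * If the EVP_PKEY reports a mandatory digest, allow nothing else.
     * The query may push errors for key types without a fixed digest, so
     * bracket it with a mark and discard them; if it didn't report a
     * mandatory NID, for whatever reason, all hashes may be used.
     */
    ERR_set_mark();
    mandatory_digest =
        EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2;
    ERR_pop_to_mark();
    if (mandatory_digest && sig->hash != default_mdnid)
        return 0;

    /* No signature_algorithms_cert from the peer: nothing more to restrict */
    if (s->s3->tmp.peer_cert_sigalgs == NULL)
        return 1;

    /* The certificate's own signature algorithm; unusable if unknown */
    if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
        return 0;

    for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
        lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
        if (lu == NULL)
            continue;
        /*
         * TODO this does not differentiate between the
         * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
         * have a chain here that lets us look at the key OID in the
         * signing certificate.
         */
        if (mdnid == lu->hash && pknid == lu->sig)
            return 1;
    }
    return 0;
}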
   2637  1.1.1.2  christos 
   2638  1.1.1.2  christos /*
   2639  1.1.1.2  christos  * Returns true if |s| has a usable certificate configured for use
   2640  1.1.1.2  christos  * with signature scheme |sig|.
   2641  1.1.1.2  christos  * "Usable" includes a check for presence as well as applying
   2642  1.1.1.2  christos  * the signature_algorithm_cert restrictions sent by the peer (if any).
   2643  1.1.1.2  christos  * Returns false if no usable certificate is found.
   2644  1.1.1.2  christos  */
/*
 * Returns true if |s| has a usable certificate configured in slot |idx|
 * (or in the slot |sig| implies when |idx| is -1) for use with signature
 * scheme |sig|. "Usable" means the slot holds a certificate and key and
 * check_cert_usable() accepts them, which includes the
 * signature_algorithms_cert restrictions sent by the peer (if any).
 */
static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
{
    const CERT_PKEY *cpk;

    /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
    if (idx == -1)
        idx = sig->sig_idx;

    if (!ssl_has_cert(s, idx))
        return 0;

    cpk = &s->cert->pkeys[idx];
    return check_cert_usable(s, sig, cpk->x509, cpk->privatekey);
}
   2656  1.1.1.2  christos 
   2657  1.1.1.2  christos /*
   2658  1.1.1.2  christos  * Returns true if the supplied cert |x| and key |pkey| is usable with the
   2659  1.1.1.2  christos  * specified signature scheme |sig|, or false otherwise.
   2660  1.1.1.2  christos  */
/*
 * Returns true if the supplied cert |x| and key |pkey| are usable with the
 * signature scheme |sig|: the key's type must map to the slot the scheme
 * expects, and check_cert_usable() must accept the pair.
 */
static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
                          EVP_PKEY *pkey)
{
    size_t slot;

    /* Unknown key type, or a key type the scheme does not sign with */
    if (ssl_cert_lookup_by_pkey(pkey, &slot) == NULL
        || (int)slot != sig->sig_idx)
        return 0;

    return check_cert_usable(s, sig, x, pkey);
}
   2675  1.1.1.2  christos 
   2676  1.1.1.2  christos /*
   2677  1.1.1.2  christos  * Find a signature scheme that works with the supplied certificate |x| and key
   2678  1.1.1.2  christos  * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
   2679  1.1.1.2  christos  * available certs/keys to find one that works.
   2680  1.1.1.2  christos  */
/*
 * Find a signature scheme that works with the supplied certificate |x| and key
 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
 * available certs/keys to find one that works.
 *
 * This is the TLS 1.3 selection path (see the SSL_IS_TLS13() callers). The
 * shared list s->shared_sigalgs is walked in order and the first entry with
 * a usable certificate behind it wins. Schemes that RFC 8446 does not allow
 * for handshake signatures (SHA-1, SHA-224, DSA, RSA PKCS#1 v1.5) are skipped
 * regardless of what the peer offered.
 *
 * Returns the chosen SIGALG_LOOKUP, or NULL if nothing in the shared list is
 * usable.
 */
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
{
    const SIGALG_LOOKUP *lu = NULL;
    size_t i;
#ifndef OPENSSL_NO_EC
    /* Curve of the EC key, looked up once on the first EC candidate */
    int curve = -1;
#endif
    EVP_PKEY *tmppkey;

    /* Look for a shared sigalgs matching possible certificates */
    for (i = 0; i < s->shared_sigalgslen; i++) {
        lu = s->shared_sigalgs[i];

        /* Skip SHA1, SHA224, DSA and RSA if not PSS */
        if (lu->hash == NID_sha1
            || lu->hash == NID_sha224
            || lu->sig == EVP_PKEY_DSA
            || lu->sig == EVP_PKEY_RSA)
            continue;
        /* Check that we have a cert, and signature_algorithms_cert */
        /* (presumably also that the scheme's digest is available in this build) */
        if (!tls1_lookup_md(lu, NULL))
            continue;
        if ((pkey == NULL && !has_usable_cert(s, lu, -1))
                || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
            continue;

        tmppkey = (pkey != NULL) ? pkey
                                 : s->cert->pkeys[lu->sig_idx].privatekey;

        if (lu->sig == EVP_PKEY_EC) {
#ifndef OPENSSL_NO_EC
            /*
             * The curve is cached across iterations, which assumes every EC
             * candidate resolves to the same key (one EC slot) - presumably
             * true here, confirm if more EC slots are ever added.
             */
            if (curve == -1) {
                EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey);
                curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
            }
            /* Curve-bound schemes (e.g. ecdsa_secp256r1_sha256) must match the key */
            if (lu->curve != NID_undef && curve != lu->curve)
                continue;
#else
            continue;
#endif
        } else if (lu->sig == EVP_PKEY_RSA_PSS) {
            /* validate that key is large enough for the signature algorithm */
            if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
                continue;
        }
        break;
    }

    if (i == s->shared_sigalgslen)
        return NULL;

    return lu;
}
   2734  1.1.1.2  christos 
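/*
 * Choose an appropriate signature algorithm based on available certificates.
 * On success s->s3->tmp.cert points at the certificate slot to use,
 * s->cert->key is moved to that same slot, and s->s3->tmp.sigalg holds the
 * chosen SIGALG_LOOKUP. Both tmp fields are reset to NULL on entry.
 *
 * fatalerrs != 0 (servers): failing to find a required certificate/algorithm
 * is a fatal error, an appropriate error code is set and a TLS alert is sent;
 * 0 is returned.
 *
 * fatalerrs == 0 (clients): an unsuitable certificate is not a fatal error,
 * we will either try another certificate or not present one to the server.
 * In this case no error is set, 1 is returned and tmp.cert/tmp.sigalg stay
 * NULL.
 *
 * Returns 1 on success or on a non-fatal "nothing chosen", 0 on fatal error.
 */
int tls_choose_sigalg(SSL *s, int fatalerrs)
{
    const SIGALG_LOOKUP *lu = NULL;
    int sig_idx = -1;

    s->s3->tmp.cert = NULL;
    s->s3->tmp.sigalg = NULL;

    if (SSL_IS_TLS13(s)) {
        /* TLS 1.3: pick from the shared signature_algorithms list only */
        lu = find_sig_alg(s, NULL, NULL);
        if (lu == NULL) {
            if (!fatalerrs)
                return 1;
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
                     SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
            return 0;
        }
    } else {
        /* If ciphersuite doesn't require a cert nothing to do */
        if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
            return 1;
        /* Client with no certificate in the currently selected slot: send none */
        if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
                return 1;

        if (SSL_USE_SIGALGS(s)) {
            size_t i;
            if (s->s3->tmp.peer_sigalgs != NULL) {
                /* Set once a usable (lu, sig_idx) pair has been selected */
                int found;
#ifndef OPENSSL_NO_EC
                int curve;

                /* For Suite B need to match signature algorithm to curve */
                if (tls1_suiteb(s)) {
                    /*
                     * NOTE(review): EVP_PKEY_get0_EC_KEY() and
                     * EC_KEY_get0_group() are not NULL-safe, so this relies
                     * on an ECC private key being loaded whenever Suite B
                     * mode is enabled - confirm against the callers.
                     */
                    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
                    curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
                } else {
                    curve = -1;
                }
#endif

                /*
                 * Find highest preference signature algorithm matching
                 * cert type
                 */
                for (i = 0; i < s->shared_sigalgslen; i++) {
                    lu = s->shared_sigalgs[i];

                    if (s->server) {
                        if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
                            continue;
                    } else {
                        /* Clients only offer the certificate already selected */
                        int cc_idx = s->cert->key - s->cert->pkeys;

                        sig_idx = lu->sig_idx;
                        if (cc_idx != sig_idx)
                            continue;
                    }
                    /* Check that we have a cert, and sig_algs_cert */
                    if (!has_usable_cert(s, lu, sig_idx))
                        continue;
                    if (lu->sig == EVP_PKEY_RSA_PSS) {
                        /* validate that key is large enough for the signature algorithm */
                        EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;

                        if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
                            continue;
                    }
#ifndef OPENSSL_NO_EC
                    if (curve == -1 || lu->curve == curve)
#endif
                        break;
                }
                /*
                 * Track the outcome explicitly rather than re-testing
                 * i == shared_sigalgslen: the GOST fallback below used to
                 * signal success by resetting i to 0, which is
                 * indistinguishable from "not found" when the shared list
                 * is empty and wrongly aborted the handshake in that case.
                 */
                found = (i < s->shared_sigalgslen);
#ifndef OPENSSL_NO_GOST
                /*
                 * Some Windows-based implementations do not send GOST algorithms indication
                 * in supported_algorithms extension, so when we have GOST-based ciphersuite,
                 * we have to assume GOST support.
                 */
                if (!found
                    && (s->s3->tmp.new_cipher->algorithm_auth
                        & (SSL_aGOST01 | SSL_aGOST12)) != 0) {
                    if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                        if (!fatalerrs)
                            return 1;
                        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                                 SSL_F_TLS_CHOOSE_SIGALG,
                                 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                        return 0;
                    }
                    found = 1;
                    sig_idx = lu->sig_idx;
                }
#endif
                if (!found) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS_CHOOSE_SIGALG,
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                    return 0;
                }
            } else {
                /*
                 * If we have no sigalg use defaults
                 */
                const uint16_t *sent_sigs;
                size_t sent_sigslen;

                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
                             ERR_R_INTERNAL_ERROR);
                    return 0;
                }

                /*
                 * Check signature matches a type we sent: the legacy default
                 * must still be in our own configured list and be backed by
                 * a usable certificate, otherwise it is an illegal parameter.
                 */
                sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
                for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
                    if (lu->sigalg == *sent_sigs
                            && has_usable_cert(s, lu, lu->sig_idx))
                        break;
                }
                if (i == sent_sigslen) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                             SSL_F_TLS_CHOOSE_SIGALG,
                             SSL_R_WRONG_SIGNATURE_TYPE);
                    return 0;
                }
            }
        } else {
            /* Pre-TLS1.2: no signature_algorithms at all, use the legacy default */
            if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                if (!fatalerrs)
                    return 1;
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
                         ERR_R_INTERNAL_ERROR);
                return 0;
            }
        }
    }
    /* Paths that did not pick a slot explicitly use the algorithm's own */
    if (sig_idx == -1)
        sig_idx = lu->sig_idx;
    s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
    s->cert->key = s->s3->tmp.cert;
    s->s3->tmp.sigalg = lu;
    return 1;
}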
   2893  1.1.1.2  christos 
/*
 * Set the max_fragment_length mode to use for new SSL objects created
 * from this context.
 *
 * mode must be TLSEXT_max_fragment_length_DISABLED or a value accepted by
 * IS_MAX_FRAGMENT_LENGTH_EXT_VALID(); anything else is rejected with
 * SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH and the context is untouched.
 *
 * Returns 1 on success, 0 if mode is invalid.
 */
int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
{
    int acceptable = (mode == TLSEXT_max_fragment_length_DISABLED)
                     || IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode);

    if (!acceptable) {
        SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
               SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ctx->ext.max_fragment_len_mode = mode;
    return 1;
}
   2906  1.1.1.2  christos 
/*
 * Set the max_fragment_length mode on a single SSL object, overriding
 * whatever was inherited from its SSL_CTX.
 *
 * mode must be TLSEXT_max_fragment_length_DISABLED or a value accepted by
 * IS_MAX_FRAGMENT_LENGTH_EXT_VALID(); anything else is rejected with
 * SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH and ssl is left unchanged.
 *
 * Returns 1 on success, 0 if mode is invalid.
 */
int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
{
    int acceptable = (mode == TLSEXT_max_fragment_length_DISABLED)
                     || IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode);

    if (!acceptable) {
        SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
               SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ssl->ext.max_fragment_len_mode = mode;
    return 1;
}
   2919  1.1.1.2  christos 
/*
 * Return the max_fragment_length mode recorded in a session, i.e. the
 * value of session->ext.max_fragment_len_mode. Does not validate the
 * session pointer.
 */
uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
{
    const uint8_t mode = session->ext.max_fragment_len_mode;

    return mode;
}
   2924