/*
 * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/core_names.h>
#include <openssl/ocsp.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/provider.h>
#include <openssl/param_build.h>
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
#include "internal/ssl_unwrap.h"
#include "ssl_local.h"
#include "quic/quic_local.h"
#include <openssl/ct.h>

/* Forward declarations; the definitions live later in this file. */
static const SIGALG_LOOKUP *find_sig_alg(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pkey);
static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, const SIGALG_LOOKUP *lu);

/*
 * Per-protocol-version SSL3_ENC_METHOD tables.
 *
 * The initializers are positional. Judging by the names used, the entries
 * are: key block setup, master secret generation, cipher state change,
 * finished MAC, the client/server finished labels with their sizes, alert
 * code mapping, keying material export, a flags word, handshake header
 * setup, close_construct_packet and handshake write.
 * NOTE(review): that ordering is inferred from the function names; confirm
 * against the SSL3_ENC_METHOD definition in ssl_local.h.
 */
SSL3_ENC_METHOD const TLSv1_enc_data = {
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    0,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

/* TLS 1.1: identical to TLS 1.0, no enc flags. */
SSL3_ENC_METHOD const TLSv1_1_enc_data = {
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    0,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

/*
 * TLS 1.2: same TLS1 primitives, but signature algorithms, the SHA-256
 * based PRF and TLS 1.2-only ciphers are enabled through the flags word.
 */
SSL3_ENC_METHOD const TLSv1_2_enc_data = {
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
        | SSL_ENC_FLAG_TLS1_2_CIPHERS,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

/* TLS 1.3: the tls13_* key schedule and alert/export routines. */
SSL3_ENC_METHOD const TLSv1_3_enc_data = {
    tls13_setup_key_block,
    tls13_generate_master_secret,
    tls13_change_cipher_state,
    tls13_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls13_alert_code,
    tls13_export_keying_material,
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

/*
 * Default session timeout for TLSv1 methods.
 *
 * Returns an OSSL_TIME of two hours.
 */
OSSL_TIME tls1_default_timeout(void)
{
    /*
     * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
     * http, the cache would over fill
     */
    return ossl_seconds2time(60 * 60 * 2);
}

/*
 * Method "new" hook for TLSv1: performs SSL3 initialisation and then the
 * method's own clear.
 *
 * Returns 1 on success, 0 if either ssl3_new() or ssl_clear() failed.
 */
int tls1_new(SSL *s)
{
    if (!ssl3_new(s))
        return 0;
    if (!s->method->ssl_clear(s))
        return 0;

    return 1;
}

/*
 * Method "free" hook for TLSv1: releases the stored session ticket
 * extension data, then delegates to ssl3_free().
 * Does nothing if |s| does not unwrap to an SSL_CONNECTION.
 */
void tls1_free(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return;

    OPENSSL_free(sc->ext.session_ticket);
    ssl3_free(s);
}

/*
 * Method "clear" hook for TLSv1: resets SSL3 state and re-derives the
 * connection's version from the method.
 *
 * Returns 1 on success; 0 if |s| is not an SSL_CONNECTION or ssl3_clear()
 * failed.
 */
int tls1_clear(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return 0;

    if (!ssl3_clear(s))
        return 0;

    /*
     * A version-flexible method starts at the internal maximum so that
     * negotiation can move downwards; a fixed method pins the version.
     */
    if (s->method->version == TLS_ANY_VERSION)
        sc->version = TLS_MAX_VERSION_INTERNAL;
    else
        sc->version = s->method->version;

    return 1;
}

/* Legacy NID to group_id mapping.
 * Only works for groups we know about */
static const struct {
    int nid;
    uint16_t group_id;
} nid_to_group[] = {
    { NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1 },
    { NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1 },
    { NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2 },
    { NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1 },
    { NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2 },
    { NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1 },
    { NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1 },
    { NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1 },
    { NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1 },
    { NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1 },
    { NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1 },
    { NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1 },
    { NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1 },
    { NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1 },
    { NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1 },
    { NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1 },
    { NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2 },
    { NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1 },
    { NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1 },
    { NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1 },
    { NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1 },
    { NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1 },
    { NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1 },
    { NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1 },
    { NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1 },
    { NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1 },
    { NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1 },
    { NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1 },
    /* X25519/X448 have no curve NID; the EVP_PKEY type id is used instead. */
    { EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519 },
    { EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448 },
    { NID_brainpoolP256r1tls13, OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13 },
    { NID_brainpoolP384r1tls13, OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13 },
    { NID_brainpoolP512r1tls13, OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13 },
    { NID_id_tc26_gost_3410_2012_256_paramSetA, OSSL_TLS_GROUP_ID_gc256A },
    { NID_id_tc26_gost_3410_2012_256_paramSetB, OSSL_TLS_GROUP_ID_gc256B },
    { NID_id_tc26_gost_3410_2012_256_paramSetC, OSSL_TLS_GROUP_ID_gc256C },
    { NID_id_tc26_gost_3410_2012_256_paramSetD, OSSL_TLS_GROUP_ID_gc256D },
    { NID_id_tc26_gost_3410_2012_512_paramSetA, OSSL_TLS_GROUP_ID_gc512A },
    { NID_id_tc26_gost_3410_2012_512_paramSetB, OSSL_TLS_GROUP_ID_gc512B },
    { NID_id_tc26_gost_3410_2012_512_paramSetC, OSSL_TLS_GROUP_ID_gc512C },
    { NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048 },
    { NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072 },
    { NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096 },
    { NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144 },
    { NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192 }
};

/* EC point formats advertised by default, in preference order. */
static const unsigned char ecformats_default[] = {
    TLSEXT_ECPOINTFORMAT_uncompressed,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
};

/* Group list string of the built-in pseudo group DEFAULT */
#define DEFAULT_GROUP_NAME "DEFAULT"
#define TLS_DEFAULT_GROUP_LIST \
    "?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072"

/* The only two groups permitted in Suite B mode (P-256 first, then P-384). */
static const uint16_t suiteb_curves[] = {
    OSSL_TLS_GROUP_ID_secp256r1,
    OSSL_TLS_GROUP_ID_secp384r1,
};

/* Group list string of the built-in pseudo group DEFAULT_SUITE_B */
#define SUITE_B_GROUP_NAME "DEFAULT_SUITE_B"
/*
 * NOTE(review): the trailing comma is part of this macro's expansion, so
 * every use site must be written to expect it -- confirm before reuse.
 */
#define SUITE_B_GROUP_LIST "?secp256r1:?secp384r1",

/* Callback context handed to the provider capability callbacks below. */
struct provider_ctx_data_st {
    SSL_CTX *ctx;
    OSSL_PROVIDER *provider;
};

#define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10
static OSSL_CALLBACK add_provider_groups;
/*
 * OSSL_PROVIDER_get_capabilities() callback for one "TLS-GROUP" capability.
 *
 * Appends a TLS_GROUP_INFO built from |params| to ctx->group_list, growing
 * the list in blocks of TLS_GROUP_LIST_MALLOC_BLOCK_SIZE. Every parameter
 * read here is provider supplied, so each one is type-checked (and the id
 * range-checked) before use; a missing or malformed parameter raises
 * ERR_R_PASSED_INVALID_ARGUMENT and the half-built entry is released.
 *
 * |data| is a struct provider_ctx_data_st *.
 * Returns 0 on allocation failure or malformed parameters, 1 otherwise --
 * including when the group's key manager cannot be fetched for the
 * context's property query, in which case the entry is simply not kept.
 */
static int add_provider_groups(const OSSL_PARAM params[], void *data)
{
    struct provider_ctx_data_st *pgd = data;
    SSL_CTX *ctx = pgd->ctx;
    const OSSL_PARAM *p;
    TLS_GROUP_INFO *ginf = NULL;
    EVP_KEYMGMT *keymgmt;
    unsigned int gid;
    unsigned int is_kem = 0;
    int ret = 0;

    if (ctx->group_list_max_len == ctx->group_list_len) {
        TLS_GROUP_INFO *tmp = NULL;

        if (ctx->group_list_max_len == 0)
            tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO)
                                 * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE);
        else
            tmp = OPENSSL_realloc(ctx->group_list,
                                  (ctx->group_list_max_len
                                   + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE)
                                      * sizeof(TLS_GROUP_INFO));
        /* realloc into |tmp| so ctx->group_list stays valid on failure */
        if (tmp == NULL)
            return 0;
        ctx->group_list = tmp;
        /* Zero only the newly added slots; existing entries are kept. */
        memset(tmp + ctx->group_list_max_len,
               0,
               sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE);
        ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE;
    }

    /* Fill the next free slot; it is only counted once fully validated. */
    ginf = &ctx->group_list[ctx->group_list_len];

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME);
    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    ginf->tlsname = OPENSSL_strdup(p->data);
    if (ginf->tlsname == NULL)
        goto err;

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL);
    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    ginf->realname = OPENSSL_strdup(p->data);
    if (ginf->realname == NULL)
        goto err;

    /* The group id goes on the wire as 16 bits: reject anything larger. */
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID);
    if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    ginf->group_id = (uint16_t)gid;

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG);
    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    ginf->algorithm = OPENSSL_strdup(p->data);
    if (ginf->algorithm == NULL)
        goto err;

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS);
    if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }

    /* IS_KEM is optional; when present it must be exactly 0 or 1. */
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM);
    if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    ginf->is_kem = 1 & is_kem;

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS);
    if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS);
    if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS);
    if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS);
    if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    /*
     * Now check that the algorithm is actually usable for our property query
     * string. Regardless of the result we still return success because we have
     * successfully processed this group, even though we may decide not to use
     * it.
     */
    ret = 1;
    /* A failed fetch is not an error here; keep it off the error queue. */
    ERR_set_mark();
    keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq);
    if (keymgmt != NULL) {
        /* We have successfully fetched the algorithm, we can use the group. */
        ctx->group_list_len++;
        ginf = NULL; /* entry is now owned by the list; don't free below */
        EVP_KEYMGMT_free(keymgmt);
    }
    ERR_pop_to_mark();
err:
    /* |ginf| non-NULL here means the slot was not committed: release it. */
    if (ginf != NULL) {
        OPENSSL_free(ginf->tlsname);
        OPENSSL_free(ginf->realname);
        OPENSSL_free(ginf->algorithm);
        ginf->algorithm = ginf->tlsname = ginf->realname = NULL;
    }
    return ret;
}

/*
 * OSSL_PROVIDER_do_all() callback: collects every "TLS-GROUP" capability
 * of |provider| into the SSL_CTX passed as |vctx| via add_provider_groups.
 *
 * Returns the result of OSSL_PROVIDER_get_capabilities().
 */
static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx)
{
    struct provider_ctx_data_st pgd;

    pgd.ctx = vctx;
    pgd.provider = provider;
    return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP",
                                          add_provider_groups, &pgd);
}

/*
 * Populate ctx->group_list from all loaded providers and install the
 * built-in default group list.
 *
 * Returns 0 if provider discovery fails, otherwise the result of
 * SSL_CTX_set1_groups_list().
 */
int ssl_load_groups(SSL_CTX *ctx)
{
    if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx))
        return 0;

    return SSL_CTX_set1_groups_list(ctx, TLS_DEFAULT_GROUP_LIST);
}

/*
 * Key type name to fetch the key manager for a provider sigalg: the explicit
 * keytype if given, else the signature name, else the sigalg name.
 */
static const char *inferred_keytype(const TLS_SIGALG_INFO *sinf)
{
    return (sinf->keytype != NULL
                ? sinf->keytype
                : (sinf->sig_name != NULL
                          ? sinf->sig_name
                          : sinf->sigalg_name));
}

#define TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE 10
static OSSL_CALLBACK add_provider_sigalgs;
/*
 * OSSL_PROVIDER_get_capabilities() callback for one "TLS-SIGALG" capability.
 *
 * Appends a TLS_SIGALG_INFO built from |params| to ctx->sigalg_list, growing
 * it in blocks of TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE. Mandatory parameters
 * (names, code point, security bits, min/max TLS) are type- and
 * range-checked; the OID/name/keytype parameters are optional. Sigalgs
 * unusable below TLS 1.3 are dropped; DTLS is not supported for provider
 * sigalgs at all. An entry is only kept when its key manager fetches from
 * this same provider and its name registers as an object identifier.
 *
 * |data| is a struct provider_ctx_data_st *.
 * Returns 0 on allocation failure or malformed parameters, 1 otherwise
 * (also when the sigalg is simply not retained). Note that
 * discover_provider_sigalgs() ignores this return value.
 */
static int add_provider_sigalgs(const OSSL_PARAM params[], void *data)
{
    struct provider_ctx_data_st *pgd = data;
    SSL_CTX *ctx = pgd->ctx;
    OSSL_PROVIDER *provider = pgd->provider;
    const OSSL_PARAM *p;
    TLS_SIGALG_INFO *sinf = NULL;
    EVP_KEYMGMT *keymgmt;
    const char *keytype;
    unsigned int code_point = 0;
    int ret = 0;

    if (ctx->sigalg_list_max_len == ctx->sigalg_list_len) {
        TLS_SIGALG_INFO *tmp = NULL;

        if (ctx->sigalg_list_max_len == 0)
            tmp = OPENSSL_malloc(sizeof(TLS_SIGALG_INFO)
                                 * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE);
        else
            tmp = OPENSSL_realloc(ctx->sigalg_list,
                                  (ctx->sigalg_list_max_len
                                   + TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE)
                                      * sizeof(TLS_SIGALG_INFO));
        /* realloc into |tmp| so ctx->sigalg_list stays valid on failure */
        if (tmp == NULL)
            return 0;
        ctx->sigalg_list = tmp;
        memset(tmp + ctx->sigalg_list_max_len, 0,
               sizeof(TLS_SIGALG_INFO) * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE);
        ctx->sigalg_list_max_len += TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE;
    }

    /* Fill the next free slot; it is only counted once fully validated. */
    sinf = &ctx->sigalg_list[ctx->sigalg_list_len];

    /* First, mandatory parameters */
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_NAME);
    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    /* The slot may hold strings from an earlier, discarded attempt. */
    OPENSSL_free(sinf->sigalg_name);
    sinf->sigalg_name = OPENSSL_strdup(p->data);
    if (sinf->sigalg_name == NULL)
        goto err;

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME);
    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    OPENSSL_free(sinf->name);
    sinf->name = OPENSSL_strdup(p->data);
    if (sinf->name == NULL)
        goto err;

    /* The code point goes on the wire as 16 bits: reject anything larger. */
    p = OSSL_PARAM_locate_const(params,
                                OSSL_CAPABILITY_TLS_SIGALG_CODE_POINT);
    if (p == NULL
        || !OSSL_PARAM_get_uint(p, &code_point)
        || code_point > UINT16_MAX) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    sinf->code_point = (uint16_t)code_point;

    p = OSSL_PARAM_locate_const(params,
                                OSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS);
    if (p == NULL || !OSSL_PARAM_get_uint(p, &sinf->secbits)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }

    /*
     * Now, optional parameters
     * NOTE(review): unlike the mandatory ones, a present-but-mistyped
     * optional parameter fails without an ERR_raise() in each branch below.
     */
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_OID);
    if (p == NULL) {
        sinf->sigalg_oid = NULL;
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
        goto err;
    } else {
        OPENSSL_free(sinf->sigalg_oid);
        sinf->sigalg_oid = OPENSSL_strdup(p->data);
        if (sinf->sigalg_oid == NULL)
            goto err;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_SIG_NAME);
    if (p == NULL) {
        sinf->sig_name = NULL;
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
        goto err;
    } else {
        OPENSSL_free(sinf->sig_name);
        sinf->sig_name = OPENSSL_strdup(p->data);
        if (sinf->sig_name == NULL)
            goto err;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_SIG_OID);
    if (p == NULL) {
        sinf->sig_oid = NULL;
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
        goto err;
    } else {
        OPENSSL_free(sinf->sig_oid);
        sinf->sig_oid = OPENSSL_strdup(p->data);
        if (sinf->sig_oid == NULL)
            goto err;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_HASH_NAME);
    if (p == NULL) {
        sinf->hash_name = NULL;
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
        goto err;
    } else {
        OPENSSL_free(sinf->hash_name);
        sinf->hash_name = OPENSSL_strdup(p->data);
        if (sinf->hash_name == NULL)
            goto err;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_HASH_OID);
    if (p == NULL) {
        sinf->hash_oid = NULL;
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
        goto err;
    } else {
        OPENSSL_free(sinf->hash_oid);
        sinf->hash_oid = OPENSSL_strdup(p->data);
        if (sinf->hash_oid == NULL)
            goto err;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE);
    if (p == NULL) {
        sinf->keytype = NULL;
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
        goto err;
    } else {
        OPENSSL_free(sinf->keytype);
        sinf->keytype = OPENSSL_strdup(p->data);
        if (sinf->keytype == NULL)
            goto err;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID);
    if (p == NULL) {
        sinf->keytype_oid = NULL;
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
        goto err;
    } else {
        OPENSSL_free(sinf->keytype_oid);
        sinf->keytype_oid = OPENSSL_strdup(p->data);
        if (sinf->keytype_oid == NULL)
            goto err;
    }

    /* Optional, not documented prior to 3.5 */
    sinf->mindtls = sinf->maxdtls = -1;
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS);
    if (p != NULL && !OSSL_PARAM_get_int(p, &sinf->mindtls)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS);
    if (p != NULL && !OSSL_PARAM_get_int(p, &sinf->maxdtls)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    /* DTLS version numbers grow downward */
    if ((sinf->maxdtls != 0) && (sinf->maxdtls != -1) && ((sinf->maxdtls > sinf->mindtls))) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    /* No provider sigalgs are supported in DTLS, reset after checking. */
    sinf->mindtls = sinf->maxdtls = -1;

    /* The remaining parameters below are mandatory again */
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_MIN_TLS);
    if (p == NULL || !OSSL_PARAM_get_int(p, &sinf->mintls)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_MAX_TLS);
    if (p == NULL || !OSSL_PARAM_get_int(p, &sinf->maxtls)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    /* 0 and -1 are "no bound"/"unsupported" markers, not real versions. */
    if ((sinf->maxtls != 0) && (sinf->maxtls != -1) && ((sinf->maxtls < sinf->mintls))) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        goto err;
    }
    /* Only sigalgs whose range covers TLS 1.3 are usable from providers. */
    if ((sinf->mintls != 0) && (sinf->mintls != -1) && ((sinf->mintls > TLS1_3_VERSION)))
        sinf->mintls = sinf->maxtls = -1;
    if ((sinf->maxtls != 0) && (sinf->maxtls != -1) && ((sinf->maxtls < TLS1_3_VERSION)))
        sinf->mintls = sinf->maxtls = -1;

    /* Ignore unusable sigalgs */
    if (sinf->mintls == -1 && sinf->mindtls == -1) {
        ret = 1;
        goto err;
    }

    /*
     * Now check that the algorithm is actually usable for our property query
     * string. Regardless of the result we still return success because we have
     * successfully processed this signature, even though we may decide not to
     * use it.
     */
    ret = 1;
    /* A failed fetch is not an error here; keep it off the error queue. */
    ERR_set_mark();
    keytype = inferred_keytype(sinf);
    keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, keytype, ctx->propq);
    if (keymgmt != NULL) {
        /*
         * We have successfully fetched the algorithm - however if the provider
         * doesn't match this one then we ignore it.
         *
         * Note: We're cheating a little here. Technically if the same algorithm
         * is available from more than one provider then it is undefined which
         * implementation you will get back. Theoretically this could be
         * different every time...we assume here that you'll always get the
         * same one back if you repeat the exact same fetch. Is this a reasonable
         * assumption to make (in which case perhaps we should document this
         * behaviour)?
         */
        if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
            /*
             * We have a match - so we could use this signature;
             * Check proper object registration first, though.
             * Don't care about return value as this may have been
             * done within providers or previous calls to
             * add_provider_sigalgs.
             * (sigalg_oid is optional and may be NULL here; the sanity
             * check that follows is what actually gates acceptance.)
             */
            OBJ_create(sinf->sigalg_oid, sinf->sigalg_name, NULL);
            /* sanity check: Without successful registration don't use alg */
            if ((OBJ_txt2nid(sinf->sigalg_name) == NID_undef) || (OBJ_nid2obj(OBJ_txt2nid(sinf->sigalg_name)) == NULL)) {
                ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
                goto err;
            }
            if (sinf->sig_name != NULL)
                OBJ_create(sinf->sig_oid, sinf->sig_name, NULL);
            if (sinf->keytype != NULL)
                OBJ_create(sinf->keytype_oid, sinf->keytype, NULL);
            if (sinf->hash_name != NULL)
                OBJ_create(sinf->hash_oid, sinf->hash_name, NULL);
            /* Link sigalg -> (digest, key type) for later X.509 lookups. */
            OBJ_add_sigid(OBJ_txt2nid(sinf->sigalg_name),
                          (sinf->hash_name != NULL
                                  ? OBJ_txt2nid(sinf->hash_name)
                                  : NID_undef),
                          OBJ_txt2nid(keytype));
            ctx->sigalg_list_len++;
            sinf = NULL; /* entry is now owned by the list; don't free below */
        }
        EVP_KEYMGMT_free(keymgmt);
    }
    ERR_pop_to_mark();
err:
    /* |sinf| non-NULL here means the slot was not committed: release it. */
    if (sinf != NULL) {
        OPENSSL_free(sinf->name);
        sinf->name = NULL;
        OPENSSL_free(sinf->sigalg_name);
        sinf->sigalg_name = NULL;
        OPENSSL_free(sinf->sigalg_oid);
        sinf->sigalg_oid = NULL;
        OPENSSL_free(sinf->sig_name);
        sinf->sig_name = NULL;
        OPENSSL_free(sinf->sig_oid);
        sinf->sig_oid = NULL;
        OPENSSL_free(sinf->hash_name);
        sinf->hash_name = NULL;
        OPENSSL_free(sinf->hash_oid);
        sinf->hash_oid = NULL;
        OPENSSL_free(sinf->keytype);
        sinf->keytype = NULL;
        OPENSSL_free(sinf->keytype_oid);
        sinf->keytype_oid = NULL;
    }
    return ret;
}

/*
 * OSSL_PROVIDER_do_all() callback: collects every "TLS-SIGALG" capability
 * of |provider| into the SSL_CTX passed as |vctx| via add_provider_sigalgs.
 *
 * Always returns 1; the capability query's result is deliberately ignored.
 */
static int discover_provider_sigalgs(OSSL_PROVIDER *provider, void *vctx)
{
    struct provider_ctx_data_st pgd;

    pgd.ctx = vctx;
    pgd.provider = provider;
    OSSL_PROVIDER_get_capabilities(provider, "TLS-SIGALG",
                                   add_provider_sigalgs, &pgd);
    /*
     * Always OK, even if provider doesn't support the capability:
     * Reconsider testing retval when legacy sigalgs are also loaded this way.
     */
    return 1;
}

/*
 * Populate ctx->sigalg_list from all loaded providers, then build
 * ctx->ssl_cert_info with one SSL_CERT_LOOKUP per provider sigalg
 * (pkey_nid from the inferred key type, amask = SSL_aANY).
 *
 * Returns 0 on provider discovery or allocation failure, 1 otherwise.
 */
int ssl_load_sigalgs(SSL_CTX *ctx)
{
    size_t i;
    SSL_CERT_LOOKUP lu; /* used only for sizeof */

    if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_sigalgs, ctx))
        return 0;

    /* now populate ctx->ssl_cert_info */
    if (ctx->sigalg_list_len > 0) {
        OPENSSL_free(ctx->ssl_cert_info);
        ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len);
        if (ctx->ssl_cert_info == NULL)
            return 0;
        for (i = 0; i < ctx->sigalg_list_len; i++) {
            const char *keytype = inferred_keytype(&ctx->sigalg_list[i]);
            ctx->ssl_cert_info[i].pkey_nid = OBJ_txt2nid(keytype);
            ctx->ssl_cert_info[i].amask = SSL_aANY;
        }
    }

    /*
     * For now, leave it at this: legacy sigalgs stay in their own
     * data structures until "legacy cleanup" occurs.
     */

    return 1;
}

/*
 * Look up a group id by name. |name| is compared case-insensitively
 * against both the TLS name and the internal (provider) name.
 *
 * Returns the group id, or 0 if no group in ctx->group_list matches.
 */
static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name)
{
    size_t i;

    for (i = 0; i < ctx->group_list_len; i++) {
        if (OPENSSL_strcasecmp(ctx->group_list[i].tlsname, name) == 0
            || OPENSSL_strcasecmp(ctx->group_list[i].realname, name) == 0)
            return ctx->group_list[i].group_id;
    }

    return 0;
}

/*
 * Find the TLS_GROUP_INFO for |group_id| in ctx->group_list.
 *
 * Returns a pointer into the list (owned by |ctx|), or NULL if not found.
 */
const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id)
{
    size_t i;

    for (i = 0; i < ctx->group_list_len; i++) {
        if (ctx->group_list[i].group_id == group_id)
            return &ctx->group_list[i];
    }

    return NULL;
}

/*
 * Return the TLS name of |group_id|, or NULL if the group is unknown.
 * The string is owned by |ctx|.
 */
const char *tls1_group_id2name(SSL_CTX *ctx, uint16_t group_id)
{
    const TLS_GROUP_INFO *tls_group_info = tls1_group_id_lookup(ctx, group_id);

    if (tls_group_info == NULL)
        return NULL;

    return tls_group_info->tlsname;
}

/*
 * Map a group id to a legacy NID via the nid_to_group table.
 *
 * Returns NID_undef for group id 0 and for groups not in the table,
 * unless |include_unknown| is set, in which case an unknown group yields
 * TLSEXT_nid_unknown OR-ed with the group id.
 */
int tls1_group_id2nid(uint16_t group_id, int include_unknown)
{
    size_t i;

    if (group_id == 0)
        return NID_undef;

    /*
     * Return well known Group NIDs - for backwards compatibility. This won't
     * work for groups we don't know about.
     */
    for (i = 0; i < OSSL_NELEM(nid_to_group); i++) {
        if (nid_to_group[i].group_id == group_id)
            return nid_to_group[i].nid;
    }
    if (!include_unknown)
        return NID_undef;
    return TLSEXT_nid_unknown | (int)group_id;
}

/*
 * Map a legacy NID to a group id via the nid_to_group table.
 *
 * Returns 0 if the NID is not in the table.
 */
uint16_t tls1_nid2group_id(int nid)
{
    size_t i;

    /*
     * Return well known Group ids - for backwards compatibility. This won't
     * work for groups we don't know about.
     */
    for (i = 0; i < OSSL_NELEM(nid_to_group); i++) {
        if (nid_to_group[i].nid == nid)
            return nid_to_group[i].group_id;
    }

    return 0;
}

/*
 * Set *pgroups to the supported groups list and *pgroupslen to
 * the number of groups supported.
 *
 * In Suite B mode the list is forced to the relevant subset of
 * suiteb_curves regardless of configuration; otherwise the connection's
 * own list is used when set, falling back to the SSL_CTX list.
 */
void tls1_get_supported_groups(SSL_CONNECTION *s, const uint16_t **pgroups,
                               size_t *pgroupslen)
{
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /* For Suite B mode only include P-256, P-384 */
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        *pgroups = suiteb_curves;
        *pgroupslen = OSSL_NELEM(suiteb_curves);
        break;

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        /* P-256 only */
        *pgroups = suiteb_curves;
        *pgroupslen = 1;
        break;

    case SSL_CERT_FLAG_SUITEB_192_LOS:
        /* P-384 only */
        *pgroups = suiteb_curves + 1;
        *pgroupslen = 1;
        break;

    default:
        if (s->ext.supportedgroups == NULL) {
            *pgroups = sctx->ext.supportedgroups;
            *pgroupslen = sctx->ext.supportedgroups_len;
        } else {
            *pgroups = s->ext.supportedgroups;
            *pgroupslen = s->ext.supportedgroups_len;
        }
        break;
    }
}

/*
 * Some comments for the function below:
 * s->ext.supportedgroups == NULL means legacy syntax (no [*,/,-]) from built-in group array.
 * In this case, we need to send exactly one key share, which MUST be the first (leftmost)
 * eligible group from the legacy list. Therefore, we provide the entire list of supported
 * groups in this case.
 *
 * A 'flag' to indicate legacy syntax is created by setting the number of key shares to 1,
 * but the groupID to 0.
 * The 'flag' is checked right at the beginning in tls_construct_ctos_key_share and either
 * the "list of requested key share groups" is used, or the "list of supported groups" in
 * combination with setting add_only_one = 1 is applied.
 */
void tls1_get_requested_keyshare_groups(SSL_CONNECTION *s, const uint16_t **pgroups,
                                        size_t *pgroupslen)
{
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /* Legacy syntax: hand back the SSL_CTX supported-groups list. */
    if (s->ext.supportedgroups == NULL) {
        *pgroups = sctx->ext.supportedgroups;
        *pgroupslen = sctx->ext.supportedgroups_len;
    } else {
        *pgroups = s->ext.keyshares;
        *pgroupslen = s->ext.keyshares_len;
    }
}

/*
 * Set *ptuples/*ptupleslen to the group tuple boundaries: the
 * connection's own when it has a supported-groups list, else the SSL_CTX's.
 */
void tls1_get_group_tuples(SSL_CONNECTION *s, const size_t **ptuples,
                           size_t *ptupleslen)
{
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    if (s->ext.supportedgroups == NULL) {
        *ptuples = sctx->ext.tuples;
        *ptupleslen = sctx->ext.tuples_len;
    } else {
        *ptuples = s->ext.tuples;
        *ptupleslen = s->ext.tuples_len;
    }
}

/*
 * Check whether |group_id| may be used for a protocol version in the range
 * [minversion, maxversion]. |isec| additionally requires the group's
 * algorithm to be "EC", "X25519" or "X448". When |okfortls13| is non-NULL
 * it is cleared, and (TLS only) set when the group is valid and usable at
 * TLS1_3_VERSION.
 *
 * Returns 1 if the group is valid for the range, 0 otherwise (including
 * when the group is unknown or marked unsupported for this protocol).
 */
int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id,
                    int minversion, int maxversion,
                    int isec, int *okfortls13)
{
    const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
                                                       group_id);
    int ret;
    int group_minversion, group_maxversion;

    if (okfortls13 != NULL)
        *okfortls13 = 0;

    if (ginfo == NULL)
        return 0;

    /* Pick the DTLS or TLS bounds as appropriate for this connection. */
    group_minversion = SSL_CONNECTION_IS_DTLS(s) ? ginfo->mindtls : ginfo->mintls;
    group_maxversion = SSL_CONNECTION_IS_DTLS(s) ? ginfo->maxdtls : ginfo->maxtls;

    /* A negative bound marks the group as unsupported for this protocol. */
    if (group_minversion < 0 || group_maxversion < 0)
        return 0;
    /* A zero bound means "no limit" in that direction. */
    if (group_maxversion == 0)
        ret = 1;
    else
        ret = (ssl_version_cmp(s, minversion, group_maxversion) <= 0);
    if (group_minversion > 0)
        ret &= (ssl_version_cmp(s, maxversion, group_minversion) >= 0);

    if (!SSL_CONNECTION_IS_DTLS(s)) {
        if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION)
            *okfortls13 = (group_maxversion == 0)
                || (group_maxversion >= TLS1_3_VERSION);
    }
    ret &= !isec
        || strcmp(ginfo->algorithm, "EC") == 0
        || strcmp(ginfo->algorithm, "X25519") == 0
        || strcmp(ginfo->algorithm, "X448") == 0;

    return ret;
}

/*
 * See if group is allowed by security callback
 *
 * |op| is the SSL_SECOP_* operation. The callback receives the group's
 * security bits, its legacy NID (NID_undef for unknown groups) and, as the
 * opaque "other" argument, the 2-byte group id with the high byte first.
 * Returns 0 for an unknown group, else the ssl_security() verdict.
 */
int tls_group_allowed(SSL_CONNECTION *s, uint16_t group, int op)
{
    const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
                                                       group);
    unsigned char gtmp[2];

    if (ginfo == NULL)
        return 0;

    gtmp[0] = group >> 8;
    gtmp[1] = group & 0xff;
    return ssl_security(s, op, ginfo->secbits,
                        tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp);
}

/* Return 1 if "id" is in "list" */
static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
{
    size_t i;
    for (i = 0; i < listlen; i++)
        if (list[i] == id)
            return 1;
    return 0;
}

/* A group together with its original position, used for stable sorting. */
typedef struct {
    TLS_GROUP_INFO *grp;
    size_t ix;
} TLS_GROUP_IX;

DEFINE_STACK_OF(TLS_GROUP_IX)

/* sk_*_pop_free() helper: the wrapper, not the TLS_GROUP_INFO, is freed. */
static void free_wrapper(TLS_GROUP_IX *a)
{
    OPENSSL_free(a);
}

/*
 * Stack comparator: ascending by group id, ties broken by ascending
 * original index so equal ids keep their appearance order.
 */
static int tls_group_ix_cmp(const TLS_GROUP_IX *const *a,
                            const TLS_GROUP_IX *const *b)
{
    int idcmpab = (*a)->grp->group_id < (*b)->grp->group_id;
    int idcmpba = (*b)->grp->group_id < (*a)->grp->group_id;
    int ixcmpab = (*a)->ix < (*b)->ix;
    int ixcmpba = (*b)->ix < (*a)->ix;

    /* Ascending by group id */
    if (idcmpab != idcmpba)
        return (idcmpba - idcmpab);
    /* Ascending by original appearance index */
    return ixcmpba - ixcmpab;
}

/*
 * Push onto |out| the TLS names of the groups in |grps| (|num| entries)
 * whose TLS version range overlaps [min_proto_version, max_proto_version]
 * (a bound of 0 or less on either side is ignored). Names are emitted in
 * ascending group-id order; unless |all| is set, only the first name for
 * each distinct group id is emitted.
 *
 * Returns 1 on success, 0 on NULL arguments or allocation failure (in
 * which case |out| may have been partially filled).
 */
int tls1_get0_implemented_groups(int min_proto_version, int max_proto_version,
                                 TLS_GROUP_INFO *grps, size_t num, long all,
                                 STACK_OF(OPENSSL_CSTRING) *out)
{
    STACK_OF(TLS_GROUP_IX) *collect = NULL;
    TLS_GROUP_IX *gix;
    uint16_t id = 0;
    int ret = 0;
    size_t ix;

    if (grps == NULL || out == NULL)
        return 0;
    if ((collect = sk_TLS_GROUP_IX_new(tls_group_ix_cmp)) == NULL)
        return 0;
    for (ix = 0; ix < num; ++ix, ++grps) {
        if (grps->mintls > 0 && max_proto_version > 0
            && grps->mintls > max_proto_version)
            continue;
        if (grps->maxtls > 0 && min_proto_version > 0
            && grps->maxtls < min_proto_version)
            continue;

        if ((gix = OPENSSL_malloc(sizeof(*gix))) == NULL)
            goto end;
        gix->grp = grps;
        gix->ix = ix;
        if (sk_TLS_GROUP_IX_push(collect, gix) <= 0) {
            OPENSSL_free(gix);
            goto end;
        }
    }

    sk_TLS_GROUP_IX_sort(collect);
    num = sk_TLS_GROUP_IX_num(collect);
    for (ix = 0; ix < num; ++ix) {
        gix = sk_TLS_GROUP_IX_value(collect, ix);
        /* Sorted by id, so a repeat id is always adjacent to the last one. */
        if (!all && gix->grp->group_id == id)
            continue;
        id = gix->grp->group_id;
        if (sk_OPENSSL_CSTRING_push(out, gix->grp->tlsname) <= 0)
            goto end;
    }
    ret = 1;

end:
    sk_TLS_GROUP_IX_pop_free(collect, free_wrapper);
    return ret;
}

/*-
 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
 * if there is no match.
 * For nmatch == -1, return number of matches
 * For nmatch == -2, return the id of the group to use for
 * a tmp key, or 0 if there is no match.
1003 */ 1004 uint16_t tls1_shared_group(SSL_CONNECTION *s, int nmatch) 1005 { 1006 const uint16_t *pref, *supp; 1007 size_t num_pref, num_supp, i; 1008 int k; 1009 SSL_CTX *ctx = SSL_CONNECTION_GET_CTX(s); 1010 1011 /* Can't do anything on client side */ 1012 if (s->server == 0) 1013 return 0; 1014 if (nmatch == -2) { 1015 if (tls1_suiteb(s)) { 1016 /* 1017 * For Suite B ciphersuite determines curve: we already know 1018 * these are acceptable due to previous checks. 1019 */ 1020 unsigned long cid = s->s3.tmp.new_cipher->id; 1021 1022 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 1023 return OSSL_TLS_GROUP_ID_secp256r1; 1024 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 1025 return OSSL_TLS_GROUP_ID_secp384r1; 1026 /* Should never happen */ 1027 return 0; 1028 } 1029 /* If not Suite B just return first preference shared curve */ 1030 nmatch = 0; 1031 } 1032 /* 1033 * If server preference set, our groups are the preference order 1034 * otherwise peer decides. 1035 */ 1036 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 1037 tls1_get_supported_groups(s, &pref, &num_pref); 1038 tls1_get_peer_groups(s, &supp, &num_supp); 1039 } else { 1040 tls1_get_peer_groups(s, &pref, &num_pref); 1041 tls1_get_supported_groups(s, &supp, &num_supp); 1042 } 1043 1044 for (k = 0, i = 0; i < num_pref; i++) { 1045 uint16_t id = pref[i]; 1046 const TLS_GROUP_INFO *inf; 1047 int minversion, maxversion; 1048 1049 if (!tls1_in_list(id, supp, num_supp) 1050 || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED)) 1051 continue; 1052 inf = tls1_group_id_lookup(ctx, id); 1053 if (!ossl_assert(inf != NULL)) 1054 return 0; 1055 1056 minversion = SSL_CONNECTION_IS_DTLS(s) 1057 ? inf->mindtls 1058 : inf->mintls; 1059 maxversion = SSL_CONNECTION_IS_DTLS(s) 1060 ? 
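inf->maxdtls : inf->maxtls;
        if (maxversion == -1)
            continue;
        if ((minversion != 0 && ssl_version_cmp(s, s->version, minversion) < 0)
            || (maxversion != 0
                && ssl_version_cmp(s, s->version, maxversion) > 0))
            continue;

        if (nmatch == k)
            return id;
        k++;
    }
    if (nmatch == -1)
        return k;
    /* Out of range (nmatch > k). */
    return 0;
}

/*
 * Replace the supported-groups configuration with the groups given as NIDs.
 *
 * |groups|/|ngroups| is the caller's list of curve/group NIDs, in preference
 * order. On success the three output lists are replaced (the previous
 * contents are freed):
 *   *grpext/*grpextlen  the group ids, one per input NID, same order;
 *   *ksext/*ksextlen    a single entry of 0, meaning "let the key share
 *                       construction pick a group" (see comment below);
 *   *tplext/*tplextlen  a single tuple holding all |ngroups| groups.
 *
 * Returns 1 on success, 0 on failure. Failure leaves the outputs untouched
 * and is raised for: an empty list (SSL_R_BAD_LENGTH), a NID with no TLS
 * group id, a duplicate group, or an allocation failure.
 */
int tls1_set_groups(uint16_t **grpext, size_t *grpextlen,
                    uint16_t **ksext, size_t *ksextlen,
                    size_t **tplext, size_t *tplextlen,
                    int *groups, size_t ngroups)
{
    uint16_t *glist = NULL, *kslist = NULL;
    size_t *tpllist = NULL;
    size_t i, j;

    if (ngroups == 0) {
        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
        return 0;
    }
    if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL)
        goto err;
    if ((kslist = OPENSSL_malloc(1 * sizeof(*kslist))) == NULL)
        goto err;
    if ((tpllist = OPENSSL_malloc(1 * sizeof(*tpllist))) == NULL)
        goto err;
    for (i = 0; i < ngroups; i++) {
        uint16_t id = tls1_nid2group_id(groups[i]);

        /* A NID that does not map to a TLS group id cannot be negotiated */
        if (id == 0) {
            ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
            goto err;
        }
        /*
         * Duplicate detection by linear scan over the ids accepted so far.
         * These lists are short (they come from an API caller, not the
         * network), so the quadratic cost does not matter, and every 16-bit
         * group id is accepted. The previous per-low-byte bitmap could not
         * represent ids whose low byte was >= the bit width of unsigned long
         * and formed its mask with a signed "1L <<" shift, which is undefined
         * when that byte selects the sign bit.
         */
        for (j = 0; j < i; j++) {
            if (glist[j] == id) {
                ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
                goto err;
            }
        }
        glist[i] = id;
    }

    /* All input validated: hand over ownership of the new lists */
    OPENSSL_free(*grpext);
    OPENSSL_free(*ksext);
    OPENSSL_free(*tplext);
    *grpext = glist;
    *grpextlen = ngroups;
    /*
     * No * prefix was used, let tls_construct_ctos_key_share choose a key
     * share. This has the advantage that it will filter unsupported groups
     * before choosing one, which this function does not do. See also the
     * comment for tls1_get_requested_keyshare_groups.
     */
    kslist[0] = 0;
    *ksext = kslist;
    *ksextlen = 1;
    /* Everything lives in one tuple */
    tpllist[0] = ngroups;
    *tplext = tpllist;
    *tplextlen = 1;
    return 1;
err:
    OPENSSL_free(glist);
    OPENSSL_free(kslist);
    OPENSSL_free(tpllist);
    return 0;
}

/*
 * Definition of DEFAULT[_XYZ] pseudo group names.
 * A pseudo group name is actually a full list of groups, including prefixes
 * and or tuple delimiters. It can be hierarchically defined (for potential future use).
 * IMPORTANT REMARK: For ease of use, in the built-in lists of groups, unknown groups or
 * groups not backed by a provider will always silently be ignored, even without '?' prefix
 */
typedef struct {
    const char *list_name; /* The name of this pseudo group */
    const char *group_string; /* The group string of this pseudo group */
} default_group_string_st; /* (can include '?', '*'.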
'-', '/' as needed) */

/* Built-in pseudo group-names must start with a (D or d); compared case-insensitively */
static const char *DEFAULT_GROUPNAME_FIRST_CHARACTER = "D";

/* The list of all built-in pseudo-group-name structures (name -> full group string) */
static const default_group_string_st default_group_strings[] = {
    { DEFAULT_GROUP_NAME, TLS_DEFAULT_GROUP_LIST },
    { SUITE_B_GROUP_NAME, SUITE_B_GROUP_LIST }
};

/*
 * Some GOST names are not resolved by tls1_group_name2id,
 * hence we'll check for those manually (case-insensitive name -> group id)
 */
typedef struct {
    const char *group_name;
    uint16_t groupID;
} name2id_st;
static const name2id_st name2id_arr[] = {
    { "GC256A", OSSL_TLS_GROUP_ID_gc256A },
    { "GC256B", OSSL_TLS_GROUP_ID_gc256B },
    { "GC256C", OSSL_TLS_GROUP_ID_gc256C },
    { "GC256D", OSSL_TLS_GROUP_ID_gc256D },
    { "GC512A", OSSL_TLS_GROUP_ID_gc512A },
    { "GC512B", OSSL_TLS_GROUP_ID_gc512B },
    { "GC512C", OSSL_TLS_GROUP_ID_gc512C },
};

/*
 * Group list management:
 * We establish three lists along with their related size counters:
 * 1) List of (unique) groups
 * 2) List of number of groups per group-priority-tuple
 * 3) List of (unique) key share groups
 */
#define GROUPLIST_INCREMENT 32 /* Growth step, in elements, for all three lists (32 uint16_t ids = 64 bytes ~= cache line) */
#define GROUP_NAME_BUFFER_LENGTH 64 /* Max length of a group name, including the terminating \0 */

/*
 * Preparation of the prefix used to indicate the desire to send a key share,
 * the characters used as separators between groups or tuples of groups, the
 * character to indicate that an unknown group should be ignored, and the
 * character to indicate that a group should be deleted from a list
 */
#ifndef TUPLE_DELIMITER_CHARACTER
/* The separator between tuples of groups (a syntax error if used as a group prefix) */
#define TUPLE_DELIMITER_CHARACTER '/'
#endif
#ifndef GROUP_DELIMITER_CHARACTER
/* The separator between groups inside a tuple (a syntax error if used as a group prefix) */
#define GROUP_DELIMITER_CHARACTER ':'
#endif
#ifndef IGNORE_UNKNOWN_GROUP_CHARACTER
/* The prefix character to ignore unknown groups */
#define IGNORE_UNKNOWN_GROUP_CHARACTER '?'
#endif
#ifndef KEY_SHARE_INDICATOR_CHARACTER
/* The prefix character to trigger a key share addition */
#define KEY_SHARE_INDICATOR_CHARACTER '*'
#endif
#ifndef REMOVE_GROUP_INDICATOR_CHARACTER
/* The prefix character to remove a group (and any key share requested for it) from the list so far */
#define REMOVE_GROUP_INDICATOR_CHARACTER '-'
#endif
/* All characters gid_cb treats specially at the start of an element; \0-terminated for strchr() */
static const char prefixes[] = { TUPLE_DELIMITER_CHARACTER,
                                 GROUP_DELIMITER_CHARACTER,
                                 IGNORE_UNKNOWN_GROUP_CHARACTER,
                                 KEY_SHARE_INDICATOR_CHARACTER,
                                 REMOVE_GROUP_INDICATOR_CHARACTER,
                                 '\0' };

/*
 * High-level description of how group strings are analyzed:
 * A first call back function (tuple_cb) is used to process group tuples, and a
 * second callback function (gid_cb) is used to process the groups inside a tuple.
 * Those callback functions are (indirectly) called by CONF_parse_list with
 * different separators (nominally ':' or '/'), a variable based on gid_cb_st
 * is used to keep track of the parsing results between the various calls
 */

typedef struct {
    SSL_CTX *ctx;
    /* Variables to hold the three lists (groups, requested keyshares, tuple structure) */
    size_t gidmax; /* Allocated capacity of gid_arr, grown in GROUPLIST_INCREMENT steps */
    size_t gidcnt; /* Number of groups */
    uint16_t *gid_arr; /* The IDs of the supported groups (flat list) */
    size_t tplmax; /* Allocated length of tuplcnt_arr */
    /*
     * Number of *closed* (fully parsed) tuples. During parsing there is
     * always one additional active tuple being built, stored at index tplcnt.
     * tuplcnt_arr therefore always needs at least tplcnt + 1 allocated slots.
1245 */ 1246 size_t tplcnt; 1247 size_t *tuplcnt_arr; /* Per-tuple group counts; [0..tplcnt-1] closed, [tplcnt] active */ 1248 size_t ksidmax; /* The memory allocation chunk size */ 1249 size_t ksidcnt; /* Number of key shares */ 1250 uint16_t *ksid_arr; /* The IDs of the key share groups (flat list) */ 1251 /* Variable to keep state between execution of callback or helper functions */ 1252 int inner; /* Are we expanding a DEFAULT list */ 1253 int first; /* First tuple of possibly nested expansion? */ 1254 } gid_cb_st; 1255 1256 /* Forward declaration of tuple callback function */ 1257 static int tuple_cb(const char *tuple, int len, void *arg); 1258 1259 /* 1260 * Extract and process the individual groups (and their prefixes if present) 1261 * present in a tuple. Note: The argument 'elem' is a NON-\0-terminated string 1262 * and must be appended by a \0 if used as \0-terminated string 1263 */ 1264 static int gid_cb(const char *elem, int len, void *arg) 1265 { 1266 gid_cb_st *garg = arg; 1267 size_t i, j, k; 1268 uint16_t gid = 0; 1269 int found_group = 0; 1270 char etmp[GROUP_NAME_BUFFER_LENGTH]; 1271 int retval = 1; /* We assume success */ 1272 const char *current_prefix; 1273 int ignore_unknown = 0; 1274 int add_keyshare = 0; 1275 int remove_group = 0; 1276 size_t restored_prefix_index = 0; 1277 char *restored_default_group_string; 1278 int continue_while_loop = 1; 1279 1280 /* Sanity checks */ 1281 if (garg == NULL || elem == NULL || len <= 0) { 1282 ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_CONFIG_VALUE); 1283 return 0; 1284 } 1285 1286 /* Check the possible prefixes (remark: Leading and trailing spaces already cleared) */ 1287 while (continue_while_loop && len > 0 1288 && ((current_prefix = strchr(prefixes, elem[0])) != NULL 1289 || OPENSSL_strncasecmp(current_prefix = (char *)DEFAULT_GROUPNAME_FIRST_CHARACTER, elem, 1) == 0)) { 1290 1291 switch (*current_prefix) { 1292 case TUPLE_DELIMITER_CHARACTER: 1293 /* tuple delimiter not allowed here -> syntax error */ 
1294 return -1; 1295 break; 1296 case GROUP_DELIMITER_CHARACTER: 1297 return -1; /* Not a valid prefix for a single group name-> syntax error */ 1298 break; 1299 case KEY_SHARE_INDICATOR_CHARACTER: 1300 if (add_keyshare) 1301 return -1; /* Only single key share prefix allowed -> syntax error */ 1302 add_keyshare = 1; 1303 ++elem; 1304 --len; 1305 break; 1306 case REMOVE_GROUP_INDICATOR_CHARACTER: 1307 if (remove_group) 1308 return -1; /* Only single remove group prefix allowed -> syntax error */ 1309 remove_group = 1; 1310 ++elem; 1311 --len; 1312 break; 1313 case IGNORE_UNKNOWN_GROUP_CHARACTER: 1314 if (ignore_unknown) 1315 return -1; /* Only single ? allowed -> syntax error */ 1316 ignore_unknown = 1; 1317 ++elem; 1318 --len; 1319 break; 1320 default: 1321 /* 1322 * Check whether a DEFAULT[_XYZ] 'pseudo group' (= a built-in 1323 * list of groups) should be added 1324 */ 1325 for (i = 0; i < OSSL_NELEM(default_group_strings); i++) { 1326 if ((size_t)len == (strlen(default_group_strings[i].list_name)) 1327 && OPENSSL_strncasecmp(default_group_strings[i].list_name, elem, len) == 0) { 1328 int saved_first; 1329 1330 /* 1331 * We're asked to insert an entire list of groups from a 1332 * DEFAULT[_XYZ] 'pseudo group' which we do by 1333 * recursively calling this function (indirectly via 1334 * CONF_parse_list and tuple_cb); essentially, we treat a DEFAULT 1335 * group string like a tuple which is appended to the current tuple 1336 * rather then starting a new tuple. 
1337 */ 1338 if (ignore_unknown || remove_group) 1339 return -1; /* removal or ignore not allowed here -> syntax error */ 1340 1341 /* 1342 * First, we restore any keyshare prefix in a new zero-terminated string 1343 * (if not already present) 1344 */ 1345 restored_default_group_string = OPENSSL_malloc((1 /* max prefix length */ + strlen(default_group_strings[i].group_string) + 1 /* \0 */) * sizeof(char)); 1346 if (restored_default_group_string == NULL) 1347 return 0; 1348 if (add_keyshare 1349 /* Remark: we tolerate a duplicated keyshare indicator here */ 1350 && default_group_strings[i].group_string[0] 1351 != KEY_SHARE_INDICATOR_CHARACTER) 1352 restored_default_group_string[restored_prefix_index++] = KEY_SHARE_INDICATOR_CHARACTER; 1353 1354 memcpy(restored_default_group_string + restored_prefix_index, 1355 default_group_strings[i].group_string, 1356 strlen(default_group_strings[i].group_string)); 1357 restored_default_group_string[strlen(default_group_strings[i].group_string) + restored_prefix_index] = '\0'; 1358 /* 1359 * Append first tuple of result to current tuple, and don't 1360 * terminate the last tuple until we return to a top-level 1361 * tuple_cb. 
1362 */ 1363 saved_first = garg->first; 1364 garg->inner = garg->first = 1; 1365 retval = CONF_parse_list(restored_default_group_string, 1366 TUPLE_DELIMITER_CHARACTER, 1, tuple_cb, garg); 1367 garg->inner = 0; 1368 garg->first = saved_first; 1369 /* We don't need the \0-terminated string anymore */ 1370 OPENSSL_free(restored_default_group_string); 1371 1372 return retval; 1373 } 1374 } 1375 /* 1376 * If we reached this point, a group name started with a 'd' or 'D', but no request 1377 * for a DEFAULT[_XYZ] 'pseudo group' was detected, hence processing of the group 1378 * name can continue as usual (= the while loop checking prefixes can end) 1379 */ 1380 continue_while_loop = 0; 1381 break; 1382 } 1383 } 1384 1385 if (len == 0) 1386 return -1; /* Seems we have prefxes without a group name -> syntax error */ 1387 1388 /* Memory management in case more groups are present compared to initial allocation */ 1389 if (garg->gidcnt == garg->gidmax) { 1390 uint16_t *tmp = OPENSSL_realloc(garg->gid_arr, 1391 (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr)); 1392 1393 if (tmp == NULL) 1394 return 0; 1395 1396 garg->gidmax += GROUPLIST_INCREMENT; 1397 garg->gid_arr = tmp; 1398 } 1399 /* Memory management for key share groups */ 1400 if (garg->ksidcnt == garg->ksidmax) { 1401 uint16_t *tmp = OPENSSL_realloc(garg->ksid_arr, 1402 (garg->ksidmax + GROUPLIST_INCREMENT) * sizeof(*garg->ksid_arr)); 1403 1404 if (tmp == NULL) 1405 return 0; 1406 garg->ksidmax += GROUPLIST_INCREMENT; 1407 garg->ksid_arr = tmp; 1408 } 1409 1410 if (len > (int)(sizeof(etmp) - 1)) 1411 return -1; /* group name to long -> syntax error */ 1412 1413 /* 1414 * Prepare addition or removal of a single group by converting 1415 * a group name into its groupID equivalent 1416 */ 1417 1418 /* Create a \0-terminated string and get the gid for this group if possible */ 1419 memcpy(etmp, elem, len); 1420 etmp[len] = 0; 1421 1422 /* Get the groupID */ 1423 gid = tls1_group_name2id(garg->ctx, etmp); 1424 
/* 1425 * Handle the case where no valid groupID was returned 1426 * e.g. for an unknown group, which we'd ignore (only) if relevant prefix was set 1427 */ 1428 if (gid == 0) { 1429 /* Is it one of the GOST groups ? */ 1430 for (i = 0; i < OSSL_NELEM(name2id_arr); i++) { 1431 if (OPENSSL_strcasecmp(etmp, name2id_arr[i].group_name) == 0) { 1432 gid = name2id_arr[i].groupID; 1433 break; 1434 } 1435 } 1436 if (gid == 0) { /* still not found */ 1437 /* Unknown group - ignore if ignore_unknown; trigger error otherwise */ 1438 retval = ignore_unknown; 1439 goto done; 1440 } 1441 } 1442 1443 /* Make sure that at least one provider is supporting this groupID */ 1444 found_group = 0; 1445 for (j = 0; j < garg->ctx->group_list_len; j++) 1446 if (garg->ctx->group_list[j].group_id == gid) { 1447 found_group = 1; 1448 break; 1449 } 1450 1451 /* 1452 * No provider supports this group - ignore if 1453 * ignore_unknown; trigger error otherwise 1454 */ 1455 if (found_group == 0) { 1456 retval = ignore_unknown; 1457 goto done; 1458 } 1459 /* Remove group (and keyshare) from anywhere in the list if present, ignore if not present */ 1460 if (remove_group) { 1461 /* Is the current group specified anywhere in the entire list so far? */ 1462 found_group = 0; 1463 for (i = 0; i < garg->gidcnt; i++) 1464 if (garg->gid_arr[i] == gid) { 1465 found_group = 1; 1466 break; 1467 } 1468 /* The group to remove is at position i in the list of (zero indexed) groups */ 1469 if (found_group) { 1470 /* We remove that group from its position (which is at i)... */ 1471 for (j = i; j < (garg->gidcnt - 1); j++) 1472 garg->gid_arr[j] = garg->gid_arr[j + 1]; /* ...shift remaining groups left ... 
*/ 1473 garg->gidcnt--; /* ..and update the book keeping for the number of groups */ 1474 1475 /* 1476 * We also must update the number of groups either in a previous tuple (which we 1477 * must identify and check whether it becomes empty due to the deletion) or in 1478 * the current tuple, pending where the deleted group resides 1479 */ 1480 k = 0; 1481 for (j = 0; j < garg->tplcnt; j++) { 1482 k += garg->tuplcnt_arr[j]; 1483 /* Remark: i is zero-indexed, k is one-indexed */ 1484 if (k > i) { /* remove from one of the previous tuples */ 1485 garg->tuplcnt_arr[j]--; 1486 break; /* We took care not to have group duplicates, hence we can stop here */ 1487 } 1488 } 1489 if (k <= i) /* remove from current tuple */ 1490 garg->tuplcnt_arr[j]--; 1491 1492 /* We also remove the group from the list of keyshares (if present) */ 1493 found_group = 0; 1494 for (i = 0; i < garg->ksidcnt; i++) 1495 if (garg->ksid_arr[i] == gid) { 1496 found_group = 1; 1497 break; 1498 } 1499 if (found_group) { 1500 /* Found, hence we remove that keyshare from its position (which is at i)... */ 1501 for (j = i; j < (garg->ksidcnt - 1); j++) 1502 garg->ksid_arr[j] = garg->ksid_arr[j + 1]; /* shift remaining key shares */ 1503 /* ... 
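and update the book keeping */
                garg->ksidcnt--;
            }
        }
    } else { /* Processing addition of a single new group */

        /* Check for duplicates */
        for (i = 0; i < garg->gidcnt; i++)
            if (garg->gid_arr[i] == gid) {
                /* Duplicate group anywhere in the list of groups - ignore */
                goto done;
            }

        /* Add the current group to the 'flat' list of groups */
        garg->gid_arr[garg->gidcnt++] = gid;
        /* and update the book keeping for the number of groups in current tuple */
        garg->tuplcnt_arr[garg->tplcnt]++;

        /* We want to add a key share for the current group */
        if (add_keyshare)
            garg->ksid_arr[garg->ksidcnt++] = gid;
    }

done:
    return retval;
}

/*
 * Ensure tuplcnt_arr has room for at least tplcnt + 2 entries so that
 * close_tuple() can safely increment tplcnt and write the new active-tuple
 * slot at index tplcnt + 1. Must be called before that increment.
 *
 * Returns 1 if the array is (now) large enough, 0 on overflow of the size
 * computation or on allocation failure (garg is left unchanged in that case,
 * the old array is still owned by garg).
 */
static int grow_tuples(gid_cb_st *garg)
{
    /* Largest element count whose byte size still fits in a size_t */
    const size_t max_tplcnt = (~(size_t)0) / sizeof(size_t);

    /*
     * Slots [0..tplcnt] are in use (tplcnt closed tuples plus the active one).
     * Grow as soon as no spare slot is left for the next active tuple.
     */
    if (garg->tplcnt + 1 >= garg->tplmax) {
        size_t newcnt = garg->tplmax + GROUPLIST_INCREMENT;
        size_t *tmp;

        /*
         * Check the element count before multiplying it into a byte size: a
         * wrapped addition or a count above max_tplcnt would otherwise yield a
         * too-small allocation that later writes overrun.
         */
        if (newcnt < garg->tplmax || newcnt > max_tplcnt)
            return 0;
        tmp = OPENSSL_realloc(garg->tuplcnt_arr, newcnt * sizeof(*tmp));
        if (tmp == NULL)
            return 0;

        garg->tplmax = newcnt;
        garg->tuplcnt_arr = tmp;
    }
    return 1;
}

/*
 * Finalise the active tuple (at index tplcnt) and open a fresh one.
 * tplcnt is the count of closed tuples; the active tuple lives at tplcnt
 * throughout parsing. After this call tplcnt is incremented and the new
 * active tuple at the updated index is initialised to 0.
 * Empty tuples (count 0) are discarded without advancing tplcnt.
 *
 * Returns 1 on success, 0 if grow_tuples() failed.
 */
static int close_tuple(gid_cb_st *garg)
{
    /* An active tuple that collected no groups is simply kept for reuse */
    if (garg->tuplcnt_arr[garg->tplcnt] == 0)
        return 1;

    /* Reserve the slot at tplcnt + 1 before moving onto it */
    if (!grow_tuples(garg))
        return 0;

    garg->tplcnt++;
    garg->tuplcnt_arr[garg->tplcnt] = 0;
    return 1;
}

/*
 * CONF_parse_list callback for one tuple of groups.
 *
 * |tuple|/|len| is a non-\0-terminated slice of the configuration string
 * (leading/trailing spaces already stripped by CONF_parse_list); |arg| is the
 * gid_cb_st being filled. The slice is copied, \0-terminated and split at
 * GROUP_DELIMITER_CHARACTER, each element going to gid_cb.
 *
 * Returns gid_cb's result (1 ok, 0 failure, -1 syntax error), or 0 on
 * allocation failure or a failed close_tuple().
 */
static int tuple_cb(const char *tuple, int len, void *arg)
{
    gid_cb_st *garg = arg;
    char *tuple_copy;
    int retval;

    if (garg == NULL || tuple == NULL || len <= 0) {
        ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_CONFIG_VALUE);
        return 0;
    }

    /*
     * While expanding a DEFAULT[_XYZ] pseudo group the first tuple is appended
     * to the tuple currently being built; every later one starts a new tuple.
     */
    if (garg->inner && !garg->first && !close_tuple(garg))
        return 0;
    garg->first = 0;

    /* Make a \0-terminated copy for CONF_parse_list */
    tuple_copy = OPENSSL_malloc((size_t)len + 1);
    if (tuple_copy == NULL)
        return 0;
    memcpy(tuple_copy, tuple, len);
    tuple_copy[len] = '\0';

    retval = CONF_parse_list(tuple_copy, GROUP_DELIMITER_CHARACTER, 1, gid_cb, arg);

    /* The copy is no longer needed once the groups have been processed */
    OPENSSL_free(tuple_copy);

    /*
     * A top-level tuple is complete here. The last tuple of a nested
     * expansion is deliberately left open: the enclosing top-level tuple_cb
     * closes it.
     */
    if (!garg->inner && !close_tuple(garg))
        return 0;
    return retval;
}

/*
 * Set groups and prepare generation of keyshares based on a string of groupnames,
 * names separated by the group or the tuple delimiter, with per-group prefixes to
 * (1) add a key share for this group, (2) ignore the group if unknown to the current
 * context, (3) delete a previous occurrence of the group in the current tuple.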
1621 * 1622 * The list parsing is done in two hierarchical steps: The top-level step extracts the 1623 * string of a tuple using tuple_cb, while the next lower step uses gid_cb to 1624 * parse and process the groups inside a tuple 1625 */ 1626 int tls1_set_groups_list(SSL_CTX *ctx, 1627 uint16_t **grpext, size_t *grpextlen, 1628 uint16_t **ksext, size_t *ksextlen, 1629 size_t **tplext, size_t *tplextlen, 1630 const char *str) 1631 { 1632 size_t i = 0, j; 1633 int ret = 0, parse_ret = 0; 1634 gid_cb_st gcb; 1635 1636 /* Sanity check */ 1637 if (ctx == NULL) { 1638 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); 1639 return 0; 1640 } 1641 1642 memset(&gcb, 0, sizeof(gcb)); 1643 gcb.gidmax = GROUPLIST_INCREMENT; 1644 gcb.tplmax = GROUPLIST_INCREMENT; 1645 gcb.ksidmax = GROUPLIST_INCREMENT; 1646 gcb.ctx = ctx; 1647 1648 /* Prepare initial chunks of memory for groups, tuples and keyshares groupIDs */ 1649 gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr)); 1650 if (gcb.gid_arr == NULL) 1651 goto end; 1652 gcb.tuplcnt_arr = OPENSSL_malloc(gcb.tplmax * sizeof(*gcb.tuplcnt_arr)); 1653 if (gcb.tuplcnt_arr == NULL) 1654 goto end; 1655 gcb.tuplcnt_arr[0] = 0; 1656 gcb.ksid_arr = OPENSSL_malloc(gcb.ksidmax * sizeof(*gcb.ksid_arr)); 1657 if (gcb.ksid_arr == NULL) 1658 goto end; 1659 1660 while (str[0] != '\0' && isspace((unsigned char)*str)) 1661 str++; 1662 if (str[0] == '\0') 1663 goto empty_list; 1664 1665 /* 1666 * Start the (potentially recursive) tuple processing by calling CONF_parse_list 1667 * with the TUPLE_DELIMITER_CHARACTER (which will call tuple_cb after cleaning spaces) 1668 */ 1669 parse_ret = CONF_parse_list(str, TUPLE_DELIMITER_CHARACTER, 1, tuple_cb, &gcb); 1670 1671 if (parse_ret == 0) 1672 goto end; 1673 if (parse_ret == -1) { 1674 ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, 1675 "Syntax error in '%s'", str); 1676 goto end; 1677 } 1678 1679 /* 1680 * We check whether a tuple was completely emptied by using "-" prefix 1681 * 
excessively, in which case we remove the tuple 1682 */ 1683 for (i = j = 0; j < gcb.tplcnt; j++) { 1684 if (gcb.tuplcnt_arr[j] == 0) 1685 continue; 1686 /* If there's a gap, move to first unfilled slot */ 1687 if (j == i) 1688 ++i; 1689 else 1690 gcb.tuplcnt_arr[i++] = gcb.tuplcnt_arr[j]; 1691 } 1692 gcb.tplcnt = i; 1693 1694 if (gcb.ksidcnt > OPENSSL_CLIENT_MAX_KEY_SHARES) { 1695 ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, 1696 "To many keyshares requested in '%s' (max = %d)", 1697 str, OPENSSL_CLIENT_MAX_KEY_SHARES); 1698 goto end; 1699 } 1700 1701 /* 1702 * For backward compatibility we let the rest of the code know that a key share 1703 * for the first valid group should be added if no "*" prefix was used anywhere 1704 */ 1705 if (gcb.gidcnt > 0 && gcb.ksidcnt == 0) { 1706 /* 1707 * No key share group prefix character was used, hence we indicate that a single 1708 * key share should be sent and flag that it should come from the supported_groups list 1709 */ 1710 gcb.ksidcnt = 1; 1711 gcb.ksid_arr[0] = 0; 1712 } 1713 1714 empty_list: 1715 /* 1716 * A call to tls1_set_groups_list with any of the args (other than ctx) set 1717 * to NULL only does a syntax check, hence we're done here and report success 1718 */ 1719 if (grpext == NULL || ksext == NULL || tplext == NULL || grpextlen == NULL || ksextlen == NULL || tplextlen == NULL) { 1720 ret = 1; 1721 goto end; 1722 } 1723 1724 /* 1725 * tuple_cb and gid_cb combo ensures there are no duplicates or unknown groups so we 1726 * can just go ahead and set the results (after disposing the existing) 1727 */ 1728 OPENSSL_free(*grpext); 1729 *grpext = gcb.gid_arr; 1730 *grpextlen = gcb.gidcnt; 1731 OPENSSL_free(*ksext); 1732 *ksext = gcb.ksid_arr; 1733 *ksextlen = gcb.ksidcnt; 1734 OPENSSL_free(*tplext); 1735 *tplext = gcb.tuplcnt_arr; 1736 *tplextlen = gcb.tplcnt; 1737 1738 return 1; 1739 1740 end: 1741 OPENSSL_free(gcb.gid_arr); 1742 OPENSSL_free(gcb.tuplcnt_arr); 1743 OPENSSL_free(gcb.ksid_arr); 1744 
return ret; 1745 } 1746 1747 /* Check a group id matches preferences */ 1748 int tls1_check_group_id(SSL_CONNECTION *s, uint16_t group_id, 1749 int check_own_groups) 1750 { 1751 const uint16_t *groups; 1752 size_t groups_len; 1753 1754 if (group_id == 0) 1755 return 0; 1756 1757 /* Check for Suite B compliance */ 1758 if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) { 1759 unsigned long cid = s->s3.tmp.new_cipher->id; 1760 1761 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { 1762 if (group_id != OSSL_TLS_GROUP_ID_secp256r1) 1763 return 0; 1764 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { 1765 if (group_id != OSSL_TLS_GROUP_ID_secp384r1) 1766 return 0; 1767 } else { 1768 /* Should never happen */ 1769 return 0; 1770 } 1771 } 1772 1773 if (check_own_groups) { 1774 /* Check group is one of our preferences */ 1775 tls1_get_supported_groups(s, &groups, &groups_len); 1776 if (!tls1_in_list(group_id, groups, groups_len)) 1777 return 0; 1778 } 1779 1780 if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) 1781 return 0; 1782 1783 /* For clients, nothing more to check */ 1784 if (!s->server) 1785 return 1; 1786 1787 /* Check group is one of peers preferences */ 1788 tls1_get_peer_groups(s, &groups, &groups_len); 1789 1790 /* 1791 * RFC 4492 does not require the supported elliptic curves extension 1792 * so if it is not sent we can just choose any curve. 1793 * It is invalid to send an empty list in the supported groups 1794 * extension, so groups_len == 0 always means no extension. 
1795 */ 1796 if (groups_len == 0) 1797 return 1; 1798 return tls1_in_list(group_id, groups, groups_len); 1799 } 1800 1801 void tls1_get_formatlist(SSL_CONNECTION *s, const unsigned char **pformats, 1802 size_t *num_formats) 1803 { 1804 /* 1805 * If we have a custom point format list use it otherwise use default 1806 */ 1807 if (s->ext.ecpointformats) { 1808 *pformats = s->ext.ecpointformats; 1809 *num_formats = s->ext.ecpointformats_len; 1810 } else { 1811 *pformats = ecformats_default; 1812 /* For Suite B we don't support char2 fields */ 1813 if (tls1_suiteb(s)) 1814 *num_formats = sizeof(ecformats_default) - 1; 1815 else 1816 *num_formats = sizeof(ecformats_default); 1817 } 1818 } 1819 1820 /* Check a key is compatible with compression extension */ 1821 static int tls1_check_pkey_comp(SSL_CONNECTION *s, EVP_PKEY *pkey) 1822 { 1823 unsigned char comp_id; 1824 size_t i; 1825 int point_conv; 1826 1827 /* If not an EC key nothing to check */ 1828 if (!EVP_PKEY_is_a(pkey, "EC")) 1829 return 1; 1830 1831 /* Get required compression id */ 1832 point_conv = EVP_PKEY_get_ec_point_conv_form(pkey); 1833 if (point_conv == 0) 1834 return 0; 1835 if (point_conv == POINT_CONVERSION_UNCOMPRESSED) { 1836 comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 1837 } else if (SSL_CONNECTION_IS_TLS13(s)) { 1838 /* 1839 * ec_point_formats extension is not used in TLSv1.3 so we ignore 1840 * this check. 1841 */ 1842 return 1; 1843 } else { 1844 int field_type = EVP_PKEY_get_field_type(pkey); 1845 1846 if (field_type == NID_X9_62_prime_field) 1847 comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1848 else if (field_type == NID_X9_62_characteristic_two_field) 1849 comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1850 else 1851 return 0; 1852 } 1853 /* 1854 * If point formats extension present check it, otherwise everything is 1855 * supported (see RFC4492). 
1856 */ 1857 if (s->ext.peer_ecpointformats == NULL) 1858 return 1; 1859 1860 for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { 1861 if (s->ext.peer_ecpointformats[i] == comp_id) 1862 return 1; 1863 } 1864 return 0; 1865 } 1866 1867 /* Return group id of a key */ 1868 static uint16_t tls1_get_group_id(EVP_PKEY *pkey) 1869 { 1870 int curve_nid = ssl_get_EC_curve_nid(pkey); 1871 1872 if (curve_nid == NID_undef) 1873 return 0; 1874 return tls1_nid2group_id(curve_nid); 1875 } 1876 1877 /* 1878 * Check cert parameters compatible with extensions: currently just checks EC 1879 * certificates have compatible curves and compression. 1880 */ 1881 static int tls1_check_cert_param(SSL_CONNECTION *s, X509 *x, int check_ee_md) 1882 { 1883 uint16_t group_id; 1884 EVP_PKEY *pkey; 1885 pkey = X509_get0_pubkey(x); 1886 if (pkey == NULL) 1887 return 0; 1888 /* If not EC nothing to do */ 1889 if (!EVP_PKEY_is_a(pkey, "EC")) 1890 return 1; 1891 /* Check compression */ 1892 if (!tls1_check_pkey_comp(s, pkey)) 1893 return 0; 1894 group_id = tls1_get_group_id(pkey); 1895 /* 1896 * For a server we allow the certificate to not be in our list of supported 1897 * groups. 1898 */ 1899 if (!tls1_check_group_id(s, group_id, !s->server)) 1900 return 0; 1901 /* 1902 * Special case for suite B. We *MUST* sign using SHA256+P-256 or 1903 * SHA384+P-384. 
1904 */ 1905 if (check_ee_md && tls1_suiteb(s)) { 1906 int check_md; 1907 size_t i; 1908 1909 /* Check to see we have necessary signing algorithm */ 1910 if (group_id == OSSL_TLS_GROUP_ID_secp256r1) 1911 check_md = NID_ecdsa_with_SHA256; 1912 else if (group_id == OSSL_TLS_GROUP_ID_secp384r1) 1913 check_md = NID_ecdsa_with_SHA384; 1914 else 1915 return 0; /* Should never happen */ 1916 for (i = 0; i < s->shared_sigalgslen; i++) { 1917 if (check_md == s->shared_sigalgs[i]->sigandhash) 1918 return 1; 1919 } 1920 return 0; 1921 } 1922 return 1; 1923 } 1924 1925 /* 1926 * tls1_check_ec_tmp_key - Check EC temporary key compatibility 1927 * @s: SSL connection 1928 * @cid: Cipher ID we're considering using 1929 * 1930 * Checks that the kECDHE cipher suite we're considering using 1931 * is compatible with the client extensions. 1932 * 1933 * Returns 0 when the cipher can't be used or 1 when it can. 1934 */ 1935 int tls1_check_ec_tmp_key(SSL_CONNECTION *s, unsigned long cid) 1936 { 1937 /* If not Suite B just need a shared group */ 1938 if (!tls1_suiteb(s)) 1939 return tls1_shared_group(s, 0) != 0; 1940 /* 1941 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other 1942 * curves permitted. 
*/
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
        return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp256r1, 1);
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
        return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp384r1, 1);

    return 0;
}

/*
 * Default sigalg schemes.
 *
 * ssl_setup_sigalgs() walks this list in order to build the per-SSL_CTX
 * tls12_sigalgs advertisement list, so the order here is the order in which
 * code points are offered. A code point is only kept if an available entry
 * with that code point exists in the sigalg lookup cache; code points with no
 * row in sigalg_lookup_tbl (for example the ML-DSA ones listed first) are
 * therefore only advertised when a provider-registered sigalg in
 * ctx->sigalg_list carries the same code point.
 */
static const uint16_t tls12_sigalgs[] = {
    TLSEXT_SIGALG_mldsa65,
    TLSEXT_SIGALG_mldsa87,
    TLSEXT_SIGALG_mldsa44,
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
    TLSEXT_SIGALG_ed25519,
    TLSEXT_SIGALG_ed448,
    TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
    TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
    TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,

    TLSEXT_SIGALG_rsa_pss_pss_sha256,
    TLSEXT_SIGALG_rsa_pss_pss_sha384,
    TLSEXT_SIGALG_rsa_pss_pss_sha512,
    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
    TLSEXT_SIGALG_rsa_pss_rsae_sha512,

    TLSEXT_SIGALG_rsa_pkcs1_sha256,
    TLSEXT_SIGALG_rsa_pkcs1_sha384,
    TLSEXT_SIGALG_rsa_pkcs1_sha512,

    TLSEXT_SIGALG_ecdsa_sha224,
    TLSEXT_SIGALG_ecdsa_sha1,

    TLSEXT_SIGALG_rsa_pkcs1_sha224,
    TLSEXT_SIGALG_rsa_pkcs1_sha1,

    TLSEXT_SIGALG_dsa_sha224,
    TLSEXT_SIGALG_dsa_sha1,

    TLSEXT_SIGALG_dsa_sha256,
    TLSEXT_SIGALG_dsa_sha384,
    TLSEXT_SIGALG_dsa_sha512,

#ifndef OPENSSL_NO_GOST
    TLSEXT_SIGALG_gostr34102012_256_intrinsic,
    TLSEXT_SIGALG_gostr34102012_512_intrinsic,
    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
    TLSEXT_SIGALG_gostr34102001_gostr3411,
#endif
};

/*
 * Suite B signature schemes: index 0 is P-256/SHA256, index 1 is P-384/SHA384.
 * tls12_get_psigalgs() hands out the whole array, only the first entry, or
 * only the second entry depending on the Suite B mode in force.
 */
static const uint16_t suiteb_sigalgs[] = {
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384
};

/*
 * Built-in signature scheme table. ssl_setup_sigalgs() copies every row into
 * the SSL_CTX lookup cache and then probes whether the digest and key type are
 * actually available.
 *
 * Positional initialisers, in SIGALG_LOOKUP field order as used elsewhere in
 * this file: name, name12 (TLS 1.2 style "SIG+HASH" alias, NULL if none),
 * sigalg (code point), hash (digest NID or NID_undef), hash_idx (SSL_MD_*_IDX
 * or -1), sig (key type NID), sig_idx (SSL_PKEY_* certificate index),
 * sigandhash (combined signature OID NID or NID_undef), curve (NID the scheme
 * is pinned to, NID_undef if any), then two int flags (presumably available
 * and advertise -- confirm against the SIGALG_LOOKUP definition), then mintls,
 * maxtls, mindtls, maxdtls. For the four version bounds, 0 means "no bound"
 * and -1 means "never usable over that transport" (see tls_sigalg_compat()).
 */
static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
    { TLSEXT_SIGALG_ecdsa_secp256r1_sha256_name,
      "ECDSA+SHA256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },
    { TLSEXT_SIGALG_ecdsa_secp384r1_sha384_name,
      "ECDSA+SHA384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA384, NID_secp384r1, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },
    { TLSEXT_SIGALG_ecdsa_secp521r1_sha512_name,
      "ECDSA+SHA512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA512, NID_secp521r1, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },

    /* EdDSA: no separate digest, hash_idx -1 */
    { TLSEXT_SIGALG_ed25519_name,
      NULL, TLSEXT_SIGALG_ed25519,
      NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },
    { TLSEXT_SIGALG_ed448_name,
      NULL, TLSEXT_SIGALG_ed448,
      NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },

    /* Legacy ECDSA schemes: capped at (D)TLS 1.2 */
    { TLSEXT_SIGALG_ecdsa_sha224_name,
      "ECDSA+SHA224", TLSEXT_SIGALG_ecdsa_sha224,
      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA224, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
    { TLSEXT_SIGALG_ecdsa_sha1_name,
      "ECDSA+SHA1", TLSEXT_SIGALG_ecdsa_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA1, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },

    /* Brainpool: TLS 1.3 only, never over DTLS (mindtls/maxdtls -1) */
    { TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_name,
      TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_alias,
      TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA256, NID_brainpoolP256r1, 1, 0,
      TLS1_3_VERSION, 0, -1, -1 },
    { TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_name,
      TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_alias,
      TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA384, NID_brainpoolP384r1, 1, 0,
      TLS1_3_VERSION, 0, -1, -1 },
    { TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name,
      TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_alias,
      TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA512, NID_brainpoolP512r1, 1, 0,
      TLS1_3_VERSION, 0, -1, -1 },

    /* RSA-PSS with an rsaEncryption (SSL_PKEY_RSA) certificate key */
    { TLSEXT_SIGALG_rsa_pss_rsae_sha256_name,
      "PSS+SHA256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },
    { TLSEXT_SIGALG_rsa_pss_rsae_sha384_name,
      "PSS+SHA384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },
    { TLSEXT_SIGALG_rsa_pss_rsae_sha512_name,
      "PSS+SHA512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },

    /* RSA-PSS with a PSS-only (SSL_PKEY_RSA_PSS_SIGN) certificate key */
    { TLSEXT_SIGALG_rsa_pss_pss_sha256_name,
      NULL, TLSEXT_SIGALG_rsa_pss_pss_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },
    { TLSEXT_SIGALG_rsa_pss_pss_sha384_name,
      NULL, TLSEXT_SIGALG_rsa_pss_pss_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },
    { TLSEXT_SIGALG_rsa_pss_pss_sha512_name,
      NULL, TLSEXT_SIGALG_rsa_pss_pss_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },

    /* RSA PKCS#1 v1.5 */
    { TLSEXT_SIGALG_rsa_pkcs1_sha256_name,
      "RSA+SHA256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha256WithRSAEncryption, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },
    { TLSEXT_SIGALG_rsa_pkcs1_sha384_name,
      "RSA+SHA384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha384WithRSAEncryption, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },
    { TLSEXT_SIGALG_rsa_pkcs1_sha512_name,
      "RSA+SHA512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha512WithRSAEncryption, NID_undef, 1, 0,
      TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0 },

    /* Legacy RSA PKCS#1 v1.5 schemes: capped at (D)TLS 1.2 */
    { TLSEXT_SIGALG_rsa_pkcs1_sha224_name,
      "RSA+SHA224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha224WithRSAEncryption, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
    { TLSEXT_SIGALG_rsa_pkcs1_sha1_name,
      "RSA+SHA1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha1WithRSAEncryption, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },

    /* DSA: all capped at (D)TLS 1.2 */
    { TLSEXT_SIGALG_dsa_sha256_name,
      "DSA+SHA256", TLSEXT_SIGALG_dsa_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_dsa_with_SHA256, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
    { TLSEXT_SIGALG_dsa_sha384_name,
      "DSA+SHA384", TLSEXT_SIGALG_dsa_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
    { TLSEXT_SIGALG_dsa_sha512_name,
      "DSA+SHA512", TLSEXT_SIGALG_dsa_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
    { TLSEXT_SIGALG_dsa_sha224_name,
      "DSA+SHA224", TLSEXT_SIGALG_dsa_sha224,
      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
    { TLSEXT_SIGALG_dsa_sha1_name,
      "DSA+SHA1", TLSEXT_SIGALG_dsa_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_dsaWithSHA1, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },

#ifndef OPENSSL_NO_GOST
    { TLSEXT_SIGALG_gostr34102012_256_intrinsic_alias, /* RFC9189 */
      TLSEXT_SIGALG_gostr34102012_256_intrinsic_name,
      TLSEXT_SIGALG_gostr34102012_256_intrinsic,
      NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
      NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
    /*
     * NOTE(review): this row's name/name12 columns reuse the *_256_intrinsic
     * identifiers while its sigalg, hash and key type are the 512-bit ones.
     * Any lookup by name would therefore resolve to the 256-bit row above.
     * Confirm this is intended before relying on name-based selection here.
     */
    { TLSEXT_SIGALG_gostr34102012_256_intrinsic_alias, /* RFC9189 */
      TLSEXT_SIGALG_gostr34102012_256_intrinsic_name,
      TLSEXT_SIGALG_gostr34102012_512_intrinsic,
      NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
      NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },

    { TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_name,
      NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
      NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
      NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
    { TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_name,
      NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
      NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
      NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
    { TLSEXT_SIGALG_gostr34102001_gostr3411_name,
      NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
      NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
      NID_id_GostR3410_2001, SSL_PKEY_GOST01,
      NID_undef, NID_undef, 1, 0,
      TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
#endif
};

/*
 * Legacy sigalgs for TLS < 1.2 RSA TLS signatures.
 *
 * Not part of sigalg_lookup_tbl (code point 0, never advertised);
 * tls1_get_legacy_sigalg() returns it for RSA when the connection does not
 * use signature algorithms at all. Bounded to TLS1_VERSION..TLS1_2_VERSION
 * and the DTLS equivalents.
 */
static const SIGALG_LOOKUP legacy_rsa_sigalg = {
    "rsa_pkcs1_md5_sha1", NULL, 0,
    NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
    EVP_PKEY_RSA, SSL_PKEY_RSA,
    NID_undef, NID_undef, 1, 0,
    TLS1_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION
};

/*
 * Default signature algorithm values used if signature algorithms not present.
 * From RFC5246. Note: order must match certificate index order.
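*/
static const uint16_t tls_default_sigalg[] = {
    TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
    0, /* SSL_PKEY_RSA_PSS_SIGN */
    TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
    TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
    TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
    TLSEXT_SIGALG_gostr34102012_256_intrinsic, /* SSL_PKEY_GOST12_256 */
    TLSEXT_SIGALG_gostr34102012_512_intrinsic, /* SSL_PKEY_GOST12_512 */
    0, /* SSL_PKEY_ED25519 */
    0, /* SSL_PKEY_ED448 */
};

/*
 * Build the signature algorithm lookup cache and the default advertisement
 * list for |ctx|.
 *
 * The cache is a copy of sigalg_lookup_tbl followed by one entry per
 * provider-registered sigalg in ctx->sigalg_list. For the built-in rows the
 * digest (via ctx->ssl_digest_methods) and the key type (by creating an
 * EVP_PKEY_CTX for it) are probed and the row marked unavailable when either
 * is missing; probe errors are discarded with ERR_set_mark()/ERR_pop_to_mark().
 * Provider rows are TLS 1.3 only and are marked available only for TLS
 * contexts.
 *
 * The advertisement list is then assembled from tls12_sigalgs, keeping each
 * code point at most once and only when its cache entry is available, with
 * any remaining available provider sigalgs appended afterwards.
 *
 * On success ownership of both arrays passes to ctx->sigalg_lookup_cache and
 * ctx->tls12_sigalgs and 1 is returned; returns 0 (freeing everything) when
 * |ctx| is NULL or an allocation fails.
 */
int ssl_setup_sigalgs(SSL_CTX *ctx)
{
    size_t i, cache_idx, sigalgs_len, enabled;
    const SIGALG_LOOKUP *lu;
    SIGALG_LOOKUP *cache = NULL;
    uint16_t *tls12_sigalgs_list = NULL;
    EVP_PKEY *tmpkey = EVP_PKEY_new();
    int istls;
    int ret = 0;

    if (ctx == NULL)
        goto err;

    istls = !SSL_CTX_IS_DTLS(ctx);

    sigalgs_len = OSSL_NELEM(sigalg_lookup_tbl) + ctx->sigalg_list_len;

    cache = OPENSSL_zalloc(sizeof(const SIGALG_LOOKUP) * sigalgs_len);
    if (cache == NULL || tmpkey == NULL)
        goto err;

    tls12_sigalgs_list = OPENSSL_zalloc(sizeof(uint16_t) * sigalgs_len);
    if (tls12_sigalgs_list == NULL)
        goto err;

    ERR_set_mark();
    /* First fill cache and tls12_sigalgs list from legacy algorithm list */
    for (i = 0, lu = sigalg_lookup_tbl;
         i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
        EVP_PKEY_CTX *pctx;

        cache[i] = *lu;

        /*
         * Check hash is available.
         * This test is not perfect. A provider could have support
         * for a signature scheme, but not a particular hash. However the hash
         * could be available from some other loaded provider. In that case it
         * could be that the signature is available, and the hash is available
         * independently - but not as a combination. We ignore this for now.
         */
        if (lu->hash != NID_undef
            && ctx->ssl_digest_methods[lu->hash_idx] == NULL) {
            cache[i].available = 0;
            continue;
        }

        if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
            cache[i].available = 0;
            continue;
        }
        pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, tmpkey, ctx->propq);
        /* If unable to create pctx we assume the sig algorithm is unavailable */
        if (pctx == NULL)
            cache[i].available = 0;
        EVP_PKEY_CTX_free(pctx);
    }

    /*
     * Now complete cache with provider sig information. The advertisement
     * list itself is only written below, once availability is known.
     */
    cache_idx = OSSL_NELEM(sigalg_lookup_tbl);
    for (i = 0; i < ctx->sigalg_list_len; i++) {
        TLS_SIGALG_INFO si = ctx->sigalg_list[i];
        cache[cache_idx].name = si.name;
        cache[cache_idx].name12 = si.sigalg_name;
        cache[cache_idx].sigalg = si.code_point;
        cache[cache_idx].hash = si.hash_name ? OBJ_txt2nid(si.hash_name) : NID_undef;
        cache[cache_idx].hash_idx = ssl_get_md_idx(cache[cache_idx].hash);
        cache[cache_idx].sig = OBJ_txt2nid(si.sigalg_name);
        /* Provider sigalgs get certificate indices after the built-in SSL_PKEY_* ones */
        cache[cache_idx].sig_idx = i + SSL_PKEY_NUM;
        cache[cache_idx].sigandhash = OBJ_txt2nid(si.sigalg_name);
        cache[cache_idx].curve = NID_undef;
        cache[cache_idx].mintls = TLS1_3_VERSION;
        cache[cache_idx].maxtls = TLS1_3_VERSION;
        cache[cache_idx].mindtls = -1;
        cache[cache_idx].maxdtls = -1;
        /* Compatibility with TLS 1.3 is checked on load */
        cache[cache_idx].available = istls;
        cache[cache_idx].advertise = 0;
        cache_idx++;
    }
    ERR_pop_to_mark();

    enabled = 0;
    for (i = 0; i < OSSL_NELEM(tls12_sigalgs); ++i) {
        SIGALG_LOOKUP *ent = cache;
        size_t j;

        for (j = 0; j < sigalgs_len; ent++, j++) {
            if (ent->sigalg != tls12_sigalgs[i])
                continue;
            /* Dedup by marking cache entry as default enabled. */
            if (ent->available && !ent->advertise) {
                ent->advertise = 1;
                tls12_sigalgs_list[enabled++] = tls12_sigalgs[i];
            }
            break;
        }
    }

    /* Append any provider sigalgs not yet handled */
    for (i = OSSL_NELEM(sigalg_lookup_tbl); i < sigalgs_len; ++i) {
        SIGALG_LOOKUP *ent = &cache[i];

        if (ent->available && !ent->advertise)
            tls12_sigalgs_list[enabled++] = ent->sigalg;
    }

    ctx->sigalg_lookup_cache = cache;
    ctx->sigalg_lookup_cache_len = sigalgs_len;
    ctx->tls12_sigalgs = tls12_sigalgs_list;
    ctx->tls12_sigalgs_len = enabled;
    /* Ownership transferred to ctx; don't free below */
    cache = NULL;
    tls12_sigalgs_list = NULL;

    ret = 1;
err:
    OPENSSL_free(cache);
    OPENSSL_free(tls12_sigalgs_list);
    EVP_PKEY_free(tmpkey);
    return ret;
}

/* Growth step, in bytes, for the string built by SSL_get1_builtin_sigalgs() */
#define SIGLEN_BUF_INCREMENT 100

/*
 * Return a newly allocated ':'-separated list of the names of every row of
 * sigalg_lookup_tbl whose digest and key type can be fetched from |libctx|
 * (NULL selects the default library context). The caller owns the result and
 * frees it with OPENSSL_free(). Returns NULL on allocation failure.
 *
 * Availability is probed like ssl_setup_sigalgs(): the digest is fetched by
 * name and an EVP_PKEY_CTX is created for the key type; errors raised by the
 * probes are discarded with ERR_set_mark()/ERR_pop_to_mark(). A row with a
 * NULL name is skipped with ERR_R_INTERNAL_ERROR raised.
 */
char *SSL_get1_builtin_sigalgs(OSSL_LIB_CTX *libctx)
{
    size_t i, maxretlen = SIGLEN_BUF_INCREMENT;
    const SIGALG_LOOKUP *lu;
    EVP_PKEY *tmpkey = EVP_PKEY_new();
    char *retval = OPENSSL_malloc(maxretlen);

    /*
     * Both allocations are required: probing with a NULL key would silently
     * report every scheme as unavailable instead of signalling the failure.
     */
    if (retval == NULL || tmpkey == NULL) {
        OPENSSL_free(retval);
        EVP_PKEY_free(tmpkey);
        return NULL;
    }

    /* ensure retval string is NUL terminated */
    retval[0] = (char)0;

    for (i = 0, lu = sigalg_lookup_tbl;
         i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
        EVP_PKEY_CTX *pctx;
        int enabled = 1;

        ERR_set_mark();
        /* Check hash is available in some provider. */
        if (lu->hash != NID_undef) {
            EVP_MD *hash = EVP_MD_fetch(libctx, OBJ_nid2ln(lu->hash), NULL);

            /* If unable to create we assume the hash algorithm is unavailable */
            if (hash == NULL) {
                enabled = 0;
                ERR_pop_to_mark();
                continue;
            }
            EVP_MD_free(hash);
        }

        if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
            enabled = 0;
            ERR_pop_to_mark();
            continue;
        }
        pctx = EVP_PKEY_CTX_new_from_pkey(libctx, tmpkey, NULL);
        /* If unable to create pctx we assume the sig algorithm is unavailable */
        if (pctx == NULL)
            enabled = 0;
        ERR_pop_to_mark();
        EVP_PKEY_CTX_free(pctx);

        if (enabled) {
            const char *sa = lu->name;

            if (sa != NULL) {
                /* Space for the current list, a ':' separator, the name and NUL */
                size_t needed = strlen(retval) + strlen(sa) + 2;

                if (needed > maxretlen) {
                    char *tmp;

                    /* Grow in fixed steps until the new entry fits */
                    while (needed > maxretlen)
                        maxretlen += SIGLEN_BUF_INCREMENT;
                    tmp = OPENSSL_realloc(retval, maxretlen);
                    if (tmp == NULL) {
                        OPENSSL_free(retval);
                        EVP_PKEY_free(tmpkey);
                        return NULL;
                    }
                    retval = tmp;
                }
                if (strlen(retval) > 0)
                    OPENSSL_strlcat(retval, ":", maxretlen);
                OPENSSL_strlcat(retval, sa, maxretlen);
            } else {
                /* lu->name must not be NULL */
                ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
            }
        }
    }

    EVP_PKEY_free(tmpkey);
    return retval;
}

/*
 * Lookup TLS signature algorithm.
 *
 * Linear search of ctx->sigalg_lookup_cache for code point |sigalg|. Returns
 * the entry when found and available; NULL when the code point is unknown or
 * its entry is marked unavailable.
 */
static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL_CTX *ctx,
                                               uint16_t sigalg)
{
    size_t i;
    const SIGALG_LOOKUP *lu = ctx->sigalg_lookup_cache;

    for (i = 0; i < ctx->sigalg_lookup_cache_len; lu++, i++) {
        if (lu->sigalg == sigalg) {
            if (!lu->available)
                return NULL;
            return lu;
        }
    }
    return NULL;
}

/*
 * Lookup hash: return 0 if invalid or not enabled.
 *
 * On success returns 1 and, when |pmd| is non-NULL, stores the digest for |lu|
 * in *pmd -- NULL when the scheme has no associated digest (lu->hash ==
 * NID_undef). Returns 0 when |lu| is NULL or the digest is not enabled in
 * |ctx|.
 */
int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
{
    const EVP_MD *md;

    if (lu == NULL)
        return 0;
    /* lu->hash == NID_undef means no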
associated digest */
    if (lu->hash == NID_undef) {
        md = NULL;
    } else {
        md = ssl_md(ctx, lu->hash_idx);
        if (md == NULL)
            return 0;
    }
    if (pmd)
        *pmd = md;
    return 1;
}

/*
 * Check if key is large enough to generate RSA-PSS signature.
 *
 * The key must greater than or equal to 2 * hash length + 2.
 * SHA512 has a hash length of 64 bytes, which is incompatible
 * with a 128 byte (1024 bit) key.
 */
#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2)
/*
 * Returns 1 when EVP_PKEY_get_size(|pkey|) is at least
 * RSA_PSS_MINIMUM_KEY_SIZE for the digest of |lu|. Returns 0 when |pkey| is
 * NULL, the digest cannot be looked up in |ctx| or the scheme has no digest,
 * the digest reports a non-positive size, or the key is too small.
 */
static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey,
                                      const SIGALG_LOOKUP *lu)
{
    const EVP_MD *md;

    if (pkey == NULL)
        return 0;
    if (!tls1_lookup_md(ctx, lu, &md) || md == NULL)
        return 0;
    if (EVP_MD_get_size(md) <= 0)
        return 0;
    if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md))
        return 0;
    return 1;
}

/*
 * Returns a signature algorithm when the peer did not send a list of supported
 * signature algorithms. The signature algorithm is fixed for the certificate
 * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
 * certificate type from |s| will be used.
 * Returns the signature algorithm to use, or NULL on error.
 *
 * With |idx| == -1 a server derives the index from the negotiated cipher's
 * algorithm_auth (with the GOST adjustments below), a client from the
 * currently selected certificate slot (s->cert->key). An index that is still
 * -1 or out of range of tls_default_sigalg yields NULL. The result is always
 * checked against tls12_sigalg_allowed() for SSL_SECOP_SIGALG_SUPPORTED.
 */
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL_CONNECTION *s,
                                                   int idx)
{
    if (idx == -1) {
        if (s->server) {
            size_t i;

            /* Work out index corresponding to ciphersuite */
            for (i = 0; i < s->ssl_pkey_num; i++) {
                const SSL_CERT_LOOKUP *clu
                    = ssl_cert_lookup_by_idx(i, SSL_CONNECTION_GET_CTX(s));

                if (clu == NULL)
                    continue;
                if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) {
                    idx = i;
                    break;
                }
            }

            /*
             * Some GOST ciphersuites allow more than one signature algorithm:
             * prefer the newest GOST key slot that actually has a private key.
             */
            if (idx == SSL_PKEY_GOST01 && s->s3.tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
                int real_idx;

                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
                     real_idx--) {
                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
                        idx = real_idx;
                        break;
                    }
                }
            }
            /*
             * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used
             * with new (aGOST12-only) ciphersuites, we should find out which one is available really.
             */
            else if (idx == SSL_PKEY_GOST12_256) {
                int real_idx;

                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256;
                     real_idx--) {
                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
                        idx = real_idx;
                        break;
                    }
                }
            }
        } else {
            /* Client: index of the currently selected certificate slot */
            idx = s->cert->key - s->cert->pkeys;
        }
    }
    if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
        return NULL;

    if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s),
                                                     tls_default_sigalg[idx]);

        if (lu == NULL)
            return NULL;
        if (!tls1_lookup_md(SSL_CONNECTION_GET_CTX(s), lu, NULL))
            return NULL;
        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
            return NULL;
        return lu;
    }
    /* RSA without sigalgs: the pre-TLS1.2 MD5+SHA1 scheme, security-level permitting */
    if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
        return NULL;
    return &legacy_rsa_sigalg;
}
/*
 * Set peer sigalg based key type.
 *
 * Looks up the certificate index for |pkey| and stores the corresponding
 * legacy signature algorithm in s->s3.tmp.peer_sigalg. Returns 1 on success,
 * 0 when the key type is unknown or no legacy sigalg is usable for it.
 */
int tls1_set_peer_legacy_sigalg(SSL_CONNECTION *s, const EVP_PKEY *pkey)
{
    size_t idx;
    const SIGALG_LOOKUP *lu;

    if (ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)) == NULL)
        return 0;
    lu = tls1_get_legacy_sigalg(s, idx);
    if (lu == NULL)
        return 0;
    s->s3.tmp.peer_sigalg = lu;
    return 1;
}

/*
 * Select the signature algorithm list to use and store it in *|psigs|.
 * Returns the number of entries. |sent| is compared against s->server to
 * decide whether the client_sigalgs list applies (see comment below).
 */
size_t tls12_get_psigalgs(SSL_CONNECTION *s, int sent, const uint16_t **psigs)
{
    /*
     * If Suite B mode use Suite B sigalgs only, ignore any other
     * preferences.
     */
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        *psigs = suiteb_sigalgs;
        return OSSL_NELEM(suiteb_sigalgs);

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        *psigs = suiteb_sigalgs;
        return 1;

    case SSL_CERT_FLAG_SUITEB_192_LOS:
        *psigs = suiteb_sigalgs + 1;
        return 1;
    }
    /* Not Suite B (or an unrecognised mode): fall through to the configured lists */
    /*
     * We use client_sigalgs (if not NULL) if we're a server
     * and sending a certificate request or if we're a client and
     * determining which shared algorithm to use.
     */
    if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
        *psigs = s->cert->client_sigalgs;
        return s->cert->client_sigalgslen;
    } else if (s->cert->conf_sigalgs) {
        *psigs = s->cert->conf_sigalgs;
        return s->cert->conf_sigalgslen;
    } else {
        /* Fall back to the SSL_CTX default list built by ssl_setup_sigalgs() */
        *psigs = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs;
        return SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs_len;
    }
}

/*
 * Called by servers only. Checks that we have a sig alg that supports the
 * specified EC curve.
 *
 * Scans the configured sigalgs (or the SSL_CTX defaults) for an available
 * EC scheme pinned to curve NID |curve|. Returns 1 if one exists, else 0.
 */
int tls_check_sigalg_curve(const SSL_CONNECTION *s, int curve)
{
    const uint16_t *sigs;
    size_t siglen, i;

    if (s->cert->conf_sigalgs) {
        sigs = s->cert->conf_sigalgs;
        siglen = s->cert->conf_sigalgslen;
    } else {
        sigs = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs;
        siglen = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs_len;
    }

    for (i = 0; i < siglen; i++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), sigs[i]);

        /* Unknown or unavailable code points are skipped, not an error */
        if (lu == NULL)
            continue;
        if (lu->sig == EVP_PKEY_EC
            && lu->curve != NID_undef
            && curve == lu->curve)
            return 1;
    }

    return 0;
}

/*
 * Return the number of security bits for the signature algorithm, or 0 on
 * error.
*/
static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu)
{
    const EVP_MD *md = NULL;
    int secbits = 0;

    if (!tls1_lookup_md(ctx, lu, &md))
        return 0;
    if (md != NULL) {
        int md_type = EVP_MD_get_type(md);

        /* Security bits: half digest bits */
        secbits = EVP_MD_get_size(md) * 4;
        if (secbits <= 0)
            return 0;
        /*
         * SHA1 and MD5 are known to be broken. Reduce security bits so that
         * they're no longer accepted at security level 1. The real values don't
         * really matter as long as they're lower than 80, which is our
         * security level 1.
         * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for
         * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2
         * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
         * puts a chosen-prefix attack for MD5 at 2^39.
         */
        if (md_type == NID_sha1)
            secbits = 64;
        else if (md_type == NID_md5_sha1)
            secbits = 67;
        else if (md_type == NID_md5)
            secbits = 39;
    } else {
        /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
        if (lu->sigalg == TLSEXT_SIGALG_ed25519)
            secbits = 128;
        else if (lu->sigalg == TLSEXT_SIGALG_ed448)
            secbits = 224;
    }
    /*
     * For provider-based sigalgs we have secbits information available
     * in the (provider-loaded) sigalg_list structure. Such entries have
     * sig_idx >= SSL_PKEY_NUM (see ssl_setup_sigalgs()); the range check
     * guards the index into ctx->sigalg_list.
     */
    if ((secbits == 0) && (lu->sig_idx >= SSL_PKEY_NUM)
        && ((lu->sig_idx - SSL_PKEY_NUM) < (int)ctx->sigalg_list_len)) {
        secbits = ctx->sigalg_list[lu->sig_idx - SSL_PKEY_NUM].secbits;
    }
    return secbits;
}

/*
 * Check whether signature scheme |lu| may be used on connection |sc|.
 *
 * The scheme's (D)TLS version window (mintls/maxtls or mindtls/maxdtls) is
 * compared with the connection's negotiable version range: sc->min/max
 * proto_version when the method is version-flexible, otherwise the single
 * negotiated sc->version. A bound of -1 in the scheme means "never on this
 * transport"; a bound of 0 on either side means "unconstrained". Finally the
 * security callback is consulted via tls12_sigalg_allowed().
 *
 * Returns 1 if usable, 0 if unavailable, out of version range or disallowed
 * by the security level.
 */
static int tls_sigalg_compat(SSL_CONNECTION *sc, const SIGALG_LOOKUP *lu)
{
    int minversion, maxversion;
    int minproto, maxproto;

    if (!lu->available)
        return 0;

    if (SSL_CONNECTION_IS_DTLS(sc)) {
        if (sc->ssl.method->version == DTLS_ANY_VERSION) {
            minproto = sc->min_proto_version;
            maxproto = sc->max_proto_version;
        } else {
            maxproto = minproto = sc->version;
        }
        minversion = lu->mindtls;
        maxversion = lu->maxdtls;
    } else {
        if (sc->ssl.method->version == TLS_ANY_VERSION) {
            minproto = sc->min_proto_version;
            maxproto = sc->max_proto_version;
        } else {
            maxproto = minproto = sc->version;
        }
        minversion = lu->mintls;
        maxversion = lu->maxtls;
    }
    /*
     * Reject when the scheme's minimum is above the highest version we may
     * negotiate, or its maximum is below the lowest; 0 disables that bound.
     */
    if (minversion == -1 || maxversion == -1
        || (minversion != 0 && maxproto != 0
            && ssl_version_cmp(sc, minversion, maxproto) > 0)
        || (maxversion != 0 && minproto != 0
            && ssl_version_cmp(sc, maxversion, minproto) < 0)
        || !tls12_sigalg_allowed(sc, SSL_SECOP_SIGALG_SUPPORTED, lu))
        return 0;
    return 1;
}

/*
 * Check signature algorithm is consistent with sent supported signature
 * algorithms and if so set relevant digest and signature scheme in
 * s.
 *
 * Every rejection below sends an illegal_parameter alert via SSLfatal() and
 * returns 0. NOTE(review): the "Should never happen" branch further down
 * returns -1 rather than 0; a caller testing !tls12_check_peer_sigalg(...)
 * would treat that as success -- confirm it is unreachable or make it return 0.
 */
int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey)
{
    const uint16_t *sent_sigs;
    const EVP_MD *md = NULL;
    char sigalgstr[2];
    size_t sent_sigslen, i, cidx;
    int pkeyid = -1;
    const SIGALG_LOOKUP *lu;
    int secbits = 0;

    pkeyid = EVP_PKEY_get_id(pkey);

    if (SSL_CONNECTION_IS_TLS13(s)) {
        /* Disallow DSA for TLS 1.3 */
        if (pkeyid == EVP_PKEY_DSA) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
        /* Only allow PSS for TLS 1.3 */
        if (pkeyid == EVP_PKEY_RSA)
            pkeyid = EVP_PKEY_RSA_PSS;
    }

    /* Is this code point available and compatible with the protocol */
    lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), sig);
    if (lu == NULL || !tls_sigalg_compat(s, lu)) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }

    /* If we don't know the pkey nid yet go and find it */
    if (pkeyid == EVP_PKEY_KEYMGMT) {
const SSL_CERT_LOOKUP *scl = ssl_cert_lookup_by_pkey(pkey, NULL, SSL_CONNECTION_GET_CTX(s)); 2755 2756 if (scl == NULL) { 2757 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 2758 return 0; 2759 } 2760 pkeyid = scl->pkey_nid; 2761 } 2762 2763 /* Should never happen */ 2764 if (pkeyid == -1) { 2765 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 2766 return -1; 2767 } 2768 2769 /* 2770 * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type 2771 * is consistent with signature: RSA keys can be used for RSA-PSS 2772 */ 2773 if ((SSL_CONNECTION_IS_TLS13(s) 2774 && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) 2775 || (pkeyid != lu->sig 2776 && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { 2777 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 2778 return 0; 2779 } 2780 /* Check the sigalg is consistent with the key OID */ 2781 if (!ssl_cert_lookup_by_nid( 2782 (pkeyid == EVP_PKEY_RSA_PSS) ? EVP_PKEY_get_id(pkey) : pkeyid, 2783 &cidx, SSL_CONNECTION_GET_CTX(s)) 2784 || lu->sig_idx != (int)cidx) { 2785 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 2786 return 0; 2787 } 2788 2789 if (pkeyid == EVP_PKEY_EC) { 2790 2791 /* Check point compression is permitted */ 2792 if (!tls1_check_pkey_comp(s, pkey)) { 2793 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 2794 SSL_R_ILLEGAL_POINT_COMPRESSION); 2795 return 0; 2796 } 2797 2798 /* For TLS 1.3 or Suite B check curve matches signature algorithm */ 2799 if (SSL_CONNECTION_IS_TLS13(s) || tls1_suiteb(s)) { 2800 int curve = ssl_get_EC_curve_nid(pkey); 2801 2802 if (lu->curve != NID_undef && curve != lu->curve) { 2803 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 2804 return 0; 2805 } 2806 } 2807 if (!SSL_CONNECTION_IS_TLS13(s)) { 2808 /* Check curve matches extensions */ 2809 if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { 2810 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 2811 return 0; 2812 } 
2813 if (tls1_suiteb(s)) { 2814 /* Check sigalg matches a permissible Suite B value */ 2815 if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 2816 && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { 2817 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2818 SSL_R_WRONG_SIGNATURE_TYPE); 2819 return 0; 2820 } 2821 } 2822 } 2823 } else if (tls1_suiteb(s)) { 2824 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 2825 return 0; 2826 } 2827 2828 /* Check signature matches a type we sent */ 2829 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 2830 for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 2831 if (sig == *sent_sigs) 2832 break; 2833 } 2834 /* Allow fallback to SHA1 if not strict mode */ 2835 if (i == sent_sigslen && (lu->hash != NID_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 2836 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 2837 return 0; 2838 } 2839 if (!tls1_lookup_md(SSL_CONNECTION_GET_CTX(s), lu, &md)) { 2840 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); 2841 return 0; 2842 } 2843 /* 2844 * Make sure security callback allows algorithm. For historical 2845 * reasons we have to pass the sigalg as a two byte char array. 2846 */ 2847 sigalgstr[0] = (sig >> 8) & 0xff; 2848 sigalgstr[1] = sig & 0xff; 2849 secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); 2850 if (secbits == 0 || !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, md != NULL ? 
EVP_MD_get_type(md) : NID_undef, (void *)sigalgstr)) { 2851 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 2852 return 0; 2853 } 2854 /* Store the sigalg the peer uses */ 2855 s->s3.tmp.peer_sigalg = lu; 2856 return 1; 2857 } 2858 2859 int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) 2860 { 2861 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 2862 2863 if (sc == NULL) 2864 return 0; 2865 2866 if (sc->s3.tmp.peer_sigalg == NULL) 2867 return 0; 2868 *pnid = sc->s3.tmp.peer_sigalg->sig; 2869 return 1; 2870 } 2871 2872 int SSL_get_signature_type_nid(const SSL *s, int *pnid) 2873 { 2874 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 2875 2876 if (sc == NULL) 2877 return 0; 2878 2879 if (sc->s3.tmp.sigalg == NULL) 2880 return 0; 2881 *pnid = sc->s3.tmp.sigalg->sig; 2882 return 1; 2883 } 2884 2885 /* 2886 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't 2887 * supported, doesn't appear in supported signature algorithms, isn't supported 2888 * by the enabled protocol versions or by the security level. 2889 * 2890 * This function should only be used for checking which ciphers are supported 2891 * by the client. 2892 * 2893 * Call ssl_cipher_disabled() to check that it's enabled or not. 
 */
/*
 * ssl_set_client_disabled - compute the client's disabled-algorithm masks
 * @s: the connection
 *
 * Resets s->s3.tmp.mask_a / mask_k, fills mask_a from ssl_set_sig_mask(),
 * records the negotiable version range in s->s3.tmp.min_ver / max_ver and
 * masks out PSK and SRP when their prerequisites are missing.
 * Returns 1 on success, 0 if ssl_get_min_max_version() fails.
 */
int ssl_set_client_disabled(SSL_CONNECTION *s)
{
    s->s3.tmp.mask_a = 0;
    s->s3.tmp.mask_k = 0;
    ssl_set_sig_mask(&s->s3.tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
    if (ssl_get_min_max_version(s, &s->s3.tmp.min_ver,
                                &s->s3.tmp.max_ver, NULL)
        != 0)
        return 0;
#ifndef OPENSSL_NO_PSK
    /* with PSK there must be client callback set */
    if (!s->psk_client_callback) {
        s->s3.tmp.mask_a |= SSL_aPSK;
        s->s3.tmp.mask_k |= SSL_PSK;
    }
#endif /* OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_SRP
    /* SRP is only usable when the SRP context has enabled it */
    if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
        s->s3.tmp.mask_a |= SSL_aSRP;
        s->s3.tmp.mask_k |= SSL_kSRP;
    }
#endif
    return 1;
}

/*
 * ssl_cipher_disabled - check that a cipher is disabled or not
 * @s: SSL connection that you want to use the cipher on
 * @c: cipher to check
 * @op: Security check that you want to do
 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
 *
 * A cipher is disabled when its key-exchange or auth bits are in the
 * s->s3.tmp masks, no version range has been set (max_ver == 0), it is not
 * one of the three TLSv1.3 suites on a QUIC handshake, its version range
 * does not overlap s->s3.tmp.min_ver..max_ver, or the security callback
 * rejects it for |op|.
 *
 * Returns 1 when it's disabled, 0 when enabled.
 */
int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c,
                        int op, int ecdhe)
{
    int minversion = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls;
    int maxversion = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls;

    if (c->algorithm_mkey & s->s3.tmp.mask_k
        || c->algorithm_auth & s->s3.tmp.mask_a)
        return 1;
    if (s->s3.tmp.max_ver == 0)
        return 1;

    /* The whole switch is the body of this (unbraced) if */
    if (SSL_IS_QUIC_INT_HANDSHAKE(s))
        /* For QUIC, only allow these ciphersuites. */
        switch (SSL_CIPHER_get_id(c)) {
        case TLS1_3_CK_AES_128_GCM_SHA256:
        case TLS1_3_CK_AES_256_GCM_SHA384:
        case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
            break;
        default:
            return 1;
        }

    /*
     * For historical reasons we will allow ECDHE to be selected by a server
     * in SSLv3 if we are a client
     */
    if (minversion == TLS1_VERSION
        && ecdhe
        && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
        minversion = SSL3_VERSION;

    if (ssl_version_cmp(s, minversion, s->s3.tmp.max_ver) > 0
        || ssl_version_cmp(s, maxversion, s->s3.tmp.min_ver) < 0)
        return 1;

    return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}

/*
 * tls_use_ticket - may session tickets be used on this connection?
 * @s: the connection
 *
 * Returns 0 if SSL_OP_NO_TICKET is set, otherwise the verdict of the
 * security callback for SSL_SECOP_TICKET.
 */
int tls_use_ticket(SSL_CONNECTION *s)
{
    if ((s->options & SSL_OP_NO_TICKET))
        return 0;
    return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}

/*
 * tls1_set_server_sigalgs - work out which of our certificates can sign
 * @s: the (server) connection
 *
 * Clears s->shared_sigalgs and s->s3.tmp.valid_flags (allocating the latter
 * on first use).  If the peer sent no signature_algorithms(_cert)
 * extension, each certificate type whose legacy default scheme is one we
 * would send is marked CERT_PKEY_SIGN.  Otherwise tls1_process_sigalgs()
 * computes the shared list, and an empty result is a fatal handshake error.
 * Returns 1 on success, 0 on failure (SSLfatal() called except on
 * allocation failure).
 */
int tls1_set_server_sigalgs(SSL_CONNECTION *s)
{
    size_t i;

    /* Clear any shared signature algorithms */
    OPENSSL_free(s->shared_sigalgs);
    s->shared_sigalgs = NULL;
    s->shared_sigalgslen = 0;

    /* Clear certificate validity flags */
    if (s->s3.tmp.valid_flags)
        memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t));
    else
        s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t));
    if (s->s3.tmp.valid_flags == NULL)
        return 0;
    /*
     * If peer sent no signature algorithms check to see if we support
     * the default algorithm for each certificate type
     */
    if (s->s3.tmp.peer_cert_sigalgs == NULL
        && s->s3.tmp.peer_sigalgs == NULL) {
        const uint16_t *sent_sigs;
        size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);

        for (i = 0; i < s->ssl_pkey_num; i++) {
            const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
            size_t j;

            if (lu == NULL)
                continue;
            /* Check default matches a type we sent */
            for (j = 0; j < sent_sigslen; j++) {
                if (lu->sigalg == sent_sigs[j]) {
                    s->s3.tmp.valid_flags[i] = CERT_PKEY_SIGN;
                    break;
                }
            }
        }
        return 1;
    }

    if (!tls1_process_sigalgs(s)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (s->shared_sigalgs != NULL)
        return 1;

    /* Fatal error if no shared signature algorithms */
    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
             SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
    return 0;
}

/*-
 * Gets the ticket information supplied by the client if any.
 *
 * hello: The parsed ClientHello data
 * ret: (output) on return, if a ticket was decrypted, then this is set to
 *      point to the resulting session.
 *
 * Returns SSL_TICKET_NONE when tickets are disabled, unusable for the
 * protocol version, or absent from the ClientHello; otherwise the result of
 * tls_decrypt_ticket() on the extension body.  The ClientHello session id
 * is passed through to tls_decrypt_ticket(), which copies it into the
 * decrypted session unchecked, so hello->session_id_len must already have
 * been validated by the ClientHello parser.
 */
SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s,
                                             CLIENTHELLO_MSG *hello,
                                             SSL_SESSION **ret)
{
    size_t size;
    RAW_EXTENSION *ticketext;

    *ret = NULL;
    s->ext.ticket_expected = 0;

    /*
     * If tickets disabled or not supported by the protocol version
     * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
     * resumption.
     */
    if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
        return SSL_TICKET_NONE;

    ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
    if (!ticketext->present)
        return SSL_TICKET_NONE;

    size = PACKET_remaining(&ticketext->data);

    return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
                              hello->session_id, hello->session_id_len, ret);
}

/*-
 * tls_decrypt_ticket attempts to decrypt a session ticket.
 *
 * If s->ext.session_secret_cb is set and we're not doing TLSv1.3 then we are
 * expecting a pre-shared key ciphersuite, in which case we have no use for
 * session tickets and one will never be decrypted, nor will
 * s->ext.ticket_expected be set to 1.
 *
 * Side effects:
 *   Sets s->ext.ticket_expected to 1 if the server will have to issue
 *   a new session ticket to the client because the client indicated support
 *   (and s->ext.session_secret_cb is NULL) but the client either doesn't have
 *   a session ticket or we couldn't use the one it gave us, or if
 *   s->session_ctx->ext.ticket_key_evp_cb (or the deprecated ticket_key_cb)
 *   asked to renew the client's ticket by returning 2.
 *   Otherwise, s->ext.ticket_expected is set to 0.
 *
 *   etick: points to the body of the session ticket extension.
 *   eticklen: the length of the session tickets extension.
 *   sess_id: points at the session ID.
 *   sesslen: the length of the session ID.  Copied into the decrypted
 *       session without a bound check, so the caller must have validated it
 *       against the session id field size.
 *   psess: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 *
 * Ticket layout handled here: key name (TLSEXT_KEYNAME_LENGTH) || IV ||
 * ciphertext || HMAC.  The HMAC is verified (in constant time) over
 * everything before it, and only then is the ciphertext decrypted.
 */
SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
                                     const unsigned char *etick,
                                     size_t eticklen,
                                     const unsigned char *sess_id,
                                     size_t sesslen, SSL_SESSION **psess)
{
    SSL_SESSION *sess = NULL;
    unsigned char *sdec;
    const unsigned char *p;
    int slen, ivlen, renew_ticket = 0, declen;
    SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
    size_t mlen;
    unsigned char tick_hmac[EVP_MAX_MD_SIZE];
    SSL_HMAC *hctx = NULL;
    EVP_CIPHER_CTX *ctx = NULL;
    /* Ticket keys and callbacks live on the session context */
    SSL_CTX *tctx = s->session_ctx;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    if (eticklen == 0) {
        /*
         * The client will accept a ticket but doesn't currently have
         * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
         */
        ret = SSL_TICKET_EMPTY;
        goto end;
    }
    if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) {
        /*
         * Indicate that the ticket couldn't be decrypted rather than
         * generating the session from ticket now, trigger
         * abbreviated handshake based on external mechanism to
         * calculate the master secret later.
         */
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }

    /* Need at least keyname + iv */
    if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }

    /* Initialize session ticket encryption and HMAC contexts */
    hctx = ssl_hmac_new(tctx);
    if (hctx == NULL) {
        ret = SSL_TICKET_FATAL_ERR_MALLOC;
        goto end;
    }
    ctx = EVP_CIPHER_CTX_new();
    if (ctx == NULL) {
        ret = SSL_TICKET_FATAL_ERR_MALLOC;
        goto end;
    }
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL)
#else
    if (tctx->ext.ticket_key_evp_cb != NULL)
#endif
    {
        /*
         * Application-supplied key callback: it selects the key from the
         * key name and initialises |ctx| and the HMAC context for decryption
         * (last argument 0).  Return values: < 0 fatal, 0 unknown key name
         * (ticket ignored, a fresh one will be issued), 2 decrypt and renew.
         */
        unsigned char *nctick = (unsigned char *)etick;
        int rv = 0;

        if (tctx->ext.ticket_key_evp_cb != NULL)
            rv = tctx->ext.ticket_key_evp_cb(SSL_CONNECTION_GET_USER_SSL(s),
                                             nctick,
                                             nctick + TLSEXT_KEYNAME_LENGTH,
                                             ctx,
                                             ssl_hmac_get0_EVP_MAC_CTX(hctx),
                                             0);
#ifndef OPENSSL_NO_DEPRECATED_3_0
        else if (tctx->ext.ticket_key_cb != NULL)
            /* if 0 is returned, write an empty ticket */
            rv = tctx->ext.ticket_key_cb(SSL_CONNECTION_GET_USER_SSL(s), nctick,
                                         nctick + TLSEXT_KEYNAME_LENGTH,
                                         ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0);
#endif
        if (rv < 0) {
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            goto end;
        }
        if (rv == 0) {
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }
        if (rv == 2)
            renew_ticket = 1;
    } else {
        EVP_CIPHER *aes256cbc = NULL;

        /*
         * Check key name matches.  The key name is a public identifier
         * rather than key material, so an ordinary memcmp() is used here
         * (the secret-dependent comparison below uses CRYPTO_memcmp()).
         */
        if (memcmp(etick, tctx->ext.tick_key_name,
                   TLSEXT_KEYNAME_LENGTH)
            != 0) {
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }

        /* Built-in scheme: AES-256-CBC with an HMAC-SHA256 over the ticket */
        aes256cbc = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC",
                                     sctx->propq);
        if (aes256cbc == NULL
            || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
                             sizeof(tctx->ext.secure->tick_hmac_key),
                             "SHA256")
                <= 0
            || EVP_DecryptInit_ex(ctx, aes256cbc, NULL,
                                  tctx->ext.secure->tick_aes_key,
                                  etick + TLSEXT_KEYNAME_LENGTH)
                <= 0) {
            EVP_CIPHER_free(aes256cbc);
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            goto end;
        }
        EVP_CIPHER_free(aes256cbc);
        /* TLSv1.3 tickets are single use, so always renew them */
        if (SSL_CONNECTION_IS_TLS13(s))
            renew_ticket = 1;
    }
    /*
     * Attempt to process session ticket, first conduct sanity and integrity
     * checks on ticket.
     */
    mlen = ssl_hmac_size(hctx);
    if (mlen == 0) {
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }

    ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
    if (ivlen < 0) {
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }

    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
    if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    /* From here on eticklen no longer counts the trailing MAC */
    eticklen -= mlen;
    /* Check HMAC of encrypted ticket: covers key name, IV and ciphertext */
    if (ssl_hmac_update(hctx, etick, eticklen) <= 0
        || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) {
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }

    /* Constant-time compare: the MAC value must not leak via timing */
    if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    /* Attempt to decrypt session data */
    /* Move p after IV to start of encrypted ticket, update length */
    p = etick + TLSEXT_KEYNAME_LENGTH + ivlen;
    eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen;
    sdec = OPENSSL_malloc(eticklen);
    if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, (int)eticklen) <= 0) {
        OPENSSL_free(sdec);
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }
    /* A padding failure is a bad ticket, not an internal error */
    if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
        OPENSSL_free(sdec);
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    slen += declen;
    p = sdec;

    sess = d2i_SSL_SESSION_ex(NULL, &p, slen, sctx->libctx, sctx->propq);
    /* Bytes left over after the encoded session */
    slen -= p - sdec;
    OPENSSL_free(sdec);
    if (sess) {
        /* Some additional consistency checks: trailing data is rejected */
        if (slen != 0) {
            SSL_SESSION_free(sess);
            sess = NULL;
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }
        /*
         * The session ID, if non-empty, is used by some clients to detect
         * that the ticket has been accepted. So we copy it to the session
         * structure. If it is empty the id decoded from the ticket is left
         * as is.  No bound check on sesslen here: see the header comment.
         */
        if (sesslen) {
            memcpy(sess->session_id, sess_id, sesslen);
            sess->session_id_length = sesslen;
        }
        if (renew_ticket)
            ret = SSL_TICKET_SUCCESS_RENEW;
        else
            ret = SSL_TICKET_SUCCESS;
        goto end;
    }
    ERR_clear_error();
    /*
     * For session parse failure, indicate that we need to send a new ticket.
     */
    ret = SSL_TICKET_NO_DECRYPT;

 end:
    EVP_CIPHER_CTX_free(ctx);
    ssl_hmac_free(hctx);

    /*
     * If set, the decrypt_ticket_cb() is called unless a fatal error was
     * detected above. The callback is responsible for checking |ret| before it
     * performs any action
     */
    if (s->session_ctx->decrypt_ticket_cb != NULL
        && (ret == SSL_TICKET_EMPTY
            || ret == SSL_TICKET_NO_DECRYPT
            || ret == SSL_TICKET_SUCCESS
            || ret == SSL_TICKET_SUCCESS_RENEW)) {
        /*
         * NOTE(review): on the decrypt path eticklen has already had the MAC
         * and keyname+IV lengths subtracted, so keyname_len can be shorter
         * than the key name actually present at |etick| - confirm callbacks
         * expect this before relying on keyname_len.
         */
        size_t keyname_len = eticklen;
        int retcb;

        if (keyname_len > TLSEXT_KEYNAME_LENGTH)
            keyname_len = TLSEXT_KEYNAME_LENGTH;
        retcb = s->session_ctx->decrypt_ticket_cb(SSL_CONNECTION_GET_SSL(s),
                                                  sess, etick, keyname_len,
                                                  ret,
                                                  s->session_ctx->ticket_cb_data);
        switch (retcb) {
        case SSL_TICKET_RETURN_ABORT:
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            break;

        case SSL_TICKET_RETURN_IGNORE:
            ret = SSL_TICKET_NONE;
            SSL_SESSION_free(sess);
            sess = NULL;
            break;

        case SSL_TICKET_RETURN_IGNORE_RENEW:
            if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT)
                ret = SSL_TICKET_NO_DECRYPT;
            /* else the value of |ret| will already do the right thing */
            SSL_SESSION_free(sess);
            sess = NULL;
            break;

        case SSL_TICKET_RETURN_USE:
        case SSL_TICKET_RETURN_USE_RENEW:
            /* The callback cannot turn an undecryptable ticket into a session */
            if (ret != SSL_TICKET_SUCCESS
                && ret != SSL_TICKET_SUCCESS_RENEW)
                ret = SSL_TICKET_FATAL_ERR_OTHER;
            else if (retcb == SSL_TICKET_RETURN_USE)
                ret = SSL_TICKET_SUCCESS;
            else
                ret = SSL_TICKET_SUCCESS_RENEW;
            break;

        default:
            ret = SSL_TICKET_FATAL_ERR_OTHER;
        }
    }

    /* Decide whether a new ticket must be issued (see header comment) */
    if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) {
        switch (ret) {
        case SSL_TICKET_NO_DECRYPT:
        case SSL_TICKET_SUCCESS_RENEW:
        case SSL_TICKET_EMPTY:
            s->ext.ticket_expected = 1;
        }
    }

    *psess = sess;

    return ret;
}

/*
 * tls12_sigalg_allowed - check to see if a signature algorithm is allowed
 * @s: the connection
 * @op: SSL_SECOP_* operation to pass to the security callback
 * @lu: signature scheme to check (may be NULL)
 *
 * Applies the protocol rules (no DSA in TLSv1.3; no DSA/SHA1/MD5/SHA224 from
 * a client that can only negotiate TLSv1.3; GOST restrictions), the
 * per-context certificate disable flags, and finally the security callback
 * with the strength from sigalg_security_bits().  Returns 1 if allowed,
 * 0 otherwise.
 */
static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op,
                                const SIGALG_LOOKUP *lu)
{
    unsigned char
        sigalgstr[2];
    int secbits;

    if (lu == NULL || !lu->available)
        return 0;
    /* DSA is not allowed in TLS 1.3 */
    if (SSL_CONNECTION_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
        return 0;
    /*
     * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3
     * spec.  Until then a TLS client whose minimum version is TLSv1.3 does
     * not offer DSA or the SHA1/MD5/SHA224 based schemes.
     */
    if (!s->server && !SSL_CONNECTION_IS_DTLS(s)
        && s->s3.tmp.min_ver >= TLS1_3_VERSION
        && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
            || lu->hash_idx == SSL_MD_MD5_IDX
            || lu->hash_idx == SSL_MD_SHA224_IDX))
        return 0;

    /* See if public key algorithm allowed */
    if (ssl_cert_is_disabled(SSL_CONNECTION_GET_CTX(s), lu->sig_idx))
        return 0;

    if (lu->sig == NID_id_GostR3410_2012_256
        || lu->sig == NID_id_GostR3410_2012_512
        || lu->sig == NID_id_GostR3410_2001) {
        /* We never allow GOST sig algs on the server with TLSv1.3 */
        if (s->server && SSL_CONNECTION_IS_TLS13(s))
            return 0;
        if (!s->server
            && SSL_CONNECTION_GET_SSL(s)->method->version == TLS_ANY_VERSION
            && s->s3.tmp.max_ver >= TLS1_3_VERSION) {
            int i, num;
            STACK_OF(SSL_CIPHER) *sk;

            /*
             * We're a client that could negotiate TLSv1.3. We only allow GOST
             * sig algs if we could negotiate TLSv1.2 or below and we have GOST
             * ciphersuites enabled.
             */

            if (s->s3.tmp.min_ver >= TLS1_3_VERSION)
                return 0;

            sk = SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s));
            num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0;
            for (i = 0; i < num; i++) {
                const SSL_CIPHER *c;

                c = sk_SSL_CIPHER_value(sk, i);
                /* Skip disabled ciphers */
                if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
                    continue;

                if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0)
                    break;
            }
            /* No enabled GOST ciphersuite found */
            if (i == num)
                return 0;
        }
    }

    /*
     * Finally see if security callback allows it.  The code point is passed
     * as a two byte big-endian array in the callback's |other| argument.
     */
    secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
    sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
    sigalgstr[1] = lu->sigalg & 0xff;
    return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
}

/*
 * Get a mask of disabled public key algorithms based on supported signature
 * algorithms. For example if no signature algorithm supports RSA then RSA is
 * disabled.
 *
 * @pmask_a: (in/out) SSL_a* bits are OR-ed in for RSA, DSS and ECDSA unless
 *           at least one allowed scheme we send uses that key type
 * @s: the connection
 * @op: SSL_SECOP_* operation passed to tls12_sigalg_allowed()
 */

void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op)
{
    const uint16_t *sigalgs;
    size_t i, sigalgslen;
    uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
    /*
     * Go through all signature algorithms seeing if we support any
     * in disabled_mask.
     */
    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
    for (i = 0; i < sigalgslen; i++, sigalgs++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *sigalgs);
        const SSL_CERT_LOOKUP *clu;

        if (lu == NULL)
            continue;

        clu = ssl_cert_lookup_by_idx(lu->sig_idx,
                                     SSL_CONNECTION_GET_CTX(s));
        if (clu == NULL)
            continue;

        /* If algorithm is disabled see if we can enable it */
        if ((clu->amask & disabled_mask) != 0
            && tls12_sigalg_allowed(s, op, lu))
            disabled_mask &= ~clu->amask;
    }
    *pmask_a |= disabled_mask;
}

/*
 * tls12_copy_sigalgs - write the usable entries of a sigalg list to a packet
 * @s: the connection
 * @pkt: packet being constructed
 * @psig: list of TLSEXT_SIGALG_* code points
 * @psiglen: number of entries in |psig|
 *
 * Entries that tls_sigalg_compat() rejects are skipped silently.
 * Returns 1 if at least one usable scheme was written (for TLSv1.3, at least
 * one that is neither PKCS#1 RSA nor SHA1/SHA224 based), 0 on a packet
 * write failure or when nothing usable was written (error raised).
 */
int tls12_copy_sigalgs(SSL_CONNECTION *s, WPACKET *pkt,
                       const uint16_t *psig, size_t psiglen)
{
    size_t i;
    int rv = 0;

    for (i = 0; i < psiglen; i++, psig++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *psig);

        if (lu == NULL || !tls_sigalg_compat(s, lu))
            continue;
        if (!WPACKET_put_bytes_u16(pkt, *psig))
            return 0;
        /*
         * If TLS 1.3 must have at least one valid TLS 1.3 message
         * signing algorithm: i.e. neither RSA nor SHA1/SHA224
         */
        if (rv == 0 && (!SSL_CONNECTION_IS_TLS13(s) || (lu->sig != EVP_PKEY_RSA && lu->hash != NID_sha1 && lu->hash != NID_sha224)))
            rv = 1;
    }
    if (rv == 0)
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
    return rv;
}

/*
 * Given preference and allowed sigalgs set shared sigalgs.
 *
 * @shsig: (output, may be NULL) receives the SIGALG_LOOKUP of each match in
 *         preference order; when NULL only the count is computed, which lets
 *         the caller size the array before a second pass
 * @pref / @preflen: list scanned in order of preference
 * @allow / @allowlen: list a preferred entry must also appear in
 *
 * Entries that tls12_sigalg_allowed() rejects for SSL_SECOP_SIGALG_SHARED
 * are skipped.  Returns the number of matches.
 */
static size_t tls12_shared_sigalgs(SSL_CONNECTION *s,
                                   const SIGALG_LOOKUP **shsig,
                                   const uint16_t *pref, size_t preflen,
                                   const uint16_t *allow, size_t allowlen)
{
    const uint16_t *ptmp, *atmp;
    size_t i, j, nmatch = 0;
    for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *ptmp);

        /* Skip disabled hashes or signature algorithms */
        if (lu == NULL
            || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
            continue;
        for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
            if (*ptmp == *atmp) {
                nmatch++;
                if (shsig)
                    *shsig++ = lu;
                break;
            }
        }
    }
    return nmatch;
}

/*
 * Set shared signature algorithms for SSL structures.
 *
 * Replaces s->shared_sigalgs / s->shared_sigalgslen with the intersection of
 * our configured list and the peer's list (s->s3.tmp.peer_sigalgs).  Which
 * side's order wins depends on SSL_OP_CIPHER_SERVER_PREFERENCE and Suite B.
 * Returns 1 on success (an empty intersection is still success), 0 on
 * allocation failure.
 */
static int tls1_set_shared_sigalgs(SSL_CONNECTION *s)
{
    const uint16_t *pref, *allow, *conf;
    size_t preflen, allowlen, conflen;
    size_t nmatch;
    const SIGALG_LOOKUP **salgs = NULL;
    CERT *c = s->cert;
    unsigned int is_suiteb = tls1_suiteb(s);

    OPENSSL_free(s->shared_sigalgs);
    s->shared_sigalgs = NULL;
    s->shared_sigalgslen = 0;
    /*
     * If client use client signature algorithms if not NULL.  Suite B
     * ignores any configured list and uses the defaults from
     * tls12_get_psigalgs().
     */
    if (!s->server && c->client_sigalgs && !is_suiteb) {
        conf = c->client_sigalgs;
        conflen = c->client_sigalgslen;
    } else if (c->conf_sigalgs && !is_suiteb) {
        conf = c->conf_sigalgs;
        conflen = c->conf_sigalgslen;
    } else
        conflen = tls12_get_psigalgs(s, 0, &conf);
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE ||
        is_suiteb) {
        /* Our order wins */
        pref = conf;
        preflen = conflen;
        allow = s->s3.tmp.peer_sigalgs;
        allowlen = s->s3.tmp.peer_sigalgslen;
    } else {
        /* The peer's order wins */
        allow = conf;
        allowlen = conflen;
        pref = s->s3.tmp.peer_sigalgs;
        preflen = s->s3.tmp.peer_sigalgslen;
    }
    /* First pass counts matches, second pass fills the sized array */
    nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
    if (nmatch) {
        if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL)
            return 0;
        nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
    } else {
        salgs = NULL;
    }
    s->shared_sigalgs = salgs;
    s->shared_sigalgslen = nmatch;
    return 1;
}

/*
 * tls1_save_u16 - read the rest of a packet as an array of 16-bit values
 * @pkt: packet positioned at the start of the values
 * @pdest: (in/out) previous array is freed and replaced by the new one
 * @pdestlen: (output) number of values read
 *
 * The remaining length must be non-zero and even.  On success *pdest and
 * *pdestlen are replaced and 1 is returned; on failure (bad length,
 * allocation failure or a short read) nothing is replaced and 0 is returned.
 */
int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
{
    unsigned int stmp;
    size_t size, i;
    uint16_t *buf;

    size = PACKET_remaining(pkt);

    /* Invalid data length */
    if (size == 0 || (size & 1) != 0)
        return 0;

    /* Number of 16-bit entries */
    size >>= 1;

    if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL)
        return 0;
    for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
        buf[i] = stmp;

    if (i != size) {
        OPENSSL_free(buf);
        return 0;
    }

    OPENSSL_free(*pdest);
    *pdest = buf;
    *pdestlen = size;

    return 1;
}

/*
 * tls1_save_sigalgs - store the peer's signature_algorithms(_cert) extension
 * @s: the connection
 * @pkt: extension body
 * @cert: non-zero for signature_algorithms_cert, zero for signature_algorithms
 *
 * Returns 1 (ignoring the data) when the protocol version does not use
 * sigalgs, 0 when s->cert is missing or the list cannot be parsed, else the
 * result of tls1_save_u16() into the matching s->s3.tmp field.
 */
int tls1_save_sigalgs(SSL_CONNECTION *s, PACKET *pkt, int cert)
{
    /* Extension ignored for inappropriate versions */
    if (!SSL_USE_SIGALGS(s))
        return 1;
    /* Should never happen */
    if (s->cert == NULL)
        return 0;

    if (cert)
        return tls1_save_u16(pkt, &s->s3.tmp.peer_cert_sigalgs,
                             &s->s3.tmp.peer_cert_sigalgslen);
    else
        return tls1_save_u16(pkt, &s->s3.tmp.peer_sigalgs,
                             &s->s3.tmp.peer_sigalgslen);
}

/*
 * Set preferred digest for each key type.
 *
 * Recomputes the shared sigalg list and then marks, in
 * s->s3.tmp.valid_flags, every certificate slot that some shared scheme
 * can sign with (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN), skipping slots
 * disabled in the context and PKCS#1 RSA schemes under TLSv1.3.
 * Returns 1 on success, 0 if tls1_set_shared_sigalgs() fails.
 * NOTE(review): s->s3.tmp.valid_flags is dereferenced without a NULL check,
 * so it must have been allocated (e.g. by tls1_set_server_sigalgs()) first.
 */

int tls1_process_sigalgs(SSL_CONNECTION *s)
{
    size_t i;
    uint32_t *pvalid = s->s3.tmp.valid_flags;

    if (!tls1_set_shared_sigalgs(s))
        return 0;

    for (i = 0; i < s->ssl_pkey_num; i++)
        pvalid[i] = 0;

    for (i = 0; i < s->shared_sigalgslen; i++) {
        const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
        int idx = sigptr->sig_idx;

        /* Ignore PKCS1 based sig algs in TLSv1.3 */
        if (SSL_CONNECTION_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
            continue;
        /* If not disabled indicate we can explicitly sign */
        if (pvalid[idx] == 0
            && !ssl_cert_is_disabled(SSL_CONNECTION_GET_CTX(s), idx))
            pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
    }
    return 1;
}

/*
 * SSL_get_sigalgs - query the signature algorithms the peer sent
 * @s: the SSL object
 * @idx: index of the entry to describe, or negative to only get the count
 * @psign / @phash / @psignhash: (output, each may be NULL) NIDs of the
 *        entry's signature, hash and combined signature+hash (NID_undef if
 *        the code point is unknown)
 * @rsig / @rhash: (output, each may be NULL) the raw low and high bytes of
 *        the code point
 *
 * Returns the number of entries the peer sent, or 0 if |s| is not a
 * connection, no list was received, the count does not fit an int, or
 * |idx| is out of range.
 */
int SSL_get_sigalgs(SSL *s, int idx,
                    int *psign, int *phash, int *psignhash,
                    unsigned char *rsig, unsigned char *rhash)
{
    uint16_t *psig;
    size_t numsigalgs;
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return 0;

    psig = sc->s3.tmp.peer_sigalgs;
    numsigalgs = sc->s3.tmp.peer_sigalgslen;

    if (psig == NULL || numsigalgs > INT_MAX)
        return 0;
    if (idx >= 0) {
        const SIGALG_LOOKUP *lu;

        if (idx >= (int)numsigalgs)
            return 0;
        psig += idx;
        if (rhash != NULL)
            *rhash = (unsigned char)((*psig >> 8) & 0xff);
        if (rsig != NULL)
            *rsig = (unsigned char)(*psig & 0xff);
        lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(sc), *psig);
        if (psign != NULL)
            *psign = lu != NULL ? lu->sig : NID_undef;
        if (phash != NULL)
            *phash = lu != NULL ? lu->hash : NID_undef;
        if (psignhash != NULL)
            *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
    }
    return (int)numsigalgs;
}

/*
 * SSL_get_shared_sigalgs - query the shared signature algorithm list
 * @s: the SSL object
 * @idx: index of the entry to describe (must be in range)
 * @psign / @phash / @psignhash / @rsig / @rhash: as for SSL_get_sigalgs()
 *
 * Returns the number of shared entries, or 0 if |s| is not a connection, no
 * shared list exists, the count does not fit an int, or |idx| is out of
 * range.
 */
int SSL_get_shared_sigalgs(SSL *s, int idx,
                           int *psign, int *phash, int *psignhash,
                           unsigned char *rsig, unsigned char *rhash)
{
    const SIGALG_LOOKUP *shsigalgs;
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return 0;

    if (sc->shared_sigalgs == NULL
        || idx < 0
        || idx >= (int)sc->shared_sigalgslen
        || sc->shared_sigalgslen > INT_MAX)
        return 0;
    shsigalgs = sc->shared_sigalgs[idx];
    if (phash != NULL)
        *phash = shsigalgs->hash;
    if (psign != NULL)
        *psign = shsigalgs->sig;
    if (psignhash != NULL)
        *psignhash = shsigalgs->sigandhash;
    if (rsig != NULL)
        *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
    if (rhash != NULL)
        *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
    return (int)sc->shared_sigalgslen;
}

/* Maximum possible number of unique entries in sigalgs array */
#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)

/* Accumulator passed to sig_cb() while parsing a sigalg list string */
typedef struct {
    /* Number of entries filled in sigalgs[]; bounded by TLS_MAX_SIGALGCNT */
    size_t sigalgcnt;
    /* TLSEXT_SIGALG_XXX values */
    uint16_t sigalgs[TLS_MAX_SIGALGCNT];
    /* Context whose sigalg cache is consulted; NULL means syntax-check only */
    SSL_CTX *ctx;
} sig_cb_st;

/*
 * get_sigorhash - classify one component of a "sig+hash" string
 * @psig: (output) set to the EVP_PKEY id if |str| names a signature type
 * @phash: (output) otherwise set to the NID of |str| as a short or long
 *         name (NID_undef if neither matches)
 * @str: the component, compared case-insensitively
 */
static void get_sigorhash(int *psig, int *phash, const char *str)
{
    if (OPENSSL_strcasecmp(str, "RSA") == 0) {
        *psig = EVP_PKEY_RSA;
    } else if (OPENSSL_strcasecmp(str, "RSA-PSS") == 0
               || OPENSSL_strcasecmp(str, "PSS") == 0) {
        *psig = EVP_PKEY_RSA_PSS;
    } else if (OPENSSL_strcasecmp(str, "DSA") == 0) {
        *psig = EVP_PKEY_DSA;
    } else if (OPENSSL_strcasecmp(str, "ECDSA") == 0) {
        *psig = EVP_PKEY_EC;
    } else {
        *phash = OBJ_sn2nid(str);
        if (*phash == NID_undef)
            *phash = OBJ_ln2nid(str);
    }
}
/* Maximum length of a signature algorithm string component */
#define TLS_MAX_SIGSTRING_LEN 40

/*
 * sig_cb - CONF_parse_list() callback: resolve one list element to a code point
 * @elem: the element (not NUL-terminated), optionally prefixed with '?'
 * @len: its length
 * @arg: the sig_cb_st accumulator
 *
 * Returns 1 to continue parsing, 0 to abort.  An element that cannot be
 * resolved aborts unless it was prefixed with '?'.  Known-but-unavailable
 * schemes and duplicates are dropped silently.
 */
static int sig_cb(const char *elem, int len, void
                  *arg)
{
    sig_cb_st *sarg = arg;
    size_t i = 0;
    const SIGALG_LOOKUP *s;
    char etmp[TLS_MAX_SIGSTRING_LEN], *p;
    const char *iana, *alias;
    int sig_alg = NID_undef, hash_alg = NID_undef;
    int ignore_unknown = 0;

    if (elem == NULL)
        return 0;
    /* A leading '?' makes an unresolvable element non-fatal */
    if (elem[0] == '?') {
        ignore_unknown = 1;
        ++elem;
        --len;
    }
    /* Bound for the fixed-size sarg->sigalgs array */
    if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
        return 0;
    /* Leave room for the terminator in etmp */
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    p = strchr(etmp, '+');
    /*
     * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
     * if there's no '+' in the provided name, look for the new-style combined
     * name.  If not, match both sig+hash to find the needed SIGALG_LOOKUP.
     * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
     * rsa_pss_rsae_* that differ only by public key OID; in such cases
     * we will pick the _rsae_ variant, by virtue of them appearing earlier
     * in the table.
     */
    if (p == NULL) {
        if (sarg->ctx != NULL) {
            /* Match against the context's cache (includes provider sigalgs) */
            for (i = 0; i < sarg->ctx->sigalg_lookup_cache_len; i++) {
                iana = sarg->ctx->sigalg_lookup_cache[i].name;
                alias = sarg->ctx->sigalg_lookup_cache[i].name12;
                if ((alias != NULL && OPENSSL_strcasecmp(etmp, alias) == 0)
                    || OPENSSL_strcasecmp(etmp, iana) == 0) {
                    /* Ignore known, but unavailable sigalgs. */
                    if (!sarg->ctx->sigalg_lookup_cache[i].available)
                        return 1;
                    sarg->sigalgs[sarg->sigalgcnt++] = sarg->ctx->sigalg_lookup_cache[i].sigalg;
                    goto found;
                }
            }
        } else {
            /* Syntax checks use the built-in sigalgs */
            for (i = 0, s = sigalg_lookup_tbl;
                 i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
                iana = s->name;
                alias = s->name12;
                if ((alias != NULL && OPENSSL_strcasecmp(etmp, alias) == 0)
                    || OPENSSL_strcasecmp(etmp, iana) == 0) {
                    sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
                    goto found;
                }
            }
        }
    } else {
        /* Split "sig+hash" in place; either order of the two parts works */
        *p = 0;
        p++;
        if (*p == 0)
            return 0;
        get_sigorhash(&sig_alg, &hash_alg, etmp);
        get_sigorhash(&sig_alg, &hash_alg, p);
        if (sig_alg != NID_undef && hash_alg != NID_undef) {
            if (sarg->ctx != NULL) {
                for (i = 0; i < sarg->ctx->sigalg_lookup_cache_len; i++) {
                    s = &sarg->ctx->sigalg_lookup_cache[i];
                    if (s->hash == hash_alg && s->sig == sig_alg) {
                        /* Ignore known, but unavailable sigalgs. */
                        if (!sarg->ctx->sigalg_lookup_cache[i].available)
                            return 1;
                        sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
                        goto found;
                    }
                }
            } else {
                for (i = 0; i < OSSL_NELEM(sigalg_lookup_tbl); i++) {
                    s = &sigalg_lookup_tbl[i];
                    if (s->hash == hash_alg && s->sig == sig_alg) {
                        sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
                        goto found;
                    }
                }
            }
        }
    }
    /* Ignore unknown algorithms if ignore_unknown */
    return ignore_unknown;

 found:
    /* Ignore duplicates: drop the entry just appended if already present */
    for (i = 0; i < sarg->sigalgcnt - 1; i++) {
        if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
            sarg->sigalgcnt--;
            return 1;
        }
    }
    return 1;
}

/*
 * Set supported signature algorithms based on a colon separated list of the
 * form sig+hash e.g.
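RSA+SHA512:DSA+SHA512
 */
/*
 * Parse the sigalg list |str| (elements separated by ':', see sig_cb() for
 * the element syntax) and, unless |c| is NULL, install the result as the
 * client (|client| != 0) or server sigalg preference list of |c|.
 *
 * |ctx| may be NULL; the parser then only knows the built-in table.
 * Returns 1 on success (or when |c| is NULL and the list parsed and was
 * non-empty), 0 on a parse error, an empty result or allocation failure.
 */
int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
{
    sig_cb_st sig;

    sig.sigalgcnt = 0;
    /*
     * sig_cb() tests sarg->ctx on every element, so the field must always
     * be initialised: with a NULL |ctx| it has to read as NULL, not as
     * whatever was left on the stack (the previous conditional assignment
     * left it indeterminate in that case).
     */
    sig.ctx = ctx;
    if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
        return 0;
    if (sig.sigalgcnt == 0) {
        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
                       "No valid signature algorithms in '%s'", str);
        return 0;
    }
    /* No CERT to update: the caller only wanted the list validated */
    if (c == NULL)
        return 1;
    return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}

/*
 * Replace the client (|client| != 0) or server sigalg list of |c| with a
 * private copy of the |salglen| TLSEXT_SIGALG_XXX values in |psigs|.
 * The previously installed list is freed. Returns 1 on success, 0 if the
 * copy could not be allocated (in which case |c| is left unchanged).
 */
int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
                         int client)
{
    uint16_t *sigalgs;

    if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL)
        return 0;
    memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));

    if (client) {
        OPENSSL_free(c->client_sigalgs);
        c->client_sigalgs = sigalgs;
        c->client_sigalgslen = salglen;
    } else {
        OPENSSL_free(c->conf_sigalgs);
        c->conf_sigalgs = sigalgs;
        c->conf_sigalgslen = salglen;
    }

    return 1;
}

/*
 * Legacy NID-pair interface: |psig_nids| holds |salglen| NIDs as
 * (digest, signature) pairs. Each pair is mapped through the built-in
 * sigalg_lookup_tbl to a TLSEXT_SIGALG_XXX value and the resulting list
 * replaces the client or server sigalgs of |c| as in tls1_set_raw_sigalgs().
 * Returns 0 for an odd |salglen|, on allocation failure, or if any pair has
 * no entry in the table (nothing is installed in that case).
 */
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
{
    uint16_t *sigalgs, *sptr;
    size_t i;

    if (salglen & 1)
        return 0;
    if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL)
        return 0;
    for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
        size_t j;
        const SIGALG_LOOKUP *curr;
        int md_id = *psig_nids++;
        int sig_id = *psig_nids++;

        for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
             j++, curr++) {
            if (curr->hash == md_id && curr->sig == sig_id) {
                *sptr++ = curr->sigalg;
                break;
            }
        }

        /* Loop ran off the end of the table: unknown pair */
        if (j == OSSL_NELEM(sigalg_lookup_tbl))
            goto err;
    }

    if (client) {
        OPENSSL_free(c->client_sigalgs);
        c->client_sigalgs = sigalgs;
        c->client_sigalgslen = salglen / 2;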
} else {
        OPENSSL_free(c->conf_sigalgs);
        c->conf_sigalgs = sigalgs;
        c->conf_sigalgslen = salglen / 2;
    }

    return 1;

 err:
    /* Nothing was installed; release the partially filled copy */
    OPENSSL_free(sigalgs);
    return 0;
}

/*
 * Check whether the signature on certificate |x| is acceptable.
 *
 * |default_nid| selects the policy:
 *   -1  no check is wanted, always accept;
 *   >0  the certificate's signature NID must equal |default_nid| exactly
 *       (the RFC 5246 default when the peer sent no sigalgs extension);
 *    0  the signature must appear in the peer's list: for TLS 1.3 the
 *       signature_algorithms_cert list if the peer sent one, otherwise the
 *       shared sigalgs.
 * Self-signed certificates are always accepted (RFC 8446 4.2.3, below).
 * In the list case an RSA PKCS#1 signature is also accepted when an
 * RSA-PSS entry with the same digest is present.
 *
 * Returns 1 if acceptable, 0 otherwise.
 */
static int tls1_check_sig_alg(SSL_CONNECTION *s, X509 *x, int default_nid)
{
    int sig_nid, use_pc_sigalgs = 0;
    size_t i;
    const SIGALG_LOOKUP *sigalg;
    size_t sigalgslen;

    /*-
     * RFC 8446, section 4.2.3:
     *
     *   The signatures on certificates that are self-signed or certificates
     *   that are trust anchors are not validated, since they begin a
     *   certification path (see [RFC5280], Section 3.2). A certificate that
     *   begins a certification path MAY use a signature algorithm that is not
     *   advertised as being supported in the "signature_algorithms"
     *   extension.
     */
    if (default_nid == -1 || X509_self_signed(x, 0))
        return 1;
    sig_nid = X509_get_signature_nid(x);
    if (default_nid)
        return sig_nid == default_nid ? 1 : 0;

    if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) {
        /*
         * If we're in TLSv1.3 then we only get here if we're checking the
         * chain. If the peer has specified peer_cert_sigalgs then we use them
         * otherwise we default to normal sigalgs.
         */
        sigalgslen = s->s3.tmp.peer_cert_sigalgslen;
        use_pc_sigalgs = 1;
    } else {
        sigalgslen = s->shared_sigalgslen;
    }
    for (i = 0; i < sigalgslen; i++) {
        int mdnid, pknid;

        /* peer_cert_sigalgs holds raw code points and needs a table lookup */
        sigalg = use_pc_sigalgs
                 ? tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s),
                                      s->s3.tmp.peer_cert_sigalgs[i])
                 : s->shared_sigalgs[i];
        /* Unknown code point from the peer: skip, never match */
        if (sigalg == NULL)
            continue;
        if (sig_nid == sigalg->sigandhash)
            return 1;
        if (sigalg->sig != EVP_PKEY_RSA_PSS)
            continue;
        /*
         * Accept RSA PKCS#1 signatures in certificates when the signature
         * algorithms include RSA-PSS with a matching digest algorithm.
         *
         * When a TLS 1.3 peer inadvertently omits the legacy RSA PKCS#1 code
         * points, and we're doing strict checking of the certificate chain (in
         * a cert_cb via SSL_check_chain()) we may then reject RSA signed
         * certificates in the chain, but the TLS requirement on PSS should not
         * extend to certificates. Though the peer can in fact list the legacy
         * sigalgs for just this purpose, it is not likely that a better chain
         * signed with RSA-PSS is available.
         */
        if (!OBJ_find_sigid_algs(sig_nid, &mdnid, &pknid))
            continue;
        if (pknid == EVP_PKEY_RSA && mdnid == sigalg->hash)
            return 1;
    }
    return 0;
}

/*
 * Check to see if a certificate issuer name matches list of CA names.
 * Returns 1 if the issuer of |x| equals any entry of |names|, 0 otherwise
 * (including for an empty list).
 */
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
{
    const X509_NAME *nm;
    int i;
    nm = X509_get_issuer_name(x);
    for (i = 0; i < sk_X509_NAME_num(names); i++) {
        /* X509_NAME_cmp() returns 0 on equality */
        if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
            return 1;
    }
    return 0;
}

/*
 * Check certificate chain is consistent with TLS extensions and is usable by
 * server. This serves two purposes: it allows users to check chains before
 * passing them to the server and it allows the server to check chains before
 * attempting to use them.
*/

/* Flags which need to be set for a certificate when strict mode not set */

#define CERT_PKEY_VALID_FLAGS \
    (CERT_PKEY_EE_SIGNATURE | CERT_PKEY_EE_PARAM)
/* Strict mode flags */
#define CERT_PKEY_STRICT_FLAGS \
    (CERT_PKEY_VALID_FLAGS | CERT_PKEY_CA_SIGNATURE | CERT_PKEY_CA_PARAM \
     | CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE)

/*
 * Evaluate a certificate, its private key and its chain against the
 * constraints negotiated on |s| and return a bitmask of CERT_PKEY_* flags.
 *
 * Two modes, selected by |idx| (see the comment inside):
 *  - idx >= 0 or -2: internal use on one of the CERT_PKEY slots of s->cert.
 *    |x|, |pk| and |chain| are ignored and taken from the slot, check_flags
 *    stays 0 so the first failed check jumps to |end|, and the slot's
 *    valid_flags entry is updated: set to the result when CERT_PKEY_VALID
 *    was reached, otherwise reduced to its SIGN/EXPLICIT_SIGN bits with 0
 *    returned. |idx| is trusted here: it is not range-checked against
 *    s->cert->pkeys, so callers must pass a real slot index or -2.
 *  - idx == -1: SSL_check_chain() on caller-supplied |x|/|pk|/|chain|. The
 *    slot is derived from the key type, check_flags is non-zero so every
 *    check is performed and reported in the mask rather than aborting, and
 *    CERT_PKEY_VALID is set only if all of check_flags were satisfied.
 */
int tls1_check_chain(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pk,
                     STACK_OF(X509) *chain, int idx)
{
    int i;
    int rv = 0;
    int check_flags = 0, strict_mode;
    CERT_PKEY *cpk = NULL;
    CERT *c = s->cert;
    uint32_t *pvalid;
    unsigned int suiteb_flags = tls1_suiteb(s);

    /*
     * Meaning of idx:
     * idx == -1 means SSL_check_chain() invocation
     * idx == -2 means checking client certificate chains
     * idx >= 0 means checking SSL_PKEY index
     *
     * For RPK, where there may be no cert, we ignore -1
     */
    if (idx != -1) {
        if (idx == -2) {
            cpk = c->key;
            idx = (int)(cpk - c->pkeys);
        } else
            cpk = c->pkeys + idx;
        pvalid = s->s3.tmp.valid_flags + idx;
        x = cpk->x509;
        pk = cpk->privatekey;
        chain = cpk->chain;
        strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
        if (tls12_rpk_and_privkey(s, idx)) {
            /* Raw public key: only the EC point format can be checked */
            if (EVP_PKEY_is_a(pk, "EC") && !tls1_check_pkey_comp(s, pk))
                return 0;
            *pvalid = rv = CERT_PKEY_RPK;
            return rv;
        }
        /* If no cert or key, forget it */
        if (x == NULL || pk == NULL)
            goto end;
    } else {
        size_t certidx;

        if (x == NULL || pk == NULL)
            return 0;

        /* Unknown key type: no slot to report against */
        if (ssl_cert_lookup_by_pkey(pk, &certidx,
                                    SSL_CONNECTION_GET_CTX(s))
            == NULL)
            return 0;
        idx = certidx;
        pvalid = s->s3.tmp.valid_flags + idx;

        if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
            check_flags = CERT_PKEY_STRICT_FLAGS;
        else
            check_flags = CERT_PKEY_VALID_FLAGS;
        strict_mode = 1;
    }

    if (suiteb_flags) {
        int ok;
        if (check_flags)
            check_flags |= CERT_PKEY_SUITEB;
        ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
        if (ok == X509_V_OK)
            rv |= CERT_PKEY_SUITEB;
        else if (!check_flags)
            goto end;
    }

    /*
     * Check all signature algorithms are consistent with signature
     * algorithms extension if TLS 1.2 or later and strict mode.
     */
    if (TLS1_get_version(SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION
        && strict_mode) {
        int default_nid;
        int rsign = 0;

        if (s->s3.tmp.peer_cert_sigalgs != NULL
            || s->s3.tmp.peer_sigalgs != NULL) {
            default_nid = 0;
            /* If no sigalgs extension use defaults from RFC5246 */
        } else {
            switch (idx) {
            case SSL_PKEY_RSA:
                rsign = EVP_PKEY_RSA;
                default_nid = NID_sha1WithRSAEncryption;
                break;

            case SSL_PKEY_DSA_SIGN:
                rsign = EVP_PKEY_DSA;
                default_nid = NID_dsaWithSHA1;
                break;

            case SSL_PKEY_ECC:
                rsign = EVP_PKEY_EC;
                default_nid = NID_ecdsa_with_SHA1;
                break;

            case SSL_PKEY_GOST01:
                rsign = NID_id_GostR3410_2001;
                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
                break;

            case SSL_PKEY_GOST12_256:
                rsign = NID_id_GostR3410_2012_256;
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
                break;

            case SSL_PKEY_GOST12_512:
                rsign = NID_id_GostR3410_2012_512;
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
                break;

            default:
                /* Slots without a SHA-1 legacy default: skip the signature check */
                default_nid = -1;
                break;
            }
        }
        /*
         * If peer sent no signature algorithms extension and we have set
         * preferred signature algorithms check we support sha1.
         */
        if (default_nid > 0 && c->conf_sigalgs) {
            size_t j;
            const uint16_t *p = c->conf_sigalgs;
            for (j = 0; j < c->conf_sigalgslen; j++, p++) {
                const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *p);

                if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
                    break;
            }
            if (j == c->conf_sigalgslen) {
                /* Our own config excludes SHA-1: no signature flag can be set */
                if (check_flags)
                    goto skip_sigs;
                else
                    goto end;
            }
        }
        /* Check signature algorithm of each cert in chain */
        if (SSL_CONNECTION_IS_TLS13(s)) {
            /*
             * We only get here if the application has called SSL_check_chain(),
             * so check_flags is always set.
             */
            if (find_sig_alg(s, x, pk) != NULL)
                rv |= CERT_PKEY_EE_SIGNATURE;
        } else if (!tls1_check_sig_alg(s, x, default_nid)) {
            if (!check_flags)
                goto end;
        } else
            rv |= CERT_PKEY_EE_SIGNATURE;
        /* Assume the CA signatures are fine and clear the flag on first failure */
        rv |= CERT_PKEY_CA_SIGNATURE;
        for (i = 0; i < sk_X509_num(chain); i++) {
            if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_SIGNATURE;
                    break;
                } else
                    goto end;
            }
        }
    }
    /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
    else if (check_flags)
        rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
 skip_sigs:
    /* Check cert parameters are consistent */
    if (tls1_check_cert_param(s, x, 1))
        rv |= CERT_PKEY_EE_PARAM;
    else if (!check_flags)
        goto end;
    if (!s->server)
        rv |= CERT_PKEY_CA_PARAM;
    /* In strict mode check rest of chain too */
    else if (strict_mode) {
        rv |= CERT_PKEY_CA_PARAM;
        for (i = 0; i < sk_X509_num(chain); i++) {
            X509 *ca = sk_X509_value(chain, i);
            if (!tls1_check_cert_param(s, ca, 0)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_PARAM;
                    break;
                } else
                    goto end;
            }
        }
    }
    /* Client side: honour the certificate types and CA names the server sent */
    if (!s->server && strict_mode) {
        STACK_OF(X509_NAME) *ca_dn;
        int check_type = 0;

        if (EVP_PKEY_is_a(pk, "RSA"))
            check_type = TLS_CT_RSA_SIGN;
        else if (EVP_PKEY_is_a(pk, "DSA"))
            check_type = TLS_CT_DSS_SIGN;
        else if (EVP_PKEY_is_a(pk, "EC"))
            check_type = TLS_CT_ECDSA_SIGN;

        if (check_type) {
            const uint8_t *ctypes = s->s3.tmp.ctype;
            size_t j;

            for (j = 0; j < s->s3.tmp.ctype_len; j++, ctypes++) {
                if (*ctypes == check_type) {
                    rv |= CERT_PKEY_CERT_TYPE;
                    break;
                }
            }
            if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
                goto end;
        } else {
            /* Key types without a classic certificate type code are not filtered */
            rv |= CERT_PKEY_CERT_TYPE;
        }

        ca_dn = s->s3.tmp.peer_ca_names;

        /* No CA list (or an empty one) from the server means any issuer is fine */
        if (ca_dn == NULL
            || sk_X509_NAME_num(ca_dn) == 0
            || ssl_check_ca_name(ca_dn, x))
            rv |= CERT_PKEY_ISSUER_NAME;
        else
            for (i = 0; i < sk_X509_num(chain); i++) {
                X509 *xtmp = sk_X509_value(chain, i);

                if (ssl_check_ca_name(ca_dn, xtmp)) {
                    rv |= CERT_PKEY_ISSUER_NAME;
                    break;
                }
            }

        if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
            goto end;
    } else
        rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;

    if (!check_flags || (rv & check_flags) == check_flags)
        rv |= CERT_PKEY_VALID;

 end:

    /* Carry over the sign/explicit-sign bits; pre-1.2 has no sigalgs to gate them */
    if (TLS1_get_version(SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION)
        rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
    else
        rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;

    /*
     * When checking a CERT_PKEY structure all flags are irrelevant if the
     * chain is invalid.
     */
    if (!check_flags) {
        if (rv & CERT_PKEY_VALID) {
            *pvalid = rv;
        } else {
            /* Preserve sign and explicit sign flag, clear rest */
            *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
            return 0;
        }
    }
    return rv;
}

/*
 * Set validity of certificates in an SSL structure: re-evaluate every
 * certificate slot listed below so that s->s3.tmp.valid_flags reflects the
 * currently negotiated parameters.
 */
void tls1_set_cert_validity(SSL_CONNECTION *s)
{
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
}

/*
 * User level utility function to check a chain is suitable.
 * Returns the CERT_PKEY_* mask from tls1_check_chain() in its reporting
 * mode (idx == -1), or 0 if |s| is not a TLS connection.
 */
int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return 0;

    return tls1_check_chain(sc, x, pk, chain, -1);
}

/*
 * Build the ephemeral DH parameters used when "auto" DH is enabled.
 *
 * The target strength starts from the cipher (80 or 128 bits for anonymous
 * and PSK suites) or the server certificate key, unless dh_tmp_auto == 2,
 * and is then raised to the connection's security level. A well-known
 * RFC 3526 / RFC 2409 group of matching size with generator 2 is returned
 * as key parameters; NULL is returned if no certificate is available when
 * one is needed, or on any allocation/construction failure.
 * The caller owns the returned EVP_PKEY.
 */
EVP_PKEY *ssl_get_auto_dh(SSL_CONNECTION *s)
{
    EVP_PKEY *dhp = NULL;
    BIGNUM *p;
    int dh_secbits = 80, sec_level_bits;
    EVP_PKEY_CTX *pctx = NULL;
    OSSL_PARAM_BLD *tmpl = NULL;
    OSSL_PARAM *params = NULL;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    if (s->cert->dh_tmp_auto != 2) {
        if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
            if (s->s3.tmp.new_cipher->strength_bits == 256)
                dh_secbits = 128;
            else
                dh_secbits = 80;
        } else {
            if (s->s3.tmp.cert == NULL)
                return NULL;
            dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey);
        }
    }

    /* Do not pick a prime that is too weak
for the current security level */
    sec_level_bits = ssl_get_security_level_bits(SSL_CONNECTION_GET_SSL(s),
                                                 NULL, NULL);
    if (dh_secbits < sec_level_bits)
        dh_secbits = sec_level_bits;

    /* Map the strength to a group; below 112 bits the 1024-bit group is used */
    if (dh_secbits >= 192)
        p = BN_get_rfc3526_prime_8192(NULL);
    else if (dh_secbits >= 152)
        p = BN_get_rfc3526_prime_4096(NULL);
    else if (dh_secbits >= 128)
        p = BN_get_rfc3526_prime_3072(NULL);
    else if (dh_secbits >= 112)
        p = BN_get_rfc3526_prime_2048(NULL);
    else
        p = BN_get_rfc2409_prime_1024(NULL);
    if (p == NULL)
        goto err;

    pctx = EVP_PKEY_CTX_new_from_name(sctx->libctx, "DH", sctx->propq);
    if (pctx == NULL
        || EVP_PKEY_fromdata_init(pctx) != 1)
        goto err;

    tmpl = OSSL_PARAM_BLD_new();
    if (tmpl == NULL
        || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
        || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2))
        goto err;

    params = OSSL_PARAM_BLD_to_param(tmpl);
    if (params == NULL
        || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1)
        goto err;

 err:
    /* Shared exit: every helper object is freed, |dhp| is NULL on failure */
    OSSL_PARAM_free(params);
    OSSL_PARAM_BLD_free(tmpl);
    EVP_PKEY_CTX_free(pctx);
    BN_free(p);
    return dhp;
}

/*
 * Run the security-level callback for the public key of |x| with operation
 * |op|. Uses the connection callback when |s| is non-NULL, otherwise the
 * context callback on |ctx|. Returns the callback's verdict.
 */
static int ssl_security_cert_key(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x,
                                 int op)
{
    int secbits = -1;
    EVP_PKEY *pkey = X509_get0_pubkey(x);

    if (pkey) {
        /*
         * If no parameters this will return -1 and fail using the default
         * security callback for any non-zero security level. This will
         * reject keys which omit parameters but this only affects DSA and
         * omission of parameters is never (?) done in practice.
         */
        secbits = EVP_PKEY_get_security_bits(pkey);
    }
    if (s != NULL)
        return ssl_security(s, op, secbits, 0, x);
    else
        return ssl_ctx_security(ctx, op, secbits, 0, x);
}

/*
 * Run the security-level callback for the signature on |x| with operation
 * |op|: the digest NID (or the signature NID when no digest is defined)
 * and its security bits are passed to the callback. Self-signed
 * certificates are not checked and always pass.
 *
 * NOTE(review): on X509_get_signature_info() failure only |secbits| is
 * reset here; |nid| and |pknid| are assumed to have been written by the
 * call regardless of its return value -- confirm against that function's
 * contract.
 */
static int ssl_security_cert_sig(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x,
                                 int op)
{
    /* Lookup signature algorithm digest */
    int secbits, nid, pknid;

    /* Don't check signature if self signed */
    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
        return 1;
    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
        secbits = -1;
    /* If digest NID not defined use signature NID */
    if (nid == NID_undef)
        nid = pknid;
    if (s != NULL)
        return ssl_security(s, op, secbits, nid, x);
    else
        return ssl_ctx_security(ctx, op, secbits, nid, x);
}

/*
 * Apply the security level to one certificate: its key (as end entity if
 * |is_ee|, else as CA) and its signature. |vfy| != 0 marks a peer
 * certificate (SSL_SECOP_PEER is OR'ed into the operations).
 * Returns 1 if acceptable, otherwise the SSL_R_* reason code to raise.
 */
int ssl_security_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, int vfy,
                      int is_ee)
{
    if (vfy)
        vfy = SSL_SECOP_PEER;
    if (is_ee) {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
            return SSL_R_EE_KEY_TOO_SMALL;
    } else {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
            return SSL_R_CA_KEY_TOO_SMALL;
    }
    if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
        return SSL_R_CA_MD_TOO_WEAK;
    return 1;
}

/*
 * Check security of a chain, if |sk| includes the end entity certificate then
 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
 * one to the peer. Return values: 1 if ok otherwise error code to use
 */

int ssl_security_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk,
                            X509 *x, int vfy)
{
    int rv, start_idx, i;

    if (x == NULL) {
        /* End entity is the first element of |sk|; the rest are CAs */
        x = sk_X509_value(sk, 0);
        if (x == NULL)
            return ERR_R_INTERNAL_ERROR;
        start_idx = 1;
    } else
        start_idx = 0;

    rv = ssl_security_cert(s, NULL, x, vfy, 1);
    if (rv != 1)
        return rv;

    for (i = start_idx; i < sk_X509_num(sk); i++) {
        x = sk_X509_value(sk, i);
        rv = ssl_security_cert(s, NULL, x, vfy, 0);
        if (rv != 1)
            return rv;
    }
    return 1;
}

/*
 * For TLS 1.2 servers check if we have a certificate which can be used
 * with the signature algorithm "lu" and return index of certificate.
 * Returns -1 if the key type is unknown, not allowed by the negotiated
 * cipher's authentication mask, is RSA-PSS while the cipher does RSA key
 * exchange, or if the slot is not marked valid (CERT_PKEY_RPK for raw
 * public keys, CERT_PKEY_VALID otherwise).
 */

static int tls12_get_cert_sigalg_idx(const SSL_CONNECTION *s,
                                     const SIGALG_LOOKUP *lu)
{
    int sig_idx = lu->sig_idx;
    const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx,
                                                        SSL_CONNECTION_GET_CTX(s));

    /* If not recognised or not supported by cipher mask it is not suitable */
    if (clu == NULL
        || (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0
        || (clu->pkey_nid == EVP_PKEY_RSA_PSS
            && (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0))
        return -1;

    /* If doing RPK, the CERT_PKEY won't be "valid" */
    if (tls12_rpk_and_privkey(s, sig_idx))
        return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_RPK ? sig_idx : -1;

    return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
}

/*
 * Checks the given cert against signature_algorithm_cert restrictions sent by
 * the peer (if any) as well as whether the hash from the sigalg is usable with
 * the key.
 * Returns true if the cert is usable and false otherwise.
*/
static int check_cert_usable(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig,
                             X509 *x, EVP_PKEY *pkey)
{
    const SIGALG_LOOKUP *lu;
    int mdnid, pknid, supported;
    size_t i;
    const char *mdname = NULL;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /*
     * If the given EVP_PKEY cannot support signing with this digest,
     * the answer is simply 'no'.
     */
    /* NID_undef (e.g. EdDSA schemes) is passed on as a NULL digest name */
    if (sig->hash != NID_undef)
        mdname = OBJ_nid2sn(sig->hash);
    supported = EVP_PKEY_digestsign_supports_digest(pkey, sctx->libctx,
                                                    mdname,
                                                    sctx->propq);
    if (supported <= 0)
        return 0;

    /*
     * The TLS 1.3 signature_algorithms_cert extension places restrictions
     * on the sigalg with which the certificate was signed (by its issuer).
     */
    if (s->s3.tmp.peer_cert_sigalgs != NULL) {
        if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
            return 0;
        for (i = 0; i < s->s3.tmp.peer_cert_sigalgslen; i++) {
            lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s),
                                    s->s3.tmp.peer_cert_sigalgs[i]);
            /* Code points we do not know are skipped, never matched */
            if (lu == NULL)
                continue;

            /*
             * This does not differentiate between the
             * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
             * have a chain here that lets us look at the key OID in the
             * signing certificate.
             */
            if (mdnid == lu->hash && pknid == lu->sig)
                return 1;
        }
        return 0;
    }

    /*
     * Without signature_algorithms_cert, any certificate for which we have
     * a viable public key is permitted.
     */
    return 1;
}

/*
 * Returns true if |s| has a usable certificate configured for use
 * with signature scheme |sig|.
 * "Usable" includes a check for presence as well as applying
 * the signature_algorithm_cert restrictions sent by the peer (if any).
 * Returns false if no usable certificate is found.
 * |idx| selects the CERT_PKEY slot to test; -1 means the scheme's own
 * default slot (sig->sig_idx).
 */
static int has_usable_cert(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig, int idx)
{
    /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
    if (idx == -1)
        idx = sig->sig_idx;
    if (!ssl_has_cert(s, idx))
        return 0;

    return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
                             s->cert->pkeys[idx].privatekey);
}

/*
 * Returns true if the supplied cert |x| and key |pkey| is usable with the
 * specified signature scheme |sig|, or false otherwise.
 * The key type of |pkey| must map to exactly the slot the scheme expects.
 */
static int is_cert_usable(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig, X509 *x,
                          EVP_PKEY *pkey)
{
    size_t idx;

    if (ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)) == NULL)
        return 0;

    /* Check the key is consistent with the sig alg */
    if ((int)idx != sig->sig_idx)
        return 0;

    return check_cert_usable(s, sig, x, pkey);
}

/*
 * Find a signature scheme that works with the supplied certificate |x| and key
 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
 * available certs/keys to find one that works.
*/
/*
 * Walks the shared sigalgs in preference order and returns the first entry
 * that passes every filter: SHA-1, SHA-224, DSA and plain RSA PKCS#1 are
 * never selected, the scheme must be compatible with the negotiated
 * version, its digest must be available, a usable certificate must exist
 * (ours when |pkey| is NULL, else the supplied one), an EC scheme bound to
 * a curve must match the key's curve, and an RSA-PSS key must meet the
 * scheme's minimum size. Returns NULL if nothing qualifies.
 */
static const SIGALG_LOOKUP *find_sig_alg(SSL_CONNECTION *s, X509 *x,
                                         EVP_PKEY *pkey)
{
    const SIGALG_LOOKUP *lu = NULL;
    size_t i;
    int curve = -1;
    EVP_PKEY *tmppkey;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /* Look for a shared sigalgs matching possible certificates */
    for (i = 0; i < s->shared_sigalgslen; i++) {
        /* Skip SHA1, SHA224, DSA and RSA if not PSS */
        lu = s->shared_sigalgs[i];
        if (lu->hash == NID_sha1
            || lu->hash == NID_sha224
            || lu->sig == EVP_PKEY_DSA
            || lu->sig == EVP_PKEY_RSA
            || !tls_sigalg_compat(s, lu))
            continue;

        /* Check that we have a cert, and signature_algorithms_cert */
        if (!tls1_lookup_md(sctx, lu, NULL))
            continue;
        if ((pkey == NULL && !has_usable_cert(s, lu, -1))
            || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
            continue;

        tmppkey = (pkey != NULL) ? pkey
                                 : s->cert->pkeys[lu->sig_idx].privatekey;

        if (lu->sig == EVP_PKEY_EC) {
            /* The curve is looked up once and reused for later EC entries */
            if (curve == -1)
                curve = ssl_get_EC_curve_nid(tmppkey);
            if (lu->curve != NID_undef && curve != lu->curve)
                continue;
        } else if (lu->sig == EVP_PKEY_RSA_PSS) {
            /* validate that key is large enough for the signature algorithm */
            if (!rsa_pss_check_min_key_size(sctx, tmppkey, lu))
                continue;
        }
        break;
    }

    if (i == s->shared_sigalgslen)
        return NULL;

    return lu;
}

/*
 * Choose an appropriate signature algorithm based on available certificates
 * Sets chosen certificate and signature algorithm.
 *
 * For servers if we fail to find a required certificate it is a fatal error,
 * an appropriate error code is set and a TLS alert is sent.
 *
 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
 * a fatal error: we will either try another certificate or not present one
 * to the server. In this case no error is set.
 *
 * On success s->s3.tmp.cert, s->cert->key and s->s3.tmp.sigalg are set and
 * 1 is returned. Returning 1 without selecting anything (both tmp fields
 * left NULL) happens when the cipher needs no certificate, a client has no
 * certificate, or |fatalerrs| is 0 and nothing suitable was found.
 * Returns 0 only after SSLfatal() has been raised.
 */
int tls_choose_sigalg(SSL_CONNECTION *s, int fatalerrs)
{
    const SIGALG_LOOKUP *lu = NULL;
    int sig_idx = -1;

    s->s3.tmp.cert = NULL;
    s->s3.tmp.sigalg = NULL;

    if (SSL_CONNECTION_IS_TLS13(s)) {
        lu = find_sig_alg(s, NULL, NULL);
        if (lu == NULL) {
            if (!fatalerrs)
                return 1;
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
            return 0;
        }
    } else {
        /* If ciphersuite doesn't require a cert nothing to do */
        if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT))
            return 1;
        if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
            return 1;

        if (SSL_USE_SIGALGS(s)) {
            size_t i;
            if (s->s3.tmp.peer_sigalgs != NULL) {
                int curve = -1;
                SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

                /* For Suite B need to match signature algorithm to curve */
                if (tls1_suiteb(s))
                    curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
                                                 .privatekey);

                /*
                 * Find highest preference signature algorithm matching
                 * cert type
                 */
                for (i = 0; i < s->shared_sigalgslen; i++) {
                    /* Check the sigalg version bounds */
                    lu = s->shared_sigalgs[i];
                    if (!tls_sigalg_compat(s, lu))
                        continue;
                    if (s->server) {
                        /* Servers may use any valid slot the cipher allows */
                        if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
                            continue;
                    } else {
                        /* Clients are pinned to the already selected key */
                        int cc_idx = s->cert->key - s->cert->pkeys;

                        sig_idx = lu->sig_idx;
                        if (cc_idx != sig_idx)
                            continue;
                    }
                    /* Check that we have a cert, and sig_algs_cert */
                    if (!has_usable_cert(s, lu, sig_idx))
                        continue;
                    if (lu->sig == EVP_PKEY_RSA_PSS) {
                        /* validate that key is large enough for the signature algorithm */
                        EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;

                        if (!rsa_pss_check_min_key_size(sctx, pkey, lu))
                            continue;
                    }
                    if (curve == -1 || lu->curve == curve)
                        break;
                }
#ifndef OPENSSL_NO_GOST
                /*
                 * Some Windows-based implementations do not send GOST algorithms indication
                 * in supported_algorithms extension, so when we have GOST-based ciphersuite,
                 * we have to assume GOST support.
                 */
                if (i == s->shared_sigalgslen
                    && (s->s3.tmp.new_cipher->algorithm_auth
                        & (SSL_aGOST01 | SSL_aGOST12))
                        != 0) {
                    if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                        if (!fatalerrs)
                            return 1;
                        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                                 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                        return 0;
                    } else {
                        /* Reset |i| so the "nothing found" test below is skipped */
                        i = 0;
                        sig_idx = lu->sig_idx;
                    }
                }
#endif
                if (i == s->shared_sigalgslen) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                    return 0;
                }
            } else {
                /*
                 * If we have no sigalg use defaults
                 */
                const uint16_t *sent_sigs;
                size_t sent_sigslen;

                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                    return 0;
                }

                /* Check signature matches a type we sent */
                sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
                for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
                    if (lu->sigalg == *sent_sigs
                        && has_usable_cert(s, lu, lu->sig_idx))
                        break;
                }
                if (i == sent_sigslen) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_R_WRONG_SIGNATURE_TYPE);
                    return 0;
                }
            }
        } else {
            /* Pre-TLS 1.2: no sigalgs negotiation, use the legacy default */
            if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                if (!fatalerrs)
                    return 1;
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                return 0;
            }
        }
    }
    if (sig_idx == -1)
        sig_idx = lu->sig_idx;
    s->s3.tmp.cert = &s->cert->pkeys[sig_idx];
    s->cert->key = s->s3.tmp.cert;
    s->s3.tmp.sigalg = lu;
    return 1;
}

/*
 * Set the max_fragment_length mode to advertise for connections created
 * from |ctx|. |mode| must be TLSEXT_max_fragment_length_DISABLED or a
 * valid code point; otherwise an error is raised and 0 returned.
 */
int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
{
    if (mode != TLSEXT_max_fragment_length_DISABLED
        && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ctx->ext.max_fragment_len_mode = mode;
    return 1;
}

/*
 * Per-connection variant of SSL_CTX_set_tlsext_max_fragment_length().
 * Returns 0 without raising an error if |ssl| is not a TLS connection or
 * is a QUIC connection being asked for anything but DISABLED.
 */
int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);

    if (sc == NULL
        || (IS_QUIC(ssl) && mode != TLSEXT_max_fragment_length_DISABLED))
        return 0;

    if (mode != TLSEXT_max_fragment_length_DISABLED
        && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    sc->ext.max_fragment_len_mode = mode;
    return 1;
}

/*
 * Return the max_fragment_length mode recorded in |session|; an
 * UNSPECIFIED value is reported to callers as DISABLED.
 */
uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
{
    if (session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
        return TLSEXT_max_fragment_length_DISABLED;
    return session->ext.max_fragment_len_mode;
}

/*
 * Helper functions for HMAC access with legacy support included.
*/
/*
 * Allocate an SSL_HMAC wrapper for |ctx|.
 *
 * Normally the wrapper is backed by an EVP_MAC_CTX for the "HMAC"
 * implementation fetched from |ctx|'s library context and property query.
 * When only the deprecated ticket_key_cb is installed (and no
 * ticket_key_evp_cb), the legacy HMAC_CTX path is used instead -- presumably
 * so that callback still sees the context type it was written against.
 *
 * Returns the new wrapper, or NULL on allocation/fetch failure.
 */
SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx)
{
    SSL_HMAC *hm = OPENSSL_zalloc(sizeof(*hm));
    EVP_MAC *mac;

    if (hm == NULL)
        return NULL;

#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (ctx->ext.ticket_key_evp_cb == NULL && ctx->ext.ticket_key_cb != NULL) {
        if (!ssl_hmac_old_new(hm)) {
            OPENSSL_free(hm);
            return NULL;
        }
        return hm;
    }
#endif

    mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq);
    if (mac == NULL) {
        OPENSSL_free(hm);
        return NULL;
    }
    hm->ctx = EVP_MAC_CTX_new(mac);
    /* The context holds its own reference to the MAC; ours can go now */
    EVP_MAC_free(mac);
    if (hm->ctx == NULL) {
        OPENSSL_free(hm);
        return NULL;
    }
    return hm;
}

/* Release |ctx| and whichever backing context it owns; NULL is a no-op */
void ssl_hmac_free(SSL_HMAC *ctx)
{
    if (ctx == NULL)
        return;
    EVP_MAC_CTX_free(ctx->ctx);
#ifndef OPENSSL_NO_DEPRECATED_3_0
    ssl_hmac_old_free(ctx);
#endif
    OPENSSL_free(ctx);
}

/*
 * Borrow the EVP_MAC_CTX behind |ctx| (NULL when the legacy path is in
 * use). No ownership is transferred.
 */
EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx)
{
    return ctx->ctx;
}

/*
 * Key |ctx| with |key|/|len| and select the digest named by |md|
 * (non-const only because OSSL_PARAM_construct_utf8_string() takes char *).
 * Dispatches to the EVP_MAC context when present, otherwise to the legacy
 * context. Returns 1 on success, 0 on failure or when neither exists.
 */
int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
{
    OSSL_PARAM params[2];

    if (ctx->ctx != NULL) {
        params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
                                                     md, 0);
        params[1] = OSSL_PARAM_construct_end();
        if (EVP_MAC_init(ctx->ctx, key, len, params))
            return 1;
        /* an EVP init failure falls through to the checks below */
    }
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (ctx->old_ctx != NULL)
        return ssl_hmac_old_init(ctx, key, len, md);
#endif
    return 0;
}

/* Feed |len| bytes of |data| into the MAC; 1 on success, 0 on failure */
int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
{
    if (ctx->ctx != NULL)
        return EVP_MAC_update(ctx->ctx, data, len);
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (ctx->old_ctx != NULL)
        return ssl_hmac_old_update(ctx, data, len);
#endif
    return 0;
}

/*
 * Finish the MAC into |md|, storing the number of bytes written in |*len|.
 *
 * |max_size| bounds the write on the EVP_MAC path only: the legacy
 * ssl_hmac_old_final() takes no bound, so callers must size |md| for the
 * full output length reported by ssl_hmac_size() regardless of which path
 * is active. Returns 1 on success, 0 on failure or when no context exists.
 */
int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len,
                   size_t max_size)
{
    if (ctx->ctx != NULL)
        return EVP_MAC_final(ctx->ctx, md, len, max_size);
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (ctx->old_ctx != NULL)
        return ssl_hmac_old_final(ctx, md, len);
#endif
    return 0;
}

/* Output size of the configured MAC in bytes; 0 when no backing context */
size_t ssl_hmac_size(const SSL_HMAC *ctx)
{
    if (ctx->ctx != NULL)
        return EVP_MAC_CTX_get_mac_size(ctx->ctx);
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (ctx->old_ctx != NULL)
        return ssl_hmac_old_size(ctx);
#endif
    return 0;
}

/*
 * Map |pkey|'s group name to a NID via OBJ_txt2nid().
 * Returns NID_undef when the key has no group name or the name is unknown.
 */
int ssl_get_EC_curve_nid(const EVP_PKEY *pkey)
{
    char group[OSSL_MAX_NAME_SIZE];
    int nid = NID_undef;

    if (EVP_PKEY_get_group_name(pkey, group, sizeof(group), NULL) > 0)
        nid = OBJ_txt2nid(group);
    return nid;
}

/*
 * Install a peer's TLS 1.3 key_share value |enckey|/|enckeylen| into |pkey|.
 *
 * Only cheap framing checks are done here before handing off to
 * EVP_PKEY_set1_encoded_public_key(); whatever decoding and validation that
 * call performs (coordinate lengths, point-on-curve, range of the DH value)
 * is not duplicated in this function:
 *  - DH: the value must be exactly the size of p (RFC 8446 4.2.8.1, a
 *    big-endian integer left-padded to the size of p).
 *  - EC: only the uncompressed form 0x04 || X || Y is accepted
 *    (RFC 8446 4.2.8.2); compressed points are rejected outright.
 *  - Any other key type is passed straight through.
 *
 * Returns 1 on success, 0 on a framing error or set1 failure.
 */
__owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey,
                                     const unsigned char *enckey,
                                     size_t enckeylen)
{
    if (EVP_PKEY_is_a(pkey, "DH")) {
        int bits = EVP_PKEY_get_bits(pkey);
        size_t expected;

        if (bits <= 0)
            return 0;
        /*
         * bits/8 (floor) equals the byte length of p for the byte-aligned
         * RFC 7919 groups TLS 1.3 uses; for a prime whose bit length is not
         * a multiple of 8 it would be one byte short of BN_num_bytes(p).
         */
        expected = (size_t)bits / 8;
        if (enckeylen != expected)
            return 0;
    } else if (EVP_PKEY_is_a(pkey, "EC")) {
        /* length check first: enckey[0] is only read once len >= 3 */
        if (enckeylen < 3 || enckey[0] != 0x04)
            return 0;
    }

    return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen);
}
