1e71b7053SJung-uk Kim /* 2*17f01e99SJung-uk Kim * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. 374664626SKris Kennaway * 4e71b7053SJung-uk Kim * Licensed under the OpenSSL license (the "License"). You may not use 5e71b7053SJung-uk Kim * this file except in compliance with the License. You can obtain a copy 6e71b7053SJung-uk Kim * in the file LICENSE in the source distribution or at 7e71b7053SJung-uk Kim * https://www.openssl.org/source/license.html 81f13597dSJung-uk Kim */ 974664626SKris Kennaway 1074664626SKris Kennaway #include <stdio.h> 11e71b7053SJung-uk Kim #include <stdlib.h> 1274664626SKris Kennaway #include <openssl/objects.h> 13db522d3aSSimon L. B. Nielsen #include <openssl/evp.h> 14db522d3aSSimon L. B. Nielsen #include <openssl/hmac.h> 15db522d3aSSimon L. B. Nielsen #include <openssl/ocsp.h> 16e71b7053SJung-uk Kim #include <openssl/conf.h> 17e71b7053SJung-uk Kim #include <openssl/x509v3.h> 18e71b7053SJung-uk Kim #include <openssl/dh.h> 19e71b7053SJung-uk Kim #include <openssl/bn.h> 20e71b7053SJung-uk Kim #include "internal/nelem.h" 21*17f01e99SJung-uk Kim #include "ssl_local.h" 22e71b7053SJung-uk Kim #include <openssl/ct.h> 2374664626SKris Kennaway 24da327cd2SJung-uk Kim static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey); 25*17f01e99SJung-uk Kim static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu); 26da327cd2SJung-uk Kim 27e71b7053SJung-uk Kim SSL3_ENC_METHOD const TLSv1_enc_data = { 2874664626SKris Kennaway tls1_enc, 2974664626SKris Kennaway tls1_mac, 3074664626SKris Kennaway tls1_setup_key_block, 3174664626SKris Kennaway tls1_generate_master_secret, 3274664626SKris Kennaway tls1_change_cipher_state, 3374664626SKris Kennaway tls1_final_finish_mac, 3474664626SKris Kennaway TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 3574664626SKris Kennaway TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 3674664626SKris Kennaway tls1_alert_code, 371f13597dSJung-uk Kim tls1_export_keying_material, 387bded2dbSJung-uk Kim 0, 397bded2dbSJung-uk Kim ssl3_set_handshake_header, 40e71b7053SJung-uk Kim tls_close_construct_packet, 417bded2dbSJung-uk Kim ssl3_handshake_write 427bded2dbSJung-uk Kim }; 437bded2dbSJung-uk Kim 44e71b7053SJung-uk Kim SSL3_ENC_METHOD const TLSv1_1_enc_data = { 457bded2dbSJung-uk Kim tls1_enc, 467bded2dbSJung-uk Kim tls1_mac, 477bded2dbSJung-uk Kim tls1_setup_key_block, 487bded2dbSJung-uk Kim tls1_generate_master_secret, 497bded2dbSJung-uk Kim tls1_change_cipher_state, 507bded2dbSJung-uk Kim tls1_final_finish_mac, 517bded2dbSJung-uk Kim TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 527bded2dbSJung-uk Kim TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 537bded2dbSJung-uk Kim tls1_alert_code, 547bded2dbSJung-uk Kim tls1_export_keying_material, 557bded2dbSJung-uk Kim SSL_ENC_FLAG_EXPLICIT_IV, 567bded2dbSJung-uk Kim ssl3_set_handshake_header, 57e71b7053SJung-uk Kim tls_close_construct_packet, 587bded2dbSJung-uk Kim ssl3_handshake_write 597bded2dbSJung-uk Kim }; 607bded2dbSJung-uk Kim 61e71b7053SJung-uk Kim SSL3_ENC_METHOD const TLSv1_2_enc_data = { 627bded2dbSJung-uk Kim tls1_enc, 637bded2dbSJung-uk Kim tls1_mac, 647bded2dbSJung-uk Kim tls1_setup_key_block, 657bded2dbSJung-uk Kim tls1_generate_master_secret, 667bded2dbSJung-uk Kim tls1_change_cipher_state, 677bded2dbSJung-uk Kim tls1_final_finish_mac, 687bded2dbSJung-uk Kim TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 697bded2dbSJung-uk Kim TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 707bded2dbSJung-uk Kim tls1_alert_code, 717bded2dbSJung-uk Kim tls1_export_keying_material, 727bded2dbSJung-uk Kim SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF 737bded2dbSJung-uk Kim | SSL_ENC_FLAG_TLS1_2_CIPHERS, 747bded2dbSJung-uk Kim ssl3_set_handshake_header, 75e71b7053SJung-uk Kim tls_close_construct_packet, 76e71b7053SJung-uk Kim ssl3_handshake_write 77e71b7053SJung-uk Kim }; 78e71b7053SJung-uk Kim 79e71b7053SJung-uk Kim SSL3_ENC_METHOD const TLSv1_3_enc_data = { 80e71b7053SJung-uk Kim tls13_enc, 81e71b7053SJung-uk Kim tls1_mac, 82e71b7053SJung-uk Kim tls13_setup_key_block, 83e71b7053SJung-uk Kim tls13_generate_master_secret, 84e71b7053SJung-uk Kim tls13_change_cipher_state, 85e71b7053SJung-uk Kim tls13_final_finish_mac, 86e71b7053SJung-uk Kim TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 87e71b7053SJung-uk Kim TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 88e71b7053SJung-uk Kim tls13_alert_code, 89e71b7053SJung-uk Kim tls13_export_keying_material, 90e71b7053SJung-uk Kim SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF, 91e71b7053SJung-uk Kim ssl3_set_handshake_header, 92e71b7053SJung-uk Kim tls_close_construct_packet, 937bded2dbSJung-uk Kim ssl3_handshake_write 9474664626SKris Kennaway }; 9574664626SKris Kennaway 963b4e3dcbSSimon L. B. Nielsen long tls1_default_timeout(void) 9774664626SKris Kennaway { 986f9291ceSJung-uk Kim /* 996f9291ceSJung-uk Kim * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 1006f9291ceSJung-uk Kim * http, the cache would over fill 1016f9291ceSJung-uk Kim */ 10274664626SKris Kennaway return (60 * 60 * 2); 10374664626SKris Kennaway } 10474664626SKris Kennaway 10574664626SKris Kennaway int tls1_new(SSL *s) 10674664626SKris Kennaway { 1076f9291ceSJung-uk Kim if (!ssl3_new(s)) 108e71b7053SJung-uk Kim return 0; 109e71b7053SJung-uk Kim if (!s->method->ssl_clear(s)) 110e71b7053SJung-uk Kim return 0; 111e71b7053SJung-uk Kim 112e71b7053SJung-uk Kim return 1; 11374664626SKris Kennaway } 11474664626SKris Kennaway 11574664626SKris Kennaway void tls1_free(SSL *s) 11674664626SKris Kennaway { 117e71b7053SJung-uk Kim OPENSSL_free(s->ext.session_ticket); 11874664626SKris Kennaway ssl3_free(s); 11974664626SKris Kennaway } 12074664626SKris Kennaway 121e71b7053SJung-uk Kim int tls1_clear(SSL *s) 12274664626SKris Kennaway { 123e71b7053SJung-uk Kim if (!ssl3_clear(s)) 124e71b7053SJung-uk Kim return 0; 125e71b7053SJung-uk Kim 126e71b7053SJung-uk Kim if (s->method->version == TLS_ANY_VERSION) 127e71b7053SJung-uk Kim s->version = TLS_MAX_VERSION; 128e71b7053SJung-uk Kim else 1291f13597dSJung-uk Kim s->version = s->method->version; 130e71b7053SJung-uk Kim 131e71b7053SJung-uk Kim return 1; 13274664626SKris Kennaway } 13374664626SKris Kennaway 1341f13597dSJung-uk Kim #ifndef OPENSSL_NO_EC 1351f13597dSJung-uk Kim 136e71b7053SJung-uk Kim /* 137e71b7053SJung-uk Kim * Table of curve information. 138e71b7053SJung-uk Kim * Do not delete entries or reorder this array! It is used as a lookup 139e71b7053SJung-uk Kim * table: the index of each entry is one less than the TLS curve id. 140e71b7053SJung-uk Kim */ 141e71b7053SJung-uk Kim static const TLS_GROUP_INFO nid_list[] = { 142e71b7053SJung-uk Kim {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */ 143e71b7053SJung-uk Kim {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */ 144e71b7053SJung-uk Kim {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */ 145e71b7053SJung-uk Kim {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */ 146e71b7053SJung-uk Kim {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */ 147e71b7053SJung-uk Kim {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */ 148e71b7053SJung-uk Kim {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */ 149e71b7053SJung-uk Kim {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */ 150e71b7053SJung-uk Kim {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */ 151e71b7053SJung-uk Kim {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */ 152e71b7053SJung-uk Kim {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */ 153e71b7053SJung-uk Kim {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */ 154e71b7053SJung-uk Kim {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */ 155e71b7053SJung-uk Kim {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */ 156e71b7053SJung-uk Kim {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */ 157e71b7053SJung-uk Kim {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */ 158e71b7053SJung-uk Kim {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */ 159e71b7053SJung-uk Kim {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ 160e71b7053SJung-uk Kim {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ 161e71b7053SJung-uk Kim {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */ 162e71b7053SJung-uk Kim {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */ 163e71b7053SJung-uk Kim {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */ 164e71b7053SJung-uk Kim {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */ 165e71b7053SJung-uk Kim {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */ 166e71b7053SJung-uk Kim {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */ 167e71b7053SJung-uk Kim {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ 168e71b7053SJung-uk Kim {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ 169e71b7053SJung-uk Kim {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ 170e71b7053SJung-uk Kim {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */ 171e71b7053SJung-uk Kim {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */ 1721f13597dSJung-uk Kim }; 1731f13597dSJung-uk Kim 1747bded2dbSJung-uk Kim static const unsigned char ecformats_default[] = { 1757bded2dbSJung-uk Kim TLSEXT_ECPOINTFORMAT_uncompressed, 1767bded2dbSJung-uk Kim TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 1777bded2dbSJung-uk Kim TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 1781f13597dSJung-uk Kim }; 1791f13597dSJung-uk Kim 180e71b7053SJung-uk Kim /* The default curves */ 181e71b7053SJung-uk Kim static const uint16_t eccurves_default[] = { 182e71b7053SJung-uk Kim 29, /* X25519 (29) */ 183e71b7053SJung-uk Kim 23, /* secp256r1 (23) */ 184e71b7053SJung-uk Kim 30, /* X448 (30) */ 185e71b7053SJung-uk Kim 25, /* secp521r1 (25) */ 186e71b7053SJung-uk Kim 24, /* secp384r1 (24) */ 1877bded2dbSJung-uk Kim }; 1887bded2dbSJung-uk Kim 189e71b7053SJung-uk Kim static const uint16_t suiteb_curves[] = { 190e71b7053SJung-uk Kim TLSEXT_curve_P_256, 191e71b7053SJung-uk Kim TLSEXT_curve_P_384 1927bded2dbSJung-uk Kim }; 1937bded2dbSJung-uk Kim 194e71b7053SJung-uk Kim const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id) 1951f13597dSJung-uk Kim { 1967bded2dbSJung-uk Kim /* ECC curves from RFC 4492 and RFC 7027 */ 197e71b7053SJung-uk Kim if (group_id < 1 || group_id > OSSL_NELEM(nid_list)) 198e71b7053SJung-uk Kim return NULL; 199e71b7053SJung-uk Kim return &nid_list[group_id - 1]; 20074664626SKris Kennaway } 201f579bf8eSKris Kennaway 202e71b7053SJung-uk Kim static uint16_t tls1_nid2group_id(int nid) 203f579bf8eSKris Kennaway { 204e71b7053SJung-uk Kim size_t i; 205e71b7053SJung-uk Kim for (i = 0; i < OSSL_NELEM(nid_list); i++) { 206e71b7053SJung-uk Kim if (nid_list[i].nid == nid) 207e71b7053SJung-uk Kim return (uint16_t)(i + 1); 208f579bf8eSKris Kennaway } 209e71b7053SJung-uk Kim return 0; 2101f13597dSJung-uk Kim } 2117bded2dbSJung-uk Kim 2127bded2dbSJung-uk Kim /* 213e71b7053SJung-uk Kim * Set *pgroups to the supported groups list and *pgroupslen to 214e71b7053SJung-uk Kim * the number of groups supported. 2157bded2dbSJung-uk Kim */ 216e71b7053SJung-uk Kim void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, 217e71b7053SJung-uk Kim size_t *pgroupslen) 2187bded2dbSJung-uk Kim { 219e71b7053SJung-uk Kim 2207bded2dbSJung-uk Kim /* For Suite B mode only include P-256, P-384 */ 2217bded2dbSJung-uk Kim switch (tls1_suiteb(s)) { 2227bded2dbSJung-uk Kim case SSL_CERT_FLAG_SUITEB_128_LOS: 223e71b7053SJung-uk Kim *pgroups = suiteb_curves; 224e71b7053SJung-uk Kim *pgroupslen = OSSL_NELEM(suiteb_curves); 2257bded2dbSJung-uk Kim break; 2267bded2dbSJung-uk Kim 2277bded2dbSJung-uk Kim case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 228e71b7053SJung-uk Kim *pgroups = suiteb_curves; 229e71b7053SJung-uk Kim *pgroupslen = 1; 2307bded2dbSJung-uk Kim break; 2317bded2dbSJung-uk Kim 2327bded2dbSJung-uk Kim case SSL_CERT_FLAG_SUITEB_192_LOS: 233e71b7053SJung-uk Kim *pgroups = suiteb_curves + 1; 234e71b7053SJung-uk Kim *pgroupslen = 1; 2357bded2dbSJung-uk Kim break; 236e71b7053SJung-uk Kim 2377bded2dbSJung-uk Kim default: 238e71b7053SJung-uk Kim if (s->ext.supportedgroups == NULL) { 239e71b7053SJung-uk Kim *pgroups = eccurves_default; 240e71b7053SJung-uk Kim *pgroupslen = OSSL_NELEM(eccurves_default); 2417bded2dbSJung-uk Kim } else { 242e71b7053SJung-uk Kim *pgroups = s->ext.supportedgroups; 243e71b7053SJung-uk Kim *pgroupslen = s->ext.supportedgroups_len; 2447bded2dbSJung-uk Kim } 245e71b7053SJung-uk Kim break; 2467bded2dbSJung-uk Kim } 2477bded2dbSJung-uk Kim } 2487bded2dbSJung-uk Kim 249e71b7053SJung-uk Kim /* See if curve is allowed by security callback */ 250e71b7053SJung-uk Kim int tls_curve_allowed(SSL *s, uint16_t curve, int op) 2517bded2dbSJung-uk Kim { 252e71b7053SJung-uk Kim const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve); 253e71b7053SJung-uk Kim unsigned char ctmp[2]; 254e71b7053SJung-uk Kim 255e71b7053SJung-uk Kim if (cinfo == NULL) 2567bded2dbSJung-uk Kim return 0; 257e71b7053SJung-uk Kim # ifdef OPENSSL_NO_EC2M 258e71b7053SJung-uk Kim if (cinfo->flags & TLS_CURVE_CHAR2) 2597bded2dbSJung-uk Kim return 0; 260e71b7053SJung-uk Kim # endif 261e71b7053SJung-uk Kim ctmp[0] = curve >> 8; 262e71b7053SJung-uk Kim ctmp[1] = curve & 0xff; 263e71b7053SJung-uk Kim return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); 2647bded2dbSJung-uk Kim } 265e71b7053SJung-uk Kim 266e71b7053SJung-uk Kim /* Return 1 if "id" is in "list" */ 267e71b7053SJung-uk Kim static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen) 268e71b7053SJung-uk Kim { 269e71b7053SJung-uk Kim size_t i; 270e71b7053SJung-uk Kim for (i = 0; i < listlen; i++) 271e71b7053SJung-uk Kim if (list[i] == id) 2727bded2dbSJung-uk Kim return 1; 2737bded2dbSJung-uk Kim return 0; 2747bded2dbSJung-uk Kim } 2757bded2dbSJung-uk Kim 2767bded2dbSJung-uk Kim /*- 277e71b7053SJung-uk Kim * For nmatch >= 0, return the id of the |nmatch|th shared group or 0 278e71b7053SJung-uk Kim * if there is no match. 2797bded2dbSJung-uk Kim * For nmatch == -1, return number of matches 280e71b7053SJung-uk Kim * For nmatch == -2, return the id of the group to use for 281e71b7053SJung-uk Kim * a tmp key, or 0 if there is no match. 2827bded2dbSJung-uk Kim */ 283e71b7053SJung-uk Kim uint16_t tls1_shared_group(SSL *s, int nmatch) 2847bded2dbSJung-uk Kim { 285e71b7053SJung-uk Kim const uint16_t *pref, *supp; 286e71b7053SJung-uk Kim size_t num_pref, num_supp, i; 2877bded2dbSJung-uk Kim int k; 288e71b7053SJung-uk Kim 2897bded2dbSJung-uk Kim /* Can't do anything on client side */ 2907bded2dbSJung-uk Kim if (s->server == 0) 291e71b7053SJung-uk Kim return 0; 2927bded2dbSJung-uk Kim if (nmatch == -2) { 2937bded2dbSJung-uk Kim if (tls1_suiteb(s)) { 2947bded2dbSJung-uk Kim /* 2957bded2dbSJung-uk Kim * For Suite B ciphersuite determines curve: we already know 2967bded2dbSJung-uk Kim * these are acceptable due to previous checks. 2977bded2dbSJung-uk Kim */ 2987bded2dbSJung-uk Kim unsigned long cid = s->s3->tmp.new_cipher->id; 299e71b7053SJung-uk Kim 3007bded2dbSJung-uk Kim if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 301e71b7053SJung-uk Kim return TLSEXT_curve_P_256; 3027bded2dbSJung-uk Kim if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 303e71b7053SJung-uk Kim return TLSEXT_curve_P_384; 3047bded2dbSJung-uk Kim /* Should never happen */ 305e71b7053SJung-uk Kim return 0; 3067bded2dbSJung-uk Kim } 3077bded2dbSJung-uk Kim /* If not Suite B just return first preference shared curve */ 3087bded2dbSJung-uk Kim nmatch = 0; 3097bded2dbSJung-uk Kim } 3107bded2dbSJung-uk Kim /* 311e71b7053SJung-uk Kim * If server preference set, our groups are the preference order 312e71b7053SJung-uk Kim * otherwise peer decides. 3137bded2dbSJung-uk Kim */ 314e71b7053SJung-uk Kim if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 315e71b7053SJung-uk Kim tls1_get_supported_groups(s, &pref, &num_pref); 316e71b7053SJung-uk Kim tls1_get_peer_groups(s, &supp, &num_supp); 317e71b7053SJung-uk Kim } else { 318e71b7053SJung-uk Kim tls1_get_peer_groups(s, &pref, &num_pref); 319e71b7053SJung-uk Kim tls1_get_supported_groups(s, &supp, &num_supp); 3207bded2dbSJung-uk Kim } 3217bded2dbSJung-uk Kim 322e71b7053SJung-uk Kim for (k = 0, i = 0; i < num_pref; i++) { 323e71b7053SJung-uk Kim uint16_t id = pref[i]; 324e71b7053SJung-uk Kim 325e71b7053SJung-uk Kim if (!tls1_in_list(id, supp, num_supp) 326e71b7053SJung-uk Kim || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED)) 327e71b7053SJung-uk Kim continue; 328e71b7053SJung-uk Kim if (nmatch == k) 329e71b7053SJung-uk Kim return id; 3307bded2dbSJung-uk Kim k++; 3317bded2dbSJung-uk Kim } 3327bded2dbSJung-uk Kim if (nmatch == -1) 3337bded2dbSJung-uk Kim return k; 3347bded2dbSJung-uk Kim /* Out of range (nmatch > k). */ 335e71b7053SJung-uk Kim return 0; 3367bded2dbSJung-uk Kim } 3377bded2dbSJung-uk Kim 338e71b7053SJung-uk Kim int tls1_set_groups(uint16_t **pext, size_t *pextlen, 339e71b7053SJung-uk Kim int *groups, size_t ngroups) 3407bded2dbSJung-uk Kim { 341e71b7053SJung-uk Kim uint16_t *glist; 3427bded2dbSJung-uk Kim size_t i; 3437bded2dbSJung-uk Kim /* 344e71b7053SJung-uk Kim * Bitmap of groups included to detect duplicates: only works while group 3457bded2dbSJung-uk Kim * ids < 32 3467bded2dbSJung-uk Kim */ 3477bded2dbSJung-uk Kim unsigned long dup_list = 0; 3487bded2dbSJung-uk Kim 349c9cf7b5cSJung-uk Kim if (ngroups == 0) { 350c9cf7b5cSJung-uk Kim SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH); 351c9cf7b5cSJung-uk Kim return 0; 352c9cf7b5cSJung-uk Kim } 353e71b7053SJung-uk Kim if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { 354e71b7053SJung-uk Kim SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE); 3557bded2dbSJung-uk Kim return 0; 3567bded2dbSJung-uk Kim } 357e71b7053SJung-uk Kim for (i = 0; i < ngroups; i++) { 358e71b7053SJung-uk Kim unsigned long idmask; 359e71b7053SJung-uk Kim uint16_t id; 360e71b7053SJung-uk Kim /* TODO(TLS1.3): Convert for DH groups */ 361e71b7053SJung-uk Kim id = tls1_nid2group_id(groups[i]); 3627bded2dbSJung-uk Kim idmask = 1L << id; 3637bded2dbSJung-uk Kim if (!id || (dup_list & idmask)) { 364e71b7053SJung-uk Kim OPENSSL_free(glist); 3657bded2dbSJung-uk Kim return 0; 3667bded2dbSJung-uk Kim } 3677bded2dbSJung-uk Kim dup_list |= idmask; 368e71b7053SJung-uk Kim glist[i] = id; 3697bded2dbSJung-uk Kim } 3707bded2dbSJung-uk Kim OPENSSL_free(*pext); 371e71b7053SJung-uk Kim *pext = glist; 372e71b7053SJung-uk Kim *pextlen = ngroups; 3737bded2dbSJung-uk Kim return 1; 3747bded2dbSJung-uk Kim } 3757bded2dbSJung-uk Kim 376e71b7053SJung-uk Kim # define MAX_CURVELIST OSSL_NELEM(nid_list) 3777bded2dbSJung-uk Kim 3787bded2dbSJung-uk Kim typedef struct { 3797bded2dbSJung-uk Kim size_t nidcnt; 3807bded2dbSJung-uk Kim int nid_arr[MAX_CURVELIST]; 3817bded2dbSJung-uk Kim } nid_cb_st; 3827bded2dbSJung-uk Kim 3837bded2dbSJung-uk Kim static int nid_cb(const char *elem, int len, void *arg) 3847bded2dbSJung-uk Kim { 3857bded2dbSJung-uk Kim nid_cb_st *narg = arg; 3867bded2dbSJung-uk Kim size_t i; 3877bded2dbSJung-uk Kim int nid; 3887bded2dbSJung-uk Kim char etmp[20]; 3897bded2dbSJung-uk Kim if (elem == NULL) 3907bded2dbSJung-uk Kim return 0; 3917bded2dbSJung-uk Kim if (narg->nidcnt == MAX_CURVELIST) 3927bded2dbSJung-uk Kim return 0; 3937bded2dbSJung-uk Kim if (len > (int)(sizeof(etmp) - 1)) 3947bded2dbSJung-uk Kim return 0; 3957bded2dbSJung-uk Kim memcpy(etmp, elem, len); 3967bded2dbSJung-uk Kim etmp[len] = 0; 3977bded2dbSJung-uk Kim nid = EC_curve_nist2nid(etmp); 3987bded2dbSJung-uk Kim if (nid == NID_undef) 3997bded2dbSJung-uk Kim nid = OBJ_sn2nid(etmp); 4007bded2dbSJung-uk Kim if (nid == NID_undef) 4017bded2dbSJung-uk Kim nid = OBJ_ln2nid(etmp); 4027bded2dbSJung-uk Kim if (nid == NID_undef) 4037bded2dbSJung-uk Kim return 0; 4047bded2dbSJung-uk Kim for (i = 0; i < narg->nidcnt; i++) 4057bded2dbSJung-uk Kim if (narg->nid_arr[i] == nid) 4067bded2dbSJung-uk Kim return 0; 4077bded2dbSJung-uk Kim narg->nid_arr[narg->nidcnt++] = nid; 4087bded2dbSJung-uk Kim return 1; 4097bded2dbSJung-uk Kim } 4107bded2dbSJung-uk Kim 411e71b7053SJung-uk Kim /* Set groups based on a colon separate list */ 412e71b7053SJung-uk Kim int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str) 4137bded2dbSJung-uk Kim { 4147bded2dbSJung-uk Kim nid_cb_st ncb; 4157bded2dbSJung-uk Kim ncb.nidcnt = 0; 4167bded2dbSJung-uk Kim if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb)) 4177bded2dbSJung-uk Kim return 0; 4187bded2dbSJung-uk Kim if (pext == NULL) 4197bded2dbSJung-uk Kim return 1; 420e71b7053SJung-uk Kim return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt); 4217bded2dbSJung-uk Kim } 422e71b7053SJung-uk Kim /* Return group id of a key */ 423e71b7053SJung-uk Kim static uint16_t tls1_get_group_id(EVP_PKEY *pkey) 4247bded2dbSJung-uk Kim { 425e71b7053SJung-uk Kim EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); 4267bded2dbSJung-uk Kim const EC_GROUP *grp; 427e71b7053SJung-uk Kim 428e71b7053SJung-uk Kim if (ec == NULL) 4297bded2dbSJung-uk Kim return 0; 4307bded2dbSJung-uk Kim grp = EC_KEY_get0_group(ec); 431e71b7053SJung-uk Kim return tls1_nid2group_id(EC_GROUP_get_curve_name(grp)); 4327bded2dbSJung-uk Kim } 4337bded2dbSJung-uk Kim 434e71b7053SJung-uk Kim /* Check a key is compatible with compression extension */ 435e71b7053SJung-uk Kim static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) 4367bded2dbSJung-uk Kim { 437e71b7053SJung-uk Kim const EC_KEY *ec; 438e71b7053SJung-uk Kim const EC_GROUP *grp; 439e71b7053SJung-uk Kim unsigned char comp_id; 440e71b7053SJung-uk Kim size_t i; 441e71b7053SJung-uk Kim 442e71b7053SJung-uk Kim /* If not an EC key nothing to check */ 443e71b7053SJung-uk Kim if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) 444e71b7053SJung-uk Kim return 1; 445e71b7053SJung-uk Kim ec = EVP_PKEY_get0_EC_KEY(pkey); 446e71b7053SJung-uk Kim grp = EC_KEY_get0_group(ec); 447e71b7053SJung-uk Kim 448e71b7053SJung-uk Kim /* Get required compression id */ 449e71b7053SJung-uk Kim if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) { 450e71b7053SJung-uk Kim comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 451e71b7053SJung-uk Kim } else if (SSL_IS_TLS13(s)) { 452e71b7053SJung-uk Kim /* 453e71b7053SJung-uk Kim * ec_point_formats extension is not used in TLSv1.3 so we ignore 454e71b7053SJung-uk Kim * this check. 455e71b7053SJung-uk Kim */ 456e71b7053SJung-uk Kim return 1; 457e71b7053SJung-uk Kim } else { 458e71b7053SJung-uk Kim int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp)); 459e71b7053SJung-uk Kim 460e71b7053SJung-uk Kim if (field_type == NID_X9_62_prime_field) 461e71b7053SJung-uk Kim comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 462e71b7053SJung-uk Kim else if (field_type == NID_X9_62_characteristic_two_field) 463e71b7053SJung-uk Kim comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 464e71b7053SJung-uk Kim else 465e71b7053SJung-uk Kim return 0; 466e71b7053SJung-uk Kim } 4677bded2dbSJung-uk Kim /* 4687bded2dbSJung-uk Kim * If point formats extension present check it, otherwise everything is 4697bded2dbSJung-uk Kim * supported (see RFC4492). 4707bded2dbSJung-uk Kim */ 471da327cd2SJung-uk Kim if (s->ext.peer_ecpointformats == NULL) 4727bded2dbSJung-uk Kim return 1; 473e71b7053SJung-uk Kim 474da327cd2SJung-uk Kim for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { 475da327cd2SJung-uk Kim if (s->ext.peer_ecpointformats[i] == comp_id) 4767bded2dbSJung-uk Kim return 1; 4777bded2dbSJung-uk Kim } 478e71b7053SJung-uk Kim return 0; 4797bded2dbSJung-uk Kim } 4807bded2dbSJung-uk Kim 481e71b7053SJung-uk Kim /* Check a group id matches preferences */ 482e71b7053SJung-uk Kim int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) 483e71b7053SJung-uk Kim { 484e71b7053SJung-uk Kim const uint16_t *groups; 485e71b7053SJung-uk Kim size_t groups_len; 486e71b7053SJung-uk Kim 487e71b7053SJung-uk Kim if (group_id == 0) 488e71b7053SJung-uk Kim return 0; 489e71b7053SJung-uk Kim 490e71b7053SJung-uk Kim /* Check for Suite B compliance */ 491e71b7053SJung-uk Kim if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) { 492e71b7053SJung-uk Kim unsigned long cid = s->s3->tmp.new_cipher->id; 493e71b7053SJung-uk Kim 494e71b7053SJung-uk Kim if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { 495e71b7053SJung-uk Kim if (group_id != TLSEXT_curve_P_256) 496e71b7053SJung-uk Kim return 0; 497e71b7053SJung-uk Kim } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { 498e71b7053SJung-uk Kim if (group_id != TLSEXT_curve_P_384) 499e71b7053SJung-uk Kim return 0; 500e71b7053SJung-uk Kim } else { 501e71b7053SJung-uk Kim /* Should never happen */ 502e71b7053SJung-uk Kim return 0; 503e71b7053SJung-uk Kim } 504e71b7053SJung-uk Kim } 505e71b7053SJung-uk Kim 506e71b7053SJung-uk Kim if (check_own_groups) { 507e71b7053SJung-uk Kim /* Check group is one of our preferences */ 508e71b7053SJung-uk Kim tls1_get_supported_groups(s, &groups, &groups_len); 509e71b7053SJung-uk Kim if (!tls1_in_list(group_id, groups, groups_len)) 510e71b7053SJung-uk Kim return 0; 511e71b7053SJung-uk Kim } 512e71b7053SJung-uk Kim 513e71b7053SJung-uk Kim if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) 514e71b7053SJung-uk Kim return 0; 515e71b7053SJung-uk Kim 516e71b7053SJung-uk Kim /* For clients, nothing more to check */ 517e71b7053SJung-uk Kim if (!s->server) 518e71b7053SJung-uk Kim return 1; 519e71b7053SJung-uk Kim 520e71b7053SJung-uk Kim /* Check group is one of peers preferences */ 521e71b7053SJung-uk Kim tls1_get_peer_groups(s, &groups, &groups_len); 522e71b7053SJung-uk Kim 523e71b7053SJung-uk Kim /* 524e71b7053SJung-uk Kim * RFC 4492 does not require the supported elliptic curves extension 525e71b7053SJung-uk Kim * so if it is not sent we can just choose any curve. 526e71b7053SJung-uk Kim * It is invalid to send an empty list in the supported groups 527e71b7053SJung-uk Kim * extension, so groups_len == 0 always means no extension. 528e71b7053SJung-uk Kim */ 529e71b7053SJung-uk Kim if (groups_len == 0) 530e71b7053SJung-uk Kim return 1; 531e71b7053SJung-uk Kim return tls1_in_list(group_id, groups, groups_len); 532e71b7053SJung-uk Kim } 533e71b7053SJung-uk Kim 534e71b7053SJung-uk Kim void tls1_get_formatlist(SSL *s, const unsigned char **pformats, 5357bded2dbSJung-uk Kim size_t *num_formats) 5367bded2dbSJung-uk Kim { 5377bded2dbSJung-uk Kim /* 5387bded2dbSJung-uk Kim * If we have a custom point format list use it otherwise use default 5397bded2dbSJung-uk Kim */ 540e71b7053SJung-uk Kim if (s->ext.ecpointformats) { 541e71b7053SJung-uk Kim *pformats = s->ext.ecpointformats; 542e71b7053SJung-uk Kim *num_formats = s->ext.ecpointformats_len; 5437bded2dbSJung-uk Kim } else { 5447bded2dbSJung-uk Kim *pformats = ecformats_default; 5457bded2dbSJung-uk Kim /* For Suite B we don't support char2 fields */ 5467bded2dbSJung-uk Kim if (tls1_suiteb(s)) 5477bded2dbSJung-uk Kim *num_formats = sizeof(ecformats_default) - 1; 5487bded2dbSJung-uk Kim else 5497bded2dbSJung-uk Kim *num_formats = sizeof(ecformats_default); 5507bded2dbSJung-uk Kim } 5517bded2dbSJung-uk Kim } 5527bded2dbSJung-uk Kim 5537bded2dbSJung-uk Kim /* 5547bded2dbSJung-uk Kim * Check cert parameters compatible with extensions: currently just checks EC 5557bded2dbSJung-uk Kim * certificates have compatible curves and compression. 5567bded2dbSJung-uk Kim */ 557e71b7053SJung-uk Kim static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md) 5587bded2dbSJung-uk Kim { 559e71b7053SJung-uk Kim uint16_t group_id; 5607bded2dbSJung-uk Kim EVP_PKEY *pkey; 561e71b7053SJung-uk Kim pkey = X509_get0_pubkey(x); 562e71b7053SJung-uk Kim if (pkey == NULL) 5637bded2dbSJung-uk Kim return 0; 5647bded2dbSJung-uk Kim /* If not EC nothing to do */ 565e71b7053SJung-uk Kim if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) 5667bded2dbSJung-uk Kim return 1; 567e71b7053SJung-uk Kim /* Check compression */ 568e71b7053SJung-uk Kim if (!tls1_check_pkey_comp(s, pkey)) 5697bded2dbSJung-uk Kim return 0; 570e71b7053SJung-uk Kim group_id = tls1_get_group_id(pkey); 5717bded2dbSJung-uk Kim /* 572e71b7053SJung-uk Kim * For a server we allow the certificate to not be in our list of supported 573e71b7053SJung-uk Kim * groups. 5747bded2dbSJung-uk Kim */ 575e71b7053SJung-uk Kim if (!tls1_check_group_id(s, group_id, !s->server)) 5767bded2dbSJung-uk Kim return 0; 5777bded2dbSJung-uk Kim /* 5787bded2dbSJung-uk Kim * Special case for suite B. We *MUST* sign using SHA256+P-256 or 579e71b7053SJung-uk Kim * SHA384+P-384. 5807bded2dbSJung-uk Kim */ 581e71b7053SJung-uk Kim if (check_ee_md && tls1_suiteb(s)) { 5827bded2dbSJung-uk Kim int check_md; 5837bded2dbSJung-uk Kim size_t i; 584e71b7053SJung-uk Kim 5857bded2dbSJung-uk Kim /* Check to see we have necessary signing algorithm */ 586e71b7053SJung-uk Kim if (group_id == TLSEXT_curve_P_256) 5877bded2dbSJung-uk Kim check_md = NID_ecdsa_with_SHA256; 588e71b7053SJung-uk Kim else if (group_id == TLSEXT_curve_P_384) 5897bded2dbSJung-uk Kim check_md = NID_ecdsa_with_SHA384; 5907bded2dbSJung-uk Kim else 5917bded2dbSJung-uk Kim return 0; /* Should never happen */ 592da327cd2SJung-uk Kim for (i = 0; i < s->shared_sigalgslen; i++) { 593da327cd2SJung-uk Kim if (check_md == s->shared_sigalgs[i]->sigandhash) 594e71b7053SJung-uk Kim return 1;; 595e71b7053SJung-uk Kim } 5967bded2dbSJung-uk Kim return 0; 5977bded2dbSJung-uk Kim } 598e71b7053SJung-uk Kim return 1; 5997bded2dbSJung-uk Kim } 6007bded2dbSJung-uk Kim 601e71b7053SJung-uk Kim /* 602e71b7053SJung-uk Kim * tls1_check_ec_tmp_key - Check EC temporary key compatibility 603e71b7053SJung-uk Kim * @s: SSL connection 604e71b7053SJung-uk Kim * @cid: Cipher ID we're considering using 605e71b7053SJung-uk Kim * 606e71b7053SJung-uk Kim * Checks that the kECDHE cipher suite we're considering using 607e71b7053SJung-uk Kim * is compatible with the client extensions. 608e71b7053SJung-uk Kim * 609e71b7053SJung-uk Kim * Returns 0 when the cipher can't be used or 1 when it can. 610e71b7053SJung-uk Kim */ 6117bded2dbSJung-uk Kim int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) 6127bded2dbSJung-uk Kim { 613e71b7053SJung-uk Kim /* If not Suite B just need a shared group */ 614e71b7053SJung-uk Kim if (!tls1_suiteb(s)) 615e71b7053SJung-uk Kim return tls1_shared_group(s, 0) != 0; 6167bded2dbSJung-uk Kim /* 6177bded2dbSJung-uk Kim * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other 6187bded2dbSJung-uk Kim * curves permitted. 6197bded2dbSJung-uk Kim */ 6207bded2dbSJung-uk Kim if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 621e71b7053SJung-uk Kim return tls1_check_group_id(s, TLSEXT_curve_P_256, 1); 622e71b7053SJung-uk Kim if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 623e71b7053SJung-uk Kim return tls1_check_group_id(s, TLSEXT_curve_P_384, 1); 6247bded2dbSJung-uk Kim 6257bded2dbSJung-uk Kim return 0; 6267bded2dbSJung-uk Kim } 6277bded2dbSJung-uk Kim 6287bded2dbSJung-uk Kim #else 6297bded2dbSJung-uk Kim 6307bded2dbSJung-uk Kim static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) 6317bded2dbSJung-uk Kim { 6327bded2dbSJung-uk Kim return 1; 6337bded2dbSJung-uk Kim } 6347bded2dbSJung-uk Kim 6351f13597dSJung-uk Kim #endif /* OPENSSL_NO_EC */ 636db522d3aSSimon L. B. Nielsen 637e71b7053SJung-uk Kim /* Default sigalg schemes */ 638e71b7053SJung-uk Kim static const uint16_t tls12_sigalgs[] = { 639e71b7053SJung-uk Kim #ifndef OPENSSL_NO_EC 640e71b7053SJung-uk Kim TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 641e71b7053SJung-uk Kim TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 642e71b7053SJung-uk Kim TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 643e71b7053SJung-uk Kim TLSEXT_SIGALG_ed25519, 644e71b7053SJung-uk Kim TLSEXT_SIGALG_ed448, 645e71b7053SJung-uk Kim #endif 646e71b7053SJung-uk Kim 647e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pss_pss_sha256, 648e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pss_pss_sha384, 649e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pss_pss_sha512, 650e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pss_rsae_sha256, 651e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pss_rsae_sha384, 652e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pss_rsae_sha512, 653e71b7053SJung-uk Kim 654e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pkcs1_sha256, 655e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pkcs1_sha384, 656e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pkcs1_sha512, 657e71b7053SJung-uk Kim 658e71b7053SJung-uk Kim #ifndef OPENSSL_NO_EC 659e71b7053SJung-uk Kim TLSEXT_SIGALG_ecdsa_sha224, 660e71b7053SJung-uk Kim TLSEXT_SIGALG_ecdsa_sha1, 661e71b7053SJung-uk Kim #endif 662e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pkcs1_sha224, 663e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pkcs1_sha1, 664e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DSA 665e71b7053SJung-uk Kim TLSEXT_SIGALG_dsa_sha224, 666e71b7053SJung-uk Kim TLSEXT_SIGALG_dsa_sha1, 667e71b7053SJung-uk Kim 668e71b7053SJung-uk Kim TLSEXT_SIGALG_dsa_sha256, 669e71b7053SJung-uk Kim TLSEXT_SIGALG_dsa_sha384, 670e71b7053SJung-uk Kim TLSEXT_SIGALG_dsa_sha512, 671e71b7053SJung-uk Kim #endif 672e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 673e71b7053SJung-uk Kim TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 674e71b7053SJung-uk Kim TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 675e71b7053SJung-uk Kim TLSEXT_SIGALG_gostr34102001_gostr3411, 676e71b7053SJung-uk Kim #endif 677e71b7053SJung-uk Kim }; 678e71b7053SJung-uk Kim 679e71b7053SJung-uk Kim #ifndef OPENSSL_NO_EC 680e71b7053SJung-uk Kim static const uint16_t suiteb_sigalgs[] = { 681e71b7053SJung-uk Kim TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 682e71b7053SJung-uk Kim TLSEXT_SIGALG_ecdsa_secp384r1_sha384 683e71b7053SJung-uk Kim }; 684e71b7053SJung-uk Kim #endif 685e71b7053SJung-uk Kim 686e71b7053SJung-uk Kim static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { 687e71b7053SJung-uk Kim #ifndef OPENSSL_NO_EC 688e71b7053SJung-uk Kim {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 689e71b7053SJung-uk Kim NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 690e71b7053SJung-uk Kim NID_ecdsa_with_SHA256, NID_X9_62_prime256v1}, 691e71b7053SJung-uk Kim {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 692e71b7053SJung-uk Kim NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 693e71b7053SJung-uk Kim NID_ecdsa_with_SHA384, NID_secp384r1}, 694e71b7053SJung-uk Kim {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 695e71b7053SJung-uk Kim NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 696e71b7053SJung-uk Kim NID_ecdsa_with_SHA512, NID_secp521r1}, 697e71b7053SJung-uk Kim {"ed25519", TLSEXT_SIGALG_ed25519, 698e71b7053SJung-uk Kim NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519, 699e71b7053SJung-uk Kim NID_undef, NID_undef}, 700e71b7053SJung-uk Kim {"ed448", TLSEXT_SIGALG_ed448, 701e71b7053SJung-uk Kim NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448, 702e71b7053SJung-uk Kim NID_undef, NID_undef}, 703e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_ecdsa_sha224, 704e71b7053SJung-uk Kim NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 705e71b7053SJung-uk Kim NID_ecdsa_with_SHA224, NID_undef}, 706e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_ecdsa_sha1, 707e71b7053SJung-uk Kim NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 708e71b7053SJung-uk Kim NID_ecdsa_with_SHA1, NID_undef}, 709e71b7053SJung-uk Kim #endif 710e71b7053SJung-uk Kim {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, 711e71b7053SJung-uk Kim NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 712e71b7053SJung-uk Kim NID_undef, NID_undef}, 713e71b7053SJung-uk Kim {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384, 714e71b7053SJung-uk Kim NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 715e71b7053SJung-uk Kim NID_undef, NID_undef}, 716e71b7053SJung-uk Kim {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512, 717e71b7053SJung-uk Kim NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 718e71b7053SJung-uk Kim NID_undef, NID_undef}, 719e71b7053SJung-uk Kim {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256, 720e71b7053SJung-uk Kim NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 721e71b7053SJung-uk Kim NID_undef, NID_undef}, 722e71b7053SJung-uk Kim {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384, 723e71b7053SJung-uk Kim NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 724e71b7053SJung-uk Kim NID_undef, NID_undef}, 725e71b7053SJung-uk Kim {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512, 726e71b7053SJung-uk Kim NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 727e71b7053SJung-uk Kim NID_undef, NID_undef}, 728e71b7053SJung-uk Kim {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256, 729e71b7053SJung-uk Kim NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 730e71b7053SJung-uk Kim NID_sha256WithRSAEncryption, NID_undef}, 731e71b7053SJung-uk Kim {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384, 732e71b7053SJung-uk Kim NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 733e71b7053SJung-uk Kim NID_sha384WithRSAEncryption, NID_undef}, 734e71b7053SJung-uk Kim {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512, 735e71b7053SJung-uk Kim NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 736e71b7053SJung-uk Kim NID_sha512WithRSAEncryption, NID_undef}, 737e71b7053SJung-uk Kim {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224, 738e71b7053SJung-uk Kim NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 739e71b7053SJung-uk Kim NID_sha224WithRSAEncryption, NID_undef}, 740e71b7053SJung-uk Kim {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, 741e71b7053SJung-uk Kim NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 742e71b7053SJung-uk Kim NID_sha1WithRSAEncryption, NID_undef}, 743e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DSA 744e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_dsa_sha256, 745e71b7053SJung-uk Kim NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 746e71b7053SJung-uk Kim NID_dsa_with_SHA256, NID_undef}, 747e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_dsa_sha384, 748e71b7053SJung-uk Kim NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 749e71b7053SJung-uk Kim NID_undef, NID_undef}, 750e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_dsa_sha512, 751e71b7053SJung-uk Kim NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 752e71b7053SJung-uk Kim NID_undef, NID_undef}, 753e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_dsa_sha224, 754e71b7053SJung-uk Kim NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 755e71b7053SJung-uk Kim NID_undef, NID_undef}, 756e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_dsa_sha1, 757e71b7053SJung-uk Kim NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 758e71b7053SJung-uk Kim NID_dsaWithSHA1, NID_undef}, 759e71b7053SJung-uk Kim #endif 760e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 761e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 762e71b7053SJung-uk Kim NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 763e71b7053SJung-uk Kim NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 764e71b7053SJung-uk Kim NID_undef, NID_undef}, 765e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 766e71b7053SJung-uk Kim NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 767e71b7053SJung-uk Kim NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 768e71b7053SJung-uk Kim NID_undef, NID_undef}, 769e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411, 770e71b7053SJung-uk Kim NID_id_GostR3411_94, SSL_MD_GOST94_IDX, 771e71b7053SJung-uk Kim NID_id_GostR3410_2001, SSL_PKEY_GOST01, 772e71b7053SJung-uk Kim NID_undef, NID_undef} 773e71b7053SJung-uk Kim #endif 774e71b7053SJung-uk Kim }; 775e71b7053SJung-uk Kim /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */ 776e71b7053SJung-uk Kim static const SIGALG_LOOKUP legacy_rsa_sigalg = { 777e71b7053SJung-uk Kim "rsa_pkcs1_md5_sha1", 0, 778e71b7053SJung-uk Kim NID_md5_sha1, SSL_MD_MD5_SHA1_IDX, 779e71b7053SJung-uk Kim EVP_PKEY_RSA, SSL_PKEY_RSA, 780e71b7053SJung-uk Kim NID_undef, NID_undef 781e71b7053SJung-uk Kim }; 7821f13597dSJung-uk Kim 7836f9291ceSJung-uk Kim /* 784e71b7053SJung-uk Kim * Default signature algorithm values used if signature algorithms not present. 785e71b7053SJung-uk Kim * From RFC5246. Note: order must match certificate index order. 7861f13597dSJung-uk Kim */ 787e71b7053SJung-uk Kim static const uint16_t tls_default_sigalg[] = { 788e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ 789e71b7053SJung-uk Kim 0, /* SSL_PKEY_RSA_PSS_SIGN */ 790e71b7053SJung-uk Kim TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ 791e71b7053SJung-uk Kim TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ 792e71b7053SJung-uk Kim TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ 793e71b7053SJung-uk Kim TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */ 794e71b7053SJung-uk Kim TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */ 795e71b7053SJung-uk Kim 0, /* SSL_PKEY_ED25519 */ 796e71b7053SJung-uk Kim 0, /* SSL_PKEY_ED448 */ 7971f13597dSJung-uk Kim }; 7981f13597dSJung-uk Kim 799e71b7053SJung-uk Kim /* Lookup TLS signature algorithm */ 800e71b7053SJung-uk Kim static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg) 801e71b7053SJung-uk Kim { 802e71b7053SJung-uk Kim size_t i; 803e71b7053SJung-uk Kim const SIGALG_LOOKUP *s; 804e71b7053SJung-uk Kim 805e71b7053SJung-uk Kim for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 806e71b7053SJung-uk Kim i++, s++) { 807e71b7053SJung-uk Kim if (s->sigalg == sigalg) 808e71b7053SJung-uk Kim return s; 809e71b7053SJung-uk Kim } 810e71b7053SJung-uk Kim return NULL; 811e71b7053SJung-uk Kim } 812e71b7053SJung-uk Kim /* Lookup hash: return 0 if invalid or not enabled */ 813e71b7053SJung-uk Kim int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd) 814e71b7053SJung-uk Kim { 815e71b7053SJung-uk Kim const EVP_MD *md; 816e71b7053SJung-uk Kim if (lu == NULL) 817e71b7053SJung-uk Kim return 0; 818e71b7053SJung-uk Kim /* lu->hash == NID_undef means no associated digest */ 819e71b7053SJung-uk Kim if (lu->hash == NID_undef) { 820e71b7053SJung-uk Kim md = NULL; 821e71b7053SJung-uk Kim } else { 822e71b7053SJung-uk Kim md = ssl_md(lu->hash_idx); 823e71b7053SJung-uk Kim if (md == NULL) 824e71b7053SJung-uk Kim return 0; 825e71b7053SJung-uk Kim } 826e71b7053SJung-uk Kim if (pmd) 827e71b7053SJung-uk Kim *pmd = md; 828e71b7053SJung-uk Kim return 1; 829e71b7053SJung-uk Kim } 830e71b7053SJung-uk Kim 831e71b7053SJung-uk Kim /* 832e71b7053SJung-uk Kim * Check if key is large enough to generate RSA-PSS signature. 833e71b7053SJung-uk Kim * 834e71b7053SJung-uk Kim * The key must greater than or equal to 2 * hash length + 2. 835e71b7053SJung-uk Kim * SHA512 has a hash length of 64 bytes, which is incompatible 836e71b7053SJung-uk Kim * with a 128 byte (1024 bit) key. 837e71b7053SJung-uk Kim */ 838e71b7053SJung-uk Kim #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2) 839e71b7053SJung-uk Kim static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu) 840e71b7053SJung-uk Kim { 841e71b7053SJung-uk Kim const EVP_MD *md; 842e71b7053SJung-uk Kim 843e71b7053SJung-uk Kim if (rsa == NULL) 844e71b7053SJung-uk Kim return 0; 845e71b7053SJung-uk Kim if (!tls1_lookup_md(lu, &md) || md == NULL) 846e71b7053SJung-uk Kim return 0; 847e71b7053SJung-uk Kim if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md)) 848e71b7053SJung-uk Kim return 0; 849e71b7053SJung-uk Kim return 1; 850e71b7053SJung-uk Kim } 851e71b7053SJung-uk Kim 852e71b7053SJung-uk Kim /* 853*17f01e99SJung-uk Kim * Returns a signature algorithm when the peer did not send a list of supported 854*17f01e99SJung-uk Kim * signature algorithms. The signature algorithm is fixed for the certificate 855*17f01e99SJung-uk Kim * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the 856*17f01e99SJung-uk Kim * certificate type from |s| will be used. 857*17f01e99SJung-uk Kim * Returns the signature algorithm to use, or NULL on error. 858e71b7053SJung-uk Kim */ 859e71b7053SJung-uk Kim static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) 860e71b7053SJung-uk Kim { 861e71b7053SJung-uk Kim if (idx == -1) { 862e71b7053SJung-uk Kim if (s->server) { 863e71b7053SJung-uk Kim size_t i; 864e71b7053SJung-uk Kim 865e71b7053SJung-uk Kim /* Work out index corresponding to ciphersuite */ 866e71b7053SJung-uk Kim for (i = 0; i < SSL_PKEY_NUM; i++) { 867e71b7053SJung-uk Kim const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i); 868e71b7053SJung-uk Kim 869e71b7053SJung-uk Kim if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) { 870e71b7053SJung-uk Kim idx = i; 871e71b7053SJung-uk Kim break; 872e71b7053SJung-uk Kim } 873e71b7053SJung-uk Kim } 874e71b7053SJung-uk Kim 875e71b7053SJung-uk Kim /* 876e71b7053SJung-uk Kim * Some GOST ciphersuites allow more than one signature algorithms 877e71b7053SJung-uk Kim * */ 878e71b7053SJung-uk Kim if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) { 879e71b7053SJung-uk Kim int real_idx; 880e71b7053SJung-uk Kim 881e71b7053SJung-uk Kim for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01; 882e71b7053SJung-uk Kim real_idx--) { 883e71b7053SJung-uk Kim if (s->cert->pkeys[real_idx].privatekey != NULL) { 884e71b7053SJung-uk Kim idx = real_idx; 885e71b7053SJung-uk Kim break; 886e71b7053SJung-uk Kim } 887e71b7053SJung-uk Kim } 888e71b7053SJung-uk Kim } 889e71b7053SJung-uk Kim } else { 890e71b7053SJung-uk Kim idx = s->cert->key - s->cert->pkeys; 891e71b7053SJung-uk Kim } 892e71b7053SJung-uk Kim } 893e71b7053SJung-uk Kim if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) 894e71b7053SJung-uk Kim return NULL; 895e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { 896e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]); 897e71b7053SJung-uk Kim 898e71b7053SJung-uk Kim if (!tls1_lookup_md(lu, NULL)) 899e71b7053SJung-uk Kim return NULL; 900*17f01e99SJung-uk Kim if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 901*17f01e99SJung-uk Kim return NULL; 902e71b7053SJung-uk Kim return lu; 903e71b7053SJung-uk Kim } 904*17f01e99SJung-uk Kim if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg)) 905*17f01e99SJung-uk Kim return NULL; 906e71b7053SJung-uk Kim return &legacy_rsa_sigalg; 907e71b7053SJung-uk Kim } 908e71b7053SJung-uk Kim /* Set peer sigalg based key type */ 909e71b7053SJung-uk Kim int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey) 910e71b7053SJung-uk Kim { 911e71b7053SJung-uk Kim size_t idx; 912e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu; 913e71b7053SJung-uk Kim 914e71b7053SJung-uk Kim if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 915e71b7053SJung-uk Kim return 0; 916e71b7053SJung-uk Kim lu = tls1_get_legacy_sigalg(s, idx); 917e71b7053SJung-uk Kim if (lu == NULL) 918e71b7053SJung-uk Kim return 0; 919e71b7053SJung-uk Kim s->s3->tmp.peer_sigalg = lu; 920e71b7053SJung-uk Kim return 1; 921e71b7053SJung-uk Kim } 922e71b7053SJung-uk Kim 923e71b7053SJung-uk Kim size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) 9241f13597dSJung-uk Kim { 9257bded2dbSJung-uk Kim /* 9267bded2dbSJung-uk Kim * If Suite B mode use Suite B sigalgs only, ignore any other 9277bded2dbSJung-uk Kim * preferences. 9287bded2dbSJung-uk Kim */ 9297bded2dbSJung-uk Kim #ifndef OPENSSL_NO_EC 9307bded2dbSJung-uk Kim switch (tls1_suiteb(s)) { 9317bded2dbSJung-uk Kim case SSL_CERT_FLAG_SUITEB_128_LOS: 9327bded2dbSJung-uk Kim *psigs = suiteb_sigalgs; 933e71b7053SJung-uk Kim return OSSL_NELEM(suiteb_sigalgs); 9347bded2dbSJung-uk Kim 9357bded2dbSJung-uk Kim case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 9367bded2dbSJung-uk Kim *psigs = suiteb_sigalgs; 937e71b7053SJung-uk Kim return 1; 9387bded2dbSJung-uk Kim 9397bded2dbSJung-uk Kim case SSL_CERT_FLAG_SUITEB_192_LOS: 940e71b7053SJung-uk Kim *psigs = suiteb_sigalgs + 1; 941e71b7053SJung-uk Kim return 1; 9427bded2dbSJung-uk Kim } 9437bded2dbSJung-uk Kim #endif 944e71b7053SJung-uk Kim /* 945e71b7053SJung-uk Kim * We use client_sigalgs (if not NULL) if we're a server 946e71b7053SJung-uk Kim * and sending a certificate request or if we're a client and 947e71b7053SJung-uk Kim * determining which shared algorithm to use. 948e71b7053SJung-uk Kim */ 949e71b7053SJung-uk Kim if ((s->server == sent) && s->cert->client_sigalgs != NULL) { 9507bded2dbSJung-uk Kim *psigs = s->cert->client_sigalgs; 9517bded2dbSJung-uk Kim return s->cert->client_sigalgslen; 9527bded2dbSJung-uk Kim } else if (s->cert->conf_sigalgs) { 9537bded2dbSJung-uk Kim *psigs = s->cert->conf_sigalgs; 9547bded2dbSJung-uk Kim return s->cert->conf_sigalgslen; 9557bded2dbSJung-uk Kim } else { 9567bded2dbSJung-uk Kim *psigs = tls12_sigalgs; 957e71b7053SJung-uk Kim return OSSL_NELEM(tls12_sigalgs); 9587bded2dbSJung-uk Kim } 9597bded2dbSJung-uk Kim } 9607bded2dbSJung-uk Kim 961c9cf7b5cSJung-uk Kim #ifndef OPENSSL_NO_EC 962c9cf7b5cSJung-uk Kim /* 963c9cf7b5cSJung-uk Kim * Called by servers only. Checks that we have a sig alg that supports the 964c9cf7b5cSJung-uk Kim * specified EC curve. 965c9cf7b5cSJung-uk Kim */ 966c9cf7b5cSJung-uk Kim int tls_check_sigalg_curve(const SSL *s, int curve) 967c9cf7b5cSJung-uk Kim { 968c9cf7b5cSJung-uk Kim const uint16_t *sigs; 969c9cf7b5cSJung-uk Kim size_t siglen, i; 970c9cf7b5cSJung-uk Kim 971c9cf7b5cSJung-uk Kim if (s->cert->conf_sigalgs) { 972c9cf7b5cSJung-uk Kim sigs = s->cert->conf_sigalgs; 973c9cf7b5cSJung-uk Kim siglen = s->cert->conf_sigalgslen; 974c9cf7b5cSJung-uk Kim } else { 975c9cf7b5cSJung-uk Kim sigs = tls12_sigalgs; 976c9cf7b5cSJung-uk Kim siglen = OSSL_NELEM(tls12_sigalgs); 977c9cf7b5cSJung-uk Kim } 978c9cf7b5cSJung-uk Kim 979c9cf7b5cSJung-uk Kim for (i = 0; i < siglen; i++) { 980c9cf7b5cSJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigs[i]); 981c9cf7b5cSJung-uk Kim 982c9cf7b5cSJung-uk Kim if (lu == NULL) 983c9cf7b5cSJung-uk Kim continue; 984c9cf7b5cSJung-uk Kim if (lu->sig == EVP_PKEY_EC 985c9cf7b5cSJung-uk Kim && lu->curve != NID_undef 986c9cf7b5cSJung-uk Kim && curve == lu->curve) 987c9cf7b5cSJung-uk Kim return 1; 988c9cf7b5cSJung-uk Kim } 989c9cf7b5cSJung-uk Kim 990c9cf7b5cSJung-uk Kim return 0; 991c9cf7b5cSJung-uk Kim } 992c9cf7b5cSJung-uk Kim #endif 993c9cf7b5cSJung-uk Kim 9947bded2dbSJung-uk Kim /* 995*17f01e99SJung-uk Kim * Return the number of security bits for the signature algorithm, or 0 on 996*17f01e99SJung-uk Kim * error. 997*17f01e99SJung-uk Kim */ 998*17f01e99SJung-uk Kim static int sigalg_security_bits(const SIGALG_LOOKUP *lu) 999*17f01e99SJung-uk Kim { 1000*17f01e99SJung-uk Kim const EVP_MD *md = NULL; 1001*17f01e99SJung-uk Kim int secbits = 0; 1002*17f01e99SJung-uk Kim 1003*17f01e99SJung-uk Kim if (!tls1_lookup_md(lu, &md)) 1004*17f01e99SJung-uk Kim return 0; 1005*17f01e99SJung-uk Kim if (md != NULL) 1006*17f01e99SJung-uk Kim { 1007*17f01e99SJung-uk Kim /* Security bits: half digest bits */ 1008*17f01e99SJung-uk Kim secbits = EVP_MD_size(md) * 4; 1009*17f01e99SJung-uk Kim } else { 1010*17f01e99SJung-uk Kim /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ 1011*17f01e99SJung-uk Kim if (lu->sigalg == TLSEXT_SIGALG_ed25519) 1012*17f01e99SJung-uk Kim secbits = 128; 1013*17f01e99SJung-uk Kim else if (lu->sigalg == TLSEXT_SIGALG_ed448) 1014*17f01e99SJung-uk Kim secbits = 224; 1015*17f01e99SJung-uk Kim } 1016*17f01e99SJung-uk Kim return secbits; 1017*17f01e99SJung-uk Kim } 1018*17f01e99SJung-uk Kim 1019*17f01e99SJung-uk Kim /* 10207bded2dbSJung-uk Kim * Check signature algorithm is consistent with sent supported signature 1021e71b7053SJung-uk Kim * algorithms and if so set relevant digest and signature scheme in 1022e71b7053SJung-uk Kim * s. 10237bded2dbSJung-uk Kim */ 1024e71b7053SJung-uk Kim int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) 10257bded2dbSJung-uk Kim { 1026e71b7053SJung-uk Kim const uint16_t *sent_sigs; 1027e71b7053SJung-uk Kim const EVP_MD *md = NULL; 1028e71b7053SJung-uk Kim char sigalgstr[2]; 1029e71b7053SJung-uk Kim size_t sent_sigslen, i, cidx; 1030e71b7053SJung-uk Kim int pkeyid = EVP_PKEY_id(pkey); 1031e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu; 1032*17f01e99SJung-uk Kim int secbits = 0; 1033e71b7053SJung-uk Kim 10347bded2dbSJung-uk Kim /* Should never happen */ 1035e71b7053SJung-uk Kim if (pkeyid == -1) 10367bded2dbSJung-uk Kim return -1; 1037e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) { 1038e71b7053SJung-uk Kim /* Disallow DSA for TLS 1.3 */ 1039e71b7053SJung-uk Kim if (pkeyid == EVP_PKEY_DSA) { 1040e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, 1041e71b7053SJung-uk Kim SSL_R_WRONG_SIGNATURE_TYPE); 10427bded2dbSJung-uk Kim return 0; 10437bded2dbSJung-uk Kim } 1044e71b7053SJung-uk Kim /* Only allow PSS for TLS 1.3 */ 1045e71b7053SJung-uk Kim if (pkeyid == EVP_PKEY_RSA) 1046e71b7053SJung-uk Kim pkeyid = EVP_PKEY_RSA_PSS; 1047e71b7053SJung-uk Kim } 1048e71b7053SJung-uk Kim lu = tls1_lookup_sigalg(sig); 1049e71b7053SJung-uk Kim /* 1050e71b7053SJung-uk Kim * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type 1051e71b7053SJung-uk Kim * is consistent with signature: RSA keys can be used for RSA-PSS 1052e71b7053SJung-uk Kim */ 1053e71b7053SJung-uk Kim if (lu == NULL 1054e71b7053SJung-uk Kim || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) 1055e71b7053SJung-uk Kim || (pkeyid != lu->sig 1056e71b7053SJung-uk Kim && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { 1057e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, 1058e71b7053SJung-uk Kim SSL_R_WRONG_SIGNATURE_TYPE); 1059e71b7053SJung-uk Kim return 0; 1060e71b7053SJung-uk Kim } 1061e71b7053SJung-uk Kim /* Check the sigalg is consistent with the key OID */ 1062e71b7053SJung-uk Kim if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx) 1063e71b7053SJung-uk Kim || lu->sig_idx != (int)cidx) { 1064e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, 1065e71b7053SJung-uk Kim SSL_R_WRONG_SIGNATURE_TYPE); 1066e71b7053SJung-uk Kim return 0; 1067e71b7053SJung-uk Kim } 1068e71b7053SJung-uk Kim 10697bded2dbSJung-uk Kim #ifndef OPENSSL_NO_EC 1070e71b7053SJung-uk Kim if (pkeyid == EVP_PKEY_EC) { 1071e71b7053SJung-uk Kim 1072e71b7053SJung-uk Kim /* Check point compression is permitted */ 1073e71b7053SJung-uk Kim if (!tls1_check_pkey_comp(s, pkey)) { 1074e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1075e71b7053SJung-uk Kim SSL_F_TLS12_CHECK_PEER_SIGALG, 1076e71b7053SJung-uk Kim SSL_R_ILLEGAL_POINT_COMPRESSION); 10777bded2dbSJung-uk Kim return 0; 10787bded2dbSJung-uk Kim } 1079e71b7053SJung-uk Kim 1080e71b7053SJung-uk Kim /* For TLS 1.3 or Suite B check curve matches signature algorithm */ 1081e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) || tls1_suiteb(s)) { 1082e71b7053SJung-uk Kim EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); 1083e71b7053SJung-uk Kim int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); 1084e71b7053SJung-uk Kim 1085e71b7053SJung-uk Kim if (lu->curve != NID_undef && curve != lu->curve) { 1086e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1087e71b7053SJung-uk Kim SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); 1088e71b7053SJung-uk Kim return 0; 1089e71b7053SJung-uk Kim } 1090e71b7053SJung-uk Kim } 1091e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s)) { 1092e71b7053SJung-uk Kim /* Check curve matches extensions */ 1093e71b7053SJung-uk Kim if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { 1094e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1095e71b7053SJung-uk Kim SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); 1096e71b7053SJung-uk Kim return 0; 1097e71b7053SJung-uk Kim } 10987bded2dbSJung-uk Kim if (tls1_suiteb(s)) { 1099e71b7053SJung-uk Kim /* Check sigalg matches a permissible Suite B value */ 1100e71b7053SJung-uk Kim if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 1101e71b7053SJung-uk Kim && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { 1102e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1103e71b7053SJung-uk Kim SSL_F_TLS12_CHECK_PEER_SIGALG, 1104e71b7053SJung-uk Kim SSL_R_WRONG_SIGNATURE_TYPE); 11057bded2dbSJung-uk Kim return 0; 11067bded2dbSJung-uk Kim } 1107e71b7053SJung-uk Kim } 1108e71b7053SJung-uk Kim } 1109e71b7053SJung-uk Kim } else if (tls1_suiteb(s)) { 1110e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, 1111e71b7053SJung-uk Kim SSL_R_WRONG_SIGNATURE_TYPE); 11127bded2dbSJung-uk Kim return 0; 11137bded2dbSJung-uk Kim } 11147bded2dbSJung-uk Kim #endif 11157bded2dbSJung-uk Kim 11167bded2dbSJung-uk Kim /* Check signature matches a type we sent */ 1117ed7112f0SJung-uk Kim sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1118e71b7053SJung-uk Kim for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 1119e71b7053SJung-uk Kim if (sig == *sent_sigs) 11207bded2dbSJung-uk Kim break; 11217bded2dbSJung-uk Kim } 11227bded2dbSJung-uk Kim /* Allow fallback to SHA1 if not strict mode */ 1123e71b7053SJung-uk Kim if (i == sent_sigslen && (lu->hash != NID_sha1 11247bded2dbSJung-uk Kim || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 1125e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, 1126e71b7053SJung-uk Kim SSL_R_WRONG_SIGNATURE_TYPE); 11277bded2dbSJung-uk Kim return 0; 11287bded2dbSJung-uk Kim } 1129e71b7053SJung-uk Kim if (!tls1_lookup_md(lu, &md)) { 1130e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, 1131e71b7053SJung-uk Kim SSL_R_UNKNOWN_DIGEST); 11327bded2dbSJung-uk Kim return 0; 11337bded2dbSJung-uk Kim } 11347bded2dbSJung-uk Kim /* 1135e71b7053SJung-uk Kim * Make sure security callback allows algorithm. For historical 1136e71b7053SJung-uk Kim * reasons we have to pass the sigalg as a two byte char array. 11377bded2dbSJung-uk Kim */ 1138e71b7053SJung-uk Kim sigalgstr[0] = (sig >> 8) & 0xff; 1139e71b7053SJung-uk Kim sigalgstr[1] = sig & 0xff; 1140*17f01e99SJung-uk Kim secbits = sigalg_security_bits(lu); 1141*17f01e99SJung-uk Kim if (secbits == 0 || 1142*17f01e99SJung-uk Kim !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, 1143*17f01e99SJung-uk Kim md != NULL ? EVP_MD_type(md) : NID_undef, 1144e71b7053SJung-uk Kim (void *)sigalgstr)) { 1145e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, 1146e71b7053SJung-uk Kim SSL_R_WRONG_SIGNATURE_TYPE); 1147e71b7053SJung-uk Kim return 0; 1148e71b7053SJung-uk Kim } 1149e71b7053SJung-uk Kim /* Store the sigalg the peer uses */ 1150e71b7053SJung-uk Kim s->s3->tmp.peer_sigalg = lu; 1151e71b7053SJung-uk Kim return 1; 1152e71b7053SJung-uk Kim } 1153e71b7053SJung-uk Kim 1154e71b7053SJung-uk Kim int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) 1155e71b7053SJung-uk Kim { 1156e71b7053SJung-uk Kim if (s->s3->tmp.peer_sigalg == NULL) 1157e71b7053SJung-uk Kim return 0; 1158e71b7053SJung-uk Kim *pnid = s->s3->tmp.peer_sigalg->sig; 11597bded2dbSJung-uk Kim return 1; 11607bded2dbSJung-uk Kim } 11617bded2dbSJung-uk Kim 1162c9cf7b5cSJung-uk Kim int SSL_get_signature_type_nid(const SSL *s, int *pnid) 1163c9cf7b5cSJung-uk Kim { 1164c9cf7b5cSJung-uk Kim if (s->s3->tmp.sigalg == NULL) 1165c9cf7b5cSJung-uk Kim return 0; 1166c9cf7b5cSJung-uk Kim *pnid = s->s3->tmp.sigalg->sig; 1167c9cf7b5cSJung-uk Kim return 1; 1168c9cf7b5cSJung-uk Kim } 1169c9cf7b5cSJung-uk Kim 11707bded2dbSJung-uk Kim /* 1171e71b7053SJung-uk Kim * Set a mask of disabled algorithms: an algorithm is disabled if it isn't 1172e71b7053SJung-uk Kim * supported, doesn't appear in supported signature algorithms, isn't supported 1173e71b7053SJung-uk Kim * by the enabled protocol versions or by the security level. 1174e71b7053SJung-uk Kim * 1175e71b7053SJung-uk Kim * This function should only be used for checking which ciphers are supported 1176e71b7053SJung-uk Kim * by the client. 1177e71b7053SJung-uk Kim * 1178e71b7053SJung-uk Kim * Call ssl_cipher_disabled() to check that it's enabled or not. 11797bded2dbSJung-uk Kim */ 1180e71b7053SJung-uk Kim int ssl_set_client_disabled(SSL *s) 11817bded2dbSJung-uk Kim { 1182e71b7053SJung-uk Kim s->s3->tmp.mask_a = 0; 1183e71b7053SJung-uk Kim s->s3->tmp.mask_k = 0; 1184e71b7053SJung-uk Kim ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); 1185e71b7053SJung-uk Kim if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver, 1186e71b7053SJung-uk Kim &s->s3->tmp.max_ver, NULL) != 0) 1187e71b7053SJung-uk Kim return 0; 11887bded2dbSJung-uk Kim #ifndef OPENSSL_NO_PSK 11897bded2dbSJung-uk Kim /* with PSK there must be client callback set */ 11907bded2dbSJung-uk Kim if (!s->psk_client_callback) { 1191e71b7053SJung-uk Kim s->s3->tmp.mask_a |= SSL_aPSK; 1192e71b7053SJung-uk Kim s->s3->tmp.mask_k |= SSL_PSK; 11937bded2dbSJung-uk Kim } 11947bded2dbSJung-uk Kim #endif /* OPENSSL_NO_PSK */ 11957bded2dbSJung-uk Kim #ifndef OPENSSL_NO_SRP 11967bded2dbSJung-uk Kim if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) { 1197e71b7053SJung-uk Kim s->s3->tmp.mask_a |= SSL_aSRP; 1198e71b7053SJung-uk Kim s->s3->tmp.mask_k |= SSL_kSRP; 11997bded2dbSJung-uk Kim } 12007bded2dbSJung-uk Kim #endif 1201e71b7053SJung-uk Kim return 1; 12021f13597dSJung-uk Kim } 12031f13597dSJung-uk Kim 12046f9291ceSJung-uk Kim /* 1205e71b7053SJung-uk Kim * ssl_cipher_disabled - check that a cipher is disabled or not 1206e71b7053SJung-uk Kim * @s: SSL connection that you want to use the cipher on 1207e71b7053SJung-uk Kim * @c: cipher to check 1208e71b7053SJung-uk Kim * @op: Security check that you want to do 1209e71b7053SJung-uk Kim * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3 12106cf8931aSJung-uk Kim * 1211e71b7053SJung-uk Kim * Returns 1 when it's disabled, 0 when enabled. 12126cf8931aSJung-uk Kim */ 1213*17f01e99SJung-uk Kim int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe) 1214db522d3aSSimon L. B. Nielsen { 1215e71b7053SJung-uk Kim if (c->algorithm_mkey & s->s3->tmp.mask_k 1216e71b7053SJung-uk Kim || c->algorithm_auth & s->s3->tmp.mask_a) 1217e71b7053SJung-uk Kim return 1; 1218e71b7053SJung-uk Kim if (s->s3->tmp.max_ver == 0) 1219e71b7053SJung-uk Kim return 1; 1220e71b7053SJung-uk Kim if (!SSL_IS_DTLS(s)) { 1221e71b7053SJung-uk Kim int min_tls = c->min_tls; 1222de78d5d8SJung-uk Kim 12237bded2dbSJung-uk Kim /* 1224e71b7053SJung-uk Kim * For historical reasons we will allow ECHDE to be selected by a server 1225e71b7053SJung-uk Kim * in SSLv3 if we are a client 12267bded2dbSJung-uk Kim */ 1227e71b7053SJung-uk Kim if (min_tls == TLS1_VERSION && ecdhe 1228e71b7053SJung-uk Kim && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0) 1229e71b7053SJung-uk Kim min_tls = SSL3_VERSION; 12307bded2dbSJung-uk Kim 1231e71b7053SJung-uk Kim if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver)) 1232b8721c16SJung-uk Kim return 1; 1233b8721c16SJung-uk Kim } 1234e71b7053SJung-uk Kim if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver) 1235e71b7053SJung-uk Kim || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver))) 12367bded2dbSJung-uk Kim return 1; 12377bded2dbSJung-uk Kim 1238e71b7053SJung-uk Kim return !ssl_security(s, op, c->strength_bits, 0, (void *)c); 12397bded2dbSJung-uk Kim } 12407bded2dbSJung-uk Kim 1241e71b7053SJung-uk Kim int tls_use_ticket(SSL *s) 12427bded2dbSJung-uk Kim { 1243e71b7053SJung-uk Kim if ((s->options & SSL_OP_NO_TICKET)) 12447bded2dbSJung-uk Kim return 0; 1245e71b7053SJung-uk Kim return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); 1246db522d3aSSimon L. B. Nielsen } 1247db522d3aSSimon L. B. Nielsen 12487bded2dbSJung-uk Kim int tls1_set_server_sigalgs(SSL *s) 12497bded2dbSJung-uk Kim { 12507bded2dbSJung-uk Kim size_t i; 1251e71b7053SJung-uk Kim 1252e71b7053SJung-uk Kim /* Clear any shared signature algorithms */ 1253da327cd2SJung-uk Kim OPENSSL_free(s->shared_sigalgs); 1254da327cd2SJung-uk Kim s->shared_sigalgs = NULL; 1255da327cd2SJung-uk Kim s->shared_sigalgslen = 0; 1256e71b7053SJung-uk Kim /* Clear certificate validity flags */ 1257e71b7053SJung-uk Kim for (i = 0; i < SSL_PKEY_NUM; i++) 1258e71b7053SJung-uk Kim s->s3->tmp.valid_flags[i] = 0; 1259e71b7053SJung-uk Kim /* 1260e71b7053SJung-uk Kim * If peer sent no signature algorithms check to see if we support 1261e71b7053SJung-uk Kim * the default algorithm for each certificate type 1262e71b7053SJung-uk Kim */ 1263e71b7053SJung-uk Kim if (s->s3->tmp.peer_cert_sigalgs == NULL 1264e71b7053SJung-uk Kim && s->s3->tmp.peer_sigalgs == NULL) { 1265e71b7053SJung-uk Kim const uint16_t *sent_sigs; 1266e71b7053SJung-uk Kim size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1267e71b7053SJung-uk Kim 12687bded2dbSJung-uk Kim for (i = 0; i < SSL_PKEY_NUM; i++) { 1269e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i); 1270e71b7053SJung-uk Kim size_t j; 1271e71b7053SJung-uk Kim 1272e71b7053SJung-uk Kim if (lu == NULL) 1273e71b7053SJung-uk Kim continue; 1274e71b7053SJung-uk Kim /* Check default matches a type we sent */ 1275e71b7053SJung-uk Kim for (j = 0; j < sent_sigslen; j++) { 1276e71b7053SJung-uk Kim if (lu->sigalg == sent_sigs[j]) { 1277e71b7053SJung-uk Kim s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN; 1278e71b7053SJung-uk Kim break; 1279e71b7053SJung-uk Kim } 1280e71b7053SJung-uk Kim } 1281e71b7053SJung-uk Kim } 1282e71b7053SJung-uk Kim return 1; 12837bded2dbSJung-uk Kim } 12847bded2dbSJung-uk Kim 12857bded2dbSJung-uk Kim if (!tls1_process_sigalgs(s)) { 1286e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1287e71b7053SJung-uk Kim SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR); 12887bded2dbSJung-uk Kim return 0; 12897bded2dbSJung-uk Kim } 1290da327cd2SJung-uk Kim if (s->shared_sigalgs != NULL) 1291e71b7053SJung-uk Kim return 1; 12927bded2dbSJung-uk Kim 1293e71b7053SJung-uk Kim /* Fatal error if no shared signature algorithms */ 1294e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS, 1295e71b7053SJung-uk Kim SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); 12966cf8931aSJung-uk Kim return 0; 129709286989SJung-uk Kim } 12987bded2dbSJung-uk Kim 12996f9291ceSJung-uk Kim /*- 1300e71b7053SJung-uk Kim * Gets the ticket information supplied by the client if any. 13011f13597dSJung-uk Kim * 1302e71b7053SJung-uk Kim * hello: The parsed ClientHello data 13031f13597dSJung-uk Kim * ret: (output) on return, if a ticket was decrypted, then this is set to 13041f13597dSJung-uk Kim * point to the resulting session. 1305e71b7053SJung-uk Kim */ 1306e71b7053SJung-uk Kim SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello, 1307e71b7053SJung-uk Kim SSL_SESSION **ret) 1308e71b7053SJung-uk Kim { 1309e71b7053SJung-uk Kim size_t size; 1310e71b7053SJung-uk Kim RAW_EXTENSION *ticketext; 1311e71b7053SJung-uk Kim 1312e71b7053SJung-uk Kim *ret = NULL; 1313e71b7053SJung-uk Kim s->ext.ticket_expected = 0; 1314e71b7053SJung-uk Kim 1315e71b7053SJung-uk Kim /* 1316e71b7053SJung-uk Kim * If tickets disabled or not supported by the protocol version 1317e71b7053SJung-uk Kim * (e.g. TLSv1.3) behave as if no ticket present to permit stateful 1318e71b7053SJung-uk Kim * resumption. 1319e71b7053SJung-uk Kim */ 1320e71b7053SJung-uk Kim if (s->version <= SSL3_VERSION || !tls_use_ticket(s)) 1321e71b7053SJung-uk Kim return SSL_TICKET_NONE; 1322e71b7053SJung-uk Kim 1323e71b7053SJung-uk Kim ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket]; 1324e71b7053SJung-uk Kim if (!ticketext->present) 1325e71b7053SJung-uk Kim return SSL_TICKET_NONE; 1326e71b7053SJung-uk Kim 1327e71b7053SJung-uk Kim size = PACKET_remaining(&ticketext->data); 1328e71b7053SJung-uk Kim 1329e71b7053SJung-uk Kim return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size, 1330e71b7053SJung-uk Kim hello->session_id, hello->session_id_len, ret); 1331e71b7053SJung-uk Kim } 1332e71b7053SJung-uk Kim 1333e71b7053SJung-uk Kim /*- 1334e71b7053SJung-uk Kim * tls_decrypt_ticket attempts to decrypt a session ticket. 13351f13597dSJung-uk Kim * 1336e71b7053SJung-uk Kim * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are 1337e71b7053SJung-uk Kim * expecting a pre-shared key ciphersuite, in which case we have no use for 1338e71b7053SJung-uk Kim * session tickets and one will never be decrypted, nor will 1339e71b7053SJung-uk Kim * s->ext.ticket_expected be set to 1. 13401f13597dSJung-uk Kim * 13411f13597dSJung-uk Kim * Side effects: 1342e71b7053SJung-uk Kim * Sets s->ext.ticket_expected to 1 if the server will have to issue 13431f13597dSJung-uk Kim * a new session ticket to the client because the client indicated support 13441f13597dSJung-uk Kim * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 13451f13597dSJung-uk Kim * a session ticket or we couldn't use the one it gave us, or if 1346e71b7053SJung-uk Kim * s->ctx->ext.ticket_key_cb asked to renew the client's ticket. 1347e71b7053SJung-uk Kim * Otherwise, s->ext.ticket_expected is set to 0. 1348e71b7053SJung-uk Kim * 1349e71b7053SJung-uk Kim * etick: points to the body of the session ticket extension. 1350e71b7053SJung-uk Kim * eticklen: the length of the session tickets extension. 1351e71b7053SJung-uk Kim * sess_id: points at the session ID. 1352e71b7053SJung-uk Kim * sesslen: the length of the session ID. 1353e71b7053SJung-uk Kim * psess: (output) on return, if a ticket was decrypted, then this is set to 1354e71b7053SJung-uk Kim * point to the resulting session. 1355db522d3aSSimon L. B. Nielsen */ 1356e71b7053SJung-uk Kim SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, 1357e71b7053SJung-uk Kim size_t eticklen, const unsigned char *sess_id, 1358e71b7053SJung-uk Kim size_t sesslen, SSL_SESSION **psess) 1359db522d3aSSimon L. B. Nielsen { 1360e71b7053SJung-uk Kim SSL_SESSION *sess = NULL; 1361e71b7053SJung-uk Kim unsigned char *sdec; 1362e71b7053SJung-uk Kim const unsigned char *p; 1363e71b7053SJung-uk Kim int slen, renew_ticket = 0, declen; 1364e71b7053SJung-uk Kim SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER; 1365e71b7053SJung-uk Kim size_t mlen; 1366e71b7053SJung-uk Kim unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 1367e71b7053SJung-uk Kim HMAC_CTX *hctx = NULL; 1368e71b7053SJung-uk Kim EVP_CIPHER_CTX *ctx = NULL; 1369e71b7053SJung-uk Kim SSL_CTX *tctx = s->session_ctx; 1370db522d3aSSimon L. B. Nielsen 1371e71b7053SJung-uk Kim if (eticklen == 0) { 13726f9291ceSJung-uk Kim /* 13736f9291ceSJung-uk Kim * The client will accept a ticket but doesn't currently have 1374e71b7053SJung-uk Kim * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3 13756f9291ceSJung-uk Kim */ 1376e71b7053SJung-uk Kim ret = SSL_TICKET_EMPTY; 1377e71b7053SJung-uk Kim goto end; 1378db522d3aSSimon L. B. Nielsen } 1379e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) { 13806f9291ceSJung-uk Kim /* 13816f9291ceSJung-uk Kim * Indicate that the ticket couldn't be decrypted rather than 13826f9291ceSJung-uk Kim * generating the session from ticket now, trigger 13836f9291ceSJung-uk Kim * abbreviated handshake based on external mechanism to 13846f9291ceSJung-uk Kim * calculate the master secret later. 13856f9291ceSJung-uk Kim */ 1386e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1387e71b7053SJung-uk Kim goto end; 13881f13597dSJung-uk Kim } 1389aeb5019cSJung-uk Kim 1390dee36b4fSJung-uk Kim /* Need at least keyname + iv */ 1391e71b7053SJung-uk Kim if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) { 1392e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1393e71b7053SJung-uk Kim goto end; 1394e71b7053SJung-uk Kim } 1395dee36b4fSJung-uk Kim 1396db522d3aSSimon L. B. Nielsen /* Initialize session ticket encryption and HMAC contexts */ 1397e71b7053SJung-uk Kim hctx = HMAC_CTX_new(); 1398e71b7053SJung-uk Kim if (hctx == NULL) { 1399e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_MALLOC; 1400e71b7053SJung-uk Kim goto end; 1401e71b7053SJung-uk Kim } 1402e71b7053SJung-uk Kim ctx = EVP_CIPHER_CTX_new(); 1403e71b7053SJung-uk Kim if (ctx == NULL) { 1404e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_MALLOC; 1405e71b7053SJung-uk Kim goto end; 1406e71b7053SJung-uk Kim } 1407e71b7053SJung-uk Kim if (tctx->ext.ticket_key_cb) { 1408db522d3aSSimon L. B. Nielsen unsigned char *nctick = (unsigned char *)etick; 1409e71b7053SJung-uk Kim int rv = tctx->ext.ticket_key_cb(s, nctick, 1410e71b7053SJung-uk Kim nctick + TLSEXT_KEYNAME_LENGTH, 1411e71b7053SJung-uk Kim ctx, hctx, 0); 1412e71b7053SJung-uk Kim if (rv < 0) { 1413e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1414e71b7053SJung-uk Kim goto end; 1415e71b7053SJung-uk Kim } 1416dee36b4fSJung-uk Kim if (rv == 0) { 1417e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1418e71b7053SJung-uk Kim goto end; 1419dee36b4fSJung-uk Kim } 1420db522d3aSSimon L. B. Nielsen if (rv == 2) 1421db522d3aSSimon L. B. Nielsen renew_ticket = 1; 14226f9291ceSJung-uk Kim } else { 1423db522d3aSSimon L. B. Nielsen /* Check key name matches */ 1424e71b7053SJung-uk Kim if (memcmp(etick, tctx->ext.tick_key_name, 1425e71b7053SJung-uk Kim TLSEXT_KEYNAME_LENGTH) != 0) { 1426e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1427e71b7053SJung-uk Kim goto end; 142880815a77SJung-uk Kim } 1429e71b7053SJung-uk Kim if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key, 1430e71b7053SJung-uk Kim sizeof(tctx->ext.secure->tick_hmac_key), 1431e71b7053SJung-uk Kim EVP_sha256(), NULL) <= 0 1432e71b7053SJung-uk Kim || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 1433e71b7053SJung-uk Kim tctx->ext.secure->tick_aes_key, 1434e71b7053SJung-uk Kim etick + TLSEXT_KEYNAME_LENGTH) <= 0) { 1435e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1436e71b7053SJung-uk Kim goto end; 1437e71b7053SJung-uk Kim } 1438e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) 1439e71b7053SJung-uk Kim renew_ticket = 1; 1440db522d3aSSimon L. B. Nielsen } 14416f9291ceSJung-uk Kim /* 14426f9291ceSJung-uk Kim * Attempt to process session ticket, first conduct sanity and integrity 14436f9291ceSJung-uk Kim * checks on ticket. 1444db522d3aSSimon L. B. Nielsen */ 1445e71b7053SJung-uk Kim mlen = HMAC_size(hctx); 1446e71b7053SJung-uk Kim if (mlen == 0) { 1447e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1448e71b7053SJung-uk Kim goto end; 1449aeb5019cSJung-uk Kim } 1450aeb5019cSJung-uk Kim 1451e71b7053SJung-uk Kim /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 1452e71b7053SJung-uk Kim if (eticklen <= 1453e71b7053SJung-uk Kim TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) { 1454e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1455e71b7053SJung-uk Kim goto end; 1456e71b7053SJung-uk Kim } 1457db522d3aSSimon L. B. Nielsen eticklen -= mlen; 1458db522d3aSSimon L. B. Nielsen /* Check HMAC of encrypted ticket */ 1459e71b7053SJung-uk Kim if (HMAC_Update(hctx, etick, eticklen) <= 0 1460e71b7053SJung-uk Kim || HMAC_Final(hctx, tick_hmac, NULL) <= 0) { 1461e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1462e71b7053SJung-uk Kim goto end; 146380815a77SJung-uk Kim } 1464e71b7053SJung-uk Kim 14656f9291ceSJung-uk Kim if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 1466e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1467e71b7053SJung-uk Kim goto end; 1468fa5fddf1SJung-uk Kim } 1469db522d3aSSimon L. B. Nielsen /* Attempt to decrypt session data */ 1470db522d3aSSimon L. B. Nielsen /* Move p after IV to start of encrypted ticket, update length */ 1471e71b7053SJung-uk Kim p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); 1472e71b7053SJung-uk Kim eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); 1473db522d3aSSimon L. B. Nielsen sdec = OPENSSL_malloc(eticklen); 1474e71b7053SJung-uk Kim if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, 1475e71b7053SJung-uk Kim (int)eticklen) <= 0) { 1476b8721c16SJung-uk Kim OPENSSL_free(sdec); 1477e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1478e71b7053SJung-uk Kim goto end; 1479db522d3aSSimon L. B. Nielsen } 1480e71b7053SJung-uk Kim if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) { 1481a93cbc2bSJung-uk Kim OPENSSL_free(sdec); 1482e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1483e71b7053SJung-uk Kim goto end; 1484a93cbc2bSJung-uk Kim } 1485e71b7053SJung-uk Kim slen += declen; 1486db522d3aSSimon L. B. Nielsen p = sdec; 1487db522d3aSSimon L. B. Nielsen 1488db522d3aSSimon L. B. Nielsen sess = d2i_SSL_SESSION(NULL, &p, slen); 1489ed7112f0SJung-uk Kim slen -= p - sdec; 1490db522d3aSSimon L. B. Nielsen OPENSSL_free(sdec); 14916f9291ceSJung-uk Kim if (sess) { 1492ed7112f0SJung-uk Kim /* Some additional consistency checks */ 1493e71b7053SJung-uk Kim if (slen != 0) { 1494ed7112f0SJung-uk Kim SSL_SESSION_free(sess); 1495e71b7053SJung-uk Kim sess = NULL; 1496e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1497e71b7053SJung-uk Kim goto end; 1498ed7112f0SJung-uk Kim } 14996f9291ceSJung-uk Kim /* 15006f9291ceSJung-uk Kim * The session ID, if non-empty, is used by some clients to detect 15016f9291ceSJung-uk Kim * that the ticket has been accepted. So we copy it to the session 15026f9291ceSJung-uk Kim * structure. If it is empty set length to zero as required by 15036f9291ceSJung-uk Kim * standard. 1504db522d3aSSimon L. B. Nielsen */ 1505e71b7053SJung-uk Kim if (sesslen) { 1506db522d3aSSimon L. B. Nielsen memcpy(sess->session_id, sess_id, sesslen); 1507db522d3aSSimon L. B. Nielsen sess->session_id_length = sesslen; 1508e71b7053SJung-uk Kim } 15091f13597dSJung-uk Kim if (renew_ticket) 1510e71b7053SJung-uk Kim ret = SSL_TICKET_SUCCESS_RENEW; 15111f13597dSJung-uk Kim else 1512e71b7053SJung-uk Kim ret = SSL_TICKET_SUCCESS; 1513e71b7053SJung-uk Kim goto end; 15141f13597dSJung-uk Kim } 15151f13597dSJung-uk Kim ERR_clear_error(); 15166f9291ceSJung-uk Kim /* 15176f9291ceSJung-uk Kim * For session parse failure, indicate that we need to send a new ticket. 15186f9291ceSJung-uk Kim */ 1519e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 15201f13597dSJung-uk Kim 1521e71b7053SJung-uk Kim end: 1522e71b7053SJung-uk Kim EVP_CIPHER_CTX_free(ctx); 1523e71b7053SJung-uk Kim HMAC_CTX_free(hctx); 15241f13597dSJung-uk Kim 1525e71b7053SJung-uk Kim /* 1526e71b7053SJung-uk Kim * If set, the decrypt_ticket_cb() is called unless a fatal error was 1527e71b7053SJung-uk Kim * detected above. The callback is responsible for checking |ret| before it 1528e71b7053SJung-uk Kim * performs any action 1529e71b7053SJung-uk Kim */ 1530e71b7053SJung-uk Kim if (s->session_ctx->decrypt_ticket_cb != NULL 1531e71b7053SJung-uk Kim && (ret == SSL_TICKET_EMPTY 1532e71b7053SJung-uk Kim || ret == SSL_TICKET_NO_DECRYPT 1533e71b7053SJung-uk Kim || ret == SSL_TICKET_SUCCESS 1534e71b7053SJung-uk Kim || ret == SSL_TICKET_SUCCESS_RENEW)) { 1535e71b7053SJung-uk Kim size_t keyname_len = eticklen; 1536e71b7053SJung-uk Kim int retcb; 15371f13597dSJung-uk Kim 1538e71b7053SJung-uk Kim if (keyname_len > TLSEXT_KEYNAME_LENGTH) 1539e71b7053SJung-uk Kim keyname_len = TLSEXT_KEYNAME_LENGTH; 1540e71b7053SJung-uk Kim retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len, 1541e71b7053SJung-uk Kim ret, 1542e71b7053SJung-uk Kim s->session_ctx->ticket_cb_data); 1543e71b7053SJung-uk Kim switch (retcb) { 1544e71b7053SJung-uk Kim case SSL_TICKET_RETURN_ABORT: 1545e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1546e71b7053SJung-uk Kim break; 15471f13597dSJung-uk Kim 1548e71b7053SJung-uk Kim case SSL_TICKET_RETURN_IGNORE: 1549e71b7053SJung-uk Kim ret = SSL_TICKET_NONE; 1550e71b7053SJung-uk Kim SSL_SESSION_free(sess); 1551e71b7053SJung-uk Kim sess = NULL; 1552e71b7053SJung-uk Kim break; 15531f13597dSJung-uk Kim 1554e71b7053SJung-uk Kim case SSL_TICKET_RETURN_IGNORE_RENEW: 1555e71b7053SJung-uk Kim if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT) 1556e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1557e71b7053SJung-uk Kim /* else the value of |ret| will already do the right thing */ 1558e71b7053SJung-uk Kim SSL_SESSION_free(sess); 1559e71b7053SJung-uk Kim sess = NULL; 1560e71b7053SJung-uk Kim break; 15616f9291ceSJung-uk Kim 1562e71b7053SJung-uk Kim case SSL_TICKET_RETURN_USE: 1563e71b7053SJung-uk Kim case SSL_TICKET_RETURN_USE_RENEW: 1564e71b7053SJung-uk Kim if (ret != SSL_TICKET_SUCCESS 1565e71b7053SJung-uk Kim && ret != SSL_TICKET_SUCCESS_RENEW) 1566e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1567e71b7053SJung-uk Kim else if (retcb == SSL_TICKET_RETURN_USE) 1568e71b7053SJung-uk Kim ret = SSL_TICKET_SUCCESS; 1569e71b7053SJung-uk Kim else 1570e71b7053SJung-uk Kim ret = SSL_TICKET_SUCCESS_RENEW; 1571e71b7053SJung-uk Kim break; 15721f13597dSJung-uk Kim 15731f13597dSJung-uk Kim default: 1574e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 15751f13597dSJung-uk Kim } 15761f13597dSJung-uk Kim } 15771f13597dSJung-uk Kim 1578e71b7053SJung-uk Kim if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) { 1579e71b7053SJung-uk Kim switch (ret) { 1580e71b7053SJung-uk Kim case SSL_TICKET_NO_DECRYPT: 1581e71b7053SJung-uk Kim case SSL_TICKET_SUCCESS_RENEW: 1582e71b7053SJung-uk Kim case SSL_TICKET_EMPTY: 1583e71b7053SJung-uk Kim s->ext.ticket_expected = 1; 1584e71b7053SJung-uk Kim } 1585e71b7053SJung-uk Kim } 1586e71b7053SJung-uk Kim 1587e71b7053SJung-uk Kim *psess = sess; 1588e71b7053SJung-uk Kim 1589e71b7053SJung-uk Kim return ret; 1590e71b7053SJung-uk Kim } 1591e71b7053SJung-uk Kim 1592e71b7053SJung-uk Kim /* Check to see if a signature algorithm is allowed */ 1593*17f01e99SJung-uk Kim static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) 15947bded2dbSJung-uk Kim { 1595e71b7053SJung-uk Kim unsigned char sigalgstr[2]; 1596e71b7053SJung-uk Kim int secbits; 1597e71b7053SJung-uk Kim 1598e71b7053SJung-uk Kim /* See if sigalgs is recognised and if hash is enabled */ 1599e71b7053SJung-uk Kim if (!tls1_lookup_md(lu, NULL)) 1600e71b7053SJung-uk Kim return 0; 1601e71b7053SJung-uk Kim /* DSA is not allowed in TLS 1.3 */ 1602e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) 1603e71b7053SJung-uk Kim return 0; 1604e71b7053SJung-uk Kim /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */ 1605e71b7053SJung-uk Kim if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION 1606e71b7053SJung-uk Kim && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX 1607e71b7053SJung-uk Kim || lu->hash_idx == SSL_MD_MD5_IDX 1608e71b7053SJung-uk Kim || lu->hash_idx == SSL_MD_SHA224_IDX)) 1609e71b7053SJung-uk Kim return 0; 1610e71b7053SJung-uk Kim 1611e71b7053SJung-uk Kim /* See if public key algorithm allowed */ 1612e71b7053SJung-uk Kim if (ssl_cert_is_disabled(lu->sig_idx)) 1613e71b7053SJung-uk Kim return 0; 1614e71b7053SJung-uk Kim 1615e71b7053SJung-uk Kim if (lu->sig == NID_id_GostR3410_2012_256 1616e71b7053SJung-uk Kim || lu->sig == NID_id_GostR3410_2012_512 1617e71b7053SJung-uk Kim || lu->sig == NID_id_GostR3410_2001) { 1618e71b7053SJung-uk Kim /* We never allow GOST sig algs on the server with TLSv1.3 */ 1619e71b7053SJung-uk Kim if (s->server && SSL_IS_TLS13(s)) 1620e71b7053SJung-uk Kim return 0; 1621e71b7053SJung-uk Kim if (!s->server 1622e71b7053SJung-uk Kim && s->method->version == TLS_ANY_VERSION 1623e71b7053SJung-uk Kim && s->s3->tmp.max_ver >= TLS1_3_VERSION) { 1624e71b7053SJung-uk Kim int i, num; 1625e71b7053SJung-uk Kim STACK_OF(SSL_CIPHER) *sk; 1626e71b7053SJung-uk Kim 1627e71b7053SJung-uk Kim /* 1628e71b7053SJung-uk Kim * We're a client that could negotiate TLSv1.3. We only allow GOST 1629e71b7053SJung-uk Kim * sig algs if we could negotiate TLSv1.2 or below and we have GOST 1630e71b7053SJung-uk Kim * ciphersuites enabled. 1631e71b7053SJung-uk Kim */ 1632e71b7053SJung-uk Kim 1633e71b7053SJung-uk Kim if (s->s3->tmp.min_ver >= TLS1_3_VERSION) 1634e71b7053SJung-uk Kim return 0; 1635e71b7053SJung-uk Kim 1636e71b7053SJung-uk Kim sk = SSL_get_ciphers(s); 1637e71b7053SJung-uk Kim num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0; 1638e71b7053SJung-uk Kim for (i = 0; i < num; i++) { 1639e71b7053SJung-uk Kim const SSL_CIPHER *c; 1640e71b7053SJung-uk Kim 1641e71b7053SJung-uk Kim c = sk_SSL_CIPHER_value(sk, i); 1642e71b7053SJung-uk Kim /* Skip disabled ciphers */ 1643e71b7053SJung-uk Kim if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 1644e71b7053SJung-uk Kim continue; 1645e71b7053SJung-uk Kim 1646e71b7053SJung-uk Kim if ((c->algorithm_mkey & SSL_kGOST) != 0) 1647e71b7053SJung-uk Kim break; 16487bded2dbSJung-uk Kim } 1649e71b7053SJung-uk Kim if (i == num) 1650e71b7053SJung-uk Kim return 0; 1651e71b7053SJung-uk Kim } 16527bded2dbSJung-uk Kim } 16537bded2dbSJung-uk Kim 1654e71b7053SJung-uk Kim /* Finally see if security callback allows it */ 1655*17f01e99SJung-uk Kim secbits = sigalg_security_bits(lu); 1656e71b7053SJung-uk Kim sigalgstr[0] = (lu->sigalg >> 8) & 0xff; 1657e71b7053SJung-uk Kim sigalgstr[1] = lu->sigalg & 0xff; 1658e71b7053SJung-uk Kim return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr); 1659e71b7053SJung-uk Kim } 1660e71b7053SJung-uk Kim 1661e71b7053SJung-uk Kim /* 1662e71b7053SJung-uk Kim * Get a mask of disabled public key algorithms based on supported signature 1663e71b7053SJung-uk Kim * algorithms. For example if no signature algorithm supports RSA then RSA is 1664e71b7053SJung-uk Kim * disabled. 1665e71b7053SJung-uk Kim */ 1666e71b7053SJung-uk Kim 1667e71b7053SJung-uk Kim void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) 16687bded2dbSJung-uk Kim { 1669e71b7053SJung-uk Kim const uint16_t *sigalgs; 1670e71b7053SJung-uk Kim size_t i, sigalgslen; 1671e71b7053SJung-uk Kim uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA; 1672e71b7053SJung-uk Kim /* 1673e71b7053SJung-uk Kim * Go through all signature algorithms seeing if we support any 1674e71b7053SJung-uk Kim * in disabled_mask. 1675e71b7053SJung-uk Kim */ 1676e71b7053SJung-uk Kim sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs); 1677e71b7053SJung-uk Kim for (i = 0; i < sigalgslen; i++, sigalgs++) { 1678e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs); 1679e71b7053SJung-uk Kim const SSL_CERT_LOOKUP *clu; 1680e71b7053SJung-uk Kim 1681e71b7053SJung-uk Kim if (lu == NULL) 1682e71b7053SJung-uk Kim continue; 1683e71b7053SJung-uk Kim 1684e71b7053SJung-uk Kim clu = ssl_cert_lookup_by_idx(lu->sig_idx); 1685e71b7053SJung-uk Kim if (clu == NULL) 1686e71b7053SJung-uk Kim continue; 1687e71b7053SJung-uk Kim 1688e71b7053SJung-uk Kim /* If algorithm is disabled see if we can enable it */ 1689e71b7053SJung-uk Kim if ((clu->amask & disabled_mask) != 0 1690e71b7053SJung-uk Kim && tls12_sigalg_allowed(s, op, lu)) 1691e71b7053SJung-uk Kim disabled_mask &= ~clu->amask; 16927bded2dbSJung-uk Kim } 1693e71b7053SJung-uk Kim *pmask_a |= disabled_mask; 16947bded2dbSJung-uk Kim } 1695e71b7053SJung-uk Kim 1696e71b7053SJung-uk Kim int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, 1697e71b7053SJung-uk Kim const uint16_t *psig, size_t psiglen) 1698e71b7053SJung-uk Kim { 1699e71b7053SJung-uk Kim size_t i; 1700e71b7053SJung-uk Kim int rv = 0; 1701e71b7053SJung-uk Kim 1702e71b7053SJung-uk Kim for (i = 0; i < psiglen; i++, psig++) { 1703e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig); 1704e71b7053SJung-uk Kim 1705e71b7053SJung-uk Kim if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 1706e71b7053SJung-uk Kim continue; 1707e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u16(pkt, *psig)) 1708e71b7053SJung-uk Kim return 0; 1709e71b7053SJung-uk Kim /* 1710e71b7053SJung-uk Kim * If TLS 1.3 must have at least one valid TLS 1.3 message 1711e71b7053SJung-uk Kim * signing algorithm: i.e. neither RSA nor SHA1/SHA224 1712e71b7053SJung-uk Kim */ 1713e71b7053SJung-uk Kim if (rv == 0 && (!SSL_IS_TLS13(s) 1714e71b7053SJung-uk Kim || (lu->sig != EVP_PKEY_RSA 1715e71b7053SJung-uk Kim && lu->hash != NID_sha1 1716e71b7053SJung-uk Kim && lu->hash != NID_sha224))) 1717e71b7053SJung-uk Kim rv = 1; 17187bded2dbSJung-uk Kim } 1719e71b7053SJung-uk Kim if (rv == 0) 1720e71b7053SJung-uk Kim SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 1721e71b7053SJung-uk Kim return rv; 17227bded2dbSJung-uk Kim } 17237bded2dbSJung-uk Kim 17247bded2dbSJung-uk Kim /* Given preference and allowed sigalgs set shared sigalgs */ 1725e71b7053SJung-uk Kim static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig, 1726e71b7053SJung-uk Kim const uint16_t *pref, size_t preflen, 1727e71b7053SJung-uk Kim const uint16_t *allow, size_t allowlen) 17287bded2dbSJung-uk Kim { 1729e71b7053SJung-uk Kim const uint16_t *ptmp, *atmp; 17307bded2dbSJung-uk Kim size_t i, j, nmatch = 0; 1731e71b7053SJung-uk Kim for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { 1732e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp); 1733e71b7053SJung-uk Kim 17347bded2dbSJung-uk Kim /* Skip disabled hashes or signature algorithms */ 1735e71b7053SJung-uk Kim if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) 17367bded2dbSJung-uk Kim continue; 1737e71b7053SJung-uk Kim for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { 1738e71b7053SJung-uk Kim if (*ptmp == *atmp) { 17397bded2dbSJung-uk Kim nmatch++; 1740e71b7053SJung-uk Kim if (shsig) 1741e71b7053SJung-uk Kim *shsig++ = lu; 17427bded2dbSJung-uk Kim break; 17437bded2dbSJung-uk Kim } 17447bded2dbSJung-uk Kim } 17457bded2dbSJung-uk Kim } 17467bded2dbSJung-uk Kim return nmatch; 17477bded2dbSJung-uk Kim } 17487bded2dbSJung-uk Kim 17497bded2dbSJung-uk Kim /* Set shared signature algorithms for SSL structures */ 17507bded2dbSJung-uk Kim static int tls1_set_shared_sigalgs(SSL *s) 17517bded2dbSJung-uk Kim { 1752e71b7053SJung-uk Kim const uint16_t *pref, *allow, *conf; 17537bded2dbSJung-uk Kim size_t preflen, allowlen, conflen; 17547bded2dbSJung-uk Kim size_t nmatch; 1755e71b7053SJung-uk Kim const SIGALG_LOOKUP **salgs = NULL; 17567bded2dbSJung-uk Kim CERT *c = s->cert; 17577bded2dbSJung-uk Kim unsigned int is_suiteb = tls1_suiteb(s); 1758e71b7053SJung-uk Kim 1759da327cd2SJung-uk Kim OPENSSL_free(s->shared_sigalgs); 1760da327cd2SJung-uk Kim s->shared_sigalgs = NULL; 1761da327cd2SJung-uk Kim s->shared_sigalgslen = 0; 17627bded2dbSJung-uk Kim /* If client use client signature algorithms if not NULL */ 17637bded2dbSJung-uk Kim if (!s->server && c->client_sigalgs && !is_suiteb) { 17647bded2dbSJung-uk Kim conf = c->client_sigalgs; 17657bded2dbSJung-uk Kim conflen = c->client_sigalgslen; 17667bded2dbSJung-uk Kim } else if (c->conf_sigalgs && !is_suiteb) { 17677bded2dbSJung-uk Kim conf = c->conf_sigalgs; 17687bded2dbSJung-uk Kim conflen = c->conf_sigalgslen; 17697bded2dbSJung-uk Kim } else 1770ed7112f0SJung-uk Kim conflen = tls12_get_psigalgs(s, 0, &conf); 17717bded2dbSJung-uk Kim if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { 17727bded2dbSJung-uk Kim pref = conf; 17737bded2dbSJung-uk Kim preflen = conflen; 1774e71b7053SJung-uk Kim allow = s->s3->tmp.peer_sigalgs; 1775e71b7053SJung-uk Kim allowlen = s->s3->tmp.peer_sigalgslen; 17767bded2dbSJung-uk Kim } else { 17777bded2dbSJung-uk Kim allow = conf; 17787bded2dbSJung-uk Kim allowlen = conflen; 1779e71b7053SJung-uk Kim pref = s->s3->tmp.peer_sigalgs; 1780e71b7053SJung-uk Kim preflen = s->s3->tmp.peer_sigalgslen; 17817bded2dbSJung-uk Kim } 1782e71b7053SJung-uk Kim nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); 17837bded2dbSJung-uk Kim if (nmatch) { 1784e71b7053SJung-uk Kim if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) { 1785e71b7053SJung-uk Kim SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE); 17867bded2dbSJung-uk Kim return 0; 1787e71b7053SJung-uk Kim } 1788e71b7053SJung-uk Kim nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); 17897bded2dbSJung-uk Kim } else { 17907bded2dbSJung-uk Kim salgs = NULL; 17917bded2dbSJung-uk Kim } 1792da327cd2SJung-uk Kim s->shared_sigalgs = salgs; 1793da327cd2SJung-uk Kim s->shared_sigalgslen = nmatch; 17947bded2dbSJung-uk Kim return 1; 17957bded2dbSJung-uk Kim } 17967bded2dbSJung-uk Kim 1797e71b7053SJung-uk Kim int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) 17981f13597dSJung-uk Kim { 1799e71b7053SJung-uk Kim unsigned int stmp; 1800e71b7053SJung-uk Kim size_t size, i; 1801e71b7053SJung-uk Kim uint16_t *buf; 1802e71b7053SJung-uk Kim 1803e71b7053SJung-uk Kim size = PACKET_remaining(pkt); 1804e71b7053SJung-uk Kim 1805e71b7053SJung-uk Kim /* Invalid data length */ 1806e71b7053SJung-uk Kim if (size == 0 || (size & 1) != 0) 1807e71b7053SJung-uk Kim return 0; 1808e71b7053SJung-uk Kim 1809e71b7053SJung-uk Kim size >>= 1; 1810e71b7053SJung-uk Kim 1811e71b7053SJung-uk Kim if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) { 1812e71b7053SJung-uk Kim SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE); 1813e71b7053SJung-uk Kim return 0; 1814e71b7053SJung-uk Kim } 1815e71b7053SJung-uk Kim for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) 1816e71b7053SJung-uk Kim buf[i] = stmp; 1817e71b7053SJung-uk Kim 1818e71b7053SJung-uk Kim if (i != size) { 1819e71b7053SJung-uk Kim OPENSSL_free(buf); 1820e71b7053SJung-uk Kim return 0; 1821e71b7053SJung-uk Kim } 1822e71b7053SJung-uk Kim 1823e71b7053SJung-uk Kim OPENSSL_free(*pdest); 1824e71b7053SJung-uk Kim *pdest = buf; 1825e71b7053SJung-uk Kim *pdestlen = size; 1826e71b7053SJung-uk Kim 1827e71b7053SJung-uk Kim return 1; 1828e71b7053SJung-uk Kim } 1829e71b7053SJung-uk Kim 1830e71b7053SJung-uk Kim int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert) 1831e71b7053SJung-uk Kim { 18327bded2dbSJung-uk Kim /* Extension ignored for inappropriate versions */ 18337bded2dbSJung-uk Kim if (!SSL_USE_SIGALGS(s)) 18341f13597dSJung-uk Kim return 1; 18351f13597dSJung-uk Kim /* Should never happen */ 1836e71b7053SJung-uk Kim if (s->cert == NULL) 18371f13597dSJung-uk Kim return 0; 18381f13597dSJung-uk Kim 1839e71b7053SJung-uk Kim if (cert) 1840e71b7053SJung-uk Kim return tls1_save_u16(pkt, &s->s3->tmp.peer_cert_sigalgs, 1841e71b7053SJung-uk Kim &s->s3->tmp.peer_cert_sigalgslen); 1842e71b7053SJung-uk Kim else 1843e71b7053SJung-uk Kim return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs, 1844e71b7053SJung-uk Kim &s->s3->tmp.peer_sigalgslen); 1845e71b7053SJung-uk Kim 18461f13597dSJung-uk Kim } 18471f13597dSJung-uk Kim 1848e71b7053SJung-uk Kim /* Set preferred digest for each key type */ 1849e71b7053SJung-uk Kim 18507bded2dbSJung-uk Kim int tls1_process_sigalgs(SSL *s) 18517bded2dbSJung-uk Kim { 18527bded2dbSJung-uk Kim size_t i; 1853e71b7053SJung-uk Kim uint32_t *pvalid = s->s3->tmp.valid_flags; 1854e71b7053SJung-uk Kim 18557bded2dbSJung-uk Kim if (!tls1_set_shared_sigalgs(s)) 18567bded2dbSJung-uk Kim return 0; 18577bded2dbSJung-uk Kim 1858e71b7053SJung-uk Kim for (i = 0; i < SSL_PKEY_NUM; i++) 1859e71b7053SJung-uk Kim pvalid[i] = 0; 18607bded2dbSJung-uk Kim 1861da327cd2SJung-uk Kim for (i = 0; i < s->shared_sigalgslen; i++) { 1862da327cd2SJung-uk Kim const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i]; 1863e71b7053SJung-uk Kim int idx = sigptr->sig_idx; 18641f13597dSJung-uk Kim 1865e71b7053SJung-uk Kim /* Ignore PKCS1 based sig algs in TLSv1.3 */ 1866e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) 1867e71b7053SJung-uk Kim continue; 1868e71b7053SJung-uk Kim /* If not disabled indicate we can explicitly sign */ 1869e71b7053SJung-uk Kim if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx)) 1870e71b7053SJung-uk Kim pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 18717bded2dbSJung-uk Kim } 18721f13597dSJung-uk Kim return 1; 18731f13597dSJung-uk Kim } 18741f13597dSJung-uk Kim 18757bded2dbSJung-uk Kim int SSL_get_sigalgs(SSL *s, int idx, 18767bded2dbSJung-uk Kim int *psign, int *phash, int *psignhash, 18777bded2dbSJung-uk Kim unsigned char *rsig, unsigned char *rhash) 18787bded2dbSJung-uk Kim { 1879e71b7053SJung-uk Kim uint16_t *psig = s->s3->tmp.peer_sigalgs; 1880e71b7053SJung-uk Kim size_t numsigalgs = s->s3->tmp.peer_sigalgslen; 1881e71b7053SJung-uk Kim if (psig == NULL || numsigalgs > INT_MAX) 18827bded2dbSJung-uk Kim return 0; 18837bded2dbSJung-uk Kim if (idx >= 0) { 1884e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu; 1885e71b7053SJung-uk Kim 1886e71b7053SJung-uk Kim if (idx >= (int)numsigalgs) 18877bded2dbSJung-uk Kim return 0; 18887bded2dbSJung-uk Kim psig += idx; 1889e71b7053SJung-uk Kim if (rhash != NULL) 1890e71b7053SJung-uk Kim *rhash = (unsigned char)((*psig >> 8) & 0xff); 1891e71b7053SJung-uk Kim if (rsig != NULL) 1892e71b7053SJung-uk Kim *rsig = (unsigned char)(*psig & 0xff); 1893e71b7053SJung-uk Kim lu = tls1_lookup_sigalg(*psig); 1894e71b7053SJung-uk Kim if (psign != NULL) 1895e71b7053SJung-uk Kim *psign = lu != NULL ? lu->sig : NID_undef; 1896e71b7053SJung-uk Kim if (phash != NULL) 1897e71b7053SJung-uk Kim *phash = lu != NULL ? lu->hash : NID_undef; 1898e71b7053SJung-uk Kim if (psignhash != NULL) 1899e71b7053SJung-uk Kim *psignhash = lu != NULL ? lu->sigandhash : NID_undef; 19007bded2dbSJung-uk Kim } 1901e71b7053SJung-uk Kim return (int)numsigalgs; 19027bded2dbSJung-uk Kim } 19037bded2dbSJung-uk Kim 19047bded2dbSJung-uk Kim int SSL_get_shared_sigalgs(SSL *s, int idx, 19057bded2dbSJung-uk Kim int *psign, int *phash, int *psignhash, 19067bded2dbSJung-uk Kim unsigned char *rsig, unsigned char *rhash) 19077bded2dbSJung-uk Kim { 1908e71b7053SJung-uk Kim const SIGALG_LOOKUP *shsigalgs; 1909da327cd2SJung-uk Kim if (s->shared_sigalgs == NULL 1910e71b7053SJung-uk Kim || idx < 0 1911da327cd2SJung-uk Kim || idx >= (int)s->shared_sigalgslen 1912da327cd2SJung-uk Kim || s->shared_sigalgslen > INT_MAX) 19137bded2dbSJung-uk Kim return 0; 1914da327cd2SJung-uk Kim shsigalgs = s->shared_sigalgs[idx]; 1915e71b7053SJung-uk Kim if (phash != NULL) 1916e71b7053SJung-uk Kim *phash = shsigalgs->hash; 1917e71b7053SJung-uk Kim if (psign != NULL) 1918e71b7053SJung-uk Kim *psign = shsigalgs->sig; 1919e71b7053SJung-uk Kim if (psignhash != NULL) 1920e71b7053SJung-uk Kim *psignhash = shsigalgs->sigandhash; 1921e71b7053SJung-uk Kim if (rsig != NULL) 1922e71b7053SJung-uk Kim *rsig = (unsigned char)(shsigalgs->sigalg & 0xff); 1923e71b7053SJung-uk Kim if (rhash != NULL) 1924e71b7053SJung-uk Kim *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff); 1925da327cd2SJung-uk Kim return (int)s->shared_sigalgslen; 19267bded2dbSJung-uk Kim } 19271f13597dSJung-uk Kim 1928e71b7053SJung-uk Kim /* Maximum possible number of unique entries in sigalgs array */ 1929e71b7053SJung-uk Kim #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2) 19307bded2dbSJung-uk Kim 19317bded2dbSJung-uk Kim typedef struct { 19327bded2dbSJung-uk Kim size_t sigalgcnt; 1933e71b7053SJung-uk Kim /* TLSEXT_SIGALG_XXX values */ 1934e71b7053SJung-uk Kim uint16_t sigalgs[TLS_MAX_SIGALGCNT]; 19357bded2dbSJung-uk Kim } sig_cb_st; 19367bded2dbSJung-uk Kim 1937e71b7053SJung-uk Kim static void get_sigorhash(int *psig, int *phash, const char *str) 1938e71b7053SJung-uk Kim { 1939e71b7053SJung-uk Kim if (strcmp(str, "RSA") == 0) { 1940e71b7053SJung-uk Kim *psig = EVP_PKEY_RSA; 1941e71b7053SJung-uk Kim } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) { 1942e71b7053SJung-uk Kim *psig = EVP_PKEY_RSA_PSS; 1943e71b7053SJung-uk Kim } else if (strcmp(str, "DSA") == 0) { 1944e71b7053SJung-uk Kim *psig = EVP_PKEY_DSA; 1945e71b7053SJung-uk Kim } else if (strcmp(str, "ECDSA") == 0) { 1946e71b7053SJung-uk Kim *psig = EVP_PKEY_EC; 1947e71b7053SJung-uk Kim } else { 1948e71b7053SJung-uk Kim *phash = OBJ_sn2nid(str); 1949e71b7053SJung-uk Kim if (*phash == NID_undef) 1950e71b7053SJung-uk Kim *phash = OBJ_ln2nid(str); 1951e71b7053SJung-uk Kim } 1952e71b7053SJung-uk Kim } 1953e71b7053SJung-uk Kim /* Maximum length of a signature algorithm string component */ 1954e71b7053SJung-uk Kim #define TLS_MAX_SIGSTRING_LEN 40 1955e71b7053SJung-uk Kim 19567bded2dbSJung-uk Kim static int sig_cb(const char *elem, int len, void *arg) 19577bded2dbSJung-uk Kim { 19587bded2dbSJung-uk Kim sig_cb_st *sarg = arg; 19597bded2dbSJung-uk Kim size_t i; 1960e71b7053SJung-uk Kim const SIGALG_LOOKUP *s; 1961e71b7053SJung-uk Kim char etmp[TLS_MAX_SIGSTRING_LEN], *p; 1962e71b7053SJung-uk Kim int sig_alg = NID_undef, hash_alg = NID_undef; 19637bded2dbSJung-uk Kim if (elem == NULL) 19647bded2dbSJung-uk Kim return 0; 1965e71b7053SJung-uk Kim if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) 19667bded2dbSJung-uk Kim return 0; 19677bded2dbSJung-uk Kim if (len > (int)(sizeof(etmp) - 1)) 19687bded2dbSJung-uk Kim return 0; 19697bded2dbSJung-uk Kim memcpy(etmp, elem, len); 19707bded2dbSJung-uk Kim etmp[len] = 0; 19717bded2dbSJung-uk Kim p = strchr(etmp, '+'); 1972e71b7053SJung-uk Kim /* 1973e71b7053SJung-uk Kim * We only allow SignatureSchemes listed in the sigalg_lookup_tbl; 1974e71b7053SJung-uk Kim * if there's no '+' in the provided name, look for the new-style combined 1975e71b7053SJung-uk Kim * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP. 1976e71b7053SJung-uk Kim * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and 1977e71b7053SJung-uk Kim * rsa_pss_rsae_* that differ only by public key OID; in such cases 1978e71b7053SJung-uk Kim * we will pick the _rsae_ variant, by virtue of them appearing earlier 1979e71b7053SJung-uk Kim * in the table. 1980e71b7053SJung-uk Kim */ 1981e71b7053SJung-uk Kim if (p == NULL) { 1982e71b7053SJung-uk Kim for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 1983e71b7053SJung-uk Kim i++, s++) { 1984e71b7053SJung-uk Kim if (s->name != NULL && strcmp(etmp, s->name) == 0) { 1985e71b7053SJung-uk Kim sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 1986e71b7053SJung-uk Kim break; 1987e71b7053SJung-uk Kim } 1988e71b7053SJung-uk Kim } 1989e71b7053SJung-uk Kim if (i == OSSL_NELEM(sigalg_lookup_tbl)) 19907bded2dbSJung-uk Kim return 0; 1991e71b7053SJung-uk Kim } else { 19927bded2dbSJung-uk Kim *p = 0; 19937bded2dbSJung-uk Kim p++; 1994e71b7053SJung-uk Kim if (*p == 0) 19957bded2dbSJung-uk Kim return 0; 1996e71b7053SJung-uk Kim get_sigorhash(&sig_alg, &hash_alg, etmp); 1997e71b7053SJung-uk Kim get_sigorhash(&sig_alg, &hash_alg, p); 1998e71b7053SJung-uk Kim if (sig_alg == NID_undef || hash_alg == NID_undef) 19997bded2dbSJung-uk Kim return 0; 2000e71b7053SJung-uk Kim for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2001e71b7053SJung-uk Kim i++, s++) { 2002e71b7053SJung-uk Kim if (s->hash == hash_alg && s->sig == sig_alg) { 2003e71b7053SJung-uk Kim sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2004e71b7053SJung-uk Kim break; 2005e71b7053SJung-uk Kim } 2006e71b7053SJung-uk Kim } 2007e71b7053SJung-uk Kim if (i == OSSL_NELEM(sigalg_lookup_tbl)) 20087bded2dbSJung-uk Kim return 0; 20097bded2dbSJung-uk Kim } 2010e71b7053SJung-uk Kim 2011e71b7053SJung-uk Kim /* Reject duplicates */ 2012e71b7053SJung-uk Kim for (i = 0; i < sarg->sigalgcnt - 1; i++) { 2013e71b7053SJung-uk Kim if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { 2014e71b7053SJung-uk Kim sarg->sigalgcnt--; 2015e71b7053SJung-uk Kim return 0; 2016e71b7053SJung-uk Kim } 2017e71b7053SJung-uk Kim } 20187bded2dbSJung-uk Kim return 1; 20197bded2dbSJung-uk Kim } 20207bded2dbSJung-uk Kim 20217bded2dbSJung-uk Kim /* 2022e71b7053SJung-uk Kim * Set supported signature algorithms based on a colon separated list of the 20237bded2dbSJung-uk Kim * form sig+hash e.g. RSA+SHA512:DSA+SHA512 20247bded2dbSJung-uk Kim */ 20257bded2dbSJung-uk Kim int tls1_set_sigalgs_list(CERT *c, const char *str, int client) 20267bded2dbSJung-uk Kim { 20277bded2dbSJung-uk Kim sig_cb_st sig; 20287bded2dbSJung-uk Kim sig.sigalgcnt = 0; 20297bded2dbSJung-uk Kim if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) 20307bded2dbSJung-uk Kim return 0; 20317bded2dbSJung-uk Kim if (c == NULL) 20327bded2dbSJung-uk Kim return 1; 2033e71b7053SJung-uk Kim return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); 20347bded2dbSJung-uk Kim } 20357bded2dbSJung-uk Kim 2036e71b7053SJung-uk Kim int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, 20377bded2dbSJung-uk Kim int client) 20387bded2dbSJung-uk Kim { 2039e71b7053SJung-uk Kim uint16_t *sigalgs; 20407bded2dbSJung-uk Kim 2041e71b7053SJung-uk Kim if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) { 2042e71b7053SJung-uk Kim SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE); 2043e71b7053SJung-uk Kim return 0; 20447bded2dbSJung-uk Kim } 2045e71b7053SJung-uk Kim memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs)); 20467bded2dbSJung-uk Kim 20477bded2dbSJung-uk Kim if (client) { 20487bded2dbSJung-uk Kim OPENSSL_free(c->client_sigalgs); 20497bded2dbSJung-uk Kim c->client_sigalgs = sigalgs; 20507bded2dbSJung-uk Kim c->client_sigalgslen = salglen; 20517bded2dbSJung-uk Kim } else { 20527bded2dbSJung-uk Kim OPENSSL_free(c->conf_sigalgs); 20537bded2dbSJung-uk Kim c->conf_sigalgs = sigalgs; 20547bded2dbSJung-uk Kim c->conf_sigalgslen = salglen; 20557bded2dbSJung-uk Kim } 20567bded2dbSJung-uk Kim 20577bded2dbSJung-uk Kim return 1; 2058e71b7053SJung-uk Kim } 2059e71b7053SJung-uk Kim 2060e71b7053SJung-uk Kim int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) 2061e71b7053SJung-uk Kim { 2062e71b7053SJung-uk Kim uint16_t *sigalgs, *sptr; 2063e71b7053SJung-uk Kim size_t i; 2064e71b7053SJung-uk Kim 2065e71b7053SJung-uk Kim if (salglen & 1) 2066e71b7053SJung-uk Kim return 0; 2067e71b7053SJung-uk Kim if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) { 2068e71b7053SJung-uk Kim SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE); 2069e71b7053SJung-uk Kim return 0; 2070e71b7053SJung-uk Kim } 2071e71b7053SJung-uk Kim for (i = 0, sptr = sigalgs; i < salglen; i += 2) { 2072e71b7053SJung-uk Kim size_t j; 2073e71b7053SJung-uk Kim const SIGALG_LOOKUP *curr; 2074e71b7053SJung-uk Kim int md_id = *psig_nids++; 2075e71b7053SJung-uk Kim int sig_id = *psig_nids++; 2076e71b7053SJung-uk Kim 2077e71b7053SJung-uk Kim for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl); 2078e71b7053SJung-uk Kim j++, curr++) { 2079e71b7053SJung-uk Kim if (curr->hash == md_id && curr->sig == sig_id) { 2080e71b7053SJung-uk Kim *sptr++ = curr->sigalg; 2081e71b7053SJung-uk Kim break; 2082e71b7053SJung-uk Kim } 2083e71b7053SJung-uk Kim } 2084e71b7053SJung-uk Kim 2085e71b7053SJung-uk Kim if (j == OSSL_NELEM(sigalg_lookup_tbl)) 2086e71b7053SJung-uk Kim goto err; 2087e71b7053SJung-uk Kim } 2088e71b7053SJung-uk Kim 2089e71b7053SJung-uk Kim if (client) { 2090e71b7053SJung-uk Kim OPENSSL_free(c->client_sigalgs); 2091e71b7053SJung-uk Kim c->client_sigalgs = sigalgs; 2092e71b7053SJung-uk Kim c->client_sigalgslen = salglen / 2; 2093e71b7053SJung-uk Kim } else { 2094e71b7053SJung-uk Kim OPENSSL_free(c->conf_sigalgs); 2095e71b7053SJung-uk Kim c->conf_sigalgs = sigalgs; 2096e71b7053SJung-uk Kim c->conf_sigalgslen = salglen / 2; 2097e71b7053SJung-uk Kim } 2098e71b7053SJung-uk Kim 2099e71b7053SJung-uk Kim return 1; 21007bded2dbSJung-uk Kim 21017bded2dbSJung-uk Kim err: 21027bded2dbSJung-uk Kim OPENSSL_free(sigalgs); 21037bded2dbSJung-uk Kim return 0; 21047bded2dbSJung-uk Kim } 21057bded2dbSJung-uk Kim 2106da327cd2SJung-uk Kim static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) 21077bded2dbSJung-uk Kim { 2108da327cd2SJung-uk Kim int sig_nid, use_pc_sigalgs = 0; 21097bded2dbSJung-uk Kim size_t i; 2110da327cd2SJung-uk Kim const SIGALG_LOOKUP *sigalg; 2111da327cd2SJung-uk Kim size_t sigalgslen; 21127bded2dbSJung-uk Kim if (default_nid == -1) 21137bded2dbSJung-uk Kim return 1; 21147bded2dbSJung-uk Kim sig_nid = X509_get_signature_nid(x); 21157bded2dbSJung-uk Kim if (default_nid) 21167bded2dbSJung-uk Kim return sig_nid == default_nid ? 1 : 0; 2117da327cd2SJung-uk Kim 2118da327cd2SJung-uk Kim if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) { 2119da327cd2SJung-uk Kim /* 2120da327cd2SJung-uk Kim * If we're in TLSv1.3 then we only get here if we're checking the 2121da327cd2SJung-uk Kim * chain. If the peer has specified peer_cert_sigalgs then we use them 2122da327cd2SJung-uk Kim * otherwise we default to normal sigalgs. 2123da327cd2SJung-uk Kim */ 2124da327cd2SJung-uk Kim sigalgslen = s->s3->tmp.peer_cert_sigalgslen; 2125da327cd2SJung-uk Kim use_pc_sigalgs = 1; 2126da327cd2SJung-uk Kim } else { 2127da327cd2SJung-uk Kim sigalgslen = s->shared_sigalgslen; 2128da327cd2SJung-uk Kim } 2129da327cd2SJung-uk Kim for (i = 0; i < sigalgslen; i++) { 2130da327cd2SJung-uk Kim sigalg = use_pc_sigalgs 2131da327cd2SJung-uk Kim ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]) 2132da327cd2SJung-uk Kim : s->shared_sigalgs[i]; 2133da327cd2SJung-uk Kim if (sig_nid == sigalg->sigandhash) 21347bded2dbSJung-uk Kim return 1; 2135da327cd2SJung-uk Kim } 21367bded2dbSJung-uk Kim return 0; 21377bded2dbSJung-uk Kim } 21387bded2dbSJung-uk Kim 21397bded2dbSJung-uk Kim /* Check to see if a certificate issuer name matches list of CA names */ 21407bded2dbSJung-uk Kim static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) 21417bded2dbSJung-uk Kim { 21427bded2dbSJung-uk Kim X509_NAME *nm; 21437bded2dbSJung-uk Kim int i; 21447bded2dbSJung-uk Kim nm = X509_get_issuer_name(x); 21457bded2dbSJung-uk Kim for (i = 0; i < sk_X509_NAME_num(names); i++) { 21467bded2dbSJung-uk Kim if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) 21477bded2dbSJung-uk Kim return 1; 21487bded2dbSJung-uk Kim } 21497bded2dbSJung-uk Kim return 0; 21507bded2dbSJung-uk Kim } 21517bded2dbSJung-uk Kim 21527bded2dbSJung-uk Kim /* 21537bded2dbSJung-uk Kim * Check certificate chain is consistent with TLS extensions and is usable by 21547bded2dbSJung-uk Kim * server. This servers two purposes: it allows users to check chains before 21557bded2dbSJung-uk Kim * passing them to the server and it allows the server to check chains before 21567bded2dbSJung-uk Kim * attempting to use them. 21577bded2dbSJung-uk Kim */ 21587bded2dbSJung-uk Kim 2159e71b7053SJung-uk Kim /* Flags which need to be set for a certificate when strict mode not set */ 21607bded2dbSJung-uk Kim 21617bded2dbSJung-uk Kim #define CERT_PKEY_VALID_FLAGS \ 21627bded2dbSJung-uk Kim (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) 21637bded2dbSJung-uk Kim /* Strict mode flags */ 21647bded2dbSJung-uk Kim #define CERT_PKEY_STRICT_FLAGS \ 21657bded2dbSJung-uk Kim (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ 21667bded2dbSJung-uk Kim | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) 21677bded2dbSJung-uk Kim 21687bded2dbSJung-uk Kim int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, 21697bded2dbSJung-uk Kim int idx) 21707bded2dbSJung-uk Kim { 21717bded2dbSJung-uk Kim int i; 21727bded2dbSJung-uk Kim int rv = 0; 21737bded2dbSJung-uk Kim int check_flags = 0, strict_mode; 21747bded2dbSJung-uk Kim CERT_PKEY *cpk = NULL; 21757bded2dbSJung-uk Kim CERT *c = s->cert; 2176e71b7053SJung-uk Kim uint32_t *pvalid; 21777bded2dbSJung-uk Kim unsigned int suiteb_flags = tls1_suiteb(s); 21787bded2dbSJung-uk Kim /* idx == -1 means checking server chains */ 21797bded2dbSJung-uk Kim if (idx != -1) { 21807bded2dbSJung-uk Kim /* idx == -2 means checking client certificate chains */ 21817bded2dbSJung-uk Kim if (idx == -2) { 21827bded2dbSJung-uk Kim cpk = c->key; 2183e71b7053SJung-uk Kim idx = (int)(cpk - c->pkeys); 21847bded2dbSJung-uk Kim } else 21857bded2dbSJung-uk Kim cpk = c->pkeys + idx; 2186e71b7053SJung-uk Kim pvalid = s->s3->tmp.valid_flags + idx; 21877bded2dbSJung-uk Kim x = cpk->x509; 21887bded2dbSJung-uk Kim pk = cpk->privatekey; 21897bded2dbSJung-uk Kim chain = cpk->chain; 21907bded2dbSJung-uk Kim strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; 21917bded2dbSJung-uk Kim /* If no cert or key, forget it */ 21927bded2dbSJung-uk Kim if (!x || !pk) 21937bded2dbSJung-uk Kim goto end; 21947bded2dbSJung-uk Kim } else { 2195e71b7053SJung-uk Kim size_t certidx; 2196e71b7053SJung-uk Kim 21977bded2dbSJung-uk Kim if (!x || !pk) 21987bded2dbSJung-uk Kim return 0; 2199e71b7053SJung-uk Kim 2200e71b7053SJung-uk Kim if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL) 22017bded2dbSJung-uk Kim return 0; 2202e71b7053SJung-uk Kim idx = certidx; 2203e71b7053SJung-uk Kim pvalid = s->s3->tmp.valid_flags + idx; 2204e71b7053SJung-uk Kim 22057bded2dbSJung-uk Kim if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) 22067bded2dbSJung-uk Kim check_flags = CERT_PKEY_STRICT_FLAGS; 22077bded2dbSJung-uk Kim else 22087bded2dbSJung-uk Kim check_flags = CERT_PKEY_VALID_FLAGS; 22097bded2dbSJung-uk Kim strict_mode = 1; 22107bded2dbSJung-uk Kim } 22117bded2dbSJung-uk Kim 22127bded2dbSJung-uk Kim if (suiteb_flags) { 22137bded2dbSJung-uk Kim int ok; 22147bded2dbSJung-uk Kim if (check_flags) 22157bded2dbSJung-uk Kim check_flags |= CERT_PKEY_SUITEB; 22167bded2dbSJung-uk Kim ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); 22177bded2dbSJung-uk Kim if (ok == X509_V_OK) 22187bded2dbSJung-uk Kim rv |= CERT_PKEY_SUITEB; 22197bded2dbSJung-uk Kim else if (!check_flags) 22207bded2dbSJung-uk Kim goto end; 22217bded2dbSJung-uk Kim } 22227bded2dbSJung-uk Kim 22237bded2dbSJung-uk Kim /* 22247bded2dbSJung-uk Kim * Check all signature algorithms are consistent with signature 22257bded2dbSJung-uk Kim * algorithms extension if TLS 1.2 or later and strict mode. 22267bded2dbSJung-uk Kim */ 22277bded2dbSJung-uk Kim if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) { 22287bded2dbSJung-uk Kim int default_nid; 2229e71b7053SJung-uk Kim int rsign = 0; 2230e71b7053SJung-uk Kim if (s->s3->tmp.peer_cert_sigalgs != NULL 2231e71b7053SJung-uk Kim || s->s3->tmp.peer_sigalgs != NULL) { 22327bded2dbSJung-uk Kim default_nid = 0; 22337bded2dbSJung-uk Kim /* If no sigalgs extension use defaults from RFC5246 */ 2234e71b7053SJung-uk Kim } else { 22357bded2dbSJung-uk Kim switch (idx) { 2236e71b7053SJung-uk Kim case SSL_PKEY_RSA: 2237e71b7053SJung-uk Kim rsign = EVP_PKEY_RSA; 22387bded2dbSJung-uk Kim default_nid = NID_sha1WithRSAEncryption; 22397bded2dbSJung-uk Kim break; 22407bded2dbSJung-uk Kim 22417bded2dbSJung-uk Kim case SSL_PKEY_DSA_SIGN: 2242e71b7053SJung-uk Kim rsign = EVP_PKEY_DSA; 22437bded2dbSJung-uk Kim default_nid = NID_dsaWithSHA1; 22447bded2dbSJung-uk Kim break; 22457bded2dbSJung-uk Kim 22467bded2dbSJung-uk Kim case SSL_PKEY_ECC: 2247e71b7053SJung-uk Kim rsign = EVP_PKEY_EC; 22487bded2dbSJung-uk Kim default_nid = NID_ecdsa_with_SHA1; 22497bded2dbSJung-uk Kim break; 22507bded2dbSJung-uk Kim 2251e71b7053SJung-uk Kim case SSL_PKEY_GOST01: 2252e71b7053SJung-uk Kim rsign = NID_id_GostR3410_2001; 2253e71b7053SJung-uk Kim default_nid = NID_id_GostR3411_94_with_GostR3410_2001; 2254e71b7053SJung-uk Kim break; 2255e71b7053SJung-uk Kim 2256e71b7053SJung-uk Kim case SSL_PKEY_GOST12_256: 2257e71b7053SJung-uk Kim rsign = NID_id_GostR3410_2012_256; 2258e71b7053SJung-uk Kim default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256; 2259e71b7053SJung-uk Kim break; 2260e71b7053SJung-uk Kim 2261e71b7053SJung-uk Kim case SSL_PKEY_GOST12_512: 2262e71b7053SJung-uk Kim rsign = NID_id_GostR3410_2012_512; 2263e71b7053SJung-uk Kim default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512; 2264e71b7053SJung-uk Kim break; 2265e71b7053SJung-uk Kim 22667bded2dbSJung-uk Kim default: 22677bded2dbSJung-uk Kim default_nid = -1; 22687bded2dbSJung-uk Kim break; 22697bded2dbSJung-uk Kim } 22707bded2dbSJung-uk Kim } 22717bded2dbSJung-uk Kim /* 22727bded2dbSJung-uk Kim * If peer sent no signature algorithms extension and we have set 22737bded2dbSJung-uk Kim * preferred signature algorithms check we support sha1. 22747bded2dbSJung-uk Kim */ 22757bded2dbSJung-uk Kim if (default_nid > 0 && c->conf_sigalgs) { 22767bded2dbSJung-uk Kim size_t j; 2277e71b7053SJung-uk Kim const uint16_t *p = c->conf_sigalgs; 2278e71b7053SJung-uk Kim for (j = 0; j < c->conf_sigalgslen; j++, p++) { 2279e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p); 2280e71b7053SJung-uk Kim 2281e71b7053SJung-uk Kim if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign) 22827bded2dbSJung-uk Kim break; 22837bded2dbSJung-uk Kim } 22847bded2dbSJung-uk Kim if (j == c->conf_sigalgslen) { 22857bded2dbSJung-uk Kim if (check_flags) 22867bded2dbSJung-uk Kim goto skip_sigs; 22877bded2dbSJung-uk Kim else 22887bded2dbSJung-uk Kim goto end; 22897bded2dbSJung-uk Kim } 22907bded2dbSJung-uk Kim } 22917bded2dbSJung-uk Kim /* Check signature algorithm of each cert in chain */ 2292da327cd2SJung-uk Kim if (SSL_IS_TLS13(s)) { 2293da327cd2SJung-uk Kim /* 2294da327cd2SJung-uk Kim * We only get here if the application has called SSL_check_chain(), 2295da327cd2SJung-uk Kim * so check_flags is always set. 2296da327cd2SJung-uk Kim */ 2297da327cd2SJung-uk Kim if (find_sig_alg(s, x, pk) != NULL) 2298da327cd2SJung-uk Kim rv |= CERT_PKEY_EE_SIGNATURE; 2299da327cd2SJung-uk Kim } else if (!tls1_check_sig_alg(s, x, default_nid)) { 23007bded2dbSJung-uk Kim if (!check_flags) 23017bded2dbSJung-uk Kim goto end; 23027bded2dbSJung-uk Kim } else 23037bded2dbSJung-uk Kim rv |= CERT_PKEY_EE_SIGNATURE; 23047bded2dbSJung-uk Kim rv |= CERT_PKEY_CA_SIGNATURE; 23057bded2dbSJung-uk Kim for (i = 0; i < sk_X509_num(chain); i++) { 2306da327cd2SJung-uk Kim if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) { 23077bded2dbSJung-uk Kim if (check_flags) { 23087bded2dbSJung-uk Kim rv &= ~CERT_PKEY_CA_SIGNATURE; 23097bded2dbSJung-uk Kim break; 23107bded2dbSJung-uk Kim } else 23117bded2dbSJung-uk Kim goto end; 23127bded2dbSJung-uk Kim } 23137bded2dbSJung-uk Kim } 23147bded2dbSJung-uk Kim } 23157bded2dbSJung-uk Kim /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ 23167bded2dbSJung-uk Kim else if (check_flags) 23177bded2dbSJung-uk Kim rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; 23187bded2dbSJung-uk Kim skip_sigs: 23197bded2dbSJung-uk Kim /* Check cert parameters are consistent */ 2320e71b7053SJung-uk Kim if (tls1_check_cert_param(s, x, 1)) 23217bded2dbSJung-uk Kim rv |= CERT_PKEY_EE_PARAM; 23227bded2dbSJung-uk Kim else if (!check_flags) 23237bded2dbSJung-uk Kim goto end; 23247bded2dbSJung-uk Kim if (!s->server) 23257bded2dbSJung-uk Kim rv |= CERT_PKEY_CA_PARAM; 23267bded2dbSJung-uk Kim /* In strict mode check rest of chain too */ 23277bded2dbSJung-uk Kim else if (strict_mode) { 23287bded2dbSJung-uk Kim rv |= CERT_PKEY_CA_PARAM; 23297bded2dbSJung-uk Kim for (i = 0; i < sk_X509_num(chain); i++) { 23307bded2dbSJung-uk Kim X509 *ca = sk_X509_value(chain, i); 23317bded2dbSJung-uk Kim if (!tls1_check_cert_param(s, ca, 0)) { 23327bded2dbSJung-uk Kim if (check_flags) { 23337bded2dbSJung-uk Kim rv &= ~CERT_PKEY_CA_PARAM; 23347bded2dbSJung-uk Kim break; 23357bded2dbSJung-uk Kim } else 23367bded2dbSJung-uk Kim goto end; 23377bded2dbSJung-uk Kim } 23387bded2dbSJung-uk Kim } 23397bded2dbSJung-uk Kim } 23407bded2dbSJung-uk Kim if (!s->server && strict_mode) { 23417bded2dbSJung-uk Kim STACK_OF(X509_NAME) *ca_dn; 23427bded2dbSJung-uk Kim int check_type = 0; 2343e71b7053SJung-uk Kim switch (EVP_PKEY_id(pk)) { 23447bded2dbSJung-uk Kim case EVP_PKEY_RSA: 23457bded2dbSJung-uk Kim check_type = TLS_CT_RSA_SIGN; 23467bded2dbSJung-uk Kim break; 23477bded2dbSJung-uk Kim case EVP_PKEY_DSA: 23487bded2dbSJung-uk Kim check_type = TLS_CT_DSS_SIGN; 23497bded2dbSJung-uk Kim break; 23507bded2dbSJung-uk Kim case EVP_PKEY_EC: 23517bded2dbSJung-uk Kim check_type = TLS_CT_ECDSA_SIGN; 23527bded2dbSJung-uk Kim break; 23537bded2dbSJung-uk Kim } 23547bded2dbSJung-uk Kim if (check_type) { 2355e71b7053SJung-uk Kim const uint8_t *ctypes = s->s3->tmp.ctype; 2356e71b7053SJung-uk Kim size_t j; 2357e71b7053SJung-uk Kim 2358e71b7053SJung-uk Kim for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) { 2359e71b7053SJung-uk Kim if (*ctypes == check_type) { 23607bded2dbSJung-uk Kim rv |= CERT_PKEY_CERT_TYPE; 23617bded2dbSJung-uk Kim break; 23627bded2dbSJung-uk Kim } 23637bded2dbSJung-uk Kim } 23647bded2dbSJung-uk Kim if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) 23657bded2dbSJung-uk Kim goto end; 2366e71b7053SJung-uk Kim } else { 23677bded2dbSJung-uk Kim rv |= CERT_PKEY_CERT_TYPE; 2368e71b7053SJung-uk Kim } 23697bded2dbSJung-uk Kim 2370e71b7053SJung-uk Kim ca_dn = s->s3->tmp.peer_ca_names; 23717bded2dbSJung-uk Kim 23727bded2dbSJung-uk Kim if (!sk_X509_NAME_num(ca_dn)) 23737bded2dbSJung-uk Kim rv |= CERT_PKEY_ISSUER_NAME; 23747bded2dbSJung-uk Kim 23757bded2dbSJung-uk Kim if (!(rv & CERT_PKEY_ISSUER_NAME)) { 23767bded2dbSJung-uk Kim if (ssl_check_ca_name(ca_dn, x)) 23777bded2dbSJung-uk Kim rv |= CERT_PKEY_ISSUER_NAME; 23787bded2dbSJung-uk Kim } 23797bded2dbSJung-uk Kim if (!(rv & CERT_PKEY_ISSUER_NAME)) { 23807bded2dbSJung-uk Kim for (i = 0; i < sk_X509_num(chain); i++) { 23817bded2dbSJung-uk Kim X509 *xtmp = sk_X509_value(chain, i); 23827bded2dbSJung-uk Kim if (ssl_check_ca_name(ca_dn, xtmp)) { 23837bded2dbSJung-uk Kim rv |= CERT_PKEY_ISSUER_NAME; 23847bded2dbSJung-uk Kim break; 23857bded2dbSJung-uk Kim } 23867bded2dbSJung-uk Kim } 23877bded2dbSJung-uk Kim } 23887bded2dbSJung-uk Kim if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) 23897bded2dbSJung-uk Kim goto end; 23907bded2dbSJung-uk Kim } else 23917bded2dbSJung-uk Kim rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE; 23927bded2dbSJung-uk Kim 23937bded2dbSJung-uk Kim if (!check_flags || (rv & check_flags) == check_flags) 23947bded2dbSJung-uk Kim rv |= CERT_PKEY_VALID; 23957bded2dbSJung-uk Kim 23967bded2dbSJung-uk Kim end: 23977bded2dbSJung-uk Kim 2398e71b7053SJung-uk Kim if (TLS1_get_version(s) >= TLS1_2_VERSION) 2399e71b7053SJung-uk Kim rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN); 2400e71b7053SJung-uk Kim else 24017bded2dbSJung-uk Kim rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; 24027bded2dbSJung-uk Kim 24037bded2dbSJung-uk Kim /* 24047bded2dbSJung-uk Kim * When checking a CERT_PKEY structure all flags are irrelevant if the 24057bded2dbSJung-uk Kim * chain is invalid. 24067bded2dbSJung-uk Kim */ 24077bded2dbSJung-uk Kim if (!check_flags) { 2408e71b7053SJung-uk Kim if (rv & CERT_PKEY_VALID) { 2409e71b7053SJung-uk Kim *pvalid = rv; 2410e71b7053SJung-uk Kim } else { 2411e71b7053SJung-uk Kim /* Preserve sign and explicit sign flag, clear rest */ 2412e71b7053SJung-uk Kim *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 24137bded2dbSJung-uk Kim return 0; 24147bded2dbSJung-uk Kim } 24157bded2dbSJung-uk Kim } 24167bded2dbSJung-uk Kim return rv; 24177bded2dbSJung-uk Kim } 24187bded2dbSJung-uk Kim 24197bded2dbSJung-uk Kim /* Set validity of certificates in an SSL structure */ 24207bded2dbSJung-uk Kim void tls1_set_cert_validity(SSL *s) 24217bded2dbSJung-uk Kim { 2422e71b7053SJung-uk Kim tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); 2423e71b7053SJung-uk Kim tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); 24247bded2dbSJung-uk Kim tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); 24257bded2dbSJung-uk Kim tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); 2426e71b7053SJung-uk Kim tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); 2427e71b7053SJung-uk Kim tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256); 2428e71b7053SJung-uk Kim tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512); 2429e71b7053SJung-uk Kim tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519); 2430e71b7053SJung-uk Kim tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448); 24317bded2dbSJung-uk Kim } 24327bded2dbSJung-uk Kim 2433e71b7053SJung-uk Kim /* User level utility function to check a chain is suitable */ 24347bded2dbSJung-uk Kim int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) 24357bded2dbSJung-uk Kim { 24367bded2dbSJung-uk Kim return tls1_check_chain(s, x, pk, chain, -1); 24377bded2dbSJung-uk Kim } 24387bded2dbSJung-uk Kim 2439e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DH 2440e71b7053SJung-uk Kim DH *ssl_get_auto_dh(SSL *s) 2441e71b7053SJung-uk Kim { 2442e71b7053SJung-uk Kim int dh_secbits = 80; 2443e71b7053SJung-uk Kim if (s->cert->dh_tmp_auto == 2) 2444e71b7053SJung-uk Kim return DH_get_1024_160(); 2445e71b7053SJung-uk Kim if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { 2446e71b7053SJung-uk Kim if (s->s3->tmp.new_cipher->strength_bits == 256) 2447e71b7053SJung-uk Kim dh_secbits = 128; 2448e71b7053SJung-uk Kim else 2449e71b7053SJung-uk Kim dh_secbits = 80; 2450e71b7053SJung-uk Kim } else { 2451e71b7053SJung-uk Kim if (s->s3->tmp.cert == NULL) 2452e71b7053SJung-uk Kim return NULL; 2453e71b7053SJung-uk Kim dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey); 2454e71b7053SJung-uk Kim } 2455e71b7053SJung-uk Kim 2456e71b7053SJung-uk Kim if (dh_secbits >= 128) { 2457e71b7053SJung-uk Kim DH *dhp = DH_new(); 2458e71b7053SJung-uk Kim BIGNUM *p, *g; 2459e71b7053SJung-uk Kim if (dhp == NULL) 2460e71b7053SJung-uk Kim return NULL; 2461e71b7053SJung-uk Kim g = BN_new(); 2462e71b7053SJung-uk Kim if (g == NULL || !BN_set_word(g, 2)) { 2463e71b7053SJung-uk Kim DH_free(dhp); 2464e71b7053SJung-uk Kim BN_free(g); 2465e71b7053SJung-uk Kim return NULL; 2466e71b7053SJung-uk Kim } 2467e71b7053SJung-uk Kim if (dh_secbits >= 192) 2468e71b7053SJung-uk Kim p = BN_get_rfc3526_prime_8192(NULL); 2469e71b7053SJung-uk Kim else 2470e71b7053SJung-uk Kim p = BN_get_rfc3526_prime_3072(NULL); 2471e71b7053SJung-uk Kim if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { 2472e71b7053SJung-uk Kim DH_free(dhp); 2473e71b7053SJung-uk Kim BN_free(p); 2474e71b7053SJung-uk Kim BN_free(g); 2475e71b7053SJung-uk Kim return NULL; 2476e71b7053SJung-uk Kim } 2477e71b7053SJung-uk Kim return dhp; 2478e71b7053SJung-uk Kim } 2479e71b7053SJung-uk Kim if (dh_secbits >= 112) 2480e71b7053SJung-uk Kim return DH_get_2048_224(); 2481e71b7053SJung-uk Kim return DH_get_1024_160(); 2482e71b7053SJung-uk Kim } 24837bded2dbSJung-uk Kim #endif 2484e71b7053SJung-uk Kim 2485e71b7053SJung-uk Kim static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) 2486e71b7053SJung-uk Kim { 2487e71b7053SJung-uk Kim int secbits = -1; 2488e71b7053SJung-uk Kim EVP_PKEY *pkey = X509_get0_pubkey(x); 2489e71b7053SJung-uk Kim if (pkey) { 2490e71b7053SJung-uk Kim /* 2491e71b7053SJung-uk Kim * If no parameters this will return -1 and fail using the default 2492e71b7053SJung-uk Kim * security callback for any non-zero security level. This will 2493e71b7053SJung-uk Kim * reject keys which omit parameters but this only affects DSA and 2494e71b7053SJung-uk Kim * omission of parameters is never (?) done in practice. 2495e71b7053SJung-uk Kim */ 2496e71b7053SJung-uk Kim secbits = EVP_PKEY_security_bits(pkey); 2497e71b7053SJung-uk Kim } 2498e71b7053SJung-uk Kim if (s) 2499e71b7053SJung-uk Kim return ssl_security(s, op, secbits, 0, x); 2500e71b7053SJung-uk Kim else 2501e71b7053SJung-uk Kim return ssl_ctx_security(ctx, op, secbits, 0, x); 2502e71b7053SJung-uk Kim } 2503e71b7053SJung-uk Kim 2504e71b7053SJung-uk Kim static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) 2505e71b7053SJung-uk Kim { 2506e71b7053SJung-uk Kim /* Lookup signature algorithm digest */ 2507e71b7053SJung-uk Kim int secbits, nid, pknid; 2508e71b7053SJung-uk Kim /* Don't check signature if self signed */ 2509e71b7053SJung-uk Kim if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) 2510e71b7053SJung-uk Kim return 1; 2511e71b7053SJung-uk Kim if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL)) 2512e71b7053SJung-uk Kim secbits = -1; 2513e71b7053SJung-uk Kim /* If digest NID not defined use signature NID */ 2514e71b7053SJung-uk Kim if (nid == NID_undef) 2515e71b7053SJung-uk Kim nid = pknid; 2516e71b7053SJung-uk Kim if (s) 2517e71b7053SJung-uk Kim return ssl_security(s, op, secbits, nid, x); 2518e71b7053SJung-uk Kim else 2519e71b7053SJung-uk Kim return ssl_ctx_security(ctx, op, secbits, nid, x); 2520e71b7053SJung-uk Kim } 2521e71b7053SJung-uk Kim 2522e71b7053SJung-uk Kim int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee) 2523e71b7053SJung-uk Kim { 2524e71b7053SJung-uk Kim if (vfy) 2525e71b7053SJung-uk Kim vfy = SSL_SECOP_PEER; 2526e71b7053SJung-uk Kim if (is_ee) { 2527e71b7053SJung-uk Kim if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy)) 2528e71b7053SJung-uk Kim return SSL_R_EE_KEY_TOO_SMALL; 2529e71b7053SJung-uk Kim } else { 2530e71b7053SJung-uk Kim if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy)) 2531e71b7053SJung-uk Kim return SSL_R_CA_KEY_TOO_SMALL; 2532e71b7053SJung-uk Kim } 2533e71b7053SJung-uk Kim if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) 2534e71b7053SJung-uk Kim return SSL_R_CA_MD_TOO_WEAK; 2535e71b7053SJung-uk Kim return 1; 2536e71b7053SJung-uk Kim } 2537e71b7053SJung-uk Kim 2538e71b7053SJung-uk Kim /* 2539e71b7053SJung-uk Kim * Check security of a chain, if |sk| includes the end entity certificate then 2540e71b7053SJung-uk Kim * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending 2541e71b7053SJung-uk Kim * one to the peer. Return values: 1 if ok otherwise error code to use 2542e71b7053SJung-uk Kim */ 2543e71b7053SJung-uk Kim 2544e71b7053SJung-uk Kim int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) 2545e71b7053SJung-uk Kim { 2546e71b7053SJung-uk Kim int rv, start_idx, i; 2547e71b7053SJung-uk Kim if (x == NULL) { 2548e71b7053SJung-uk Kim x = sk_X509_value(sk, 0); 2549e71b7053SJung-uk Kim start_idx = 1; 2550e71b7053SJung-uk Kim } else 2551e71b7053SJung-uk Kim start_idx = 0; 2552e71b7053SJung-uk Kim 2553e71b7053SJung-uk Kim rv = ssl_security_cert(s, NULL, x, vfy, 1); 2554e71b7053SJung-uk Kim if (rv != 1) 2555e71b7053SJung-uk Kim return rv; 2556e71b7053SJung-uk Kim 2557e71b7053SJung-uk Kim for (i = start_idx; i < sk_X509_num(sk); i++) { 2558e71b7053SJung-uk Kim x = sk_X509_value(sk, i); 2559e71b7053SJung-uk Kim rv = ssl_security_cert(s, NULL, x, vfy, 0); 2560e71b7053SJung-uk Kim if (rv != 1) 2561e71b7053SJung-uk Kim return rv; 2562e71b7053SJung-uk Kim } 2563e71b7053SJung-uk Kim return 1; 2564e71b7053SJung-uk Kim } 2565e71b7053SJung-uk Kim 2566e71b7053SJung-uk Kim /* 2567e71b7053SJung-uk Kim * For TLS 1.2 servers check if we have a certificate which can be used 2568e71b7053SJung-uk Kim * with the signature algorithm "lu" and return index of certificate. 2569e71b7053SJung-uk Kim */ 2570e71b7053SJung-uk Kim 2571e71b7053SJung-uk Kim static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu) 2572e71b7053SJung-uk Kim { 2573e71b7053SJung-uk Kim int sig_idx = lu->sig_idx; 2574e71b7053SJung-uk Kim const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx); 2575e71b7053SJung-uk Kim 2576e71b7053SJung-uk Kim /* If not recognised or not supported by cipher mask it is not suitable */ 2577e71b7053SJung-uk Kim if (clu == NULL 2578e71b7053SJung-uk Kim || (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0 2579e71b7053SJung-uk Kim || (clu->nid == EVP_PKEY_RSA_PSS 2580e71b7053SJung-uk Kim && (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0)) 2581e71b7053SJung-uk Kim return -1; 2582e71b7053SJung-uk Kim 2583e71b7053SJung-uk Kim return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1; 2584e71b7053SJung-uk Kim } 2585e71b7053SJung-uk Kim 2586e71b7053SJung-uk Kim /* 2587da327cd2SJung-uk Kim * Checks the given cert against signature_algorithm_cert restrictions sent by 2588da327cd2SJung-uk Kim * the peer (if any) as well as whether the hash from the sigalg is usable with 2589da327cd2SJung-uk Kim * the key. 2590da327cd2SJung-uk Kim * Returns true if the cert is usable and false otherwise. 2591e71b7053SJung-uk Kim */ 2592da327cd2SJung-uk Kim static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 2593da327cd2SJung-uk Kim EVP_PKEY *pkey) 2594e71b7053SJung-uk Kim { 2595e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu; 25966935a639SJung-uk Kim int mdnid, pknid, default_mdnid; 2597e71b7053SJung-uk Kim size_t i; 2598e71b7053SJung-uk Kim 25996935a639SJung-uk Kim /* If the EVP_PKEY reports a mandatory digest, allow nothing else. */ 26006935a639SJung-uk Kim ERR_set_mark(); 2601da327cd2SJung-uk Kim if (EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2 && 2602da327cd2SJung-uk Kim sig->hash != default_mdnid) 2603da327cd2SJung-uk Kim return 0; 2604da327cd2SJung-uk Kim 2605da327cd2SJung-uk Kim /* If it didn't report a mandatory NID, for whatever reasons, 26066935a639SJung-uk Kim * just clear the error and allow all hashes to be used. */ 26076935a639SJung-uk Kim ERR_pop_to_mark(); 2608da327cd2SJung-uk Kim 2609e71b7053SJung-uk Kim if (s->s3->tmp.peer_cert_sigalgs != NULL) { 2610e71b7053SJung-uk Kim for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) { 2611e71b7053SJung-uk Kim lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]); 2612e71b7053SJung-uk Kim if (lu == NULL 2613da327cd2SJung-uk Kim || !X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL)) 2614e71b7053SJung-uk Kim continue; 2615e71b7053SJung-uk Kim /* 2616e71b7053SJung-uk Kim * TODO this does not differentiate between the 2617e71b7053SJung-uk Kim * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not 2618e71b7053SJung-uk Kim * have a chain here that lets us look at the key OID in the 2619e71b7053SJung-uk Kim * signing certificate. 2620e71b7053SJung-uk Kim */ 2621e71b7053SJung-uk Kim if (mdnid == lu->hash && pknid == lu->sig) 2622e71b7053SJung-uk Kim return 1; 2623e71b7053SJung-uk Kim } 2624e71b7053SJung-uk Kim return 0; 2625e71b7053SJung-uk Kim } 2626da327cd2SJung-uk Kim return 1; 2627da327cd2SJung-uk Kim } 2628da327cd2SJung-uk Kim 2629da327cd2SJung-uk Kim /* 2630da327cd2SJung-uk Kim * Returns true if |s| has a usable certificate configured for use 2631da327cd2SJung-uk Kim * with signature scheme |sig|. 2632da327cd2SJung-uk Kim * "Usable" includes a check for presence as well as applying 2633da327cd2SJung-uk Kim * the signature_algorithm_cert restrictions sent by the peer (if any). 2634da327cd2SJung-uk Kim * Returns false if no usable certificate is found. 2635da327cd2SJung-uk Kim */ 2636da327cd2SJung-uk Kim static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) 2637da327cd2SJung-uk Kim { 2638da327cd2SJung-uk Kim /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */ 2639da327cd2SJung-uk Kim if (idx == -1) 2640da327cd2SJung-uk Kim idx = sig->sig_idx; 2641da327cd2SJung-uk Kim if (!ssl_has_cert(s, idx)) 2642da327cd2SJung-uk Kim return 0; 2643da327cd2SJung-uk Kim 2644da327cd2SJung-uk Kim return check_cert_usable(s, sig, s->cert->pkeys[idx].x509, 2645da327cd2SJung-uk Kim s->cert->pkeys[idx].privatekey); 2646da327cd2SJung-uk Kim } 2647da327cd2SJung-uk Kim 2648da327cd2SJung-uk Kim /* 2649da327cd2SJung-uk Kim * Returns true if the supplied cert |x| and key |pkey| is usable with the 2650da327cd2SJung-uk Kim * specified signature scheme |sig|, or false otherwise. 2651da327cd2SJung-uk Kim */ 2652da327cd2SJung-uk Kim static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 2653da327cd2SJung-uk Kim EVP_PKEY *pkey) 2654da327cd2SJung-uk Kim { 2655da327cd2SJung-uk Kim size_t idx; 2656da327cd2SJung-uk Kim 2657da327cd2SJung-uk Kim if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 2658da327cd2SJung-uk Kim return 0; 2659da327cd2SJung-uk Kim 2660da327cd2SJung-uk Kim /* Check the key is consistent with the sig alg */ 2661da327cd2SJung-uk Kim if ((int)idx != sig->sig_idx) 2662da327cd2SJung-uk Kim return 0; 2663da327cd2SJung-uk Kim 2664da327cd2SJung-uk Kim return check_cert_usable(s, sig, x, pkey); 2665da327cd2SJung-uk Kim } 2666da327cd2SJung-uk Kim 2667da327cd2SJung-uk Kim /* 2668da327cd2SJung-uk Kim * Find a signature scheme that works with the supplied certificate |x| and key 2669da327cd2SJung-uk Kim * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our 2670da327cd2SJung-uk Kim * available certs/keys to find one that works. 2671da327cd2SJung-uk Kim */ 2672da327cd2SJung-uk Kim static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey) 2673da327cd2SJung-uk Kim { 2674da327cd2SJung-uk Kim const SIGALG_LOOKUP *lu = NULL; 2675da327cd2SJung-uk Kim size_t i; 2676da327cd2SJung-uk Kim #ifndef OPENSSL_NO_EC 2677da327cd2SJung-uk Kim int curve = -1; 2678da327cd2SJung-uk Kim #endif 2679da327cd2SJung-uk Kim EVP_PKEY *tmppkey; 2680da327cd2SJung-uk Kim 2681da327cd2SJung-uk Kim /* Look for a shared sigalgs matching possible certificates */ 2682da327cd2SJung-uk Kim for (i = 0; i < s->shared_sigalgslen; i++) { 2683da327cd2SJung-uk Kim lu = s->shared_sigalgs[i]; 2684da327cd2SJung-uk Kim 2685da327cd2SJung-uk Kim /* Skip SHA1, SHA224, DSA and RSA if not PSS */ 2686da327cd2SJung-uk Kim if (lu->hash == NID_sha1 2687da327cd2SJung-uk Kim || lu->hash == NID_sha224 2688da327cd2SJung-uk Kim || lu->sig == EVP_PKEY_DSA 2689da327cd2SJung-uk Kim || lu->sig == EVP_PKEY_RSA) 2690da327cd2SJung-uk Kim continue; 2691da327cd2SJung-uk Kim /* Check that we have a cert, and signature_algorithms_cert */ 2692da327cd2SJung-uk Kim if (!tls1_lookup_md(lu, NULL)) 2693da327cd2SJung-uk Kim continue; 2694da327cd2SJung-uk Kim if ((pkey == NULL && !has_usable_cert(s, lu, -1)) 2695da327cd2SJung-uk Kim || (pkey != NULL && !is_cert_usable(s, lu, x, pkey))) 2696da327cd2SJung-uk Kim continue; 2697da327cd2SJung-uk Kim 2698da327cd2SJung-uk Kim tmppkey = (pkey != NULL) ? pkey 2699da327cd2SJung-uk Kim : s->cert->pkeys[lu->sig_idx].privatekey; 2700da327cd2SJung-uk Kim 2701da327cd2SJung-uk Kim if (lu->sig == EVP_PKEY_EC) { 2702da327cd2SJung-uk Kim #ifndef OPENSSL_NO_EC 2703da327cd2SJung-uk Kim if (curve == -1) { 2704da327cd2SJung-uk Kim EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey); 2705da327cd2SJung-uk Kim curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); 2706da327cd2SJung-uk Kim } 2707da327cd2SJung-uk Kim if (lu->curve != NID_undef && curve != lu->curve) 2708da327cd2SJung-uk Kim continue; 2709da327cd2SJung-uk Kim #else 2710da327cd2SJung-uk Kim continue; 2711da327cd2SJung-uk Kim #endif 2712da327cd2SJung-uk Kim } else if (lu->sig == EVP_PKEY_RSA_PSS) { 2713da327cd2SJung-uk Kim /* validate that key is large enough for the signature algorithm */ 2714da327cd2SJung-uk Kim if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu)) 2715da327cd2SJung-uk Kim continue; 2716da327cd2SJung-uk Kim } 2717da327cd2SJung-uk Kim break; 2718da327cd2SJung-uk Kim } 2719da327cd2SJung-uk Kim 2720da327cd2SJung-uk Kim if (i == s->shared_sigalgslen) 2721da327cd2SJung-uk Kim return NULL; 2722da327cd2SJung-uk Kim 2723da327cd2SJung-uk Kim return lu; 2724e71b7053SJung-uk Kim } 2725e71b7053SJung-uk Kim 2726e71b7053SJung-uk Kim /* 2727e71b7053SJung-uk Kim * Choose an appropriate signature algorithm based on available certificates 2728e71b7053SJung-uk Kim * Sets chosen certificate and signature algorithm. 2729e71b7053SJung-uk Kim * 2730e71b7053SJung-uk Kim * For servers if we fail to find a required certificate it is a fatal error, 2731e71b7053SJung-uk Kim * an appropriate error code is set and a TLS alert is sent. 2732e71b7053SJung-uk Kim * 2733e71b7053SJung-uk Kim * For clients fatalerrs is set to 0. If a certificate is not suitable it is not 2734e71b7053SJung-uk Kim * a fatal error: we will either try another certificate or not present one 2735e71b7053SJung-uk Kim * to the server. In this case no error is set. 2736e71b7053SJung-uk Kim */ 2737e71b7053SJung-uk Kim int tls_choose_sigalg(SSL *s, int fatalerrs) 2738e71b7053SJung-uk Kim { 2739e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = NULL; 2740e71b7053SJung-uk Kim int sig_idx = -1; 2741e71b7053SJung-uk Kim 2742e71b7053SJung-uk Kim s->s3->tmp.cert = NULL; 2743e71b7053SJung-uk Kim s->s3->tmp.sigalg = NULL; 2744e71b7053SJung-uk Kim 2745e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) { 2746da327cd2SJung-uk Kim lu = find_sig_alg(s, NULL, NULL); 2747da327cd2SJung-uk Kim if (lu == NULL) { 2748e71b7053SJung-uk Kim if (!fatalerrs) 2749e71b7053SJung-uk Kim return 1; 2750e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG, 2751e71b7053SJung-uk Kim SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 2752e71b7053SJung-uk Kim return 0; 2753e71b7053SJung-uk Kim } 2754e71b7053SJung-uk Kim } else { 2755e71b7053SJung-uk Kim /* If ciphersuite doesn't require a cert nothing to do */ 2756e71b7053SJung-uk Kim if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT)) 2757e71b7053SJung-uk Kim return 1; 2758e71b7053SJung-uk Kim if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys)) 2759e71b7053SJung-uk Kim return 1; 2760e71b7053SJung-uk Kim 2761e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s)) { 2762e71b7053SJung-uk Kim size_t i; 2763e71b7053SJung-uk Kim if (s->s3->tmp.peer_sigalgs != NULL) { 2764e71b7053SJung-uk Kim #ifndef OPENSSL_NO_EC 2765e71b7053SJung-uk Kim int curve; 2766e71b7053SJung-uk Kim 2767e71b7053SJung-uk Kim /* For Suite B need to match signature algorithm to curve */ 2768e71b7053SJung-uk Kim if (tls1_suiteb(s)) { 2769e71b7053SJung-uk Kim EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey); 2770e71b7053SJung-uk Kim curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); 2771e71b7053SJung-uk Kim } else { 2772e71b7053SJung-uk Kim curve = -1; 2773e71b7053SJung-uk Kim } 2774e71b7053SJung-uk Kim #endif 2775e71b7053SJung-uk Kim 2776e71b7053SJung-uk Kim /* 2777e71b7053SJung-uk Kim * Find highest preference signature algorithm matching 2778e71b7053SJung-uk Kim * cert type 2779e71b7053SJung-uk Kim */ 2780da327cd2SJung-uk Kim for (i = 0; i < s->shared_sigalgslen; i++) { 2781da327cd2SJung-uk Kim lu = s->shared_sigalgs[i]; 2782e71b7053SJung-uk Kim 2783e71b7053SJung-uk Kim if (s->server) { 2784e71b7053SJung-uk Kim if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1) 2785e71b7053SJung-uk Kim continue; 2786e71b7053SJung-uk Kim } else { 2787e71b7053SJung-uk Kim int cc_idx = s->cert->key - s->cert->pkeys; 2788e71b7053SJung-uk Kim 2789e71b7053SJung-uk Kim sig_idx = lu->sig_idx; 2790e71b7053SJung-uk Kim if (cc_idx != sig_idx) 2791e71b7053SJung-uk Kim continue; 2792e71b7053SJung-uk Kim } 2793e71b7053SJung-uk Kim /* Check that we have a cert, and sig_algs_cert */ 2794e71b7053SJung-uk Kim if (!has_usable_cert(s, lu, sig_idx)) 2795e71b7053SJung-uk Kim continue; 2796e71b7053SJung-uk Kim if (lu->sig == EVP_PKEY_RSA_PSS) { 2797e71b7053SJung-uk Kim /* validate that key is large enough for the signature algorithm */ 2798e71b7053SJung-uk Kim EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey; 2799e71b7053SJung-uk Kim 2800e71b7053SJung-uk Kim if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu)) 2801e71b7053SJung-uk Kim continue; 2802e71b7053SJung-uk Kim } 2803e71b7053SJung-uk Kim #ifndef OPENSSL_NO_EC 2804e71b7053SJung-uk Kim if (curve == -1 || lu->curve == curve) 2805e71b7053SJung-uk Kim #endif 2806e71b7053SJung-uk Kim break; 2807e71b7053SJung-uk Kim } 2808*17f01e99SJung-uk Kim #ifndef OPENSSL_NO_GOST 2809*17f01e99SJung-uk Kim /* 2810*17f01e99SJung-uk Kim * Some Windows-based implementations do not send GOST algorithms indication 2811*17f01e99SJung-uk Kim * in supported_algorithms extension, so when we have GOST-based ciphersuite, 2812*17f01e99SJung-uk Kim * we have to assume GOST support. 2813*17f01e99SJung-uk Kim */ 2814*17f01e99SJung-uk Kim if (i == s->shared_sigalgslen && s->s3->tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) { 2815*17f01e99SJung-uk Kim if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 2816*17f01e99SJung-uk Kim if (!fatalerrs) 2817*17f01e99SJung-uk Kim return 1; 2818*17f01e99SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2819*17f01e99SJung-uk Kim SSL_F_TLS_CHOOSE_SIGALG, 2820*17f01e99SJung-uk Kim SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 2821*17f01e99SJung-uk Kim return 0; 2822*17f01e99SJung-uk Kim } else { 2823*17f01e99SJung-uk Kim i = 0; 2824*17f01e99SJung-uk Kim sig_idx = lu->sig_idx; 2825*17f01e99SJung-uk Kim } 2826*17f01e99SJung-uk Kim } 2827*17f01e99SJung-uk Kim #endif 2828da327cd2SJung-uk Kim if (i == s->shared_sigalgslen) { 2829e71b7053SJung-uk Kim if (!fatalerrs) 2830e71b7053SJung-uk Kim return 1; 2831e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2832e71b7053SJung-uk Kim SSL_F_TLS_CHOOSE_SIGALG, 2833e71b7053SJung-uk Kim SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 2834e71b7053SJung-uk Kim return 0; 2835e71b7053SJung-uk Kim } 2836e71b7053SJung-uk Kim } else { 2837e71b7053SJung-uk Kim /* 2838e71b7053SJung-uk Kim * If we have no sigalg use defaults 2839e71b7053SJung-uk Kim */ 2840e71b7053SJung-uk Kim const uint16_t *sent_sigs; 2841e71b7053SJung-uk Kim size_t sent_sigslen; 2842e71b7053SJung-uk Kim 2843e71b7053SJung-uk Kim if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 2844e71b7053SJung-uk Kim if (!fatalerrs) 2845e71b7053SJung-uk Kim return 1; 2846e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG, 2847e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 2848e71b7053SJung-uk Kim return 0; 2849e71b7053SJung-uk Kim } 2850e71b7053SJung-uk Kim 2851e71b7053SJung-uk Kim /* Check signature matches a type we sent */ 2852e71b7053SJung-uk Kim sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 2853e71b7053SJung-uk Kim for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 2854e71b7053SJung-uk Kim if (lu->sigalg == *sent_sigs 2855e71b7053SJung-uk Kim && has_usable_cert(s, lu, lu->sig_idx)) 2856e71b7053SJung-uk Kim break; 2857e71b7053SJung-uk Kim } 2858e71b7053SJung-uk Kim if (i == sent_sigslen) { 2859e71b7053SJung-uk Kim if (!fatalerrs) 2860e71b7053SJung-uk Kim return 1; 2861e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 2862e71b7053SJung-uk Kim SSL_F_TLS_CHOOSE_SIGALG, 2863e71b7053SJung-uk Kim SSL_R_WRONG_SIGNATURE_TYPE); 2864e71b7053SJung-uk Kim return 0; 2865e71b7053SJung-uk Kim } 2866e71b7053SJung-uk Kim } 2867e71b7053SJung-uk Kim } else { 2868e71b7053SJung-uk Kim if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 2869e71b7053SJung-uk Kim if (!fatalerrs) 2870e71b7053SJung-uk Kim return 1; 2871e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG, 2872e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 2873e71b7053SJung-uk Kim return 0; 2874e71b7053SJung-uk Kim } 2875e71b7053SJung-uk Kim } 2876e71b7053SJung-uk Kim } 2877e71b7053SJung-uk Kim if (sig_idx == -1) 2878e71b7053SJung-uk Kim sig_idx = lu->sig_idx; 2879e71b7053SJung-uk Kim s->s3->tmp.cert = &s->cert->pkeys[sig_idx]; 2880e71b7053SJung-uk Kim s->cert->key = s->s3->tmp.cert; 2881e71b7053SJung-uk Kim s->s3->tmp.sigalg = lu; 2882e71b7053SJung-uk Kim return 1; 2883e71b7053SJung-uk Kim } 2884e71b7053SJung-uk Kim 2885e71b7053SJung-uk Kim int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) 2886e71b7053SJung-uk Kim { 2887e71b7053SJung-uk Kim if (mode != TLSEXT_max_fragment_length_DISABLED 2888e71b7053SJung-uk Kim && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 2889e71b7053SJung-uk Kim SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH, 2890e71b7053SJung-uk Kim SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 2891e71b7053SJung-uk Kim return 0; 2892e71b7053SJung-uk Kim } 2893e71b7053SJung-uk Kim 2894e71b7053SJung-uk Kim ctx->ext.max_fragment_len_mode = mode; 2895e71b7053SJung-uk Kim return 1; 2896e71b7053SJung-uk Kim } 2897e71b7053SJung-uk Kim 2898e71b7053SJung-uk Kim int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode) 2899e71b7053SJung-uk Kim { 2900e71b7053SJung-uk Kim if (mode != TLSEXT_max_fragment_length_DISABLED 2901e71b7053SJung-uk Kim && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 2902e71b7053SJung-uk Kim SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH, 2903e71b7053SJung-uk Kim SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 2904e71b7053SJung-uk Kim return 0; 2905e71b7053SJung-uk Kim } 2906e71b7053SJung-uk Kim 2907e71b7053SJung-uk Kim ssl->ext.max_fragment_len_mode = mode; 2908e71b7053SJung-uk Kim return 1; 2909e71b7053SJung-uk Kim } 2910e71b7053SJung-uk Kim 2911e71b7053SJung-uk Kim uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session) 2912e71b7053SJung-uk Kim { 2913e71b7053SJung-uk Kim return session->ext.max_fragment_len_mode; 2914e71b7053SJung-uk Kim } 2915