/*
 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <stdlib.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/ocsp.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
#include "internal/nelem.h"
#include "ssl_locl.h"
#include <openssl/ct.h>

/* Forward declaration; being static, the definition is further down this file. */
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);

/*
 * Per-protocol-version method tables. The four tables below share the same
 * layout; they differ in which record/key-schedule routines they point at and
 * in the SSL_ENC_FLAG_* entry (0 for TLSv1.0).
 */
SSL3_ENC_METHOD const TLSv1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    0,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

/* TLSv1.1: same as TLSv1.0 apart from the explicit-IV flag. */
SSL3_ENC_METHOD const TLSv1_1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

/*
 * TLSv1.2: adds signature algorithms, the SHA-256 based PRF and the
 * TLSv1.2-only ciphersuites on top of the TLSv1.1 flags.
 */
SSL3_ENC_METHOD const TLSv1_2_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
        | SSL_ENC_FLAG_TLS1_2_CIPHERS,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

/*
 * TLSv1.3: uses the tls13_* record, key-schedule, alert and exporter
 * routines; only the MAC and handshake framing entries are shared with the
 * earlier versions.
 */
SSL3_ENC_METHOD const TLSv1_3_enc_data = {
    tls13_enc,
    tls1_mac,
    tls13_setup_key_block,
    tls13_generate_master_secret,
    tls13_change_cipher_state,
    tls13_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls13_alert_code,
    tls13_export_keying_material,
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

/*
 * Default session timeout for TLS, in seconds.
 *
 * Returns 7200 (2 hours).
 */
long tls1_default_timeout(void)
{
    /*
     * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
     * http, the cache would over fill
     */
    return (60 * 60 * 2);
}

/*
 * Allocate the TLS-specific state for |s|: runs the SSLv3 allocation and
 * then the method's clear routine.
 *
 * Returns 1 on success, 0 if either step fails.
 */
int tls1_new(SSL *s)
{
    if (!ssl3_new(s))
        return 0;
    if (!s->method->ssl_clear(s))
        return 0;

    return 1;
}

/*
 * Release the TLS-specific state of |s|: the cached session ticket
 * extension data, then everything owned by the SSLv3 layer.
 */
void tls1_free(SSL *s)
{
    OPENSSL_free(s->ext.session_ticket);
    ssl3_free(s);
}

/*
 * Reset |s| for reuse. After the SSLv3 reset, the negotiated version is
 * re-seeded: a version-flexible method starts from TLS_MAX_VERSION,
 * otherwise from the method's fixed version.
 *
 * Returns 1 on success, 0 if ssl3_clear() fails.
 */
int tls1_clear(SSL *s)
{
    if (!ssl3_clear(s))
        return 0;

    if (s->method->version == TLS_ANY_VERSION)
        s->version = TLS_MAX_VERSION;
    else
        s->version = s->method->version;

    return 1;
}

#ifndef OPENSSL_NO_EC

/*
 * Table of curve information.
 * Do not delete entries or reorder this array! It is used as a lookup
 * table: the index of each entry is one less than the TLS curve id.
 *
 * Each row is {nid, secbits, flags}: the OpenSSL NID of the group, the
 * security level in bits handed to the security callback, and a
 * TLS_CURVE_* flag describing the field type.
 */
static const TLS_GROUP_INFO nid_list[] = {
    {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
    {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
    {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
    {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
    {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
    {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
    {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
    {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
    {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
    {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
    {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
    {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
    {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
    {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
    {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
    {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
    {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
    {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
    {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
    {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
    {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
    {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
    {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
    {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
    {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
    {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
    {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
    {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpoolP512r1 (28) */
    {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
    {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
};

/*
 * Default ec_point_formats list. The char2 entry is deliberately last so
 * that tls1_get_formatlist() can drop it for Suite B by shortening the
 * count by one.
 */
static const unsigned char ecformats_default[] = {
    TLSEXT_ECPOINTFORMAT_uncompressed,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
};

/*
 * The default curves, as TLS curve ids (index into nid_list plus one), in
 * preference order. Used when no explicit supported-groups list is set.
 */
static const uint16_t eccurves_default[] = {
    29,                      /* X25519 (29) */
    23,                      /* secp256r1 (23) */
    30,                      /* X448 (30) */
    25,                      /* secp521r1 (25) */
    24,                      /* secp384r1 (24) */
};

/*
 * Suite B curves. Order matters: tls1_get_supported_groups() hands out
 * entry [0] alone for the 128-bit-only level and entry [1] alone for the
 * 192-bit level.
 */
static const uint16_t suiteb_curves[] = {
    TLSEXT_curve_P_256,
    TLSEXT_curve_P_384
};

/*
 * Look up the group information for a TLS curve id.
 *
 * Returns a pointer into nid_list, or NULL when |group_id| is 0 or beyond
 * the table.
 */
const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
{
    /* ECC curves from RFC 4492 and RFC 7027 */
    if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
        return NULL;
    return &nid_list[group_id - 1];
}

/*
 * Map an OpenSSL NID to its TLS curve id.
 *
 * Returns the 1-based curve id, or 0 if |nid| is not in nid_list.
 */
static uint16_t tls1_nid2group_id(int nid)
{
    size_t i;
    for (i = 0; i < OSSL_NELEM(nid_list); i++) {
        if (nid_list[i].nid == nid)
            return (uint16_t)(i + 1);
    }
    return 0;
}

/*
 * Set *pgroups to the supported groups list and *pgroupslen to
 * the number of groups supported.
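 *
 * The list is chosen by Suite B mode first (P-256 and/or P-384 only) and
 * otherwise is the connection's configured list, falling back to
 * eccurves_default when none has been set. The returned pointer is not
 * owned by the caller.
 */
void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
                               size_t *pgroupslen)
{

    /* For Suite B mode only include P-256, P-384 */
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        *pgroups = suiteb_curves;
        *pgroupslen = OSSL_NELEM(suiteb_curves);
        break;

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        *pgroups = suiteb_curves;
        *pgroupslen = 1;
        break;

    case SSL_CERT_FLAG_SUITEB_192_LOS:
        *pgroups = suiteb_curves + 1;
        *pgroupslen = 1;
        break;

    default:
        if (s->ext.supportedgroups == NULL) {
            *pgroups = eccurves_default;
            *pgroupslen = OSSL_NELEM(eccurves_default);
        } else {
            *pgroups = s->ext.supportedgroups;
            *pgroupslen = s->ext.supportedgroups_len;
        }
        break;
    }
}

/*
 * See if curve is allowed by security callback.
 *
 * |op| is the SSL_SECOP_* operation being evaluated. Unknown curve ids are
 * rejected outright, as are binary-field curves when the build has no EC2M
 * support. The curve id is passed to the security callback, big-endian, as
 * its opaque |other| argument.
 *
 * Returns the security callback's verdict: non-zero to allow, 0 to refuse.
 */
int tls_curve_allowed(SSL *s, uint16_t curve, int op)
{
    const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
    unsigned char ctmp[2];

    if (cinfo == NULL)
        return 0;
# ifdef OPENSSL_NO_EC2M
    if (cinfo->flags & TLS_CURVE_CHAR2)
        return 0;
# endif
    ctmp[0] = curve >> 8;
    ctmp[1] = curve & 0xff;
    return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
}

/* Return 1 if "id" is in "list" (linear scan of |listlen| entries). */
static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
{
    size_t i;
    for (i = 0; i < listlen; i++)
        if (list[i] == id)
            return 1;
    return 0;
}

/*-
 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
 * if there is no match.
 * For nmatch == -1, return number of matches
 * For nmatch == -2, return the id of the group to use for
 * a tmp key, or 0 if there is no match.
 *
 * Server side only: always returns 0 on a client. A group counts as shared
 * when it is in both lists and the security callback permits it for
 * SSL_SECOP_CURVE_SHARED.
 */
uint16_t tls1_shared_group(SSL *s, int nmatch)
{
    const uint16_t *pref, *supp;
    size_t num_pref, num_supp, i;
    int k;

    /* Can't do anything on client side */
    if (s->server == 0)
        return 0;
    if (nmatch == -2) {
        if (tls1_suiteb(s)) {
            /*
             * For Suite B ciphersuite determines curve: we already know
             * these are acceptable due to previous checks.
             */
            unsigned long cid = s->s3->tmp.new_cipher->id;

            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
                return TLSEXT_curve_P_256;
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
                return TLSEXT_curve_P_384;
            /* Should never happen */
            return 0;
        }
        /* If not Suite B just return first preference shared curve */
        nmatch = 0;
    }
    /*
     * If server preference set, our groups are the preference order
     * otherwise peer decides.
     */
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
        tls1_get_supported_groups(s, &pref, &num_pref);
        tls1_get_peer_groups(s, &supp, &num_supp);
    } else {
        tls1_get_peer_groups(s, &pref, &num_pref);
        tls1_get_supported_groups(s, &supp, &num_supp);
    }

    /* |k| counts the shared groups seen so far in preference order. */
    for (k = 0, i = 0; i < num_pref; i++) {
        uint16_t id = pref[i];

        if (!tls1_in_list(id, supp, num_supp)
            || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
            continue;
        if (nmatch == k)
            return id;
        k++;
    }
    if (nmatch == -1)
        return k;
    /* Out of range (nmatch > k). */
    return 0;
}

/*
 * Replace the group list at *pext/*pextlen with the TLS curve ids for the
 * |ngroups| NIDs in |groups|.
 *
 * On success the previous *pext is freed and replaced by a newly allocated
 * array owned by the caller; on failure *pext/*pextlen are left untouched.
 * Fails (returning 0) for an empty list, on allocation failure, for a NID
 * that is not a known TLS group, or for a duplicate entry. Only the first
 * two of these raise an error on the error queue.
 */
int tls1_set_groups(uint16_t **pext, size_t *pextlen,
                    int *groups, size_t ngroups)
{
    uint16_t *glist;
    size_t i;
    /*
     * Bitmap of groups included to detect duplicates: only works while group
     * ids < 32
     */
    unsigned long dup_list = 0;

    if (ngroups == 0) {
        SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH);
        return 0;
    }
    if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
        SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    for (i = 0; i < ngroups; i++) {
        unsigned long idmask;
        uint16_t id;
        /* TODO(TLS1.3): Convert for DH groups */
        id = tls1_nid2group_id(groups[i]);
        /*
         * |id| is at most OSSL_NELEM(nid_list) (30), so the shift fits in
         * the unsigned bitmap; an unsigned constant avoids a signed shift.
         */
        idmask = 1UL << id;
        if (!id || (dup_list & idmask)) {
            OPENSSL_free(glist);
            return 0;
        }
        dup_list |= idmask;
        glist[i] = id;
    }
    OPENSSL_free(*pext);
    *pext = glist;
    *pextlen = ngroups;
    return 1;
}

# define MAX_CURVELIST OSSL_NELEM(nid_list)

/* Accumulator for nid_cb(): the NIDs parsed so far, without duplicates. */
typedef struct {
    size_t nidcnt;
    int nid_arr[MAX_CURVELIST];
} nid_cb_st;

/*
 * CONF_parse_list() callback: resolve one list element to a curve NID and
 * append it to the nid_cb_st in |arg|.
 *
 * |elem| is |len| bytes and not NUL-terminated, so it is copied into a
 * bounded local buffer before lookup; names longer than that buffer are
 * rejected. A name is tried as a NIST alias, then as a short name, then as
 * a long name. Returns 1 on success and 0 to abort the parse (empty
 * element, table full, over-long or unknown name, or duplicate).
 */
static int nid_cb(const char *elem, int len, void *arg)
{
    nid_cb_st *narg = arg;
    size_t i;
    int nid;
    char etmp[20];
    if (elem == NULL)
        return 0;
    if (narg->nidcnt == MAX_CURVELIST)
        return 0;
    /*
     * A negative length is rejected too: memcpy() takes size_t and would
     * otherwise see it as a huge count.
     */
    if (len < 0 || len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, (size_t)len);
    etmp[len] = 0;
    nid = EC_curve_nist2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_sn2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_ln2nid(etmp);
    if (nid == NID_undef)
        return 0;
    for (i = 0; i < narg->nidcnt; i++)
        if (narg->nid_arr[i] == nid)
            return 0;
    narg->nid_arr[narg->nidcnt++] = nid;
    return 1;
}

/*
 * Set groups based on a colon separate list.
 *
 * With |pext| == NULL the list is only validated (returns 1 if it parses).
 * Otherwise the parsed NIDs are installed via tls1_set_groups().
 * Returns 1 on success, 0 on a parse or conversion failure.
 */
int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
{
    nid_cb_st ncb;
    ncb.nidcnt = 0;
    if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
        return 0;
    if (pext == NULL)
        return 1;
    return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
}

/*
 * Return group id of a key.
 *
 * Returns the TLS curve id of the EC key's group, or 0 if |pkey| is not an
 * EC key or its curve is not in nid_list.
 */
static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
{
    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
    const EC_GROUP *grp;

    if (ec == NULL)
        return 0;
    grp = EC_KEY_get0_group(ec);
    return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
}

/*
 * Check a key is compatible with compression extension.
 *
 * Works out which ec_point_formats value the key's point encoding needs
 * and checks the peer advertised it. Non-EC keys, TLSv1.3 connections
 * (where the extension is unused) and peers that sent no list all pass.
 *
 * Returns 1 if compatible, 0 otherwise (including an unrecognised field
 * type for a compressed point).
 */
static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
{
    const EC_KEY *ec;
    const EC_GROUP *grp;
    unsigned char comp_id;
    size_t i;

    /* If not an EC key nothing to check */
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
        return 1;
    ec = EVP_PKEY_get0_EC_KEY(pkey);
    grp = EC_KEY_get0_group(ec);

    /* Get required compression id */
    if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
        comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
    } else if (SSL_IS_TLS13(s)) {
        /*
         * ec_point_formats extension is not used in TLSv1.3 so we ignore
         * this check.
         */
        return 1;
    } else {
        int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));

        if (field_type == NID_X9_62_prime_field)
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
        else if (field_type == NID_X9_62_characteristic_two_field)
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
        else
            return 0;
    }
    /*
     * If point formats extension present check it, otherwise everything is
     * supported (see RFC4492).
     */
    if (s->ext.peer_ecpointformats == NULL)
        return 1;

    for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
        if (s->ext.peer_ecpointformats[i] == comp_id)
            return 1;
    }
    return 0;
}

/*
 * Check a group id matches preferences.
 *
 * A group is acceptable when: it is non-zero; in Suite B mode it is the
 * curve dictated by the selected ciphersuite; if |check_own_groups| is set
 * it is in our own supported list; the security callback permits it for
 * SSL_SECOP_CURVE_CHECK; and, on a server, it is in the peer's list (a
 * peer that sent no supported-groups extension accepts any group).
 *
 * Returns 1 if acceptable, 0 otherwise.
 */
int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
{
    const uint16_t *groups;
    size_t groups_len;

    if (group_id == 0)
        return 0;

    /* Check for Suite B compliance */
    if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
        unsigned long cid = s->s3->tmp.new_cipher->id;

        if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
            if (group_id != TLSEXT_curve_P_256)
                return 0;
        } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
            if (group_id != TLSEXT_curve_P_384)
                return 0;
        } else {
            /* Should never happen */
            return 0;
        }
    }

    if (check_own_groups) {
        /* Check group is one of our preferences */
        tls1_get_supported_groups(s, &groups, &groups_len);
        if (!tls1_in_list(group_id, groups, groups_len))
            return 0;
    }

    if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
        return 0;

    /* For clients, nothing more to check */
    if (!s->server)
        return 1;

    /* Check group is one of peers preferences */
    tls1_get_peer_groups(s, &groups, &groups_len);

    /*
     * RFC 4492 does not require the supported elliptic curves extension
     * so if it is not sent we can just choose any curve.
     * It is invalid to send an empty list in the supported groups
     * extension, so groups_len == 0 always means no extension.
     */
    if (groups_len == 0)
        return 1;
    return tls1_in_list(group_id, groups, groups_len);
}

/*
 * Set *pformats/*num_formats to the ec_point_formats list to advertise:
 * the connection's custom list if one is configured, otherwise
 * ecformats_default (minus its trailing char2 entry in Suite B mode).
 * The returned pointer is not owned by the caller.
 */
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
                         size_t *num_formats)
{
    /*
     * If we have a custom point format list use it otherwise use default
     */
    if (s->ext.ecpointformats) {
        *pformats = s->ext.ecpointformats;
        *num_formats = s->ext.ecpointformats_len;
    } else {
        *pformats = ecformats_default;
        /* For Suite B we don't support char2 fields */
        if (tls1_suiteb(s))
            *num_formats = sizeof(ecformats_default) - 1;
        else
            *num_formats = sizeof(ecformats_default);
    }
}

/*
 * Check cert parameters compatible with extensions: currently just checks EC
 * certificates have compatible curves and compression.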
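 *
 * |check_ee_md| additionally requires, in Suite B mode, that a matching
 * ECDSA+SHA-256 (P-256) or ECDSA+SHA-384 (P-384) signature algorithm is
 * among the shared sigalgs. Non-EC certificates always pass.
 *
 * Returns 1 if the certificate is usable, 0 otherwise (including when the
 * public key cannot be extracted).
 */
static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
{
    uint16_t group_id;
    EVP_PKEY *pkey;
    pkey = X509_get0_pubkey(x);
    if (pkey == NULL)
        return 0;
    /* If not EC nothing to do */
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
        return 1;
    /* Check compression */
    if (!tls1_check_pkey_comp(s, pkey))
        return 0;
    group_id = tls1_get_group_id(pkey);
    /*
     * For a server we allow the certificate to not be in our list of supported
     * groups.
     */
    if (!tls1_check_group_id(s, group_id, !s->server))
        return 0;
    /*
     * Special case for suite B. We *MUST* sign using SHA256+P-256 or
     * SHA384+P-384.
     */
    if (check_ee_md && tls1_suiteb(s)) {
        int check_md;
        size_t i;

        /* Check to see we have necessary signing algorithm */
        if (group_id == TLSEXT_curve_P_256)
            check_md = NID_ecdsa_with_SHA256;
        else if (group_id == TLSEXT_curve_P_384)
            check_md = NID_ecdsa_with_SHA384;
        else
            return 0;           /* Should never happen */
        for (i = 0; i < s->shared_sigalgslen; i++) {
            if (check_md == s->shared_sigalgs[i]->sigandhash)
                return 1;
        }
        return 0;
    }
    return 1;
}

/*
 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
 * @s: SSL connection
 * @cid: Cipher ID we're considering using
 *
 * Checks that the kECDHE cipher suite we're considering using
 * is compatible with the client extensions.
 *
 * Outside Suite B any shared group suffices; in Suite B the ciphersuite
 * fixes the curve and that curve must pass tls1_check_group_id().
 *
 * Returns 0 when the cipher can't be used or 1 when it can.
 */
int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
{
    /* If not Suite B just need a shared group */
    if (!tls1_suiteb(s))
        return tls1_shared_group(s, 0) != 0;
    /*
     * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
     * curves permitted.
     */
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
        return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
        return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);

    return 0;
}

#else

/* Without EC support there are no curve parameters to check. */
static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
{
    return 1;
}

#endif                          /* OPENSSL_NO_EC */

/*
 * Default sigalg schemes.
 * The TLSEXT_SIGALG_* ids offered when no explicit list is configured;
 * listed in what appears to be descending order of preference, with
 * EC, DSA and GOST entries compiled in only when those algorithms are.
 */
static const uint16_t tls12_sigalgs[] = {
#ifndef OPENSSL_NO_EC
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
    TLSEXT_SIGALG_ed25519,
    TLSEXT_SIGALG_ed448,
#endif

    TLSEXT_SIGALG_rsa_pss_pss_sha256,
    TLSEXT_SIGALG_rsa_pss_pss_sha384,
    TLSEXT_SIGALG_rsa_pss_pss_sha512,
    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
    TLSEXT_SIGALG_rsa_pss_rsae_sha512,

    TLSEXT_SIGALG_rsa_pkcs1_sha256,
    TLSEXT_SIGALG_rsa_pkcs1_sha384,
    TLSEXT_SIGALG_rsa_pkcs1_sha512,

#ifndef OPENSSL_NO_EC
    TLSEXT_SIGALG_ecdsa_sha224,
    TLSEXT_SIGALG_ecdsa_sha1,
#endif
    TLSEXT_SIGALG_rsa_pkcs1_sha224,
    TLSEXT_SIGALG_rsa_pkcs1_sha1,
#ifndef OPENSSL_NO_DSA
    TLSEXT_SIGALG_dsa_sha224,
    TLSEXT_SIGALG_dsa_sha1,

    TLSEXT_SIGALG_dsa_sha256,
    TLSEXT_SIGALG_dsa_sha384,
    TLSEXT_SIGALG_dsa_sha512,
#endif
#ifndef OPENSSL_NO_GOST
    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
    TLSEXT_SIGALG_gostr34102001_gostr3411,
#endif
};

#ifndef OPENSSL_NO_EC
/* The only two signature schemes permitted in Suite B mode. */
static const uint16_t suiteb_sigalgs[] = {
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384
};
#endif

/*
 * Lookup table describing each supported signature scheme. Each row pairs
 * the scheme's IANA name (NULL for legacy schemes with no registered name)
 * and TLSEXT_SIGALG_* id with its hash, key type and certificate slot, the
 * combined signature+hash NID consulted by tls1_check_cert_param(), and the
 * curve a scheme is tied to (NID_undef when unconstrained).
 */
static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
#ifndef OPENSSL_NO_EC
    {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
    {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA384, NID_secp384r1},
    {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA512, NID_secp521r1},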
696e71b7053SJung-uk Kim {"ed25519", TLSEXT_SIGALG_ed25519, 697e71b7053SJung-uk Kim NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519, 698e71b7053SJung-uk Kim NID_undef, NID_undef}, 699e71b7053SJung-uk Kim {"ed448", TLSEXT_SIGALG_ed448, 700e71b7053SJung-uk Kim NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448, 701e71b7053SJung-uk Kim NID_undef, NID_undef}, 702e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_ecdsa_sha224, 703e71b7053SJung-uk Kim NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 704e71b7053SJung-uk Kim NID_ecdsa_with_SHA224, NID_undef}, 705e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_ecdsa_sha1, 706e71b7053SJung-uk Kim NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 707e71b7053SJung-uk Kim NID_ecdsa_with_SHA1, NID_undef}, 708e71b7053SJung-uk Kim #endif 709e71b7053SJung-uk Kim {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, 710e71b7053SJung-uk Kim NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 711e71b7053SJung-uk Kim NID_undef, NID_undef}, 712e71b7053SJung-uk Kim {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384, 713e71b7053SJung-uk Kim NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 714e71b7053SJung-uk Kim NID_undef, NID_undef}, 715e71b7053SJung-uk Kim {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512, 716e71b7053SJung-uk Kim NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 717e71b7053SJung-uk Kim NID_undef, NID_undef}, 718e71b7053SJung-uk Kim {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256, 719e71b7053SJung-uk Kim NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 720e71b7053SJung-uk Kim NID_undef, NID_undef}, 721e71b7053SJung-uk Kim {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384, 722e71b7053SJung-uk Kim NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 723e71b7053SJung-uk Kim NID_undef, NID_undef}, 724e71b7053SJung-uk Kim {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512, 725e71b7053SJung-uk Kim NID_sha512, 
SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 726e71b7053SJung-uk Kim NID_undef, NID_undef}, 727e71b7053SJung-uk Kim {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256, 728e71b7053SJung-uk Kim NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 729e71b7053SJung-uk Kim NID_sha256WithRSAEncryption, NID_undef}, 730e71b7053SJung-uk Kim {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384, 731e71b7053SJung-uk Kim NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 732e71b7053SJung-uk Kim NID_sha384WithRSAEncryption, NID_undef}, 733e71b7053SJung-uk Kim {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512, 734e71b7053SJung-uk Kim NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 735e71b7053SJung-uk Kim NID_sha512WithRSAEncryption, NID_undef}, 736e71b7053SJung-uk Kim {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224, 737e71b7053SJung-uk Kim NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 738e71b7053SJung-uk Kim NID_sha224WithRSAEncryption, NID_undef}, 739e71b7053SJung-uk Kim {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, 740e71b7053SJung-uk Kim NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 741e71b7053SJung-uk Kim NID_sha1WithRSAEncryption, NID_undef}, 742e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DSA 743e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_dsa_sha256, 744e71b7053SJung-uk Kim NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 745e71b7053SJung-uk Kim NID_dsa_with_SHA256, NID_undef}, 746e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_dsa_sha384, 747e71b7053SJung-uk Kim NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 748e71b7053SJung-uk Kim NID_undef, NID_undef}, 749e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_dsa_sha512, 750e71b7053SJung-uk Kim NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 751e71b7053SJung-uk Kim NID_undef, NID_undef}, 752e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_dsa_sha224, 753e71b7053SJung-uk Kim NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 
754e71b7053SJung-uk Kim NID_undef, NID_undef}, 755e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_dsa_sha1, 756e71b7053SJung-uk Kim NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 757e71b7053SJung-uk Kim NID_dsaWithSHA1, NID_undef}, 758e71b7053SJung-uk Kim #endif 759e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 760e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 761e71b7053SJung-uk Kim NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 762e71b7053SJung-uk Kim NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 763e71b7053SJung-uk Kim NID_undef, NID_undef}, 764e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 765e71b7053SJung-uk Kim NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 766e71b7053SJung-uk Kim NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 767e71b7053SJung-uk Kim NID_undef, NID_undef}, 768e71b7053SJung-uk Kim {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411, 769e71b7053SJung-uk Kim NID_id_GostR3411_94, SSL_MD_GOST94_IDX, 770e71b7053SJung-uk Kim NID_id_GostR3410_2001, SSL_PKEY_GOST01, 771e71b7053SJung-uk Kim NID_undef, NID_undef} 772e71b7053SJung-uk Kim #endif 773e71b7053SJung-uk Kim }; 774e71b7053SJung-uk Kim /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */ 775e71b7053SJung-uk Kim static const SIGALG_LOOKUP legacy_rsa_sigalg = { 776e71b7053SJung-uk Kim "rsa_pkcs1_md5_sha1", 0, 777e71b7053SJung-uk Kim NID_md5_sha1, SSL_MD_MD5_SHA1_IDX, 778e71b7053SJung-uk Kim EVP_PKEY_RSA, SSL_PKEY_RSA, 779e71b7053SJung-uk Kim NID_undef, NID_undef 780e71b7053SJung-uk Kim }; 7811f13597dSJung-uk Kim 7826f9291ceSJung-uk Kim /* 783e71b7053SJung-uk Kim * Default signature algorithm values used if signature algorithms not present. 784e71b7053SJung-uk Kim * From RFC5246. Note: order must match certificate index order. 
7851f13597dSJung-uk Kim */ 786e71b7053SJung-uk Kim static const uint16_t tls_default_sigalg[] = { 787e71b7053SJung-uk Kim TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ 788e71b7053SJung-uk Kim 0, /* SSL_PKEY_RSA_PSS_SIGN */ 789e71b7053SJung-uk Kim TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ 790e71b7053SJung-uk Kim TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ 791e71b7053SJung-uk Kim TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ 792e71b7053SJung-uk Kim TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */ 793e71b7053SJung-uk Kim TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */ 794e71b7053SJung-uk Kim 0, /* SSL_PKEY_ED25519 */ 795e71b7053SJung-uk Kim 0, /* SSL_PKEY_ED448 */ 7961f13597dSJung-uk Kim }; 7971f13597dSJung-uk Kim 798e71b7053SJung-uk Kim /* Lookup TLS signature algorithm */ 799e71b7053SJung-uk Kim static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg) 800e71b7053SJung-uk Kim { 801e71b7053SJung-uk Kim size_t i; 802e71b7053SJung-uk Kim const SIGALG_LOOKUP *s; 803e71b7053SJung-uk Kim 804e71b7053SJung-uk Kim for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 805e71b7053SJung-uk Kim i++, s++) { 806e71b7053SJung-uk Kim if (s->sigalg == sigalg) 807e71b7053SJung-uk Kim return s; 808e71b7053SJung-uk Kim } 809e71b7053SJung-uk Kim return NULL; 810e71b7053SJung-uk Kim } 811e71b7053SJung-uk Kim /* Lookup hash: return 0 if invalid or not enabled */ 812e71b7053SJung-uk Kim int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd) 813e71b7053SJung-uk Kim { 814e71b7053SJung-uk Kim const EVP_MD *md; 815e71b7053SJung-uk Kim if (lu == NULL) 816e71b7053SJung-uk Kim return 0; 817e71b7053SJung-uk Kim /* lu->hash == NID_undef means no associated digest */ 818e71b7053SJung-uk Kim if (lu->hash == NID_undef) { 819e71b7053SJung-uk Kim md = NULL; 820e71b7053SJung-uk Kim } else { 821e71b7053SJung-uk Kim md = ssl_md(lu->hash_idx); 822e71b7053SJung-uk Kim if (md == NULL) 
823e71b7053SJung-uk Kim return 0; 824e71b7053SJung-uk Kim } 825e71b7053SJung-uk Kim if (pmd) 826e71b7053SJung-uk Kim *pmd = md; 827e71b7053SJung-uk Kim return 1; 828e71b7053SJung-uk Kim } 829e71b7053SJung-uk Kim 830e71b7053SJung-uk Kim /* 831e71b7053SJung-uk Kim * Check if key is large enough to generate RSA-PSS signature. 832e71b7053SJung-uk Kim * 833e71b7053SJung-uk Kim * The key must greater than or equal to 2 * hash length + 2. 834e71b7053SJung-uk Kim * SHA512 has a hash length of 64 bytes, which is incompatible 835e71b7053SJung-uk Kim * with a 128 byte (1024 bit) key. 836e71b7053SJung-uk Kim */ 837e71b7053SJung-uk Kim #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2) 838e71b7053SJung-uk Kim static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu) 839e71b7053SJung-uk Kim { 840e71b7053SJung-uk Kim const EVP_MD *md; 841e71b7053SJung-uk Kim 842e71b7053SJung-uk Kim if (rsa == NULL) 843e71b7053SJung-uk Kim return 0; 844e71b7053SJung-uk Kim if (!tls1_lookup_md(lu, &md) || md == NULL) 845e71b7053SJung-uk Kim return 0; 846e71b7053SJung-uk Kim if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md)) 847e71b7053SJung-uk Kim return 0; 848e71b7053SJung-uk Kim return 1; 849e71b7053SJung-uk Kim } 850e71b7053SJung-uk Kim 851e71b7053SJung-uk Kim /* 852e71b7053SJung-uk Kim * Return a signature algorithm for TLS < 1.2 where the signature type 853e71b7053SJung-uk Kim * is fixed by the certificate type. 
854e71b7053SJung-uk Kim */ 855e71b7053SJung-uk Kim static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) 856e71b7053SJung-uk Kim { 857e71b7053SJung-uk Kim if (idx == -1) { 858e71b7053SJung-uk Kim if (s->server) { 859e71b7053SJung-uk Kim size_t i; 860e71b7053SJung-uk Kim 861e71b7053SJung-uk Kim /* Work out index corresponding to ciphersuite */ 862e71b7053SJung-uk Kim for (i = 0; i < SSL_PKEY_NUM; i++) { 863e71b7053SJung-uk Kim const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i); 864e71b7053SJung-uk Kim 865e71b7053SJung-uk Kim if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) { 866e71b7053SJung-uk Kim idx = i; 867e71b7053SJung-uk Kim break; 868e71b7053SJung-uk Kim } 869e71b7053SJung-uk Kim } 870e71b7053SJung-uk Kim 871e71b7053SJung-uk Kim /* 872e71b7053SJung-uk Kim * Some GOST ciphersuites allow more than one signature algorithms 873e71b7053SJung-uk Kim * */ 874e71b7053SJung-uk Kim if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) { 875e71b7053SJung-uk Kim int real_idx; 876e71b7053SJung-uk Kim 877e71b7053SJung-uk Kim for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01; 878e71b7053SJung-uk Kim real_idx--) { 879e71b7053SJung-uk Kim if (s->cert->pkeys[real_idx].privatekey != NULL) { 880e71b7053SJung-uk Kim idx = real_idx; 881e71b7053SJung-uk Kim break; 882e71b7053SJung-uk Kim } 883e71b7053SJung-uk Kim } 884e71b7053SJung-uk Kim } 885e71b7053SJung-uk Kim } else { 886e71b7053SJung-uk Kim idx = s->cert->key - s->cert->pkeys; 887e71b7053SJung-uk Kim } 888e71b7053SJung-uk Kim } 889e71b7053SJung-uk Kim if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) 890e71b7053SJung-uk Kim return NULL; 891e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { 892e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]); 893e71b7053SJung-uk Kim 894e71b7053SJung-uk Kim if (!tls1_lookup_md(lu, NULL)) 895e71b7053SJung-uk Kim return NULL; 896e71b7053SJung-uk Kim 
return lu; 897e71b7053SJung-uk Kim } 898e71b7053SJung-uk Kim return &legacy_rsa_sigalg; 899e71b7053SJung-uk Kim } 900e71b7053SJung-uk Kim /* Set peer sigalg based key type */ 901e71b7053SJung-uk Kim int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey) 902e71b7053SJung-uk Kim { 903e71b7053SJung-uk Kim size_t idx; 904e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu; 905e71b7053SJung-uk Kim 906e71b7053SJung-uk Kim if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 907e71b7053SJung-uk Kim return 0; 908e71b7053SJung-uk Kim lu = tls1_get_legacy_sigalg(s, idx); 909e71b7053SJung-uk Kim if (lu == NULL) 910e71b7053SJung-uk Kim return 0; 911e71b7053SJung-uk Kim s->s3->tmp.peer_sigalg = lu; 912e71b7053SJung-uk Kim return 1; 913e71b7053SJung-uk Kim } 914e71b7053SJung-uk Kim 915e71b7053SJung-uk Kim size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) 9161f13597dSJung-uk Kim { 9177bded2dbSJung-uk Kim /* 9187bded2dbSJung-uk Kim * If Suite B mode use Suite B sigalgs only, ignore any other 9197bded2dbSJung-uk Kim * preferences. 9207bded2dbSJung-uk Kim */ 9217bded2dbSJung-uk Kim #ifndef OPENSSL_NO_EC 9227bded2dbSJung-uk Kim switch (tls1_suiteb(s)) { 9237bded2dbSJung-uk Kim case SSL_CERT_FLAG_SUITEB_128_LOS: 9247bded2dbSJung-uk Kim *psigs = suiteb_sigalgs; 925e71b7053SJung-uk Kim return OSSL_NELEM(suiteb_sigalgs); 9267bded2dbSJung-uk Kim 9277bded2dbSJung-uk Kim case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 9287bded2dbSJung-uk Kim *psigs = suiteb_sigalgs; 929e71b7053SJung-uk Kim return 1; 9307bded2dbSJung-uk Kim 9317bded2dbSJung-uk Kim case SSL_CERT_FLAG_SUITEB_192_LOS: 932e71b7053SJung-uk Kim *psigs = suiteb_sigalgs + 1; 933e71b7053SJung-uk Kim return 1; 9347bded2dbSJung-uk Kim } 9357bded2dbSJung-uk Kim #endif 936e71b7053SJung-uk Kim /* 937e71b7053SJung-uk Kim * We use client_sigalgs (if not NULL) if we're a server 938e71b7053SJung-uk Kim * and sending a certificate request or if we're a client and 939e71b7053SJung-uk Kim * determining which shared algorithm to use. 
940e71b7053SJung-uk Kim */ 941e71b7053SJung-uk Kim if ((s->server == sent) && s->cert->client_sigalgs != NULL) { 9427bded2dbSJung-uk Kim *psigs = s->cert->client_sigalgs; 9437bded2dbSJung-uk Kim return s->cert->client_sigalgslen; 9447bded2dbSJung-uk Kim } else if (s->cert->conf_sigalgs) { 9457bded2dbSJung-uk Kim *psigs = s->cert->conf_sigalgs; 9467bded2dbSJung-uk Kim return s->cert->conf_sigalgslen; 9477bded2dbSJung-uk Kim } else { 9487bded2dbSJung-uk Kim *psigs = tls12_sigalgs; 949e71b7053SJung-uk Kim return OSSL_NELEM(tls12_sigalgs); 9507bded2dbSJung-uk Kim } 9517bded2dbSJung-uk Kim } 9527bded2dbSJung-uk Kim 953c9cf7b5cSJung-uk Kim #ifndef OPENSSL_NO_EC 954c9cf7b5cSJung-uk Kim /* 955c9cf7b5cSJung-uk Kim * Called by servers only. Checks that we have a sig alg that supports the 956c9cf7b5cSJung-uk Kim * specified EC curve. 957c9cf7b5cSJung-uk Kim */ 958c9cf7b5cSJung-uk Kim int tls_check_sigalg_curve(const SSL *s, int curve) 959c9cf7b5cSJung-uk Kim { 960c9cf7b5cSJung-uk Kim const uint16_t *sigs; 961c9cf7b5cSJung-uk Kim size_t siglen, i; 962c9cf7b5cSJung-uk Kim 963c9cf7b5cSJung-uk Kim if (s->cert->conf_sigalgs) { 964c9cf7b5cSJung-uk Kim sigs = s->cert->conf_sigalgs; 965c9cf7b5cSJung-uk Kim siglen = s->cert->conf_sigalgslen; 966c9cf7b5cSJung-uk Kim } else { 967c9cf7b5cSJung-uk Kim sigs = tls12_sigalgs; 968c9cf7b5cSJung-uk Kim siglen = OSSL_NELEM(tls12_sigalgs); 969c9cf7b5cSJung-uk Kim } 970c9cf7b5cSJung-uk Kim 971c9cf7b5cSJung-uk Kim for (i = 0; i < siglen; i++) { 972c9cf7b5cSJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigs[i]); 973c9cf7b5cSJung-uk Kim 974c9cf7b5cSJung-uk Kim if (lu == NULL) 975c9cf7b5cSJung-uk Kim continue; 976c9cf7b5cSJung-uk Kim if (lu->sig == EVP_PKEY_EC 977c9cf7b5cSJung-uk Kim && lu->curve != NID_undef 978c9cf7b5cSJung-uk Kim && curve == lu->curve) 979c9cf7b5cSJung-uk Kim return 1; 980c9cf7b5cSJung-uk Kim } 981c9cf7b5cSJung-uk Kim 982c9cf7b5cSJung-uk Kim return 0; 983c9cf7b5cSJung-uk Kim } 984c9cf7b5cSJung-uk Kim #endif 

/*
 * Check signature algorithm is consistent with sent supported signature
 * algorithms and if so set relevant digest and signature scheme in
 * s.
 *
 * sig:  the code point the peer sent alongside its signature.
 * pkey: the peer's public key the signature will be verified with.
 *
 * Returns 1 and records the scheme in s->s3->tmp.peer_sigalg on success.
 * Returns 0 after raising a fatal alert via SSLfatal() when any check fails.
 * Returns -1 without an alert only when pkey has no type, which the comment
 * below marks as not expected to happen.
 *
 * Checks, in order: key type permitted for the protocol version; scheme
 * known and compatible with the key type; scheme's certificate slot matches
 * the key; EC point-format and curve constraints (TLS 1.3, Suite B, the
 * supported_groups extension); scheme is one we advertised (with the SHA-1
 * exception noted below); digest available; security level accepts it.
 */
int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
{
    const uint16_t *sent_sigs;
    const EVP_MD *md = NULL;
    char sigalgstr[2];
    size_t sent_sigslen, i, cidx;
    int pkeyid = EVP_PKEY_id(pkey);
    const SIGALG_LOOKUP *lu;

    /* Should never happen */
    if (pkeyid == -1)
        return -1;
    if (SSL_IS_TLS13(s)) {
        /* Disallow DSA for TLS 1.3 */
        if (pkeyid == EVP_PKEY_DSA) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
                     SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
        /*
         * Only allow PSS for TLS 1.3. Coercing the key type to RSA-PSS makes
         * the key-type test below reject rsa_pkcs1_* (table sig EVP_PKEY_RSA)
         * and accept rsa_pss_rsae_* / rsa_pss_pss_* (table sig
         * EVP_PKEY_RSA_PSS). The original key id is still used for the
         * certificate-slot check further down.
         */
        if (pkeyid == EVP_PKEY_RSA)
            pkeyid = EVP_PKEY_RSA_PSS;
    }
    lu = tls1_lookup_sigalg(sig);
    /*
     * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
     * is consistent with signature: RSA keys can be used for RSA-PSS
     */
    if (lu == NULL
        || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
        || (pkeyid != lu->sig
        && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
    /*
     * Check the sigalg is consistent with the key OID. This uses the
     * un-coerced EVP_PKEY_id(pkey): a plain RSA key maps to SSL_PKEY_RSA, so
     * an rsa_pss_pss_* scheme (sig_idx SSL_PKEY_RSA_PSS_SIGN) is rejected
     * for it even though the key-type test above accepted it.
     */
    if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx)
            || lu->sig_idx != (int)cidx) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }

#ifndef OPENSSL_NO_EC
    if (pkeyid == EVP_PKEY_EC) {

        /* Check point compression is permitted */
        if (!tls1_check_pkey_comp(s, pkey)) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS12_CHECK_PEER_SIGALG,
                     SSL_R_ILLEGAL_POINT_COMPRESSION);
            return 0;
        }

        /*
         * For TLS 1.3 or Suite B check curve matches signature algorithm.
         * Only schemes bound to a curve in the table (lu->curve != NID_undef)
         * are constrained here.
         */
        if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
            EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
            int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));

            if (lu->curve != NID_undef && curve != lu->curve) {
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                         SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
                return 0;
            }
        }
        if (!SSL_IS_TLS13(s)) {
            /* Check curve matches extensions */
            if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                         SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
                return 0;
            }
            if (tls1_suiteb(s)) {
                /* Check sigalg matches a permissible Suite B value */
                if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
                    && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS12_CHECK_PEER_SIGALG,
                             SSL_R_WRONG_SIGNATURE_TYPE);
                    return 0;
                }
            }
        }
    } else if (tls1_suiteb(s)) {
        /* Suite B permits ECDSA keys only */
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
#endif

    /* Check signature matches a type we sent */
    sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
    for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
        if (sig == *sent_sigs)
            break;
    }
    /*
     * Allow fallback to SHA1 if not strict mode: a scheme we did not
     * advertise is still accepted when its digest is SHA-1 and
     * SSL_CERT_FLAGS_CHECK_TLS_STRICT is clear. TLS 1.3 never gets here with
     * SHA-1 because of the earlier check, and the security-level check below
     * still applies to the fallback.
     */
    if (i == sent_sigslen && (lu->hash != NID_sha1
        || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
    if (!tls1_lookup_md(lu, &md)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_UNKNOWN_DIGEST);
        return 0;
    }
    /* md is NULL for schemes without a separate digest (EdDSA): no level check */
    if (md != NULL) {
        /*
         * Make sure security callback allows algorithm. For historical
         * reasons we have to pass the sigalg as a two byte char array.
         * The strength passed is 4 * digest size in bytes, e.g. 128 bits
         * for SHA-256.
         */
        sigalgstr[0] = (sig >> 8) & 0xff;
        sigalgstr[1] = sig & 0xff;
        if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
                    EVP_MD_size(md) * 4, EVP_MD_type(md),
                    (void *)sigalgstr)) {
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                     SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
    }
    /* Store the sigalg the peer uses */
    s->s3->tmp.peer_sigalg = lu;
    return 1;
}

/*
 * Public API: report the key type (the EVP_PKEY_* / NID value in the
 * scheme's sig field, e.g. EVP_PKEY_RSA_PSS for PSS schemes) of the
 * signature scheme the peer used. Returns 1 and sets *pnid, or returns 0
 * with *pnid untouched if no peer scheme has been recorded on s.
 */
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
{
    if (s->s3->tmp.peer_sigalg == NULL)
        return 0;
    *pnid = s->s3->tmp.peer_sigalg->sig;
    return 1;
}

/*
 * Public API: same as SSL_get_peer_signature_type_nid() but for the scheme
 * selected for our own signatures (s->s3->tmp.sigalg). Returns 0 with *pnid
 * untouched if none has been selected.
 */
int SSL_get_signature_type_nid(const SSL *s, int *pnid)
{
    if (s->s3->tmp.sigalg == NULL)
        return 0;
    *pnid = s->s3->tmp.sigalg->sig;
    return 1;
}

/*
 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
 * supported, doesn't appear in supported signature algorithms, isn't supported
 * by the enabled protocol versions or by the security level.
 *
 * This function should only be used for checking which ciphers are supported
 * by the client.
 *
 * Call ssl_cipher_disabled() to check that it's enabled or not.
 *
 * Fills s->s3->tmp.mask_a / mask_k (authentication and key-exchange bits to
 * disable) and s->s3->tmp.min_ver / max_ver. Returns 1 on success, 0 when
 * ssl_get_min_max_version() fails; note that helper signals an error with a
 * non-zero return, the opposite convention from this function.
 */
int ssl_set_client_disabled(SSL *s)
{
    s->s3->tmp.mask_a = 0;
    s->s3->tmp.mask_k = 0;
    ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
    if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver,
                                &s->s3->tmp.max_ver, NULL) != 0)
        return 0;
#ifndef OPENSSL_NO_PSK
    /* with PSK there must be client callback set */
    if (!s->psk_client_callback) {
        s->s3->tmp.mask_a |= SSL_aPSK;
        s->s3->tmp.mask_k |= SSL_PSK;
    }
#endif                          /* OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_SRP
    /* SRP ciphers are only usable once the SRP context has been set up */
    if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
        s->s3->tmp.mask_a |= SSL_aSRP;
        s->s3->tmp.mask_k |= SSL_kSRP;
    }
#endif
    return 1;
}

/*
 * ssl_cipher_disabled - check that a cipher is disabled or not
 * @s: SSL connection that you want to use the cipher on
 * @c: cipher to check
 * @op: Security check that you want to do
 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
 *
 * Returns 1 when it's disabled, 0 when enabled.
 *
 * Relies on the masks and version range that ssl_set_client_disabled()
 * stores in s->s3->tmp. The cipher is disabled if its key-exchange or
 * authentication bits are masked, if max_ver is 0, if its version range
 * (TLS or DTLS as appropriate) does not overlap [min_ver, max_ver], or if
 * the security callback rejects it at c->strength_bits for operation op.
 */
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
{
    if (c->algorithm_mkey & s->s3->tmp.mask_k
        || c->algorithm_auth & s->s3->tmp.mask_a)
        return 1;
    /* max_ver of 0: presumably no protocol version is enabled at all */
    if (s->s3->tmp.max_ver == 0)
        return 1;
    if (!SSL_IS_DTLS(s)) {
        int min_tls = c->min_tls;

        /*
         * For historical reasons we will allow ECDHE to be selected by a server
         * in SSLv3 if we are a client
         */
        if (min_tls == TLS1_VERSION && ecdhe
            && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
            min_tls = SSL3_VERSION;

        if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
            return 1;
    }
    /* DTLS version numbers compare in reverse, hence the dedicated macros */
    if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
                           || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
        return 1;

    return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}

/*
 * Returns non-zero if session tickets may be used on s: SSL_OP_NO_TICKET
 * must be clear and the security callback must permit SSL_SECOP_TICKET.
 */
int tls_use_ticket(SSL *s)
{
    if ((s->options & SSL_OP_NO_TICKET))
        return 0;
    return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}

/*
 * Server side: work out which of our certificate slots can sign in this
 * handshake, given the signature algorithms the peer sent (if any).
 *
 * Frees any previously computed shared_sigalgs and clears every
 * valid_flags entry first. If the peer sent neither signature_algorithms
 * nor signature_algorithms_cert, a slot is marked CERT_PKEY_SIGN when its
 * legacy default scheme is among the schemes we advertise. Otherwise
 * tls1_process_sigalgs() computes s->shared_sigalgs; an empty result is a
 * handshake failure.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls1_set_server_sigalgs(SSL *s)
{
    size_t i;

    /* Clear any shared signature algorithms */
    OPENSSL_free(s->shared_sigalgs);
    s->shared_sigalgs = NULL;
    s->shared_sigalgslen = 0;
    /* Clear certificate validity flags */
    for (i = 0; i < SSL_PKEY_NUM; i++)
        s->s3->tmp.valid_flags[i] = 0;
    /*
     * If peer sent no signature algorithms check to see if we support
     * the default algorithm for each certificate type
     */
    if (s->s3->tmp.peer_cert_sigalgs == NULL
            && s->s3->tmp.peer_sigalgs == NULL) {
        const uint16_t *sent_sigs;
        /* sent == 1 on the server selects client_sigalgs when configured */
        size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);

        for (i = 0; i < SSL_PKEY_NUM; i++) {
            const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
            size_t j;

            /* NULL: slot has no default scheme or its digest is unavailable */
            if (lu == NULL)
                continue;
            /* Check default matches a type we sent */
            for (j = 0; j < sent_sigslen; j++) {
                if (lu->sigalg == sent_sigs[j]) {
                    s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
                    break;
                }
            }
        }
        return 1;
    }

    if (!tls1_process_sigalgs(s)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (s->shared_sigalgs != NULL)
        return 1;

    /* Fatal error if no shared signature algorithms */
    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
             SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
    return 0;
}

/*-
 * Gets the ticket information supplied by the client if any.
 *
 * hello: The parsed ClientHello data
 * ret: (output) on return, if a ticket was decrypted, then this is set to
 *      point to the resulting session.
 *
 * Always resets *ret to NULL and s->ext.ticket_expected to 0 first.
 * Returns SSL_TICKET_NONE when the version is SSLv3 or lower, tickets are
 * not usable (tls_use_ticket()), or the session_ticket extension is absent;
 * otherwise returns whatever tls_decrypt_ticket() reports for the
 * extension body.
 */
SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
                                             SSL_SESSION **ret)
{
    size_t size;
    RAW_EXTENSION *ticketext;

    *ret = NULL;
    s->ext.ticket_expected = 0;

    /*
     * If tickets disabled or not supported by the protocol version
     * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
     * resumption.
     */
    if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
        return SSL_TICKET_NONE;

    ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
    if (!ticketext->present)
        return SSL_TICKET_NONE;

    size = PACKET_remaining(&ticketext->data);

    return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
                              hello->session_id, hello->session_id_len, ret);
}

/*-
 * tls_decrypt_ticket attempts to decrypt a session ticket.
 *
 * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are
 * expecting a pre-shared key ciphersuite, in which case we have no use for
 * session tickets and one will never be decrypted, nor will
 * s->ext.ticket_expected be set to 1.
 *
 * Side effects:
 *   Sets s->ext.ticket_expected to 1 if the server will have to issue
 *   a new session ticket to the client because the client indicated support
 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
 *   a session ticket or we couldn't use the one it gave us, or if
 *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
 *   Otherwise, s->ext.ticket_expected is set to 0.
 *
 * etick: points to the body of the session ticket extension.
 * eticklen: the length of the session tickets extension.
1317e71b7053SJung-uk Kim * sess_id: points at the session ID. 1318e71b7053SJung-uk Kim * sesslen: the length of the session ID. 1319e71b7053SJung-uk Kim * psess: (output) on return, if a ticket was decrypted, then this is set to 1320e71b7053SJung-uk Kim * point to the resulting session. 1321db522d3aSSimon L. B. Nielsen */ 1322e71b7053SJung-uk Kim SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, 1323e71b7053SJung-uk Kim size_t eticklen, const unsigned char *sess_id, 1324e71b7053SJung-uk Kim size_t sesslen, SSL_SESSION **psess) 1325db522d3aSSimon L. B. Nielsen { 1326e71b7053SJung-uk Kim SSL_SESSION *sess = NULL; 1327e71b7053SJung-uk Kim unsigned char *sdec; 1328e71b7053SJung-uk Kim const unsigned char *p; 1329e71b7053SJung-uk Kim int slen, renew_ticket = 0, declen; 1330e71b7053SJung-uk Kim SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER; 1331e71b7053SJung-uk Kim size_t mlen; 1332e71b7053SJung-uk Kim unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 1333e71b7053SJung-uk Kim HMAC_CTX *hctx = NULL; 1334e71b7053SJung-uk Kim EVP_CIPHER_CTX *ctx = NULL; 1335e71b7053SJung-uk Kim SSL_CTX *tctx = s->session_ctx; 1336db522d3aSSimon L. B. Nielsen 1337e71b7053SJung-uk Kim if (eticklen == 0) { 13386f9291ceSJung-uk Kim /* 13396f9291ceSJung-uk Kim * The client will accept a ticket but doesn't currently have 1340e71b7053SJung-uk Kim * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3 13416f9291ceSJung-uk Kim */ 1342e71b7053SJung-uk Kim ret = SSL_TICKET_EMPTY; 1343e71b7053SJung-uk Kim goto end; 1344db522d3aSSimon L. B. Nielsen } 1345e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) { 13466f9291ceSJung-uk Kim /* 13476f9291ceSJung-uk Kim * Indicate that the ticket couldn't be decrypted rather than 13486f9291ceSJung-uk Kim * generating the session from ticket now, trigger 13496f9291ceSJung-uk Kim * abbreviated handshake based on external mechanism to 13506f9291ceSJung-uk Kim * calculate the master secret later. 
13516f9291ceSJung-uk Kim */ 1352e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1353e71b7053SJung-uk Kim goto end; 13541f13597dSJung-uk Kim } 1355aeb5019cSJung-uk Kim 1356dee36b4fSJung-uk Kim /* Need at least keyname + iv */ 1357e71b7053SJung-uk Kim if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) { 1358e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1359e71b7053SJung-uk Kim goto end; 1360e71b7053SJung-uk Kim } 1361dee36b4fSJung-uk Kim 1362db522d3aSSimon L. B. Nielsen /* Initialize session ticket encryption and HMAC contexts */ 1363e71b7053SJung-uk Kim hctx = HMAC_CTX_new(); 1364e71b7053SJung-uk Kim if (hctx == NULL) { 1365e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_MALLOC; 1366e71b7053SJung-uk Kim goto end; 1367e71b7053SJung-uk Kim } 1368e71b7053SJung-uk Kim ctx = EVP_CIPHER_CTX_new(); 1369e71b7053SJung-uk Kim if (ctx == NULL) { 1370e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_MALLOC; 1371e71b7053SJung-uk Kim goto end; 1372e71b7053SJung-uk Kim } 1373e71b7053SJung-uk Kim if (tctx->ext.ticket_key_cb) { 1374db522d3aSSimon L. B. Nielsen unsigned char *nctick = (unsigned char *)etick; 1375e71b7053SJung-uk Kim int rv = tctx->ext.ticket_key_cb(s, nctick, 1376e71b7053SJung-uk Kim nctick + TLSEXT_KEYNAME_LENGTH, 1377e71b7053SJung-uk Kim ctx, hctx, 0); 1378e71b7053SJung-uk Kim if (rv < 0) { 1379e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1380e71b7053SJung-uk Kim goto end; 1381e71b7053SJung-uk Kim } 1382dee36b4fSJung-uk Kim if (rv == 0) { 1383e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1384e71b7053SJung-uk Kim goto end; 1385dee36b4fSJung-uk Kim } 1386db522d3aSSimon L. B. Nielsen if (rv == 2) 1387db522d3aSSimon L. B. Nielsen renew_ticket = 1; 13886f9291ceSJung-uk Kim } else { 1389db522d3aSSimon L. B. 
Nielsen /* Check key name matches */ 1390e71b7053SJung-uk Kim if (memcmp(etick, tctx->ext.tick_key_name, 1391e71b7053SJung-uk Kim TLSEXT_KEYNAME_LENGTH) != 0) { 1392e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1393e71b7053SJung-uk Kim goto end; 139480815a77SJung-uk Kim } 1395e71b7053SJung-uk Kim if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key, 1396e71b7053SJung-uk Kim sizeof(tctx->ext.secure->tick_hmac_key), 1397e71b7053SJung-uk Kim EVP_sha256(), NULL) <= 0 1398e71b7053SJung-uk Kim || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 1399e71b7053SJung-uk Kim tctx->ext.secure->tick_aes_key, 1400e71b7053SJung-uk Kim etick + TLSEXT_KEYNAME_LENGTH) <= 0) { 1401e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1402e71b7053SJung-uk Kim goto end; 1403e71b7053SJung-uk Kim } 1404e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) 1405e71b7053SJung-uk Kim renew_ticket = 1; 1406db522d3aSSimon L. B. Nielsen } 14076f9291ceSJung-uk Kim /* 14086f9291ceSJung-uk Kim * Attempt to process session ticket, first conduct sanity and integrity 14096f9291ceSJung-uk Kim * checks on ticket. 1410db522d3aSSimon L. B. Nielsen */ 1411e71b7053SJung-uk Kim mlen = HMAC_size(hctx); 1412e71b7053SJung-uk Kim if (mlen == 0) { 1413e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1414e71b7053SJung-uk Kim goto end; 1415aeb5019cSJung-uk Kim } 1416aeb5019cSJung-uk Kim 1417e71b7053SJung-uk Kim /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 1418e71b7053SJung-uk Kim if (eticklen <= 1419e71b7053SJung-uk Kim TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) { 1420e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1421e71b7053SJung-uk Kim goto end; 1422e71b7053SJung-uk Kim } 1423db522d3aSSimon L. B. Nielsen eticklen -= mlen; 1424db522d3aSSimon L. B. 
Nielsen /* Check HMAC of encrypted ticket */ 1425e71b7053SJung-uk Kim if (HMAC_Update(hctx, etick, eticklen) <= 0 1426e71b7053SJung-uk Kim || HMAC_Final(hctx, tick_hmac, NULL) <= 0) { 1427e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1428e71b7053SJung-uk Kim goto end; 142980815a77SJung-uk Kim } 1430e71b7053SJung-uk Kim 14316f9291ceSJung-uk Kim if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 1432e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1433e71b7053SJung-uk Kim goto end; 1434fa5fddf1SJung-uk Kim } 1435db522d3aSSimon L. B. Nielsen /* Attempt to decrypt session data */ 1436db522d3aSSimon L. B. Nielsen /* Move p after IV to start of encrypted ticket, update length */ 1437e71b7053SJung-uk Kim p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); 1438e71b7053SJung-uk Kim eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); 1439db522d3aSSimon L. B. Nielsen sdec = OPENSSL_malloc(eticklen); 1440e71b7053SJung-uk Kim if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, 1441e71b7053SJung-uk Kim (int)eticklen) <= 0) { 1442b8721c16SJung-uk Kim OPENSSL_free(sdec); 1443e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1444e71b7053SJung-uk Kim goto end; 1445db522d3aSSimon L. B. Nielsen } 1446e71b7053SJung-uk Kim if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) { 1447a93cbc2bSJung-uk Kim OPENSSL_free(sdec); 1448e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1449e71b7053SJung-uk Kim goto end; 1450a93cbc2bSJung-uk Kim } 1451e71b7053SJung-uk Kim slen += declen; 1452db522d3aSSimon L. B. Nielsen p = sdec; 1453db522d3aSSimon L. B. Nielsen 1454db522d3aSSimon L. B. Nielsen sess = d2i_SSL_SESSION(NULL, &p, slen); 1455ed7112f0SJung-uk Kim slen -= p - sdec; 1456db522d3aSSimon L. B. 
Nielsen OPENSSL_free(sdec); 14576f9291ceSJung-uk Kim if (sess) { 1458ed7112f0SJung-uk Kim /* Some additional consistency checks */ 1459e71b7053SJung-uk Kim if (slen != 0) { 1460ed7112f0SJung-uk Kim SSL_SESSION_free(sess); 1461e71b7053SJung-uk Kim sess = NULL; 1462e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1463e71b7053SJung-uk Kim goto end; 1464ed7112f0SJung-uk Kim } 14656f9291ceSJung-uk Kim /* 14666f9291ceSJung-uk Kim * The session ID, if non-empty, is used by some clients to detect 14676f9291ceSJung-uk Kim * that the ticket has been accepted. So we copy it to the session 14686f9291ceSJung-uk Kim * structure. If it is empty set length to zero as required by 14696f9291ceSJung-uk Kim * standard. 1470db522d3aSSimon L. B. Nielsen */ 1471e71b7053SJung-uk Kim if (sesslen) { 1472db522d3aSSimon L. B. Nielsen memcpy(sess->session_id, sess_id, sesslen); 1473db522d3aSSimon L. B. Nielsen sess->session_id_length = sesslen; 1474e71b7053SJung-uk Kim } 14751f13597dSJung-uk Kim if (renew_ticket) 1476e71b7053SJung-uk Kim ret = SSL_TICKET_SUCCESS_RENEW; 14771f13597dSJung-uk Kim else 1478e71b7053SJung-uk Kim ret = SSL_TICKET_SUCCESS; 1479e71b7053SJung-uk Kim goto end; 14801f13597dSJung-uk Kim } 14811f13597dSJung-uk Kim ERR_clear_error(); 14826f9291ceSJung-uk Kim /* 14836f9291ceSJung-uk Kim * For session parse failure, indicate that we need to send a new ticket. 14846f9291ceSJung-uk Kim */ 1485e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 14861f13597dSJung-uk Kim 1487e71b7053SJung-uk Kim end: 1488e71b7053SJung-uk Kim EVP_CIPHER_CTX_free(ctx); 1489e71b7053SJung-uk Kim HMAC_CTX_free(hctx); 14901f13597dSJung-uk Kim 1491e71b7053SJung-uk Kim /* 1492e71b7053SJung-uk Kim * If set, the decrypt_ticket_cb() is called unless a fatal error was 1493e71b7053SJung-uk Kim * detected above. 
The callback is responsible for checking |ret| before it 1494e71b7053SJung-uk Kim * performs any action 1495e71b7053SJung-uk Kim */ 1496e71b7053SJung-uk Kim if (s->session_ctx->decrypt_ticket_cb != NULL 1497e71b7053SJung-uk Kim && (ret == SSL_TICKET_EMPTY 1498e71b7053SJung-uk Kim || ret == SSL_TICKET_NO_DECRYPT 1499e71b7053SJung-uk Kim || ret == SSL_TICKET_SUCCESS 1500e71b7053SJung-uk Kim || ret == SSL_TICKET_SUCCESS_RENEW)) { 1501e71b7053SJung-uk Kim size_t keyname_len = eticklen; 1502e71b7053SJung-uk Kim int retcb; 15031f13597dSJung-uk Kim 1504e71b7053SJung-uk Kim if (keyname_len > TLSEXT_KEYNAME_LENGTH) 1505e71b7053SJung-uk Kim keyname_len = TLSEXT_KEYNAME_LENGTH; 1506e71b7053SJung-uk Kim retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len, 1507e71b7053SJung-uk Kim ret, 1508e71b7053SJung-uk Kim s->session_ctx->ticket_cb_data); 1509e71b7053SJung-uk Kim switch (retcb) { 1510e71b7053SJung-uk Kim case SSL_TICKET_RETURN_ABORT: 1511e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1512e71b7053SJung-uk Kim break; 15131f13597dSJung-uk Kim 1514e71b7053SJung-uk Kim case SSL_TICKET_RETURN_IGNORE: 1515e71b7053SJung-uk Kim ret = SSL_TICKET_NONE; 1516e71b7053SJung-uk Kim SSL_SESSION_free(sess); 1517e71b7053SJung-uk Kim sess = NULL; 1518e71b7053SJung-uk Kim break; 15191f13597dSJung-uk Kim 1520e71b7053SJung-uk Kim case SSL_TICKET_RETURN_IGNORE_RENEW: 1521e71b7053SJung-uk Kim if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT) 1522e71b7053SJung-uk Kim ret = SSL_TICKET_NO_DECRYPT; 1523e71b7053SJung-uk Kim /* else the value of |ret| will already do the right thing */ 1524e71b7053SJung-uk Kim SSL_SESSION_free(sess); 1525e71b7053SJung-uk Kim sess = NULL; 1526e71b7053SJung-uk Kim break; 15276f9291ceSJung-uk Kim 1528e71b7053SJung-uk Kim case SSL_TICKET_RETURN_USE: 1529e71b7053SJung-uk Kim case SSL_TICKET_RETURN_USE_RENEW: 1530e71b7053SJung-uk Kim if (ret != SSL_TICKET_SUCCESS 1531e71b7053SJung-uk Kim && ret != SSL_TICKET_SUCCESS_RENEW) 
1532e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 1533e71b7053SJung-uk Kim else if (retcb == SSL_TICKET_RETURN_USE) 1534e71b7053SJung-uk Kim ret = SSL_TICKET_SUCCESS; 1535e71b7053SJung-uk Kim else 1536e71b7053SJung-uk Kim ret = SSL_TICKET_SUCCESS_RENEW; 1537e71b7053SJung-uk Kim break; 15381f13597dSJung-uk Kim 15391f13597dSJung-uk Kim default: 1540e71b7053SJung-uk Kim ret = SSL_TICKET_FATAL_ERR_OTHER; 15411f13597dSJung-uk Kim } 15421f13597dSJung-uk Kim } 15431f13597dSJung-uk Kim 1544e71b7053SJung-uk Kim if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) { 1545e71b7053SJung-uk Kim switch (ret) { 1546e71b7053SJung-uk Kim case SSL_TICKET_NO_DECRYPT: 1547e71b7053SJung-uk Kim case SSL_TICKET_SUCCESS_RENEW: 1548e71b7053SJung-uk Kim case SSL_TICKET_EMPTY: 1549e71b7053SJung-uk Kim s->ext.ticket_expected = 1; 1550e71b7053SJung-uk Kim } 1551e71b7053SJung-uk Kim } 1552e71b7053SJung-uk Kim 1553e71b7053SJung-uk Kim *psess = sess; 1554e71b7053SJung-uk Kim 1555e71b7053SJung-uk Kim return ret; 1556e71b7053SJung-uk Kim } 1557e71b7053SJung-uk Kim 1558e71b7053SJung-uk Kim /* Check to see if a signature algorithm is allowed */ 1559e71b7053SJung-uk Kim static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu) 15607bded2dbSJung-uk Kim { 1561e71b7053SJung-uk Kim unsigned char sigalgstr[2]; 1562e71b7053SJung-uk Kim int secbits; 1563e71b7053SJung-uk Kim 1564e71b7053SJung-uk Kim /* See if sigalgs is recognised and if hash is enabled */ 1565e71b7053SJung-uk Kim if (!tls1_lookup_md(lu, NULL)) 1566e71b7053SJung-uk Kim return 0; 1567e71b7053SJung-uk Kim /* DSA is not allowed in TLS 1.3 */ 1568e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) 1569e71b7053SJung-uk Kim return 0; 1570e71b7053SJung-uk Kim /* TODO(OpenSSL1.2) fully axe DSA/etc. 
in ClientHello per TLS 1.3 spec */ 1571e71b7053SJung-uk Kim if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION 1572e71b7053SJung-uk Kim && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX 1573e71b7053SJung-uk Kim || lu->hash_idx == SSL_MD_MD5_IDX 1574e71b7053SJung-uk Kim || lu->hash_idx == SSL_MD_SHA224_IDX)) 1575e71b7053SJung-uk Kim return 0; 1576e71b7053SJung-uk Kim 1577e71b7053SJung-uk Kim /* See if public key algorithm allowed */ 1578e71b7053SJung-uk Kim if (ssl_cert_is_disabled(lu->sig_idx)) 1579e71b7053SJung-uk Kim return 0; 1580e71b7053SJung-uk Kim 1581e71b7053SJung-uk Kim if (lu->sig == NID_id_GostR3410_2012_256 1582e71b7053SJung-uk Kim || lu->sig == NID_id_GostR3410_2012_512 1583e71b7053SJung-uk Kim || lu->sig == NID_id_GostR3410_2001) { 1584e71b7053SJung-uk Kim /* We never allow GOST sig algs on the server with TLSv1.3 */ 1585e71b7053SJung-uk Kim if (s->server && SSL_IS_TLS13(s)) 1586e71b7053SJung-uk Kim return 0; 1587e71b7053SJung-uk Kim if (!s->server 1588e71b7053SJung-uk Kim && s->method->version == TLS_ANY_VERSION 1589e71b7053SJung-uk Kim && s->s3->tmp.max_ver >= TLS1_3_VERSION) { 1590e71b7053SJung-uk Kim int i, num; 1591e71b7053SJung-uk Kim STACK_OF(SSL_CIPHER) *sk; 1592e71b7053SJung-uk Kim 1593e71b7053SJung-uk Kim /* 1594e71b7053SJung-uk Kim * We're a client that could negotiate TLSv1.3. We only allow GOST 1595e71b7053SJung-uk Kim * sig algs if we could negotiate TLSv1.2 or below and we have GOST 1596e71b7053SJung-uk Kim * ciphersuites enabled. 1597e71b7053SJung-uk Kim */ 1598e71b7053SJung-uk Kim 1599e71b7053SJung-uk Kim if (s->s3->tmp.min_ver >= TLS1_3_VERSION) 1600e71b7053SJung-uk Kim return 0; 1601e71b7053SJung-uk Kim 1602e71b7053SJung-uk Kim sk = SSL_get_ciphers(s); 1603e71b7053SJung-uk Kim num = sk != NULL ? 
sk_SSL_CIPHER_num(sk) : 0; 1604e71b7053SJung-uk Kim for (i = 0; i < num; i++) { 1605e71b7053SJung-uk Kim const SSL_CIPHER *c; 1606e71b7053SJung-uk Kim 1607e71b7053SJung-uk Kim c = sk_SSL_CIPHER_value(sk, i); 1608e71b7053SJung-uk Kim /* Skip disabled ciphers */ 1609e71b7053SJung-uk Kim if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 1610e71b7053SJung-uk Kim continue; 1611e71b7053SJung-uk Kim 1612e71b7053SJung-uk Kim if ((c->algorithm_mkey & SSL_kGOST) != 0) 1613e71b7053SJung-uk Kim break; 16147bded2dbSJung-uk Kim } 1615e71b7053SJung-uk Kim if (i == num) 1616e71b7053SJung-uk Kim return 0; 1617e71b7053SJung-uk Kim } 16187bded2dbSJung-uk Kim } 16197bded2dbSJung-uk Kim 1620e71b7053SJung-uk Kim if (lu->hash == NID_undef) 1621e71b7053SJung-uk Kim return 1; 1622e71b7053SJung-uk Kim /* Security bits: half digest bits */ 1623e71b7053SJung-uk Kim secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4; 1624e71b7053SJung-uk Kim /* Finally see if security callback allows it */ 1625e71b7053SJung-uk Kim sigalgstr[0] = (lu->sigalg >> 8) & 0xff; 1626e71b7053SJung-uk Kim sigalgstr[1] = lu->sigalg & 0xff; 1627e71b7053SJung-uk Kim return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr); 1628e71b7053SJung-uk Kim } 1629e71b7053SJung-uk Kim 1630e71b7053SJung-uk Kim /* 1631e71b7053SJung-uk Kim * Get a mask of disabled public key algorithms based on supported signature 1632e71b7053SJung-uk Kim * algorithms. For example if no signature algorithm supports RSA then RSA is 1633e71b7053SJung-uk Kim * disabled. 
1634e71b7053SJung-uk Kim */ 1635e71b7053SJung-uk Kim 1636e71b7053SJung-uk Kim void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) 16377bded2dbSJung-uk Kim { 1638e71b7053SJung-uk Kim const uint16_t *sigalgs; 1639e71b7053SJung-uk Kim size_t i, sigalgslen; 1640e71b7053SJung-uk Kim uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA; 1641e71b7053SJung-uk Kim /* 1642e71b7053SJung-uk Kim * Go through all signature algorithms seeing if we support any 1643e71b7053SJung-uk Kim * in disabled_mask. 1644e71b7053SJung-uk Kim */ 1645e71b7053SJung-uk Kim sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs); 1646e71b7053SJung-uk Kim for (i = 0; i < sigalgslen; i++, sigalgs++) { 1647e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs); 1648e71b7053SJung-uk Kim const SSL_CERT_LOOKUP *clu; 1649e71b7053SJung-uk Kim 1650e71b7053SJung-uk Kim if (lu == NULL) 1651e71b7053SJung-uk Kim continue; 1652e71b7053SJung-uk Kim 1653e71b7053SJung-uk Kim clu = ssl_cert_lookup_by_idx(lu->sig_idx); 1654e71b7053SJung-uk Kim if (clu == NULL) 1655e71b7053SJung-uk Kim continue; 1656e71b7053SJung-uk Kim 1657e71b7053SJung-uk Kim /* If algorithm is disabled see if we can enable it */ 1658e71b7053SJung-uk Kim if ((clu->amask & disabled_mask) != 0 1659e71b7053SJung-uk Kim && tls12_sigalg_allowed(s, op, lu)) 1660e71b7053SJung-uk Kim disabled_mask &= ~clu->amask; 16617bded2dbSJung-uk Kim } 1662e71b7053SJung-uk Kim *pmask_a |= disabled_mask; 16637bded2dbSJung-uk Kim } 1664e71b7053SJung-uk Kim 1665e71b7053SJung-uk Kim int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, 1666e71b7053SJung-uk Kim const uint16_t *psig, size_t psiglen) 1667e71b7053SJung-uk Kim { 1668e71b7053SJung-uk Kim size_t i; 1669e71b7053SJung-uk Kim int rv = 0; 1670e71b7053SJung-uk Kim 1671e71b7053SJung-uk Kim for (i = 0; i < psiglen; i++, psig++) { 1672e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig); 1673e71b7053SJung-uk Kim 1674e71b7053SJung-uk Kim if (!tls12_sigalg_allowed(s, 
SSL_SECOP_SIGALG_SUPPORTED, lu)) 1675e71b7053SJung-uk Kim continue; 1676e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u16(pkt, *psig)) 1677e71b7053SJung-uk Kim return 0; 1678e71b7053SJung-uk Kim /* 1679e71b7053SJung-uk Kim * If TLS 1.3 must have at least one valid TLS 1.3 message 1680e71b7053SJung-uk Kim * signing algorithm: i.e. neither RSA nor SHA1/SHA224 1681e71b7053SJung-uk Kim */ 1682e71b7053SJung-uk Kim if (rv == 0 && (!SSL_IS_TLS13(s) 1683e71b7053SJung-uk Kim || (lu->sig != EVP_PKEY_RSA 1684e71b7053SJung-uk Kim && lu->hash != NID_sha1 1685e71b7053SJung-uk Kim && lu->hash != NID_sha224))) 1686e71b7053SJung-uk Kim rv = 1; 16877bded2dbSJung-uk Kim } 1688e71b7053SJung-uk Kim if (rv == 0) 1689e71b7053SJung-uk Kim SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 1690e71b7053SJung-uk Kim return rv; 16917bded2dbSJung-uk Kim } 16927bded2dbSJung-uk Kim 16937bded2dbSJung-uk Kim /* Given preference and allowed sigalgs set shared sigalgs */ 1694e71b7053SJung-uk Kim static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig, 1695e71b7053SJung-uk Kim const uint16_t *pref, size_t preflen, 1696e71b7053SJung-uk Kim const uint16_t *allow, size_t allowlen) 16977bded2dbSJung-uk Kim { 1698e71b7053SJung-uk Kim const uint16_t *ptmp, *atmp; 16997bded2dbSJung-uk Kim size_t i, j, nmatch = 0; 1700e71b7053SJung-uk Kim for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { 1701e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp); 1702e71b7053SJung-uk Kim 17037bded2dbSJung-uk Kim /* Skip disabled hashes or signature algorithms */ 1704e71b7053SJung-uk Kim if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) 17057bded2dbSJung-uk Kim continue; 1706e71b7053SJung-uk Kim for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { 1707e71b7053SJung-uk Kim if (*ptmp == *atmp) { 17087bded2dbSJung-uk Kim nmatch++; 1709e71b7053SJung-uk Kim if (shsig) 1710e71b7053SJung-uk Kim *shsig++ = lu; 17117bded2dbSJung-uk Kim break; 17127bded2dbSJung-uk Kim } 
17137bded2dbSJung-uk Kim } 17147bded2dbSJung-uk Kim } 17157bded2dbSJung-uk Kim return nmatch; 17167bded2dbSJung-uk Kim } 17177bded2dbSJung-uk Kim 17187bded2dbSJung-uk Kim /* Set shared signature algorithms for SSL structures */ 17197bded2dbSJung-uk Kim static int tls1_set_shared_sigalgs(SSL *s) 17207bded2dbSJung-uk Kim { 1721e71b7053SJung-uk Kim const uint16_t *pref, *allow, *conf; 17227bded2dbSJung-uk Kim size_t preflen, allowlen, conflen; 17237bded2dbSJung-uk Kim size_t nmatch; 1724e71b7053SJung-uk Kim const SIGALG_LOOKUP **salgs = NULL; 17257bded2dbSJung-uk Kim CERT *c = s->cert; 17267bded2dbSJung-uk Kim unsigned int is_suiteb = tls1_suiteb(s); 1727e71b7053SJung-uk Kim 1728*da327cd2SJung-uk Kim OPENSSL_free(s->shared_sigalgs); 1729*da327cd2SJung-uk Kim s->shared_sigalgs = NULL; 1730*da327cd2SJung-uk Kim s->shared_sigalgslen = 0; 17317bded2dbSJung-uk Kim /* If client use client signature algorithms if not NULL */ 17327bded2dbSJung-uk Kim if (!s->server && c->client_sigalgs && !is_suiteb) { 17337bded2dbSJung-uk Kim conf = c->client_sigalgs; 17347bded2dbSJung-uk Kim conflen = c->client_sigalgslen; 17357bded2dbSJung-uk Kim } else if (c->conf_sigalgs && !is_suiteb) { 17367bded2dbSJung-uk Kim conf = c->conf_sigalgs; 17377bded2dbSJung-uk Kim conflen = c->conf_sigalgslen; 17387bded2dbSJung-uk Kim } else 1739ed7112f0SJung-uk Kim conflen = tls12_get_psigalgs(s, 0, &conf); 17407bded2dbSJung-uk Kim if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { 17417bded2dbSJung-uk Kim pref = conf; 17427bded2dbSJung-uk Kim preflen = conflen; 1743e71b7053SJung-uk Kim allow = s->s3->tmp.peer_sigalgs; 1744e71b7053SJung-uk Kim allowlen = s->s3->tmp.peer_sigalgslen; 17457bded2dbSJung-uk Kim } else { 17467bded2dbSJung-uk Kim allow = conf; 17477bded2dbSJung-uk Kim allowlen = conflen; 1748e71b7053SJung-uk Kim pref = s->s3->tmp.peer_sigalgs; 1749e71b7053SJung-uk Kim preflen = s->s3->tmp.peer_sigalgslen; 17507bded2dbSJung-uk Kim } 1751e71b7053SJung-uk Kim nmatch = 
tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); 17527bded2dbSJung-uk Kim if (nmatch) { 1753e71b7053SJung-uk Kim if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) { 1754e71b7053SJung-uk Kim SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE); 17557bded2dbSJung-uk Kim return 0; 1756e71b7053SJung-uk Kim } 1757e71b7053SJung-uk Kim nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); 17587bded2dbSJung-uk Kim } else { 17597bded2dbSJung-uk Kim salgs = NULL; 17607bded2dbSJung-uk Kim } 1761*da327cd2SJung-uk Kim s->shared_sigalgs = salgs; 1762*da327cd2SJung-uk Kim s->shared_sigalgslen = nmatch; 17637bded2dbSJung-uk Kim return 1; 17647bded2dbSJung-uk Kim } 17657bded2dbSJung-uk Kim 1766e71b7053SJung-uk Kim int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) 17671f13597dSJung-uk Kim { 1768e71b7053SJung-uk Kim unsigned int stmp; 1769e71b7053SJung-uk Kim size_t size, i; 1770e71b7053SJung-uk Kim uint16_t *buf; 1771e71b7053SJung-uk Kim 1772e71b7053SJung-uk Kim size = PACKET_remaining(pkt); 1773e71b7053SJung-uk Kim 1774e71b7053SJung-uk Kim /* Invalid data length */ 1775e71b7053SJung-uk Kim if (size == 0 || (size & 1) != 0) 1776e71b7053SJung-uk Kim return 0; 1777e71b7053SJung-uk Kim 1778e71b7053SJung-uk Kim size >>= 1; 1779e71b7053SJung-uk Kim 1780e71b7053SJung-uk Kim if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) { 1781e71b7053SJung-uk Kim SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE); 1782e71b7053SJung-uk Kim return 0; 1783e71b7053SJung-uk Kim } 1784e71b7053SJung-uk Kim for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) 1785e71b7053SJung-uk Kim buf[i] = stmp; 1786e71b7053SJung-uk Kim 1787e71b7053SJung-uk Kim if (i != size) { 1788e71b7053SJung-uk Kim OPENSSL_free(buf); 1789e71b7053SJung-uk Kim return 0; 1790e71b7053SJung-uk Kim } 1791e71b7053SJung-uk Kim 1792e71b7053SJung-uk Kim OPENSSL_free(*pdest); 1793e71b7053SJung-uk Kim *pdest = buf; 1794e71b7053SJung-uk Kim *pdestlen = size; 
1795e71b7053SJung-uk Kim 1796e71b7053SJung-uk Kim return 1; 1797e71b7053SJung-uk Kim } 1798e71b7053SJung-uk Kim 1799e71b7053SJung-uk Kim int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert) 1800e71b7053SJung-uk Kim { 18017bded2dbSJung-uk Kim /* Extension ignored for inappropriate versions */ 18027bded2dbSJung-uk Kim if (!SSL_USE_SIGALGS(s)) 18031f13597dSJung-uk Kim return 1; 18041f13597dSJung-uk Kim /* Should never happen */ 1805e71b7053SJung-uk Kim if (s->cert == NULL) 18061f13597dSJung-uk Kim return 0; 18071f13597dSJung-uk Kim 1808e71b7053SJung-uk Kim if (cert) 1809e71b7053SJung-uk Kim return tls1_save_u16(pkt, &s->s3->tmp.peer_cert_sigalgs, 1810e71b7053SJung-uk Kim &s->s3->tmp.peer_cert_sigalgslen); 1811e71b7053SJung-uk Kim else 1812e71b7053SJung-uk Kim return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs, 1813e71b7053SJung-uk Kim &s->s3->tmp.peer_sigalgslen); 1814e71b7053SJung-uk Kim 18151f13597dSJung-uk Kim } 18161f13597dSJung-uk Kim 1817e71b7053SJung-uk Kim /* Set preferred digest for each key type */ 1818e71b7053SJung-uk Kim 18197bded2dbSJung-uk Kim int tls1_process_sigalgs(SSL *s) 18207bded2dbSJung-uk Kim { 18217bded2dbSJung-uk Kim size_t i; 1822e71b7053SJung-uk Kim uint32_t *pvalid = s->s3->tmp.valid_flags; 1823e71b7053SJung-uk Kim 18247bded2dbSJung-uk Kim if (!tls1_set_shared_sigalgs(s)) 18257bded2dbSJung-uk Kim return 0; 18267bded2dbSJung-uk Kim 1827e71b7053SJung-uk Kim for (i = 0; i < SSL_PKEY_NUM; i++) 1828e71b7053SJung-uk Kim pvalid[i] = 0; 18297bded2dbSJung-uk Kim 1830*da327cd2SJung-uk Kim for (i = 0; i < s->shared_sigalgslen; i++) { 1831*da327cd2SJung-uk Kim const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i]; 1832e71b7053SJung-uk Kim int idx = sigptr->sig_idx; 18331f13597dSJung-uk Kim 1834e71b7053SJung-uk Kim /* Ignore PKCS1 based sig algs in TLSv1.3 */ 1835e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) 1836e71b7053SJung-uk Kim continue; 1837e71b7053SJung-uk Kim /* If not disabled indicate we can explicitly sign */ 
1838e71b7053SJung-uk Kim if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx)) 1839e71b7053SJung-uk Kim pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 18407bded2dbSJung-uk Kim } 18411f13597dSJung-uk Kim return 1; 18421f13597dSJung-uk Kim } 18431f13597dSJung-uk Kim 18447bded2dbSJung-uk Kim int SSL_get_sigalgs(SSL *s, int idx, 18457bded2dbSJung-uk Kim int *psign, int *phash, int *psignhash, 18467bded2dbSJung-uk Kim unsigned char *rsig, unsigned char *rhash) 18477bded2dbSJung-uk Kim { 1848e71b7053SJung-uk Kim uint16_t *psig = s->s3->tmp.peer_sigalgs; 1849e71b7053SJung-uk Kim size_t numsigalgs = s->s3->tmp.peer_sigalgslen; 1850e71b7053SJung-uk Kim if (psig == NULL || numsigalgs > INT_MAX) 18517bded2dbSJung-uk Kim return 0; 18527bded2dbSJung-uk Kim if (idx >= 0) { 1853e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu; 1854e71b7053SJung-uk Kim 1855e71b7053SJung-uk Kim if (idx >= (int)numsigalgs) 18567bded2dbSJung-uk Kim return 0; 18577bded2dbSJung-uk Kim psig += idx; 1858e71b7053SJung-uk Kim if (rhash != NULL) 1859e71b7053SJung-uk Kim *rhash = (unsigned char)((*psig >> 8) & 0xff); 1860e71b7053SJung-uk Kim if (rsig != NULL) 1861e71b7053SJung-uk Kim *rsig = (unsigned char)(*psig & 0xff); 1862e71b7053SJung-uk Kim lu = tls1_lookup_sigalg(*psig); 1863e71b7053SJung-uk Kim if (psign != NULL) 1864e71b7053SJung-uk Kim *psign = lu != NULL ? lu->sig : NID_undef; 1865e71b7053SJung-uk Kim if (phash != NULL) 1866e71b7053SJung-uk Kim *phash = lu != NULL ? lu->hash : NID_undef; 1867e71b7053SJung-uk Kim if (psignhash != NULL) 1868e71b7053SJung-uk Kim *psignhash = lu != NULL ? 
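lu->sigandhash : NID_undef;
    }
    return (int)numsigalgs;
}

/*
 * Report the |idx|th signature algorithm shared with the peer, i.e. the
 * intersection of our and the peer's sigalgs computed during the handshake.
 *
 * |psign|, |phash|, |psignhash| receive the signature NID, digest NID and
 * combined "sig+hash" NID; |rsig|/|rhash| receive the low and high byte of
 * the TLS SignatureScheme codepoint. Any output pointer may be NULL.
 *
 * Returns the total number of shared algorithms, or 0 if none have been
 * negotiated, |idx| is out of range, or the count does not fit an int.
 */
int SSL_get_shared_sigalgs(SSL *s, int idx,
                           int *psign, int *phash, int *psignhash,
                           unsigned char *rsig, unsigned char *rhash)
{
    const SIGALG_LOOKUP *shsigalgs;

    /* Range-check the length before casting it to int */
    if (s->shared_sigalgs == NULL
        || s->shared_sigalgslen > INT_MAX
        || idx < 0
        || idx >= (int)s->shared_sigalgslen)
        return 0;
    shsigalgs = s->shared_sigalgs[idx];
    if (phash != NULL)
        *phash = shsigalgs->hash;
    if (psign != NULL)
        *psign = shsigalgs->sig;
    if (psignhash != NULL)
        *psignhash = shsigalgs->sigandhash;
    if (rsig != NULL)
        *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
    if (rhash != NULL)
        *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
    return (int)s->shared_sigalgslen;
}

/* Maximum possible number of unique entries in sigalgs array */
#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)

/* Accumulator passed through CONF_parse_list() to sig_cb() */
typedef struct {
    /* Number of entries filled in sigalgs[] so far */
    size_t sigalgcnt;
    /* TLSEXT_SIGALG_XXX values */
    uint16_t sigalgs[TLS_MAX_SIGALGCNT];
} sig_cb_st;

/*
 * Classify one component of a "sig+hash" string. The known signature
 * algorithm names ("RSA", "RSA-PSS"/"PSS", "DSA", "ECDSA") set *psig;
 * anything else is treated as a digest name and resolved via its short
 * name, then its long name, into *phash (NID_undef when unknown).
 * Only the matching output is written, so the caller can invoke this once
 * per component in either order.
 */
static void get_sigorhash(int *psig, int *phash, const char *str)
{
    if (strcmp(str, "RSA") == 0) {
        *psig = EVP_PKEY_RSA;
    } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
        *psig = EVP_PKEY_RSA_PSS;
    } else if (strcmp(str, "DSA") == 0) {
        *psig = EVP_PKEY_DSA;
    } else if (strcmp(str, "ECDSA") == 0) {
        *psig = EVP_PKEY_EC;
    } else {
        *phash = OBJ_sn2nid(str);
        if (*phash == NID_undef)
            *phash = OBJ_ln2nid(str);
    }
}

/* Maximum length of a signature algorithm string component */
#define TLS_MAX_SIGSTRING_LEN 40

/*
 * CONF_parse_list() callback: translate one list element into a
 * SignatureScheme codepoint and append it to the sig_cb_st in |arg|.
 *
 * |elem| is |len| bytes long and not NUL-terminated. It is either a
 * combined scheme name from sigalg_lookup_tbl (no '+'), or "sig+hash".
 * Returns 1 on success and 0 on any error (NULL element, table full,
 * over-long component, unknown name, or a duplicate of an earlier entry),
 * which aborts the whole parse.
 */
static int sig_cb(const char *elem, int len, void *arg)
{
    sig_cb_st *sarg = arg;
    size_t i;
    const SIGALG_LOOKUP *s;
    char etmp[TLS_MAX_SIGSTRING_LEN], *p;
    int sig_alg = NID_undef, hash_alg = NID_undef;

    if (elem == NULL)
        return 0;
    if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
        return 0;
    /* Leave room for the terminator; reject a negative length outright */
    if (len < 0 || len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    p = strchr(etmp, '+');
    /*
     * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
     * if there's no '+' in the provided name, look for the new-style combined
     * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP.
     * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
     * rsa_pss_rsae_* that differ only by public key OID; in such cases
     * we will pick the _rsae_ variant, by virtue of them appearing earlier
     * in the table.
     */
    if (p == NULL) {
        for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
             i++, s++) {
            if (s->name != NULL && strcmp(etmp, s->name) == 0) {
                sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
                break;
            }
        }
        if (i == OSSL_NELEM(sigalg_lookup_tbl))
            return 0;
    } else {
        /* Split "sig+hash" in place; an empty second half is an error */
        *p = 0;
        p++;
        if (*p == 0)
            return 0;
        get_sigorhash(&sig_alg, &hash_alg, etmp);
        get_sigorhash(&sig_alg, &hash_alg, p);
        if (sig_alg == NID_undef || hash_alg == NID_undef)
            return 0;
        for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
             i++, s++) {
            if (s->hash == hash_alg && s->sig == sig_alg) {
                sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
                break;
            }
        }
        if (i == OSSL_NELEM(sigalg_lookup_tbl))
            return 0;
    }

    /* Reject duplicates: the entry just appended must not already be present */
    for (i = 0; i < sarg->sigalgcnt - 1; i++) {
        if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
            sarg->sigalgcnt--;
            return 0;
        }
    }
    return 1;
}

/*
 * Set supported signature algorithms based on a colon separated list of the
 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
 *
 * With |c| == NULL the list is only validated. |client| selects the
 * client_sigalgs list instead of conf_sigalgs. Returns 1 on success, 0 if
 * the list does not parse or the copy cannot be allocated.
 */
int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
{
    sig_cb_st sig;

    sig.sigalgcnt = 0;
    if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
        return 0;
    if (c == NULL)
        return 1;
    return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}

/*
 * Install a copy of the |salglen| SignatureScheme codepoints in |psigs| as
 * the configured (|client| == 0) or client (|client| != 0) sigalgs of |c|,
 * replacing and freeing any previous list. |psigs| stays owned by the
 * caller. Returns 1 on success, 0 on allocation failure (with an error
 * queued). NOTE(review): |salglen| == 0 reaches OPENSSL_malloc(0) —
 * confirm callers never pass an empty list.
 */
int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
                         int client)
{
    uint16_t *sigalgs;

    if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) {
        SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));

    if (client) {
        OPENSSL_free(c->client_sigalgs);
        c->client_sigalgs = sigalgs;
        c->client_sigalgslen = salglen;
    } else {
        OPENSSL_free(c->conf_sigalgs);
        c->conf_sigalgs = sigalgs;
        c->conf_sigalgslen = salglen;
    }

    return 1;
}

/*
 * Legacy NID-pair form of tls1_set_raw_sigalgs(): |psig_nids| holds
 * |salglen| ints as (digest NID, signature NID) pairs, so |salglen| must be
 * even. Each pair is mapped to its SignatureScheme codepoint through
 * sigalg_lookup_tbl; an unknown pair fails the whole call. Returns 1 on
 * success, 0 on odd length, allocation failure or unknown pair.
 */
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
{
    uint16_t *sigalgs, *sptr;
    size_t i;

    if (salglen & 1)
        return 0;
    if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) {
        SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
        size_t j;
        const SIGALG_LOOKUP *curr;
        int md_id = *psig_nids++;
        int sig_id = *psig_nids++;

        for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
             j++, curr++) {
            if (curr->hash == md_id && curr->sig == sig_id) {
                *sptr++ = curr->sigalg;
                break;
            }
        }

        if (j == OSSL_NELEM(sigalg_lookup_tbl))
            goto err;
    }

    if (client) {
        OPENSSL_free(c->client_sigalgs);
        c->client_sigalgs = sigalgs;
        c->client_sigalgslen = salglen / 2;
    } else {
        OPENSSL_free(c->conf_sigalgs);
        c->conf_sigalgs = sigalgs;
        c->conf_sigalgslen = salglen / 2;
    }

    return 1;

 err:
    OPENSSL_free(sigalgs);
    return 0;
}

/*
 * Check whether the signature algorithm of certificate |x| is acceptable.
 *
 * |default_nid| == -1: nothing to check, always acceptable.
 * |default_nid| > 0: must equal that exact "sig+hash" NID (the RFC 5246
 *     default used when the peer sent no signature_algorithms extension).
 * |default_nid| == 0: must appear in the peer's signature_algorithms_cert
 *     list (TLS 1.3, when present) or otherwise in the shared sigalgs.
 *
 * The peer's signature_algorithms_cert list is stored as raw codepoints, so
 * an entry can be one we do not recognise; tls1_lookup_sigalg() then
 * returns NULL and that entry is skipped rather than dereferenced.
 * Returns 1 if acceptable, 0 otherwise.
 */
static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
{
    int sig_nid, use_pc_sigalgs = 0;
    size_t i;
    const SIGALG_LOOKUP *sigalg;
    size_t sigalgslen;

    if (default_nid == -1)
        return 1;
    sig_nid = X509_get_signature_nid(x);
    if (default_nid)
        return sig_nid == default_nid ? 1 : 0;

    if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) {
        /*
         * If we're in TLSv1.3 then we only get here if we're checking the
         * chain. If the peer has specified peer_cert_sigalgs then we use them
         * otherwise we default to normal sigalgs.
         */
        sigalgslen = s->s3->tmp.peer_cert_sigalgslen;
        use_pc_sigalgs = 1;
    } else {
        sigalgslen = s->shared_sigalgslen;
    }
    for (i = 0; i < sigalgslen; i++) {
        sigalg = use_pc_sigalgs
                 ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
                 : s->shared_sigalgs[i];
        /* Peer-supplied codepoints may be unknown to us: skip, don't deref */
        if (sigalg != NULL && sig_nid == sigalg->sigandhash)
            return 1;
    }
    return 0;
}

/*
 * Check to see if a certificate issuer name matches list of CA names.
 * Returns 1 on the first match, 0 if |names| is empty or nothing matches.
 */
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
{
    X509_NAME *nm;
    int i;

    nm = X509_get_issuer_name(x);
    for (i = 0; i < sk_X509_NAME_num(names); i++) {
        if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
            return 1;
    }
    return 0;
}

/*
 * Check certificate chain is consistent with TLS extensions and is usable by
 * server. This serves two purposes: it allows users to check chains before
 * passing them to the server and it allows the server to check chains before
 * attempting to use them.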
 */

/* Flags which need to be set for a certificate when strict mode not set */

#define CERT_PKEY_VALID_FLAGS \
        (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
/* Strict mode flags */
#define CERT_PKEY_STRICT_FLAGS \
         (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
         | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)

/*
 * Check a certificate chain against the TLS extensions negotiated on |s|.
 *
 * |idx| selects the mode:
 *   -1  : check the caller-supplied |x|/|pk|/|chain| (SSL_check_chain());
 *         every test is run and the result is a bitmask of CERT_PKEY_*
 *         flags, with CERT_PKEY_VALID set when all of check_flags passed.
 *   -2  : check the currently selected key c->key.
 *   >=0 : check the configured key at c->pkeys[idx].
 * In the last two modes |x|, |pk| and |chain| are ignored and taken from the
 * CERT_PKEY, the first failing test aborts, and the result is also stored in
 * s->s3->tmp.valid_flags[idx]; 0 is returned if the chain is unusable.
 */
int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
                     int idx)
{
    int i;
    int rv = 0;
    /* check_flags != 0 means "report everything" rather than fail-fast */
    int check_flags = 0, strict_mode;
    CERT_PKEY *cpk = NULL;
    CERT *c = s->cert;
    uint32_t *pvalid;
    unsigned int suiteb_flags = tls1_suiteb(s);
    /* idx == -1 means checking server chains */
    if (idx != -1) {
        /* idx == -2 means checking client certificate chains */
        if (idx == -2) {
            cpk = c->key;
            idx = (int)(cpk - c->pkeys);
        } else
            cpk = c->pkeys + idx;
        pvalid = s->s3->tmp.valid_flags + idx;
        x = cpk->x509;
        pk = cpk->privatekey;
        chain = cpk->chain;
        strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
        /* If no cert or key, forget it */
        if (!x || !pk)
            goto end;
    } else {
        size_t certidx;

        if (!x || !pk)
            return 0;

        /* Derive the pkeys slot from the key type so pvalid can be located */
        if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
            return 0;
        idx = certidx;
        pvalid = s->s3->tmp.valid_flags + idx;

        if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
            check_flags = CERT_PKEY_STRICT_FLAGS;
        else
            check_flags = CERT_PKEY_VALID_FLAGS;
        strict_mode = 1;
    }

    if (suiteb_flags) {
        int ok;
        if (check_flags)
            check_flags |= CERT_PKEY_SUITEB;
        ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
        if (ok == X509_V_OK)
            rv |= CERT_PKEY_SUITEB;
        else if (!check_flags)
            goto end;
    }

    /*
     * Check all signature algorithms are consistent with signature
     * algorithms extension if TLS 1.2 or later and strict mode.
     */
    if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
        int default_nid;
        int rsign = 0;
        if (s->s3->tmp.peer_cert_sigalgs != NULL
                || s->s3->tmp.peer_sigalgs != NULL) {
            default_nid = 0;
        /* If no sigalgs extension use defaults from RFC5246 */
        } else {
            switch (idx) {
            case SSL_PKEY_RSA:
                rsign = EVP_PKEY_RSA;
                default_nid = NID_sha1WithRSAEncryption;
                break;

            case SSL_PKEY_DSA_SIGN:
                rsign = EVP_PKEY_DSA;
                default_nid = NID_dsaWithSHA1;
                break;

            case SSL_PKEY_ECC:
                rsign = EVP_PKEY_EC;
                default_nid = NID_ecdsa_with_SHA1;
                break;

            case SSL_PKEY_GOST01:
                rsign = NID_id_GostR3410_2001;
                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
                break;

            case SSL_PKEY_GOST12_256:
                rsign = NID_id_GostR3410_2012_256;
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
                break;

            case SSL_PKEY_GOST12_512:
                rsign = NID_id_GostR3410_2012_512;
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
                break;

            default:
                /* No RFC 5246 default for this key type: skip sig checks */
                default_nid = -1;
                break;
            }
        }
        /*
         * If peer sent no signature algorithms extension and we have set
         * preferred signature algorithms check we support sha1.
         */
        if (default_nid > 0 && c->conf_sigalgs) {
            size_t j;
            const uint16_t *p = c->conf_sigalgs;
            for (j = 0; j < c->conf_sigalgslen; j++, p++) {
                const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);

                /* lu may be NULL for an unknown codepoint */
                if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
                    break;
            }
            if (j == c->conf_sigalgslen) {
                if (check_flags)
                    goto skip_sigs;
                else
                    goto end;
            }
        }
        /* Check signature algorithm of each cert in chain */
        if (SSL_IS_TLS13(s)) {
            /*
             * We only get here if the application has called SSL_check_chain(),
             * so check_flags is always set.
             */
            if (find_sig_alg(s, x, pk) != NULL)
                rv |= CERT_PKEY_EE_SIGNATURE;
        } else if (!tls1_check_sig_alg(s, x, default_nid)) {
            if (!check_flags)
                goto end;
        } else
            rv |= CERT_PKEY_EE_SIGNATURE;
        /* Assume CA signatures are fine and clear the flag on first failure */
        rv |= CERT_PKEY_CA_SIGNATURE;
        for (i = 0; i < sk_X509_num(chain); i++) {
            if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_SIGNATURE;
                    break;
                } else
                    goto end;
            }
        }
    }
    /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
    else if (check_flags)
        rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
 skip_sigs:
    /* Check cert parameters are consistent */
    if (tls1_check_cert_param(s, x, 1))
        rv |= CERT_PKEY_EE_PARAM;
    else if (!check_flags)
        goto end;
    if (!s->server)
        rv |= CERT_PKEY_CA_PARAM;
    /* In strict mode check rest of chain too */
    else if (strict_mode) {
        rv |= CERT_PKEY_CA_PARAM;
        for (i = 0; i < sk_X509_num(chain); i++) {
            X509 *ca = sk_X509_value(chain, i);
            if (!tls1_check_cert_param(s, ca, 0)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_PARAM;
                    break;
                } else
                    goto end;
            }
        }
    }
    /*
     * Client-side strict checks: the key type must be among the certificate
     * types the server requested and the issuer must be one of its CA names.
     */
    if (!s->server && strict_mode) {
        STACK_OF(X509_NAME) *ca_dn;
        int check_type = 0;
        switch (EVP_PKEY_id(pk)) {
        case EVP_PKEY_RSA:
            check_type = TLS_CT_RSA_SIGN;
            break;
        case EVP_PKEY_DSA:
            check_type = TLS_CT_DSS_SIGN;
            break;
        case EVP_PKEY_EC:
            check_type = TLS_CT_ECDSA_SIGN;
            break;
        }
        if (check_type) {
            const uint8_t *ctypes = s->s3->tmp.ctype;
            size_t j;

            for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
                if (*ctypes == check_type) {
                    rv |= CERT_PKEY_CERT_TYPE;
                    break;
                }
            }
            if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
                goto end;
        } else {
            /* Key types with no legacy ClientCertificateType are not filtered */
            rv |= CERT_PKEY_CERT_TYPE;
        }

        ca_dn = s->s3->tmp.peer_ca_names;

        /* An empty CA list from the server accepts any issuer */
        if (!sk_X509_NAME_num(ca_dn))
            rv |= CERT_PKEY_ISSUER_NAME;

        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
            if (ssl_check_ca_name(ca_dn, x))
                rv |= CERT_PKEY_ISSUER_NAME;
        }
        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
            for (i = 0; i < sk_X509_num(chain); i++) {
                X509 *xtmp = sk_X509_value(chain, i);
                if (ssl_check_ca_name(ca_dn, xtmp)) {
                    rv |= CERT_PKEY_ISSUER_NAME;
                    break;
                }
            }
        }
        if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
            goto end;
    } else
        rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;

    if (!check_flags || (rv & check_flags) == check_flags)
        rv |= CERT_PKEY_VALID;

 end:

    /* Carry over the signing-capability flags already recorded for this slot */
    if (TLS1_get_version(s) >= TLS1_2_VERSION)
        rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
    else
        rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;

    /*
     * When checking a CERT_PKEY structure all flags are irrelevant if the
     * chain is invalid.
     */
    if (!check_flags) {
        if (rv & CERT_PKEY_VALID) {
            *pvalid = rv;
        } else {
            /* Preserve sign and explicit sign flag, clear rest */
            *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
            return 0;
        }
    }
    return rv;
}

/*
 * Set validity of certificates in an SSL structure: run tls1_check_chain()
 * over every configured key slot so s->s3->tmp.valid_flags is populated.
 */
void tls1_set_cert_validity(SSL *s)
{
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
}

/*
 * User level utility function to check a chain is suitable.
 * Returns the CERT_PKEY_* bitmask from tls1_check_chain() in "report
 * everything" mode (idx == -1); 0 if |x| or |pk| is NULL or unrecognised.
 */
int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
{
    return tls1_check_chain(s, x, pk, chain, -1);
}

#ifndef OPENSSL_NO_DH
/*
 * Pick ephemeral DH parameters whose strength matches the connection.
 * dh_tmp_auto == 2 forces the 1024-bit group. Otherwise the target security
 * level comes from the cipher's strength for anonymous/PSK suites, or from
 * the server's private key. >= 128 bits gets a freshly built RFC 3526
 * 3072- or 8192-bit group, >= 112 the 2048-bit group, else 1024.
 * Returns a new DH owned by the caller, or NULL on failure / no server cert.
 */
DH *ssl_get_auto_dh(SSL *s)
{
    int dh_secbits = 80;
    if (s->cert->dh_tmp_auto == 2)
        return DH_get_1024_160();
    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
        if (s->s3->tmp.new_cipher->strength_bits == 256)
            dh_secbits = 128;
        else
            dh_secbits = 80;
    } else {
        if (s->s3->tmp.cert == NULL)
            return NULL;
        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
    }

    if (dh_secbits >= 128) {
        DH *dhp = DH_new();
        BIGNUM *p, *g;
        if (dhp == NULL)
            return NULL;
        g = BN_new();
        if (g == NULL || !BN_set_word(g, 2)) {
            DH_free(dhp);
            BN_free(g);
            return NULL;
        }
        if (dh_secbits >= 192)
            p = BN_get_rfc3526_prime_8192(NULL);
        else
            p = BN_get_rfc3526_prime_3072(NULL);
        /* On success DH_set0_pqg takes ownership of p and g */
        if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
            DH_free(dhp);
            BN_free(p);
            BN_free(g);
            return NULL;
        }
        return dhp;
    }
    if (dh_secbits >= 112)
        return DH_get_2048_224();
    return DH_get_1024_160();
}
#endif

/*
 * Apply the security-level callback (|s| if non-NULL, else |ctx|) to the
 * public key of |x| for operation |op|. Returns the callback's verdict.
 */
static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
    int secbits = -1;
    EVP_PKEY *pkey = X509_get0_pubkey(x);
    if (pkey) {
        /*
         * If no parameters this will return -1 and fail using the default
         * security callback for any non-zero security level. This will
         * reject keys which omit parameters but this only affects DSA and
         * omission of parameters is never (?) done in practice.
         */
        secbits = EVP_PKEY_security_bits(pkey);
    }
    if (s)
        return ssl_security(s, op, secbits, 0, x);
    else
        return ssl_ctx_security(ctx, op, secbits, 0, x);
}

/*
 * Apply the security-level callback to the signature on |x| (digest NID and
 * its strength). Self-signed certificates are always accepted, since their
 * signature protects nothing. Returns the callback's verdict.
 */
static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
    /* Lookup signature algorithm digest */
    int secbits, nid, pknid;
    /* Don't check signature if self signed */
    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
        return 1;
    /*
     * NOTE(review): nid and pknid are read below even when this call fails;
     * relies on X509_get_signature_info() always writing its outputs — confirm.
     */
    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
        secbits = -1;
    /* If digest NID not defined use signature NID */
    if (nid == NID_undef)
        nid = pknid;
    if (s)
        return ssl_security(s, op, secbits, nid, x);
    else
        return ssl_ctx_security(ctx, op, secbits, nid, x);
}

/*
 * Security-level check for one certificate: its key (as end entity when
 * |is_ee|, else as CA) and its signature. |vfy| != 0 marks a peer-supplied
 * certificate (SSL_SECOP_PEER). Returns 1 if acceptable, otherwise the
 * SSL_R_* reason code describing the first failed check.
 */
int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
{
    if (vfy)
        vfy = SSL_SECOP_PEER;
    if (is_ee) {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
            return SSL_R_EE_KEY_TOO_SMALL;
    } else {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
            return SSL_R_CA_KEY_TOO_SMALL;
    }
    if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
        return SSL_R_CA_MD_TOO_WEAK;
    return 1;
}

/*
 * Check security of a chain, if |sk| includes the end entity certificate then
 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
 * one to the peer. Return values: 1 if ok otherwise error code to use
 *
 * NOTE(review): with |x| == NULL and an empty |sk|, sk_X509_value() yields a
 * NULL end-entity that is passed straight to ssl_security_cert() — confirm
 * callers guarantee a non-empty stack.
 */

int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
{
    int rv, start_idx, i;
    if (x == NULL) {
        x = sk_X509_value(sk, 0);
        start_idx = 1;
    } else
        start_idx = 0;

    rv = ssl_security_cert(s, NULL, x, vfy, 1);
    if (rv != 1)
        return rv;

    for (i = start_idx; i < sk_X509_num(sk); i++) {
        x = sk_X509_value(sk, i);
        rv = ssl_security_cert(s, NULL, x, vfy, 0);
        if (rv != 1)
            return rv;
    }
    return 1;
}

/*
 * For TLS 1.2 servers check if we have a certificate which can be used
 * with the signature algorithm "lu" and return index of certificate.
 * Returns -1 if the key type is unknown, not permitted by the negotiated
 * cipher's authentication mask, is RSA-PSS on an RSA key-exchange cipher,
 * or the slot has not been marked CERT_PKEY_VALID.
 */

static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
{
    int sig_idx = lu->sig_idx;
    const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);

    /* If not recognised or not supported by cipher mask it is not suitable */
    if (clu == NULL
            || (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0
            || (clu->nid == EVP_PKEY_RSA_PSS
                && (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0))
        return -1;

    return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
}

/*
 * Checks the given cert against signature_algorithm_cert restrictions sent by
 * the peer (if any) as well as whether the hash from the sigalg is usable with
 * the key.
 * Returns true if the cert is usable and false otherwise.
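 */
static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
                             EVP_PKEY *pkey)
{
    const SIGALG_LOOKUP *lu;
    int mdnid, pknid, default_mdnid;
    int mandatory_md;
    size_t i;

    /*
     * If the EVP_PKEY reports a mandatory digest (return value 2), allow
     * nothing else. The query may leave errors on the queue for key types
     * that do not support it, so bracket it with a mark and pop the mark on
     * every path; previously the mismatch early-return left the mark set.
     */
    ERR_set_mark();
    mandatory_md = EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2;
    ERR_pop_to_mark();
    if (mandatory_md && sig->hash != default_mdnid)
        return 0;

    /* No signature_algorithms_cert from the peer: nothing further to check */
    if (s->s3->tmp.peer_cert_sigalgs == NULL)
        return 1;

    /*
     * The certificate's own signature algorithm does not depend on the
     * peer's list, so resolve it once instead of once per list entry. If it
     * cannot be determined no entry can match.
     */
    if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
        return 0;

    for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
        lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
        /* The peer's raw codepoints may include ones we do not recognise */
        if (lu == NULL)
            continue;
        /*
         * TODO this does not differentiate between the
         * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
         * have a chain here that lets us look at the key OID in the
         * signing certificate.
         */
        if (mdnid == lu->hash && pknid == lu->sig)
            return 1;
    }
    return 0;
}

/*
 * Returns true if |s| has a usable certificate configured for use
 * with signature scheme |sig|.
 * "Usable" includes a check for presence as well as applying
 * the signature_algorithm_cert restrictions sent by the peer (if any).
 * |idx| selects the c->pkeys slot to test; -1 means use sig->sig_idx.
 * Returns false if no usable certificate is found.
 */
static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
{
    /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
    if (idx == -1)
        idx = sig->sig_idx;
    if (!ssl_has_cert(s, idx))
        return 0;

    return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
                             s->cert->pkeys[idx].privatekey);
}

/*
 * Returns true if the supplied cert |x| and key |pkey| is usable with the
 * specified signature scheme |sig|, or false otherwise.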
*/
static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
                          EVP_PKEY *pkey)
{
    size_t slot;

    /*
     * The key must be of a type we know how to place in a pkeys[] slot, and
     * that slot must be the one |sig| is defined for; only then do the
     * mandatory-digest and signature_algorithms_cert checks apply.
     */
    if (ssl_cert_lookup_by_pkey(pkey, &slot) != NULL
        && (int)slot == sig->sig_idx)
        return check_cert_usable(s, sig, x, pkey);

    /* Unknown key type, or key inconsistent with the sig alg. */
    return 0;
}

/*
 * Find a signature scheme that works with the supplied certificate |x| and key
 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
 * available certs/keys to find one that works.
*/
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
{
    size_t i;
#ifndef OPENSSL_NO_EC
    /*
     * Curve of the EC signing key, determined lazily on the first EC
     * candidate and reused afterwards (-1 = not yet determined). This
     * presumes every EC candidate resolves to the same key, which is how
     * the pkeys[] slots appear to be used here - TODO confirm.
     */
    int curve = -1;
#endif

    /* Walk the shared sigalgs in preference order; the first usable one wins. */
    for (i = 0; i < s->shared_sigalgslen; i++) {
        const SIGALG_LOOKUP *cand = s->shared_sigalgs[i];
        EVP_PKEY *signing_key;
        int cert_ok;

        /* Skip SHA1, SHA224, DSA and RSA if not PSS */
        if (cand->hash == NID_sha1
            || cand->hash == NID_sha224
            || cand->sig == EVP_PKEY_DSA
            || cand->sig == EVP_PKEY_RSA)
            continue;
        /* The scheme's digest has to be available to us. */
        if (!tls1_lookup_md(cand, NULL))
            continue;
        /*
         * Check that we have a cert, honouring signature_algorithms_cert:
         * one of our configured certs when |pkey| is NULL, otherwise the
         * caller-supplied |x|/|pkey| pair.
         */
        cert_ok = (pkey == NULL) ? has_usable_cert(s, cand, -1)
                                 : is_cert_usable(s, cand, x, pkey);
        if (!cert_ok)
            continue;

        signing_key = (pkey != NULL) ? pkey
                                     : s->cert->pkeys[cand->sig_idx].privatekey;

        switch (cand->sig) {
        case EVP_PKEY_EC:
#ifndef OPENSSL_NO_EC
            if (curve == -1) {
                EC_KEY *ec = EVP_PKEY_get0_EC_KEY(signing_key);

                curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
            }
            /* Schemes bound to a specific curve must match the key's curve. */
            if (cand->curve != NID_undef && curve != cand->curve)
                continue;
            break;
#else
            continue;
#endif
        case EVP_PKEY_RSA_PSS:
            /* validate that key is large enough for the signature algorithm */
            if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(signing_key), cand))
                continue;
            break;
        default:
            break;
        }
        return cand;
    }

    /* Nothing in the shared list is usable with our certificates. */
    return NULL;
}

/*
 * Choose an appropriate signature algorithm based on available certificates
 * Sets chosen certificate and signature algorithm.
 *
 * For servers if we fail to find a required certificate it is a fatal error,
 * an appropriate error code is set and a TLS alert is sent.
 *
 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
 * a fatal error: we will either try another certificate or not present one
 * to the server. In this case no error is set.
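*/
/*
 * Shared failure path for tls_choose_sigalg(). With fatalerrs == 0 (clients)
 * the failure is silent: return 1 with no certificate/sigalg selected.
 * Otherwise raise a fatal alert |alert| with reason |reason| and return 0.
 * Returns the value tls_choose_sigalg() should hand back to its caller.
 */
static int choose_sigalg_fail(SSL *s, int fatalerrs, int alert, int reason)
{
    if (!fatalerrs)
        return 1;
    SSLfatal(s, alert, SSL_F_TLS_CHOOSE_SIGALG, reason);
    return 0;
}

/*
 * Select s->s3->tmp.cert / s->s3->tmp.sigalg (and s->cert->key) for this
 * handshake. Returns 1 on success or on a non-fatal miss (fatalerrs == 0),
 * 0 after a fatal alert has been raised.
 */
int tls_choose_sigalg(SSL *s, int fatalerrs)
{
    const SIGALG_LOOKUP *lu = NULL;
    int sig_idx = -1;

    s->s3->tmp.cert = NULL;
    s->s3->tmp.sigalg = NULL;

    if (SSL_IS_TLS13(s)) {
        lu = find_sig_alg(s, NULL, NULL);
        if (lu == NULL)
            return choose_sigalg_fail(s, fatalerrs, SSL_AD_HANDSHAKE_FAILURE,
                                      SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
    } else {
        /* If ciphersuite doesn't require a cert nothing to do */
        if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
            return 1;
        /* A client with no certificate in its selected slot sends none. */
        if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
            return 1;

        if (SSL_USE_SIGALGS(s)) {
            size_t i;
            if (s->s3->tmp.peer_sigalgs != NULL) {
#ifndef OPENSSL_NO_EC
                int curve = -1;

                /* For Suite B need to match signature algorithm to curve */
                if (tls1_suiteb(s)) {
                    EVP_PKEY *ecpkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey;
                    EC_KEY *ec = ecpkey != NULL ? EVP_PKEY_get0_EC_KEY(ecpkey)
                                                : NULL;

                    /*
                     * Suite B needs an EC signing key to derive the curve
                     * from. Without one no scheme can be chosen; fail
                     * cleanly rather than dereferencing a NULL key/group.
                     */
                    if (ec == NULL)
                        return choose_sigalg_fail(s, fatalerrs,
                                                  SSL_AD_HANDSHAKE_FAILURE,
                                                  SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                    curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
                }
#endif

                /*
                 * Find highest preference signature algorithm matching
                 * cert type
                 */
                for (i = 0; i < s->shared_sigalgslen; i++) {
                    lu = s->shared_sigalgs[i];

                    if (s->server) {
                        /* Servers may pick any configured cert slot. */
                        if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
                            continue;
                    } else {
                        /* Clients must use the already selected cert. */
                        int cc_idx = s->cert->key - s->cert->pkeys;

                        sig_idx = lu->sig_idx;
                        if (cc_idx != sig_idx)
                            continue;
                    }
                    /* Check that we have a cert, and sig_algs_cert */
                    if (!has_usable_cert(s, lu, sig_idx))
                        continue;
                    if (lu->sig == EVP_PKEY_RSA_PSS) {
                        /* validate that key is large enough for the signature algorithm */
                        EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;

                        if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
                            continue;
                    }
#ifndef OPENSSL_NO_EC
                    /* Outside Suite B (curve == -1) any curve is acceptable. */
                    if (curve == -1 || lu->curve == curve)
#endif
                        break;
                }
                if (i == s->shared_sigalgslen)
                    return choose_sigalg_fail(s, fatalerrs,
                                              SSL_AD_HANDSHAKE_FAILURE,
                                              SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
            } else {
                /*
                 * If we have no sigalg use defaults
                 */
                const uint16_t *sent_sigs;
                size_t sent_sigslen;

                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL)
                    return choose_sigalg_fail(s, fatalerrs,
                                              SSL_AD_INTERNAL_ERROR,
                                              ERR_R_INTERNAL_ERROR);

                /* Check signature matches a type we sent */
                sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
                for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
                    if (lu->sigalg == *sent_sigs
                        && has_usable_cert(s, lu, lu->sig_idx))
                        break;
                }
                if (i == sent_sigslen)
                    return choose_sigalg_fail(s, fatalerrs,
                                              SSL_AD_ILLEGAL_PARAMETER,
                                              SSL_R_WRONG_SIGNATURE_TYPE);
            }
        } else {
            /* Pre-TLS 1.2: the protocol fixes the scheme per key type. */
            if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL)
                return choose_sigalg_fail(s, fatalerrs, SSL_AD_INTERNAL_ERROR,
                                          ERR_R_INTERNAL_ERROR);
        }
    }
    /* Paths that did not pick a slot explicitly use the scheme's default. */
    if (sig_idx == -1)
        sig_idx = lu->sig_idx;
    s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
    s->cert->key = s->s3->tmp.cert;
    s->s3->tmp.sigalg = lu;
    return 1;
}

/*
 * A max_fragment_length mode is acceptable when the extension is disabled or
 * the mode is one of the values the extension defines.
 */
static int max_fragment_length_mode_ok(uint8_t mode)
{
    return mode == TLSEXT_max_fragment_length_DISABLED
           || IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode);
}

/*
 * Set the max_fragment_length extension mode inherited by SSL objects
 * created from |ctx|. Returns 1 on success; on an invalid |mode| raises
 * SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH and returns 0.
 */
int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
{
    if (!max_fragment_length_mode_ok(mode)) {
        SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
               SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ctx->ext.max_fragment_len_mode = mode;
    return 1;
}

/*
 * Set the max_fragment_length extension mode for a single |ssl|.
 * Returns 1 on success; on an invalid |mode| raises
 * SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH and returns 0.
 */
int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
{
    if (!max_fragment_length_mode_ok(mode)) {
        SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
               SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ssl->ext.max_fragment_len_mode = mode;
    return 1;
}

/*
 * Return the max_fragment_length mode recorded in |session|; no validation
 * is performed here, the stored value is returned as is.
 */
uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
{
    return session->ext.max_fragment_len_mode;
}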