1 /* 2 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <openssl/objects.h> 13 #include <openssl/evp.h> 14 #include <openssl/hmac.h> 15 #include <openssl/core_names.h> 16 #include <openssl/ocsp.h> 17 #include <openssl/conf.h> 18 #include <openssl/x509v3.h> 19 #include <openssl/dh.h> 20 #include <openssl/bn.h> 21 #include <openssl/provider.h> 22 #include <openssl/param_build.h> 23 #include "internal/nelem.h" 24 #include "internal/sizes.h" 25 #include "internal/tlsgroups.h" 26 #include "ssl_local.h" 27 #include <openssl/ct.h> 28 29 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey); 30 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu); 31 32 SSL3_ENC_METHOD const TLSv1_enc_data = { 33 tls1_enc, 34 tls1_mac, 35 tls1_setup_key_block, 36 tls1_generate_master_secret, 37 tls1_change_cipher_state, 38 tls1_final_finish_mac, 39 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 40 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 41 tls1_alert_code, 42 tls1_export_keying_material, 43 0, 44 ssl3_set_handshake_header, 45 tls_close_construct_packet, 46 ssl3_handshake_write 47 }; 48 49 SSL3_ENC_METHOD const TLSv1_1_enc_data = { 50 tls1_enc, 51 tls1_mac, 52 tls1_setup_key_block, 53 tls1_generate_master_secret, 54 tls1_change_cipher_state, 55 tls1_final_finish_mac, 56 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 57 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 58 tls1_alert_code, 59 tls1_export_keying_material, 60 SSL_ENC_FLAG_EXPLICIT_IV, 61 ssl3_set_handshake_header, 62 tls_close_construct_packet, 63 ssl3_handshake_write 64 }; 65 66 SSL3_ENC_METHOD const TLSv1_2_enc_data = { 67 tls1_enc, 68 tls1_mac, 69 tls1_setup_key_block, 70 tls1_generate_master_secret, 71 tls1_change_cipher_state, 72 tls1_final_finish_mac, 73 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 74 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 75 tls1_alert_code, 76 tls1_export_keying_material, 77 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF 78 | SSL_ENC_FLAG_TLS1_2_CIPHERS, 79 ssl3_set_handshake_header, 80 tls_close_construct_packet, 81 ssl3_handshake_write 82 }; 83 84 SSL3_ENC_METHOD const TLSv1_3_enc_data = { 85 tls13_enc, 86 tls1_mac, 87 tls13_setup_key_block, 88 tls13_generate_master_secret, 89 tls13_change_cipher_state, 90 tls13_final_finish_mac, 91 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 92 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 93 tls13_alert_code, 94 tls13_export_keying_material, 95 SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF, 96 ssl3_set_handshake_header, 97 tls_close_construct_packet, 98 ssl3_handshake_write 99 }; 100 101 long tls1_default_timeout(void) 102 { 103 /* 104 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 105 * http, the cache would over fill 106 */ 107 return (60 * 60 * 2); 108 } 109 110 int tls1_new(SSL *s) 111 { 112 if (!ssl3_new(s)) 113 return 0; 114 if (!s->method->ssl_clear(s)) 115 return 0; 116 117 return 1; 118 } 119 120 void tls1_free(SSL *s) 121 { 122 OPENSSL_free(s->ext.session_ticket); 123 ssl3_free(s); 124 } 125 126 int tls1_clear(SSL *s) 127 { 128 if (!ssl3_clear(s)) 129 return 0; 130 131 if (s->method->version == TLS_ANY_VERSION) 132 s->version = TLS_MAX_VERSION_INTERNAL; 133 else 134 s->version = s->method->version; 135 136 return 1; 137 } 138 139 /* Legacy NID to group_id mapping. Only works for groups we know about */ 140 static struct { 141 int nid; 142 uint16_t group_id; 143 } nid_to_group[] = { 144 {NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1}, 145 {NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1}, 146 {NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2}, 147 {NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1}, 148 {NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2}, 149 {NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1}, 150 {NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1}, 151 {NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1}, 152 {NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1}, 153 {NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1}, 154 {NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1}, 155 {NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1}, 156 {NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1}, 157 {NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1}, 158 {NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1}, 159 {NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1}, 160 {NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2}, 161 {NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1}, 162 {NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1}, 163 {NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1}, 164 {NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1}, 165 {NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1}, 166 {NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1}, 167 {NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1}, 168 {NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1}, 169 {NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1}, 170 {NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1}, 171 {NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1}, 172 {EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519}, 173 {EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448}, 174 {NID_id_tc26_gost_3410_2012_256_paramSetA, 0x0022}, 175 {NID_id_tc26_gost_3410_2012_256_paramSetB, 0x0023}, 176 {NID_id_tc26_gost_3410_2012_256_paramSetC, 0x0024}, 177 {NID_id_tc26_gost_3410_2012_256_paramSetD, 0x0025}, 178 {NID_id_tc26_gost_3410_2012_512_paramSetA, 0x0026}, 179 {NID_id_tc26_gost_3410_2012_512_paramSetB, 0x0027}, 180 {NID_id_tc26_gost_3410_2012_512_paramSetC, 0x0028}, 181 {NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048}, 182 {NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072}, 183 {NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096}, 184 {NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144}, 185 {NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192} 186 }; 187 188 static const unsigned char ecformats_default[] = { 189 TLSEXT_ECPOINTFORMAT_uncompressed, 190 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 191 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 192 }; 193 194 /* The default curves */ 195 static const uint16_t supported_groups_default[] = { 196 29, /* X25519 (29) */ 197 23, /* secp256r1 (23) */ 198 30, /* X448 (30) */ 199 25, /* secp521r1 (25) */ 200 24, /* secp384r1 (24) */ 201 34, /* GC256A (34) */ 202 35, /* GC256B (35) */ 203 36, /* GC256C (36) */ 204 37, /* GC256D (37) */ 205 38, /* GC512A (38) */ 206 39, /* GC512B (39) */ 207 40, /* GC512C (40) */ 208 0x100, /* ffdhe2048 (0x100) */ 209 0x101, /* ffdhe3072 (0x101) */ 210 0x102, /* ffdhe4096 (0x102) */ 211 0x103, /* ffdhe6144 (0x103) */ 212 0x104, /* ffdhe8192 (0x104) */ 213 }; 214 215 static const uint16_t suiteb_curves[] = { 216 TLSEXT_curve_P_256, 217 TLSEXT_curve_P_384 218 }; 219 220 struct provider_group_data_st { 221 SSL_CTX *ctx; 222 OSSL_PROVIDER *provider; 223 }; 224 225 #define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10 226 static OSSL_CALLBACK add_provider_groups; 227 static int add_provider_groups(const OSSL_PARAM params[], void *data) 228 { 229 struct provider_group_data_st *pgd = data; 230 SSL_CTX *ctx = pgd->ctx; 231 OSSL_PROVIDER *provider = pgd->provider; 232 const OSSL_PARAM *p; 233 TLS_GROUP_INFO *ginf = NULL; 234 EVP_KEYMGMT *keymgmt; 235 unsigned int gid; 236 unsigned int is_kem = 0; 237 int ret = 0; 238 239 if (ctx->group_list_max_len == ctx->group_list_len) { 240 TLS_GROUP_INFO *tmp = NULL; 241 242 if (ctx->group_list_max_len == 0) 243 tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO) 244 * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); 245 else 246 tmp = OPENSSL_realloc(ctx->group_list, 247 (ctx->group_list_max_len 248 + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE) 249 * sizeof(TLS_GROUP_INFO)); 250 if (tmp == NULL) { 251 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 252 return 0; 253 } 254 ctx->group_list = tmp; 255 memset(tmp + ctx->group_list_max_len, 256 0, 257 sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); 258 ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE; 259 } 260 261 ginf = &ctx->group_list[ctx->group_list_len]; 262 263 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME); 264 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 265 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 266 goto err; 267 } 268 ginf->tlsname = OPENSSL_strdup(p->data); 269 if (ginf->tlsname == NULL) { 270 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 271 goto err; 272 } 273 274 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL); 275 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 276 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 277 goto err; 278 } 279 ginf->realname = OPENSSL_strdup(p->data); 280 if (ginf->realname == NULL) { 281 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 282 goto err; 283 } 284 285 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID); 286 if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) { 287 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 288 goto err; 289 } 290 ginf->group_id = (uint16_t)gid; 291 292 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG); 293 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 294 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 295 goto err; 296 } 297 ginf->algorithm = OPENSSL_strdup(p->data); 298 if (ginf->algorithm == NULL) { 299 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 300 goto err; 301 } 302 303 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS); 304 if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) { 305 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 306 goto err; 307 } 308 309 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM); 310 if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) { 311 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 312 goto err; 313 } 314 ginf->is_kem = 1 & is_kem; 315 316 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS); 317 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) { 318 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 319 goto err; 320 } 321 322 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS); 323 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) { 324 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 325 goto err; 326 } 327 328 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS); 329 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) { 330 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 331 goto err; 332 } 333 334 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS); 335 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) { 336 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 337 goto err; 338 } 339 /* 340 * Now check that the algorithm is actually usable for our property query 341 * string. Regardless of the result we still return success because we have 342 * successfully processed this group, even though we may decide not to use 343 * it. 344 */ 345 ret = 1; 346 ERR_set_mark(); 347 keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq); 348 if (keymgmt != NULL) { 349 /* 350 * We have successfully fetched the algorithm - however if the provider 351 * doesn't match this one then we ignore it. 352 * 353 * Note: We're cheating a little here. Technically if the same algorithm 354 * is available from more than one provider then it is undefined which 355 * implementation you will get back. Theoretically this could be 356 * different every time...we assume here that you'll always get the 357 * same one back if you repeat the exact same fetch. Is this a reasonable 358 * assumption to make (in which case perhaps we should document this 359 * behaviour)? 360 */ 361 if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { 362 /* We have a match - so we will use this group */ 363 ctx->group_list_len++; 364 ginf = NULL; 365 } 366 EVP_KEYMGMT_free(keymgmt); 367 } 368 ERR_pop_to_mark(); 369 err: 370 if (ginf != NULL) { 371 OPENSSL_free(ginf->tlsname); 372 OPENSSL_free(ginf->realname); 373 OPENSSL_free(ginf->algorithm); 374 ginf->algorithm = ginf->tlsname = ginf->realname = NULL; 375 } 376 return ret; 377 } 378 379 static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx) 380 { 381 struct provider_group_data_st pgd; 382 383 pgd.ctx = vctx; 384 pgd.provider = provider; 385 return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP", 386 add_provider_groups, &pgd); 387 } 388 389 int ssl_load_groups(SSL_CTX *ctx) 390 { 391 size_t i, j, num_deflt_grps = 0; 392 uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)]; 393 394 if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx)) 395 return 0; 396 397 for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) { 398 for (j = 0; j < ctx->group_list_len; j++) { 399 if (ctx->group_list[j].group_id == supported_groups_default[i]) { 400 tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id; 401 break; 402 } 403 } 404 } 405 406 if (num_deflt_grps == 0) 407 return 1; 408 409 ctx->ext.supported_groups_default 410 = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps); 411 412 if (ctx->ext.supported_groups_default == NULL) { 413 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 414 return 0; 415 } 416 417 memcpy(ctx->ext.supported_groups_default, 418 tmp_supp_groups, 419 num_deflt_grps * sizeof(tmp_supp_groups[0])); 420 ctx->ext.supported_groups_default_len = num_deflt_grps; 421 422 return 1; 423 } 424 425 static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name) 426 { 427 size_t i; 428 429 for (i = 0; i < ctx->group_list_len; i++) { 430 if (strcmp(ctx->group_list[i].tlsname, name) == 0 431 || strcmp(ctx->group_list[i].realname, name) == 0) 432 return ctx->group_list[i].group_id; 433 } 434 435 return 0; 436 } 437 438 const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id) 439 { 440 size_t i; 441 442 for (i = 0; i < ctx->group_list_len; i++) { 443 if (ctx->group_list[i].group_id == group_id) 444 return &ctx->group_list[i]; 445 } 446 447 return NULL; 448 } 449 450 int tls1_group_id2nid(uint16_t group_id, int include_unknown) 451 { 452 size_t i; 453 454 if (group_id == 0) 455 return NID_undef; 456 457 /* 458 * Return well known Group NIDs - for backwards compatibility. This won't 459 * work for groups we don't know about. 460 */ 461 for (i = 0; i < OSSL_NELEM(nid_to_group); i++) 462 { 463 if (nid_to_group[i].group_id == group_id) 464 return nid_to_group[i].nid; 465 } 466 if (!include_unknown) 467 return NID_undef; 468 return TLSEXT_nid_unknown | (int)group_id; 469 } 470 471 uint16_t tls1_nid2group_id(int nid) 472 { 473 size_t i; 474 475 /* 476 * Return well known Group ids - for backwards compatibility. This won't 477 * work for groups we don't know about. 478 */ 479 for (i = 0; i < OSSL_NELEM(nid_to_group); i++) 480 { 481 if (nid_to_group[i].nid == nid) 482 return nid_to_group[i].group_id; 483 } 484 485 return 0; 486 } 487 488 /* 489 * Set *pgroups to the supported groups list and *pgroupslen to 490 * the number of groups supported. 491 */ 492 void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, 493 size_t *pgroupslen) 494 { 495 /* For Suite B mode only include P-256, P-384 */ 496 switch (tls1_suiteb(s)) { 497 case SSL_CERT_FLAG_SUITEB_128_LOS: 498 *pgroups = suiteb_curves; 499 *pgroupslen = OSSL_NELEM(suiteb_curves); 500 break; 501 502 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 503 *pgroups = suiteb_curves; 504 *pgroupslen = 1; 505 break; 506 507 case SSL_CERT_FLAG_SUITEB_192_LOS: 508 *pgroups = suiteb_curves + 1; 509 *pgroupslen = 1; 510 break; 511 512 default: 513 if (s->ext.supportedgroups == NULL) { 514 *pgroups = s->ctx->ext.supported_groups_default; 515 *pgroupslen = s->ctx->ext.supported_groups_default_len; 516 } else { 517 *pgroups = s->ext.supportedgroups; 518 *pgroupslen = s->ext.supportedgroups_len; 519 } 520 break; 521 } 522 } 523 524 int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion, 525 int isec, int *okfortls13) 526 { 527 const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group_id); 528 int ret; 529 530 if (okfortls13 != NULL) 531 *okfortls13 = 0; 532 533 if (ginfo == NULL) 534 return 0; 535 536 if (SSL_IS_DTLS(s)) { 537 if (ginfo->mindtls < 0 || ginfo->maxdtls < 0) 538 return 0; 539 if (ginfo->maxdtls == 0) 540 ret = 1; 541 else 542 ret = DTLS_VERSION_LE(minversion, ginfo->maxdtls); 543 if (ginfo->mindtls > 0) 544 ret &= DTLS_VERSION_GE(maxversion, ginfo->mindtls); 545 } else { 546 if (ginfo->mintls < 0 || ginfo->maxtls < 0) 547 return 0; 548 if (ginfo->maxtls == 0) 549 ret = 1; 550 else 551 ret = (minversion <= ginfo->maxtls); 552 if (ginfo->mintls > 0) 553 ret &= (maxversion >= ginfo->mintls); 554 if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION) 555 *okfortls13 = (ginfo->maxtls == 0) 556 || (ginfo->maxtls >= TLS1_3_VERSION); 557 } 558 ret &= !isec 559 || strcmp(ginfo->algorithm, "EC") == 0 560 || strcmp(ginfo->algorithm, "X25519") == 0 561 || strcmp(ginfo->algorithm, "X448") == 0; 562 563 return ret; 564 } 565 566 /* See if group is allowed by security callback */ 567 int tls_group_allowed(SSL *s, uint16_t group, int op) 568 { 569 const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group); 570 unsigned char gtmp[2]; 571 572 if (ginfo == NULL) 573 return 0; 574 575 gtmp[0] = group >> 8; 576 gtmp[1] = group & 0xff; 577 return ssl_security(s, op, ginfo->secbits, 578 tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp); 579 } 580 581 /* Return 1 if "id" is in "list" */ 582 static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen) 583 { 584 size_t i; 585 for (i = 0; i < listlen; i++) 586 if (list[i] == id) 587 return 1; 588 return 0; 589 } 590 591 /*- 592 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0 593 * if there is no match. 594 * For nmatch == -1, return number of matches 595 * For nmatch == -2, return the id of the group to use for 596 * a tmp key, or 0 if there is no match. 597 */ 598 uint16_t tls1_shared_group(SSL *s, int nmatch) 599 { 600 const uint16_t *pref, *supp; 601 size_t num_pref, num_supp, i; 602 int k; 603 604 /* Can't do anything on client side */ 605 if (s->server == 0) 606 return 0; 607 if (nmatch == -2) { 608 if (tls1_suiteb(s)) { 609 /* 610 * For Suite B ciphersuite determines curve: we already know 611 * these are acceptable due to previous checks. 612 */ 613 unsigned long cid = s->s3.tmp.new_cipher->id; 614 615 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 616 return TLSEXT_curve_P_256; 617 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 618 return TLSEXT_curve_P_384; 619 /* Should never happen */ 620 return 0; 621 } 622 /* If not Suite B just return first preference shared curve */ 623 nmatch = 0; 624 } 625 /* 626 * If server preference set, our groups are the preference order 627 * otherwise peer decides. 628 */ 629 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 630 tls1_get_supported_groups(s, &pref, &num_pref); 631 tls1_get_peer_groups(s, &supp, &num_supp); 632 } else { 633 tls1_get_peer_groups(s, &pref, &num_pref); 634 tls1_get_supported_groups(s, &supp, &num_supp); 635 } 636 637 for (k = 0, i = 0; i < num_pref; i++) { 638 uint16_t id = pref[i]; 639 640 if (!tls1_in_list(id, supp, num_supp) 641 || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED)) 642 continue; 643 if (nmatch == k) 644 return id; 645 k++; 646 } 647 if (nmatch == -1) 648 return k; 649 /* Out of range (nmatch > k). */ 650 return 0; 651 } 652 653 int tls1_set_groups(uint16_t **pext, size_t *pextlen, 654 int *groups, size_t ngroups) 655 { 656 uint16_t *glist; 657 size_t i; 658 /* 659 * Bitmap of groups included to detect duplicates: two variables are added 660 * to detect duplicates as some values are more than 32. 661 */ 662 unsigned long *dup_list = NULL; 663 unsigned long dup_list_egrp = 0; 664 unsigned long dup_list_dhgrp = 0; 665 666 if (ngroups == 0) { 667 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); 668 return 0; 669 } 670 if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { 671 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 672 return 0; 673 } 674 for (i = 0; i < ngroups; i++) { 675 unsigned long idmask; 676 uint16_t id; 677 id = tls1_nid2group_id(groups[i]); 678 if ((id & 0x00FF) >= (sizeof(unsigned long) * 8)) 679 goto err; 680 idmask = 1L << (id & 0x00FF); 681 dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp; 682 if (!id || ((*dup_list) & idmask)) 683 goto err; 684 *dup_list |= idmask; 685 glist[i] = id; 686 } 687 OPENSSL_free(*pext); 688 *pext = glist; 689 *pextlen = ngroups; 690 return 1; 691 err: 692 OPENSSL_free(glist); 693 return 0; 694 } 695 696 # define GROUPLIST_INCREMENT 40 697 # define GROUP_NAME_BUFFER_LENGTH 64 698 typedef struct { 699 SSL_CTX *ctx; 700 size_t gidcnt; 701 size_t gidmax; 702 uint16_t *gid_arr; 703 } gid_cb_st; 704 705 static int gid_cb(const char *elem, int len, void *arg) 706 { 707 gid_cb_st *garg = arg; 708 size_t i; 709 uint16_t gid = 0; 710 char etmp[GROUP_NAME_BUFFER_LENGTH]; 711 712 if (elem == NULL) 713 return 0; 714 if (garg->gidcnt == garg->gidmax) { 715 uint16_t *tmp = 716 OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT); 717 if (tmp == NULL) 718 return 0; 719 garg->gidmax += GROUPLIST_INCREMENT; 720 garg->gid_arr = tmp; 721 } 722 if (len > (int)(sizeof(etmp) - 1)) 723 return 0; 724 memcpy(etmp, elem, len); 725 etmp[len] = 0; 726 727 gid = tls1_group_name2id(garg->ctx, etmp); 728 if (gid == 0) { 729 ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, 730 "group '%s' cannot be set", etmp); 731 return 0; 732 } 733 for (i = 0; i < garg->gidcnt; i++) 734 if (garg->gid_arr[i] == gid) 735 return 0; 736 garg->gid_arr[garg->gidcnt++] = gid; 737 return 1; 738 } 739 740 /* Set groups based on a colon separated list */ 741 int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, 742 const char *str) 743 { 744 gid_cb_st gcb; 745 uint16_t *tmparr; 746 int ret = 0; 747 748 gcb.gidcnt = 0; 749 gcb.gidmax = GROUPLIST_INCREMENT; 750 gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr)); 751 if (gcb.gid_arr == NULL) 752 return 0; 753 gcb.ctx = ctx; 754 if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) 755 goto end; 756 if (pext == NULL) { 757 ret = 1; 758 goto end; 759 } 760 761 /* 762 * gid_cb ensurse there are no duplicates so we can just go ahead and set 763 * the result 764 */ 765 tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); 766 if (tmparr == NULL) 767 goto end; 768 OPENSSL_free(*pext); 769 *pext = tmparr; 770 *pextlen = gcb.gidcnt; 771 ret = 1; 772 end: 773 OPENSSL_free(gcb.gid_arr); 774 return ret; 775 } 776 777 /* Check a group id matches preferences */ 778 int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) 779 { 780 const uint16_t *groups; 781 size_t groups_len; 782 783 if (group_id == 0) 784 return 0; 785 786 /* Check for Suite B compliance */ 787 if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) { 788 unsigned long cid = s->s3.tmp.new_cipher->id; 789 790 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { 791 if (group_id != TLSEXT_curve_P_256) 792 return 0; 793 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { 794 if (group_id != TLSEXT_curve_P_384) 795 return 0; 796 } else { 797 /* Should never happen */ 798 return 0; 799 } 800 } 801 802 if (check_own_groups) { 803 /* Check group is one of our preferences */ 804 tls1_get_supported_groups(s, &groups, &groups_len); 805 if (!tls1_in_list(group_id, groups, groups_len)) 806 return 0; 807 } 808 809 if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) 810 return 0; 811 812 /* For clients, nothing more to check */ 813 if (!s->server) 814 return 1; 815 816 /* Check group is one of peers preferences */ 817 tls1_get_peer_groups(s, &groups, &groups_len); 818 819 /* 820 * RFC 4492 does not require the supported elliptic curves extension 821 * so if it is not sent we can just choose any curve. 822 * It is invalid to send an empty list in the supported groups 823 * extension, so groups_len == 0 always means no extension. 824 */ 825 if (groups_len == 0) 826 return 1; 827 return tls1_in_list(group_id, groups, groups_len); 828 } 829 830 void tls1_get_formatlist(SSL *s, const unsigned char **pformats, 831 size_t *num_formats) 832 { 833 /* 834 * If we have a custom point format list use it otherwise use default 835 */ 836 if (s->ext.ecpointformats) { 837 *pformats = s->ext.ecpointformats; 838 *num_formats = s->ext.ecpointformats_len; 839 } else { 840 *pformats = ecformats_default; 841 /* For Suite B we don't support char2 fields */ 842 if (tls1_suiteb(s)) 843 *num_formats = sizeof(ecformats_default) - 1; 844 else 845 *num_formats = sizeof(ecformats_default); 846 } 847 } 848 849 /* Check a key is compatible with compression extension */ 850 static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) 851 { 852 unsigned char comp_id; 853 size_t i; 854 int point_conv; 855 856 /* If not an EC key nothing to check */ 857 if (!EVP_PKEY_is_a(pkey, "EC")) 858 return 1; 859 860 861 /* Get required compression id */ 862 point_conv = EVP_PKEY_get_ec_point_conv_form(pkey); 863 if (point_conv == 0) 864 return 0; 865 if (point_conv == POINT_CONVERSION_UNCOMPRESSED) { 866 comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 867 } else if (SSL_IS_TLS13(s)) { 868 /* 869 * ec_point_formats extension is not used in TLSv1.3 so we ignore 870 * this check. 871 */ 872 return 1; 873 } else { 874 int field_type = EVP_PKEY_get_field_type(pkey); 875 876 if (field_type == NID_X9_62_prime_field) 877 comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 878 else if (field_type == NID_X9_62_characteristic_two_field) 879 comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 880 else 881 return 0; 882 } 883 /* 884 * If point formats extension present check it, otherwise everything is 885 * supported (see RFC4492). 886 */ 887 if (s->ext.peer_ecpointformats == NULL) 888 return 1; 889 890 for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { 891 if (s->ext.peer_ecpointformats[i] == comp_id) 892 return 1; 893 } 894 return 0; 895 } 896 897 /* Return group id of a key */ 898 static uint16_t tls1_get_group_id(EVP_PKEY *pkey) 899 { 900 int curve_nid = ssl_get_EC_curve_nid(pkey); 901 902 if (curve_nid == NID_undef) 903 return 0; 904 return tls1_nid2group_id(curve_nid); 905 } 906 907 /* 908 * Check cert parameters compatible with extensions: currently just checks EC 909 * certificates have compatible curves and compression. 910 */ 911 static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md) 912 { 913 uint16_t group_id; 914 EVP_PKEY *pkey; 915 pkey = X509_get0_pubkey(x); 916 if (pkey == NULL) 917 return 0; 918 /* If not EC nothing to do */ 919 if (!EVP_PKEY_is_a(pkey, "EC")) 920 return 1; 921 /* Check compression */ 922 if (!tls1_check_pkey_comp(s, pkey)) 923 return 0; 924 group_id = tls1_get_group_id(pkey); 925 /* 926 * For a server we allow the certificate to not be in our list of supported 927 * groups. 928 */ 929 if (!tls1_check_group_id(s, group_id, !s->server)) 930 return 0; 931 /* 932 * Special case for suite B. We *MUST* sign using SHA256+P-256 or 933 * SHA384+P-384. 934 */ 935 if (check_ee_md && tls1_suiteb(s)) { 936 int check_md; 937 size_t i; 938 939 /* Check to see we have necessary signing algorithm */ 940 if (group_id == TLSEXT_curve_P_256) 941 check_md = NID_ecdsa_with_SHA256; 942 else if (group_id == TLSEXT_curve_P_384) 943 check_md = NID_ecdsa_with_SHA384; 944 else 945 return 0; /* Should never happen */ 946 for (i = 0; i < s->shared_sigalgslen; i++) { 947 if (check_md == s->shared_sigalgs[i]->sigandhash) 948 return 1;; 949 } 950 return 0; 951 } 952 return 1; 953 } 954 955 /* 956 * tls1_check_ec_tmp_key - Check EC temporary key compatibility 957 * @s: SSL connection 958 * @cid: Cipher ID we're considering using 959 * 960 * Checks that the kECDHE cipher suite we're considering using 961 * is compatible with the client extensions. 962 * 963 * Returns 0 when the cipher can't be used or 1 when it can. 964 */ 965 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) 966 { 967 /* If not Suite B just need a shared group */ 968 if (!tls1_suiteb(s)) 969 return tls1_shared_group(s, 0) != 0; 970 /* 971 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other 972 * curves permitted. 973 */ 974 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 975 return tls1_check_group_id(s, TLSEXT_curve_P_256, 1); 976 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 977 return tls1_check_group_id(s, TLSEXT_curve_P_384, 1); 978 979 return 0; 980 } 981 982 /* Default sigalg schemes */ 983 static const uint16_t tls12_sigalgs[] = { 984 TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 985 TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 986 TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 987 TLSEXT_SIGALG_ed25519, 988 TLSEXT_SIGALG_ed448, 989 990 TLSEXT_SIGALG_rsa_pss_pss_sha256, 991 TLSEXT_SIGALG_rsa_pss_pss_sha384, 992 TLSEXT_SIGALG_rsa_pss_pss_sha512, 993 TLSEXT_SIGALG_rsa_pss_rsae_sha256, 994 TLSEXT_SIGALG_rsa_pss_rsae_sha384, 995 TLSEXT_SIGALG_rsa_pss_rsae_sha512, 996 997 TLSEXT_SIGALG_rsa_pkcs1_sha256, 998 TLSEXT_SIGALG_rsa_pkcs1_sha384, 999 TLSEXT_SIGALG_rsa_pkcs1_sha512, 1000 1001 TLSEXT_SIGALG_ecdsa_sha224, 1002 TLSEXT_SIGALG_ecdsa_sha1, 1003 1004 TLSEXT_SIGALG_rsa_pkcs1_sha224, 1005 TLSEXT_SIGALG_rsa_pkcs1_sha1, 1006 1007 TLSEXT_SIGALG_dsa_sha224, 1008 TLSEXT_SIGALG_dsa_sha1, 1009 1010 TLSEXT_SIGALG_dsa_sha256, 1011 TLSEXT_SIGALG_dsa_sha384, 1012 TLSEXT_SIGALG_dsa_sha512, 1013 1014 #ifndef OPENSSL_NO_GOST 1015 TLSEXT_SIGALG_gostr34102012_256_intrinsic, 1016 TLSEXT_SIGALG_gostr34102012_512_intrinsic, 1017 TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1018 TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1019 TLSEXT_SIGALG_gostr34102001_gostr3411, 1020 #endif 1021 }; 1022 1023 1024 static const uint16_t suiteb_sigalgs[] = { 1025 TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1026 TLSEXT_SIGALG_ecdsa_secp384r1_sha384 1027 }; 1028 1029 static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { 1030 {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1031 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1032 NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1}, 1033 {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 1034 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1035 NID_ecdsa_with_SHA384, NID_secp384r1, 1}, 1036 {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 1037 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1038 NID_ecdsa_with_SHA512, NID_secp521r1, 1}, 1039 {"ed25519", TLSEXT_SIGALG_ed25519, 1040 NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519, 1041 NID_undef, NID_undef, 1}, 1042 {"ed448", TLSEXT_SIGALG_ed448, 1043 NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448, 1044 NID_undef, NID_undef, 1}, 1045 {NULL, TLSEXT_SIGALG_ecdsa_sha224, 1046 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1047 NID_ecdsa_with_SHA224, NID_undef, 1}, 1048 {NULL, TLSEXT_SIGALG_ecdsa_sha1, 1049 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1050 NID_ecdsa_with_SHA1, NID_undef, 1}, 1051 {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, 1052 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1053 NID_undef, NID_undef, 1}, 1054 {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384, 1055 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1056 NID_undef, NID_undef, 1}, 1057 {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512, 1058 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1059 NID_undef, NID_undef, 1}, 1060 {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256, 1061 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1062 NID_undef, NID_undef, 1}, 1063 {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384, 1064 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1065 NID_undef, NID_undef, 1}, 1066 {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512, 1067 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1068 NID_undef, NID_undef, 1}, 1069 {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256, 1070 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1071 NID_sha256WithRSAEncryption, NID_undef, 1}, 1072 {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384, 1073 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1074 NID_sha384WithRSAEncryption, NID_undef, 1}, 1075 {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512, 1076 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1077 NID_sha512WithRSAEncryption, NID_undef, 1}, 1078 {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224, 1079 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1080 NID_sha224WithRSAEncryption, NID_undef, 1}, 1081 {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, 1082 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1083 NID_sha1WithRSAEncryption, NID_undef, 1}, 1084 {NULL, TLSEXT_SIGALG_dsa_sha256, 1085 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1086 NID_dsa_with_SHA256, NID_undef, 1}, 1087 {NULL, TLSEXT_SIGALG_dsa_sha384, 1088 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1089 NID_undef, NID_undef, 1}, 1090 {NULL, TLSEXT_SIGALG_dsa_sha512, 1091 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1092 NID_undef, NID_undef, 1}, 1093 {NULL, TLSEXT_SIGALG_dsa_sha224, 1094 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1095 NID_undef, NID_undef, 1}, 1096 {NULL, TLSEXT_SIGALG_dsa_sha1, 1097 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1098 NID_dsaWithSHA1, NID_undef, 1}, 1099 #ifndef OPENSSL_NO_GOST 1100 {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic, 1101 NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 1102 NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 1103 NID_undef, NID_undef, 1}, 1104 {NULL, TLSEXT_SIGALG_gostr34102012_512_intrinsic, 1105 NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 1106 NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 1107 NID_undef, NID_undef, 1}, 1108 {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1109 NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 1110 NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 1111 NID_undef, NID_undef, 1}, 1112 {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1113 NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 1114 NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 1115 NID_undef, NID_undef, 1}, 1116 {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411, 1117 NID_id_GostR3411_94, SSL_MD_GOST94_IDX, 1118 NID_id_GostR3410_2001, SSL_PKEY_GOST01, 1119 NID_undef, NID_undef, 1} 1120 #endif 1121 }; 1122 /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */ 1123 static const SIGALG_LOOKUP legacy_rsa_sigalg = { 1124 "rsa_pkcs1_md5_sha1", 0, 1125 NID_md5_sha1, SSL_MD_MD5_SHA1_IDX, 1126 EVP_PKEY_RSA, SSL_PKEY_RSA, 1127 NID_undef, NID_undef, 1 1128 }; 1129 1130 /* 1131 * Default signature algorithm values used if signature algorithms not present. 1132 * From RFC5246. Note: order must match certificate index order. 1133 */ 1134 static const uint16_t tls_default_sigalg[] = { 1135 TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ 1136 0, /* SSL_PKEY_RSA_PSS_SIGN */ 1137 TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ 1138 TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ 1139 TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ 1140 TLSEXT_SIGALG_gostr34102012_256_intrinsic, /* SSL_PKEY_GOST12_256 */ 1141 TLSEXT_SIGALG_gostr34102012_512_intrinsic, /* SSL_PKEY_GOST12_512 */ 1142 0, /* SSL_PKEY_ED25519 */ 1143 0, /* SSL_PKEY_ED448 */ 1144 }; 1145 1146 int ssl_setup_sig_algs(SSL_CTX *ctx) 1147 { 1148 size_t i; 1149 const SIGALG_LOOKUP *lu; 1150 SIGALG_LOOKUP *cache 1151 = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); 1152 EVP_PKEY *tmpkey = EVP_PKEY_new(); 1153 int ret = 0; 1154 1155 if (cache == NULL || tmpkey == NULL) 1156 goto err; 1157 1158 ERR_set_mark(); 1159 for (i = 0, lu = sigalg_lookup_tbl; 1160 i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { 1161 EVP_PKEY_CTX *pctx; 1162 1163 cache[i] = *lu; 1164 1165 /* 1166 * Check hash is available. 1167 * This test is not perfect. A provider could have support 1168 * for a signature scheme, but not a particular hash. However the hash 1169 * could be available from some other loaded provider. In that case it 1170 * could be that the signature is available, and the hash is available 1171 * independently - but not as a combination. We ignore this for now. 1172 */ 1173 if (lu->hash != NID_undef 1174 && ctx->ssl_digest_methods[lu->hash_idx] == NULL) { 1175 cache[i].enabled = 0; 1176 continue; 1177 } 1178 1179 if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { 1180 cache[i].enabled = 0; 1181 continue; 1182 } 1183 pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, tmpkey, ctx->propq); 1184 /* If unable to create pctx we assume the sig algorithm is unavailable */ 1185 if (pctx == NULL) 1186 cache[i].enabled = 0; 1187 EVP_PKEY_CTX_free(pctx); 1188 } 1189 ERR_pop_to_mark(); 1190 ctx->sigalg_lookup_cache = cache; 1191 cache = NULL; 1192 1193 ret = 1; 1194 err: 1195 OPENSSL_free(cache); 1196 EVP_PKEY_free(tmpkey); 1197 return ret; 1198 } 1199 1200 /* Lookup TLS signature algorithm */ 1201 static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL *s, uint16_t sigalg) 1202 { 1203 size_t i; 1204 const SIGALG_LOOKUP *lu; 1205 1206 for (i = 0, lu = s->ctx->sigalg_lookup_cache; 1207 /* cache should have the same number of elements as sigalg_lookup_tbl */ 1208 i < OSSL_NELEM(sigalg_lookup_tbl); 1209 lu++, i++) { 1210 if (lu->sigalg == sigalg) { 1211 if (!lu->enabled) 1212 return NULL; 1213 return lu; 1214 } 1215 } 1216 return NULL; 1217 } 1218 /* Lookup hash: return 0 if invalid or not enabled */ 1219 int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd) 1220 { 1221 const EVP_MD *md; 1222 if (lu == NULL) 1223 return 0; 1224 /* lu->hash == NID_undef means no associated digest */ 1225 if (lu->hash == NID_undef) { 1226 md = NULL; 1227 } else { 1228 md = ssl_md(ctx, lu->hash_idx); 1229 if (md == NULL) 1230 return 0; 1231 } 1232 if (pmd) 1233 *pmd = md; 1234 return 1; 1235 } 1236 1237 /* 1238 * Check if key is large enough to generate RSA-PSS signature. 1239 * 1240 * The key must greater than or equal to 2 * hash length + 2. 1241 * SHA512 has a hash length of 64 bytes, which is incompatible 1242 * with a 128 byte (1024 bit) key. 1243 */ 1244 #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2) 1245 static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey, 1246 const SIGALG_LOOKUP *lu) 1247 { 1248 const EVP_MD *md; 1249 1250 if (pkey == NULL) 1251 return 0; 1252 if (!tls1_lookup_md(ctx, lu, &md) || md == NULL) 1253 return 0; 1254 if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md)) 1255 return 0; 1256 return 1; 1257 } 1258 1259 /* 1260 * Returns a signature algorithm when the peer did not send a list of supported 1261 * signature algorithms. The signature algorithm is fixed for the certificate 1262 * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the 1263 * certificate type from |s| will be used. 1264 * Returns the signature algorithm to use, or NULL on error. 1265 */ 1266 static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) 1267 { 1268 if (idx == -1) { 1269 if (s->server) { 1270 size_t i; 1271 1272 /* Work out index corresponding to ciphersuite */ 1273 for (i = 0; i < SSL_PKEY_NUM; i++) { 1274 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i); 1275 1276 if (clu == NULL) 1277 continue; 1278 if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) { 1279 idx = i; 1280 break; 1281 } 1282 } 1283 1284 /* 1285 * Some GOST ciphersuites allow more than one signature algorithms 1286 * */ 1287 if (idx == SSL_PKEY_GOST01 && s->s3.tmp.new_cipher->algorithm_auth != SSL_aGOST01) { 1288 int real_idx; 1289 1290 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01; 1291 real_idx--) { 1292 if (s->cert->pkeys[real_idx].privatekey != NULL) { 1293 idx = real_idx; 1294 break; 1295 } 1296 } 1297 } 1298 /* 1299 * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used 1300 * with new (aGOST12-only) ciphersuites, we should find out which one is available really. 1301 */ 1302 else if (idx == SSL_PKEY_GOST12_256) { 1303 int real_idx; 1304 1305 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256; 1306 real_idx--) { 1307 if (s->cert->pkeys[real_idx].privatekey != NULL) { 1308 idx = real_idx; 1309 break; 1310 } 1311 } 1312 } 1313 } else { 1314 idx = s->cert->key - s->cert->pkeys; 1315 } 1316 } 1317 if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) 1318 return NULL; 1319 if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { 1320 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, tls_default_sigalg[idx]); 1321 1322 if (lu == NULL) 1323 return NULL; 1324 if (!tls1_lookup_md(s->ctx, lu, NULL)) 1325 return NULL; 1326 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 1327 return NULL; 1328 return lu; 1329 } 1330 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg)) 1331 return NULL; 1332 return &legacy_rsa_sigalg; 1333 } 1334 /* Set peer sigalg based key type */ 1335 int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey) 1336 { 1337 size_t idx; 1338 const SIGALG_LOOKUP *lu; 1339 1340 if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 1341 return 0; 1342 lu = tls1_get_legacy_sigalg(s, idx); 1343 if (lu == NULL) 1344 return 0; 1345 s->s3.tmp.peer_sigalg = lu; 1346 return 1; 1347 } 1348 1349 size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) 1350 { 1351 /* 1352 * If Suite B mode use Suite B sigalgs only, ignore any other 1353 * preferences. 1354 */ 1355 switch (tls1_suiteb(s)) { 1356 case SSL_CERT_FLAG_SUITEB_128_LOS: 1357 *psigs = suiteb_sigalgs; 1358 return OSSL_NELEM(suiteb_sigalgs); 1359 1360 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 1361 *psigs = suiteb_sigalgs; 1362 return 1; 1363 1364 case SSL_CERT_FLAG_SUITEB_192_LOS: 1365 *psigs = suiteb_sigalgs + 1; 1366 return 1; 1367 } 1368 /* 1369 * We use client_sigalgs (if not NULL) if we're a server 1370 * and sending a certificate request or if we're a client and 1371 * determining which shared algorithm to use. 1372 */ 1373 if ((s->server == sent) && s->cert->client_sigalgs != NULL) { 1374 *psigs = s->cert->client_sigalgs; 1375 return s->cert->client_sigalgslen; 1376 } else if (s->cert->conf_sigalgs) { 1377 *psigs = s->cert->conf_sigalgs; 1378 return s->cert->conf_sigalgslen; 1379 } else { 1380 *psigs = tls12_sigalgs; 1381 return OSSL_NELEM(tls12_sigalgs); 1382 } 1383 } 1384 1385 /* 1386 * Called by servers only. Checks that we have a sig alg that supports the 1387 * specified EC curve. 1388 */ 1389 int tls_check_sigalg_curve(const SSL *s, int curve) 1390 { 1391 const uint16_t *sigs; 1392 size_t siglen, i; 1393 1394 if (s->cert->conf_sigalgs) { 1395 sigs = s->cert->conf_sigalgs; 1396 siglen = s->cert->conf_sigalgslen; 1397 } else { 1398 sigs = tls12_sigalgs; 1399 siglen = OSSL_NELEM(tls12_sigalgs); 1400 } 1401 1402 for (i = 0; i < siglen; i++) { 1403 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, sigs[i]); 1404 1405 if (lu == NULL) 1406 continue; 1407 if (lu->sig == EVP_PKEY_EC 1408 && lu->curve != NID_undef 1409 && curve == lu->curve) 1410 return 1; 1411 } 1412 1413 return 0; 1414 } 1415 1416 /* 1417 * Return the number of security bits for the signature algorithm, or 0 on 1418 * error. 1419 */ 1420 static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu) 1421 { 1422 const EVP_MD *md = NULL; 1423 int secbits = 0; 1424 1425 if (!tls1_lookup_md(ctx, lu, &md)) 1426 return 0; 1427 if (md != NULL) 1428 { 1429 int md_type = EVP_MD_get_type(md); 1430 1431 /* Security bits: half digest bits */ 1432 secbits = EVP_MD_get_size(md) * 4; 1433 /* 1434 * SHA1 and MD5 are known to be broken. Reduce security bits so that 1435 * they're no longer accepted at security level 1. The real values don't 1436 * really matter as long as they're lower than 80, which is our 1437 * security level 1. 1438 * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for 1439 * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2 1440 * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf 1441 * puts a chosen-prefix attack for MD5 at 2^39. 1442 */ 1443 if (md_type == NID_sha1) 1444 secbits = 64; 1445 else if (md_type == NID_md5_sha1) 1446 secbits = 67; 1447 else if (md_type == NID_md5) 1448 secbits = 39; 1449 } else { 1450 /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ 1451 if (lu->sigalg == TLSEXT_SIGALG_ed25519) 1452 secbits = 128; 1453 else if (lu->sigalg == TLSEXT_SIGALG_ed448) 1454 secbits = 224; 1455 } 1456 return secbits; 1457 } 1458 1459 /* 1460 * Check signature algorithm is consistent with sent supported signature 1461 * algorithms and if so set relevant digest and signature scheme in 1462 * s. 1463 */ 1464 int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) 1465 { 1466 const uint16_t *sent_sigs; 1467 const EVP_MD *md = NULL; 1468 char sigalgstr[2]; 1469 size_t sent_sigslen, i, cidx; 1470 int pkeyid = -1; 1471 const SIGALG_LOOKUP *lu; 1472 int secbits = 0; 1473 1474 pkeyid = EVP_PKEY_get_id(pkey); 1475 /* Should never happen */ 1476 if (pkeyid == -1) 1477 return -1; 1478 if (SSL_IS_TLS13(s)) { 1479 /* Disallow DSA for TLS 1.3 */ 1480 if (pkeyid == EVP_PKEY_DSA) { 1481 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1482 return 0; 1483 } 1484 /* Only allow PSS for TLS 1.3 */ 1485 if (pkeyid == EVP_PKEY_RSA) 1486 pkeyid = EVP_PKEY_RSA_PSS; 1487 } 1488 lu = tls1_lookup_sigalg(s, sig); 1489 /* 1490 * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type 1491 * is consistent with signature: RSA keys can be used for RSA-PSS 1492 */ 1493 if (lu == NULL 1494 || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) 1495 || (pkeyid != lu->sig 1496 && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { 1497 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1498 return 0; 1499 } 1500 /* Check the sigalg is consistent with the key OID */ 1501 if (!ssl_cert_lookup_by_nid(EVP_PKEY_get_id(pkey), &cidx) 1502 || lu->sig_idx != (int)cidx) { 1503 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1504 return 0; 1505 } 1506 1507 if (pkeyid == EVP_PKEY_EC) { 1508 1509 /* Check point compression is permitted */ 1510 if (!tls1_check_pkey_comp(s, pkey)) { 1511 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1512 SSL_R_ILLEGAL_POINT_COMPRESSION); 1513 return 0; 1514 } 1515 1516 /* For TLS 1.3 or Suite B check curve matches signature algorithm */ 1517 if (SSL_IS_TLS13(s) || tls1_suiteb(s)) { 1518 int curve = ssl_get_EC_curve_nid(pkey); 1519 1520 if (lu->curve != NID_undef && curve != lu->curve) { 1521 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 1522 return 0; 1523 } 1524 } 1525 if (!SSL_IS_TLS13(s)) { 1526 /* Check curve matches extensions */ 1527 if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { 1528 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 1529 return 0; 1530 } 1531 if (tls1_suiteb(s)) { 1532 /* Check sigalg matches a permissible Suite B value */ 1533 if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 1534 && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { 1535 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1536 SSL_R_WRONG_SIGNATURE_TYPE); 1537 return 0; 1538 } 1539 } 1540 } 1541 } else if (tls1_suiteb(s)) { 1542 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1543 return 0; 1544 } 1545 1546 /* Check signature matches a type we sent */ 1547 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1548 for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 1549 if (sig == *sent_sigs) 1550 break; 1551 } 1552 /* Allow fallback to SHA1 if not strict mode */ 1553 if (i == sent_sigslen && (lu->hash != NID_sha1 1554 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 1555 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1556 return 0; 1557 } 1558 if (!tls1_lookup_md(s->ctx, lu, &md)) { 1559 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); 1560 return 0; 1561 } 1562 /* 1563 * Make sure security callback allows algorithm. For historical 1564 * reasons we have to pass the sigalg as a two byte char array. 1565 */ 1566 sigalgstr[0] = (sig >> 8) & 0xff; 1567 sigalgstr[1] = sig & 0xff; 1568 secbits = sigalg_security_bits(s->ctx, lu); 1569 if (secbits == 0 || 1570 !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, 1571 md != NULL ? EVP_MD_get_type(md) : NID_undef, 1572 (void *)sigalgstr)) { 1573 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1574 return 0; 1575 } 1576 /* Store the sigalg the peer uses */ 1577 s->s3.tmp.peer_sigalg = lu; 1578 return 1; 1579 } 1580 1581 int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) 1582 { 1583 if (s->s3.tmp.peer_sigalg == NULL) 1584 return 0; 1585 *pnid = s->s3.tmp.peer_sigalg->sig; 1586 return 1; 1587 } 1588 1589 int SSL_get_signature_type_nid(const SSL *s, int *pnid) 1590 { 1591 if (s->s3.tmp.sigalg == NULL) 1592 return 0; 1593 *pnid = s->s3.tmp.sigalg->sig; 1594 return 1; 1595 } 1596 1597 /* 1598 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't 1599 * supported, doesn't appear in supported signature algorithms, isn't supported 1600 * by the enabled protocol versions or by the security level. 1601 * 1602 * This function should only be used for checking which ciphers are supported 1603 * by the client. 1604 * 1605 * Call ssl_cipher_disabled() to check that it's enabled or not. 1606 */ 1607 int ssl_set_client_disabled(SSL *s) 1608 { 1609 s->s3.tmp.mask_a = 0; 1610 s->s3.tmp.mask_k = 0; 1611 ssl_set_sig_mask(&s->s3.tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); 1612 if (ssl_get_min_max_version(s, &s->s3.tmp.min_ver, 1613 &s->s3.tmp.max_ver, NULL) != 0) 1614 return 0; 1615 #ifndef OPENSSL_NO_PSK 1616 /* with PSK there must be client callback set */ 1617 if (!s->psk_client_callback) { 1618 s->s3.tmp.mask_a |= SSL_aPSK; 1619 s->s3.tmp.mask_k |= SSL_PSK; 1620 } 1621 #endif /* OPENSSL_NO_PSK */ 1622 #ifndef OPENSSL_NO_SRP 1623 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) { 1624 s->s3.tmp.mask_a |= SSL_aSRP; 1625 s->s3.tmp.mask_k |= SSL_kSRP; 1626 } 1627 #endif 1628 return 1; 1629 } 1630 1631 /* 1632 * ssl_cipher_disabled - check that a cipher is disabled or not 1633 * @s: SSL connection that you want to use the cipher on 1634 * @c: cipher to check 1635 * @op: Security check that you want to do 1636 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3 1637 * 1638 * Returns 1 when it's disabled, 0 when enabled. 1639 */ 1640 int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe) 1641 { 1642 if (c->algorithm_mkey & s->s3.tmp.mask_k 1643 || c->algorithm_auth & s->s3.tmp.mask_a) 1644 return 1; 1645 if (s->s3.tmp.max_ver == 0) 1646 return 1; 1647 if (!SSL_IS_DTLS(s)) { 1648 int min_tls = c->min_tls; 1649 1650 /* 1651 * For historical reasons we will allow ECHDE to be selected by a server 1652 * in SSLv3 if we are a client 1653 */ 1654 if (min_tls == TLS1_VERSION && ecdhe 1655 && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0) 1656 min_tls = SSL3_VERSION; 1657 1658 if ((min_tls > s->s3.tmp.max_ver) || (c->max_tls < s->s3.tmp.min_ver)) 1659 return 1; 1660 } 1661 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3.tmp.max_ver) 1662 || DTLS_VERSION_LT(c->max_dtls, s->s3.tmp.min_ver))) 1663 return 1; 1664 1665 return !ssl_security(s, op, c->strength_bits, 0, (void *)c); 1666 } 1667 1668 int tls_use_ticket(SSL *s) 1669 { 1670 if ((s->options & SSL_OP_NO_TICKET)) 1671 return 0; 1672 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); 1673 } 1674 1675 int tls1_set_server_sigalgs(SSL *s) 1676 { 1677 size_t i; 1678 1679 /* Clear any shared signature algorithms */ 1680 OPENSSL_free(s->shared_sigalgs); 1681 s->shared_sigalgs = NULL; 1682 s->shared_sigalgslen = 0; 1683 /* Clear certificate validity flags */ 1684 for (i = 0; i < SSL_PKEY_NUM; i++) 1685 s->s3.tmp.valid_flags[i] = 0; 1686 /* 1687 * If peer sent no signature algorithms check to see if we support 1688 * the default algorithm for each certificate type 1689 */ 1690 if (s->s3.tmp.peer_cert_sigalgs == NULL 1691 && s->s3.tmp.peer_sigalgs == NULL) { 1692 const uint16_t *sent_sigs; 1693 size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1694 1695 for (i = 0; i < SSL_PKEY_NUM; i++) { 1696 const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i); 1697 size_t j; 1698 1699 if (lu == NULL) 1700 continue; 1701 /* Check default matches a type we sent */ 1702 for (j = 0; j < sent_sigslen; j++) { 1703 if (lu->sigalg == sent_sigs[j]) { 1704 s->s3.tmp.valid_flags[i] = CERT_PKEY_SIGN; 1705 break; 1706 } 1707 } 1708 } 1709 return 1; 1710 } 1711 1712 if (!tls1_process_sigalgs(s)) { 1713 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1714 return 0; 1715 } 1716 if (s->shared_sigalgs != NULL) 1717 return 1; 1718 1719 /* Fatal error if no shared signature algorithms */ 1720 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1721 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); 1722 return 0; 1723 } 1724 1725 /*- 1726 * Gets the ticket information supplied by the client if any. 1727 * 1728 * hello: The parsed ClientHello data 1729 * ret: (output) on return, if a ticket was decrypted, then this is set to 1730 * point to the resulting session. 1731 */ 1732 SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello, 1733 SSL_SESSION **ret) 1734 { 1735 size_t size; 1736 RAW_EXTENSION *ticketext; 1737 1738 *ret = NULL; 1739 s->ext.ticket_expected = 0; 1740 1741 /* 1742 * If tickets disabled or not supported by the protocol version 1743 * (e.g. TLSv1.3) behave as if no ticket present to permit stateful 1744 * resumption. 1745 */ 1746 if (s->version <= SSL3_VERSION || !tls_use_ticket(s)) 1747 return SSL_TICKET_NONE; 1748 1749 ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket]; 1750 if (!ticketext->present) 1751 return SSL_TICKET_NONE; 1752 1753 size = PACKET_remaining(&ticketext->data); 1754 1755 return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size, 1756 hello->session_id, hello->session_id_len, ret); 1757 } 1758 1759 /*- 1760 * tls_decrypt_ticket attempts to decrypt a session ticket. 1761 * 1762 * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are 1763 * expecting a pre-shared key ciphersuite, in which case we have no use for 1764 * session tickets and one will never be decrypted, nor will 1765 * s->ext.ticket_expected be set to 1. 1766 * 1767 * Side effects: 1768 * Sets s->ext.ticket_expected to 1 if the server will have to issue 1769 * a new session ticket to the client because the client indicated support 1770 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 1771 * a session ticket or we couldn't use the one it gave us, or if 1772 * s->ctx->ext.ticket_key_cb asked to renew the client's ticket. 1773 * Otherwise, s->ext.ticket_expected is set to 0. 1774 * 1775 * etick: points to the body of the session ticket extension. 1776 * eticklen: the length of the session tickets extension. 1777 * sess_id: points at the session ID. 1778 * sesslen: the length of the session ID. 1779 * psess: (output) on return, if a ticket was decrypted, then this is set to 1780 * point to the resulting session. 1781 */ 1782 SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, 1783 size_t eticklen, const unsigned char *sess_id, 1784 size_t sesslen, SSL_SESSION **psess) 1785 { 1786 SSL_SESSION *sess = NULL; 1787 unsigned char *sdec; 1788 const unsigned char *p; 1789 int slen, ivlen, renew_ticket = 0, declen; 1790 SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER; 1791 size_t mlen; 1792 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 1793 SSL_HMAC *hctx = NULL; 1794 EVP_CIPHER_CTX *ctx = NULL; 1795 SSL_CTX *tctx = s->session_ctx; 1796 1797 if (eticklen == 0) { 1798 /* 1799 * The client will accept a ticket but doesn't currently have 1800 * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3 1801 */ 1802 ret = SSL_TICKET_EMPTY; 1803 goto end; 1804 } 1805 if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) { 1806 /* 1807 * Indicate that the ticket couldn't be decrypted rather than 1808 * generating the session from ticket now, trigger 1809 * abbreviated handshake based on external mechanism to 1810 * calculate the master secret later. 1811 */ 1812 ret = SSL_TICKET_NO_DECRYPT; 1813 goto end; 1814 } 1815 1816 /* Need at least keyname + iv */ 1817 if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) { 1818 ret = SSL_TICKET_NO_DECRYPT; 1819 goto end; 1820 } 1821 1822 /* Initialize session ticket encryption and HMAC contexts */ 1823 hctx = ssl_hmac_new(tctx); 1824 if (hctx == NULL) { 1825 ret = SSL_TICKET_FATAL_ERR_MALLOC; 1826 goto end; 1827 } 1828 ctx = EVP_CIPHER_CTX_new(); 1829 if (ctx == NULL) { 1830 ret = SSL_TICKET_FATAL_ERR_MALLOC; 1831 goto end; 1832 } 1833 #ifndef OPENSSL_NO_DEPRECATED_3_0 1834 if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL) 1835 #else 1836 if (tctx->ext.ticket_key_evp_cb != NULL) 1837 #endif 1838 { 1839 unsigned char *nctick = (unsigned char *)etick; 1840 int rv = 0; 1841 1842 if (tctx->ext.ticket_key_evp_cb != NULL) 1843 rv = tctx->ext.ticket_key_evp_cb(s, nctick, 1844 nctick + TLSEXT_KEYNAME_LENGTH, 1845 ctx, 1846 ssl_hmac_get0_EVP_MAC_CTX(hctx), 1847 0); 1848 #ifndef OPENSSL_NO_DEPRECATED_3_0 1849 else if (tctx->ext.ticket_key_cb != NULL) 1850 /* if 0 is returned, write an empty ticket */ 1851 rv = tctx->ext.ticket_key_cb(s, nctick, 1852 nctick + TLSEXT_KEYNAME_LENGTH, 1853 ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0); 1854 #endif 1855 if (rv < 0) { 1856 ret = SSL_TICKET_FATAL_ERR_OTHER; 1857 goto end; 1858 } 1859 if (rv == 0) { 1860 ret = SSL_TICKET_NO_DECRYPT; 1861 goto end; 1862 } 1863 if (rv == 2) 1864 renew_ticket = 1; 1865 } else { 1866 EVP_CIPHER *aes256cbc = NULL; 1867 1868 /* Check key name matches */ 1869 if (memcmp(etick, tctx->ext.tick_key_name, 1870 TLSEXT_KEYNAME_LENGTH) != 0) { 1871 ret = SSL_TICKET_NO_DECRYPT; 1872 goto end; 1873 } 1874 1875 aes256cbc = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC", 1876 s->ctx->propq); 1877 if (aes256cbc == NULL 1878 || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, 1879 sizeof(tctx->ext.secure->tick_hmac_key), 1880 "SHA256") <= 0 1881 || EVP_DecryptInit_ex(ctx, aes256cbc, NULL, 1882 tctx->ext.secure->tick_aes_key, 1883 etick + TLSEXT_KEYNAME_LENGTH) <= 0) { 1884 EVP_CIPHER_free(aes256cbc); 1885 ret = SSL_TICKET_FATAL_ERR_OTHER; 1886 goto end; 1887 } 1888 EVP_CIPHER_free(aes256cbc); 1889 if (SSL_IS_TLS13(s)) 1890 renew_ticket = 1; 1891 } 1892 /* 1893 * Attempt to process session ticket, first conduct sanity and integrity 1894 * checks on ticket. 1895 */ 1896 mlen = ssl_hmac_size(hctx); 1897 if (mlen == 0) { 1898 ret = SSL_TICKET_FATAL_ERR_OTHER; 1899 goto end; 1900 } 1901 1902 ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); 1903 if (ivlen < 0) { 1904 ret = SSL_TICKET_FATAL_ERR_OTHER; 1905 goto end; 1906 } 1907 1908 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 1909 if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) { 1910 ret = SSL_TICKET_NO_DECRYPT; 1911 goto end; 1912 } 1913 eticklen -= mlen; 1914 /* Check HMAC of encrypted ticket */ 1915 if (ssl_hmac_update(hctx, etick, eticklen) <= 0 1916 || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) { 1917 ret = SSL_TICKET_FATAL_ERR_OTHER; 1918 goto end; 1919 } 1920 1921 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 1922 ret = SSL_TICKET_NO_DECRYPT; 1923 goto end; 1924 } 1925 /* Attempt to decrypt session data */ 1926 /* Move p after IV to start of encrypted ticket, update length */ 1927 p = etick + TLSEXT_KEYNAME_LENGTH + ivlen; 1928 eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen; 1929 sdec = OPENSSL_malloc(eticklen); 1930 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, 1931 (int)eticklen) <= 0) { 1932 OPENSSL_free(sdec); 1933 ret = SSL_TICKET_FATAL_ERR_OTHER; 1934 goto end; 1935 } 1936 if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) { 1937 OPENSSL_free(sdec); 1938 ret = SSL_TICKET_NO_DECRYPT; 1939 goto end; 1940 } 1941 slen += declen; 1942 p = sdec; 1943 1944 sess = d2i_SSL_SESSION(NULL, &p, slen); 1945 slen -= p - sdec; 1946 OPENSSL_free(sdec); 1947 if (sess) { 1948 /* Some additional consistency checks */ 1949 if (slen != 0) { 1950 SSL_SESSION_free(sess); 1951 sess = NULL; 1952 ret = SSL_TICKET_NO_DECRYPT; 1953 goto end; 1954 } 1955 /* 1956 * The session ID, if non-empty, is used by some clients to detect 1957 * that the ticket has been accepted. So we copy it to the session 1958 * structure. If it is empty set length to zero as required by 1959 * standard. 1960 */ 1961 if (sesslen) { 1962 memcpy(sess->session_id, sess_id, sesslen); 1963 sess->session_id_length = sesslen; 1964 } 1965 if (renew_ticket) 1966 ret = SSL_TICKET_SUCCESS_RENEW; 1967 else 1968 ret = SSL_TICKET_SUCCESS; 1969 goto end; 1970 } 1971 ERR_clear_error(); 1972 /* 1973 * For session parse failure, indicate that we need to send a new ticket. 1974 */ 1975 ret = SSL_TICKET_NO_DECRYPT; 1976 1977 end: 1978 EVP_CIPHER_CTX_free(ctx); 1979 ssl_hmac_free(hctx); 1980 1981 /* 1982 * If set, the decrypt_ticket_cb() is called unless a fatal error was 1983 * detected above. The callback is responsible for checking |ret| before it 1984 * performs any action 1985 */ 1986 if (s->session_ctx->decrypt_ticket_cb != NULL 1987 && (ret == SSL_TICKET_EMPTY 1988 || ret == SSL_TICKET_NO_DECRYPT 1989 || ret == SSL_TICKET_SUCCESS 1990 || ret == SSL_TICKET_SUCCESS_RENEW)) { 1991 size_t keyname_len = eticklen; 1992 int retcb; 1993 1994 if (keyname_len > TLSEXT_KEYNAME_LENGTH) 1995 keyname_len = TLSEXT_KEYNAME_LENGTH; 1996 retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len, 1997 ret, 1998 s->session_ctx->ticket_cb_data); 1999 switch (retcb) { 2000 case SSL_TICKET_RETURN_ABORT: 2001 ret = SSL_TICKET_FATAL_ERR_OTHER; 2002 break; 2003 2004 case SSL_TICKET_RETURN_IGNORE: 2005 ret = SSL_TICKET_NONE; 2006 SSL_SESSION_free(sess); 2007 sess = NULL; 2008 break; 2009 2010 case SSL_TICKET_RETURN_IGNORE_RENEW: 2011 if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT) 2012 ret = SSL_TICKET_NO_DECRYPT; 2013 /* else the value of |ret| will already do the right thing */ 2014 SSL_SESSION_free(sess); 2015 sess = NULL; 2016 break; 2017 2018 case SSL_TICKET_RETURN_USE: 2019 case SSL_TICKET_RETURN_USE_RENEW: 2020 if (ret != SSL_TICKET_SUCCESS 2021 && ret != SSL_TICKET_SUCCESS_RENEW) 2022 ret = SSL_TICKET_FATAL_ERR_OTHER; 2023 else if (retcb == SSL_TICKET_RETURN_USE) 2024 ret = SSL_TICKET_SUCCESS; 2025 else 2026 ret = SSL_TICKET_SUCCESS_RENEW; 2027 break; 2028 2029 default: 2030 ret = SSL_TICKET_FATAL_ERR_OTHER; 2031 } 2032 } 2033 2034 if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) { 2035 switch (ret) { 2036 case SSL_TICKET_NO_DECRYPT: 2037 case SSL_TICKET_SUCCESS_RENEW: 2038 case SSL_TICKET_EMPTY: 2039 s->ext.ticket_expected = 1; 2040 } 2041 } 2042 2043 *psess = sess; 2044 2045 return ret; 2046 } 2047 2048 /* Check to see if a signature algorithm is allowed */ 2049 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) 2050 { 2051 unsigned char sigalgstr[2]; 2052 int secbits; 2053 2054 if (lu == NULL || !lu->enabled) 2055 return 0; 2056 /* DSA is not allowed in TLS 1.3 */ 2057 if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) 2058 return 0; 2059 /* 2060 * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3 2061 * spec 2062 */ 2063 if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION 2064 && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX 2065 || lu->hash_idx == SSL_MD_MD5_IDX 2066 || lu->hash_idx == SSL_MD_SHA224_IDX)) 2067 return 0; 2068 2069 /* See if public key algorithm allowed */ 2070 if (ssl_cert_is_disabled(s->ctx, lu->sig_idx)) 2071 return 0; 2072 2073 if (lu->sig == NID_id_GostR3410_2012_256 2074 || lu->sig == NID_id_GostR3410_2012_512 2075 || lu->sig == NID_id_GostR3410_2001) { 2076 /* We never allow GOST sig algs on the server with TLSv1.3 */ 2077 if (s->server && SSL_IS_TLS13(s)) 2078 return 0; 2079 if (!s->server 2080 && s->method->version == TLS_ANY_VERSION 2081 && s->s3.tmp.max_ver >= TLS1_3_VERSION) { 2082 int i, num; 2083 STACK_OF(SSL_CIPHER) *sk; 2084 2085 /* 2086 * We're a client that could negotiate TLSv1.3. We only allow GOST 2087 * sig algs if we could negotiate TLSv1.2 or below and we have GOST 2088 * ciphersuites enabled. 2089 */ 2090 2091 if (s->s3.tmp.min_ver >= TLS1_3_VERSION) 2092 return 0; 2093 2094 sk = SSL_get_ciphers(s); 2095 num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0; 2096 for (i = 0; i < num; i++) { 2097 const SSL_CIPHER *c; 2098 2099 c = sk_SSL_CIPHER_value(sk, i); 2100 /* Skip disabled ciphers */ 2101 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 2102 continue; 2103 2104 if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0) 2105 break; 2106 } 2107 if (i == num) 2108 return 0; 2109 } 2110 } 2111 2112 /* Finally see if security callback allows it */ 2113 secbits = sigalg_security_bits(s->ctx, lu); 2114 sigalgstr[0] = (lu->sigalg >> 8) & 0xff; 2115 sigalgstr[1] = lu->sigalg & 0xff; 2116 return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr); 2117 } 2118 2119 /* 2120 * Get a mask of disabled public key algorithms based on supported signature 2121 * algorithms. For example if no signature algorithm supports RSA then RSA is 2122 * disabled. 2123 */ 2124 2125 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) 2126 { 2127 const uint16_t *sigalgs; 2128 size_t i, sigalgslen; 2129 uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA; 2130 /* 2131 * Go through all signature algorithms seeing if we support any 2132 * in disabled_mask. 2133 */ 2134 sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs); 2135 for (i = 0; i < sigalgslen; i++, sigalgs++) { 2136 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *sigalgs); 2137 const SSL_CERT_LOOKUP *clu; 2138 2139 if (lu == NULL) 2140 continue; 2141 2142 clu = ssl_cert_lookup_by_idx(lu->sig_idx); 2143 if (clu == NULL) 2144 continue; 2145 2146 /* If algorithm is disabled see if we can enable it */ 2147 if ((clu->amask & disabled_mask) != 0 2148 && tls12_sigalg_allowed(s, op, lu)) 2149 disabled_mask &= ~clu->amask; 2150 } 2151 *pmask_a |= disabled_mask; 2152 } 2153 2154 int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, 2155 const uint16_t *psig, size_t psiglen) 2156 { 2157 size_t i; 2158 int rv = 0; 2159 2160 for (i = 0; i < psiglen; i++, psig++) { 2161 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *psig); 2162 2163 if (lu == NULL 2164 || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 2165 continue; 2166 if (!WPACKET_put_bytes_u16(pkt, *psig)) 2167 return 0; 2168 /* 2169 * If TLS 1.3 must have at least one valid TLS 1.3 message 2170 * signing algorithm: i.e. neither RSA nor SHA1/SHA224 2171 */ 2172 if (rv == 0 && (!SSL_IS_TLS13(s) 2173 || (lu->sig != EVP_PKEY_RSA 2174 && lu->hash != NID_sha1 2175 && lu->hash != NID_sha224))) 2176 rv = 1; 2177 } 2178 if (rv == 0) 2179 ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 2180 return rv; 2181 } 2182 2183 /* Given preference and allowed sigalgs set shared sigalgs */ 2184 static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig, 2185 const uint16_t *pref, size_t preflen, 2186 const uint16_t *allow, size_t allowlen) 2187 { 2188 const uint16_t *ptmp, *atmp; 2189 size_t i, j, nmatch = 0; 2190 for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { 2191 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *ptmp); 2192 2193 /* Skip disabled hashes or signature algorithms */ 2194 if (lu == NULL 2195 || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) 2196 continue; 2197 for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { 2198 if (*ptmp == *atmp) { 2199 nmatch++; 2200 if (shsig) 2201 *shsig++ = lu; 2202 break; 2203 } 2204 } 2205 } 2206 return nmatch; 2207 } 2208 2209 /* Set shared signature algorithms for SSL structures */ 2210 static int tls1_set_shared_sigalgs(SSL *s) 2211 { 2212 const uint16_t *pref, *allow, *conf; 2213 size_t preflen, allowlen, conflen; 2214 size_t nmatch; 2215 const SIGALG_LOOKUP **salgs = NULL; 2216 CERT *c = s->cert; 2217 unsigned int is_suiteb = tls1_suiteb(s); 2218 2219 OPENSSL_free(s->shared_sigalgs); 2220 s->shared_sigalgs = NULL; 2221 s->shared_sigalgslen = 0; 2222 /* If client use client signature algorithms if not NULL */ 2223 if (!s->server && c->client_sigalgs && !is_suiteb) { 2224 conf = c->client_sigalgs; 2225 conflen = c->client_sigalgslen; 2226 } else if (c->conf_sigalgs && !is_suiteb) { 2227 conf = c->conf_sigalgs; 2228 conflen = c->conf_sigalgslen; 2229 } else 2230 conflen = tls12_get_psigalgs(s, 0, &conf); 2231 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { 2232 pref = conf; 2233 preflen = conflen; 2234 allow = s->s3.tmp.peer_sigalgs; 2235 allowlen = s->s3.tmp.peer_sigalgslen; 2236 } else { 2237 allow = conf; 2238 allowlen = conflen; 2239 pref = s->s3.tmp.peer_sigalgs; 2240 preflen = s->s3.tmp.peer_sigalgslen; 2241 } 2242 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); 2243 if (nmatch) { 2244 if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) { 2245 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2246 return 0; 2247 } 2248 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); 2249 } else { 2250 salgs = NULL; 2251 } 2252 s->shared_sigalgs = salgs; 2253 s->shared_sigalgslen = nmatch; 2254 return 1; 2255 } 2256 2257 int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) 2258 { 2259 unsigned int stmp; 2260 size_t size, i; 2261 uint16_t *buf; 2262 2263 size = PACKET_remaining(pkt); 2264 2265 /* Invalid data length */ 2266 if (size == 0 || (size & 1) != 0) 2267 return 0; 2268 2269 size >>= 1; 2270 2271 if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) { 2272 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2273 return 0; 2274 } 2275 for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) 2276 buf[i] = stmp; 2277 2278 if (i != size) { 2279 OPENSSL_free(buf); 2280 return 0; 2281 } 2282 2283 OPENSSL_free(*pdest); 2284 *pdest = buf; 2285 *pdestlen = size; 2286 2287 return 1; 2288 } 2289 2290 int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert) 2291 { 2292 /* Extension ignored for inappropriate versions */ 2293 if (!SSL_USE_SIGALGS(s)) 2294 return 1; 2295 /* Should never happen */ 2296 if (s->cert == NULL) 2297 return 0; 2298 2299 if (cert) 2300 return tls1_save_u16(pkt, &s->s3.tmp.peer_cert_sigalgs, 2301 &s->s3.tmp.peer_cert_sigalgslen); 2302 else 2303 return tls1_save_u16(pkt, &s->s3.tmp.peer_sigalgs, 2304 &s->s3.tmp.peer_sigalgslen); 2305 2306 } 2307 2308 /* Set preferred digest for each key type */ 2309 2310 int tls1_process_sigalgs(SSL *s) 2311 { 2312 size_t i; 2313 uint32_t *pvalid = s->s3.tmp.valid_flags; 2314 2315 if (!tls1_set_shared_sigalgs(s)) 2316 return 0; 2317 2318 for (i = 0; i < SSL_PKEY_NUM; i++) 2319 pvalid[i] = 0; 2320 2321 for (i = 0; i < s->shared_sigalgslen; i++) { 2322 const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i]; 2323 int idx = sigptr->sig_idx; 2324 2325 /* Ignore PKCS1 based sig algs in TLSv1.3 */ 2326 if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) 2327 continue; 2328 /* If not disabled indicate we can explicitly sign */ 2329 if (pvalid[idx] == 0 && !ssl_cert_is_disabled(s->ctx, idx)) 2330 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 2331 } 2332 return 1; 2333 } 2334 2335 int SSL_get_sigalgs(SSL *s, int idx, 2336 int *psign, int *phash, int *psignhash, 2337 unsigned char *rsig, unsigned char *rhash) 2338 { 2339 uint16_t *psig = s->s3.tmp.peer_sigalgs; 2340 size_t numsigalgs = s->s3.tmp.peer_sigalgslen; 2341 if (psig == NULL || numsigalgs > INT_MAX) 2342 return 0; 2343 if (idx >= 0) { 2344 const SIGALG_LOOKUP *lu; 2345 2346 if (idx >= (int)numsigalgs) 2347 return 0; 2348 psig += idx; 2349 if (rhash != NULL) 2350 *rhash = (unsigned char)((*psig >> 8) & 0xff); 2351 if (rsig != NULL) 2352 *rsig = (unsigned char)(*psig & 0xff); 2353 lu = tls1_lookup_sigalg(s, *psig); 2354 if (psign != NULL) 2355 *psign = lu != NULL ? lu->sig : NID_undef; 2356 if (phash != NULL) 2357 *phash = lu != NULL ? lu->hash : NID_undef; 2358 if (psignhash != NULL) 2359 *psignhash = lu != NULL ? lu->sigandhash : NID_undef; 2360 } 2361 return (int)numsigalgs; 2362 } 2363 2364 int SSL_get_shared_sigalgs(SSL *s, int idx, 2365 int *psign, int *phash, int *psignhash, 2366 unsigned char *rsig, unsigned char *rhash) 2367 { 2368 const SIGALG_LOOKUP *shsigalgs; 2369 if (s->shared_sigalgs == NULL 2370 || idx < 0 2371 || idx >= (int)s->shared_sigalgslen 2372 || s->shared_sigalgslen > INT_MAX) 2373 return 0; 2374 shsigalgs = s->shared_sigalgs[idx]; 2375 if (phash != NULL) 2376 *phash = shsigalgs->hash; 2377 if (psign != NULL) 2378 *psign = shsigalgs->sig; 2379 if (psignhash != NULL) 2380 *psignhash = shsigalgs->sigandhash; 2381 if (rsig != NULL) 2382 *rsig = (unsigned char)(shsigalgs->sigalg & 0xff); 2383 if (rhash != NULL) 2384 *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff); 2385 return (int)s->shared_sigalgslen; 2386 } 2387 2388 /* Maximum possible number of unique entries in sigalgs array */ 2389 #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2) 2390 2391 typedef struct { 2392 size_t sigalgcnt; 2393 /* TLSEXT_SIGALG_XXX values */ 2394 uint16_t sigalgs[TLS_MAX_SIGALGCNT]; 2395 } sig_cb_st; 2396 2397 static void get_sigorhash(int *psig, int *phash, const char *str) 2398 { 2399 if (strcmp(str, "RSA") == 0) { 2400 *psig = EVP_PKEY_RSA; 2401 } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) { 2402 *psig = EVP_PKEY_RSA_PSS; 2403 } else if (strcmp(str, "DSA") == 0) { 2404 *psig = EVP_PKEY_DSA; 2405 } else if (strcmp(str, "ECDSA") == 0) { 2406 *psig = EVP_PKEY_EC; 2407 } else { 2408 *phash = OBJ_sn2nid(str); 2409 if (*phash == NID_undef) 2410 *phash = OBJ_ln2nid(str); 2411 } 2412 } 2413 /* Maximum length of a signature algorithm string component */ 2414 #define TLS_MAX_SIGSTRING_LEN 40 2415 2416 static int sig_cb(const char *elem, int len, void *arg) 2417 { 2418 sig_cb_st *sarg = arg; 2419 size_t i; 2420 const SIGALG_LOOKUP *s; 2421 char etmp[TLS_MAX_SIGSTRING_LEN], *p; 2422 int sig_alg = NID_undef, hash_alg = NID_undef; 2423 if (elem == NULL) 2424 return 0; 2425 if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) 2426 return 0; 2427 if (len > (int)(sizeof(etmp) - 1)) 2428 return 0; 2429 memcpy(etmp, elem, len); 2430 etmp[len] = 0; 2431 p = strchr(etmp, '+'); 2432 /* 2433 * We only allow SignatureSchemes listed in the sigalg_lookup_tbl; 2434 * if there's no '+' in the provided name, look for the new-style combined 2435 * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP. 2436 * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and 2437 * rsa_pss_rsae_* that differ only by public key OID; in such cases 2438 * we will pick the _rsae_ variant, by virtue of them appearing earlier 2439 * in the table. 2440 */ 2441 if (p == NULL) { 2442 for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2443 i++, s++) { 2444 if (s->name != NULL && strcmp(etmp, s->name) == 0) { 2445 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2446 break; 2447 } 2448 } 2449 if (i == OSSL_NELEM(sigalg_lookup_tbl)) 2450 return 0; 2451 } else { 2452 *p = 0; 2453 p++; 2454 if (*p == 0) 2455 return 0; 2456 get_sigorhash(&sig_alg, &hash_alg, etmp); 2457 get_sigorhash(&sig_alg, &hash_alg, p); 2458 if (sig_alg == NID_undef || hash_alg == NID_undef) 2459 return 0; 2460 for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2461 i++, s++) { 2462 if (s->hash == hash_alg && s->sig == sig_alg) { 2463 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2464 break; 2465 } 2466 } 2467 if (i == OSSL_NELEM(sigalg_lookup_tbl)) 2468 return 0; 2469 } 2470 2471 /* Reject duplicates */ 2472 for (i = 0; i < sarg->sigalgcnt - 1; i++) { 2473 if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { 2474 sarg->sigalgcnt--; 2475 return 0; 2476 } 2477 } 2478 return 1; 2479 } 2480 2481 /* 2482 * Set supported signature algorithms based on a colon separated list of the 2483 * form sig+hash e.g. RSA+SHA512:DSA+SHA512 2484 */ 2485 int tls1_set_sigalgs_list(CERT *c, const char *str, int client) 2486 { 2487 sig_cb_st sig; 2488 sig.sigalgcnt = 0; 2489 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) 2490 return 0; 2491 if (c == NULL) 2492 return 1; 2493 return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); 2494 } 2495 2496 int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, 2497 int client) 2498 { 2499 uint16_t *sigalgs; 2500 2501 if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) { 2502 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2503 return 0; 2504 } 2505 memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs)); 2506 2507 if (client) { 2508 OPENSSL_free(c->client_sigalgs); 2509 c->client_sigalgs = sigalgs; 2510 c->client_sigalgslen = salglen; 2511 } else { 2512 OPENSSL_free(c->conf_sigalgs); 2513 c->conf_sigalgs = sigalgs; 2514 c->conf_sigalgslen = salglen; 2515 } 2516 2517 return 1; 2518 } 2519 2520 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) 2521 { 2522 uint16_t *sigalgs, *sptr; 2523 size_t i; 2524 2525 if (salglen & 1) 2526 return 0; 2527 if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) { 2528 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2529 return 0; 2530 } 2531 for (i = 0, sptr = sigalgs; i < salglen; i += 2) { 2532 size_t j; 2533 const SIGALG_LOOKUP *curr; 2534 int md_id = *psig_nids++; 2535 int sig_id = *psig_nids++; 2536 2537 for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl); 2538 j++, curr++) { 2539 if (curr->hash == md_id && curr->sig == sig_id) { 2540 *sptr++ = curr->sigalg; 2541 break; 2542 } 2543 } 2544 2545 if (j == OSSL_NELEM(sigalg_lookup_tbl)) 2546 goto err; 2547 } 2548 2549 if (client) { 2550 OPENSSL_free(c->client_sigalgs); 2551 c->client_sigalgs = sigalgs; 2552 c->client_sigalgslen = salglen / 2; 2553 } else { 2554 OPENSSL_free(c->conf_sigalgs); 2555 c->conf_sigalgs = sigalgs; 2556 c->conf_sigalgslen = salglen / 2; 2557 } 2558 2559 return 1; 2560 2561 err: 2562 OPENSSL_free(sigalgs); 2563 return 0; 2564 } 2565 2566 static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) 2567 { 2568 int sig_nid, use_pc_sigalgs = 0; 2569 size_t i; 2570 const SIGALG_LOOKUP *sigalg; 2571 size_t sigalgslen; 2572 if (default_nid == -1) 2573 return 1; 2574 sig_nid = X509_get_signature_nid(x); 2575 if (default_nid) 2576 return sig_nid == default_nid ? 1 : 0; 2577 2578 if (SSL_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) { 2579 /* 2580 * If we're in TLSv1.3 then we only get here if we're checking the 2581 * chain. If the peer has specified peer_cert_sigalgs then we use them 2582 * otherwise we default to normal sigalgs. 2583 */ 2584 sigalgslen = s->s3.tmp.peer_cert_sigalgslen; 2585 use_pc_sigalgs = 1; 2586 } else { 2587 sigalgslen = s->shared_sigalgslen; 2588 } 2589 for (i = 0; i < sigalgslen; i++) { 2590 sigalg = use_pc_sigalgs 2591 ? tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]) 2592 : s->shared_sigalgs[i]; 2593 if (sigalg != NULL && sig_nid == sigalg->sigandhash) 2594 return 1; 2595 } 2596 return 0; 2597 } 2598 2599 /* Check to see if a certificate issuer name matches list of CA names */ 2600 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) 2601 { 2602 const X509_NAME *nm; 2603 int i; 2604 nm = X509_get_issuer_name(x); 2605 for (i = 0; i < sk_X509_NAME_num(names); i++) { 2606 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) 2607 return 1; 2608 } 2609 return 0; 2610 } 2611 2612 /* 2613 * Check certificate chain is consistent with TLS extensions and is usable by 2614 * server. This servers two purposes: it allows users to check chains before 2615 * passing them to the server and it allows the server to check chains before 2616 * attempting to use them. 2617 */ 2618 2619 /* Flags which need to be set for a certificate when strict mode not set */ 2620 2621 #define CERT_PKEY_VALID_FLAGS \ 2622 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) 2623 /* Strict mode flags */ 2624 #define CERT_PKEY_STRICT_FLAGS \ 2625 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ 2626 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) 2627 2628 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, 2629 int idx) 2630 { 2631 int i; 2632 int rv = 0; 2633 int check_flags = 0, strict_mode; 2634 CERT_PKEY *cpk = NULL; 2635 CERT *c = s->cert; 2636 uint32_t *pvalid; 2637 unsigned int suiteb_flags = tls1_suiteb(s); 2638 /* idx == -1 means checking server chains */ 2639 if (idx != -1) { 2640 /* idx == -2 means checking client certificate chains */ 2641 if (idx == -2) { 2642 cpk = c->key; 2643 idx = (int)(cpk - c->pkeys); 2644 } else 2645 cpk = c->pkeys + idx; 2646 pvalid = s->s3.tmp.valid_flags + idx; 2647 x = cpk->x509; 2648 pk = cpk->privatekey; 2649 chain = cpk->chain; 2650 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; 2651 /* If no cert or key, forget it */ 2652 if (!x || !pk) 2653 goto end; 2654 } else { 2655 size_t certidx; 2656 2657 if (!x || !pk) 2658 return 0; 2659 2660 if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL) 2661 return 0; 2662 idx = certidx; 2663 pvalid = s->s3.tmp.valid_flags + idx; 2664 2665 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) 2666 check_flags = CERT_PKEY_STRICT_FLAGS; 2667 else 2668 check_flags = CERT_PKEY_VALID_FLAGS; 2669 strict_mode = 1; 2670 } 2671 2672 if (suiteb_flags) { 2673 int ok; 2674 if (check_flags) 2675 check_flags |= CERT_PKEY_SUITEB; 2676 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); 2677 if (ok == X509_V_OK) 2678 rv |= CERT_PKEY_SUITEB; 2679 else if (!check_flags) 2680 goto end; 2681 } 2682 2683 /* 2684 * Check all signature algorithms are consistent with signature 2685 * algorithms extension if TLS 1.2 or later and strict mode. 2686 */ 2687 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) { 2688 int default_nid; 2689 int rsign = 0; 2690 if (s->s3.tmp.peer_cert_sigalgs != NULL 2691 || s->s3.tmp.peer_sigalgs != NULL) { 2692 default_nid = 0; 2693 /* If no sigalgs extension use defaults from RFC5246 */ 2694 } else { 2695 switch (idx) { 2696 case SSL_PKEY_RSA: 2697 rsign = EVP_PKEY_RSA; 2698 default_nid = NID_sha1WithRSAEncryption; 2699 break; 2700 2701 case SSL_PKEY_DSA_SIGN: 2702 rsign = EVP_PKEY_DSA; 2703 default_nid = NID_dsaWithSHA1; 2704 break; 2705 2706 case SSL_PKEY_ECC: 2707 rsign = EVP_PKEY_EC; 2708 default_nid = NID_ecdsa_with_SHA1; 2709 break; 2710 2711 case SSL_PKEY_GOST01: 2712 rsign = NID_id_GostR3410_2001; 2713 default_nid = NID_id_GostR3411_94_with_GostR3410_2001; 2714 break; 2715 2716 case SSL_PKEY_GOST12_256: 2717 rsign = NID_id_GostR3410_2012_256; 2718 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256; 2719 break; 2720 2721 case SSL_PKEY_GOST12_512: 2722 rsign = NID_id_GostR3410_2012_512; 2723 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512; 2724 break; 2725 2726 default: 2727 default_nid = -1; 2728 break; 2729 } 2730 } 2731 /* 2732 * If peer sent no signature algorithms extension and we have set 2733 * preferred signature algorithms check we support sha1. 2734 */ 2735 if (default_nid > 0 && c->conf_sigalgs) { 2736 size_t j; 2737 const uint16_t *p = c->conf_sigalgs; 2738 for (j = 0; j < c->conf_sigalgslen; j++, p++) { 2739 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *p); 2740 2741 if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign) 2742 break; 2743 } 2744 if (j == c->conf_sigalgslen) { 2745 if (check_flags) 2746 goto skip_sigs; 2747 else 2748 goto end; 2749 } 2750 } 2751 /* Check signature algorithm of each cert in chain */ 2752 if (SSL_IS_TLS13(s)) { 2753 /* 2754 * We only get here if the application has called SSL_check_chain(), 2755 * so check_flags is always set. 2756 */ 2757 if (find_sig_alg(s, x, pk) != NULL) 2758 rv |= CERT_PKEY_EE_SIGNATURE; 2759 } else if (!tls1_check_sig_alg(s, x, default_nid)) { 2760 if (!check_flags) 2761 goto end; 2762 } else 2763 rv |= CERT_PKEY_EE_SIGNATURE; 2764 rv |= CERT_PKEY_CA_SIGNATURE; 2765 for (i = 0; i < sk_X509_num(chain); i++) { 2766 if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) { 2767 if (check_flags) { 2768 rv &= ~CERT_PKEY_CA_SIGNATURE; 2769 break; 2770 } else 2771 goto end; 2772 } 2773 } 2774 } 2775 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ 2776 else if (check_flags) 2777 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; 2778 skip_sigs: 2779 /* Check cert parameters are consistent */ 2780 if (tls1_check_cert_param(s, x, 1)) 2781 rv |= CERT_PKEY_EE_PARAM; 2782 else if (!check_flags) 2783 goto end; 2784 if (!s->server) 2785 rv |= CERT_PKEY_CA_PARAM; 2786 /* In strict mode check rest of chain too */ 2787 else if (strict_mode) { 2788 rv |= CERT_PKEY_CA_PARAM; 2789 for (i = 0; i < sk_X509_num(chain); i++) { 2790 X509 *ca = sk_X509_value(chain, i); 2791 if (!tls1_check_cert_param(s, ca, 0)) { 2792 if (check_flags) { 2793 rv &= ~CERT_PKEY_CA_PARAM; 2794 break; 2795 } else 2796 goto end; 2797 } 2798 } 2799 } 2800 if (!s->server && strict_mode) { 2801 STACK_OF(X509_NAME) *ca_dn; 2802 int check_type = 0; 2803 2804 if (EVP_PKEY_is_a(pk, "RSA")) 2805 check_type = TLS_CT_RSA_SIGN; 2806 else if (EVP_PKEY_is_a(pk, "DSA")) 2807 check_type = TLS_CT_DSS_SIGN; 2808 else if (EVP_PKEY_is_a(pk, "EC")) 2809 check_type = TLS_CT_ECDSA_SIGN; 2810 2811 if (check_type) { 2812 const uint8_t *ctypes = s->s3.tmp.ctype; 2813 size_t j; 2814 2815 for (j = 0; j < s->s3.tmp.ctype_len; j++, ctypes++) { 2816 if (*ctypes == check_type) { 2817 rv |= CERT_PKEY_CERT_TYPE; 2818 break; 2819 } 2820 } 2821 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) 2822 goto end; 2823 } else { 2824 rv |= CERT_PKEY_CERT_TYPE; 2825 } 2826 2827 ca_dn = s->s3.tmp.peer_ca_names; 2828 2829 if (ca_dn == NULL 2830 || sk_X509_NAME_num(ca_dn) == 0 2831 || ssl_check_ca_name(ca_dn, x)) 2832 rv |= CERT_PKEY_ISSUER_NAME; 2833 else 2834 for (i = 0; i < sk_X509_num(chain); i++) { 2835 X509 *xtmp = sk_X509_value(chain, i); 2836 2837 if (ssl_check_ca_name(ca_dn, xtmp)) { 2838 rv |= CERT_PKEY_ISSUER_NAME; 2839 break; 2840 } 2841 } 2842 2843 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) 2844 goto end; 2845 } else 2846 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE; 2847 2848 if (!check_flags || (rv & check_flags) == check_flags) 2849 rv |= CERT_PKEY_VALID; 2850 2851 end: 2852 2853 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2854 rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN); 2855 else 2856 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; 2857 2858 /* 2859 * When checking a CERT_PKEY structure all flags are irrelevant if the 2860 * chain is invalid. 2861 */ 2862 if (!check_flags) { 2863 if (rv & CERT_PKEY_VALID) { 2864 *pvalid = rv; 2865 } else { 2866 /* Preserve sign and explicit sign flag, clear rest */ 2867 *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 2868 return 0; 2869 } 2870 } 2871 return rv; 2872 } 2873 2874 /* Set validity of certificates in an SSL structure */ 2875 void tls1_set_cert_validity(SSL *s) 2876 { 2877 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); 2878 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); 2879 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); 2880 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); 2881 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); 2882 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256); 2883 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512); 2884 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519); 2885 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448); 2886 } 2887 2888 /* User level utility function to check a chain is suitable */ 2889 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) 2890 { 2891 return tls1_check_chain(s, x, pk, chain, -1); 2892 } 2893 2894 EVP_PKEY *ssl_get_auto_dh(SSL *s) 2895 { 2896 EVP_PKEY *dhp = NULL; 2897 BIGNUM *p; 2898 int dh_secbits = 80, sec_level_bits; 2899 EVP_PKEY_CTX *pctx = NULL; 2900 OSSL_PARAM_BLD *tmpl = NULL; 2901 OSSL_PARAM *params = NULL; 2902 2903 if (s->cert->dh_tmp_auto != 2) { 2904 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { 2905 if (s->s3.tmp.new_cipher->strength_bits == 256) 2906 dh_secbits = 128; 2907 else 2908 dh_secbits = 80; 2909 } else { 2910 if (s->s3.tmp.cert == NULL) 2911 return NULL; 2912 dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey); 2913 } 2914 } 2915 2916 /* Do not pick a prime that is too weak for the current security level */ 2917 sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL); 2918 if (dh_secbits < sec_level_bits) 2919 dh_secbits = sec_level_bits; 2920 2921 if (dh_secbits >= 192) 2922 p = BN_get_rfc3526_prime_8192(NULL); 2923 else if (dh_secbits >= 152) 2924 p = BN_get_rfc3526_prime_4096(NULL); 2925 else if (dh_secbits >= 128) 2926 p = BN_get_rfc3526_prime_3072(NULL); 2927 else if (dh_secbits >= 112) 2928 p = BN_get_rfc3526_prime_2048(NULL); 2929 else 2930 p = BN_get_rfc2409_prime_1024(NULL); 2931 if (p == NULL) 2932 goto err; 2933 2934 pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); 2935 if (pctx == NULL 2936 || EVP_PKEY_fromdata_init(pctx) != 1) 2937 goto err; 2938 2939 tmpl = OSSL_PARAM_BLD_new(); 2940 if (tmpl == NULL 2941 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) 2942 || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2)) 2943 goto err; 2944 2945 params = OSSL_PARAM_BLD_to_param(tmpl); 2946 if (params == NULL 2947 || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1) 2948 goto err; 2949 2950 err: 2951 OSSL_PARAM_free(params); 2952 OSSL_PARAM_BLD_free(tmpl); 2953 EVP_PKEY_CTX_free(pctx); 2954 BN_free(p); 2955 return dhp; 2956 } 2957 2958 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) 2959 { 2960 int secbits = -1; 2961 EVP_PKEY *pkey = X509_get0_pubkey(x); 2962 if (pkey) { 2963 /* 2964 * If no parameters this will return -1 and fail using the default 2965 * security callback for any non-zero security level. This will 2966 * reject keys which omit parameters but this only affects DSA and 2967 * omission of parameters is never (?) done in practice. 2968 */ 2969 secbits = EVP_PKEY_get_security_bits(pkey); 2970 } 2971 if (s) 2972 return ssl_security(s, op, secbits, 0, x); 2973 else 2974 return ssl_ctx_security(ctx, op, secbits, 0, x); 2975 } 2976 2977 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) 2978 { 2979 /* Lookup signature algorithm digest */ 2980 int secbits, nid, pknid; 2981 /* Don't check signature if self signed */ 2982 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) 2983 return 1; 2984 if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL)) 2985 secbits = -1; 2986 /* If digest NID not defined use signature NID */ 2987 if (nid == NID_undef) 2988 nid = pknid; 2989 if (s) 2990 return ssl_security(s, op, secbits, nid, x); 2991 else 2992 return ssl_ctx_security(ctx, op, secbits, nid, x); 2993 } 2994 2995 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee) 2996 { 2997 if (vfy) 2998 vfy = SSL_SECOP_PEER; 2999 if (is_ee) { 3000 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy)) 3001 return SSL_R_EE_KEY_TOO_SMALL; 3002 } else { 3003 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy)) 3004 return SSL_R_CA_KEY_TOO_SMALL; 3005 } 3006 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) 3007 return SSL_R_CA_MD_TOO_WEAK; 3008 return 1; 3009 } 3010 3011 /* 3012 * Check security of a chain, if |sk| includes the end entity certificate then 3013 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending 3014 * one to the peer. Return values: 1 if ok otherwise error code to use 3015 */ 3016 3017 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) 3018 { 3019 int rv, start_idx, i; 3020 if (x == NULL) { 3021 x = sk_X509_value(sk, 0); 3022 if (x == NULL) 3023 return ERR_R_INTERNAL_ERROR; 3024 start_idx = 1; 3025 } else 3026 start_idx = 0; 3027 3028 rv = ssl_security_cert(s, NULL, x, vfy, 1); 3029 if (rv != 1) 3030 return rv; 3031 3032 for (i = start_idx; i < sk_X509_num(sk); i++) { 3033 x = sk_X509_value(sk, i); 3034 rv = ssl_security_cert(s, NULL, x, vfy, 0); 3035 if (rv != 1) 3036 return rv; 3037 } 3038 return 1; 3039 } 3040 3041 /* 3042 * For TLS 1.2 servers check if we have a certificate which can be used 3043 * with the signature algorithm "lu" and return index of certificate. 3044 */ 3045 3046 static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu) 3047 { 3048 int sig_idx = lu->sig_idx; 3049 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx); 3050 3051 /* If not recognised or not supported by cipher mask it is not suitable */ 3052 if (clu == NULL 3053 || (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0 3054 || (clu->nid == EVP_PKEY_RSA_PSS 3055 && (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0)) 3056 return -1; 3057 3058 return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1; 3059 } 3060 3061 /* 3062 * Checks the given cert against signature_algorithm_cert restrictions sent by 3063 * the peer (if any) as well as whether the hash from the sigalg is usable with 3064 * the key. 3065 * Returns true if the cert is usable and false otherwise. 3066 */ 3067 static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 3068 EVP_PKEY *pkey) 3069 { 3070 const SIGALG_LOOKUP *lu; 3071 int mdnid, pknid, supported; 3072 size_t i; 3073 const char *mdname = NULL; 3074 3075 /* 3076 * If the given EVP_PKEY cannot support signing with this digest, 3077 * the answer is simply 'no'. 3078 */ 3079 if (sig->hash != NID_undef) 3080 mdname = OBJ_nid2sn(sig->hash); 3081 supported = EVP_PKEY_digestsign_supports_digest(pkey, s->ctx->libctx, 3082 mdname, 3083 s->ctx->propq); 3084 if (supported <= 0) 3085 return 0; 3086 3087 /* 3088 * The TLS 1.3 signature_algorithms_cert extension places restrictions 3089 * on the sigalg with which the certificate was signed (by its issuer). 3090 */ 3091 if (s->s3.tmp.peer_cert_sigalgs != NULL) { 3092 if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL)) 3093 return 0; 3094 for (i = 0; i < s->s3.tmp.peer_cert_sigalgslen; i++) { 3095 lu = tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]); 3096 if (lu == NULL) 3097 continue; 3098 3099 /* 3100 * This does not differentiate between the 3101 * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not 3102 * have a chain here that lets us look at the key OID in the 3103 * signing certificate. 3104 */ 3105 if (mdnid == lu->hash && pknid == lu->sig) 3106 return 1; 3107 } 3108 return 0; 3109 } 3110 3111 /* 3112 * Without signat_algorithms_cert, any certificate for which we have 3113 * a viable public key is permitted. 3114 */ 3115 return 1; 3116 } 3117 3118 /* 3119 * Returns true if |s| has a usable certificate configured for use 3120 * with signature scheme |sig|. 3121 * "Usable" includes a check for presence as well as applying 3122 * the signature_algorithm_cert restrictions sent by the peer (if any). 3123 * Returns false if no usable certificate is found. 3124 */ 3125 static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) 3126 { 3127 /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */ 3128 if (idx == -1) 3129 idx = sig->sig_idx; 3130 if (!ssl_has_cert(s, idx)) 3131 return 0; 3132 3133 return check_cert_usable(s, sig, s->cert->pkeys[idx].x509, 3134 s->cert->pkeys[idx].privatekey); 3135 } 3136 3137 /* 3138 * Returns true if the supplied cert |x| and key |pkey| is usable with the 3139 * specified signature scheme |sig|, or false otherwise. 3140 */ 3141 static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 3142 EVP_PKEY *pkey) 3143 { 3144 size_t idx; 3145 3146 if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 3147 return 0; 3148 3149 /* Check the key is consistent with the sig alg */ 3150 if ((int)idx != sig->sig_idx) 3151 return 0; 3152 3153 return check_cert_usable(s, sig, x, pkey); 3154 } 3155 3156 /* 3157 * Find a signature scheme that works with the supplied certificate |x| and key 3158 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our 3159 * available certs/keys to find one that works. 3160 */ 3161 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey) 3162 { 3163 const SIGALG_LOOKUP *lu = NULL; 3164 size_t i; 3165 int curve = -1; 3166 EVP_PKEY *tmppkey; 3167 3168 /* Look for a shared sigalgs matching possible certificates */ 3169 for (i = 0; i < s->shared_sigalgslen; i++) { 3170 lu = s->shared_sigalgs[i]; 3171 3172 /* Skip SHA1, SHA224, DSA and RSA if not PSS */ 3173 if (lu->hash == NID_sha1 3174 || lu->hash == NID_sha224 3175 || lu->sig == EVP_PKEY_DSA 3176 || lu->sig == EVP_PKEY_RSA) 3177 continue; 3178 /* Check that we have a cert, and signature_algorithms_cert */ 3179 if (!tls1_lookup_md(s->ctx, lu, NULL)) 3180 continue; 3181 if ((pkey == NULL && !has_usable_cert(s, lu, -1)) 3182 || (pkey != NULL && !is_cert_usable(s, lu, x, pkey))) 3183 continue; 3184 3185 tmppkey = (pkey != NULL) ? pkey 3186 : s->cert->pkeys[lu->sig_idx].privatekey; 3187 3188 if (lu->sig == EVP_PKEY_EC) { 3189 if (curve == -1) 3190 curve = ssl_get_EC_curve_nid(tmppkey); 3191 if (lu->curve != NID_undef && curve != lu->curve) 3192 continue; 3193 } else if (lu->sig == EVP_PKEY_RSA_PSS) { 3194 /* validate that key is large enough for the signature algorithm */ 3195 if (!rsa_pss_check_min_key_size(s->ctx, tmppkey, lu)) 3196 continue; 3197 } 3198 break; 3199 } 3200 3201 if (i == s->shared_sigalgslen) 3202 return NULL; 3203 3204 return lu; 3205 } 3206 3207 /* 3208 * Choose an appropriate signature algorithm based on available certificates 3209 * Sets chosen certificate and signature algorithm. 3210 * 3211 * For servers if we fail to find a required certificate it is a fatal error, 3212 * an appropriate error code is set and a TLS alert is sent. 3213 * 3214 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not 3215 * a fatal error: we will either try another certificate or not present one 3216 * to the server. In this case no error is set. 3217 */ 3218 int tls_choose_sigalg(SSL *s, int fatalerrs) 3219 { 3220 const SIGALG_LOOKUP *lu = NULL; 3221 int sig_idx = -1; 3222 3223 s->s3.tmp.cert = NULL; 3224 s->s3.tmp.sigalg = NULL; 3225 3226 if (SSL_IS_TLS13(s)) { 3227 lu = find_sig_alg(s, NULL, NULL); 3228 if (lu == NULL) { 3229 if (!fatalerrs) 3230 return 1; 3231 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3232 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3233 return 0; 3234 } 3235 } else { 3236 /* If ciphersuite doesn't require a cert nothing to do */ 3237 if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT)) 3238 return 1; 3239 if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys)) 3240 return 1; 3241 3242 if (SSL_USE_SIGALGS(s)) { 3243 size_t i; 3244 if (s->s3.tmp.peer_sigalgs != NULL) { 3245 int curve = -1; 3246 3247 /* For Suite B need to match signature algorithm to curve */ 3248 if (tls1_suiteb(s)) 3249 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC] 3250 .privatekey); 3251 3252 /* 3253 * Find highest preference signature algorithm matching 3254 * cert type 3255 */ 3256 for (i = 0; i < s->shared_sigalgslen; i++) { 3257 lu = s->shared_sigalgs[i]; 3258 3259 if (s->server) { 3260 if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1) 3261 continue; 3262 } else { 3263 int cc_idx = s->cert->key - s->cert->pkeys; 3264 3265 sig_idx = lu->sig_idx; 3266 if (cc_idx != sig_idx) 3267 continue; 3268 } 3269 /* Check that we have a cert, and sig_algs_cert */ 3270 if (!has_usable_cert(s, lu, sig_idx)) 3271 continue; 3272 if (lu->sig == EVP_PKEY_RSA_PSS) { 3273 /* validate that key is large enough for the signature algorithm */ 3274 EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey; 3275 3276 if (!rsa_pss_check_min_key_size(s->ctx, pkey, lu)) 3277 continue; 3278 } 3279 if (curve == -1 || lu->curve == curve) 3280 break; 3281 } 3282 #ifndef OPENSSL_NO_GOST 3283 /* 3284 * Some Windows-based implementations do not send GOST algorithms indication 3285 * in supported_algorithms extension, so when we have GOST-based ciphersuite, 3286 * we have to assume GOST support. 3287 */ 3288 if (i == s->shared_sigalgslen && s->s3.tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) { 3289 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3290 if (!fatalerrs) 3291 return 1; 3292 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3293 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3294 return 0; 3295 } else { 3296 i = 0; 3297 sig_idx = lu->sig_idx; 3298 } 3299 } 3300 #endif 3301 if (i == s->shared_sigalgslen) { 3302 if (!fatalerrs) 3303 return 1; 3304 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3305 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3306 return 0; 3307 } 3308 } else { 3309 /* 3310 * If we have no sigalg use defaults 3311 */ 3312 const uint16_t *sent_sigs; 3313 size_t sent_sigslen; 3314 3315 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3316 if (!fatalerrs) 3317 return 1; 3318 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3319 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3320 return 0; 3321 } 3322 3323 /* Check signature matches a type we sent */ 3324 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 3325 for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 3326 if (lu->sigalg == *sent_sigs 3327 && has_usable_cert(s, lu, lu->sig_idx)) 3328 break; 3329 } 3330 if (i == sent_sigslen) { 3331 if (!fatalerrs) 3332 return 1; 3333 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3334 SSL_R_WRONG_SIGNATURE_TYPE); 3335 return 0; 3336 } 3337 } 3338 } else { 3339 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3340 if (!fatalerrs) 3341 return 1; 3342 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3343 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3344 return 0; 3345 } 3346 } 3347 } 3348 if (sig_idx == -1) 3349 sig_idx = lu->sig_idx; 3350 s->s3.tmp.cert = &s->cert->pkeys[sig_idx]; 3351 s->cert->key = s->s3.tmp.cert; 3352 s->s3.tmp.sigalg = lu; 3353 return 1; 3354 } 3355 3356 int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) 3357 { 3358 if (mode != TLSEXT_max_fragment_length_DISABLED 3359 && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 3360 ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 3361 return 0; 3362 } 3363 3364 ctx->ext.max_fragment_len_mode = mode; 3365 return 1; 3366 } 3367 3368 int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode) 3369 { 3370 if (mode != TLSEXT_max_fragment_length_DISABLED 3371 && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 3372 ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 3373 return 0; 3374 } 3375 3376 ssl->ext.max_fragment_len_mode = mode; 3377 return 1; 3378 } 3379 3380 uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session) 3381 { 3382 return session->ext.max_fragment_len_mode; 3383 } 3384 3385 /* 3386 * Helper functions for HMAC access with legacy support included. 3387 */ 3388 SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx) 3389 { 3390 SSL_HMAC *ret = OPENSSL_zalloc(sizeof(*ret)); 3391 EVP_MAC *mac = NULL; 3392 3393 if (ret == NULL) 3394 return NULL; 3395 #ifndef OPENSSL_NO_DEPRECATED_3_0 3396 if (ctx->ext.ticket_key_evp_cb == NULL 3397 && ctx->ext.ticket_key_cb != NULL) { 3398 if (!ssl_hmac_old_new(ret)) 3399 goto err; 3400 return ret; 3401 } 3402 #endif 3403 mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq); 3404 if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL) 3405 goto err; 3406 EVP_MAC_free(mac); 3407 return ret; 3408 err: 3409 EVP_MAC_CTX_free(ret->ctx); 3410 EVP_MAC_free(mac); 3411 OPENSSL_free(ret); 3412 return NULL; 3413 } 3414 3415 void ssl_hmac_free(SSL_HMAC *ctx) 3416 { 3417 if (ctx != NULL) { 3418 EVP_MAC_CTX_free(ctx->ctx); 3419 #ifndef OPENSSL_NO_DEPRECATED_3_0 3420 ssl_hmac_old_free(ctx); 3421 #endif 3422 OPENSSL_free(ctx); 3423 } 3424 } 3425 3426 EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx) 3427 { 3428 return ctx->ctx; 3429 } 3430 3431 int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md) 3432 { 3433 OSSL_PARAM params[2], *p = params; 3434 3435 if (ctx->ctx != NULL) { 3436 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0); 3437 *p = OSSL_PARAM_construct_end(); 3438 if (EVP_MAC_init(ctx->ctx, key, len, params)) 3439 return 1; 3440 } 3441 #ifndef OPENSSL_NO_DEPRECATED_3_0 3442 if (ctx->old_ctx != NULL) 3443 return ssl_hmac_old_init(ctx, key, len, md); 3444 #endif 3445 return 0; 3446 } 3447 3448 int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len) 3449 { 3450 if (ctx->ctx != NULL) 3451 return EVP_MAC_update(ctx->ctx, data, len); 3452 #ifndef OPENSSL_NO_DEPRECATED_3_0 3453 if (ctx->old_ctx != NULL) 3454 return ssl_hmac_old_update(ctx, data, len); 3455 #endif 3456 return 0; 3457 } 3458 3459 int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, 3460 size_t max_size) 3461 { 3462 if (ctx->ctx != NULL) 3463 return EVP_MAC_final(ctx->ctx, md, len, max_size); 3464 #ifndef OPENSSL_NO_DEPRECATED_3_0 3465 if (ctx->old_ctx != NULL) 3466 return ssl_hmac_old_final(ctx, md, len); 3467 #endif 3468 return 0; 3469 } 3470 3471 size_t ssl_hmac_size(const SSL_HMAC *ctx) 3472 { 3473 if (ctx->ctx != NULL) 3474 return EVP_MAC_CTX_get_mac_size(ctx->ctx); 3475 #ifndef OPENSSL_NO_DEPRECATED_3_0 3476 if (ctx->old_ctx != NULL) 3477 return ssl_hmac_old_size(ctx); 3478 #endif 3479 return 0; 3480 } 3481 3482 int ssl_get_EC_curve_nid(const EVP_PKEY *pkey) 3483 { 3484 char gname[OSSL_MAX_NAME_SIZE]; 3485 3486 if (EVP_PKEY_get_group_name(pkey, gname, sizeof(gname), NULL) > 0) 3487 return OBJ_txt2nid(gname); 3488 3489 return NID_undef; 3490 } 3491 3492 __owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey, 3493 const unsigned char *enckey, 3494 size_t enckeylen) 3495 { 3496 if (EVP_PKEY_is_a(pkey, "DH")) { 3497 int bits = EVP_PKEY_get_bits(pkey); 3498 3499 if (bits <= 0 || enckeylen != (size_t)bits / 8) 3500 /* the encoded key must be padded to the length of the p */ 3501 return 0; 3502 } else if (EVP_PKEY_is_a(pkey, "EC")) { 3503 if (enckeylen < 3 /* point format and at least 1 byte for x and y */ 3504 || enckey[0] != 0x04) 3505 return 0; 3506 } 3507 3508 return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen); 3509 } 3510