1 /* 2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <openssl/objects.h> 13 #include <openssl/evp.h> 14 #include <openssl/hmac.h> 15 #include <openssl/core_names.h> 16 #include <openssl/ocsp.h> 17 #include <openssl/conf.h> 18 #include <openssl/x509v3.h> 19 #include <openssl/dh.h> 20 #include <openssl/bn.h> 21 #include <openssl/provider.h> 22 #include <openssl/param_build.h> 23 #include "internal/nelem.h" 24 #include "internal/sizes.h" 25 #include "internal/tlsgroups.h" 26 #include "internal/cryptlib.h" 27 #include "ssl_local.h" 28 #include <openssl/ct.h> 29 30 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey); 31 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu); 32 33 SSL3_ENC_METHOD const TLSv1_enc_data = { 34 tls1_enc, 35 tls1_mac, 36 tls1_setup_key_block, 37 tls1_generate_master_secret, 38 tls1_change_cipher_state, 39 tls1_final_finish_mac, 40 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 41 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 42 tls1_alert_code, 43 tls1_export_keying_material, 44 0, 45 ssl3_set_handshake_header, 46 tls_close_construct_packet, 47 ssl3_handshake_write 48 }; 49 50 SSL3_ENC_METHOD const TLSv1_1_enc_data = { 51 tls1_enc, 52 tls1_mac, 53 tls1_setup_key_block, 54 tls1_generate_master_secret, 55 tls1_change_cipher_state, 56 tls1_final_finish_mac, 57 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 58 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 59 tls1_alert_code, 60 tls1_export_keying_material, 61 SSL_ENC_FLAG_EXPLICIT_IV, 62 ssl3_set_handshake_header, 63 tls_close_construct_packet, 64 ssl3_handshake_write 65 }; 66 67 SSL3_ENC_METHOD const TLSv1_2_enc_data = { 68 tls1_enc, 69 tls1_mac, 70 tls1_setup_key_block, 71 tls1_generate_master_secret, 72 tls1_change_cipher_state, 73 tls1_final_finish_mac, 74 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 75 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 76 tls1_alert_code, 77 tls1_export_keying_material, 78 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF 79 | SSL_ENC_FLAG_TLS1_2_CIPHERS, 80 ssl3_set_handshake_header, 81 tls_close_construct_packet, 82 ssl3_handshake_write 83 }; 84 85 SSL3_ENC_METHOD const TLSv1_3_enc_data = { 86 tls13_enc, 87 tls1_mac, 88 tls13_setup_key_block, 89 tls13_generate_master_secret, 90 tls13_change_cipher_state, 91 tls13_final_finish_mac, 92 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 93 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 94 tls13_alert_code, 95 tls13_export_keying_material, 96 SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF, 97 ssl3_set_handshake_header, 98 tls_close_construct_packet, 99 ssl3_handshake_write 100 }; 101 102 long tls1_default_timeout(void) 103 { 104 /* 105 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 106 * http, the cache would over fill 107 */ 108 return (60 * 60 * 2); 109 } 110 111 int tls1_new(SSL *s) 112 { 113 if (!ssl3_new(s)) 114 return 0; 115 if (!s->method->ssl_clear(s)) 116 return 0; 117 118 return 1; 119 } 120 121 void tls1_free(SSL *s) 122 { 123 OPENSSL_free(s->ext.session_ticket); 124 ssl3_free(s); 125 } 126 127 int tls1_clear(SSL *s) 128 { 129 if (!ssl3_clear(s)) 130 return 0; 131 132 if (s->method->version == TLS_ANY_VERSION) 133 s->version = TLS_MAX_VERSION_INTERNAL; 134 else 135 s->version = s->method->version; 136 137 return 1; 138 } 139 140 /* Legacy NID to group_id mapping. Only works for groups we know about */ 141 static struct { 142 int nid; 143 uint16_t group_id; 144 } nid_to_group[] = { 145 {NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1}, 146 {NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1}, 147 {NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2}, 148 {NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1}, 149 {NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2}, 150 {NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1}, 151 {NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1}, 152 {NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1}, 153 {NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1}, 154 {NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1}, 155 {NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1}, 156 {NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1}, 157 {NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1}, 158 {NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1}, 159 {NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1}, 160 {NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1}, 161 {NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2}, 162 {NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1}, 163 {NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1}, 164 {NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1}, 165 {NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1}, 166 {NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1}, 167 {NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1}, 168 {NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1}, 169 {NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1}, 170 {NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1}, 171 {NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1}, 172 {NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1}, 173 {EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519}, 174 {EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448}, 175 {NID_id_tc26_gost_3410_2012_256_paramSetA, 0x0022}, 176 {NID_id_tc26_gost_3410_2012_256_paramSetB, 0x0023}, 177 {NID_id_tc26_gost_3410_2012_256_paramSetC, 0x0024}, 178 {NID_id_tc26_gost_3410_2012_256_paramSetD, 0x0025}, 179 {NID_id_tc26_gost_3410_2012_512_paramSetA, 0x0026}, 180 {NID_id_tc26_gost_3410_2012_512_paramSetB, 0x0027}, 181 {NID_id_tc26_gost_3410_2012_512_paramSetC, 0x0028}, 182 {NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048}, 183 {NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072}, 184 {NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096}, 185 {NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144}, 186 {NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192} 187 }; 188 189 static const unsigned char ecformats_default[] = { 190 TLSEXT_ECPOINTFORMAT_uncompressed, 191 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 192 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 193 }; 194 195 /* The default curves */ 196 static const uint16_t supported_groups_default[] = { 197 29, /* X25519 (29) */ 198 23, /* secp256r1 (23) */ 199 30, /* X448 (30) */ 200 25, /* secp521r1 (25) */ 201 24, /* secp384r1 (24) */ 202 34, /* GC256A (34) */ 203 35, /* GC256B (35) */ 204 36, /* GC256C (36) */ 205 37, /* GC256D (37) */ 206 38, /* GC512A (38) */ 207 39, /* GC512B (39) */ 208 40, /* GC512C (40) */ 209 0x100, /* ffdhe2048 (0x100) */ 210 0x101, /* ffdhe3072 (0x101) */ 211 0x102, /* ffdhe4096 (0x102) */ 212 0x103, /* ffdhe6144 (0x103) */ 213 0x104, /* ffdhe8192 (0x104) */ 214 }; 215 216 static const uint16_t suiteb_curves[] = { 217 TLSEXT_curve_P_256, 218 TLSEXT_curve_P_384 219 }; 220 221 struct provider_group_data_st { 222 SSL_CTX *ctx; 223 OSSL_PROVIDER *provider; 224 }; 225 226 #define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10 227 static OSSL_CALLBACK add_provider_groups; 228 static int add_provider_groups(const OSSL_PARAM params[], void *data) 229 { 230 struct provider_group_data_st *pgd = data; 231 SSL_CTX *ctx = pgd->ctx; 232 OSSL_PROVIDER *provider = pgd->provider; 233 const OSSL_PARAM *p; 234 TLS_GROUP_INFO *ginf = NULL; 235 EVP_KEYMGMT *keymgmt; 236 unsigned int gid; 237 unsigned int is_kem = 0; 238 int ret = 0; 239 240 if (ctx->group_list_max_len == ctx->group_list_len) { 241 TLS_GROUP_INFO *tmp = NULL; 242 243 if (ctx->group_list_max_len == 0) 244 tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO) 245 * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); 246 else 247 tmp = OPENSSL_realloc(ctx->group_list, 248 (ctx->group_list_max_len 249 + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE) 250 * sizeof(TLS_GROUP_INFO)); 251 if (tmp == NULL) { 252 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 253 return 0; 254 } 255 ctx->group_list = tmp; 256 memset(tmp + ctx->group_list_max_len, 257 0, 258 sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); 259 ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE; 260 } 261 262 ginf = &ctx->group_list[ctx->group_list_len]; 263 264 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME); 265 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 266 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 267 goto err; 268 } 269 ginf->tlsname = OPENSSL_strdup(p->data); 270 if (ginf->tlsname == NULL) { 271 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 272 goto err; 273 } 274 275 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL); 276 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 277 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 278 goto err; 279 } 280 ginf->realname = OPENSSL_strdup(p->data); 281 if (ginf->realname == NULL) { 282 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 283 goto err; 284 } 285 286 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID); 287 if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) { 288 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 289 goto err; 290 } 291 ginf->group_id = (uint16_t)gid; 292 293 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG); 294 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 295 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 296 goto err; 297 } 298 ginf->algorithm = OPENSSL_strdup(p->data); 299 if (ginf->algorithm == NULL) { 300 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 301 goto err; 302 } 303 304 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS); 305 if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) { 306 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 307 goto err; 308 } 309 310 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM); 311 if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) { 312 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 313 goto err; 314 } 315 ginf->is_kem = 1 & is_kem; 316 317 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS); 318 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) { 319 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 320 goto err; 321 } 322 323 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS); 324 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) { 325 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 326 goto err; 327 } 328 329 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS); 330 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) { 331 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 332 goto err; 333 } 334 335 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS); 336 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) { 337 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 338 goto err; 339 } 340 /* 341 * Now check that the algorithm is actually usable for our property query 342 * string. Regardless of the result we still return success because we have 343 * successfully processed this group, even though we may decide not to use 344 * it. 345 */ 346 ret = 1; 347 ERR_set_mark(); 348 keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq); 349 if (keymgmt != NULL) { 350 /* 351 * We have successfully fetched the algorithm - however if the provider 352 * doesn't match this one then we ignore it. 353 * 354 * Note: We're cheating a little here. Technically if the same algorithm 355 * is available from more than one provider then it is undefined which 356 * implementation you will get back. Theoretically this could be 357 * different every time...we assume here that you'll always get the 358 * same one back if you repeat the exact same fetch. Is this a reasonable 359 * assumption to make (in which case perhaps we should document this 360 * behaviour)? 361 */ 362 if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { 363 /* We have a match - so we will use this group */ 364 ctx->group_list_len++; 365 ginf = NULL; 366 } 367 EVP_KEYMGMT_free(keymgmt); 368 } 369 ERR_pop_to_mark(); 370 err: 371 if (ginf != NULL) { 372 OPENSSL_free(ginf->tlsname); 373 OPENSSL_free(ginf->realname); 374 OPENSSL_free(ginf->algorithm); 375 ginf->algorithm = ginf->tlsname = ginf->realname = NULL; 376 } 377 return ret; 378 } 379 380 static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx) 381 { 382 struct provider_group_data_st pgd; 383 384 pgd.ctx = vctx; 385 pgd.provider = provider; 386 return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP", 387 add_provider_groups, &pgd); 388 } 389 390 int ssl_load_groups(SSL_CTX *ctx) 391 { 392 size_t i, j, num_deflt_grps = 0; 393 uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)]; 394 395 if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx)) 396 return 0; 397 398 for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) { 399 for (j = 0; j < ctx->group_list_len; j++) { 400 if (ctx->group_list[j].group_id == supported_groups_default[i]) { 401 tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id; 402 break; 403 } 404 } 405 } 406 407 if (num_deflt_grps == 0) 408 return 1; 409 410 ctx->ext.supported_groups_default 411 = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps); 412 413 if (ctx->ext.supported_groups_default == NULL) { 414 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 415 return 0; 416 } 417 418 memcpy(ctx->ext.supported_groups_default, 419 tmp_supp_groups, 420 num_deflt_grps * sizeof(tmp_supp_groups[0])); 421 ctx->ext.supported_groups_default_len = num_deflt_grps; 422 423 return 1; 424 } 425 426 static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name) 427 { 428 size_t i; 429 430 for (i = 0; i < ctx->group_list_len; i++) { 431 if (strcmp(ctx->group_list[i].tlsname, name) == 0 432 || strcmp(ctx->group_list[i].realname, name) == 0) 433 return ctx->group_list[i].group_id; 434 } 435 436 return 0; 437 } 438 439 const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id) 440 { 441 size_t i; 442 443 for (i = 0; i < ctx->group_list_len; i++) { 444 if (ctx->group_list[i].group_id == group_id) 445 return &ctx->group_list[i]; 446 } 447 448 return NULL; 449 } 450 451 int tls1_group_id2nid(uint16_t group_id, int include_unknown) 452 { 453 size_t i; 454 455 if (group_id == 0) 456 return NID_undef; 457 458 /* 459 * Return well known Group NIDs - for backwards compatibility. This won't 460 * work for groups we don't know about. 461 */ 462 for (i = 0; i < OSSL_NELEM(nid_to_group); i++) 463 { 464 if (nid_to_group[i].group_id == group_id) 465 return nid_to_group[i].nid; 466 } 467 if (!include_unknown) 468 return NID_undef; 469 return TLSEXT_nid_unknown | (int)group_id; 470 } 471 472 uint16_t tls1_nid2group_id(int nid) 473 { 474 size_t i; 475 476 /* 477 * Return well known Group ids - for backwards compatibility. This won't 478 * work for groups we don't know about. 479 */ 480 for (i = 0; i < OSSL_NELEM(nid_to_group); i++) 481 { 482 if (nid_to_group[i].nid == nid) 483 return nid_to_group[i].group_id; 484 } 485 486 return 0; 487 } 488 489 /* 490 * Set *pgroups to the supported groups list and *pgroupslen to 491 * the number of groups supported. 492 */ 493 void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, 494 size_t *pgroupslen) 495 { 496 /* For Suite B mode only include P-256, P-384 */ 497 switch (tls1_suiteb(s)) { 498 case SSL_CERT_FLAG_SUITEB_128_LOS: 499 *pgroups = suiteb_curves; 500 *pgroupslen = OSSL_NELEM(suiteb_curves); 501 break; 502 503 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 504 *pgroups = suiteb_curves; 505 *pgroupslen = 1; 506 break; 507 508 case SSL_CERT_FLAG_SUITEB_192_LOS: 509 *pgroups = suiteb_curves + 1; 510 *pgroupslen = 1; 511 break; 512 513 default: 514 if (s->ext.supportedgroups == NULL) { 515 *pgroups = s->ctx->ext.supported_groups_default; 516 *pgroupslen = s->ctx->ext.supported_groups_default_len; 517 } else { 518 *pgroups = s->ext.supportedgroups; 519 *pgroupslen = s->ext.supportedgroups_len; 520 } 521 break; 522 } 523 } 524 525 int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion, 526 int isec, int *okfortls13) 527 { 528 const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group_id); 529 int ret; 530 531 if (okfortls13 != NULL) 532 *okfortls13 = 0; 533 534 if (ginfo == NULL) 535 return 0; 536 537 if (SSL_IS_DTLS(s)) { 538 if (ginfo->mindtls < 0 || ginfo->maxdtls < 0) 539 return 0; 540 if (ginfo->maxdtls == 0) 541 ret = 1; 542 else 543 ret = DTLS_VERSION_LE(minversion, ginfo->maxdtls); 544 if (ginfo->mindtls > 0) 545 ret &= DTLS_VERSION_GE(maxversion, ginfo->mindtls); 546 } else { 547 if (ginfo->mintls < 0 || ginfo->maxtls < 0) 548 return 0; 549 if (ginfo->maxtls == 0) 550 ret = 1; 551 else 552 ret = (minversion <= ginfo->maxtls); 553 if (ginfo->mintls > 0) 554 ret &= (maxversion >= ginfo->mintls); 555 if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION) 556 *okfortls13 = (ginfo->maxtls == 0) 557 || (ginfo->maxtls >= TLS1_3_VERSION); 558 } 559 ret &= !isec 560 || strcmp(ginfo->algorithm, "EC") == 0 561 || strcmp(ginfo->algorithm, "X25519") == 0 562 || strcmp(ginfo->algorithm, "X448") == 0; 563 564 return ret; 565 } 566 567 /* See if group is allowed by security callback */ 568 int tls_group_allowed(SSL *s, uint16_t group, int op) 569 { 570 const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group); 571 unsigned char gtmp[2]; 572 573 if (ginfo == NULL) 574 return 0; 575 576 gtmp[0] = group >> 8; 577 gtmp[1] = group & 0xff; 578 return ssl_security(s, op, ginfo->secbits, 579 tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp); 580 } 581 582 /* Return 1 if "id" is in "list" */ 583 static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen) 584 { 585 size_t i; 586 for (i = 0; i < listlen; i++) 587 if (list[i] == id) 588 return 1; 589 return 0; 590 } 591 592 /*- 593 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0 594 * if there is no match. 595 * For nmatch == -1, return number of matches 596 * For nmatch == -2, return the id of the group to use for 597 * a tmp key, or 0 if there is no match. 598 */ 599 uint16_t tls1_shared_group(SSL *s, int nmatch) 600 { 601 const uint16_t *pref, *supp; 602 size_t num_pref, num_supp, i; 603 int k; 604 SSL_CTX *ctx = s->ctx; 605 606 /* Can't do anything on client side */ 607 if (s->server == 0) 608 return 0; 609 if (nmatch == -2) { 610 if (tls1_suiteb(s)) { 611 /* 612 * For Suite B ciphersuite determines curve: we already know 613 * these are acceptable due to previous checks. 614 */ 615 unsigned long cid = s->s3.tmp.new_cipher->id; 616 617 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 618 return TLSEXT_curve_P_256; 619 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 620 return TLSEXT_curve_P_384; 621 /* Should never happen */ 622 return 0; 623 } 624 /* If not Suite B just return first preference shared curve */ 625 nmatch = 0; 626 } 627 /* 628 * If server preference set, our groups are the preference order 629 * otherwise peer decides. 630 */ 631 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 632 tls1_get_supported_groups(s, &pref, &num_pref); 633 tls1_get_peer_groups(s, &supp, &num_supp); 634 } else { 635 tls1_get_peer_groups(s, &pref, &num_pref); 636 tls1_get_supported_groups(s, &supp, &num_supp); 637 } 638 639 for (k = 0, i = 0; i < num_pref; i++) { 640 uint16_t id = pref[i]; 641 const TLS_GROUP_INFO *inf; 642 643 if (!tls1_in_list(id, supp, num_supp) 644 || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED)) 645 continue; 646 inf = tls1_group_id_lookup(ctx, id); 647 if (!ossl_assert(inf != NULL)) 648 return 0; 649 if (SSL_IS_DTLS(s)) { 650 if (inf->maxdtls == -1) 651 continue; 652 if ((inf->mindtls != 0 && DTLS_VERSION_LT(s->version, inf->mindtls)) 653 || (inf->maxdtls != 0 654 && DTLS_VERSION_GT(s->version, inf->maxdtls))) 655 continue; 656 } else { 657 if (inf->maxtls == -1) 658 continue; 659 if ((inf->mintls != 0 && s->version < inf->mintls) 660 || (inf->maxtls != 0 && s->version > inf->maxtls)) 661 continue; 662 } 663 664 if (nmatch == k) 665 return id; 666 k++; 667 } 668 if (nmatch == -1) 669 return k; 670 /* Out of range (nmatch > k). */ 671 return 0; 672 } 673 674 int tls1_set_groups(uint16_t **pext, size_t *pextlen, 675 int *groups, size_t ngroups) 676 { 677 uint16_t *glist; 678 size_t i; 679 /* 680 * Bitmap of groups included to detect duplicates: two variables are added 681 * to detect duplicates as some values are more than 32. 682 */ 683 unsigned long *dup_list = NULL; 684 unsigned long dup_list_egrp = 0; 685 unsigned long dup_list_dhgrp = 0; 686 687 if (ngroups == 0) { 688 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); 689 return 0; 690 } 691 if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { 692 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 693 return 0; 694 } 695 for (i = 0; i < ngroups; i++) { 696 unsigned long idmask; 697 uint16_t id; 698 id = tls1_nid2group_id(groups[i]); 699 if ((id & 0x00FF) >= (sizeof(unsigned long) * 8)) 700 goto err; 701 idmask = 1L << (id & 0x00FF); 702 dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp; 703 if (!id || ((*dup_list) & idmask)) 704 goto err; 705 *dup_list |= idmask; 706 glist[i] = id; 707 } 708 OPENSSL_free(*pext); 709 *pext = glist; 710 *pextlen = ngroups; 711 return 1; 712 err: 713 OPENSSL_free(glist); 714 return 0; 715 } 716 717 # define GROUPLIST_INCREMENT 40 718 # define GROUP_NAME_BUFFER_LENGTH 64 719 typedef struct { 720 SSL_CTX *ctx; 721 size_t gidcnt; 722 size_t gidmax; 723 uint16_t *gid_arr; 724 } gid_cb_st; 725 726 static int gid_cb(const char *elem, int len, void *arg) 727 { 728 gid_cb_st *garg = arg; 729 size_t i; 730 uint16_t gid = 0; 731 char etmp[GROUP_NAME_BUFFER_LENGTH]; 732 733 if (elem == NULL) 734 return 0; 735 if (garg->gidcnt == garg->gidmax) { 736 uint16_t *tmp = 737 OPENSSL_realloc(garg->gid_arr, 738 (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr)); 739 if (tmp == NULL) 740 return 0; 741 garg->gidmax += GROUPLIST_INCREMENT; 742 garg->gid_arr = tmp; 743 } 744 if (len > (int)(sizeof(etmp) - 1)) 745 return 0; 746 memcpy(etmp, elem, len); 747 etmp[len] = 0; 748 749 gid = tls1_group_name2id(garg->ctx, etmp); 750 if (gid == 0) { 751 ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, 752 "group '%s' cannot be set", etmp); 753 return 0; 754 } 755 for (i = 0; i < garg->gidcnt; i++) 756 if (garg->gid_arr[i] == gid) 757 return 0; 758 garg->gid_arr[garg->gidcnt++] = gid; 759 return 1; 760 } 761 762 /* Set groups based on a colon separated list */ 763 int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, 764 const char *str) 765 { 766 gid_cb_st gcb; 767 uint16_t *tmparr; 768 int ret = 0; 769 770 gcb.gidcnt = 0; 771 gcb.gidmax = GROUPLIST_INCREMENT; 772 gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr)); 773 if (gcb.gid_arr == NULL) 774 return 0; 775 gcb.ctx = ctx; 776 if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) 777 goto end; 778 if (pext == NULL) { 779 ret = 1; 780 goto end; 781 } 782 783 /* 784 * gid_cb ensurse there are no duplicates so we can just go ahead and set 785 * the result 786 */ 787 tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); 788 if (tmparr == NULL) 789 goto end; 790 OPENSSL_free(*pext); 791 *pext = tmparr; 792 *pextlen = gcb.gidcnt; 793 ret = 1; 794 end: 795 OPENSSL_free(gcb.gid_arr); 796 return ret; 797 } 798 799 /* Check a group id matches preferences */ 800 int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) 801 { 802 const uint16_t *groups; 803 size_t groups_len; 804 805 if (group_id == 0) 806 return 0; 807 808 /* Check for Suite B compliance */ 809 if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) { 810 unsigned long cid = s->s3.tmp.new_cipher->id; 811 812 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { 813 if (group_id != TLSEXT_curve_P_256) 814 return 0; 815 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { 816 if (group_id != TLSEXT_curve_P_384) 817 return 0; 818 } else { 819 /* Should never happen */ 820 return 0; 821 } 822 } 823 824 if (check_own_groups) { 825 /* Check group is one of our preferences */ 826 tls1_get_supported_groups(s, &groups, &groups_len); 827 if (!tls1_in_list(group_id, groups, groups_len)) 828 return 0; 829 } 830 831 if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) 832 return 0; 833 834 /* For clients, nothing more to check */ 835 if (!s->server) 836 return 1; 837 838 /* Check group is one of peers preferences */ 839 tls1_get_peer_groups(s, &groups, &groups_len); 840 841 /* 842 * RFC 4492 does not require the supported elliptic curves extension 843 * so if it is not sent we can just choose any curve. 844 * It is invalid to send an empty list in the supported groups 845 * extension, so groups_len == 0 always means no extension. 846 */ 847 if (groups_len == 0) 848 return 1; 849 return tls1_in_list(group_id, groups, groups_len); 850 } 851 852 void tls1_get_formatlist(SSL *s, const unsigned char **pformats, 853 size_t *num_formats) 854 { 855 /* 856 * If we have a custom point format list use it otherwise use default 857 */ 858 if (s->ext.ecpointformats) { 859 *pformats = s->ext.ecpointformats; 860 *num_formats = s->ext.ecpointformats_len; 861 } else { 862 *pformats = ecformats_default; 863 /* For Suite B we don't support char2 fields */ 864 if (tls1_suiteb(s)) 865 *num_formats = sizeof(ecformats_default) - 1; 866 else 867 *num_formats = sizeof(ecformats_default); 868 } 869 } 870 871 /* Check a key is compatible with compression extension */ 872 static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) 873 { 874 unsigned char comp_id; 875 size_t i; 876 int point_conv; 877 878 /* If not an EC key nothing to check */ 879 if (!EVP_PKEY_is_a(pkey, "EC")) 880 return 1; 881 882 883 /* Get required compression id */ 884 point_conv = EVP_PKEY_get_ec_point_conv_form(pkey); 885 if (point_conv == 0) 886 return 0; 887 if (point_conv == POINT_CONVERSION_UNCOMPRESSED) { 888 comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 889 } else if (SSL_IS_TLS13(s)) { 890 /* 891 * ec_point_formats extension is not used in TLSv1.3 so we ignore 892 * this check. 893 */ 894 return 1; 895 } else { 896 int field_type = EVP_PKEY_get_field_type(pkey); 897 898 if (field_type == NID_X9_62_prime_field) 899 comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 900 else if (field_type == NID_X9_62_characteristic_two_field) 901 comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 902 else 903 return 0; 904 } 905 /* 906 * If point formats extension present check it, otherwise everything is 907 * supported (see RFC4492). 908 */ 909 if (s->ext.peer_ecpointformats == NULL) 910 return 1; 911 912 for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { 913 if (s->ext.peer_ecpointformats[i] == comp_id) 914 return 1; 915 } 916 return 0; 917 } 918 919 /* Return group id of a key */ 920 static uint16_t tls1_get_group_id(EVP_PKEY *pkey) 921 { 922 int curve_nid = ssl_get_EC_curve_nid(pkey); 923 924 if (curve_nid == NID_undef) 925 return 0; 926 return tls1_nid2group_id(curve_nid); 927 } 928 929 /* 930 * Check cert parameters compatible with extensions: currently just checks EC 931 * certificates have compatible curves and compression. 932 */ 933 static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md) 934 { 935 uint16_t group_id; 936 EVP_PKEY *pkey; 937 pkey = X509_get0_pubkey(x); 938 if (pkey == NULL) 939 return 0; 940 /* If not EC nothing to do */ 941 if (!EVP_PKEY_is_a(pkey, "EC")) 942 return 1; 943 /* Check compression */ 944 if (!tls1_check_pkey_comp(s, pkey)) 945 return 0; 946 group_id = tls1_get_group_id(pkey); 947 /* 948 * For a server we allow the certificate to not be in our list of supported 949 * groups. 950 */ 951 if (!tls1_check_group_id(s, group_id, !s->server)) 952 return 0; 953 /* 954 * Special case for suite B. We *MUST* sign using SHA256+P-256 or 955 * SHA384+P-384. 956 */ 957 if (check_ee_md && tls1_suiteb(s)) { 958 int check_md; 959 size_t i; 960 961 /* Check to see we have necessary signing algorithm */ 962 if (group_id == TLSEXT_curve_P_256) 963 check_md = NID_ecdsa_with_SHA256; 964 else if (group_id == TLSEXT_curve_P_384) 965 check_md = NID_ecdsa_with_SHA384; 966 else 967 return 0; /* Should never happen */ 968 for (i = 0; i < s->shared_sigalgslen; i++) { 969 if (check_md == s->shared_sigalgs[i]->sigandhash) 970 return 1;; 971 } 972 return 0; 973 } 974 return 1; 975 } 976 977 /* 978 * tls1_check_ec_tmp_key - Check EC temporary key compatibility 979 * @s: SSL connection 980 * @cid: Cipher ID we're considering using 981 * 982 * Checks that the kECDHE cipher suite we're considering using 983 * is compatible with the client extensions. 984 * 985 * Returns 0 when the cipher can't be used or 1 when it can. 986 */ 987 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) 988 { 989 /* If not Suite B just need a shared group */ 990 if (!tls1_suiteb(s)) 991 return tls1_shared_group(s, 0) != 0; 992 /* 993 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other 994 * curves permitted. 995 */ 996 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 997 return tls1_check_group_id(s, TLSEXT_curve_P_256, 1); 998 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 999 return tls1_check_group_id(s, TLSEXT_curve_P_384, 1); 1000 1001 return 0; 1002 } 1003 1004 /* Default sigalg schemes */ 1005 static const uint16_t tls12_sigalgs[] = { 1006 TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1007 TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 1008 TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 1009 TLSEXT_SIGALG_ed25519, 1010 TLSEXT_SIGALG_ed448, 1011 1012 TLSEXT_SIGALG_rsa_pss_pss_sha256, 1013 TLSEXT_SIGALG_rsa_pss_pss_sha384, 1014 TLSEXT_SIGALG_rsa_pss_pss_sha512, 1015 TLSEXT_SIGALG_rsa_pss_rsae_sha256, 1016 TLSEXT_SIGALG_rsa_pss_rsae_sha384, 1017 TLSEXT_SIGALG_rsa_pss_rsae_sha512, 1018 1019 TLSEXT_SIGALG_rsa_pkcs1_sha256, 1020 TLSEXT_SIGALG_rsa_pkcs1_sha384, 1021 TLSEXT_SIGALG_rsa_pkcs1_sha512, 1022 1023 TLSEXT_SIGALG_ecdsa_sha224, 1024 TLSEXT_SIGALG_ecdsa_sha1, 1025 1026 TLSEXT_SIGALG_rsa_pkcs1_sha224, 1027 TLSEXT_SIGALG_rsa_pkcs1_sha1, 1028 1029 TLSEXT_SIGALG_dsa_sha224, 1030 TLSEXT_SIGALG_dsa_sha1, 1031 1032 TLSEXT_SIGALG_dsa_sha256, 1033 TLSEXT_SIGALG_dsa_sha384, 1034 TLSEXT_SIGALG_dsa_sha512, 1035 1036 #ifndef OPENSSL_NO_GOST 1037 TLSEXT_SIGALG_gostr34102012_256_intrinsic, 1038 TLSEXT_SIGALG_gostr34102012_512_intrinsic, 1039 TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1040 TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1041 TLSEXT_SIGALG_gostr34102001_gostr3411, 1042 #endif 1043 }; 1044 1045 1046 static const uint16_t suiteb_sigalgs[] = { 1047 TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1048 TLSEXT_SIGALG_ecdsa_secp384r1_sha384 1049 }; 1050 1051 static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { 1052 {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1053 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1054 NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1}, 1055 {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 1056 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1057 NID_ecdsa_with_SHA384, NID_secp384r1, 1}, 1058 {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 1059 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1060 NID_ecdsa_with_SHA512, NID_secp521r1, 1}, 1061 {"ed25519", TLSEXT_SIGALG_ed25519, 1062 NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519, 1063 NID_undef, NID_undef, 1}, 1064 {"ed448", TLSEXT_SIGALG_ed448, 1065 NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448, 1066 NID_undef, NID_undef, 1}, 1067 {NULL, TLSEXT_SIGALG_ecdsa_sha224, 1068 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1069 NID_ecdsa_with_SHA224, NID_undef, 1}, 1070 {NULL, TLSEXT_SIGALG_ecdsa_sha1, 1071 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1072 NID_ecdsa_with_SHA1, NID_undef, 1}, 1073 {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, 1074 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1075 NID_undef, NID_undef, 1}, 1076 {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384, 1077 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1078 NID_undef, NID_undef, 1}, 1079 {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512, 1080 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1081 NID_undef, NID_undef, 1}, 1082 {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256, 1083 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1084 NID_undef, NID_undef, 1}, 1085 {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384, 1086 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1087 NID_undef, NID_undef, 1}, 1088 {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512, 1089 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1090 NID_undef, NID_undef, 1}, 1091 {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256, 1092 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1093 NID_sha256WithRSAEncryption, NID_undef, 1}, 1094 {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384, 1095 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1096 NID_sha384WithRSAEncryption, NID_undef, 1}, 1097 {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512, 1098 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1099 NID_sha512WithRSAEncryption, NID_undef, 1}, 1100 {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224, 1101 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1102 NID_sha224WithRSAEncryption, NID_undef, 1}, 1103 {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, 1104 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1105 NID_sha1WithRSAEncryption, NID_undef, 1}, 1106 {NULL, TLSEXT_SIGALG_dsa_sha256, 1107 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1108 NID_dsa_with_SHA256, NID_undef, 1}, 1109 {NULL, TLSEXT_SIGALG_dsa_sha384, 1110 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1111 NID_undef, NID_undef, 1}, 1112 {NULL, TLSEXT_SIGALG_dsa_sha512, 1113 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1114 NID_undef, NID_undef, 1}, 1115 {NULL, TLSEXT_SIGALG_dsa_sha224, 1116 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1117 NID_undef, NID_undef, 1}, 1118 {NULL, TLSEXT_SIGALG_dsa_sha1, 1119 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1120 NID_dsaWithSHA1, NID_undef, 1}, 1121 #ifndef OPENSSL_NO_GOST 1122 {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic, 1123 NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 1124 NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 1125 NID_undef, NID_undef, 1}, 1126 {NULL, TLSEXT_SIGALG_gostr34102012_512_intrinsic, 1127 NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 1128 NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 1129 NID_undef, NID_undef, 1}, 1130 {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1131 NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 1132 NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 1133 NID_undef, NID_undef, 1}, 1134 {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1135 NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 1136 NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 1137 NID_undef, NID_undef, 1}, 1138 {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411, 1139 NID_id_GostR3411_94, SSL_MD_GOST94_IDX, 1140 NID_id_GostR3410_2001, SSL_PKEY_GOST01, 1141 NID_undef, NID_undef, 1} 1142 #endif 1143 }; 1144 /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */ 1145 static const SIGALG_LOOKUP legacy_rsa_sigalg = { 1146 "rsa_pkcs1_md5_sha1", 0, 1147 NID_md5_sha1, SSL_MD_MD5_SHA1_IDX, 1148 EVP_PKEY_RSA, SSL_PKEY_RSA, 1149 NID_undef, NID_undef, 1 1150 }; 1151 1152 /* 1153 * Default signature algorithm values used if signature algorithms not present. 1154 * From RFC5246. Note: order must match certificate index order. 1155 */ 1156 static const uint16_t tls_default_sigalg[] = { 1157 TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ 1158 0, /* SSL_PKEY_RSA_PSS_SIGN */ 1159 TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ 1160 TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ 1161 TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ 1162 TLSEXT_SIGALG_gostr34102012_256_intrinsic, /* SSL_PKEY_GOST12_256 */ 1163 TLSEXT_SIGALG_gostr34102012_512_intrinsic, /* SSL_PKEY_GOST12_512 */ 1164 0, /* SSL_PKEY_ED25519 */ 1165 0, /* SSL_PKEY_ED448 */ 1166 }; 1167 1168 int ssl_setup_sig_algs(SSL_CTX *ctx) 1169 { 1170 size_t i; 1171 const SIGALG_LOOKUP *lu; 1172 SIGALG_LOOKUP *cache 1173 = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); 1174 EVP_PKEY *tmpkey = EVP_PKEY_new(); 1175 int ret = 0; 1176 1177 if (cache == NULL || tmpkey == NULL) 1178 goto err; 1179 1180 ERR_set_mark(); 1181 for (i = 0, lu = sigalg_lookup_tbl; 1182 i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { 1183 EVP_PKEY_CTX *pctx; 1184 1185 cache[i] = *lu; 1186 1187 /* 1188 * Check hash is available. 1189 * This test is not perfect. A provider could have support 1190 * for a signature scheme, but not a particular hash. However the hash 1191 * could be available from some other loaded provider. In that case it 1192 * could be that the signature is available, and the hash is available 1193 * independently - but not as a combination. We ignore this for now. 1194 */ 1195 if (lu->hash != NID_undef 1196 && ctx->ssl_digest_methods[lu->hash_idx] == NULL) { 1197 cache[i].enabled = 0; 1198 continue; 1199 } 1200 1201 if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { 1202 cache[i].enabled = 0; 1203 continue; 1204 } 1205 pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, tmpkey, ctx->propq); 1206 /* If unable to create pctx we assume the sig algorithm is unavailable */ 1207 if (pctx == NULL) 1208 cache[i].enabled = 0; 1209 EVP_PKEY_CTX_free(pctx); 1210 } 1211 ERR_pop_to_mark(); 1212 ctx->sigalg_lookup_cache = cache; 1213 cache = NULL; 1214 1215 ret = 1; 1216 err: 1217 OPENSSL_free(cache); 1218 EVP_PKEY_free(tmpkey); 1219 return ret; 1220 } 1221 1222 /* Lookup TLS signature algorithm */ 1223 static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL *s, uint16_t sigalg) 1224 { 1225 size_t i; 1226 const SIGALG_LOOKUP *lu; 1227 1228 for (i = 0, lu = s->ctx->sigalg_lookup_cache; 1229 /* cache should have the same number of elements as sigalg_lookup_tbl */ 1230 i < OSSL_NELEM(sigalg_lookup_tbl); 1231 lu++, i++) { 1232 if (lu->sigalg == sigalg) { 1233 if (!lu->enabled) 1234 return NULL; 1235 return lu; 1236 } 1237 } 1238 return NULL; 1239 } 1240 /* Lookup hash: return 0 if invalid or not enabled */ 1241 int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd) 1242 { 1243 const EVP_MD *md; 1244 if (lu == NULL) 1245 return 0; 1246 /* lu->hash == NID_undef means no associated digest */ 1247 if (lu->hash == NID_undef) { 1248 md = NULL; 1249 } else { 1250 md = ssl_md(ctx, lu->hash_idx); 1251 if (md == NULL) 1252 return 0; 1253 } 1254 if (pmd) 1255 *pmd = md; 1256 return 1; 1257 } 1258 1259 /* 1260 * Check if key is large enough to generate RSA-PSS signature. 1261 * 1262 * The key must greater than or equal to 2 * hash length + 2. 1263 * SHA512 has a hash length of 64 bytes, which is incompatible 1264 * with a 128 byte (1024 bit) key. 1265 */ 1266 #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2) 1267 static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey, 1268 const SIGALG_LOOKUP *lu) 1269 { 1270 const EVP_MD *md; 1271 1272 if (pkey == NULL) 1273 return 0; 1274 if (!tls1_lookup_md(ctx, lu, &md) || md == NULL) 1275 return 0; 1276 if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md)) 1277 return 0; 1278 return 1; 1279 } 1280 1281 /* 1282 * Returns a signature algorithm when the peer did not send a list of supported 1283 * signature algorithms. The signature algorithm is fixed for the certificate 1284 * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the 1285 * certificate type from |s| will be used. 1286 * Returns the signature algorithm to use, or NULL on error. 1287 */ 1288 static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) 1289 { 1290 if (idx == -1) { 1291 if (s->server) { 1292 size_t i; 1293 1294 /* Work out index corresponding to ciphersuite */ 1295 for (i = 0; i < SSL_PKEY_NUM; i++) { 1296 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i); 1297 1298 if (clu == NULL) 1299 continue; 1300 if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) { 1301 idx = i; 1302 break; 1303 } 1304 } 1305 1306 /* 1307 * Some GOST ciphersuites allow more than one signature algorithms 1308 * */ 1309 if (idx == SSL_PKEY_GOST01 && s->s3.tmp.new_cipher->algorithm_auth != SSL_aGOST01) { 1310 int real_idx; 1311 1312 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01; 1313 real_idx--) { 1314 if (s->cert->pkeys[real_idx].privatekey != NULL) { 1315 idx = real_idx; 1316 break; 1317 } 1318 } 1319 } 1320 /* 1321 * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used 1322 * with new (aGOST12-only) ciphersuites, we should find out which one is available really. 1323 */ 1324 else if (idx == SSL_PKEY_GOST12_256) { 1325 int real_idx; 1326 1327 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256; 1328 real_idx--) { 1329 if (s->cert->pkeys[real_idx].privatekey != NULL) { 1330 idx = real_idx; 1331 break; 1332 } 1333 } 1334 } 1335 } else { 1336 idx = s->cert->key - s->cert->pkeys; 1337 } 1338 } 1339 if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) 1340 return NULL; 1341 if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { 1342 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, tls_default_sigalg[idx]); 1343 1344 if (lu == NULL) 1345 return NULL; 1346 if (!tls1_lookup_md(s->ctx, lu, NULL)) 1347 return NULL; 1348 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 1349 return NULL; 1350 return lu; 1351 } 1352 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg)) 1353 return NULL; 1354 return &legacy_rsa_sigalg; 1355 } 1356 /* Set peer sigalg based key type */ 1357 int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey) 1358 { 1359 size_t idx; 1360 const SIGALG_LOOKUP *lu; 1361 1362 if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 1363 return 0; 1364 lu = tls1_get_legacy_sigalg(s, idx); 1365 if (lu == NULL) 1366 return 0; 1367 s->s3.tmp.peer_sigalg = lu; 1368 return 1; 1369 } 1370 1371 size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) 1372 { 1373 /* 1374 * If Suite B mode use Suite B sigalgs only, ignore any other 1375 * preferences. 1376 */ 1377 switch (tls1_suiteb(s)) { 1378 case SSL_CERT_FLAG_SUITEB_128_LOS: 1379 *psigs = suiteb_sigalgs; 1380 return OSSL_NELEM(suiteb_sigalgs); 1381 1382 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 1383 *psigs = suiteb_sigalgs; 1384 return 1; 1385 1386 case SSL_CERT_FLAG_SUITEB_192_LOS: 1387 *psigs = suiteb_sigalgs + 1; 1388 return 1; 1389 } 1390 /* 1391 * We use client_sigalgs (if not NULL) if we're a server 1392 * and sending a certificate request or if we're a client and 1393 * determining which shared algorithm to use. 1394 */ 1395 if ((s->server == sent) && s->cert->client_sigalgs != NULL) { 1396 *psigs = s->cert->client_sigalgs; 1397 return s->cert->client_sigalgslen; 1398 } else if (s->cert->conf_sigalgs) { 1399 *psigs = s->cert->conf_sigalgs; 1400 return s->cert->conf_sigalgslen; 1401 } else { 1402 *psigs = tls12_sigalgs; 1403 return OSSL_NELEM(tls12_sigalgs); 1404 } 1405 } 1406 1407 /* 1408 * Called by servers only. Checks that we have a sig alg that supports the 1409 * specified EC curve. 1410 */ 1411 int tls_check_sigalg_curve(const SSL *s, int curve) 1412 { 1413 const uint16_t *sigs; 1414 size_t siglen, i; 1415 1416 if (s->cert->conf_sigalgs) { 1417 sigs = s->cert->conf_sigalgs; 1418 siglen = s->cert->conf_sigalgslen; 1419 } else { 1420 sigs = tls12_sigalgs; 1421 siglen = OSSL_NELEM(tls12_sigalgs); 1422 } 1423 1424 for (i = 0; i < siglen; i++) { 1425 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, sigs[i]); 1426 1427 if (lu == NULL) 1428 continue; 1429 if (lu->sig == EVP_PKEY_EC 1430 && lu->curve != NID_undef 1431 && curve == lu->curve) 1432 return 1; 1433 } 1434 1435 return 0; 1436 } 1437 1438 /* 1439 * Return the number of security bits for the signature algorithm, or 0 on 1440 * error. 1441 */ 1442 static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu) 1443 { 1444 const EVP_MD *md = NULL; 1445 int secbits = 0; 1446 1447 if (!tls1_lookup_md(ctx, lu, &md)) 1448 return 0; 1449 if (md != NULL) 1450 { 1451 int md_type = EVP_MD_get_type(md); 1452 1453 /* Security bits: half digest bits */ 1454 secbits = EVP_MD_get_size(md) * 4; 1455 /* 1456 * SHA1 and MD5 are known to be broken. Reduce security bits so that 1457 * they're no longer accepted at security level 1. The real values don't 1458 * really matter as long as they're lower than 80, which is our 1459 * security level 1. 1460 * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for 1461 * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2 1462 * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf 1463 * puts a chosen-prefix attack for MD5 at 2^39. 1464 */ 1465 if (md_type == NID_sha1) 1466 secbits = 64; 1467 else if (md_type == NID_md5_sha1) 1468 secbits = 67; 1469 else if (md_type == NID_md5) 1470 secbits = 39; 1471 } else { 1472 /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ 1473 if (lu->sigalg == TLSEXT_SIGALG_ed25519) 1474 secbits = 128; 1475 else if (lu->sigalg == TLSEXT_SIGALG_ed448) 1476 secbits = 224; 1477 } 1478 return secbits; 1479 } 1480 1481 /* 1482 * Check signature algorithm is consistent with sent supported signature 1483 * algorithms and if so set relevant digest and signature scheme in 1484 * s. 1485 */ 1486 int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) 1487 { 1488 const uint16_t *sent_sigs; 1489 const EVP_MD *md = NULL; 1490 char sigalgstr[2]; 1491 size_t sent_sigslen, i, cidx; 1492 int pkeyid = -1; 1493 const SIGALG_LOOKUP *lu; 1494 int secbits = 0; 1495 1496 pkeyid = EVP_PKEY_get_id(pkey); 1497 /* Should never happen */ 1498 if (pkeyid == -1) 1499 return -1; 1500 if (SSL_IS_TLS13(s)) { 1501 /* Disallow DSA for TLS 1.3 */ 1502 if (pkeyid == EVP_PKEY_DSA) { 1503 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1504 return 0; 1505 } 1506 /* Only allow PSS for TLS 1.3 */ 1507 if (pkeyid == EVP_PKEY_RSA) 1508 pkeyid = EVP_PKEY_RSA_PSS; 1509 } 1510 lu = tls1_lookup_sigalg(s, sig); 1511 /* 1512 * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type 1513 * is consistent with signature: RSA keys can be used for RSA-PSS 1514 */ 1515 if (lu == NULL 1516 || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) 1517 || (pkeyid != lu->sig 1518 && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { 1519 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1520 return 0; 1521 } 1522 /* Check the sigalg is consistent with the key OID */ 1523 if (!ssl_cert_lookup_by_nid(EVP_PKEY_get_id(pkey), &cidx) 1524 || lu->sig_idx != (int)cidx) { 1525 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1526 return 0; 1527 } 1528 1529 if (pkeyid == EVP_PKEY_EC) { 1530 1531 /* Check point compression is permitted */ 1532 if (!tls1_check_pkey_comp(s, pkey)) { 1533 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1534 SSL_R_ILLEGAL_POINT_COMPRESSION); 1535 return 0; 1536 } 1537 1538 /* For TLS 1.3 or Suite B check curve matches signature algorithm */ 1539 if (SSL_IS_TLS13(s) || tls1_suiteb(s)) { 1540 int curve = ssl_get_EC_curve_nid(pkey); 1541 1542 if (lu->curve != NID_undef && curve != lu->curve) { 1543 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 1544 return 0; 1545 } 1546 } 1547 if (!SSL_IS_TLS13(s)) { 1548 /* Check curve matches extensions */ 1549 if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { 1550 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 1551 return 0; 1552 } 1553 if (tls1_suiteb(s)) { 1554 /* Check sigalg matches a permissible Suite B value */ 1555 if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 1556 && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { 1557 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1558 SSL_R_WRONG_SIGNATURE_TYPE); 1559 return 0; 1560 } 1561 } 1562 } 1563 } else if (tls1_suiteb(s)) { 1564 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1565 return 0; 1566 } 1567 1568 /* Check signature matches a type we sent */ 1569 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1570 for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 1571 if (sig == *sent_sigs) 1572 break; 1573 } 1574 /* Allow fallback to SHA1 if not strict mode */ 1575 if (i == sent_sigslen && (lu->hash != NID_sha1 1576 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 1577 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1578 return 0; 1579 } 1580 if (!tls1_lookup_md(s->ctx, lu, &md)) { 1581 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); 1582 return 0; 1583 } 1584 /* 1585 * Make sure security callback allows algorithm. For historical 1586 * reasons we have to pass the sigalg as a two byte char array. 1587 */ 1588 sigalgstr[0] = (sig >> 8) & 0xff; 1589 sigalgstr[1] = sig & 0xff; 1590 secbits = sigalg_security_bits(s->ctx, lu); 1591 if (secbits == 0 || 1592 !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, 1593 md != NULL ? EVP_MD_get_type(md) : NID_undef, 1594 (void *)sigalgstr)) { 1595 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1596 return 0; 1597 } 1598 /* Store the sigalg the peer uses */ 1599 s->s3.tmp.peer_sigalg = lu; 1600 return 1; 1601 } 1602 1603 int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) 1604 { 1605 if (s->s3.tmp.peer_sigalg == NULL) 1606 return 0; 1607 *pnid = s->s3.tmp.peer_sigalg->sig; 1608 return 1; 1609 } 1610 1611 int SSL_get_signature_type_nid(const SSL *s, int *pnid) 1612 { 1613 if (s->s3.tmp.sigalg == NULL) 1614 return 0; 1615 *pnid = s->s3.tmp.sigalg->sig; 1616 return 1; 1617 } 1618 1619 /* 1620 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't 1621 * supported, doesn't appear in supported signature algorithms, isn't supported 1622 * by the enabled protocol versions or by the security level. 1623 * 1624 * This function should only be used for checking which ciphers are supported 1625 * by the client. 1626 * 1627 * Call ssl_cipher_disabled() to check that it's enabled or not. 1628 */ 1629 int ssl_set_client_disabled(SSL *s) 1630 { 1631 s->s3.tmp.mask_a = 0; 1632 s->s3.tmp.mask_k = 0; 1633 ssl_set_sig_mask(&s->s3.tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); 1634 if (ssl_get_min_max_version(s, &s->s3.tmp.min_ver, 1635 &s->s3.tmp.max_ver, NULL) != 0) 1636 return 0; 1637 #ifndef OPENSSL_NO_PSK 1638 /* with PSK there must be client callback set */ 1639 if (!s->psk_client_callback) { 1640 s->s3.tmp.mask_a |= SSL_aPSK; 1641 s->s3.tmp.mask_k |= SSL_PSK; 1642 } 1643 #endif /* OPENSSL_NO_PSK */ 1644 #ifndef OPENSSL_NO_SRP 1645 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) { 1646 s->s3.tmp.mask_a |= SSL_aSRP; 1647 s->s3.tmp.mask_k |= SSL_kSRP; 1648 } 1649 #endif 1650 return 1; 1651 } 1652 1653 /* 1654 * ssl_cipher_disabled - check that a cipher is disabled or not 1655 * @s: SSL connection that you want to use the cipher on 1656 * @c: cipher to check 1657 * @op: Security check that you want to do 1658 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3 1659 * 1660 * Returns 1 when it's disabled, 0 when enabled. 1661 */ 1662 int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe) 1663 { 1664 if (c->algorithm_mkey & s->s3.tmp.mask_k 1665 || c->algorithm_auth & s->s3.tmp.mask_a) 1666 return 1; 1667 if (s->s3.tmp.max_ver == 0) 1668 return 1; 1669 if (!SSL_IS_DTLS(s)) { 1670 int min_tls = c->min_tls; 1671 1672 /* 1673 * For historical reasons we will allow ECHDE to be selected by a server 1674 * in SSLv3 if we are a client 1675 */ 1676 if (min_tls == TLS1_VERSION && ecdhe 1677 && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0) 1678 min_tls = SSL3_VERSION; 1679 1680 if ((min_tls > s->s3.tmp.max_ver) || (c->max_tls < s->s3.tmp.min_ver)) 1681 return 1; 1682 } 1683 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3.tmp.max_ver) 1684 || DTLS_VERSION_LT(c->max_dtls, s->s3.tmp.min_ver))) 1685 return 1; 1686 1687 return !ssl_security(s, op, c->strength_bits, 0, (void *)c); 1688 } 1689 1690 int tls_use_ticket(SSL *s) 1691 { 1692 if ((s->options & SSL_OP_NO_TICKET)) 1693 return 0; 1694 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); 1695 } 1696 1697 int tls1_set_server_sigalgs(SSL *s) 1698 { 1699 size_t i; 1700 1701 /* Clear any shared signature algorithms */ 1702 OPENSSL_free(s->shared_sigalgs); 1703 s->shared_sigalgs = NULL; 1704 s->shared_sigalgslen = 0; 1705 /* Clear certificate validity flags */ 1706 for (i = 0; i < SSL_PKEY_NUM; i++) 1707 s->s3.tmp.valid_flags[i] = 0; 1708 /* 1709 * If peer sent no signature algorithms check to see if we support 1710 * the default algorithm for each certificate type 1711 */ 1712 if (s->s3.tmp.peer_cert_sigalgs == NULL 1713 && s->s3.tmp.peer_sigalgs == NULL) { 1714 const uint16_t *sent_sigs; 1715 size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1716 1717 for (i = 0; i < SSL_PKEY_NUM; i++) { 1718 const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i); 1719 size_t j; 1720 1721 if (lu == NULL) 1722 continue; 1723 /* Check default matches a type we sent */ 1724 for (j = 0; j < sent_sigslen; j++) { 1725 if (lu->sigalg == sent_sigs[j]) { 1726 s->s3.tmp.valid_flags[i] = CERT_PKEY_SIGN; 1727 break; 1728 } 1729 } 1730 } 1731 return 1; 1732 } 1733 1734 if (!tls1_process_sigalgs(s)) { 1735 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1736 return 0; 1737 } 1738 if (s->shared_sigalgs != NULL) 1739 return 1; 1740 1741 /* Fatal error if no shared signature algorithms */ 1742 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1743 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); 1744 return 0; 1745 } 1746 1747 /*- 1748 * Gets the ticket information supplied by the client if any. 1749 * 1750 * hello: The parsed ClientHello data 1751 * ret: (output) on return, if a ticket was decrypted, then this is set to 1752 * point to the resulting session. 1753 */ 1754 SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello, 1755 SSL_SESSION **ret) 1756 { 1757 size_t size; 1758 RAW_EXTENSION *ticketext; 1759 1760 *ret = NULL; 1761 s->ext.ticket_expected = 0; 1762 1763 /* 1764 * If tickets disabled or not supported by the protocol version 1765 * (e.g. TLSv1.3) behave as if no ticket present to permit stateful 1766 * resumption. 1767 */ 1768 if (s->version <= SSL3_VERSION || !tls_use_ticket(s)) 1769 return SSL_TICKET_NONE; 1770 1771 ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket]; 1772 if (!ticketext->present) 1773 return SSL_TICKET_NONE; 1774 1775 size = PACKET_remaining(&ticketext->data); 1776 1777 return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size, 1778 hello->session_id, hello->session_id_len, ret); 1779 } 1780 1781 /*- 1782 * tls_decrypt_ticket attempts to decrypt a session ticket. 1783 * 1784 * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are 1785 * expecting a pre-shared key ciphersuite, in which case we have no use for 1786 * session tickets and one will never be decrypted, nor will 1787 * s->ext.ticket_expected be set to 1. 1788 * 1789 * Side effects: 1790 * Sets s->ext.ticket_expected to 1 if the server will have to issue 1791 * a new session ticket to the client because the client indicated support 1792 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 1793 * a session ticket or we couldn't use the one it gave us, or if 1794 * s->ctx->ext.ticket_key_cb asked to renew the client's ticket. 1795 * Otherwise, s->ext.ticket_expected is set to 0. 1796 * 1797 * etick: points to the body of the session ticket extension. 1798 * eticklen: the length of the session tickets extension. 1799 * sess_id: points at the session ID. 1800 * sesslen: the length of the session ID. 1801 * psess: (output) on return, if a ticket was decrypted, then this is set to 1802 * point to the resulting session. 1803 */ 1804 SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, 1805 size_t eticklen, const unsigned char *sess_id, 1806 size_t sesslen, SSL_SESSION **psess) 1807 { 1808 SSL_SESSION *sess = NULL; 1809 unsigned char *sdec; 1810 const unsigned char *p; 1811 int slen, ivlen, renew_ticket = 0, declen; 1812 SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER; 1813 size_t mlen; 1814 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 1815 SSL_HMAC *hctx = NULL; 1816 EVP_CIPHER_CTX *ctx = NULL; 1817 SSL_CTX *tctx = s->session_ctx; 1818 1819 if (eticklen == 0) { 1820 /* 1821 * The client will accept a ticket but doesn't currently have 1822 * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3 1823 */ 1824 ret = SSL_TICKET_EMPTY; 1825 goto end; 1826 } 1827 if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) { 1828 /* 1829 * Indicate that the ticket couldn't be decrypted rather than 1830 * generating the session from ticket now, trigger 1831 * abbreviated handshake based on external mechanism to 1832 * calculate the master secret later. 1833 */ 1834 ret = SSL_TICKET_NO_DECRYPT; 1835 goto end; 1836 } 1837 1838 /* Need at least keyname + iv */ 1839 if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) { 1840 ret = SSL_TICKET_NO_DECRYPT; 1841 goto end; 1842 } 1843 1844 /* Initialize session ticket encryption and HMAC contexts */ 1845 hctx = ssl_hmac_new(tctx); 1846 if (hctx == NULL) { 1847 ret = SSL_TICKET_FATAL_ERR_MALLOC; 1848 goto end; 1849 } 1850 ctx = EVP_CIPHER_CTX_new(); 1851 if (ctx == NULL) { 1852 ret = SSL_TICKET_FATAL_ERR_MALLOC; 1853 goto end; 1854 } 1855 #ifndef OPENSSL_NO_DEPRECATED_3_0 1856 if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL) 1857 #else 1858 if (tctx->ext.ticket_key_evp_cb != NULL) 1859 #endif 1860 { 1861 unsigned char *nctick = (unsigned char *)etick; 1862 int rv = 0; 1863 1864 if (tctx->ext.ticket_key_evp_cb != NULL) 1865 rv = tctx->ext.ticket_key_evp_cb(s, nctick, 1866 nctick + TLSEXT_KEYNAME_LENGTH, 1867 ctx, 1868 ssl_hmac_get0_EVP_MAC_CTX(hctx), 1869 0); 1870 #ifndef OPENSSL_NO_DEPRECATED_3_0 1871 else if (tctx->ext.ticket_key_cb != NULL) 1872 /* if 0 is returned, write an empty ticket */ 1873 rv = tctx->ext.ticket_key_cb(s, nctick, 1874 nctick + TLSEXT_KEYNAME_LENGTH, 1875 ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0); 1876 #endif 1877 if (rv < 0) { 1878 ret = SSL_TICKET_FATAL_ERR_OTHER; 1879 goto end; 1880 } 1881 if (rv == 0) { 1882 ret = SSL_TICKET_NO_DECRYPT; 1883 goto end; 1884 } 1885 if (rv == 2) 1886 renew_ticket = 1; 1887 } else { 1888 EVP_CIPHER *aes256cbc = NULL; 1889 1890 /* Check key name matches */ 1891 if (memcmp(etick, tctx->ext.tick_key_name, 1892 TLSEXT_KEYNAME_LENGTH) != 0) { 1893 ret = SSL_TICKET_NO_DECRYPT; 1894 goto end; 1895 } 1896 1897 aes256cbc = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC", 1898 s->ctx->propq); 1899 if (aes256cbc == NULL 1900 || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, 1901 sizeof(tctx->ext.secure->tick_hmac_key), 1902 "SHA256") <= 0 1903 || EVP_DecryptInit_ex(ctx, aes256cbc, NULL, 1904 tctx->ext.secure->tick_aes_key, 1905 etick + TLSEXT_KEYNAME_LENGTH) <= 0) { 1906 EVP_CIPHER_free(aes256cbc); 1907 ret = SSL_TICKET_FATAL_ERR_OTHER; 1908 goto end; 1909 } 1910 EVP_CIPHER_free(aes256cbc); 1911 if (SSL_IS_TLS13(s)) 1912 renew_ticket = 1; 1913 } 1914 /* 1915 * Attempt to process session ticket, first conduct sanity and integrity 1916 * checks on ticket. 1917 */ 1918 mlen = ssl_hmac_size(hctx); 1919 if (mlen == 0) { 1920 ret = SSL_TICKET_FATAL_ERR_OTHER; 1921 goto end; 1922 } 1923 1924 ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); 1925 if (ivlen < 0) { 1926 ret = SSL_TICKET_FATAL_ERR_OTHER; 1927 goto end; 1928 } 1929 1930 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 1931 if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) { 1932 ret = SSL_TICKET_NO_DECRYPT; 1933 goto end; 1934 } 1935 eticklen -= mlen; 1936 /* Check HMAC of encrypted ticket */ 1937 if (ssl_hmac_update(hctx, etick, eticklen) <= 0 1938 || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) { 1939 ret = SSL_TICKET_FATAL_ERR_OTHER; 1940 goto end; 1941 } 1942 1943 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 1944 ret = SSL_TICKET_NO_DECRYPT; 1945 goto end; 1946 } 1947 /* Attempt to decrypt session data */ 1948 /* Move p after IV to start of encrypted ticket, update length */ 1949 p = etick + TLSEXT_KEYNAME_LENGTH + ivlen; 1950 eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen; 1951 sdec = OPENSSL_malloc(eticklen); 1952 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, 1953 (int)eticklen) <= 0) { 1954 OPENSSL_free(sdec); 1955 ret = SSL_TICKET_FATAL_ERR_OTHER; 1956 goto end; 1957 } 1958 if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) { 1959 OPENSSL_free(sdec); 1960 ret = SSL_TICKET_NO_DECRYPT; 1961 goto end; 1962 } 1963 slen += declen; 1964 p = sdec; 1965 1966 sess = d2i_SSL_SESSION(NULL, &p, slen); 1967 slen -= p - sdec; 1968 OPENSSL_free(sdec); 1969 if (sess) { 1970 /* Some additional consistency checks */ 1971 if (slen != 0) { 1972 SSL_SESSION_free(sess); 1973 sess = NULL; 1974 ret = SSL_TICKET_NO_DECRYPT; 1975 goto end; 1976 } 1977 /* 1978 * The session ID, if non-empty, is used by some clients to detect 1979 * that the ticket has been accepted. So we copy it to the session 1980 * structure. If it is empty set length to zero as required by 1981 * standard. 1982 */ 1983 if (sesslen) { 1984 memcpy(sess->session_id, sess_id, sesslen); 1985 sess->session_id_length = sesslen; 1986 } 1987 if (renew_ticket) 1988 ret = SSL_TICKET_SUCCESS_RENEW; 1989 else 1990 ret = SSL_TICKET_SUCCESS; 1991 goto end; 1992 } 1993 ERR_clear_error(); 1994 /* 1995 * For session parse failure, indicate that we need to send a new ticket. 1996 */ 1997 ret = SSL_TICKET_NO_DECRYPT; 1998 1999 end: 2000 EVP_CIPHER_CTX_free(ctx); 2001 ssl_hmac_free(hctx); 2002 2003 /* 2004 * If set, the decrypt_ticket_cb() is called unless a fatal error was 2005 * detected above. The callback is responsible for checking |ret| before it 2006 * performs any action 2007 */ 2008 if (s->session_ctx->decrypt_ticket_cb != NULL 2009 && (ret == SSL_TICKET_EMPTY 2010 || ret == SSL_TICKET_NO_DECRYPT 2011 || ret == SSL_TICKET_SUCCESS 2012 || ret == SSL_TICKET_SUCCESS_RENEW)) { 2013 size_t keyname_len = eticklen; 2014 int retcb; 2015 2016 if (keyname_len > TLSEXT_KEYNAME_LENGTH) 2017 keyname_len = TLSEXT_KEYNAME_LENGTH; 2018 retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len, 2019 ret, 2020 s->session_ctx->ticket_cb_data); 2021 switch (retcb) { 2022 case SSL_TICKET_RETURN_ABORT: 2023 ret = SSL_TICKET_FATAL_ERR_OTHER; 2024 break; 2025 2026 case SSL_TICKET_RETURN_IGNORE: 2027 ret = SSL_TICKET_NONE; 2028 SSL_SESSION_free(sess); 2029 sess = NULL; 2030 break; 2031 2032 case SSL_TICKET_RETURN_IGNORE_RENEW: 2033 if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT) 2034 ret = SSL_TICKET_NO_DECRYPT; 2035 /* else the value of |ret| will already do the right thing */ 2036 SSL_SESSION_free(sess); 2037 sess = NULL; 2038 break; 2039 2040 case SSL_TICKET_RETURN_USE: 2041 case SSL_TICKET_RETURN_USE_RENEW: 2042 if (ret != SSL_TICKET_SUCCESS 2043 && ret != SSL_TICKET_SUCCESS_RENEW) 2044 ret = SSL_TICKET_FATAL_ERR_OTHER; 2045 else if (retcb == SSL_TICKET_RETURN_USE) 2046 ret = SSL_TICKET_SUCCESS; 2047 else 2048 ret = SSL_TICKET_SUCCESS_RENEW; 2049 break; 2050 2051 default: 2052 ret = SSL_TICKET_FATAL_ERR_OTHER; 2053 } 2054 } 2055 2056 if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) { 2057 switch (ret) { 2058 case SSL_TICKET_NO_DECRYPT: 2059 case SSL_TICKET_SUCCESS_RENEW: 2060 case SSL_TICKET_EMPTY: 2061 s->ext.ticket_expected = 1; 2062 } 2063 } 2064 2065 *psess = sess; 2066 2067 return ret; 2068 } 2069 2070 /* Check to see if a signature algorithm is allowed */ 2071 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) 2072 { 2073 unsigned char sigalgstr[2]; 2074 int secbits; 2075 2076 if (lu == NULL || !lu->enabled) 2077 return 0; 2078 /* DSA is not allowed in TLS 1.3 */ 2079 if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) 2080 return 0; 2081 /* 2082 * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3 2083 * spec 2084 */ 2085 if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION 2086 && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX 2087 || lu->hash_idx == SSL_MD_MD5_IDX 2088 || lu->hash_idx == SSL_MD_SHA224_IDX)) 2089 return 0; 2090 2091 /* See if public key algorithm allowed */ 2092 if (ssl_cert_is_disabled(s->ctx, lu->sig_idx)) 2093 return 0; 2094 2095 if (lu->sig == NID_id_GostR3410_2012_256 2096 || lu->sig == NID_id_GostR3410_2012_512 2097 || lu->sig == NID_id_GostR3410_2001) { 2098 /* We never allow GOST sig algs on the server with TLSv1.3 */ 2099 if (s->server && SSL_IS_TLS13(s)) 2100 return 0; 2101 if (!s->server 2102 && s->method->version == TLS_ANY_VERSION 2103 && s->s3.tmp.max_ver >= TLS1_3_VERSION) { 2104 int i, num; 2105 STACK_OF(SSL_CIPHER) *sk; 2106 2107 /* 2108 * We're a client that could negotiate TLSv1.3. We only allow GOST 2109 * sig algs if we could negotiate TLSv1.2 or below and we have GOST 2110 * ciphersuites enabled. 2111 */ 2112 2113 if (s->s3.tmp.min_ver >= TLS1_3_VERSION) 2114 return 0; 2115 2116 sk = SSL_get_ciphers(s); 2117 num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0; 2118 for (i = 0; i < num; i++) { 2119 const SSL_CIPHER *c; 2120 2121 c = sk_SSL_CIPHER_value(sk, i); 2122 /* Skip disabled ciphers */ 2123 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 2124 continue; 2125 2126 if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0) 2127 break; 2128 } 2129 if (i == num) 2130 return 0; 2131 } 2132 } 2133 2134 /* Finally see if security callback allows it */ 2135 secbits = sigalg_security_bits(s->ctx, lu); 2136 sigalgstr[0] = (lu->sigalg >> 8) & 0xff; 2137 sigalgstr[1] = lu->sigalg & 0xff; 2138 return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr); 2139 } 2140 2141 /* 2142 * Get a mask of disabled public key algorithms based on supported signature 2143 * algorithms. For example if no signature algorithm supports RSA then RSA is 2144 * disabled. 2145 */ 2146 2147 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) 2148 { 2149 const uint16_t *sigalgs; 2150 size_t i, sigalgslen; 2151 uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA; 2152 /* 2153 * Go through all signature algorithms seeing if we support any 2154 * in disabled_mask. 2155 */ 2156 sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs); 2157 for (i = 0; i < sigalgslen; i++, sigalgs++) { 2158 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *sigalgs); 2159 const SSL_CERT_LOOKUP *clu; 2160 2161 if (lu == NULL) 2162 continue; 2163 2164 clu = ssl_cert_lookup_by_idx(lu->sig_idx); 2165 if (clu == NULL) 2166 continue; 2167 2168 /* If algorithm is disabled see if we can enable it */ 2169 if ((clu->amask & disabled_mask) != 0 2170 && tls12_sigalg_allowed(s, op, lu)) 2171 disabled_mask &= ~clu->amask; 2172 } 2173 *pmask_a |= disabled_mask; 2174 } 2175 2176 int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, 2177 const uint16_t *psig, size_t psiglen) 2178 { 2179 size_t i; 2180 int rv = 0; 2181 2182 for (i = 0; i < psiglen; i++, psig++) { 2183 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *psig); 2184 2185 if (lu == NULL 2186 || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 2187 continue; 2188 if (!WPACKET_put_bytes_u16(pkt, *psig)) 2189 return 0; 2190 /* 2191 * If TLS 1.3 must have at least one valid TLS 1.3 message 2192 * signing algorithm: i.e. neither RSA nor SHA1/SHA224 2193 */ 2194 if (rv == 0 && (!SSL_IS_TLS13(s) 2195 || (lu->sig != EVP_PKEY_RSA 2196 && lu->hash != NID_sha1 2197 && lu->hash != NID_sha224))) 2198 rv = 1; 2199 } 2200 if (rv == 0) 2201 ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 2202 return rv; 2203 } 2204 2205 /* Given preference and allowed sigalgs set shared sigalgs */ 2206 static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig, 2207 const uint16_t *pref, size_t preflen, 2208 const uint16_t *allow, size_t allowlen) 2209 { 2210 const uint16_t *ptmp, *atmp; 2211 size_t i, j, nmatch = 0; 2212 for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { 2213 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *ptmp); 2214 2215 /* Skip disabled hashes or signature algorithms */ 2216 if (lu == NULL 2217 || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) 2218 continue; 2219 for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { 2220 if (*ptmp == *atmp) { 2221 nmatch++; 2222 if (shsig) 2223 *shsig++ = lu; 2224 break; 2225 } 2226 } 2227 } 2228 return nmatch; 2229 } 2230 2231 /* Set shared signature algorithms for SSL structures */ 2232 static int tls1_set_shared_sigalgs(SSL *s) 2233 { 2234 const uint16_t *pref, *allow, *conf; 2235 size_t preflen, allowlen, conflen; 2236 size_t nmatch; 2237 const SIGALG_LOOKUP **salgs = NULL; 2238 CERT *c = s->cert; 2239 unsigned int is_suiteb = tls1_suiteb(s); 2240 2241 OPENSSL_free(s->shared_sigalgs); 2242 s->shared_sigalgs = NULL; 2243 s->shared_sigalgslen = 0; 2244 /* If client use client signature algorithms if not NULL */ 2245 if (!s->server && c->client_sigalgs && !is_suiteb) { 2246 conf = c->client_sigalgs; 2247 conflen = c->client_sigalgslen; 2248 } else if (c->conf_sigalgs && !is_suiteb) { 2249 conf = c->conf_sigalgs; 2250 conflen = c->conf_sigalgslen; 2251 } else 2252 conflen = tls12_get_psigalgs(s, 0, &conf); 2253 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { 2254 pref = conf; 2255 preflen = conflen; 2256 allow = s->s3.tmp.peer_sigalgs; 2257 allowlen = s->s3.tmp.peer_sigalgslen; 2258 } else { 2259 allow = conf; 2260 allowlen = conflen; 2261 pref = s->s3.tmp.peer_sigalgs; 2262 preflen = s->s3.tmp.peer_sigalgslen; 2263 } 2264 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); 2265 if (nmatch) { 2266 if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) { 2267 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2268 return 0; 2269 } 2270 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); 2271 } else { 2272 salgs = NULL; 2273 } 2274 s->shared_sigalgs = salgs; 2275 s->shared_sigalgslen = nmatch; 2276 return 1; 2277 } 2278 2279 int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) 2280 { 2281 unsigned int stmp; 2282 size_t size, i; 2283 uint16_t *buf; 2284 2285 size = PACKET_remaining(pkt); 2286 2287 /* Invalid data length */ 2288 if (size == 0 || (size & 1) != 0) 2289 return 0; 2290 2291 size >>= 1; 2292 2293 if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) { 2294 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2295 return 0; 2296 } 2297 for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) 2298 buf[i] = stmp; 2299 2300 if (i != size) { 2301 OPENSSL_free(buf); 2302 return 0; 2303 } 2304 2305 OPENSSL_free(*pdest); 2306 *pdest = buf; 2307 *pdestlen = size; 2308 2309 return 1; 2310 } 2311 2312 int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert) 2313 { 2314 /* Extension ignored for inappropriate versions */ 2315 if (!SSL_USE_SIGALGS(s)) 2316 return 1; 2317 /* Should never happen */ 2318 if (s->cert == NULL) 2319 return 0; 2320 2321 if (cert) 2322 return tls1_save_u16(pkt, &s->s3.tmp.peer_cert_sigalgs, 2323 &s->s3.tmp.peer_cert_sigalgslen); 2324 else 2325 return tls1_save_u16(pkt, &s->s3.tmp.peer_sigalgs, 2326 &s->s3.tmp.peer_sigalgslen); 2327 2328 } 2329 2330 /* Set preferred digest for each key type */ 2331 2332 int tls1_process_sigalgs(SSL *s) 2333 { 2334 size_t i; 2335 uint32_t *pvalid = s->s3.tmp.valid_flags; 2336 2337 if (!tls1_set_shared_sigalgs(s)) 2338 return 0; 2339 2340 for (i = 0; i < SSL_PKEY_NUM; i++) 2341 pvalid[i] = 0; 2342 2343 for (i = 0; i < s->shared_sigalgslen; i++) { 2344 const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i]; 2345 int idx = sigptr->sig_idx; 2346 2347 /* Ignore PKCS1 based sig algs in TLSv1.3 */ 2348 if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) 2349 continue; 2350 /* If not disabled indicate we can explicitly sign */ 2351 if (pvalid[idx] == 0 && !ssl_cert_is_disabled(s->ctx, idx)) 2352 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 2353 } 2354 return 1; 2355 } 2356 2357 int SSL_get_sigalgs(SSL *s, int idx, 2358 int *psign, int *phash, int *psignhash, 2359 unsigned char *rsig, unsigned char *rhash) 2360 { 2361 uint16_t *psig = s->s3.tmp.peer_sigalgs; 2362 size_t numsigalgs = s->s3.tmp.peer_sigalgslen; 2363 if (psig == NULL || numsigalgs > INT_MAX) 2364 return 0; 2365 if (idx >= 0) { 2366 const SIGALG_LOOKUP *lu; 2367 2368 if (idx >= (int)numsigalgs) 2369 return 0; 2370 psig += idx; 2371 if (rhash != NULL) 2372 *rhash = (unsigned char)((*psig >> 8) & 0xff); 2373 if (rsig != NULL) 2374 *rsig = (unsigned char)(*psig & 0xff); 2375 lu = tls1_lookup_sigalg(s, *psig); 2376 if (psign != NULL) 2377 *psign = lu != NULL ? lu->sig : NID_undef; 2378 if (phash != NULL) 2379 *phash = lu != NULL ? lu->hash : NID_undef; 2380 if (psignhash != NULL) 2381 *psignhash = lu != NULL ? lu->sigandhash : NID_undef; 2382 } 2383 return (int)numsigalgs; 2384 } 2385 2386 int SSL_get_shared_sigalgs(SSL *s, int idx, 2387 int *psign, int *phash, int *psignhash, 2388 unsigned char *rsig, unsigned char *rhash) 2389 { 2390 const SIGALG_LOOKUP *shsigalgs; 2391 if (s->shared_sigalgs == NULL 2392 || idx < 0 2393 || idx >= (int)s->shared_sigalgslen 2394 || s->shared_sigalgslen > INT_MAX) 2395 return 0; 2396 shsigalgs = s->shared_sigalgs[idx]; 2397 if (phash != NULL) 2398 *phash = shsigalgs->hash; 2399 if (psign != NULL) 2400 *psign = shsigalgs->sig; 2401 if (psignhash != NULL) 2402 *psignhash = shsigalgs->sigandhash; 2403 if (rsig != NULL) 2404 *rsig = (unsigned char)(shsigalgs->sigalg & 0xff); 2405 if (rhash != NULL) 2406 *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff); 2407 return (int)s->shared_sigalgslen; 2408 } 2409 2410 /* Maximum possible number of unique entries in sigalgs array */ 2411 #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2) 2412 2413 typedef struct { 2414 size_t sigalgcnt; 2415 /* TLSEXT_SIGALG_XXX values */ 2416 uint16_t sigalgs[TLS_MAX_SIGALGCNT]; 2417 } sig_cb_st; 2418 2419 static void get_sigorhash(int *psig, int *phash, const char *str) 2420 { 2421 if (strcmp(str, "RSA") == 0) { 2422 *psig = EVP_PKEY_RSA; 2423 } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) { 2424 *psig = EVP_PKEY_RSA_PSS; 2425 } else if (strcmp(str, "DSA") == 0) { 2426 *psig = EVP_PKEY_DSA; 2427 } else if (strcmp(str, "ECDSA") == 0) { 2428 *psig = EVP_PKEY_EC; 2429 } else { 2430 *phash = OBJ_sn2nid(str); 2431 if (*phash == NID_undef) 2432 *phash = OBJ_ln2nid(str); 2433 } 2434 } 2435 /* Maximum length of a signature algorithm string component */ 2436 #define TLS_MAX_SIGSTRING_LEN 40 2437 2438 static int sig_cb(const char *elem, int len, void *arg) 2439 { 2440 sig_cb_st *sarg = arg; 2441 size_t i; 2442 const SIGALG_LOOKUP *s; 2443 char etmp[TLS_MAX_SIGSTRING_LEN], *p; 2444 int sig_alg = NID_undef, hash_alg = NID_undef; 2445 if (elem == NULL) 2446 return 0; 2447 if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) 2448 return 0; 2449 if (len > (int)(sizeof(etmp) - 1)) 2450 return 0; 2451 memcpy(etmp, elem, len); 2452 etmp[len] = 0; 2453 p = strchr(etmp, '+'); 2454 /* 2455 * We only allow SignatureSchemes listed in the sigalg_lookup_tbl; 2456 * if there's no '+' in the provided name, look for the new-style combined 2457 * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP. 2458 * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and 2459 * rsa_pss_rsae_* that differ only by public key OID; in such cases 2460 * we will pick the _rsae_ variant, by virtue of them appearing earlier 2461 * in the table. 2462 */ 2463 if (p == NULL) { 2464 for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2465 i++, s++) { 2466 if (s->name != NULL && strcmp(etmp, s->name) == 0) { 2467 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2468 break; 2469 } 2470 } 2471 if (i == OSSL_NELEM(sigalg_lookup_tbl)) 2472 return 0; 2473 } else { 2474 *p = 0; 2475 p++; 2476 if (*p == 0) 2477 return 0; 2478 get_sigorhash(&sig_alg, &hash_alg, etmp); 2479 get_sigorhash(&sig_alg, &hash_alg, p); 2480 if (sig_alg == NID_undef || hash_alg == NID_undef) 2481 return 0; 2482 for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2483 i++, s++) { 2484 if (s->hash == hash_alg && s->sig == sig_alg) { 2485 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2486 break; 2487 } 2488 } 2489 if (i == OSSL_NELEM(sigalg_lookup_tbl)) 2490 return 0; 2491 } 2492 2493 /* Reject duplicates */ 2494 for (i = 0; i < sarg->sigalgcnt - 1; i++) { 2495 if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { 2496 sarg->sigalgcnt--; 2497 return 0; 2498 } 2499 } 2500 return 1; 2501 } 2502 2503 /* 2504 * Set supported signature algorithms based on a colon separated list of the 2505 * form sig+hash e.g. RSA+SHA512:DSA+SHA512 2506 */ 2507 int tls1_set_sigalgs_list(CERT *c, const char *str, int client) 2508 { 2509 sig_cb_st sig; 2510 sig.sigalgcnt = 0; 2511 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) 2512 return 0; 2513 if (c == NULL) 2514 return 1; 2515 return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); 2516 } 2517 2518 int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, 2519 int client) 2520 { 2521 uint16_t *sigalgs; 2522 2523 if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) { 2524 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2525 return 0; 2526 } 2527 memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs)); 2528 2529 if (client) { 2530 OPENSSL_free(c->client_sigalgs); 2531 c->client_sigalgs = sigalgs; 2532 c->client_sigalgslen = salglen; 2533 } else { 2534 OPENSSL_free(c->conf_sigalgs); 2535 c->conf_sigalgs = sigalgs; 2536 c->conf_sigalgslen = salglen; 2537 } 2538 2539 return 1; 2540 } 2541 2542 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) 2543 { 2544 uint16_t *sigalgs, *sptr; 2545 size_t i; 2546 2547 if (salglen & 1) 2548 return 0; 2549 if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) { 2550 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2551 return 0; 2552 } 2553 for (i = 0, sptr = sigalgs; i < salglen; i += 2) { 2554 size_t j; 2555 const SIGALG_LOOKUP *curr; 2556 int md_id = *psig_nids++; 2557 int sig_id = *psig_nids++; 2558 2559 for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl); 2560 j++, curr++) { 2561 if (curr->hash == md_id && curr->sig == sig_id) { 2562 *sptr++ = curr->sigalg; 2563 break; 2564 } 2565 } 2566 2567 if (j == OSSL_NELEM(sigalg_lookup_tbl)) 2568 goto err; 2569 } 2570 2571 if (client) { 2572 OPENSSL_free(c->client_sigalgs); 2573 c->client_sigalgs = sigalgs; 2574 c->client_sigalgslen = salglen / 2; 2575 } else { 2576 OPENSSL_free(c->conf_sigalgs); 2577 c->conf_sigalgs = sigalgs; 2578 c->conf_sigalgslen = salglen / 2; 2579 } 2580 2581 return 1; 2582 2583 err: 2584 OPENSSL_free(sigalgs); 2585 return 0; 2586 } 2587 2588 static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) 2589 { 2590 int sig_nid, use_pc_sigalgs = 0; 2591 size_t i; 2592 const SIGALG_LOOKUP *sigalg; 2593 size_t sigalgslen; 2594 if (default_nid == -1) 2595 return 1; 2596 sig_nid = X509_get_signature_nid(x); 2597 if (default_nid) 2598 return sig_nid == default_nid ? 1 : 0; 2599 2600 if (SSL_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) { 2601 /* 2602 * If we're in TLSv1.3 then we only get here if we're checking the 2603 * chain. If the peer has specified peer_cert_sigalgs then we use them 2604 * otherwise we default to normal sigalgs. 2605 */ 2606 sigalgslen = s->s3.tmp.peer_cert_sigalgslen; 2607 use_pc_sigalgs = 1; 2608 } else { 2609 sigalgslen = s->shared_sigalgslen; 2610 } 2611 for (i = 0; i < sigalgslen; i++) { 2612 sigalg = use_pc_sigalgs 2613 ? tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]) 2614 : s->shared_sigalgs[i]; 2615 if (sigalg != NULL && sig_nid == sigalg->sigandhash) 2616 return 1; 2617 } 2618 return 0; 2619 } 2620 2621 /* Check to see if a certificate issuer name matches list of CA names */ 2622 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) 2623 { 2624 const X509_NAME *nm; 2625 int i; 2626 nm = X509_get_issuer_name(x); 2627 for (i = 0; i < sk_X509_NAME_num(names); i++) { 2628 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) 2629 return 1; 2630 } 2631 return 0; 2632 } 2633 2634 /* 2635 * Check certificate chain is consistent with TLS extensions and is usable by 2636 * server. This servers two purposes: it allows users to check chains before 2637 * passing them to the server and it allows the server to check chains before 2638 * attempting to use them. 2639 */ 2640 2641 /* Flags which need to be set for a certificate when strict mode not set */ 2642 2643 #define CERT_PKEY_VALID_FLAGS \ 2644 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) 2645 /* Strict mode flags */ 2646 #define CERT_PKEY_STRICT_FLAGS \ 2647 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ 2648 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) 2649 2650 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, 2651 int idx) 2652 { 2653 int i; 2654 int rv = 0; 2655 int check_flags = 0, strict_mode; 2656 CERT_PKEY *cpk = NULL; 2657 CERT *c = s->cert; 2658 uint32_t *pvalid; 2659 unsigned int suiteb_flags = tls1_suiteb(s); 2660 /* idx == -1 means checking server chains */ 2661 if (idx != -1) { 2662 /* idx == -2 means checking client certificate chains */ 2663 if (idx == -2) { 2664 cpk = c->key; 2665 idx = (int)(cpk - c->pkeys); 2666 } else 2667 cpk = c->pkeys + idx; 2668 pvalid = s->s3.tmp.valid_flags + idx; 2669 x = cpk->x509; 2670 pk = cpk->privatekey; 2671 chain = cpk->chain; 2672 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; 2673 /* If no cert or key, forget it */ 2674 if (!x || !pk) 2675 goto end; 2676 } else { 2677 size_t certidx; 2678 2679 if (!x || !pk) 2680 return 0; 2681 2682 if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL) 2683 return 0; 2684 idx = certidx; 2685 pvalid = s->s3.tmp.valid_flags + idx; 2686 2687 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) 2688 check_flags = CERT_PKEY_STRICT_FLAGS; 2689 else 2690 check_flags = CERT_PKEY_VALID_FLAGS; 2691 strict_mode = 1; 2692 } 2693 2694 if (suiteb_flags) { 2695 int ok; 2696 if (check_flags) 2697 check_flags |= CERT_PKEY_SUITEB; 2698 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); 2699 if (ok == X509_V_OK) 2700 rv |= CERT_PKEY_SUITEB; 2701 else if (!check_flags) 2702 goto end; 2703 } 2704 2705 /* 2706 * Check all signature algorithms are consistent with signature 2707 * algorithms extension if TLS 1.2 or later and strict mode. 2708 */ 2709 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) { 2710 int default_nid; 2711 int rsign = 0; 2712 if (s->s3.tmp.peer_cert_sigalgs != NULL 2713 || s->s3.tmp.peer_sigalgs != NULL) { 2714 default_nid = 0; 2715 /* If no sigalgs extension use defaults from RFC5246 */ 2716 } else { 2717 switch (idx) { 2718 case SSL_PKEY_RSA: 2719 rsign = EVP_PKEY_RSA; 2720 default_nid = NID_sha1WithRSAEncryption; 2721 break; 2722 2723 case SSL_PKEY_DSA_SIGN: 2724 rsign = EVP_PKEY_DSA; 2725 default_nid = NID_dsaWithSHA1; 2726 break; 2727 2728 case SSL_PKEY_ECC: 2729 rsign = EVP_PKEY_EC; 2730 default_nid = NID_ecdsa_with_SHA1; 2731 break; 2732 2733 case SSL_PKEY_GOST01: 2734 rsign = NID_id_GostR3410_2001; 2735 default_nid = NID_id_GostR3411_94_with_GostR3410_2001; 2736 break; 2737 2738 case SSL_PKEY_GOST12_256: 2739 rsign = NID_id_GostR3410_2012_256; 2740 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256; 2741 break; 2742 2743 case SSL_PKEY_GOST12_512: 2744 rsign = NID_id_GostR3410_2012_512; 2745 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512; 2746 break; 2747 2748 default: 2749 default_nid = -1; 2750 break; 2751 } 2752 } 2753 /* 2754 * If peer sent no signature algorithms extension and we have set 2755 * preferred signature algorithms check we support sha1. 2756 */ 2757 if (default_nid > 0 && c->conf_sigalgs) { 2758 size_t j; 2759 const uint16_t *p = c->conf_sigalgs; 2760 for (j = 0; j < c->conf_sigalgslen; j++, p++) { 2761 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *p); 2762 2763 if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign) 2764 break; 2765 } 2766 if (j == c->conf_sigalgslen) { 2767 if (check_flags) 2768 goto skip_sigs; 2769 else 2770 goto end; 2771 } 2772 } 2773 /* Check signature algorithm of each cert in chain */ 2774 if (SSL_IS_TLS13(s)) { 2775 /* 2776 * We only get here if the application has called SSL_check_chain(), 2777 * so check_flags is always set. 2778 */ 2779 if (find_sig_alg(s, x, pk) != NULL) 2780 rv |= CERT_PKEY_EE_SIGNATURE; 2781 } else if (!tls1_check_sig_alg(s, x, default_nid)) { 2782 if (!check_flags) 2783 goto end; 2784 } else 2785 rv |= CERT_PKEY_EE_SIGNATURE; 2786 rv |= CERT_PKEY_CA_SIGNATURE; 2787 for (i = 0; i < sk_X509_num(chain); i++) { 2788 if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) { 2789 if (check_flags) { 2790 rv &= ~CERT_PKEY_CA_SIGNATURE; 2791 break; 2792 } else 2793 goto end; 2794 } 2795 } 2796 } 2797 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ 2798 else if (check_flags) 2799 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; 2800 skip_sigs: 2801 /* Check cert parameters are consistent */ 2802 if (tls1_check_cert_param(s, x, 1)) 2803 rv |= CERT_PKEY_EE_PARAM; 2804 else if (!check_flags) 2805 goto end; 2806 if (!s->server) 2807 rv |= CERT_PKEY_CA_PARAM; 2808 /* In strict mode check rest of chain too */ 2809 else if (strict_mode) { 2810 rv |= CERT_PKEY_CA_PARAM; 2811 for (i = 0; i < sk_X509_num(chain); i++) { 2812 X509 *ca = sk_X509_value(chain, i); 2813 if (!tls1_check_cert_param(s, ca, 0)) { 2814 if (check_flags) { 2815 rv &= ~CERT_PKEY_CA_PARAM; 2816 break; 2817 } else 2818 goto end; 2819 } 2820 } 2821 } 2822 if (!s->server && strict_mode) { 2823 STACK_OF(X509_NAME) *ca_dn; 2824 int check_type = 0; 2825 2826 if (EVP_PKEY_is_a(pk, "RSA")) 2827 check_type = TLS_CT_RSA_SIGN; 2828 else if (EVP_PKEY_is_a(pk, "DSA")) 2829 check_type = TLS_CT_DSS_SIGN; 2830 else if (EVP_PKEY_is_a(pk, "EC")) 2831 check_type = TLS_CT_ECDSA_SIGN; 2832 2833 if (check_type) { 2834 const uint8_t *ctypes = s->s3.tmp.ctype; 2835 size_t j; 2836 2837 for (j = 0; j < s->s3.tmp.ctype_len; j++, ctypes++) { 2838 if (*ctypes == check_type) { 2839 rv |= CERT_PKEY_CERT_TYPE; 2840 break; 2841 } 2842 } 2843 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) 2844 goto end; 2845 } else { 2846 rv |= CERT_PKEY_CERT_TYPE; 2847 } 2848 2849 ca_dn = s->s3.tmp.peer_ca_names; 2850 2851 if (ca_dn == NULL 2852 || sk_X509_NAME_num(ca_dn) == 0 2853 || ssl_check_ca_name(ca_dn, x)) 2854 rv |= CERT_PKEY_ISSUER_NAME; 2855 else 2856 for (i = 0; i < sk_X509_num(chain); i++) { 2857 X509 *xtmp = sk_X509_value(chain, i); 2858 2859 if (ssl_check_ca_name(ca_dn, xtmp)) { 2860 rv |= CERT_PKEY_ISSUER_NAME; 2861 break; 2862 } 2863 } 2864 2865 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) 2866 goto end; 2867 } else 2868 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE; 2869 2870 if (!check_flags || (rv & check_flags) == check_flags) 2871 rv |= CERT_PKEY_VALID; 2872 2873 end: 2874 2875 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2876 rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN); 2877 else 2878 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; 2879 2880 /* 2881 * When checking a CERT_PKEY structure all flags are irrelevant if the 2882 * chain is invalid. 2883 */ 2884 if (!check_flags) { 2885 if (rv & CERT_PKEY_VALID) { 2886 *pvalid = rv; 2887 } else { 2888 /* Preserve sign and explicit sign flag, clear rest */ 2889 *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 2890 return 0; 2891 } 2892 } 2893 return rv; 2894 } 2895 2896 /* Set validity of certificates in an SSL structure */ 2897 void tls1_set_cert_validity(SSL *s) 2898 { 2899 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); 2900 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); 2901 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); 2902 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); 2903 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); 2904 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256); 2905 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512); 2906 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519); 2907 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448); 2908 } 2909 2910 /* User level utility function to check a chain is suitable */ 2911 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) 2912 { 2913 return tls1_check_chain(s, x, pk, chain, -1); 2914 } 2915 2916 EVP_PKEY *ssl_get_auto_dh(SSL *s) 2917 { 2918 EVP_PKEY *dhp = NULL; 2919 BIGNUM *p; 2920 int dh_secbits = 80, sec_level_bits; 2921 EVP_PKEY_CTX *pctx = NULL; 2922 OSSL_PARAM_BLD *tmpl = NULL; 2923 OSSL_PARAM *params = NULL; 2924 2925 if (s->cert->dh_tmp_auto != 2) { 2926 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { 2927 if (s->s3.tmp.new_cipher->strength_bits == 256) 2928 dh_secbits = 128; 2929 else 2930 dh_secbits = 80; 2931 } else { 2932 if (s->s3.tmp.cert == NULL) 2933 return NULL; 2934 dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey); 2935 } 2936 } 2937 2938 /* Do not pick a prime that is too weak for the current security level */ 2939 sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL); 2940 if (dh_secbits < sec_level_bits) 2941 dh_secbits = sec_level_bits; 2942 2943 if (dh_secbits >= 192) 2944 p = BN_get_rfc3526_prime_8192(NULL); 2945 else if (dh_secbits >= 152) 2946 p = BN_get_rfc3526_prime_4096(NULL); 2947 else if (dh_secbits >= 128) 2948 p = BN_get_rfc3526_prime_3072(NULL); 2949 else if (dh_secbits >= 112) 2950 p = BN_get_rfc3526_prime_2048(NULL); 2951 else 2952 p = BN_get_rfc2409_prime_1024(NULL); 2953 if (p == NULL) 2954 goto err; 2955 2956 pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); 2957 if (pctx == NULL 2958 || EVP_PKEY_fromdata_init(pctx) != 1) 2959 goto err; 2960 2961 tmpl = OSSL_PARAM_BLD_new(); 2962 if (tmpl == NULL 2963 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) 2964 || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2)) 2965 goto err; 2966 2967 params = OSSL_PARAM_BLD_to_param(tmpl); 2968 if (params == NULL 2969 || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1) 2970 goto err; 2971 2972 err: 2973 OSSL_PARAM_free(params); 2974 OSSL_PARAM_BLD_free(tmpl); 2975 EVP_PKEY_CTX_free(pctx); 2976 BN_free(p); 2977 return dhp; 2978 } 2979 2980 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) 2981 { 2982 int secbits = -1; 2983 EVP_PKEY *pkey = X509_get0_pubkey(x); 2984 if (pkey) { 2985 /* 2986 * If no parameters this will return -1 and fail using the default 2987 * security callback for any non-zero security level. This will 2988 * reject keys which omit parameters but this only affects DSA and 2989 * omission of parameters is never (?) done in practice. 2990 */ 2991 secbits = EVP_PKEY_get_security_bits(pkey); 2992 } 2993 if (s) 2994 return ssl_security(s, op, secbits, 0, x); 2995 else 2996 return ssl_ctx_security(ctx, op, secbits, 0, x); 2997 } 2998 2999 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) 3000 { 3001 /* Lookup signature algorithm digest */ 3002 int secbits, nid, pknid; 3003 /* Don't check signature if self signed */ 3004 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) 3005 return 1; 3006 if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL)) 3007 secbits = -1; 3008 /* If digest NID not defined use signature NID */ 3009 if (nid == NID_undef) 3010 nid = pknid; 3011 if (s) 3012 return ssl_security(s, op, secbits, nid, x); 3013 else 3014 return ssl_ctx_security(ctx, op, secbits, nid, x); 3015 } 3016 3017 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee) 3018 { 3019 if (vfy) 3020 vfy = SSL_SECOP_PEER; 3021 if (is_ee) { 3022 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy)) 3023 return SSL_R_EE_KEY_TOO_SMALL; 3024 } else { 3025 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy)) 3026 return SSL_R_CA_KEY_TOO_SMALL; 3027 } 3028 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) 3029 return SSL_R_CA_MD_TOO_WEAK; 3030 return 1; 3031 } 3032 3033 /* 3034 * Check security of a chain, if |sk| includes the end entity certificate then 3035 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending 3036 * one to the peer. Return values: 1 if ok otherwise error code to use 3037 */ 3038 3039 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) 3040 { 3041 int rv, start_idx, i; 3042 if (x == NULL) { 3043 x = sk_X509_value(sk, 0); 3044 if (x == NULL) 3045 return ERR_R_INTERNAL_ERROR; 3046 start_idx = 1; 3047 } else 3048 start_idx = 0; 3049 3050 rv = ssl_security_cert(s, NULL, x, vfy, 1); 3051 if (rv != 1) 3052 return rv; 3053 3054 for (i = start_idx; i < sk_X509_num(sk); i++) { 3055 x = sk_X509_value(sk, i); 3056 rv = ssl_security_cert(s, NULL, x, vfy, 0); 3057 if (rv != 1) 3058 return rv; 3059 } 3060 return 1; 3061 } 3062 3063 /* 3064 * For TLS 1.2 servers check if we have a certificate which can be used 3065 * with the signature algorithm "lu" and return index of certificate. 3066 */ 3067 3068 static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu) 3069 { 3070 int sig_idx = lu->sig_idx; 3071 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx); 3072 3073 /* If not recognised or not supported by cipher mask it is not suitable */ 3074 if (clu == NULL 3075 || (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0 3076 || (clu->nid == EVP_PKEY_RSA_PSS 3077 && (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0)) 3078 return -1; 3079 3080 return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1; 3081 } 3082 3083 /* 3084 * Checks the given cert against signature_algorithm_cert restrictions sent by 3085 * the peer (if any) as well as whether the hash from the sigalg is usable with 3086 * the key. 3087 * Returns true if the cert is usable and false otherwise. 3088 */ 3089 static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 3090 EVP_PKEY *pkey) 3091 { 3092 const SIGALG_LOOKUP *lu; 3093 int mdnid, pknid, supported; 3094 size_t i; 3095 const char *mdname = NULL; 3096 3097 /* 3098 * If the given EVP_PKEY cannot support signing with this digest, 3099 * the answer is simply 'no'. 3100 */ 3101 if (sig->hash != NID_undef) 3102 mdname = OBJ_nid2sn(sig->hash); 3103 supported = EVP_PKEY_digestsign_supports_digest(pkey, s->ctx->libctx, 3104 mdname, 3105 s->ctx->propq); 3106 if (supported <= 0) 3107 return 0; 3108 3109 /* 3110 * The TLS 1.3 signature_algorithms_cert extension places restrictions 3111 * on the sigalg with which the certificate was signed (by its issuer). 3112 */ 3113 if (s->s3.tmp.peer_cert_sigalgs != NULL) { 3114 if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL)) 3115 return 0; 3116 for (i = 0; i < s->s3.tmp.peer_cert_sigalgslen; i++) { 3117 lu = tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]); 3118 if (lu == NULL) 3119 continue; 3120 3121 /* 3122 * This does not differentiate between the 3123 * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not 3124 * have a chain here that lets us look at the key OID in the 3125 * signing certificate. 3126 */ 3127 if (mdnid == lu->hash && pknid == lu->sig) 3128 return 1; 3129 } 3130 return 0; 3131 } 3132 3133 /* 3134 * Without signat_algorithms_cert, any certificate for which we have 3135 * a viable public key is permitted. 3136 */ 3137 return 1; 3138 } 3139 3140 /* 3141 * Returns true if |s| has a usable certificate configured for use 3142 * with signature scheme |sig|. 3143 * "Usable" includes a check for presence as well as applying 3144 * the signature_algorithm_cert restrictions sent by the peer (if any). 3145 * Returns false if no usable certificate is found. 3146 */ 3147 static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) 3148 { 3149 /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */ 3150 if (idx == -1) 3151 idx = sig->sig_idx; 3152 if (!ssl_has_cert(s, idx)) 3153 return 0; 3154 3155 return check_cert_usable(s, sig, s->cert->pkeys[idx].x509, 3156 s->cert->pkeys[idx].privatekey); 3157 } 3158 3159 /* 3160 * Returns true if the supplied cert |x| and key |pkey| is usable with the 3161 * specified signature scheme |sig|, or false otherwise. 3162 */ 3163 static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 3164 EVP_PKEY *pkey) 3165 { 3166 size_t idx; 3167 3168 if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 3169 return 0; 3170 3171 /* Check the key is consistent with the sig alg */ 3172 if ((int)idx != sig->sig_idx) 3173 return 0; 3174 3175 return check_cert_usable(s, sig, x, pkey); 3176 } 3177 3178 /* 3179 * Find a signature scheme that works with the supplied certificate |x| and key 3180 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our 3181 * available certs/keys to find one that works. 3182 */ 3183 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey) 3184 { 3185 const SIGALG_LOOKUP *lu = NULL; 3186 size_t i; 3187 int curve = -1; 3188 EVP_PKEY *tmppkey; 3189 3190 /* Look for a shared sigalgs matching possible certificates */ 3191 for (i = 0; i < s->shared_sigalgslen; i++) { 3192 lu = s->shared_sigalgs[i]; 3193 3194 /* Skip SHA1, SHA224, DSA and RSA if not PSS */ 3195 if (lu->hash == NID_sha1 3196 || lu->hash == NID_sha224 3197 || lu->sig == EVP_PKEY_DSA 3198 || lu->sig == EVP_PKEY_RSA) 3199 continue; 3200 /* Check that we have a cert, and signature_algorithms_cert */ 3201 if (!tls1_lookup_md(s->ctx, lu, NULL)) 3202 continue; 3203 if ((pkey == NULL && !has_usable_cert(s, lu, -1)) 3204 || (pkey != NULL && !is_cert_usable(s, lu, x, pkey))) 3205 continue; 3206 3207 tmppkey = (pkey != NULL) ? pkey 3208 : s->cert->pkeys[lu->sig_idx].privatekey; 3209 3210 if (lu->sig == EVP_PKEY_EC) { 3211 if (curve == -1) 3212 curve = ssl_get_EC_curve_nid(tmppkey); 3213 if (lu->curve != NID_undef && curve != lu->curve) 3214 continue; 3215 } else if (lu->sig == EVP_PKEY_RSA_PSS) { 3216 /* validate that key is large enough for the signature algorithm */ 3217 if (!rsa_pss_check_min_key_size(s->ctx, tmppkey, lu)) 3218 continue; 3219 } 3220 break; 3221 } 3222 3223 if (i == s->shared_sigalgslen) 3224 return NULL; 3225 3226 return lu; 3227 } 3228 3229 /* 3230 * Choose an appropriate signature algorithm based on available certificates 3231 * Sets chosen certificate and signature algorithm. 3232 * 3233 * For servers if we fail to find a required certificate it is a fatal error, 3234 * an appropriate error code is set and a TLS alert is sent. 3235 * 3236 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not 3237 * a fatal error: we will either try another certificate or not present one 3238 * to the server. In this case no error is set. 3239 */ 3240 int tls_choose_sigalg(SSL *s, int fatalerrs) 3241 { 3242 const SIGALG_LOOKUP *lu = NULL; 3243 int sig_idx = -1; 3244 3245 s->s3.tmp.cert = NULL; 3246 s->s3.tmp.sigalg = NULL; 3247 3248 if (SSL_IS_TLS13(s)) { 3249 lu = find_sig_alg(s, NULL, NULL); 3250 if (lu == NULL) { 3251 if (!fatalerrs) 3252 return 1; 3253 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3254 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3255 return 0; 3256 } 3257 } else { 3258 /* If ciphersuite doesn't require a cert nothing to do */ 3259 if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT)) 3260 return 1; 3261 if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys)) 3262 return 1; 3263 3264 if (SSL_USE_SIGALGS(s)) { 3265 size_t i; 3266 if (s->s3.tmp.peer_sigalgs != NULL) { 3267 int curve = -1; 3268 3269 /* For Suite B need to match signature algorithm to curve */ 3270 if (tls1_suiteb(s)) 3271 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC] 3272 .privatekey); 3273 3274 /* 3275 * Find highest preference signature algorithm matching 3276 * cert type 3277 */ 3278 for (i = 0; i < s->shared_sigalgslen; i++) { 3279 lu = s->shared_sigalgs[i]; 3280 3281 if (s->server) { 3282 if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1) 3283 continue; 3284 } else { 3285 int cc_idx = s->cert->key - s->cert->pkeys; 3286 3287 sig_idx = lu->sig_idx; 3288 if (cc_idx != sig_idx) 3289 continue; 3290 } 3291 /* Check that we have a cert, and sig_algs_cert */ 3292 if (!has_usable_cert(s, lu, sig_idx)) 3293 continue; 3294 if (lu->sig == EVP_PKEY_RSA_PSS) { 3295 /* validate that key is large enough for the signature algorithm */ 3296 EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey; 3297 3298 if (!rsa_pss_check_min_key_size(s->ctx, pkey, lu)) 3299 continue; 3300 } 3301 if (curve == -1 || lu->curve == curve) 3302 break; 3303 } 3304 #ifndef OPENSSL_NO_GOST 3305 /* 3306 * Some Windows-based implementations do not send GOST algorithms indication 3307 * in supported_algorithms extension, so when we have GOST-based ciphersuite, 3308 * we have to assume GOST support. 3309 */ 3310 if (i == s->shared_sigalgslen && s->s3.tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) { 3311 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3312 if (!fatalerrs) 3313 return 1; 3314 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3315 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3316 return 0; 3317 } else { 3318 i = 0; 3319 sig_idx = lu->sig_idx; 3320 } 3321 } 3322 #endif 3323 if (i == s->shared_sigalgslen) { 3324 if (!fatalerrs) 3325 return 1; 3326 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3327 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3328 return 0; 3329 } 3330 } else { 3331 /* 3332 * If we have no sigalg use defaults 3333 */ 3334 const uint16_t *sent_sigs; 3335 size_t sent_sigslen; 3336 3337 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3338 if (!fatalerrs) 3339 return 1; 3340 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3341 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3342 return 0; 3343 } 3344 3345 /* Check signature matches a type we sent */ 3346 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 3347 for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 3348 if (lu->sigalg == *sent_sigs 3349 && has_usable_cert(s, lu, lu->sig_idx)) 3350 break; 3351 } 3352 if (i == sent_sigslen) { 3353 if (!fatalerrs) 3354 return 1; 3355 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3356 SSL_R_WRONG_SIGNATURE_TYPE); 3357 return 0; 3358 } 3359 } 3360 } else { 3361 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3362 if (!fatalerrs) 3363 return 1; 3364 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3365 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3366 return 0; 3367 } 3368 } 3369 } 3370 if (sig_idx == -1) 3371 sig_idx = lu->sig_idx; 3372 s->s3.tmp.cert = &s->cert->pkeys[sig_idx]; 3373 s->cert->key = s->s3.tmp.cert; 3374 s->s3.tmp.sigalg = lu; 3375 return 1; 3376 } 3377 3378 int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) 3379 { 3380 if (mode != TLSEXT_max_fragment_length_DISABLED 3381 && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 3382 ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 3383 return 0; 3384 } 3385 3386 ctx->ext.max_fragment_len_mode = mode; 3387 return 1; 3388 } 3389 3390 int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode) 3391 { 3392 if (mode != TLSEXT_max_fragment_length_DISABLED 3393 && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 3394 ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 3395 return 0; 3396 } 3397 3398 ssl->ext.max_fragment_len_mode = mode; 3399 return 1; 3400 } 3401 3402 uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session) 3403 { 3404 return session->ext.max_fragment_len_mode; 3405 } 3406 3407 /* 3408 * Helper functions for HMAC access with legacy support included. 3409 */ 3410 SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx) 3411 { 3412 SSL_HMAC *ret = OPENSSL_zalloc(sizeof(*ret)); 3413 EVP_MAC *mac = NULL; 3414 3415 if (ret == NULL) 3416 return NULL; 3417 #ifndef OPENSSL_NO_DEPRECATED_3_0 3418 if (ctx->ext.ticket_key_evp_cb == NULL 3419 && ctx->ext.ticket_key_cb != NULL) { 3420 if (!ssl_hmac_old_new(ret)) 3421 goto err; 3422 return ret; 3423 } 3424 #endif 3425 mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq); 3426 if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL) 3427 goto err; 3428 EVP_MAC_free(mac); 3429 return ret; 3430 err: 3431 EVP_MAC_CTX_free(ret->ctx); 3432 EVP_MAC_free(mac); 3433 OPENSSL_free(ret); 3434 return NULL; 3435 } 3436 3437 void ssl_hmac_free(SSL_HMAC *ctx) 3438 { 3439 if (ctx != NULL) { 3440 EVP_MAC_CTX_free(ctx->ctx); 3441 #ifndef OPENSSL_NO_DEPRECATED_3_0 3442 ssl_hmac_old_free(ctx); 3443 #endif 3444 OPENSSL_free(ctx); 3445 } 3446 } 3447 3448 EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx) 3449 { 3450 return ctx->ctx; 3451 } 3452 3453 int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md) 3454 { 3455 OSSL_PARAM params[2], *p = params; 3456 3457 if (ctx->ctx != NULL) { 3458 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0); 3459 *p = OSSL_PARAM_construct_end(); 3460 if (EVP_MAC_init(ctx->ctx, key, len, params)) 3461 return 1; 3462 } 3463 #ifndef OPENSSL_NO_DEPRECATED_3_0 3464 if (ctx->old_ctx != NULL) 3465 return ssl_hmac_old_init(ctx, key, len, md); 3466 #endif 3467 return 0; 3468 } 3469 3470 int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len) 3471 { 3472 if (ctx->ctx != NULL) 3473 return EVP_MAC_update(ctx->ctx, data, len); 3474 #ifndef OPENSSL_NO_DEPRECATED_3_0 3475 if (ctx->old_ctx != NULL) 3476 return ssl_hmac_old_update(ctx, data, len); 3477 #endif 3478 return 0; 3479 } 3480 3481 int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, 3482 size_t max_size) 3483 { 3484 if (ctx->ctx != NULL) 3485 return EVP_MAC_final(ctx->ctx, md, len, max_size); 3486 #ifndef OPENSSL_NO_DEPRECATED_3_0 3487 if (ctx->old_ctx != NULL) 3488 return ssl_hmac_old_final(ctx, md, len); 3489 #endif 3490 return 0; 3491 } 3492 3493 size_t ssl_hmac_size(const SSL_HMAC *ctx) 3494 { 3495 if (ctx->ctx != NULL) 3496 return EVP_MAC_CTX_get_mac_size(ctx->ctx); 3497 #ifndef OPENSSL_NO_DEPRECATED_3_0 3498 if (ctx->old_ctx != NULL) 3499 return ssl_hmac_old_size(ctx); 3500 #endif 3501 return 0; 3502 } 3503 3504 int ssl_get_EC_curve_nid(const EVP_PKEY *pkey) 3505 { 3506 char gname[OSSL_MAX_NAME_SIZE]; 3507 3508 if (EVP_PKEY_get_group_name(pkey, gname, sizeof(gname), NULL) > 0) 3509 return OBJ_txt2nid(gname); 3510 3511 return NID_undef; 3512 } 3513 3514 __owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey, 3515 const unsigned char *enckey, 3516 size_t enckeylen) 3517 { 3518 if (EVP_PKEY_is_a(pkey, "DH")) { 3519 int bits = EVP_PKEY_get_bits(pkey); 3520 3521 if (bits <= 0 || enckeylen != (size_t)bits / 8) 3522 /* the encoded key must be padded to the length of the p */ 3523 return 0; 3524 } else if (EVP_PKEY_is_a(pkey, "EC")) { 3525 if (enckeylen < 3 /* point format and at least 1 byte for x and y */ 3526 || enckey[0] != 0x04) 3527 return 0; 3528 } 3529 3530 return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen); 3531 } 3532