xref: /freebsd/crypto/openssl/ssl/t1_lib.c (revision 87b759f0fa1f7554d50ce640c40138512bbded44)
1 /*
2  * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <openssl/objects.h>
13 #include <openssl/evp.h>
14 #include <openssl/hmac.h>
15 #include <openssl/core_names.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/conf.h>
18 #include <openssl/x509v3.h>
19 #include <openssl/dh.h>
20 #include <openssl/bn.h>
21 #include <openssl/provider.h>
22 #include <openssl/param_build.h>
23 #include "internal/nelem.h"
24 #include "internal/sizes.h"
25 #include "internal/tlsgroups.h"
26 #include "internal/cryptlib.h"
27 #include "ssl_local.h"
28 #include <openssl/ct.h>
29 
30 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
31 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
32 
33 SSL3_ENC_METHOD const TLSv1_enc_data = {
34     tls1_enc,
35     tls1_mac,
36     tls1_setup_key_block,
37     tls1_generate_master_secret,
38     tls1_change_cipher_state,
39     tls1_final_finish_mac,
40     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
41     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
42     tls1_alert_code,
43     tls1_export_keying_material,
44     0,
45     ssl3_set_handshake_header,
46     tls_close_construct_packet,
47     ssl3_handshake_write
48 };
49 
50 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
51     tls1_enc,
52     tls1_mac,
53     tls1_setup_key_block,
54     tls1_generate_master_secret,
55     tls1_change_cipher_state,
56     tls1_final_finish_mac,
57     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
58     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
59     tls1_alert_code,
60     tls1_export_keying_material,
61     SSL_ENC_FLAG_EXPLICIT_IV,
62     ssl3_set_handshake_header,
63     tls_close_construct_packet,
64     ssl3_handshake_write
65 };
66 
67 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
68     tls1_enc,
69     tls1_mac,
70     tls1_setup_key_block,
71     tls1_generate_master_secret,
72     tls1_change_cipher_state,
73     tls1_final_finish_mac,
74     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
75     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
76     tls1_alert_code,
77     tls1_export_keying_material,
78     SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
79         | SSL_ENC_FLAG_TLS1_2_CIPHERS,
80     ssl3_set_handshake_header,
81     tls_close_construct_packet,
82     ssl3_handshake_write
83 };
84 
85 SSL3_ENC_METHOD const TLSv1_3_enc_data = {
86     tls13_enc,
87     tls1_mac,
88     tls13_setup_key_block,
89     tls13_generate_master_secret,
90     tls13_change_cipher_state,
91     tls13_final_finish_mac,
92     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
93     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
94     tls13_alert_code,
95     tls13_export_keying_material,
96     SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
97     ssl3_set_handshake_header,
98     tls_close_construct_packet,
99     ssl3_handshake_write
100 };
101 
102 long tls1_default_timeout(void)
103 {
104     /*
105      * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
106      * http, the cache would over fill
107      */
108     return (60 * 60 * 2);
109 }
110 
111 int tls1_new(SSL *s)
112 {
113     if (!ssl3_new(s))
114         return 0;
115     if (!s->method->ssl_clear(s))
116         return 0;
117 
118     return 1;
119 }
120 
121 void tls1_free(SSL *s)
122 {
123     OPENSSL_free(s->ext.session_ticket);
124     ssl3_free(s);
125 }
126 
127 int tls1_clear(SSL *s)
128 {
129     if (!ssl3_clear(s))
130         return 0;
131 
132     if (s->method->version == TLS_ANY_VERSION)
133         s->version = TLS_MAX_VERSION_INTERNAL;
134     else
135         s->version = s->method->version;
136 
137     return 1;
138 }
139 
140 /* Legacy NID to group_id mapping. Only works for groups we know about */
141 static struct {
142     int nid;
143     uint16_t group_id;
144 } nid_to_group[] = {
145     {NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1},
146     {NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1},
147     {NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2},
148     {NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1},
149     {NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2},
150     {NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1},
151     {NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1},
152     {NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1},
153     {NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1},
154     {NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1},
155     {NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1},
156     {NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1},
157     {NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1},
158     {NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1},
159     {NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1},
160     {NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1},
161     {NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2},
162     {NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1},
163     {NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1},
164     {NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1},
165     {NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1},
166     {NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1},
167     {NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1},
168     {NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1},
169     {NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1},
170     {NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1},
171     {NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1},
172     {NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1},
173     {EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519},
174     {EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448},
175     {NID_id_tc26_gost_3410_2012_256_paramSetA, 0x0022},
176     {NID_id_tc26_gost_3410_2012_256_paramSetB, 0x0023},
177     {NID_id_tc26_gost_3410_2012_256_paramSetC, 0x0024},
178     {NID_id_tc26_gost_3410_2012_256_paramSetD, 0x0025},
179     {NID_id_tc26_gost_3410_2012_512_paramSetA, 0x0026},
180     {NID_id_tc26_gost_3410_2012_512_paramSetB, 0x0027},
181     {NID_id_tc26_gost_3410_2012_512_paramSetC, 0x0028},
182     {NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048},
183     {NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072},
184     {NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096},
185     {NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144},
186     {NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192}
187 };
188 
189 static const unsigned char ecformats_default[] = {
190     TLSEXT_ECPOINTFORMAT_uncompressed,
191     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
192     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
193 };
194 
195 /* The default curves */
196 static const uint16_t supported_groups_default[] = {
197     29,                      /* X25519 (29) */
198     23,                      /* secp256r1 (23) */
199     30,                      /* X448 (30) */
200     25,                      /* secp521r1 (25) */
201     24,                      /* secp384r1 (24) */
202     34,                      /* GC256A (34) */
203     35,                      /* GC256B (35) */
204     36,                      /* GC256C (36) */
205     37,                      /* GC256D (37) */
206     38,                      /* GC512A (38) */
207     39,                      /* GC512B (39) */
208     40,                      /* GC512C (40) */
209     0x100,                   /* ffdhe2048 (0x100) */
210     0x101,                   /* ffdhe3072 (0x101) */
211     0x102,                   /* ffdhe4096 (0x102) */
212     0x103,                   /* ffdhe6144 (0x103) */
213     0x104,                   /* ffdhe8192 (0x104) */
214 };
215 
216 static const uint16_t suiteb_curves[] = {
217     TLSEXT_curve_P_256,
218     TLSEXT_curve_P_384
219 };
220 
221 struct provider_group_data_st {
222     SSL_CTX *ctx;
223     OSSL_PROVIDER *provider;
224 };
225 
226 #define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE        10
227 static OSSL_CALLBACK add_provider_groups;
228 static int add_provider_groups(const OSSL_PARAM params[], void *data)
229 {
230     struct provider_group_data_st *pgd = data;
231     SSL_CTX *ctx = pgd->ctx;
232     OSSL_PROVIDER *provider = pgd->provider;
233     const OSSL_PARAM *p;
234     TLS_GROUP_INFO *ginf = NULL;
235     EVP_KEYMGMT *keymgmt;
236     unsigned int gid;
237     unsigned int is_kem = 0;
238     int ret = 0;
239 
240     if (ctx->group_list_max_len == ctx->group_list_len) {
241         TLS_GROUP_INFO *tmp = NULL;
242 
243         if (ctx->group_list_max_len == 0)
244             tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO)
245                                  * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE);
246         else
247             tmp = OPENSSL_realloc(ctx->group_list,
248                                   (ctx->group_list_max_len
249                                    + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE)
250                                   * sizeof(TLS_GROUP_INFO));
251         if (tmp == NULL) {
252             ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
253             return 0;
254         }
255         ctx->group_list = tmp;
256         memset(tmp + ctx->group_list_max_len,
257                0,
258                sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE);
259         ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE;
260     }
261 
262     ginf = &ctx->group_list[ctx->group_list_len];
263 
264     p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME);
265     if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
266         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
267         goto err;
268     }
269     ginf->tlsname = OPENSSL_strdup(p->data);
270     if (ginf->tlsname == NULL) {
271         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
272         goto err;
273     }
274 
275     p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL);
276     if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
277         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
278         goto err;
279     }
280     ginf->realname = OPENSSL_strdup(p->data);
281     if (ginf->realname == NULL) {
282         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
283         goto err;
284     }
285 
286     p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID);
287     if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) {
288         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
289         goto err;
290     }
291     ginf->group_id = (uint16_t)gid;
292 
293     p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG);
294     if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
295         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
296         goto err;
297     }
298     ginf->algorithm = OPENSSL_strdup(p->data);
299     if (ginf->algorithm == NULL) {
300         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
301         goto err;
302     }
303 
304     p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS);
305     if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) {
306         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
307         goto err;
308     }
309 
310     p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM);
311     if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) {
312         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
313         goto err;
314     }
315     ginf->is_kem = 1 & is_kem;
316 
317     p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS);
318     if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) {
319         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
320         goto err;
321     }
322 
323     p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS);
324     if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) {
325         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
326         goto err;
327     }
328 
329     p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS);
330     if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) {
331         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
332         goto err;
333     }
334 
335     p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS);
336     if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) {
337         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
338         goto err;
339     }
340     /*
341      * Now check that the algorithm is actually usable for our property query
342      * string. Regardless of the result we still return success because we have
343      * successfully processed this group, even though we may decide not to use
344      * it.
345      */
346     ret = 1;
347     ERR_set_mark();
348     keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq);
349     if (keymgmt != NULL) {
350         /*
351          * We have successfully fetched the algorithm - however if the provider
352          * doesn't match this one then we ignore it.
353          *
354          * Note: We're cheating a little here. Technically if the same algorithm
355          * is available from more than one provider then it is undefined which
356          * implementation you will get back. Theoretically this could be
357          * different every time...we assume here that you'll always get the
358          * same one back if you repeat the exact same fetch. Is this a reasonable
359          * assumption to make (in which case perhaps we should document this
360          * behaviour)?
361          */
362         if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
363             /* We have a match - so we will use this group */
364             ctx->group_list_len++;
365             ginf = NULL;
366         }
367         EVP_KEYMGMT_free(keymgmt);
368     }
369     ERR_pop_to_mark();
370  err:
371     if (ginf != NULL) {
372         OPENSSL_free(ginf->tlsname);
373         OPENSSL_free(ginf->realname);
374         OPENSSL_free(ginf->algorithm);
375         ginf->algorithm = ginf->tlsname = ginf->realname = NULL;
376     }
377     return ret;
378 }
379 
380 static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx)
381 {
382     struct provider_group_data_st pgd;
383 
384     pgd.ctx = vctx;
385     pgd.provider = provider;
386     return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP",
387                                           add_provider_groups, &pgd);
388 }
389 
390 int ssl_load_groups(SSL_CTX *ctx)
391 {
392     size_t i, j, num_deflt_grps = 0;
393     uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)];
394 
395     if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx))
396         return 0;
397 
398     for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) {
399         for (j = 0; j < ctx->group_list_len; j++) {
400             if (ctx->group_list[j].group_id == supported_groups_default[i]) {
401                 tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id;
402                 break;
403             }
404         }
405     }
406 
407     if (num_deflt_grps == 0)
408         return 1;
409 
410     ctx->ext.supported_groups_default
411         = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps);
412 
413     if (ctx->ext.supported_groups_default == NULL) {
414         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
415         return 0;
416     }
417 
418     memcpy(ctx->ext.supported_groups_default,
419            tmp_supp_groups,
420            num_deflt_grps * sizeof(tmp_supp_groups[0]));
421     ctx->ext.supported_groups_default_len = num_deflt_grps;
422 
423     return 1;
424 }
425 
426 static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name)
427 {
428     size_t i;
429 
430     for (i = 0; i < ctx->group_list_len; i++) {
431         if (strcmp(ctx->group_list[i].tlsname, name) == 0
432                 || strcmp(ctx->group_list[i].realname, name) == 0)
433             return ctx->group_list[i].group_id;
434     }
435 
436     return 0;
437 }
438 
439 const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id)
440 {
441     size_t i;
442 
443     for (i = 0; i < ctx->group_list_len; i++) {
444         if (ctx->group_list[i].group_id == group_id)
445             return &ctx->group_list[i];
446     }
447 
448     return NULL;
449 }
450 
451 int tls1_group_id2nid(uint16_t group_id, int include_unknown)
452 {
453     size_t i;
454 
455     if (group_id == 0)
456         return NID_undef;
457 
458     /*
459      * Return well known Group NIDs - for backwards compatibility. This won't
460      * work for groups we don't know about.
461      */
462     for (i = 0; i < OSSL_NELEM(nid_to_group); i++)
463     {
464         if (nid_to_group[i].group_id == group_id)
465             return nid_to_group[i].nid;
466     }
467     if (!include_unknown)
468         return NID_undef;
469     return TLSEXT_nid_unknown | (int)group_id;
470 }
471 
472 uint16_t tls1_nid2group_id(int nid)
473 {
474     size_t i;
475 
476     /*
477      * Return well known Group ids - for backwards compatibility. This won't
478      * work for groups we don't know about.
479      */
480     for (i = 0; i < OSSL_NELEM(nid_to_group); i++)
481     {
482         if (nid_to_group[i].nid == nid)
483             return nid_to_group[i].group_id;
484     }
485 
486     return 0;
487 }
488 
489 /*
490  * Set *pgroups to the supported groups list and *pgroupslen to
491  * the number of groups supported.
492  */
493 void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
494                                size_t *pgroupslen)
495 {
496     /* For Suite B mode only include P-256, P-384 */
497     switch (tls1_suiteb(s)) {
498     case SSL_CERT_FLAG_SUITEB_128_LOS:
499         *pgroups = suiteb_curves;
500         *pgroupslen = OSSL_NELEM(suiteb_curves);
501         break;
502 
503     case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
504         *pgroups = suiteb_curves;
505         *pgroupslen = 1;
506         break;
507 
508     case SSL_CERT_FLAG_SUITEB_192_LOS:
509         *pgroups = suiteb_curves + 1;
510         *pgroupslen = 1;
511         break;
512 
513     default:
514         if (s->ext.supportedgroups == NULL) {
515             *pgroups = s->ctx->ext.supported_groups_default;
516             *pgroupslen = s->ctx->ext.supported_groups_default_len;
517         } else {
518             *pgroups = s->ext.supportedgroups;
519             *pgroupslen = s->ext.supportedgroups_len;
520         }
521         break;
522     }
523 }
524 
525 int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion,
526                     int isec, int *okfortls13)
527 {
528     const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group_id);
529     int ret;
530 
531     if (okfortls13 != NULL)
532         *okfortls13 = 0;
533 
534     if (ginfo == NULL)
535         return 0;
536 
537     if (SSL_IS_DTLS(s)) {
538         if (ginfo->mindtls < 0 || ginfo->maxdtls < 0)
539             return 0;
540         if (ginfo->maxdtls == 0)
541             ret = 1;
542         else
543             ret = DTLS_VERSION_LE(minversion, ginfo->maxdtls);
544         if (ginfo->mindtls > 0)
545             ret &= DTLS_VERSION_GE(maxversion, ginfo->mindtls);
546     } else {
547         if (ginfo->mintls < 0 || ginfo->maxtls < 0)
548             return 0;
549         if (ginfo->maxtls == 0)
550             ret = 1;
551         else
552             ret = (minversion <= ginfo->maxtls);
553         if (ginfo->mintls > 0)
554             ret &= (maxversion >= ginfo->mintls);
555         if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION)
556             *okfortls13 = (ginfo->maxtls == 0)
557                           || (ginfo->maxtls >= TLS1_3_VERSION);
558     }
559     ret &= !isec
560            || strcmp(ginfo->algorithm, "EC") == 0
561            || strcmp(ginfo->algorithm, "X25519") == 0
562            || strcmp(ginfo->algorithm, "X448") == 0;
563 
564     return ret;
565 }
566 
567 /* See if group is allowed by security callback */
568 int tls_group_allowed(SSL *s, uint16_t group, int op)
569 {
570     const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group);
571     unsigned char gtmp[2];
572 
573     if (ginfo == NULL)
574         return 0;
575 
576     gtmp[0] = group >> 8;
577     gtmp[1] = group & 0xff;
578     return ssl_security(s, op, ginfo->secbits,
579                         tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp);
580 }
581 
582 /* Return 1 if "id" is in "list" */
583 static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
584 {
585     size_t i;
586     for (i = 0; i < listlen; i++)
587         if (list[i] == id)
588             return 1;
589     return 0;
590 }
591 
592 /*-
593  * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
594  * if there is no match.
595  * For nmatch == -1, return number of matches
596  * For nmatch == -2, return the id of the group to use for
597  * a tmp key, or 0 if there is no match.
598  */
599 uint16_t tls1_shared_group(SSL *s, int nmatch)
600 {
601     const uint16_t *pref, *supp;
602     size_t num_pref, num_supp, i;
603     int k;
604     SSL_CTX *ctx = s->ctx;
605 
606     /* Can't do anything on client side */
607     if (s->server == 0)
608         return 0;
609     if (nmatch == -2) {
610         if (tls1_suiteb(s)) {
611             /*
612              * For Suite B ciphersuite determines curve: we already know
613              * these are acceptable due to previous checks.
614              */
615             unsigned long cid = s->s3.tmp.new_cipher->id;
616 
617             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
618                 return TLSEXT_curve_P_256;
619             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
620                 return TLSEXT_curve_P_384;
621             /* Should never happen */
622             return 0;
623         }
624         /* If not Suite B just return first preference shared curve */
625         nmatch = 0;
626     }
627     /*
628      * If server preference set, our groups are the preference order
629      * otherwise peer decides.
630      */
631     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
632         tls1_get_supported_groups(s, &pref, &num_pref);
633         tls1_get_peer_groups(s, &supp, &num_supp);
634     } else {
635         tls1_get_peer_groups(s, &pref, &num_pref);
636         tls1_get_supported_groups(s, &supp, &num_supp);
637     }
638 
639     for (k = 0, i = 0; i < num_pref; i++) {
640         uint16_t id = pref[i];
641         const TLS_GROUP_INFO *inf;
642 
643         if (!tls1_in_list(id, supp, num_supp)
644                 || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED))
645             continue;
646         inf = tls1_group_id_lookup(ctx, id);
647         if (!ossl_assert(inf != NULL))
648             return 0;
649         if (SSL_IS_DTLS(s)) {
650             if (inf->maxdtls == -1)
651                 continue;
652             if ((inf->mindtls != 0 && DTLS_VERSION_LT(s->version, inf->mindtls))
653                     || (inf->maxdtls != 0
654                         && DTLS_VERSION_GT(s->version, inf->maxdtls)))
655                 continue;
656         } else {
657             if (inf->maxtls == -1)
658                 continue;
659             if ((inf->mintls != 0 && s->version < inf->mintls)
660                     || (inf->maxtls != 0 && s->version > inf->maxtls))
661                 continue;
662         }
663 
664         if (nmatch == k)
665             return id;
666          k++;
667     }
668     if (nmatch == -1)
669         return k;
670     /* Out of range (nmatch > k). */
671     return 0;
672 }
673 
674 int tls1_set_groups(uint16_t **pext, size_t *pextlen,
675                     int *groups, size_t ngroups)
676 {
677     uint16_t *glist;
678     size_t i;
679     /*
680      * Bitmap of groups included to detect duplicates: two variables are added
681      * to detect duplicates as some values are more than 32.
682      */
683     unsigned long *dup_list = NULL;
684     unsigned long dup_list_egrp = 0;
685     unsigned long dup_list_dhgrp = 0;
686 
687     if (ngroups == 0) {
688         ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
689         return 0;
690     }
691     if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
692         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
693         return 0;
694     }
695     for (i = 0; i < ngroups; i++) {
696         unsigned long idmask;
697         uint16_t id;
698         id = tls1_nid2group_id(groups[i]);
699         if ((id & 0x00FF) >= (sizeof(unsigned long) * 8))
700             goto err;
701         idmask = 1L << (id & 0x00FF);
702         dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp;
703         if (!id || ((*dup_list) & idmask))
704             goto err;
705         *dup_list |= idmask;
706         glist[i] = id;
707     }
708     OPENSSL_free(*pext);
709     *pext = glist;
710     *pextlen = ngroups;
711     return 1;
712 err:
713     OPENSSL_free(glist);
714     return 0;
715 }
716 
717 # define GROUPLIST_INCREMENT   40
718 # define GROUP_NAME_BUFFER_LENGTH 64
719 typedef struct {
720     SSL_CTX *ctx;
721     size_t gidcnt;
722     size_t gidmax;
723     uint16_t *gid_arr;
724 } gid_cb_st;
725 
726 static int gid_cb(const char *elem, int len, void *arg)
727 {
728     gid_cb_st *garg = arg;
729     size_t i;
730     uint16_t gid = 0;
731     char etmp[GROUP_NAME_BUFFER_LENGTH];
732 
733     if (elem == NULL)
734         return 0;
735     if (garg->gidcnt == garg->gidmax) {
736         uint16_t *tmp =
737             OPENSSL_realloc(garg->gid_arr,
738                             (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr));
739         if (tmp == NULL)
740             return 0;
741         garg->gidmax += GROUPLIST_INCREMENT;
742         garg->gid_arr = tmp;
743     }
744     if (len > (int)(sizeof(etmp) - 1))
745         return 0;
746     memcpy(etmp, elem, len);
747     etmp[len] = 0;
748 
749     gid = tls1_group_name2id(garg->ctx, etmp);
750     if (gid == 0) {
751         ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
752                        "group '%s' cannot be set", etmp);
753         return 0;
754     }
755     for (i = 0; i < garg->gidcnt; i++)
756         if (garg->gid_arr[i] == gid)
757             return 0;
758     garg->gid_arr[garg->gidcnt++] = gid;
759     return 1;
760 }
761 
762 /* Set groups based on a colon separated list */
763 int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen,
764                          const char *str)
765 {
766     gid_cb_st gcb;
767     uint16_t *tmparr;
768     int ret = 0;
769 
770     gcb.gidcnt = 0;
771     gcb.gidmax = GROUPLIST_INCREMENT;
772     gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr));
773     if (gcb.gid_arr == NULL)
774         return 0;
775     gcb.ctx = ctx;
776     if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb))
777         goto end;
778     if (pext == NULL) {
779         ret = 1;
780         goto end;
781     }
782 
783     /*
784      * gid_cb ensurse there are no duplicates so we can just go ahead and set
785      * the result
786      */
787     tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr));
788     if (tmparr == NULL)
789         goto end;
790     OPENSSL_free(*pext);
791     *pext = tmparr;
792     *pextlen = gcb.gidcnt;
793     ret = 1;
794  end:
795     OPENSSL_free(gcb.gid_arr);
796     return ret;
797 }
798 
799 /* Check a group id matches preferences */
800 int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
801     {
802     const uint16_t *groups;
803     size_t groups_len;
804 
805     if (group_id == 0)
806         return 0;
807 
808     /* Check for Suite B compliance */
809     if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) {
810         unsigned long cid = s->s3.tmp.new_cipher->id;
811 
812         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
813             if (group_id != TLSEXT_curve_P_256)
814                 return 0;
815         } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
816             if (group_id != TLSEXT_curve_P_384)
817                 return 0;
818         } else {
819             /* Should never happen */
820             return 0;
821         }
822     }
823 
824     if (check_own_groups) {
825         /* Check group is one of our preferences */
826         tls1_get_supported_groups(s, &groups, &groups_len);
827         if (!tls1_in_list(group_id, groups, groups_len))
828             return 0;
829     }
830 
831     if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
832         return 0;
833 
834     /* For clients, nothing more to check */
835     if (!s->server)
836         return 1;
837 
838     /* Check group is one of peers preferences */
839     tls1_get_peer_groups(s, &groups, &groups_len);
840 
841     /*
842      * RFC 4492 does not require the supported elliptic curves extension
843      * so if it is not sent we can just choose any curve.
844      * It is invalid to send an empty list in the supported groups
845      * extension, so groups_len == 0 always means no extension.
846      */
847     if (groups_len == 0)
848             return 1;
849     return tls1_in_list(group_id, groups, groups_len);
850 }
851 
852 void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
853                          size_t *num_formats)
854 {
855     /*
856      * If we have a custom point format list use it otherwise use default
857      */
858     if (s->ext.ecpointformats) {
859         *pformats = s->ext.ecpointformats;
860         *num_formats = s->ext.ecpointformats_len;
861     } else {
862         *pformats = ecformats_default;
863         /* For Suite B we don't support char2 fields */
864         if (tls1_suiteb(s))
865             *num_formats = sizeof(ecformats_default) - 1;
866         else
867             *num_formats = sizeof(ecformats_default);
868     }
869 }
870 
871 /* Check a key is compatible with compression extension */
872 static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
873 {
874     unsigned char comp_id;
875     size_t i;
876     int point_conv;
877 
878     /* If not an EC key nothing to check */
879     if (!EVP_PKEY_is_a(pkey, "EC"))
880         return 1;
881 
882 
883     /* Get required compression id */
884     point_conv = EVP_PKEY_get_ec_point_conv_form(pkey);
885     if (point_conv == 0)
886         return 0;
887     if (point_conv == POINT_CONVERSION_UNCOMPRESSED) {
888             comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
889     } else if (SSL_IS_TLS13(s)) {
890         /*
891          * ec_point_formats extension is not used in TLSv1.3 so we ignore
892          * this check.
893          */
894         return 1;
895     } else {
896         int field_type = EVP_PKEY_get_field_type(pkey);
897 
898         if (field_type == NID_X9_62_prime_field)
899             comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
900         else if (field_type == NID_X9_62_characteristic_two_field)
901             comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
902         else
903             return 0;
904     }
905     /*
906      * If point formats extension present check it, otherwise everything is
907      * supported (see RFC4492).
908      */
909     if (s->ext.peer_ecpointformats == NULL)
910         return 1;
911 
912     for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
913         if (s->ext.peer_ecpointformats[i] == comp_id)
914             return 1;
915     }
916     return 0;
917 }
918 
919 /* Return group id of a key */
920 static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
921 {
922     int curve_nid = ssl_get_EC_curve_nid(pkey);
923 
924     if (curve_nid == NID_undef)
925         return 0;
926     return tls1_nid2group_id(curve_nid);
927 }
928 
929 /*
930  * Check cert parameters compatible with extensions: currently just checks EC
931  * certificates have compatible curves and compression.
932  */
933 static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
934 {
935     uint16_t group_id;
936     EVP_PKEY *pkey;
937     pkey = X509_get0_pubkey(x);
938     if (pkey == NULL)
939         return 0;
940     /* If not EC nothing to do */
941     if (!EVP_PKEY_is_a(pkey, "EC"))
942         return 1;
943     /* Check compression */
944     if (!tls1_check_pkey_comp(s, pkey))
945         return 0;
946     group_id = tls1_get_group_id(pkey);
947     /*
948      * For a server we allow the certificate to not be in our list of supported
949      * groups.
950      */
951     if (!tls1_check_group_id(s, group_id, !s->server))
952         return 0;
953     /*
954      * Special case for suite B. We *MUST* sign using SHA256+P-256 or
955      * SHA384+P-384.
956      */
957     if (check_ee_md && tls1_suiteb(s)) {
958         int check_md;
959         size_t i;
960 
961         /* Check to see we have necessary signing algorithm */
962         if (group_id == TLSEXT_curve_P_256)
963             check_md = NID_ecdsa_with_SHA256;
964         else if (group_id == TLSEXT_curve_P_384)
965             check_md = NID_ecdsa_with_SHA384;
966         else
967             return 0;           /* Should never happen */
968         for (i = 0; i < s->shared_sigalgslen; i++) {
969             if (check_md == s->shared_sigalgs[i]->sigandhash)
970                 return 1;;
971         }
972         return 0;
973     }
974     return 1;
975 }
976 
977 /*
978  * tls1_check_ec_tmp_key - Check EC temporary key compatibility
979  * @s: SSL connection
980  * @cid: Cipher ID we're considering using
981  *
982  * Checks that the kECDHE cipher suite we're considering using
983  * is compatible with the client extensions.
984  *
985  * Returns 0 when the cipher can't be used or 1 when it can.
986  */
987 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
988 {
989     /* If not Suite B just need a shared group */
990     if (!tls1_suiteb(s))
991         return tls1_shared_group(s, 0) != 0;
992     /*
993      * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
994      * curves permitted.
995      */
996     if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
997         return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
998     if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
999         return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);
1000 
1001     return 0;
1002 }
1003 
1004 /* Default sigalg schemes */
1005 static const uint16_t tls12_sigalgs[] = {
1006     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
1007     TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
1008     TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
1009     TLSEXT_SIGALG_ed25519,
1010     TLSEXT_SIGALG_ed448,
1011 
1012     TLSEXT_SIGALG_rsa_pss_pss_sha256,
1013     TLSEXT_SIGALG_rsa_pss_pss_sha384,
1014     TLSEXT_SIGALG_rsa_pss_pss_sha512,
1015     TLSEXT_SIGALG_rsa_pss_rsae_sha256,
1016     TLSEXT_SIGALG_rsa_pss_rsae_sha384,
1017     TLSEXT_SIGALG_rsa_pss_rsae_sha512,
1018 
1019     TLSEXT_SIGALG_rsa_pkcs1_sha256,
1020     TLSEXT_SIGALG_rsa_pkcs1_sha384,
1021     TLSEXT_SIGALG_rsa_pkcs1_sha512,
1022 
1023     TLSEXT_SIGALG_ecdsa_sha224,
1024     TLSEXT_SIGALG_ecdsa_sha1,
1025 
1026     TLSEXT_SIGALG_rsa_pkcs1_sha224,
1027     TLSEXT_SIGALG_rsa_pkcs1_sha1,
1028 
1029     TLSEXT_SIGALG_dsa_sha224,
1030     TLSEXT_SIGALG_dsa_sha1,
1031 
1032     TLSEXT_SIGALG_dsa_sha256,
1033     TLSEXT_SIGALG_dsa_sha384,
1034     TLSEXT_SIGALG_dsa_sha512,
1035 
1036 #ifndef OPENSSL_NO_GOST
1037     TLSEXT_SIGALG_gostr34102012_256_intrinsic,
1038     TLSEXT_SIGALG_gostr34102012_512_intrinsic,
1039     TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
1040     TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
1041     TLSEXT_SIGALG_gostr34102001_gostr3411,
1042 #endif
1043 };
1044 
1045 
1046 static const uint16_t suiteb_sigalgs[] = {
1047     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
1048     TLSEXT_SIGALG_ecdsa_secp384r1_sha384
1049 };
1050 
1051 static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
1052     {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
1053      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1054      NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1},
1055     {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
1056      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1057      NID_ecdsa_with_SHA384, NID_secp384r1, 1},
1058     {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
1059      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1060      NID_ecdsa_with_SHA512, NID_secp521r1, 1},
1061     {"ed25519", TLSEXT_SIGALG_ed25519,
1062      NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
1063      NID_undef, NID_undef, 1},
1064     {"ed448", TLSEXT_SIGALG_ed448,
1065      NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
1066      NID_undef, NID_undef, 1},
1067     {NULL, TLSEXT_SIGALG_ecdsa_sha224,
1068      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1069      NID_ecdsa_with_SHA224, NID_undef, 1},
1070     {NULL, TLSEXT_SIGALG_ecdsa_sha1,
1071      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1072      NID_ecdsa_with_SHA1, NID_undef, 1},
1073     {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
1074      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
1075      NID_undef, NID_undef, 1},
1076     {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
1077      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
1078      NID_undef, NID_undef, 1},
1079     {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
1080      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
1081      NID_undef, NID_undef, 1},
1082     {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
1083      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
1084      NID_undef, NID_undef, 1},
1085     {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
1086      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
1087      NID_undef, NID_undef, 1},
1088     {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
1089      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
1090      NID_undef, NID_undef, 1},
1091     {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
1092      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
1093      NID_sha256WithRSAEncryption, NID_undef, 1},
1094     {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
1095      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
1096      NID_sha384WithRSAEncryption, NID_undef, 1},
1097     {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
1098      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
1099      NID_sha512WithRSAEncryption, NID_undef, 1},
1100     {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
1101      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
1102      NID_sha224WithRSAEncryption, NID_undef, 1},
1103     {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
1104      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
1105      NID_sha1WithRSAEncryption, NID_undef, 1},
1106     {NULL, TLSEXT_SIGALG_dsa_sha256,
1107      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
1108      NID_dsa_with_SHA256, NID_undef, 1},
1109     {NULL, TLSEXT_SIGALG_dsa_sha384,
1110      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
1111      NID_undef, NID_undef, 1},
1112     {NULL, TLSEXT_SIGALG_dsa_sha512,
1113      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
1114      NID_undef, NID_undef, 1},
1115     {NULL, TLSEXT_SIGALG_dsa_sha224,
1116      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
1117      NID_undef, NID_undef, 1},
1118     {NULL, TLSEXT_SIGALG_dsa_sha1,
1119      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
1120      NID_dsaWithSHA1, NID_undef, 1},
1121 #ifndef OPENSSL_NO_GOST
1122     {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic,
1123      NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
1124      NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
1125      NID_undef, NID_undef, 1},
1126     {NULL, TLSEXT_SIGALG_gostr34102012_512_intrinsic,
1127      NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
1128      NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
1129      NID_undef, NID_undef, 1},
1130     {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
1131      NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
1132      NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
1133      NID_undef, NID_undef, 1},
1134     {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
1135      NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
1136      NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
1137      NID_undef, NID_undef, 1},
1138     {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
1139      NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
1140      NID_id_GostR3410_2001, SSL_PKEY_GOST01,
1141      NID_undef, NID_undef, 1}
1142 #endif
1143 };
1144 /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
1145 static const SIGALG_LOOKUP legacy_rsa_sigalg = {
1146     "rsa_pkcs1_md5_sha1", 0,
1147      NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
1148      EVP_PKEY_RSA, SSL_PKEY_RSA,
1149      NID_undef, NID_undef, 1
1150 };
1151 
1152 /*
1153  * Default signature algorithm values used if signature algorithms not present.
1154  * From RFC5246. Note: order must match certificate index order.
1155  */
1156 static const uint16_t tls_default_sigalg[] = {
1157     TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
1158     0, /* SSL_PKEY_RSA_PSS_SIGN */
1159     TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
1160     TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
1161     TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
1162     TLSEXT_SIGALG_gostr34102012_256_intrinsic, /* SSL_PKEY_GOST12_256 */
1163     TLSEXT_SIGALG_gostr34102012_512_intrinsic, /* SSL_PKEY_GOST12_512 */
1164     0, /* SSL_PKEY_ED25519 */
1165     0, /* SSL_PKEY_ED448 */
1166 };
1167 
1168 int ssl_setup_sig_algs(SSL_CTX *ctx)
1169 {
1170     size_t i;
1171     const SIGALG_LOOKUP *lu;
1172     SIGALG_LOOKUP *cache
1173         = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
1174     EVP_PKEY *tmpkey = EVP_PKEY_new();
1175     int ret = 0;
1176 
1177     if (cache == NULL || tmpkey == NULL)
1178         goto err;
1179 
1180     ERR_set_mark();
1181     for (i = 0, lu = sigalg_lookup_tbl;
1182          i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
1183         EVP_PKEY_CTX *pctx;
1184 
1185         cache[i] = *lu;
1186 
1187         /*
1188          * Check hash is available.
1189          * This test is not perfect. A provider could have support
1190          * for a signature scheme, but not a particular hash. However the hash
1191          * could be available from some other loaded provider. In that case it
1192          * could be that the signature is available, and the hash is available
1193          * independently - but not as a combination. We ignore this for now.
1194          */
1195         if (lu->hash != NID_undef
1196                 && ctx->ssl_digest_methods[lu->hash_idx] == NULL) {
1197             cache[i].enabled = 0;
1198             continue;
1199         }
1200 
1201         if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
1202             cache[i].enabled = 0;
1203             continue;
1204         }
1205         pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, tmpkey, ctx->propq);
1206         /* If unable to create pctx we assume the sig algorithm is unavailable */
1207         if (pctx == NULL)
1208             cache[i].enabled = 0;
1209         EVP_PKEY_CTX_free(pctx);
1210     }
1211     ERR_pop_to_mark();
1212     ctx->sigalg_lookup_cache = cache;
1213     cache = NULL;
1214 
1215     ret = 1;
1216  err:
1217     OPENSSL_free(cache);
1218     EVP_PKEY_free(tmpkey);
1219     return ret;
1220 }
1221 
1222 /* Lookup TLS signature algorithm */
1223 static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL *s, uint16_t sigalg)
1224 {
1225     size_t i;
1226     const SIGALG_LOOKUP *lu;
1227 
1228     for (i = 0, lu = s->ctx->sigalg_lookup_cache;
1229          /* cache should have the same number of elements as sigalg_lookup_tbl */
1230          i < OSSL_NELEM(sigalg_lookup_tbl);
1231          lu++, i++) {
1232         if (lu->sigalg == sigalg) {
1233             if (!lu->enabled)
1234                 return NULL;
1235             return lu;
1236         }
1237     }
1238     return NULL;
1239 }
1240 /* Lookup hash: return 0 if invalid or not enabled */
1241 int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
1242 {
1243     const EVP_MD *md;
1244     if (lu == NULL)
1245         return 0;
1246     /* lu->hash == NID_undef means no associated digest */
1247     if (lu->hash == NID_undef) {
1248         md = NULL;
1249     } else {
1250         md = ssl_md(ctx, lu->hash_idx);
1251         if (md == NULL)
1252             return 0;
1253     }
1254     if (pmd)
1255         *pmd = md;
1256     return 1;
1257 }
1258 
1259 /*
1260  * Check if key is large enough to generate RSA-PSS signature.
1261  *
1262  * The key must greater than or equal to 2 * hash length + 2.
1263  * SHA512 has a hash length of 64 bytes, which is incompatible
1264  * with a 128 byte (1024 bit) key.
1265  */
1266 #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2)
1267 static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey,
1268                                       const SIGALG_LOOKUP *lu)
1269 {
1270     const EVP_MD *md;
1271 
1272     if (pkey == NULL)
1273         return 0;
1274     if (!tls1_lookup_md(ctx, lu, &md) || md == NULL)
1275         return 0;
1276     if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md))
1277         return 0;
1278     return 1;
1279 }
1280 
1281 /*
1282  * Returns a signature algorithm when the peer did not send a list of supported
1283  * signature algorithms. The signature algorithm is fixed for the certificate
1284  * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
1285  * certificate type from |s| will be used.
1286  * Returns the signature algorithm to use, or NULL on error.
1287  */
1288 static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
1289 {
1290     if (idx == -1) {
1291         if (s->server) {
1292             size_t i;
1293 
1294             /* Work out index corresponding to ciphersuite */
1295             for (i = 0; i < SSL_PKEY_NUM; i++) {
1296                 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);
1297 
1298                 if (clu == NULL)
1299                     continue;
1300                 if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) {
1301                     idx = i;
1302                     break;
1303                 }
1304             }
1305 
1306             /*
1307              * Some GOST ciphersuites allow more than one signature algorithms
1308              * */
1309             if (idx == SSL_PKEY_GOST01 && s->s3.tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
1310                 int real_idx;
1311 
1312                 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
1313                      real_idx--) {
1314                     if (s->cert->pkeys[real_idx].privatekey != NULL) {
1315                         idx = real_idx;
1316                         break;
1317                     }
1318                 }
1319             }
1320             /*
1321              * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used
1322              * with new (aGOST12-only) ciphersuites, we should find out which one is available really.
1323              */
1324             else if (idx == SSL_PKEY_GOST12_256) {
1325                 int real_idx;
1326 
1327                 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256;
1328                      real_idx--) {
1329                      if (s->cert->pkeys[real_idx].privatekey != NULL) {
1330                          idx = real_idx;
1331                          break;
1332                      }
1333                 }
1334             }
1335         } else {
1336             idx = s->cert->key - s->cert->pkeys;
1337         }
1338     }
1339     if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
1340         return NULL;
1341     if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
1342         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, tls_default_sigalg[idx]);
1343 
1344         if (lu == NULL)
1345             return NULL;
1346         if (!tls1_lookup_md(s->ctx, lu, NULL))
1347             return NULL;
1348         if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
1349             return NULL;
1350         return lu;
1351     }
1352     if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
1353         return NULL;
1354     return &legacy_rsa_sigalg;
1355 }
1356 /* Set peer sigalg based key type */
1357 int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
1358 {
1359     size_t idx;
1360     const SIGALG_LOOKUP *lu;
1361 
1362     if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
1363         return 0;
1364     lu = tls1_get_legacy_sigalg(s, idx);
1365     if (lu == NULL)
1366         return 0;
1367     s->s3.tmp.peer_sigalg = lu;
1368     return 1;
1369 }
1370 
1371 size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
1372 {
1373     /*
1374      * If Suite B mode use Suite B sigalgs only, ignore any other
1375      * preferences.
1376      */
1377     switch (tls1_suiteb(s)) {
1378     case SSL_CERT_FLAG_SUITEB_128_LOS:
1379         *psigs = suiteb_sigalgs;
1380         return OSSL_NELEM(suiteb_sigalgs);
1381 
1382     case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1383         *psigs = suiteb_sigalgs;
1384         return 1;
1385 
1386     case SSL_CERT_FLAG_SUITEB_192_LOS:
1387         *psigs = suiteb_sigalgs + 1;
1388         return 1;
1389     }
1390     /*
1391      *  We use client_sigalgs (if not NULL) if we're a server
1392      *  and sending a certificate request or if we're a client and
1393      *  determining which shared algorithm to use.
1394      */
1395     if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
1396         *psigs = s->cert->client_sigalgs;
1397         return s->cert->client_sigalgslen;
1398     } else if (s->cert->conf_sigalgs) {
1399         *psigs = s->cert->conf_sigalgs;
1400         return s->cert->conf_sigalgslen;
1401     } else {
1402         *psigs = tls12_sigalgs;
1403         return OSSL_NELEM(tls12_sigalgs);
1404     }
1405 }
1406 
1407 /*
1408  * Called by servers only. Checks that we have a sig alg that supports the
1409  * specified EC curve.
1410  */
1411 int tls_check_sigalg_curve(const SSL *s, int curve)
1412 {
1413    const uint16_t *sigs;
1414    size_t siglen, i;
1415 
1416     if (s->cert->conf_sigalgs) {
1417         sigs = s->cert->conf_sigalgs;
1418         siglen = s->cert->conf_sigalgslen;
1419     } else {
1420         sigs = tls12_sigalgs;
1421         siglen = OSSL_NELEM(tls12_sigalgs);
1422     }
1423 
1424     for (i = 0; i < siglen; i++) {
1425         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, sigs[i]);
1426 
1427         if (lu == NULL)
1428             continue;
1429         if (lu->sig == EVP_PKEY_EC
1430                 && lu->curve != NID_undef
1431                 && curve == lu->curve)
1432             return 1;
1433     }
1434 
1435     return 0;
1436 }
1437 
1438 /*
1439  * Return the number of security bits for the signature algorithm, or 0 on
1440  * error.
1441  */
1442 static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu)
1443 {
1444     const EVP_MD *md = NULL;
1445     int secbits = 0;
1446 
1447     if (!tls1_lookup_md(ctx, lu, &md))
1448         return 0;
1449     if (md != NULL)
1450     {
1451         int md_type = EVP_MD_get_type(md);
1452 
1453         /* Security bits: half digest bits */
1454         secbits = EVP_MD_get_size(md) * 4;
1455         /*
1456          * SHA1 and MD5 are known to be broken. Reduce security bits so that
1457          * they're no longer accepted at security level 1. The real values don't
1458          * really matter as long as they're lower than 80, which is our
1459          * security level 1.
1460          * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for
1461          * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2
1462          * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
1463          * puts a chosen-prefix attack for MD5 at 2^39.
1464          */
1465         if (md_type == NID_sha1)
1466             secbits = 64;
1467         else if (md_type == NID_md5_sha1)
1468             secbits = 67;
1469         else if (md_type == NID_md5)
1470             secbits = 39;
1471     } else {
1472         /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
1473         if (lu->sigalg == TLSEXT_SIGALG_ed25519)
1474             secbits = 128;
1475         else if (lu->sigalg == TLSEXT_SIGALG_ed448)
1476             secbits = 224;
1477     }
1478     return secbits;
1479 }
1480 
1481 /*
1482  * Check signature algorithm is consistent with sent supported signature
1483  * algorithms and if so set relevant digest and signature scheme in
1484  * s.
1485  */
1486 int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
1487 {
1488     const uint16_t *sent_sigs;
1489     const EVP_MD *md = NULL;
1490     char sigalgstr[2];
1491     size_t sent_sigslen, i, cidx;
1492     int pkeyid = -1;
1493     const SIGALG_LOOKUP *lu;
1494     int secbits = 0;
1495 
1496     pkeyid = EVP_PKEY_get_id(pkey);
1497     /* Should never happen */
1498     if (pkeyid == -1)
1499         return -1;
1500     if (SSL_IS_TLS13(s)) {
1501         /* Disallow DSA for TLS 1.3 */
1502         if (pkeyid == EVP_PKEY_DSA) {
1503             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
1504             return 0;
1505         }
1506         /* Only allow PSS for TLS 1.3 */
1507         if (pkeyid == EVP_PKEY_RSA)
1508             pkeyid = EVP_PKEY_RSA_PSS;
1509     }
1510     lu = tls1_lookup_sigalg(s, sig);
1511     /*
1512      * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
1513      * is consistent with signature: RSA keys can be used for RSA-PSS
1514      */
1515     if (lu == NULL
1516         || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
1517         || (pkeyid != lu->sig
1518         && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
1519         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
1520         return 0;
1521     }
1522     /* Check the sigalg is consistent with the key OID */
1523     if (!ssl_cert_lookup_by_nid(EVP_PKEY_get_id(pkey), &cidx)
1524             || lu->sig_idx != (int)cidx) {
1525         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
1526         return 0;
1527     }
1528 
1529     if (pkeyid == EVP_PKEY_EC) {
1530 
1531         /* Check point compression is permitted */
1532         if (!tls1_check_pkey_comp(s, pkey)) {
1533             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1534                      SSL_R_ILLEGAL_POINT_COMPRESSION);
1535             return 0;
1536         }
1537 
1538         /* For TLS 1.3 or Suite B check curve matches signature algorithm */
1539         if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
1540             int curve = ssl_get_EC_curve_nid(pkey);
1541 
1542             if (lu->curve != NID_undef && curve != lu->curve) {
1543                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
1544                 return 0;
1545             }
1546         }
1547         if (!SSL_IS_TLS13(s)) {
1548             /* Check curve matches extensions */
1549             if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
1550                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
1551                 return 0;
1552             }
1553             if (tls1_suiteb(s)) {
1554                 /* Check sigalg matches a permissible Suite B value */
1555                 if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
1556                     && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
1557                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1558                              SSL_R_WRONG_SIGNATURE_TYPE);
1559                     return 0;
1560                 }
1561             }
1562         }
1563     } else if (tls1_suiteb(s)) {
1564         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
1565         return 0;
1566     }
1567 
1568     /* Check signature matches a type we sent */
1569     sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
1570     for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
1571         if (sig == *sent_sigs)
1572             break;
1573     }
1574     /* Allow fallback to SHA1 if not strict mode */
1575     if (i == sent_sigslen && (lu->hash != NID_sha1
1576         || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1577         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
1578         return 0;
1579     }
1580     if (!tls1_lookup_md(s->ctx, lu, &md)) {
1581         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
1582         return 0;
1583     }
1584     /*
1585      * Make sure security callback allows algorithm. For historical
1586      * reasons we have to pass the sigalg as a two byte char array.
1587      */
1588     sigalgstr[0] = (sig >> 8) & 0xff;
1589     sigalgstr[1] = sig & 0xff;
1590     secbits = sigalg_security_bits(s->ctx, lu);
1591     if (secbits == 0 ||
1592         !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
1593                       md != NULL ? EVP_MD_get_type(md) : NID_undef,
1594                       (void *)sigalgstr)) {
1595         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
1596         return 0;
1597     }
1598     /* Store the sigalg the peer uses */
1599     s->s3.tmp.peer_sigalg = lu;
1600     return 1;
1601 }
1602 
1603 int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
1604 {
1605     if (s->s3.tmp.peer_sigalg == NULL)
1606         return 0;
1607     *pnid = s->s3.tmp.peer_sigalg->sig;
1608     return 1;
1609 }
1610 
1611 int SSL_get_signature_type_nid(const SSL *s, int *pnid)
1612 {
1613     if (s->s3.tmp.sigalg == NULL)
1614         return 0;
1615     *pnid = s->s3.tmp.sigalg->sig;
1616     return 1;
1617 }
1618 
1619 /*
1620  * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
1621  * supported, doesn't appear in supported signature algorithms, isn't supported
1622  * by the enabled protocol versions or by the security level.
1623  *
1624  * This function should only be used for checking which ciphers are supported
1625  * by the client.
1626  *
1627  * Call ssl_cipher_disabled() to check that it's enabled or not.
1628  */
1629 int ssl_set_client_disabled(SSL *s)
1630 {
1631     s->s3.tmp.mask_a = 0;
1632     s->s3.tmp.mask_k = 0;
1633     ssl_set_sig_mask(&s->s3.tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
1634     if (ssl_get_min_max_version(s, &s->s3.tmp.min_ver,
1635                                 &s->s3.tmp.max_ver, NULL) != 0)
1636         return 0;
1637 #ifndef OPENSSL_NO_PSK
1638     /* with PSK there must be client callback set */
1639     if (!s->psk_client_callback) {
1640         s->s3.tmp.mask_a |= SSL_aPSK;
1641         s->s3.tmp.mask_k |= SSL_PSK;
1642     }
1643 #endif                          /* OPENSSL_NO_PSK */
1644 #ifndef OPENSSL_NO_SRP
1645     if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1646         s->s3.tmp.mask_a |= SSL_aSRP;
1647         s->s3.tmp.mask_k |= SSL_kSRP;
1648     }
1649 #endif
1650     return 1;
1651 }
1652 
1653 /*
1654  * ssl_cipher_disabled - check that a cipher is disabled or not
1655  * @s: SSL connection that you want to use the cipher on
1656  * @c: cipher to check
1657  * @op: Security check that you want to do
1658  * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
1659  *
1660  * Returns 1 when it's disabled, 0 when enabled.
1661  */
1662 int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
1663 {
1664     if (c->algorithm_mkey & s->s3.tmp.mask_k
1665         || c->algorithm_auth & s->s3.tmp.mask_a)
1666         return 1;
1667     if (s->s3.tmp.max_ver == 0)
1668         return 1;
1669     if (!SSL_IS_DTLS(s)) {
1670         int min_tls = c->min_tls;
1671 
1672         /*
1673          * For historical reasons we will allow ECHDE to be selected by a server
1674          * in SSLv3 if we are a client
1675          */
1676         if (min_tls == TLS1_VERSION && ecdhe
1677                 && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
1678             min_tls = SSL3_VERSION;
1679 
1680         if ((min_tls > s->s3.tmp.max_ver) || (c->max_tls < s->s3.tmp.min_ver))
1681             return 1;
1682     }
1683     if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3.tmp.max_ver)
1684                            || DTLS_VERSION_LT(c->max_dtls, s->s3.tmp.min_ver)))
1685         return 1;
1686 
1687     return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1688 }
1689 
1690 int tls_use_ticket(SSL *s)
1691 {
1692     if ((s->options & SSL_OP_NO_TICKET))
1693         return 0;
1694     return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1695 }
1696 
1697 int tls1_set_server_sigalgs(SSL *s)
1698 {
1699     size_t i;
1700 
1701     /* Clear any shared signature algorithms */
1702     OPENSSL_free(s->shared_sigalgs);
1703     s->shared_sigalgs = NULL;
1704     s->shared_sigalgslen = 0;
1705     /* Clear certificate validity flags */
1706     for (i = 0; i < SSL_PKEY_NUM; i++)
1707         s->s3.tmp.valid_flags[i] = 0;
1708     /*
1709      * If peer sent no signature algorithms check to see if we support
1710      * the default algorithm for each certificate type
1711      */
1712     if (s->s3.tmp.peer_cert_sigalgs == NULL
1713             && s->s3.tmp.peer_sigalgs == NULL) {
1714         const uint16_t *sent_sigs;
1715         size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
1716 
1717         for (i = 0; i < SSL_PKEY_NUM; i++) {
1718             const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
1719             size_t j;
1720 
1721             if (lu == NULL)
1722                 continue;
1723             /* Check default matches a type we sent */
1724             for (j = 0; j < sent_sigslen; j++) {
1725                 if (lu->sigalg == sent_sigs[j]) {
1726                         s->s3.tmp.valid_flags[i] = CERT_PKEY_SIGN;
1727                         break;
1728                 }
1729             }
1730         }
1731         return 1;
1732     }
1733 
1734     if (!tls1_process_sigalgs(s)) {
1735         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1736         return 0;
1737     }
1738     if (s->shared_sigalgs != NULL)
1739         return 1;
1740 
1741     /* Fatal error if no shared signature algorithms */
1742     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1743              SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
1744     return 0;
1745 }
1746 
1747 /*-
1748  * Gets the ticket information supplied by the client if any.
1749  *
1750  *   hello: The parsed ClientHello data
1751  *   ret: (output) on return, if a ticket was decrypted, then this is set to
1752  *       point to the resulting session.
1753  */
1754 SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
1755                                              SSL_SESSION **ret)
1756 {
1757     size_t size;
1758     RAW_EXTENSION *ticketext;
1759 
1760     *ret = NULL;
1761     s->ext.ticket_expected = 0;
1762 
1763     /*
1764      * If tickets disabled or not supported by the protocol version
1765      * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
1766      * resumption.
1767      */
1768     if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
1769         return SSL_TICKET_NONE;
1770 
1771     ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
1772     if (!ticketext->present)
1773         return SSL_TICKET_NONE;
1774 
1775     size = PACKET_remaining(&ticketext->data);
1776 
1777     return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
1778                               hello->session_id, hello->session_id_len, ret);
1779 }
1780 
1781 /*-
1782  * tls_decrypt_ticket attempts to decrypt a session ticket.
1783  *
1784  * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are
1785  * expecting a pre-shared key ciphersuite, in which case we have no use for
1786  * session tickets and one will never be decrypted, nor will
1787  * s->ext.ticket_expected be set to 1.
1788  *
1789  * Side effects:
1790  *   Sets s->ext.ticket_expected to 1 if the server will have to issue
1791  *   a new session ticket to the client because the client indicated support
1792  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
1793  *   a session ticket or we couldn't use the one it gave us, or if
1794  *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
1795  *   Otherwise, s->ext.ticket_expected is set to 0.
1796  *
1797  *   etick: points to the body of the session ticket extension.
1798  *   eticklen: the length of the session tickets extension.
1799  *   sess_id: points at the session ID.
1800  *   sesslen: the length of the session ID.
1801  *   psess: (output) on return, if a ticket was decrypted, then this is set to
1802  *       point to the resulting session.
1803  */
1804 SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
1805                                      size_t eticklen, const unsigned char *sess_id,
1806                                      size_t sesslen, SSL_SESSION **psess)
1807 {
1808     SSL_SESSION *sess = NULL;
1809     unsigned char *sdec;
1810     const unsigned char *p;
1811     int slen, ivlen, renew_ticket = 0, declen;
1812     SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
1813     size_t mlen;
1814     unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1815     SSL_HMAC *hctx = NULL;
1816     EVP_CIPHER_CTX *ctx = NULL;
1817     SSL_CTX *tctx = s->session_ctx;
1818 
1819     if (eticklen == 0) {
1820         /*
1821          * The client will accept a ticket but doesn't currently have
1822          * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
1823          */
1824         ret = SSL_TICKET_EMPTY;
1825         goto end;
1826     }
1827     if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) {
1828         /*
1829          * Indicate that the ticket couldn't be decrypted rather than
1830          * generating the session from ticket now, trigger
1831          * abbreviated handshake based on external mechanism to
1832          * calculate the master secret later.
1833          */
1834         ret = SSL_TICKET_NO_DECRYPT;
1835         goto end;
1836     }
1837 
1838     /* Need at least keyname + iv */
1839     if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
1840         ret = SSL_TICKET_NO_DECRYPT;
1841         goto end;
1842     }
1843 
1844     /* Initialize session ticket encryption and HMAC contexts */
1845     hctx = ssl_hmac_new(tctx);
1846     if (hctx == NULL) {
1847         ret = SSL_TICKET_FATAL_ERR_MALLOC;
1848         goto end;
1849     }
1850     ctx = EVP_CIPHER_CTX_new();
1851     if (ctx == NULL) {
1852         ret = SSL_TICKET_FATAL_ERR_MALLOC;
1853         goto end;
1854     }
1855 #ifndef OPENSSL_NO_DEPRECATED_3_0
1856     if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL)
1857 #else
1858     if (tctx->ext.ticket_key_evp_cb != NULL)
1859 #endif
1860     {
1861         unsigned char *nctick = (unsigned char *)etick;
1862         int rv = 0;
1863 
1864         if (tctx->ext.ticket_key_evp_cb != NULL)
1865             rv = tctx->ext.ticket_key_evp_cb(s, nctick,
1866                                              nctick + TLSEXT_KEYNAME_LENGTH,
1867                                              ctx,
1868                                              ssl_hmac_get0_EVP_MAC_CTX(hctx),
1869                                              0);
1870 #ifndef OPENSSL_NO_DEPRECATED_3_0
1871         else if (tctx->ext.ticket_key_cb != NULL)
1872             /* if 0 is returned, write an empty ticket */
1873             rv = tctx->ext.ticket_key_cb(s, nctick,
1874                                          nctick + TLSEXT_KEYNAME_LENGTH,
1875                                          ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0);
1876 #endif
1877         if (rv < 0) {
1878             ret = SSL_TICKET_FATAL_ERR_OTHER;
1879             goto end;
1880         }
1881         if (rv == 0) {
1882             ret = SSL_TICKET_NO_DECRYPT;
1883             goto end;
1884         }
1885         if (rv == 2)
1886             renew_ticket = 1;
1887     } else {
1888         EVP_CIPHER *aes256cbc = NULL;
1889 
1890         /* Check key name matches */
1891         if (memcmp(etick, tctx->ext.tick_key_name,
1892                    TLSEXT_KEYNAME_LENGTH) != 0) {
1893             ret = SSL_TICKET_NO_DECRYPT;
1894             goto end;
1895         }
1896 
1897         aes256cbc = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC",
1898                                      s->ctx->propq);
1899         if (aes256cbc == NULL
1900             || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
1901                              sizeof(tctx->ext.secure->tick_hmac_key),
1902                              "SHA256") <= 0
1903             || EVP_DecryptInit_ex(ctx, aes256cbc, NULL,
1904                                   tctx->ext.secure->tick_aes_key,
1905                                   etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
1906             EVP_CIPHER_free(aes256cbc);
1907             ret = SSL_TICKET_FATAL_ERR_OTHER;
1908             goto end;
1909         }
1910         EVP_CIPHER_free(aes256cbc);
1911         if (SSL_IS_TLS13(s))
1912             renew_ticket = 1;
1913     }
1914     /*
1915      * Attempt to process session ticket, first conduct sanity and integrity
1916      * checks on ticket.
1917      */
1918     mlen = ssl_hmac_size(hctx);
1919     if (mlen == 0) {
1920         ret = SSL_TICKET_FATAL_ERR_OTHER;
1921         goto end;
1922     }
1923 
1924     ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
1925     if (ivlen < 0) {
1926         ret = SSL_TICKET_FATAL_ERR_OTHER;
1927         goto end;
1928     }
1929 
1930     /* Sanity check ticket length: must exceed keyname + IV + HMAC */
1931     if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) {
1932         ret = SSL_TICKET_NO_DECRYPT;
1933         goto end;
1934     }
1935     eticklen -= mlen;
1936     /* Check HMAC of encrypted ticket */
1937     if (ssl_hmac_update(hctx, etick, eticklen) <= 0
1938         || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) {
1939         ret = SSL_TICKET_FATAL_ERR_OTHER;
1940         goto end;
1941     }
1942 
1943     if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
1944         ret = SSL_TICKET_NO_DECRYPT;
1945         goto end;
1946     }
1947     /* Attempt to decrypt session data */
1948     /* Move p after IV to start of encrypted ticket, update length */
1949     p = etick + TLSEXT_KEYNAME_LENGTH + ivlen;
1950     eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen;
1951     sdec = OPENSSL_malloc(eticklen);
1952     if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
1953                                           (int)eticklen) <= 0) {
1954         OPENSSL_free(sdec);
1955         ret = SSL_TICKET_FATAL_ERR_OTHER;
1956         goto end;
1957     }
1958     if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
1959         OPENSSL_free(sdec);
1960         ret = SSL_TICKET_NO_DECRYPT;
1961         goto end;
1962     }
1963     slen += declen;
1964     p = sdec;
1965 
1966     sess = d2i_SSL_SESSION(NULL, &p, slen);
1967     slen -= p - sdec;
1968     OPENSSL_free(sdec);
1969     if (sess) {
1970         /* Some additional consistency checks */
1971         if (slen != 0) {
1972             SSL_SESSION_free(sess);
1973             sess = NULL;
1974             ret = SSL_TICKET_NO_DECRYPT;
1975             goto end;
1976         }
1977         /*
1978          * The session ID, if non-empty, is used by some clients to detect
1979          * that the ticket has been accepted. So we copy it to the session
1980          * structure. If it is empty set length to zero as required by
1981          * standard.
1982          */
1983         if (sesslen) {
1984             memcpy(sess->session_id, sess_id, sesslen);
1985             sess->session_id_length = sesslen;
1986         }
1987         if (renew_ticket)
1988             ret = SSL_TICKET_SUCCESS_RENEW;
1989         else
1990             ret = SSL_TICKET_SUCCESS;
1991         goto end;
1992     }
1993     ERR_clear_error();
1994     /*
1995      * For session parse failure, indicate that we need to send a new ticket.
1996      */
1997     ret = SSL_TICKET_NO_DECRYPT;
1998 
1999  end:
2000     EVP_CIPHER_CTX_free(ctx);
2001     ssl_hmac_free(hctx);
2002 
2003     /*
2004      * If set, the decrypt_ticket_cb() is called unless a fatal error was
2005      * detected above. The callback is responsible for checking |ret| before it
2006      * performs any action
2007      */
2008     if (s->session_ctx->decrypt_ticket_cb != NULL
2009             && (ret == SSL_TICKET_EMPTY
2010                 || ret == SSL_TICKET_NO_DECRYPT
2011                 || ret == SSL_TICKET_SUCCESS
2012                 || ret == SSL_TICKET_SUCCESS_RENEW)) {
2013         size_t keyname_len = eticklen;
2014         int retcb;
2015 
2016         if (keyname_len > TLSEXT_KEYNAME_LENGTH)
2017             keyname_len = TLSEXT_KEYNAME_LENGTH;
2018         retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len,
2019                                                   ret,
2020                                                   s->session_ctx->ticket_cb_data);
2021         switch (retcb) {
2022         case SSL_TICKET_RETURN_ABORT:
2023             ret = SSL_TICKET_FATAL_ERR_OTHER;
2024             break;
2025 
2026         case SSL_TICKET_RETURN_IGNORE:
2027             ret = SSL_TICKET_NONE;
2028             SSL_SESSION_free(sess);
2029             sess = NULL;
2030             break;
2031 
2032         case SSL_TICKET_RETURN_IGNORE_RENEW:
2033             if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT)
2034                 ret = SSL_TICKET_NO_DECRYPT;
2035             /* else the value of |ret| will already do the right thing */
2036             SSL_SESSION_free(sess);
2037             sess = NULL;
2038             break;
2039 
2040         case SSL_TICKET_RETURN_USE:
2041         case SSL_TICKET_RETURN_USE_RENEW:
2042             if (ret != SSL_TICKET_SUCCESS
2043                     && ret != SSL_TICKET_SUCCESS_RENEW)
2044                 ret = SSL_TICKET_FATAL_ERR_OTHER;
2045             else if (retcb == SSL_TICKET_RETURN_USE)
2046                 ret = SSL_TICKET_SUCCESS;
2047             else
2048                 ret = SSL_TICKET_SUCCESS_RENEW;
2049             break;
2050 
2051         default:
2052             ret = SSL_TICKET_FATAL_ERR_OTHER;
2053         }
2054     }
2055 
2056     if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) {
2057         switch (ret) {
2058         case SSL_TICKET_NO_DECRYPT:
2059         case SSL_TICKET_SUCCESS_RENEW:
2060         case SSL_TICKET_EMPTY:
2061             s->ext.ticket_expected = 1;
2062         }
2063     }
2064 
2065     *psess = sess;
2066 
2067     return ret;
2068 }
2069 
2070 /* Check to see if a signature algorithm is allowed */
2071 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
2072 {
2073     unsigned char sigalgstr[2];
2074     int secbits;
2075 
2076     if (lu == NULL || !lu->enabled)
2077         return 0;
2078     /* DSA is not allowed in TLS 1.3 */
2079     if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
2080         return 0;
2081     /*
2082      * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3
2083      * spec
2084      */
2085     if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION
2086         && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
2087             || lu->hash_idx == SSL_MD_MD5_IDX
2088             || lu->hash_idx == SSL_MD_SHA224_IDX))
2089         return 0;
2090 
2091     /* See if public key algorithm allowed */
2092     if (ssl_cert_is_disabled(s->ctx, lu->sig_idx))
2093         return 0;
2094 
2095     if (lu->sig == NID_id_GostR3410_2012_256
2096             || lu->sig == NID_id_GostR3410_2012_512
2097             || lu->sig == NID_id_GostR3410_2001) {
2098         /* We never allow GOST sig algs on the server with TLSv1.3 */
2099         if (s->server && SSL_IS_TLS13(s))
2100             return 0;
2101         if (!s->server
2102                 && s->method->version == TLS_ANY_VERSION
2103                 && s->s3.tmp.max_ver >= TLS1_3_VERSION) {
2104             int i, num;
2105             STACK_OF(SSL_CIPHER) *sk;
2106 
2107             /*
2108              * We're a client that could negotiate TLSv1.3. We only allow GOST
2109              * sig algs if we could negotiate TLSv1.2 or below and we have GOST
2110              * ciphersuites enabled.
2111              */
2112 
2113             if (s->s3.tmp.min_ver >= TLS1_3_VERSION)
2114                 return 0;
2115 
2116             sk = SSL_get_ciphers(s);
2117             num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0;
2118             for (i = 0; i < num; i++) {
2119                 const SSL_CIPHER *c;
2120 
2121                 c = sk_SSL_CIPHER_value(sk, i);
2122                 /* Skip disabled ciphers */
2123                 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
2124                     continue;
2125 
2126                 if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0)
2127                     break;
2128             }
2129             if (i == num)
2130                 return 0;
2131         }
2132     }
2133 
2134     /* Finally see if security callback allows it */
2135     secbits = sigalg_security_bits(s->ctx, lu);
2136     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
2137     sigalgstr[1] = lu->sigalg & 0xff;
2138     return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
2139 }
2140 
2141 /*
2142  * Get a mask of disabled public key algorithms based on supported signature
2143  * algorithms. For example if no signature algorithm supports RSA then RSA is
2144  * disabled.
2145  */
2146 
2147 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
2148 {
2149     const uint16_t *sigalgs;
2150     size_t i, sigalgslen;
2151     uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
2152     /*
2153      * Go through all signature algorithms seeing if we support any
2154      * in disabled_mask.
2155      */
2156     sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
2157     for (i = 0; i < sigalgslen; i++, sigalgs++) {
2158         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *sigalgs);
2159         const SSL_CERT_LOOKUP *clu;
2160 
2161         if (lu == NULL)
2162             continue;
2163 
2164         clu = ssl_cert_lookup_by_idx(lu->sig_idx);
2165         if (clu == NULL)
2166                 continue;
2167 
2168         /* If algorithm is disabled see if we can enable it */
2169         if ((clu->amask & disabled_mask) != 0
2170                 && tls12_sigalg_allowed(s, op, lu))
2171             disabled_mask &= ~clu->amask;
2172     }
2173     *pmask_a |= disabled_mask;
2174 }
2175 
2176 int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
2177                        const uint16_t *psig, size_t psiglen)
2178 {
2179     size_t i;
2180     int rv = 0;
2181 
2182     for (i = 0; i < psiglen; i++, psig++) {
2183         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *psig);
2184 
2185         if (lu == NULL
2186                 || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
2187             continue;
2188         if (!WPACKET_put_bytes_u16(pkt, *psig))
2189             return 0;
2190         /*
2191          * If TLS 1.3 must have at least one valid TLS 1.3 message
2192          * signing algorithm: i.e. neither RSA nor SHA1/SHA224
2193          */
2194         if (rv == 0 && (!SSL_IS_TLS13(s)
2195             || (lu->sig != EVP_PKEY_RSA
2196                 && lu->hash != NID_sha1
2197                 && lu->hash != NID_sha224)))
2198             rv = 1;
2199     }
2200     if (rv == 0)
2201         ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
2202     return rv;
2203 }
2204 
2205 /* Given preference and allowed sigalgs set shared sigalgs */
2206 static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
2207                                    const uint16_t *pref, size_t preflen,
2208                                    const uint16_t *allow, size_t allowlen)
2209 {
2210     const uint16_t *ptmp, *atmp;
2211     size_t i, j, nmatch = 0;
2212     for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
2213         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *ptmp);
2214 
2215         /* Skip disabled hashes or signature algorithms */
2216         if (lu == NULL
2217                 || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
2218             continue;
2219         for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
2220             if (*ptmp == *atmp) {
2221                 nmatch++;
2222                 if (shsig)
2223                     *shsig++ = lu;
2224                 break;
2225             }
2226         }
2227     }
2228     return nmatch;
2229 }
2230 
2231 /* Set shared signature algorithms for SSL structures */
2232 static int tls1_set_shared_sigalgs(SSL *s)
2233 {
2234     const uint16_t *pref, *allow, *conf;
2235     size_t preflen, allowlen, conflen;
2236     size_t nmatch;
2237     const SIGALG_LOOKUP **salgs = NULL;
2238     CERT *c = s->cert;
2239     unsigned int is_suiteb = tls1_suiteb(s);
2240 
2241     OPENSSL_free(s->shared_sigalgs);
2242     s->shared_sigalgs = NULL;
2243     s->shared_sigalgslen = 0;
2244     /* If client use client signature algorithms if not NULL */
2245     if (!s->server && c->client_sigalgs && !is_suiteb) {
2246         conf = c->client_sigalgs;
2247         conflen = c->client_sigalgslen;
2248     } else if (c->conf_sigalgs && !is_suiteb) {
2249         conf = c->conf_sigalgs;
2250         conflen = c->conf_sigalgslen;
2251     } else
2252         conflen = tls12_get_psigalgs(s, 0, &conf);
2253     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
2254         pref = conf;
2255         preflen = conflen;
2256         allow = s->s3.tmp.peer_sigalgs;
2257         allowlen = s->s3.tmp.peer_sigalgslen;
2258     } else {
2259         allow = conf;
2260         allowlen = conflen;
2261         pref = s->s3.tmp.peer_sigalgs;
2262         preflen = s->s3.tmp.peer_sigalgslen;
2263     }
2264     nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
2265     if (nmatch) {
2266         if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) {
2267             ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
2268             return 0;
2269         }
2270         nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
2271     } else {
2272         salgs = NULL;
2273     }
2274     s->shared_sigalgs = salgs;
2275     s->shared_sigalgslen = nmatch;
2276     return 1;
2277 }
2278 
2279 int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
2280 {
2281     unsigned int stmp;
2282     size_t size, i;
2283     uint16_t *buf;
2284 
2285     size = PACKET_remaining(pkt);
2286 
2287     /* Invalid data length */
2288     if (size == 0 || (size & 1) != 0)
2289         return 0;
2290 
2291     size >>= 1;
2292 
2293     if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL)  {
2294         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
2295         return 0;
2296     }
2297     for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
2298         buf[i] = stmp;
2299 
2300     if (i != size) {
2301         OPENSSL_free(buf);
2302         return 0;
2303     }
2304 
2305     OPENSSL_free(*pdest);
2306     *pdest = buf;
2307     *pdestlen = size;
2308 
2309     return 1;
2310 }
2311 
2312 int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert)
2313 {
2314     /* Extension ignored for inappropriate versions */
2315     if (!SSL_USE_SIGALGS(s))
2316         return 1;
2317     /* Should never happen */
2318     if (s->cert == NULL)
2319         return 0;
2320 
2321     if (cert)
2322         return tls1_save_u16(pkt, &s->s3.tmp.peer_cert_sigalgs,
2323                              &s->s3.tmp.peer_cert_sigalgslen);
2324     else
2325         return tls1_save_u16(pkt, &s->s3.tmp.peer_sigalgs,
2326                              &s->s3.tmp.peer_sigalgslen);
2327 
2328 }
2329 
2330 /* Set preferred digest for each key type */
2331 
2332 int tls1_process_sigalgs(SSL *s)
2333 {
2334     size_t i;
2335     uint32_t *pvalid = s->s3.tmp.valid_flags;
2336 
2337     if (!tls1_set_shared_sigalgs(s))
2338         return 0;
2339 
2340     for (i = 0; i < SSL_PKEY_NUM; i++)
2341         pvalid[i] = 0;
2342 
2343     for (i = 0; i < s->shared_sigalgslen; i++) {
2344         const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
2345         int idx = sigptr->sig_idx;
2346 
2347         /* Ignore PKCS1 based sig algs in TLSv1.3 */
2348         if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
2349             continue;
2350         /* If not disabled indicate we can explicitly sign */
2351         if (pvalid[idx] == 0 && !ssl_cert_is_disabled(s->ctx, idx))
2352             pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
2353     }
2354     return 1;
2355 }
2356 
2357 int SSL_get_sigalgs(SSL *s, int idx,
2358                     int *psign, int *phash, int *psignhash,
2359                     unsigned char *rsig, unsigned char *rhash)
2360 {
2361     uint16_t *psig = s->s3.tmp.peer_sigalgs;
2362     size_t numsigalgs = s->s3.tmp.peer_sigalgslen;
2363     if (psig == NULL || numsigalgs > INT_MAX)
2364         return 0;
2365     if (idx >= 0) {
2366         const SIGALG_LOOKUP *lu;
2367 
2368         if (idx >= (int)numsigalgs)
2369             return 0;
2370         psig += idx;
2371         if (rhash != NULL)
2372             *rhash = (unsigned char)((*psig >> 8) & 0xff);
2373         if (rsig != NULL)
2374             *rsig = (unsigned char)(*psig & 0xff);
2375         lu = tls1_lookup_sigalg(s, *psig);
2376         if (psign != NULL)
2377             *psign = lu != NULL ? lu->sig : NID_undef;
2378         if (phash != NULL)
2379             *phash = lu != NULL ? lu->hash : NID_undef;
2380         if (psignhash != NULL)
2381             *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
2382     }
2383     return (int)numsigalgs;
2384 }
2385 
2386 int SSL_get_shared_sigalgs(SSL *s, int idx,
2387                            int *psign, int *phash, int *psignhash,
2388                            unsigned char *rsig, unsigned char *rhash)
2389 {
2390     const SIGALG_LOOKUP *shsigalgs;
2391     if (s->shared_sigalgs == NULL
2392         || idx < 0
2393         || idx >= (int)s->shared_sigalgslen
2394         || s->shared_sigalgslen > INT_MAX)
2395         return 0;
2396     shsigalgs = s->shared_sigalgs[idx];
2397     if (phash != NULL)
2398         *phash = shsigalgs->hash;
2399     if (psign != NULL)
2400         *psign = shsigalgs->sig;
2401     if (psignhash != NULL)
2402         *psignhash = shsigalgs->sigandhash;
2403     if (rsig != NULL)
2404         *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
2405     if (rhash != NULL)
2406         *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
2407     return (int)s->shared_sigalgslen;
2408 }
2409 
2410 /* Maximum possible number of unique entries in sigalgs array */
2411 #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
2412 
2413 typedef struct {
2414     size_t sigalgcnt;
2415     /* TLSEXT_SIGALG_XXX values */
2416     uint16_t sigalgs[TLS_MAX_SIGALGCNT];
2417 } sig_cb_st;
2418 
2419 static void get_sigorhash(int *psig, int *phash, const char *str)
2420 {
2421     if (strcmp(str, "RSA") == 0) {
2422         *psig = EVP_PKEY_RSA;
2423     } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
2424         *psig = EVP_PKEY_RSA_PSS;
2425     } else if (strcmp(str, "DSA") == 0) {
2426         *psig = EVP_PKEY_DSA;
2427     } else if (strcmp(str, "ECDSA") == 0) {
2428         *psig = EVP_PKEY_EC;
2429     } else {
2430         *phash = OBJ_sn2nid(str);
2431         if (*phash == NID_undef)
2432             *phash = OBJ_ln2nid(str);
2433     }
2434 }
2435 /* Maximum length of a signature algorithm string component */
2436 #define TLS_MAX_SIGSTRING_LEN   40
2437 
2438 static int sig_cb(const char *elem, int len, void *arg)
2439 {
2440     sig_cb_st *sarg = arg;
2441     size_t i;
2442     const SIGALG_LOOKUP *s;
2443     char etmp[TLS_MAX_SIGSTRING_LEN], *p;
2444     int sig_alg = NID_undef, hash_alg = NID_undef;
2445     if (elem == NULL)
2446         return 0;
2447     if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
2448         return 0;
2449     if (len > (int)(sizeof(etmp) - 1))
2450         return 0;
2451     memcpy(etmp, elem, len);
2452     etmp[len] = 0;
2453     p = strchr(etmp, '+');
2454     /*
2455      * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
2456      * if there's no '+' in the provided name, look for the new-style combined
2457      * name.  If not, match both sig+hash to find the needed SIGALG_LOOKUP.
2458      * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
2459      * rsa_pss_rsae_* that differ only by public key OID; in such cases
2460      * we will pick the _rsae_ variant, by virtue of them appearing earlier
2461      * in the table.
2462      */
2463     if (p == NULL) {
2464         for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
2465              i++, s++) {
2466             if (s->name != NULL && strcmp(etmp, s->name) == 0) {
2467                 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
2468                 break;
2469             }
2470         }
2471         if (i == OSSL_NELEM(sigalg_lookup_tbl))
2472             return 0;
2473     } else {
2474         *p = 0;
2475         p++;
2476         if (*p == 0)
2477             return 0;
2478         get_sigorhash(&sig_alg, &hash_alg, etmp);
2479         get_sigorhash(&sig_alg, &hash_alg, p);
2480         if (sig_alg == NID_undef || hash_alg == NID_undef)
2481             return 0;
2482         for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
2483              i++, s++) {
2484             if (s->hash == hash_alg && s->sig == sig_alg) {
2485                 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
2486                 break;
2487             }
2488         }
2489         if (i == OSSL_NELEM(sigalg_lookup_tbl))
2490             return 0;
2491     }
2492 
2493     /* Reject duplicates */
2494     for (i = 0; i < sarg->sigalgcnt - 1; i++) {
2495         if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
2496             sarg->sigalgcnt--;
2497             return 0;
2498         }
2499     }
2500     return 1;
2501 }
2502 
2503 /*
2504  * Set supported signature algorithms based on a colon separated list of the
2505  * form sig+hash e.g. RSA+SHA512:DSA+SHA512
2506  */
2507 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
2508 {
2509     sig_cb_st sig;
2510     sig.sigalgcnt = 0;
2511     if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
2512         return 0;
2513     if (c == NULL)
2514         return 1;
2515     return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
2516 }
2517 
2518 int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
2519                      int client)
2520 {
2521     uint16_t *sigalgs;
2522 
2523     if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) {
2524         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
2525         return 0;
2526     }
2527     memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));
2528 
2529     if (client) {
2530         OPENSSL_free(c->client_sigalgs);
2531         c->client_sigalgs = sigalgs;
2532         c->client_sigalgslen = salglen;
2533     } else {
2534         OPENSSL_free(c->conf_sigalgs);
2535         c->conf_sigalgs = sigalgs;
2536         c->conf_sigalgslen = salglen;
2537     }
2538 
2539     return 1;
2540 }
2541 
2542 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
2543 {
2544     uint16_t *sigalgs, *sptr;
2545     size_t i;
2546 
2547     if (salglen & 1)
2548         return 0;
2549     if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) {
2550         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
2551         return 0;
2552     }
2553     for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
2554         size_t j;
2555         const SIGALG_LOOKUP *curr;
2556         int md_id = *psig_nids++;
2557         int sig_id = *psig_nids++;
2558 
2559         for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
2560              j++, curr++) {
2561             if (curr->hash == md_id && curr->sig == sig_id) {
2562                 *sptr++ = curr->sigalg;
2563                 break;
2564             }
2565         }
2566 
2567         if (j == OSSL_NELEM(sigalg_lookup_tbl))
2568             goto err;
2569     }
2570 
2571     if (client) {
2572         OPENSSL_free(c->client_sigalgs);
2573         c->client_sigalgs = sigalgs;
2574         c->client_sigalgslen = salglen / 2;
2575     } else {
2576         OPENSSL_free(c->conf_sigalgs);
2577         c->conf_sigalgs = sigalgs;
2578         c->conf_sigalgslen = salglen / 2;
2579     }
2580 
2581     return 1;
2582 
2583  err:
2584     OPENSSL_free(sigalgs);
2585     return 0;
2586 }
2587 
2588 static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
2589 {
2590     int sig_nid, use_pc_sigalgs = 0;
2591     size_t i;
2592     const SIGALG_LOOKUP *sigalg;
2593     size_t sigalgslen;
2594     if (default_nid == -1)
2595         return 1;
2596     sig_nid = X509_get_signature_nid(x);
2597     if (default_nid)
2598         return sig_nid == default_nid ? 1 : 0;
2599 
2600     if (SSL_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) {
2601         /*
2602          * If we're in TLSv1.3 then we only get here if we're checking the
2603          * chain. If the peer has specified peer_cert_sigalgs then we use them
2604          * otherwise we default to normal sigalgs.
2605          */
2606         sigalgslen = s->s3.tmp.peer_cert_sigalgslen;
2607         use_pc_sigalgs = 1;
2608     } else {
2609         sigalgslen = s->shared_sigalgslen;
2610     }
2611     for (i = 0; i < sigalgslen; i++) {
2612         sigalg = use_pc_sigalgs
2613                  ? tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i])
2614                  : s->shared_sigalgs[i];
2615         if (sigalg != NULL && sig_nid == sigalg->sigandhash)
2616             return 1;
2617     }
2618     return 0;
2619 }
2620 
2621 /* Check to see if a certificate issuer name matches list of CA names */
2622 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
2623 {
2624     const X509_NAME *nm;
2625     int i;
2626     nm = X509_get_issuer_name(x);
2627     for (i = 0; i < sk_X509_NAME_num(names); i++) {
2628         if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
2629             return 1;
2630     }
2631     return 0;
2632 }
2633 
2634 /*
2635  * Check certificate chain is consistent with TLS extensions and is usable by
2636  * server. This servers two purposes: it allows users to check chains before
2637  * passing them to the server and it allows the server to check chains before
2638  * attempting to use them.
2639  */
2640 
2641 /* Flags which need to be set for a certificate when strict mode not set */
2642 
2643 #define CERT_PKEY_VALID_FLAGS \
2644         (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
2645 /* Strict mode flags */
2646 #define CERT_PKEY_STRICT_FLAGS \
2647          (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
2648          | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
2649 
2650 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
2651                      int idx)
2652 {
2653     int i;
2654     int rv = 0;
2655     int check_flags = 0, strict_mode;
2656     CERT_PKEY *cpk = NULL;
2657     CERT *c = s->cert;
2658     uint32_t *pvalid;
2659     unsigned int suiteb_flags = tls1_suiteb(s);
2660     /* idx == -1 means checking server chains */
2661     if (idx != -1) {
2662         /* idx == -2 means checking client certificate chains */
2663         if (idx == -2) {
2664             cpk = c->key;
2665             idx = (int)(cpk - c->pkeys);
2666         } else
2667             cpk = c->pkeys + idx;
2668         pvalid = s->s3.tmp.valid_flags + idx;
2669         x = cpk->x509;
2670         pk = cpk->privatekey;
2671         chain = cpk->chain;
2672         strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
2673         /* If no cert or key, forget it */
2674         if (!x || !pk)
2675             goto end;
2676     } else {
2677         size_t certidx;
2678 
2679         if (!x || !pk)
2680             return 0;
2681 
2682         if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
2683             return 0;
2684         idx = certidx;
2685         pvalid = s->s3.tmp.valid_flags + idx;
2686 
2687         if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
2688             check_flags = CERT_PKEY_STRICT_FLAGS;
2689         else
2690             check_flags = CERT_PKEY_VALID_FLAGS;
2691         strict_mode = 1;
2692     }
2693 
2694     if (suiteb_flags) {
2695         int ok;
2696         if (check_flags)
2697             check_flags |= CERT_PKEY_SUITEB;
2698         ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
2699         if (ok == X509_V_OK)
2700             rv |= CERT_PKEY_SUITEB;
2701         else if (!check_flags)
2702             goto end;
2703     }
2704 
2705     /*
2706      * Check all signature algorithms are consistent with signature
2707      * algorithms extension if TLS 1.2 or later and strict mode.
2708      */
2709     if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
2710         int default_nid;
2711         int rsign = 0;
2712         if (s->s3.tmp.peer_cert_sigalgs != NULL
2713                 || s->s3.tmp.peer_sigalgs != NULL) {
2714             default_nid = 0;
2715         /* If no sigalgs extension use defaults from RFC5246 */
2716         } else {
2717             switch (idx) {
2718             case SSL_PKEY_RSA:
2719                 rsign = EVP_PKEY_RSA;
2720                 default_nid = NID_sha1WithRSAEncryption;
2721                 break;
2722 
2723             case SSL_PKEY_DSA_SIGN:
2724                 rsign = EVP_PKEY_DSA;
2725                 default_nid = NID_dsaWithSHA1;
2726                 break;
2727 
2728             case SSL_PKEY_ECC:
2729                 rsign = EVP_PKEY_EC;
2730                 default_nid = NID_ecdsa_with_SHA1;
2731                 break;
2732 
2733             case SSL_PKEY_GOST01:
2734                 rsign = NID_id_GostR3410_2001;
2735                 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
2736                 break;
2737 
2738             case SSL_PKEY_GOST12_256:
2739                 rsign = NID_id_GostR3410_2012_256;
2740                 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
2741                 break;
2742 
2743             case SSL_PKEY_GOST12_512:
2744                 rsign = NID_id_GostR3410_2012_512;
2745                 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
2746                 break;
2747 
2748             default:
2749                 default_nid = -1;
2750                 break;
2751             }
2752         }
2753         /*
2754          * If peer sent no signature algorithms extension and we have set
2755          * preferred signature algorithms check we support sha1.
2756          */
2757         if (default_nid > 0 && c->conf_sigalgs) {
2758             size_t j;
2759             const uint16_t *p = c->conf_sigalgs;
2760             for (j = 0; j < c->conf_sigalgslen; j++, p++) {
2761                 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *p);
2762 
2763                 if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
2764                     break;
2765             }
2766             if (j == c->conf_sigalgslen) {
2767                 if (check_flags)
2768                     goto skip_sigs;
2769                 else
2770                     goto end;
2771             }
2772         }
2773         /* Check signature algorithm of each cert in chain */
2774         if (SSL_IS_TLS13(s)) {
2775             /*
2776              * We only get here if the application has called SSL_check_chain(),
2777              * so check_flags is always set.
2778              */
2779             if (find_sig_alg(s, x, pk) != NULL)
2780                 rv |= CERT_PKEY_EE_SIGNATURE;
2781         } else if (!tls1_check_sig_alg(s, x, default_nid)) {
2782             if (!check_flags)
2783                 goto end;
2784         } else
2785             rv |= CERT_PKEY_EE_SIGNATURE;
2786         rv |= CERT_PKEY_CA_SIGNATURE;
2787         for (i = 0; i < sk_X509_num(chain); i++) {
2788             if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
2789                 if (check_flags) {
2790                     rv &= ~CERT_PKEY_CA_SIGNATURE;
2791                     break;
2792                 } else
2793                     goto end;
2794             }
2795         }
2796     }
2797     /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
2798     else if (check_flags)
2799         rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
2800  skip_sigs:
2801     /* Check cert parameters are consistent */
2802     if (tls1_check_cert_param(s, x, 1))
2803         rv |= CERT_PKEY_EE_PARAM;
2804     else if (!check_flags)
2805         goto end;
2806     if (!s->server)
2807         rv |= CERT_PKEY_CA_PARAM;
2808     /* In strict mode check rest of chain too */
2809     else if (strict_mode) {
2810         rv |= CERT_PKEY_CA_PARAM;
2811         for (i = 0; i < sk_X509_num(chain); i++) {
2812             X509 *ca = sk_X509_value(chain, i);
2813             if (!tls1_check_cert_param(s, ca, 0)) {
2814                 if (check_flags) {
2815                     rv &= ~CERT_PKEY_CA_PARAM;
2816                     break;
2817                 } else
2818                     goto end;
2819             }
2820         }
2821     }
2822     if (!s->server && strict_mode) {
2823         STACK_OF(X509_NAME) *ca_dn;
2824         int check_type = 0;
2825 
2826         if (EVP_PKEY_is_a(pk, "RSA"))
2827             check_type = TLS_CT_RSA_SIGN;
2828         else if (EVP_PKEY_is_a(pk, "DSA"))
2829             check_type = TLS_CT_DSS_SIGN;
2830         else if (EVP_PKEY_is_a(pk, "EC"))
2831             check_type = TLS_CT_ECDSA_SIGN;
2832 
2833         if (check_type) {
2834             const uint8_t *ctypes = s->s3.tmp.ctype;
2835             size_t j;
2836 
2837             for (j = 0; j < s->s3.tmp.ctype_len; j++, ctypes++) {
2838                 if (*ctypes == check_type) {
2839                     rv |= CERT_PKEY_CERT_TYPE;
2840                     break;
2841                 }
2842             }
2843             if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
2844                 goto end;
2845         } else {
2846             rv |= CERT_PKEY_CERT_TYPE;
2847         }
2848 
2849         ca_dn = s->s3.tmp.peer_ca_names;
2850 
2851         if (ca_dn == NULL
2852             || sk_X509_NAME_num(ca_dn) == 0
2853             || ssl_check_ca_name(ca_dn, x))
2854             rv |= CERT_PKEY_ISSUER_NAME;
2855         else
2856             for (i = 0; i < sk_X509_num(chain); i++) {
2857                 X509 *xtmp = sk_X509_value(chain, i);
2858 
2859                 if (ssl_check_ca_name(ca_dn, xtmp)) {
2860                     rv |= CERT_PKEY_ISSUER_NAME;
2861                     break;
2862                 }
2863             }
2864 
2865         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
2866             goto end;
2867     } else
2868         rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
2869 
2870     if (!check_flags || (rv & check_flags) == check_flags)
2871         rv |= CERT_PKEY_VALID;
2872 
2873  end:
2874 
2875     if (TLS1_get_version(s) >= TLS1_2_VERSION)
2876         rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
2877     else
2878         rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
2879 
2880     /*
2881      * When checking a CERT_PKEY structure all flags are irrelevant if the
2882      * chain is invalid.
2883      */
2884     if (!check_flags) {
2885         if (rv & CERT_PKEY_VALID) {
2886             *pvalid = rv;
2887         } else {
2888             /* Preserve sign and explicit sign flag, clear rest */
2889             *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
2890             return 0;
2891         }
2892     }
2893     return rv;
2894 }
2895 
2896 /* Set validity of certificates in an SSL structure */
2897 void tls1_set_cert_validity(SSL *s)
2898 {
2899     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
2900     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
2901     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
2902     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
2903     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
2904     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
2905     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
2906     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
2907     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
2908 }
2909 
2910 /* User level utility function to check a chain is suitable */
2911 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
2912 {
2913     return tls1_check_chain(s, x, pk, chain, -1);
2914 }
2915 
2916 EVP_PKEY *ssl_get_auto_dh(SSL *s)
2917 {
2918     EVP_PKEY *dhp = NULL;
2919     BIGNUM *p;
2920     int dh_secbits = 80, sec_level_bits;
2921     EVP_PKEY_CTX *pctx = NULL;
2922     OSSL_PARAM_BLD *tmpl = NULL;
2923     OSSL_PARAM *params = NULL;
2924 
2925     if (s->cert->dh_tmp_auto != 2) {
2926         if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
2927             if (s->s3.tmp.new_cipher->strength_bits == 256)
2928                 dh_secbits = 128;
2929             else
2930                 dh_secbits = 80;
2931         } else {
2932             if (s->s3.tmp.cert == NULL)
2933                 return NULL;
2934             dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey);
2935         }
2936     }
2937 
2938     /* Do not pick a prime that is too weak for the current security level */
2939     sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL);
2940     if (dh_secbits < sec_level_bits)
2941         dh_secbits = sec_level_bits;
2942 
2943     if (dh_secbits >= 192)
2944         p = BN_get_rfc3526_prime_8192(NULL);
2945     else if (dh_secbits >= 152)
2946         p = BN_get_rfc3526_prime_4096(NULL);
2947     else if (dh_secbits >= 128)
2948         p = BN_get_rfc3526_prime_3072(NULL);
2949     else if (dh_secbits >= 112)
2950         p = BN_get_rfc3526_prime_2048(NULL);
2951     else
2952         p = BN_get_rfc2409_prime_1024(NULL);
2953     if (p == NULL)
2954         goto err;
2955 
2956     pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq);
2957     if (pctx == NULL
2958             || EVP_PKEY_fromdata_init(pctx) != 1)
2959         goto err;
2960 
2961     tmpl = OSSL_PARAM_BLD_new();
2962     if (tmpl == NULL
2963             || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
2964             || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2))
2965         goto err;
2966 
2967     params = OSSL_PARAM_BLD_to_param(tmpl);
2968     if (params == NULL
2969             || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1)
2970         goto err;
2971 
2972 err:
2973     OSSL_PARAM_free(params);
2974     OSSL_PARAM_BLD_free(tmpl);
2975     EVP_PKEY_CTX_free(pctx);
2976     BN_free(p);
2977     return dhp;
2978 }
2979 
2980 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2981 {
2982     int secbits = -1;
2983     EVP_PKEY *pkey = X509_get0_pubkey(x);
2984     if (pkey) {
2985         /*
2986          * If no parameters this will return -1 and fail using the default
2987          * security callback for any non-zero security level. This will
2988          * reject keys which omit parameters but this only affects DSA and
2989          * omission of parameters is never (?) done in practice.
2990          */
2991         secbits = EVP_PKEY_get_security_bits(pkey);
2992     }
2993     if (s)
2994         return ssl_security(s, op, secbits, 0, x);
2995     else
2996         return ssl_ctx_security(ctx, op, secbits, 0, x);
2997 }
2998 
2999 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
3000 {
3001     /* Lookup signature algorithm digest */
3002     int secbits, nid, pknid;
3003     /* Don't check signature if self signed */
3004     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
3005         return 1;
3006     if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
3007         secbits = -1;
3008     /* If digest NID not defined use signature NID */
3009     if (nid == NID_undef)
3010         nid = pknid;
3011     if (s)
3012         return ssl_security(s, op, secbits, nid, x);
3013     else
3014         return ssl_ctx_security(ctx, op, secbits, nid, x);
3015 }
3016 
3017 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
3018 {
3019     if (vfy)
3020         vfy = SSL_SECOP_PEER;
3021     if (is_ee) {
3022         if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
3023             return SSL_R_EE_KEY_TOO_SMALL;
3024     } else {
3025         if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
3026             return SSL_R_CA_KEY_TOO_SMALL;
3027     }
3028     if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
3029         return SSL_R_CA_MD_TOO_WEAK;
3030     return 1;
3031 }
3032 
3033 /*
3034  * Check security of a chain, if |sk| includes the end entity certificate then
3035  * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
3036  * one to the peer. Return values: 1 if ok otherwise error code to use
3037  */
3038 
3039 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
3040 {
3041     int rv, start_idx, i;
3042     if (x == NULL) {
3043         x = sk_X509_value(sk, 0);
3044         if (x == NULL)
3045             return ERR_R_INTERNAL_ERROR;
3046         start_idx = 1;
3047     } else
3048         start_idx = 0;
3049 
3050     rv = ssl_security_cert(s, NULL, x, vfy, 1);
3051     if (rv != 1)
3052         return rv;
3053 
3054     for (i = start_idx; i < sk_X509_num(sk); i++) {
3055         x = sk_X509_value(sk, i);
3056         rv = ssl_security_cert(s, NULL, x, vfy, 0);
3057         if (rv != 1)
3058             return rv;
3059     }
3060     return 1;
3061 }
3062 
3063 /*
3064  * For TLS 1.2 servers check if we have a certificate which can be used
3065  * with the signature algorithm "lu" and return index of certificate.
3066  */
3067 
3068 static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
3069 {
3070     int sig_idx = lu->sig_idx;
3071     const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
3072 
3073     /* If not recognised or not supported by cipher mask it is not suitable */
3074     if (clu == NULL
3075             || (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0
3076             || (clu->nid == EVP_PKEY_RSA_PSS
3077                 && (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0))
3078         return -1;
3079 
3080     return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
3081 }
3082 
3083 /*
3084  * Checks the given cert against signature_algorithm_cert restrictions sent by
3085  * the peer (if any) as well as whether the hash from the sigalg is usable with
3086  * the key.
3087  * Returns true if the cert is usable and false otherwise.
3088  */
3089 static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
3090                              EVP_PKEY *pkey)
3091 {
3092     const SIGALG_LOOKUP *lu;
3093     int mdnid, pknid, supported;
3094     size_t i;
3095     const char *mdname = NULL;
3096 
3097     /*
3098      * If the given EVP_PKEY cannot support signing with this digest,
3099      * the answer is simply 'no'.
3100      */
3101     if (sig->hash != NID_undef)
3102         mdname = OBJ_nid2sn(sig->hash);
3103     supported = EVP_PKEY_digestsign_supports_digest(pkey, s->ctx->libctx,
3104                                                     mdname,
3105                                                     s->ctx->propq);
3106     if (supported <= 0)
3107         return 0;
3108 
3109     /*
3110      * The TLS 1.3 signature_algorithms_cert extension places restrictions
3111      * on the sigalg with which the certificate was signed (by its issuer).
3112      */
3113     if (s->s3.tmp.peer_cert_sigalgs != NULL) {
3114         if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
3115             return 0;
3116         for (i = 0; i < s->s3.tmp.peer_cert_sigalgslen; i++) {
3117             lu = tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]);
3118             if (lu == NULL)
3119                 continue;
3120 
3121             /*
3122              * This does not differentiate between the
3123              * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
3124              * have a chain here that lets us look at the key OID in the
3125              * signing certificate.
3126              */
3127             if (mdnid == lu->hash && pknid == lu->sig)
3128                 return 1;
3129         }
3130         return 0;
3131     }
3132 
3133     /*
3134      * Without signat_algorithms_cert, any certificate for which we have
3135      * a viable public key is permitted.
3136      */
3137     return 1;
3138 }
3139 
3140 /*
3141  * Returns true if |s| has a usable certificate configured for use
3142  * with signature scheme |sig|.
3143  * "Usable" includes a check for presence as well as applying
3144  * the signature_algorithm_cert restrictions sent by the peer (if any).
3145  * Returns false if no usable certificate is found.
3146  */
3147 static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
3148 {
3149     /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
3150     if (idx == -1)
3151         idx = sig->sig_idx;
3152     if (!ssl_has_cert(s, idx))
3153         return 0;
3154 
3155     return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
3156                              s->cert->pkeys[idx].privatekey);
3157 }
3158 
3159 /*
3160  * Returns true if the supplied cert |x| and key |pkey| is usable with the
3161  * specified signature scheme |sig|, or false otherwise.
3162  */
3163 static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
3164                           EVP_PKEY *pkey)
3165 {
3166     size_t idx;
3167 
3168     if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
3169         return 0;
3170 
3171     /* Check the key is consistent with the sig alg */
3172     if ((int)idx != sig->sig_idx)
3173         return 0;
3174 
3175     return check_cert_usable(s, sig, x, pkey);
3176 }
3177 
3178 /*
3179  * Find a signature scheme that works with the supplied certificate |x| and key
3180  * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
3181  * available certs/keys to find one that works.
3182  */
3183 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
3184 {
3185     const SIGALG_LOOKUP *lu = NULL;
3186     size_t i;
3187     int curve = -1;
3188     EVP_PKEY *tmppkey;
3189 
3190     /* Look for a shared sigalgs matching possible certificates */
3191     for (i = 0; i < s->shared_sigalgslen; i++) {
3192         lu = s->shared_sigalgs[i];
3193 
3194         /* Skip SHA1, SHA224, DSA and RSA if not PSS */
3195         if (lu->hash == NID_sha1
3196             || lu->hash == NID_sha224
3197             || lu->sig == EVP_PKEY_DSA
3198             || lu->sig == EVP_PKEY_RSA)
3199             continue;
3200         /* Check that we have a cert, and signature_algorithms_cert */
3201         if (!tls1_lookup_md(s->ctx, lu, NULL))
3202             continue;
3203         if ((pkey == NULL && !has_usable_cert(s, lu, -1))
3204                 || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
3205             continue;
3206 
3207         tmppkey = (pkey != NULL) ? pkey
3208                                  : s->cert->pkeys[lu->sig_idx].privatekey;
3209 
3210         if (lu->sig == EVP_PKEY_EC) {
3211             if (curve == -1)
3212                 curve = ssl_get_EC_curve_nid(tmppkey);
3213             if (lu->curve != NID_undef && curve != lu->curve)
3214                 continue;
3215         } else if (lu->sig == EVP_PKEY_RSA_PSS) {
3216             /* validate that key is large enough for the signature algorithm */
3217             if (!rsa_pss_check_min_key_size(s->ctx, tmppkey, lu))
3218                 continue;
3219         }
3220         break;
3221     }
3222 
3223     if (i == s->shared_sigalgslen)
3224         return NULL;
3225 
3226     return lu;
3227 }
3228 
3229 /*
3230  * Choose an appropriate signature algorithm based on available certificates
3231  * Sets chosen certificate and signature algorithm.
3232  *
3233  * For servers if we fail to find a required certificate it is a fatal error,
3234  * an appropriate error code is set and a TLS alert is sent.
3235  *
3236  * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
3237  * a fatal error: we will either try another certificate or not present one
3238  * to the server. In this case no error is set.
3239  */
3240 int tls_choose_sigalg(SSL *s, int fatalerrs)
3241 {
3242     const SIGALG_LOOKUP *lu = NULL;
3243     int sig_idx = -1;
3244 
3245     s->s3.tmp.cert = NULL;
3246     s->s3.tmp.sigalg = NULL;
3247 
3248     if (SSL_IS_TLS13(s)) {
3249         lu = find_sig_alg(s, NULL, NULL);
3250         if (lu == NULL) {
3251             if (!fatalerrs)
3252                 return 1;
3253             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3254                      SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
3255             return 0;
3256         }
3257     } else {
3258         /* If ciphersuite doesn't require a cert nothing to do */
3259         if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT))
3260             return 1;
3261         if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
3262                 return 1;
3263 
3264         if (SSL_USE_SIGALGS(s)) {
3265             size_t i;
3266             if (s->s3.tmp.peer_sigalgs != NULL) {
3267                 int curve = -1;
3268 
3269                 /* For Suite B need to match signature algorithm to curve */
3270                 if (tls1_suiteb(s))
3271                     curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
3272                                                  .privatekey);
3273 
3274                 /*
3275                  * Find highest preference signature algorithm matching
3276                  * cert type
3277                  */
3278                 for (i = 0; i < s->shared_sigalgslen; i++) {
3279                     lu = s->shared_sigalgs[i];
3280 
3281                     if (s->server) {
3282                         if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
3283                             continue;
3284                     } else {
3285                         int cc_idx = s->cert->key - s->cert->pkeys;
3286 
3287                         sig_idx = lu->sig_idx;
3288                         if (cc_idx != sig_idx)
3289                             continue;
3290                     }
3291                     /* Check that we have a cert, and sig_algs_cert */
3292                     if (!has_usable_cert(s, lu, sig_idx))
3293                         continue;
3294                     if (lu->sig == EVP_PKEY_RSA_PSS) {
3295                         /* validate that key is large enough for the signature algorithm */
3296                         EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;
3297 
3298                         if (!rsa_pss_check_min_key_size(s->ctx, pkey, lu))
3299                             continue;
3300                     }
3301                     if (curve == -1 || lu->curve == curve)
3302                         break;
3303                 }
3304 #ifndef OPENSSL_NO_GOST
3305                 /*
3306                  * Some Windows-based implementations do not send GOST algorithms indication
3307                  * in supported_algorithms extension, so when we have GOST-based ciphersuite,
3308                  * we have to assume GOST support.
3309                  */
3310                 if (i == s->shared_sigalgslen && s->s3.tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) {
3311                   if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
3312                     if (!fatalerrs)
3313                       return 1;
3314                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3315                              SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
3316                     return 0;
3317                   } else {
3318                     i = 0;
3319                     sig_idx = lu->sig_idx;
3320                   }
3321                 }
3322 #endif
3323                 if (i == s->shared_sigalgslen) {
3324                     if (!fatalerrs)
3325                         return 1;
3326                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3327                              SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
3328                     return 0;
3329                 }
3330             } else {
3331                 /*
3332                  * If we have no sigalg use defaults
3333                  */
3334                 const uint16_t *sent_sigs;
3335                 size_t sent_sigslen;
3336 
3337                 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
3338                     if (!fatalerrs)
3339                         return 1;
3340                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3341                              SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
3342                     return 0;
3343                 }
3344 
3345                 /* Check signature matches a type we sent */
3346                 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
3347                 for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
3348                     if (lu->sigalg == *sent_sigs
3349                             && has_usable_cert(s, lu, lu->sig_idx))
3350                         break;
3351                 }
3352                 if (i == sent_sigslen) {
3353                     if (!fatalerrs)
3354                         return 1;
3355                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3356                              SSL_R_WRONG_SIGNATURE_TYPE);
3357                     return 0;
3358                 }
3359             }
3360         } else {
3361             if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
3362                 if (!fatalerrs)
3363                     return 1;
3364                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3365                          SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
3366                 return 0;
3367             }
3368         }
3369     }
3370     if (sig_idx == -1)
3371         sig_idx = lu->sig_idx;
3372     s->s3.tmp.cert = &s->cert->pkeys[sig_idx];
3373     s->cert->key = s->s3.tmp.cert;
3374     s->s3.tmp.sigalg = lu;
3375     return 1;
3376 }
3377 
3378 int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
3379 {
3380     if (mode != TLSEXT_max_fragment_length_DISABLED
3381             && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
3382         ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
3383         return 0;
3384     }
3385 
3386     ctx->ext.max_fragment_len_mode = mode;
3387     return 1;
3388 }
3389 
3390 int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
3391 {
3392     if (mode != TLSEXT_max_fragment_length_DISABLED
3393             && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
3394         ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
3395         return 0;
3396     }
3397 
3398     ssl->ext.max_fragment_len_mode = mode;
3399     return 1;
3400 }
3401 
3402 uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
3403 {
3404     if (session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
3405         return TLSEXT_max_fragment_length_DISABLED;
3406     return session->ext.max_fragment_len_mode;
3407 }
3408 
3409 /*
3410  * Helper functions for HMAC access with legacy support included.
3411  */
3412 SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx)
3413 {
3414     SSL_HMAC *ret = OPENSSL_zalloc(sizeof(*ret));
3415     EVP_MAC *mac = NULL;
3416 
3417     if (ret == NULL)
3418         return NULL;
3419 #ifndef OPENSSL_NO_DEPRECATED_3_0
3420     if (ctx->ext.ticket_key_evp_cb == NULL
3421             && ctx->ext.ticket_key_cb != NULL) {
3422         if (!ssl_hmac_old_new(ret))
3423             goto err;
3424         return ret;
3425     }
3426 #endif
3427     mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq);
3428     if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL)
3429         goto err;
3430     EVP_MAC_free(mac);
3431     return ret;
3432  err:
3433     EVP_MAC_CTX_free(ret->ctx);
3434     EVP_MAC_free(mac);
3435     OPENSSL_free(ret);
3436     return NULL;
3437 }
3438 
3439 void ssl_hmac_free(SSL_HMAC *ctx)
3440 {
3441     if (ctx != NULL) {
3442         EVP_MAC_CTX_free(ctx->ctx);
3443 #ifndef OPENSSL_NO_DEPRECATED_3_0
3444         ssl_hmac_old_free(ctx);
3445 #endif
3446         OPENSSL_free(ctx);
3447     }
3448 }
3449 
3450 EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx)
3451 {
3452     return ctx->ctx;
3453 }
3454 
3455 int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
3456 {
3457     OSSL_PARAM params[2], *p = params;
3458 
3459     if (ctx->ctx != NULL) {
3460         *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0);
3461         *p = OSSL_PARAM_construct_end();
3462         if (EVP_MAC_init(ctx->ctx, key, len, params))
3463             return 1;
3464     }
3465 #ifndef OPENSSL_NO_DEPRECATED_3_0
3466     if (ctx->old_ctx != NULL)
3467         return ssl_hmac_old_init(ctx, key, len, md);
3468 #endif
3469     return 0;
3470 }
3471 
3472 int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
3473 {
3474     if (ctx->ctx != NULL)
3475         return EVP_MAC_update(ctx->ctx, data, len);
3476 #ifndef OPENSSL_NO_DEPRECATED_3_0
3477     if (ctx->old_ctx != NULL)
3478         return ssl_hmac_old_update(ctx, data, len);
3479 #endif
3480     return 0;
3481 }
3482 
3483 int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len,
3484                    size_t max_size)
3485 {
3486     if (ctx->ctx != NULL)
3487         return EVP_MAC_final(ctx->ctx, md, len, max_size);
3488 #ifndef OPENSSL_NO_DEPRECATED_3_0
3489     if (ctx->old_ctx != NULL)
3490         return ssl_hmac_old_final(ctx, md, len);
3491 #endif
3492     return 0;
3493 }
3494 
3495 size_t ssl_hmac_size(const SSL_HMAC *ctx)
3496 {
3497     if (ctx->ctx != NULL)
3498         return EVP_MAC_CTX_get_mac_size(ctx->ctx);
3499 #ifndef OPENSSL_NO_DEPRECATED_3_0
3500     if (ctx->old_ctx != NULL)
3501         return ssl_hmac_old_size(ctx);
3502 #endif
3503     return 0;
3504 }
3505 
3506 int ssl_get_EC_curve_nid(const EVP_PKEY *pkey)
3507 {
3508     char gname[OSSL_MAX_NAME_SIZE];
3509 
3510     if (EVP_PKEY_get_group_name(pkey, gname, sizeof(gname), NULL) > 0)
3511         return OBJ_txt2nid(gname);
3512 
3513     return NID_undef;
3514 }
3515 
3516 __owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey,
3517                                      const unsigned char *enckey,
3518                                      size_t enckeylen)
3519 {
3520     if (EVP_PKEY_is_a(pkey, "DH")) {
3521         int bits = EVP_PKEY_get_bits(pkey);
3522 
3523         if (bits <= 0 || enckeylen != (size_t)bits / 8)
3524             /* the encoded key must be padded to the length of the p */
3525             return 0;
3526     } else if (EVP_PKEY_is_a(pkey, "EC")) {
3527         if (enckeylen < 3 /* point format and at least 1 byte for x and y */
3528             || enckey[0] != 0x04)
3529             return 0;
3530     }
3531 
3532     return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen);
3533 }
3534