xref: /freebsd/crypto/openssl/ssl/t1_lib.c (revision e12ff891366cf94db4bfe4c2c810b26a5531053d)
1 /*
2  * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <openssl/objects.h>
13 #include <openssl/evp.h>
14 #include <openssl/hmac.h>
15 #include <openssl/ocsp.h>
16 #include <openssl/conf.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/dh.h>
19 #include <openssl/bn.h>
20 #include "internal/nelem.h"
21 #include "ssl_locl.h"
22 #include <openssl/ct.h>
23 
24 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
25 
26 SSL3_ENC_METHOD const TLSv1_enc_data = {
27     tls1_enc,
28     tls1_mac,
29     tls1_setup_key_block,
30     tls1_generate_master_secret,
31     tls1_change_cipher_state,
32     tls1_final_finish_mac,
33     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
34     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
35     tls1_alert_code,
36     tls1_export_keying_material,
37     0,
38     ssl3_set_handshake_header,
39     tls_close_construct_packet,
40     ssl3_handshake_write
41 };
42 
43 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
44     tls1_enc,
45     tls1_mac,
46     tls1_setup_key_block,
47     tls1_generate_master_secret,
48     tls1_change_cipher_state,
49     tls1_final_finish_mac,
50     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
51     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
52     tls1_alert_code,
53     tls1_export_keying_material,
54     SSL_ENC_FLAG_EXPLICIT_IV,
55     ssl3_set_handshake_header,
56     tls_close_construct_packet,
57     ssl3_handshake_write
58 };
59 
60 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
61     tls1_enc,
62     tls1_mac,
63     tls1_setup_key_block,
64     tls1_generate_master_secret,
65     tls1_change_cipher_state,
66     tls1_final_finish_mac,
67     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
68     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
69     tls1_alert_code,
70     tls1_export_keying_material,
71     SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
72         | SSL_ENC_FLAG_TLS1_2_CIPHERS,
73     ssl3_set_handshake_header,
74     tls_close_construct_packet,
75     ssl3_handshake_write
76 };
77 
78 SSL3_ENC_METHOD const TLSv1_3_enc_data = {
79     tls13_enc,
80     tls1_mac,
81     tls13_setup_key_block,
82     tls13_generate_master_secret,
83     tls13_change_cipher_state,
84     tls13_final_finish_mac,
85     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
86     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
87     tls13_alert_code,
88     tls13_export_keying_material,
89     SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
90     ssl3_set_handshake_header,
91     tls_close_construct_packet,
92     ssl3_handshake_write
93 };
94 
95 long tls1_default_timeout(void)
96 {
97     /*
98      * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
99      * http, the cache would over fill
100      */
101     return (60 * 60 * 2);
102 }
103 
104 int tls1_new(SSL *s)
105 {
106     if (!ssl3_new(s))
107         return 0;
108     if (!s->method->ssl_clear(s))
109         return 0;
110 
111     return 1;
112 }
113 
114 void tls1_free(SSL *s)
115 {
116     OPENSSL_free(s->ext.session_ticket);
117     ssl3_free(s);
118 }
119 
120 int tls1_clear(SSL *s)
121 {
122     if (!ssl3_clear(s))
123         return 0;
124 
125     if (s->method->version == TLS_ANY_VERSION)
126         s->version = TLS_MAX_VERSION;
127     else
128         s->version = s->method->version;
129 
130     return 1;
131 }
132 
133 #ifndef OPENSSL_NO_EC
134 
135 /*
136  * Table of curve information.
137  * Do not delete entries or reorder this array! It is used as a lookup
138  * table: the index of each entry is one less than the TLS curve id.
139  */
140 static const TLS_GROUP_INFO nid_list[] = {
141     {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
142     {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
143     {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
144     {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
145     {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
146     {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
147     {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
148     {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
149     {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
150     {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
151     {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
152     {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
153     {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
154     {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
155     {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
156     {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
157     {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
158     {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
159     {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
160     {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
161     {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
162     {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
163     {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
164     {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
165     {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
166     {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
167     {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
168     {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
169     {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
170     {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
171 };
172 
173 static const unsigned char ecformats_default[] = {
174     TLSEXT_ECPOINTFORMAT_uncompressed,
175     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
176     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
177 };
178 
179 /* The default curves */
180 static const uint16_t eccurves_default[] = {
181     29,                      /* X25519 (29) */
182     23,                      /* secp256r1 (23) */
183     30,                      /* X448 (30) */
184     25,                      /* secp521r1 (25) */
185     24,                      /* secp384r1 (24) */
186 };
187 
188 static const uint16_t suiteb_curves[] = {
189     TLSEXT_curve_P_256,
190     TLSEXT_curve_P_384
191 };
192 
193 const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
194 {
195     /* ECC curves from RFC 4492 and RFC 7027 */
196     if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
197         return NULL;
198     return &nid_list[group_id - 1];
199 }
200 
201 static uint16_t tls1_nid2group_id(int nid)
202 {
203     size_t i;
204     for (i = 0; i < OSSL_NELEM(nid_list); i++) {
205         if (nid_list[i].nid == nid)
206             return (uint16_t)(i + 1);
207     }
208     return 0;
209 }
210 
211 /*
212  * Set *pgroups to the supported groups list and *pgroupslen to
213  * the number of groups supported.
214  */
215 void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
216                                size_t *pgroupslen)
217 {
218 
219     /* For Suite B mode only include P-256, P-384 */
220     switch (tls1_suiteb(s)) {
221     case SSL_CERT_FLAG_SUITEB_128_LOS:
222         *pgroups = suiteb_curves;
223         *pgroupslen = OSSL_NELEM(suiteb_curves);
224         break;
225 
226     case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
227         *pgroups = suiteb_curves;
228         *pgroupslen = 1;
229         break;
230 
231     case SSL_CERT_FLAG_SUITEB_192_LOS:
232         *pgroups = suiteb_curves + 1;
233         *pgroupslen = 1;
234         break;
235 
236     default:
237         if (s->ext.supportedgroups == NULL) {
238             *pgroups = eccurves_default;
239             *pgroupslen = OSSL_NELEM(eccurves_default);
240         } else {
241             *pgroups = s->ext.supportedgroups;
242             *pgroupslen = s->ext.supportedgroups_len;
243         }
244         break;
245     }
246 }
247 
248 /* See if curve is allowed by security callback */
249 int tls_curve_allowed(SSL *s, uint16_t curve, int op)
250 {
251     const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
252     unsigned char ctmp[2];
253 
254     if (cinfo == NULL)
255         return 0;
256 # ifdef OPENSSL_NO_EC2M
257     if (cinfo->flags & TLS_CURVE_CHAR2)
258         return 0;
259 # endif
260     ctmp[0] = curve >> 8;
261     ctmp[1] = curve & 0xff;
262     return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
263 }
264 
265 /* Return 1 if "id" is in "list" */
266 static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
267 {
268     size_t i;
269     for (i = 0; i < listlen; i++)
270         if (list[i] == id)
271             return 1;
272     return 0;
273 }
274 
275 /*-
276  * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
277  * if there is no match.
278  * For nmatch == -1, return number of matches
279  * For nmatch == -2, return the id of the group to use for
280  * a tmp key, or 0 if there is no match.
281  */
282 uint16_t tls1_shared_group(SSL *s, int nmatch)
283 {
284     const uint16_t *pref, *supp;
285     size_t num_pref, num_supp, i;
286     int k;
287 
288     /* Can't do anything on client side */
289     if (s->server == 0)
290         return 0;
291     if (nmatch == -2) {
292         if (tls1_suiteb(s)) {
293             /*
294              * For Suite B ciphersuite determines curve: we already know
295              * these are acceptable due to previous checks.
296              */
297             unsigned long cid = s->s3->tmp.new_cipher->id;
298 
299             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
300                 return TLSEXT_curve_P_256;
301             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
302                 return TLSEXT_curve_P_384;
303             /* Should never happen */
304             return 0;
305         }
306         /* If not Suite B just return first preference shared curve */
307         nmatch = 0;
308     }
309     /*
310      * If server preference set, our groups are the preference order
311      * otherwise peer decides.
312      */
313     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
314         tls1_get_supported_groups(s, &pref, &num_pref);
315         tls1_get_peer_groups(s, &supp, &num_supp);
316     } else {
317         tls1_get_peer_groups(s, &pref, &num_pref);
318         tls1_get_supported_groups(s, &supp, &num_supp);
319     }
320 
321     for (k = 0, i = 0; i < num_pref; i++) {
322         uint16_t id = pref[i];
323 
324         if (!tls1_in_list(id, supp, num_supp)
325             || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
326                     continue;
327         if (nmatch == k)
328             return id;
329          k++;
330     }
331     if (nmatch == -1)
332         return k;
333     /* Out of range (nmatch > k). */
334     return 0;
335 }
336 
337 int tls1_set_groups(uint16_t **pext, size_t *pextlen,
338                     int *groups, size_t ngroups)
339 {
340     uint16_t *glist;
341     size_t i;
342     /*
343      * Bitmap of groups included to detect duplicates: only works while group
344      * ids < 32
345      */
346     unsigned long dup_list = 0;
347 
348     if (ngroups == 0) {
349         SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH);
350         return 0;
351     }
352     if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
353         SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE);
354         return 0;
355     }
356     for (i = 0; i < ngroups; i++) {
357         unsigned long idmask;
358         uint16_t id;
359         /* TODO(TLS1.3): Convert for DH groups */
360         id = tls1_nid2group_id(groups[i]);
361         idmask = 1L << id;
362         if (!id || (dup_list & idmask)) {
363             OPENSSL_free(glist);
364             return 0;
365         }
366         dup_list |= idmask;
367         glist[i] = id;
368     }
369     OPENSSL_free(*pext);
370     *pext = glist;
371     *pextlen = ngroups;
372     return 1;
373 }
374 
375 # define MAX_CURVELIST   OSSL_NELEM(nid_list)
376 
377 typedef struct {
378     size_t nidcnt;
379     int nid_arr[MAX_CURVELIST];
380 } nid_cb_st;
381 
382 static int nid_cb(const char *elem, int len, void *arg)
383 {
384     nid_cb_st *narg = arg;
385     size_t i;
386     int nid;
387     char etmp[20];
388     if (elem == NULL)
389         return 0;
390     if (narg->nidcnt == MAX_CURVELIST)
391         return 0;
392     if (len > (int)(sizeof(etmp) - 1))
393         return 0;
394     memcpy(etmp, elem, len);
395     etmp[len] = 0;
396     nid = EC_curve_nist2nid(etmp);
397     if (nid == NID_undef)
398         nid = OBJ_sn2nid(etmp);
399     if (nid == NID_undef)
400         nid = OBJ_ln2nid(etmp);
401     if (nid == NID_undef)
402         return 0;
403     for (i = 0; i < narg->nidcnt; i++)
404         if (narg->nid_arr[i] == nid)
405             return 0;
406     narg->nid_arr[narg->nidcnt++] = nid;
407     return 1;
408 }
409 
410 /* Set groups based on a colon separate list */
411 int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
412 {
413     nid_cb_st ncb;
414     ncb.nidcnt = 0;
415     if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
416         return 0;
417     if (pext == NULL)
418         return 1;
419     return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
420 }
421 /* Return group id of a key */
422 static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
423 {
424     EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
425     const EC_GROUP *grp;
426 
427     if (ec == NULL)
428         return 0;
429     grp = EC_KEY_get0_group(ec);
430     return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
431 }
432 
433 /* Check a key is compatible with compression extension */
434 static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
435 {
436     const EC_KEY *ec;
437     const EC_GROUP *grp;
438     unsigned char comp_id;
439     size_t i;
440 
441     /* If not an EC key nothing to check */
442     if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
443         return 1;
444     ec = EVP_PKEY_get0_EC_KEY(pkey);
445     grp = EC_KEY_get0_group(ec);
446 
447     /* Get required compression id */
448     if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
449             comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
450     } else if (SSL_IS_TLS13(s)) {
451             /*
452              * ec_point_formats extension is not used in TLSv1.3 so we ignore
453              * this check.
454              */
455             return 1;
456     } else {
457         int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));
458 
459         if (field_type == NID_X9_62_prime_field)
460             comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
461         else if (field_type == NID_X9_62_characteristic_two_field)
462             comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
463         else
464             return 0;
465     }
466     /*
467      * If point formats extension present check it, otherwise everything is
468      * supported (see RFC4492).
469      */
470     if (s->ext.peer_ecpointformats == NULL)
471         return 1;
472 
473     for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
474         if (s->ext.peer_ecpointformats[i] == comp_id)
475             return 1;
476     }
477     return 0;
478 }
479 
480 /* Check a group id matches preferences */
481 int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
482     {
483     const uint16_t *groups;
484     size_t groups_len;
485 
486     if (group_id == 0)
487         return 0;
488 
489     /* Check for Suite B compliance */
490     if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
491         unsigned long cid = s->s3->tmp.new_cipher->id;
492 
493         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
494             if (group_id != TLSEXT_curve_P_256)
495                 return 0;
496         } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
497             if (group_id != TLSEXT_curve_P_384)
498                 return 0;
499         } else {
500             /* Should never happen */
501             return 0;
502         }
503     }
504 
505     if (check_own_groups) {
506         /* Check group is one of our preferences */
507         tls1_get_supported_groups(s, &groups, &groups_len);
508         if (!tls1_in_list(group_id, groups, groups_len))
509             return 0;
510     }
511 
512     if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
513         return 0;
514 
515     /* For clients, nothing more to check */
516     if (!s->server)
517         return 1;
518 
519     /* Check group is one of peers preferences */
520     tls1_get_peer_groups(s, &groups, &groups_len);
521 
522     /*
523      * RFC 4492 does not require the supported elliptic curves extension
524      * so if it is not sent we can just choose any curve.
525      * It is invalid to send an empty list in the supported groups
526      * extension, so groups_len == 0 always means no extension.
527      */
528     if (groups_len == 0)
529             return 1;
530     return tls1_in_list(group_id, groups, groups_len);
531 }
532 
533 void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
534                          size_t *num_formats)
535 {
536     /*
537      * If we have a custom point format list use it otherwise use default
538      */
539     if (s->ext.ecpointformats) {
540         *pformats = s->ext.ecpointformats;
541         *num_formats = s->ext.ecpointformats_len;
542     } else {
543         *pformats = ecformats_default;
544         /* For Suite B we don't support char2 fields */
545         if (tls1_suiteb(s))
546             *num_formats = sizeof(ecformats_default) - 1;
547         else
548             *num_formats = sizeof(ecformats_default);
549     }
550 }
551 
552 /*
553  * Check cert parameters compatible with extensions: currently just checks EC
554  * certificates have compatible curves and compression.
555  */
556 static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
557 {
558     uint16_t group_id;
559     EVP_PKEY *pkey;
560     pkey = X509_get0_pubkey(x);
561     if (pkey == NULL)
562         return 0;
563     /* If not EC nothing to do */
564     if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
565         return 1;
566     /* Check compression */
567     if (!tls1_check_pkey_comp(s, pkey))
568         return 0;
569     group_id = tls1_get_group_id(pkey);
570     /*
571      * For a server we allow the certificate to not be in our list of supported
572      * groups.
573      */
574     if (!tls1_check_group_id(s, group_id, !s->server))
575         return 0;
576     /*
577      * Special case for suite B. We *MUST* sign using SHA256+P-256 or
578      * SHA384+P-384.
579      */
580     if (check_ee_md && tls1_suiteb(s)) {
581         int check_md;
582         size_t i;
583 
584         /* Check to see we have necessary signing algorithm */
585         if (group_id == TLSEXT_curve_P_256)
586             check_md = NID_ecdsa_with_SHA256;
587         else if (group_id == TLSEXT_curve_P_384)
588             check_md = NID_ecdsa_with_SHA384;
589         else
590             return 0;           /* Should never happen */
591         for (i = 0; i < s->shared_sigalgslen; i++) {
592             if (check_md == s->shared_sigalgs[i]->sigandhash)
593                 return 1;;
594         }
595         return 0;
596     }
597     return 1;
598 }
599 
600 /*
601  * tls1_check_ec_tmp_key - Check EC temporary key compatibility
602  * @s: SSL connection
603  * @cid: Cipher ID we're considering using
604  *
605  * Checks that the kECDHE cipher suite we're considering using
606  * is compatible with the client extensions.
607  *
608  * Returns 0 when the cipher can't be used or 1 when it can.
609  */
610 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
611 {
612     /* If not Suite B just need a shared group */
613     if (!tls1_suiteb(s))
614         return tls1_shared_group(s, 0) != 0;
615     /*
616      * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
617      * curves permitted.
618      */
619     if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
620         return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
621     if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
622         return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);
623 
624     return 0;
625 }
626 
627 #else
628 
629 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
630 {
631     return 1;
632 }
633 
634 #endif                          /* OPENSSL_NO_EC */
635 
636 /* Default sigalg schemes */
637 static const uint16_t tls12_sigalgs[] = {
638 #ifndef OPENSSL_NO_EC
639     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
640     TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
641     TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
642     TLSEXT_SIGALG_ed25519,
643     TLSEXT_SIGALG_ed448,
644 #endif
645 
646     TLSEXT_SIGALG_rsa_pss_pss_sha256,
647     TLSEXT_SIGALG_rsa_pss_pss_sha384,
648     TLSEXT_SIGALG_rsa_pss_pss_sha512,
649     TLSEXT_SIGALG_rsa_pss_rsae_sha256,
650     TLSEXT_SIGALG_rsa_pss_rsae_sha384,
651     TLSEXT_SIGALG_rsa_pss_rsae_sha512,
652 
653     TLSEXT_SIGALG_rsa_pkcs1_sha256,
654     TLSEXT_SIGALG_rsa_pkcs1_sha384,
655     TLSEXT_SIGALG_rsa_pkcs1_sha512,
656 
657 #ifndef OPENSSL_NO_EC
658     TLSEXT_SIGALG_ecdsa_sha224,
659     TLSEXT_SIGALG_ecdsa_sha1,
660 #endif
661     TLSEXT_SIGALG_rsa_pkcs1_sha224,
662     TLSEXT_SIGALG_rsa_pkcs1_sha1,
663 #ifndef OPENSSL_NO_DSA
664     TLSEXT_SIGALG_dsa_sha224,
665     TLSEXT_SIGALG_dsa_sha1,
666 
667     TLSEXT_SIGALG_dsa_sha256,
668     TLSEXT_SIGALG_dsa_sha384,
669     TLSEXT_SIGALG_dsa_sha512,
670 #endif
671 #ifndef OPENSSL_NO_GOST
672     TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
673     TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
674     TLSEXT_SIGALG_gostr34102001_gostr3411,
675 #endif
676 };
677 
678 #ifndef OPENSSL_NO_EC
679 static const uint16_t suiteb_sigalgs[] = {
680     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
681     TLSEXT_SIGALG_ecdsa_secp384r1_sha384
682 };
683 #endif
684 
685 static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
686 #ifndef OPENSSL_NO_EC
687     {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
688      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
689      NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
690     {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
691      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
692      NID_ecdsa_with_SHA384, NID_secp384r1},
693     {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
694      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
695      NID_ecdsa_with_SHA512, NID_secp521r1},
696     {"ed25519", TLSEXT_SIGALG_ed25519,
697      NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
698      NID_undef, NID_undef},
699     {"ed448", TLSEXT_SIGALG_ed448,
700      NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
701      NID_undef, NID_undef},
702     {NULL, TLSEXT_SIGALG_ecdsa_sha224,
703      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
704      NID_ecdsa_with_SHA224, NID_undef},
705     {NULL, TLSEXT_SIGALG_ecdsa_sha1,
706      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
707      NID_ecdsa_with_SHA1, NID_undef},
708 #endif
709     {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
710      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
711      NID_undef, NID_undef},
712     {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
713      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
714      NID_undef, NID_undef},
715     {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
716      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
717      NID_undef, NID_undef},
718     {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
719      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
720      NID_undef, NID_undef},
721     {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
722      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
723      NID_undef, NID_undef},
724     {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
725      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
726      NID_undef, NID_undef},
727     {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
728      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
729      NID_sha256WithRSAEncryption, NID_undef},
730     {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
731      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
732      NID_sha384WithRSAEncryption, NID_undef},
733     {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
734      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
735      NID_sha512WithRSAEncryption, NID_undef},
736     {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
737      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
738      NID_sha224WithRSAEncryption, NID_undef},
739     {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
740      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
741      NID_sha1WithRSAEncryption, NID_undef},
742 #ifndef OPENSSL_NO_DSA
743     {NULL, TLSEXT_SIGALG_dsa_sha256,
744      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
745      NID_dsa_with_SHA256, NID_undef},
746     {NULL, TLSEXT_SIGALG_dsa_sha384,
747      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
748      NID_undef, NID_undef},
749     {NULL, TLSEXT_SIGALG_dsa_sha512,
750      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
751      NID_undef, NID_undef},
752     {NULL, TLSEXT_SIGALG_dsa_sha224,
753      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
754      NID_undef, NID_undef},
755     {NULL, TLSEXT_SIGALG_dsa_sha1,
756      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
757      NID_dsaWithSHA1, NID_undef},
758 #endif
759 #ifndef OPENSSL_NO_GOST
760     {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
761      NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
762      NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
763      NID_undef, NID_undef},
764     {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
765      NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
766      NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
767      NID_undef, NID_undef},
768     {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
769      NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
770      NID_id_GostR3410_2001, SSL_PKEY_GOST01,
771      NID_undef, NID_undef}
772 #endif
773 };
774 /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
775 static const SIGALG_LOOKUP legacy_rsa_sigalg = {
776     "rsa_pkcs1_md5_sha1", 0,
777      NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
778      EVP_PKEY_RSA, SSL_PKEY_RSA,
779      NID_undef, NID_undef
780 };
781 
782 /*
783  * Default signature algorithm values used if signature algorithms not present.
784  * From RFC5246. Note: order must match certificate index order.
785  */
786 static const uint16_t tls_default_sigalg[] = {
787     TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
788     0, /* SSL_PKEY_RSA_PSS_SIGN */
789     TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
790     TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
791     TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
792     TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
793     TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
794     0, /* SSL_PKEY_ED25519 */
795     0, /* SSL_PKEY_ED448 */
796 };
797 
798 /* Lookup TLS signature algorithm */
799 static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
800 {
801     size_t i;
802     const SIGALG_LOOKUP *s;
803 
804     for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
805          i++, s++) {
806         if (s->sigalg == sigalg)
807             return s;
808     }
809     return NULL;
810 }
811 /* Lookup hash: return 0 if invalid or not enabled */
812 int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
813 {
814     const EVP_MD *md;
815     if (lu == NULL)
816         return 0;
817     /* lu->hash == NID_undef means no associated digest */
818     if (lu->hash == NID_undef) {
819         md = NULL;
820     } else {
821         md = ssl_md(lu->hash_idx);
822         if (md == NULL)
823             return 0;
824     }
825     if (pmd)
826         *pmd = md;
827     return 1;
828 }
829 
830 /*
831  * Check if key is large enough to generate RSA-PSS signature.
832  *
833  * The key must greater than or equal to 2 * hash length + 2.
834  * SHA512 has a hash length of 64 bytes, which is incompatible
835  * with a 128 byte (1024 bit) key.
836  */
837 #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
838 static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
839 {
840     const EVP_MD *md;
841 
842     if (rsa == NULL)
843         return 0;
844     if (!tls1_lookup_md(lu, &md) || md == NULL)
845         return 0;
846     if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md))
847         return 0;
848     return 1;
849 }
850 
851 /*
852  * Return a signature algorithm for TLS < 1.2 where the signature type
853  * is fixed by the certificate type.
854  */
855 static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
856 {
857     if (idx == -1) {
858         if (s->server) {
859             size_t i;
860 
861             /* Work out index corresponding to ciphersuite */
862             for (i = 0; i < SSL_PKEY_NUM; i++) {
863                 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);
864 
865                 if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
866                     idx = i;
867                     break;
868                 }
869             }
870 
871             /*
872              * Some GOST ciphersuites allow more than one signature algorithms
873              * */
874             if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
875                 int real_idx;
876 
877                 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
878                      real_idx--) {
879                     if (s->cert->pkeys[real_idx].privatekey != NULL) {
880                         idx = real_idx;
881                         break;
882                     }
883                 }
884             }
885         } else {
886             idx = s->cert->key - s->cert->pkeys;
887         }
888     }
889     if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
890         return NULL;
891     if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
892         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
893 
894         if (!tls1_lookup_md(lu, NULL))
895             return NULL;
896         return lu;
897     }
898     return &legacy_rsa_sigalg;
899 }
900 /* Set peer sigalg based key type */
901 int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
902 {
903     size_t idx;
904     const SIGALG_LOOKUP *lu;
905 
906     if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
907         return 0;
908     lu = tls1_get_legacy_sigalg(s, idx);
909     if (lu == NULL)
910         return 0;
911     s->s3->tmp.peer_sigalg = lu;
912     return 1;
913 }
914 
915 size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
916 {
917     /*
918      * If Suite B mode use Suite B sigalgs only, ignore any other
919      * preferences.
920      */
921 #ifndef OPENSSL_NO_EC
922     switch (tls1_suiteb(s)) {
923     case SSL_CERT_FLAG_SUITEB_128_LOS:
924         *psigs = suiteb_sigalgs;
925         return OSSL_NELEM(suiteb_sigalgs);
926 
927     case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
928         *psigs = suiteb_sigalgs;
929         return 1;
930 
931     case SSL_CERT_FLAG_SUITEB_192_LOS:
932         *psigs = suiteb_sigalgs + 1;
933         return 1;
934     }
935 #endif
936     /*
937      *  We use client_sigalgs (if not NULL) if we're a server
938      *  and sending a certificate request or if we're a client and
939      *  determining which shared algorithm to use.
940      */
941     if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
942         *psigs = s->cert->client_sigalgs;
943         return s->cert->client_sigalgslen;
944     } else if (s->cert->conf_sigalgs) {
945         *psigs = s->cert->conf_sigalgs;
946         return s->cert->conf_sigalgslen;
947     } else {
948         *psigs = tls12_sigalgs;
949         return OSSL_NELEM(tls12_sigalgs);
950     }
951 }
952 
953 #ifndef OPENSSL_NO_EC
954 /*
955  * Called by servers only. Checks that we have a sig alg that supports the
956  * specified EC curve.
957  */
958 int tls_check_sigalg_curve(const SSL *s, int curve)
959 {
960    const uint16_t *sigs;
961    size_t siglen, i;
962 
963     if (s->cert->conf_sigalgs) {
964         sigs = s->cert->conf_sigalgs;
965         siglen = s->cert->conf_sigalgslen;
966     } else {
967         sigs = tls12_sigalgs;
968         siglen = OSSL_NELEM(tls12_sigalgs);
969     }
970 
971     for (i = 0; i < siglen; i++) {
972         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigs[i]);
973 
974         if (lu == NULL)
975             continue;
976         if (lu->sig == EVP_PKEY_EC
977                 && lu->curve != NID_undef
978                 && curve == lu->curve)
979             return 1;
980     }
981 
982     return 0;
983 }
984 #endif
985 
986 /*
987  * Check signature algorithm is consistent with sent supported signature
988  * algorithms and if so set relevant digest and signature scheme in
989  * s.
990  */
991 int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
992 {
993     const uint16_t *sent_sigs;
994     const EVP_MD *md = NULL;
995     char sigalgstr[2];
996     size_t sent_sigslen, i, cidx;
997     int pkeyid = EVP_PKEY_id(pkey);
998     const SIGALG_LOOKUP *lu;
999 
1000     /* Should never happen */
1001     if (pkeyid == -1)
1002         return -1;
1003     if (SSL_IS_TLS13(s)) {
1004         /* Disallow DSA for TLS 1.3 */
1005         if (pkeyid == EVP_PKEY_DSA) {
1006             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
1007                      SSL_R_WRONG_SIGNATURE_TYPE);
1008             return 0;
1009         }
1010         /* Only allow PSS for TLS 1.3 */
1011         if (pkeyid == EVP_PKEY_RSA)
1012             pkeyid = EVP_PKEY_RSA_PSS;
1013     }
1014     lu = tls1_lookup_sigalg(sig);
1015     /*
1016      * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
1017      * is consistent with signature: RSA keys can be used for RSA-PSS
1018      */
1019     if (lu == NULL
1020         || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
1021         || (pkeyid != lu->sig
1022         && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
1023         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
1024                  SSL_R_WRONG_SIGNATURE_TYPE);
1025         return 0;
1026     }
1027     /* Check the sigalg is consistent with the key OID */
1028     if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx)
1029             || lu->sig_idx != (int)cidx) {
1030         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
1031                  SSL_R_WRONG_SIGNATURE_TYPE);
1032         return 0;
1033     }
1034 
1035 #ifndef OPENSSL_NO_EC
1036     if (pkeyid == EVP_PKEY_EC) {
1037 
1038         /* Check point compression is permitted */
1039         if (!tls1_check_pkey_comp(s, pkey)) {
1040             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1041                      SSL_F_TLS12_CHECK_PEER_SIGALG,
1042                      SSL_R_ILLEGAL_POINT_COMPRESSION);
1043             return 0;
1044         }
1045 
1046         /* For TLS 1.3 or Suite B check curve matches signature algorithm */
1047         if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
1048             EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
1049             int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
1050 
1051             if (lu->curve != NID_undef && curve != lu->curve) {
1052                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1053                          SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1054                 return 0;
1055             }
1056         }
1057         if (!SSL_IS_TLS13(s)) {
1058             /* Check curve matches extensions */
1059             if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
1060                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1061                          SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1062                 return 0;
1063             }
1064             if (tls1_suiteb(s)) {
1065                 /* Check sigalg matches a permissible Suite B value */
1066                 if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
1067                     && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
1068                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1069                              SSL_F_TLS12_CHECK_PEER_SIGALG,
1070                              SSL_R_WRONG_SIGNATURE_TYPE);
1071                     return 0;
1072                 }
1073             }
1074         }
1075     } else if (tls1_suiteb(s)) {
1076         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
1077                  SSL_R_WRONG_SIGNATURE_TYPE);
1078         return 0;
1079     }
1080 #endif
1081 
1082     /* Check signature matches a type we sent */
1083     sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
1084     for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
1085         if (sig == *sent_sigs)
1086             break;
1087     }
1088     /* Allow fallback to SHA1 if not strict mode */
1089     if (i == sent_sigslen && (lu->hash != NID_sha1
1090         || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1091         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
1092                  SSL_R_WRONG_SIGNATURE_TYPE);
1093         return 0;
1094     }
1095     if (!tls1_lookup_md(lu, &md)) {
1096         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
1097                  SSL_R_UNKNOWN_DIGEST);
1098         return 0;
1099     }
1100     if (md != NULL) {
1101         /*
1102          * Make sure security callback allows algorithm. For historical
1103          * reasons we have to pass the sigalg as a two byte char array.
1104          */
1105         sigalgstr[0] = (sig >> 8) & 0xff;
1106         sigalgstr[1] = sig & 0xff;
1107         if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1108                     EVP_MD_size(md) * 4, EVP_MD_type(md),
1109                     (void *)sigalgstr)) {
1110             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
1111                      SSL_R_WRONG_SIGNATURE_TYPE);
1112             return 0;
1113         }
1114     }
1115     /* Store the sigalg the peer uses */
1116     s->s3->tmp.peer_sigalg = lu;
1117     return 1;
1118 }
1119 
1120 int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
1121 {
1122     if (s->s3->tmp.peer_sigalg == NULL)
1123         return 0;
1124     *pnid = s->s3->tmp.peer_sigalg->sig;
1125     return 1;
1126 }
1127 
1128 int SSL_get_signature_type_nid(const SSL *s, int *pnid)
1129 {
1130     if (s->s3->tmp.sigalg == NULL)
1131         return 0;
1132     *pnid = s->s3->tmp.sigalg->sig;
1133     return 1;
1134 }
1135 
1136 /*
1137  * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
1138  * supported, doesn't appear in supported signature algorithms, isn't supported
1139  * by the enabled protocol versions or by the security level.
1140  *
1141  * This function should only be used for checking which ciphers are supported
1142  * by the client.
1143  *
1144  * Call ssl_cipher_disabled() to check that it's enabled or not.
1145  */
1146 int ssl_set_client_disabled(SSL *s)
1147 {
1148     s->s3->tmp.mask_a = 0;
1149     s->s3->tmp.mask_k = 0;
1150     ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
1151     if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver,
1152                                 &s->s3->tmp.max_ver, NULL) != 0)
1153         return 0;
1154 #ifndef OPENSSL_NO_PSK
1155     /* with PSK there must be client callback set */
1156     if (!s->psk_client_callback) {
1157         s->s3->tmp.mask_a |= SSL_aPSK;
1158         s->s3->tmp.mask_k |= SSL_PSK;
1159     }
1160 #endif                          /* OPENSSL_NO_PSK */
1161 #ifndef OPENSSL_NO_SRP
1162     if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1163         s->s3->tmp.mask_a |= SSL_aSRP;
1164         s->s3->tmp.mask_k |= SSL_kSRP;
1165     }
1166 #endif
1167     return 1;
1168 }
1169 
1170 /*
1171  * ssl_cipher_disabled - check that a cipher is disabled or not
1172  * @s: SSL connection that you want to use the cipher on
1173  * @c: cipher to check
1174  * @op: Security check that you want to do
1175  * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
1176  *
1177  * Returns 1 when it's disabled, 0 when enabled.
1178  */
1179 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
1180 {
1181     if (c->algorithm_mkey & s->s3->tmp.mask_k
1182         || c->algorithm_auth & s->s3->tmp.mask_a)
1183         return 1;
1184     if (s->s3->tmp.max_ver == 0)
1185         return 1;
1186     if (!SSL_IS_DTLS(s)) {
1187         int min_tls = c->min_tls;
1188 
1189         /*
1190          * For historical reasons we will allow ECHDE to be selected by a server
1191          * in SSLv3 if we are a client
1192          */
1193         if (min_tls == TLS1_VERSION && ecdhe
1194                 && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
1195             min_tls = SSL3_VERSION;
1196 
1197         if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
1198             return 1;
1199     }
1200     if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
1201                            || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
1202         return 1;
1203 
1204     return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1205 }
1206 
1207 int tls_use_ticket(SSL *s)
1208 {
1209     if ((s->options & SSL_OP_NO_TICKET))
1210         return 0;
1211     return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1212 }
1213 
1214 int tls1_set_server_sigalgs(SSL *s)
1215 {
1216     size_t i;
1217 
1218     /* Clear any shared signature algorithms */
1219     OPENSSL_free(s->shared_sigalgs);
1220     s->shared_sigalgs = NULL;
1221     s->shared_sigalgslen = 0;
1222     /* Clear certificate validity flags */
1223     for (i = 0; i < SSL_PKEY_NUM; i++)
1224         s->s3->tmp.valid_flags[i] = 0;
1225     /*
1226      * If peer sent no signature algorithms check to see if we support
1227      * the default algorithm for each certificate type
1228      */
1229     if (s->s3->tmp.peer_cert_sigalgs == NULL
1230             && s->s3->tmp.peer_sigalgs == NULL) {
1231         const uint16_t *sent_sigs;
1232         size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
1233 
1234         for (i = 0; i < SSL_PKEY_NUM; i++) {
1235             const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
1236             size_t j;
1237 
1238             if (lu == NULL)
1239                 continue;
1240             /* Check default matches a type we sent */
1241             for (j = 0; j < sent_sigslen; j++) {
1242                 if (lu->sigalg == sent_sigs[j]) {
1243                         s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
1244                         break;
1245                 }
1246             }
1247         }
1248         return 1;
1249     }
1250 
1251     if (!tls1_process_sigalgs(s)) {
1252         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1253                  SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
1254         return 0;
1255     }
1256     if (s->shared_sigalgs != NULL)
1257         return 1;
1258 
1259     /* Fatal error if no shared signature algorithms */
1260     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
1261              SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
1262     return 0;
1263 }
1264 
1265 /*-
1266  * Gets the ticket information supplied by the client if any.
1267  *
1268  *   hello: The parsed ClientHello data
1269  *   ret: (output) on return, if a ticket was decrypted, then this is set to
1270  *       point to the resulting session.
1271  */
1272 SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
1273                                              SSL_SESSION **ret)
1274 {
1275     size_t size;
1276     RAW_EXTENSION *ticketext;
1277 
1278     *ret = NULL;
1279     s->ext.ticket_expected = 0;
1280 
1281     /*
1282      * If tickets disabled or not supported by the protocol version
1283      * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
1284      * resumption.
1285      */
1286     if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
1287         return SSL_TICKET_NONE;
1288 
1289     ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
1290     if (!ticketext->present)
1291         return SSL_TICKET_NONE;
1292 
1293     size = PACKET_remaining(&ticketext->data);
1294 
1295     return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
1296                               hello->session_id, hello->session_id_len, ret);
1297 }
1298 
1299 /*-
1300  * tls_decrypt_ticket attempts to decrypt a session ticket.
1301  *
1302  * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are
1303  * expecting a pre-shared key ciphersuite, in which case we have no use for
1304  * session tickets and one will never be decrypted, nor will
1305  * s->ext.ticket_expected be set to 1.
1306  *
1307  * Side effects:
1308  *   Sets s->ext.ticket_expected to 1 if the server will have to issue
1309  *   a new session ticket to the client because the client indicated support
1310  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
1311  *   a session ticket or we couldn't use the one it gave us, or if
1312  *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
1313  *   Otherwise, s->ext.ticket_expected is set to 0.
1314  *
1315  *   etick: points to the body of the session ticket extension.
1316  *   eticklen: the length of the session tickets extension.
1317  *   sess_id: points at the session ID.
1318  *   sesslen: the length of the session ID.
1319  *   psess: (output) on return, if a ticket was decrypted, then this is set to
1320  *       point to the resulting session.
1321  */
1322 SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
1323                                      size_t eticklen, const unsigned char *sess_id,
1324                                      size_t sesslen, SSL_SESSION **psess)
1325 {
1326     SSL_SESSION *sess = NULL;
1327     unsigned char *sdec;
1328     const unsigned char *p;
1329     int slen, renew_ticket = 0, declen;
1330     SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
1331     size_t mlen;
1332     unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1333     HMAC_CTX *hctx = NULL;
1334     EVP_CIPHER_CTX *ctx = NULL;
1335     SSL_CTX *tctx = s->session_ctx;
1336 
1337     if (eticklen == 0) {
1338         /*
1339          * The client will accept a ticket but doesn't currently have
1340          * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
1341          */
1342         ret = SSL_TICKET_EMPTY;
1343         goto end;
1344     }
1345     if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) {
1346         /*
1347          * Indicate that the ticket couldn't be decrypted rather than
1348          * generating the session from ticket now, trigger
1349          * abbreviated handshake based on external mechanism to
1350          * calculate the master secret later.
1351          */
1352         ret = SSL_TICKET_NO_DECRYPT;
1353         goto end;
1354     }
1355 
1356     /* Need at least keyname + iv */
1357     if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
1358         ret = SSL_TICKET_NO_DECRYPT;
1359         goto end;
1360     }
1361 
1362     /* Initialize session ticket encryption and HMAC contexts */
1363     hctx = HMAC_CTX_new();
1364     if (hctx == NULL) {
1365         ret = SSL_TICKET_FATAL_ERR_MALLOC;
1366         goto end;
1367     }
1368     ctx = EVP_CIPHER_CTX_new();
1369     if (ctx == NULL) {
1370         ret = SSL_TICKET_FATAL_ERR_MALLOC;
1371         goto end;
1372     }
1373     if (tctx->ext.ticket_key_cb) {
1374         unsigned char *nctick = (unsigned char *)etick;
1375         int rv = tctx->ext.ticket_key_cb(s, nctick,
1376                                          nctick + TLSEXT_KEYNAME_LENGTH,
1377                                          ctx, hctx, 0);
1378         if (rv < 0) {
1379             ret = SSL_TICKET_FATAL_ERR_OTHER;
1380             goto end;
1381         }
1382         if (rv == 0) {
1383             ret = SSL_TICKET_NO_DECRYPT;
1384             goto end;
1385         }
1386         if (rv == 2)
1387             renew_ticket = 1;
1388     } else {
1389         /* Check key name matches */
1390         if (memcmp(etick, tctx->ext.tick_key_name,
1391                    TLSEXT_KEYNAME_LENGTH) != 0) {
1392             ret = SSL_TICKET_NO_DECRYPT;
1393             goto end;
1394         }
1395         if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
1396                          sizeof(tctx->ext.secure->tick_hmac_key),
1397                          EVP_sha256(), NULL) <= 0
1398             || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
1399                                   tctx->ext.secure->tick_aes_key,
1400                                   etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
1401             ret = SSL_TICKET_FATAL_ERR_OTHER;
1402             goto end;
1403         }
1404         if (SSL_IS_TLS13(s))
1405             renew_ticket = 1;
1406     }
1407     /*
1408      * Attempt to process session ticket, first conduct sanity and integrity
1409      * checks on ticket.
1410      */
1411     mlen = HMAC_size(hctx);
1412     if (mlen == 0) {
1413         ret = SSL_TICKET_FATAL_ERR_OTHER;
1414         goto end;
1415     }
1416 
1417     /* Sanity check ticket length: must exceed keyname + IV + HMAC */
1418     if (eticklen <=
1419         TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
1420         ret = SSL_TICKET_NO_DECRYPT;
1421         goto end;
1422     }
1423     eticklen -= mlen;
1424     /* Check HMAC of encrypted ticket */
1425     if (HMAC_Update(hctx, etick, eticklen) <= 0
1426         || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
1427         ret = SSL_TICKET_FATAL_ERR_OTHER;
1428         goto end;
1429     }
1430 
1431     if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
1432         ret = SSL_TICKET_NO_DECRYPT;
1433         goto end;
1434     }
1435     /* Attempt to decrypt session data */
1436     /* Move p after IV to start of encrypted ticket, update length */
1437     p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
1438     eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
1439     sdec = OPENSSL_malloc(eticklen);
1440     if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
1441                                           (int)eticklen) <= 0) {
1442         OPENSSL_free(sdec);
1443         ret = SSL_TICKET_FATAL_ERR_OTHER;
1444         goto end;
1445     }
1446     if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
1447         OPENSSL_free(sdec);
1448         ret = SSL_TICKET_NO_DECRYPT;
1449         goto end;
1450     }
1451     slen += declen;
1452     p = sdec;
1453 
1454     sess = d2i_SSL_SESSION(NULL, &p, slen);
1455     slen -= p - sdec;
1456     OPENSSL_free(sdec);
1457     if (sess) {
1458         /* Some additional consistency checks */
1459         if (slen != 0) {
1460             SSL_SESSION_free(sess);
1461             sess = NULL;
1462             ret = SSL_TICKET_NO_DECRYPT;
1463             goto end;
1464         }
1465         /*
1466          * The session ID, if non-empty, is used by some clients to detect
1467          * that the ticket has been accepted. So we copy it to the session
1468          * structure. If it is empty set length to zero as required by
1469          * standard.
1470          */
1471         if (sesslen) {
1472             memcpy(sess->session_id, sess_id, sesslen);
1473             sess->session_id_length = sesslen;
1474         }
1475         if (renew_ticket)
1476             ret = SSL_TICKET_SUCCESS_RENEW;
1477         else
1478             ret = SSL_TICKET_SUCCESS;
1479         goto end;
1480     }
1481     ERR_clear_error();
1482     /*
1483      * For session parse failure, indicate that we need to send a new ticket.
1484      */
1485     ret = SSL_TICKET_NO_DECRYPT;
1486 
1487  end:
1488     EVP_CIPHER_CTX_free(ctx);
1489     HMAC_CTX_free(hctx);
1490 
1491     /*
1492      * If set, the decrypt_ticket_cb() is called unless a fatal error was
1493      * detected above. The callback is responsible for checking |ret| before it
1494      * performs any action
1495      */
1496     if (s->session_ctx->decrypt_ticket_cb != NULL
1497             && (ret == SSL_TICKET_EMPTY
1498                 || ret == SSL_TICKET_NO_DECRYPT
1499                 || ret == SSL_TICKET_SUCCESS
1500                 || ret == SSL_TICKET_SUCCESS_RENEW)) {
1501         size_t keyname_len = eticklen;
1502         int retcb;
1503 
1504         if (keyname_len > TLSEXT_KEYNAME_LENGTH)
1505             keyname_len = TLSEXT_KEYNAME_LENGTH;
1506         retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len,
1507                                                   ret,
1508                                                   s->session_ctx->ticket_cb_data);
1509         switch (retcb) {
1510         case SSL_TICKET_RETURN_ABORT:
1511             ret = SSL_TICKET_FATAL_ERR_OTHER;
1512             break;
1513 
1514         case SSL_TICKET_RETURN_IGNORE:
1515             ret = SSL_TICKET_NONE;
1516             SSL_SESSION_free(sess);
1517             sess = NULL;
1518             break;
1519 
1520         case SSL_TICKET_RETURN_IGNORE_RENEW:
1521             if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT)
1522                 ret = SSL_TICKET_NO_DECRYPT;
1523             /* else the value of |ret| will already do the right thing */
1524             SSL_SESSION_free(sess);
1525             sess = NULL;
1526             break;
1527 
1528         case SSL_TICKET_RETURN_USE:
1529         case SSL_TICKET_RETURN_USE_RENEW:
1530             if (ret != SSL_TICKET_SUCCESS
1531                     && ret != SSL_TICKET_SUCCESS_RENEW)
1532                 ret = SSL_TICKET_FATAL_ERR_OTHER;
1533             else if (retcb == SSL_TICKET_RETURN_USE)
1534                 ret = SSL_TICKET_SUCCESS;
1535             else
1536                 ret = SSL_TICKET_SUCCESS_RENEW;
1537             break;
1538 
1539         default:
1540             ret = SSL_TICKET_FATAL_ERR_OTHER;
1541         }
1542     }
1543 
1544     if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) {
1545         switch (ret) {
1546         case SSL_TICKET_NO_DECRYPT:
1547         case SSL_TICKET_SUCCESS_RENEW:
1548         case SSL_TICKET_EMPTY:
1549             s->ext.ticket_expected = 1;
1550         }
1551     }
1552 
1553     *psess = sess;
1554 
1555     return ret;
1556 }
1557 
1558 /* Check to see if a signature algorithm is allowed */
1559 static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
1560 {
1561     unsigned char sigalgstr[2];
1562     int secbits;
1563 
1564     /* See if sigalgs is recognised and if hash is enabled */
1565     if (!tls1_lookup_md(lu, NULL))
1566         return 0;
1567     /* DSA is not allowed in TLS 1.3 */
1568     if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
1569         return 0;
1570     /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
1571     if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
1572         && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
1573             || lu->hash_idx == SSL_MD_MD5_IDX
1574             || lu->hash_idx == SSL_MD_SHA224_IDX))
1575         return 0;
1576 
1577     /* See if public key algorithm allowed */
1578     if (ssl_cert_is_disabled(lu->sig_idx))
1579         return 0;
1580 
1581     if (lu->sig == NID_id_GostR3410_2012_256
1582             || lu->sig == NID_id_GostR3410_2012_512
1583             || lu->sig == NID_id_GostR3410_2001) {
1584         /* We never allow GOST sig algs on the server with TLSv1.3 */
1585         if (s->server && SSL_IS_TLS13(s))
1586             return 0;
1587         if (!s->server
1588                 && s->method->version == TLS_ANY_VERSION
1589                 && s->s3->tmp.max_ver >= TLS1_3_VERSION) {
1590             int i, num;
1591             STACK_OF(SSL_CIPHER) *sk;
1592 
1593             /*
1594              * We're a client that could negotiate TLSv1.3. We only allow GOST
1595              * sig algs if we could negotiate TLSv1.2 or below and we have GOST
1596              * ciphersuites enabled.
1597              */
1598 
1599             if (s->s3->tmp.min_ver >= TLS1_3_VERSION)
1600                 return 0;
1601 
1602             sk = SSL_get_ciphers(s);
1603             num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0;
1604             for (i = 0; i < num; i++) {
1605                 const SSL_CIPHER *c;
1606 
1607                 c = sk_SSL_CIPHER_value(sk, i);
1608                 /* Skip disabled ciphers */
1609                 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
1610                     continue;
1611 
1612                 if ((c->algorithm_mkey & SSL_kGOST) != 0)
1613                     break;
1614             }
1615             if (i == num)
1616                 return 0;
1617         }
1618     }
1619 
1620     if (lu->hash == NID_undef)
1621         return 1;
1622     /* Security bits: half digest bits */
1623     secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
1624     /* Finally see if security callback allows it */
1625     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
1626     sigalgstr[1] = lu->sigalg & 0xff;
1627     return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
1628 }
1629 
1630 /*
1631  * Get a mask of disabled public key algorithms based on supported signature
1632  * algorithms. For example if no signature algorithm supports RSA then RSA is
1633  * disabled.
1634  */
1635 
1636 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
1637 {
1638     const uint16_t *sigalgs;
1639     size_t i, sigalgslen;
1640     uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
1641     /*
1642      * Go through all signature algorithms seeing if we support any
1643      * in disabled_mask.
1644      */
1645     sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
1646     for (i = 0; i < sigalgslen; i++, sigalgs++) {
1647         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
1648         const SSL_CERT_LOOKUP *clu;
1649 
1650         if (lu == NULL)
1651             continue;
1652 
1653         clu = ssl_cert_lookup_by_idx(lu->sig_idx);
1654 	if (clu == NULL)
1655 		continue;
1656 
1657         /* If algorithm is disabled see if we can enable it */
1658         if ((clu->amask & disabled_mask) != 0
1659                 && tls12_sigalg_allowed(s, op, lu))
1660             disabled_mask &= ~clu->amask;
1661     }
1662     *pmask_a |= disabled_mask;
1663 }
1664 
1665 int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
1666                        const uint16_t *psig, size_t psiglen)
1667 {
1668     size_t i;
1669     int rv = 0;
1670 
1671     for (i = 0; i < psiglen; i++, psig++) {
1672         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);
1673 
1674         if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
1675             continue;
1676         if (!WPACKET_put_bytes_u16(pkt, *psig))
1677             return 0;
1678         /*
1679          * If TLS 1.3 must have at least one valid TLS 1.3 message
1680          * signing algorithm: i.e. neither RSA nor SHA1/SHA224
1681          */
1682         if (rv == 0 && (!SSL_IS_TLS13(s)
1683             || (lu->sig != EVP_PKEY_RSA
1684                 && lu->hash != NID_sha1
1685                 && lu->hash != NID_sha224)))
1686             rv = 1;
1687     }
1688     if (rv == 0)
1689         SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
1690     return rv;
1691 }
1692 
1693 /* Given preference and allowed sigalgs set shared sigalgs */
1694 static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
1695                                    const uint16_t *pref, size_t preflen,
1696                                    const uint16_t *allow, size_t allowlen)
1697 {
1698     const uint16_t *ptmp, *atmp;
1699     size_t i, j, nmatch = 0;
1700     for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
1701         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);
1702 
1703         /* Skip disabled hashes or signature algorithms */
1704         if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
1705             continue;
1706         for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
1707             if (*ptmp == *atmp) {
1708                 nmatch++;
1709                 if (shsig)
1710                     *shsig++ = lu;
1711                 break;
1712             }
1713         }
1714     }
1715     return nmatch;
1716 }
1717 
1718 /* Set shared signature algorithms for SSL structures */
1719 static int tls1_set_shared_sigalgs(SSL *s)
1720 {
1721     const uint16_t *pref, *allow, *conf;
1722     size_t preflen, allowlen, conflen;
1723     size_t nmatch;
1724     const SIGALG_LOOKUP **salgs = NULL;
1725     CERT *c = s->cert;
1726     unsigned int is_suiteb = tls1_suiteb(s);
1727 
1728     OPENSSL_free(s->shared_sigalgs);
1729     s->shared_sigalgs = NULL;
1730     s->shared_sigalgslen = 0;
1731     /* If client use client signature algorithms if not NULL */
1732     if (!s->server && c->client_sigalgs && !is_suiteb) {
1733         conf = c->client_sigalgs;
1734         conflen = c->client_sigalgslen;
1735     } else if (c->conf_sigalgs && !is_suiteb) {
1736         conf = c->conf_sigalgs;
1737         conflen = c->conf_sigalgslen;
1738     } else
1739         conflen = tls12_get_psigalgs(s, 0, &conf);
1740     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
1741         pref = conf;
1742         preflen = conflen;
1743         allow = s->s3->tmp.peer_sigalgs;
1744         allowlen = s->s3->tmp.peer_sigalgslen;
1745     } else {
1746         allow = conf;
1747         allowlen = conflen;
1748         pref = s->s3->tmp.peer_sigalgs;
1749         preflen = s->s3->tmp.peer_sigalgslen;
1750     }
1751     nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
1752     if (nmatch) {
1753         if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) {
1754             SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE);
1755             return 0;
1756         }
1757         nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
1758     } else {
1759         salgs = NULL;
1760     }
1761     s->shared_sigalgs = salgs;
1762     s->shared_sigalgslen = nmatch;
1763     return 1;
1764 }
1765 
1766 int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
1767 {
1768     unsigned int stmp;
1769     size_t size, i;
1770     uint16_t *buf;
1771 
1772     size = PACKET_remaining(pkt);
1773 
1774     /* Invalid data length */
1775     if (size == 0 || (size & 1) != 0)
1776         return 0;
1777 
1778     size >>= 1;
1779 
1780     if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL)  {
1781         SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE);
1782         return 0;
1783     }
1784     for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
1785         buf[i] = stmp;
1786 
1787     if (i != size) {
1788         OPENSSL_free(buf);
1789         return 0;
1790     }
1791 
1792     OPENSSL_free(*pdest);
1793     *pdest = buf;
1794     *pdestlen = size;
1795 
1796     return 1;
1797 }
1798 
1799 int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert)
1800 {
1801     /* Extension ignored for inappropriate versions */
1802     if (!SSL_USE_SIGALGS(s))
1803         return 1;
1804     /* Should never happen */
1805     if (s->cert == NULL)
1806         return 0;
1807 
1808     if (cert)
1809         return tls1_save_u16(pkt, &s->s3->tmp.peer_cert_sigalgs,
1810                              &s->s3->tmp.peer_cert_sigalgslen);
1811     else
1812         return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs,
1813                              &s->s3->tmp.peer_sigalgslen);
1814 
1815 }
1816 
1817 /* Set preferred digest for each key type */
1818 
1819 int tls1_process_sigalgs(SSL *s)
1820 {
1821     size_t i;
1822     uint32_t *pvalid = s->s3->tmp.valid_flags;
1823 
1824     if (!tls1_set_shared_sigalgs(s))
1825         return 0;
1826 
1827     for (i = 0; i < SSL_PKEY_NUM; i++)
1828         pvalid[i] = 0;
1829 
1830     for (i = 0; i < s->shared_sigalgslen; i++) {
1831         const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
1832         int idx = sigptr->sig_idx;
1833 
1834         /* Ignore PKCS1 based sig algs in TLSv1.3 */
1835         if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
1836             continue;
1837         /* If not disabled indicate we can explicitly sign */
1838         if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx))
1839             pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
1840     }
1841     return 1;
1842 }
1843 
1844 int SSL_get_sigalgs(SSL *s, int idx,
1845                     int *psign, int *phash, int *psignhash,
1846                     unsigned char *rsig, unsigned char *rhash)
1847 {
1848     uint16_t *psig = s->s3->tmp.peer_sigalgs;
1849     size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
1850     if (psig == NULL || numsigalgs > INT_MAX)
1851         return 0;
1852     if (idx >= 0) {
1853         const SIGALG_LOOKUP *lu;
1854 
1855         if (idx >= (int)numsigalgs)
1856             return 0;
1857         psig += idx;
1858         if (rhash != NULL)
1859             *rhash = (unsigned char)((*psig >> 8) & 0xff);
1860         if (rsig != NULL)
1861             *rsig = (unsigned char)(*psig & 0xff);
1862         lu = tls1_lookup_sigalg(*psig);
1863         if (psign != NULL)
1864             *psign = lu != NULL ? lu->sig : NID_undef;
1865         if (phash != NULL)
1866             *phash = lu != NULL ? lu->hash : NID_undef;
1867         if (psignhash != NULL)
1868             *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
1869     }
1870     return (int)numsigalgs;
1871 }
1872 
1873 int SSL_get_shared_sigalgs(SSL *s, int idx,
1874                            int *psign, int *phash, int *psignhash,
1875                            unsigned char *rsig, unsigned char *rhash)
1876 {
1877     const SIGALG_LOOKUP *shsigalgs;
1878     if (s->shared_sigalgs == NULL
1879         || idx < 0
1880         || idx >= (int)s->shared_sigalgslen
1881         || s->shared_sigalgslen > INT_MAX)
1882         return 0;
1883     shsigalgs = s->shared_sigalgs[idx];
1884     if (phash != NULL)
1885         *phash = shsigalgs->hash;
1886     if (psign != NULL)
1887         *psign = shsigalgs->sig;
1888     if (psignhash != NULL)
1889         *psignhash = shsigalgs->sigandhash;
1890     if (rsig != NULL)
1891         *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
1892     if (rhash != NULL)
1893         *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
1894     return (int)s->shared_sigalgslen;
1895 }
1896 
1897 /* Maximum possible number of unique entries in sigalgs array */
1898 #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
1899 
1900 typedef struct {
1901     size_t sigalgcnt;
1902     /* TLSEXT_SIGALG_XXX values */
1903     uint16_t sigalgs[TLS_MAX_SIGALGCNT];
1904 } sig_cb_st;
1905 
1906 static void get_sigorhash(int *psig, int *phash, const char *str)
1907 {
1908     if (strcmp(str, "RSA") == 0) {
1909         *psig = EVP_PKEY_RSA;
1910     } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
1911         *psig = EVP_PKEY_RSA_PSS;
1912     } else if (strcmp(str, "DSA") == 0) {
1913         *psig = EVP_PKEY_DSA;
1914     } else if (strcmp(str, "ECDSA") == 0) {
1915         *psig = EVP_PKEY_EC;
1916     } else {
1917         *phash = OBJ_sn2nid(str);
1918         if (*phash == NID_undef)
1919             *phash = OBJ_ln2nid(str);
1920     }
1921 }
1922 /* Maximum length of a signature algorithm string component */
1923 #define TLS_MAX_SIGSTRING_LEN   40
1924 
1925 static int sig_cb(const char *elem, int len, void *arg)
1926 {
1927     sig_cb_st *sarg = arg;
1928     size_t i;
1929     const SIGALG_LOOKUP *s;
1930     char etmp[TLS_MAX_SIGSTRING_LEN], *p;
1931     int sig_alg = NID_undef, hash_alg = NID_undef;
1932     if (elem == NULL)
1933         return 0;
1934     if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
1935         return 0;
1936     if (len > (int)(sizeof(etmp) - 1))
1937         return 0;
1938     memcpy(etmp, elem, len);
1939     etmp[len] = 0;
1940     p = strchr(etmp, '+');
1941     /*
1942      * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
1943      * if there's no '+' in the provided name, look for the new-style combined
1944      * name.  If not, match both sig+hash to find the needed SIGALG_LOOKUP.
1945      * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
1946      * rsa_pss_rsae_* that differ only by public key OID; in such cases
1947      * we will pick the _rsae_ variant, by virtue of them appearing earlier
1948      * in the table.
1949      */
1950     if (p == NULL) {
1951         for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
1952              i++, s++) {
1953             if (s->name != NULL && strcmp(etmp, s->name) == 0) {
1954                 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
1955                 break;
1956             }
1957         }
1958         if (i == OSSL_NELEM(sigalg_lookup_tbl))
1959             return 0;
1960     } else {
1961         *p = 0;
1962         p++;
1963         if (*p == 0)
1964             return 0;
1965         get_sigorhash(&sig_alg, &hash_alg, etmp);
1966         get_sigorhash(&sig_alg, &hash_alg, p);
1967         if (sig_alg == NID_undef || hash_alg == NID_undef)
1968             return 0;
1969         for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
1970              i++, s++) {
1971             if (s->hash == hash_alg && s->sig == sig_alg) {
1972                 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
1973                 break;
1974             }
1975         }
1976         if (i == OSSL_NELEM(sigalg_lookup_tbl))
1977             return 0;
1978     }
1979 
1980     /* Reject duplicates */
1981     for (i = 0; i < sarg->sigalgcnt - 1; i++) {
1982         if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
1983             sarg->sigalgcnt--;
1984             return 0;
1985         }
1986     }
1987     return 1;
1988 }
1989 
1990 /*
1991  * Set supported signature algorithms based on a colon separated list of the
1992  * form sig+hash e.g. RSA+SHA512:DSA+SHA512
1993  */
1994 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
1995 {
1996     sig_cb_st sig;
1997     sig.sigalgcnt = 0;
1998     if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
1999         return 0;
2000     if (c == NULL)
2001         return 1;
2002     return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
2003 }
2004 
2005 int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
2006                      int client)
2007 {
2008     uint16_t *sigalgs;
2009 
2010     if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) {
2011         SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE);
2012         return 0;
2013     }
2014     memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));
2015 
2016     if (client) {
2017         OPENSSL_free(c->client_sigalgs);
2018         c->client_sigalgs = sigalgs;
2019         c->client_sigalgslen = salglen;
2020     } else {
2021         OPENSSL_free(c->conf_sigalgs);
2022         c->conf_sigalgs = sigalgs;
2023         c->conf_sigalgslen = salglen;
2024     }
2025 
2026     return 1;
2027 }
2028 
2029 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
2030 {
2031     uint16_t *sigalgs, *sptr;
2032     size_t i;
2033 
2034     if (salglen & 1)
2035         return 0;
2036     if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) {
2037         SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE);
2038         return 0;
2039     }
2040     for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
2041         size_t j;
2042         const SIGALG_LOOKUP *curr;
2043         int md_id = *psig_nids++;
2044         int sig_id = *psig_nids++;
2045 
2046         for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
2047              j++, curr++) {
2048             if (curr->hash == md_id && curr->sig == sig_id) {
2049                 *sptr++ = curr->sigalg;
2050                 break;
2051             }
2052         }
2053 
2054         if (j == OSSL_NELEM(sigalg_lookup_tbl))
2055             goto err;
2056     }
2057 
2058     if (client) {
2059         OPENSSL_free(c->client_sigalgs);
2060         c->client_sigalgs = sigalgs;
2061         c->client_sigalgslen = salglen / 2;
2062     } else {
2063         OPENSSL_free(c->conf_sigalgs);
2064         c->conf_sigalgs = sigalgs;
2065         c->conf_sigalgslen = salglen / 2;
2066     }
2067 
2068     return 1;
2069 
2070  err:
2071     OPENSSL_free(sigalgs);
2072     return 0;
2073 }
2074 
2075 static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
2076 {
2077     int sig_nid, use_pc_sigalgs = 0;
2078     size_t i;
2079     const SIGALG_LOOKUP *sigalg;
2080     size_t sigalgslen;
2081     if (default_nid == -1)
2082         return 1;
2083     sig_nid = X509_get_signature_nid(x);
2084     if (default_nid)
2085         return sig_nid == default_nid ? 1 : 0;
2086 
2087     if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) {
2088         /*
2089          * If we're in TLSv1.3 then we only get here if we're checking the
2090          * chain. If the peer has specified peer_cert_sigalgs then we use them
2091          * otherwise we default to normal sigalgs.
2092          */
2093         sigalgslen = s->s3->tmp.peer_cert_sigalgslen;
2094         use_pc_sigalgs = 1;
2095     } else {
2096         sigalgslen = s->shared_sigalgslen;
2097     }
2098     for (i = 0; i < sigalgslen; i++) {
2099         sigalg = use_pc_sigalgs
2100                  ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
2101                  : s->shared_sigalgs[i];
2102         if (sig_nid == sigalg->sigandhash)
2103             return 1;
2104     }
2105     return 0;
2106 }
2107 
2108 /* Check to see if a certificate issuer name matches list of CA names */
2109 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
2110 {
2111     X509_NAME *nm;
2112     int i;
2113     nm = X509_get_issuer_name(x);
2114     for (i = 0; i < sk_X509_NAME_num(names); i++) {
2115         if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
2116             return 1;
2117     }
2118     return 0;
2119 }
2120 
2121 /*
2122  * Check certificate chain is consistent with TLS extensions and is usable by
2123  * server. This servers two purposes: it allows users to check chains before
2124  * passing them to the server and it allows the server to check chains before
2125  * attempting to use them.
2126  */
2127 
2128 /* Flags which need to be set for a certificate when strict mode not set */
2129 
2130 #define CERT_PKEY_VALID_FLAGS \
2131         (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
2132 /* Strict mode flags */
2133 #define CERT_PKEY_STRICT_FLAGS \
2134          (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
2135          | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
2136 
2137 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
2138                      int idx)
2139 {
2140     int i;
2141     int rv = 0;
2142     int check_flags = 0, strict_mode;
2143     CERT_PKEY *cpk = NULL;
2144     CERT *c = s->cert;
2145     uint32_t *pvalid;
2146     unsigned int suiteb_flags = tls1_suiteb(s);
2147     /* idx == -1 means checking server chains */
2148     if (idx != -1) {
2149         /* idx == -2 means checking client certificate chains */
2150         if (idx == -2) {
2151             cpk = c->key;
2152             idx = (int)(cpk - c->pkeys);
2153         } else
2154             cpk = c->pkeys + idx;
2155         pvalid = s->s3->tmp.valid_flags + idx;
2156         x = cpk->x509;
2157         pk = cpk->privatekey;
2158         chain = cpk->chain;
2159         strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
2160         /* If no cert or key, forget it */
2161         if (!x || !pk)
2162             goto end;
2163     } else {
2164         size_t certidx;
2165 
2166         if (!x || !pk)
2167             return 0;
2168 
2169         if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
2170             return 0;
2171         idx = certidx;
2172         pvalid = s->s3->tmp.valid_flags + idx;
2173 
2174         if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
2175             check_flags = CERT_PKEY_STRICT_FLAGS;
2176         else
2177             check_flags = CERT_PKEY_VALID_FLAGS;
2178         strict_mode = 1;
2179     }
2180 
2181     if (suiteb_flags) {
2182         int ok;
2183         if (check_flags)
2184             check_flags |= CERT_PKEY_SUITEB;
2185         ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
2186         if (ok == X509_V_OK)
2187             rv |= CERT_PKEY_SUITEB;
2188         else if (!check_flags)
2189             goto end;
2190     }
2191 
2192     /*
2193      * Check all signature algorithms are consistent with signature
2194      * algorithms extension if TLS 1.2 or later and strict mode.
2195      */
2196     if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
2197         int default_nid;
2198         int rsign = 0;
2199         if (s->s3->tmp.peer_cert_sigalgs != NULL
2200                 || s->s3->tmp.peer_sigalgs != NULL) {
2201             default_nid = 0;
2202         /* If no sigalgs extension use defaults from RFC5246 */
2203         } else {
2204             switch (idx) {
2205             case SSL_PKEY_RSA:
2206                 rsign = EVP_PKEY_RSA;
2207                 default_nid = NID_sha1WithRSAEncryption;
2208                 break;
2209 
2210             case SSL_PKEY_DSA_SIGN:
2211                 rsign = EVP_PKEY_DSA;
2212                 default_nid = NID_dsaWithSHA1;
2213                 break;
2214 
2215             case SSL_PKEY_ECC:
2216                 rsign = EVP_PKEY_EC;
2217                 default_nid = NID_ecdsa_with_SHA1;
2218                 break;
2219 
2220             case SSL_PKEY_GOST01:
2221                 rsign = NID_id_GostR3410_2001;
2222                 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
2223                 break;
2224 
2225             case SSL_PKEY_GOST12_256:
2226                 rsign = NID_id_GostR3410_2012_256;
2227                 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
2228                 break;
2229 
2230             case SSL_PKEY_GOST12_512:
2231                 rsign = NID_id_GostR3410_2012_512;
2232                 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
2233                 break;
2234 
2235             default:
2236                 default_nid = -1;
2237                 break;
2238             }
2239         }
2240         /*
2241          * If peer sent no signature algorithms extension and we have set
2242          * preferred signature algorithms check we support sha1.
2243          */
2244         if (default_nid > 0 && c->conf_sigalgs) {
2245             size_t j;
2246             const uint16_t *p = c->conf_sigalgs;
2247             for (j = 0; j < c->conf_sigalgslen; j++, p++) {
2248                 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);
2249 
2250                 if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
2251                     break;
2252             }
2253             if (j == c->conf_sigalgslen) {
2254                 if (check_flags)
2255                     goto skip_sigs;
2256                 else
2257                     goto end;
2258             }
2259         }
2260         /* Check signature algorithm of each cert in chain */
2261         if (SSL_IS_TLS13(s)) {
2262             /*
2263              * We only get here if the application has called SSL_check_chain(),
2264              * so check_flags is always set.
2265              */
2266             if (find_sig_alg(s, x, pk) != NULL)
2267                 rv |= CERT_PKEY_EE_SIGNATURE;
2268         } else if (!tls1_check_sig_alg(s, x, default_nid)) {
2269             if (!check_flags)
2270                 goto end;
2271         } else
2272             rv |= CERT_PKEY_EE_SIGNATURE;
2273         rv |= CERT_PKEY_CA_SIGNATURE;
2274         for (i = 0; i < sk_X509_num(chain); i++) {
2275             if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
2276                 if (check_flags) {
2277                     rv &= ~CERT_PKEY_CA_SIGNATURE;
2278                     break;
2279                 } else
2280                     goto end;
2281             }
2282         }
2283     }
2284     /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
2285     else if (check_flags)
2286         rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
2287  skip_sigs:
2288     /* Check cert parameters are consistent */
2289     if (tls1_check_cert_param(s, x, 1))
2290         rv |= CERT_PKEY_EE_PARAM;
2291     else if (!check_flags)
2292         goto end;
2293     if (!s->server)
2294         rv |= CERT_PKEY_CA_PARAM;
2295     /* In strict mode check rest of chain too */
2296     else if (strict_mode) {
2297         rv |= CERT_PKEY_CA_PARAM;
2298         for (i = 0; i < sk_X509_num(chain); i++) {
2299             X509 *ca = sk_X509_value(chain, i);
2300             if (!tls1_check_cert_param(s, ca, 0)) {
2301                 if (check_flags) {
2302                     rv &= ~CERT_PKEY_CA_PARAM;
2303                     break;
2304                 } else
2305                     goto end;
2306             }
2307         }
2308     }
2309     if (!s->server && strict_mode) {
2310         STACK_OF(X509_NAME) *ca_dn;
2311         int check_type = 0;
2312         switch (EVP_PKEY_id(pk)) {
2313         case EVP_PKEY_RSA:
2314             check_type = TLS_CT_RSA_SIGN;
2315             break;
2316         case EVP_PKEY_DSA:
2317             check_type = TLS_CT_DSS_SIGN;
2318             break;
2319         case EVP_PKEY_EC:
2320             check_type = TLS_CT_ECDSA_SIGN;
2321             break;
2322         }
2323         if (check_type) {
2324             const uint8_t *ctypes = s->s3->tmp.ctype;
2325             size_t j;
2326 
2327             for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
2328                 if (*ctypes == check_type) {
2329                     rv |= CERT_PKEY_CERT_TYPE;
2330                     break;
2331                 }
2332             }
2333             if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
2334                 goto end;
2335         } else {
2336             rv |= CERT_PKEY_CERT_TYPE;
2337         }
2338 
2339         ca_dn = s->s3->tmp.peer_ca_names;
2340 
2341         if (!sk_X509_NAME_num(ca_dn))
2342             rv |= CERT_PKEY_ISSUER_NAME;
2343 
2344         if (!(rv & CERT_PKEY_ISSUER_NAME)) {
2345             if (ssl_check_ca_name(ca_dn, x))
2346                 rv |= CERT_PKEY_ISSUER_NAME;
2347         }
2348         if (!(rv & CERT_PKEY_ISSUER_NAME)) {
2349             for (i = 0; i < sk_X509_num(chain); i++) {
2350                 X509 *xtmp = sk_X509_value(chain, i);
2351                 if (ssl_check_ca_name(ca_dn, xtmp)) {
2352                     rv |= CERT_PKEY_ISSUER_NAME;
2353                     break;
2354                 }
2355             }
2356         }
2357         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
2358             goto end;
2359     } else
2360         rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
2361 
2362     if (!check_flags || (rv & check_flags) == check_flags)
2363         rv |= CERT_PKEY_VALID;
2364 
2365  end:
2366 
2367     if (TLS1_get_version(s) >= TLS1_2_VERSION)
2368         rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
2369     else
2370         rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
2371 
2372     /*
2373      * When checking a CERT_PKEY structure all flags are irrelevant if the
2374      * chain is invalid.
2375      */
2376     if (!check_flags) {
2377         if (rv & CERT_PKEY_VALID) {
2378             *pvalid = rv;
2379         } else {
2380             /* Preserve sign and explicit sign flag, clear rest */
2381             *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
2382             return 0;
2383         }
2384     }
2385     return rv;
2386 }
2387 
2388 /* Set validity of certificates in an SSL structure */
2389 void tls1_set_cert_validity(SSL *s)
2390 {
2391     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
2392     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
2393     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
2394     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
2395     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
2396     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
2397     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
2398     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
2399     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
2400 }
2401 
2402 /* User level utility function to check a chain is suitable */
2403 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
2404 {
2405     return tls1_check_chain(s, x, pk, chain, -1);
2406 }
2407 
2408 #ifndef OPENSSL_NO_DH
2409 DH *ssl_get_auto_dh(SSL *s)
2410 {
2411     int dh_secbits = 80;
2412     if (s->cert->dh_tmp_auto == 2)
2413         return DH_get_1024_160();
2414     if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
2415         if (s->s3->tmp.new_cipher->strength_bits == 256)
2416             dh_secbits = 128;
2417         else
2418             dh_secbits = 80;
2419     } else {
2420         if (s->s3->tmp.cert == NULL)
2421             return NULL;
2422         dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
2423     }
2424 
2425     if (dh_secbits >= 128) {
2426         DH *dhp = DH_new();
2427         BIGNUM *p, *g;
2428         if (dhp == NULL)
2429             return NULL;
2430         g = BN_new();
2431         if (g == NULL || !BN_set_word(g, 2)) {
2432             DH_free(dhp);
2433             BN_free(g);
2434             return NULL;
2435         }
2436         if (dh_secbits >= 192)
2437             p = BN_get_rfc3526_prime_8192(NULL);
2438         else
2439             p = BN_get_rfc3526_prime_3072(NULL);
2440         if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
2441             DH_free(dhp);
2442             BN_free(p);
2443             BN_free(g);
2444             return NULL;
2445         }
2446         return dhp;
2447     }
2448     if (dh_secbits >= 112)
2449         return DH_get_2048_224();
2450     return DH_get_1024_160();
2451 }
2452 #endif
2453 
2454 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2455 {
2456     int secbits = -1;
2457     EVP_PKEY *pkey = X509_get0_pubkey(x);
2458     if (pkey) {
2459         /*
2460          * If no parameters this will return -1 and fail using the default
2461          * security callback for any non-zero security level. This will
2462          * reject keys which omit parameters but this only affects DSA and
2463          * omission of parameters is never (?) done in practice.
2464          */
2465         secbits = EVP_PKEY_security_bits(pkey);
2466     }
2467     if (s)
2468         return ssl_security(s, op, secbits, 0, x);
2469     else
2470         return ssl_ctx_security(ctx, op, secbits, 0, x);
2471 }
2472 
2473 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2474 {
2475     /* Lookup signature algorithm digest */
2476     int secbits, nid, pknid;
2477     /* Don't check signature if self signed */
2478     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
2479         return 1;
2480     if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
2481         secbits = -1;
2482     /* If digest NID not defined use signature NID */
2483     if (nid == NID_undef)
2484         nid = pknid;
2485     if (s)
2486         return ssl_security(s, op, secbits, nid, x);
2487     else
2488         return ssl_ctx_security(ctx, op, secbits, nid, x);
2489 }
2490 
2491 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
2492 {
2493     if (vfy)
2494         vfy = SSL_SECOP_PEER;
2495     if (is_ee) {
2496         if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
2497             return SSL_R_EE_KEY_TOO_SMALL;
2498     } else {
2499         if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
2500             return SSL_R_CA_KEY_TOO_SMALL;
2501     }
2502     if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
2503         return SSL_R_CA_MD_TOO_WEAK;
2504     return 1;
2505 }
2506 
2507 /*
2508  * Check security of a chain, if |sk| includes the end entity certificate then
2509  * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
2510  * one to the peer. Return values: 1 if ok otherwise error code to use
2511  */
2512 
2513 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
2514 {
2515     int rv, start_idx, i;
2516     if (x == NULL) {
2517         x = sk_X509_value(sk, 0);
2518         start_idx = 1;
2519     } else
2520         start_idx = 0;
2521 
2522     rv = ssl_security_cert(s, NULL, x, vfy, 1);
2523     if (rv != 1)
2524         return rv;
2525 
2526     for (i = start_idx; i < sk_X509_num(sk); i++) {
2527         x = sk_X509_value(sk, i);
2528         rv = ssl_security_cert(s, NULL, x, vfy, 0);
2529         if (rv != 1)
2530             return rv;
2531     }
2532     return 1;
2533 }
2534 
2535 /*
2536  * For TLS 1.2 servers check if we have a certificate which can be used
2537  * with the signature algorithm "lu" and return index of certificate.
2538  */
2539 
2540 static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
2541 {
2542     int sig_idx = lu->sig_idx;
2543     const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
2544 
2545     /* If not recognised or not supported by cipher mask it is not suitable */
2546     if (clu == NULL
2547             || (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0
2548             || (clu->nid == EVP_PKEY_RSA_PSS
2549                 && (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0))
2550         return -1;
2551 
2552     return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
2553 }
2554 
2555 /*
2556  * Checks the given cert against signature_algorithm_cert restrictions sent by
2557  * the peer (if any) as well as whether the hash from the sigalg is usable with
2558  * the key.
2559  * Returns true if the cert is usable and false otherwise.
2560  */
2561 static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
2562                              EVP_PKEY *pkey)
2563 {
2564     const SIGALG_LOOKUP *lu;
2565     int mdnid, pknid, default_mdnid;
2566     size_t i;
2567 
2568     /* If the EVP_PKEY reports a mandatory digest, allow nothing else. */
2569     ERR_set_mark();
2570     if (EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2 &&
2571         sig->hash != default_mdnid)
2572             return 0;
2573 
2574     /* If it didn't report a mandatory NID, for whatever reasons,
2575      * just clear the error and allow all hashes to be used. */
2576     ERR_pop_to_mark();
2577 
2578     if (s->s3->tmp.peer_cert_sigalgs != NULL) {
2579         for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
2580             lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
2581             if (lu == NULL
2582                 || !X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
2583                 continue;
2584             /*
2585              * TODO this does not differentiate between the
2586              * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
2587              * have a chain here that lets us look at the key OID in the
2588              * signing certificate.
2589              */
2590             if (mdnid == lu->hash && pknid == lu->sig)
2591                 return 1;
2592         }
2593         return 0;
2594     }
2595     return 1;
2596 }
2597 
2598 /*
2599  * Returns true if |s| has a usable certificate configured for use
2600  * with signature scheme |sig|.
2601  * "Usable" includes a check for presence as well as applying
2602  * the signature_algorithm_cert restrictions sent by the peer (if any).
2603  * Returns false if no usable certificate is found.
2604  */
2605 static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
2606 {
2607     /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
2608     if (idx == -1)
2609         idx = sig->sig_idx;
2610     if (!ssl_has_cert(s, idx))
2611         return 0;
2612 
2613     return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
2614                              s->cert->pkeys[idx].privatekey);
2615 }
2616 
2617 /*
2618  * Returns true if the supplied cert |x| and key |pkey| is usable with the
2619  * specified signature scheme |sig|, or false otherwise.
2620  */
2621 static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
2622                           EVP_PKEY *pkey)
2623 {
2624     size_t idx;
2625 
2626     if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
2627         return 0;
2628 
2629     /* Check the key is consistent with the sig alg */
2630     if ((int)idx != sig->sig_idx)
2631         return 0;
2632 
2633     return check_cert_usable(s, sig, x, pkey);
2634 }
2635 
2636 /*
2637  * Find a signature scheme that works with the supplied certificate |x| and key
2638  * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
2639  * available certs/keys to find one that works.
2640  */
2641 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
2642 {
2643     const SIGALG_LOOKUP *lu = NULL;
2644     size_t i;
2645 #ifndef OPENSSL_NO_EC
2646     int curve = -1;
2647 #endif
2648     EVP_PKEY *tmppkey;
2649 
2650     /* Look for a shared sigalgs matching possible certificates */
2651     for (i = 0; i < s->shared_sigalgslen; i++) {
2652         lu = s->shared_sigalgs[i];
2653 
2654         /* Skip SHA1, SHA224, DSA and RSA if not PSS */
2655         if (lu->hash == NID_sha1
2656             || lu->hash == NID_sha224
2657             || lu->sig == EVP_PKEY_DSA
2658             || lu->sig == EVP_PKEY_RSA)
2659             continue;
2660         /* Check that we have a cert, and signature_algorithms_cert */
2661         if (!tls1_lookup_md(lu, NULL))
2662             continue;
2663         if ((pkey == NULL && !has_usable_cert(s, lu, -1))
2664                 || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
2665             continue;
2666 
2667         tmppkey = (pkey != NULL) ? pkey
2668                                  : s->cert->pkeys[lu->sig_idx].privatekey;
2669 
2670         if (lu->sig == EVP_PKEY_EC) {
2671 #ifndef OPENSSL_NO_EC
2672             if (curve == -1) {
2673                 EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey);
2674                 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
2675             }
2676             if (lu->curve != NID_undef && curve != lu->curve)
2677                 continue;
2678 #else
2679             continue;
2680 #endif
2681         } else if (lu->sig == EVP_PKEY_RSA_PSS) {
2682             /* validate that key is large enough for the signature algorithm */
2683             if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
2684                 continue;
2685         }
2686         break;
2687     }
2688 
2689     if (i == s->shared_sigalgslen)
2690         return NULL;
2691 
2692     return lu;
2693 }
2694 
2695 /*
2696  * Choose an appropriate signature algorithm based on available certificates
2697  * Sets chosen certificate and signature algorithm.
2698  *
2699  * For servers if we fail to find a required certificate it is a fatal error,
2700  * an appropriate error code is set and a TLS alert is sent.
2701  *
2702  * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
2703  * a fatal error: we will either try another certificate or not present one
2704  * to the server. In this case no error is set.
2705  */
2706 int tls_choose_sigalg(SSL *s, int fatalerrs)
2707 {
2708     const SIGALG_LOOKUP *lu = NULL;
2709     int sig_idx = -1;
2710 
2711     s->s3->tmp.cert = NULL;
2712     s->s3->tmp.sigalg = NULL;
2713 
2714     if (SSL_IS_TLS13(s)) {
2715         lu = find_sig_alg(s, NULL, NULL);
2716         if (lu == NULL) {
2717             if (!fatalerrs)
2718                 return 1;
2719             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
2720                      SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
2721             return 0;
2722         }
2723     } else {
2724         /* If ciphersuite doesn't require a cert nothing to do */
2725         if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
2726             return 1;
2727         if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
2728                 return 1;
2729 
2730         if (SSL_USE_SIGALGS(s)) {
2731             size_t i;
2732             if (s->s3->tmp.peer_sigalgs != NULL) {
2733 #ifndef OPENSSL_NO_EC
2734                 int curve;
2735 
2736                 /* For Suite B need to match signature algorithm to curve */
2737                 if (tls1_suiteb(s)) {
2738                     EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
2739                     curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
2740                 } else {
2741                     curve = -1;
2742                 }
2743 #endif
2744 
2745                 /*
2746                  * Find highest preference signature algorithm matching
2747                  * cert type
2748                  */
2749                 for (i = 0; i < s->shared_sigalgslen; i++) {
2750                     lu = s->shared_sigalgs[i];
2751 
2752                     if (s->server) {
2753                         if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
2754                             continue;
2755                     } else {
2756                         int cc_idx = s->cert->key - s->cert->pkeys;
2757 
2758                         sig_idx = lu->sig_idx;
2759                         if (cc_idx != sig_idx)
2760                             continue;
2761                     }
2762                     /* Check that we have a cert, and sig_algs_cert */
2763                     if (!has_usable_cert(s, lu, sig_idx))
2764                         continue;
2765                     if (lu->sig == EVP_PKEY_RSA_PSS) {
2766                         /* validate that key is large enough for the signature algorithm */
2767                         EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;
2768 
2769                         if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
2770                             continue;
2771                     }
2772 #ifndef OPENSSL_NO_EC
2773                     if (curve == -1 || lu->curve == curve)
2774 #endif
2775                         break;
2776                 }
2777                 if (i == s->shared_sigalgslen) {
2778                     if (!fatalerrs)
2779                         return 1;
2780                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2781                              SSL_F_TLS_CHOOSE_SIGALG,
2782                              SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
2783                     return 0;
2784                 }
2785             } else {
2786                 /*
2787                  * If we have no sigalg use defaults
2788                  */
2789                 const uint16_t *sent_sigs;
2790                 size_t sent_sigslen;
2791 
2792                 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
2793                     if (!fatalerrs)
2794                         return 1;
2795                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
2796                              ERR_R_INTERNAL_ERROR);
2797                     return 0;
2798                 }
2799 
2800                 /* Check signature matches a type we sent */
2801                 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
2802                 for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
2803                     if (lu->sigalg == *sent_sigs
2804                             && has_usable_cert(s, lu, lu->sig_idx))
2805                         break;
2806                 }
2807                 if (i == sent_sigslen) {
2808                     if (!fatalerrs)
2809                         return 1;
2810                     SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2811                              SSL_F_TLS_CHOOSE_SIGALG,
2812                              SSL_R_WRONG_SIGNATURE_TYPE);
2813                     return 0;
2814                 }
2815             }
2816         } else {
2817             if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
2818                 if (!fatalerrs)
2819                     return 1;
2820                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
2821                          ERR_R_INTERNAL_ERROR);
2822                 return 0;
2823             }
2824         }
2825     }
2826     if (sig_idx == -1)
2827         sig_idx = lu->sig_idx;
2828     s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
2829     s->cert->key = s->s3->tmp.cert;
2830     s->s3->tmp.sigalg = lu;
2831     return 1;
2832 }
2833 
2834 int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
2835 {
2836     if (mode != TLSEXT_max_fragment_length_DISABLED
2837             && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
2838         SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
2839                SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
2840         return 0;
2841     }
2842 
2843     ctx->ext.max_fragment_len_mode = mode;
2844     return 1;
2845 }
2846 
2847 int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
2848 {
2849     if (mode != TLSEXT_max_fragment_length_DISABLED
2850             && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
2851         SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
2852                SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
2853         return 0;
2854     }
2855 
2856     ssl->ext.max_fragment_len_mode = mode;
2857     return 1;
2858 }
2859 
2860 uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
2861 {
2862     return session->ext.max_fragment_len_mode;
2863 }
2864