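/*
 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <stdlib.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/ocsp.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
#include "internal/nelem.h"
#include "ssl_locl.h"
#include <openssl/ct.h>

static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);

/*
 * Per-version record/handshake method tables. The four tables differ only in
 * the TLSv1.3 entry points and in the SSL_ENC_FLAG_* bit set for each
 * protocol version.
 */
SSL3_ENC_METHOD const TLSv1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    0,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_2_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
        | SSL_ENC_FLAG_TLS1_2_CIPHERS,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_3_enc_data = {
    tls13_enc,
    tls1_mac,
    tls13_setup_key_block,
    tls13_generate_master_secret,
    tls13_change_cipher_state,
    tls13_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls13_alert_code,
    tls13_export_keying_material,
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

/* Default session timeout, in seconds, for the TLSv1.x methods. */
long tls1_default_timeout(void)
{
    /*
     * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
     * http, the cache would over fill
     */
    return (60 * 60 * 2);
}

/*
 * Method-level "new" hook: performs the SSLv3-level setup and then the
 * method's own clear. Returns 1 on success, 0 if either step fails.
 */
int tls1_new(SSL *s)
{
    if (!ssl3_new(s))
        return 0;
    if (!s->method->ssl_clear(s))
        return 0;

    return 1;
}

/* Method-level "free" hook: releases the session ticket, then SSLv3 state. */
void tls1_free(SSL *s)
{
    OPENSSL_free(s->ext.session_ticket);
    ssl3_free(s);
}

/*
 * Method-level "clear" hook. Resets SSLv3 state and sets s->version to the
 * method's version, or to TLS_MAX_VERSION for a version-flexible method.
 * Returns 1 on success, 0 if ssl3_clear() fails.
 */
int tls1_clear(SSL *s)
{
    if (!ssl3_clear(s))
        return 0;

    if (s->method->version == TLS_ANY_VERSION)
        s->version = TLS_MAX_VERSION;
    else
        s->version = s->method->version;

    return 1;
}

#ifndef OPENSSL_NO_EC

/*
 * Table of curve information.
 * Do not delete entries or reorder this array! It is used as a lookup
 * table: the index of each entry is one less than the TLS curve id.
 */
static const TLS_GROUP_INFO nid_list[] = {
    {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
    {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
    {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
    {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
    {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
    {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
    {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
    {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
    {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
    {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
    {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
    {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
    {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
    {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
    {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
    {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
    {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
    {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
    {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
    {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
    {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
    {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
    {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
    {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
    {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
    {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
    {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
    {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
    {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
    {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
};

static const unsigned char ecformats_default[] = {
    TLSEXT_ECPOINTFORMAT_uncompressed,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
};

/* The default curves */
static const uint16_t eccurves_default[] = {
    29,                      /* X25519 (29) */
    23,                      /* secp256r1 (23) */
    30,                      /* X448 (30) */
    25,                      /* secp521r1 (25) */
    24,                      /* secp384r1 (24) */
};

static const uint16_t suiteb_curves[] = {
    TLSEXT_curve_P_256,
    TLSEXT_curve_P_384
};

/*
 * Look up the curve information for a TLS group id. Returns NULL for id 0
 * and for any id beyond the table, so callers can pass untrusted ids
 * straight from the wire.
 */
const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
{
    /* ECC curves from RFC 4492 and RFC 7027 */
    if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
        return NULL;
    return &nid_list[group_id - 1];
}

/* Map a curve NID to its TLS group id; 0 if the NID is not in nid_list. */
static uint16_t tls1_nid2group_id(int nid)
{
    size_t i;
    for (i = 0; i < OSSL_NELEM(nid_list); i++) {
        if (nid_list[i].nid == nid)
            return (uint16_t)(i + 1);
    }
    return 0;
}

/*
 * Set *pgroups to the supported groups list and *pgroupslen to
 * the number of groups supported.
 */
void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
                               size_t *pgroupslen)
{

    /* For Suite B mode only include P-256, P-384 */
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        *pgroups = suiteb_curves;
        *pgroupslen = OSSL_NELEM(suiteb_curves);
        break;

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        *pgroups = suiteb_curves;
        *pgroupslen = 1;
        break;

    case SSL_CERT_FLAG_SUITEB_192_LOS:
        *pgroups = suiteb_curves + 1;
        *pgroupslen = 1;
        break;

    default:
        if (s->ext.supportedgroups == NULL) {
            *pgroups = eccurves_default;
            *pgroupslen = OSSL_NELEM(eccurves_default);
        } else {
            *pgroups = s->ext.supportedgroups;
            *pgroupslen = s->ext.supportedgroups_len;
        }
        break;
    }
}

/*
 * See if curve is allowed by security callback. Unknown ids (and, when
 * binary fields are compiled out, char2 curves) are rejected before the
 * callback is consulted. |op| is the SSL_SECOP_* operation being checked.
 */
int tls_curve_allowed(SSL *s, uint16_t curve, int op)
{
    const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
    unsigned char ctmp[2];

    if (cinfo == NULL)
        return 0;
# ifdef OPENSSL_NO_EC2M
    if (cinfo->flags & TLS_CURVE_CHAR2)
        return 0;
# endif
    /* The callback receives the group id as a two byte big-endian array */
    ctmp[0] = curve >> 8;
    ctmp[1] = curve & 0xff;
    return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
}

/* Return 1 if "id" is in "list" */
static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
{
    size_t i;
    for (i = 0; i < listlen; i++)
        if (list[i] == id)
            return 1;
    return 0;
}

/*-
 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
 * if there is no match.
 * For nmatch == -1, return number of matches
 * For nmatch == -2, return the id of the group to use for
 * a tmp key, or 0 if there is no match.
 */
uint16_t tls1_shared_group(SSL *s, int nmatch)
{
    const uint16_t *pref, *supp;
    size_t num_pref, num_supp, i;
    int k;

    /* Can't do anything on client side */
    if (s->server == 0)
        return 0;
    if (nmatch == -2) {
        if (tls1_suiteb(s)) {
            /*
             * For Suite B ciphersuite determines curve: we already know
             * these are acceptable due to previous checks.
             */
            unsigned long cid = s->s3->tmp.new_cipher->id;

            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
                return TLSEXT_curve_P_256;
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
                return TLSEXT_curve_P_384;
            /* Should never happen */
            return 0;
        }
        /* If not Suite B just return first preference shared curve */
        nmatch = 0;
    }
    /*
     * If server preference set, our groups are the preference order
     * otherwise peer decides.
     */
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
        tls1_get_supported_groups(s, &pref, &num_pref);
        tls1_get_peer_groups(s, &supp, &num_supp);
    } else {
        tls1_get_peer_groups(s, &pref, &num_pref);
        tls1_get_supported_groups(s, &supp, &num_supp);
    }

    /*
     * Only groups present in both lists *and* passing the security callback
     * count as shared, so a peer-offered group never bypasses the policy.
     */
    for (k = 0, i = 0; i < num_pref; i++) {
        uint16_t id = pref[i];

        if (!tls1_in_list(id, supp, num_supp)
            || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
            continue;
        if (nmatch == k)
            return id;
        k++;
    }
    if (nmatch == -1)
        return k;
    /* Out of range (nmatch > k). */
    return 0;
}

/*
 * Replace *pext/*pextlen with a freshly allocated group id list built from
 * the |ngroups| curve NIDs in |groups|. Fails (returning 0, leaving *pext
 * untouched) on an empty list, an unknown NID, a duplicate, or allocation
 * failure. On success the old *pext is freed and ownership of the new list
 * passes to the caller.
 */
int tls1_set_groups(uint16_t **pext, size_t *pextlen,
                    int *groups, size_t ngroups)
{
    uint16_t *glist;
    size_t i;
    /*
     * Bitmap of groups included to detect duplicates: only works while group
     * ids < 32 (nid_list currently has 30 entries, so every id fits).
     */
    unsigned long dup_list = 0;

    if (ngroups == 0) {
        SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH);
        return 0;
    }
    if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
        SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    for (i = 0; i < ngroups; i++) {
        unsigned long idmask;
        uint16_t id;
        /* TODO(TLS1.3): Convert for DH groups */
        id = tls1_nid2group_id(groups[i]);
        /*
         * Shift an unsigned constant: 1L << 31 would overflow a 32-bit long,
         * whereas the unsigned form is well defined for every id < 32.
         */
        idmask = 1UL << id;
        if (!id || (dup_list & idmask)) {
            OPENSSL_free(glist);
            return 0;
        }
        dup_list |= idmask;
        glist[i] = id;
    }
    OPENSSL_free(*pext);
    *pext = glist;
    *pextlen = ngroups;
    return 1;
}

# define MAX_CURVELIST OSSL_NELEM(nid_list)

typedef struct {
    size_t nidcnt;
    int nid_arr[MAX_CURVELIST];
} nid_cb_st;

/*
 * CONF_parse_list() callback: resolve one colon-separated list element to a
 * curve NID (NIST name, then short name, then long name) and append it to
 * narg->nid_arr. Returns 0 (aborting the parse) on a NULL/over-long element,
 * an unknown name, a duplicate, or when the array is full.
 */
static int nid_cb(const char *elem, int len, void *arg)
{
    nid_cb_st *narg = arg;
    size_t i;
    int nid;
    char etmp[20];
    if (elem == NULL)
        return 0;
    if (narg->nidcnt == MAX_CURVELIST)
        return 0;
    /* Bound the copy below: etmp must hold |len| bytes plus the terminator */
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    nid = EC_curve_nist2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_sn2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_ln2nid(etmp);
    if (nid == NID_undef)
        return 0;
    for (i = 0; i < narg->nidcnt; i++)
        if (narg->nid_arr[i] == nid)
            return 0;
    narg->nid_arr[narg->nidcnt++] = nid;
    return 1;
}

/*
 * Set groups based on a colon separate list. With pext == NULL the list is
 * only validated (returns 1 if it parses); otherwise see tls1_set_groups().
 */
int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
{
    nid_cb_st ncb;
    ncb.nidcnt = 0;
    if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
        return 0;
    if (pext == NULL)
        return 1;
    return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
}

/* Return group id of a key, or 0 if it is not an EC key on a listed curve */
static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
{
    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
    const EC_GROUP *grp;

    if (ec == NULL)
        return 0;
    grp = EC_KEY_get0_group(ec);
    return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
}

/*
 * Check a key is compatible with compression extension. Returns 1 if the
 * key's point encoding is acceptable to the peer (or no check applies),
 * 0 otherwise.
 */
static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
{
    const EC_KEY *ec;
    const EC_GROUP *grp;
    unsigned char comp_id;
    size_t i;

    /* If not an EC key nothing to check */
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
        return 1;
    ec = EVP_PKEY_get0_EC_KEY(pkey);
    grp = EC_KEY_get0_group(ec);

    /* Get required compression id */
    if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
        comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
    } else if (SSL_IS_TLS13(s)) {
        /*
         * ec_point_formats extension is not used in TLSv1.3 so we ignore
         * this check.
         */
        return 1;
    } else {
        int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));

        if (field_type == NID_X9_62_prime_field)
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
        else if (field_type == NID_X9_62_characteristic_two_field)
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
        else
            return 0;
    }
    /*
     * If point formats extension present check it, otherwise everything is
     * supported (see RFC4492).
     */
    if (s->ext.peer_ecpointformats == NULL)
        return 1;

    for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
        if (s->ext.peer_ecpointformats[i] == comp_id)
            return 1;
    }
    return 0;
}

/*
 * Check a group id matches preferences: Suite B cipher/curve pairing, our
 * own list (when check_own_groups is set), the security callback and, on a
 * server, the peer's supported_groups. Returns 1 if acceptable, 0 if not.
 */
int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
{
    const uint16_t *groups;
    size_t groups_len;

    if (group_id == 0)
        return 0;

    /* Check for Suite B compliance */
    if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
        unsigned long cid = s->s3->tmp.new_cipher->id;

        if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
            if (group_id != TLSEXT_curve_P_256)
                return 0;
        } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
            if (group_id != TLSEXT_curve_P_384)
                return 0;
        } else {
            /* Should never happen */
            return 0;
        }
    }

    if (check_own_groups) {
        /* Check group is one of our preferences */
        tls1_get_supported_groups(s, &groups, &groups_len);
        if (!tls1_in_list(group_id, groups, groups_len))
            return 0;
    }

    if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
        return 0;

    /* For clients, nothing more to check */
    if (!s->server)
        return 1;

    /* Check group is one of peers preferences */
    tls1_get_peer_groups(s, &groups, &groups_len);

    /*
     * RFC 4492 does not require the supported elliptic curves extension
     * so if it is not sent we can just choose any curve.
     * It is invalid to send an empty list in the supported groups
     * extension, so groups_len == 0 always means no extension.
     */
    if (groups_len == 0)
        return 1;
    return tls1_in_list(group_id, groups, groups_len);
}

/*
 * Set *pformats/*num_formats to the point format list we advertise: the
 * configured list if any, else the default list (without the char2 entry
 * in Suite B mode).
 */
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
                         size_t *num_formats)
{
    /*
     * If we have a custom point format list use it otherwise use default
     */
    if (s->ext.ecpointformats) {
        *pformats = s->ext.ecpointformats;
        *num_formats = s->ext.ecpointformats_len;
    } else {
        *pformats = ecformats_default;
        /* For Suite B we don't support char2 fields */
        if (tls1_suiteb(s))
            *num_formats = sizeof(ecformats_default) - 1;
        else
            *num_formats = sizeof(ecformats_default);
    }
}

/*
 * Check cert parameters compatible with extensions: currently just checks EC
 * certificates have compatible curves and compression.
 */
static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
{
    uint16_t group_id;
    EVP_PKEY *pkey;
    pkey = X509_get0_pubkey(x);
    if (pkey == NULL)
        return 0;
    /* If not EC nothing to do */
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
        return 1;
    /* Check compression */
    if (!tls1_check_pkey_comp(s, pkey))
        return 0;
    group_id = tls1_get_group_id(pkey);
    /*
     * For a server we allow the certificate to not be in our list of supported
     * groups.
     */
    if (!tls1_check_group_id(s, group_id, !s->server))
        return 0;
    /*
     * Special case for suite B. We *MUST* sign using SHA256+P-256 or
     * SHA384+P-384.
     */
    if (check_ee_md && tls1_suiteb(s)) {
        int check_md;
        size_t i;

        /* Check to see we have necessary signing algorithm */
        if (group_id == TLSEXT_curve_P_256)
            check_md = NID_ecdsa_with_SHA256;
        else if (group_id == TLSEXT_curve_P_384)
            check_md = NID_ecdsa_with_SHA384;
        else
            return 0;           /* Should never happen */
        for (i = 0; i < s->shared_sigalgslen; i++) {
            if (check_md == s->shared_sigalgs[i]->sigandhash)
                return 1;
        }
        return 0;
    }
    return 1;
}

/*
 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
 * @s: SSL connection
 * @cid: Cipher ID we're considering using
 *
 * Checks that the kECDHE cipher suite we're considering using
 * is compatible with the client extensions.
 *
 * Returns 0 when the cipher can't be used or 1 when it can.
 */
int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
{
    /* If not Suite B just need a shared group */
    if (!tls1_suiteb(s))
        return tls1_shared_group(s, 0) != 0;
    /*
     * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
     * curves permitted.
     */
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
        return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
        return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);

    return 0;
}

#else

/* Without EC support there are no curve parameters to check. */
static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
{
    return 1;
}

#endif                          /* OPENSSL_NO_EC */

/* Default sigalg schemes */
static const uint16_t tls12_sigalgs[] = {
#ifndef OPENSSL_NO_EC
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
    TLSEXT_SIGALG_ed25519,
    TLSEXT_SIGALG_ed448,
#endif

    TLSEXT_SIGALG_rsa_pss_pss_sha256,
    TLSEXT_SIGALG_rsa_pss_pss_sha384,
    TLSEXT_SIGALG_rsa_pss_pss_sha512,
    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
    TLSEXT_SIGALG_rsa_pss_rsae_sha512,

    TLSEXT_SIGALG_rsa_pkcs1_sha256,
    TLSEXT_SIGALG_rsa_pkcs1_sha384,
    TLSEXT_SIGALG_rsa_pkcs1_sha512,

#ifndef OPENSSL_NO_EC
    TLSEXT_SIGALG_ecdsa_sha224,
    TLSEXT_SIGALG_ecdsa_sha1,
#endif
    TLSEXT_SIGALG_rsa_pkcs1_sha224,
    TLSEXT_SIGALG_rsa_pkcs1_sha1,
#ifndef OPENSSL_NO_DSA
    TLSEXT_SIGALG_dsa_sha224,
    TLSEXT_SIGALG_dsa_sha1,

    TLSEXT_SIGALG_dsa_sha256,
    TLSEXT_SIGALG_dsa_sha384,
    TLSEXT_SIGALG_dsa_sha512,
#endif
#ifndef OPENSSL_NO_GOST
    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
    TLSEXT_SIGALG_gostr34102001_gostr3411,
#endif
};

#ifndef OPENSSL_NO_EC
static const uint16_t suiteb_sigalgs[] = {
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384
};
#endif

/*
 * Signature scheme table. Each entry: name (NULL if not configurable by
 * name), TLS sigalg id, digest NID, digest index, key type, certificate
 * index, combined sig+hash NID, and the curve NID the scheme is bound to
 * (NID_undef when any curve is allowed).
 */
static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
#ifndef OPENSSL_NO_EC
    {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
    {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA384, NID_secp384r1},
    {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA512, NID_secp521r1},
    {"ed25519", TLSEXT_SIGALG_ed25519,
     NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
     NID_undef, NID_undef},
    {"ed448", TLSEXT_SIGALG_ed448,
     NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_ecdsa_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA224, NID_undef},
    {NULL, TLSEXT_SIGALG_ecdsa_sha1,
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA1, NID_undef},
#endif
    {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
     NID_undef, NID_undef},
    {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
     NID_undef, NID_undef},
    {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
     NID_undef, NID_undef},
    {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
    {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
    {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
    {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha256WithRSAEncryption, NID_undef},
    {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha384WithRSAEncryption, NID_undef},
    {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha512WithRSAEncryption, NID_undef},
    {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha224WithRSAEncryption, NID_undef},
    {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha1WithRSAEncryption, NID_undef},
#ifndef OPENSSL_NO_DSA
    {NULL, TLSEXT_SIGALG_dsa_sha256,
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_dsa_with_SHA256, NID_undef},
    {NULL, TLSEXT_SIGALG_dsa_sha384,
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_dsa_sha512,
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_dsa_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_dsa_sha1,
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_dsaWithSHA1, NID_undef},
#endif
#ifndef OPENSSL_NO_GOST
    {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
     NID_undef, NID_undef},
    {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
     NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
     NID_id_GostR3410_2001, SSL_PKEY_GOST01,
     NID_undef, NID_undef}
#endif
};
/* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
static const SIGALG_LOOKUP legacy_rsa_sigalg = {
    "rsa_pkcs1_md5_sha1", 0,
    NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
    EVP_PKEY_RSA, SSL_PKEY_RSA,
    NID_undef, NID_undef
};

/*
 * Default signature algorithm values used if signature algorithms not present.
 * From RFC5246. Note: order must match certificate index order.
 */
static const uint16_t tls_default_sigalg[] = {
    TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
    0,                          /* SSL_PKEY_RSA_PSS_SIGN */
    TLSEXT_SIGALG_dsa_sha1,     /* SSL_PKEY_DSA_SIGN */
    TLSEXT_SIGALG_ecdsa_sha1,   /* SSL_PKEY_ECC */
    TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
    0,                          /* SSL_PKEY_ED25519 */
    0,                          /* SSL_PKEY_ED448 */
};

/* Lookup TLS signature algorithm; NULL if |sigalg| is not in the table */
static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
{
    size_t i;
    const SIGALG_LOOKUP *s;

    for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
         i++, s++) {
        if (s->sigalg == sigalg)
            return s;
    }
    return NULL;
}

/*
 * Lookup hash: return 0 if invalid or not enabled. On success *pmd (if
 * non-NULL) receives the digest, or NULL for schemes with no separate
 * digest (e.g. EdDSA).
 */
int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
{
    const EVP_MD *md;
    if (lu == NULL)
        return 0;
    /* lu->hash == NID_undef means no associated digest */
    if (lu->hash == NID_undef) {
        md = NULL;
    } else {
        md = ssl_md(lu->hash_idx);
        if (md == NULL)
            return 0;
    }
    if (pmd)
        *pmd = md;
    return 1;
}

/*
 * Check if key is large enough to generate RSA-PSS signature.
 *
 * The key must greater than or equal to 2 * hash length + 2.
 * SHA512 has a hash length of 64 bytes, which is incompatible
 * with a 128 byte (1024 bit) key.
 */
#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
{
    const EVP_MD *md;

    if (rsa == NULL)
        return 0;
    if (!tls1_lookup_md(lu, &md) || md == NULL)
        return 0;
    if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md))
        return 0;
    return 1;
}

/*
 * Return a signature algorithm for TLS < 1.2 where the signature type
 * is fixed by the certificate type. |idx| is a certificate index, or -1 to
 * derive it from the negotiated ciphersuite (server) or the selected
 * certificate (client). Returns NULL if no usable algorithm exists.
 */
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
{
    if (idx == -1) {
        if (s->server) {
            size_t i;

            /* Work out index corresponding to ciphersuite */
            for (i = 0; i < SSL_PKEY_NUM; i++) {
                const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);

                if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
                    idx = i;
                    break;
                }
            }

            /*
             * Some GOST ciphersuites allow more than one signature algorithm
             */
            if (idx == SSL_PKEY_GOST01
                && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
                int real_idx;

                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
                     real_idx--) {
                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
                        idx = real_idx;
                        break;
                    }
                }
            }
        } else {
            idx = s->cert->key - s->cert->pkeys;
        }
    }
    /* Also covers the idx == -1 "no matching certificate" case above */
    if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
        return NULL;
    if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);

        if (!tls1_lookup_md(lu, NULL))
            return NULL;
        return lu;
    }
    return &legacy_rsa_sigalg;
}

/* Set peer sigalg based key type */
int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
{
    size_t idx;
    const SIGALG_LOOKUP *lu;

    if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
        return 0;
    lu = tls1_get_legacy_sigalg(s, idx);
    if (lu == NULL)
        return 0;
    s->s3->tmp.peer_sigalg = lu;
    return 1;
}

/*
 * Set *psigs to the signature algorithm list we use and return its length.
 * |sent| selects between the list we send (1) and the list we use to check
 * the peer (0); see the comment in the body for how that picks
 * client_sigalgs versus conf_sigalgs.
 */
size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
{
    /*
     * If Suite B mode use Suite B sigalgs only, ignore any other
     * preferences.
     */
#ifndef OPENSSL_NO_EC
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        *psigs = suiteb_sigalgs;
        return OSSL_NELEM(suiteb_sigalgs);

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        *psigs = suiteb_sigalgs;
        return 1;

    case SSL_CERT_FLAG_SUITEB_192_LOS:
        *psigs = suiteb_sigalgs + 1;
        return 1;
    }
#endif
    /*
     * We use client_sigalgs (if not NULL) if we're a server
     * and sending a certificate request or if we're a client and
     * determining which shared algorithm to use.
     */
    if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
        *psigs = s->cert->client_sigalgs;
        return s->cert->client_sigalgslen;
    } else if (s->cert->conf_sigalgs) {
        *psigs = s->cert->conf_sigalgs;
        return s->cert->conf_sigalgslen;
    } else {
        *psigs = tls12_sigalgs;
        return OSSL_NELEM(tls12_sigalgs);
    }
}

#ifndef OPENSSL_NO_EC
/*
 * Called by servers only. Checks that we have a sig alg that supports the
 * specified EC curve.
 */
int tls_check_sigalg_curve(const SSL *s, int curve)
{
    const uint16_t *sigs;
    size_t siglen, i;

    if (s->cert->conf_sigalgs) {
        sigs = s->cert->conf_sigalgs;
        siglen = s->cert->conf_sigalgslen;
    } else {
        sigs = tls12_sigalgs;
        siglen = OSSL_NELEM(tls12_sigalgs);
    }

    for (i = 0; i < siglen; i++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigs[i]);

        if (lu == NULL)
            continue;
        if (lu->sig == EVP_PKEY_EC
                && lu->curve != NID_undef
                && curve == lu->curve)
            return 1;
    }

    return 0;
}
#endif

/*
 * Check signature algorithm is consistent with sent supported signature
 * algorithms and if so set relevant digest and signature scheme in
 * s.
 *
 * |sig| comes from the peer; every rejection below raises SSLfatal() with
 * an illegal_parameter or handshake_failure alert and returns 0. Returns 1
 * when |sig| is acceptable for |pkey| and has been stored as peer_sigalg.
 */
int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
{
    const uint16_t *sent_sigs;
    const EVP_MD *md = NULL;
    char sigalgstr[2];
    size_t sent_sigslen, i, cidx;
    int pkeyid = EVP_PKEY_id(pkey);
    const SIGALG_LOOKUP *lu;

    /*
     * Should never happen.
     * NOTE(review): this is the only exit that neither raises SSLfatal() nor
     * returns 0; a caller testing `!tls12_check_peer_sigalg(...)` would treat
     * -1 as success. Callers are outside this file - confirm how they test
     * the result before changing it.
     */
    if (pkeyid == -1)
        return -1;
    if (SSL_IS_TLS13(s)) {
        /* Disallow DSA for TLS 1.3 */
        if (pkeyid == EVP_PKEY_DSA) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
                     SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
        /* Only allow PSS for TLS 1.3 */
        if (pkeyid == EVP_PKEY_RSA)
            pkeyid = EVP_PKEY_RSA_PSS;
    }
    lu = tls1_lookup_sigalg(sig);
    /*
     * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
     * is consistent with signature: RSA keys can be used for RSA-PSS
     */
    if (lu == NULL
        || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
        || (pkeyid != lu->sig
            && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
    /* Check the sigalg is consistent with the key OID */
    if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx)
            || lu->sig_idx != (int)cidx) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }

#ifndef OPENSSL_NO_EC
    if (pkeyid == EVP_PKEY_EC) {

        /* Check point compression is permitted */
        if (!tls1_check_pkey_comp(s, pkey)) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS12_CHECK_PEER_SIGALG,
                     SSL_R_ILLEGAL_POINT_COMPRESSION);
            return 0;
        }

        /* For TLS 1.3 or Suite B check curve matches signature algorithm */
        if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
            EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
            int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));

            if (lu->curve != NID_undef && curve != lu->curve) {
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                         SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
                return 0;
            }
        }
        if (!SSL_IS_TLS13(s)) {
            /* Check curve matches extensions */
            if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                         SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
                return 0;
            }
            if (tls1_suiteb(s)) {
                /* Check sigalg matches a permissible Suite B value */
                if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
                    && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS12_CHECK_PEER_SIGALG,
                             SSL_R_WRONG_SIGNATURE_TYPE);
                    return 0;
                }
            }
        }
    } else if (tls1_suiteb(s)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
#endif

    /* Check signature matches a type we sent */
    sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
    for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
        if (sig == *sent_sigs)
            break;
    }
    /* Allow fallback to SHA1 if not strict mode */
    if (i == sent_sigslen && (lu->hash != NID_sha1
        || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
    if (!tls1_lookup_md(lu, &md)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_UNKNOWN_DIGEST);
        return 0;
    }
    if (md != NULL) {
        /*
         * Make sure security callback allows algorithm. For historical
         * reasons we have to pass the sigalg as a two byte char array.
         */
        sigalgstr[0] = (sig >> 8) & 0xff;
        sigalgstr[1] = sig & 0xff;
        if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
                          EVP_MD_size(md) * 4, EVP_MD_type(md),
                          (void *)sigalgstr)) {
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                     SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
    }
    /* Store the sigalg the peer uses */
    s->s3->tmp.peer_sigalg = lu;
    return 1;
}

/*
 * Report the key type NID of the peer's signature scheme in *pnid.
 * Returns 0 if no peer sigalg has been recorded yet.
 */
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
{
    if (s->s3->tmp.peer_sigalg == NULL)
        return 0;
    *pnid = s->s3->tmp.peer_sigalg->sig;
    return 1;
}

/*
 * Report the key type NID of our own signature scheme in *pnid.
 * Returns 0 if no sigalg has been selected yet.
 */
int SSL_get_signature_type_nid(const SSL *s, int *pnid)
{
    if (s->s3->tmp.sigalg == NULL)
        return 0;
    *pnid = s->s3->tmp.sigalg->sig;
    return 1;
}

/*
 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
 * supported, doesn't appear in supported signature algorithms, isn't supported
 * by the enabled protocol versions or by the security level.
 *
 * This function should only be used for checking which ciphers are supported
 * by the client.
 *
 * Call ssl_cipher_disabled() to check that it's enabled or not.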
 */
int ssl_set_client_disabled(SSL *s)
{
    /*
     * A set bit in mask_a (authentication) or mask_k (key exchange) disables
     * that algorithm; ssl_cipher_disabled() tests ciphers against both.
     */
    s->s3->tmp.mask_a = 0;
    s->s3->tmp.mask_k = 0;
    ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
    /* Record the enabled version window used by ssl_cipher_disabled() */
    if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver,
                                &s->s3->tmp.max_ver, NULL) != 0)
        return 0;
#ifndef OPENSSL_NO_PSK
    /* with PSK there must be client callback set */
    if (!s->psk_client_callback) {
        s->s3->tmp.mask_a |= SSL_aPSK;
        s->s3->tmp.mask_k |= SSL_PSK;
    }
#endif                          /* OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_SRP
    /* Likewise SRP is disabled unless the SRP context was set up for it */
    if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
        s->s3->tmp.mask_a |= SSL_aSRP;
        s->s3->tmp.mask_k |= SSL_kSRP;
    }
#endif
    return 1;
}

/*
 * ssl_cipher_disabled - check that a cipher is disabled or not
 * @s: SSL connection that you want to use the cipher on
 * @c: cipher to check
 * @op: Security check that you want to do
 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
 *
 * Returns 1 when it's disabled, 0 when enabled.
 *
 * Relies on s->s3->tmp.mask_a/mask_k and min_ver/max_ver having been filled
 * in (see ssl_set_client_disabled()); a max_ver of 0 disables every cipher.
 */
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
{
    if (c->algorithm_mkey & s->s3->tmp.mask_k
        || c->algorithm_auth & s->s3->tmp.mask_a)
        return 1;
    if (s->s3->tmp.max_ver == 0)
        return 1;
    if (!SSL_IS_DTLS(s)) {
        int min_tls = c->min_tls;

        /*
         * For historical reasons we will allow ECHDE to be selected by a server
         * in SSLv3 if we are a client
         */
        if (min_tls == TLS1_VERSION && ecdhe
            && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
            min_tls = SSL3_VERSION;

        /* Disabled if the cipher's version range does not overlap ours */
        if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
            return 1;
    }
    if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
                           || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
        return 1;

    /* Finally the security level callback has the last word */
    return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}

/*
 * Whether session tickets may be used on this connection: 0 if
 * SSL_OP_NO_TICKET is set, otherwise whatever the security callback returns
 * for SSL_SECOP_TICKET.
 */
int tls_use_ticket(SSL *s)
{
    if ((s->options & SSL_OP_NO_TICKET))
        return 0;
    return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}

/*
 * Recompute the shared signature algorithms and the per-certificate-type
 * validity flags (s->s3->tmp.valid_flags) from the peer's signature
 * algorithm lists (s->s3->tmp.peer_sigalgs / peer_cert_sigalgs).
 *
 * Returns 1 on success, 0 after raising a fatal alert via SSLfatal() if
 * processing fails or no signature algorithm is shared with the peer.
 */
int tls1_set_server_sigalgs(SSL *s)
{
    size_t i;

    /* Clear any shared signature algorithms */
    OPENSSL_free(s->shared_sigalgs);
    s->shared_sigalgs = NULL;
    s->shared_sigalgslen = 0;
    /* Clear certificate validity flags */
    for (i = 0; i < SSL_PKEY_NUM; i++)
        s->s3->tmp.valid_flags[i] = 0;
    /*
     * If peer sent no signature algorithms check to see if we support
     * the default algorithm for each certificate type
     */
    if (s->s3->tmp.peer_cert_sigalgs == NULL
            && s->s3->tmp.peer_sigalgs == NULL) {
        const uint16_t *sent_sigs;
        size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);

        for (i = 0; i < SSL_PKEY_NUM; i++) {
            const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
            size_t j;

            if (lu == NULL)
                continue;
            /* Check default matches a type we sent */
            for (j = 0; j < sent_sigslen; j++) {
                if (lu->sigalg == sent_sigs[j]) {
                    s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
                    break;
                }
            }
        }
        return 1;
    }

    if (!tls1_process_sigalgs(s)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (s->shared_sigalgs != NULL)
        return 1;

    /* Fatal error if no shared signature algorithms */
    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
             SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
    return 0;
}

/*-
 * Gets the ticket information supplied by the client if any.
 *
 *   hello: The parsed ClientHello data
 *   ret: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 *
 * Returns SSL_TICKET_NONE when tickets are disabled or unsupported for the
 * negotiated version, or when no session_ticket extension is present;
 * otherwise the status reported by tls_decrypt_ticket().
 */
SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
                                             SSL_SESSION **ret)
{
    size_t size;
    RAW_EXTENSION *ticketext;

    *ret = NULL;
    s->ext.ticket_expected = 0;

    /*
     * If tickets disabled or not supported by the protocol version
     * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
     * resumption.
     */
    if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
        return SSL_TICKET_NONE;

    ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
    if (!ticketext->present)
        return SSL_TICKET_NONE;

    size = PACKET_remaining(&ticketext->data);

    return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
                              hello->session_id, hello->session_id_len, ret);
}

/*-
 * tls_decrypt_ticket attempts to decrypt a session ticket.
 *
 * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are
 * expecting a pre-shared key ciphersuite, in which case we have no use for
 * session tickets and one will never be decrypted, nor will
 * s->ext.ticket_expected be set to 1.
 *
 * Side effects:
 *   Sets s->ext.ticket_expected to 1 if the server will have to issue
 *   a new session ticket to the client because the client indicated support
 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
 *   a session ticket or we couldn't use the one it gave us, or if
 *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
 *   Otherwise, s->ext.ticket_expected is set to 0.
 *
 *   etick: points to the body of the session ticket extension.
 *   eticklen: the length of the session tickets extension.
 *   sess_id: points at the session ID.
 *   sesslen: the length of the session ID.
 *   psess: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 *
 * Ticket layout assumed here: key name (TLSEXT_KEYNAME_LENGTH bytes), IV,
 * encrypted session, HMAC tag. The tag is verified (constant-time) over
 * everything before it prior to any decryption.
 *
 * Returns one of the SSL_TICKET_* status codes; the result may be overridden
 * by s->session_ctx->decrypt_ticket_cb when that callback is set.
 */
SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
                                     size_t eticklen, const unsigned char *sess_id,
                                     size_t sesslen, SSL_SESSION **psess)
{
    SSL_SESSION *sess = NULL;
    unsigned char *sdec;
    const unsigned char *p;
    int slen, renew_ticket = 0, declen;
    SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
    size_t mlen;
    unsigned char tick_hmac[EVP_MAX_MD_SIZE];
    HMAC_CTX *hctx = NULL;
    EVP_CIPHER_CTX *ctx = NULL;
    SSL_CTX *tctx = s->session_ctx;

    if (eticklen == 0) {
        /*
         * The client will accept a ticket but doesn't currently have
         * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
         */
        ret = SSL_TICKET_EMPTY;
        goto end;
    }
    if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) {
        /*
         * Indicate that the ticket couldn't be decrypted rather than
         * generating the session from ticket now, trigger
         * abbreviated handshake based on external mechanism to
         * calculate the master secret later.
         */
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }

    /* Need at least keyname + iv */
    if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }

    /* Initialize session ticket encryption and HMAC contexts */
    hctx = HMAC_CTX_new();
    if (hctx == NULL) {
        ret = SSL_TICKET_FATAL_ERR_MALLOC;
        goto end;
    }
    ctx = EVP_CIPHER_CTX_new();
    if (ctx == NULL) {
        ret = SSL_TICKET_FATAL_ERR_MALLOC;
        goto end;
    }
    if (tctx->ext.ticket_key_cb) {
        /*
         * The callback signature takes non-const key name and IV pointers,
         * hence the cast. Return codes: <0 fatal, 0 unknown key name (ticket
         * not usable), 1 ok, 2 ok but renew the ticket.
         */
        unsigned char *nctick = (unsigned char *)etick;
        int rv = tctx->ext.ticket_key_cb(s, nctick,
                                         nctick + TLSEXT_KEYNAME_LENGTH,
                                         ctx, hctx, 0);
        if (rv < 0) {
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            goto end;
        }
        if (rv == 0) {
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }
        if (rv == 2)
            renew_ticket = 1;
    } else {
        /*
         * Check key name matches. Plain memcmp is fine here: the key name
         * travels in the clear at the start of every ticket.
         */
        if (memcmp(etick, tctx->ext.tick_key_name,
                   TLSEXT_KEYNAME_LENGTH) != 0) {
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }
        /* Default scheme: HMAC-SHA256 over, and AES-256-CBC under, the ticket */
        if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
                         sizeof(tctx->ext.secure->tick_hmac_key),
                         EVP_sha256(), NULL) <= 0
            || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
                                  tctx->ext.secure->tick_aes_key,
                                  etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            goto end;
        }
        if (SSL_IS_TLS13(s))
            renew_ticket = 1;
    }
    /*
     * Attempt to process session ticket, first conduct sanity and integrity
     * checks on ticket.
     */
    mlen = HMAC_size(hctx);
    if (mlen == 0) {
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }

    /*
     * Sanity check ticket length: must exceed keyname + IV + HMAC. After this
     * the two subtractions from eticklen below cannot underflow.
     */
    if (eticklen <=
        TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    eticklen -= mlen;
    /* Check HMAC of encrypted ticket */
    if (HMAC_Update(hctx, etick, eticklen) <= 0
        || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }

    /*
     * Constant-time tag comparison. A mismatch is not fatal: the ticket is
     * simply unusable and ticket_expected is set below so a fresh one is
     * issued.
     */
    if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    /* Attempt to decrypt session data */
    /* Move p after IV to start of encrypted ticket, update length */
    p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
    eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
    sdec = OPENSSL_malloc(eticklen);
    if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
                                          (int)eticklen) <= 0) {
        OPENSSL_free(sdec);
        ret = SSL_TICKET_FATAL_ERR_OTHER;
        goto end;
    }
    /* A padding/final-block failure is an unusable ticket, not a fatal error */
    if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
        OPENSSL_free(sdec);
        ret = SSL_TICKET_NO_DECRYPT;
        goto end;
    }
    slen += declen;
    p = sdec;

    sess = d2i_SSL_SESSION(NULL, &p, slen);
    slen -= p - sdec;
    OPENSSL_free(sdec);
    if (sess) {
        /* Some additional consistency checks: reject trailing bytes */
        if (slen != 0) {
            SSL_SESSION_free(sess);
            sess = NULL;
            ret = SSL_TICKET_NO_DECRYPT;
            goto end;
        }
        /*
         * The session ID, if non-empty, is used by some clients to detect
         * that the ticket has been accepted. So we copy it to the session
         * structure. If it is empty set length to zero as required by
         * standard.
         */
        if (sesslen) {
            memcpy(sess->session_id, sess_id, sesslen);
            sess->session_id_length = sesslen;
        }
        if (renew_ticket)
            ret = SSL_TICKET_SUCCESS_RENEW;
        else
            ret = SSL_TICKET_SUCCESS;
        goto end;
    }
    ERR_clear_error();
    /*
     * For session parse failure, indicate that we need to send a new ticket.
     */
    ret = SSL_TICKET_NO_DECRYPT;

 end:
    EVP_CIPHER_CTX_free(ctx);
    HMAC_CTX_free(hctx);

    /*
     * If set, the decrypt_ticket_cb() is called unless a fatal error was
     * detected above. The callback is responsible for checking |ret| before it
     * performs any action
     */
    if (s->session_ctx->decrypt_ticket_cb != NULL
            && (ret == SSL_TICKET_EMPTY
                || ret == SSL_TICKET_NO_DECRYPT
                || ret == SSL_TICKET_SUCCESS
                || ret == SSL_TICKET_SUCCESS_RENEW)) {
        /*
         * eticklen may already have been reduced by the tag and header sizes
         * on the decrypt path; the callback sees at most
         * TLSEXT_KEYNAME_LENGTH bytes and never more than remain.
         */
        size_t keyname_len = eticklen;
        int retcb;

        if (keyname_len > TLSEXT_KEYNAME_LENGTH)
            keyname_len = TLSEXT_KEYNAME_LENGTH;
        retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len,
                                                  ret,
                                                  s->session_ctx->ticket_cb_data);
        switch (retcb) {
        case SSL_TICKET_RETURN_ABORT:
            ret = SSL_TICKET_FATAL_ERR_OTHER;
            break;

        case SSL_TICKET_RETURN_IGNORE:
            ret = SSL_TICKET_NONE;
            SSL_SESSION_free(sess);
            sess = NULL;
            break;

        case SSL_TICKET_RETURN_IGNORE_RENEW:
            if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT)
                ret = SSL_TICKET_NO_DECRYPT;
            /* else the value of |ret| will already do the right thing */
            SSL_SESSION_free(sess);
            sess = NULL;
            break;

        case SSL_TICKET_RETURN_USE:
        case SSL_TICKET_RETURN_USE_RENEW:
            /* The callback cannot turn an unusable ticket into a usable one */
            if (ret != SSL_TICKET_SUCCESS
                    && ret != SSL_TICKET_SUCCESS_RENEW)
                ret = SSL_TICKET_FATAL_ERR_OTHER;
            else if (retcb == SSL_TICKET_RETURN_USE)
                ret = SSL_TICKET_SUCCESS;
            else
                ret = SSL_TICKET_SUCCESS_RENEW;
            break;

        default:
            ret = SSL_TICKET_FATAL_ERR_OTHER;
        }
    }

    /* A new ticket is only requested for these non-fatal outcomes */
    if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) {
        switch (ret) {
        case SSL_TICKET_NO_DECRYPT:
        case SSL_TICKET_SUCCESS_RENEW:
        case SSL_TICKET_EMPTY:
            s->ext.ticket_expected = 1;
        }
    }

    *psess = sess;

    return ret;
}

/*
 * Check to see if a signature algorithm is allowed.
 *
 * |lu| may be NULL (callers pass tls1_lookup_sigalg() results through
 * unchecked); tls1_lookup_md() is relied on to reject that before |lu| is
 * dereferenced here -- TODO confirm. |op| is the SSL_SECOP_* operation
 * passed to the security callback. Returns 1 if allowed, 0 otherwise.
 */
static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
{
    unsigned char sigalgstr[2];
    int secbits;

    /* See if sigalgs is recognised and if hash is enabled */
    if (!tls1_lookup_md(lu, NULL))
        return 0;
    /* DSA is not allowed in TLS 1.3 */
    if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
        return 0;
    /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
    if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
        && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
            || lu->hash_idx == SSL_MD_MD5_IDX
            || lu->hash_idx == SSL_MD_SHA224_IDX))
        return 0;

    /* See if public key algorithm allowed */
    if (ssl_cert_is_disabled(lu->sig_idx))
        return 0;

    if (lu->sig == NID_id_GostR3410_2012_256
            || lu->sig == NID_id_GostR3410_2012_512
            || lu->sig == NID_id_GostR3410_2001) {
        /* We never allow GOST sig algs on the server with TLSv1.3 */
        if (s->server && SSL_IS_TLS13(s))
            return 0;
        if (!s->server
                && s->method->version == TLS_ANY_VERSION
                && s->s3->tmp.max_ver >= TLS1_3_VERSION) {
            int i, num;
            STACK_OF(SSL_CIPHER) *sk;

            /*
             * We're a client that could negotiate TLSv1.3. We only allow GOST
             * sig algs if we could negotiate TLSv1.2 or below and we have GOST
             * ciphersuites enabled.
             */

            if (s->s3->tmp.min_ver >= TLS1_3_VERSION)
                return 0;

            sk = SSL_get_ciphers(s);
            num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0;
            for (i = 0; i < num; i++) {
                const SSL_CIPHER *c;

                c = sk_SSL_CIPHER_value(sk, i);
                /* Skip disabled ciphers */
                if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
                    continue;

                if ((c->algorithm_mkey & SSL_kGOST) != 0)
                    break;
            }
            /* No enabled GOST ciphersuite found */
            if (i == num)
                return 0;
        }
    }

    /* Schemes without a separate digest skip the security-level check */
    if (lu->hash == NID_undef)
        return 1;
    /* Security bits: half digest bits */
    secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
    /* Finally see if security callback allows it */
    sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
    sigalgstr[1] = lu->sigalg & 0xff;
    return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
}

/*
 * Get a mask of disabled public key algorithms based on supported signature
 * algorithms. For example if no signature algorithm supports RSA then RSA is
 * disabled.
 *
 * Starts with RSA, DSS and ECDSA all disabled, re-enables each one for which
 * some signature algorithm we would send passes tls12_sigalg_allowed() with
 * |op|, and ORs whatever is still disabled into *pmask_a.
 */

void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
{
    const uint16_t *sigalgs;
    size_t i, sigalgslen;
    uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
    /*
     * Go through all signature algorithms seeing if we support any
     * in disabled_mask.
     */
    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
    for (i = 0; i < sigalgslen; i++, sigalgs++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
        const SSL_CERT_LOOKUP *clu;

        if (lu == NULL)
            continue;

        clu = ssl_cert_lookup_by_idx(lu->sig_idx);
        if (clu == NULL)
            continue;

        /* If algorithm is disabled see if we can enable it */
        if ((clu->amask & disabled_mask) != 0
            && tls12_sigalg_allowed(s, op, lu))
            disabled_mask &= ~clu->amask;
    }
    *pmask_a |= disabled_mask;
}

/*
 * Write the entries of |psig| that pass tls12_sigalg_allowed() into |pkt| as
 * u16 values. Returns 1 if at least one usable algorithm was written (for
 * TLSv1.3 one that is neither PKCS#1 RSA nor SHA1/SHA224 based), 0 on a
 * WPACKET failure or, with an error raised, when nothing suitable was written.
 */
int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
                       const uint16_t *psig, size_t psiglen)
{
    size_t i;
    int rv = 0;

    for (i = 0; i < psiglen; i++, psig++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);

        /* lu may be NULL here; tls12_sigalg_allowed() is expected to reject it */
        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
            continue;
        if (!WPACKET_put_bytes_u16(pkt, *psig))
            return 0;
        /*
         * If TLS 1.3 must have at least one valid TLS 1.3 message
         * signing algorithm: i.e. neither RSA nor SHA1/SHA224
         */
        if (rv == 0 && (!SSL_IS_TLS13(s)
            || (lu->sig != EVP_PKEY_RSA
                && lu->hash != NID_sha1
                && lu->hash != NID_sha224)))
            rv = 1;
    }
    if (rv == 0)
        SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
    return rv;
}

/*
 * Given preference and allowed sigalgs set shared sigalgs.
 *
 * Counts the entries of |pref| that are allowed by tls12_sigalg_allowed() and
 * also appear in |allow|, in |pref| order. When |shsig| is non-NULL the
 * matching SIGALG_LOOKUP pointers are stored there (the caller sizes it from
 * a first call with shsig == NULL). Returns the number of matches.
 */
static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
                                   const uint16_t *pref, size_t preflen,
                                   const uint16_t *allow, size_t allowlen)
{
    const uint16_t *ptmp, *atmp;
    size_t i, j, nmatch = 0;
    for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);

        /* Skip disabled hashes or signature algorithms */
        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
            continue;
        for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
            if (*ptmp == *atmp) {
                nmatch++;
                if (shsig)
                    *shsig++ = lu;
                break;
            }
        }
    }
    return nmatch;
}

/*
 * Set shared signature algorithms for SSL structures.
 *
 * Picks our list (client_sigalgs / conf_sigalgs if configured and not in
 * Suite B mode, else the defaults from tls12_get_psigalgs()) and the peer's
 * list, orders them by preference according to SSL_OP_CIPHER_SERVER_PREFERENCE
 * (or Suite B), and stores the intersection in s->shared_sigalgs /
 * s->shared_sigalgslen. Returns 1 on success, 0 on allocation failure.
 */
static int tls1_set_shared_sigalgs(SSL *s)
{
    const uint16_t *pref, *allow, *conf;
    size_t preflen, allowlen, conflen;
    size_t nmatch;
    const SIGALG_LOOKUP **salgs = NULL;
    CERT *c = s->cert;
    unsigned int is_suiteb = tls1_suiteb(s);

    OPENSSL_free(s->shared_sigalgs);
    s->shared_sigalgs = NULL;
    s->shared_sigalgslen = 0;
    /* If client use client signature algorithms if not NULL */
    if (!s->server && c->client_sigalgs && !is_suiteb) {
        conf = c->client_sigalgs;
        conflen = c->client_sigalgslen;
    } else if (c->conf_sigalgs && !is_suiteb) {
        conf = c->conf_sigalgs;
        conflen = c->conf_sigalgslen;
    } else
        conflen = tls12_get_psigalgs(s, 0, &conf);
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
        pref = conf;
        preflen = conflen;
        allow = s->s3->tmp.peer_sigalgs;
        allowlen = s->s3->tmp.peer_sigalgslen;
    } else {
        allow = conf;
        allowlen = conflen;
        pref = s->s3->tmp.peer_sigalgs;
        preflen = s->s3->tmp.peer_sigalgslen;
    }
    /* First pass counts, second pass (same inputs) fills the array */
    nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
    if (nmatch) {
        if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) {
            SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
    } else {
        salgs = NULL;
    }
    s->shared_sigalgs = salgs;
    s->shared_sigalgslen = nmatch;
    return 1;
}

/*
 * Parse the remainder of |pkt| as a list of big-endian u16 values into a
 * freshly allocated array, replacing *pdest / *pdestlen (the old *pdest is
 * freed). Returns 0, leaving *pdest untouched, on an empty or odd-length
 * body, allocation failure, or a short read; 1 on success.
 */
int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
{
    unsigned int stmp;
    size_t size, i;
    uint16_t *buf;

    size = PACKET_remaining(pkt);

    /* Invalid data length */
    if (size == 0 || (size & 1) != 0)
        return 0;

    size >>= 1;

    if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) {
        SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
        buf[i] = stmp;

    if (i != size) {
        OPENSSL_free(buf);
        return 0;
    }

    OPENSSL_free(*pdest);
    *pdest = buf;
    *pdestlen = size;

    return 1;
}

/*
 * Save the peer's signature algorithm list from |pkt| into
 * s->s3->tmp.peer_cert_sigalgs (cert != 0) or s->s3->tmp.peer_sigalgs.
 * Returns 1 without reading anything for versions that do not use sigalgs,
 * 0 if s->cert is NULL, otherwise the result of tls1_save_u16().
 */
int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert)
{
    /* Extension ignored for inappropriate versions */
    if (!SSL_USE_SIGALGS(s))
        return 1;
    /* Should never happen */
    if (s->cert == NULL)
        return 0;

    if (cert)
        return tls1_save_u16(pkt, &s->s3->tmp.peer_cert_sigalgs,
                             &s->s3->tmp.peer_cert_sigalgslen);
    else
        return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs,
                             &s->s3->tmp.peer_sigalgslen);

}

/*
 * Set preferred digest for each key type.
 *
 * Recomputes the shared sigalgs and then marks, in s->s3->tmp.valid_flags,
 * each certificate type that some shared algorithm can sign with
 * (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN), unless that type is disabled.
 * Returns 1 on success, 0 if tls1_set_shared_sigalgs() fails.
 */

int tls1_process_sigalgs(SSL *s)
{
    size_t i;
    uint32_t *pvalid = s->s3->tmp.valid_flags;

    if (!tls1_set_shared_sigalgs(s))
        return 0;

    for (i = 0; i < SSL_PKEY_NUM; i++)
        pvalid[i] = 0;

    for (i = 0; i < s->shared_sigalgslen; i++) {
        const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
        int idx = sigptr->sig_idx;

        /* Ignore PKCS1 based sig algs in TLSv1.3 */
        if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
            continue;
        /* If not disabled indicate we can explicitly sign */
        if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx))
            pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
    }
    return 1;
}

/*
 * Public API: describe entry |idx| of the peer's signature algorithm list.
 * A negative |idx| only queries the count. Returns the number of peer
 * sigalgs, or 0 if none were received, |idx| is out of range, or the count
 * does not fit in an int. Unknown code points yield NID_undef for the
 * psign/phash/psignhash outputs while rsig/rhash still get the raw bytes.
 */
int SSL_get_sigalgs(SSL *s, int idx,
                    int *psign, int *phash, int *psignhash,
                    unsigned char *rsig, unsigned char *rhash)
{
    uint16_t *psig = s->s3->tmp.peer_sigalgs;
    size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
    if (psig == NULL || numsigalgs > INT_MAX)
        return 0;
    if (idx >= 0) {
        const SIGALG_LOOKUP *lu;

        if (idx >= (int)numsigalgs)
            return 0;
        psig += idx;
        if (rhash != NULL)
            *rhash = (unsigned char)((*psig >> 8) & 0xff);
        if (rsig != NULL)
            *rsig = (unsigned char)(*psig & 0xff);
        lu = tls1_lookup_sigalg(*psig);
        if (psign != NULL)
            *psign = lu != NULL ? lu->sig : NID_undef;
        if (phash != NULL)
            *phash = lu != NULL ? lu->hash : NID_undef;
        if (psignhash != NULL)
            *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
    }
    return (int)numsigalgs;
}

/*
 * Public API: describe entry |idx| of the shared signature algorithm list.
 * Returns the number of shared sigalgs, or 0 if there are none, |idx| is out
 * of range, or the count does not fit in an int.
 */
int SSL_get_shared_sigalgs(SSL *s, int idx,
                           int *psign, int *phash, int *psignhash,
                           unsigned char *rsig, unsigned char *rhash)
{
    const SIGALG_LOOKUP *shsigalgs;
    if (s->shared_sigalgs == NULL
        || idx < 0
        || idx >= (int)s->shared_sigalgslen
        || s->shared_sigalgslen > INT_MAX)
        return 0;
    shsigalgs = s->shared_sigalgs[idx];
    if (phash != NULL)
        *phash = shsigalgs->hash;
    if (psign != NULL)
        *psign = shsigalgs->sig;
    if (psignhash != NULL)
        *psignhash = shsigalgs->sigandhash;
    if (rsig != NULL)
        *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
    if (rhash != NULL)
        *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
    return (int)s->shared_sigalgslen;
}

/* Maximum possible number of unique entries in sigalgs array */
#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)

/* Accumulator for sig_cb(): a bounded list of parsed signature schemes */
typedef struct {
    size_t sigalgcnt;
    /* TLSEXT_SIGALG_XXX values */
    uint16_t sigalgs[TLS_MAX_SIGALGCNT];
} sig_cb_st;

/*
 * Interpret one '+'-separated component of a sigalg string: the fixed key
 * type names set *psig, anything else is looked up as a digest short name,
 * then long name, into *phash (NID_undef if unknown).
 */
static void get_sigorhash(int *psig, int *phash, const char *str)
{
    if (strcmp(str, "RSA") == 0) {
        *psig = EVP_PKEY_RSA;
    } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
        *psig = EVP_PKEY_RSA_PSS;
    } else if (strcmp(str, "DSA") == 0) {
        *psig = EVP_PKEY_DSA;
    } else if (strcmp(str, "ECDSA") == 0) {
        *psig = EVP_PKEY_EC;
    } else {
        *phash = OBJ_sn2nid(str);
        if (*phash == NID_undef)
            *phash = OBJ_ln2nid(str);
    }
}
/* Maximum length of a signature algorithm string component */
#define TLS_MAX_SIGSTRING_LEN   40

/*
 * CONF_parse_list() callback: parse one colon-separated element of a sigalg
 * configuration string into the sig_cb_st at |arg|. Returns 1 if the element
 * was recognised and appended, 0 on any parse error, on overflow of the
 * fixed-size list, or if the element duplicates an earlier one.
 * |len| is assumed non-negative (it comes from CONF_parse_list()).
 */
static int sig_cb(const char *elem, int len, void *arg)
{
    sig_cb_st *sarg = arg;
    size_t i;
    const SIGALG_LOOKUP *s;
    char etmp[TLS_MAX_SIGSTRING_LEN], *p;
    int sig_alg = NID_undef, hash_alg = NID_undef;
    if (elem == NULL)
        return 0;
    /* Bounds check before the appends below */
    if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
        return 0;
    /* Bounded copy: leave room for the terminator */
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    p = strchr(etmp, '+');
    /*
     * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
     * if there's no '+' in the provided name, look for the new-style combined
     * name.  If not, match both sig+hash to find the needed SIGALG_LOOKUP.
     * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
     * rsa_pss_rsae_* that differ only by public key OID; in such cases
     * we will pick the _rsae_ variant, by virtue of them appearing earlier
     * in the table.
     */
    if (p == NULL) {
        for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
             i++, s++) {
            if (s->name != NULL && strcmp(etmp, s->name) == 0) {
                sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
                break;
            }
        }
        if (i == OSSL_NELEM(sigalg_lookup_tbl))
            return 0;
    } else {
        *p = 0;
        p++;
        if (*p == 0)
            return 0;
        /* Either order (sig+hash or hash+sig) is accepted */
        get_sigorhash(&sig_alg, &hash_alg, etmp);
        get_sigorhash(&sig_alg, &hash_alg, p);
        if (sig_alg == NID_undef || hash_alg == NID_undef)
            return 0;
        for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
             i++, s++) {
            if (s->hash == hash_alg && s->sig == sig_alg) {
                sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
                break;
            }
        }
        if (i == OSSL_NELEM(sigalg_lookup_tbl))
            return 0;
    }

    /* Reject duplicates (the entry just appended is dropped again) */
    for (i = 0; i < sarg->sigalgcnt - 1; i++) {
        if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
            sarg->sigalgcnt--;
            return 0;
        }
    }
    return 1;
}

/*
 * Set supported signature algorithms based on a colon separated list of the
 * form sig+hash e.g.
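 * RSA+SHA512:DSA+SHA512
 *
 * Returns 0 if any element fails to parse (see sig_cb()), 1 if |c| is NULL
 * (syntax check only), otherwise the result of tls1_set_raw_sigalgs().
 */
int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
{
    sig_cb_st sig;
    sig.sigalgcnt = 0;
    if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
        return 0;
    if (c == NULL)
        return 1;
    return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}

/*
 * Install a copy of the |salglen| signature scheme code points in |psigs| as
 * the client (client != 0) or configured sigalg list of |c|, replacing and
 * freeing any previous list. Returns 1 on success, 0 on allocation failure.
 */
int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
                     int client)
{
    uint16_t *sigalgs;

    if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) {
        SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));

    if (client) {
        OPENSSL_free(c->client_sigalgs);
        c->client_sigalgs = sigalgs;
        c->client_sigalgslen = salglen;
    } else {
        OPENSSL_free(c->conf_sigalgs);
        c->conf_sigalgs = sigalgs;
        c->conf_sigalgslen = salglen;
    }

    return 1;
}

/*
 * Install a sigalg list given as |salglen| NIDs in |psig_nids|, taken in
 * (digest NID, signature NID) pairs, as the client or configured list of |c|.
 * Returns 0 if |salglen| is odd, on allocation failure, or if any pair has no
 * entry in sigalg_lookup_tbl; 1 on success.
 */
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
{
    uint16_t *sigalgs, *sptr;
    size_t i;

    if (salglen & 1)
        return 0;
    if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) {
        SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
        size_t j;
        const SIGALG_LOOKUP *curr;
        int md_id = *psig_nids++;
        int sig_id = *psig_nids++;

        for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
             j++, curr++) {
            if (curr->hash == md_id && curr->sig == sig_id) {
                *sptr++ = curr->sigalg;
                break;
            }
        }

        /* Unknown pair: fail without touching |c| */
        if (j == OSSL_NELEM(sigalg_lookup_tbl))
            goto err;
    }

    if (client) {
        OPENSSL_free(c->client_sigalgs);
        c->client_sigalgs = sigalgs;
        c->client_sigalgslen = salglen / 2;
    } else {
        OPENSSL_free(c->conf_sigalgs);
        c->conf_sigalgs = sigalgs;
        c->conf_sigalgslen = salglen / 2;
    }

    return 1;

 err:
    OPENSSL_free(sigalgs);
    return 0;
}

/*
 * Check whether the algorithm used to sign certificate |x| is acceptable.
 *
 * default_nid == -1 means no check (returns 1); a non-zero default_nid must
 * equal the certificate's signature NID exactly; 0 means the NID must appear
 * among the peer's certificate sigalgs (TLSv1.3, when the peer sent them) or
 * otherwise among the shared sigalgs. Returns 1 if acceptable, 0 if not.
 */
static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
{
    int sig_nid, use_pc_sigalgs = 0;
    size_t i;
    const SIGALG_LOOKUP *sigalg;
    size_t sigalgslen;
    if (default_nid == -1)
        return 1;
    sig_nid = X509_get_signature_nid(x);
    if (default_nid)
        return sig_nid == default_nid ? 1 : 0;

    if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) {
        /*
         * If we're in TLSv1.3 then we only get here if we're checking the
         * chain. If the peer has specified peer_cert_sigalgs then we use them
         * otherwise we default to normal sigalgs.
         */
        sigalgslen = s->s3->tmp.peer_cert_sigalgslen;
        use_pc_sigalgs = 1;
    } else {
        sigalgslen = s->shared_sigalgslen;
    }
    for (i = 0; i < sigalgslen; i++) {
        sigalg = use_pc_sigalgs
                 ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
                 : s->shared_sigalgs[i];
        /*
         * peer_cert_sigalgs are raw code points saved from the peer (see
         * tls1_save_sigalgs()), so the lookup can fail for values we do not
         * know. Skip those rather than dereferencing NULL, as
         * SSL_get_sigalgs() does for the same table.
         */
        if (sigalg != NULL && sig_nid == sigalg->sigandhash)
            return 1;
    }
    return 0;
}

/*
 * Check to see if a certificate issuer name matches list of CA names.
 * Returns 1 on the first X509_NAME_cmp() match, 0 if none (or |names| empty).
 */
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
{
    X509_NAME *nm;
    int i;
    nm = X509_get_issuer_name(x);
    for (i = 0; i < sk_X509_NAME_num(names); i++) {
        if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
            return 1;
    }
    return 0;
}

/*
 * Check certificate chain is consistent with TLS extensions and is usable by
 * server. This servers two purposes: it allows users to check chains before
 * passing them to the server and it allows the server to check chains before
 * attempting to use them.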
 */

/* Flags which need to be set for a certificate when strict mode not set */

#define CERT_PKEY_VALID_FLAGS \
        (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
/* Strict mode flags */
#define CERT_PKEY_STRICT_FLAGS \
         (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
         | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)

/*
 * Check a certificate/key/chain against the current handshake state.
 *
 * |idx| selects what is checked:
 *   -1 : check the caller-supplied |x|, |pk| and |chain| (SSL_check_chain()).
 *        Flags are accumulated in |check_flags| and the result is a bitmask
 *        of CERT_PKEY_* flags describing what passed; nothing is stored.
 *   -2 : check the currently selected client certificate (c->key).
 *   >=0: check the CERT_PKEY slot c->pkeys[idx].
 *        For -2 and >= 0, |x|, |pk| and |chain| are ignored and taken from
 *        the slot; the result is written to s->s3->tmp.valid_flags[idx].
 *
 * Returns the CERT_PKEY_* bitmask, or 0 when a stored slot fails validation
 * (only the CERT_PKEY_SIGN/CERT_PKEY_EXPLICIT_SIGN bits survive in that
 * case) or when the caller-supplied key is missing or of unknown type.
 * Note that the body runs past the end of this block.
 */
int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
                     int idx)
{
    int i;
    int rv = 0;
    int check_flags = 0, strict_mode;
    CERT_PKEY *cpk = NULL;
    CERT *c = s->cert;
    uint32_t *pvalid;
    unsigned int suiteb_flags = tls1_suiteb(s);
    /* idx == -1 means checking server chains */
    if (idx != -1) {
        /* idx == -2 means checking client certificate chains */
        if (idx == -2) {
            cpk = c->key;
            idx = (int)(cpk - c->pkeys);
        } else
            cpk = c->pkeys + idx;
        pvalid = s->s3->tmp.valid_flags + idx;
        x = cpk->x509;
        pk = cpk->privatekey;
        chain = cpk->chain;
        strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
        /* If no cert or key, forget it */
        if (!x || !pk)
            goto end;
    } else {
        size_t certidx;

        if (!x || !pk)
            return 0;

        if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
            return 0;
        idx = certidx;
        pvalid = s->s3->tmp.valid_flags + idx;

        /*
         * Caller-supplied chains are always checked strictly; check_flags
         * being non-zero is what turns "goto end" failures into cleared
         * bits below.
         */
        if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
            check_flags = CERT_PKEY_STRICT_FLAGS;
        else
            check_flags = CERT_PKEY_VALID_FLAGS;
        strict_mode = 1;
    }

    if (suiteb_flags) {
        int ok;
        if (check_flags)
            check_flags |= CERT_PKEY_SUITEB;
        ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
        if (ok == X509_V_OK)
            rv |= CERT_PKEY_SUITEB;
        else if (!check_flags)
            goto end;
    }

    /*
     * Check all signature algorithms are consistent with signature
     * algorithms extension if TLS 1.2 or later and strict mode.
     */
    if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
        int default_nid;
        int rsign = 0;
        if (s->s3->tmp.peer_cert_sigalgs != NULL
                || s->s3->tmp.peer_sigalgs != NULL) {
            /* Peer sent sigalgs: match against the negotiated lists */
            default_nid = 0;
        /* If no sigalgs extension use defaults from RFC5246 */
        } else {
            switch (idx) {
            case SSL_PKEY_RSA:
                rsign = EVP_PKEY_RSA;
                default_nid = NID_sha1WithRSAEncryption;
                break;

            case SSL_PKEY_DSA_SIGN:
                rsign = EVP_PKEY_DSA;
                default_nid = NID_dsaWithSHA1;
                break;

            case SSL_PKEY_ECC:
                rsign = EVP_PKEY_EC;
                default_nid = NID_ecdsa_with_SHA1;
                break;

            case SSL_PKEY_GOST01:
                rsign = NID_id_GostR3410_2001;
                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
                break;

            case SSL_PKEY_GOST12_256:
                rsign = NID_id_GostR3410_2012_256;
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
                break;

            case SSL_PKEY_GOST12_512:
                rsign = NID_id_GostR3410_2012_512;
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
                break;

            default:
                /* No RFC 5246 default for this key type: skip sig checks */
                default_nid = -1;
                break;
            }
        }
        /*
         * If peer sent no signature algorithms extension and we have set
         * preferred signature algorithms check we support sha1.
         */
        if (default_nid > 0 && c->conf_sigalgs) {
            size_t j;
            const uint16_t *p = c->conf_sigalgs;
            for (j = 0; j < c->conf_sigalgslen; j++, p++) {
                const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);

                if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
                    break;
            }
            if (j == c->conf_sigalgslen) {
                if (check_flags)
                    goto skip_sigs;
                else
                    goto end;
            }
        }
        /* Check signature algorithm of each cert in chain */
        if (SSL_IS_TLS13(s)) {
            /*
             * We only get here if the application has called SSL_check_chain(),
             * so check_flags is always set.
             */
            if (find_sig_alg(s, x, pk) != NULL)
                rv |= CERT_PKEY_EE_SIGNATURE;
        } else if (!tls1_check_sig_alg(s, x, default_nid)) {
            if (!check_flags)
                goto end;
        } else
            rv |= CERT_PKEY_EE_SIGNATURE;
        rv |= CERT_PKEY_CA_SIGNATURE;
        for (i = 0; i < sk_X509_num(chain); i++) {
            if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_SIGNATURE;
                    break;
                } else
                    goto end;
            }
        }
    }
    /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
    else if (check_flags)
        rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
 skip_sigs:
    /* Check cert parameters are consistent */
    if (tls1_check_cert_param(s, x, 1))
        rv |= CERT_PKEY_EE_PARAM;
    else if (!check_flags)
        goto end;
    if (!s->server)
        rv |= CERT_PKEY_CA_PARAM;
    /* In strict mode check rest of chain too */
    else if (strict_mode) {
        rv |= CERT_PKEY_CA_PARAM;
        for (i = 0; i < sk_X509_num(chain); i++) {
            X509 *ca = sk_X509_value(chain, i);
            if (!tls1_check_cert_param(s, ca, 0)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_PARAM;
                    break;
                } else
                    goto end;
            }
        }
    }
    /*
     * Client side only: the certificate must match a type and (if any were
     * sent) an issuer from the server's CertificateRequest.
     */
    if (!s->server && strict_mode) {
        STACK_OF(X509_NAME) *ca_dn;
        int check_type = 0;
        switch (EVP_PKEY_id(pk)) {
        case EVP_PKEY_RSA:
            check_type = TLS_CT_RSA_SIGN;
            break;
        case EVP_PKEY_DSA:
            check_type = TLS_CT_DSS_SIGN;
            break;
        case EVP_PKEY_EC:
            check_type = TLS_CT_ECDSA_SIGN;
            break;
        }
        if (check_type) {
            const uint8_t *ctypes = s->s3->tmp.ctype;
            size_t j;

            for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
                if (*ctypes == check_type) {
                    rv |= CERT_PKEY_CERT_TYPE;
                    break;
                }
            }
            if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
                goto end;
        } else {
            /* Key types without a ClientCertificateType are not filtered */
            rv |= CERT_PKEY_CERT_TYPE;
        }

        ca_dn = s->s3->tmp.peer_ca_names;

        /* An empty CA list means any issuer is acceptable */
        if (!sk_X509_NAME_num(ca_dn))
            rv |= CERT_PKEY_ISSUER_NAME;

        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
            if (ssl_check_ca_name(ca_dn, x))
                rv |= CERT_PKEY_ISSUER_NAME;
        }
        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
            for (i = 0; i < sk_X509_num(chain); i++) {
                X509 *xtmp = sk_X509_value(chain, i);
                if (ssl_check_ca_name(ca_dn, xtmp)) {
                    rv |= CERT_PKEY_ISSUER_NAME;
                    break;
                }
            }
        }
        if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
            goto end;
    } else
        rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;

    if (!check_flags || (rv & check_flags) == check_flags)
        rv |= CERT_PKEY_VALID;

 end:

    /* Carry over the signing-capability bits already recorded for the slot */
    if (TLS1_get_version(s) >= TLS1_2_VERSION)
        rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
    else
        rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;

    /*
     * When checking a CERT_PKEY structure all flags are irrelevant if the
     * chain is invalid.
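 */
    if (!check_flags) {
        if (rv & CERT_PKEY_VALID) {
            *pvalid = rv;
        } else {
            /* Preserve sign and explicit sign flag, clear rest */
            *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
            return 0;
        }
    }
    return rv;
}

/*
 * Set validity of certificates in an SSL structure: run tls1_check_chain()
 * on every CERT_PKEY slot so s->s3->tmp.valid_flags[] is populated.
 */
void tls1_set_cert_validity(SSL *s)
{
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
}

/*
 * User level utility function to check a chain is suitable. Returns the
 * CERT_PKEY_* bitmask from tls1_check_chain(); nothing is stored on |s|.
 */
int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
{
    return tls1_check_chain(s, x, pk, chain, -1);
}

#ifndef OPENSSL_NO_DH
/*
 * Pick ephemeral DH parameters matching the strength of the handshake.
 * The target security level |dh_secbits| comes from:
 *   - dh_tmp_auto == 2            : always the 1024/160 group;
 *   - anonymous or PSK ciphers     : 128 for a 256-bit cipher, else 80;
 *   - otherwise                    : the security bits of the selected
 *                                    certificate's private key (NULL if no
 *                                    certificate has been selected yet).
 * >= 192 bits selects the RFC 3526 8192-bit group, >= 128 the 3072-bit
 * group (both with g = 2), >= 112 the 2048/224 group, anything lower the
 * 1024/160 group. Returns a new DH owned by the caller, or NULL on error.
 * NOTE(review): the 1024-bit fallback is a policy inherited here; whether
 * it should still be reachable is for the security-level settings to decide.
 */
DH *ssl_get_auto_dh(SSL *s)
{
    int dh_secbits = 80;
    if (s->cert->dh_tmp_auto == 2)
        return DH_get_1024_160();
    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
        if (s->s3->tmp.new_cipher->strength_bits == 256)
            dh_secbits = 128;
        else
            dh_secbits = 80;
    } else {
        if (s->s3->tmp.cert == NULL)
            return NULL;
        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
    }

    if (dh_secbits >= 128) {
        DH *dhp = DH_new();
        BIGNUM *p, *g;
        if (dhp == NULL)
            return NULL;
        g = BN_new();
        if (g == NULL || !BN_set_word(g, 2)) {
            DH_free(dhp);
            BN_free(g);
            return NULL;
        }
        if (dh_secbits >= 192)
            p = BN_get_rfc3526_prime_8192(NULL);
        else
            p = BN_get_rfc3526_prime_3072(NULL);
        /* DH_set0_pqg only takes ownership on success, so free both here */
        if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
            DH_free(dhp);
            BN_free(p);
            BN_free(g);
            return NULL;
        }
        return dhp;
    }
    if (dh_secbits >= 112)
        return DH_get_2048_224();
    return DH_get_1024_160();
}
#endif

/*
 * Apply the security callback (|s| if set, else |ctx|) to the public key of
 * |x| with operation |op|. Returns the callback's verdict.
 */
static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
    int secbits = -1;
    EVP_PKEY *pkey = X509_get0_pubkey(x);
    if (pkey) {
        /*
         * If no parameters this will return -1 and fail using the default
         * security callback for any non-zero security level. This will
         * reject keys which omit parameters but this only affects DSA and
         * omission of parameters is never (?) done in practice.
         */
        secbits = EVP_PKEY_security_bits(pkey);
    }
    if (s)
        return ssl_security(s, op, secbits, 0, x);
    else
        return ssl_ctx_security(ctx, op, secbits, 0, x);
}

/*
 * Apply the security callback to the signature on |x| (digest NID, falling
 * back to the signature NID when no digest is defined, plus its security
 * bits). Self-signed certificates are not checked and always pass.
 */
static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
    /* Lookup signature algorithm digest */
    int secbits = -1, nid = NID_undef, pknid = NID_undef;
    /* Don't check signature if self signed */
    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
        return 1;
    /*
     * Initialised above so the nid/pknid reads below are defined even if
     * X509_get_signature_info() fails without writing its outputs.
     */
    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
        secbits = -1;
    /* If digest NID not defined use signature NID */
    if (nid == NID_undef)
        nid = pknid;
    if (s)
        return ssl_security(s, op, secbits, nid, x);
    else
        return ssl_ctx_security(ctx, op, secbits, nid, x);
}

/*
 * Check key strength and signature digest of one certificate. |is_ee|
 * selects the end-entity vs CA operations; |vfy| marks a peer certificate.
 * Returns 1 if acceptable, otherwise the SSL_R_* reason to report.
 */
int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
{
    if (vfy)
        vfy = SSL_SECOP_PEER;
    if (is_ee) {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
            return SSL_R_EE_KEY_TOO_SMALL;
    } else {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
            return SSL_R_CA_KEY_TOO_SMALL;
    }
    if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
        return SSL_R_CA_MD_TOO_WEAK;
    return 1;
}

/*
 * Check security of a chain, if |sk| includes the end entity certificate then
 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
 * one to the peer. Return values: 1 if ok otherwise error code to use
 */

int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
{
    int rv, start_idx, i;
    if (x == NULL) {
        x = sk_X509_value(sk, 0);
        /*
         * An empty (or NULL) stack yields no end entity at all; report it
         * instead of handing a NULL X509 to the checks below.
         */
        if (x == NULL)
            return ERR_R_INTERNAL_ERROR;
        start_idx = 1;
    } else
        start_idx = 0;

    rv = ssl_security_cert(s, NULL, x, vfy, 1);
    if (rv != 1)
        return rv;

    for (i = start_idx; i < sk_X509_num(sk); i++) {
        x = sk_X509_value(sk, i);
        rv = ssl_security_cert(s, NULL, x, vfy, 0);
        if (rv != 1)
            return rv;
    }
    return 1;
}

/*
 * For TLS 1.2 servers check if we have a certificate which can be used
 * with the signature algorithm "lu" and return index of certificate.
 * Returns -1 if the key type is unknown, not allowed by the ciphersuite's
 * authentication mask, is RSA-PSS under an RSA key exchange, or the slot
 * has not been marked CERT_PKEY_VALID by tls1_check_chain().
 */

static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
{
    int sig_idx = lu->sig_idx;
    const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);

    /* If not recognised or not supported by cipher mask it is not suitable */
    if (clu == NULL
            || (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0
            || (clu->nid == EVP_PKEY_RSA_PSS
                && (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0))
        return -1;

    return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
}

/*
 * Checks the given cert against signature_algorithm_cert restrictions sent by
 * the peer (if any) as well as whether the hash from the sigalg is usable with
 * the key.
 * Returns true if the cert is usable and false otherwise.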
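 */
static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
                             EVP_PKEY *pkey)
{
    const SIGALG_LOOKUP *lu;
    int mdnid, pknid, default_mdnid;
    int mandatory;
    size_t i;

    /*
     * If the EVP_PKEY reports a mandatory digest, allow nothing else.
     * The query may leave entries on the error queue when it has nothing to
     * report; bracket it with a mark so they are discarded on every path
     * (the mark must be popped before the early return below as well).
     */
    ERR_set_mark();
    mandatory = EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid);
    ERR_pop_to_mark();
    if (mandatory == 2 && sig->hash != default_mdnid)
        return 0;

    /* No signature_algorithms_cert from the peer: no further restriction */
    if (s->s3->tmp.peer_cert_sigalgs == NULL)
        return 1;

    /*
     * The certificate's own signature info does not change per iteration,
     * so fetch it once; if it is unavailable nothing can match.
     */
    if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
        return 0;

    for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
        /* Peer code points are unvalidated; unknown ones are skipped */
        lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
        if (lu == NULL)
            continue;
        /*
         * TODO this does not differentiate between the
         * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
         * have a chain here that lets us look at the key OID in the
         * signing certificate.
         */
        if (mdnid == lu->hash && pknid == lu->sig)
            return 1;
    }
    return 0;
}

/*
 * Returns true if |s| has a usable certificate configured for use
 * with signature scheme |sig|.
 * "Usable" includes a check for presence as well as applying
 * the signature_algorithm_cert restrictions sent by the peer (if any).
 * |idx| is the CERT_PKEY slot to test, or -1 to use sig->sig_idx.
 * Returns false if no usable certificate is found.
 */
static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
{
    /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
    if (idx == -1)
        idx = sig->sig_idx;
    if (!ssl_has_cert(s, idx))
        return 0;

    return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
                             s->cert->pkeys[idx].privatekey);
}

/*
 * Returns true if the supplied cert |x| and key |pkey| is usable with the
 * specified signature scheme |sig|, or false otherwise. The key type must
 * map to the same CERT_PKEY slot the scheme expects.
 */
static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
                          EVP_PKEY *pkey)
{
    size_t idx;

    if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
        return 0;

    /* Check the key is consistent with the sig alg */
    if ((int)idx != sig->sig_idx)
        return 0;

    return check_cert_usable(s, sig, x, pkey);
}

/*
 * Find a signature scheme that works with the supplied certificate |x| and key
 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
 * available certs/keys to find one that works.
 * Walks the shared sigalgs in preference order and returns the first one
 * that is not SHA1/SHA224/DSA/PKCS#1 v1.5 RSA, has a usable digest, a usable
 * certificate, a matching curve for ECDSA and a large enough key for
 * RSA-PSS; NULL if none qualifies.
 */
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
{
    const SIGALG_LOOKUP *lu = NULL;
    size_t i;
#ifndef OPENSSL_NO_EC
    int curve = -1;
#endif
    EVP_PKEY *tmppkey;

    /* Look for a shared sigalgs matching possible certificates */
    for (i = 0; i < s->shared_sigalgslen; i++) {
        lu = s->shared_sigalgs[i];

        /* Skip SHA1, SHA224, DSA and RSA if not PSS */
        if (lu->hash == NID_sha1
            || lu->hash == NID_sha224
            || lu->sig == EVP_PKEY_DSA
            || lu->sig == EVP_PKEY_RSA)
            continue;
        /* Check that we have a cert, and signature_algorithms_cert */
        if (!tls1_lookup_md(lu, NULL))
            continue;
        if ((pkey == NULL && !has_usable_cert(s, lu, -1))
                || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
            continue;

        tmppkey = (pkey != NULL) ? pkey
                                 : s->cert->pkeys[lu->sig_idx].privatekey;

        if (lu->sig == EVP_PKEY_EC) {
#ifndef OPENSSL_NO_EC
            /*
             * The curve is cached on first use; the usability checks above
             * have already tied tmppkey to the EC slot, so the EC_KEY lookup
             * is expected to succeed here.
             */
            if (curve == -1) {
                EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey);
                curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
            }
            if (lu->curve != NID_undef && curve != lu->curve)
                continue;
#else
            continue;
#endif
        } else if (lu->sig == EVP_PKEY_RSA_PSS) {
            /* validate that key is large enough for the signature algorithm */
            if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
                continue;
        }
        break;
    }

    if (i == s->shared_sigalgslen)
        return NULL;

    return lu;
}

/*
 * Choose an appropriate signature algorithm based on available certificates
 * Sets chosen certificate and signature algorithm.
 *
 * For servers if we fail to find a required certificate it is a fatal error,
 * an appropriate error code is set and a TLS alert is sent.
 *
 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
 * a fatal error: we will either try another certificate or not present one
 * to the server. In this case no error is set.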
 */
/*
 * Select the certificate slot and SIGALG_LOOKUP for the handshake and store
 * them in s->s3->tmp.cert / s->s3->tmp.sigalg (also pointing s->cert->key at
 * the chosen slot). Both are reset to NULL on entry.
 *   TLS 1.3          : find_sig_alg() over the shared sigalgs.
 *   TLS 1.2 + sigalgs: first shared sigalg with a usable certificate (server:
 *                      any slot tls12_get_cert_sigalg_idx() accepts; client:
 *                      only the already selected slot), honouring the Suite B
 *                      curve and RSA-PSS minimum key size.
 *   no peer sigalgs /
 *   pre-TLS 1.2      : the legacy default for the key type.
 * Returns 1 on success, and also 1 when nothing is needed (ciphersuite needs
 * no certificate, client has none) or when |fatalerrs| is 0 and no choice
 * could be made; returns 0 after SSLfatal() otherwise.
 */
int tls_choose_sigalg(SSL *s, int fatalerrs)
{
    const SIGALG_LOOKUP *lu = NULL;
    int sig_idx = -1;

    s->s3->tmp.cert = NULL;
    s->s3->tmp.sigalg = NULL;

    if (SSL_IS_TLS13(s)) {
        lu = find_sig_alg(s, NULL, NULL);
        if (lu == NULL) {
            if (!fatalerrs)
                return 1;
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
                     SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
            return 0;
        }
    } else {
        /* If ciphersuite doesn't require a cert nothing to do */
        if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
            return 1;
        if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
            return 1;

        if (SSL_USE_SIGALGS(s)) {
            size_t i;
            if (s->s3->tmp.peer_sigalgs != NULL) {
#ifndef OPENSSL_NO_EC
                int curve;

                /*
                 * For Suite B need to match signature algorithm to curve.
                 * NOTE(review): this reads the ECC slot's private key
                 * unconditionally; presumably Suite B mode guarantees an EC
                 * key is configured there (it is NULL otherwise) - confirm
                 * against the cipher/cert selection paths.
                 */
                if (tls1_suiteb(s)) {
                    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
                    curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
                } else {
                    curve = -1;
                }
#endif

                /*
                 * Find highest preference signature algorithm matching
                 * cert type
                 */
                for (i = 0; i < s->shared_sigalgslen; i++) {
                    lu = s->shared_sigalgs[i];

                    if (s->server) {
                        if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
                            continue;
                    } else {
                        /* Clients only consider the slot selected earlier */
                        int cc_idx = s->cert->key - s->cert->pkeys;

                        sig_idx = lu->sig_idx;
                        if (cc_idx != sig_idx)
                            continue;
                    }
                    /* Check that we have a cert, and sig_algs_cert */
                    if (!has_usable_cert(s, lu, sig_idx))
                        continue;
                    if (lu->sig == EVP_PKEY_RSA_PSS) {
                        /* validate that key is large enough for the signature algorithm */
                        EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;

                        if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
                            continue;
                    }
                    /* curve == -1 outside Suite B: any curve is acceptable */
#ifndef OPENSSL_NO_EC
                    if (curve == -1 || lu->curve == curve)
#endif
                        break;
                }
                if (i == s->shared_sigalgslen) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS_CHOOSE_SIGALG,
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                    return 0;
                }
            } else {
                /*
                 * If we have no sigalg use defaults
                 */
                const uint16_t *sent_sigs;
                size_t sent_sigslen;

                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
                             ERR_R_INTERNAL_ERROR);
                    return 0;
                }

                /* Check signature matches a type we sent */
                sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
                for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
                    if (lu->sigalg == *sent_sigs
                            && has_usable_cert(s, lu, lu->sig_idx))
                        break;
                }
                if (i == sent_sigslen) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                             SSL_F_TLS_CHOOSE_SIGALG,
                             SSL_R_WRONG_SIGNATURE_TYPE);
                    return 0;
                }
            }
        } else {
            /* Pre-TLS 1.2: no sigalgs negotiation, use the legacy default */
            if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                if (!fatalerrs)
                    return 1;
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
                         ERR_R_INTERNAL_ERROR);
                return 0;
            }
        }
    }
    /* sig_idx is only set explicitly on the TLS 1.2 sigalgs path */
    if (sig_idx == -1)
        sig_idx = lu->sig_idx;
    s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
    s->cert->key = s->s3->tmp.cert;
    s->s3->tmp.sigalg = lu;
    return 1;
}

/*
 * Set the max_fragment_length extension mode for new connections from |ctx|.
 * |mode| must be TLSEXT_max_fragment_length_DISABLED or one of the valid
 * codes accepted by IS_MAX_FRAGMENT_LENGTH_EXT_VALID(); returns 0 with
 * SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH otherwise, 1 on success.
 */
int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
{
    if (mode != TLSEXT_max_fragment_length_DISABLED
            && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
        SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
               SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ctx->ext.max_fragment_len_mode = mode;
    return 1;
}

/*
 * Per-connection variant of SSL_CTX_set_tlsext_max_fragment_length(); same
 * validation and return values.
 */
int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
{
    if (mode != TLSEXT_max_fragment_length_DISABLED
            && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
        SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
               SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ssl->ext.max_fragment_len_mode = mode;
    return 1;
}

/* Return the max_fragment_length mode recorded in |session|. */
uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
{
    return session->ext.max_fragment_len_mode;
}