t1_lib.c 92 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923
  1. /*
  2. * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <openssl/objects.h>
  12. #include <openssl/evp.h>
  13. #include <openssl/hmac.h>
  14. #include <openssl/ocsp.h>
  15. #include <openssl/conf.h>
  16. #include <openssl/x509v3.h>
  17. #include <openssl/dh.h>
  18. #include <openssl/bn.h>
  19. #include "internal/nelem.h"
  20. #include "ssl_local.h"
  21. #include <openssl/ct.h>
  22. static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
  23. static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
  24. SSL3_ENC_METHOD const TLSv1_enc_data = {
  25. tls1_enc,
  26. tls1_mac,
  27. tls1_setup_key_block,
  28. tls1_generate_master_secret,
  29. tls1_change_cipher_state,
  30. tls1_final_finish_mac,
  31. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  32. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  33. tls1_alert_code,
  34. tls1_export_keying_material,
  35. 0,
  36. ssl3_set_handshake_header,
  37. tls_close_construct_packet,
  38. ssl3_handshake_write
  39. };
  40. SSL3_ENC_METHOD const TLSv1_1_enc_data = {
  41. tls1_enc,
  42. tls1_mac,
  43. tls1_setup_key_block,
  44. tls1_generate_master_secret,
  45. tls1_change_cipher_state,
  46. tls1_final_finish_mac,
  47. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  48. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  49. tls1_alert_code,
  50. tls1_export_keying_material,
  51. SSL_ENC_FLAG_EXPLICIT_IV,
  52. ssl3_set_handshake_header,
  53. tls_close_construct_packet,
  54. ssl3_handshake_write
  55. };
  56. SSL3_ENC_METHOD const TLSv1_2_enc_data = {
  57. tls1_enc,
  58. tls1_mac,
  59. tls1_setup_key_block,
  60. tls1_generate_master_secret,
  61. tls1_change_cipher_state,
  62. tls1_final_finish_mac,
  63. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  64. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  65. tls1_alert_code,
  66. tls1_export_keying_material,
  67. SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
  68. | SSL_ENC_FLAG_TLS1_2_CIPHERS,
  69. ssl3_set_handshake_header,
  70. tls_close_construct_packet,
  71. ssl3_handshake_write
  72. };
  73. SSL3_ENC_METHOD const TLSv1_3_enc_data = {
  74. tls13_enc,
  75. tls1_mac,
  76. tls13_setup_key_block,
  77. tls13_generate_master_secret,
  78. tls13_change_cipher_state,
  79. tls13_final_finish_mac,
  80. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  81. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  82. tls13_alert_code,
  83. tls13_export_keying_material,
  84. SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
  85. ssl3_set_handshake_header,
  86. tls_close_construct_packet,
  87. ssl3_handshake_write
  88. };
  89. long tls1_default_timeout(void)
  90. {
  91. /*
  92. * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
  93. * http, the cache would over fill
  94. */
  95. return (60 * 60 * 2);
  96. }
  97. int tls1_new(SSL *s)
  98. {
  99. if (!ssl3_new(s))
  100. return 0;
  101. if (!s->method->ssl_clear(s))
  102. return 0;
  103. return 1;
  104. }
  105. void tls1_free(SSL *s)
  106. {
  107. OPENSSL_free(s->ext.session_ticket);
  108. ssl3_free(s);
  109. }
  110. int tls1_clear(SSL *s)
  111. {
  112. if (!ssl3_clear(s))
  113. return 0;
  114. if (s->method->version == TLS_ANY_VERSION)
  115. s->version = TLS_MAX_VERSION;
  116. else
  117. s->version = s->method->version;
  118. return 1;
  119. }
  120. #ifndef OPENSSL_NO_EC
  121. /*
  122. * Table of curve information.
  123. * Do not delete entries or reorder this array! It is used as a lookup
  124. * table: the index of each entry is one less than the TLS curve id.
  125. */
  126. static const TLS_GROUP_INFO nid_list[] = {
  127. {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
  128. {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
  129. {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
  130. {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
  131. {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
  132. {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
  133. {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
  134. {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
  135. {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
  136. {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
  137. {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
  138. {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
  139. {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
  140. {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
  141. {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
  142. {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
  143. {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
  144. {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
  145. {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
  146. {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
  147. {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
  148. {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
  149. {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
  150. {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
  151. {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
  152. {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
  153. {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
  154. {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
  155. {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
  156. {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
  157. };
  158. static const unsigned char ecformats_default[] = {
  159. TLSEXT_ECPOINTFORMAT_uncompressed,
  160. TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
  161. TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
  162. };
  163. /* The default curves */
  164. static const uint16_t eccurves_default[] = {
  165. 29, /* X25519 (29) */
  166. 23, /* secp256r1 (23) */
  167. 30, /* X448 (30) */
  168. 25, /* secp521r1 (25) */
  169. 24, /* secp384r1 (24) */
  170. };
  171. static const uint16_t suiteb_curves[] = {
  172. TLSEXT_curve_P_256,
  173. TLSEXT_curve_P_384
  174. };
  175. const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
  176. {
  177. /* ECC curves from RFC 4492 and RFC 7027 */
  178. if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
  179. return NULL;
  180. return &nid_list[group_id - 1];
  181. }
  182. static uint16_t tls1_nid2group_id(int nid)
  183. {
  184. size_t i;
  185. for (i = 0; i < OSSL_NELEM(nid_list); i++) {
  186. if (nid_list[i].nid == nid)
  187. return (uint16_t)(i + 1);
  188. }
  189. return 0;
  190. }
  191. /*
  192. * Set *pgroups to the supported groups list and *pgroupslen to
  193. * the number of groups supported.
  194. */
  195. void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
  196. size_t *pgroupslen)
  197. {
  198. /* For Suite B mode only include P-256, P-384 */
  199. switch (tls1_suiteb(s)) {
  200. case SSL_CERT_FLAG_SUITEB_128_LOS:
  201. *pgroups = suiteb_curves;
  202. *pgroupslen = OSSL_NELEM(suiteb_curves);
  203. break;
  204. case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  205. *pgroups = suiteb_curves;
  206. *pgroupslen = 1;
  207. break;
  208. case SSL_CERT_FLAG_SUITEB_192_LOS:
  209. *pgroups = suiteb_curves + 1;
  210. *pgroupslen = 1;
  211. break;
  212. default:
  213. if (s->ext.supportedgroups == NULL) {
  214. *pgroups = eccurves_default;
  215. *pgroupslen = OSSL_NELEM(eccurves_default);
  216. } else {
  217. *pgroups = s->ext.supportedgroups;
  218. *pgroupslen = s->ext.supportedgroups_len;
  219. }
  220. break;
  221. }
  222. }
  223. /* See if curve is allowed by security callback */
  224. int tls_curve_allowed(SSL *s, uint16_t curve, int op)
  225. {
  226. const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
  227. unsigned char ctmp[2];
  228. if (cinfo == NULL)
  229. return 0;
  230. # ifdef OPENSSL_NO_EC2M
  231. if (cinfo->flags & TLS_CURVE_CHAR2)
  232. return 0;
  233. # endif
  234. ctmp[0] = curve >> 8;
  235. ctmp[1] = curve & 0xff;
  236. return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
  237. }
  238. /* Return 1 if "id" is in "list" */
  239. static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
  240. {
  241. size_t i;
  242. for (i = 0; i < listlen; i++)
  243. if (list[i] == id)
  244. return 1;
  245. return 0;
  246. }
  247. /*-
  248. * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
  249. * if there is no match.
  250. * For nmatch == -1, return number of matches
  251. * For nmatch == -2, return the id of the group to use for
  252. * a tmp key, or 0 if there is no match.
  253. */
  254. uint16_t tls1_shared_group(SSL *s, int nmatch)
  255. {
  256. const uint16_t *pref, *supp;
  257. size_t num_pref, num_supp, i;
  258. int k;
  259. /* Can't do anything on client side */
  260. if (s->server == 0)
  261. return 0;
  262. if (nmatch == -2) {
  263. if (tls1_suiteb(s)) {
  264. /*
  265. * For Suite B ciphersuite determines curve: we already know
  266. * these are acceptable due to previous checks.
  267. */
  268. unsigned long cid = s->s3->tmp.new_cipher->id;
  269. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  270. return TLSEXT_curve_P_256;
  271. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  272. return TLSEXT_curve_P_384;
  273. /* Should never happen */
  274. return 0;
  275. }
  276. /* If not Suite B just return first preference shared curve */
  277. nmatch = 0;
  278. }
  279. /*
  280. * If server preference set, our groups are the preference order
  281. * otherwise peer decides.
  282. */
  283. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  284. tls1_get_supported_groups(s, &pref, &num_pref);
  285. tls1_get_peer_groups(s, &supp, &num_supp);
  286. } else {
  287. tls1_get_peer_groups(s, &pref, &num_pref);
  288. tls1_get_supported_groups(s, &supp, &num_supp);
  289. }
  290. for (k = 0, i = 0; i < num_pref; i++) {
  291. uint16_t id = pref[i];
  292. if (!tls1_in_list(id, supp, num_supp)
  293. || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
  294. continue;
  295. if (nmatch == k)
  296. return id;
  297. k++;
  298. }
  299. if (nmatch == -1)
  300. return k;
  301. /* Out of range (nmatch > k). */
  302. return 0;
  303. }
  304. int tls1_set_groups(uint16_t **pext, size_t *pextlen,
  305. int *groups, size_t ngroups)
  306. {
  307. uint16_t *glist;
  308. size_t i;
  309. /*
  310. * Bitmap of groups included to detect duplicates: only works while group
  311. * ids < 32
  312. */
  313. unsigned long dup_list = 0;
  314. if (ngroups == 0) {
  315. SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH);
  316. return 0;
  317. }
  318. if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
  319. SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE);
  320. return 0;
  321. }
  322. for (i = 0; i < ngroups; i++) {
  323. unsigned long idmask;
  324. uint16_t id;
  325. /* TODO(TLS1.3): Convert for DH groups */
  326. id = tls1_nid2group_id(groups[i]);
  327. idmask = 1L << id;
  328. if (!id || (dup_list & idmask)) {
  329. OPENSSL_free(glist);
  330. return 0;
  331. }
  332. dup_list |= idmask;
  333. glist[i] = id;
  334. }
  335. OPENSSL_free(*pext);
  336. *pext = glist;
  337. *pextlen = ngroups;
  338. return 1;
  339. }
  340. # define MAX_CURVELIST OSSL_NELEM(nid_list)
  341. typedef struct {
  342. size_t nidcnt;
  343. int nid_arr[MAX_CURVELIST];
  344. } nid_cb_st;
  345. static int nid_cb(const char *elem, int len, void *arg)
  346. {
  347. nid_cb_st *narg = arg;
  348. size_t i;
  349. int nid;
  350. char etmp[20];
  351. if (elem == NULL)
  352. return 0;
  353. if (narg->nidcnt == MAX_CURVELIST)
  354. return 0;
  355. if (len > (int)(sizeof(etmp) - 1))
  356. return 0;
  357. memcpy(etmp, elem, len);
  358. etmp[len] = 0;
  359. nid = EC_curve_nist2nid(etmp);
  360. if (nid == NID_undef)
  361. nid = OBJ_sn2nid(etmp);
  362. if (nid == NID_undef)
  363. nid = OBJ_ln2nid(etmp);
  364. if (nid == NID_undef)
  365. return 0;
  366. for (i = 0; i < narg->nidcnt; i++)
  367. if (narg->nid_arr[i] == nid)
  368. return 0;
  369. narg->nid_arr[narg->nidcnt++] = nid;
  370. return 1;
  371. }
  372. /* Set groups based on a colon separate list */
  373. int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
  374. {
  375. nid_cb_st ncb;
  376. ncb.nidcnt = 0;
  377. if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
  378. return 0;
  379. if (pext == NULL)
  380. return 1;
  381. return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
  382. }
  383. /* Return group id of a key */
  384. static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
  385. {
  386. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
  387. const EC_GROUP *grp;
  388. if (ec == NULL)
  389. return 0;
  390. grp = EC_KEY_get0_group(ec);
  391. return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
  392. }
  393. /* Check a key is compatible with compression extension */
  394. static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
  395. {
  396. const EC_KEY *ec;
  397. const EC_GROUP *grp;
  398. unsigned char comp_id;
  399. size_t i;
  400. /* If not an EC key nothing to check */
  401. if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
  402. return 1;
  403. ec = EVP_PKEY_get0_EC_KEY(pkey);
  404. grp = EC_KEY_get0_group(ec);
  405. /* Get required compression id */
  406. if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
  407. comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
  408. } else if (SSL_IS_TLS13(s)) {
  409. /*
  410. * ec_point_formats extension is not used in TLSv1.3 so we ignore
  411. * this check.
  412. */
  413. return 1;
  414. } else {
  415. int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));
  416. if (field_type == NID_X9_62_prime_field)
  417. comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
  418. else if (field_type == NID_X9_62_characteristic_two_field)
  419. comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  420. else
  421. return 0;
  422. }
  423. /*
  424. * If point formats extension present check it, otherwise everything is
  425. * supported (see RFC4492).
  426. */
  427. if (s->ext.peer_ecpointformats == NULL)
  428. return 1;
  429. for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
  430. if (s->ext.peer_ecpointformats[i] == comp_id)
  431. return 1;
  432. }
  433. return 0;
  434. }
  435. /* Check a group id matches preferences */
  436. int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
  437. {
  438. const uint16_t *groups;
  439. size_t groups_len;
  440. if (group_id == 0)
  441. return 0;
  442. /* Check for Suite B compliance */
  443. if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
  444. unsigned long cid = s->s3->tmp.new_cipher->id;
  445. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
  446. if (group_id != TLSEXT_curve_P_256)
  447. return 0;
  448. } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
  449. if (group_id != TLSEXT_curve_P_384)
  450. return 0;
  451. } else {
  452. /* Should never happen */
  453. return 0;
  454. }
  455. }
  456. if (check_own_groups) {
  457. /* Check group is one of our preferences */
  458. tls1_get_supported_groups(s, &groups, &groups_len);
  459. if (!tls1_in_list(group_id, groups, groups_len))
  460. return 0;
  461. }
  462. if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
  463. return 0;
  464. /* For clients, nothing more to check */
  465. if (!s->server)
  466. return 1;
  467. /* Check group is one of peers preferences */
  468. tls1_get_peer_groups(s, &groups, &groups_len);
  469. /*
  470. * RFC 4492 does not require the supported elliptic curves extension
  471. * so if it is not sent we can just choose any curve.
  472. * It is invalid to send an empty list in the supported groups
  473. * extension, so groups_len == 0 always means no extension.
  474. */
  475. if (groups_len == 0)
  476. return 1;
  477. return tls1_in_list(group_id, groups, groups_len);
  478. }
  479. void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
  480. size_t *num_formats)
  481. {
  482. /*
  483. * If we have a custom point format list use it otherwise use default
  484. */
  485. if (s->ext.ecpointformats) {
  486. *pformats = s->ext.ecpointformats;
  487. *num_formats = s->ext.ecpointformats_len;
  488. } else {
  489. *pformats = ecformats_default;
  490. /* For Suite B we don't support char2 fields */
  491. if (tls1_suiteb(s))
  492. *num_formats = sizeof(ecformats_default) - 1;
  493. else
  494. *num_formats = sizeof(ecformats_default);
  495. }
  496. }
  497. /*
  498. * Check cert parameters compatible with extensions: currently just checks EC
  499. * certificates have compatible curves and compression.
  500. */
  501. static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
  502. {
  503. uint16_t group_id;
  504. EVP_PKEY *pkey;
  505. pkey = X509_get0_pubkey(x);
  506. if (pkey == NULL)
  507. return 0;
  508. /* If not EC nothing to do */
  509. if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
  510. return 1;
  511. /* Check compression */
  512. if (!tls1_check_pkey_comp(s, pkey))
  513. return 0;
  514. group_id = tls1_get_group_id(pkey);
  515. /*
  516. * For a server we allow the certificate to not be in our list of supported
  517. * groups.
  518. */
  519. if (!tls1_check_group_id(s, group_id, !s->server))
  520. return 0;
  521. /*
  522. * Special case for suite B. We *MUST* sign using SHA256+P-256 or
  523. * SHA384+P-384.
  524. */
  525. if (check_ee_md && tls1_suiteb(s)) {
  526. int check_md;
  527. size_t i;
  528. /* Check to see we have necessary signing algorithm */
  529. if (group_id == TLSEXT_curve_P_256)
  530. check_md = NID_ecdsa_with_SHA256;
  531. else if (group_id == TLSEXT_curve_P_384)
  532. check_md = NID_ecdsa_with_SHA384;
  533. else
  534. return 0; /* Should never happen */
  535. for (i = 0; i < s->shared_sigalgslen; i++) {
  536. if (check_md == s->shared_sigalgs[i]->sigandhash)
  537. return 1;;
  538. }
  539. return 0;
  540. }
  541. return 1;
  542. }
  543. /*
  544. * tls1_check_ec_tmp_key - Check EC temporary key compatibility
  545. * @s: SSL connection
  546. * @cid: Cipher ID we're considering using
  547. *
  548. * Checks that the kECDHE cipher suite we're considering using
  549. * is compatible with the client extensions.
  550. *
  551. * Returns 0 when the cipher can't be used or 1 when it can.
  552. */
  553. int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
  554. {
  555. /* If not Suite B just need a shared group */
  556. if (!tls1_suiteb(s))
  557. return tls1_shared_group(s, 0) != 0;
  558. /*
  559. * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
  560. * curves permitted.
  561. */
  562. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  563. return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
  564. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  565. return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);
  566. return 0;
  567. }
  568. #else
  569. static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
  570. {
  571. return 1;
  572. }
  573. #endif /* OPENSSL_NO_EC */
  574. /* Default sigalg schemes */
  575. static const uint16_t tls12_sigalgs[] = {
  576. #ifndef OPENSSL_NO_EC
  577. TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  578. TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
  579. TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
  580. TLSEXT_SIGALG_ed25519,
  581. TLSEXT_SIGALG_ed448,
  582. #endif
  583. TLSEXT_SIGALG_rsa_pss_pss_sha256,
  584. TLSEXT_SIGALG_rsa_pss_pss_sha384,
  585. TLSEXT_SIGALG_rsa_pss_pss_sha512,
  586. TLSEXT_SIGALG_rsa_pss_rsae_sha256,
  587. TLSEXT_SIGALG_rsa_pss_rsae_sha384,
  588. TLSEXT_SIGALG_rsa_pss_rsae_sha512,
  589. TLSEXT_SIGALG_rsa_pkcs1_sha256,
  590. TLSEXT_SIGALG_rsa_pkcs1_sha384,
  591. TLSEXT_SIGALG_rsa_pkcs1_sha512,
  592. #ifndef OPENSSL_NO_EC
  593. TLSEXT_SIGALG_ecdsa_sha224,
  594. TLSEXT_SIGALG_ecdsa_sha1,
  595. #endif
  596. TLSEXT_SIGALG_rsa_pkcs1_sha224,
  597. TLSEXT_SIGALG_rsa_pkcs1_sha1,
  598. #ifndef OPENSSL_NO_DSA
  599. TLSEXT_SIGALG_dsa_sha224,
  600. TLSEXT_SIGALG_dsa_sha1,
  601. TLSEXT_SIGALG_dsa_sha256,
  602. TLSEXT_SIGALG_dsa_sha384,
  603. TLSEXT_SIGALG_dsa_sha512,
  604. #endif
  605. #ifndef OPENSSL_NO_GOST
  606. TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
  607. TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
  608. TLSEXT_SIGALG_gostr34102001_gostr3411,
  609. #endif
  610. };
  611. #ifndef OPENSSL_NO_EC
  612. static const uint16_t suiteb_sigalgs[] = {
  613. TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  614. TLSEXT_SIGALG_ecdsa_secp384r1_sha384
  615. };
  616. #endif
  617. static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
  618. #ifndef OPENSSL_NO_EC
  619. {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  620. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  621. NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
  622. {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
  623. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  624. NID_ecdsa_with_SHA384, NID_secp384r1},
  625. {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
  626. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  627. NID_ecdsa_with_SHA512, NID_secp521r1},
  628. {"ed25519", TLSEXT_SIGALG_ed25519,
  629. NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
  630. NID_undef, NID_undef},
  631. {"ed448", TLSEXT_SIGALG_ed448,
  632. NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
  633. NID_undef, NID_undef},
  634. {NULL, TLSEXT_SIGALG_ecdsa_sha224,
  635. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  636. NID_ecdsa_with_SHA224, NID_undef},
  637. {NULL, TLSEXT_SIGALG_ecdsa_sha1,
  638. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  639. NID_ecdsa_with_SHA1, NID_undef},
  640. #endif
  641. {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
  642. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  643. NID_undef, NID_undef},
  644. {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
  645. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  646. NID_undef, NID_undef},
  647. {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
  648. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  649. NID_undef, NID_undef},
  650. {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
  651. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  652. NID_undef, NID_undef},
  653. {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
  654. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  655. NID_undef, NID_undef},
  656. {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
  657. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  658. NID_undef, NID_undef},
  659. {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
  660. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  661. NID_sha256WithRSAEncryption, NID_undef},
  662. {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
  663. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  664. NID_sha384WithRSAEncryption, NID_undef},
  665. {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
  666. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  667. NID_sha512WithRSAEncryption, NID_undef},
  668. {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
  669. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  670. NID_sha224WithRSAEncryption, NID_undef},
  671. {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
  672. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  673. NID_sha1WithRSAEncryption, NID_undef},
  674. #ifndef OPENSSL_NO_DSA
  675. {NULL, TLSEXT_SIGALG_dsa_sha256,
  676. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  677. NID_dsa_with_SHA256, NID_undef},
  678. {NULL, TLSEXT_SIGALG_dsa_sha384,
  679. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  680. NID_undef, NID_undef},
  681. {NULL, TLSEXT_SIGALG_dsa_sha512,
  682. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  683. NID_undef, NID_undef},
  684. {NULL, TLSEXT_SIGALG_dsa_sha224,
  685. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  686. NID_undef, NID_undef},
  687. {NULL, TLSEXT_SIGALG_dsa_sha1,
  688. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  689. NID_dsaWithSHA1, NID_undef},
  690. #endif
  691. #ifndef OPENSSL_NO_GOST
  692. {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
  693. NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
  694. NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
  695. NID_undef, NID_undef},
  696. {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
  697. NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
  698. NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
  699. NID_undef, NID_undef},
  700. {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
  701. NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
  702. NID_id_GostR3410_2001, SSL_PKEY_GOST01,
  703. NID_undef, NID_undef}
  704. #endif
  705. };
  706. /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
  707. static const SIGALG_LOOKUP legacy_rsa_sigalg = {
  708. "rsa_pkcs1_md5_sha1", 0,
  709. NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
  710. EVP_PKEY_RSA, SSL_PKEY_RSA,
  711. NID_undef, NID_undef
  712. };
  713. /*
  714. * Default signature algorithm values used if signature algorithms not present.
  715. * From RFC5246. Note: order must match certificate index order.
  716. */
  717. static const uint16_t tls_default_sigalg[] = {
  718. TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
  719. 0, /* SSL_PKEY_RSA_PSS_SIGN */
  720. TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
  721. TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
  722. TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
  723. TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
  724. TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
  725. 0, /* SSL_PKEY_ED25519 */
  726. 0, /* SSL_PKEY_ED448 */
  727. };
  728. /* Lookup TLS signature algorithm */
  729. static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
  730. {
  731. size_t i;
  732. const SIGALG_LOOKUP *s;
  733. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  734. i++, s++) {
  735. if (s->sigalg == sigalg)
  736. return s;
  737. }
  738. return NULL;
  739. }
  740. /* Lookup hash: return 0 if invalid or not enabled */
  741. int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
  742. {
  743. const EVP_MD *md;
  744. if (lu == NULL)
  745. return 0;
  746. /* lu->hash == NID_undef means no associated digest */
  747. if (lu->hash == NID_undef) {
  748. md = NULL;
  749. } else {
  750. md = ssl_md(lu->hash_idx);
  751. if (md == NULL)
  752. return 0;
  753. }
  754. if (pmd)
  755. *pmd = md;
  756. return 1;
  757. }
  758. /*
  759. * Check if key is large enough to generate RSA-PSS signature.
  760. *
  761. * The key must greater than or equal to 2 * hash length + 2.
  762. * SHA512 has a hash length of 64 bytes, which is incompatible
  763. * with a 128 byte (1024 bit) key.
  764. */
  765. #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
  766. static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
  767. {
  768. const EVP_MD *md;
  769. if (rsa == NULL)
  770. return 0;
  771. if (!tls1_lookup_md(lu, &md) || md == NULL)
  772. return 0;
  773. if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md))
  774. return 0;
  775. return 1;
  776. }
  777. /*
  778. * Returns a signature algorithm when the peer did not send a list of supported
  779. * signature algorithms. The signature algorithm is fixed for the certificate
  780. * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
  781. * certificate type from |s| will be used.
  782. * Returns the signature algorithm to use, or NULL on error.
  783. */
  784. static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
  785. {
  786. if (idx == -1) {
  787. if (s->server) {
  788. size_t i;
  789. /* Work out index corresponding to ciphersuite */
  790. for (i = 0; i < SSL_PKEY_NUM; i++) {
  791. const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);
  792. if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
  793. idx = i;
  794. break;
  795. }
  796. }
  797. /*
  798. * Some GOST ciphersuites allow more than one signature algorithms
  799. * */
  800. if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
  801. int real_idx;
  802. for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
  803. real_idx--) {
  804. if (s->cert->pkeys[real_idx].privatekey != NULL) {
  805. idx = real_idx;
  806. break;
  807. }
  808. }
  809. }
  810. } else {
  811. idx = s->cert->key - s->cert->pkeys;
  812. }
  813. }
  814. if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
  815. return NULL;
  816. if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
  817. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
  818. if (!tls1_lookup_md(lu, NULL))
  819. return NULL;
  820. if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
  821. return NULL;
  822. return lu;
  823. }
  824. if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
  825. return NULL;
  826. return &legacy_rsa_sigalg;
  827. }
  828. /* Set peer sigalg based key type */
  829. int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
  830. {
  831. size_t idx;
  832. const SIGALG_LOOKUP *lu;
  833. if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
  834. return 0;
  835. lu = tls1_get_legacy_sigalg(s, idx);
  836. if (lu == NULL)
  837. return 0;
  838. s->s3->tmp.peer_sigalg = lu;
  839. return 1;
  840. }
  841. size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
  842. {
  843. /*
  844. * If Suite B mode use Suite B sigalgs only, ignore any other
  845. * preferences.
  846. */
  847. #ifndef OPENSSL_NO_EC
  848. switch (tls1_suiteb(s)) {
  849. case SSL_CERT_FLAG_SUITEB_128_LOS:
  850. *psigs = suiteb_sigalgs;
  851. return OSSL_NELEM(suiteb_sigalgs);
  852. case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  853. *psigs = suiteb_sigalgs;
  854. return 1;
  855. case SSL_CERT_FLAG_SUITEB_192_LOS:
  856. *psigs = suiteb_sigalgs + 1;
  857. return 1;
  858. }
  859. #endif
  860. /*
  861. * We use client_sigalgs (if not NULL) if we're a server
  862. * and sending a certificate request or if we're a client and
  863. * determining which shared algorithm to use.
  864. */
  865. if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
  866. *psigs = s->cert->client_sigalgs;
  867. return s->cert->client_sigalgslen;
  868. } else if (s->cert->conf_sigalgs) {
  869. *psigs = s->cert->conf_sigalgs;
  870. return s->cert->conf_sigalgslen;
  871. } else {
  872. *psigs = tls12_sigalgs;
  873. return OSSL_NELEM(tls12_sigalgs);
  874. }
  875. }
  876. #ifndef OPENSSL_NO_EC
  877. /*
  878. * Called by servers only. Checks that we have a sig alg that supports the
  879. * specified EC curve.
  880. */
  881. int tls_check_sigalg_curve(const SSL *s, int curve)
  882. {
  883. const uint16_t *sigs;
  884. size_t siglen, i;
  885. if (s->cert->conf_sigalgs) {
  886. sigs = s->cert->conf_sigalgs;
  887. siglen = s->cert->conf_sigalgslen;
  888. } else {
  889. sigs = tls12_sigalgs;
  890. siglen = OSSL_NELEM(tls12_sigalgs);
  891. }
  892. for (i = 0; i < siglen; i++) {
  893. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigs[i]);
  894. if (lu == NULL)
  895. continue;
  896. if (lu->sig == EVP_PKEY_EC
  897. && lu->curve != NID_undef
  898. && curve == lu->curve)
  899. return 1;
  900. }
  901. return 0;
  902. }
  903. #endif
  904. /*
  905. * Return the number of security bits for the signature algorithm, or 0 on
  906. * error.
  907. */
  908. static int sigalg_security_bits(const SIGALG_LOOKUP *lu)
  909. {
  910. const EVP_MD *md = NULL;
  911. int secbits = 0;
  912. if (!tls1_lookup_md(lu, &md))
  913. return 0;
  914. if (md != NULL)
  915. {
  916. /* Security bits: half digest bits */
  917. secbits = EVP_MD_size(md) * 4;
  918. } else {
  919. /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
  920. if (lu->sigalg == TLSEXT_SIGALG_ed25519)
  921. secbits = 128;
  922. else if (lu->sigalg == TLSEXT_SIGALG_ed448)
  923. secbits = 224;
  924. }
  925. return secbits;
  926. }
  927. /*
  928. * Check signature algorithm is consistent with sent supported signature
  929. * algorithms and if so set relevant digest and signature scheme in
  930. * s.
  931. */
  932. int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
  933. {
  934. const uint16_t *sent_sigs;
  935. const EVP_MD *md = NULL;
  936. char sigalgstr[2];
  937. size_t sent_sigslen, i, cidx;
  938. int pkeyid = EVP_PKEY_id(pkey);
  939. const SIGALG_LOOKUP *lu;
  940. int secbits = 0;
  941. /* Should never happen */
  942. if (pkeyid == -1)
  943. return -1;
  944. if (SSL_IS_TLS13(s)) {
  945. /* Disallow DSA for TLS 1.3 */
  946. if (pkeyid == EVP_PKEY_DSA) {
  947. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
  948. SSL_R_WRONG_SIGNATURE_TYPE);
  949. return 0;
  950. }
  951. /* Only allow PSS for TLS 1.3 */
  952. if (pkeyid == EVP_PKEY_RSA)
  953. pkeyid = EVP_PKEY_RSA_PSS;
  954. }
  955. lu = tls1_lookup_sigalg(sig);
  956. /*
  957. * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
  958. * is consistent with signature: RSA keys can be used for RSA-PSS
  959. */
  960. if (lu == NULL
  961. || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
  962. || (pkeyid != lu->sig
  963. && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
  964. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
  965. SSL_R_WRONG_SIGNATURE_TYPE);
  966. return 0;
  967. }
  968. /* Check the sigalg is consistent with the key OID */
  969. if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx)
  970. || lu->sig_idx != (int)cidx) {
  971. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
  972. SSL_R_WRONG_SIGNATURE_TYPE);
  973. return 0;
  974. }
  975. #ifndef OPENSSL_NO_EC
  976. if (pkeyid == EVP_PKEY_EC) {
  977. /* Check point compression is permitted */
  978. if (!tls1_check_pkey_comp(s, pkey)) {
  979. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  980. SSL_F_TLS12_CHECK_PEER_SIGALG,
  981. SSL_R_ILLEGAL_POINT_COMPRESSION);
  982. return 0;
  983. }
  984. /* For TLS 1.3 or Suite B check curve matches signature algorithm */
  985. if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
  986. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
  987. int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  988. if (lu->curve != NID_undef && curve != lu->curve) {
  989. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  990. SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
  991. return 0;
  992. }
  993. }
  994. if (!SSL_IS_TLS13(s)) {
  995. /* Check curve matches extensions */
  996. if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
  997. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  998. SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
  999. return 0;
  1000. }
  1001. if (tls1_suiteb(s)) {
  1002. /* Check sigalg matches a permissible Suite B value */
  1003. if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
  1004. && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
  1005. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1006. SSL_F_TLS12_CHECK_PEER_SIGALG,
  1007. SSL_R_WRONG_SIGNATURE_TYPE);
  1008. return 0;
  1009. }
  1010. }
  1011. }
  1012. } else if (tls1_suiteb(s)) {
  1013. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  1014. SSL_R_WRONG_SIGNATURE_TYPE);
  1015. return 0;
  1016. }
  1017. #endif
  1018. /* Check signature matches a type we sent */
  1019. sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  1020. for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
  1021. if (sig == *sent_sigs)
  1022. break;
  1023. }
  1024. /* Allow fallback to SHA1 if not strict mode */
  1025. if (i == sent_sigslen && (lu->hash != NID_sha1
  1026. || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
  1027. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  1028. SSL_R_WRONG_SIGNATURE_TYPE);
  1029. return 0;
  1030. }
  1031. if (!tls1_lookup_md(lu, &md)) {
  1032. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  1033. SSL_R_UNKNOWN_DIGEST);
  1034. return 0;
  1035. }
  1036. /*
  1037. * Make sure security callback allows algorithm. For historical
  1038. * reasons we have to pass the sigalg as a two byte char array.
  1039. */
  1040. sigalgstr[0] = (sig >> 8) & 0xff;
  1041. sigalgstr[1] = sig & 0xff;
  1042. secbits = sigalg_security_bits(lu);
  1043. if (secbits == 0 ||
  1044. !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
  1045. md != NULL ? EVP_MD_type(md) : NID_undef,
  1046. (void *)sigalgstr)) {
  1047. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  1048. SSL_R_WRONG_SIGNATURE_TYPE);
  1049. return 0;
  1050. }
  1051. /* Store the sigalg the peer uses */
  1052. s->s3->tmp.peer_sigalg = lu;
  1053. return 1;
  1054. }
  1055. int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
  1056. {
  1057. if (s->s3->tmp.peer_sigalg == NULL)
  1058. return 0;
  1059. *pnid = s->s3->tmp.peer_sigalg->sig;
  1060. return 1;
  1061. }
  1062. int SSL_get_signature_type_nid(const SSL *s, int *pnid)
  1063. {
  1064. if (s->s3->tmp.sigalg == NULL)
  1065. return 0;
  1066. *pnid = s->s3->tmp.sigalg->sig;
  1067. return 1;
  1068. }
  1069. /*
  1070. * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
  1071. * supported, doesn't appear in supported signature algorithms, isn't supported
  1072. * by the enabled protocol versions or by the security level.
  1073. *
  1074. * This function should only be used for checking which ciphers are supported
  1075. * by the client.
  1076. *
  1077. * Call ssl_cipher_disabled() to check that it's enabled or not.
  1078. */
  1079. int ssl_set_client_disabled(SSL *s)
  1080. {
  1081. s->s3->tmp.mask_a = 0;
  1082. s->s3->tmp.mask_k = 0;
  1083. ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
  1084. if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver,
  1085. &s->s3->tmp.max_ver, NULL) != 0)
  1086. return 0;
  1087. #ifndef OPENSSL_NO_PSK
  1088. /* with PSK there must be client callback set */
  1089. if (!s->psk_client_callback) {
  1090. s->s3->tmp.mask_a |= SSL_aPSK;
  1091. s->s3->tmp.mask_k |= SSL_PSK;
  1092. }
  1093. #endif /* OPENSSL_NO_PSK */
  1094. #ifndef OPENSSL_NO_SRP
  1095. if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
  1096. s->s3->tmp.mask_a |= SSL_aSRP;
  1097. s->s3->tmp.mask_k |= SSL_kSRP;
  1098. }
  1099. #endif
  1100. return 1;
  1101. }
  1102. /*
  1103. * ssl_cipher_disabled - check that a cipher is disabled or not
  1104. * @s: SSL connection that you want to use the cipher on
  1105. * @c: cipher to check
  1106. * @op: Security check that you want to do
  1107. * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
  1108. *
  1109. * Returns 1 when it's disabled, 0 when enabled.
  1110. */
  1111. int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
  1112. {
  1113. if (c->algorithm_mkey & s->s3->tmp.mask_k
  1114. || c->algorithm_auth & s->s3->tmp.mask_a)
  1115. return 1;
  1116. if (s->s3->tmp.max_ver == 0)
  1117. return 1;
  1118. if (!SSL_IS_DTLS(s)) {
  1119. int min_tls = c->min_tls;
  1120. /*
  1121. * For historical reasons we will allow ECHDE to be selected by a server
  1122. * in SSLv3 if we are a client
  1123. */
  1124. if (min_tls == TLS1_VERSION && ecdhe
  1125. && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
  1126. min_tls = SSL3_VERSION;
  1127. if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
  1128. return 1;
  1129. }
  1130. if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
  1131. || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
  1132. return 1;
  1133. return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
  1134. }
  1135. int tls_use_ticket(SSL *s)
  1136. {
  1137. if ((s->options & SSL_OP_NO_TICKET))
  1138. return 0;
  1139. return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
  1140. }
  1141. int tls1_set_server_sigalgs(SSL *s)
  1142. {
  1143. size_t i;
  1144. /* Clear any shared signature algorithms */
  1145. OPENSSL_free(s->shared_sigalgs);
  1146. s->shared_sigalgs = NULL;
  1147. s->shared_sigalgslen = 0;
  1148. /* Clear certificate validity flags */
  1149. for (i = 0; i < SSL_PKEY_NUM; i++)
  1150. s->s3->tmp.valid_flags[i] = 0;
  1151. /*
  1152. * If peer sent no signature algorithms check to see if we support
  1153. * the default algorithm for each certificate type
  1154. */
  1155. if (s->s3->tmp.peer_cert_sigalgs == NULL
  1156. && s->s3->tmp.peer_sigalgs == NULL) {
  1157. const uint16_t *sent_sigs;
  1158. size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  1159. for (i = 0; i < SSL_PKEY_NUM; i++) {
  1160. const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
  1161. size_t j;
  1162. if (lu == NULL)
  1163. continue;
  1164. /* Check default matches a type we sent */
  1165. for (j = 0; j < sent_sigslen; j++) {
  1166. if (lu->sigalg == sent_sigs[j]) {
  1167. s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
  1168. break;
  1169. }
  1170. }
  1171. }
  1172. return 1;
  1173. }
  1174. if (!tls1_process_sigalgs(s)) {
  1175. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1176. SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
  1177. return 0;
  1178. }
  1179. if (s->shared_sigalgs != NULL)
  1180. return 1;
  1181. /* Fatal error if no shared signature algorithms */
  1182. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
  1183. SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
  1184. return 0;
  1185. }
  1186. /*-
  1187. * Gets the ticket information supplied by the client if any.
  1188. *
  1189. * hello: The parsed ClientHello data
  1190. * ret: (output) on return, if a ticket was decrypted, then this is set to
  1191. * point to the resulting session.
  1192. */
  1193. SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
  1194. SSL_SESSION **ret)
  1195. {
  1196. size_t size;
  1197. RAW_EXTENSION *ticketext;
  1198. *ret = NULL;
  1199. s->ext.ticket_expected = 0;
  1200. /*
  1201. * If tickets disabled or not supported by the protocol version
  1202. * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
  1203. * resumption.
  1204. */
  1205. if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
  1206. return SSL_TICKET_NONE;
  1207. ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
  1208. if (!ticketext->present)
  1209. return SSL_TICKET_NONE;
  1210. size = PACKET_remaining(&ticketext->data);
  1211. return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
  1212. hello->session_id, hello->session_id_len, ret);
  1213. }
  1214. /*-
  1215. * tls_decrypt_ticket attempts to decrypt a session ticket.
  1216. *
  1217. * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are
  1218. * expecting a pre-shared key ciphersuite, in which case we have no use for
  1219. * session tickets and one will never be decrypted, nor will
  1220. * s->ext.ticket_expected be set to 1.
  1221. *
  1222. * Side effects:
  1223. * Sets s->ext.ticket_expected to 1 if the server will have to issue
  1224. * a new session ticket to the client because the client indicated support
  1225. * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
  1226. * a session ticket or we couldn't use the one it gave us, or if
  1227. * s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
  1228. * Otherwise, s->ext.ticket_expected is set to 0.
  1229. *
  1230. * etick: points to the body of the session ticket extension.
  1231. * eticklen: the length of the session tickets extension.
  1232. * sess_id: points at the session ID.
  1233. * sesslen: the length of the session ID.
  1234. * psess: (output) on return, if a ticket was decrypted, then this is set to
  1235. * point to the resulting session.
  1236. */
  1237. SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
  1238. size_t eticklen, const unsigned char *sess_id,
  1239. size_t sesslen, SSL_SESSION **psess)
  1240. {
  1241. SSL_SESSION *sess = NULL;
  1242. unsigned char *sdec;
  1243. const unsigned char *p;
  1244. int slen, renew_ticket = 0, declen;
  1245. SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
  1246. size_t mlen;
  1247. unsigned char tick_hmac[EVP_MAX_MD_SIZE];
  1248. HMAC_CTX *hctx = NULL;
  1249. EVP_CIPHER_CTX *ctx = NULL;
  1250. SSL_CTX *tctx = s->session_ctx;
  1251. if (eticklen == 0) {
  1252. /*
  1253. * The client will accept a ticket but doesn't currently have
  1254. * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
  1255. */
  1256. ret = SSL_TICKET_EMPTY;
  1257. goto end;
  1258. }
  1259. if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) {
  1260. /*
  1261. * Indicate that the ticket couldn't be decrypted rather than
  1262. * generating the session from ticket now, trigger
  1263. * abbreviated handshake based on external mechanism to
  1264. * calculate the master secret later.
  1265. */
  1266. ret = SSL_TICKET_NO_DECRYPT;
  1267. goto end;
  1268. }
  1269. /* Need at least keyname + iv */
  1270. if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
  1271. ret = SSL_TICKET_NO_DECRYPT;
  1272. goto end;
  1273. }
  1274. /* Initialize session ticket encryption and HMAC contexts */
  1275. hctx = HMAC_CTX_new();
  1276. if (hctx == NULL) {
  1277. ret = SSL_TICKET_FATAL_ERR_MALLOC;
  1278. goto end;
  1279. }
  1280. ctx = EVP_CIPHER_CTX_new();
  1281. if (ctx == NULL) {
  1282. ret = SSL_TICKET_FATAL_ERR_MALLOC;
  1283. goto end;
  1284. }
  1285. if (tctx->ext.ticket_key_cb) {
  1286. unsigned char *nctick = (unsigned char *)etick;
  1287. int rv = tctx->ext.ticket_key_cb(s, nctick,
  1288. nctick + TLSEXT_KEYNAME_LENGTH,
  1289. ctx, hctx, 0);
  1290. if (rv < 0) {
  1291. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1292. goto end;
  1293. }
  1294. if (rv == 0) {
  1295. ret = SSL_TICKET_NO_DECRYPT;
  1296. goto end;
  1297. }
  1298. if (rv == 2)
  1299. renew_ticket = 1;
  1300. } else {
  1301. /* Check key name matches */
  1302. if (memcmp(etick, tctx->ext.tick_key_name,
  1303. TLSEXT_KEYNAME_LENGTH) != 0) {
  1304. ret = SSL_TICKET_NO_DECRYPT;
  1305. goto end;
  1306. }
  1307. if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
  1308. sizeof(tctx->ext.secure->tick_hmac_key),
  1309. EVP_sha256(), NULL) <= 0
  1310. || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
  1311. tctx->ext.secure->tick_aes_key,
  1312. etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
  1313. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1314. goto end;
  1315. }
  1316. if (SSL_IS_TLS13(s))
  1317. renew_ticket = 1;
  1318. }
  1319. /*
  1320. * Attempt to process session ticket, first conduct sanity and integrity
  1321. * checks on ticket.
  1322. */
  1323. mlen = HMAC_size(hctx);
  1324. if (mlen == 0) {
  1325. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1326. goto end;
  1327. }
  1328. /* Sanity check ticket length: must exceed keyname + IV + HMAC */
  1329. if (eticklen <=
  1330. TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
  1331. ret = SSL_TICKET_NO_DECRYPT;
  1332. goto end;
  1333. }
  1334. eticklen -= mlen;
  1335. /* Check HMAC of encrypted ticket */
  1336. if (HMAC_Update(hctx, etick, eticklen) <= 0
  1337. || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
  1338. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1339. goto end;
  1340. }
  1341. if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
  1342. ret = SSL_TICKET_NO_DECRYPT;
  1343. goto end;
  1344. }
  1345. /* Attempt to decrypt session data */
  1346. /* Move p after IV to start of encrypted ticket, update length */
  1347. p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
  1348. eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
  1349. sdec = OPENSSL_malloc(eticklen);
  1350. if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
  1351. (int)eticklen) <= 0) {
  1352. OPENSSL_free(sdec);
  1353. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1354. goto end;
  1355. }
  1356. if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
  1357. OPENSSL_free(sdec);
  1358. ret = SSL_TICKET_NO_DECRYPT;
  1359. goto end;
  1360. }
  1361. slen += declen;
  1362. p = sdec;
  1363. sess = d2i_SSL_SESSION(NULL, &p, slen);
  1364. slen -= p - sdec;
  1365. OPENSSL_free(sdec);
  1366. if (sess) {
  1367. /* Some additional consistency checks */
  1368. if (slen != 0) {
  1369. SSL_SESSION_free(sess);
  1370. sess = NULL;
  1371. ret = SSL_TICKET_NO_DECRYPT;
  1372. goto end;
  1373. }
  1374. /*
  1375. * The session ID, if non-empty, is used by some clients to detect
  1376. * that the ticket has been accepted. So we copy it to the session
  1377. * structure. If it is empty set length to zero as required by
  1378. * standard.
  1379. */
  1380. if (sesslen) {
  1381. memcpy(sess->session_id, sess_id, sesslen);
  1382. sess->session_id_length = sesslen;
  1383. }
  1384. if (renew_ticket)
  1385. ret = SSL_TICKET_SUCCESS_RENEW;
  1386. else
  1387. ret = SSL_TICKET_SUCCESS;
  1388. goto end;
  1389. }
  1390. ERR_clear_error();
  1391. /*
  1392. * For session parse failure, indicate that we need to send a new ticket.
  1393. */
  1394. ret = SSL_TICKET_NO_DECRYPT;
  1395. end:
  1396. EVP_CIPHER_CTX_free(ctx);
  1397. HMAC_CTX_free(hctx);
  1398. /*
  1399. * If set, the decrypt_ticket_cb() is called unless a fatal error was
  1400. * detected above. The callback is responsible for checking |ret| before it
  1401. * performs any action
  1402. */
  1403. if (s->session_ctx->decrypt_ticket_cb != NULL
  1404. && (ret == SSL_TICKET_EMPTY
  1405. || ret == SSL_TICKET_NO_DECRYPT
  1406. || ret == SSL_TICKET_SUCCESS
  1407. || ret == SSL_TICKET_SUCCESS_RENEW)) {
  1408. size_t keyname_len = eticklen;
  1409. int retcb;
  1410. if (keyname_len > TLSEXT_KEYNAME_LENGTH)
  1411. keyname_len = TLSEXT_KEYNAME_LENGTH;
  1412. retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len,
  1413. ret,
  1414. s->session_ctx->ticket_cb_data);
  1415. switch (retcb) {
  1416. case SSL_TICKET_RETURN_ABORT:
  1417. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1418. break;
  1419. case SSL_TICKET_RETURN_IGNORE:
  1420. ret = SSL_TICKET_NONE;
  1421. SSL_SESSION_free(sess);
  1422. sess = NULL;
  1423. break;
  1424. case SSL_TICKET_RETURN_IGNORE_RENEW:
  1425. if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT)
  1426. ret = SSL_TICKET_NO_DECRYPT;
  1427. /* else the value of |ret| will already do the right thing */
  1428. SSL_SESSION_free(sess);
  1429. sess = NULL;
  1430. break;
  1431. case SSL_TICKET_RETURN_USE:
  1432. case SSL_TICKET_RETURN_USE_RENEW:
  1433. if (ret != SSL_TICKET_SUCCESS
  1434. && ret != SSL_TICKET_SUCCESS_RENEW)
  1435. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1436. else if (retcb == SSL_TICKET_RETURN_USE)
  1437. ret = SSL_TICKET_SUCCESS;
  1438. else
  1439. ret = SSL_TICKET_SUCCESS_RENEW;
  1440. break;
  1441. default:
  1442. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1443. }
  1444. }
  1445. if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) {
  1446. switch (ret) {
  1447. case SSL_TICKET_NO_DECRYPT:
  1448. case SSL_TICKET_SUCCESS_RENEW:
  1449. case SSL_TICKET_EMPTY:
  1450. s->ext.ticket_expected = 1;
  1451. }
  1452. }
  1453. *psess = sess;
  1454. return ret;
  1455. }
  1456. /* Check to see if a signature algorithm is allowed */
  1457. static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
  1458. {
  1459. unsigned char sigalgstr[2];
  1460. int secbits;
  1461. /* See if sigalgs is recognised and if hash is enabled */
  1462. if (!tls1_lookup_md(lu, NULL))
  1463. return 0;
  1464. /* DSA is not allowed in TLS 1.3 */
  1465. if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
  1466. return 0;
  1467. /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
  1468. if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
  1469. && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
  1470. || lu->hash_idx == SSL_MD_MD5_IDX
  1471. || lu->hash_idx == SSL_MD_SHA224_IDX))
  1472. return 0;
  1473. /* See if public key algorithm allowed */
  1474. if (ssl_cert_is_disabled(lu->sig_idx))
  1475. return 0;
  1476. if (lu->sig == NID_id_GostR3410_2012_256
  1477. || lu->sig == NID_id_GostR3410_2012_512
  1478. || lu->sig == NID_id_GostR3410_2001) {
  1479. /* We never allow GOST sig algs on the server with TLSv1.3 */
  1480. if (s->server && SSL_IS_TLS13(s))
  1481. return 0;
  1482. if (!s->server
  1483. && s->method->version == TLS_ANY_VERSION
  1484. && s->s3->tmp.max_ver >= TLS1_3_VERSION) {
  1485. int i, num;
  1486. STACK_OF(SSL_CIPHER) *sk;
  1487. /*
  1488. * We're a client that could negotiate TLSv1.3. We only allow GOST
  1489. * sig algs if we could negotiate TLSv1.2 or below and we have GOST
  1490. * ciphersuites enabled.
  1491. */
  1492. if (s->s3->tmp.min_ver >= TLS1_3_VERSION)
  1493. return 0;
  1494. sk = SSL_get_ciphers(s);
  1495. num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0;
  1496. for (i = 0; i < num; i++) {
  1497. const SSL_CIPHER *c;
  1498. c = sk_SSL_CIPHER_value(sk, i);
  1499. /* Skip disabled ciphers */
  1500. if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
  1501. continue;
  1502. if ((c->algorithm_mkey & SSL_kGOST) != 0)
  1503. break;
  1504. }
  1505. if (i == num)
  1506. return 0;
  1507. }
  1508. }
  1509. /* Finally see if security callback allows it */
  1510. secbits = sigalg_security_bits(lu);
  1511. sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
  1512. sigalgstr[1] = lu->sigalg & 0xff;
  1513. return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
  1514. }
  1515. /*
  1516. * Get a mask of disabled public key algorithms based on supported signature
  1517. * algorithms. For example if no signature algorithm supports RSA then RSA is
  1518. * disabled.
  1519. */
  1520. void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
  1521. {
  1522. const uint16_t *sigalgs;
  1523. size_t i, sigalgslen;
  1524. uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
  1525. /*
  1526. * Go through all signature algorithms seeing if we support any
  1527. * in disabled_mask.
  1528. */
  1529. sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
  1530. for (i = 0; i < sigalgslen; i++, sigalgs++) {
  1531. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
  1532. const SSL_CERT_LOOKUP *clu;
  1533. if (lu == NULL)
  1534. continue;
  1535. clu = ssl_cert_lookup_by_idx(lu->sig_idx);
  1536. if (clu == NULL)
  1537. continue;
  1538. /* If algorithm is disabled see if we can enable it */
  1539. if ((clu->amask & disabled_mask) != 0
  1540. && tls12_sigalg_allowed(s, op, lu))
  1541. disabled_mask &= ~clu->amask;
  1542. }
  1543. *pmask_a |= disabled_mask;
  1544. }
  1545. int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
  1546. const uint16_t *psig, size_t psiglen)
  1547. {
  1548. size_t i;
  1549. int rv = 0;
  1550. for (i = 0; i < psiglen; i++, psig++) {
  1551. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);
  1552. if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
  1553. continue;
  1554. if (!WPACKET_put_bytes_u16(pkt, *psig))
  1555. return 0;
  1556. /*
  1557. * If TLS 1.3 must have at least one valid TLS 1.3 message
  1558. * signing algorithm: i.e. neither RSA nor SHA1/SHA224
  1559. */
  1560. if (rv == 0 && (!SSL_IS_TLS13(s)
  1561. || (lu->sig != EVP_PKEY_RSA
  1562. && lu->hash != NID_sha1
  1563. && lu->hash != NID_sha224)))
  1564. rv = 1;
  1565. }
  1566. if (rv == 0)
  1567. SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
  1568. return rv;
  1569. }
  1570. /* Given preference and allowed sigalgs set shared sigalgs */
  1571. static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
  1572. const uint16_t *pref, size_t preflen,
  1573. const uint16_t *allow, size_t allowlen)
  1574. {
  1575. const uint16_t *ptmp, *atmp;
  1576. size_t i, j, nmatch = 0;
  1577. for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
  1578. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);
  1579. /* Skip disabled hashes or signature algorithms */
  1580. if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
  1581. continue;
  1582. for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
  1583. if (*ptmp == *atmp) {
  1584. nmatch++;
  1585. if (shsig)
  1586. *shsig++ = lu;
  1587. break;
  1588. }
  1589. }
  1590. }
  1591. return nmatch;
  1592. }
  1593. /* Set shared signature algorithms for SSL structures */
  1594. static int tls1_set_shared_sigalgs(SSL *s)
  1595. {
  1596. const uint16_t *pref, *allow, *conf;
  1597. size_t preflen, allowlen, conflen;
  1598. size_t nmatch;
  1599. const SIGALG_LOOKUP **salgs = NULL;
  1600. CERT *c = s->cert;
  1601. unsigned int is_suiteb = tls1_suiteb(s);
  1602. OPENSSL_free(s->shared_sigalgs);
  1603. s->shared_sigalgs = NULL;
  1604. s->shared_sigalgslen = 0;
  1605. /* If client use client signature algorithms if not NULL */
  1606. if (!s->server && c->client_sigalgs && !is_suiteb) {
  1607. conf = c->client_sigalgs;
  1608. conflen = c->client_sigalgslen;
  1609. } else if (c->conf_sigalgs && !is_suiteb) {
  1610. conf = c->conf_sigalgs;
  1611. conflen = c->conf_sigalgslen;
  1612. } else
  1613. conflen = tls12_get_psigalgs(s, 0, &conf);
  1614. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
  1615. pref = conf;
  1616. preflen = conflen;
  1617. allow = s->s3->tmp.peer_sigalgs;
  1618. allowlen = s->s3->tmp.peer_sigalgslen;
  1619. } else {
  1620. allow = conf;
  1621. allowlen = conflen;
  1622. pref = s->s3->tmp.peer_sigalgs;
  1623. preflen = s->s3->tmp.peer_sigalgslen;
  1624. }
  1625. nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
  1626. if (nmatch) {
  1627. if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) {
  1628. SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE);
  1629. return 0;
  1630. }
  1631. nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
  1632. } else {
  1633. salgs = NULL;
  1634. }
  1635. s->shared_sigalgs = salgs;
  1636. s->shared_sigalgslen = nmatch;
  1637. return 1;
  1638. }
  1639. int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
  1640. {
  1641. unsigned int stmp;
  1642. size_t size, i;
  1643. uint16_t *buf;
  1644. size = PACKET_remaining(pkt);
  1645. /* Invalid data length */
  1646. if (size == 0 || (size & 1) != 0)
  1647. return 0;
  1648. size >>= 1;
  1649. if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) {
  1650. SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE);
  1651. return 0;
  1652. }
  1653. for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
  1654. buf[i] = stmp;
  1655. if (i != size) {
  1656. OPENSSL_free(buf);
  1657. return 0;
  1658. }
  1659. OPENSSL_free(*pdest);
  1660. *pdest = buf;
  1661. *pdestlen = size;
  1662. return 1;
  1663. }
  1664. int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert)
  1665. {
  1666. /* Extension ignored for inappropriate versions */
  1667. if (!SSL_USE_SIGALGS(s))
  1668. return 1;
  1669. /* Should never happen */
  1670. if (s->cert == NULL)
  1671. return 0;
  1672. if (cert)
  1673. return tls1_save_u16(pkt, &s->s3->tmp.peer_cert_sigalgs,
  1674. &s->s3->tmp.peer_cert_sigalgslen);
  1675. else
  1676. return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs,
  1677. &s->s3->tmp.peer_sigalgslen);
  1678. }
  1679. /* Set preferred digest for each key type */
  1680. int tls1_process_sigalgs(SSL *s)
  1681. {
  1682. size_t i;
  1683. uint32_t *pvalid = s->s3->tmp.valid_flags;
  1684. if (!tls1_set_shared_sigalgs(s))
  1685. return 0;
  1686. for (i = 0; i < SSL_PKEY_NUM; i++)
  1687. pvalid[i] = 0;
  1688. for (i = 0; i < s->shared_sigalgslen; i++) {
  1689. const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
  1690. int idx = sigptr->sig_idx;
  1691. /* Ignore PKCS1 based sig algs in TLSv1.3 */
  1692. if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
  1693. continue;
  1694. /* If not disabled indicate we can explicitly sign */
  1695. if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx))
  1696. pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
  1697. }
  1698. return 1;
  1699. }
  1700. int SSL_get_sigalgs(SSL *s, int idx,
  1701. int *psign, int *phash, int *psignhash,
  1702. unsigned char *rsig, unsigned char *rhash)
  1703. {
  1704. uint16_t *psig = s->s3->tmp.peer_sigalgs;
  1705. size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
  1706. if (psig == NULL || numsigalgs > INT_MAX)
  1707. return 0;
  1708. if (idx >= 0) {
  1709. const SIGALG_LOOKUP *lu;
  1710. if (idx >= (int)numsigalgs)
  1711. return 0;
  1712. psig += idx;
  1713. if (rhash != NULL)
  1714. *rhash = (unsigned char)((*psig >> 8) & 0xff);
  1715. if (rsig != NULL)
  1716. *rsig = (unsigned char)(*psig & 0xff);
  1717. lu = tls1_lookup_sigalg(*psig);
  1718. if (psign != NULL)
  1719. *psign = lu != NULL ? lu->sig : NID_undef;
  1720. if (phash != NULL)
  1721. *phash = lu != NULL ? lu->hash : NID_undef;
  1722. if (psignhash != NULL)
  1723. *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
  1724. }
  1725. return (int)numsigalgs;
  1726. }
  1727. int SSL_get_shared_sigalgs(SSL *s, int idx,
  1728. int *psign, int *phash, int *psignhash,
  1729. unsigned char *rsig, unsigned char *rhash)
  1730. {
  1731. const SIGALG_LOOKUP *shsigalgs;
  1732. if (s->shared_sigalgs == NULL
  1733. || idx < 0
  1734. || idx >= (int)s->shared_sigalgslen
  1735. || s->shared_sigalgslen > INT_MAX)
  1736. return 0;
  1737. shsigalgs = s->shared_sigalgs[idx];
  1738. if (phash != NULL)
  1739. *phash = shsigalgs->hash;
  1740. if (psign != NULL)
  1741. *psign = shsigalgs->sig;
  1742. if (psignhash != NULL)
  1743. *psignhash = shsigalgs->sigandhash;
  1744. if (rsig != NULL)
  1745. *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
  1746. if (rhash != NULL)
  1747. *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
  1748. return (int)s->shared_sigalgslen;
  1749. }
  1750. /* Maximum possible number of unique entries in sigalgs array */
  1751. #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
  1752. typedef struct {
  1753. size_t sigalgcnt;
  1754. /* TLSEXT_SIGALG_XXX values */
  1755. uint16_t sigalgs[TLS_MAX_SIGALGCNT];
  1756. } sig_cb_st;
  1757. static void get_sigorhash(int *psig, int *phash, const char *str)
  1758. {
  1759. if (strcmp(str, "RSA") == 0) {
  1760. *psig = EVP_PKEY_RSA;
  1761. } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
  1762. *psig = EVP_PKEY_RSA_PSS;
  1763. } else if (strcmp(str, "DSA") == 0) {
  1764. *psig = EVP_PKEY_DSA;
  1765. } else if (strcmp(str, "ECDSA") == 0) {
  1766. *psig = EVP_PKEY_EC;
  1767. } else {
  1768. *phash = OBJ_sn2nid(str);
  1769. if (*phash == NID_undef)
  1770. *phash = OBJ_ln2nid(str);
  1771. }
  1772. }
  1773. /* Maximum length of a signature algorithm string component */
  1774. #define TLS_MAX_SIGSTRING_LEN 40
  1775. static int sig_cb(const char *elem, int len, void *arg)
  1776. {
  1777. sig_cb_st *sarg = arg;
  1778. size_t i;
  1779. const SIGALG_LOOKUP *s;
  1780. char etmp[TLS_MAX_SIGSTRING_LEN], *p;
  1781. int sig_alg = NID_undef, hash_alg = NID_undef;
  1782. if (elem == NULL)
  1783. return 0;
  1784. if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
  1785. return 0;
  1786. if (len > (int)(sizeof(etmp) - 1))
  1787. return 0;
  1788. memcpy(etmp, elem, len);
  1789. etmp[len] = 0;
  1790. p = strchr(etmp, '+');
  1791. /*
  1792. * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
  1793. * if there's no '+' in the provided name, look for the new-style combined
  1794. * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP.
  1795. * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
  1796. * rsa_pss_rsae_* that differ only by public key OID; in such cases
  1797. * we will pick the _rsae_ variant, by virtue of them appearing earlier
  1798. * in the table.
  1799. */
  1800. if (p == NULL) {
  1801. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  1802. i++, s++) {
  1803. if (s->name != NULL && strcmp(etmp, s->name) == 0) {
  1804. sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
  1805. break;
  1806. }
  1807. }
  1808. if (i == OSSL_NELEM(sigalg_lookup_tbl))
  1809. return 0;
  1810. } else {
  1811. *p = 0;
  1812. p++;
  1813. if (*p == 0)
  1814. return 0;
  1815. get_sigorhash(&sig_alg, &hash_alg, etmp);
  1816. get_sigorhash(&sig_alg, &hash_alg, p);
  1817. if (sig_alg == NID_undef || hash_alg == NID_undef)
  1818. return 0;
  1819. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  1820. i++, s++) {
  1821. if (s->hash == hash_alg && s->sig == sig_alg) {
  1822. sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
  1823. break;
  1824. }
  1825. }
  1826. if (i == OSSL_NELEM(sigalg_lookup_tbl))
  1827. return 0;
  1828. }
  1829. /* Reject duplicates */
  1830. for (i = 0; i < sarg->sigalgcnt - 1; i++) {
  1831. if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
  1832. sarg->sigalgcnt--;
  1833. return 0;
  1834. }
  1835. }
  1836. return 1;
  1837. }
  1838. /*
  1839. * Set supported signature algorithms based on a colon separated list of the
  1840. * form sig+hash e.g. RSA+SHA512:DSA+SHA512
  1841. */
  1842. int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
  1843. {
  1844. sig_cb_st sig;
  1845. sig.sigalgcnt = 0;
  1846. if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
  1847. return 0;
  1848. if (c == NULL)
  1849. return 1;
  1850. return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
  1851. }
  1852. int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
  1853. int client)
  1854. {
  1855. uint16_t *sigalgs;
  1856. if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) {
  1857. SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE);
  1858. return 0;
  1859. }
  1860. memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));
  1861. if (client) {
  1862. OPENSSL_free(c->client_sigalgs);
  1863. c->client_sigalgs = sigalgs;
  1864. c->client_sigalgslen = salglen;
  1865. } else {
  1866. OPENSSL_free(c->conf_sigalgs);
  1867. c->conf_sigalgs = sigalgs;
  1868. c->conf_sigalgslen = salglen;
  1869. }
  1870. return 1;
  1871. }
  1872. int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
  1873. {
  1874. uint16_t *sigalgs, *sptr;
  1875. size_t i;
  1876. if (salglen & 1)
  1877. return 0;
  1878. if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) {
  1879. SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE);
  1880. return 0;
  1881. }
  1882. for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
  1883. size_t j;
  1884. const SIGALG_LOOKUP *curr;
  1885. int md_id = *psig_nids++;
  1886. int sig_id = *psig_nids++;
  1887. for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
  1888. j++, curr++) {
  1889. if (curr->hash == md_id && curr->sig == sig_id) {
  1890. *sptr++ = curr->sigalg;
  1891. break;
  1892. }
  1893. }
  1894. if (j == OSSL_NELEM(sigalg_lookup_tbl))
  1895. goto err;
  1896. }
  1897. if (client) {
  1898. OPENSSL_free(c->client_sigalgs);
  1899. c->client_sigalgs = sigalgs;
  1900. c->client_sigalgslen = salglen / 2;
  1901. } else {
  1902. OPENSSL_free(c->conf_sigalgs);
  1903. c->conf_sigalgs = sigalgs;
  1904. c->conf_sigalgslen = salglen / 2;
  1905. }
  1906. return 1;
  1907. err:
  1908. OPENSSL_free(sigalgs);
  1909. return 0;
  1910. }
  1911. static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
  1912. {
  1913. int sig_nid, use_pc_sigalgs = 0;
  1914. size_t i;
  1915. const SIGALG_LOOKUP *sigalg;
  1916. size_t sigalgslen;
  1917. if (default_nid == -1)
  1918. return 1;
  1919. sig_nid = X509_get_signature_nid(x);
  1920. if (default_nid)
  1921. return sig_nid == default_nid ? 1 : 0;
  1922. if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) {
  1923. /*
  1924. * If we're in TLSv1.3 then we only get here if we're checking the
  1925. * chain. If the peer has specified peer_cert_sigalgs then we use them
  1926. * otherwise we default to normal sigalgs.
  1927. */
  1928. sigalgslen = s->s3->tmp.peer_cert_sigalgslen;
  1929. use_pc_sigalgs = 1;
  1930. } else {
  1931. sigalgslen = s->shared_sigalgslen;
  1932. }
  1933. for (i = 0; i < sigalgslen; i++) {
  1934. sigalg = use_pc_sigalgs
  1935. ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
  1936. : s->shared_sigalgs[i];
  1937. if (sigalg != NULL && sig_nid == sigalg->sigandhash)
  1938. return 1;
  1939. }
  1940. return 0;
  1941. }
  1942. /* Check to see if a certificate issuer name matches list of CA names */
  1943. static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
  1944. {
  1945. X509_NAME *nm;
  1946. int i;
  1947. nm = X509_get_issuer_name(x);
  1948. for (i = 0; i < sk_X509_NAME_num(names); i++) {
  1949. if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
  1950. return 1;
  1951. }
  1952. return 0;
  1953. }
  1954. /*
  1955. * Check certificate chain is consistent with TLS extensions and is usable by
  1956. * server. This servers two purposes: it allows users to check chains before
  1957. * passing them to the server and it allows the server to check chains before
  1958. * attempting to use them.
  1959. */
  1960. /* Flags which need to be set for a certificate when strict mode not set */
  1961. #define CERT_PKEY_VALID_FLAGS \
  1962. (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
  1963. /* Strict mode flags */
  1964. #define CERT_PKEY_STRICT_FLAGS \
  1965. (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
  1966. | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
  1967. int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
  1968. int idx)
  1969. {
  1970. int i;
  1971. int rv = 0;
  1972. int check_flags = 0, strict_mode;
  1973. CERT_PKEY *cpk = NULL;
  1974. CERT *c = s->cert;
  1975. uint32_t *pvalid;
  1976. unsigned int suiteb_flags = tls1_suiteb(s);
  1977. /* idx == -1 means checking server chains */
  1978. if (idx != -1) {
  1979. /* idx == -2 means checking client certificate chains */
  1980. if (idx == -2) {
  1981. cpk = c->key;
  1982. idx = (int)(cpk - c->pkeys);
  1983. } else
  1984. cpk = c->pkeys + idx;
  1985. pvalid = s->s3->tmp.valid_flags + idx;
  1986. x = cpk->x509;
  1987. pk = cpk->privatekey;
  1988. chain = cpk->chain;
  1989. strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
  1990. /* If no cert or key, forget it */
  1991. if (!x || !pk)
  1992. goto end;
  1993. } else {
  1994. size_t certidx;
  1995. if (!x || !pk)
  1996. return 0;
  1997. if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
  1998. return 0;
  1999. idx = certidx;
  2000. pvalid = s->s3->tmp.valid_flags + idx;
  2001. if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
  2002. check_flags = CERT_PKEY_STRICT_FLAGS;
  2003. else
  2004. check_flags = CERT_PKEY_VALID_FLAGS;
  2005. strict_mode = 1;
  2006. }
  2007. if (suiteb_flags) {
  2008. int ok;
  2009. if (check_flags)
  2010. check_flags |= CERT_PKEY_SUITEB;
  2011. ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
  2012. if (ok == X509_V_OK)
  2013. rv |= CERT_PKEY_SUITEB;
  2014. else if (!check_flags)
  2015. goto end;
  2016. }
  2017. /*
  2018. * Check all signature algorithms are consistent with signature
  2019. * algorithms extension if TLS 1.2 or later and strict mode.
  2020. */
  2021. if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
  2022. int default_nid;
  2023. int rsign = 0;
  2024. if (s->s3->tmp.peer_cert_sigalgs != NULL
  2025. || s->s3->tmp.peer_sigalgs != NULL) {
  2026. default_nid = 0;
  2027. /* If no sigalgs extension use defaults from RFC5246 */
  2028. } else {
  2029. switch (idx) {
  2030. case SSL_PKEY_RSA:
  2031. rsign = EVP_PKEY_RSA;
  2032. default_nid = NID_sha1WithRSAEncryption;
  2033. break;
  2034. case SSL_PKEY_DSA_SIGN:
  2035. rsign = EVP_PKEY_DSA;
  2036. default_nid = NID_dsaWithSHA1;
  2037. break;
  2038. case SSL_PKEY_ECC:
  2039. rsign = EVP_PKEY_EC;
  2040. default_nid = NID_ecdsa_with_SHA1;
  2041. break;
  2042. case SSL_PKEY_GOST01:
  2043. rsign = NID_id_GostR3410_2001;
  2044. default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
  2045. break;
  2046. case SSL_PKEY_GOST12_256:
  2047. rsign = NID_id_GostR3410_2012_256;
  2048. default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
  2049. break;
  2050. case SSL_PKEY_GOST12_512:
  2051. rsign = NID_id_GostR3410_2012_512;
  2052. default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
  2053. break;
  2054. default:
  2055. default_nid = -1;
  2056. break;
  2057. }
  2058. }
  2059. /*
  2060. * If peer sent no signature algorithms extension and we have set
  2061. * preferred signature algorithms check we support sha1.
  2062. */
  2063. if (default_nid > 0 && c->conf_sigalgs) {
  2064. size_t j;
  2065. const uint16_t *p = c->conf_sigalgs;
  2066. for (j = 0; j < c->conf_sigalgslen; j++, p++) {
  2067. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);
  2068. if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
  2069. break;
  2070. }
  2071. if (j == c->conf_sigalgslen) {
  2072. if (check_flags)
  2073. goto skip_sigs;
  2074. else
  2075. goto end;
  2076. }
  2077. }
  2078. /* Check signature algorithm of each cert in chain */
  2079. if (SSL_IS_TLS13(s)) {
  2080. /*
  2081. * We only get here if the application has called SSL_check_chain(),
  2082. * so check_flags is always set.
  2083. */
  2084. if (find_sig_alg(s, x, pk) != NULL)
  2085. rv |= CERT_PKEY_EE_SIGNATURE;
  2086. } else if (!tls1_check_sig_alg(s, x, default_nid)) {
  2087. if (!check_flags)
  2088. goto end;
  2089. } else
  2090. rv |= CERT_PKEY_EE_SIGNATURE;
  2091. rv |= CERT_PKEY_CA_SIGNATURE;
  2092. for (i = 0; i < sk_X509_num(chain); i++) {
  2093. if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
  2094. if (check_flags) {
  2095. rv &= ~CERT_PKEY_CA_SIGNATURE;
  2096. break;
  2097. } else
  2098. goto end;
  2099. }
  2100. }
  2101. }
  2102. /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
  2103. else if (check_flags)
  2104. rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
  2105. skip_sigs:
  2106. /* Check cert parameters are consistent */
  2107. if (tls1_check_cert_param(s, x, 1))
  2108. rv |= CERT_PKEY_EE_PARAM;
  2109. else if (!check_flags)
  2110. goto end;
  2111. if (!s->server)
  2112. rv |= CERT_PKEY_CA_PARAM;
  2113. /* In strict mode check rest of chain too */
  2114. else if (strict_mode) {
  2115. rv |= CERT_PKEY_CA_PARAM;
  2116. for (i = 0; i < sk_X509_num(chain); i++) {
  2117. X509 *ca = sk_X509_value(chain, i);
  2118. if (!tls1_check_cert_param(s, ca, 0)) {
  2119. if (check_flags) {
  2120. rv &= ~CERT_PKEY_CA_PARAM;
  2121. break;
  2122. } else
  2123. goto end;
  2124. }
  2125. }
  2126. }
  2127. if (!s->server && strict_mode) {
  2128. STACK_OF(X509_NAME) *ca_dn;
  2129. int check_type = 0;
  2130. switch (EVP_PKEY_id(pk)) {
  2131. case EVP_PKEY_RSA:
  2132. check_type = TLS_CT_RSA_SIGN;
  2133. break;
  2134. case EVP_PKEY_DSA:
  2135. check_type = TLS_CT_DSS_SIGN;
  2136. break;
  2137. case EVP_PKEY_EC:
  2138. check_type = TLS_CT_ECDSA_SIGN;
  2139. break;
  2140. }
  2141. if (check_type) {
  2142. const uint8_t *ctypes = s->s3->tmp.ctype;
  2143. size_t j;
  2144. for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
  2145. if (*ctypes == check_type) {
  2146. rv |= CERT_PKEY_CERT_TYPE;
  2147. break;
  2148. }
  2149. }
  2150. if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
  2151. goto end;
  2152. } else {
  2153. rv |= CERT_PKEY_CERT_TYPE;
  2154. }
  2155. ca_dn = s->s3->tmp.peer_ca_names;
  2156. if (!sk_X509_NAME_num(ca_dn))
  2157. rv |= CERT_PKEY_ISSUER_NAME;
  2158. if (!(rv & CERT_PKEY_ISSUER_NAME)) {
  2159. if (ssl_check_ca_name(ca_dn, x))
  2160. rv |= CERT_PKEY_ISSUER_NAME;
  2161. }
  2162. if (!(rv & CERT_PKEY_ISSUER_NAME)) {
  2163. for (i = 0; i < sk_X509_num(chain); i++) {
  2164. X509 *xtmp = sk_X509_value(chain, i);
  2165. if (ssl_check_ca_name(ca_dn, xtmp)) {
  2166. rv |= CERT_PKEY_ISSUER_NAME;
  2167. break;
  2168. }
  2169. }
  2170. }
  2171. if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
  2172. goto end;
  2173. } else
  2174. rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
  2175. if (!check_flags || (rv & check_flags) == check_flags)
  2176. rv |= CERT_PKEY_VALID;
  2177. end:
  2178. if (TLS1_get_version(s) >= TLS1_2_VERSION)
  2179. rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
  2180. else
  2181. rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
  2182. /*
  2183. * When checking a CERT_PKEY structure all flags are irrelevant if the
  2184. * chain is invalid.
  2185. */
  2186. if (!check_flags) {
  2187. if (rv & CERT_PKEY_VALID) {
  2188. *pvalid = rv;
  2189. } else {
  2190. /* Preserve sign and explicit sign flag, clear rest */
  2191. *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
  2192. return 0;
  2193. }
  2194. }
  2195. return rv;
  2196. }
  2197. /* Set validity of certificates in an SSL structure */
  2198. void tls1_set_cert_validity(SSL *s)
  2199. {
  2200. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
  2201. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
  2202. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
  2203. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
  2204. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
  2205. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
  2206. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
  2207. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
  2208. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
  2209. }
  2210. /* User level utility function to check a chain is suitable */
  2211. int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  2212. {
  2213. return tls1_check_chain(s, x, pk, chain, -1);
  2214. }
  2215. #ifndef OPENSSL_NO_DH
  2216. DH *ssl_get_auto_dh(SSL *s)
  2217. {
  2218. DH *dhp = NULL;
  2219. BIGNUM *p = NULL, *g = NULL;
  2220. int dh_secbits = 80, sec_level_bits;
  2221. if (s->cert->dh_tmp_auto != 2) {
  2222. if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
  2223. if (s->s3->tmp.new_cipher->strength_bits == 256)
  2224. dh_secbits = 128;
  2225. else
  2226. dh_secbits = 80;
  2227. } else {
  2228. if (s->s3->tmp.cert == NULL)
  2229. return NULL;
  2230. dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
  2231. }
  2232. }
  2233. dhp = DH_new();
  2234. if (dhp == NULL)
  2235. return NULL;
  2236. g = BN_new();
  2237. if (g == NULL || !BN_set_word(g, 2)) {
  2238. DH_free(dhp);
  2239. BN_free(g);
  2240. return NULL;
  2241. }
  2242. /* Do not pick a prime that is too weak for the current security level */
  2243. sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL);
  2244. if (dh_secbits < sec_level_bits)
  2245. dh_secbits = sec_level_bits;
  2246. if (dh_secbits >= 192)
  2247. p = BN_get_rfc3526_prime_8192(NULL);
  2248. else if (dh_secbits >= 152)
  2249. p = BN_get_rfc3526_prime_4096(NULL);
  2250. else if (dh_secbits >= 128)
  2251. p = BN_get_rfc3526_prime_3072(NULL);
  2252. else if (dh_secbits >= 112)
  2253. p = BN_get_rfc3526_prime_2048(NULL);
  2254. else
  2255. p = BN_get_rfc2409_prime_1024(NULL);
  2256. if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
  2257. DH_free(dhp);
  2258. BN_free(p);
  2259. BN_free(g);
  2260. return NULL;
  2261. }
  2262. return dhp;
  2263. }
  2264. #endif
  2265. static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  2266. {
  2267. int secbits = -1;
  2268. EVP_PKEY *pkey = X509_get0_pubkey(x);
  2269. if (pkey) {
  2270. /*
  2271. * If no parameters this will return -1 and fail using the default
  2272. * security callback for any non-zero security level. This will
  2273. * reject keys which omit parameters but this only affects DSA and
  2274. * omission of parameters is never (?) done in practice.
  2275. */
  2276. secbits = EVP_PKEY_security_bits(pkey);
  2277. }
  2278. if (s)
  2279. return ssl_security(s, op, secbits, 0, x);
  2280. else
  2281. return ssl_ctx_security(ctx, op, secbits, 0, x);
  2282. }
  2283. static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  2284. {
  2285. /* Lookup signature algorithm digest */
  2286. int secbits, nid, pknid;
  2287. /* Don't check signature if self signed */
  2288. if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
  2289. return 1;
  2290. if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
  2291. secbits = -1;
  2292. /* If digest NID not defined use signature NID */
  2293. if (nid == NID_undef)
  2294. nid = pknid;
  2295. if (s)
  2296. return ssl_security(s, op, secbits, nid, x);
  2297. else
  2298. return ssl_ctx_security(ctx, op, secbits, nid, x);
  2299. }
  2300. int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
  2301. {
  2302. if (vfy)
  2303. vfy = SSL_SECOP_PEER;
  2304. if (is_ee) {
  2305. if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
  2306. return SSL_R_EE_KEY_TOO_SMALL;
  2307. } else {
  2308. if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
  2309. return SSL_R_CA_KEY_TOO_SMALL;
  2310. }
  2311. if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
  2312. return SSL_R_CA_MD_TOO_WEAK;
  2313. return 1;
  2314. }
  2315. /*
  2316. * Check security of a chain, if |sk| includes the end entity certificate then
  2317. * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
  2318. * one to the peer. Return values: 1 if ok otherwise error code to use
  2319. */
  2320. int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
  2321. {
  2322. int rv, start_idx, i;
  2323. if (x == NULL) {
  2324. x = sk_X509_value(sk, 0);
  2325. start_idx = 1;
  2326. } else
  2327. start_idx = 0;
  2328. rv = ssl_security_cert(s, NULL, x, vfy, 1);
  2329. if (rv != 1)
  2330. return rv;
  2331. for (i = start_idx; i < sk_X509_num(sk); i++) {
  2332. x = sk_X509_value(sk, i);
  2333. rv = ssl_security_cert(s, NULL, x, vfy, 0);
  2334. if (rv != 1)
  2335. return rv;
  2336. }
  2337. return 1;
  2338. }
  2339. /*
  2340. * For TLS 1.2 servers check if we have a certificate which can be used
  2341. * with the signature algorithm "lu" and return index of certificate.
  2342. */
  2343. static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
  2344. {
  2345. int sig_idx = lu->sig_idx;
  2346. const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
  2347. /* If not recognised or not supported by cipher mask it is not suitable */
  2348. if (clu == NULL
  2349. || (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0
  2350. || (clu->nid == EVP_PKEY_RSA_PSS
  2351. && (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0))
  2352. return -1;
  2353. return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
  2354. }
  2355. /*
  2356. * Checks the given cert against signature_algorithm_cert restrictions sent by
  2357. * the peer (if any) as well as whether the hash from the sigalg is usable with
  2358. * the key.
  2359. * Returns true if the cert is usable and false otherwise.
  2360. */
  2361. static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
  2362. EVP_PKEY *pkey)
  2363. {
  2364. const SIGALG_LOOKUP *lu;
  2365. int mdnid, pknid, default_mdnid;
  2366. size_t i;
  2367. /* If the EVP_PKEY reports a mandatory digest, allow nothing else. */
  2368. ERR_set_mark();
  2369. if (EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2 &&
  2370. sig->hash != default_mdnid)
  2371. return 0;
  2372. /* If it didn't report a mandatory NID, for whatever reasons,
  2373. * just clear the error and allow all hashes to be used. */
  2374. ERR_pop_to_mark();
  2375. if (s->s3->tmp.peer_cert_sigalgs != NULL) {
  2376. for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
  2377. lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
  2378. if (lu == NULL
  2379. || !X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
  2380. continue;
  2381. /*
  2382. * TODO this does not differentiate between the
  2383. * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
  2384. * have a chain here that lets us look at the key OID in the
  2385. * signing certificate.
  2386. */
  2387. if (mdnid == lu->hash && pknid == lu->sig)
  2388. return 1;
  2389. }
  2390. return 0;
  2391. }
  2392. return 1;
  2393. }
  2394. /*
  2395. * Returns true if |s| has a usable certificate configured for use
  2396. * with signature scheme |sig|.
  2397. * "Usable" includes a check for presence as well as applying
  2398. * the signature_algorithm_cert restrictions sent by the peer (if any).
  2399. * Returns false if no usable certificate is found.
  2400. */
  2401. static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
  2402. {
  2403. /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
  2404. if (idx == -1)
  2405. idx = sig->sig_idx;
  2406. if (!ssl_has_cert(s, idx))
  2407. return 0;
  2408. return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
  2409. s->cert->pkeys[idx].privatekey);
  2410. }
  2411. /*
  2412. * Returns true if the supplied cert |x| and key |pkey| is usable with the
  2413. * specified signature scheme |sig|, or false otherwise.
  2414. */
  2415. static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
  2416. EVP_PKEY *pkey)
  2417. {
  2418. size_t idx;
  2419. if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
  2420. return 0;
  2421. /* Check the key is consistent with the sig alg */
  2422. if ((int)idx != sig->sig_idx)
  2423. return 0;
  2424. return check_cert_usable(s, sig, x, pkey);
  2425. }
  2426. /*
  2427. * Find a signature scheme that works with the supplied certificate |x| and key
  2428. * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
  2429. * available certs/keys to find one that works.
  2430. */
  2431. static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
  2432. {
  2433. const SIGALG_LOOKUP *lu = NULL;
  2434. size_t i;
  2435. #ifndef OPENSSL_NO_EC
  2436. int curve = -1;
  2437. #endif
  2438. EVP_PKEY *tmppkey;
  2439. /* Look for a shared sigalgs matching possible certificates */
  2440. for (i = 0; i < s->shared_sigalgslen; i++) {
  2441. lu = s->shared_sigalgs[i];
  2442. /* Skip SHA1, SHA224, DSA and RSA if not PSS */
  2443. if (lu->hash == NID_sha1
  2444. || lu->hash == NID_sha224
  2445. || lu->sig == EVP_PKEY_DSA
  2446. || lu->sig == EVP_PKEY_RSA)
  2447. continue;
  2448. /* Check that we have a cert, and signature_algorithms_cert */
  2449. if (!tls1_lookup_md(lu, NULL))
  2450. continue;
  2451. if ((pkey == NULL && !has_usable_cert(s, lu, -1))
  2452. || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
  2453. continue;
  2454. tmppkey = (pkey != NULL) ? pkey
  2455. : s->cert->pkeys[lu->sig_idx].privatekey;
  2456. if (lu->sig == EVP_PKEY_EC) {
  2457. #ifndef OPENSSL_NO_EC
  2458. if (curve == -1) {
  2459. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey);
  2460. curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  2461. }
  2462. if (lu->curve != NID_undef && curve != lu->curve)
  2463. continue;
  2464. #else
  2465. continue;
  2466. #endif
  2467. } else if (lu->sig == EVP_PKEY_RSA_PSS) {
  2468. /* validate that key is large enough for the signature algorithm */
  2469. if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
  2470. continue;
  2471. }
  2472. break;
  2473. }
  2474. if (i == s->shared_sigalgslen)
  2475. return NULL;
  2476. return lu;
  2477. }
  2478. /*
  2479. * Choose an appropriate signature algorithm based on available certificates
  2480. * Sets chosen certificate and signature algorithm.
  2481. *
  2482. * For servers if we fail to find a required certificate it is a fatal error,
  2483. * an appropriate error code is set and a TLS alert is sent.
  2484. *
  2485. * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
  2486. * a fatal error: we will either try another certificate or not present one
  2487. * to the server. In this case no error is set.
  2488. */
  2489. int tls_choose_sigalg(SSL *s, int fatalerrs)
  2490. {
  2491. const SIGALG_LOOKUP *lu = NULL;
  2492. int sig_idx = -1;
  2493. s->s3->tmp.cert = NULL;
  2494. s->s3->tmp.sigalg = NULL;
  2495. if (SSL_IS_TLS13(s)) {
  2496. lu = find_sig_alg(s, NULL, NULL);
  2497. if (lu == NULL) {
  2498. if (!fatalerrs)
  2499. return 1;
  2500. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
  2501. SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
  2502. return 0;
  2503. }
  2504. } else {
  2505. /* If ciphersuite doesn't require a cert nothing to do */
  2506. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
  2507. return 1;
  2508. if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
  2509. return 1;
  2510. if (SSL_USE_SIGALGS(s)) {
  2511. size_t i;
  2512. if (s->s3->tmp.peer_sigalgs != NULL) {
  2513. #ifndef OPENSSL_NO_EC
  2514. int curve;
  2515. /* For Suite B need to match signature algorithm to curve */
  2516. if (tls1_suiteb(s)) {
  2517. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
  2518. curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  2519. } else {
  2520. curve = -1;
  2521. }
  2522. #endif
  2523. /*
  2524. * Find highest preference signature algorithm matching
  2525. * cert type
  2526. */
  2527. for (i = 0; i < s->shared_sigalgslen; i++) {
  2528. lu = s->shared_sigalgs[i];
  2529. if (s->server) {
  2530. if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
  2531. continue;
  2532. } else {
  2533. int cc_idx = s->cert->key - s->cert->pkeys;
  2534. sig_idx = lu->sig_idx;
  2535. if (cc_idx != sig_idx)
  2536. continue;
  2537. }
  2538. /* Check that we have a cert, and sig_algs_cert */
  2539. if (!has_usable_cert(s, lu, sig_idx))
  2540. continue;
  2541. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2542. /* validate that key is large enough for the signature algorithm */
  2543. EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;
  2544. if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
  2545. continue;
  2546. }
  2547. #ifndef OPENSSL_NO_EC
  2548. if (curve == -1 || lu->curve == curve)
  2549. #endif
  2550. break;
  2551. }
  2552. #ifndef OPENSSL_NO_GOST
  2553. /*
  2554. * Some Windows-based implementations do not send GOST algorithms indication
  2555. * in supported_algorithms extension, so when we have GOST-based ciphersuite,
  2556. * we have to assume GOST support.
  2557. */
  2558. if (i == s->shared_sigalgslen && s->s3->tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) {
  2559. if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
  2560. if (!fatalerrs)
  2561. return 1;
  2562. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2563. SSL_F_TLS_CHOOSE_SIGALG,
  2564. SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
  2565. return 0;
  2566. } else {
  2567. i = 0;
  2568. sig_idx = lu->sig_idx;
  2569. }
  2570. }
  2571. #endif
  2572. if (i == s->shared_sigalgslen) {
  2573. if (!fatalerrs)
  2574. return 1;
  2575. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2576. SSL_F_TLS_CHOOSE_SIGALG,
  2577. SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
  2578. return 0;
  2579. }
  2580. } else {
  2581. /*
  2582. * If we have no sigalg use defaults
  2583. */
  2584. const uint16_t *sent_sigs;
  2585. size_t sent_sigslen;
  2586. if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
  2587. if (!fatalerrs)
  2588. return 1;
  2589. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2590. ERR_R_INTERNAL_ERROR);
  2591. return 0;
  2592. }
  2593. /* Check signature matches a type we sent */
  2594. sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  2595. for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
  2596. if (lu->sigalg == *sent_sigs
  2597. && has_usable_cert(s, lu, lu->sig_idx))
  2598. break;
  2599. }
  2600. if (i == sent_sigslen) {
  2601. if (!fatalerrs)
  2602. return 1;
  2603. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  2604. SSL_F_TLS_CHOOSE_SIGALG,
  2605. SSL_R_WRONG_SIGNATURE_TYPE);
  2606. return 0;
  2607. }
  2608. }
  2609. } else {
  2610. if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
  2611. if (!fatalerrs)
  2612. return 1;
  2613. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2614. ERR_R_INTERNAL_ERROR);
  2615. return 0;
  2616. }
  2617. }
  2618. }
  2619. if (sig_idx == -1)
  2620. sig_idx = lu->sig_idx;
  2621. s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
  2622. s->cert->key = s->s3->tmp.cert;
  2623. s->s3->tmp.sigalg = lu;
  2624. return 1;
  2625. }
  2626. int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
  2627. {
  2628. if (mode != TLSEXT_max_fragment_length_DISABLED
  2629. && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
  2630. SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
  2631. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  2632. return 0;
  2633. }
  2634. ctx->ext.max_fragment_len_mode = mode;
  2635. return 1;
  2636. }
  2637. int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
  2638. {
  2639. if (mode != TLSEXT_max_fragment_length_DISABLED
  2640. && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
  2641. SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
  2642. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  2643. return 0;
  2644. }
  2645. ssl->ext.max_fragment_len_mode = mode;
  2646. return 1;
  2647. }
  2648. uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
  2649. {
  2650. return session->ext.max_fragment_len_mode;
  2651. }