15af53050Schristos /* 2b46c97feSchristos * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. 3a89c9211Schristos * 48fbed61eSchristos * Licensed under the Apache License 2.0 (the "License"). You may not use 55af53050Schristos * this file except in compliance with the License. You can obtain a copy 65af53050Schristos * in the file LICENSE in the source distribution or at 75af53050Schristos * https://www.openssl.org/source/license.html 8a89c9211Schristos */ 9a89c9211Schristos 10a89c9211Schristos #include <stdio.h> 115af53050Schristos #include <stdlib.h> 12a89c9211Schristos #include <openssl/objects.h> 13a89c9211Schristos #include <openssl/evp.h> 14a89c9211Schristos #include <openssl/hmac.h> 158fbed61eSchristos #include <openssl/core_names.h> 16a89c9211Schristos #include <openssl/ocsp.h> 175af53050Schristos #include <openssl/conf.h> 185af53050Schristos #include <openssl/x509v3.h> 195af53050Schristos #include <openssl/dh.h> 205af53050Schristos #include <openssl/bn.h> 218fbed61eSchristos #include <openssl/provider.h> 228fbed61eSchristos #include <openssl/param_build.h> 23e0ea3921Schristos #include "internal/nelem.h" 248fbed61eSchristos #include "internal/sizes.h" 258fbed61eSchristos #include "internal/tlsgroups.h" 268dcce544Schristos #include "internal/cryptlib.h" 2752629741Schristos #include "ssl_local.h" 285af53050Schristos #include <openssl/ct.h> 29a89c9211Schristos 30403eeac4Schristos static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey); 3152629741Schristos static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu); 32403eeac4Schristos 335af53050Schristos SSL3_ENC_METHOD const TLSv1_enc_data = { 34a89c9211Schristos tls1_enc, 35a89c9211Schristos tls1_mac, 36a89c9211Schristos tls1_setup_key_block, 37a89c9211Schristos tls1_generate_master_secret, 38a89c9211Schristos tls1_change_cipher_state, 39a89c9211Schristos tls1_final_finish_mac, 40a89c9211Schristos TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 41a89c9211Schristos TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 42a89c9211Schristos tls1_alert_code, 43e3d33c04Schristos tls1_export_keying_material, 4431b855a0Sspz 0, 4531b855a0Sspz ssl3_set_handshake_header, 46e0ea3921Schristos tls_close_construct_packet, 4731b855a0Sspz ssl3_handshake_write 4831b855a0Sspz }; 4931b855a0Sspz 505af53050Schristos SSL3_ENC_METHOD const TLSv1_1_enc_data = { 5131b855a0Sspz tls1_enc, 5231b855a0Sspz tls1_mac, 5331b855a0Sspz tls1_setup_key_block, 5431b855a0Sspz tls1_generate_master_secret, 5531b855a0Sspz tls1_change_cipher_state, 5631b855a0Sspz tls1_final_finish_mac, 5731b855a0Sspz TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 5831b855a0Sspz TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 5931b855a0Sspz tls1_alert_code, 6031b855a0Sspz tls1_export_keying_material, 6131b855a0Sspz SSL_ENC_FLAG_EXPLICIT_IV, 6231b855a0Sspz ssl3_set_handshake_header, 63e0ea3921Schristos tls_close_construct_packet, 6431b855a0Sspz ssl3_handshake_write 6531b855a0Sspz }; 6631b855a0Sspz 675af53050Schristos SSL3_ENC_METHOD const TLSv1_2_enc_data = { 6831b855a0Sspz tls1_enc, 6931b855a0Sspz tls1_mac, 7031b855a0Sspz tls1_setup_key_block, 7131b855a0Sspz tls1_generate_master_secret, 7231b855a0Sspz tls1_change_cipher_state, 7331b855a0Sspz tls1_final_finish_mac, 7431b855a0Sspz TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 7531b855a0Sspz TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 7631b855a0Sspz tls1_alert_code, 7731b855a0Sspz tls1_export_keying_material, 7831b855a0Sspz SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF 7931b855a0Sspz | SSL_ENC_FLAG_TLS1_2_CIPHERS, 8031b855a0Sspz ssl3_set_handshake_header, 81e0ea3921Schristos tls_close_construct_packet, 82e0ea3921Schristos ssl3_handshake_write 83e0ea3921Schristos }; 84e0ea3921Schristos 85e0ea3921Schristos SSL3_ENC_METHOD const TLSv1_3_enc_data = { 86e0ea3921Schristos tls13_enc, 87e0ea3921Schristos tls1_mac, 88e0ea3921Schristos tls13_setup_key_block, 89e0ea3921Schristos tls13_generate_master_secret, 90e0ea3921Schristos tls13_change_cipher_state, 91e0ea3921Schristos tls13_final_finish_mac, 92e0ea3921Schristos TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 93e0ea3921Schristos TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 94e0ea3921Schristos tls13_alert_code, 95e0ea3921Schristos tls13_export_keying_material, 96e0ea3921Schristos SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF, 97e0ea3921Schristos ssl3_set_handshake_header, 98e0ea3921Schristos tls_close_construct_packet, 9931b855a0Sspz ssl3_handshake_write 100a89c9211Schristos }; 101a89c9211Schristos 102a89c9211Schristos long tls1_default_timeout(void) 103a89c9211Schristos { 1049cef71b6Sspz /* 1059cef71b6Sspz * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 1069cef71b6Sspz * http, the cache would over fill 1079cef71b6Sspz */ 108a89c9211Schristos return (60 * 60 * 2); 109a89c9211Schristos } 110a89c9211Schristos 111a89c9211Schristos int tls1_new(SSL *s) 112a89c9211Schristos { 1139cef71b6Sspz if (!ssl3_new(s)) 114e0ea3921Schristos return 0; 115e0ea3921Schristos if (!s->method->ssl_clear(s)) 116e0ea3921Schristos return 0; 117e0ea3921Schristos 118e0ea3921Schristos return 1; 119a89c9211Schristos } 120a89c9211Schristos 121a89c9211Schristos void tls1_free(SSL *s) 122a89c9211Schristos { 123e0ea3921Schristos OPENSSL_free(s->ext.session_ticket); 124a89c9211Schristos ssl3_free(s); 125a89c9211Schristos } 126a89c9211Schristos 127e0ea3921Schristos int tls1_clear(SSL *s) 128a89c9211Schristos { 129e0ea3921Schristos if (!ssl3_clear(s)) 130e0ea3921Schristos return 0; 131e0ea3921Schristos 1325af53050Schristos if (s->method->version == TLS_ANY_VERSION) 1338fbed61eSchristos s->version = TLS_MAX_VERSION_INTERNAL; 1345af53050Schristos else 135cef2ee70Schristos s->version = s->method->version; 136e0ea3921Schristos 137e0ea3921Schristos return 1; 138a89c9211Schristos } 139a89c9211Schristos 1408fbed61eSchristos /* Legacy NID to group_id mapping. Only works for groups we know about */ 1418fbed61eSchristos static struct { 1428fbed61eSchristos int nid; 1438fbed61eSchristos uint16_t group_id; 1448fbed61eSchristos } nid_to_group[] = { 1458fbed61eSchristos {NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1}, 1468fbed61eSchristos {NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1}, 1478fbed61eSchristos {NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2}, 1488fbed61eSchristos {NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1}, 1498fbed61eSchristos {NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2}, 1508fbed61eSchristos {NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1}, 1518fbed61eSchristos {NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1}, 1528fbed61eSchristos {NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1}, 1538fbed61eSchristos {NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1}, 1548fbed61eSchristos {NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1}, 1558fbed61eSchristos {NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1}, 1568fbed61eSchristos {NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1}, 1578fbed61eSchristos {NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1}, 1588fbed61eSchristos {NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1}, 1598fbed61eSchristos {NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1}, 1608fbed61eSchristos {NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1}, 1618fbed61eSchristos {NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2}, 1628fbed61eSchristos {NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1}, 1638fbed61eSchristos {NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1}, 1648fbed61eSchristos {NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1}, 1658fbed61eSchristos {NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1}, 1668fbed61eSchristos {NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1}, 1678fbed61eSchristos {NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1}, 1688fbed61eSchristos {NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1}, 1698fbed61eSchristos {NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1}, 1708fbed61eSchristos {NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1}, 1718fbed61eSchristos {NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1}, 1728fbed61eSchristos {NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1}, 1738fbed61eSchristos {EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519}, 1748fbed61eSchristos {EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448}, 1758fbed61eSchristos {NID_id_tc26_gost_3410_2012_256_paramSetA, 0x0022}, 1768fbed61eSchristos {NID_id_tc26_gost_3410_2012_256_paramSetB, 0x0023}, 1778fbed61eSchristos {NID_id_tc26_gost_3410_2012_256_paramSetC, 0x0024}, 1788fbed61eSchristos {NID_id_tc26_gost_3410_2012_256_paramSetD, 0x0025}, 1798fbed61eSchristos {NID_id_tc26_gost_3410_2012_512_paramSetA, 0x0026}, 1808fbed61eSchristos {NID_id_tc26_gost_3410_2012_512_paramSetB, 0x0027}, 1818fbed61eSchristos {NID_id_tc26_gost_3410_2012_512_paramSetC, 0x0028}, 1828fbed61eSchristos {NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048}, 1838fbed61eSchristos {NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072}, 1848fbed61eSchristos {NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096}, 1858fbed61eSchristos {NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144}, 1868fbed61eSchristos {NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192} 187a89c9211Schristos }; 188a89c9211Schristos 18931b855a0Sspz static const unsigned char ecformats_default[] = { 19031b855a0Sspz TLSEXT_ECPOINTFORMAT_uncompressed, 19131b855a0Sspz TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 19231b855a0Sspz TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 1935bf0fb60Sspz }; 1945bf0fb60Sspz 1955af53050Schristos /* The default curves */ 1968fbed61eSchristos static const uint16_t supported_groups_default[] = { 197e0ea3921Schristos 29, /* X25519 (29) */ 198e0ea3921Schristos 23, /* secp256r1 (23) */ 199e0ea3921Schristos 30, /* X448 (30) */ 200e0ea3921Schristos 25, /* secp521r1 (25) */ 201e0ea3921Schristos 24, /* secp384r1 (24) */ 2028fbed61eSchristos 34, /* GC256A (34) */ 2038fbed61eSchristos 35, /* GC256B (35) */ 2048fbed61eSchristos 36, /* GC256C (36) */ 2058fbed61eSchristos 37, /* GC256D (37) */ 2068fbed61eSchristos 38, /* GC512A (38) */ 2078fbed61eSchristos 39, /* GC512B (39) */ 2088fbed61eSchristos 40, /* GC512C (40) */ 2098fbed61eSchristos 0x100, /* ffdhe2048 (0x100) */ 2108fbed61eSchristos 0x101, /* ffdhe3072 (0x101) */ 2118fbed61eSchristos 0x102, /* ffdhe4096 (0x102) */ 2128fbed61eSchristos 0x103, /* ffdhe6144 (0x103) */ 2138fbed61eSchristos 0x104, /* ffdhe8192 (0x104) */ 21431b855a0Sspz }; 21531b855a0Sspz 216e0ea3921Schristos static const uint16_t suiteb_curves[] = { 217e0ea3921Schristos TLSEXT_curve_P_256, 218e0ea3921Schristos TLSEXT_curve_P_384 21931b855a0Sspz }; 22031b855a0Sspz 2218fbed61eSchristos struct provider_group_data_st { 2228fbed61eSchristos SSL_CTX *ctx; 2238fbed61eSchristos OSSL_PROVIDER *provider; 2248fbed61eSchristos }; 2258fbed61eSchristos 2268fbed61eSchristos #define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10 2278fbed61eSchristos static OSSL_CALLBACK add_provider_groups; 2288fbed61eSchristos static int add_provider_groups(const OSSL_PARAM params[], void *data) 229a89c9211Schristos { 2308fbed61eSchristos struct provider_group_data_st *pgd = data; 2318fbed61eSchristos SSL_CTX *ctx = pgd->ctx; 2328fbed61eSchristos OSSL_PROVIDER *provider = pgd->provider; 2338fbed61eSchristos const OSSL_PARAM *p; 2348fbed61eSchristos TLS_GROUP_INFO *ginf = NULL; 2358fbed61eSchristos EVP_KEYMGMT *keymgmt; 2368fbed61eSchristos unsigned int gid; 2378fbed61eSchristos unsigned int is_kem = 0; 2388fbed61eSchristos int ret = 0; 2398fbed61eSchristos 2408fbed61eSchristos if (ctx->group_list_max_len == ctx->group_list_len) { 2418fbed61eSchristos TLS_GROUP_INFO *tmp = NULL; 2428fbed61eSchristos 2438fbed61eSchristos if (ctx->group_list_max_len == 0) 2448fbed61eSchristos tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO) 2458fbed61eSchristos * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); 2468fbed61eSchristos else 2478fbed61eSchristos tmp = OPENSSL_realloc(ctx->group_list, 2488fbed61eSchristos (ctx->group_list_max_len 2498fbed61eSchristos + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE) 2508fbed61eSchristos * sizeof(TLS_GROUP_INFO)); 2518fbed61eSchristos if (tmp == NULL) { 2528fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2538fbed61eSchristos return 0; 2548fbed61eSchristos } 2558fbed61eSchristos ctx->group_list = tmp; 2568fbed61eSchristos memset(tmp + ctx->group_list_max_len, 2578fbed61eSchristos 0, 2588fbed61eSchristos sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); 2598fbed61eSchristos ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE; 260a89c9211Schristos } 261a89c9211Schristos 2628fbed61eSchristos ginf = &ctx->group_list[ctx->group_list_len]; 2638fbed61eSchristos 2648fbed61eSchristos p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME); 2658fbed61eSchristos if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 2668fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 2678fbed61eSchristos goto err; 2688fbed61eSchristos } 2698fbed61eSchristos ginf->tlsname = OPENSSL_strdup(p->data); 2708fbed61eSchristos if (ginf->tlsname == NULL) { 2718fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2728fbed61eSchristos goto err; 2738fbed61eSchristos } 2748fbed61eSchristos 2758fbed61eSchristos p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL); 2768fbed61eSchristos if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 2778fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 2788fbed61eSchristos goto err; 2798fbed61eSchristos } 2808fbed61eSchristos ginf->realname = OPENSSL_strdup(p->data); 2818fbed61eSchristos if (ginf->realname == NULL) { 2828fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2838fbed61eSchristos goto err; 2848fbed61eSchristos } 2858fbed61eSchristos 2868fbed61eSchristos p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID); 2878fbed61eSchristos if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) { 2888fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 2898fbed61eSchristos goto err; 2908fbed61eSchristos } 2918fbed61eSchristos ginf->group_id = (uint16_t)gid; 2928fbed61eSchristos 2938fbed61eSchristos p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG); 2948fbed61eSchristos if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 2958fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 2968fbed61eSchristos goto err; 2978fbed61eSchristos } 2988fbed61eSchristos ginf->algorithm = OPENSSL_strdup(p->data); 2998fbed61eSchristos if (ginf->algorithm == NULL) { 3008fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 3018fbed61eSchristos goto err; 3028fbed61eSchristos } 3038fbed61eSchristos 3048fbed61eSchristos p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS); 3058fbed61eSchristos if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) { 3068fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 3078fbed61eSchristos goto err; 3088fbed61eSchristos } 3098fbed61eSchristos 3108fbed61eSchristos p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM); 3118fbed61eSchristos if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) { 3128fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 3138fbed61eSchristos goto err; 3148fbed61eSchristos } 3158fbed61eSchristos ginf->is_kem = 1 & is_kem; 3168fbed61eSchristos 3178fbed61eSchristos p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS); 3188fbed61eSchristos if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) { 3198fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 3208fbed61eSchristos goto err; 3218fbed61eSchristos } 3228fbed61eSchristos 3238fbed61eSchristos p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS); 3248fbed61eSchristos if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) { 3258fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 3268fbed61eSchristos goto err; 3278fbed61eSchristos } 3288fbed61eSchristos 3298fbed61eSchristos p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS); 3308fbed61eSchristos if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) { 3318fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 3328fbed61eSchristos goto err; 3338fbed61eSchristos } 3348fbed61eSchristos 3358fbed61eSchristos p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS); 3368fbed61eSchristos if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) { 3378fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 3388fbed61eSchristos goto err; 3398fbed61eSchristos } 3408fbed61eSchristos /* 3418fbed61eSchristos * Now check that the algorithm is actually usable for our property query 3428fbed61eSchristos * string. Regardless of the result we still return success because we have 3438fbed61eSchristos * successfully processed this group, even though we may decide not to use 3448fbed61eSchristos * it. 3458fbed61eSchristos */ 3468fbed61eSchristos ret = 1; 3478fbed61eSchristos ERR_set_mark(); 3488fbed61eSchristos keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq); 3498fbed61eSchristos if (keymgmt != NULL) { 3508fbed61eSchristos /* 3518fbed61eSchristos * We have successfully fetched the algorithm - however if the provider 3528fbed61eSchristos * doesn't match this one then we ignore it. 3538fbed61eSchristos * 3548fbed61eSchristos * Note: We're cheating a little here. Technically if the same algorithm 3558fbed61eSchristos * is available from more than one provider then it is undefined which 3568fbed61eSchristos * implementation you will get back. Theoretically this could be 3578fbed61eSchristos * different every time...we assume here that you'll always get the 3588fbed61eSchristos * same one back if you repeat the exact same fetch. Is this a reasonable 3598fbed61eSchristos * assumption to make (in which case perhaps we should document this 3608fbed61eSchristos * behaviour)? 3618fbed61eSchristos */ 3628fbed61eSchristos if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { 3638fbed61eSchristos /* We have a match - so we will use this group */ 3648fbed61eSchristos ctx->group_list_len++; 3658fbed61eSchristos ginf = NULL; 3668fbed61eSchristos } 3678fbed61eSchristos EVP_KEYMGMT_free(keymgmt); 3688fbed61eSchristos } 3698fbed61eSchristos ERR_pop_to_mark(); 3708fbed61eSchristos err: 3718fbed61eSchristos if (ginf != NULL) { 3728fbed61eSchristos OPENSSL_free(ginf->tlsname); 3738fbed61eSchristos OPENSSL_free(ginf->realname); 3748fbed61eSchristos OPENSSL_free(ginf->algorithm); 3758fbed61eSchristos ginf->algorithm = ginf->tlsname = ginf->realname = NULL; 3768fbed61eSchristos } 3778fbed61eSchristos return ret; 3788fbed61eSchristos } 3798fbed61eSchristos 3808fbed61eSchristos static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx) 3818fbed61eSchristos { 3828fbed61eSchristos struct provider_group_data_st pgd; 3838fbed61eSchristos 3848fbed61eSchristos pgd.ctx = vctx; 3858fbed61eSchristos pgd.provider = provider; 3868fbed61eSchristos return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP", 3878fbed61eSchristos add_provider_groups, &pgd); 3888fbed61eSchristos } 3898fbed61eSchristos 3908fbed61eSchristos int ssl_load_groups(SSL_CTX *ctx) 3918fbed61eSchristos { 3928fbed61eSchristos size_t i, j, num_deflt_grps = 0; 3938fbed61eSchristos uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)]; 3948fbed61eSchristos 3958fbed61eSchristos if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx)) 3968fbed61eSchristos return 0; 3978fbed61eSchristos 3988fbed61eSchristos for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) { 3998fbed61eSchristos for (j = 0; j < ctx->group_list_len; j++) { 4008fbed61eSchristos if (ctx->group_list[j].group_id == supported_groups_default[i]) { 4018fbed61eSchristos tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id; 4028fbed61eSchristos break; 4038fbed61eSchristos } 4048fbed61eSchristos } 4058fbed61eSchristos } 4068fbed61eSchristos 4078fbed61eSchristos if (num_deflt_grps == 0) 4088fbed61eSchristos return 1; 4098fbed61eSchristos 4108fbed61eSchristos ctx->ext.supported_groups_default 4118fbed61eSchristos = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps); 4128fbed61eSchristos 4138fbed61eSchristos if (ctx->ext.supported_groups_default == NULL) { 4148fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 4158fbed61eSchristos return 0; 4168fbed61eSchristos } 4178fbed61eSchristos 4188fbed61eSchristos memcpy(ctx->ext.supported_groups_default, 4198fbed61eSchristos tmp_supp_groups, 4208fbed61eSchristos num_deflt_grps * sizeof(tmp_supp_groups[0])); 4218fbed61eSchristos ctx->ext.supported_groups_default_len = num_deflt_grps; 4228fbed61eSchristos 4238fbed61eSchristos return 1; 4248fbed61eSchristos } 4258fbed61eSchristos 4268fbed61eSchristos static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name) 427a89c9211Schristos { 4285af53050Schristos size_t i; 4298fbed61eSchristos 4308fbed61eSchristos for (i = 0; i < ctx->group_list_len; i++) { 4318fbed61eSchristos if (strcmp(ctx->group_list[i].tlsname, name) == 0 4328fbed61eSchristos || strcmp(ctx->group_list[i].realname, name) == 0) 4338fbed61eSchristos return ctx->group_list[i].group_id; 434a89c9211Schristos } 4358fbed61eSchristos 4368fbed61eSchristos return 0; 4378fbed61eSchristos } 4388fbed61eSchristos 4398fbed61eSchristos const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id) 4408fbed61eSchristos { 4418fbed61eSchristos size_t i; 4428fbed61eSchristos 4438fbed61eSchristos for (i = 0; i < ctx->group_list_len; i++) { 4448fbed61eSchristos if (ctx->group_list[i].group_id == group_id) 4458fbed61eSchristos return &ctx->group_list[i]; 4468fbed61eSchristos } 4478fbed61eSchristos 4488fbed61eSchristos return NULL; 4498fbed61eSchristos } 4508fbed61eSchristos 4518fbed61eSchristos int tls1_group_id2nid(uint16_t group_id, int include_unknown) 4528fbed61eSchristos { 4538fbed61eSchristos size_t i; 4548fbed61eSchristos 4558fbed61eSchristos if (group_id == 0) 4568fbed61eSchristos return NID_undef; 4578fbed61eSchristos 4588fbed61eSchristos /* 4598fbed61eSchristos * Return well known Group NIDs - for backwards compatibility. This won't 4608fbed61eSchristos * work for groups we don't know about. 4618fbed61eSchristos */ 4628fbed61eSchristos for (i = 0; i < OSSL_NELEM(nid_to_group); i++) 4638fbed61eSchristos { 4648fbed61eSchristos if (nid_to_group[i].group_id == group_id) 4658fbed61eSchristos return nid_to_group[i].nid; 4668fbed61eSchristos } 4678fbed61eSchristos if (!include_unknown) 4688fbed61eSchristos return NID_undef; 4698fbed61eSchristos return TLSEXT_nid_unknown | (int)group_id; 4708fbed61eSchristos } 4718fbed61eSchristos 4728fbed61eSchristos uint16_t tls1_nid2group_id(int nid) 4738fbed61eSchristos { 4748fbed61eSchristos size_t i; 4758fbed61eSchristos 4768fbed61eSchristos /* 4778fbed61eSchristos * Return well known Group ids - for backwards compatibility. This won't 4788fbed61eSchristos * work for groups we don't know about. 4798fbed61eSchristos */ 4808fbed61eSchristos for (i = 0; i < OSSL_NELEM(nid_to_group); i++) 4818fbed61eSchristos { 4828fbed61eSchristos if (nid_to_group[i].nid == nid) 4838fbed61eSchristos return nid_to_group[i].group_id; 4848fbed61eSchristos } 4858fbed61eSchristos 4865af53050Schristos return 0; 487a89c9211Schristos } 48831b855a0Sspz 48931b855a0Sspz /* 490e0ea3921Schristos * Set *pgroups to the supported groups list and *pgroupslen to 491e0ea3921Schristos * the number of groups supported. 49231b855a0Sspz */ 493e0ea3921Schristos void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, 494e0ea3921Schristos size_t *pgroupslen) 49531b855a0Sspz { 49631b855a0Sspz /* For Suite B mode only include P-256, P-384 */ 49731b855a0Sspz switch (tls1_suiteb(s)) { 49831b855a0Sspz case SSL_CERT_FLAG_SUITEB_128_LOS: 499e0ea3921Schristos *pgroups = suiteb_curves; 500e0ea3921Schristos *pgroupslen = OSSL_NELEM(suiteb_curves); 50131b855a0Sspz break; 50231b855a0Sspz 50331b855a0Sspz case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 504e0ea3921Schristos *pgroups = suiteb_curves; 505e0ea3921Schristos *pgroupslen = 1; 50631b855a0Sspz break; 50731b855a0Sspz 50831b855a0Sspz case SSL_CERT_FLAG_SUITEB_192_LOS: 509e0ea3921Schristos *pgroups = suiteb_curves + 1; 510e0ea3921Schristos *pgroupslen = 1; 51131b855a0Sspz break; 5125af53050Schristos 513e0ea3921Schristos default: 514e0ea3921Schristos if (s->ext.supportedgroups == NULL) { 5158fbed61eSchristos *pgroups = s->ctx->ext.supported_groups_default; 5168fbed61eSchristos *pgroupslen = s->ctx->ext.supported_groups_default_len; 517e0ea3921Schristos } else { 518e0ea3921Schristos *pgroups = s->ext.supportedgroups; 519e0ea3921Schristos *pgroupslen = s->ext.supportedgroups_len; 5205af53050Schristos } 521e0ea3921Schristos break; 522e0ea3921Schristos } 52331b855a0Sspz } 5245af53050Schristos 5258fbed61eSchristos int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion, 5268fbed61eSchristos int isec, int *okfortls13) 5275af53050Schristos { 5288fbed61eSchristos const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group_id); 5298fbed61eSchristos int ret; 530e0ea3921Schristos 5318fbed61eSchristos if (okfortls13 != NULL) 5328fbed61eSchristos *okfortls13 = 0; 5338fbed61eSchristos 5348fbed61eSchristos if (ginfo == NULL) 5355af53050Schristos return 0; 5368fbed61eSchristos 5378fbed61eSchristos if (SSL_IS_DTLS(s)) { 5388fbed61eSchristos if (ginfo->mindtls < 0 || ginfo->maxdtls < 0) 5395af53050Schristos return 0; 5408fbed61eSchristos if (ginfo->maxdtls == 0) 5418fbed61eSchristos ret = 1; 5428fbed61eSchristos else 5438fbed61eSchristos ret = DTLS_VERSION_LE(minversion, ginfo->maxdtls); 5448fbed61eSchristos if (ginfo->mindtls > 0) 5458fbed61eSchristos ret &= DTLS_VERSION_GE(maxversion, ginfo->mindtls); 5468fbed61eSchristos } else { 5478fbed61eSchristos if (ginfo->mintls < 0 || ginfo->maxtls < 0) 5488fbed61eSchristos return 0; 5498fbed61eSchristos if (ginfo->maxtls == 0) 5508fbed61eSchristos ret = 1; 5518fbed61eSchristos else 5528fbed61eSchristos ret = (minversion <= ginfo->maxtls); 5538fbed61eSchristos if (ginfo->mintls > 0) 5548fbed61eSchristos ret &= (maxversion >= ginfo->mintls); 5558fbed61eSchristos if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION) 5568fbed61eSchristos *okfortls13 = (ginfo->maxtls == 0) 5578fbed61eSchristos || (ginfo->maxtls >= TLS1_3_VERSION); 5588fbed61eSchristos } 5598fbed61eSchristos ret &= !isec 5608fbed61eSchristos || strcmp(ginfo->algorithm, "EC") == 0 5618fbed61eSchristos || strcmp(ginfo->algorithm, "X25519") == 0 5628fbed61eSchristos || strcmp(ginfo->algorithm, "X448") == 0; 5638fbed61eSchristos 5648fbed61eSchristos return ret; 5658fbed61eSchristos } 5668fbed61eSchristos 5678fbed61eSchristos /* See if group is allowed by security callback */ 5688fbed61eSchristos int tls_group_allowed(SSL *s, uint16_t group, int op) 5698fbed61eSchristos { 5708fbed61eSchristos const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group); 5718fbed61eSchristos unsigned char gtmp[2]; 5728fbed61eSchristos 5738fbed61eSchristos if (ginfo == NULL) 5748fbed61eSchristos return 0; 5758fbed61eSchristos 5768fbed61eSchristos gtmp[0] = group >> 8; 5778fbed61eSchristos gtmp[1] = group & 0xff; 5788fbed61eSchristos return ssl_security(s, op, ginfo->secbits, 5798fbed61eSchristos tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp); 58031b855a0Sspz } 58131b855a0Sspz 582e0ea3921Schristos /* Return 1 if "id" is in "list" */ 583e0ea3921Schristos static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen) 58431b855a0Sspz { 585e0ea3921Schristos size_t i; 586e0ea3921Schristos for (i = 0; i < listlen; i++) 587e0ea3921Schristos if (list[i] == id) 588e0ea3921Schristos return 1; 58931b855a0Sspz return 0; 59031b855a0Sspz } 59131b855a0Sspz 59231b855a0Sspz /*- 593e0ea3921Schristos * For nmatch >= 0, return the id of the |nmatch|th shared group or 0 5945af53050Schristos * if there is no match. 59531b855a0Sspz * For nmatch == -1, return number of matches 596e0ea3921Schristos * For nmatch == -2, return the id of the group to use for 597e0ea3921Schristos * a tmp key, or 0 if there is no match. 59831b855a0Sspz */ 599e0ea3921Schristos uint16_t tls1_shared_group(SSL *s, int nmatch) 60031b855a0Sspz { 601e0ea3921Schristos const uint16_t *pref, *supp; 602e0ea3921Schristos size_t num_pref, num_supp, i; 60331b855a0Sspz int k; 6048dcce544Schristos SSL_CTX *ctx = s->ctx; 6055af53050Schristos 60631b855a0Sspz /* Can't do anything on client side */ 60731b855a0Sspz if (s->server == 0) 608e0ea3921Schristos return 0; 60931b855a0Sspz if (nmatch == -2) { 61031b855a0Sspz if (tls1_suiteb(s)) { 61131b855a0Sspz /* 61231b855a0Sspz * For Suite B ciphersuite determines curve: we already know 61331b855a0Sspz * these are acceptable due to previous checks. 61431b855a0Sspz */ 6158fbed61eSchristos unsigned long cid = s->s3.tmp.new_cipher->id; 6165af53050Schristos 61731b855a0Sspz if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 618e0ea3921Schristos return TLSEXT_curve_P_256; 61931b855a0Sspz if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 620e0ea3921Schristos return TLSEXT_curve_P_384; 62131b855a0Sspz /* Should never happen */ 622e0ea3921Schristos return 0; 62331b855a0Sspz } 62431b855a0Sspz /* If not Suite B just return first preference shared curve */ 62531b855a0Sspz nmatch = 0; 62631b855a0Sspz } 62731b855a0Sspz /* 628e0ea3921Schristos * If server preference set, our groups are the preference order 629e0ea3921Schristos * otherwise peer decides. 63031b855a0Sspz */ 631e0ea3921Schristos if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 632e0ea3921Schristos tls1_get_supported_groups(s, &pref, &num_pref); 633e0ea3921Schristos tls1_get_peer_groups(s, &supp, &num_supp); 634e0ea3921Schristos } else { 635e0ea3921Schristos tls1_get_peer_groups(s, &pref, &num_pref); 636e0ea3921Schristos tls1_get_supported_groups(s, &supp, &num_supp); 637e0ea3921Schristos } 63831b855a0Sspz 639e0ea3921Schristos for (k = 0, i = 0; i < num_pref; i++) { 640e0ea3921Schristos uint16_t id = pref[i]; 6418dcce544Schristos const TLS_GROUP_INFO *inf; 6425af53050Schristos 643e0ea3921Schristos if (!tls1_in_list(id, supp, num_supp) 6448fbed61eSchristos || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED)) 6455af53050Schristos continue; 6468dcce544Schristos inf = tls1_group_id_lookup(ctx, id); 6478dcce544Schristos if (!ossl_assert(inf != NULL)) 6488dcce544Schristos return 0; 6498dcce544Schristos if (SSL_IS_DTLS(s)) { 6508dcce544Schristos if (inf->maxdtls == -1) 6518dcce544Schristos continue; 6528dcce544Schristos if ((inf->mindtls != 0 && DTLS_VERSION_LT(s->version, inf->mindtls)) 6538dcce544Schristos || (inf->maxdtls != 0 6548dcce544Schristos && DTLS_VERSION_GT(s->version, inf->maxdtls))) 6558dcce544Schristos continue; 6568dcce544Schristos } else { 6578dcce544Schristos if (inf->maxtls == -1) 6588dcce544Schristos continue; 6598dcce544Schristos if ((inf->mintls != 0 && s->version < inf->mintls) 6608dcce544Schristos || (inf->maxtls != 0 && s->version > inf->maxtls)) 6618dcce544Schristos continue; 6628dcce544Schristos } 6638dcce544Schristos 664e0ea3921Schristos if (nmatch == k) 665e0ea3921Schristos return id; 66631b855a0Sspz k++; 66731b855a0Sspz } 66831b855a0Sspz if (nmatch == -1) 66931b855a0Sspz return k; 67031b855a0Sspz /* Out of range (nmatch > k). */ 671e0ea3921Schristos return 0; 67231b855a0Sspz } 67331b855a0Sspz 674e0ea3921Schristos int tls1_set_groups(uint16_t **pext, size_t *pextlen, 675e0ea3921Schristos int *groups, size_t ngroups) 67631b855a0Sspz { 677e0ea3921Schristos uint16_t *glist; 67831b855a0Sspz size_t i; 67931b855a0Sspz /* 6808fbed61eSchristos * Bitmap of groups included to detect duplicates: two variables are added 6818fbed61eSchristos * to detect duplicates as some values are more than 32. 68231b855a0Sspz */ 6838fbed61eSchristos unsigned long *dup_list = NULL; 6848fbed61eSchristos unsigned long dup_list_egrp = 0; 6858fbed61eSchristos unsigned long dup_list_dhgrp = 0; 686e0ea3921Schristos 687bf8eace1Schristos if (ngroups == 0) { 6888fbed61eSchristos ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); 689bf8eace1Schristos return 0; 690bf8eace1Schristos } 691e0ea3921Schristos if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { 6928fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 69331b855a0Sspz return 0; 694e0ea3921Schristos } 695e0ea3921Schristos for (i = 0; i < ngroups; i++) { 69631b855a0Sspz unsigned long idmask; 697e0ea3921Schristos uint16_t id; 698e0ea3921Schristos id = tls1_nid2group_id(groups[i]); 6998fbed61eSchristos if ((id & 0x00FF) >= (sizeof(unsigned long) * 8)) 7008fbed61eSchristos goto err; 7018fbed61eSchristos idmask = 1L << (id & 0x00FF); 7028fbed61eSchristos dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp; 7038fbed61eSchristos if (!id || ((*dup_list) & idmask)) 7048fbed61eSchristos goto err; 7058fbed61eSchristos *dup_list |= idmask; 706e0ea3921Schristos glist[i] = id; 70731b855a0Sspz } 70831b855a0Sspz OPENSSL_free(*pext); 709e0ea3921Schristos *pext = glist; 710e0ea3921Schristos *pextlen = ngroups; 71131b855a0Sspz return 1; 7128fbed61eSchristos err: 7138fbed61eSchristos OPENSSL_free(glist); 7148fbed61eSchristos return 0; 71531b855a0Sspz } 71631b855a0Sspz 7178fbed61eSchristos # define GROUPLIST_INCREMENT 40 7188fbed61eSchristos # define GROUP_NAME_BUFFER_LENGTH 64 71931b855a0Sspz typedef struct { 7208fbed61eSchristos SSL_CTX *ctx; 7218fbed61eSchristos size_t gidcnt; 7228fbed61eSchristos size_t gidmax; 7238fbed61eSchristos uint16_t *gid_arr; 7248fbed61eSchristos } gid_cb_st; 72531b855a0Sspz 7268fbed61eSchristos static int gid_cb(const char *elem, int len, void *arg) 72731b855a0Sspz { 7288fbed61eSchristos gid_cb_st *garg = arg; 72931b855a0Sspz size_t i; 7308fbed61eSchristos uint16_t gid = 0; 7318fbed61eSchristos char etmp[GROUP_NAME_BUFFER_LENGTH]; 7328fbed61eSchristos 73331b855a0Sspz if (elem == NULL) 73431b855a0Sspz return 0; 7358fbed61eSchristos if (garg->gidcnt == garg->gidmax) { 7368fbed61eSchristos uint16_t *tmp = 737b46c97feSchristos OPENSSL_realloc(garg->gid_arr, 738b46c97feSchristos (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr)); 7398fbed61eSchristos if (tmp == NULL) 74031b855a0Sspz return 0; 7418fbed61eSchristos garg->gidmax += GROUPLIST_INCREMENT; 7428fbed61eSchristos garg->gid_arr = tmp; 7438fbed61eSchristos } 74431b855a0Sspz if (len > (int)(sizeof(etmp) - 1)) 74531b855a0Sspz return 0; 74631b855a0Sspz memcpy(etmp, elem, len); 74731b855a0Sspz etmp[len] = 0; 7488fbed61eSchristos 7498fbed61eSchristos gid = tls1_group_name2id(garg->ctx, etmp); 7508fbed61eSchristos if (gid == 0) { 7518fbed61eSchristos ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, 7528fbed61eSchristos "group '%s' cannot be set", etmp); 75331b855a0Sspz return 0; 7548fbed61eSchristos } 7558fbed61eSchristos for (i = 0; i < garg->gidcnt; i++) 7568fbed61eSchristos if (garg->gid_arr[i] == gid) 75731b855a0Sspz return 0; 7588fbed61eSchristos garg->gid_arr[garg->gidcnt++] = gid; 75931b855a0Sspz return 1; 76031b855a0Sspz } 76131b855a0Sspz 7628fbed61eSchristos /* Set groups based on a colon separated list */ 7638fbed61eSchristos int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, 7648fbed61eSchristos const char *str) 76531b855a0Sspz { 7668fbed61eSchristos gid_cb_st gcb; 7678fbed61eSchristos uint16_t *tmparr; 7688fbed61eSchristos int ret = 0; 769e0ea3921Schristos 7708fbed61eSchristos gcb.gidcnt = 0; 7718fbed61eSchristos gcb.gidmax = GROUPLIST_INCREMENT; 7728fbed61eSchristos gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr)); 7738fbed61eSchristos if (gcb.gid_arr == NULL) 77431b855a0Sspz return 0; 7758fbed61eSchristos gcb.ctx = ctx; 7768fbed61eSchristos if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) 7778fbed61eSchristos goto end; 7788fbed61eSchristos if (pext == NULL) { 7798fbed61eSchristos ret = 1; 7808fbed61eSchristos goto end; 78131b855a0Sspz } 78231b855a0Sspz 783e0ea3921Schristos /* 7848fbed61eSchristos * gid_cb ensurse there are no duplicates so we can just go ahead and set 7858fbed61eSchristos * the result 786e0ea3921Schristos */ 7878fbed61eSchristos tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); 7888fbed61eSchristos if (tmparr == NULL) 7898fbed61eSchristos goto end; 790d6e24a89Schristos OPENSSL_free(*pext); 7918fbed61eSchristos *pext = tmparr; 7928fbed61eSchristos *pextlen = gcb.gidcnt; 7938fbed61eSchristos ret = 1; 7948fbed61eSchristos end: 7958fbed61eSchristos OPENSSL_free(gcb.gid_arr); 7968fbed61eSchristos return ret; 797e0ea3921Schristos } 798e0ea3921Schristos 799e0ea3921Schristos /* Check a group id matches preferences */ 800e0ea3921Schristos int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) 801e0ea3921Schristos { 802e0ea3921Schristos const uint16_t *groups; 803e0ea3921Schristos size_t groups_len; 804e0ea3921Schristos 805e0ea3921Schristos if (group_id == 0) 806e0ea3921Schristos return 0; 807e0ea3921Schristos 808e0ea3921Schristos /* Check for Suite B compliance */ 8098fbed61eSchristos if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) { 8108fbed61eSchristos unsigned long cid = s->s3.tmp.new_cipher->id; 811e0ea3921Schristos 812e0ea3921Schristos if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { 813e0ea3921Schristos if (group_id != TLSEXT_curve_P_256) 814e0ea3921Schristos return 0; 815e0ea3921Schristos } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { 816e0ea3921Schristos if (group_id != TLSEXT_curve_P_384) 817e0ea3921Schristos return 0; 818e0ea3921Schristos } else { 819e0ea3921Schristos /* Should never happen */ 820e0ea3921Schristos return 0; 821e0ea3921Schristos } 822e0ea3921Schristos } 823e0ea3921Schristos 824e0ea3921Schristos if (check_own_groups) { 825e0ea3921Schristos /* Check group is one of our preferences */ 826e0ea3921Schristos tls1_get_supported_groups(s, &groups, &groups_len); 827e0ea3921Schristos if (!tls1_in_list(group_id, groups, groups_len)) 828e0ea3921Schristos return 0; 829e0ea3921Schristos } 830e0ea3921Schristos 8318fbed61eSchristos if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) 832e0ea3921Schristos return 0; 833e0ea3921Schristos 834e0ea3921Schristos /* For clients, nothing more to check */ 835e0ea3921Schristos if (!s->server) 8362500041cSchristos return 1; 8372500041cSchristos 838e0ea3921Schristos /* Check group is one of peers preferences */ 839e0ea3921Schristos tls1_get_peer_groups(s, &groups, &groups_len); 840e0ea3921Schristos 84131b855a0Sspz /* 84231b855a0Sspz * RFC 4492 does not require the supported elliptic curves extension 84331b855a0Sspz * so if it is not sent we can just choose any curve. 844e0ea3921Schristos * It is invalid to send an empty list in the supported groups 845e0ea3921Schristos * extension, so groups_len == 0 always means no extension. 84631b855a0Sspz */ 847e0ea3921Schristos if (groups_len == 0) 84831b855a0Sspz return 1; 849e0ea3921Schristos return tls1_in_list(group_id, groups, groups_len); 85031b855a0Sspz } 85131b855a0Sspz 852e0ea3921Schristos void tls1_get_formatlist(SSL *s, const unsigned char **pformats, 85331b855a0Sspz size_t *num_formats) 85431b855a0Sspz { 85531b855a0Sspz /* 85631b855a0Sspz * If we have a custom point format list use it otherwise use default 85731b855a0Sspz */ 858e0ea3921Schristos if (s->ext.ecpointformats) { 859e0ea3921Schristos *pformats = s->ext.ecpointformats; 860e0ea3921Schristos *num_formats = s->ext.ecpointformats_len; 86131b855a0Sspz } else { 86231b855a0Sspz *pformats = ecformats_default; 86331b855a0Sspz /* For Suite B we don't support char2 fields */ 86431b855a0Sspz if (tls1_suiteb(s)) 86531b855a0Sspz *num_formats = sizeof(ecformats_default) - 1; 86631b855a0Sspz else 86731b855a0Sspz *num_formats = sizeof(ecformats_default); 86831b855a0Sspz } 86931b855a0Sspz } 87031b855a0Sspz 8718fbed61eSchristos /* Check a key is compatible with compression extension */ 8728fbed61eSchristos static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) 8738fbed61eSchristos { 8748fbed61eSchristos unsigned char comp_id; 8758fbed61eSchristos size_t i; 8768fbed61eSchristos int point_conv; 8778fbed61eSchristos 8788fbed61eSchristos /* If not an EC key nothing to check */ 8798fbed61eSchristos if (!EVP_PKEY_is_a(pkey, "EC")) 8808fbed61eSchristos return 1; 8818fbed61eSchristos 8828fbed61eSchristos 8838fbed61eSchristos /* Get required compression id */ 8848fbed61eSchristos point_conv = EVP_PKEY_get_ec_point_conv_form(pkey); 8858fbed61eSchristos if (point_conv == 0) 8868fbed61eSchristos return 0; 8878fbed61eSchristos if (point_conv == POINT_CONVERSION_UNCOMPRESSED) { 8888fbed61eSchristos comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 8898fbed61eSchristos } else if (SSL_IS_TLS13(s)) { 8908fbed61eSchristos /* 8918fbed61eSchristos * ec_point_formats extension is not used in TLSv1.3 so we ignore 8928fbed61eSchristos * this check. 8938fbed61eSchristos */ 8948fbed61eSchristos return 1; 8958fbed61eSchristos } else { 8968fbed61eSchristos int field_type = EVP_PKEY_get_field_type(pkey); 8978fbed61eSchristos 8988fbed61eSchristos if (field_type == NID_X9_62_prime_field) 8998fbed61eSchristos comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 9008fbed61eSchristos else if (field_type == NID_X9_62_characteristic_two_field) 9018fbed61eSchristos comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 9028fbed61eSchristos else 9038fbed61eSchristos return 0; 9048fbed61eSchristos } 9058fbed61eSchristos /* 9068fbed61eSchristos * If point formats extension present check it, otherwise everything is 9078fbed61eSchristos * supported (see RFC4492). 9088fbed61eSchristos */ 9098fbed61eSchristos if (s->ext.peer_ecpointformats == NULL) 9108fbed61eSchristos return 1; 9118fbed61eSchristos 9128fbed61eSchristos for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { 9138fbed61eSchristos if (s->ext.peer_ecpointformats[i] == comp_id) 9148fbed61eSchristos return 1; 9158fbed61eSchristos } 9168fbed61eSchristos return 0; 9178fbed61eSchristos } 9188fbed61eSchristos 9198fbed61eSchristos /* Return group id of a key */ 9208fbed61eSchristos static uint16_t tls1_get_group_id(EVP_PKEY *pkey) 9218fbed61eSchristos { 9228fbed61eSchristos int curve_nid = ssl_get_EC_curve_nid(pkey); 9238fbed61eSchristos 9248fbed61eSchristos if (curve_nid == NID_undef) 9258fbed61eSchristos return 0; 9268fbed61eSchristos return tls1_nid2group_id(curve_nid); 9278fbed61eSchristos } 9288fbed61eSchristos 92931b855a0Sspz /* 93031b855a0Sspz * Check cert parameters compatible with extensions: currently just checks EC 93131b855a0Sspz * certificates have compatible curves and compression. 93231b855a0Sspz */ 933e0ea3921Schristos static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md) 93431b855a0Sspz { 935e0ea3921Schristos uint16_t group_id; 93631b855a0Sspz EVP_PKEY *pkey; 9375af53050Schristos pkey = X509_get0_pubkey(x); 938e0ea3921Schristos if (pkey == NULL) 93931b855a0Sspz return 0; 94031b855a0Sspz /* If not EC nothing to do */ 9418fbed61eSchristos if (!EVP_PKEY_is_a(pkey, "EC")) 94231b855a0Sspz return 1; 943e0ea3921Schristos /* Check compression */ 944e0ea3921Schristos if (!tls1_check_pkey_comp(s, pkey)) 94531b855a0Sspz return 0; 946e0ea3921Schristos group_id = tls1_get_group_id(pkey); 94731b855a0Sspz /* 948e0ea3921Schristos * For a server we allow the certificate to not be in our list of supported 949e0ea3921Schristos * groups. 95031b855a0Sspz */ 951e0ea3921Schristos if (!tls1_check_group_id(s, group_id, !s->server)) 95231b855a0Sspz return 0; 95331b855a0Sspz /* 95431b855a0Sspz * Special case for suite B. We *MUST* sign using SHA256+P-256 or 955e0ea3921Schristos * SHA384+P-384. 95631b855a0Sspz */ 957e0ea3921Schristos if (check_ee_md && tls1_suiteb(s)) { 95831b855a0Sspz int check_md; 95931b855a0Sspz size_t i; 960e0ea3921Schristos 96131b855a0Sspz /* Check to see we have necessary signing algorithm */ 962e0ea3921Schristos if (group_id == TLSEXT_curve_P_256) 96331b855a0Sspz check_md = NID_ecdsa_with_SHA256; 964e0ea3921Schristos else if (group_id == TLSEXT_curve_P_384) 96531b855a0Sspz check_md = NID_ecdsa_with_SHA384; 96631b855a0Sspz else 96731b855a0Sspz return 0; /* Should never happen */ 968403eeac4Schristos for (i = 0; i < s->shared_sigalgslen; i++) { 969403eeac4Schristos if (check_md == s->shared_sigalgs[i]->sigandhash) 970e0ea3921Schristos return 1;; 971e0ea3921Schristos } 97231b855a0Sspz return 0; 97331b855a0Sspz } 974e0ea3921Schristos return 1; 97531b855a0Sspz } 97631b855a0Sspz 9775af53050Schristos /* 9785af53050Schristos * tls1_check_ec_tmp_key - Check EC temporary key compatibility 9795af53050Schristos * @s: SSL connection 9805af53050Schristos * @cid: Cipher ID we're considering using 9815af53050Schristos * 9825af53050Schristos * Checks that the kECDHE cipher suite we're considering using 9835af53050Schristos * is compatible with the client extensions. 9845af53050Schristos * 9855af53050Schristos * Returns 0 when the cipher can't be used or 1 when it can. 9865af53050Schristos */ 98731b855a0Sspz int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) 98831b855a0Sspz { 989e0ea3921Schristos /* If not Suite B just need a shared group */ 990e0ea3921Schristos if (!tls1_suiteb(s)) 991e0ea3921Schristos return tls1_shared_group(s, 0) != 0; 99231b855a0Sspz /* 99331b855a0Sspz * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other 99431b855a0Sspz * curves permitted. 99531b855a0Sspz */ 99631b855a0Sspz if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 997e0ea3921Schristos return tls1_check_group_id(s, TLSEXT_curve_P_256, 1); 998e0ea3921Schristos if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 999e0ea3921Schristos return tls1_check_group_id(s, TLSEXT_curve_P_384, 1); 1000e0ea3921Schristos 100131b855a0Sspz return 0; 100231b855a0Sspz } 100331b855a0Sspz 1004e0ea3921Schristos /* Default sigalg schemes */ 1005e0ea3921Schristos static const uint16_t tls12_sigalgs[] = { 1006e0ea3921Schristos TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1007e0ea3921Schristos TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 1008e0ea3921Schristos TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 1009e0ea3921Schristos TLSEXT_SIGALG_ed25519, 1010e0ea3921Schristos TLSEXT_SIGALG_ed448, 10115bf0fb60Sspz 1012e0ea3921Schristos TLSEXT_SIGALG_rsa_pss_pss_sha256, 1013e0ea3921Schristos TLSEXT_SIGALG_rsa_pss_pss_sha384, 1014e0ea3921Schristos TLSEXT_SIGALG_rsa_pss_pss_sha512, 1015e0ea3921Schristos TLSEXT_SIGALG_rsa_pss_rsae_sha256, 1016e0ea3921Schristos TLSEXT_SIGALG_rsa_pss_rsae_sha384, 1017e0ea3921Schristos TLSEXT_SIGALG_rsa_pss_rsae_sha512, 1018e0ea3921Schristos 1019e0ea3921Schristos TLSEXT_SIGALG_rsa_pkcs1_sha256, 1020e0ea3921Schristos TLSEXT_SIGALG_rsa_pkcs1_sha384, 1021e0ea3921Schristos TLSEXT_SIGALG_rsa_pkcs1_sha512, 1022e0ea3921Schristos 1023e0ea3921Schristos TLSEXT_SIGALG_ecdsa_sha224, 1024e0ea3921Schristos TLSEXT_SIGALG_ecdsa_sha1, 10258fbed61eSchristos 1026e0ea3921Schristos TLSEXT_SIGALG_rsa_pkcs1_sha224, 1027e0ea3921Schristos TLSEXT_SIGALG_rsa_pkcs1_sha1, 10288fbed61eSchristos 1029e0ea3921Schristos TLSEXT_SIGALG_dsa_sha224, 1030e0ea3921Schristos TLSEXT_SIGALG_dsa_sha1, 10315bf0fb60Sspz 1032e0ea3921Schristos TLSEXT_SIGALG_dsa_sha256, 1033e0ea3921Schristos TLSEXT_SIGALG_dsa_sha384, 1034e0ea3921Schristos TLSEXT_SIGALG_dsa_sha512, 10358fbed61eSchristos 10365af53050Schristos #ifndef OPENSSL_NO_GOST 10378fbed61eSchristos TLSEXT_SIGALG_gostr34102012_256_intrinsic, 10388fbed61eSchristos TLSEXT_SIGALG_gostr34102012_512_intrinsic, 1039e0ea3921Schristos TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1040e0ea3921Schristos TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1041e0ea3921Schristos TLSEXT_SIGALG_gostr34102001_gostr3411, 10425bf0fb60Sspz #endif 10435bf0fb60Sspz }; 10445bf0fb60Sspz 10458fbed61eSchristos 1046e0ea3921Schristos static const uint16_t suiteb_sigalgs[] = { 1047e0ea3921Schristos TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1048e0ea3921Schristos TLSEXT_SIGALG_ecdsa_secp384r1_sha384 104931b855a0Sspz }; 1050e0ea3921Schristos 1051e0ea3921Schristos static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { 1052e0ea3921Schristos {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1053e0ea3921Schristos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 10548fbed61eSchristos NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1}, 1055e0ea3921Schristos {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 1056e0ea3921Schristos NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 10578fbed61eSchristos NID_ecdsa_with_SHA384, NID_secp384r1, 1}, 1058e0ea3921Schristos {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 1059e0ea3921Schristos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 10608fbed61eSchristos NID_ecdsa_with_SHA512, NID_secp521r1, 1}, 1061e0ea3921Schristos {"ed25519", TLSEXT_SIGALG_ed25519, 1062e0ea3921Schristos NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519, 10638fbed61eSchristos NID_undef, NID_undef, 1}, 1064e0ea3921Schristos {"ed448", TLSEXT_SIGALG_ed448, 1065e0ea3921Schristos NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448, 10668fbed61eSchristos NID_undef, NID_undef, 1}, 1067e0ea3921Schristos {NULL, TLSEXT_SIGALG_ecdsa_sha224, 1068e0ea3921Schristos NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 10698fbed61eSchristos NID_ecdsa_with_SHA224, NID_undef, 1}, 1070e0ea3921Schristos {NULL, TLSEXT_SIGALG_ecdsa_sha1, 1071e0ea3921Schristos NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 10728fbed61eSchristos NID_ecdsa_with_SHA1, NID_undef, 1}, 1073e0ea3921Schristos {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, 1074e0ea3921Schristos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 10758fbed61eSchristos NID_undef, NID_undef, 1}, 1076e0ea3921Schristos {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384, 1077e0ea3921Schristos NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 10788fbed61eSchristos NID_undef, NID_undef, 1}, 1079e0ea3921Schristos {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512, 1080e0ea3921Schristos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 10818fbed61eSchristos NID_undef, NID_undef, 1}, 1082e0ea3921Schristos {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256, 1083e0ea3921Schristos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 10848fbed61eSchristos NID_undef, NID_undef, 1}, 1085e0ea3921Schristos {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384, 1086e0ea3921Schristos NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 10878fbed61eSchristos NID_undef, NID_undef, 1}, 1088e0ea3921Schristos {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512, 1089e0ea3921Schristos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 10908fbed61eSchristos NID_undef, NID_undef, 1}, 1091e0ea3921Schristos {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256, 1092e0ea3921Schristos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 10938fbed61eSchristos NID_sha256WithRSAEncryption, NID_undef, 1}, 1094e0ea3921Schristos {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384, 1095e0ea3921Schristos NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 10968fbed61eSchristos NID_sha384WithRSAEncryption, NID_undef, 1}, 1097e0ea3921Schristos {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512, 1098e0ea3921Schristos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 10998fbed61eSchristos NID_sha512WithRSAEncryption, NID_undef, 1}, 1100e0ea3921Schristos {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224, 1101e0ea3921Schristos NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 11028fbed61eSchristos NID_sha224WithRSAEncryption, NID_undef, 1}, 1103e0ea3921Schristos {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, 1104e0ea3921Schristos NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 11058fbed61eSchristos NID_sha1WithRSAEncryption, NID_undef, 1}, 1106e0ea3921Schristos {NULL, TLSEXT_SIGALG_dsa_sha256, 1107e0ea3921Schristos NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 11088fbed61eSchristos NID_dsa_with_SHA256, NID_undef, 1}, 1109e0ea3921Schristos {NULL, TLSEXT_SIGALG_dsa_sha384, 1110e0ea3921Schristos NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 11118fbed61eSchristos NID_undef, NID_undef, 1}, 1112e0ea3921Schristos {NULL, TLSEXT_SIGALG_dsa_sha512, 1113e0ea3921Schristos NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 11148fbed61eSchristos NID_undef, NID_undef, 1}, 1115e0ea3921Schristos {NULL, TLSEXT_SIGALG_dsa_sha224, 1116e0ea3921Schristos NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 11178fbed61eSchristos NID_undef, NID_undef, 1}, 1118e0ea3921Schristos {NULL, TLSEXT_SIGALG_dsa_sha1, 1119e0ea3921Schristos NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 11208fbed61eSchristos NID_dsaWithSHA1, NID_undef, 1}, 1121e0ea3921Schristos #ifndef OPENSSL_NO_GOST 11228fbed61eSchristos {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic, 11238fbed61eSchristos NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 11248fbed61eSchristos NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 11258fbed61eSchristos NID_undef, NID_undef, 1}, 11268fbed61eSchristos {NULL, TLSEXT_SIGALG_gostr34102012_512_intrinsic, 11278fbed61eSchristos NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 11288fbed61eSchristos NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 11298fbed61eSchristos NID_undef, NID_undef, 1}, 1130e0ea3921Schristos {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1131e0ea3921Schristos NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 1132e0ea3921Schristos NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 11338fbed61eSchristos NID_undef, NID_undef, 1}, 1134e0ea3921Schristos {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1135e0ea3921Schristos NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 1136e0ea3921Schristos NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 11378fbed61eSchristos NID_undef, NID_undef, 1}, 1138e0ea3921Schristos {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411, 1139e0ea3921Schristos NID_id_GostR3411_94, SSL_MD_GOST94_IDX, 1140e0ea3921Schristos NID_id_GostR3410_2001, SSL_PKEY_GOST01, 11418fbed61eSchristos NID_undef, NID_undef, 1} 1142e0ea3921Schristos #endif 1143e0ea3921Schristos }; 1144e0ea3921Schristos /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */ 1145e0ea3921Schristos static const SIGALG_LOOKUP legacy_rsa_sigalg = { 1146e0ea3921Schristos "rsa_pkcs1_md5_sha1", 0, 1147e0ea3921Schristos NID_md5_sha1, SSL_MD_MD5_SHA1_IDX, 1148e0ea3921Schristos EVP_PKEY_RSA, SSL_PKEY_RSA, 11498fbed61eSchristos NID_undef, NID_undef, 1 1150e0ea3921Schristos }; 1151e0ea3921Schristos 1152e0ea3921Schristos /* 1153e0ea3921Schristos * Default signature algorithm values used if signature algorithms not present. 1154e0ea3921Schristos * From RFC5246. Note: order must match certificate index order. 1155e0ea3921Schristos */ 1156e0ea3921Schristos static const uint16_t tls_default_sigalg[] = { 1157e0ea3921Schristos TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ 1158e0ea3921Schristos 0, /* SSL_PKEY_RSA_PSS_SIGN */ 1159e0ea3921Schristos TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ 1160e0ea3921Schristos TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ 1161e0ea3921Schristos TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ 11628fbed61eSchristos TLSEXT_SIGALG_gostr34102012_256_intrinsic, /* SSL_PKEY_GOST12_256 */ 11638fbed61eSchristos TLSEXT_SIGALG_gostr34102012_512_intrinsic, /* SSL_PKEY_GOST12_512 */ 1164e0ea3921Schristos 0, /* SSL_PKEY_ED25519 */ 1165e0ea3921Schristos 0, /* SSL_PKEY_ED448 */ 1166e0ea3921Schristos }; 1167e0ea3921Schristos 11688fbed61eSchristos int ssl_setup_sig_algs(SSL_CTX *ctx) 1169e0ea3921Schristos { 1170e0ea3921Schristos size_t i; 11718fbed61eSchristos const SIGALG_LOOKUP *lu; 11728fbed61eSchristos SIGALG_LOOKUP *cache 11738fbed61eSchristos = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); 11748fbed61eSchristos EVP_PKEY *tmpkey = EVP_PKEY_new(); 11758fbed61eSchristos int ret = 0; 1176e0ea3921Schristos 11778fbed61eSchristos if (cache == NULL || tmpkey == NULL) 11788fbed61eSchristos goto err; 11798fbed61eSchristos 11808fbed61eSchristos ERR_set_mark(); 11818fbed61eSchristos for (i = 0, lu = sigalg_lookup_tbl; 11828fbed61eSchristos i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { 11838fbed61eSchristos EVP_PKEY_CTX *pctx; 11848fbed61eSchristos 11858fbed61eSchristos cache[i] = *lu; 11868fbed61eSchristos 11878fbed61eSchristos /* 11888fbed61eSchristos * Check hash is available. 11898fbed61eSchristos * This test is not perfect. A provider could have support 11908fbed61eSchristos * for a signature scheme, but not a particular hash. However the hash 11918fbed61eSchristos * could be available from some other loaded provider. In that case it 11928fbed61eSchristos * could be that the signature is available, and the hash is available 11938fbed61eSchristos * independently - but not as a combination. We ignore this for now. 11948fbed61eSchristos */ 11958fbed61eSchristos if (lu->hash != NID_undef 11968fbed61eSchristos && ctx->ssl_digest_methods[lu->hash_idx] == NULL) { 11978fbed61eSchristos cache[i].enabled = 0; 11988fbed61eSchristos continue; 11998fbed61eSchristos } 12008fbed61eSchristos 12018fbed61eSchristos if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { 12028fbed61eSchristos cache[i].enabled = 0; 12038fbed61eSchristos continue; 12048fbed61eSchristos } 12058fbed61eSchristos pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, tmpkey, ctx->propq); 12068fbed61eSchristos /* If unable to create pctx we assume the sig algorithm is unavailable */ 12078fbed61eSchristos if (pctx == NULL) 12088fbed61eSchristos cache[i].enabled = 0; 12098fbed61eSchristos EVP_PKEY_CTX_free(pctx); 12108fbed61eSchristos } 12118fbed61eSchristos ERR_pop_to_mark(); 12128fbed61eSchristos ctx->sigalg_lookup_cache = cache; 12138fbed61eSchristos cache = NULL; 12148fbed61eSchristos 12158fbed61eSchristos ret = 1; 12168fbed61eSchristos err: 12178fbed61eSchristos OPENSSL_free(cache); 12188fbed61eSchristos EVP_PKEY_free(tmpkey); 12198fbed61eSchristos return ret; 12208fbed61eSchristos } 12218fbed61eSchristos 12228fbed61eSchristos /* Lookup TLS signature algorithm */ 12238fbed61eSchristos static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL *s, uint16_t sigalg) 12248fbed61eSchristos { 12258fbed61eSchristos size_t i; 12268fbed61eSchristos const SIGALG_LOOKUP *lu; 12278fbed61eSchristos 12288fbed61eSchristos for (i = 0, lu = s->ctx->sigalg_lookup_cache; 12298fbed61eSchristos /* cache should have the same number of elements as sigalg_lookup_tbl */ 12308fbed61eSchristos i < OSSL_NELEM(sigalg_lookup_tbl); 12318fbed61eSchristos lu++, i++) { 12328fbed61eSchristos if (lu->sigalg == sigalg) { 12338fbed61eSchristos if (!lu->enabled) 12348fbed61eSchristos return NULL; 12358fbed61eSchristos return lu; 12368fbed61eSchristos } 1237e0ea3921Schristos } 1238e0ea3921Schristos return NULL; 1239e0ea3921Schristos } 1240e0ea3921Schristos /* Lookup hash: return 0 if invalid or not enabled */ 12418fbed61eSchristos int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd) 1242e0ea3921Schristos { 1243e0ea3921Schristos const EVP_MD *md; 1244e0ea3921Schristos if (lu == NULL) 1245e0ea3921Schristos return 0; 1246e0ea3921Schristos /* lu->hash == NID_undef means no associated digest */ 1247e0ea3921Schristos if (lu->hash == NID_undef) { 1248e0ea3921Schristos md = NULL; 1249e0ea3921Schristos } else { 12508fbed61eSchristos md = ssl_md(ctx, lu->hash_idx); 1251e0ea3921Schristos if (md == NULL) 1252e0ea3921Schristos return 0; 1253e0ea3921Schristos } 1254e0ea3921Schristos if (pmd) 1255e0ea3921Schristos *pmd = md; 1256e0ea3921Schristos return 1; 1257e0ea3921Schristos } 1258e0ea3921Schristos 1259e0ea3921Schristos /* 1260e0ea3921Schristos * Check if key is large enough to generate RSA-PSS signature. 1261e0ea3921Schristos * 1262e0ea3921Schristos * The key must greater than or equal to 2 * hash length + 2. 1263e0ea3921Schristos * SHA512 has a hash length of 64 bytes, which is incompatible 1264e0ea3921Schristos * with a 128 byte (1024 bit) key. 1265e0ea3921Schristos */ 12668fbed61eSchristos #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2) 12678fbed61eSchristos static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey, 12688fbed61eSchristos const SIGALG_LOOKUP *lu) 1269e0ea3921Schristos { 1270e0ea3921Schristos const EVP_MD *md; 1271e0ea3921Schristos 12728fbed61eSchristos if (pkey == NULL) 1273e0ea3921Schristos return 0; 12748fbed61eSchristos if (!tls1_lookup_md(ctx, lu, &md) || md == NULL) 1275e0ea3921Schristos return 0; 12768fbed61eSchristos if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md)) 1277e0ea3921Schristos return 0; 1278e0ea3921Schristos return 1; 1279e0ea3921Schristos } 1280e0ea3921Schristos 1281e0ea3921Schristos /* 128252629741Schristos * Returns a signature algorithm when the peer did not send a list of supported 128352629741Schristos * signature algorithms. The signature algorithm is fixed for the certificate 128452629741Schristos * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the 128552629741Schristos * certificate type from |s| will be used. 128652629741Schristos * Returns the signature algorithm to use, or NULL on error. 1287e0ea3921Schristos */ 1288e0ea3921Schristos static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) 1289e0ea3921Schristos { 1290e0ea3921Schristos if (idx == -1) { 1291e0ea3921Schristos if (s->server) { 1292e0ea3921Schristos size_t i; 1293e0ea3921Schristos 1294e0ea3921Schristos /* Work out index corresponding to ciphersuite */ 1295e0ea3921Schristos for (i = 0; i < SSL_PKEY_NUM; i++) { 1296e0ea3921Schristos const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i); 1297e0ea3921Schristos 12988fbed61eSchristos if (clu == NULL) 12998fbed61eSchristos continue; 13008fbed61eSchristos if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) { 1301e0ea3921Schristos idx = i; 1302e0ea3921Schristos break; 1303e0ea3921Schristos } 1304e0ea3921Schristos } 1305e0ea3921Schristos 1306e0ea3921Schristos /* 1307e0ea3921Schristos * Some GOST ciphersuites allow more than one signature algorithms 1308e0ea3921Schristos * */ 13098fbed61eSchristos if (idx == SSL_PKEY_GOST01 && s->s3.tmp.new_cipher->algorithm_auth != SSL_aGOST01) { 1310e0ea3921Schristos int real_idx; 1311e0ea3921Schristos 1312e0ea3921Schristos for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01; 1313e0ea3921Schristos real_idx--) { 1314e0ea3921Schristos if (s->cert->pkeys[real_idx].privatekey != NULL) { 1315e0ea3921Schristos idx = real_idx; 1316e0ea3921Schristos break; 1317e0ea3921Schristos } 1318e0ea3921Schristos } 1319e0ea3921Schristos } 13208fbed61eSchristos /* 13218fbed61eSchristos * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used 13228fbed61eSchristos * with new (aGOST12-only) ciphersuites, we should find out which one is available really. 13238fbed61eSchristos */ 13248fbed61eSchristos else if (idx == SSL_PKEY_GOST12_256) { 13258fbed61eSchristos int real_idx; 13268fbed61eSchristos 13278fbed61eSchristos for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256; 13288fbed61eSchristos real_idx--) { 13298fbed61eSchristos if (s->cert->pkeys[real_idx].privatekey != NULL) { 13308fbed61eSchristos idx = real_idx; 13318fbed61eSchristos break; 13328fbed61eSchristos } 13338fbed61eSchristos } 13348fbed61eSchristos } 1335e0ea3921Schristos } else { 1336e0ea3921Schristos idx = s->cert->key - s->cert->pkeys; 1337e0ea3921Schristos } 1338e0ea3921Schristos } 1339e0ea3921Schristos if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) 1340e0ea3921Schristos return NULL; 1341e0ea3921Schristos if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { 13428fbed61eSchristos const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, tls_default_sigalg[idx]); 1343e0ea3921Schristos 13448fbed61eSchristos if (lu == NULL) 13458fbed61eSchristos return NULL; 13468fbed61eSchristos if (!tls1_lookup_md(s->ctx, lu, NULL)) 1347e0ea3921Schristos return NULL; 134852629741Schristos if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 134952629741Schristos return NULL; 1350e0ea3921Schristos return lu; 1351e0ea3921Schristos } 135252629741Schristos if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg)) 135352629741Schristos return NULL; 1354e0ea3921Schristos return &legacy_rsa_sigalg; 1355e0ea3921Schristos } 1356e0ea3921Schristos /* Set peer sigalg based key type */ 1357e0ea3921Schristos int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey) 1358e0ea3921Schristos { 1359e0ea3921Schristos size_t idx; 1360e0ea3921Schristos const SIGALG_LOOKUP *lu; 1361e0ea3921Schristos 1362e0ea3921Schristos if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 1363e0ea3921Schristos return 0; 1364e0ea3921Schristos lu = tls1_get_legacy_sigalg(s, idx); 1365e0ea3921Schristos if (lu == NULL) 1366e0ea3921Schristos return 0; 13678fbed61eSchristos s->s3.tmp.peer_sigalg = lu; 1368e0ea3921Schristos return 1; 1369e0ea3921Schristos } 1370e0ea3921Schristos 1371e0ea3921Schristos size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) 13725bf0fb60Sspz { 137331b855a0Sspz /* 137431b855a0Sspz * If Suite B mode use Suite B sigalgs only, ignore any other 137531b855a0Sspz * preferences. 137631b855a0Sspz */ 137731b855a0Sspz switch (tls1_suiteb(s)) { 137831b855a0Sspz case SSL_CERT_FLAG_SUITEB_128_LOS: 137931b855a0Sspz *psigs = suiteb_sigalgs; 1380e0ea3921Schristos return OSSL_NELEM(suiteb_sigalgs); 138131b855a0Sspz 138231b855a0Sspz case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 138331b855a0Sspz *psigs = suiteb_sigalgs; 1384e0ea3921Schristos return 1; 138531b855a0Sspz 138631b855a0Sspz case SSL_CERT_FLAG_SUITEB_192_LOS: 1387e0ea3921Schristos *psigs = suiteb_sigalgs + 1; 1388e0ea3921Schristos return 1; 138931b855a0Sspz } 1390e0ea3921Schristos /* 1391e0ea3921Schristos * We use client_sigalgs (if not NULL) if we're a server 1392e0ea3921Schristos * and sending a certificate request or if we're a client and 1393e0ea3921Schristos * determining which shared algorithm to use. 1394e0ea3921Schristos */ 1395e0ea3921Schristos if ((s->server == sent) && s->cert->client_sigalgs != NULL) { 139631b855a0Sspz *psigs = s->cert->client_sigalgs; 139731b855a0Sspz return s->cert->client_sigalgslen; 139831b855a0Sspz } else if (s->cert->conf_sigalgs) { 139931b855a0Sspz *psigs = s->cert->conf_sigalgs; 140031b855a0Sspz return s->cert->conf_sigalgslen; 140131b855a0Sspz } else { 140231b855a0Sspz *psigs = tls12_sigalgs; 1403e0ea3921Schristos return OSSL_NELEM(tls12_sigalgs); 140431b855a0Sspz } 140531b855a0Sspz } 140631b855a0Sspz 1407bf8eace1Schristos /* 1408bf8eace1Schristos * Called by servers only. Checks that we have a sig alg that supports the 1409bf8eace1Schristos * specified EC curve. 1410bf8eace1Schristos */ 1411bf8eace1Schristos int tls_check_sigalg_curve(const SSL *s, int curve) 1412bf8eace1Schristos { 1413bf8eace1Schristos const uint16_t *sigs; 1414bf8eace1Schristos size_t siglen, i; 1415bf8eace1Schristos 1416bf8eace1Schristos if (s->cert->conf_sigalgs) { 1417bf8eace1Schristos sigs = s->cert->conf_sigalgs; 1418bf8eace1Schristos siglen = s->cert->conf_sigalgslen; 1419bf8eace1Schristos } else { 1420bf8eace1Schristos sigs = tls12_sigalgs; 1421bf8eace1Schristos siglen = OSSL_NELEM(tls12_sigalgs); 1422bf8eace1Schristos } 1423bf8eace1Schristos 1424bf8eace1Schristos for (i = 0; i < siglen; i++) { 14258fbed61eSchristos const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, sigs[i]); 1426bf8eace1Schristos 1427bf8eace1Schristos if (lu == NULL) 1428bf8eace1Schristos continue; 1429bf8eace1Schristos if (lu->sig == EVP_PKEY_EC 1430bf8eace1Schristos && lu->curve != NID_undef 1431bf8eace1Schristos && curve == lu->curve) 1432bf8eace1Schristos return 1; 1433bf8eace1Schristos } 1434bf8eace1Schristos 1435bf8eace1Schristos return 0; 1436bf8eace1Schristos } 1437bf8eace1Schristos 143831b855a0Sspz /* 143952629741Schristos * Return the number of security bits for the signature algorithm, or 0 on 144052629741Schristos * error. 144152629741Schristos */ 14428fbed61eSchristos static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu) 144352629741Schristos { 144452629741Schristos const EVP_MD *md = NULL; 144552629741Schristos int secbits = 0; 144652629741Schristos 14478fbed61eSchristos if (!tls1_lookup_md(ctx, lu, &md)) 144852629741Schristos return 0; 144952629741Schristos if (md != NULL) 145052629741Schristos { 14518fbed61eSchristos int md_type = EVP_MD_get_type(md); 14528fbed61eSchristos 145352629741Schristos /* Security bits: half digest bits */ 14548fbed61eSchristos secbits = EVP_MD_get_size(md) * 4; 14558fbed61eSchristos /* 14568fbed61eSchristos * SHA1 and MD5 are known to be broken. Reduce security bits so that 14578fbed61eSchristos * they're no longer accepted at security level 1. The real values don't 14588fbed61eSchristos * really matter as long as they're lower than 80, which is our 14598fbed61eSchristos * security level 1. 14608fbed61eSchristos * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for 14618fbed61eSchristos * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2 14628fbed61eSchristos * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf 14638fbed61eSchristos * puts a chosen-prefix attack for MD5 at 2^39. 14648fbed61eSchristos */ 14658fbed61eSchristos if (md_type == NID_sha1) 14668fbed61eSchristos secbits = 64; 14678fbed61eSchristos else if (md_type == NID_md5_sha1) 14688fbed61eSchristos secbits = 67; 14698fbed61eSchristos else if (md_type == NID_md5) 14708fbed61eSchristos secbits = 39; 147152629741Schristos } else { 147252629741Schristos /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ 147352629741Schristos if (lu->sigalg == TLSEXT_SIGALG_ed25519) 147452629741Schristos secbits = 128; 147552629741Schristos else if (lu->sigalg == TLSEXT_SIGALG_ed448) 147652629741Schristos secbits = 224; 147752629741Schristos } 147852629741Schristos return secbits; 147952629741Schristos } 148052629741Schristos 148152629741Schristos /* 1482e0ea3921Schristos * Check signature algorithm is consistent with sent supported signature 1483e0ea3921Schristos * algorithms and if so set relevant digest and signature scheme in 1484e0ea3921Schristos * s. 148531b855a0Sspz */ 1486e0ea3921Schristos int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) 148731b855a0Sspz { 1488e0ea3921Schristos const uint16_t *sent_sigs; 1489e0ea3921Schristos const EVP_MD *md = NULL; 1490e0ea3921Schristos char sigalgstr[2]; 1491e0ea3921Schristos size_t sent_sigslen, i, cidx; 14928fbed61eSchristos int pkeyid = -1; 1493e0ea3921Schristos const SIGALG_LOOKUP *lu; 149452629741Schristos int secbits = 0; 1495e0ea3921Schristos 14968fbed61eSchristos pkeyid = EVP_PKEY_get_id(pkey); 149731b855a0Sspz /* Should never happen */ 1498e0ea3921Schristos if (pkeyid == -1) 149931b855a0Sspz return -1; 1500e0ea3921Schristos if (SSL_IS_TLS13(s)) { 1501e0ea3921Schristos /* Disallow DSA for TLS 1.3 */ 1502e0ea3921Schristos if (pkeyid == EVP_PKEY_DSA) { 15038fbed61eSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 150431b855a0Sspz return 0; 150531b855a0Sspz } 1506e0ea3921Schristos /* Only allow PSS for TLS 1.3 */ 1507e0ea3921Schristos if (pkeyid == EVP_PKEY_RSA) 1508e0ea3921Schristos pkeyid = EVP_PKEY_RSA_PSS; 1509e0ea3921Schristos } 15108fbed61eSchristos lu = tls1_lookup_sigalg(s, sig); 1511e0ea3921Schristos /* 1512e0ea3921Schristos * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type 1513e0ea3921Schristos * is consistent with signature: RSA keys can be used for RSA-PSS 1514e0ea3921Schristos */ 1515e0ea3921Schristos if (lu == NULL 1516e0ea3921Schristos || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) 1517e0ea3921Schristos || (pkeyid != lu->sig 1518e0ea3921Schristos && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { 15198fbed61eSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1520e0ea3921Schristos return 0; 1521e0ea3921Schristos } 1522e0ea3921Schristos /* Check the sigalg is consistent with the key OID */ 15238fbed61eSchristos if (!ssl_cert_lookup_by_nid(EVP_PKEY_get_id(pkey), &cidx) 1524e0ea3921Schristos || lu->sig_idx != (int)cidx) { 15258fbed61eSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1526e0ea3921Schristos return 0; 1527e0ea3921Schristos } 1528e0ea3921Schristos 1529e0ea3921Schristos if (pkeyid == EVP_PKEY_EC) { 1530e0ea3921Schristos 1531e0ea3921Schristos /* Check point compression is permitted */ 1532e0ea3921Schristos if (!tls1_check_pkey_comp(s, pkey)) { 1533e0ea3921Schristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1534e0ea3921Schristos SSL_R_ILLEGAL_POINT_COMPRESSION); 153531b855a0Sspz return 0; 153631b855a0Sspz } 1537e0ea3921Schristos 1538e0ea3921Schristos /* For TLS 1.3 or Suite B check curve matches signature algorithm */ 1539e0ea3921Schristos if (SSL_IS_TLS13(s) || tls1_suiteb(s)) { 15408fbed61eSchristos int curve = ssl_get_EC_curve_nid(pkey); 1541e0ea3921Schristos 1542e0ea3921Schristos if (lu->curve != NID_undef && curve != lu->curve) { 15438fbed61eSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 1544e0ea3921Schristos return 0; 1545e0ea3921Schristos } 1546e0ea3921Schristos } 1547e0ea3921Schristos if (!SSL_IS_TLS13(s)) { 1548e0ea3921Schristos /* Check curve matches extensions */ 1549e0ea3921Schristos if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { 15508fbed61eSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 1551e0ea3921Schristos return 0; 1552e0ea3921Schristos } 155331b855a0Sspz if (tls1_suiteb(s)) { 1554e0ea3921Schristos /* Check sigalg matches a permissible Suite B value */ 1555e0ea3921Schristos if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 1556e0ea3921Schristos && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { 1557e0ea3921Schristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1558e0ea3921Schristos SSL_R_WRONG_SIGNATURE_TYPE); 155931b855a0Sspz return 0; 156031b855a0Sspz } 1561e0ea3921Schristos } 1562e0ea3921Schristos } 1563e0ea3921Schristos } else if (tls1_suiteb(s)) { 15648fbed61eSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 156531b855a0Sspz return 0; 156631b855a0Sspz } 156731b855a0Sspz 156831b855a0Sspz /* Check signature matches a type we sent */ 15695af53050Schristos sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1570e0ea3921Schristos for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 1571e0ea3921Schristos if (sig == *sent_sigs) 157231b855a0Sspz break; 157331b855a0Sspz } 157431b855a0Sspz /* Allow fallback to SHA1 if not strict mode */ 1575e0ea3921Schristos if (i == sent_sigslen && (lu->hash != NID_sha1 157631b855a0Sspz || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 15778fbed61eSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 157831b855a0Sspz return 0; 157931b855a0Sspz } 15808fbed61eSchristos if (!tls1_lookup_md(s->ctx, lu, &md)) { 15818fbed61eSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); 158231b855a0Sspz return 0; 158331b855a0Sspz } 158431b855a0Sspz /* 1585e0ea3921Schristos * Make sure security callback allows algorithm. For historical 1586e0ea3921Schristos * reasons we have to pass the sigalg as a two byte char array. 158731b855a0Sspz */ 1588e0ea3921Schristos sigalgstr[0] = (sig >> 8) & 0xff; 1589e0ea3921Schristos sigalgstr[1] = sig & 0xff; 15908fbed61eSchristos secbits = sigalg_security_bits(s->ctx, lu); 159152629741Schristos if (secbits == 0 || 159252629741Schristos !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, 15938fbed61eSchristos md != NULL ? EVP_MD_get_type(md) : NID_undef, 1594e0ea3921Schristos (void *)sigalgstr)) { 15958fbed61eSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1596e0ea3921Schristos return 0; 1597e0ea3921Schristos } 1598e0ea3921Schristos /* Store the sigalg the peer uses */ 15998fbed61eSchristos s->s3.tmp.peer_sigalg = lu; 1600e0ea3921Schristos return 1; 1601e0ea3921Schristos } 1602e0ea3921Schristos 1603e0ea3921Schristos int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) 1604e0ea3921Schristos { 16058fbed61eSchristos if (s->s3.tmp.peer_sigalg == NULL) 1606e0ea3921Schristos return 0; 16078fbed61eSchristos *pnid = s->s3.tmp.peer_sigalg->sig; 160831b855a0Sspz return 1; 160931b855a0Sspz } 161031b855a0Sspz 1611bf8eace1Schristos int SSL_get_signature_type_nid(const SSL *s, int *pnid) 1612bf8eace1Schristos { 16138fbed61eSchristos if (s->s3.tmp.sigalg == NULL) 1614bf8eace1Schristos return 0; 16158fbed61eSchristos *pnid = s->s3.tmp.sigalg->sig; 1616bf8eace1Schristos return 1; 1617bf8eace1Schristos } 1618bf8eace1Schristos 161931b855a0Sspz /* 16205af53050Schristos * Set a mask of disabled algorithms: an algorithm is disabled if it isn't 16215af53050Schristos * supported, doesn't appear in supported signature algorithms, isn't supported 16225af53050Schristos * by the enabled protocol versions or by the security level. 16235af53050Schristos * 16245af53050Schristos * This function should only be used for checking which ciphers are supported 16255af53050Schristos * by the client. 16265af53050Schristos * 16275af53050Schristos * Call ssl_cipher_disabled() to check that it's enabled or not. 162831b855a0Sspz */ 1629e0ea3921Schristos int ssl_set_client_disabled(SSL *s) 163031b855a0Sspz { 16318fbed61eSchristos s->s3.tmp.mask_a = 0; 16328fbed61eSchristos s->s3.tmp.mask_k = 0; 16338fbed61eSchristos ssl_set_sig_mask(&s->s3.tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); 16348fbed61eSchristos if (ssl_get_min_max_version(s, &s->s3.tmp.min_ver, 16358fbed61eSchristos &s->s3.tmp.max_ver, NULL) != 0) 1636e0ea3921Schristos return 0; 163731b855a0Sspz #ifndef OPENSSL_NO_PSK 163831b855a0Sspz /* with PSK there must be client callback set */ 163931b855a0Sspz if (!s->psk_client_callback) { 16408fbed61eSchristos s->s3.tmp.mask_a |= SSL_aPSK; 16418fbed61eSchristos s->s3.tmp.mask_k |= SSL_PSK; 164231b855a0Sspz } 164331b855a0Sspz #endif /* OPENSSL_NO_PSK */ 164431b855a0Sspz #ifndef OPENSSL_NO_SRP 164531b855a0Sspz if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) { 16468fbed61eSchristos s->s3.tmp.mask_a |= SSL_aSRP; 16478fbed61eSchristos s->s3.tmp.mask_k |= SSL_kSRP; 164831b855a0Sspz } 164931b855a0Sspz #endif 1650e0ea3921Schristos return 1; 16515af53050Schristos } 16525af53050Schristos 16535af53050Schristos /* 16545af53050Schristos * ssl_cipher_disabled - check that a cipher is disabled or not 16555af53050Schristos * @s: SSL connection that you want to use the cipher on 16565af53050Schristos * @c: cipher to check 16575af53050Schristos * @op: Security check that you want to do 16585af53050Schristos * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3 16595af53050Schristos * 16605af53050Schristos * Returns 1 when it's disabled, 0 when enabled. 16615af53050Schristos */ 166252629741Schristos int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe) 16635af53050Schristos { 16648fbed61eSchristos if (c->algorithm_mkey & s->s3.tmp.mask_k 16658fbed61eSchristos || c->algorithm_auth & s->s3.tmp.mask_a) 16665af53050Schristos return 1; 16678fbed61eSchristos if (s->s3.tmp.max_ver == 0) 16685af53050Schristos return 1; 16695af53050Schristos if (!SSL_IS_DTLS(s)) { 16705af53050Schristos int min_tls = c->min_tls; 16715af53050Schristos 16725af53050Schristos /* 16735af53050Schristos * For historical reasons we will allow ECHDE to be selected by a server 16745af53050Schristos * in SSLv3 if we are a client 16755af53050Schristos */ 16765af53050Schristos if (min_tls == TLS1_VERSION && ecdhe 16775af53050Schristos && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0) 16785af53050Schristos min_tls = SSL3_VERSION; 16795af53050Schristos 16808fbed61eSchristos if ((min_tls > s->s3.tmp.max_ver) || (c->max_tls < s->s3.tmp.min_ver)) 16815af53050Schristos return 1; 16825af53050Schristos } 16838fbed61eSchristos if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3.tmp.max_ver) 16848fbed61eSchristos || DTLS_VERSION_LT(c->max_dtls, s->s3.tmp.min_ver))) 16855af53050Schristos return 1; 16865af53050Schristos 16875af53050Schristos return !ssl_security(s, op, c->strength_bits, 0, (void *)c); 16885af53050Schristos } 16895af53050Schristos 1690e0ea3921Schristos int tls_use_ticket(SSL *s) 16915af53050Schristos { 1692e0ea3921Schristos if ((s->options & SSL_OP_NO_TICKET)) 16935af53050Schristos return 0; 16945af53050Schristos return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); 16955af53050Schristos } 16965af53050Schristos 169731b855a0Sspz int tls1_set_server_sigalgs(SSL *s) 169831b855a0Sspz { 169931b855a0Sspz size_t i; 17005af53050Schristos 17015af53050Schristos /* Clear any shared signature algorithms */ 1702403eeac4Schristos OPENSSL_free(s->shared_sigalgs); 1703403eeac4Schristos s->shared_sigalgs = NULL; 1704403eeac4Schristos s->shared_sigalgslen = 0; 1705e0ea3921Schristos /* Clear certificate validity flags */ 1706e0ea3921Schristos for (i = 0; i < SSL_PKEY_NUM; i++) 17078fbed61eSchristos s->s3.tmp.valid_flags[i] = 0; 1708e0ea3921Schristos /* 1709e0ea3921Schristos * If peer sent no signature algorithms check to see if we support 1710e0ea3921Schristos * the default algorithm for each certificate type 1711e0ea3921Schristos */ 17128fbed61eSchristos if (s->s3.tmp.peer_cert_sigalgs == NULL 17138fbed61eSchristos && s->s3.tmp.peer_sigalgs == NULL) { 1714e0ea3921Schristos const uint16_t *sent_sigs; 1715e0ea3921Schristos size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1716e0ea3921Schristos 1717e0ea3921Schristos for (i = 0; i < SSL_PKEY_NUM; i++) { 1718e0ea3921Schristos const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i); 1719e0ea3921Schristos size_t j; 1720e0ea3921Schristos 1721e0ea3921Schristos if (lu == NULL) 1722e0ea3921Schristos continue; 1723e0ea3921Schristos /* Check default matches a type we sent */ 1724e0ea3921Schristos for (j = 0; j < sent_sigslen; j++) { 1725e0ea3921Schristos if (lu->sigalg == sent_sigs[j]) { 17268fbed61eSchristos s->s3.tmp.valid_flags[i] = CERT_PKEY_SIGN; 1727e0ea3921Schristos break; 1728e0ea3921Schristos } 1729e0ea3921Schristos } 1730e0ea3921Schristos } 1731e0ea3921Schristos return 1; 173231b855a0Sspz } 173331b855a0Sspz 173431b855a0Sspz if (!tls1_process_sigalgs(s)) { 17358fbed61eSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1736e0ea3921Schristos return 0; 173731b855a0Sspz } 1738403eeac4Schristos if (s->shared_sigalgs != NULL) 1739e0ea3921Schristos return 1; 1740e0ea3921Schristos 1741e0ea3921Schristos /* Fatal error if no shared signature algorithms */ 17428fbed61eSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 17435af53050Schristos SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); 174431b855a0Sspz return 0; 174531b855a0Sspz } 174631b855a0Sspz 17479cef71b6Sspz /*- 1748e0ea3921Schristos * Gets the ticket information supplied by the client if any. 1749e3d33c04Schristos * 1750e0ea3921Schristos * hello: The parsed ClientHello data 1751e3d33c04Schristos * ret: (output) on return, if a ticket was decrypted, then this is set to 1752e3d33c04Schristos * point to the resulting session. 1753a89c9211Schristos */ 1754e0ea3921Schristos SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello, 17555af53050Schristos SSL_SESSION **ret) 1756a89c9211Schristos { 1757e0ea3921Schristos size_t size; 1758e0ea3921Schristos RAW_EXTENSION *ticketext; 1759a89c9211Schristos 1760e3d33c04Schristos *ret = NULL; 1761e0ea3921Schristos s->ext.ticket_expected = 0; 1762e3d33c04Schristos 17639cef71b6Sspz /* 1764e0ea3921Schristos * If tickets disabled or not supported by the protocol version 1765e0ea3921Schristos * (e.g. TLSv1.3) behave as if no ticket present to permit stateful 17669cef71b6Sspz * resumption. 1767a89c9211Schristos */ 1768e0ea3921Schristos if (s->version <= SSL3_VERSION || !tls_use_ticket(s)) 1769e0ea3921Schristos return SSL_TICKET_NONE; 177031b855a0Sspz 1771e0ea3921Schristos ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket]; 1772e0ea3921Schristos if (!ticketext->present) 1773e0ea3921Schristos return SSL_TICKET_NONE; 177431b855a0Sspz 1775e0ea3921Schristos size = PACKET_remaining(&ticketext->data); 17765af53050Schristos 1777e0ea3921Schristos return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size, 1778e0ea3921Schristos hello->session_id, hello->session_id_len, ret); 1779a89c9211Schristos } 1780a89c9211Schristos 17819cef71b6Sspz /*- 17829cef71b6Sspz * tls_decrypt_ticket attempts to decrypt a session ticket. 1783e3d33c04Schristos * 1784e0ea3921Schristos * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are 1785e0ea3921Schristos * expecting a pre-shared key ciphersuite, in which case we have no use for 1786e0ea3921Schristos * session tickets and one will never be decrypted, nor will 1787e0ea3921Schristos * s->ext.ticket_expected be set to 1. 1788e0ea3921Schristos * 1789e0ea3921Schristos * Side effects: 1790e0ea3921Schristos * Sets s->ext.ticket_expected to 1 if the server will have to issue 1791e0ea3921Schristos * a new session ticket to the client because the client indicated support 1792e0ea3921Schristos * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 1793e0ea3921Schristos * a session ticket or we couldn't use the one it gave us, or if 1794e0ea3921Schristos * s->ctx->ext.ticket_key_cb asked to renew the client's ticket. 1795e0ea3921Schristos * Otherwise, s->ext.ticket_expected is set to 0. 1796e0ea3921Schristos * 1797e3d33c04Schristos * etick: points to the body of the session ticket extension. 17985af53050Schristos * eticklen: the length of the session tickets extension. 1799e3d33c04Schristos * sess_id: points at the session ID. 1800e3d33c04Schristos * sesslen: the length of the session ID. 1801e3d33c04Schristos * psess: (output) on return, if a ticket was decrypted, then this is set to 1802e3d33c04Schristos * point to the resulting session. 1803e3d33c04Schristos */ 1804e0ea3921Schristos SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, 1805e0ea3921Schristos size_t eticklen, const unsigned char *sess_id, 1806e0ea3921Schristos size_t sesslen, SSL_SESSION **psess) 1807a89c9211Schristos { 1808e0ea3921Schristos SSL_SESSION *sess = NULL; 1809a89c9211Schristos unsigned char *sdec; 1810a89c9211Schristos const unsigned char *p; 18118fbed61eSchristos int slen, ivlen, renew_ticket = 0, declen; 1812e0ea3921Schristos SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER; 1813e0ea3921Schristos size_t mlen; 1814a89c9211Schristos unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 18158fbed61eSchristos SSL_HMAC *hctx = NULL; 181678327f04Schristos EVP_CIPHER_CTX *ctx = NULL; 18175af53050Schristos SSL_CTX *tctx = s->session_ctx; 181831b855a0Sspz 1819e0ea3921Schristos if (eticklen == 0) { 1820e0ea3921Schristos /* 1821e0ea3921Schristos * The client will accept a ticket but doesn't currently have 1822e0ea3921Schristos * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3 1823e0ea3921Schristos */ 1824e0ea3921Schristos ret = SSL_TICKET_EMPTY; 1825e0ea3921Schristos goto end; 1826e0ea3921Schristos } 1827e0ea3921Schristos if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) { 1828e0ea3921Schristos /* 1829e0ea3921Schristos * Indicate that the ticket couldn't be decrypted rather than 1830e0ea3921Schristos * generating the session from ticket now, trigger 1831e0ea3921Schristos * abbreviated handshake based on external mechanism to 1832e0ea3921Schristos * calculate the master secret later. 1833e0ea3921Schristos */ 1834e0ea3921Schristos ret = SSL_TICKET_NO_DECRYPT; 1835e0ea3921Schristos goto end; 1836e0ea3921Schristos } 1837e0ea3921Schristos 183878327f04Schristos /* Need at least keyname + iv */ 183978327f04Schristos if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) { 1840e0ea3921Schristos ret = SSL_TICKET_NO_DECRYPT; 1841e0ea3921Schristos goto end; 184278327f04Schristos } 184378327f04Schristos 1844a89c9211Schristos /* Initialize session ticket encryption and HMAC contexts */ 18458fbed61eSchristos hctx = ssl_hmac_new(tctx); 1846e0ea3921Schristos if (hctx == NULL) { 1847e0ea3921Schristos ret = SSL_TICKET_FATAL_ERR_MALLOC; 1848e0ea3921Schristos goto end; 1849e0ea3921Schristos } 18505af53050Schristos ctx = EVP_CIPHER_CTX_new(); 18515af53050Schristos if (ctx == NULL) { 1852e0ea3921Schristos ret = SSL_TICKET_FATAL_ERR_MALLOC; 1853e0ea3921Schristos goto end; 18545af53050Schristos } 18558fbed61eSchristos #ifndef OPENSSL_NO_DEPRECATED_3_0 18568fbed61eSchristos if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL) 18578fbed61eSchristos #else 18588fbed61eSchristos if (tctx->ext.ticket_key_evp_cb != NULL) 18598fbed61eSchristos #endif 18608fbed61eSchristos { 1861a89c9211Schristos unsigned char *nctick = (unsigned char *)etick; 18628fbed61eSchristos int rv = 0; 18638fbed61eSchristos 18648fbed61eSchristos if (tctx->ext.ticket_key_evp_cb != NULL) 18658fbed61eSchristos rv = tctx->ext.ticket_key_evp_cb(s, nctick, 186678327f04Schristos nctick + TLSEXT_KEYNAME_LENGTH, 18678fbed61eSchristos ctx, 18688fbed61eSchristos ssl_hmac_get0_EVP_MAC_CTX(hctx), 18698fbed61eSchristos 0); 18708fbed61eSchristos #ifndef OPENSSL_NO_DEPRECATED_3_0 18718fbed61eSchristos else if (tctx->ext.ticket_key_cb != NULL) 18728fbed61eSchristos /* if 0 is returned, write an empty ticket */ 18738fbed61eSchristos rv = tctx->ext.ticket_key_cb(s, nctick, 18748fbed61eSchristos nctick + TLSEXT_KEYNAME_LENGTH, 18758fbed61eSchristos ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0); 18768fbed61eSchristos #endif 1877e0ea3921Schristos if (rv < 0) { 1878e0ea3921Schristos ret = SSL_TICKET_FATAL_ERR_OTHER; 1879e0ea3921Schristos goto end; 1880e0ea3921Schristos } 18815af53050Schristos if (rv == 0) { 1882e0ea3921Schristos ret = SSL_TICKET_NO_DECRYPT; 1883e0ea3921Schristos goto end; 18845af53050Schristos } 1885a89c9211Schristos if (rv == 2) 1886a89c9211Schristos renew_ticket = 1; 18879cef71b6Sspz } else { 18888fbed61eSchristos EVP_CIPHER *aes256cbc = NULL; 18898fbed61eSchristos 1890a89c9211Schristos /* Check key name matches */ 1891e0ea3921Schristos if (memcmp(etick, tctx->ext.tick_key_name, 189278327f04Schristos TLSEXT_KEYNAME_LENGTH) != 0) { 1893e0ea3921Schristos ret = SSL_TICKET_NO_DECRYPT; 1894e0ea3921Schristos goto end; 18955af53050Schristos } 18968fbed61eSchristos 18978fbed61eSchristos aes256cbc = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC", 18988fbed61eSchristos s->ctx->propq); 18998fbed61eSchristos if (aes256cbc == NULL 19008fbed61eSchristos || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, 1901e0ea3921Schristos sizeof(tctx->ext.secure->tick_hmac_key), 19028fbed61eSchristos "SHA256") <= 0 19038fbed61eSchristos || EVP_DecryptInit_ex(ctx, aes256cbc, NULL, 1904e0ea3921Schristos tctx->ext.secure->tick_aes_key, 190578327f04Schristos etick + TLSEXT_KEYNAME_LENGTH) <= 0) { 19068fbed61eSchristos EVP_CIPHER_free(aes256cbc); 1907e0ea3921Schristos ret = SSL_TICKET_FATAL_ERR_OTHER; 1908e0ea3921Schristos goto end; 1909261bb388Schristos } 19108fbed61eSchristos EVP_CIPHER_free(aes256cbc); 1911e0ea3921Schristos if (SSL_IS_TLS13(s)) 1912e0ea3921Schristos renew_ticket = 1; 1913a89c9211Schristos } 19149cef71b6Sspz /* 19159cef71b6Sspz * Attempt to process session ticket, first conduct sanity and integrity 19169cef71b6Sspz * checks on ticket. 1917a89c9211Schristos */ 19188fbed61eSchristos mlen = ssl_hmac_size(hctx); 1919e0ea3921Schristos if (mlen == 0) { 1920e0ea3921Schristos ret = SSL_TICKET_FATAL_ERR_OTHER; 1921e0ea3921Schristos goto end; 1922a89c9211Schristos } 1923e0ea3921Schristos 19248fbed61eSchristos ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); 19258fbed61eSchristos if (ivlen < 0) { 19268fbed61eSchristos ret = SSL_TICKET_FATAL_ERR_OTHER; 19278fbed61eSchristos goto end; 19288fbed61eSchristos } 19298fbed61eSchristos 193031b855a0Sspz /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 19318fbed61eSchristos if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) { 1932e0ea3921Schristos ret = SSL_TICKET_NO_DECRYPT; 1933e0ea3921Schristos goto end; 1934261bb388Schristos } 19355af53050Schristos eticklen -= mlen; 19365af53050Schristos /* Check HMAC of encrypted ticket */ 19378fbed61eSchristos if (ssl_hmac_update(hctx, etick, eticklen) <= 0 19388fbed61eSchristos || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) { 1939e0ea3921Schristos ret = SSL_TICKET_FATAL_ERR_OTHER; 1940e0ea3921Schristos goto end; 19415af53050Schristos } 1942e0ea3921Schristos 19439cef71b6Sspz if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 1944e0ea3921Schristos ret = SSL_TICKET_NO_DECRYPT; 1945e0ea3921Schristos goto end; 1946e289ce59Sspz } 1947a89c9211Schristos /* Attempt to decrypt session data */ 1948a89c9211Schristos /* Move p after IV to start of encrypted ticket, update length */ 19498fbed61eSchristos p = etick + TLSEXT_KEYNAME_LENGTH + ivlen; 19508fbed61eSchristos eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen; 1951a89c9211Schristos sdec = OPENSSL_malloc(eticklen); 1952e0ea3921Schristos if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, 1953e0ea3921Schristos (int)eticklen) <= 0) { 1954411ef98eSchristos OPENSSL_free(sdec); 1955e0ea3921Schristos ret = SSL_TICKET_FATAL_ERR_OTHER; 1956e0ea3921Schristos goto end; 1957a89c9211Schristos } 1958e0ea3921Schristos if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) { 19593beda010Sspz OPENSSL_free(sdec); 1960e0ea3921Schristos ret = SSL_TICKET_NO_DECRYPT; 1961e0ea3921Schristos goto end; 19623beda010Sspz } 1963e0ea3921Schristos slen += declen; 1964a89c9211Schristos p = sdec; 1965a89c9211Schristos 1966a89c9211Schristos sess = d2i_SSL_SESSION(NULL, &p, slen); 19675af53050Schristos slen -= p - sdec; 1968a89c9211Schristos OPENSSL_free(sdec); 19699cef71b6Sspz if (sess) { 19705af53050Schristos /* Some additional consistency checks */ 1971e0ea3921Schristos if (slen != 0) { 19725af53050Schristos SSL_SESSION_free(sess); 1973e0ea3921Schristos sess = NULL; 1974e0ea3921Schristos ret = SSL_TICKET_NO_DECRYPT; 1975e0ea3921Schristos goto end; 19765af53050Schristos } 19779cef71b6Sspz /* 19789cef71b6Sspz * The session ID, if non-empty, is used by some clients to detect 19799cef71b6Sspz * that the ticket has been accepted. So we copy it to the session 19809cef71b6Sspz * structure. If it is empty set length to zero as required by 19819cef71b6Sspz * standard. 1982a89c9211Schristos */ 1983e0ea3921Schristos if (sesslen) { 1984a89c9211Schristos memcpy(sess->session_id, sess_id, sesslen); 1985a89c9211Schristos sess->session_id_length = sesslen; 1986e0ea3921Schristos } 1987e3d33c04Schristos if (renew_ticket) 1988e0ea3921Schristos ret = SSL_TICKET_SUCCESS_RENEW; 1989e3d33c04Schristos else 1990e0ea3921Schristos ret = SSL_TICKET_SUCCESS; 1991e0ea3921Schristos goto end; 1992a89c9211Schristos } 1993e3d33c04Schristos ERR_clear_error(); 19949cef71b6Sspz /* 19959cef71b6Sspz * For session parse failure, indicate that we need to send a new ticket. 19969cef71b6Sspz */ 1997e0ea3921Schristos ret = SSL_TICKET_NO_DECRYPT; 1998e0ea3921Schristos 1999e0ea3921Schristos end: 20005af53050Schristos EVP_CIPHER_CTX_free(ctx); 20018fbed61eSchristos ssl_hmac_free(hctx); 2002e0ea3921Schristos 2003e0ea3921Schristos /* 2004e0ea3921Schristos * If set, the decrypt_ticket_cb() is called unless a fatal error was 2005e0ea3921Schristos * detected above. The callback is responsible for checking |ret| before it 2006e0ea3921Schristos * performs any action 2007e0ea3921Schristos */ 2008e0ea3921Schristos if (s->session_ctx->decrypt_ticket_cb != NULL 2009e0ea3921Schristos && (ret == SSL_TICKET_EMPTY 2010e0ea3921Schristos || ret == SSL_TICKET_NO_DECRYPT 2011e0ea3921Schristos || ret == SSL_TICKET_SUCCESS 2012e0ea3921Schristos || ret == SSL_TICKET_SUCCESS_RENEW)) { 2013e0ea3921Schristos size_t keyname_len = eticklen; 2014e0ea3921Schristos int retcb; 2015e0ea3921Schristos 2016e0ea3921Schristos if (keyname_len > TLSEXT_KEYNAME_LENGTH) 2017e0ea3921Schristos keyname_len = TLSEXT_KEYNAME_LENGTH; 2018e0ea3921Schristos retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len, 2019e0ea3921Schristos ret, 2020e0ea3921Schristos s->session_ctx->ticket_cb_data); 2021e0ea3921Schristos switch (retcb) { 2022e0ea3921Schristos case SSL_TICKET_RETURN_ABORT: 2023e0ea3921Schristos ret = SSL_TICKET_FATAL_ERR_OTHER; 2024e0ea3921Schristos break; 2025e0ea3921Schristos 2026e0ea3921Schristos case SSL_TICKET_RETURN_IGNORE: 2027e0ea3921Schristos ret = SSL_TICKET_NONE; 2028e0ea3921Schristos SSL_SESSION_free(sess); 2029e0ea3921Schristos sess = NULL; 2030e0ea3921Schristos break; 2031e0ea3921Schristos 2032e0ea3921Schristos case SSL_TICKET_RETURN_IGNORE_RENEW: 2033e0ea3921Schristos if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT) 2034e0ea3921Schristos ret = SSL_TICKET_NO_DECRYPT; 2035e0ea3921Schristos /* else the value of |ret| will already do the right thing */ 2036e0ea3921Schristos SSL_SESSION_free(sess); 2037e0ea3921Schristos sess = NULL; 2038e0ea3921Schristos break; 2039e0ea3921Schristos 2040e0ea3921Schristos case SSL_TICKET_RETURN_USE: 2041e0ea3921Schristos case SSL_TICKET_RETURN_USE_RENEW: 2042e0ea3921Schristos if (ret != SSL_TICKET_SUCCESS 2043e0ea3921Schristos && ret != SSL_TICKET_SUCCESS_RENEW) 2044e0ea3921Schristos ret = SSL_TICKET_FATAL_ERR_OTHER; 2045e0ea3921Schristos else if (retcb == SSL_TICKET_RETURN_USE) 2046e0ea3921Schristos ret = SSL_TICKET_SUCCESS; 2047e0ea3921Schristos else 2048e0ea3921Schristos ret = SSL_TICKET_SUCCESS_RENEW; 2049e0ea3921Schristos break; 2050e0ea3921Schristos 2051e0ea3921Schristos default: 2052e0ea3921Schristos ret = SSL_TICKET_FATAL_ERR_OTHER; 2053e0ea3921Schristos } 2054e0ea3921Schristos } 2055e0ea3921Schristos 2056e0ea3921Schristos if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) { 2057e0ea3921Schristos switch (ret) { 2058e0ea3921Schristos case SSL_TICKET_NO_DECRYPT: 2059e0ea3921Schristos case SSL_TICKET_SUCCESS_RENEW: 2060e0ea3921Schristos case SSL_TICKET_EMPTY: 2061e0ea3921Schristos s->ext.ticket_expected = 1; 2062e0ea3921Schristos } 2063e0ea3921Schristos } 2064e0ea3921Schristos 2065e0ea3921Schristos *psess = sess; 2066e0ea3921Schristos 20675af53050Schristos return ret; 2068a89c9211Schristos } 2069a89c9211Schristos 20705af53050Schristos /* Check to see if a signature algorithm is allowed */ 207152629741Schristos static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) 20725af53050Schristos { 2073e0ea3921Schristos unsigned char sigalgstr[2]; 2074e0ea3921Schristos int secbits; 2075e0ea3921Schristos 20768fbed61eSchristos if (lu == NULL || !lu->enabled) 20775af53050Schristos return 0; 2078e0ea3921Schristos /* DSA is not allowed in TLS 1.3 */ 2079e0ea3921Schristos if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) 2080e0ea3921Schristos return 0; 20818fbed61eSchristos /* 20828fbed61eSchristos * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3 20838fbed61eSchristos * spec 20848fbed61eSchristos */ 20858fbed61eSchristos if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION 2086e0ea3921Schristos && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX 2087e0ea3921Schristos || lu->hash_idx == SSL_MD_MD5_IDX 2088e0ea3921Schristos || lu->hash_idx == SSL_MD_SHA224_IDX)) 2089e0ea3921Schristos return 0; 2090e0ea3921Schristos 20915af53050Schristos /* See if public key algorithm allowed */ 20928fbed61eSchristos if (ssl_cert_is_disabled(s->ctx, lu->sig_idx)) 20935af53050Schristos return 0; 2094e0ea3921Schristos 2095e0ea3921Schristos if (lu->sig == NID_id_GostR3410_2012_256 2096e0ea3921Schristos || lu->sig == NID_id_GostR3410_2012_512 2097e0ea3921Schristos || lu->sig == NID_id_GostR3410_2001) { 2098e0ea3921Schristos /* We never allow GOST sig algs on the server with TLSv1.3 */ 2099e0ea3921Schristos if (s->server && SSL_IS_TLS13(s)) 2100e0ea3921Schristos return 0; 2101e0ea3921Schristos if (!s->server 2102e0ea3921Schristos && s->method->version == TLS_ANY_VERSION 21038fbed61eSchristos && s->s3.tmp.max_ver >= TLS1_3_VERSION) { 2104e0ea3921Schristos int i, num; 2105e0ea3921Schristos STACK_OF(SSL_CIPHER) *sk; 2106e0ea3921Schristos 2107e0ea3921Schristos /* 2108e0ea3921Schristos * We're a client that could negotiate TLSv1.3. We only allow GOST 2109e0ea3921Schristos * sig algs if we could negotiate TLSv1.2 or below and we have GOST 2110e0ea3921Schristos * ciphersuites enabled. 2111e0ea3921Schristos */ 2112e0ea3921Schristos 21138fbed61eSchristos if (s->s3.tmp.min_ver >= TLS1_3_VERSION) 2114e0ea3921Schristos return 0; 2115e0ea3921Schristos 2116e0ea3921Schristos sk = SSL_get_ciphers(s); 2117e0ea3921Schristos num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0; 2118e0ea3921Schristos for (i = 0; i < num; i++) { 2119e0ea3921Schristos const SSL_CIPHER *c; 2120e0ea3921Schristos 2121e0ea3921Schristos c = sk_SSL_CIPHER_value(sk, i); 2122e0ea3921Schristos /* Skip disabled ciphers */ 2123e0ea3921Schristos if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 2124e0ea3921Schristos continue; 2125e0ea3921Schristos 21268fbed61eSchristos if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0) 2127e0ea3921Schristos break; 2128e0ea3921Schristos } 2129e0ea3921Schristos if (i == num) 2130e0ea3921Schristos return 0; 2131e0ea3921Schristos } 2132e0ea3921Schristos } 2133e0ea3921Schristos 21345af53050Schristos /* Finally see if security callback allows it */ 21358fbed61eSchristos secbits = sigalg_security_bits(s->ctx, lu); 2136e0ea3921Schristos sigalgstr[0] = (lu->sigalg >> 8) & 0xff; 2137e0ea3921Schristos sigalgstr[1] = lu->sigalg & 0xff; 2138e0ea3921Schristos return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr); 21395af53050Schristos } 21405af53050Schristos 21415af53050Schristos /* 21425af53050Schristos * Get a mask of disabled public key algorithms based on supported signature 21435af53050Schristos * algorithms. For example if no signature algorithm supports RSA then RSA is 21445af53050Schristos * disabled. 21455af53050Schristos */ 21465af53050Schristos 21475af53050Schristos void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) 21485af53050Schristos { 2149e0ea3921Schristos const uint16_t *sigalgs; 21505af53050Schristos size_t i, sigalgslen; 2151e0ea3921Schristos uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA; 21525af53050Schristos /* 2153e0ea3921Schristos * Go through all signature algorithms seeing if we support any 2154e0ea3921Schristos * in disabled_mask. 21555af53050Schristos */ 21565af53050Schristos sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs); 2157e0ea3921Schristos for (i = 0; i < sigalgslen; i++, sigalgs++) { 21588fbed61eSchristos const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *sigalgs); 2159e0ea3921Schristos const SSL_CERT_LOOKUP *clu; 2160e0ea3921Schristos 2161e0ea3921Schristos if (lu == NULL) 2162e0ea3921Schristos continue; 2163e0ea3921Schristos 2164e0ea3921Schristos clu = ssl_cert_lookup_by_idx(lu->sig_idx); 2165e0ea3921Schristos if (clu == NULL) 2166e0ea3921Schristos continue; 2167e0ea3921Schristos 2168e0ea3921Schristos /* If algorithm is disabled see if we can enable it */ 2169e0ea3921Schristos if ((clu->amask & disabled_mask) != 0 2170e0ea3921Schristos && tls12_sigalg_allowed(s, op, lu)) 2171e0ea3921Schristos disabled_mask &= ~clu->amask; 21725af53050Schristos } 2173e0ea3921Schristos *pmask_a |= disabled_mask; 21745af53050Schristos } 21755af53050Schristos 2176e0ea3921Schristos int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, 2177e0ea3921Schristos const uint16_t *psig, size_t psiglen) 21785af53050Schristos { 21795af53050Schristos size_t i; 2180e0ea3921Schristos int rv = 0; 2181e0ea3921Schristos 2182e0ea3921Schristos for (i = 0; i < psiglen; i++, psig++) { 21838fbed61eSchristos const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *psig); 2184e0ea3921Schristos 21858fbed61eSchristos if (lu == NULL 21868fbed61eSchristos || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 2187e0ea3921Schristos continue; 2188e0ea3921Schristos if (!WPACKET_put_bytes_u16(pkt, *psig)) 2189e0ea3921Schristos return 0; 2190e0ea3921Schristos /* 2191e0ea3921Schristos * If TLS 1.3 must have at least one valid TLS 1.3 message 2192e0ea3921Schristos * signing algorithm: i.e. neither RSA nor SHA1/SHA224 2193e0ea3921Schristos */ 2194e0ea3921Schristos if (rv == 0 && (!SSL_IS_TLS13(s) 2195e0ea3921Schristos || (lu->sig != EVP_PKEY_RSA 2196e0ea3921Schristos && lu->hash != NID_sha1 2197e0ea3921Schristos && lu->hash != NID_sha224))) 2198e0ea3921Schristos rv = 1; 21995af53050Schristos } 2200e0ea3921Schristos if (rv == 0) 22018fbed61eSchristos ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 2202e0ea3921Schristos return rv; 22035af53050Schristos } 22045af53050Schristos 220531b855a0Sspz /* Given preference and allowed sigalgs set shared sigalgs */ 2206e0ea3921Schristos static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig, 2207e0ea3921Schristos const uint16_t *pref, size_t preflen, 2208e0ea3921Schristos const uint16_t *allow, size_t allowlen) 220931b855a0Sspz { 2210e0ea3921Schristos const uint16_t *ptmp, *atmp; 221131b855a0Sspz size_t i, j, nmatch = 0; 2212e0ea3921Schristos for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { 22138fbed61eSchristos const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *ptmp); 2214e0ea3921Schristos 221531b855a0Sspz /* Skip disabled hashes or signature algorithms */ 22168fbed61eSchristos if (lu == NULL 22178fbed61eSchristos || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) 221831b855a0Sspz continue; 2219e0ea3921Schristos for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { 2220e0ea3921Schristos if (*ptmp == *atmp) { 222131b855a0Sspz nmatch++; 2222e0ea3921Schristos if (shsig) 2223e0ea3921Schristos *shsig++ = lu; 222431b855a0Sspz break; 222531b855a0Sspz } 222631b855a0Sspz } 222731b855a0Sspz } 222831b855a0Sspz return nmatch; 222931b855a0Sspz } 223031b855a0Sspz 223131b855a0Sspz /* Set shared signature algorithms for SSL structures */ 223231b855a0Sspz static int tls1_set_shared_sigalgs(SSL *s) 223331b855a0Sspz { 2234e0ea3921Schristos const uint16_t *pref, *allow, *conf; 223531b855a0Sspz size_t preflen, allowlen, conflen; 223631b855a0Sspz size_t nmatch; 2237e0ea3921Schristos const SIGALG_LOOKUP **salgs = NULL; 223831b855a0Sspz CERT *c = s->cert; 223931b855a0Sspz unsigned int is_suiteb = tls1_suiteb(s); 22405af53050Schristos 2241403eeac4Schristos OPENSSL_free(s->shared_sigalgs); 2242403eeac4Schristos s->shared_sigalgs = NULL; 2243403eeac4Schristos s->shared_sigalgslen = 0; 224431b855a0Sspz /* If client use client signature algorithms if not NULL */ 224531b855a0Sspz if (!s->server && c->client_sigalgs && !is_suiteb) { 224631b855a0Sspz conf = c->client_sigalgs; 224731b855a0Sspz conflen = c->client_sigalgslen; 224831b855a0Sspz } else if (c->conf_sigalgs && !is_suiteb) { 224931b855a0Sspz conf = c->conf_sigalgs; 225031b855a0Sspz conflen = c->conf_sigalgslen; 225131b855a0Sspz } else 22525af53050Schristos conflen = tls12_get_psigalgs(s, 0, &conf); 225331b855a0Sspz if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { 225431b855a0Sspz pref = conf; 225531b855a0Sspz preflen = conflen; 22568fbed61eSchristos allow = s->s3.tmp.peer_sigalgs; 22578fbed61eSchristos allowlen = s->s3.tmp.peer_sigalgslen; 225831b855a0Sspz } else { 225931b855a0Sspz allow = conf; 226031b855a0Sspz allowlen = conflen; 22618fbed61eSchristos pref = s->s3.tmp.peer_sigalgs; 22628fbed61eSchristos preflen = s->s3.tmp.peer_sigalgslen; 226331b855a0Sspz } 22645af53050Schristos nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); 226531b855a0Sspz if (nmatch) { 2266e0ea3921Schristos if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) { 22678fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 226831b855a0Sspz return 0; 2269e0ea3921Schristos } 22705af53050Schristos nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); 227131b855a0Sspz } else { 227231b855a0Sspz salgs = NULL; 227331b855a0Sspz } 2274403eeac4Schristos s->shared_sigalgs = salgs; 2275403eeac4Schristos s->shared_sigalgslen = nmatch; 227631b855a0Sspz return 1; 227731b855a0Sspz } 227831b855a0Sspz 2279e0ea3921Schristos int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) 22805bf0fb60Sspz { 2281e0ea3921Schristos unsigned int stmp; 2282e0ea3921Schristos size_t size, i; 2283e0ea3921Schristos uint16_t *buf; 2284e0ea3921Schristos 2285e0ea3921Schristos size = PACKET_remaining(pkt); 2286e0ea3921Schristos 2287e0ea3921Schristos /* Invalid data length */ 2288e0ea3921Schristos if (size == 0 || (size & 1) != 0) 2289e0ea3921Schristos return 0; 2290e0ea3921Schristos 2291e0ea3921Schristos size >>= 1; 2292e0ea3921Schristos 2293e0ea3921Schristos if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) { 22948fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2295e0ea3921Schristos return 0; 2296e0ea3921Schristos } 2297e0ea3921Schristos for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) 2298e0ea3921Schristos buf[i] = stmp; 2299e0ea3921Schristos 2300e0ea3921Schristos if (i != size) { 2301e0ea3921Schristos OPENSSL_free(buf); 2302e0ea3921Schristos return 0; 2303e0ea3921Schristos } 2304e0ea3921Schristos 2305e0ea3921Schristos OPENSSL_free(*pdest); 2306e0ea3921Schristos *pdest = buf; 2307e0ea3921Schristos *pdestlen = size; 2308e0ea3921Schristos 2309e0ea3921Schristos return 1; 2310e0ea3921Schristos } 2311e0ea3921Schristos 2312e0ea3921Schristos int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert) 2313e0ea3921Schristos { 231431b855a0Sspz /* Extension ignored for inappropriate versions */ 231531b855a0Sspz if (!SSL_USE_SIGALGS(s)) 23165bf0fb60Sspz return 1; 23175bf0fb60Sspz /* Should never happen */ 2318e0ea3921Schristos if (s->cert == NULL) 23195bf0fb60Sspz return 0; 23205bf0fb60Sspz 2321e0ea3921Schristos if (cert) 23228fbed61eSchristos return tls1_save_u16(pkt, &s->s3.tmp.peer_cert_sigalgs, 23238fbed61eSchristos &s->s3.tmp.peer_cert_sigalgslen); 2324e0ea3921Schristos else 23258fbed61eSchristos return tls1_save_u16(pkt, &s->s3.tmp.peer_sigalgs, 23268fbed61eSchristos &s->s3.tmp.peer_sigalgslen); 2327e0ea3921Schristos 23285bf0fb60Sspz } 23295bf0fb60Sspz 2330e0ea3921Schristos /* Set preferred digest for each key type */ 2331e0ea3921Schristos 233231b855a0Sspz int tls1_process_sigalgs(SSL *s) 233331b855a0Sspz { 233431b855a0Sspz size_t i; 23358fbed61eSchristos uint32_t *pvalid = s->s3.tmp.valid_flags; 2336e0ea3921Schristos 233731b855a0Sspz if (!tls1_set_shared_sigalgs(s)) 233831b855a0Sspz return 0; 233931b855a0Sspz 2340e0ea3921Schristos for (i = 0; i < SSL_PKEY_NUM; i++) 2341e0ea3921Schristos pvalid[i] = 0; 23425bf0fb60Sspz 2343403eeac4Schristos for (i = 0; i < s->shared_sigalgslen; i++) { 2344403eeac4Schristos const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i]; 2345e0ea3921Schristos int idx = sigptr->sig_idx; 2346e0ea3921Schristos 2347e0ea3921Schristos /* Ignore PKCS1 based sig algs in TLSv1.3 */ 2348e0ea3921Schristos if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) 2349e0ea3921Schristos continue; 2350e0ea3921Schristos /* If not disabled indicate we can explicitly sign */ 23518fbed61eSchristos if (pvalid[idx] == 0 && !ssl_cert_is_disabled(s->ctx, idx)) 2352e0ea3921Schristos pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 235331b855a0Sspz } 23545bf0fb60Sspz return 1; 23555bf0fb60Sspz } 23565bf0fb60Sspz 235731b855a0Sspz int SSL_get_sigalgs(SSL *s, int idx, 235831b855a0Sspz int *psign, int *phash, int *psignhash, 235931b855a0Sspz unsigned char *rsig, unsigned char *rhash) 236031b855a0Sspz { 23618fbed61eSchristos uint16_t *psig = s->s3.tmp.peer_sigalgs; 23628fbed61eSchristos size_t numsigalgs = s->s3.tmp.peer_sigalgslen; 2363e0ea3921Schristos if (psig == NULL || numsigalgs > INT_MAX) 236431b855a0Sspz return 0; 236531b855a0Sspz if (idx >= 0) { 2366e0ea3921Schristos const SIGALG_LOOKUP *lu; 2367e0ea3921Schristos 2368e0ea3921Schristos if (idx >= (int)numsigalgs) 236931b855a0Sspz return 0; 237031b855a0Sspz psig += idx; 2371e0ea3921Schristos if (rhash != NULL) 2372e0ea3921Schristos *rhash = (unsigned char)((*psig >> 8) & 0xff); 2373e0ea3921Schristos if (rsig != NULL) 2374e0ea3921Schristos *rsig = (unsigned char)(*psig & 0xff); 23758fbed61eSchristos lu = tls1_lookup_sigalg(s, *psig); 2376e0ea3921Schristos if (psign != NULL) 2377e0ea3921Schristos *psign = lu != NULL ? lu->sig : NID_undef; 2378e0ea3921Schristos if (phash != NULL) 2379e0ea3921Schristos *phash = lu != NULL ? lu->hash : NID_undef; 2380e0ea3921Schristos if (psignhash != NULL) 2381e0ea3921Schristos *psignhash = lu != NULL ? lu->sigandhash : NID_undef; 238231b855a0Sspz } 2383e0ea3921Schristos return (int)numsigalgs; 238431b855a0Sspz } 238531b855a0Sspz 238631b855a0Sspz int SSL_get_shared_sigalgs(SSL *s, int idx, 238731b855a0Sspz int *psign, int *phash, int *psignhash, 238831b855a0Sspz unsigned char *rsig, unsigned char *rhash) 238931b855a0Sspz { 2390e0ea3921Schristos const SIGALG_LOOKUP *shsigalgs; 2391403eeac4Schristos if (s->shared_sigalgs == NULL 2392e0ea3921Schristos || idx < 0 2393403eeac4Schristos || idx >= (int)s->shared_sigalgslen 2394403eeac4Schristos || s->shared_sigalgslen > INT_MAX) 239531b855a0Sspz return 0; 2396403eeac4Schristos shsigalgs = s->shared_sigalgs[idx]; 2397e0ea3921Schristos if (phash != NULL) 2398e0ea3921Schristos *phash = shsigalgs->hash; 2399e0ea3921Schristos if (psign != NULL) 2400e0ea3921Schristos *psign = shsigalgs->sig; 2401e0ea3921Schristos if (psignhash != NULL) 2402e0ea3921Schristos *psignhash = shsigalgs->sigandhash; 2403e0ea3921Schristos if (rsig != NULL) 2404e0ea3921Schristos *rsig = (unsigned char)(shsigalgs->sigalg & 0xff); 2405e0ea3921Schristos if (rhash != NULL) 2406e0ea3921Schristos *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff); 2407403eeac4Schristos return (int)s->shared_sigalgslen; 240831b855a0Sspz } 2409e3d33c04Schristos 2410e0ea3921Schristos /* Maximum possible number of unique entries in sigalgs array */ 2411e0ea3921Schristos #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2) 241231b855a0Sspz 241331b855a0Sspz typedef struct { 241431b855a0Sspz size_t sigalgcnt; 2415e0ea3921Schristos /* TLSEXT_SIGALG_XXX values */ 2416e0ea3921Schristos uint16_t sigalgs[TLS_MAX_SIGALGCNT]; 241731b855a0Sspz } sig_cb_st; 241831b855a0Sspz 24195af53050Schristos static void get_sigorhash(int *psig, int *phash, const char *str) 24205af53050Schristos { 24215af53050Schristos if (strcmp(str, "RSA") == 0) { 24225af53050Schristos *psig = EVP_PKEY_RSA; 2423e0ea3921Schristos } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) { 2424e0ea3921Schristos *psig = EVP_PKEY_RSA_PSS; 24255af53050Schristos } else if (strcmp(str, "DSA") == 0) { 24265af53050Schristos *psig = EVP_PKEY_DSA; 24275af53050Schristos } else if (strcmp(str, "ECDSA") == 0) { 24285af53050Schristos *psig = EVP_PKEY_EC; 24295af53050Schristos } else { 24305af53050Schristos *phash = OBJ_sn2nid(str); 24315af53050Schristos if (*phash == NID_undef) 24325af53050Schristos *phash = OBJ_ln2nid(str); 24335af53050Schristos } 24345af53050Schristos } 2435e0ea3921Schristos /* Maximum length of a signature algorithm string component */ 2436e0ea3921Schristos #define TLS_MAX_SIGSTRING_LEN 40 24375af53050Schristos 243831b855a0Sspz static int sig_cb(const char *elem, int len, void *arg) 243931b855a0Sspz { 244031b855a0Sspz sig_cb_st *sarg = arg; 244131b855a0Sspz size_t i; 2442e0ea3921Schristos const SIGALG_LOOKUP *s; 2443e0ea3921Schristos char etmp[TLS_MAX_SIGSTRING_LEN], *p; 24445af53050Schristos int sig_alg = NID_undef, hash_alg = NID_undef; 244531b855a0Sspz if (elem == NULL) 244631b855a0Sspz return 0; 2447e0ea3921Schristos if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) 244831b855a0Sspz return 0; 244931b855a0Sspz if (len > (int)(sizeof(etmp) - 1)) 245031b855a0Sspz return 0; 245131b855a0Sspz memcpy(etmp, elem, len); 245231b855a0Sspz etmp[len] = 0; 245331b855a0Sspz p = strchr(etmp, '+'); 2454e0ea3921Schristos /* 2455e0ea3921Schristos * We only allow SignatureSchemes listed in the sigalg_lookup_tbl; 2456e0ea3921Schristos * if there's no '+' in the provided name, look for the new-style combined 2457e0ea3921Schristos * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP. 2458e0ea3921Schristos * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and 2459e0ea3921Schristos * rsa_pss_rsae_* that differ only by public key OID; in such cases 2460e0ea3921Schristos * we will pick the _rsae_ variant, by virtue of them appearing earlier 2461e0ea3921Schristos * in the table. 2462e0ea3921Schristos */ 2463e0ea3921Schristos if (p == NULL) { 2464e0ea3921Schristos for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2465e0ea3921Schristos i++, s++) { 2466e0ea3921Schristos if (s->name != NULL && strcmp(etmp, s->name) == 0) { 2467e0ea3921Schristos sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2468e0ea3921Schristos break; 2469e0ea3921Schristos } 2470e0ea3921Schristos } 2471e0ea3921Schristos if (i == OSSL_NELEM(sigalg_lookup_tbl)) 247231b855a0Sspz return 0; 2473e0ea3921Schristos } else { 247431b855a0Sspz *p = 0; 247531b855a0Sspz p++; 2476e0ea3921Schristos if (*p == 0) 247731b855a0Sspz return 0; 24785af53050Schristos get_sigorhash(&sig_alg, &hash_alg, etmp); 24795af53050Schristos get_sigorhash(&sig_alg, &hash_alg, p); 24805af53050Schristos if (sig_alg == NID_undef || hash_alg == NID_undef) 248131b855a0Sspz return 0; 2482e0ea3921Schristos for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2483e0ea3921Schristos i++, s++) { 2484e0ea3921Schristos if (s->hash == hash_alg && s->sig == sig_alg) { 2485e0ea3921Schristos sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2486e0ea3921Schristos break; 2487e0ea3921Schristos } 2488e0ea3921Schristos } 2489e0ea3921Schristos if (i == OSSL_NELEM(sigalg_lookup_tbl)) 249031b855a0Sspz return 0; 249131b855a0Sspz } 2492e0ea3921Schristos 2493e0ea3921Schristos /* Reject duplicates */ 2494e0ea3921Schristos for (i = 0; i < sarg->sigalgcnt - 1; i++) { 2495e0ea3921Schristos if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { 2496e0ea3921Schristos sarg->sigalgcnt--; 2497e0ea3921Schristos return 0; 2498e0ea3921Schristos } 2499e0ea3921Schristos } 250031b855a0Sspz return 1; 250131b855a0Sspz } 250231b855a0Sspz 250331b855a0Sspz /* 25045af53050Schristos * Set supported signature algorithms based on a colon separated list of the 250531b855a0Sspz * form sig+hash e.g. RSA+SHA512:DSA+SHA512 250631b855a0Sspz */ 250731b855a0Sspz int tls1_set_sigalgs_list(CERT *c, const char *str, int client) 250831b855a0Sspz { 250931b855a0Sspz sig_cb_st sig; 251031b855a0Sspz sig.sigalgcnt = 0; 251131b855a0Sspz if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) 251231b855a0Sspz return 0; 251331b855a0Sspz if (c == NULL) 251431b855a0Sspz return 1; 2515e0ea3921Schristos return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); 251631b855a0Sspz } 251731b855a0Sspz 2518e0ea3921Schristos int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, 2519e0ea3921Schristos int client) 252031b855a0Sspz { 2521e0ea3921Schristos uint16_t *sigalgs; 252231b855a0Sspz 2523e0ea3921Schristos if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) { 25248fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2525e0ea3921Schristos return 0; 252631b855a0Sspz } 2527e0ea3921Schristos memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs)); 252831b855a0Sspz 252931b855a0Sspz if (client) { 253031b855a0Sspz OPENSSL_free(c->client_sigalgs); 253131b855a0Sspz c->client_sigalgs = sigalgs; 253231b855a0Sspz c->client_sigalgslen = salglen; 253331b855a0Sspz } else { 253431b855a0Sspz OPENSSL_free(c->conf_sigalgs); 253531b855a0Sspz c->conf_sigalgs = sigalgs; 253631b855a0Sspz c->conf_sigalgslen = salglen; 253731b855a0Sspz } 253831b855a0Sspz 253931b855a0Sspz return 1; 2540e0ea3921Schristos } 2541e0ea3921Schristos 2542e0ea3921Schristos int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) 2543e0ea3921Schristos { 2544e0ea3921Schristos uint16_t *sigalgs, *sptr; 2545e0ea3921Schristos size_t i; 2546e0ea3921Schristos 2547e0ea3921Schristos if (salglen & 1) 2548e0ea3921Schristos return 0; 2549e0ea3921Schristos if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) { 25508fbed61eSchristos ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2551e0ea3921Schristos return 0; 2552e0ea3921Schristos } 2553e0ea3921Schristos for (i = 0, sptr = sigalgs; i < salglen; i += 2) { 2554e0ea3921Schristos size_t j; 2555e0ea3921Schristos const SIGALG_LOOKUP *curr; 2556e0ea3921Schristos int md_id = *psig_nids++; 2557e0ea3921Schristos int sig_id = *psig_nids++; 2558e0ea3921Schristos 2559e0ea3921Schristos for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl); 2560e0ea3921Schristos j++, curr++) { 2561e0ea3921Schristos if (curr->hash == md_id && curr->sig == sig_id) { 2562e0ea3921Schristos *sptr++ = curr->sigalg; 2563e0ea3921Schristos break; 2564e0ea3921Schristos } 2565e0ea3921Schristos } 2566e0ea3921Schristos 2567e0ea3921Schristos if (j == OSSL_NELEM(sigalg_lookup_tbl)) 2568e0ea3921Schristos goto err; 2569e0ea3921Schristos } 2570e0ea3921Schristos 2571e0ea3921Schristos if (client) { 2572e0ea3921Schristos OPENSSL_free(c->client_sigalgs); 2573e0ea3921Schristos c->client_sigalgs = sigalgs; 2574e0ea3921Schristos c->client_sigalgslen = salglen / 2; 2575e0ea3921Schristos } else { 2576e0ea3921Schristos OPENSSL_free(c->conf_sigalgs); 2577e0ea3921Schristos c->conf_sigalgs = sigalgs; 2578e0ea3921Schristos c->conf_sigalgslen = salglen / 2; 2579e0ea3921Schristos } 2580e0ea3921Schristos 2581e0ea3921Schristos return 1; 258231b855a0Sspz 258331b855a0Sspz err: 258431b855a0Sspz OPENSSL_free(sigalgs); 258531b855a0Sspz return 0; 258631b855a0Sspz } 258731b855a0Sspz 2588403eeac4Schristos static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) 258931b855a0Sspz { 2590403eeac4Schristos int sig_nid, use_pc_sigalgs = 0; 259131b855a0Sspz size_t i; 2592403eeac4Schristos const SIGALG_LOOKUP *sigalg; 2593403eeac4Schristos size_t sigalgslen; 259431b855a0Sspz if (default_nid == -1) 259531b855a0Sspz return 1; 259631b855a0Sspz sig_nid = X509_get_signature_nid(x); 259731b855a0Sspz if (default_nid) 259831b855a0Sspz return sig_nid == default_nid ? 1 : 0; 2599403eeac4Schristos 26008fbed61eSchristos if (SSL_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) { 2601403eeac4Schristos /* 2602403eeac4Schristos * If we're in TLSv1.3 then we only get here if we're checking the 2603403eeac4Schristos * chain. If the peer has specified peer_cert_sigalgs then we use them 2604403eeac4Schristos * otherwise we default to normal sigalgs. 2605403eeac4Schristos */ 26068fbed61eSchristos sigalgslen = s->s3.tmp.peer_cert_sigalgslen; 2607403eeac4Schristos use_pc_sigalgs = 1; 2608403eeac4Schristos } else { 2609403eeac4Schristos sigalgslen = s->shared_sigalgslen; 2610403eeac4Schristos } 2611403eeac4Schristos for (i = 0; i < sigalgslen; i++) { 2612403eeac4Schristos sigalg = use_pc_sigalgs 26138fbed61eSchristos ? tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]) 2614403eeac4Schristos : s->shared_sigalgs[i]; 2615cd7cff00Schristos if (sigalg != NULL && sig_nid == sigalg->sigandhash) 261631b855a0Sspz return 1; 2617403eeac4Schristos } 261831b855a0Sspz return 0; 261931b855a0Sspz } 262031b855a0Sspz 262131b855a0Sspz /* Check to see if a certificate issuer name matches list of CA names */ 262231b855a0Sspz static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) 262331b855a0Sspz { 26248fbed61eSchristos const X509_NAME *nm; 262531b855a0Sspz int i; 262631b855a0Sspz nm = X509_get_issuer_name(x); 262731b855a0Sspz for (i = 0; i < sk_X509_NAME_num(names); i++) { 262831b855a0Sspz if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) 262931b855a0Sspz return 1; 263031b855a0Sspz } 263131b855a0Sspz return 0; 263231b855a0Sspz } 263331b855a0Sspz 263431b855a0Sspz /* 263531b855a0Sspz * Check certificate chain is consistent with TLS extensions and is usable by 263631b855a0Sspz * server. This servers two purposes: it allows users to check chains before 263731b855a0Sspz * passing them to the server and it allows the server to check chains before 263831b855a0Sspz * attempting to use them. 263931b855a0Sspz */ 264031b855a0Sspz 26415af53050Schristos /* Flags which need to be set for a certificate when strict mode not set */ 264231b855a0Sspz 264331b855a0Sspz #define CERT_PKEY_VALID_FLAGS \ 264431b855a0Sspz (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) 264531b855a0Sspz /* Strict mode flags */ 264631b855a0Sspz #define CERT_PKEY_STRICT_FLAGS \ 264731b855a0Sspz (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ 264831b855a0Sspz | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) 264931b855a0Sspz 265031b855a0Sspz int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, 265131b855a0Sspz int idx) 265231b855a0Sspz { 265331b855a0Sspz int i; 265431b855a0Sspz int rv = 0; 265531b855a0Sspz int check_flags = 0, strict_mode; 265631b855a0Sspz CERT_PKEY *cpk = NULL; 265731b855a0Sspz CERT *c = s->cert; 26585af53050Schristos uint32_t *pvalid; 265931b855a0Sspz unsigned int suiteb_flags = tls1_suiteb(s); 266031b855a0Sspz /* idx == -1 means checking server chains */ 266131b855a0Sspz if (idx != -1) { 266231b855a0Sspz /* idx == -2 means checking client certificate chains */ 266331b855a0Sspz if (idx == -2) { 266431b855a0Sspz cpk = c->key; 2665e0ea3921Schristos idx = (int)(cpk - c->pkeys); 266631b855a0Sspz } else 266731b855a0Sspz cpk = c->pkeys + idx; 26688fbed61eSchristos pvalid = s->s3.tmp.valid_flags + idx; 266931b855a0Sspz x = cpk->x509; 267031b855a0Sspz pk = cpk->privatekey; 267131b855a0Sspz chain = cpk->chain; 267231b855a0Sspz strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; 267331b855a0Sspz /* If no cert or key, forget it */ 267431b855a0Sspz if (!x || !pk) 267531b855a0Sspz goto end; 267631b855a0Sspz } else { 2677e0ea3921Schristos size_t certidx; 2678e0ea3921Schristos 267931b855a0Sspz if (!x || !pk) 268031b855a0Sspz return 0; 2681e0ea3921Schristos 2682e0ea3921Schristos if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL) 268331b855a0Sspz return 0; 2684e0ea3921Schristos idx = certidx; 26858fbed61eSchristos pvalid = s->s3.tmp.valid_flags + idx; 26865af53050Schristos 268731b855a0Sspz if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) 268831b855a0Sspz check_flags = CERT_PKEY_STRICT_FLAGS; 268931b855a0Sspz else 269031b855a0Sspz check_flags = CERT_PKEY_VALID_FLAGS; 269131b855a0Sspz strict_mode = 1; 269231b855a0Sspz } 269331b855a0Sspz 269431b855a0Sspz if (suiteb_flags) { 269531b855a0Sspz int ok; 269631b855a0Sspz if (check_flags) 269731b855a0Sspz check_flags |= CERT_PKEY_SUITEB; 269831b855a0Sspz ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); 269931b855a0Sspz if (ok == X509_V_OK) 270031b855a0Sspz rv |= CERT_PKEY_SUITEB; 270131b855a0Sspz else if (!check_flags) 270231b855a0Sspz goto end; 270331b855a0Sspz } 270431b855a0Sspz 270531b855a0Sspz /* 270631b855a0Sspz * Check all signature algorithms are consistent with signature 270731b855a0Sspz * algorithms extension if TLS 1.2 or later and strict mode. 270831b855a0Sspz */ 270931b855a0Sspz if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) { 271031b855a0Sspz int default_nid; 2711e0ea3921Schristos int rsign = 0; 27128fbed61eSchristos if (s->s3.tmp.peer_cert_sigalgs != NULL 27138fbed61eSchristos || s->s3.tmp.peer_sigalgs != NULL) { 271431b855a0Sspz default_nid = 0; 271531b855a0Sspz /* If no sigalgs extension use defaults from RFC5246 */ 2716e0ea3921Schristos } else { 271731b855a0Sspz switch (idx) { 2718e0ea3921Schristos case SSL_PKEY_RSA: 2719e0ea3921Schristos rsign = EVP_PKEY_RSA; 272031b855a0Sspz default_nid = NID_sha1WithRSAEncryption; 272131b855a0Sspz break; 272231b855a0Sspz 272331b855a0Sspz case SSL_PKEY_DSA_SIGN: 2724e0ea3921Schristos rsign = EVP_PKEY_DSA; 272531b855a0Sspz default_nid = NID_dsaWithSHA1; 272631b855a0Sspz break; 272731b855a0Sspz 272831b855a0Sspz case SSL_PKEY_ECC: 2729e0ea3921Schristos rsign = EVP_PKEY_EC; 273031b855a0Sspz default_nid = NID_ecdsa_with_SHA1; 273131b855a0Sspz break; 273231b855a0Sspz 27335af53050Schristos case SSL_PKEY_GOST01: 2734e0ea3921Schristos rsign = NID_id_GostR3410_2001; 27355af53050Schristos default_nid = NID_id_GostR3411_94_with_GostR3410_2001; 27365af53050Schristos break; 27375af53050Schristos 27385af53050Schristos case SSL_PKEY_GOST12_256: 2739e0ea3921Schristos rsign = NID_id_GostR3410_2012_256; 27405af53050Schristos default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256; 27415af53050Schristos break; 27425af53050Schristos 27435af53050Schristos case SSL_PKEY_GOST12_512: 2744e0ea3921Schristos rsign = NID_id_GostR3410_2012_512; 27455af53050Schristos default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512; 27465af53050Schristos break; 27475af53050Schristos 274831b855a0Sspz default: 274931b855a0Sspz default_nid = -1; 275031b855a0Sspz break; 275131b855a0Sspz } 275231b855a0Sspz } 275331b855a0Sspz /* 275431b855a0Sspz * If peer sent no signature algorithms extension and we have set 275531b855a0Sspz * preferred signature algorithms check we support sha1. 275631b855a0Sspz */ 275731b855a0Sspz if (default_nid > 0 && c->conf_sigalgs) { 275831b855a0Sspz size_t j; 2759e0ea3921Schristos const uint16_t *p = c->conf_sigalgs; 2760e0ea3921Schristos for (j = 0; j < c->conf_sigalgslen; j++, p++) { 27618fbed61eSchristos const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *p); 2762e0ea3921Schristos 2763e0ea3921Schristos if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign) 276431b855a0Sspz break; 276531b855a0Sspz } 276631b855a0Sspz if (j == c->conf_sigalgslen) { 276731b855a0Sspz if (check_flags) 276831b855a0Sspz goto skip_sigs; 276931b855a0Sspz else 277031b855a0Sspz goto end; 277131b855a0Sspz } 277231b855a0Sspz } 277331b855a0Sspz /* Check signature algorithm of each cert in chain */ 2774403eeac4Schristos if (SSL_IS_TLS13(s)) { 2775403eeac4Schristos /* 2776403eeac4Schristos * We only get here if the application has called SSL_check_chain(), 2777403eeac4Schristos * so check_flags is always set. 2778403eeac4Schristos */ 2779403eeac4Schristos if (find_sig_alg(s, x, pk) != NULL) 2780403eeac4Schristos rv |= CERT_PKEY_EE_SIGNATURE; 2781403eeac4Schristos } else if (!tls1_check_sig_alg(s, x, default_nid)) { 278231b855a0Sspz if (!check_flags) 278331b855a0Sspz goto end; 278431b855a0Sspz } else 278531b855a0Sspz rv |= CERT_PKEY_EE_SIGNATURE; 278631b855a0Sspz rv |= CERT_PKEY_CA_SIGNATURE; 278731b855a0Sspz for (i = 0; i < sk_X509_num(chain); i++) { 2788403eeac4Schristos if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) { 278931b855a0Sspz if (check_flags) { 279031b855a0Sspz rv &= ~CERT_PKEY_CA_SIGNATURE; 279131b855a0Sspz break; 279231b855a0Sspz } else 279331b855a0Sspz goto end; 279431b855a0Sspz } 279531b855a0Sspz } 279631b855a0Sspz } 279731b855a0Sspz /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ 279831b855a0Sspz else if (check_flags) 279931b855a0Sspz rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; 280031b855a0Sspz skip_sigs: 280131b855a0Sspz /* Check cert parameters are consistent */ 2802e0ea3921Schristos if (tls1_check_cert_param(s, x, 1)) 280331b855a0Sspz rv |= CERT_PKEY_EE_PARAM; 280431b855a0Sspz else if (!check_flags) 280531b855a0Sspz goto end; 280631b855a0Sspz if (!s->server) 280731b855a0Sspz rv |= CERT_PKEY_CA_PARAM; 280831b855a0Sspz /* In strict mode check rest of chain too */ 280931b855a0Sspz else if (strict_mode) { 281031b855a0Sspz rv |= CERT_PKEY_CA_PARAM; 281131b855a0Sspz for (i = 0; i < sk_X509_num(chain); i++) { 281231b855a0Sspz X509 *ca = sk_X509_value(chain, i); 281331b855a0Sspz if (!tls1_check_cert_param(s, ca, 0)) { 281431b855a0Sspz if (check_flags) { 281531b855a0Sspz rv &= ~CERT_PKEY_CA_PARAM; 281631b855a0Sspz break; 281731b855a0Sspz } else 281831b855a0Sspz goto end; 281931b855a0Sspz } 282031b855a0Sspz } 282131b855a0Sspz } 282231b855a0Sspz if (!s->server && strict_mode) { 282331b855a0Sspz STACK_OF(X509_NAME) *ca_dn; 282431b855a0Sspz int check_type = 0; 28258fbed61eSchristos 28268fbed61eSchristos if (EVP_PKEY_is_a(pk, "RSA")) 282731b855a0Sspz check_type = TLS_CT_RSA_SIGN; 28288fbed61eSchristos else if (EVP_PKEY_is_a(pk, "DSA")) 282931b855a0Sspz check_type = TLS_CT_DSS_SIGN; 28308fbed61eSchristos else if (EVP_PKEY_is_a(pk, "EC")) 283131b855a0Sspz check_type = TLS_CT_ECDSA_SIGN; 28328fbed61eSchristos 283331b855a0Sspz if (check_type) { 28348fbed61eSchristos const uint8_t *ctypes = s->s3.tmp.ctype; 2835e0ea3921Schristos size_t j; 2836e0ea3921Schristos 28378fbed61eSchristos for (j = 0; j < s->s3.tmp.ctype_len; j++, ctypes++) { 2838e0ea3921Schristos if (*ctypes == check_type) { 283931b855a0Sspz rv |= CERT_PKEY_CERT_TYPE; 284031b855a0Sspz break; 284131b855a0Sspz } 284231b855a0Sspz } 284331b855a0Sspz if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) 284431b855a0Sspz goto end; 2845e0ea3921Schristos } else { 284631b855a0Sspz rv |= CERT_PKEY_CERT_TYPE; 2847e0ea3921Schristos } 284831b855a0Sspz 28498fbed61eSchristos ca_dn = s->s3.tmp.peer_ca_names; 285031b855a0Sspz 2851be43b372Schristos if (ca_dn == NULL 2852be43b372Schristos || sk_X509_NAME_num(ca_dn) == 0 2853be43b372Schristos || ssl_check_ca_name(ca_dn, x)) 285431b855a0Sspz rv |= CERT_PKEY_ISSUER_NAME; 2855be43b372Schristos else 285631b855a0Sspz for (i = 0; i < sk_X509_num(chain); i++) { 285731b855a0Sspz X509 *xtmp = sk_X509_value(chain, i); 2858be43b372Schristos 285931b855a0Sspz if (ssl_check_ca_name(ca_dn, xtmp)) { 286031b855a0Sspz rv |= CERT_PKEY_ISSUER_NAME; 286131b855a0Sspz break; 286231b855a0Sspz } 286331b855a0Sspz } 2864be43b372Schristos 286531b855a0Sspz if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) 286631b855a0Sspz goto end; 286731b855a0Sspz } else 286831b855a0Sspz rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE; 286931b855a0Sspz 287031b855a0Sspz if (!check_flags || (rv & check_flags) == check_flags) 287131b855a0Sspz rv |= CERT_PKEY_VALID; 287231b855a0Sspz 287331b855a0Sspz end: 287431b855a0Sspz 2875e0ea3921Schristos if (TLS1_get_version(s) >= TLS1_2_VERSION) 2876e0ea3921Schristos rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN); 2877e0ea3921Schristos else 287831b855a0Sspz rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; 287931b855a0Sspz 288031b855a0Sspz /* 288131b855a0Sspz * When checking a CERT_PKEY structure all flags are irrelevant if the 288231b855a0Sspz * chain is invalid. 288331b855a0Sspz */ 288431b855a0Sspz if (!check_flags) { 2885e0ea3921Schristos if (rv & CERT_PKEY_VALID) { 28865af53050Schristos *pvalid = rv; 2887e0ea3921Schristos } else { 2888e0ea3921Schristos /* Preserve sign and explicit sign flag, clear rest */ 2889e0ea3921Schristos *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 289031b855a0Sspz return 0; 289131b855a0Sspz } 289231b855a0Sspz } 289331b855a0Sspz return rv; 289431b855a0Sspz } 289531b855a0Sspz 289631b855a0Sspz /* Set validity of certificates in an SSL structure */ 289731b855a0Sspz void tls1_set_cert_validity(SSL *s) 289831b855a0Sspz { 2899e0ea3921Schristos tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); 2900e0ea3921Schristos tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); 290131b855a0Sspz tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); 290231b855a0Sspz tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); 29035af53050Schristos tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); 29045af53050Schristos tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256); 29055af53050Schristos tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512); 2906e0ea3921Schristos tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519); 2907e0ea3921Schristos tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448); 290831b855a0Sspz } 290931b855a0Sspz 29105af53050Schristos /* User level utility function to check a chain is suitable */ 291131b855a0Sspz int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) 291231b855a0Sspz { 291331b855a0Sspz return tls1_check_chain(s, x, pk, chain, -1); 291431b855a0Sspz } 291531b855a0Sspz 29168fbed61eSchristos EVP_PKEY *ssl_get_auto_dh(SSL *s) 29175af53050Schristos { 29188fbed61eSchristos EVP_PKEY *dhp = NULL; 29198fbed61eSchristos BIGNUM *p; 2920fb48e4b2Schristos int dh_secbits = 80, sec_level_bits; 29218fbed61eSchristos EVP_PKEY_CTX *pctx = NULL; 29228fbed61eSchristos OSSL_PARAM_BLD *tmpl = NULL; 29238fbed61eSchristos OSSL_PARAM *params = NULL; 2924fb48e4b2Schristos 29254a7cf967Schristos if (s->cert->dh_tmp_auto != 2) { 29268fbed61eSchristos if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { 29278fbed61eSchristos if (s->s3.tmp.new_cipher->strength_bits == 256) 29285af53050Schristos dh_secbits = 128; 29295af53050Schristos else 29305af53050Schristos dh_secbits = 80; 29315af53050Schristos } else { 29328fbed61eSchristos if (s->s3.tmp.cert == NULL) 2933e0ea3921Schristos return NULL; 29348fbed61eSchristos dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey); 29355af53050Schristos } 29364a7cf967Schristos } 29375af53050Schristos 2938fb48e4b2Schristos /* Do not pick a prime that is too weak for the current security level */ 2939fb48e4b2Schristos sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL); 2940fb48e4b2Schristos if (dh_secbits < sec_level_bits) 2941fb48e4b2Schristos dh_secbits = sec_level_bits; 2942fb48e4b2Schristos 29435af53050Schristos if (dh_secbits >= 192) 29445af53050Schristos p = BN_get_rfc3526_prime_8192(NULL); 29454a7cf967Schristos else if (dh_secbits >= 152) 29464a7cf967Schristos p = BN_get_rfc3526_prime_4096(NULL); 29474a7cf967Schristos else if (dh_secbits >= 128) 29485af53050Schristos p = BN_get_rfc3526_prime_3072(NULL); 29494a7cf967Schristos else if (dh_secbits >= 112) 29504a7cf967Schristos p = BN_get_rfc3526_prime_2048(NULL); 29514a7cf967Schristos else 29524a7cf967Schristos p = BN_get_rfc2409_prime_1024(NULL); 29538fbed61eSchristos if (p == NULL) 29548fbed61eSchristos goto err; 29558fbed61eSchristos 29568fbed61eSchristos pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); 29578fbed61eSchristos if (pctx == NULL 29588fbed61eSchristos || EVP_PKEY_fromdata_init(pctx) != 1) 29598fbed61eSchristos goto err; 29608fbed61eSchristos 29618fbed61eSchristos tmpl = OSSL_PARAM_BLD_new(); 29628fbed61eSchristos if (tmpl == NULL 29638fbed61eSchristos || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) 29648fbed61eSchristos || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2)) 29658fbed61eSchristos goto err; 29668fbed61eSchristos 29678fbed61eSchristos params = OSSL_PARAM_BLD_to_param(tmpl); 29688fbed61eSchristos if (params == NULL 29698fbed61eSchristos || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1) 29708fbed61eSchristos goto err; 29718fbed61eSchristos 29728fbed61eSchristos err: 29738fbed61eSchristos OSSL_PARAM_free(params); 29748fbed61eSchristos OSSL_PARAM_BLD_free(tmpl); 29758fbed61eSchristos EVP_PKEY_CTX_free(pctx); 29765af53050Schristos BN_free(p); 29775af53050Schristos return dhp; 29785af53050Schristos } 29795af53050Schristos 29805af53050Schristos static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) 29815af53050Schristos { 29825af53050Schristos int secbits = -1; 29835af53050Schristos EVP_PKEY *pkey = X509_get0_pubkey(x); 29845af53050Schristos if (pkey) { 29855af53050Schristos /* 29865af53050Schristos * If no parameters this will return -1 and fail using the default 29875af53050Schristos * security callback for any non-zero security level. This will 29885af53050Schristos * reject keys which omit parameters but this only affects DSA and 29895af53050Schristos * omission of parameters is never (?) done in practice. 29905af53050Schristos */ 29918fbed61eSchristos secbits = EVP_PKEY_get_security_bits(pkey); 29925af53050Schristos } 29935af53050Schristos if (s) 29945af53050Schristos return ssl_security(s, op, secbits, 0, x); 29955af53050Schristos else 29965af53050Schristos return ssl_ctx_security(ctx, op, secbits, 0, x); 29975af53050Schristos } 29985af53050Schristos 29995af53050Schristos static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) 30005af53050Schristos { 30015af53050Schristos /* Lookup signature algorithm digest */ 3002e0ea3921Schristos int secbits, nid, pknid; 30035af53050Schristos /* Don't check signature if self signed */ 30045af53050Schristos if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) 30055af53050Schristos return 1; 3006e0ea3921Schristos if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL)) 3007e0ea3921Schristos secbits = -1; 3008e0ea3921Schristos /* If digest NID not defined use signature NID */ 3009e0ea3921Schristos if (nid == NID_undef) 3010e0ea3921Schristos nid = pknid; 30115af53050Schristos if (s) 3012e0ea3921Schristos return ssl_security(s, op, secbits, nid, x); 30135af53050Schristos else 3014e0ea3921Schristos return ssl_ctx_security(ctx, op, secbits, nid, x); 30155af53050Schristos } 30165af53050Schristos 30175af53050Schristos int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee) 30185af53050Schristos { 30195af53050Schristos if (vfy) 30205af53050Schristos vfy = SSL_SECOP_PEER; 30215af53050Schristos if (is_ee) { 30225af53050Schristos if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy)) 30235af53050Schristos return SSL_R_EE_KEY_TOO_SMALL; 30245af53050Schristos } else { 30255af53050Schristos if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy)) 30265af53050Schristos return SSL_R_CA_KEY_TOO_SMALL; 30275af53050Schristos } 30285af53050Schristos if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) 30295af53050Schristos return SSL_R_CA_MD_TOO_WEAK; 30305af53050Schristos return 1; 30315af53050Schristos } 30325af53050Schristos 30335af53050Schristos /* 30345af53050Schristos * Check security of a chain, if |sk| includes the end entity certificate then 30355af53050Schristos * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending 30365af53050Schristos * one to the peer. Return values: 1 if ok otherwise error code to use 30375af53050Schristos */ 30385af53050Schristos 30395af53050Schristos int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) 30405af53050Schristos { 30415af53050Schristos int rv, start_idx, i; 30425af53050Schristos if (x == NULL) { 30435af53050Schristos x = sk_X509_value(sk, 0); 3044be43b372Schristos if (x == NULL) 3045be43b372Schristos return ERR_R_INTERNAL_ERROR; 30465af53050Schristos start_idx = 1; 30475af53050Schristos } else 30485af53050Schristos start_idx = 0; 30495af53050Schristos 30505af53050Schristos rv = ssl_security_cert(s, NULL, x, vfy, 1); 30515af53050Schristos if (rv != 1) 30525af53050Schristos return rv; 30535af53050Schristos 30545af53050Schristos for (i = start_idx; i < sk_X509_num(sk); i++) { 30555af53050Schristos x = sk_X509_value(sk, i); 30565af53050Schristos rv = ssl_security_cert(s, NULL, x, vfy, 0); 30575af53050Schristos if (rv != 1) 30585af53050Schristos return rv; 30595af53050Schristos } 30605af53050Schristos return 1; 30615af53050Schristos } 3062e0ea3921Schristos 3063e0ea3921Schristos /* 3064e0ea3921Schristos * For TLS 1.2 servers check if we have a certificate which can be used 3065e0ea3921Schristos * with the signature algorithm "lu" and return index of certificate. 3066e0ea3921Schristos */ 3067e0ea3921Schristos 3068e0ea3921Schristos static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu) 3069e0ea3921Schristos { 3070e0ea3921Schristos int sig_idx = lu->sig_idx; 3071e0ea3921Schristos const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx); 3072e0ea3921Schristos 3073e0ea3921Schristos /* If not recognised or not supported by cipher mask it is not suitable */ 3074e0ea3921Schristos if (clu == NULL 30758fbed61eSchristos || (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0 3076e0ea3921Schristos || (clu->nid == EVP_PKEY_RSA_PSS 30778fbed61eSchristos && (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0)) 3078e0ea3921Schristos return -1; 3079e0ea3921Schristos 30808fbed61eSchristos return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1; 3081e0ea3921Schristos } 3082e0ea3921Schristos 3083e0ea3921Schristos /* 3084403eeac4Schristos * Checks the given cert against signature_algorithm_cert restrictions sent by 3085403eeac4Schristos * the peer (if any) as well as whether the hash from the sigalg is usable with 3086403eeac4Schristos * the key. 3087403eeac4Schristos * Returns true if the cert is usable and false otherwise. 3088e0ea3921Schristos */ 3089403eeac4Schristos static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 3090403eeac4Schristos EVP_PKEY *pkey) 3091e0ea3921Schristos { 3092e0ea3921Schristos const SIGALG_LOOKUP *lu; 30938fbed61eSchristos int mdnid, pknid, supported; 3094e0ea3921Schristos size_t i; 30958fbed61eSchristos const char *mdname = NULL; 3096e0ea3921Schristos 30978fbed61eSchristos /* 30988fbed61eSchristos * If the given EVP_PKEY cannot support signing with this digest, 30998fbed61eSchristos * the answer is simply 'no'. 31008fbed61eSchristos */ 31018fbed61eSchristos if (sig->hash != NID_undef) 31028fbed61eSchristos mdname = OBJ_nid2sn(sig->hash); 31038fbed61eSchristos supported = EVP_PKEY_digestsign_supports_digest(pkey, s->ctx->libctx, 31048fbed61eSchristos mdname, 31058fbed61eSchristos s->ctx->propq); 31068fbed61eSchristos if (supported <= 0) 3107403eeac4Schristos return 0; 3108403eeac4Schristos 3109e0ea3921Schristos /* 31108fbed61eSchristos * The TLS 1.3 signature_algorithms_cert extension places restrictions 31118fbed61eSchristos * on the sigalg with which the certificate was signed (by its issuer). 31128fbed61eSchristos */ 31138fbed61eSchristos if (s->s3.tmp.peer_cert_sigalgs != NULL) { 31148fbed61eSchristos if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL)) 31158fbed61eSchristos return 0; 31168fbed61eSchristos for (i = 0; i < s->s3.tmp.peer_cert_sigalgslen; i++) { 31178fbed61eSchristos lu = tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]); 31188fbed61eSchristos if (lu == NULL) 31198fbed61eSchristos continue; 31208fbed61eSchristos 31218fbed61eSchristos /* 31228fbed61eSchristos * This does not differentiate between the 3123e0ea3921Schristos * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not 3124e0ea3921Schristos * have a chain here that lets us look at the key OID in the 3125e0ea3921Schristos * signing certificate. 3126e0ea3921Schristos */ 3127e0ea3921Schristos if (mdnid == lu->hash && pknid == lu->sig) 3128e0ea3921Schristos return 1; 3129e0ea3921Schristos } 3130e0ea3921Schristos return 0; 3131e0ea3921Schristos } 31328fbed61eSchristos 31338fbed61eSchristos /* 31348fbed61eSchristos * Without signat_algorithms_cert, any certificate for which we have 31358fbed61eSchristos * a viable public key is permitted. 31368fbed61eSchristos */ 3137403eeac4Schristos return 1; 3138403eeac4Schristos } 3139403eeac4Schristos 3140403eeac4Schristos /* 3141403eeac4Schristos * Returns true if |s| has a usable certificate configured for use 3142403eeac4Schristos * with signature scheme |sig|. 3143403eeac4Schristos * "Usable" includes a check for presence as well as applying 3144403eeac4Schristos * the signature_algorithm_cert restrictions sent by the peer (if any). 3145403eeac4Schristos * Returns false if no usable certificate is found. 3146403eeac4Schristos */ 3147403eeac4Schristos static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) 3148403eeac4Schristos { 3149403eeac4Schristos /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */ 3150403eeac4Schristos if (idx == -1) 3151403eeac4Schristos idx = sig->sig_idx; 3152403eeac4Schristos if (!ssl_has_cert(s, idx)) 3153403eeac4Schristos return 0; 3154403eeac4Schristos 3155403eeac4Schristos return check_cert_usable(s, sig, s->cert->pkeys[idx].x509, 3156403eeac4Schristos s->cert->pkeys[idx].privatekey); 3157403eeac4Schristos } 3158403eeac4Schristos 3159403eeac4Schristos /* 3160403eeac4Schristos * Returns true if the supplied cert |x| and key |pkey| is usable with the 3161403eeac4Schristos * specified signature scheme |sig|, or false otherwise. 3162403eeac4Schristos */ 3163403eeac4Schristos static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 3164403eeac4Schristos EVP_PKEY *pkey) 3165403eeac4Schristos { 3166403eeac4Schristos size_t idx; 3167403eeac4Schristos 3168403eeac4Schristos if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 3169403eeac4Schristos return 0; 3170403eeac4Schristos 3171403eeac4Schristos /* Check the key is consistent with the sig alg */ 3172403eeac4Schristos if ((int)idx != sig->sig_idx) 3173403eeac4Schristos return 0; 3174403eeac4Schristos 3175403eeac4Schristos return check_cert_usable(s, sig, x, pkey); 3176403eeac4Schristos } 3177403eeac4Schristos 3178403eeac4Schristos /* 3179403eeac4Schristos * Find a signature scheme that works with the supplied certificate |x| and key 3180403eeac4Schristos * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our 3181403eeac4Schristos * available certs/keys to find one that works. 3182403eeac4Schristos */ 3183403eeac4Schristos static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey) 3184403eeac4Schristos { 3185403eeac4Schristos const SIGALG_LOOKUP *lu = NULL; 3186403eeac4Schristos size_t i; 3187403eeac4Schristos int curve = -1; 3188403eeac4Schristos EVP_PKEY *tmppkey; 3189403eeac4Schristos 3190403eeac4Schristos /* Look for a shared sigalgs matching possible certificates */ 3191403eeac4Schristos for (i = 0; i < s->shared_sigalgslen; i++) { 3192403eeac4Schristos lu = s->shared_sigalgs[i]; 3193403eeac4Schristos 3194403eeac4Schristos /* Skip SHA1, SHA224, DSA and RSA if not PSS */ 3195403eeac4Schristos if (lu->hash == NID_sha1 3196403eeac4Schristos || lu->hash == NID_sha224 3197403eeac4Schristos || lu->sig == EVP_PKEY_DSA 3198403eeac4Schristos || lu->sig == EVP_PKEY_RSA) 3199403eeac4Schristos continue; 3200403eeac4Schristos /* Check that we have a cert, and signature_algorithms_cert */ 32018fbed61eSchristos if (!tls1_lookup_md(s->ctx, lu, NULL)) 3202403eeac4Schristos continue; 3203403eeac4Schristos if ((pkey == NULL && !has_usable_cert(s, lu, -1)) 3204403eeac4Schristos || (pkey != NULL && !is_cert_usable(s, lu, x, pkey))) 3205403eeac4Schristos continue; 3206403eeac4Schristos 3207403eeac4Schristos tmppkey = (pkey != NULL) ? pkey 3208403eeac4Schristos : s->cert->pkeys[lu->sig_idx].privatekey; 3209403eeac4Schristos 3210403eeac4Schristos if (lu->sig == EVP_PKEY_EC) { 32118fbed61eSchristos if (curve == -1) 32128fbed61eSchristos curve = ssl_get_EC_curve_nid(tmppkey); 3213403eeac4Schristos if (lu->curve != NID_undef && curve != lu->curve) 3214403eeac4Schristos continue; 3215403eeac4Schristos } else if (lu->sig == EVP_PKEY_RSA_PSS) { 3216403eeac4Schristos /* validate that key is large enough for the signature algorithm */ 32178fbed61eSchristos if (!rsa_pss_check_min_key_size(s->ctx, tmppkey, lu)) 3218403eeac4Schristos continue; 3219403eeac4Schristos } 3220403eeac4Schristos break; 3221403eeac4Schristos } 3222403eeac4Schristos 3223403eeac4Schristos if (i == s->shared_sigalgslen) 3224403eeac4Schristos return NULL; 3225403eeac4Schristos 3226403eeac4Schristos return lu; 3227e0ea3921Schristos } 3228e0ea3921Schristos 3229e0ea3921Schristos /* 3230e0ea3921Schristos * Choose an appropriate signature algorithm based on available certificates 3231e0ea3921Schristos * Sets chosen certificate and signature algorithm. 3232e0ea3921Schristos * 3233e0ea3921Schristos * For servers if we fail to find a required certificate it is a fatal error, 3234e0ea3921Schristos * an appropriate error code is set and a TLS alert is sent. 3235e0ea3921Schristos * 3236e0ea3921Schristos * For clients fatalerrs is set to 0. If a certificate is not suitable it is not 3237e0ea3921Schristos * a fatal error: we will either try another certificate or not present one 3238e0ea3921Schristos * to the server. In this case no error is set. 3239e0ea3921Schristos */ 3240e0ea3921Schristos int tls_choose_sigalg(SSL *s, int fatalerrs) 3241e0ea3921Schristos { 3242e0ea3921Schristos const SIGALG_LOOKUP *lu = NULL; 3243e0ea3921Schristos int sig_idx = -1; 3244e0ea3921Schristos 32458fbed61eSchristos s->s3.tmp.cert = NULL; 32468fbed61eSchristos s->s3.tmp.sigalg = NULL; 3247e0ea3921Schristos 3248e0ea3921Schristos if (SSL_IS_TLS13(s)) { 3249403eeac4Schristos lu = find_sig_alg(s, NULL, NULL); 3250403eeac4Schristos if (lu == NULL) { 3251e0ea3921Schristos if (!fatalerrs) 3252e0ea3921Schristos return 1; 32538fbed61eSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3254e0ea3921Schristos SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3255e0ea3921Schristos return 0; 3256e0ea3921Schristos } 3257e0ea3921Schristos } else { 3258e0ea3921Schristos /* If ciphersuite doesn't require a cert nothing to do */ 32598fbed61eSchristos if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT)) 3260e0ea3921Schristos return 1; 3261e0ea3921Schristos if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys)) 3262e0ea3921Schristos return 1; 3263e0ea3921Schristos 3264e0ea3921Schristos if (SSL_USE_SIGALGS(s)) { 3265e0ea3921Schristos size_t i; 32668fbed61eSchristos if (s->s3.tmp.peer_sigalgs != NULL) { 32678fbed61eSchristos int curve = -1; 3268e0ea3921Schristos 3269e0ea3921Schristos /* For Suite B need to match signature algorithm to curve */ 32708fbed61eSchristos if (tls1_suiteb(s)) 32718fbed61eSchristos curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC] 32728fbed61eSchristos .privatekey); 3273e0ea3921Schristos 3274e0ea3921Schristos /* 3275e0ea3921Schristos * Find highest preference signature algorithm matching 3276e0ea3921Schristos * cert type 3277e0ea3921Schristos */ 3278403eeac4Schristos for (i = 0; i < s->shared_sigalgslen; i++) { 3279403eeac4Schristos lu = s->shared_sigalgs[i]; 3280e0ea3921Schristos 3281e0ea3921Schristos if (s->server) { 3282e0ea3921Schristos if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1) 3283e0ea3921Schristos continue; 3284e0ea3921Schristos } else { 3285e0ea3921Schristos int cc_idx = s->cert->key - s->cert->pkeys; 3286e0ea3921Schristos 3287e0ea3921Schristos sig_idx = lu->sig_idx; 3288e0ea3921Schristos if (cc_idx != sig_idx) 3289e0ea3921Schristos continue; 3290e0ea3921Schristos } 3291e0ea3921Schristos /* Check that we have a cert, and sig_algs_cert */ 3292e0ea3921Schristos if (!has_usable_cert(s, lu, sig_idx)) 3293e0ea3921Schristos continue; 3294e0ea3921Schristos if (lu->sig == EVP_PKEY_RSA_PSS) { 3295e0ea3921Schristos /* validate that key is large enough for the signature algorithm */ 3296e0ea3921Schristos EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey; 3297e0ea3921Schristos 32988fbed61eSchristos if (!rsa_pss_check_min_key_size(s->ctx, pkey, lu)) 3299e0ea3921Schristos continue; 3300e0ea3921Schristos } 3301e0ea3921Schristos if (curve == -1 || lu->curve == curve) 3302e0ea3921Schristos break; 3303e0ea3921Schristos } 330452629741Schristos #ifndef OPENSSL_NO_GOST 330552629741Schristos /* 330652629741Schristos * Some Windows-based implementations do not send GOST algorithms indication 330752629741Schristos * in supported_algorithms extension, so when we have GOST-based ciphersuite, 330852629741Schristos * we have to assume GOST support. 330952629741Schristos */ 33108fbed61eSchristos if (i == s->shared_sigalgslen && s->s3.tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) { 331152629741Schristos if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 331252629741Schristos if (!fatalerrs) 331352629741Schristos return 1; 331452629741Schristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 331552629741Schristos SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 331652629741Schristos return 0; 331752629741Schristos } else { 331852629741Schristos i = 0; 331952629741Schristos sig_idx = lu->sig_idx; 332052629741Schristos } 332152629741Schristos } 332252629741Schristos #endif 3323403eeac4Schristos if (i == s->shared_sigalgslen) { 3324e0ea3921Schristos if (!fatalerrs) 3325e0ea3921Schristos return 1; 3326e0ea3921Schristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3327e0ea3921Schristos SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3328e0ea3921Schristos return 0; 3329e0ea3921Schristos } 3330e0ea3921Schristos } else { 3331e0ea3921Schristos /* 3332e0ea3921Schristos * If we have no sigalg use defaults 3333e0ea3921Schristos */ 3334e0ea3921Schristos const uint16_t *sent_sigs; 3335e0ea3921Schristos size_t sent_sigslen; 3336e0ea3921Schristos 3337e0ea3921Schristos if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3338e0ea3921Schristos if (!fatalerrs) 3339e0ea3921Schristos return 1; 33408fbed61eSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 33418fbed61eSchristos SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3342e0ea3921Schristos return 0; 3343e0ea3921Schristos } 3344e0ea3921Schristos 3345e0ea3921Schristos /* Check signature matches a type we sent */ 3346e0ea3921Schristos sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 3347e0ea3921Schristos for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 3348e0ea3921Schristos if (lu->sigalg == *sent_sigs 3349e0ea3921Schristos && has_usable_cert(s, lu, lu->sig_idx)) 3350e0ea3921Schristos break; 3351e0ea3921Schristos } 3352e0ea3921Schristos if (i == sent_sigslen) { 3353e0ea3921Schristos if (!fatalerrs) 3354e0ea3921Schristos return 1; 33558fbed61eSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3356e0ea3921Schristos SSL_R_WRONG_SIGNATURE_TYPE); 3357e0ea3921Schristos return 0; 3358e0ea3921Schristos } 3359e0ea3921Schristos } 3360e0ea3921Schristos } else { 3361e0ea3921Schristos if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3362e0ea3921Schristos if (!fatalerrs) 3363e0ea3921Schristos return 1; 33648fbed61eSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 33658fbed61eSchristos SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3366e0ea3921Schristos return 0; 3367e0ea3921Schristos } 3368e0ea3921Schristos } 3369e0ea3921Schristos } 3370e0ea3921Schristos if (sig_idx == -1) 3371e0ea3921Schristos sig_idx = lu->sig_idx; 33728fbed61eSchristos s->s3.tmp.cert = &s->cert->pkeys[sig_idx]; 33738fbed61eSchristos s->cert->key = s->s3.tmp.cert; 33748fbed61eSchristos s->s3.tmp.sigalg = lu; 3375e0ea3921Schristos return 1; 3376e0ea3921Schristos } 3377e0ea3921Schristos 3378e0ea3921Schristos int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) 3379e0ea3921Schristos { 3380e0ea3921Schristos if (mode != TLSEXT_max_fragment_length_DISABLED 3381e0ea3921Schristos && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 33828fbed61eSchristos ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 3383e0ea3921Schristos return 0; 3384e0ea3921Schristos } 3385e0ea3921Schristos 3386e0ea3921Schristos ctx->ext.max_fragment_len_mode = mode; 3387e0ea3921Schristos return 1; 3388e0ea3921Schristos } 3389e0ea3921Schristos 3390e0ea3921Schristos int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode) 3391e0ea3921Schristos { 3392e0ea3921Schristos if (mode != TLSEXT_max_fragment_length_DISABLED 3393e0ea3921Schristos && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 33948fbed61eSchristos ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 3395e0ea3921Schristos return 0; 3396e0ea3921Schristos } 3397e0ea3921Schristos 3398e0ea3921Schristos ssl->ext.max_fragment_len_mode = mode; 3399e0ea3921Schristos return 1; 3400e0ea3921Schristos } 3401e0ea3921Schristos 3402e0ea3921Schristos uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session) 3403e0ea3921Schristos { 3404*7d9ffdb3Schristos if (session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED) 3405*7d9ffdb3Schristos return TLSEXT_max_fragment_length_DISABLED; 3406e0ea3921Schristos return session->ext.max_fragment_len_mode; 3407e0ea3921Schristos } 34088fbed61eSchristos 34098fbed61eSchristos /* 34108fbed61eSchristos * Helper functions for HMAC access with legacy support included. 34118fbed61eSchristos */ 34128fbed61eSchristos SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx) 34138fbed61eSchristos { 34148fbed61eSchristos SSL_HMAC *ret = OPENSSL_zalloc(sizeof(*ret)); 34158fbed61eSchristos EVP_MAC *mac = NULL; 34168fbed61eSchristos 34178fbed61eSchristos if (ret == NULL) 34188fbed61eSchristos return NULL; 34198fbed61eSchristos #ifndef OPENSSL_NO_DEPRECATED_3_0 34208fbed61eSchristos if (ctx->ext.ticket_key_evp_cb == NULL 34218fbed61eSchristos && ctx->ext.ticket_key_cb != NULL) { 34228fbed61eSchristos if (!ssl_hmac_old_new(ret)) 34238fbed61eSchristos goto err; 34248fbed61eSchristos return ret; 34258fbed61eSchristos } 34268fbed61eSchristos #endif 34278fbed61eSchristos mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq); 34288fbed61eSchristos if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL) 34298fbed61eSchristos goto err; 34308fbed61eSchristos EVP_MAC_free(mac); 34318fbed61eSchristos return ret; 34328fbed61eSchristos err: 34338fbed61eSchristos EVP_MAC_CTX_free(ret->ctx); 34348fbed61eSchristos EVP_MAC_free(mac); 34358fbed61eSchristos OPENSSL_free(ret); 34368fbed61eSchristos return NULL; 34378fbed61eSchristos } 34388fbed61eSchristos 34398fbed61eSchristos void ssl_hmac_free(SSL_HMAC *ctx) 34408fbed61eSchristos { 34418fbed61eSchristos if (ctx != NULL) { 34428fbed61eSchristos EVP_MAC_CTX_free(ctx->ctx); 34438fbed61eSchristos #ifndef OPENSSL_NO_DEPRECATED_3_0 34448fbed61eSchristos ssl_hmac_old_free(ctx); 34458fbed61eSchristos #endif 34468fbed61eSchristos OPENSSL_free(ctx); 34478fbed61eSchristos } 34488fbed61eSchristos } 34498fbed61eSchristos 34508fbed61eSchristos EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx) 34518fbed61eSchristos { 34528fbed61eSchristos return ctx->ctx; 34538fbed61eSchristos } 34548fbed61eSchristos 34558fbed61eSchristos int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md) 34568fbed61eSchristos { 34578fbed61eSchristos OSSL_PARAM params[2], *p = params; 34588fbed61eSchristos 34598fbed61eSchristos if (ctx->ctx != NULL) { 34608fbed61eSchristos *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0); 34618fbed61eSchristos *p = OSSL_PARAM_construct_end(); 34628fbed61eSchristos if (EVP_MAC_init(ctx->ctx, key, len, params)) 34638fbed61eSchristos return 1; 34648fbed61eSchristos } 34658fbed61eSchristos #ifndef OPENSSL_NO_DEPRECATED_3_0 34668fbed61eSchristos if (ctx->old_ctx != NULL) 34678fbed61eSchristos return ssl_hmac_old_init(ctx, key, len, md); 34688fbed61eSchristos #endif 34698fbed61eSchristos return 0; 34708fbed61eSchristos } 34718fbed61eSchristos 34728fbed61eSchristos int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len) 34738fbed61eSchristos { 34748fbed61eSchristos if (ctx->ctx != NULL) 34758fbed61eSchristos return EVP_MAC_update(ctx->ctx, data, len); 34768fbed61eSchristos #ifndef OPENSSL_NO_DEPRECATED_3_0 34778fbed61eSchristos if (ctx->old_ctx != NULL) 34788fbed61eSchristos return ssl_hmac_old_update(ctx, data, len); 34798fbed61eSchristos #endif 34808fbed61eSchristos return 0; 34818fbed61eSchristos } 34828fbed61eSchristos 34838fbed61eSchristos int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, 34848fbed61eSchristos size_t max_size) 34858fbed61eSchristos { 34868fbed61eSchristos if (ctx->ctx != NULL) 34878fbed61eSchristos return EVP_MAC_final(ctx->ctx, md, len, max_size); 34888fbed61eSchristos #ifndef OPENSSL_NO_DEPRECATED_3_0 34898fbed61eSchristos if (ctx->old_ctx != NULL) 34908fbed61eSchristos return ssl_hmac_old_final(ctx, md, len); 34918fbed61eSchristos #endif 34928fbed61eSchristos return 0; 34938fbed61eSchristos } 34948fbed61eSchristos 34958fbed61eSchristos size_t ssl_hmac_size(const SSL_HMAC *ctx) 34968fbed61eSchristos { 34978fbed61eSchristos if (ctx->ctx != NULL) 34988fbed61eSchristos return EVP_MAC_CTX_get_mac_size(ctx->ctx); 34998fbed61eSchristos #ifndef OPENSSL_NO_DEPRECATED_3_0 35008fbed61eSchristos if (ctx->old_ctx != NULL) 35018fbed61eSchristos return ssl_hmac_old_size(ctx); 35028fbed61eSchristos #endif 35038fbed61eSchristos return 0; 35048fbed61eSchristos } 35058fbed61eSchristos 35068fbed61eSchristos int ssl_get_EC_curve_nid(const EVP_PKEY *pkey) 35078fbed61eSchristos { 35088fbed61eSchristos char gname[OSSL_MAX_NAME_SIZE]; 35098fbed61eSchristos 35108fbed61eSchristos if (EVP_PKEY_get_group_name(pkey, gname, sizeof(gname), NULL) > 0) 35118fbed61eSchristos return OBJ_txt2nid(gname); 35128fbed61eSchristos 35138fbed61eSchristos return NID_undef; 35148fbed61eSchristos } 35158fbed61eSchristos 35168fbed61eSchristos __owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey, 35178fbed61eSchristos const unsigned char *enckey, 35188fbed61eSchristos size_t enckeylen) 35198fbed61eSchristos { 35208fbed61eSchristos if (EVP_PKEY_is_a(pkey, "DH")) { 35218fbed61eSchristos int bits = EVP_PKEY_get_bits(pkey); 35228fbed61eSchristos 35238fbed61eSchristos if (bits <= 0 || enckeylen != (size_t)bits / 8) 35248fbed61eSchristos /* the encoded key must be padded to the length of the p */ 35258fbed61eSchristos return 0; 35268fbed61eSchristos } else if (EVP_PKEY_is_a(pkey, "EC")) { 35278fbed61eSchristos if (enckeylen < 3 /* point format and at least 1 byte for x and y */ 35288fbed61eSchristos || enckey[0] != 0x04) 35298fbed61eSchristos return 0; 35308fbed61eSchristos } 35318fbed61eSchristos 35328fbed61eSchristos return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen); 35338fbed61eSchristos } 3534