1 /* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <openssl/objects.h> 13 #include <openssl/evp.h> 14 #include <openssl/hmac.h> 15 #include <openssl/core_names.h> 16 #include <openssl/ocsp.h> 17 #include <openssl/conf.h> 18 #include <openssl/x509v3.h> 19 #include <openssl/dh.h> 20 #include <openssl/bn.h> 21 #include <openssl/provider.h> 22 #include <openssl/param_build.h> 23 #include "internal/nelem.h" 24 #include "internal/sizes.h" 25 #include "internal/tlsgroups.h" 26 #include "ssl_local.h" 27 #include <openssl/ct.h> 28 29 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey); 30 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu); 31 32 SSL3_ENC_METHOD const TLSv1_enc_data = { 33 tls1_enc, 34 tls1_mac, 35 tls1_setup_key_block, 36 tls1_generate_master_secret, 37 tls1_change_cipher_state, 38 tls1_final_finish_mac, 39 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 40 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 41 tls1_alert_code, 42 tls1_export_keying_material, 43 0, 44 ssl3_set_handshake_header, 45 tls_close_construct_packet, 46 ssl3_handshake_write 47 }; 48 49 SSL3_ENC_METHOD const TLSv1_1_enc_data = { 50 tls1_enc, 51 tls1_mac, 52 tls1_setup_key_block, 53 tls1_generate_master_secret, 54 tls1_change_cipher_state, 55 tls1_final_finish_mac, 56 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 57 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 58 tls1_alert_code, 59 tls1_export_keying_material, 60 SSL_ENC_FLAG_EXPLICIT_IV, 61 ssl3_set_handshake_header, 62 tls_close_construct_packet, 63 ssl3_handshake_write 64 }; 65 66 SSL3_ENC_METHOD const TLSv1_2_enc_data = { 67 tls1_enc, 68 tls1_mac, 69 tls1_setup_key_block, 70 tls1_generate_master_secret, 71 tls1_change_cipher_state, 72 tls1_final_finish_mac, 73 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 74 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 75 tls1_alert_code, 76 tls1_export_keying_material, 77 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF 78 | SSL_ENC_FLAG_TLS1_2_CIPHERS, 79 ssl3_set_handshake_header, 80 tls_close_construct_packet, 81 ssl3_handshake_write 82 }; 83 84 SSL3_ENC_METHOD const TLSv1_3_enc_data = { 85 tls13_enc, 86 tls1_mac, 87 tls13_setup_key_block, 88 tls13_generate_master_secret, 89 tls13_change_cipher_state, 90 tls13_final_finish_mac, 91 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 92 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 93 tls13_alert_code, 94 tls13_export_keying_material, 95 SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF, 96 ssl3_set_handshake_header, 97 tls_close_construct_packet, 98 ssl3_handshake_write 99 }; 100 101 long tls1_default_timeout(void) 102 { 103 /* 104 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 105 * http, the cache would over fill 106 */ 107 return (60 * 60 * 2); 108 } 109 110 int tls1_new(SSL *s) 111 { 112 if (!ssl3_new(s)) 113 return 0; 114 if (!s->method->ssl_clear(s)) 115 return 0; 116 117 return 1; 118 } 119 120 void tls1_free(SSL *s) 121 { 122 OPENSSL_free(s->ext.session_ticket); 123 ssl3_free(s); 124 } 125 126 int tls1_clear(SSL *s) 127 { 128 if (!ssl3_clear(s)) 129 return 0; 130 131 if (s->method->version == TLS_ANY_VERSION) 132 s->version = TLS_MAX_VERSION_INTERNAL; 133 else 134 s->version = s->method->version; 135 136 return 1; 137 } 138 139 /* Legacy NID to group_id mapping. Only works for groups we know about */ 140 static struct { 141 int nid; 142 uint16_t group_id; 143 } nid_to_group[] = { 144 {NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1}, 145 {NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1}, 146 {NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2}, 147 {NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1}, 148 {NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2}, 149 {NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1}, 150 {NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1}, 151 {NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1}, 152 {NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1}, 153 {NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1}, 154 {NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1}, 155 {NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1}, 156 {NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1}, 157 {NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1}, 158 {NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1}, 159 {NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1}, 160 {NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2}, 161 {NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1}, 162 {NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1}, 163 {NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1}, 164 {NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1}, 165 {NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1}, 166 {NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1}, 167 {NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1}, 168 {NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1}, 169 {NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1}, 170 {NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1}, 171 {NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1}, 172 {EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519}, 173 {EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448}, 174 {NID_id_tc26_gost_3410_2012_256_paramSetA, 0x0022}, 175 {NID_id_tc26_gost_3410_2012_256_paramSetB, 0x0023}, 176 {NID_id_tc26_gost_3410_2012_256_paramSetC, 0x0024}, 177 {NID_id_tc26_gost_3410_2012_256_paramSetD, 0x0025}, 178 {NID_id_tc26_gost_3410_2012_512_paramSetA, 0x0026}, 179 {NID_id_tc26_gost_3410_2012_512_paramSetB, 0x0027}, 180 {NID_id_tc26_gost_3410_2012_512_paramSetC, 0x0028}, 181 {NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048}, 182 {NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072}, 183 {NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096}, 184 {NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144}, 185 {NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192} 186 }; 187 188 static const unsigned char ecformats_default[] = { 189 TLSEXT_ECPOINTFORMAT_uncompressed, 190 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 191 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 192 }; 193 194 /* The default curves */ 195 static const uint16_t supported_groups_default[] = { 196 29, /* X25519 (29) */ 197 23, /* secp256r1 (23) */ 198 30, /* X448 (30) */ 199 25, /* secp521r1 (25) */ 200 24, /* secp384r1 (24) */ 201 34, /* GC256A (34) */ 202 35, /* GC256B (35) */ 203 36, /* GC256C (36) */ 204 37, /* GC256D (37) */ 205 38, /* GC512A (38) */ 206 39, /* GC512B (39) */ 207 40, /* GC512C (40) */ 208 0x100, /* ffdhe2048 (0x100) */ 209 0x101, /* ffdhe3072 (0x101) */ 210 0x102, /* ffdhe4096 (0x102) */ 211 0x103, /* ffdhe6144 (0x103) */ 212 0x104, /* ffdhe8192 (0x104) */ 213 }; 214 215 static const uint16_t suiteb_curves[] = { 216 TLSEXT_curve_P_256, 217 TLSEXT_curve_P_384 218 }; 219 220 struct provider_group_data_st { 221 SSL_CTX *ctx; 222 OSSL_PROVIDER *provider; 223 }; 224 225 #define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10 226 static OSSL_CALLBACK add_provider_groups; 227 static int add_provider_groups(const OSSL_PARAM params[], void *data) 228 { 229 struct provider_group_data_st *pgd = data; 230 SSL_CTX *ctx = pgd->ctx; 231 OSSL_PROVIDER *provider = pgd->provider; 232 const OSSL_PARAM *p; 233 TLS_GROUP_INFO *ginf = NULL; 234 EVP_KEYMGMT *keymgmt; 235 unsigned int gid; 236 unsigned int is_kem = 0; 237 int ret = 0; 238 239 if (ctx->group_list_max_len == ctx->group_list_len) { 240 TLS_GROUP_INFO *tmp = NULL; 241 242 if (ctx->group_list_max_len == 0) 243 tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO) 244 * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); 245 else 246 tmp = OPENSSL_realloc(ctx->group_list, 247 (ctx->group_list_max_len 248 + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE) 249 * sizeof(TLS_GROUP_INFO)); 250 if (tmp == NULL) { 251 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 252 return 0; 253 } 254 ctx->group_list = tmp; 255 memset(tmp + ctx->group_list_max_len, 256 0, 257 sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); 258 ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE; 259 } 260 261 ginf = &ctx->group_list[ctx->group_list_len]; 262 263 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME); 264 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 265 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 266 goto err; 267 } 268 ginf->tlsname = OPENSSL_strdup(p->data); 269 if (ginf->tlsname == NULL) { 270 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 271 goto err; 272 } 273 274 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL); 275 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 276 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 277 goto err; 278 } 279 ginf->realname = OPENSSL_strdup(p->data); 280 if (ginf->realname == NULL) { 281 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 282 goto err; 283 } 284 285 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID); 286 if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) { 287 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 288 goto err; 289 } 290 ginf->group_id = (uint16_t)gid; 291 292 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG); 293 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 294 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 295 goto err; 296 } 297 ginf->algorithm = OPENSSL_strdup(p->data); 298 if (ginf->algorithm == NULL) { 299 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 300 goto err; 301 } 302 303 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS); 304 if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) { 305 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 306 goto err; 307 } 308 309 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM); 310 if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) { 311 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 312 goto err; 313 } 314 ginf->is_kem = 1 & is_kem; 315 316 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS); 317 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) { 318 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 319 goto err; 320 } 321 322 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS); 323 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) { 324 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 325 goto err; 326 } 327 328 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS); 329 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) { 330 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 331 goto err; 332 } 333 334 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS); 335 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) { 336 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 337 goto err; 338 } 339 /* 340 * Now check that the algorithm is actually usable for our property query 341 * string. Regardless of the result we still return success because we have 342 * successfully processed this group, even though we may decide not to use 343 * it. 344 */ 345 ret = 1; 346 ERR_set_mark(); 347 keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq); 348 if (keymgmt != NULL) { 349 /* 350 * We have successfully fetched the algorithm - however if the provider 351 * doesn't match this one then we ignore it. 352 * 353 * Note: We're cheating a little here. Technically if the same algorithm 354 * is available from more than one provider then it is undefined which 355 * implementation you will get back. Theoretically this could be 356 * different every time...we assume here that you'll always get the 357 * same one back if you repeat the exact same fetch. Is this a reasonable 358 * assumption to make (in which case perhaps we should document this 359 * behaviour)? 360 */ 361 if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { 362 /* We have a match - so we will use this group */ 363 ctx->group_list_len++; 364 ginf = NULL; 365 } 366 EVP_KEYMGMT_free(keymgmt); 367 } 368 ERR_pop_to_mark(); 369 err: 370 if (ginf != NULL) { 371 OPENSSL_free(ginf->tlsname); 372 OPENSSL_free(ginf->realname); 373 OPENSSL_free(ginf->algorithm); 374 ginf->algorithm = ginf->tlsname = ginf->realname = NULL; 375 } 376 return ret; 377 } 378 379 static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx) 380 { 381 struct provider_group_data_st pgd; 382 383 pgd.ctx = vctx; 384 pgd.provider = provider; 385 return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP", 386 add_provider_groups, &pgd); 387 } 388 389 int ssl_load_groups(SSL_CTX *ctx) 390 { 391 size_t i, j, num_deflt_grps = 0; 392 uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)]; 393 394 if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx)) 395 return 0; 396 397 for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) { 398 for (j = 0; j < ctx->group_list_len; j++) { 399 if (ctx->group_list[j].group_id == supported_groups_default[i]) { 400 tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id; 401 break; 402 } 403 } 404 } 405 406 if (num_deflt_grps == 0) 407 return 1; 408 409 ctx->ext.supported_groups_default 410 = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps); 411 412 if (ctx->ext.supported_groups_default == NULL) { 413 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 414 return 0; 415 } 416 417 memcpy(ctx->ext.supported_groups_default, 418 tmp_supp_groups, 419 num_deflt_grps * sizeof(tmp_supp_groups[0])); 420 ctx->ext.supported_groups_default_len = num_deflt_grps; 421 422 return 1; 423 } 424 425 static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name) 426 { 427 size_t i; 428 429 for (i = 0; i < ctx->group_list_len; i++) { 430 if (strcmp(ctx->group_list[i].tlsname, name) == 0 431 || strcmp(ctx->group_list[i].realname, name) == 0) 432 return ctx->group_list[i].group_id; 433 } 434 435 return 0; 436 } 437 438 const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id) 439 { 440 size_t i; 441 442 for (i = 0; i < ctx->group_list_len; i++) { 443 if (ctx->group_list[i].group_id == group_id) 444 return &ctx->group_list[i]; 445 } 446 447 return NULL; 448 } 449 450 int tls1_group_id2nid(uint16_t group_id, int include_unknown) 451 { 452 size_t i; 453 454 if (group_id == 0) 455 return NID_undef; 456 457 /* 458 * Return well known Group NIDs - for backwards compatibility. This won't 459 * work for groups we don't know about. 460 */ 461 for (i = 0; i < OSSL_NELEM(nid_to_group); i++) 462 { 463 if (nid_to_group[i].group_id == group_id) 464 return nid_to_group[i].nid; 465 } 466 if (!include_unknown) 467 return NID_undef; 468 return TLSEXT_nid_unknown | (int)group_id; 469 } 470 471 uint16_t tls1_nid2group_id(int nid) 472 { 473 size_t i; 474 475 /* 476 * Return well known Group ids - for backwards compatibility. This won't 477 * work for groups we don't know about. 478 */ 479 for (i = 0; i < OSSL_NELEM(nid_to_group); i++) 480 { 481 if (nid_to_group[i].nid == nid) 482 return nid_to_group[i].group_id; 483 } 484 485 return 0; 486 } 487 488 /* 489 * Set *pgroups to the supported groups list and *pgroupslen to 490 * the number of groups supported. 491 */ 492 void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, 493 size_t *pgroupslen) 494 { 495 /* For Suite B mode only include P-256, P-384 */ 496 switch (tls1_suiteb(s)) { 497 case SSL_CERT_FLAG_SUITEB_128_LOS: 498 *pgroups = suiteb_curves; 499 *pgroupslen = OSSL_NELEM(suiteb_curves); 500 break; 501 502 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 503 *pgroups = suiteb_curves; 504 *pgroupslen = 1; 505 break; 506 507 case SSL_CERT_FLAG_SUITEB_192_LOS: 508 *pgroups = suiteb_curves + 1; 509 *pgroupslen = 1; 510 break; 511 512 default: 513 if (s->ext.supportedgroups == NULL) { 514 *pgroups = s->ctx->ext.supported_groups_default; 515 *pgroupslen = s->ctx->ext.supported_groups_default_len; 516 } else { 517 *pgroups = s->ext.supportedgroups; 518 *pgroupslen = s->ext.supportedgroups_len; 519 } 520 break; 521 } 522 } 523 524 int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion, 525 int isec, int *okfortls13) 526 { 527 const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group_id); 528 int ret; 529 530 if (okfortls13 != NULL) 531 *okfortls13 = 0; 532 533 if (ginfo == NULL) 534 return 0; 535 536 if (SSL_IS_DTLS(s)) { 537 if (ginfo->mindtls < 0 || ginfo->maxdtls < 0) 538 return 0; 539 if (ginfo->maxdtls == 0) 540 ret = 1; 541 else 542 ret = DTLS_VERSION_LE(minversion, ginfo->maxdtls); 543 if (ginfo->mindtls > 0) 544 ret &= DTLS_VERSION_GE(maxversion, ginfo->mindtls); 545 } else { 546 if (ginfo->mintls < 0 || ginfo->maxtls < 0) 547 return 0; 548 if (ginfo->maxtls == 0) 549 ret = 1; 550 else 551 ret = (minversion <= ginfo->maxtls); 552 if (ginfo->mintls > 0) 553 ret &= (maxversion >= ginfo->mintls); 554 if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION) 555 *okfortls13 = (ginfo->maxtls == 0) 556 || (ginfo->maxtls >= TLS1_3_VERSION); 557 } 558 ret &= !isec 559 || strcmp(ginfo->algorithm, "EC") == 0 560 || strcmp(ginfo->algorithm, "X25519") == 0 561 || strcmp(ginfo->algorithm, "X448") == 0; 562 563 return ret; 564 } 565 566 /* See if group is allowed by security callback */ 567 int tls_group_allowed(SSL *s, uint16_t group, int op) 568 { 569 const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group); 570 unsigned char gtmp[2]; 571 572 if (ginfo == NULL) 573 return 0; 574 575 gtmp[0] = group >> 8; 576 gtmp[1] = group & 0xff; 577 return ssl_security(s, op, ginfo->secbits, 578 tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp); 579 } 580 581 /* Return 1 if "id" is in "list" */ 582 static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen) 583 { 584 size_t i; 585 for (i = 0; i < listlen; i++) 586 if (list[i] == id) 587 return 1; 588 return 0; 589 } 590 591 /*- 592 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0 593 * if there is no match. 594 * For nmatch == -1, return number of matches 595 * For nmatch == -2, return the id of the group to use for 596 * a tmp key, or 0 if there is no match. 597 */ 598 uint16_t tls1_shared_group(SSL *s, int nmatch) 599 { 600 const uint16_t *pref, *supp; 601 size_t num_pref, num_supp, i; 602 int k; 603 604 /* Can't do anything on client side */ 605 if (s->server == 0) 606 return 0; 607 if (nmatch == -2) { 608 if (tls1_suiteb(s)) { 609 /* 610 * For Suite B ciphersuite determines curve: we already know 611 * these are acceptable due to previous checks. 612 */ 613 unsigned long cid = s->s3.tmp.new_cipher->id; 614 615 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 616 return TLSEXT_curve_P_256; 617 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 618 return TLSEXT_curve_P_384; 619 /* Should never happen */ 620 return 0; 621 } 622 /* If not Suite B just return first preference shared curve */ 623 nmatch = 0; 624 } 625 /* 626 * If server preference set, our groups are the preference order 627 * otherwise peer decides. 628 */ 629 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 630 tls1_get_supported_groups(s, &pref, &num_pref); 631 tls1_get_peer_groups(s, &supp, &num_supp); 632 } else { 633 tls1_get_peer_groups(s, &pref, &num_pref); 634 tls1_get_supported_groups(s, &supp, &num_supp); 635 } 636 637 for (k = 0, i = 0; i < num_pref; i++) { 638 uint16_t id = pref[i]; 639 640 if (!tls1_in_list(id, supp, num_supp) 641 || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED)) 642 continue; 643 if (nmatch == k) 644 return id; 645 k++; 646 } 647 if (nmatch == -1) 648 return k; 649 /* Out of range (nmatch > k). */ 650 return 0; 651 } 652 653 int tls1_set_groups(uint16_t **pext, size_t *pextlen, 654 int *groups, size_t ngroups) 655 { 656 uint16_t *glist; 657 size_t i; 658 /* 659 * Bitmap of groups included to detect duplicates: two variables are added 660 * to detect duplicates as some values are more than 32. 661 */ 662 unsigned long *dup_list = NULL; 663 unsigned long dup_list_egrp = 0; 664 unsigned long dup_list_dhgrp = 0; 665 666 if (ngroups == 0) { 667 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); 668 return 0; 669 } 670 if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { 671 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 672 return 0; 673 } 674 for (i = 0; i < ngroups; i++) { 675 unsigned long idmask; 676 uint16_t id; 677 id = tls1_nid2group_id(groups[i]); 678 if ((id & 0x00FF) >= (sizeof(unsigned long) * 8)) 679 goto err; 680 idmask = 1L << (id & 0x00FF); 681 dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp; 682 if (!id || ((*dup_list) & idmask)) 683 goto err; 684 *dup_list |= idmask; 685 glist[i] = id; 686 } 687 OPENSSL_free(*pext); 688 *pext = glist; 689 *pextlen = ngroups; 690 return 1; 691 err: 692 OPENSSL_free(glist); 693 return 0; 694 } 695 696 # define GROUPLIST_INCREMENT 40 697 # define GROUP_NAME_BUFFER_LENGTH 64 698 typedef struct { 699 SSL_CTX *ctx; 700 size_t gidcnt; 701 size_t gidmax; 702 uint16_t *gid_arr; 703 } gid_cb_st; 704 705 static int gid_cb(const char *elem, int len, void *arg) 706 { 707 gid_cb_st *garg = arg; 708 size_t i; 709 uint16_t gid = 0; 710 char etmp[GROUP_NAME_BUFFER_LENGTH]; 711 712 if (elem == NULL) 713 return 0; 714 if (garg->gidcnt == garg->gidmax) { 715 uint16_t *tmp = 716 OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT); 717 if (tmp == NULL) 718 return 0; 719 garg->gidmax += GROUPLIST_INCREMENT; 720 garg->gid_arr = tmp; 721 } 722 if (len > (int)(sizeof(etmp) - 1)) 723 return 0; 724 memcpy(etmp, elem, len); 725 etmp[len] = 0; 726 727 gid = tls1_group_name2id(garg->ctx, etmp); 728 if (gid == 0) { 729 ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, 730 "group '%s' cannot be set", etmp); 731 return 0; 732 } 733 for (i = 0; i < garg->gidcnt; i++) 734 if (garg->gid_arr[i] == gid) 735 return 0; 736 garg->gid_arr[garg->gidcnt++] = gid; 737 return 1; 738 } 739 740 /* Set groups based on a colon separated list */ 741 int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, 742 const char *str) 743 { 744 gid_cb_st gcb; 745 uint16_t *tmparr; 746 int ret = 0; 747 748 gcb.gidcnt = 0; 749 gcb.gidmax = GROUPLIST_INCREMENT; 750 gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr)); 751 if (gcb.gid_arr == NULL) 752 return 0; 753 gcb.ctx = ctx; 754 if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) 755 goto end; 756 if (pext == NULL) { 757 ret = 1; 758 goto end; 759 } 760 761 /* 762 * gid_cb ensurse there are no duplicates so we can just go ahead and set 763 * the result 764 */ 765 tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); 766 if (tmparr == NULL) 767 goto end; 768 *pext = tmparr; 769 *pextlen = gcb.gidcnt; 770 ret = 1; 771 end: 772 OPENSSL_free(gcb.gid_arr); 773 return ret; 774 } 775 776 /* Check a group id matches preferences */ 777 int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) 778 { 779 const uint16_t *groups; 780 size_t groups_len; 781 782 if (group_id == 0) 783 return 0; 784 785 /* Check for Suite B compliance */ 786 if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) { 787 unsigned long cid = s->s3.tmp.new_cipher->id; 788 789 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { 790 if (group_id != TLSEXT_curve_P_256) 791 return 0; 792 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { 793 if (group_id != TLSEXT_curve_P_384) 794 return 0; 795 } else { 796 /* Should never happen */ 797 return 0; 798 } 799 } 800 801 if (check_own_groups) { 802 /* Check group is one of our preferences */ 803 tls1_get_supported_groups(s, &groups, &groups_len); 804 if (!tls1_in_list(group_id, groups, groups_len)) 805 return 0; 806 } 807 808 if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) 809 return 0; 810 811 /* For clients, nothing more to check */ 812 if (!s->server) 813 return 1; 814 815 /* Check group is one of peers preferences */ 816 tls1_get_peer_groups(s, &groups, &groups_len); 817 818 /* 819 * RFC 4492 does not require the supported elliptic curves extension 820 * so if it is not sent we can just choose any curve. 821 * It is invalid to send an empty list in the supported groups 822 * extension, so groups_len == 0 always means no extension. 823 */ 824 if (groups_len == 0) 825 return 1; 826 return tls1_in_list(group_id, groups, groups_len); 827 } 828 829 void tls1_get_formatlist(SSL *s, const unsigned char **pformats, 830 size_t *num_formats) 831 { 832 /* 833 * If we have a custom point format list use it otherwise use default 834 */ 835 if (s->ext.ecpointformats) { 836 *pformats = s->ext.ecpointformats; 837 *num_formats = s->ext.ecpointformats_len; 838 } else { 839 *pformats = ecformats_default; 840 /* For Suite B we don't support char2 fields */ 841 if (tls1_suiteb(s)) 842 *num_formats = sizeof(ecformats_default) - 1; 843 else 844 *num_formats = sizeof(ecformats_default); 845 } 846 } 847 848 /* Check a key is compatible with compression extension */ 849 static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) 850 { 851 unsigned char comp_id; 852 size_t i; 853 int point_conv; 854 855 /* If not an EC key nothing to check */ 856 if (!EVP_PKEY_is_a(pkey, "EC")) 857 return 1; 858 859 860 /* Get required compression id */ 861 point_conv = EVP_PKEY_get_ec_point_conv_form(pkey); 862 if (point_conv == 0) 863 return 0; 864 if (point_conv == POINT_CONVERSION_UNCOMPRESSED) { 865 comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 866 } else if (SSL_IS_TLS13(s)) { 867 /* 868 * ec_point_formats extension is not used in TLSv1.3 so we ignore 869 * this check. 870 */ 871 return 1; 872 } else { 873 int field_type = EVP_PKEY_get_field_type(pkey); 874 875 if (field_type == NID_X9_62_prime_field) 876 comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 877 else if (field_type == NID_X9_62_characteristic_two_field) 878 comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 879 else 880 return 0; 881 } 882 /* 883 * If point formats extension present check it, otherwise everything is 884 * supported (see RFC4492). 885 */ 886 if (s->ext.peer_ecpointformats == NULL) 887 return 1; 888 889 for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { 890 if (s->ext.peer_ecpointformats[i] == comp_id) 891 return 1; 892 } 893 return 0; 894 } 895 896 /* Return group id of a key */ 897 static uint16_t tls1_get_group_id(EVP_PKEY *pkey) 898 { 899 int curve_nid = ssl_get_EC_curve_nid(pkey); 900 901 if (curve_nid == NID_undef) 902 return 0; 903 return tls1_nid2group_id(curve_nid); 904 } 905 906 /* 907 * Check cert parameters compatible with extensions: currently just checks EC 908 * certificates have compatible curves and compression. 909 */ 910 static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md) 911 { 912 uint16_t group_id; 913 EVP_PKEY *pkey; 914 pkey = X509_get0_pubkey(x); 915 if (pkey == NULL) 916 return 0; 917 /* If not EC nothing to do */ 918 if (!EVP_PKEY_is_a(pkey, "EC")) 919 return 1; 920 /* Check compression */ 921 if (!tls1_check_pkey_comp(s, pkey)) 922 return 0; 923 group_id = tls1_get_group_id(pkey); 924 /* 925 * For a server we allow the certificate to not be in our list of supported 926 * groups. 927 */ 928 if (!tls1_check_group_id(s, group_id, !s->server)) 929 return 0; 930 /* 931 * Special case for suite B. We *MUST* sign using SHA256+P-256 or 932 * SHA384+P-384. 933 */ 934 if (check_ee_md && tls1_suiteb(s)) { 935 int check_md; 936 size_t i; 937 938 /* Check to see we have necessary signing algorithm */ 939 if (group_id == TLSEXT_curve_P_256) 940 check_md = NID_ecdsa_with_SHA256; 941 else if (group_id == TLSEXT_curve_P_384) 942 check_md = NID_ecdsa_with_SHA384; 943 else 944 return 0; /* Should never happen */ 945 for (i = 0; i < s->shared_sigalgslen; i++) { 946 if (check_md == s->shared_sigalgs[i]->sigandhash) 947 return 1;; 948 } 949 return 0; 950 } 951 return 1; 952 } 953 954 /* 955 * tls1_check_ec_tmp_key - Check EC temporary key compatibility 956 * @s: SSL connection 957 * @cid: Cipher ID we're considering using 958 * 959 * Checks that the kECDHE cipher suite we're considering using 960 * is compatible with the client extensions. 961 * 962 * Returns 0 when the cipher can't be used or 1 when it can. 963 */ 964 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) 965 { 966 /* If not Suite B just need a shared group */ 967 if (!tls1_suiteb(s)) 968 return tls1_shared_group(s, 0) != 0; 969 /* 970 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other 971 * curves permitted. 972 */ 973 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 974 return tls1_check_group_id(s, TLSEXT_curve_P_256, 1); 975 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 976 return tls1_check_group_id(s, TLSEXT_curve_P_384, 1); 977 978 return 0; 979 } 980 981 /* Default sigalg schemes */ 982 static const uint16_t tls12_sigalgs[] = { 983 TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 984 TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 985 TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 986 TLSEXT_SIGALG_ed25519, 987 TLSEXT_SIGALG_ed448, 988 989 TLSEXT_SIGALG_rsa_pss_pss_sha256, 990 TLSEXT_SIGALG_rsa_pss_pss_sha384, 991 TLSEXT_SIGALG_rsa_pss_pss_sha512, 992 TLSEXT_SIGALG_rsa_pss_rsae_sha256, 993 TLSEXT_SIGALG_rsa_pss_rsae_sha384, 994 TLSEXT_SIGALG_rsa_pss_rsae_sha512, 995 996 TLSEXT_SIGALG_rsa_pkcs1_sha256, 997 TLSEXT_SIGALG_rsa_pkcs1_sha384, 998 TLSEXT_SIGALG_rsa_pkcs1_sha512, 999 1000 TLSEXT_SIGALG_ecdsa_sha224, 1001 TLSEXT_SIGALG_ecdsa_sha1, 1002 1003 TLSEXT_SIGALG_rsa_pkcs1_sha224, 1004 TLSEXT_SIGALG_rsa_pkcs1_sha1, 1005 1006 TLSEXT_SIGALG_dsa_sha224, 1007 TLSEXT_SIGALG_dsa_sha1, 1008 1009 TLSEXT_SIGALG_dsa_sha256, 1010 TLSEXT_SIGALG_dsa_sha384, 1011 TLSEXT_SIGALG_dsa_sha512, 1012 1013 #ifndef OPENSSL_NO_GOST 1014 TLSEXT_SIGALG_gostr34102012_256_intrinsic, 1015 TLSEXT_SIGALG_gostr34102012_512_intrinsic, 1016 TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1017 TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1018 TLSEXT_SIGALG_gostr34102001_gostr3411, 1019 #endif 1020 }; 1021 1022 1023 static const uint16_t suiteb_sigalgs[] = { 1024 TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1025 TLSEXT_SIGALG_ecdsa_secp384r1_sha384 1026 }; 1027 1028 static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { 1029 {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1030 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1031 NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1}, 1032 {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 1033 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1034 NID_ecdsa_with_SHA384, NID_secp384r1, 1}, 1035 {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 1036 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1037 NID_ecdsa_with_SHA512, NID_secp521r1, 1}, 1038 {"ed25519", TLSEXT_SIGALG_ed25519, 1039 NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519, 1040 NID_undef, NID_undef, 1}, 1041 {"ed448", TLSEXT_SIGALG_ed448, 1042 NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448, 1043 NID_undef, NID_undef, 1}, 1044 {NULL, TLSEXT_SIGALG_ecdsa_sha224, 1045 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1046 NID_ecdsa_with_SHA224, NID_undef, 1}, 1047 {NULL, TLSEXT_SIGALG_ecdsa_sha1, 1048 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1049 NID_ecdsa_with_SHA1, NID_undef, 1}, 1050 {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, 1051 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1052 NID_undef, NID_undef, 1}, 1053 {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384, 1054 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1055 NID_undef, NID_undef, 1}, 1056 {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512, 1057 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1058 NID_undef, NID_undef, 1}, 1059 {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256, 1060 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1061 NID_undef, NID_undef, 1}, 1062 {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384, 1063 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1064 NID_undef, NID_undef, 1}, 1065 {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512, 1066 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1067 NID_undef, NID_undef, 1}, 1068 {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256, 1069 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1070 NID_sha256WithRSAEncryption, NID_undef, 1}, 1071 {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384, 1072 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1073 NID_sha384WithRSAEncryption, NID_undef, 1}, 1074 {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512, 1075 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1076 NID_sha512WithRSAEncryption, NID_undef, 1}, 1077 {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224, 1078 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1079 NID_sha224WithRSAEncryption, NID_undef, 1}, 1080 {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, 1081 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1082 NID_sha1WithRSAEncryption, NID_undef, 1}, 1083 {NULL, TLSEXT_SIGALG_dsa_sha256, 1084 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1085 NID_dsa_with_SHA256, NID_undef, 1}, 1086 {NULL, TLSEXT_SIGALG_dsa_sha384, 1087 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1088 NID_undef, NID_undef, 1}, 1089 {NULL, TLSEXT_SIGALG_dsa_sha512, 1090 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1091 NID_undef, NID_undef, 1}, 1092 {NULL, TLSEXT_SIGALG_dsa_sha224, 1093 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1094 NID_undef, NID_undef, 1}, 1095 {NULL, TLSEXT_SIGALG_dsa_sha1, 1096 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1097 NID_dsaWithSHA1, NID_undef, 1}, 1098 #ifndef OPENSSL_NO_GOST 1099 {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic, 1100 NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 1101 NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 1102 NID_undef, NID_undef, 1}, 1103 {NULL, TLSEXT_SIGALG_gostr34102012_512_intrinsic, 1104 NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 1105 NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 1106 NID_undef, NID_undef, 1}, 1107 {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1108 NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 1109 NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 1110 NID_undef, NID_undef, 1}, 1111 {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1112 NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 1113 NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 1114 NID_undef, NID_undef, 1}, 1115 {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411, 1116 NID_id_GostR3411_94, SSL_MD_GOST94_IDX, 1117 NID_id_GostR3410_2001, SSL_PKEY_GOST01, 1118 NID_undef, NID_undef, 1} 1119 #endif 1120 }; 1121 /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */ 1122 static const SIGALG_LOOKUP legacy_rsa_sigalg = { 1123 "rsa_pkcs1_md5_sha1", 0, 1124 NID_md5_sha1, SSL_MD_MD5_SHA1_IDX, 1125 EVP_PKEY_RSA, SSL_PKEY_RSA, 1126 NID_undef, NID_undef, 1 1127 }; 1128 1129 /* 1130 * Default signature algorithm values used if signature algorithms not present. 1131 * From RFC5246. Note: order must match certificate index order. 1132 */ 1133 static const uint16_t tls_default_sigalg[] = { 1134 TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ 1135 0, /* SSL_PKEY_RSA_PSS_SIGN */ 1136 TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ 1137 TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ 1138 TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ 1139 TLSEXT_SIGALG_gostr34102012_256_intrinsic, /* SSL_PKEY_GOST12_256 */ 1140 TLSEXT_SIGALG_gostr34102012_512_intrinsic, /* SSL_PKEY_GOST12_512 */ 1141 0, /* SSL_PKEY_ED25519 */ 1142 0, /* SSL_PKEY_ED448 */ 1143 }; 1144 1145 int ssl_setup_sig_algs(SSL_CTX *ctx) 1146 { 1147 size_t i; 1148 const SIGALG_LOOKUP *lu; 1149 SIGALG_LOOKUP *cache 1150 = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); 1151 EVP_PKEY *tmpkey = EVP_PKEY_new(); 1152 int ret = 0; 1153 1154 if (cache == NULL || tmpkey == NULL) 1155 goto err; 1156 1157 ERR_set_mark(); 1158 for (i = 0, lu = sigalg_lookup_tbl; 1159 i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { 1160 EVP_PKEY_CTX *pctx; 1161 1162 cache[i] = *lu; 1163 1164 /* 1165 * Check hash is available. 1166 * This test is not perfect. A provider could have support 1167 * for a signature scheme, but not a particular hash. However the hash 1168 * could be available from some other loaded provider. In that case it 1169 * could be that the signature is available, and the hash is available 1170 * independently - but not as a combination. We ignore this for now. 1171 */ 1172 if (lu->hash != NID_undef 1173 && ctx->ssl_digest_methods[lu->hash_idx] == NULL) { 1174 cache[i].enabled = 0; 1175 continue; 1176 } 1177 1178 if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { 1179 cache[i].enabled = 0; 1180 continue; 1181 } 1182 pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, tmpkey, ctx->propq); 1183 /* If unable to create pctx we assume the sig algorithm is unavailable */ 1184 if (pctx == NULL) 1185 cache[i].enabled = 0; 1186 EVP_PKEY_CTX_free(pctx); 1187 } 1188 ERR_pop_to_mark(); 1189 ctx->sigalg_lookup_cache = cache; 1190 cache = NULL; 1191 1192 ret = 1; 1193 err: 1194 OPENSSL_free(cache); 1195 EVP_PKEY_free(tmpkey); 1196 return ret; 1197 } 1198 1199 /* Lookup TLS signature algorithm */ 1200 static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL *s, uint16_t sigalg) 1201 { 1202 size_t i; 1203 const SIGALG_LOOKUP *lu; 1204 1205 for (i = 0, lu = s->ctx->sigalg_lookup_cache; 1206 /* cache should have the same number of elements as sigalg_lookup_tbl */ 1207 i < OSSL_NELEM(sigalg_lookup_tbl); 1208 lu++, i++) { 1209 if (lu->sigalg == sigalg) { 1210 if (!lu->enabled) 1211 return NULL; 1212 return lu; 1213 } 1214 } 1215 return NULL; 1216 } 1217 /* Lookup hash: return 0 if invalid or not enabled */ 1218 int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd) 1219 { 1220 const EVP_MD *md; 1221 if (lu == NULL) 1222 return 0; 1223 /* lu->hash == NID_undef means no associated digest */ 1224 if (lu->hash == NID_undef) { 1225 md = NULL; 1226 } else { 1227 md = ssl_md(ctx, lu->hash_idx); 1228 if (md == NULL) 1229 return 0; 1230 } 1231 if (pmd) 1232 *pmd = md; 1233 return 1; 1234 } 1235 1236 /* 1237 * Check if key is large enough to generate RSA-PSS signature. 1238 * 1239 * The key must greater than or equal to 2 * hash length + 2. 1240 * SHA512 has a hash length of 64 bytes, which is incompatible 1241 * with a 128 byte (1024 bit) key. 1242 */ 1243 #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2) 1244 static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey, 1245 const SIGALG_LOOKUP *lu) 1246 { 1247 const EVP_MD *md; 1248 1249 if (pkey == NULL) 1250 return 0; 1251 if (!tls1_lookup_md(ctx, lu, &md) || md == NULL) 1252 return 0; 1253 if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md)) 1254 return 0; 1255 return 1; 1256 } 1257 1258 /* 1259 * Returns a signature algorithm when the peer did not send a list of supported 1260 * signature algorithms. The signature algorithm is fixed for the certificate 1261 * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the 1262 * certificate type from |s| will be used. 1263 * Returns the signature algorithm to use, or NULL on error. 1264 */ 1265 static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) 1266 { 1267 if (idx == -1) { 1268 if (s->server) { 1269 size_t i; 1270 1271 /* Work out index corresponding to ciphersuite */ 1272 for (i = 0; i < SSL_PKEY_NUM; i++) { 1273 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i); 1274 1275 if (clu == NULL) 1276 continue; 1277 if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) { 1278 idx = i; 1279 break; 1280 } 1281 } 1282 1283 /* 1284 * Some GOST ciphersuites allow more than one signature algorithms 1285 * */ 1286 if (idx == SSL_PKEY_GOST01 && s->s3.tmp.new_cipher->algorithm_auth != SSL_aGOST01) { 1287 int real_idx; 1288 1289 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01; 1290 real_idx--) { 1291 if (s->cert->pkeys[real_idx].privatekey != NULL) { 1292 idx = real_idx; 1293 break; 1294 } 1295 } 1296 } 1297 /* 1298 * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used 1299 * with new (aGOST12-only) ciphersuites, we should find out which one is available really. 1300 */ 1301 else if (idx == SSL_PKEY_GOST12_256) { 1302 int real_idx; 1303 1304 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256; 1305 real_idx--) { 1306 if (s->cert->pkeys[real_idx].privatekey != NULL) { 1307 idx = real_idx; 1308 break; 1309 } 1310 } 1311 } 1312 } else { 1313 idx = s->cert->key - s->cert->pkeys; 1314 } 1315 } 1316 if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) 1317 return NULL; 1318 if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { 1319 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, tls_default_sigalg[idx]); 1320 1321 if (lu == NULL) 1322 return NULL; 1323 if (!tls1_lookup_md(s->ctx, lu, NULL)) 1324 return NULL; 1325 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 1326 return NULL; 1327 return lu; 1328 } 1329 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg)) 1330 return NULL; 1331 return &legacy_rsa_sigalg; 1332 } 1333 /* Set peer sigalg based key type */ 1334 int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey) 1335 { 1336 size_t idx; 1337 const SIGALG_LOOKUP *lu; 1338 1339 if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 1340 return 0; 1341 lu = tls1_get_legacy_sigalg(s, idx); 1342 if (lu == NULL) 1343 return 0; 1344 s->s3.tmp.peer_sigalg = lu; 1345 return 1; 1346 } 1347 1348 size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) 1349 { 1350 /* 1351 * If Suite B mode use Suite B sigalgs only, ignore any other 1352 * preferences. 1353 */ 1354 switch (tls1_suiteb(s)) { 1355 case SSL_CERT_FLAG_SUITEB_128_LOS: 1356 *psigs = suiteb_sigalgs; 1357 return OSSL_NELEM(suiteb_sigalgs); 1358 1359 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 1360 *psigs = suiteb_sigalgs; 1361 return 1; 1362 1363 case SSL_CERT_FLAG_SUITEB_192_LOS: 1364 *psigs = suiteb_sigalgs + 1; 1365 return 1; 1366 } 1367 /* 1368 * We use client_sigalgs (if not NULL) if we're a server 1369 * and sending a certificate request or if we're a client and 1370 * determining which shared algorithm to use. 1371 */ 1372 if ((s->server == sent) && s->cert->client_sigalgs != NULL) { 1373 *psigs = s->cert->client_sigalgs; 1374 return s->cert->client_sigalgslen; 1375 } else if (s->cert->conf_sigalgs) { 1376 *psigs = s->cert->conf_sigalgs; 1377 return s->cert->conf_sigalgslen; 1378 } else { 1379 *psigs = tls12_sigalgs; 1380 return OSSL_NELEM(tls12_sigalgs); 1381 } 1382 } 1383 1384 /* 1385 * Called by servers only. Checks that we have a sig alg that supports the 1386 * specified EC curve. 1387 */ 1388 int tls_check_sigalg_curve(const SSL *s, int curve) 1389 { 1390 const uint16_t *sigs; 1391 size_t siglen, i; 1392 1393 if (s->cert->conf_sigalgs) { 1394 sigs = s->cert->conf_sigalgs; 1395 siglen = s->cert->conf_sigalgslen; 1396 } else { 1397 sigs = tls12_sigalgs; 1398 siglen = OSSL_NELEM(tls12_sigalgs); 1399 } 1400 1401 for (i = 0; i < siglen; i++) { 1402 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, sigs[i]); 1403 1404 if (lu == NULL) 1405 continue; 1406 if (lu->sig == EVP_PKEY_EC 1407 && lu->curve != NID_undef 1408 && curve == lu->curve) 1409 return 1; 1410 } 1411 1412 return 0; 1413 } 1414 1415 /* 1416 * Return the number of security bits for the signature algorithm, or 0 on 1417 * error. 1418 */ 1419 static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu) 1420 { 1421 const EVP_MD *md = NULL; 1422 int secbits = 0; 1423 1424 if (!tls1_lookup_md(ctx, lu, &md)) 1425 return 0; 1426 if (md != NULL) 1427 { 1428 int md_type = EVP_MD_get_type(md); 1429 1430 /* Security bits: half digest bits */ 1431 secbits = EVP_MD_get_size(md) * 4; 1432 /* 1433 * SHA1 and MD5 are known to be broken. Reduce security bits so that 1434 * they're no longer accepted at security level 1. The real values don't 1435 * really matter as long as they're lower than 80, which is our 1436 * security level 1. 1437 * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for 1438 * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2 1439 * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf 1440 * puts a chosen-prefix attack for MD5 at 2^39. 1441 */ 1442 if (md_type == NID_sha1) 1443 secbits = 64; 1444 else if (md_type == NID_md5_sha1) 1445 secbits = 67; 1446 else if (md_type == NID_md5) 1447 secbits = 39; 1448 } else { 1449 /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ 1450 if (lu->sigalg == TLSEXT_SIGALG_ed25519) 1451 secbits = 128; 1452 else if (lu->sigalg == TLSEXT_SIGALG_ed448) 1453 secbits = 224; 1454 } 1455 return secbits; 1456 } 1457 1458 /* 1459 * Check signature algorithm is consistent with sent supported signature 1460 * algorithms and if so set relevant digest and signature scheme in 1461 * s. 1462 */ 1463 int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) 1464 { 1465 const uint16_t *sent_sigs; 1466 const EVP_MD *md = NULL; 1467 char sigalgstr[2]; 1468 size_t sent_sigslen, i, cidx; 1469 int pkeyid = -1; 1470 const SIGALG_LOOKUP *lu; 1471 int secbits = 0; 1472 1473 pkeyid = EVP_PKEY_get_id(pkey); 1474 /* Should never happen */ 1475 if (pkeyid == -1) 1476 return -1; 1477 if (SSL_IS_TLS13(s)) { 1478 /* Disallow DSA for TLS 1.3 */ 1479 if (pkeyid == EVP_PKEY_DSA) { 1480 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1481 return 0; 1482 } 1483 /* Only allow PSS for TLS 1.3 */ 1484 if (pkeyid == EVP_PKEY_RSA) 1485 pkeyid = EVP_PKEY_RSA_PSS; 1486 } 1487 lu = tls1_lookup_sigalg(s, sig); 1488 /* 1489 * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type 1490 * is consistent with signature: RSA keys can be used for RSA-PSS 1491 */ 1492 if (lu == NULL 1493 || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) 1494 || (pkeyid != lu->sig 1495 && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { 1496 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1497 return 0; 1498 } 1499 /* Check the sigalg is consistent with the key OID */ 1500 if (!ssl_cert_lookup_by_nid(EVP_PKEY_get_id(pkey), &cidx) 1501 || lu->sig_idx != (int)cidx) { 1502 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1503 return 0; 1504 } 1505 1506 if (pkeyid == EVP_PKEY_EC) { 1507 1508 /* Check point compression is permitted */ 1509 if (!tls1_check_pkey_comp(s, pkey)) { 1510 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1511 SSL_R_ILLEGAL_POINT_COMPRESSION); 1512 return 0; 1513 } 1514 1515 /* For TLS 1.3 or Suite B check curve matches signature algorithm */ 1516 if (SSL_IS_TLS13(s) || tls1_suiteb(s)) { 1517 int curve = ssl_get_EC_curve_nid(pkey); 1518 1519 if (lu->curve != NID_undef && curve != lu->curve) { 1520 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 1521 return 0; 1522 } 1523 } 1524 if (!SSL_IS_TLS13(s)) { 1525 /* Check curve matches extensions */ 1526 if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { 1527 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 1528 return 0; 1529 } 1530 if (tls1_suiteb(s)) { 1531 /* Check sigalg matches a permissible Suite B value */ 1532 if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 1533 && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { 1534 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1535 SSL_R_WRONG_SIGNATURE_TYPE); 1536 return 0; 1537 } 1538 } 1539 } 1540 } else if (tls1_suiteb(s)) { 1541 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1542 return 0; 1543 } 1544 1545 /* Check signature matches a type we sent */ 1546 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1547 for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 1548 if (sig == *sent_sigs) 1549 break; 1550 } 1551 /* Allow fallback to SHA1 if not strict mode */ 1552 if (i == sent_sigslen && (lu->hash != NID_sha1 1553 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 1554 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1555 return 0; 1556 } 1557 if (!tls1_lookup_md(s->ctx, lu, &md)) { 1558 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); 1559 return 0; 1560 } 1561 /* 1562 * Make sure security callback allows algorithm. For historical 1563 * reasons we have to pass the sigalg as a two byte char array. 1564 */ 1565 sigalgstr[0] = (sig >> 8) & 0xff; 1566 sigalgstr[1] = sig & 0xff; 1567 secbits = sigalg_security_bits(s->ctx, lu); 1568 if (secbits == 0 || 1569 !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, 1570 md != NULL ? EVP_MD_get_type(md) : NID_undef, 1571 (void *)sigalgstr)) { 1572 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1573 return 0; 1574 } 1575 /* Store the sigalg the peer uses */ 1576 s->s3.tmp.peer_sigalg = lu; 1577 return 1; 1578 } 1579 1580 int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) 1581 { 1582 if (s->s3.tmp.peer_sigalg == NULL) 1583 return 0; 1584 *pnid = s->s3.tmp.peer_sigalg->sig; 1585 return 1; 1586 } 1587 1588 int SSL_get_signature_type_nid(const SSL *s, int *pnid) 1589 { 1590 if (s->s3.tmp.sigalg == NULL) 1591 return 0; 1592 *pnid = s->s3.tmp.sigalg->sig; 1593 return 1; 1594 } 1595 1596 /* 1597 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't 1598 * supported, doesn't appear in supported signature algorithms, isn't supported 1599 * by the enabled protocol versions or by the security level. 1600 * 1601 * This function should only be used for checking which ciphers are supported 1602 * by the client. 1603 * 1604 * Call ssl_cipher_disabled() to check that it's enabled or not. 1605 */ 1606 int ssl_set_client_disabled(SSL *s) 1607 { 1608 s->s3.tmp.mask_a = 0; 1609 s->s3.tmp.mask_k = 0; 1610 ssl_set_sig_mask(&s->s3.tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); 1611 if (ssl_get_min_max_version(s, &s->s3.tmp.min_ver, 1612 &s->s3.tmp.max_ver, NULL) != 0) 1613 return 0; 1614 #ifndef OPENSSL_NO_PSK 1615 /* with PSK there must be client callback set */ 1616 if (!s->psk_client_callback) { 1617 s->s3.tmp.mask_a |= SSL_aPSK; 1618 s->s3.tmp.mask_k |= SSL_PSK; 1619 } 1620 #endif /* OPENSSL_NO_PSK */ 1621 #ifndef OPENSSL_NO_SRP 1622 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) { 1623 s->s3.tmp.mask_a |= SSL_aSRP; 1624 s->s3.tmp.mask_k |= SSL_kSRP; 1625 } 1626 #endif 1627 return 1; 1628 } 1629 1630 /* 1631 * ssl_cipher_disabled - check that a cipher is disabled or not 1632 * @s: SSL connection that you want to use the cipher on 1633 * @c: cipher to check 1634 * @op: Security check that you want to do 1635 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3 1636 * 1637 * Returns 1 when it's disabled, 0 when enabled. 1638 */ 1639 int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe) 1640 { 1641 if (c->algorithm_mkey & s->s3.tmp.mask_k 1642 || c->algorithm_auth & s->s3.tmp.mask_a) 1643 return 1; 1644 if (s->s3.tmp.max_ver == 0) 1645 return 1; 1646 if (!SSL_IS_DTLS(s)) { 1647 int min_tls = c->min_tls; 1648 1649 /* 1650 * For historical reasons we will allow ECHDE to be selected by a server 1651 * in SSLv3 if we are a client 1652 */ 1653 if (min_tls == TLS1_VERSION && ecdhe 1654 && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0) 1655 min_tls = SSL3_VERSION; 1656 1657 if ((min_tls > s->s3.tmp.max_ver) || (c->max_tls < s->s3.tmp.min_ver)) 1658 return 1; 1659 } 1660 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3.tmp.max_ver) 1661 || DTLS_VERSION_LT(c->max_dtls, s->s3.tmp.min_ver))) 1662 return 1; 1663 1664 return !ssl_security(s, op, c->strength_bits, 0, (void *)c); 1665 } 1666 1667 int tls_use_ticket(SSL *s) 1668 { 1669 if ((s->options & SSL_OP_NO_TICKET)) 1670 return 0; 1671 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); 1672 } 1673 1674 int tls1_set_server_sigalgs(SSL *s) 1675 { 1676 size_t i; 1677 1678 /* Clear any shared signature algorithms */ 1679 OPENSSL_free(s->shared_sigalgs); 1680 s->shared_sigalgs = NULL; 1681 s->shared_sigalgslen = 0; 1682 /* Clear certificate validity flags */ 1683 for (i = 0; i < SSL_PKEY_NUM; i++) 1684 s->s3.tmp.valid_flags[i] = 0; 1685 /* 1686 * If peer sent no signature algorithms check to see if we support 1687 * the default algorithm for each certificate type 1688 */ 1689 if (s->s3.tmp.peer_cert_sigalgs == NULL 1690 && s->s3.tmp.peer_sigalgs == NULL) { 1691 const uint16_t *sent_sigs; 1692 size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1693 1694 for (i = 0; i < SSL_PKEY_NUM; i++) { 1695 const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i); 1696 size_t j; 1697 1698 if (lu == NULL) 1699 continue; 1700 /* Check default matches a type we sent */ 1701 for (j = 0; j < sent_sigslen; j++) { 1702 if (lu->sigalg == sent_sigs[j]) { 1703 s->s3.tmp.valid_flags[i] = CERT_PKEY_SIGN; 1704 break; 1705 } 1706 } 1707 } 1708 return 1; 1709 } 1710 1711 if (!tls1_process_sigalgs(s)) { 1712 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1713 return 0; 1714 } 1715 if (s->shared_sigalgs != NULL) 1716 return 1; 1717 1718 /* Fatal error if no shared signature algorithms */ 1719 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1720 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); 1721 return 0; 1722 } 1723 1724 /*- 1725 * Gets the ticket information supplied by the client if any. 1726 * 1727 * hello: The parsed ClientHello data 1728 * ret: (output) on return, if a ticket was decrypted, then this is set to 1729 * point to the resulting session. 1730 */ 1731 SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello, 1732 SSL_SESSION **ret) 1733 { 1734 size_t size; 1735 RAW_EXTENSION *ticketext; 1736 1737 *ret = NULL; 1738 s->ext.ticket_expected = 0; 1739 1740 /* 1741 * If tickets disabled or not supported by the protocol version 1742 * (e.g. TLSv1.3) behave as if no ticket present to permit stateful 1743 * resumption. 1744 */ 1745 if (s->version <= SSL3_VERSION || !tls_use_ticket(s)) 1746 return SSL_TICKET_NONE; 1747 1748 ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket]; 1749 if (!ticketext->present) 1750 return SSL_TICKET_NONE; 1751 1752 size = PACKET_remaining(&ticketext->data); 1753 1754 return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size, 1755 hello->session_id, hello->session_id_len, ret); 1756 } 1757 1758 /*- 1759 * tls_decrypt_ticket attempts to decrypt a session ticket. 1760 * 1761 * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are 1762 * expecting a pre-shared key ciphersuite, in which case we have no use for 1763 * session tickets and one will never be decrypted, nor will 1764 * s->ext.ticket_expected be set to 1. 1765 * 1766 * Side effects: 1767 * Sets s->ext.ticket_expected to 1 if the server will have to issue 1768 * a new session ticket to the client because the client indicated support 1769 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 1770 * a session ticket or we couldn't use the one it gave us, or if 1771 * s->ctx->ext.ticket_key_cb asked to renew the client's ticket. 1772 * Otherwise, s->ext.ticket_expected is set to 0. 1773 * 1774 * etick: points to the body of the session ticket extension. 1775 * eticklen: the length of the session tickets extension. 1776 * sess_id: points at the session ID. 1777 * sesslen: the length of the session ID. 1778 * psess: (output) on return, if a ticket was decrypted, then this is set to 1779 * point to the resulting session. 1780 */ 1781 SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, 1782 size_t eticklen, const unsigned char *sess_id, 1783 size_t sesslen, SSL_SESSION **psess) 1784 { 1785 SSL_SESSION *sess = NULL; 1786 unsigned char *sdec; 1787 const unsigned char *p; 1788 int slen, ivlen, renew_ticket = 0, declen; 1789 SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER; 1790 size_t mlen; 1791 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 1792 SSL_HMAC *hctx = NULL; 1793 EVP_CIPHER_CTX *ctx = NULL; 1794 SSL_CTX *tctx = s->session_ctx; 1795 1796 if (eticklen == 0) { 1797 /* 1798 * The client will accept a ticket but doesn't currently have 1799 * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3 1800 */ 1801 ret = SSL_TICKET_EMPTY; 1802 goto end; 1803 } 1804 if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) { 1805 /* 1806 * Indicate that the ticket couldn't be decrypted rather than 1807 * generating the session from ticket now, trigger 1808 * abbreviated handshake based on external mechanism to 1809 * calculate the master secret later. 1810 */ 1811 ret = SSL_TICKET_NO_DECRYPT; 1812 goto end; 1813 } 1814 1815 /* Need at least keyname + iv */ 1816 if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) { 1817 ret = SSL_TICKET_NO_DECRYPT; 1818 goto end; 1819 } 1820 1821 /* Initialize session ticket encryption and HMAC contexts */ 1822 hctx = ssl_hmac_new(tctx); 1823 if (hctx == NULL) { 1824 ret = SSL_TICKET_FATAL_ERR_MALLOC; 1825 goto end; 1826 } 1827 ctx = EVP_CIPHER_CTX_new(); 1828 if (ctx == NULL) { 1829 ret = SSL_TICKET_FATAL_ERR_MALLOC; 1830 goto end; 1831 } 1832 #ifndef OPENSSL_NO_DEPRECATED_3_0 1833 if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL) 1834 #else 1835 if (tctx->ext.ticket_key_evp_cb != NULL) 1836 #endif 1837 { 1838 unsigned char *nctick = (unsigned char *)etick; 1839 int rv = 0; 1840 1841 if (tctx->ext.ticket_key_evp_cb != NULL) 1842 rv = tctx->ext.ticket_key_evp_cb(s, nctick, 1843 nctick + TLSEXT_KEYNAME_LENGTH, 1844 ctx, 1845 ssl_hmac_get0_EVP_MAC_CTX(hctx), 1846 0); 1847 #ifndef OPENSSL_NO_DEPRECATED_3_0 1848 else if (tctx->ext.ticket_key_cb != NULL) 1849 /* if 0 is returned, write an empty ticket */ 1850 rv = tctx->ext.ticket_key_cb(s, nctick, 1851 nctick + TLSEXT_KEYNAME_LENGTH, 1852 ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0); 1853 #endif 1854 if (rv < 0) { 1855 ret = SSL_TICKET_FATAL_ERR_OTHER; 1856 goto end; 1857 } 1858 if (rv == 0) { 1859 ret = SSL_TICKET_NO_DECRYPT; 1860 goto end; 1861 } 1862 if (rv == 2) 1863 renew_ticket = 1; 1864 } else { 1865 EVP_CIPHER *aes256cbc = NULL; 1866 1867 /* Check key name matches */ 1868 if (memcmp(etick, tctx->ext.tick_key_name, 1869 TLSEXT_KEYNAME_LENGTH) != 0) { 1870 ret = SSL_TICKET_NO_DECRYPT; 1871 goto end; 1872 } 1873 1874 aes256cbc = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC", 1875 s->ctx->propq); 1876 if (aes256cbc == NULL 1877 || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, 1878 sizeof(tctx->ext.secure->tick_hmac_key), 1879 "SHA256") <= 0 1880 || EVP_DecryptInit_ex(ctx, aes256cbc, NULL, 1881 tctx->ext.secure->tick_aes_key, 1882 etick + TLSEXT_KEYNAME_LENGTH) <= 0) { 1883 EVP_CIPHER_free(aes256cbc); 1884 ret = SSL_TICKET_FATAL_ERR_OTHER; 1885 goto end; 1886 } 1887 EVP_CIPHER_free(aes256cbc); 1888 if (SSL_IS_TLS13(s)) 1889 renew_ticket = 1; 1890 } 1891 /* 1892 * Attempt to process session ticket, first conduct sanity and integrity 1893 * checks on ticket. 1894 */ 1895 mlen = ssl_hmac_size(hctx); 1896 if (mlen == 0) { 1897 ret = SSL_TICKET_FATAL_ERR_OTHER; 1898 goto end; 1899 } 1900 1901 ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); 1902 if (ivlen < 0) { 1903 ret = SSL_TICKET_FATAL_ERR_OTHER; 1904 goto end; 1905 } 1906 1907 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 1908 if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) { 1909 ret = SSL_TICKET_NO_DECRYPT; 1910 goto end; 1911 } 1912 eticklen -= mlen; 1913 /* Check HMAC of encrypted ticket */ 1914 if (ssl_hmac_update(hctx, etick, eticklen) <= 0 1915 || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) { 1916 ret = SSL_TICKET_FATAL_ERR_OTHER; 1917 goto end; 1918 } 1919 1920 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 1921 ret = SSL_TICKET_NO_DECRYPT; 1922 goto end; 1923 } 1924 /* Attempt to decrypt session data */ 1925 /* Move p after IV to start of encrypted ticket, update length */ 1926 p = etick + TLSEXT_KEYNAME_LENGTH + ivlen; 1927 eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen; 1928 sdec = OPENSSL_malloc(eticklen); 1929 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, 1930 (int)eticklen) <= 0) { 1931 OPENSSL_free(sdec); 1932 ret = SSL_TICKET_FATAL_ERR_OTHER; 1933 goto end; 1934 } 1935 if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) { 1936 OPENSSL_free(sdec); 1937 ret = SSL_TICKET_NO_DECRYPT; 1938 goto end; 1939 } 1940 slen += declen; 1941 p = sdec; 1942 1943 sess = d2i_SSL_SESSION(NULL, &p, slen); 1944 slen -= p - sdec; 1945 OPENSSL_free(sdec); 1946 if (sess) { 1947 /* Some additional consistency checks */ 1948 if (slen != 0) { 1949 SSL_SESSION_free(sess); 1950 sess = NULL; 1951 ret = SSL_TICKET_NO_DECRYPT; 1952 goto end; 1953 } 1954 /* 1955 * The session ID, if non-empty, is used by some clients to detect 1956 * that the ticket has been accepted. So we copy it to the session 1957 * structure. If it is empty set length to zero as required by 1958 * standard. 1959 */ 1960 if (sesslen) { 1961 memcpy(sess->session_id, sess_id, sesslen); 1962 sess->session_id_length = sesslen; 1963 } 1964 if (renew_ticket) 1965 ret = SSL_TICKET_SUCCESS_RENEW; 1966 else 1967 ret = SSL_TICKET_SUCCESS; 1968 goto end; 1969 } 1970 ERR_clear_error(); 1971 /* 1972 * For session parse failure, indicate that we need to send a new ticket. 1973 */ 1974 ret = SSL_TICKET_NO_DECRYPT; 1975 1976 end: 1977 EVP_CIPHER_CTX_free(ctx); 1978 ssl_hmac_free(hctx); 1979 1980 /* 1981 * If set, the decrypt_ticket_cb() is called unless a fatal error was 1982 * detected above. The callback is responsible for checking |ret| before it 1983 * performs any action 1984 */ 1985 if (s->session_ctx->decrypt_ticket_cb != NULL 1986 && (ret == SSL_TICKET_EMPTY 1987 || ret == SSL_TICKET_NO_DECRYPT 1988 || ret == SSL_TICKET_SUCCESS 1989 || ret == SSL_TICKET_SUCCESS_RENEW)) { 1990 size_t keyname_len = eticklen; 1991 int retcb; 1992 1993 if (keyname_len > TLSEXT_KEYNAME_LENGTH) 1994 keyname_len = TLSEXT_KEYNAME_LENGTH; 1995 retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len, 1996 ret, 1997 s->session_ctx->ticket_cb_data); 1998 switch (retcb) { 1999 case SSL_TICKET_RETURN_ABORT: 2000 ret = SSL_TICKET_FATAL_ERR_OTHER; 2001 break; 2002 2003 case SSL_TICKET_RETURN_IGNORE: 2004 ret = SSL_TICKET_NONE; 2005 SSL_SESSION_free(sess); 2006 sess = NULL; 2007 break; 2008 2009 case SSL_TICKET_RETURN_IGNORE_RENEW: 2010 if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT) 2011 ret = SSL_TICKET_NO_DECRYPT; 2012 /* else the value of |ret| will already do the right thing */ 2013 SSL_SESSION_free(sess); 2014 sess = NULL; 2015 break; 2016 2017 case SSL_TICKET_RETURN_USE: 2018 case SSL_TICKET_RETURN_USE_RENEW: 2019 if (ret != SSL_TICKET_SUCCESS 2020 && ret != SSL_TICKET_SUCCESS_RENEW) 2021 ret = SSL_TICKET_FATAL_ERR_OTHER; 2022 else if (retcb == SSL_TICKET_RETURN_USE) 2023 ret = SSL_TICKET_SUCCESS; 2024 else 2025 ret = SSL_TICKET_SUCCESS_RENEW; 2026 break; 2027 2028 default: 2029 ret = SSL_TICKET_FATAL_ERR_OTHER; 2030 } 2031 } 2032 2033 if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) { 2034 switch (ret) { 2035 case SSL_TICKET_NO_DECRYPT: 2036 case SSL_TICKET_SUCCESS_RENEW: 2037 case SSL_TICKET_EMPTY: 2038 s->ext.ticket_expected = 1; 2039 } 2040 } 2041 2042 *psess = sess; 2043 2044 return ret; 2045 } 2046 2047 /* Check to see if a signature algorithm is allowed */ 2048 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) 2049 { 2050 unsigned char sigalgstr[2]; 2051 int secbits; 2052 2053 if (lu == NULL || !lu->enabled) 2054 return 0; 2055 /* DSA is not allowed in TLS 1.3 */ 2056 if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) 2057 return 0; 2058 /* 2059 * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3 2060 * spec 2061 */ 2062 if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION 2063 && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX 2064 || lu->hash_idx == SSL_MD_MD5_IDX 2065 || lu->hash_idx == SSL_MD_SHA224_IDX)) 2066 return 0; 2067 2068 /* See if public key algorithm allowed */ 2069 if (ssl_cert_is_disabled(s->ctx, lu->sig_idx)) 2070 return 0; 2071 2072 if (lu->sig == NID_id_GostR3410_2012_256 2073 || lu->sig == NID_id_GostR3410_2012_512 2074 || lu->sig == NID_id_GostR3410_2001) { 2075 /* We never allow GOST sig algs on the server with TLSv1.3 */ 2076 if (s->server && SSL_IS_TLS13(s)) 2077 return 0; 2078 if (!s->server 2079 && s->method->version == TLS_ANY_VERSION 2080 && s->s3.tmp.max_ver >= TLS1_3_VERSION) { 2081 int i, num; 2082 STACK_OF(SSL_CIPHER) *sk; 2083 2084 /* 2085 * We're a client that could negotiate TLSv1.3. We only allow GOST 2086 * sig algs if we could negotiate TLSv1.2 or below and we have GOST 2087 * ciphersuites enabled. 2088 */ 2089 2090 if (s->s3.tmp.min_ver >= TLS1_3_VERSION) 2091 return 0; 2092 2093 sk = SSL_get_ciphers(s); 2094 num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0; 2095 for (i = 0; i < num; i++) { 2096 const SSL_CIPHER *c; 2097 2098 c = sk_SSL_CIPHER_value(sk, i); 2099 /* Skip disabled ciphers */ 2100 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 2101 continue; 2102 2103 if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0) 2104 break; 2105 } 2106 if (i == num) 2107 return 0; 2108 } 2109 } 2110 2111 /* Finally see if security callback allows it */ 2112 secbits = sigalg_security_bits(s->ctx, lu); 2113 sigalgstr[0] = (lu->sigalg >> 8) & 0xff; 2114 sigalgstr[1] = lu->sigalg & 0xff; 2115 return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr); 2116 } 2117 2118 /* 2119 * Get a mask of disabled public key algorithms based on supported signature 2120 * algorithms. For example if no signature algorithm supports RSA then RSA is 2121 * disabled. 2122 */ 2123 2124 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) 2125 { 2126 const uint16_t *sigalgs; 2127 size_t i, sigalgslen; 2128 uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA; 2129 /* 2130 * Go through all signature algorithms seeing if we support any 2131 * in disabled_mask. 2132 */ 2133 sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs); 2134 for (i = 0; i < sigalgslen; i++, sigalgs++) { 2135 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *sigalgs); 2136 const SSL_CERT_LOOKUP *clu; 2137 2138 if (lu == NULL) 2139 continue; 2140 2141 clu = ssl_cert_lookup_by_idx(lu->sig_idx); 2142 if (clu == NULL) 2143 continue; 2144 2145 /* If algorithm is disabled see if we can enable it */ 2146 if ((clu->amask & disabled_mask) != 0 2147 && tls12_sigalg_allowed(s, op, lu)) 2148 disabled_mask &= ~clu->amask; 2149 } 2150 *pmask_a |= disabled_mask; 2151 } 2152 2153 int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, 2154 const uint16_t *psig, size_t psiglen) 2155 { 2156 size_t i; 2157 int rv = 0; 2158 2159 for (i = 0; i < psiglen; i++, psig++) { 2160 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *psig); 2161 2162 if (lu == NULL 2163 || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 2164 continue; 2165 if (!WPACKET_put_bytes_u16(pkt, *psig)) 2166 return 0; 2167 /* 2168 * If TLS 1.3 must have at least one valid TLS 1.3 message 2169 * signing algorithm: i.e. neither RSA nor SHA1/SHA224 2170 */ 2171 if (rv == 0 && (!SSL_IS_TLS13(s) 2172 || (lu->sig != EVP_PKEY_RSA 2173 && lu->hash != NID_sha1 2174 && lu->hash != NID_sha224))) 2175 rv = 1; 2176 } 2177 if (rv == 0) 2178 ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 2179 return rv; 2180 } 2181 2182 /* Given preference and allowed sigalgs set shared sigalgs */ 2183 static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig, 2184 const uint16_t *pref, size_t preflen, 2185 const uint16_t *allow, size_t allowlen) 2186 { 2187 const uint16_t *ptmp, *atmp; 2188 size_t i, j, nmatch = 0; 2189 for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { 2190 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *ptmp); 2191 2192 /* Skip disabled hashes or signature algorithms */ 2193 if (lu == NULL 2194 || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) 2195 continue; 2196 for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { 2197 if (*ptmp == *atmp) { 2198 nmatch++; 2199 if (shsig) 2200 *shsig++ = lu; 2201 break; 2202 } 2203 } 2204 } 2205 return nmatch; 2206 } 2207 2208 /* Set shared signature algorithms for SSL structures */ 2209 static int tls1_set_shared_sigalgs(SSL *s) 2210 { 2211 const uint16_t *pref, *allow, *conf; 2212 size_t preflen, allowlen, conflen; 2213 size_t nmatch; 2214 const SIGALG_LOOKUP **salgs = NULL; 2215 CERT *c = s->cert; 2216 unsigned int is_suiteb = tls1_suiteb(s); 2217 2218 OPENSSL_free(s->shared_sigalgs); 2219 s->shared_sigalgs = NULL; 2220 s->shared_sigalgslen = 0; 2221 /* If client use client signature algorithms if not NULL */ 2222 if (!s->server && c->client_sigalgs && !is_suiteb) { 2223 conf = c->client_sigalgs; 2224 conflen = c->client_sigalgslen; 2225 } else if (c->conf_sigalgs && !is_suiteb) { 2226 conf = c->conf_sigalgs; 2227 conflen = c->conf_sigalgslen; 2228 } else 2229 conflen = tls12_get_psigalgs(s, 0, &conf); 2230 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { 2231 pref = conf; 2232 preflen = conflen; 2233 allow = s->s3.tmp.peer_sigalgs; 2234 allowlen = s->s3.tmp.peer_sigalgslen; 2235 } else { 2236 allow = conf; 2237 allowlen = conflen; 2238 pref = s->s3.tmp.peer_sigalgs; 2239 preflen = s->s3.tmp.peer_sigalgslen; 2240 } 2241 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); 2242 if (nmatch) { 2243 if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) { 2244 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2245 return 0; 2246 } 2247 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); 2248 } else { 2249 salgs = NULL; 2250 } 2251 s->shared_sigalgs = salgs; 2252 s->shared_sigalgslen = nmatch; 2253 return 1; 2254 } 2255 2256 int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) 2257 { 2258 unsigned int stmp; 2259 size_t size, i; 2260 uint16_t *buf; 2261 2262 size = PACKET_remaining(pkt); 2263 2264 /* Invalid data length */ 2265 if (size == 0 || (size & 1) != 0) 2266 return 0; 2267 2268 size >>= 1; 2269 2270 if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) { 2271 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2272 return 0; 2273 } 2274 for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) 2275 buf[i] = stmp; 2276 2277 if (i != size) { 2278 OPENSSL_free(buf); 2279 return 0; 2280 } 2281 2282 OPENSSL_free(*pdest); 2283 *pdest = buf; 2284 *pdestlen = size; 2285 2286 return 1; 2287 } 2288 2289 int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert) 2290 { 2291 /* Extension ignored for inappropriate versions */ 2292 if (!SSL_USE_SIGALGS(s)) 2293 return 1; 2294 /* Should never happen */ 2295 if (s->cert == NULL) 2296 return 0; 2297 2298 if (cert) 2299 return tls1_save_u16(pkt, &s->s3.tmp.peer_cert_sigalgs, 2300 &s->s3.tmp.peer_cert_sigalgslen); 2301 else 2302 return tls1_save_u16(pkt, &s->s3.tmp.peer_sigalgs, 2303 &s->s3.tmp.peer_sigalgslen); 2304 2305 } 2306 2307 /* Set preferred digest for each key type */ 2308 2309 int tls1_process_sigalgs(SSL *s) 2310 { 2311 size_t i; 2312 uint32_t *pvalid = s->s3.tmp.valid_flags; 2313 2314 if (!tls1_set_shared_sigalgs(s)) 2315 return 0; 2316 2317 for (i = 0; i < SSL_PKEY_NUM; i++) 2318 pvalid[i] = 0; 2319 2320 for (i = 0; i < s->shared_sigalgslen; i++) { 2321 const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i]; 2322 int idx = sigptr->sig_idx; 2323 2324 /* Ignore PKCS1 based sig algs in TLSv1.3 */ 2325 if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) 2326 continue; 2327 /* If not disabled indicate we can explicitly sign */ 2328 if (pvalid[idx] == 0 && !ssl_cert_is_disabled(s->ctx, idx)) 2329 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 2330 } 2331 return 1; 2332 } 2333 2334 int SSL_get_sigalgs(SSL *s, int idx, 2335 int *psign, int *phash, int *psignhash, 2336 unsigned char *rsig, unsigned char *rhash) 2337 { 2338 uint16_t *psig = s->s3.tmp.peer_sigalgs; 2339 size_t numsigalgs = s->s3.tmp.peer_sigalgslen; 2340 if (psig == NULL || numsigalgs > INT_MAX) 2341 return 0; 2342 if (idx >= 0) { 2343 const SIGALG_LOOKUP *lu; 2344 2345 if (idx >= (int)numsigalgs) 2346 return 0; 2347 psig += idx; 2348 if (rhash != NULL) 2349 *rhash = (unsigned char)((*psig >> 8) & 0xff); 2350 if (rsig != NULL) 2351 *rsig = (unsigned char)(*psig & 0xff); 2352 lu = tls1_lookup_sigalg(s, *psig); 2353 if (psign != NULL) 2354 *psign = lu != NULL ? lu->sig : NID_undef; 2355 if (phash != NULL) 2356 *phash = lu != NULL ? lu->hash : NID_undef; 2357 if (psignhash != NULL) 2358 *psignhash = lu != NULL ? lu->sigandhash : NID_undef; 2359 } 2360 return (int)numsigalgs; 2361 } 2362 2363 int SSL_get_shared_sigalgs(SSL *s, int idx, 2364 int *psign, int *phash, int *psignhash, 2365 unsigned char *rsig, unsigned char *rhash) 2366 { 2367 const SIGALG_LOOKUP *shsigalgs; 2368 if (s->shared_sigalgs == NULL 2369 || idx < 0 2370 || idx >= (int)s->shared_sigalgslen 2371 || s->shared_sigalgslen > INT_MAX) 2372 return 0; 2373 shsigalgs = s->shared_sigalgs[idx]; 2374 if (phash != NULL) 2375 *phash = shsigalgs->hash; 2376 if (psign != NULL) 2377 *psign = shsigalgs->sig; 2378 if (psignhash != NULL) 2379 *psignhash = shsigalgs->sigandhash; 2380 if (rsig != NULL) 2381 *rsig = (unsigned char)(shsigalgs->sigalg & 0xff); 2382 if (rhash != NULL) 2383 *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff); 2384 return (int)s->shared_sigalgslen; 2385 } 2386 2387 /* Maximum possible number of unique entries in sigalgs array */ 2388 #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2) 2389 2390 typedef struct { 2391 size_t sigalgcnt; 2392 /* TLSEXT_SIGALG_XXX values */ 2393 uint16_t sigalgs[TLS_MAX_SIGALGCNT]; 2394 } sig_cb_st; 2395 2396 static void get_sigorhash(int *psig, int *phash, const char *str) 2397 { 2398 if (strcmp(str, "RSA") == 0) { 2399 *psig = EVP_PKEY_RSA; 2400 } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) { 2401 *psig = EVP_PKEY_RSA_PSS; 2402 } else if (strcmp(str, "DSA") == 0) { 2403 *psig = EVP_PKEY_DSA; 2404 } else if (strcmp(str, "ECDSA") == 0) { 2405 *psig = EVP_PKEY_EC; 2406 } else { 2407 *phash = OBJ_sn2nid(str); 2408 if (*phash == NID_undef) 2409 *phash = OBJ_ln2nid(str); 2410 } 2411 } 2412 /* Maximum length of a signature algorithm string component */ 2413 #define TLS_MAX_SIGSTRING_LEN 40 2414 2415 static int sig_cb(const char *elem, int len, void *arg) 2416 { 2417 sig_cb_st *sarg = arg; 2418 size_t i; 2419 const SIGALG_LOOKUP *s; 2420 char etmp[TLS_MAX_SIGSTRING_LEN], *p; 2421 int sig_alg = NID_undef, hash_alg = NID_undef; 2422 if (elem == NULL) 2423 return 0; 2424 if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) 2425 return 0; 2426 if (len > (int)(sizeof(etmp) - 1)) 2427 return 0; 2428 memcpy(etmp, elem, len); 2429 etmp[len] = 0; 2430 p = strchr(etmp, '+'); 2431 /* 2432 * We only allow SignatureSchemes listed in the sigalg_lookup_tbl; 2433 * if there's no '+' in the provided name, look for the new-style combined 2434 * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP. 2435 * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and 2436 * rsa_pss_rsae_* that differ only by public key OID; in such cases 2437 * we will pick the _rsae_ variant, by virtue of them appearing earlier 2438 * in the table. 2439 */ 2440 if (p == NULL) { 2441 for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2442 i++, s++) { 2443 if (s->name != NULL && strcmp(etmp, s->name) == 0) { 2444 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2445 break; 2446 } 2447 } 2448 if (i == OSSL_NELEM(sigalg_lookup_tbl)) 2449 return 0; 2450 } else { 2451 *p = 0; 2452 p++; 2453 if (*p == 0) 2454 return 0; 2455 get_sigorhash(&sig_alg, &hash_alg, etmp); 2456 get_sigorhash(&sig_alg, &hash_alg, p); 2457 if (sig_alg == NID_undef || hash_alg == NID_undef) 2458 return 0; 2459 for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2460 i++, s++) { 2461 if (s->hash == hash_alg && s->sig == sig_alg) { 2462 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2463 break; 2464 } 2465 } 2466 if (i == OSSL_NELEM(sigalg_lookup_tbl)) 2467 return 0; 2468 } 2469 2470 /* Reject duplicates */ 2471 for (i = 0; i < sarg->sigalgcnt - 1; i++) { 2472 if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { 2473 sarg->sigalgcnt--; 2474 return 0; 2475 } 2476 } 2477 return 1; 2478 } 2479 2480 /* 2481 * Set supported signature algorithms based on a colon separated list of the 2482 * form sig+hash e.g. RSA+SHA512:DSA+SHA512 2483 */ 2484 int tls1_set_sigalgs_list(CERT *c, const char *str, int client) 2485 { 2486 sig_cb_st sig; 2487 sig.sigalgcnt = 0; 2488 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) 2489 return 0; 2490 if (c == NULL) 2491 return 1; 2492 return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); 2493 } 2494 2495 int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, 2496 int client) 2497 { 2498 uint16_t *sigalgs; 2499 2500 if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) { 2501 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2502 return 0; 2503 } 2504 memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs)); 2505 2506 if (client) { 2507 OPENSSL_free(c->client_sigalgs); 2508 c->client_sigalgs = sigalgs; 2509 c->client_sigalgslen = salglen; 2510 } else { 2511 OPENSSL_free(c->conf_sigalgs); 2512 c->conf_sigalgs = sigalgs; 2513 c->conf_sigalgslen = salglen; 2514 } 2515 2516 return 1; 2517 } 2518 2519 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) 2520 { 2521 uint16_t *sigalgs, *sptr; 2522 size_t i; 2523 2524 if (salglen & 1) 2525 return 0; 2526 if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) { 2527 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2528 return 0; 2529 } 2530 for (i = 0, sptr = sigalgs; i < salglen; i += 2) { 2531 size_t j; 2532 const SIGALG_LOOKUP *curr; 2533 int md_id = *psig_nids++; 2534 int sig_id = *psig_nids++; 2535 2536 for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl); 2537 j++, curr++) { 2538 if (curr->hash == md_id && curr->sig == sig_id) { 2539 *sptr++ = curr->sigalg; 2540 break; 2541 } 2542 } 2543 2544 if (j == OSSL_NELEM(sigalg_lookup_tbl)) 2545 goto err; 2546 } 2547 2548 if (client) { 2549 OPENSSL_free(c->client_sigalgs); 2550 c->client_sigalgs = sigalgs; 2551 c->client_sigalgslen = salglen / 2; 2552 } else { 2553 OPENSSL_free(c->conf_sigalgs); 2554 c->conf_sigalgs = sigalgs; 2555 c->conf_sigalgslen = salglen / 2; 2556 } 2557 2558 return 1; 2559 2560 err: 2561 OPENSSL_free(sigalgs); 2562 return 0; 2563 } 2564 2565 static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) 2566 { 2567 int sig_nid, use_pc_sigalgs = 0; 2568 size_t i; 2569 const SIGALG_LOOKUP *sigalg; 2570 size_t sigalgslen; 2571 if (default_nid == -1) 2572 return 1; 2573 sig_nid = X509_get_signature_nid(x); 2574 if (default_nid) 2575 return sig_nid == default_nid ? 1 : 0; 2576 2577 if (SSL_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) { 2578 /* 2579 * If we're in TLSv1.3 then we only get here if we're checking the 2580 * chain. If the peer has specified peer_cert_sigalgs then we use them 2581 * otherwise we default to normal sigalgs. 2582 */ 2583 sigalgslen = s->s3.tmp.peer_cert_sigalgslen; 2584 use_pc_sigalgs = 1; 2585 } else { 2586 sigalgslen = s->shared_sigalgslen; 2587 } 2588 for (i = 0; i < sigalgslen; i++) { 2589 sigalg = use_pc_sigalgs 2590 ? tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]) 2591 : s->shared_sigalgs[i]; 2592 if (sigalg != NULL && sig_nid == sigalg->sigandhash) 2593 return 1; 2594 } 2595 return 0; 2596 } 2597 2598 /* Check to see if a certificate issuer name matches list of CA names */ 2599 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) 2600 { 2601 const X509_NAME *nm; 2602 int i; 2603 nm = X509_get_issuer_name(x); 2604 for (i = 0; i < sk_X509_NAME_num(names); i++) { 2605 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) 2606 return 1; 2607 } 2608 return 0; 2609 } 2610 2611 /* 2612 * Check certificate chain is consistent with TLS extensions and is usable by 2613 * server. This servers two purposes: it allows users to check chains before 2614 * passing them to the server and it allows the server to check chains before 2615 * attempting to use them. 2616 */ 2617 2618 /* Flags which need to be set for a certificate when strict mode not set */ 2619 2620 #define CERT_PKEY_VALID_FLAGS \ 2621 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) 2622 /* Strict mode flags */ 2623 #define CERT_PKEY_STRICT_FLAGS \ 2624 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ 2625 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) 2626 2627 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, 2628 int idx) 2629 { 2630 int i; 2631 int rv = 0; 2632 int check_flags = 0, strict_mode; 2633 CERT_PKEY *cpk = NULL; 2634 CERT *c = s->cert; 2635 uint32_t *pvalid; 2636 unsigned int suiteb_flags = tls1_suiteb(s); 2637 /* idx == -1 means checking server chains */ 2638 if (idx != -1) { 2639 /* idx == -2 means checking client certificate chains */ 2640 if (idx == -2) { 2641 cpk = c->key; 2642 idx = (int)(cpk - c->pkeys); 2643 } else 2644 cpk = c->pkeys + idx; 2645 pvalid = s->s3.tmp.valid_flags + idx; 2646 x = cpk->x509; 2647 pk = cpk->privatekey; 2648 chain = cpk->chain; 2649 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; 2650 /* If no cert or key, forget it */ 2651 if (!x || !pk) 2652 goto end; 2653 } else { 2654 size_t certidx; 2655 2656 if (!x || !pk) 2657 return 0; 2658 2659 if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL) 2660 return 0; 2661 idx = certidx; 2662 pvalid = s->s3.tmp.valid_flags + idx; 2663 2664 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) 2665 check_flags = CERT_PKEY_STRICT_FLAGS; 2666 else 2667 check_flags = CERT_PKEY_VALID_FLAGS; 2668 strict_mode = 1; 2669 } 2670 2671 if (suiteb_flags) { 2672 int ok; 2673 if (check_flags) 2674 check_flags |= CERT_PKEY_SUITEB; 2675 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); 2676 if (ok == X509_V_OK) 2677 rv |= CERT_PKEY_SUITEB; 2678 else if (!check_flags) 2679 goto end; 2680 } 2681 2682 /* 2683 * Check all signature algorithms are consistent with signature 2684 * algorithms extension if TLS 1.2 or later and strict mode. 2685 */ 2686 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) { 2687 int default_nid; 2688 int rsign = 0; 2689 if (s->s3.tmp.peer_cert_sigalgs != NULL 2690 || s->s3.tmp.peer_sigalgs != NULL) { 2691 default_nid = 0; 2692 /* If no sigalgs extension use defaults from RFC5246 */ 2693 } else { 2694 switch (idx) { 2695 case SSL_PKEY_RSA: 2696 rsign = EVP_PKEY_RSA; 2697 default_nid = NID_sha1WithRSAEncryption; 2698 break; 2699 2700 case SSL_PKEY_DSA_SIGN: 2701 rsign = EVP_PKEY_DSA; 2702 default_nid = NID_dsaWithSHA1; 2703 break; 2704 2705 case SSL_PKEY_ECC: 2706 rsign = EVP_PKEY_EC; 2707 default_nid = NID_ecdsa_with_SHA1; 2708 break; 2709 2710 case SSL_PKEY_GOST01: 2711 rsign = NID_id_GostR3410_2001; 2712 default_nid = NID_id_GostR3411_94_with_GostR3410_2001; 2713 break; 2714 2715 case SSL_PKEY_GOST12_256: 2716 rsign = NID_id_GostR3410_2012_256; 2717 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256; 2718 break; 2719 2720 case SSL_PKEY_GOST12_512: 2721 rsign = NID_id_GostR3410_2012_512; 2722 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512; 2723 break; 2724 2725 default: 2726 default_nid = -1; 2727 break; 2728 } 2729 } 2730 /* 2731 * If peer sent no signature algorithms extension and we have set 2732 * preferred signature algorithms check we support sha1. 2733 */ 2734 if (default_nid > 0 && c->conf_sigalgs) { 2735 size_t j; 2736 const uint16_t *p = c->conf_sigalgs; 2737 for (j = 0; j < c->conf_sigalgslen; j++, p++) { 2738 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *p); 2739 2740 if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign) 2741 break; 2742 } 2743 if (j == c->conf_sigalgslen) { 2744 if (check_flags) 2745 goto skip_sigs; 2746 else 2747 goto end; 2748 } 2749 } 2750 /* Check signature algorithm of each cert in chain */ 2751 if (SSL_IS_TLS13(s)) { 2752 /* 2753 * We only get here if the application has called SSL_check_chain(), 2754 * so check_flags is always set. 2755 */ 2756 if (find_sig_alg(s, x, pk) != NULL) 2757 rv |= CERT_PKEY_EE_SIGNATURE; 2758 } else if (!tls1_check_sig_alg(s, x, default_nid)) { 2759 if (!check_flags) 2760 goto end; 2761 } else 2762 rv |= CERT_PKEY_EE_SIGNATURE; 2763 rv |= CERT_PKEY_CA_SIGNATURE; 2764 for (i = 0; i < sk_X509_num(chain); i++) { 2765 if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) { 2766 if (check_flags) { 2767 rv &= ~CERT_PKEY_CA_SIGNATURE; 2768 break; 2769 } else 2770 goto end; 2771 } 2772 } 2773 } 2774 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ 2775 else if (check_flags) 2776 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; 2777 skip_sigs: 2778 /* Check cert parameters are consistent */ 2779 if (tls1_check_cert_param(s, x, 1)) 2780 rv |= CERT_PKEY_EE_PARAM; 2781 else if (!check_flags) 2782 goto end; 2783 if (!s->server) 2784 rv |= CERT_PKEY_CA_PARAM; 2785 /* In strict mode check rest of chain too */ 2786 else if (strict_mode) { 2787 rv |= CERT_PKEY_CA_PARAM; 2788 for (i = 0; i < sk_X509_num(chain); i++) { 2789 X509 *ca = sk_X509_value(chain, i); 2790 if (!tls1_check_cert_param(s, ca, 0)) { 2791 if (check_flags) { 2792 rv &= ~CERT_PKEY_CA_PARAM; 2793 break; 2794 } else 2795 goto end; 2796 } 2797 } 2798 } 2799 if (!s->server && strict_mode) { 2800 STACK_OF(X509_NAME) *ca_dn; 2801 int check_type = 0; 2802 2803 if (EVP_PKEY_is_a(pk, "RSA")) 2804 check_type = TLS_CT_RSA_SIGN; 2805 else if (EVP_PKEY_is_a(pk, "DSA")) 2806 check_type = TLS_CT_DSS_SIGN; 2807 else if (EVP_PKEY_is_a(pk, "EC")) 2808 check_type = TLS_CT_ECDSA_SIGN; 2809 2810 if (check_type) { 2811 const uint8_t *ctypes = s->s3.tmp.ctype; 2812 size_t j; 2813 2814 for (j = 0; j < s->s3.tmp.ctype_len; j++, ctypes++) { 2815 if (*ctypes == check_type) { 2816 rv |= CERT_PKEY_CERT_TYPE; 2817 break; 2818 } 2819 } 2820 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) 2821 goto end; 2822 } else { 2823 rv |= CERT_PKEY_CERT_TYPE; 2824 } 2825 2826 ca_dn = s->s3.tmp.peer_ca_names; 2827 2828 if (ca_dn == NULL 2829 || sk_X509_NAME_num(ca_dn) == 0 2830 || ssl_check_ca_name(ca_dn, x)) 2831 rv |= CERT_PKEY_ISSUER_NAME; 2832 else 2833 for (i = 0; i < sk_X509_num(chain); i++) { 2834 X509 *xtmp = sk_X509_value(chain, i); 2835 2836 if (ssl_check_ca_name(ca_dn, xtmp)) { 2837 rv |= CERT_PKEY_ISSUER_NAME; 2838 break; 2839 } 2840 } 2841 2842 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) 2843 goto end; 2844 } else 2845 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE; 2846 2847 if (!check_flags || (rv & check_flags) == check_flags) 2848 rv |= CERT_PKEY_VALID; 2849 2850 end: 2851 2852 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2853 rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN); 2854 else 2855 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; 2856 2857 /* 2858 * When checking a CERT_PKEY structure all flags are irrelevant if the 2859 * chain is invalid. 2860 */ 2861 if (!check_flags) { 2862 if (rv & CERT_PKEY_VALID) { 2863 *pvalid = rv; 2864 } else { 2865 /* Preserve sign and explicit sign flag, clear rest */ 2866 *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 2867 return 0; 2868 } 2869 } 2870 return rv; 2871 } 2872 2873 /* Set validity of certificates in an SSL structure */ 2874 void tls1_set_cert_validity(SSL *s) 2875 { 2876 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); 2877 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); 2878 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); 2879 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); 2880 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); 2881 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256); 2882 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512); 2883 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519); 2884 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448); 2885 } 2886 2887 /* User level utility function to check a chain is suitable */ 2888 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) 2889 { 2890 return tls1_check_chain(s, x, pk, chain, -1); 2891 } 2892 2893 EVP_PKEY *ssl_get_auto_dh(SSL *s) 2894 { 2895 EVP_PKEY *dhp = NULL; 2896 BIGNUM *p; 2897 int dh_secbits = 80, sec_level_bits; 2898 EVP_PKEY_CTX *pctx = NULL; 2899 OSSL_PARAM_BLD *tmpl = NULL; 2900 OSSL_PARAM *params = NULL; 2901 2902 if (s->cert->dh_tmp_auto != 2) { 2903 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { 2904 if (s->s3.tmp.new_cipher->strength_bits == 256) 2905 dh_secbits = 128; 2906 else 2907 dh_secbits = 80; 2908 } else { 2909 if (s->s3.tmp.cert == NULL) 2910 return NULL; 2911 dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey); 2912 } 2913 } 2914 2915 /* Do not pick a prime that is too weak for the current security level */ 2916 sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL); 2917 if (dh_secbits < sec_level_bits) 2918 dh_secbits = sec_level_bits; 2919 2920 if (dh_secbits >= 192) 2921 p = BN_get_rfc3526_prime_8192(NULL); 2922 else if (dh_secbits >= 152) 2923 p = BN_get_rfc3526_prime_4096(NULL); 2924 else if (dh_secbits >= 128) 2925 p = BN_get_rfc3526_prime_3072(NULL); 2926 else if (dh_secbits >= 112) 2927 p = BN_get_rfc3526_prime_2048(NULL); 2928 else 2929 p = BN_get_rfc2409_prime_1024(NULL); 2930 if (p == NULL) 2931 goto err; 2932 2933 pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); 2934 if (pctx == NULL 2935 || EVP_PKEY_fromdata_init(pctx) != 1) 2936 goto err; 2937 2938 tmpl = OSSL_PARAM_BLD_new(); 2939 if (tmpl == NULL 2940 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) 2941 || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2)) 2942 goto err; 2943 2944 params = OSSL_PARAM_BLD_to_param(tmpl); 2945 if (params == NULL 2946 || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1) 2947 goto err; 2948 2949 err: 2950 OSSL_PARAM_free(params); 2951 OSSL_PARAM_BLD_free(tmpl); 2952 EVP_PKEY_CTX_free(pctx); 2953 BN_free(p); 2954 return dhp; 2955 } 2956 2957 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) 2958 { 2959 int secbits = -1; 2960 EVP_PKEY *pkey = X509_get0_pubkey(x); 2961 if (pkey) { 2962 /* 2963 * If no parameters this will return -1 and fail using the default 2964 * security callback for any non-zero security level. This will 2965 * reject keys which omit parameters but this only affects DSA and 2966 * omission of parameters is never (?) done in practice. 2967 */ 2968 secbits = EVP_PKEY_get_security_bits(pkey); 2969 } 2970 if (s) 2971 return ssl_security(s, op, secbits, 0, x); 2972 else 2973 return ssl_ctx_security(ctx, op, secbits, 0, x); 2974 } 2975 2976 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) 2977 { 2978 /* Lookup signature algorithm digest */ 2979 int secbits, nid, pknid; 2980 /* Don't check signature if self signed */ 2981 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) 2982 return 1; 2983 if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL)) 2984 secbits = -1; 2985 /* If digest NID not defined use signature NID */ 2986 if (nid == NID_undef) 2987 nid = pknid; 2988 if (s) 2989 return ssl_security(s, op, secbits, nid, x); 2990 else 2991 return ssl_ctx_security(ctx, op, secbits, nid, x); 2992 } 2993 2994 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee) 2995 { 2996 if (vfy) 2997 vfy = SSL_SECOP_PEER; 2998 if (is_ee) { 2999 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy)) 3000 return SSL_R_EE_KEY_TOO_SMALL; 3001 } else { 3002 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy)) 3003 return SSL_R_CA_KEY_TOO_SMALL; 3004 } 3005 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) 3006 return SSL_R_CA_MD_TOO_WEAK; 3007 return 1; 3008 } 3009 3010 /* 3011 * Check security of a chain, if |sk| includes the end entity certificate then 3012 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending 3013 * one to the peer. Return values: 1 if ok otherwise error code to use 3014 */ 3015 3016 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) 3017 { 3018 int rv, start_idx, i; 3019 if (x == NULL) { 3020 x = sk_X509_value(sk, 0); 3021 if (x == NULL) 3022 return ERR_R_INTERNAL_ERROR; 3023 start_idx = 1; 3024 } else 3025 start_idx = 0; 3026 3027 rv = ssl_security_cert(s, NULL, x, vfy, 1); 3028 if (rv != 1) 3029 return rv; 3030 3031 for (i = start_idx; i < sk_X509_num(sk); i++) { 3032 x = sk_X509_value(sk, i); 3033 rv = ssl_security_cert(s, NULL, x, vfy, 0); 3034 if (rv != 1) 3035 return rv; 3036 } 3037 return 1; 3038 } 3039 3040 /* 3041 * For TLS 1.2 servers check if we have a certificate which can be used 3042 * with the signature algorithm "lu" and return index of certificate. 3043 */ 3044 3045 static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu) 3046 { 3047 int sig_idx = lu->sig_idx; 3048 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx); 3049 3050 /* If not recognised or not supported by cipher mask it is not suitable */ 3051 if (clu == NULL 3052 || (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0 3053 || (clu->nid == EVP_PKEY_RSA_PSS 3054 && (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0)) 3055 return -1; 3056 3057 return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1; 3058 } 3059 3060 /* 3061 * Checks the given cert against signature_algorithm_cert restrictions sent by 3062 * the peer (if any) as well as whether the hash from the sigalg is usable with 3063 * the key. 3064 * Returns true if the cert is usable and false otherwise. 3065 */ 3066 static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 3067 EVP_PKEY *pkey) 3068 { 3069 const SIGALG_LOOKUP *lu; 3070 int mdnid, pknid, supported; 3071 size_t i; 3072 const char *mdname = NULL; 3073 3074 /* 3075 * If the given EVP_PKEY cannot support signing with this digest, 3076 * the answer is simply 'no'. 3077 */ 3078 if (sig->hash != NID_undef) 3079 mdname = OBJ_nid2sn(sig->hash); 3080 supported = EVP_PKEY_digestsign_supports_digest(pkey, s->ctx->libctx, 3081 mdname, 3082 s->ctx->propq); 3083 if (supported <= 0) 3084 return 0; 3085 3086 /* 3087 * The TLS 1.3 signature_algorithms_cert extension places restrictions 3088 * on the sigalg with which the certificate was signed (by its issuer). 3089 */ 3090 if (s->s3.tmp.peer_cert_sigalgs != NULL) { 3091 if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL)) 3092 return 0; 3093 for (i = 0; i < s->s3.tmp.peer_cert_sigalgslen; i++) { 3094 lu = tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]); 3095 if (lu == NULL) 3096 continue; 3097 3098 /* 3099 * This does not differentiate between the 3100 * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not 3101 * have a chain here that lets us look at the key OID in the 3102 * signing certificate. 3103 */ 3104 if (mdnid == lu->hash && pknid == lu->sig) 3105 return 1; 3106 } 3107 return 0; 3108 } 3109 3110 /* 3111 * Without signat_algorithms_cert, any certificate for which we have 3112 * a viable public key is permitted. 3113 */ 3114 return 1; 3115 } 3116 3117 /* 3118 * Returns true if |s| has a usable certificate configured for use 3119 * with signature scheme |sig|. 3120 * "Usable" includes a check for presence as well as applying 3121 * the signature_algorithm_cert restrictions sent by the peer (if any). 3122 * Returns false if no usable certificate is found. 3123 */ 3124 static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) 3125 { 3126 /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */ 3127 if (idx == -1) 3128 idx = sig->sig_idx; 3129 if (!ssl_has_cert(s, idx)) 3130 return 0; 3131 3132 return check_cert_usable(s, sig, s->cert->pkeys[idx].x509, 3133 s->cert->pkeys[idx].privatekey); 3134 } 3135 3136 /* 3137 * Returns true if the supplied cert |x| and key |pkey| is usable with the 3138 * specified signature scheme |sig|, or false otherwise. 3139 */ 3140 static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 3141 EVP_PKEY *pkey) 3142 { 3143 size_t idx; 3144 3145 if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 3146 return 0; 3147 3148 /* Check the key is consistent with the sig alg */ 3149 if ((int)idx != sig->sig_idx) 3150 return 0; 3151 3152 return check_cert_usable(s, sig, x, pkey); 3153 } 3154 3155 /* 3156 * Find a signature scheme that works with the supplied certificate |x| and key 3157 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our 3158 * available certs/keys to find one that works. 3159 */ 3160 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey) 3161 { 3162 const SIGALG_LOOKUP *lu = NULL; 3163 size_t i; 3164 int curve = -1; 3165 EVP_PKEY *tmppkey; 3166 3167 /* Look for a shared sigalgs matching possible certificates */ 3168 for (i = 0; i < s->shared_sigalgslen; i++) { 3169 lu = s->shared_sigalgs[i]; 3170 3171 /* Skip SHA1, SHA224, DSA and RSA if not PSS */ 3172 if (lu->hash == NID_sha1 3173 || lu->hash == NID_sha224 3174 || lu->sig == EVP_PKEY_DSA 3175 || lu->sig == EVP_PKEY_RSA) 3176 continue; 3177 /* Check that we have a cert, and signature_algorithms_cert */ 3178 if (!tls1_lookup_md(s->ctx, lu, NULL)) 3179 continue; 3180 if ((pkey == NULL && !has_usable_cert(s, lu, -1)) 3181 || (pkey != NULL && !is_cert_usable(s, lu, x, pkey))) 3182 continue; 3183 3184 tmppkey = (pkey != NULL) ? pkey 3185 : s->cert->pkeys[lu->sig_idx].privatekey; 3186 3187 if (lu->sig == EVP_PKEY_EC) { 3188 if (curve == -1) 3189 curve = ssl_get_EC_curve_nid(tmppkey); 3190 if (lu->curve != NID_undef && curve != lu->curve) 3191 continue; 3192 } else if (lu->sig == EVP_PKEY_RSA_PSS) { 3193 /* validate that key is large enough for the signature algorithm */ 3194 if (!rsa_pss_check_min_key_size(s->ctx, tmppkey, lu)) 3195 continue; 3196 } 3197 break; 3198 } 3199 3200 if (i == s->shared_sigalgslen) 3201 return NULL; 3202 3203 return lu; 3204 } 3205 3206 /* 3207 * Choose an appropriate signature algorithm based on available certificates 3208 * Sets chosen certificate and signature algorithm. 3209 * 3210 * For servers if we fail to find a required certificate it is a fatal error, 3211 * an appropriate error code is set and a TLS alert is sent. 3212 * 3213 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not 3214 * a fatal error: we will either try another certificate or not present one 3215 * to the server. In this case no error is set. 3216 */ 3217 int tls_choose_sigalg(SSL *s, int fatalerrs) 3218 { 3219 const SIGALG_LOOKUP *lu = NULL; 3220 int sig_idx = -1; 3221 3222 s->s3.tmp.cert = NULL; 3223 s->s3.tmp.sigalg = NULL; 3224 3225 if (SSL_IS_TLS13(s)) { 3226 lu = find_sig_alg(s, NULL, NULL); 3227 if (lu == NULL) { 3228 if (!fatalerrs) 3229 return 1; 3230 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3231 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3232 return 0; 3233 } 3234 } else { 3235 /* If ciphersuite doesn't require a cert nothing to do */ 3236 if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT)) 3237 return 1; 3238 if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys)) 3239 return 1; 3240 3241 if (SSL_USE_SIGALGS(s)) { 3242 size_t i; 3243 if (s->s3.tmp.peer_sigalgs != NULL) { 3244 int curve = -1; 3245 3246 /* For Suite B need to match signature algorithm to curve */ 3247 if (tls1_suiteb(s)) 3248 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC] 3249 .privatekey); 3250 3251 /* 3252 * Find highest preference signature algorithm matching 3253 * cert type 3254 */ 3255 for (i = 0; i < s->shared_sigalgslen; i++) { 3256 lu = s->shared_sigalgs[i]; 3257 3258 if (s->server) { 3259 if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1) 3260 continue; 3261 } else { 3262 int cc_idx = s->cert->key - s->cert->pkeys; 3263 3264 sig_idx = lu->sig_idx; 3265 if (cc_idx != sig_idx) 3266 continue; 3267 } 3268 /* Check that we have a cert, and sig_algs_cert */ 3269 if (!has_usable_cert(s, lu, sig_idx)) 3270 continue; 3271 if (lu->sig == EVP_PKEY_RSA_PSS) { 3272 /* validate that key is large enough for the signature algorithm */ 3273 EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey; 3274 3275 if (!rsa_pss_check_min_key_size(s->ctx, pkey, lu)) 3276 continue; 3277 } 3278 if (curve == -1 || lu->curve == curve) 3279 break; 3280 } 3281 #ifndef OPENSSL_NO_GOST 3282 /* 3283 * Some Windows-based implementations do not send GOST algorithms indication 3284 * in supported_algorithms extension, so when we have GOST-based ciphersuite, 3285 * we have to assume GOST support. 3286 */ 3287 if (i == s->shared_sigalgslen && s->s3.tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) { 3288 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3289 if (!fatalerrs) 3290 return 1; 3291 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3292 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3293 return 0; 3294 } else { 3295 i = 0; 3296 sig_idx = lu->sig_idx; 3297 } 3298 } 3299 #endif 3300 if (i == s->shared_sigalgslen) { 3301 if (!fatalerrs) 3302 return 1; 3303 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3304 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3305 return 0; 3306 } 3307 } else { 3308 /* 3309 * If we have no sigalg use defaults 3310 */ 3311 const uint16_t *sent_sigs; 3312 size_t sent_sigslen; 3313 3314 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3315 if (!fatalerrs) 3316 return 1; 3317 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3318 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3319 return 0; 3320 } 3321 3322 /* Check signature matches a type we sent */ 3323 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 3324 for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 3325 if (lu->sigalg == *sent_sigs 3326 && has_usable_cert(s, lu, lu->sig_idx)) 3327 break; 3328 } 3329 if (i == sent_sigslen) { 3330 if (!fatalerrs) 3331 return 1; 3332 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3333 SSL_R_WRONG_SIGNATURE_TYPE); 3334 return 0; 3335 } 3336 } 3337 } else { 3338 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3339 if (!fatalerrs) 3340 return 1; 3341 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3342 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3343 return 0; 3344 } 3345 } 3346 } 3347 if (sig_idx == -1) 3348 sig_idx = lu->sig_idx; 3349 s->s3.tmp.cert = &s->cert->pkeys[sig_idx]; 3350 s->cert->key = s->s3.tmp.cert; 3351 s->s3.tmp.sigalg = lu; 3352 return 1; 3353 } 3354 3355 int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) 3356 { 3357 if (mode != TLSEXT_max_fragment_length_DISABLED 3358 && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 3359 ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 3360 return 0; 3361 } 3362 3363 ctx->ext.max_fragment_len_mode = mode; 3364 return 1; 3365 } 3366 3367 int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode) 3368 { 3369 if (mode != TLSEXT_max_fragment_length_DISABLED 3370 && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 3371 ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 3372 return 0; 3373 } 3374 3375 ssl->ext.max_fragment_len_mode = mode; 3376 return 1; 3377 } 3378 3379 uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session) 3380 { 3381 return session->ext.max_fragment_len_mode; 3382 } 3383 3384 /* 3385 * Helper functions for HMAC access with legacy support included. 3386 */ 3387 SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx) 3388 { 3389 SSL_HMAC *ret = OPENSSL_zalloc(sizeof(*ret)); 3390 EVP_MAC *mac = NULL; 3391 3392 if (ret == NULL) 3393 return NULL; 3394 #ifndef OPENSSL_NO_DEPRECATED_3_0 3395 if (ctx->ext.ticket_key_evp_cb == NULL 3396 && ctx->ext.ticket_key_cb != NULL) { 3397 if (!ssl_hmac_old_new(ret)) 3398 goto err; 3399 return ret; 3400 } 3401 #endif 3402 mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq); 3403 if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL) 3404 goto err; 3405 EVP_MAC_free(mac); 3406 return ret; 3407 err: 3408 EVP_MAC_CTX_free(ret->ctx); 3409 EVP_MAC_free(mac); 3410 OPENSSL_free(ret); 3411 return NULL; 3412 } 3413 3414 void ssl_hmac_free(SSL_HMAC *ctx) 3415 { 3416 if (ctx != NULL) { 3417 EVP_MAC_CTX_free(ctx->ctx); 3418 #ifndef OPENSSL_NO_DEPRECATED_3_0 3419 ssl_hmac_old_free(ctx); 3420 #endif 3421 OPENSSL_free(ctx); 3422 } 3423 } 3424 3425 EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx) 3426 { 3427 return ctx->ctx; 3428 } 3429 3430 int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md) 3431 { 3432 OSSL_PARAM params[2], *p = params; 3433 3434 if (ctx->ctx != NULL) { 3435 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0); 3436 *p = OSSL_PARAM_construct_end(); 3437 if (EVP_MAC_init(ctx->ctx, key, len, params)) 3438 return 1; 3439 } 3440 #ifndef OPENSSL_NO_DEPRECATED_3_0 3441 if (ctx->old_ctx != NULL) 3442 return ssl_hmac_old_init(ctx, key, len, md); 3443 #endif 3444 return 0; 3445 } 3446 3447 int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len) 3448 { 3449 if (ctx->ctx != NULL) 3450 return EVP_MAC_update(ctx->ctx, data, len); 3451 #ifndef OPENSSL_NO_DEPRECATED_3_0 3452 if (ctx->old_ctx != NULL) 3453 return ssl_hmac_old_update(ctx, data, len); 3454 #endif 3455 return 0; 3456 } 3457 3458 int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, 3459 size_t max_size) 3460 { 3461 if (ctx->ctx != NULL) 3462 return EVP_MAC_final(ctx->ctx, md, len, max_size); 3463 #ifndef OPENSSL_NO_DEPRECATED_3_0 3464 if (ctx->old_ctx != NULL) 3465 return ssl_hmac_old_final(ctx, md, len); 3466 #endif 3467 return 0; 3468 } 3469 3470 size_t ssl_hmac_size(const SSL_HMAC *ctx) 3471 { 3472 if (ctx->ctx != NULL) 3473 return EVP_MAC_CTX_get_mac_size(ctx->ctx); 3474 #ifndef OPENSSL_NO_DEPRECATED_3_0 3475 if (ctx->old_ctx != NULL) 3476 return ssl_hmac_old_size(ctx); 3477 #endif 3478 return 0; 3479 } 3480 3481 int ssl_get_EC_curve_nid(const EVP_PKEY *pkey) 3482 { 3483 char gname[OSSL_MAX_NAME_SIZE]; 3484 3485 if (EVP_PKEY_get_group_name(pkey, gname, sizeof(gname), NULL) > 0) 3486 return OBJ_txt2nid(gname); 3487 3488 return NID_undef; 3489 } 3490 3491 __owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey, 3492 const unsigned char *enckey, 3493 size_t enckeylen) 3494 { 3495 if (EVP_PKEY_is_a(pkey, "DH")) { 3496 int bits = EVP_PKEY_get_bits(pkey); 3497 3498 if (bits <= 0 || enckeylen != (size_t)bits / 8) 3499 /* the encoded key must be padded to the length of the p */ 3500 return 0; 3501 } else if (EVP_PKEY_is_a(pkey, "EC")) { 3502 if (enckeylen < 3 /* point format and at least 1 byte for x and y */ 3503 || enckey[0] != 0x04) 3504 return 0; 3505 } 3506 3507 return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen); 3508 } 3509