1 /* $OpenBSD: ssl_sigalgs.c,v 1.24 2021/05/16 08:24:21 jsing Exp $ */
2 /*
3  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4  *
5  * Permission to use, copy, modify, and/or distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
12  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
14  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
15  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 #include <string.h>
18 #include <stdlib.h>
19 
20 #include <openssl/evp.h>
21 #include <openssl/opensslconf.h>
22 
23 #include "bytestring.h"
24 #include "ssl_locl.h"
25 #include "ssl_sigalgs.h"
26 #include "tls13_internal.h"
27 
/*
 * Table of every signature algorithm this library knows about, one entry
 * per sigalg (SignatureScheme) value, terminated by a SIGALG_NONE sentinel.
 * ssl_sigalg_lookup() searches it by .value; ssl_sigalgs_build() counts it.
 *
 * Being listed here does not make an algorithm usable on the wire: the
 * per-version preference lists below (tls13_sigalgs, tls12_sigalgs) decide
 * what is advertised and accepted, and ssl_sigalg_pkey_ok() applies the
 * per-key constraints.  .md is the EVP_MD constructor for the hash, .flags
 * marks RSA-PSS entries and .curve_nid names the curve an ECDSA entry is
 * bound to; ECDSA entries without a .curve_nid can never pass a curve
 * check (see ssl_sigalg_pkey_ok()).
 */
const struct ssl_sigalg sigalgs[] = {
	{
		.value = SIGALG_RSA_PKCS1_SHA512,
		.md = EVP_sha512,
		.key_type = EVP_PKEY_RSA,
	},
	{
		.value = SIGALG_ECDSA_SECP521R1_SHA512,
		.md = EVP_sha512,
		.key_type = EVP_PKEY_EC,
		.curve_nid = NID_secp521r1,
	},
#ifndef OPENSSL_NO_GOST
	{
		.value = SIGALG_GOSTR12_512_STREEBOG_512,
		.md = EVP_streebog512,
		.key_type = EVP_PKEY_GOSTR12_512,
	},
#endif
	{
		.value = SIGALG_RSA_PKCS1_SHA384,
		.md = EVP_sha384,
		.key_type = EVP_PKEY_RSA,
	},
	{
		.value = SIGALG_ECDSA_SECP384R1_SHA384,
		.md = EVP_sha384,
		.key_type = EVP_PKEY_EC,
		.curve_nid = NID_secp384r1,
	},
	{
		.value = SIGALG_RSA_PKCS1_SHA256,
		.md = EVP_sha256,
		.key_type = EVP_PKEY_RSA,
	},
	{
		.value = SIGALG_ECDSA_SECP256R1_SHA256,
		.md = EVP_sha256,
		.key_type = EVP_PKEY_EC,
		.curve_nid = NID_X9_62_prime256v1,
	},
#ifndef OPENSSL_NO_GOST
	{
		.value = SIGALG_GOSTR12_256_STREEBOG_256,
		.md = EVP_streebog256,
		.key_type = EVP_PKEY_GOSTR12_256,
	},
	{
		.value = SIGALG_GOSTR01_GOST94,
		.md = EVP_gostr341194,
		.key_type = EVP_PKEY_GOSTR01,
	},
#endif
	/*
	 * RSA-PSS entries (RFC 8446 names): "rsae" is a key carried in an
	 * rsaEncryption SubjectPublicKeyInfo, "pss" one carried in an
	 * RSASSA-PSS SubjectPublicKeyInfo.  Both share EVP_PKEY_RSA here;
	 * the flag is what makes ssl_sigalg_pkey_ok() enforce the PSS
	 * minimum modulus size.
	 */
	{
		.value = SIGALG_RSA_PSS_RSAE_SHA256,
		.md = EVP_sha256,
		.key_type = EVP_PKEY_RSA,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PSS_RSAE_SHA384,
		.md = EVP_sha384,
		.key_type = EVP_PKEY_RSA,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PSS_RSAE_SHA512,
		.md = EVP_sha512,
		.key_type = EVP_PKEY_RSA,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PSS_PSS_SHA256,
		.md = EVP_sha256,
		.key_type = EVP_PKEY_RSA,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PSS_PSS_SHA384,
		.md = EVP_sha384,
		.key_type = EVP_PKEY_RSA,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PSS_PSS_SHA512,
		.md = EVP_sha512,
		.key_type = EVP_PKEY_RSA,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	/*
	 * Legacy entries.  None of these appear in tls13_sigalgs; the SHA-224
	 * values appear in neither preference list and the SHA-1 values only
	 * in tls12_sigalgs.  MD5+SHA1 is selected solely for pre-TLSv1.2
	 * connections by ssl_sigalg_select() and is refused outright by
	 * ssl_sigalgs_build().
	 */
	{
		.value = SIGALG_RSA_PKCS1_SHA224,
		.md = EVP_sha224,
		.key_type = EVP_PKEY_RSA,
	},
	{
		.value = SIGALG_ECDSA_SECP224R1_SHA224,
		.md = EVP_sha224,
		.key_type = EVP_PKEY_EC,
	},
	{
		.value = SIGALG_RSA_PKCS1_SHA1,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha1,
	},
	{
		.value = SIGALG_ECDSA_SHA1,
		.key_type = EVP_PKEY_EC,
		.md = EVP_sha1,
	},
	{
		.value = SIGALG_RSA_PKCS1_MD5_SHA1,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_md5_sha1,
	},
	/* Sentinel: terminates the walks in ssl_sigalg_lookup()/ssl_sigalgs_build(). */
	{
		.value = SIGALG_NONE,
	},
};
146 
/*
 * Sigalgs for TLSv1.3, in preference order.
 *
 * This order is what ssl_sigalgs_build() puts on the wire.  During
 * selection, ssl_sigalg_select() walks the peer's list in the peer's order
 * and uses this list only as an allow-list, so our ordering does not decide
 * which entry wins.  The rsa_pkcs1 values are listed because TLSv1.3 allows
 * them for certificate signatures; ssl_sigalg_select() refuses to use them
 * for handshake signatures.
 */
const uint16_t tls13_sigalgs[] = {
	SIGALG_RSA_PSS_RSAE_SHA512,
	SIGALG_RSA_PKCS1_SHA512,
	SIGALG_ECDSA_SECP521R1_SHA512,
	SIGALG_RSA_PSS_RSAE_SHA384,
	SIGALG_RSA_PKCS1_SHA384,
	SIGALG_ECDSA_SECP384R1_SHA384,
	SIGALG_RSA_PSS_RSAE_SHA256,
	SIGALG_RSA_PKCS1_SHA256,
	SIGALG_ECDSA_SECP256R1_SHA256,
};
/* Element count of tls13_sigalgs, for callers that receive only the pointer. */
const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
160 
/*
 * Sigalgs for TLSv1.2, in preference order.
 *
 * As with tls13_sigalgs, this is the advertised order and an allow-list for
 * selection; ssl_sigalg_select() follows the peer's order.  The SHA-1
 * entries (marked XXX) are the weakest values still accepted and are
 * absent from the TLSv1.3 list.  MD5+SHA1 is deliberately not here.
 */
const uint16_t tls12_sigalgs[] = {
	SIGALG_RSA_PSS_RSAE_SHA512,
	SIGALG_RSA_PKCS1_SHA512,
	SIGALG_ECDSA_SECP521R1_SHA512,
	SIGALG_RSA_PSS_RSAE_SHA384,
	SIGALG_RSA_PKCS1_SHA384,
	SIGALG_ECDSA_SECP384R1_SHA384,
	SIGALG_RSA_PSS_RSAE_SHA256,
	SIGALG_RSA_PKCS1_SHA256,
	SIGALG_ECDSA_SECP256R1_SHA256,
	SIGALG_RSA_PKCS1_SHA1, /* XXX */
	SIGALG_ECDSA_SHA1,     /* XXX */
};
/* Element count of tls12_sigalgs, for callers that receive only the pointer. */
const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
176 
/*
 * Find the sigalgs[] entry for a signature algorithm value.
 *
 * Walks the table up to its SIGALG_NONE sentinel and returns a pointer to
 * the matching entry, or NULL if the value is unknown.  SIGALG_NONE itself
 * is never matched, since it terminates the walk.
 */
const struct ssl_sigalg *
ssl_sigalg_lookup(uint16_t sigalg)
{
	const struct ssl_sigalg *entry;

	for (entry = sigalgs; entry->value != SIGALG_NONE; entry++) {
		if (entry->value == sigalg)
			return entry;
	}

	return NULL;
}
189 
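/*
 * Look up a signature algorithm, but only if it is one of the len values
 * in the caller's allow-list (tls12_sigalgs or tls13_sigalgs).
 *
 * Returns the sigalgs[] entry for sigalg when it appears in values,
 * otherwise NULL.  A value present in the list but missing from the table
 * also yields NULL, via ssl_sigalg_lookup().
 */
const struct ssl_sigalg *
ssl_sigalg(uint16_t sigalg, const uint16_t *values, size_t len)
{
	size_t i;

	/* Index with size_t: len is a size_t, so an int index compared unsigned. */
	for (i = 0; i < len; i++) {
		if (values[i] == sigalg)
			return ssl_sigalg_lookup(sigalg);
	}

	return NULL;
}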
202 
/*
 * Append a signature_algorithms list to cbb.
 *
 * Every one of the len values must be known to the sigalgs[] table, the
 * list may not be longer than the table, and the pre-TLSv1.2 MD5+SHA1
 * value is never written.  Returns 1 on success and 0 if any value is
 * rejected or CBB_add_u16() fails; on failure cbb may hold a partial list.
 * Duplicate values are not detected (XXX).
 */
int
ssl_sigalgs_build(CBB *cbb, const uint16_t *values, size_t len)
{
	size_t table_len = 0;
	size_t i;

	/* A list longer than the table cannot consist of distinct known values. */
	while (sigalgs[table_len].value != SIGALG_NONE)
		table_len++;
	if (len > table_len)
		return 0;

	/* XXX duplicates and other sanity checks are not performed. */

	for (i = 0; i < len; i++) {
		uint16_t value = values[i];

		/* The legacy pre-TLSv1.2 value must never be advertised. */
		if (value == SIGALG_RSA_PKCS1_MD5_SHA1)
			return 0;
		/* Only values we actually support go on the wire. */
		if (ssl_sigalg_lookup(value) == NULL)
			return 0;
		if (!CBB_add_u16(cbb, value))
			return 0;
	}

	return 1;
}
228 
/*
 * Check whether pkey may be used with sigalg.
 *
 * The key type must match the entry.  RSA-PSS entries additionally need a
 * modulus of at least 2 * hash length + 2 bytes (room for the salt, the
 * hash and the PSS trailer).  When check_curve is set, an EC key must be on
 * exactly the curve the entry names; entries with no curve_nid then fail.
 * Returns 1 if the key is acceptable, 0 otherwise (including NULL inputs).
 */
int
ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
    int check_curve)
{
	if (sigalg == NULL || pkey == NULL)
		return 0;
	if (pkey->type != sigalg->key_type)
		return 0;

	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) != 0) {
		int min_size;

		/* PSS is only defined for RSA keys. */
		if (pkey->type != EVP_PKEY_RSA)
			return 0;
		/* Modulus must hold salt + hash + 2 trailer bytes. */
		min_size = 2 * EVP_MD_size(sigalg->md()) + 2;
		if (EVP_PKEY_size(pkey) < min_size)
			return 0;
	}

	if (check_curve && pkey->type == EVP_PKEY_EC) {
		int key_curve;

		/* The entry must name a curve, and it must be the key's curve. */
		if (sigalg->curve_nid == 0)
			return 0;
		key_curve = EC_GROUP_get_curve_name(
		    EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey)));
		if (key_curve != sigalg->curve_nid)
			return 0;
	}

	return 1;
}
260 
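/*
 * Sigalg value used when no signature_algorithms negotiation applies:
 * rsa_value for RSA keys, ECDSA+SHA1 for EC keys and, when GOST is built
 * in, GOST R 34.10-2001 for GOST keys.  Returns SIGALG_NONE for any other
 * key type so the caller can report it.
 */
static uint16_t
ssl_sigalg_legacy_value(const EVP_PKEY *pkey, uint16_t rsa_value)
{
	switch (pkey->type) {
	case EVP_PKEY_RSA:
		return rsa_value;
	case EVP_PKEY_EC:
		return SIGALG_ECDSA_SHA1;
#ifndef OPENSSL_NO_GOST
	case EVP_PKEY_GOSTR01:
		return SIGALG_GOSTR01_GOST94;
#endif
	default:
		return SIGALG_NONE;
	}
}

/*
 * Choose the signature algorithm to sign with, for the key pkey on
 * connection s.
 *
 * Before TLSv1.2 (or when a TLSv1.2 peer sent no signature_algorithms,
 * which RFC 5246 permits) a fixed per-key-type default is returned.
 * Otherwise the peer's list is walked in the peer's order and the first
 * value wins that is (a) in our allow-list for the negotiated version
 * (tls12_sigalgs or tls13_sigalgs), (b) not plain PKCS#1 RSA under TLSv1.3,
 * where handshake signatures must use PSS, and (c) acceptable for the key
 * per ssl_sigalg_pkey_ok(), with the curve enforced only for TLSv1.3.
 *
 * Returns the chosen entry, or NULL with SSL_R_UNKNOWN_PKEY_TYPE queued
 * when nothing fits.  A malformed peer list (odd trailing byte) also
 * returns NULL, without queueing an error.
 */
const struct ssl_sigalg *
ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
{
	const uint16_t *tls_sigalgs = tls12_sigalgs;
	size_t tls_sigalgs_len = tls12_sigalgs_len;
	int check_curve = 0;
	int tls13 = 0;
	uint16_t value;
	CBS cbs;

	if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
		tls_sigalgs = tls13_sigalgs;
		tls_sigalgs_len = tls13_sigalgs_len;
		check_curve = 1;
		tls13 = 1;
	}

	/* Pre TLS 1.2 defaults: the only place MD5+SHA1 is ever selected. */
	if (!SSL_USE_SIGALGS(s)) {
		value = ssl_sigalg_legacy_value(pkey, SIGALG_RSA_PKCS1_MD5_SHA1);
		if (value == SIGALG_NONE) {
			SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
			return NULL;
		}
		return ssl_sigalg_lookup(value);
	}

	/*
	 * RFC 5246 allows a TLS 1.2 client to send no sigalgs, in
	 * which case the server must use the default.
	 */
	if (!tls13 && S3I(s)->hs.sigalgs == NULL) {
		value = ssl_sigalg_legacy_value(pkey, SIGALG_RSA_PKCS1_SHA1);
		if (value == SIGALG_NONE) {
			SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
			return NULL;
		}
		return ssl_sigalg_lookup(value);
	}

	/*
	 * If we get here, we have client or server sent sigalgs, use one.
	 * The peer's order decides; tls_sigalgs only filters.
	 */
	CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
	while (CBS_len(&cbs) > 0) {
		uint16_t sig_alg;
		const struct ssl_sigalg *sigalg;

		/* Odd trailing byte: malformed list, nothing usable. */
		if (!CBS_get_u16(&cbs, &sig_alg))
			return NULL;

		/* Unknown or disallowed-for-this-version values are skipped. */
		if ((sigalg = ssl_sigalg(sig_alg, tls_sigalgs,
		    tls_sigalgs_len)) == NULL)
			continue;

		/*
		 * RSA cannot be used without PSS in TLSv1.3: rsa_pkcs1
		 * values are in the list for certificate signatures only.
		 */
		if (tls13 && sigalg->key_type == EVP_PKEY_RSA &&
		    (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
			continue;

		if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve))
			return sigalg;
	}

	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
	return NULL;
}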
339