1/* 2 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11#include <stdlib.h> 12#include <openssl/objects.h> 13#include <openssl/evp.h> 14#include <openssl/hmac.h> 15#include <openssl/core_names.h> 16#include <openssl/ocsp.h> 17#include <openssl/conf.h> 18#include <openssl/x509v3.h> 19#include <openssl/dh.h> 20#include <openssl/bn.h> 21#include <openssl/provider.h> 22#include <openssl/param_build.h> 23#include "internal/nelem.h" 24#include "internal/sizes.h" 25#include "internal/tlsgroups.h" 26#include "ssl_local.h" 27#include <openssl/ct.h> 28 29static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey); 30static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu); 31 32SSL3_ENC_METHOD const TLSv1_enc_data = { 33 tls1_enc, 34 tls1_mac, 35 tls1_setup_key_block, 36 tls1_generate_master_secret, 37 tls1_change_cipher_state, 38 tls1_final_finish_mac, 39 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 40 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 41 tls1_alert_code, 42 tls1_export_keying_material, 43 0, 44 ssl3_set_handshake_header, 45 tls_close_construct_packet, 46 ssl3_handshake_write 47}; 48 49SSL3_ENC_METHOD const TLSv1_1_enc_data = { 50 tls1_enc, 51 tls1_mac, 52 tls1_setup_key_block, 53 tls1_generate_master_secret, 54 tls1_change_cipher_state, 55 tls1_final_finish_mac, 56 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 57 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 58 tls1_alert_code, 59 tls1_export_keying_material, 60 SSL_ENC_FLAG_EXPLICIT_IV, 61 ssl3_set_handshake_header, 62 tls_close_construct_packet, 63 ssl3_handshake_write 64}; 65 66SSL3_ENC_METHOD const TLSv1_2_enc_data = { 67 tls1_enc, 68 tls1_mac, 69 tls1_setup_key_block, 70 tls1_generate_master_secret, 71 tls1_change_cipher_state, 72 tls1_final_finish_mac, 73 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 74 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 75 tls1_alert_code, 76 tls1_export_keying_material, 77 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF 78 | SSL_ENC_FLAG_TLS1_2_CIPHERS, 79 ssl3_set_handshake_header, 80 tls_close_construct_packet, 81 ssl3_handshake_write 82}; 83 84SSL3_ENC_METHOD const TLSv1_3_enc_data = { 85 tls13_enc, 86 tls1_mac, 87 tls13_setup_key_block, 88 tls13_generate_master_secret, 89 tls13_change_cipher_state, 90 tls13_final_finish_mac, 91 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 92 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 93 tls13_alert_code, 94 tls13_export_keying_material, 95 SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF, 96 ssl3_set_handshake_header, 97 tls_close_construct_packet, 98 ssl3_handshake_write 99}; 100 101long tls1_default_timeout(void) 102{ 103 /* 104 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 105 * http, the cache would over fill 106 */ 107 return (60 * 60 * 2); 108} 109 110int tls1_new(SSL *s) 111{ 112 if (!ssl3_new(s)) 113 return 0; 114 if (!s->method->ssl_clear(s)) 115 return 0; 116 117 return 1; 118} 119 120void tls1_free(SSL *s) 121{ 122 OPENSSL_free(s->ext.session_ticket); 123 ssl3_free(s); 124} 125 126int tls1_clear(SSL *s) 127{ 128 if (!ssl3_clear(s)) 129 return 0; 130 131 if (s->method->version == TLS_ANY_VERSION) 132 s->version = TLS_MAX_VERSION_INTERNAL; 133 else 134 s->version = s->method->version; 135 136 return 1; 137} 138 139/* Legacy NID to group_id mapping. Only works for groups we know about */ 140static struct { 141 int nid; 142 uint16_t group_id; 143} nid_to_group[] = { 144 {NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1}, 145 {NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1}, 146 {NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2}, 147 {NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1}, 148 {NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2}, 149 {NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1}, 150 {NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1}, 151 {NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1}, 152 {NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1}, 153 {NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1}, 154 {NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1}, 155 {NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1}, 156 {NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1}, 157 {NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1}, 158 {NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1}, 159 {NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1}, 160 {NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2}, 161 {NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1}, 162 {NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1}, 163 {NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1}, 164 {NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1}, 165 {NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1}, 166 {NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1}, 167 {NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1}, 168 {NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1}, 169 {NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1}, 170 {NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1}, 171 {NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1}, 172 {EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519}, 173 {EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448}, 174 {NID_id_tc26_gost_3410_2012_256_paramSetA, 0x0022}, 175 {NID_id_tc26_gost_3410_2012_256_paramSetB, 0x0023}, 176 {NID_id_tc26_gost_3410_2012_256_paramSetC, 0x0024}, 177 {NID_id_tc26_gost_3410_2012_256_paramSetD, 0x0025}, 178 {NID_id_tc26_gost_3410_2012_512_paramSetA, 0x0026}, 179 {NID_id_tc26_gost_3410_2012_512_paramSetB, 0x0027}, 180 {NID_id_tc26_gost_3410_2012_512_paramSetC, 0x0028}, 181 {NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048}, 182 {NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072}, 183 {NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096}, 184 {NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144}, 185 {NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192} 186}; 187 188static const unsigned char ecformats_default[] = { 189 TLSEXT_ECPOINTFORMAT_uncompressed, 190 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 191 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 192}; 193 194/* The default curves */ 195static const uint16_t supported_groups_default[] = { 196 29, /* X25519 (29) */ 197 23, /* secp256r1 (23) */ 198 30, /* X448 (30) */ 199 25, /* secp521r1 (25) */ 200 24, /* secp384r1 (24) */ 201 34, /* GC256A (34) */ 202 35, /* GC256B (35) */ 203 36, /* GC256C (36) */ 204 37, /* GC256D (37) */ 205 38, /* GC512A (38) */ 206 39, /* GC512B (39) */ 207 40, /* GC512C (40) */ 208 0x100, /* ffdhe2048 (0x100) */ 209 0x101, /* ffdhe3072 (0x101) */ 210 0x102, /* ffdhe4096 (0x102) */ 211 0x103, /* ffdhe6144 (0x103) */ 212 0x104, /* ffdhe8192 (0x104) */ 213}; 214 215static const uint16_t suiteb_curves[] = { 216 TLSEXT_curve_P_256, 217 TLSEXT_curve_P_384 218}; 219 220struct provider_group_data_st { 221 SSL_CTX *ctx; 222 OSSL_PROVIDER *provider; 223}; 224 225#define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10 226static OSSL_CALLBACK add_provider_groups; 227static int add_provider_groups(const OSSL_PARAM params[], void *data) 228{ 229 struct provider_group_data_st *pgd = data; 230 SSL_CTX *ctx = pgd->ctx; 231 OSSL_PROVIDER *provider = pgd->provider; 232 const OSSL_PARAM *p; 233 TLS_GROUP_INFO *ginf = NULL; 234 EVP_KEYMGMT *keymgmt; 235 unsigned int gid; 236 unsigned int is_kem = 0; 237 int ret = 0; 238 239 if (ctx->group_list_max_len == ctx->group_list_len) { 240 TLS_GROUP_INFO *tmp = NULL; 241 242 if (ctx->group_list_max_len == 0) 243 tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO) 244 * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); 245 else 246 tmp = OPENSSL_realloc(ctx->group_list, 247 (ctx->group_list_max_len 248 + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE) 249 * sizeof(TLS_GROUP_INFO)); 250 if (tmp == NULL) { 251 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 252 return 0; 253 } 254 ctx->group_list = tmp; 255 memset(tmp + ctx->group_list_max_len, 256 0, 257 sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); 258 ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE; 259 } 260 261 ginf = &ctx->group_list[ctx->group_list_len]; 262 263 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME); 264 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 265 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 266 goto err; 267 } 268 ginf->tlsname = OPENSSL_strdup(p->data); 269 if (ginf->tlsname == NULL) { 270 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 271 goto err; 272 } 273 274 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL); 275 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 276 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 277 goto err; 278 } 279 ginf->realname = OPENSSL_strdup(p->data); 280 if (ginf->realname == NULL) { 281 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 282 goto err; 283 } 284 285 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID); 286 if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) { 287 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 288 goto err; 289 } 290 ginf->group_id = (uint16_t)gid; 291 292 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG); 293 if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { 294 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 295 goto err; 296 } 297 ginf->algorithm = OPENSSL_strdup(p->data); 298 if (ginf->algorithm == NULL) { 299 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 300 goto err; 301 } 302 303 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS); 304 if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) { 305 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 306 goto err; 307 } 308 309 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM); 310 if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) { 311 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 312 goto err; 313 } 314 ginf->is_kem = 1 & is_kem; 315 316 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS); 317 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) { 318 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 319 goto err; 320 } 321 322 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS); 323 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) { 324 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 325 goto err; 326 } 327 328 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS); 329 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) { 330 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 331 goto err; 332 } 333 334 p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS); 335 if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) { 336 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 337 goto err; 338 } 339 /* 340 * Now check that the algorithm is actually usable for our property query 341 * string. Regardless of the result we still return success because we have 342 * successfully processed this group, even though we may decide not to use 343 * it. 344 */ 345 ret = 1; 346 ERR_set_mark(); 347 keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq); 348 if (keymgmt != NULL) { 349 /* 350 * We have successfully fetched the algorithm - however if the provider 351 * doesn't match this one then we ignore it. 352 * 353 * Note: We're cheating a little here. Technically if the same algorithm 354 * is available from more than one provider then it is undefined which 355 * implementation you will get back. Theoretically this could be 356 * different every time...we assume here that you'll always get the 357 * same one back if you repeat the exact same fetch. Is this a reasonable 358 * assumption to make (in which case perhaps we should document this 359 * behaviour)? 360 */ 361 if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { 362 /* We have a match - so we will use this group */ 363 ctx->group_list_len++; 364 ginf = NULL; 365 } 366 EVP_KEYMGMT_free(keymgmt); 367 } 368 ERR_pop_to_mark(); 369 err: 370 if (ginf != NULL) { 371 OPENSSL_free(ginf->tlsname); 372 OPENSSL_free(ginf->realname); 373 OPENSSL_free(ginf->algorithm); 374 ginf->algorithm = ginf->tlsname = ginf->realname = NULL; 375 } 376 return ret; 377} 378 379static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx) 380{ 381 struct provider_group_data_st pgd; 382 383 pgd.ctx = vctx; 384 pgd.provider = provider; 385 return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP", 386 add_provider_groups, &pgd); 387} 388 389int ssl_load_groups(SSL_CTX *ctx) 390{ 391 size_t i, j, num_deflt_grps = 0; 392 uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)]; 393 394 if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx)) 395 return 0; 396 397 for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) { 398 for (j = 0; j < ctx->group_list_len; j++) { 399 if (ctx->group_list[j].group_id == supported_groups_default[i]) { 400 tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id; 401 break; 402 } 403 } 404 } 405 406 if (num_deflt_grps == 0) 407 return 1; 408 409 ctx->ext.supported_groups_default 410 = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps); 411 412 if (ctx->ext.supported_groups_default == NULL) { 413 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 414 return 0; 415 } 416 417 memcpy(ctx->ext.supported_groups_default, 418 tmp_supp_groups, 419 num_deflt_grps * sizeof(tmp_supp_groups[0])); 420 ctx->ext.supported_groups_default_len = num_deflt_grps; 421 422 return 1; 423} 424 425static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name) 426{ 427 size_t i; 428 429 for (i = 0; i < ctx->group_list_len; i++) { 430 if (strcmp(ctx->group_list[i].tlsname, name) == 0 431 || strcmp(ctx->group_list[i].realname, name) == 0) 432 return ctx->group_list[i].group_id; 433 } 434 435 return 0; 436} 437 438const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id) 439{ 440 size_t i; 441 442 for (i = 0; i < ctx->group_list_len; i++) { 443 if (ctx->group_list[i].group_id == group_id) 444 return &ctx->group_list[i]; 445 } 446 447 return NULL; 448} 449 450int tls1_group_id2nid(uint16_t group_id, int include_unknown) 451{ 452 size_t i; 453 454 if (group_id == 0) 455 return NID_undef; 456 457 /* 458 * Return well known Group NIDs - for backwards compatibility. This won't 459 * work for groups we don't know about. 460 */ 461 for (i = 0; i < OSSL_NELEM(nid_to_group); i++) 462 { 463 if (nid_to_group[i].group_id == group_id) 464 return nid_to_group[i].nid; 465 } 466 if (!include_unknown) 467 return NID_undef; 468 return TLSEXT_nid_unknown | (int)group_id; 469} 470 471uint16_t tls1_nid2group_id(int nid) 472{ 473 size_t i; 474 475 /* 476 * Return well known Group ids - for backwards compatibility. This won't 477 * work for groups we don't know about. 478 */ 479 for (i = 0; i < OSSL_NELEM(nid_to_group); i++) 480 { 481 if (nid_to_group[i].nid == nid) 482 return nid_to_group[i].group_id; 483 } 484 485 return 0; 486} 487 488/* 489 * Set *pgroups to the supported groups list and *pgroupslen to 490 * the number of groups supported. 491 */ 492void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, 493 size_t *pgroupslen) 494{ 495 /* For Suite B mode only include P-256, P-384 */ 496 switch (tls1_suiteb(s)) { 497 case SSL_CERT_FLAG_SUITEB_128_LOS: 498 *pgroups = suiteb_curves; 499 *pgroupslen = OSSL_NELEM(suiteb_curves); 500 break; 501 502 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 503 *pgroups = suiteb_curves; 504 *pgroupslen = 1; 505 break; 506 507 case SSL_CERT_FLAG_SUITEB_192_LOS: 508 *pgroups = suiteb_curves + 1; 509 *pgroupslen = 1; 510 break; 511 512 default: 513 if (s->ext.supportedgroups == NULL) { 514 *pgroups = s->ctx->ext.supported_groups_default; 515 *pgroupslen = s->ctx->ext.supported_groups_default_len; 516 } else { 517 *pgroups = s->ext.supportedgroups; 518 *pgroupslen = s->ext.supportedgroups_len; 519 } 520 break; 521 } 522} 523 524int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion, 525 int isec, int *okfortls13) 526{ 527 const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group_id); 528 int ret; 529 530 if (okfortls13 != NULL) 531 *okfortls13 = 0; 532 533 if (ginfo == NULL) 534 return 0; 535 536 if (SSL_IS_DTLS(s)) { 537 if (ginfo->mindtls < 0 || ginfo->maxdtls < 0) 538 return 0; 539 if (ginfo->maxdtls == 0) 540 ret = 1; 541 else 542 ret = DTLS_VERSION_LE(minversion, ginfo->maxdtls); 543 if (ginfo->mindtls > 0) 544 ret &= DTLS_VERSION_GE(maxversion, ginfo->mindtls); 545 } else { 546 if (ginfo->mintls < 0 || ginfo->maxtls < 0) 547 return 0; 548 if (ginfo->maxtls == 0) 549 ret = 1; 550 else 551 ret = (minversion <= ginfo->maxtls); 552 if (ginfo->mintls > 0) 553 ret &= (maxversion >= ginfo->mintls); 554 if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION) 555 *okfortls13 = (ginfo->maxtls == 0) 556 || (ginfo->maxtls >= TLS1_3_VERSION); 557 } 558 ret &= !isec 559 || strcmp(ginfo->algorithm, "EC") == 0 560 || strcmp(ginfo->algorithm, "X25519") == 0 561 || strcmp(ginfo->algorithm, "X448") == 0; 562 563 return ret; 564} 565 566/* See if group is allowed by security callback */ 567int tls_group_allowed(SSL *s, uint16_t group, int op) 568{ 569 const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group); 570 unsigned char gtmp[2]; 571 572 if (ginfo == NULL) 573 return 0; 574 575 gtmp[0] = group >> 8; 576 gtmp[1] = group & 0xff; 577 return ssl_security(s, op, ginfo->secbits, 578 tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp); 579} 580 581/* Return 1 if "id" is in "list" */ 582static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen) 583{ 584 size_t i; 585 for (i = 0; i < listlen; i++) 586 if (list[i] == id) 587 return 1; 588 return 0; 589} 590 591/*- 592 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0 593 * if there is no match. 594 * For nmatch == -1, return number of matches 595 * For nmatch == -2, return the id of the group to use for 596 * a tmp key, or 0 if there is no match. 597 */ 598uint16_t tls1_shared_group(SSL *s, int nmatch) 599{ 600 const uint16_t *pref, *supp; 601 size_t num_pref, num_supp, i; 602 int k; 603 604 /* Can't do anything on client side */ 605 if (s->server == 0) 606 return 0; 607 if (nmatch == -2) { 608 if (tls1_suiteb(s)) { 609 /* 610 * For Suite B ciphersuite determines curve: we already know 611 * these are acceptable due to previous checks. 612 */ 613 unsigned long cid = s->s3.tmp.new_cipher->id; 614 615 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 616 return TLSEXT_curve_P_256; 617 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 618 return TLSEXT_curve_P_384; 619 /* Should never happen */ 620 return 0; 621 } 622 /* If not Suite B just return first preference shared curve */ 623 nmatch = 0; 624 } 625 /* 626 * If server preference set, our groups are the preference order 627 * otherwise peer decides. 628 */ 629 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 630 tls1_get_supported_groups(s, &pref, &num_pref); 631 tls1_get_peer_groups(s, &supp, &num_supp); 632 } else { 633 tls1_get_peer_groups(s, &pref, &num_pref); 634 tls1_get_supported_groups(s, &supp, &num_supp); 635 } 636 637 for (k = 0, i = 0; i < num_pref; i++) { 638 uint16_t id = pref[i]; 639 640 if (!tls1_in_list(id, supp, num_supp) 641 || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED)) 642 continue; 643 if (nmatch == k) 644 return id; 645 k++; 646 } 647 if (nmatch == -1) 648 return k; 649 /* Out of range (nmatch > k). */ 650 return 0; 651} 652 653int tls1_set_groups(uint16_t **pext, size_t *pextlen, 654 int *groups, size_t ngroups) 655{ 656 uint16_t *glist; 657 size_t i; 658 /* 659 * Bitmap of groups included to detect duplicates: two variables are added 660 * to detect duplicates as some values are more than 32. 661 */ 662 unsigned long *dup_list = NULL; 663 unsigned long dup_list_egrp = 0; 664 unsigned long dup_list_dhgrp = 0; 665 666 if (ngroups == 0) { 667 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); 668 return 0; 669 } 670 if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { 671 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 672 return 0; 673 } 674 for (i = 0; i < ngroups; i++) { 675 unsigned long idmask; 676 uint16_t id; 677 id = tls1_nid2group_id(groups[i]); 678 if ((id & 0x00FF) >= (sizeof(unsigned long) * 8)) 679 goto err; 680 idmask = 1L << (id & 0x00FF); 681 dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp; 682 if (!id || ((*dup_list) & idmask)) 683 goto err; 684 *dup_list |= idmask; 685 glist[i] = id; 686 } 687 OPENSSL_free(*pext); 688 *pext = glist; 689 *pextlen = ngroups; 690 return 1; 691err: 692 OPENSSL_free(glist); 693 return 0; 694} 695 696# define GROUPLIST_INCREMENT 40 697# define GROUP_NAME_BUFFER_LENGTH 64 698typedef struct { 699 SSL_CTX *ctx; 700 size_t gidcnt; 701 size_t gidmax; 702 uint16_t *gid_arr; 703} gid_cb_st; 704 705static int gid_cb(const char *elem, int len, void *arg) 706{ 707 gid_cb_st *garg = arg; 708 size_t i; 709 uint16_t gid = 0; 710 char etmp[GROUP_NAME_BUFFER_LENGTH]; 711 712 if (elem == NULL) 713 return 0; 714 if (garg->gidcnt == garg->gidmax) { 715 uint16_t *tmp = 716 OPENSSL_realloc(garg->gid_arr, 717 (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr)); 718 if (tmp == NULL) 719 return 0; 720 garg->gidmax += GROUPLIST_INCREMENT; 721 garg->gid_arr = tmp; 722 } 723 if (len > (int)(sizeof(etmp) - 1)) 724 return 0; 725 memcpy(etmp, elem, len); 726 etmp[len] = 0; 727 728 gid = tls1_group_name2id(garg->ctx, etmp); 729 if (gid == 0) { 730 ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, 731 "group '%s' cannot be set", etmp); 732 return 0; 733 } 734 for (i = 0; i < garg->gidcnt; i++) 735 if (garg->gid_arr[i] == gid) 736 return 0; 737 garg->gid_arr[garg->gidcnt++] = gid; 738 return 1; 739} 740 741/* Set groups based on a colon separated list */ 742int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, 743 const char *str) 744{ 745 gid_cb_st gcb; 746 uint16_t *tmparr; 747 int ret = 0; 748 749 gcb.gidcnt = 0; 750 gcb.gidmax = GROUPLIST_INCREMENT; 751 gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr)); 752 if (gcb.gid_arr == NULL) 753 return 0; 754 gcb.ctx = ctx; 755 if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) 756 goto end; 757 if (pext == NULL) { 758 ret = 1; 759 goto end; 760 } 761 762 /* 763 * gid_cb ensurse there are no duplicates so we can just go ahead and set 764 * the result 765 */ 766 tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); 767 if (tmparr == NULL) 768 goto end; 769 OPENSSL_free(*pext); 770 *pext = tmparr; 771 *pextlen = gcb.gidcnt; 772 ret = 1; 773 end: 774 OPENSSL_free(gcb.gid_arr); 775 return ret; 776} 777 778/* Check a group id matches preferences */ 779int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) 780 { 781 const uint16_t *groups; 782 size_t groups_len; 783 784 if (group_id == 0) 785 return 0; 786 787 /* Check for Suite B compliance */ 788 if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) { 789 unsigned long cid = s->s3.tmp.new_cipher->id; 790 791 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { 792 if (group_id != TLSEXT_curve_P_256) 793 return 0; 794 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { 795 if (group_id != TLSEXT_curve_P_384) 796 return 0; 797 } else { 798 /* Should never happen */ 799 return 0; 800 } 801 } 802 803 if (check_own_groups) { 804 /* Check group is one of our preferences */ 805 tls1_get_supported_groups(s, &groups, &groups_len); 806 if (!tls1_in_list(group_id, groups, groups_len)) 807 return 0; 808 } 809 810 if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) 811 return 0; 812 813 /* For clients, nothing more to check */ 814 if (!s->server) 815 return 1; 816 817 /* Check group is one of peers preferences */ 818 tls1_get_peer_groups(s, &groups, &groups_len); 819 820 /* 821 * RFC 4492 does not require the supported elliptic curves extension 822 * so if it is not sent we can just choose any curve. 823 * It is invalid to send an empty list in the supported groups 824 * extension, so groups_len == 0 always means no extension. 825 */ 826 if (groups_len == 0) 827 return 1; 828 return tls1_in_list(group_id, groups, groups_len); 829} 830 831void tls1_get_formatlist(SSL *s, const unsigned char **pformats, 832 size_t *num_formats) 833{ 834 /* 835 * If we have a custom point format list use it otherwise use default 836 */ 837 if (s->ext.ecpointformats) { 838 *pformats = s->ext.ecpointformats; 839 *num_formats = s->ext.ecpointformats_len; 840 } else { 841 *pformats = ecformats_default; 842 /* For Suite B we don't support char2 fields */ 843 if (tls1_suiteb(s)) 844 *num_formats = sizeof(ecformats_default) - 1; 845 else 846 *num_formats = sizeof(ecformats_default); 847 } 848} 849 850/* Check a key is compatible with compression extension */ 851static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) 852{ 853 unsigned char comp_id; 854 size_t i; 855 int point_conv; 856 857 /* If not an EC key nothing to check */ 858 if (!EVP_PKEY_is_a(pkey, "EC")) 859 return 1; 860 861 862 /* Get required compression id */ 863 point_conv = EVP_PKEY_get_ec_point_conv_form(pkey); 864 if (point_conv == 0) 865 return 0; 866 if (point_conv == POINT_CONVERSION_UNCOMPRESSED) { 867 comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 868 } else if (SSL_IS_TLS13(s)) { 869 /* 870 * ec_point_formats extension is not used in TLSv1.3 so we ignore 871 * this check. 872 */ 873 return 1; 874 } else { 875 int field_type = EVP_PKEY_get_field_type(pkey); 876 877 if (field_type == NID_X9_62_prime_field) 878 comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 879 else if (field_type == NID_X9_62_characteristic_two_field) 880 comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 881 else 882 return 0; 883 } 884 /* 885 * If point formats extension present check it, otherwise everything is 886 * supported (see RFC4492). 887 */ 888 if (s->ext.peer_ecpointformats == NULL) 889 return 1; 890 891 for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { 892 if (s->ext.peer_ecpointformats[i] == comp_id) 893 return 1; 894 } 895 return 0; 896} 897 898/* Return group id of a key */ 899static uint16_t tls1_get_group_id(EVP_PKEY *pkey) 900{ 901 int curve_nid = ssl_get_EC_curve_nid(pkey); 902 903 if (curve_nid == NID_undef) 904 return 0; 905 return tls1_nid2group_id(curve_nid); 906} 907 908/* 909 * Check cert parameters compatible with extensions: currently just checks EC 910 * certificates have compatible curves and compression. 911 */ 912static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md) 913{ 914 uint16_t group_id; 915 EVP_PKEY *pkey; 916 pkey = X509_get0_pubkey(x); 917 if (pkey == NULL) 918 return 0; 919 /* If not EC nothing to do */ 920 if (!EVP_PKEY_is_a(pkey, "EC")) 921 return 1; 922 /* Check compression */ 923 if (!tls1_check_pkey_comp(s, pkey)) 924 return 0; 925 group_id = tls1_get_group_id(pkey); 926 /* 927 * For a server we allow the certificate to not be in our list of supported 928 * groups. 929 */ 930 if (!tls1_check_group_id(s, group_id, !s->server)) 931 return 0; 932 /* 933 * Special case for suite B. We *MUST* sign using SHA256+P-256 or 934 * SHA384+P-384. 935 */ 936 if (check_ee_md && tls1_suiteb(s)) { 937 int check_md; 938 size_t i; 939 940 /* Check to see we have necessary signing algorithm */ 941 if (group_id == TLSEXT_curve_P_256) 942 check_md = NID_ecdsa_with_SHA256; 943 else if (group_id == TLSEXT_curve_P_384) 944 check_md = NID_ecdsa_with_SHA384; 945 else 946 return 0; /* Should never happen */ 947 for (i = 0; i < s->shared_sigalgslen; i++) { 948 if (check_md == s->shared_sigalgs[i]->sigandhash) 949 return 1;; 950 } 951 return 0; 952 } 953 return 1; 954} 955 956/* 957 * tls1_check_ec_tmp_key - Check EC temporary key compatibility 958 * @s: SSL connection 959 * @cid: Cipher ID we're considering using 960 * 961 * Checks that the kECDHE cipher suite we're considering using 962 * is compatible with the client extensions. 963 * 964 * Returns 0 when the cipher can't be used or 1 when it can. 965 */ 966int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) 967{ 968 /* If not Suite B just need a shared group */ 969 if (!tls1_suiteb(s)) 970 return tls1_shared_group(s, 0) != 0; 971 /* 972 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other 973 * curves permitted. 974 */ 975 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 976 return tls1_check_group_id(s, TLSEXT_curve_P_256, 1); 977 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 978 return tls1_check_group_id(s, TLSEXT_curve_P_384, 1); 979 980 return 0; 981} 982 983/* Default sigalg schemes */ 984static const uint16_t tls12_sigalgs[] = { 985 TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 986 TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 987 TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 988 TLSEXT_SIGALG_ed25519, 989 TLSEXT_SIGALG_ed448, 990 991 TLSEXT_SIGALG_rsa_pss_pss_sha256, 992 TLSEXT_SIGALG_rsa_pss_pss_sha384, 993 TLSEXT_SIGALG_rsa_pss_pss_sha512, 994 TLSEXT_SIGALG_rsa_pss_rsae_sha256, 995 TLSEXT_SIGALG_rsa_pss_rsae_sha384, 996 TLSEXT_SIGALG_rsa_pss_rsae_sha512, 997 998 TLSEXT_SIGALG_rsa_pkcs1_sha256, 999 TLSEXT_SIGALG_rsa_pkcs1_sha384, 1000 TLSEXT_SIGALG_rsa_pkcs1_sha512, 1001 1002 TLSEXT_SIGALG_ecdsa_sha224, 1003 TLSEXT_SIGALG_ecdsa_sha1, 1004 1005 TLSEXT_SIGALG_rsa_pkcs1_sha224, 1006 TLSEXT_SIGALG_rsa_pkcs1_sha1, 1007 1008 TLSEXT_SIGALG_dsa_sha224, 1009 TLSEXT_SIGALG_dsa_sha1, 1010 1011 TLSEXT_SIGALG_dsa_sha256, 1012 TLSEXT_SIGALG_dsa_sha384, 1013 TLSEXT_SIGALG_dsa_sha512, 1014 1015#ifndef OPENSSL_NO_GOST 1016 TLSEXT_SIGALG_gostr34102012_256_intrinsic, 1017 TLSEXT_SIGALG_gostr34102012_512_intrinsic, 1018 TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1019 TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1020 TLSEXT_SIGALG_gostr34102001_gostr3411, 1021#endif 1022}; 1023 1024 1025static const uint16_t suiteb_sigalgs[] = { 1026 TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1027 TLSEXT_SIGALG_ecdsa_secp384r1_sha384 1028}; 1029 1030static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { 1031 {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, 1032 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1033 NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1}, 1034 {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384, 1035 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1036 NID_ecdsa_with_SHA384, NID_secp384r1, 1}, 1037 {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512, 1038 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1039 NID_ecdsa_with_SHA512, NID_secp521r1, 1}, 1040 {"ed25519", TLSEXT_SIGALG_ed25519, 1041 NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519, 1042 NID_undef, NID_undef, 1}, 1043 {"ed448", TLSEXT_SIGALG_ed448, 1044 NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448, 1045 NID_undef, NID_undef, 1}, 1046 {NULL, TLSEXT_SIGALG_ecdsa_sha224, 1047 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1048 NID_ecdsa_with_SHA224, NID_undef, 1}, 1049 {NULL, TLSEXT_SIGALG_ecdsa_sha1, 1050 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, 1051 NID_ecdsa_with_SHA1, NID_undef, 1}, 1052 {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, 1053 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1054 NID_undef, NID_undef, 1}, 1055 {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384, 1056 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1057 NID_undef, NID_undef, 1}, 1058 {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512, 1059 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, 1060 NID_undef, NID_undef, 1}, 1061 {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256, 1062 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1063 NID_undef, NID_undef, 1}, 1064 {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384, 1065 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1066 NID_undef, NID_undef, 1}, 1067 {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512, 1068 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, 1069 NID_undef, NID_undef, 1}, 1070 {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256, 1071 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1072 NID_sha256WithRSAEncryption, NID_undef, 1}, 1073 {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384, 1074 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1075 NID_sha384WithRSAEncryption, NID_undef, 1}, 1076 {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512, 1077 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1078 NID_sha512WithRSAEncryption, NID_undef, 1}, 1079 {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224, 1080 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1081 NID_sha224WithRSAEncryption, NID_undef, 1}, 1082 {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, 1083 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, 1084 NID_sha1WithRSAEncryption, NID_undef, 1}, 1085 {NULL, TLSEXT_SIGALG_dsa_sha256, 1086 NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1087 NID_dsa_with_SHA256, NID_undef, 1}, 1088 {NULL, TLSEXT_SIGALG_dsa_sha384, 1089 NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1090 NID_undef, NID_undef, 1}, 1091 {NULL, TLSEXT_SIGALG_dsa_sha512, 1092 NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1093 NID_undef, NID_undef, 1}, 1094 {NULL, TLSEXT_SIGALG_dsa_sha224, 1095 NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1096 NID_undef, NID_undef, 1}, 1097 {NULL, TLSEXT_SIGALG_dsa_sha1, 1098 NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, 1099 NID_dsaWithSHA1, NID_undef, 1}, 1100#ifndef OPENSSL_NO_GOST 1101 {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic, 1102 NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 1103 NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 1104 NID_undef, NID_undef, 1}, 1105 {NULL, TLSEXT_SIGALG_gostr34102012_512_intrinsic, 1106 NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 1107 NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 1108 NID_undef, NID_undef, 1}, 1109 {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, 1110 NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, 1111 NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, 1112 NID_undef, NID_undef, 1}, 1113 {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, 1114 NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, 1115 NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, 1116 NID_undef, NID_undef, 1}, 1117 {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411, 1118 NID_id_GostR3411_94, SSL_MD_GOST94_IDX, 1119 NID_id_GostR3410_2001, SSL_PKEY_GOST01, 1120 NID_undef, NID_undef, 1} 1121#endif 1122}; 1123/* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */ 1124static const SIGALG_LOOKUP legacy_rsa_sigalg = { 1125 "rsa_pkcs1_md5_sha1", 0, 1126 NID_md5_sha1, SSL_MD_MD5_SHA1_IDX, 1127 EVP_PKEY_RSA, SSL_PKEY_RSA, 1128 NID_undef, NID_undef, 1 1129}; 1130 1131/* 1132 * Default signature algorithm values used if signature algorithms not present. 1133 * From RFC5246. Note: order must match certificate index order. 1134 */ 1135static const uint16_t tls_default_sigalg[] = { 1136 TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ 1137 0, /* SSL_PKEY_RSA_PSS_SIGN */ 1138 TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ 1139 TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ 1140 TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ 1141 TLSEXT_SIGALG_gostr34102012_256_intrinsic, /* SSL_PKEY_GOST12_256 */ 1142 TLSEXT_SIGALG_gostr34102012_512_intrinsic, /* SSL_PKEY_GOST12_512 */ 1143 0, /* SSL_PKEY_ED25519 */ 1144 0, /* SSL_PKEY_ED448 */ 1145}; 1146 1147int ssl_setup_sig_algs(SSL_CTX *ctx) 1148{ 1149 size_t i; 1150 const SIGALG_LOOKUP *lu; 1151 SIGALG_LOOKUP *cache 1152 = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); 1153 EVP_PKEY *tmpkey = EVP_PKEY_new(); 1154 int ret = 0; 1155 1156 if (cache == NULL || tmpkey == NULL) 1157 goto err; 1158 1159 ERR_set_mark(); 1160 for (i = 0, lu = sigalg_lookup_tbl; 1161 i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { 1162 EVP_PKEY_CTX *pctx; 1163 1164 cache[i] = *lu; 1165 1166 /* 1167 * Check hash is available. 1168 * This test is not perfect. A provider could have support 1169 * for a signature scheme, but not a particular hash. However the hash 1170 * could be available from some other loaded provider. In that case it 1171 * could be that the signature is available, and the hash is available 1172 * independently - but not as a combination. We ignore this for now. 1173 */ 1174 if (lu->hash != NID_undef 1175 && ctx->ssl_digest_methods[lu->hash_idx] == NULL) { 1176 cache[i].enabled = 0; 1177 continue; 1178 } 1179 1180 if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { 1181 cache[i].enabled = 0; 1182 continue; 1183 } 1184 pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, tmpkey, ctx->propq); 1185 /* If unable to create pctx we assume the sig algorithm is unavailable */ 1186 if (pctx == NULL) 1187 cache[i].enabled = 0; 1188 EVP_PKEY_CTX_free(pctx); 1189 } 1190 ERR_pop_to_mark(); 1191 ctx->sigalg_lookup_cache = cache; 1192 cache = NULL; 1193 1194 ret = 1; 1195 err: 1196 OPENSSL_free(cache); 1197 EVP_PKEY_free(tmpkey); 1198 return ret; 1199} 1200 1201/* Lookup TLS signature algorithm */ 1202static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL *s, uint16_t sigalg) 1203{ 1204 size_t i; 1205 const SIGALG_LOOKUP *lu; 1206 1207 for (i = 0, lu = s->ctx->sigalg_lookup_cache; 1208 /* cache should have the same number of elements as sigalg_lookup_tbl */ 1209 i < OSSL_NELEM(sigalg_lookup_tbl); 1210 lu++, i++) { 1211 if (lu->sigalg == sigalg) { 1212 if (!lu->enabled) 1213 return NULL; 1214 return lu; 1215 } 1216 } 1217 return NULL; 1218} 1219/* Lookup hash: return 0 if invalid or not enabled */ 1220int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd) 1221{ 1222 const EVP_MD *md; 1223 if (lu == NULL) 1224 return 0; 1225 /* lu->hash == NID_undef means no associated digest */ 1226 if (lu->hash == NID_undef) { 1227 md = NULL; 1228 } else { 1229 md = ssl_md(ctx, lu->hash_idx); 1230 if (md == NULL) 1231 return 0; 1232 } 1233 if (pmd) 1234 *pmd = md; 1235 return 1; 1236} 1237 1238/* 1239 * Check if key is large enough to generate RSA-PSS signature. 1240 * 1241 * The key must greater than or equal to 2 * hash length + 2. 1242 * SHA512 has a hash length of 64 bytes, which is incompatible 1243 * with a 128 byte (1024 bit) key. 1244 */ 1245#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2) 1246static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey, 1247 const SIGALG_LOOKUP *lu) 1248{ 1249 const EVP_MD *md; 1250 1251 if (pkey == NULL) 1252 return 0; 1253 if (!tls1_lookup_md(ctx, lu, &md) || md == NULL) 1254 return 0; 1255 if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md)) 1256 return 0; 1257 return 1; 1258} 1259 1260/* 1261 * Returns a signature algorithm when the peer did not send a list of supported 1262 * signature algorithms. The signature algorithm is fixed for the certificate 1263 * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the 1264 * certificate type from |s| will be used. 1265 * Returns the signature algorithm to use, or NULL on error. 1266 */ 1267static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) 1268{ 1269 if (idx == -1) { 1270 if (s->server) { 1271 size_t i; 1272 1273 /* Work out index corresponding to ciphersuite */ 1274 for (i = 0; i < SSL_PKEY_NUM; i++) { 1275 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i); 1276 1277 if (clu == NULL) 1278 continue; 1279 if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) { 1280 idx = i; 1281 break; 1282 } 1283 } 1284 1285 /* 1286 * Some GOST ciphersuites allow more than one signature algorithms 1287 * */ 1288 if (idx == SSL_PKEY_GOST01 && s->s3.tmp.new_cipher->algorithm_auth != SSL_aGOST01) { 1289 int real_idx; 1290 1291 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01; 1292 real_idx--) { 1293 if (s->cert->pkeys[real_idx].privatekey != NULL) { 1294 idx = real_idx; 1295 break; 1296 } 1297 } 1298 } 1299 /* 1300 * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used 1301 * with new (aGOST12-only) ciphersuites, we should find out which one is available really. 1302 */ 1303 else if (idx == SSL_PKEY_GOST12_256) { 1304 int real_idx; 1305 1306 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256; 1307 real_idx--) { 1308 if (s->cert->pkeys[real_idx].privatekey != NULL) { 1309 idx = real_idx; 1310 break; 1311 } 1312 } 1313 } 1314 } else { 1315 idx = s->cert->key - s->cert->pkeys; 1316 } 1317 } 1318 if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) 1319 return NULL; 1320 if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { 1321 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, tls_default_sigalg[idx]); 1322 1323 if (lu == NULL) 1324 return NULL; 1325 if (!tls1_lookup_md(s->ctx, lu, NULL)) 1326 return NULL; 1327 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 1328 return NULL; 1329 return lu; 1330 } 1331 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg)) 1332 return NULL; 1333 return &legacy_rsa_sigalg; 1334} 1335/* Set peer sigalg based key type */ 1336int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey) 1337{ 1338 size_t idx; 1339 const SIGALG_LOOKUP *lu; 1340 1341 if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 1342 return 0; 1343 lu = tls1_get_legacy_sigalg(s, idx); 1344 if (lu == NULL) 1345 return 0; 1346 s->s3.tmp.peer_sigalg = lu; 1347 return 1; 1348} 1349 1350size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) 1351{ 1352 /* 1353 * If Suite B mode use Suite B sigalgs only, ignore any other 1354 * preferences. 1355 */ 1356 switch (tls1_suiteb(s)) { 1357 case SSL_CERT_FLAG_SUITEB_128_LOS: 1358 *psigs = suiteb_sigalgs; 1359 return OSSL_NELEM(suiteb_sigalgs); 1360 1361 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 1362 *psigs = suiteb_sigalgs; 1363 return 1; 1364 1365 case SSL_CERT_FLAG_SUITEB_192_LOS: 1366 *psigs = suiteb_sigalgs + 1; 1367 return 1; 1368 } 1369 /* 1370 * We use client_sigalgs (if not NULL) if we're a server 1371 * and sending a certificate request or if we're a client and 1372 * determining which shared algorithm to use. 1373 */ 1374 if ((s->server == sent) && s->cert->client_sigalgs != NULL) { 1375 *psigs = s->cert->client_sigalgs; 1376 return s->cert->client_sigalgslen; 1377 } else if (s->cert->conf_sigalgs) { 1378 *psigs = s->cert->conf_sigalgs; 1379 return s->cert->conf_sigalgslen; 1380 } else { 1381 *psigs = tls12_sigalgs; 1382 return OSSL_NELEM(tls12_sigalgs); 1383 } 1384} 1385 1386/* 1387 * Called by servers only. Checks that we have a sig alg that supports the 1388 * specified EC curve. 1389 */ 1390int tls_check_sigalg_curve(const SSL *s, int curve) 1391{ 1392 const uint16_t *sigs; 1393 size_t siglen, i; 1394 1395 if (s->cert->conf_sigalgs) { 1396 sigs = s->cert->conf_sigalgs; 1397 siglen = s->cert->conf_sigalgslen; 1398 } else { 1399 sigs = tls12_sigalgs; 1400 siglen = OSSL_NELEM(tls12_sigalgs); 1401 } 1402 1403 for (i = 0; i < siglen; i++) { 1404 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, sigs[i]); 1405 1406 if (lu == NULL) 1407 continue; 1408 if (lu->sig == EVP_PKEY_EC 1409 && lu->curve != NID_undef 1410 && curve == lu->curve) 1411 return 1; 1412 } 1413 1414 return 0; 1415} 1416 1417/* 1418 * Return the number of security bits for the signature algorithm, or 0 on 1419 * error. 1420 */ 1421static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu) 1422{ 1423 const EVP_MD *md = NULL; 1424 int secbits = 0; 1425 1426 if (!tls1_lookup_md(ctx, lu, &md)) 1427 return 0; 1428 if (md != NULL) 1429 { 1430 int md_type = EVP_MD_get_type(md); 1431 1432 /* Security bits: half digest bits */ 1433 secbits = EVP_MD_get_size(md) * 4; 1434 /* 1435 * SHA1 and MD5 are known to be broken. Reduce security bits so that 1436 * they're no longer accepted at security level 1. The real values don't 1437 * really matter as long as they're lower than 80, which is our 1438 * security level 1. 1439 * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for 1440 * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2 1441 * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf 1442 * puts a chosen-prefix attack for MD5 at 2^39. 1443 */ 1444 if (md_type == NID_sha1) 1445 secbits = 64; 1446 else if (md_type == NID_md5_sha1) 1447 secbits = 67; 1448 else if (md_type == NID_md5) 1449 secbits = 39; 1450 } else { 1451 /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ 1452 if (lu->sigalg == TLSEXT_SIGALG_ed25519) 1453 secbits = 128; 1454 else if (lu->sigalg == TLSEXT_SIGALG_ed448) 1455 secbits = 224; 1456 } 1457 return secbits; 1458} 1459 1460/* 1461 * Check signature algorithm is consistent with sent supported signature 1462 * algorithms and if so set relevant digest and signature scheme in 1463 * s. 1464 */ 1465int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) 1466{ 1467 const uint16_t *sent_sigs; 1468 const EVP_MD *md = NULL; 1469 char sigalgstr[2]; 1470 size_t sent_sigslen, i, cidx; 1471 int pkeyid = -1; 1472 const SIGALG_LOOKUP *lu; 1473 int secbits = 0; 1474 1475 pkeyid = EVP_PKEY_get_id(pkey); 1476 /* Should never happen */ 1477 if (pkeyid == -1) 1478 return -1; 1479 if (SSL_IS_TLS13(s)) { 1480 /* Disallow DSA for TLS 1.3 */ 1481 if (pkeyid == EVP_PKEY_DSA) { 1482 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1483 return 0; 1484 } 1485 /* Only allow PSS for TLS 1.3 */ 1486 if (pkeyid == EVP_PKEY_RSA) 1487 pkeyid = EVP_PKEY_RSA_PSS; 1488 } 1489 lu = tls1_lookup_sigalg(s, sig); 1490 /* 1491 * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type 1492 * is consistent with signature: RSA keys can be used for RSA-PSS 1493 */ 1494 if (lu == NULL 1495 || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) 1496 || (pkeyid != lu->sig 1497 && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { 1498 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1499 return 0; 1500 } 1501 /* Check the sigalg is consistent with the key OID */ 1502 if (!ssl_cert_lookup_by_nid(EVP_PKEY_get_id(pkey), &cidx) 1503 || lu->sig_idx != (int)cidx) { 1504 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); 1505 return 0; 1506 } 1507 1508 if (pkeyid == EVP_PKEY_EC) { 1509 1510 /* Check point compression is permitted */ 1511 if (!tls1_check_pkey_comp(s, pkey)) { 1512 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1513 SSL_R_ILLEGAL_POINT_COMPRESSION); 1514 return 0; 1515 } 1516 1517 /* For TLS 1.3 or Suite B check curve matches signature algorithm */ 1518 if (SSL_IS_TLS13(s) || tls1_suiteb(s)) { 1519 int curve = ssl_get_EC_curve_nid(pkey); 1520 1521 if (lu->curve != NID_undef && curve != lu->curve) { 1522 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 1523 return 0; 1524 } 1525 } 1526 if (!SSL_IS_TLS13(s)) { 1527 /* Check curve matches extensions */ 1528 if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { 1529 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 1530 return 0; 1531 } 1532 if (tls1_suiteb(s)) { 1533 /* Check sigalg matches a permissible Suite B value */ 1534 if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 1535 && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { 1536 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1537 SSL_R_WRONG_SIGNATURE_TYPE); 1538 return 0; 1539 } 1540 } 1541 } 1542 } else if (tls1_suiteb(s)) { 1543 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1544 return 0; 1545 } 1546 1547 /* Check signature matches a type we sent */ 1548 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1549 for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 1550 if (sig == *sent_sigs) 1551 break; 1552 } 1553 /* Allow fallback to SHA1 if not strict mode */ 1554 if (i == sent_sigslen && (lu->hash != NID_sha1 1555 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 1556 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1557 return 0; 1558 } 1559 if (!tls1_lookup_md(s->ctx, lu, &md)) { 1560 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); 1561 return 0; 1562 } 1563 /* 1564 * Make sure security callback allows algorithm. For historical 1565 * reasons we have to pass the sigalg as a two byte char array. 1566 */ 1567 sigalgstr[0] = (sig >> 8) & 0xff; 1568 sigalgstr[1] = sig & 0xff; 1569 secbits = sigalg_security_bits(s->ctx, lu); 1570 if (secbits == 0 || 1571 !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, 1572 md != NULL ? EVP_MD_get_type(md) : NID_undef, 1573 (void *)sigalgstr)) { 1574 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); 1575 return 0; 1576 } 1577 /* Store the sigalg the peer uses */ 1578 s->s3.tmp.peer_sigalg = lu; 1579 return 1; 1580} 1581 1582int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) 1583{ 1584 if (s->s3.tmp.peer_sigalg == NULL) 1585 return 0; 1586 *pnid = s->s3.tmp.peer_sigalg->sig; 1587 return 1; 1588} 1589 1590int SSL_get_signature_type_nid(const SSL *s, int *pnid) 1591{ 1592 if (s->s3.tmp.sigalg == NULL) 1593 return 0; 1594 *pnid = s->s3.tmp.sigalg->sig; 1595 return 1; 1596} 1597 1598/* 1599 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't 1600 * supported, doesn't appear in supported signature algorithms, isn't supported 1601 * by the enabled protocol versions or by the security level. 1602 * 1603 * This function should only be used for checking which ciphers are supported 1604 * by the client. 1605 * 1606 * Call ssl_cipher_disabled() to check that it's enabled or not. 1607 */ 1608int ssl_set_client_disabled(SSL *s) 1609{ 1610 s->s3.tmp.mask_a = 0; 1611 s->s3.tmp.mask_k = 0; 1612 ssl_set_sig_mask(&s->s3.tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); 1613 if (ssl_get_min_max_version(s, &s->s3.tmp.min_ver, 1614 &s->s3.tmp.max_ver, NULL) != 0) 1615 return 0; 1616#ifndef OPENSSL_NO_PSK 1617 /* with PSK there must be client callback set */ 1618 if (!s->psk_client_callback) { 1619 s->s3.tmp.mask_a |= SSL_aPSK; 1620 s->s3.tmp.mask_k |= SSL_PSK; 1621 } 1622#endif /* OPENSSL_NO_PSK */ 1623#ifndef OPENSSL_NO_SRP 1624 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) { 1625 s->s3.tmp.mask_a |= SSL_aSRP; 1626 s->s3.tmp.mask_k |= SSL_kSRP; 1627 } 1628#endif 1629 return 1; 1630} 1631 1632/* 1633 * ssl_cipher_disabled - check that a cipher is disabled or not 1634 * @s: SSL connection that you want to use the cipher on 1635 * @c: cipher to check 1636 * @op: Security check that you want to do 1637 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3 1638 * 1639 * Returns 1 when it's disabled, 0 when enabled. 1640 */ 1641int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe) 1642{ 1643 if (c->algorithm_mkey & s->s3.tmp.mask_k 1644 || c->algorithm_auth & s->s3.tmp.mask_a) 1645 return 1; 1646 if (s->s3.tmp.max_ver == 0) 1647 return 1; 1648 if (!SSL_IS_DTLS(s)) { 1649 int min_tls = c->min_tls; 1650 1651 /* 1652 * For historical reasons we will allow ECHDE to be selected by a server 1653 * in SSLv3 if we are a client 1654 */ 1655 if (min_tls == TLS1_VERSION && ecdhe 1656 && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0) 1657 min_tls = SSL3_VERSION; 1658 1659 if ((min_tls > s->s3.tmp.max_ver) || (c->max_tls < s->s3.tmp.min_ver)) 1660 return 1; 1661 } 1662 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3.tmp.max_ver) 1663 || DTLS_VERSION_LT(c->max_dtls, s->s3.tmp.min_ver))) 1664 return 1; 1665 1666 return !ssl_security(s, op, c->strength_bits, 0, (void *)c); 1667} 1668 1669int tls_use_ticket(SSL *s) 1670{ 1671 if ((s->options & SSL_OP_NO_TICKET)) 1672 return 0; 1673 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); 1674} 1675 1676int tls1_set_server_sigalgs(SSL *s) 1677{ 1678 size_t i; 1679 1680 /* Clear any shared signature algorithms */ 1681 OPENSSL_free(s->shared_sigalgs); 1682 s->shared_sigalgs = NULL; 1683 s->shared_sigalgslen = 0; 1684 /* Clear certificate validity flags */ 1685 for (i = 0; i < SSL_PKEY_NUM; i++) 1686 s->s3.tmp.valid_flags[i] = 0; 1687 /* 1688 * If peer sent no signature algorithms check to see if we support 1689 * the default algorithm for each certificate type 1690 */ 1691 if (s->s3.tmp.peer_cert_sigalgs == NULL 1692 && s->s3.tmp.peer_sigalgs == NULL) { 1693 const uint16_t *sent_sigs; 1694 size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 1695 1696 for (i = 0; i < SSL_PKEY_NUM; i++) { 1697 const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i); 1698 size_t j; 1699 1700 if (lu == NULL) 1701 continue; 1702 /* Check default matches a type we sent */ 1703 for (j = 0; j < sent_sigslen; j++) { 1704 if (lu->sigalg == sent_sigs[j]) { 1705 s->s3.tmp.valid_flags[i] = CERT_PKEY_SIGN; 1706 break; 1707 } 1708 } 1709 } 1710 return 1; 1711 } 1712 1713 if (!tls1_process_sigalgs(s)) { 1714 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1715 return 0; 1716 } 1717 if (s->shared_sigalgs != NULL) 1718 return 1; 1719 1720 /* Fatal error if no shared signature algorithms */ 1721 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1722 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); 1723 return 0; 1724} 1725 1726/*- 1727 * Gets the ticket information supplied by the client if any. 1728 * 1729 * hello: The parsed ClientHello data 1730 * ret: (output) on return, if a ticket was decrypted, then this is set to 1731 * point to the resulting session. 1732 */ 1733SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello, 1734 SSL_SESSION **ret) 1735{ 1736 size_t size; 1737 RAW_EXTENSION *ticketext; 1738 1739 *ret = NULL; 1740 s->ext.ticket_expected = 0; 1741 1742 /* 1743 * If tickets disabled or not supported by the protocol version 1744 * (e.g. TLSv1.3) behave as if no ticket present to permit stateful 1745 * resumption. 1746 */ 1747 if (s->version <= SSL3_VERSION || !tls_use_ticket(s)) 1748 return SSL_TICKET_NONE; 1749 1750 ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket]; 1751 if (!ticketext->present) 1752 return SSL_TICKET_NONE; 1753 1754 size = PACKET_remaining(&ticketext->data); 1755 1756 return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size, 1757 hello->session_id, hello->session_id_len, ret); 1758} 1759 1760/*- 1761 * tls_decrypt_ticket attempts to decrypt a session ticket. 1762 * 1763 * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are 1764 * expecting a pre-shared key ciphersuite, in which case we have no use for 1765 * session tickets and one will never be decrypted, nor will 1766 * s->ext.ticket_expected be set to 1. 1767 * 1768 * Side effects: 1769 * Sets s->ext.ticket_expected to 1 if the server will have to issue 1770 * a new session ticket to the client because the client indicated support 1771 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 1772 * a session ticket or we couldn't use the one it gave us, or if 1773 * s->ctx->ext.ticket_key_cb asked to renew the client's ticket. 1774 * Otherwise, s->ext.ticket_expected is set to 0. 1775 * 1776 * etick: points to the body of the session ticket extension. 1777 * eticklen: the length of the session tickets extension. 1778 * sess_id: points at the session ID. 1779 * sesslen: the length of the session ID. 1780 * psess: (output) on return, if a ticket was decrypted, then this is set to 1781 * point to the resulting session. 1782 */ 1783SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, 1784 size_t eticklen, const unsigned char *sess_id, 1785 size_t sesslen, SSL_SESSION **psess) 1786{ 1787 SSL_SESSION *sess = NULL; 1788 unsigned char *sdec; 1789 const unsigned char *p; 1790 int slen, ivlen, renew_ticket = 0, declen; 1791 SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER; 1792 size_t mlen; 1793 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 1794 SSL_HMAC *hctx = NULL; 1795 EVP_CIPHER_CTX *ctx = NULL; 1796 SSL_CTX *tctx = s->session_ctx; 1797 1798 if (eticklen == 0) { 1799 /* 1800 * The client will accept a ticket but doesn't currently have 1801 * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3 1802 */ 1803 ret = SSL_TICKET_EMPTY; 1804 goto end; 1805 } 1806 if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) { 1807 /* 1808 * Indicate that the ticket couldn't be decrypted rather than 1809 * generating the session from ticket now, trigger 1810 * abbreviated handshake based on external mechanism to 1811 * calculate the master secret later. 1812 */ 1813 ret = SSL_TICKET_NO_DECRYPT; 1814 goto end; 1815 } 1816 1817 /* Need at least keyname + iv */ 1818 if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) { 1819 ret = SSL_TICKET_NO_DECRYPT; 1820 goto end; 1821 } 1822 1823 /* Initialize session ticket encryption and HMAC contexts */ 1824 hctx = ssl_hmac_new(tctx); 1825 if (hctx == NULL) { 1826 ret = SSL_TICKET_FATAL_ERR_MALLOC; 1827 goto end; 1828 } 1829 ctx = EVP_CIPHER_CTX_new(); 1830 if (ctx == NULL) { 1831 ret = SSL_TICKET_FATAL_ERR_MALLOC; 1832 goto end; 1833 } 1834#ifndef OPENSSL_NO_DEPRECATED_3_0 1835 if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL) 1836#else 1837 if (tctx->ext.ticket_key_evp_cb != NULL) 1838#endif 1839 { 1840 unsigned char *nctick = (unsigned char *)etick; 1841 int rv = 0; 1842 1843 if (tctx->ext.ticket_key_evp_cb != NULL) 1844 rv = tctx->ext.ticket_key_evp_cb(s, nctick, 1845 nctick + TLSEXT_KEYNAME_LENGTH, 1846 ctx, 1847 ssl_hmac_get0_EVP_MAC_CTX(hctx), 1848 0); 1849#ifndef OPENSSL_NO_DEPRECATED_3_0 1850 else if (tctx->ext.ticket_key_cb != NULL) 1851 /* if 0 is returned, write an empty ticket */ 1852 rv = tctx->ext.ticket_key_cb(s, nctick, 1853 nctick + TLSEXT_KEYNAME_LENGTH, 1854 ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0); 1855#endif 1856 if (rv < 0) { 1857 ret = SSL_TICKET_FATAL_ERR_OTHER; 1858 goto end; 1859 } 1860 if (rv == 0) { 1861 ret = SSL_TICKET_NO_DECRYPT; 1862 goto end; 1863 } 1864 if (rv == 2) 1865 renew_ticket = 1; 1866 } else { 1867 EVP_CIPHER *aes256cbc = NULL; 1868 1869 /* Check key name matches */ 1870 if (memcmp(etick, tctx->ext.tick_key_name, 1871 TLSEXT_KEYNAME_LENGTH) != 0) { 1872 ret = SSL_TICKET_NO_DECRYPT; 1873 goto end; 1874 } 1875 1876 aes256cbc = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC", 1877 s->ctx->propq); 1878 if (aes256cbc == NULL 1879 || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, 1880 sizeof(tctx->ext.secure->tick_hmac_key), 1881 "SHA256") <= 0 1882 || EVP_DecryptInit_ex(ctx, aes256cbc, NULL, 1883 tctx->ext.secure->tick_aes_key, 1884 etick + TLSEXT_KEYNAME_LENGTH) <= 0) { 1885 EVP_CIPHER_free(aes256cbc); 1886 ret = SSL_TICKET_FATAL_ERR_OTHER; 1887 goto end; 1888 } 1889 EVP_CIPHER_free(aes256cbc); 1890 if (SSL_IS_TLS13(s)) 1891 renew_ticket = 1; 1892 } 1893 /* 1894 * Attempt to process session ticket, first conduct sanity and integrity 1895 * checks on ticket. 1896 */ 1897 mlen = ssl_hmac_size(hctx); 1898 if (mlen == 0) { 1899 ret = SSL_TICKET_FATAL_ERR_OTHER; 1900 goto end; 1901 } 1902 1903 ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); 1904 if (ivlen < 0) { 1905 ret = SSL_TICKET_FATAL_ERR_OTHER; 1906 goto end; 1907 } 1908 1909 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 1910 if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) { 1911 ret = SSL_TICKET_NO_DECRYPT; 1912 goto end; 1913 } 1914 eticklen -= mlen; 1915 /* Check HMAC of encrypted ticket */ 1916 if (ssl_hmac_update(hctx, etick, eticklen) <= 0 1917 || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) { 1918 ret = SSL_TICKET_FATAL_ERR_OTHER; 1919 goto end; 1920 } 1921 1922 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 1923 ret = SSL_TICKET_NO_DECRYPT; 1924 goto end; 1925 } 1926 /* Attempt to decrypt session data */ 1927 /* Move p after IV to start of encrypted ticket, update length */ 1928 p = etick + TLSEXT_KEYNAME_LENGTH + ivlen; 1929 eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen; 1930 sdec = OPENSSL_malloc(eticklen); 1931 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, 1932 (int)eticklen) <= 0) { 1933 OPENSSL_free(sdec); 1934 ret = SSL_TICKET_FATAL_ERR_OTHER; 1935 goto end; 1936 } 1937 if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) { 1938 OPENSSL_free(sdec); 1939 ret = SSL_TICKET_NO_DECRYPT; 1940 goto end; 1941 } 1942 slen += declen; 1943 p = sdec; 1944 1945 sess = d2i_SSL_SESSION(NULL, &p, slen); 1946 slen -= p - sdec; 1947 OPENSSL_free(sdec); 1948 if (sess) { 1949 /* Some additional consistency checks */ 1950 if (slen != 0) { 1951 SSL_SESSION_free(sess); 1952 sess = NULL; 1953 ret = SSL_TICKET_NO_DECRYPT; 1954 goto end; 1955 } 1956 /* 1957 * The session ID, if non-empty, is used by some clients to detect 1958 * that the ticket has been accepted. So we copy it to the session 1959 * structure. If it is empty set length to zero as required by 1960 * standard. 1961 */ 1962 if (sesslen) { 1963 memcpy(sess->session_id, sess_id, sesslen); 1964 sess->session_id_length = sesslen; 1965 } 1966 if (renew_ticket) 1967 ret = SSL_TICKET_SUCCESS_RENEW; 1968 else 1969 ret = SSL_TICKET_SUCCESS; 1970 goto end; 1971 } 1972 ERR_clear_error(); 1973 /* 1974 * For session parse failure, indicate that we need to send a new ticket. 1975 */ 1976 ret = SSL_TICKET_NO_DECRYPT; 1977 1978 end: 1979 EVP_CIPHER_CTX_free(ctx); 1980 ssl_hmac_free(hctx); 1981 1982 /* 1983 * If set, the decrypt_ticket_cb() is called unless a fatal error was 1984 * detected above. The callback is responsible for checking |ret| before it 1985 * performs any action 1986 */ 1987 if (s->session_ctx->decrypt_ticket_cb != NULL 1988 && (ret == SSL_TICKET_EMPTY 1989 || ret == SSL_TICKET_NO_DECRYPT 1990 || ret == SSL_TICKET_SUCCESS 1991 || ret == SSL_TICKET_SUCCESS_RENEW)) { 1992 size_t keyname_len = eticklen; 1993 int retcb; 1994 1995 if (keyname_len > TLSEXT_KEYNAME_LENGTH) 1996 keyname_len = TLSEXT_KEYNAME_LENGTH; 1997 retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len, 1998 ret, 1999 s->session_ctx->ticket_cb_data); 2000 switch (retcb) { 2001 case SSL_TICKET_RETURN_ABORT: 2002 ret = SSL_TICKET_FATAL_ERR_OTHER; 2003 break; 2004 2005 case SSL_TICKET_RETURN_IGNORE: 2006 ret = SSL_TICKET_NONE; 2007 SSL_SESSION_free(sess); 2008 sess = NULL; 2009 break; 2010 2011 case SSL_TICKET_RETURN_IGNORE_RENEW: 2012 if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT) 2013 ret = SSL_TICKET_NO_DECRYPT; 2014 /* else the value of |ret| will already do the right thing */ 2015 SSL_SESSION_free(sess); 2016 sess = NULL; 2017 break; 2018 2019 case SSL_TICKET_RETURN_USE: 2020 case SSL_TICKET_RETURN_USE_RENEW: 2021 if (ret != SSL_TICKET_SUCCESS 2022 && ret != SSL_TICKET_SUCCESS_RENEW) 2023 ret = SSL_TICKET_FATAL_ERR_OTHER; 2024 else if (retcb == SSL_TICKET_RETURN_USE) 2025 ret = SSL_TICKET_SUCCESS; 2026 else 2027 ret = SSL_TICKET_SUCCESS_RENEW; 2028 break; 2029 2030 default: 2031 ret = SSL_TICKET_FATAL_ERR_OTHER; 2032 } 2033 } 2034 2035 if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) { 2036 switch (ret) { 2037 case SSL_TICKET_NO_DECRYPT: 2038 case SSL_TICKET_SUCCESS_RENEW: 2039 case SSL_TICKET_EMPTY: 2040 s->ext.ticket_expected = 1; 2041 } 2042 } 2043 2044 *psess = sess; 2045 2046 return ret; 2047} 2048 2049/* Check to see if a signature algorithm is allowed */ 2050static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) 2051{ 2052 unsigned char sigalgstr[2]; 2053 int secbits; 2054 2055 if (lu == NULL || !lu->enabled) 2056 return 0; 2057 /* DSA is not allowed in TLS 1.3 */ 2058 if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) 2059 return 0; 2060 /* 2061 * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3 2062 * spec 2063 */ 2064 if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION 2065 && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX 2066 || lu->hash_idx == SSL_MD_MD5_IDX 2067 || lu->hash_idx == SSL_MD_SHA224_IDX)) 2068 return 0; 2069 2070 /* See if public key algorithm allowed */ 2071 if (ssl_cert_is_disabled(s->ctx, lu->sig_idx)) 2072 return 0; 2073 2074 if (lu->sig == NID_id_GostR3410_2012_256 2075 || lu->sig == NID_id_GostR3410_2012_512 2076 || lu->sig == NID_id_GostR3410_2001) { 2077 /* We never allow GOST sig algs on the server with TLSv1.3 */ 2078 if (s->server && SSL_IS_TLS13(s)) 2079 return 0; 2080 if (!s->server 2081 && s->method->version == TLS_ANY_VERSION 2082 && s->s3.tmp.max_ver >= TLS1_3_VERSION) { 2083 int i, num; 2084 STACK_OF(SSL_CIPHER) *sk; 2085 2086 /* 2087 * We're a client that could negotiate TLSv1.3. We only allow GOST 2088 * sig algs if we could negotiate TLSv1.2 or below and we have GOST 2089 * ciphersuites enabled. 2090 */ 2091 2092 if (s->s3.tmp.min_ver >= TLS1_3_VERSION) 2093 return 0; 2094 2095 sk = SSL_get_ciphers(s); 2096 num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0; 2097 for (i = 0; i < num; i++) { 2098 const SSL_CIPHER *c; 2099 2100 c = sk_SSL_CIPHER_value(sk, i); 2101 /* Skip disabled ciphers */ 2102 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 2103 continue; 2104 2105 if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0) 2106 break; 2107 } 2108 if (i == num) 2109 return 0; 2110 } 2111 } 2112 2113 /* Finally see if security callback allows it */ 2114 secbits = sigalg_security_bits(s->ctx, lu); 2115 sigalgstr[0] = (lu->sigalg >> 8) & 0xff; 2116 sigalgstr[1] = lu->sigalg & 0xff; 2117 return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr); 2118} 2119 2120/* 2121 * Get a mask of disabled public key algorithms based on supported signature 2122 * algorithms. For example if no signature algorithm supports RSA then RSA is 2123 * disabled. 2124 */ 2125 2126void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) 2127{ 2128 const uint16_t *sigalgs; 2129 size_t i, sigalgslen; 2130 uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA; 2131 /* 2132 * Go through all signature algorithms seeing if we support any 2133 * in disabled_mask. 2134 */ 2135 sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs); 2136 for (i = 0; i < sigalgslen; i++, sigalgs++) { 2137 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *sigalgs); 2138 const SSL_CERT_LOOKUP *clu; 2139 2140 if (lu == NULL) 2141 continue; 2142 2143 clu = ssl_cert_lookup_by_idx(lu->sig_idx); 2144 if (clu == NULL) 2145 continue; 2146 2147 /* If algorithm is disabled see if we can enable it */ 2148 if ((clu->amask & disabled_mask) != 0 2149 && tls12_sigalg_allowed(s, op, lu)) 2150 disabled_mask &= ~clu->amask; 2151 } 2152 *pmask_a |= disabled_mask; 2153} 2154 2155int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, 2156 const uint16_t *psig, size_t psiglen) 2157{ 2158 size_t i; 2159 int rv = 0; 2160 2161 for (i = 0; i < psiglen; i++, psig++) { 2162 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *psig); 2163 2164 if (lu == NULL 2165 || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) 2166 continue; 2167 if (!WPACKET_put_bytes_u16(pkt, *psig)) 2168 return 0; 2169 /* 2170 * If TLS 1.3 must have at least one valid TLS 1.3 message 2171 * signing algorithm: i.e. neither RSA nor SHA1/SHA224 2172 */ 2173 if (rv == 0 && (!SSL_IS_TLS13(s) 2174 || (lu->sig != EVP_PKEY_RSA 2175 && lu->hash != NID_sha1 2176 && lu->hash != NID_sha224))) 2177 rv = 1; 2178 } 2179 if (rv == 0) 2180 ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 2181 return rv; 2182} 2183 2184/* Given preference and allowed sigalgs set shared sigalgs */ 2185static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig, 2186 const uint16_t *pref, size_t preflen, 2187 const uint16_t *allow, size_t allowlen) 2188{ 2189 const uint16_t *ptmp, *atmp; 2190 size_t i, j, nmatch = 0; 2191 for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { 2192 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *ptmp); 2193 2194 /* Skip disabled hashes or signature algorithms */ 2195 if (lu == NULL 2196 || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) 2197 continue; 2198 for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { 2199 if (*ptmp == *atmp) { 2200 nmatch++; 2201 if (shsig) 2202 *shsig++ = lu; 2203 break; 2204 } 2205 } 2206 } 2207 return nmatch; 2208} 2209 2210/* Set shared signature algorithms for SSL structures */ 2211static int tls1_set_shared_sigalgs(SSL *s) 2212{ 2213 const uint16_t *pref, *allow, *conf; 2214 size_t preflen, allowlen, conflen; 2215 size_t nmatch; 2216 const SIGALG_LOOKUP **salgs = NULL; 2217 CERT *c = s->cert; 2218 unsigned int is_suiteb = tls1_suiteb(s); 2219 2220 OPENSSL_free(s->shared_sigalgs); 2221 s->shared_sigalgs = NULL; 2222 s->shared_sigalgslen = 0; 2223 /* If client use client signature algorithms if not NULL */ 2224 if (!s->server && c->client_sigalgs && !is_suiteb) { 2225 conf = c->client_sigalgs; 2226 conflen = c->client_sigalgslen; 2227 } else if (c->conf_sigalgs && !is_suiteb) { 2228 conf = c->conf_sigalgs; 2229 conflen = c->conf_sigalgslen; 2230 } else 2231 conflen = tls12_get_psigalgs(s, 0, &conf); 2232 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { 2233 pref = conf; 2234 preflen = conflen; 2235 allow = s->s3.tmp.peer_sigalgs; 2236 allowlen = s->s3.tmp.peer_sigalgslen; 2237 } else { 2238 allow = conf; 2239 allowlen = conflen; 2240 pref = s->s3.tmp.peer_sigalgs; 2241 preflen = s->s3.tmp.peer_sigalgslen; 2242 } 2243 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); 2244 if (nmatch) { 2245 if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) { 2246 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2247 return 0; 2248 } 2249 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); 2250 } else { 2251 salgs = NULL; 2252 } 2253 s->shared_sigalgs = salgs; 2254 s->shared_sigalgslen = nmatch; 2255 return 1; 2256} 2257 2258int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) 2259{ 2260 unsigned int stmp; 2261 size_t size, i; 2262 uint16_t *buf; 2263 2264 size = PACKET_remaining(pkt); 2265 2266 /* Invalid data length */ 2267 if (size == 0 || (size & 1) != 0) 2268 return 0; 2269 2270 size >>= 1; 2271 2272 if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) { 2273 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2274 return 0; 2275 } 2276 for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) 2277 buf[i] = stmp; 2278 2279 if (i != size) { 2280 OPENSSL_free(buf); 2281 return 0; 2282 } 2283 2284 OPENSSL_free(*pdest); 2285 *pdest = buf; 2286 *pdestlen = size; 2287 2288 return 1; 2289} 2290 2291int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert) 2292{ 2293 /* Extension ignored for inappropriate versions */ 2294 if (!SSL_USE_SIGALGS(s)) 2295 return 1; 2296 /* Should never happen */ 2297 if (s->cert == NULL) 2298 return 0; 2299 2300 if (cert) 2301 return tls1_save_u16(pkt, &s->s3.tmp.peer_cert_sigalgs, 2302 &s->s3.tmp.peer_cert_sigalgslen); 2303 else 2304 return tls1_save_u16(pkt, &s->s3.tmp.peer_sigalgs, 2305 &s->s3.tmp.peer_sigalgslen); 2306 2307} 2308 2309/* Set preferred digest for each key type */ 2310 2311int tls1_process_sigalgs(SSL *s) 2312{ 2313 size_t i; 2314 uint32_t *pvalid = s->s3.tmp.valid_flags; 2315 2316 if (!tls1_set_shared_sigalgs(s)) 2317 return 0; 2318 2319 for (i = 0; i < SSL_PKEY_NUM; i++) 2320 pvalid[i] = 0; 2321 2322 for (i = 0; i < s->shared_sigalgslen; i++) { 2323 const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i]; 2324 int idx = sigptr->sig_idx; 2325 2326 /* Ignore PKCS1 based sig algs in TLSv1.3 */ 2327 if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) 2328 continue; 2329 /* If not disabled indicate we can explicitly sign */ 2330 if (pvalid[idx] == 0 && !ssl_cert_is_disabled(s->ctx, idx)) 2331 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 2332 } 2333 return 1; 2334} 2335 2336int SSL_get_sigalgs(SSL *s, int idx, 2337 int *psign, int *phash, int *psignhash, 2338 unsigned char *rsig, unsigned char *rhash) 2339{ 2340 uint16_t *psig = s->s3.tmp.peer_sigalgs; 2341 size_t numsigalgs = s->s3.tmp.peer_sigalgslen; 2342 if (psig == NULL || numsigalgs > INT_MAX) 2343 return 0; 2344 if (idx >= 0) { 2345 const SIGALG_LOOKUP *lu; 2346 2347 if (idx >= (int)numsigalgs) 2348 return 0; 2349 psig += idx; 2350 if (rhash != NULL) 2351 *rhash = (unsigned char)((*psig >> 8) & 0xff); 2352 if (rsig != NULL) 2353 *rsig = (unsigned char)(*psig & 0xff); 2354 lu = tls1_lookup_sigalg(s, *psig); 2355 if (psign != NULL) 2356 *psign = lu != NULL ? lu->sig : NID_undef; 2357 if (phash != NULL) 2358 *phash = lu != NULL ? lu->hash : NID_undef; 2359 if (psignhash != NULL) 2360 *psignhash = lu != NULL ? lu->sigandhash : NID_undef; 2361 } 2362 return (int)numsigalgs; 2363} 2364 2365int SSL_get_shared_sigalgs(SSL *s, int idx, 2366 int *psign, int *phash, int *psignhash, 2367 unsigned char *rsig, unsigned char *rhash) 2368{ 2369 const SIGALG_LOOKUP *shsigalgs; 2370 if (s->shared_sigalgs == NULL 2371 || idx < 0 2372 || idx >= (int)s->shared_sigalgslen 2373 || s->shared_sigalgslen > INT_MAX) 2374 return 0; 2375 shsigalgs = s->shared_sigalgs[idx]; 2376 if (phash != NULL) 2377 *phash = shsigalgs->hash; 2378 if (psign != NULL) 2379 *psign = shsigalgs->sig; 2380 if (psignhash != NULL) 2381 *psignhash = shsigalgs->sigandhash; 2382 if (rsig != NULL) 2383 *rsig = (unsigned char)(shsigalgs->sigalg & 0xff); 2384 if (rhash != NULL) 2385 *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff); 2386 return (int)s->shared_sigalgslen; 2387} 2388 2389/* Maximum possible number of unique entries in sigalgs array */ 2390#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2) 2391 2392typedef struct { 2393 size_t sigalgcnt; 2394 /* TLSEXT_SIGALG_XXX values */ 2395 uint16_t sigalgs[TLS_MAX_SIGALGCNT]; 2396} sig_cb_st; 2397 2398static void get_sigorhash(int *psig, int *phash, const char *str) 2399{ 2400 if (strcmp(str, "RSA") == 0) { 2401 *psig = EVP_PKEY_RSA; 2402 } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) { 2403 *psig = EVP_PKEY_RSA_PSS; 2404 } else if (strcmp(str, "DSA") == 0) { 2405 *psig = EVP_PKEY_DSA; 2406 } else if (strcmp(str, "ECDSA") == 0) { 2407 *psig = EVP_PKEY_EC; 2408 } else { 2409 *phash = OBJ_sn2nid(str); 2410 if (*phash == NID_undef) 2411 *phash = OBJ_ln2nid(str); 2412 } 2413} 2414/* Maximum length of a signature algorithm string component */ 2415#define TLS_MAX_SIGSTRING_LEN 40 2416 2417static int sig_cb(const char *elem, int len, void *arg) 2418{ 2419 sig_cb_st *sarg = arg; 2420 size_t i; 2421 const SIGALG_LOOKUP *s; 2422 char etmp[TLS_MAX_SIGSTRING_LEN], *p; 2423 int sig_alg = NID_undef, hash_alg = NID_undef; 2424 if (elem == NULL) 2425 return 0; 2426 if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) 2427 return 0; 2428 if (len > (int)(sizeof(etmp) - 1)) 2429 return 0; 2430 memcpy(etmp, elem, len); 2431 etmp[len] = 0; 2432 p = strchr(etmp, '+'); 2433 /* 2434 * We only allow SignatureSchemes listed in the sigalg_lookup_tbl; 2435 * if there's no '+' in the provided name, look for the new-style combined 2436 * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP. 2437 * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and 2438 * rsa_pss_rsae_* that differ only by public key OID; in such cases 2439 * we will pick the _rsae_ variant, by virtue of them appearing earlier 2440 * in the table. 2441 */ 2442 if (p == NULL) { 2443 for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2444 i++, s++) { 2445 if (s->name != NULL && strcmp(etmp, s->name) == 0) { 2446 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2447 break; 2448 } 2449 } 2450 if (i == OSSL_NELEM(sigalg_lookup_tbl)) 2451 return 0; 2452 } else { 2453 *p = 0; 2454 p++; 2455 if (*p == 0) 2456 return 0; 2457 get_sigorhash(&sig_alg, &hash_alg, etmp); 2458 get_sigorhash(&sig_alg, &hash_alg, p); 2459 if (sig_alg == NID_undef || hash_alg == NID_undef) 2460 return 0; 2461 for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); 2462 i++, s++) { 2463 if (s->hash == hash_alg && s->sig == sig_alg) { 2464 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; 2465 break; 2466 } 2467 } 2468 if (i == OSSL_NELEM(sigalg_lookup_tbl)) 2469 return 0; 2470 } 2471 2472 /* Reject duplicates */ 2473 for (i = 0; i < sarg->sigalgcnt - 1; i++) { 2474 if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { 2475 sarg->sigalgcnt--; 2476 return 0; 2477 } 2478 } 2479 return 1; 2480} 2481 2482/* 2483 * Set supported signature algorithms based on a colon separated list of the 2484 * form sig+hash e.g. RSA+SHA512:DSA+SHA512 2485 */ 2486int tls1_set_sigalgs_list(CERT *c, const char *str, int client) 2487{ 2488 sig_cb_st sig; 2489 sig.sigalgcnt = 0; 2490 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) 2491 return 0; 2492 if (c == NULL) 2493 return 1; 2494 return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); 2495} 2496 2497int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, 2498 int client) 2499{ 2500 uint16_t *sigalgs; 2501 2502 if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) { 2503 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2504 return 0; 2505 } 2506 memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs)); 2507 2508 if (client) { 2509 OPENSSL_free(c->client_sigalgs); 2510 c->client_sigalgs = sigalgs; 2511 c->client_sigalgslen = salglen; 2512 } else { 2513 OPENSSL_free(c->conf_sigalgs); 2514 c->conf_sigalgs = sigalgs; 2515 c->conf_sigalgslen = salglen; 2516 } 2517 2518 return 1; 2519} 2520 2521int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) 2522{ 2523 uint16_t *sigalgs, *sptr; 2524 size_t i; 2525 2526 if (salglen & 1) 2527 return 0; 2528 if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) { 2529 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 2530 return 0; 2531 } 2532 for (i = 0, sptr = sigalgs; i < salglen; i += 2) { 2533 size_t j; 2534 const SIGALG_LOOKUP *curr; 2535 int md_id = *psig_nids++; 2536 int sig_id = *psig_nids++; 2537 2538 for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl); 2539 j++, curr++) { 2540 if (curr->hash == md_id && curr->sig == sig_id) { 2541 *sptr++ = curr->sigalg; 2542 break; 2543 } 2544 } 2545 2546 if (j == OSSL_NELEM(sigalg_lookup_tbl)) 2547 goto err; 2548 } 2549 2550 if (client) { 2551 OPENSSL_free(c->client_sigalgs); 2552 c->client_sigalgs = sigalgs; 2553 c->client_sigalgslen = salglen / 2; 2554 } else { 2555 OPENSSL_free(c->conf_sigalgs); 2556 c->conf_sigalgs = sigalgs; 2557 c->conf_sigalgslen = salglen / 2; 2558 } 2559 2560 return 1; 2561 2562 err: 2563 OPENSSL_free(sigalgs); 2564 return 0; 2565} 2566 2567static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) 2568{ 2569 int sig_nid, use_pc_sigalgs = 0; 2570 size_t i; 2571 const SIGALG_LOOKUP *sigalg; 2572 size_t sigalgslen; 2573 if (default_nid == -1) 2574 return 1; 2575 sig_nid = X509_get_signature_nid(x); 2576 if (default_nid) 2577 return sig_nid == default_nid ? 1 : 0; 2578 2579 if (SSL_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) { 2580 /* 2581 * If we're in TLSv1.3 then we only get here if we're checking the 2582 * chain. If the peer has specified peer_cert_sigalgs then we use them 2583 * otherwise we default to normal sigalgs. 2584 */ 2585 sigalgslen = s->s3.tmp.peer_cert_sigalgslen; 2586 use_pc_sigalgs = 1; 2587 } else { 2588 sigalgslen = s->shared_sigalgslen; 2589 } 2590 for (i = 0; i < sigalgslen; i++) { 2591 sigalg = use_pc_sigalgs 2592 ? tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]) 2593 : s->shared_sigalgs[i]; 2594 if (sigalg != NULL && sig_nid == sigalg->sigandhash) 2595 return 1; 2596 } 2597 return 0; 2598} 2599 2600/* Check to see if a certificate issuer name matches list of CA names */ 2601static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) 2602{ 2603 const X509_NAME *nm; 2604 int i; 2605 nm = X509_get_issuer_name(x); 2606 for (i = 0; i < sk_X509_NAME_num(names); i++) { 2607 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) 2608 return 1; 2609 } 2610 return 0; 2611} 2612 2613/* 2614 * Check certificate chain is consistent with TLS extensions and is usable by 2615 * server. This servers two purposes: it allows users to check chains before 2616 * passing them to the server and it allows the server to check chains before 2617 * attempting to use them. 2618 */ 2619 2620/* Flags which need to be set for a certificate when strict mode not set */ 2621 2622#define CERT_PKEY_VALID_FLAGS \ 2623 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) 2624/* Strict mode flags */ 2625#define CERT_PKEY_STRICT_FLAGS \ 2626 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ 2627 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) 2628 2629int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, 2630 int idx) 2631{ 2632 int i; 2633 int rv = 0; 2634 int check_flags = 0, strict_mode; 2635 CERT_PKEY *cpk = NULL; 2636 CERT *c = s->cert; 2637 uint32_t *pvalid; 2638 unsigned int suiteb_flags = tls1_suiteb(s); 2639 /* idx == -1 means checking server chains */ 2640 if (idx != -1) { 2641 /* idx == -2 means checking client certificate chains */ 2642 if (idx == -2) { 2643 cpk = c->key; 2644 idx = (int)(cpk - c->pkeys); 2645 } else 2646 cpk = c->pkeys + idx; 2647 pvalid = s->s3.tmp.valid_flags + idx; 2648 x = cpk->x509; 2649 pk = cpk->privatekey; 2650 chain = cpk->chain; 2651 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; 2652 /* If no cert or key, forget it */ 2653 if (!x || !pk) 2654 goto end; 2655 } else { 2656 size_t certidx; 2657 2658 if (!x || !pk) 2659 return 0; 2660 2661 if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL) 2662 return 0; 2663 idx = certidx; 2664 pvalid = s->s3.tmp.valid_flags + idx; 2665 2666 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) 2667 check_flags = CERT_PKEY_STRICT_FLAGS; 2668 else 2669 check_flags = CERT_PKEY_VALID_FLAGS; 2670 strict_mode = 1; 2671 } 2672 2673 if (suiteb_flags) { 2674 int ok; 2675 if (check_flags) 2676 check_flags |= CERT_PKEY_SUITEB; 2677 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); 2678 if (ok == X509_V_OK) 2679 rv |= CERT_PKEY_SUITEB; 2680 else if (!check_flags) 2681 goto end; 2682 } 2683 2684 /* 2685 * Check all signature algorithms are consistent with signature 2686 * algorithms extension if TLS 1.2 or later and strict mode. 2687 */ 2688 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) { 2689 int default_nid; 2690 int rsign = 0; 2691 if (s->s3.tmp.peer_cert_sigalgs != NULL 2692 || s->s3.tmp.peer_sigalgs != NULL) { 2693 default_nid = 0; 2694 /* If no sigalgs extension use defaults from RFC5246 */ 2695 } else { 2696 switch (idx) { 2697 case SSL_PKEY_RSA: 2698 rsign = EVP_PKEY_RSA; 2699 default_nid = NID_sha1WithRSAEncryption; 2700 break; 2701 2702 case SSL_PKEY_DSA_SIGN: 2703 rsign = EVP_PKEY_DSA; 2704 default_nid = NID_dsaWithSHA1; 2705 break; 2706 2707 case SSL_PKEY_ECC: 2708 rsign = EVP_PKEY_EC; 2709 default_nid = NID_ecdsa_with_SHA1; 2710 break; 2711 2712 case SSL_PKEY_GOST01: 2713 rsign = NID_id_GostR3410_2001; 2714 default_nid = NID_id_GostR3411_94_with_GostR3410_2001; 2715 break; 2716 2717 case SSL_PKEY_GOST12_256: 2718 rsign = NID_id_GostR3410_2012_256; 2719 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256; 2720 break; 2721 2722 case SSL_PKEY_GOST12_512: 2723 rsign = NID_id_GostR3410_2012_512; 2724 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512; 2725 break; 2726 2727 default: 2728 default_nid = -1; 2729 break; 2730 } 2731 } 2732 /* 2733 * If peer sent no signature algorithms extension and we have set 2734 * preferred signature algorithms check we support sha1. 2735 */ 2736 if (default_nid > 0 && c->conf_sigalgs) { 2737 size_t j; 2738 const uint16_t *p = c->conf_sigalgs; 2739 for (j = 0; j < c->conf_sigalgslen; j++, p++) { 2740 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *p); 2741 2742 if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign) 2743 break; 2744 } 2745 if (j == c->conf_sigalgslen) { 2746 if (check_flags) 2747 goto skip_sigs; 2748 else 2749 goto end; 2750 } 2751 } 2752 /* Check signature algorithm of each cert in chain */ 2753 if (SSL_IS_TLS13(s)) { 2754 /* 2755 * We only get here if the application has called SSL_check_chain(), 2756 * so check_flags is always set. 2757 */ 2758 if (find_sig_alg(s, x, pk) != NULL) 2759 rv |= CERT_PKEY_EE_SIGNATURE; 2760 } else if (!tls1_check_sig_alg(s, x, default_nid)) { 2761 if (!check_flags) 2762 goto end; 2763 } else 2764 rv |= CERT_PKEY_EE_SIGNATURE; 2765 rv |= CERT_PKEY_CA_SIGNATURE; 2766 for (i = 0; i < sk_X509_num(chain); i++) { 2767 if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) { 2768 if (check_flags) { 2769 rv &= ~CERT_PKEY_CA_SIGNATURE; 2770 break; 2771 } else 2772 goto end; 2773 } 2774 } 2775 } 2776 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ 2777 else if (check_flags) 2778 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; 2779 skip_sigs: 2780 /* Check cert parameters are consistent */ 2781 if (tls1_check_cert_param(s, x, 1)) 2782 rv |= CERT_PKEY_EE_PARAM; 2783 else if (!check_flags) 2784 goto end; 2785 if (!s->server) 2786 rv |= CERT_PKEY_CA_PARAM; 2787 /* In strict mode check rest of chain too */ 2788 else if (strict_mode) { 2789 rv |= CERT_PKEY_CA_PARAM; 2790 for (i = 0; i < sk_X509_num(chain); i++) { 2791 X509 *ca = sk_X509_value(chain, i); 2792 if (!tls1_check_cert_param(s, ca, 0)) { 2793 if (check_flags) { 2794 rv &= ~CERT_PKEY_CA_PARAM; 2795 break; 2796 } else 2797 goto end; 2798 } 2799 } 2800 } 2801 if (!s->server && strict_mode) { 2802 STACK_OF(X509_NAME) *ca_dn; 2803 int check_type = 0; 2804 2805 if (EVP_PKEY_is_a(pk, "RSA")) 2806 check_type = TLS_CT_RSA_SIGN; 2807 else if (EVP_PKEY_is_a(pk, "DSA")) 2808 check_type = TLS_CT_DSS_SIGN; 2809 else if (EVP_PKEY_is_a(pk, "EC")) 2810 check_type = TLS_CT_ECDSA_SIGN; 2811 2812 if (check_type) { 2813 const uint8_t *ctypes = s->s3.tmp.ctype; 2814 size_t j; 2815 2816 for (j = 0; j < s->s3.tmp.ctype_len; j++, ctypes++) { 2817 if (*ctypes == check_type) { 2818 rv |= CERT_PKEY_CERT_TYPE; 2819 break; 2820 } 2821 } 2822 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) 2823 goto end; 2824 } else { 2825 rv |= CERT_PKEY_CERT_TYPE; 2826 } 2827 2828 ca_dn = s->s3.tmp.peer_ca_names; 2829 2830 if (ca_dn == NULL 2831 || sk_X509_NAME_num(ca_dn) == 0 2832 || ssl_check_ca_name(ca_dn, x)) 2833 rv |= CERT_PKEY_ISSUER_NAME; 2834 else 2835 for (i = 0; i < sk_X509_num(chain); i++) { 2836 X509 *xtmp = sk_X509_value(chain, i); 2837 2838 if (ssl_check_ca_name(ca_dn, xtmp)) { 2839 rv |= CERT_PKEY_ISSUER_NAME; 2840 break; 2841 } 2842 } 2843 2844 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) 2845 goto end; 2846 } else 2847 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE; 2848 2849 if (!check_flags || (rv & check_flags) == check_flags) 2850 rv |= CERT_PKEY_VALID; 2851 2852 end: 2853 2854 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2855 rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN); 2856 else 2857 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; 2858 2859 /* 2860 * When checking a CERT_PKEY structure all flags are irrelevant if the 2861 * chain is invalid. 2862 */ 2863 if (!check_flags) { 2864 if (rv & CERT_PKEY_VALID) { 2865 *pvalid = rv; 2866 } else { 2867 /* Preserve sign and explicit sign flag, clear rest */ 2868 *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 2869 return 0; 2870 } 2871 } 2872 return rv; 2873} 2874 2875/* Set validity of certificates in an SSL structure */ 2876void tls1_set_cert_validity(SSL *s) 2877{ 2878 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); 2879 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); 2880 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); 2881 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); 2882 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); 2883 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256); 2884 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512); 2885 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519); 2886 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448); 2887} 2888 2889/* User level utility function to check a chain is suitable */ 2890int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) 2891{ 2892 return tls1_check_chain(s, x, pk, chain, -1); 2893} 2894 2895EVP_PKEY *ssl_get_auto_dh(SSL *s) 2896{ 2897 EVP_PKEY *dhp = NULL; 2898 BIGNUM *p; 2899 int dh_secbits = 80, sec_level_bits; 2900 EVP_PKEY_CTX *pctx = NULL; 2901 OSSL_PARAM_BLD *tmpl = NULL; 2902 OSSL_PARAM *params = NULL; 2903 2904 if (s->cert->dh_tmp_auto != 2) { 2905 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { 2906 if (s->s3.tmp.new_cipher->strength_bits == 256) 2907 dh_secbits = 128; 2908 else 2909 dh_secbits = 80; 2910 } else { 2911 if (s->s3.tmp.cert == NULL) 2912 return NULL; 2913 dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey); 2914 } 2915 } 2916 2917 /* Do not pick a prime that is too weak for the current security level */ 2918 sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL); 2919 if (dh_secbits < sec_level_bits) 2920 dh_secbits = sec_level_bits; 2921 2922 if (dh_secbits >= 192) 2923 p = BN_get_rfc3526_prime_8192(NULL); 2924 else if (dh_secbits >= 152) 2925 p = BN_get_rfc3526_prime_4096(NULL); 2926 else if (dh_secbits >= 128) 2927 p = BN_get_rfc3526_prime_3072(NULL); 2928 else if (dh_secbits >= 112) 2929 p = BN_get_rfc3526_prime_2048(NULL); 2930 else 2931 p = BN_get_rfc2409_prime_1024(NULL); 2932 if (p == NULL) 2933 goto err; 2934 2935 pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); 2936 if (pctx == NULL 2937 || EVP_PKEY_fromdata_init(pctx) != 1) 2938 goto err; 2939 2940 tmpl = OSSL_PARAM_BLD_new(); 2941 if (tmpl == NULL 2942 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) 2943 || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2)) 2944 goto err; 2945 2946 params = OSSL_PARAM_BLD_to_param(tmpl); 2947 if (params == NULL 2948 || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1) 2949 goto err; 2950 2951err: 2952 OSSL_PARAM_free(params); 2953 OSSL_PARAM_BLD_free(tmpl); 2954 EVP_PKEY_CTX_free(pctx); 2955 BN_free(p); 2956 return dhp; 2957} 2958 2959static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) 2960{ 2961 int secbits = -1; 2962 EVP_PKEY *pkey = X509_get0_pubkey(x); 2963 if (pkey) { 2964 /* 2965 * If no parameters this will return -1 and fail using the default 2966 * security callback for any non-zero security level. This will 2967 * reject keys which omit parameters but this only affects DSA and 2968 * omission of parameters is never (?) done in practice. 2969 */ 2970 secbits = EVP_PKEY_get_security_bits(pkey); 2971 } 2972 if (s) 2973 return ssl_security(s, op, secbits, 0, x); 2974 else 2975 return ssl_ctx_security(ctx, op, secbits, 0, x); 2976} 2977 2978static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) 2979{ 2980 /* Lookup signature algorithm digest */ 2981 int secbits, nid, pknid; 2982 /* Don't check signature if self signed */ 2983 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) 2984 return 1; 2985 if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL)) 2986 secbits = -1; 2987 /* If digest NID not defined use signature NID */ 2988 if (nid == NID_undef) 2989 nid = pknid; 2990 if (s) 2991 return ssl_security(s, op, secbits, nid, x); 2992 else 2993 return ssl_ctx_security(ctx, op, secbits, nid, x); 2994} 2995 2996int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee) 2997{ 2998 if (vfy) 2999 vfy = SSL_SECOP_PEER; 3000 if (is_ee) { 3001 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy)) 3002 return SSL_R_EE_KEY_TOO_SMALL; 3003 } else { 3004 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy)) 3005 return SSL_R_CA_KEY_TOO_SMALL; 3006 } 3007 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) 3008 return SSL_R_CA_MD_TOO_WEAK; 3009 return 1; 3010} 3011 3012/* 3013 * Check security of a chain, if |sk| includes the end entity certificate then 3014 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending 3015 * one to the peer. Return values: 1 if ok otherwise error code to use 3016 */ 3017 3018int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) 3019{ 3020 int rv, start_idx, i; 3021 if (x == NULL) { 3022 x = sk_X509_value(sk, 0); 3023 if (x == NULL) 3024 return ERR_R_INTERNAL_ERROR; 3025 start_idx = 1; 3026 } else 3027 start_idx = 0; 3028 3029 rv = ssl_security_cert(s, NULL, x, vfy, 1); 3030 if (rv != 1) 3031 return rv; 3032 3033 for (i = start_idx; i < sk_X509_num(sk); i++) { 3034 x = sk_X509_value(sk, i); 3035 rv = ssl_security_cert(s, NULL, x, vfy, 0); 3036 if (rv != 1) 3037 return rv; 3038 } 3039 return 1; 3040} 3041 3042/* 3043 * For TLS 1.2 servers check if we have a certificate which can be used 3044 * with the signature algorithm "lu" and return index of certificate. 3045 */ 3046 3047static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu) 3048{ 3049 int sig_idx = lu->sig_idx; 3050 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx); 3051 3052 /* If not recognised or not supported by cipher mask it is not suitable */ 3053 if (clu == NULL 3054 || (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0 3055 || (clu->nid == EVP_PKEY_RSA_PSS 3056 && (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0)) 3057 return -1; 3058 3059 return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1; 3060} 3061 3062/* 3063 * Checks the given cert against signature_algorithm_cert restrictions sent by 3064 * the peer (if any) as well as whether the hash from the sigalg is usable with 3065 * the key. 3066 * Returns true if the cert is usable and false otherwise. 3067 */ 3068static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 3069 EVP_PKEY *pkey) 3070{ 3071 const SIGALG_LOOKUP *lu; 3072 int mdnid, pknid, supported; 3073 size_t i; 3074 const char *mdname = NULL; 3075 3076 /* 3077 * If the given EVP_PKEY cannot support signing with this digest, 3078 * the answer is simply 'no'. 3079 */ 3080 if (sig->hash != NID_undef) 3081 mdname = OBJ_nid2sn(sig->hash); 3082 supported = EVP_PKEY_digestsign_supports_digest(pkey, s->ctx->libctx, 3083 mdname, 3084 s->ctx->propq); 3085 if (supported <= 0) 3086 return 0; 3087 3088 /* 3089 * The TLS 1.3 signature_algorithms_cert extension places restrictions 3090 * on the sigalg with which the certificate was signed (by its issuer). 3091 */ 3092 if (s->s3.tmp.peer_cert_sigalgs != NULL) { 3093 if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL)) 3094 return 0; 3095 for (i = 0; i < s->s3.tmp.peer_cert_sigalgslen; i++) { 3096 lu = tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]); 3097 if (lu == NULL) 3098 continue; 3099 3100 /* 3101 * This does not differentiate between the 3102 * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not 3103 * have a chain here that lets us look at the key OID in the 3104 * signing certificate. 3105 */ 3106 if (mdnid == lu->hash && pknid == lu->sig) 3107 return 1; 3108 } 3109 return 0; 3110 } 3111 3112 /* 3113 * Without signat_algorithms_cert, any certificate for which we have 3114 * a viable public key is permitted. 3115 */ 3116 return 1; 3117} 3118 3119/* 3120 * Returns true if |s| has a usable certificate configured for use 3121 * with signature scheme |sig|. 3122 * "Usable" includes a check for presence as well as applying 3123 * the signature_algorithm_cert restrictions sent by the peer (if any). 3124 * Returns false if no usable certificate is found. 3125 */ 3126static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) 3127{ 3128 /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */ 3129 if (idx == -1) 3130 idx = sig->sig_idx; 3131 if (!ssl_has_cert(s, idx)) 3132 return 0; 3133 3134 return check_cert_usable(s, sig, s->cert->pkeys[idx].x509, 3135 s->cert->pkeys[idx].privatekey); 3136} 3137 3138/* 3139 * Returns true if the supplied cert |x| and key |pkey| is usable with the 3140 * specified signature scheme |sig|, or false otherwise. 3141 */ 3142static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, 3143 EVP_PKEY *pkey) 3144{ 3145 size_t idx; 3146 3147 if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) 3148 return 0; 3149 3150 /* Check the key is consistent with the sig alg */ 3151 if ((int)idx != sig->sig_idx) 3152 return 0; 3153 3154 return check_cert_usable(s, sig, x, pkey); 3155} 3156 3157/* 3158 * Find a signature scheme that works with the supplied certificate |x| and key 3159 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our 3160 * available certs/keys to find one that works. 3161 */ 3162static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey) 3163{ 3164 const SIGALG_LOOKUP *lu = NULL; 3165 size_t i; 3166 int curve = -1; 3167 EVP_PKEY *tmppkey; 3168 3169 /* Look for a shared sigalgs matching possible certificates */ 3170 for (i = 0; i < s->shared_sigalgslen; i++) { 3171 lu = s->shared_sigalgs[i]; 3172 3173 /* Skip SHA1, SHA224, DSA and RSA if not PSS */ 3174 if (lu->hash == NID_sha1 3175 || lu->hash == NID_sha224 3176 || lu->sig == EVP_PKEY_DSA 3177 || lu->sig == EVP_PKEY_RSA) 3178 continue; 3179 /* Check that we have a cert, and signature_algorithms_cert */ 3180 if (!tls1_lookup_md(s->ctx, lu, NULL)) 3181 continue; 3182 if ((pkey == NULL && !has_usable_cert(s, lu, -1)) 3183 || (pkey != NULL && !is_cert_usable(s, lu, x, pkey))) 3184 continue; 3185 3186 tmppkey = (pkey != NULL) ? pkey 3187 : s->cert->pkeys[lu->sig_idx].privatekey; 3188 3189 if (lu->sig == EVP_PKEY_EC) { 3190 if (curve == -1) 3191 curve = ssl_get_EC_curve_nid(tmppkey); 3192 if (lu->curve != NID_undef && curve != lu->curve) 3193 continue; 3194 } else if (lu->sig == EVP_PKEY_RSA_PSS) { 3195 /* validate that key is large enough for the signature algorithm */ 3196 if (!rsa_pss_check_min_key_size(s->ctx, tmppkey, lu)) 3197 continue; 3198 } 3199 break; 3200 } 3201 3202 if (i == s->shared_sigalgslen) 3203 return NULL; 3204 3205 return lu; 3206} 3207 3208/* 3209 * Choose an appropriate signature algorithm based on available certificates 3210 * Sets chosen certificate and signature algorithm. 3211 * 3212 * For servers if we fail to find a required certificate it is a fatal error, 3213 * an appropriate error code is set and a TLS alert is sent. 3214 * 3215 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not 3216 * a fatal error: we will either try another certificate or not present one 3217 * to the server. In this case no error is set. 3218 */ 3219int tls_choose_sigalg(SSL *s, int fatalerrs) 3220{ 3221 const SIGALG_LOOKUP *lu = NULL; 3222 int sig_idx = -1; 3223 3224 s->s3.tmp.cert = NULL; 3225 s->s3.tmp.sigalg = NULL; 3226 3227 if (SSL_IS_TLS13(s)) { 3228 lu = find_sig_alg(s, NULL, NULL); 3229 if (lu == NULL) { 3230 if (!fatalerrs) 3231 return 1; 3232 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3233 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3234 return 0; 3235 } 3236 } else { 3237 /* If ciphersuite doesn't require a cert nothing to do */ 3238 if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT)) 3239 return 1; 3240 if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys)) 3241 return 1; 3242 3243 if (SSL_USE_SIGALGS(s)) { 3244 size_t i; 3245 if (s->s3.tmp.peer_sigalgs != NULL) { 3246 int curve = -1; 3247 3248 /* For Suite B need to match signature algorithm to curve */ 3249 if (tls1_suiteb(s)) 3250 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC] 3251 .privatekey); 3252 3253 /* 3254 * Find highest preference signature algorithm matching 3255 * cert type 3256 */ 3257 for (i = 0; i < s->shared_sigalgslen; i++) { 3258 lu = s->shared_sigalgs[i]; 3259 3260 if (s->server) { 3261 if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1) 3262 continue; 3263 } else { 3264 int cc_idx = s->cert->key - s->cert->pkeys; 3265 3266 sig_idx = lu->sig_idx; 3267 if (cc_idx != sig_idx) 3268 continue; 3269 } 3270 /* Check that we have a cert, and sig_algs_cert */ 3271 if (!has_usable_cert(s, lu, sig_idx)) 3272 continue; 3273 if (lu->sig == EVP_PKEY_RSA_PSS) { 3274 /* validate that key is large enough for the signature algorithm */ 3275 EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey; 3276 3277 if (!rsa_pss_check_min_key_size(s->ctx, pkey, lu)) 3278 continue; 3279 } 3280 if (curve == -1 || lu->curve == curve) 3281 break; 3282 } 3283#ifndef OPENSSL_NO_GOST 3284 /* 3285 * Some Windows-based implementations do not send GOST algorithms indication 3286 * in supported_algorithms extension, so when we have GOST-based ciphersuite, 3287 * we have to assume GOST support. 3288 */ 3289 if (i == s->shared_sigalgslen && s->s3.tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) { 3290 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3291 if (!fatalerrs) 3292 return 1; 3293 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3294 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3295 return 0; 3296 } else { 3297 i = 0; 3298 sig_idx = lu->sig_idx; 3299 } 3300 } 3301#endif 3302 if (i == s->shared_sigalgslen) { 3303 if (!fatalerrs) 3304 return 1; 3305 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3306 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3307 return 0; 3308 } 3309 } else { 3310 /* 3311 * If we have no sigalg use defaults 3312 */ 3313 const uint16_t *sent_sigs; 3314 size_t sent_sigslen; 3315 3316 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3317 if (!fatalerrs) 3318 return 1; 3319 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3320 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3321 return 0; 3322 } 3323 3324 /* Check signature matches a type we sent */ 3325 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 3326 for (i = 0; i < sent_sigslen; i++, sent_sigs++) { 3327 if (lu->sigalg == *sent_sigs 3328 && has_usable_cert(s, lu, lu->sig_idx)) 3329 break; 3330 } 3331 if (i == sent_sigslen) { 3332 if (!fatalerrs) 3333 return 1; 3334 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3335 SSL_R_WRONG_SIGNATURE_TYPE); 3336 return 0; 3337 } 3338 } 3339 } else { 3340 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { 3341 if (!fatalerrs) 3342 return 1; 3343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3344 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); 3345 return 0; 3346 } 3347 } 3348 } 3349 if (sig_idx == -1) 3350 sig_idx = lu->sig_idx; 3351 s->s3.tmp.cert = &s->cert->pkeys[sig_idx]; 3352 s->cert->key = s->s3.tmp.cert; 3353 s->s3.tmp.sigalg = lu; 3354 return 1; 3355} 3356 3357int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) 3358{ 3359 if (mode != TLSEXT_max_fragment_length_DISABLED 3360 && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 3361 ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 3362 return 0; 3363 } 3364 3365 ctx->ext.max_fragment_len_mode = mode; 3366 return 1; 3367} 3368 3369int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode) 3370{ 3371 if (mode != TLSEXT_max_fragment_length_DISABLED 3372 && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { 3373 ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 3374 return 0; 3375 } 3376 3377 ssl->ext.max_fragment_len_mode = mode; 3378 return 1; 3379} 3380 3381uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session) 3382{ 3383 return session->ext.max_fragment_len_mode; 3384} 3385 3386/* 3387 * Helper functions for HMAC access with legacy support included. 3388 */ 3389SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx) 3390{ 3391 SSL_HMAC *ret = OPENSSL_zalloc(sizeof(*ret)); 3392 EVP_MAC *mac = NULL; 3393 3394 if (ret == NULL) 3395 return NULL; 3396#ifndef OPENSSL_NO_DEPRECATED_3_0 3397 if (ctx->ext.ticket_key_evp_cb == NULL 3398 && ctx->ext.ticket_key_cb != NULL) { 3399 if (!ssl_hmac_old_new(ret)) 3400 goto err; 3401 return ret; 3402 } 3403#endif 3404 mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq); 3405 if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL) 3406 goto err; 3407 EVP_MAC_free(mac); 3408 return ret; 3409 err: 3410 EVP_MAC_CTX_free(ret->ctx); 3411 EVP_MAC_free(mac); 3412 OPENSSL_free(ret); 3413 return NULL; 3414} 3415 3416void ssl_hmac_free(SSL_HMAC *ctx) 3417{ 3418 if (ctx != NULL) { 3419 EVP_MAC_CTX_free(ctx->ctx); 3420#ifndef OPENSSL_NO_DEPRECATED_3_0 3421 ssl_hmac_old_free(ctx); 3422#endif 3423 OPENSSL_free(ctx); 3424 } 3425} 3426 3427EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx) 3428{ 3429 return ctx->ctx; 3430} 3431 3432int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md) 3433{ 3434 OSSL_PARAM params[2], *p = params; 3435 3436 if (ctx->ctx != NULL) { 3437 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0); 3438 *p = OSSL_PARAM_construct_end(); 3439 if (EVP_MAC_init(ctx->ctx, key, len, params)) 3440 return 1; 3441 } 3442#ifndef OPENSSL_NO_DEPRECATED_3_0 3443 if (ctx->old_ctx != NULL) 3444 return ssl_hmac_old_init(ctx, key, len, md); 3445#endif 3446 return 0; 3447} 3448 3449int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len) 3450{ 3451 if (ctx->ctx != NULL) 3452 return EVP_MAC_update(ctx->ctx, data, len); 3453#ifndef OPENSSL_NO_DEPRECATED_3_0 3454 if (ctx->old_ctx != NULL) 3455 return ssl_hmac_old_update(ctx, data, len); 3456#endif 3457 return 0; 3458} 3459 3460int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, 3461 size_t max_size) 3462{ 3463 if (ctx->ctx != NULL) 3464 return EVP_MAC_final(ctx->ctx, md, len, max_size); 3465#ifndef OPENSSL_NO_DEPRECATED_3_0 3466 if (ctx->old_ctx != NULL) 3467 return ssl_hmac_old_final(ctx, md, len); 3468#endif 3469 return 0; 3470} 3471 3472size_t ssl_hmac_size(const SSL_HMAC *ctx) 3473{ 3474 if (ctx->ctx != NULL) 3475 return EVP_MAC_CTX_get_mac_size(ctx->ctx); 3476#ifndef OPENSSL_NO_DEPRECATED_3_0 3477 if (ctx->old_ctx != NULL) 3478 return ssl_hmac_old_size(ctx); 3479#endif 3480 return 0; 3481} 3482 3483int ssl_get_EC_curve_nid(const EVP_PKEY *pkey) 3484{ 3485 char gname[OSSL_MAX_NAME_SIZE]; 3486 3487 if (EVP_PKEY_get_group_name(pkey, gname, sizeof(gname), NULL) > 0) 3488 return OBJ_txt2nid(gname); 3489 3490 return NID_undef; 3491} 3492 3493__owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey, 3494 const unsigned char *enckey, 3495 size_t enckeylen) 3496{ 3497 if (EVP_PKEY_is_a(pkey, "DH")) { 3498 int bits = EVP_PKEY_get_bits(pkey); 3499 3500 if (bits <= 0 || enckeylen != (size_t)bits / 8) 3501 /* the encoded key must be padded to the length of the p */ 3502 return 0; 3503 } else if (EVP_PKEY_is_a(pkey, "EC")) { 3504 if (enckeylen < 3 /* point format and at least 1 byte for x and y */ 3505 || enckey[0] != 0x04) 3506 return 0; 3507 } 3508 3509 return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen); 3510} 3511