]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <stdio.h> | |
11 | #include <stdlib.h> | |
12 | #include <ctype.h> | |
13 | #include <openssl/objects.h> | |
14 | #include <openssl/evp.h> | |
15 | #include <openssl/hmac.h> | |
16 | #include <openssl/core_names.h> | |
17 | #include <openssl/ocsp.h> | |
18 | #include <openssl/conf.h> | |
19 | #include <openssl/x509v3.h> | |
20 | #include <openssl/dh.h> | |
21 | #include <openssl/bn.h> | |
22 | #include <openssl/provider.h> | |
23 | #include <openssl/param_build.h> | |
24 | #include "internal/nelem.h" | |
25 | #include "internal/sizes.h" | |
26 | #include "internal/tlsgroups.h" | |
27 | #include "internal/ssl_unwrap.h" | |
28 | #include "ssl_local.h" | |
29 | #include "quic/quic_local.h" | |
30 | #include <openssl/ct.h> | |
31 | ||
32 | static const SIGALG_LOOKUP *find_sig_alg(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pkey); | |
33 | static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, const SIGALG_LOOKUP *lu); | |
34 | ||
35 | SSL3_ENC_METHOD const TLSv1_enc_data = { | |
36 | tls1_setup_key_block, | |
37 | tls1_generate_master_secret, | |
38 | tls1_change_cipher_state, | |
39 | tls1_final_finish_mac, | |
40 | TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, | |
41 | TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, | |
42 | tls1_alert_code, | |
43 | tls1_export_keying_material, | |
44 | 0, | |
45 | ssl3_set_handshake_header, | |
46 | tls_close_construct_packet, | |
47 | ssl3_handshake_write | |
48 | }; | |
49 | ||
50 | SSL3_ENC_METHOD const TLSv1_1_enc_data = { | |
51 | tls1_setup_key_block, | |
52 | tls1_generate_master_secret, | |
53 | tls1_change_cipher_state, | |
54 | tls1_final_finish_mac, | |
55 | TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, | |
56 | TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, | |
57 | tls1_alert_code, | |
58 | tls1_export_keying_material, | |
59 | 0, | |
60 | ssl3_set_handshake_header, | |
61 | tls_close_construct_packet, | |
62 | ssl3_handshake_write | |
63 | }; | |
64 | ||
65 | SSL3_ENC_METHOD const TLSv1_2_enc_data = { | |
66 | tls1_setup_key_block, | |
67 | tls1_generate_master_secret, | |
68 | tls1_change_cipher_state, | |
69 | tls1_final_finish_mac, | |
70 | TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, | |
71 | TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, | |
72 | tls1_alert_code, | |
73 | tls1_export_keying_material, | |
74 | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF | |
75 | | SSL_ENC_FLAG_TLS1_2_CIPHERS, | |
76 | ssl3_set_handshake_header, | |
77 | tls_close_construct_packet, | |
78 | ssl3_handshake_write | |
79 | }; | |
80 | ||
81 | SSL3_ENC_METHOD const TLSv1_3_enc_data = { | |
82 | tls13_setup_key_block, | |
83 | tls13_generate_master_secret, | |
84 | tls13_change_cipher_state, | |
85 | tls13_final_finish_mac, | |
86 | TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, | |
87 | TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, | |
88 | tls13_alert_code, | |
89 | tls13_export_keying_material, | |
90 | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF, | |
91 | ssl3_set_handshake_header, | |
92 | tls_close_construct_packet, | |
93 | ssl3_handshake_write | |
94 | }; | |
95 | ||
96 | OSSL_TIME tls1_default_timeout(void) | |
97 | { | |
98 | /* | |
99 | * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for | |
100 | * http, the cache would over fill | |
101 | */ | |
102 | return ossl_seconds2time(60 * 60 * 2); | |
103 | } | |
104 | ||
105 | int tls1_new(SSL *s) | |
106 | { | |
107 | if (!ssl3_new(s)) | |
108 | return 0; | |
109 | if (!s->method->ssl_clear(s)) | |
110 | return 0; | |
111 | ||
112 | return 1; | |
113 | } | |
114 | ||
115 | void tls1_free(SSL *s) | |
116 | { | |
117 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); | |
118 | ||
119 | if (sc == NULL) | |
120 | return; | |
121 | ||
122 | OPENSSL_free(sc->ext.session_ticket); | |
123 | ssl3_free(s); | |
124 | } | |
125 | ||
126 | int tls1_clear(SSL *s) | |
127 | { | |
128 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); | |
129 | ||
130 | if (sc == NULL) | |
131 | return 0; | |
132 | ||
133 | if (!ssl3_clear(s)) | |
134 | return 0; | |
135 | ||
136 | if (s->method->version == TLS_ANY_VERSION) | |
137 | sc->version = TLS_MAX_VERSION_INTERNAL; | |
138 | else | |
139 | sc->version = s->method->version; | |
140 | ||
141 | return 1; | |
142 | } | |
143 | ||
144 | /* Legacy NID to group_id mapping. Only works for groups we know about */ | |
145 | static const struct { | |
146 | int nid; | |
147 | uint16_t group_id; | |
148 | } nid_to_group[] = { | |
149 | {NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1}, | |
150 | {NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1}, | |
151 | {NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2}, | |
152 | {NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1}, | |
153 | {NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2}, | |
154 | {NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1}, | |
155 | {NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1}, | |
156 | {NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1}, | |
157 | {NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1}, | |
158 | {NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1}, | |
159 | {NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1}, | |
160 | {NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1}, | |
161 | {NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1}, | |
162 | {NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1}, | |
163 | {NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1}, | |
164 | {NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1}, | |
165 | {NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2}, | |
166 | {NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1}, | |
167 | {NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1}, | |
168 | {NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1}, | |
169 | {NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1}, | |
170 | {NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1}, | |
171 | {NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1}, | |
172 | {NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1}, | |
173 | {NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1}, | |
174 | {NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1}, | |
175 | {NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1}, | |
176 | {NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1}, | |
177 | {EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519}, | |
178 | {EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448}, | |
179 | {NID_brainpoolP256r1tls13, OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13}, | |
180 | {NID_brainpoolP384r1tls13, OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13}, | |
181 | {NID_brainpoolP512r1tls13, OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13}, | |
182 | {NID_id_tc26_gost_3410_2012_256_paramSetA, OSSL_TLS_GROUP_ID_gc256A}, | |
183 | {NID_id_tc26_gost_3410_2012_256_paramSetB, OSSL_TLS_GROUP_ID_gc256B}, | |
184 | {NID_id_tc26_gost_3410_2012_256_paramSetC, OSSL_TLS_GROUP_ID_gc256C}, | |
185 | {NID_id_tc26_gost_3410_2012_256_paramSetD, OSSL_TLS_GROUP_ID_gc256D}, | |
186 | {NID_id_tc26_gost_3410_2012_512_paramSetA, OSSL_TLS_GROUP_ID_gc512A}, | |
187 | {NID_id_tc26_gost_3410_2012_512_paramSetB, OSSL_TLS_GROUP_ID_gc512B}, | |
188 | {NID_id_tc26_gost_3410_2012_512_paramSetC, OSSL_TLS_GROUP_ID_gc512C}, | |
189 | {NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048}, | |
190 | {NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072}, | |
191 | {NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096}, | |
192 | {NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144}, | |
193 | {NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192} | |
194 | }; | |
195 | ||
196 | static const unsigned char ecformats_default[] = { | |
197 | TLSEXT_ECPOINTFORMAT_uncompressed | |
198 | }; | |
199 | ||
200 | static const unsigned char ecformats_all[] = { | |
201 | TLSEXT_ECPOINTFORMAT_uncompressed, | |
202 | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, | |
203 | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 | |
204 | }; | |
205 | ||
206 | /* Group list string of the built-in pseudo group DEFAULT */ | |
207 | #define DEFAULT_GROUP_NAME "DEFAULT" | |
208 | #define TLS_DEFAULT_GROUP_LIST \ | |
209 | "?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072" | |
210 | ||
211 | static const uint16_t suiteb_curves[] = { | |
212 | OSSL_TLS_GROUP_ID_secp256r1, | |
213 | OSSL_TLS_GROUP_ID_secp384r1, | |
214 | }; | |
215 | ||
216 | /* Group list string of the built-in pseudo group DEFAULT_SUITE_B */ | |
217 | #define SUITE_B_GROUP_NAME "DEFAULT_SUITE_B" | |
218 | #define SUITE_B_GROUP_LIST "secp256r1:secp384r1", | |
219 | ||
220 | struct provider_ctx_data_st { | |
221 | SSL_CTX *ctx; | |
222 | OSSL_PROVIDER *provider; | |
223 | }; | |
224 | ||
225 | #define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10 | |
226 | static OSSL_CALLBACK add_provider_groups; | |
227 | static int add_provider_groups(const OSSL_PARAM params[], void *data) | |
228 | { | |
229 | struct provider_ctx_data_st *pgd = data; | |
230 | SSL_CTX *ctx = pgd->ctx; | |
231 | const OSSL_PARAM *p; | |
232 | TLS_GROUP_INFO *ginf = NULL; | |
233 | EVP_KEYMGMT *keymgmt; | |
234 | unsigned int gid; | |
235 | unsigned int is_kem = 0; | |
236 | int ret = 0; | |
237 | ||
238 | if (ctx->group_list_max_len == ctx->group_list_len) { | |
239 | TLS_GROUP_INFO *tmp = NULL; | |
240 | ||
241 | if (ctx->group_list_max_len == 0) | |
242 | tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO) | |
243 | * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); | |
244 | else | |
245 | tmp = OPENSSL_realloc(ctx->group_list, | |
246 | (ctx->group_list_max_len | |
247 | + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE) | |
248 | * sizeof(TLS_GROUP_INFO)); | |
249 | if (tmp == NULL) | |
250 | return 0; | |
251 | ctx->group_list = tmp; | |
252 | memset(tmp + ctx->group_list_max_len, | |
253 | 0, | |
254 | sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); | |
255 | ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE; | |
256 | } | |
257 | ||
258 | ginf = &ctx->group_list[ctx->group_list_len]; | |
259 | ||
260 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME); | |
261 | if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { | |
262 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
263 | goto err; | |
264 | } | |
265 | ginf->tlsname = OPENSSL_strdup(p->data); | |
266 | if (ginf->tlsname == NULL) | |
267 | goto err; | |
268 | ||
269 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL); | |
270 | if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { | |
271 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
272 | goto err; | |
273 | } | |
274 | ginf->realname = OPENSSL_strdup(p->data); | |
275 | if (ginf->realname == NULL) | |
276 | goto err; | |
277 | ||
278 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID); | |
279 | if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) { | |
280 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
281 | goto err; | |
282 | } | |
283 | ginf->group_id = (uint16_t)gid; | |
284 | ||
285 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG); | |
286 | if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { | |
287 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
288 | goto err; | |
289 | } | |
290 | ginf->algorithm = OPENSSL_strdup(p->data); | |
291 | if (ginf->algorithm == NULL) | |
292 | goto err; | |
293 | ||
294 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS); | |
295 | if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) { | |
296 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
297 | goto err; | |
298 | } | |
299 | ||
300 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM); | |
301 | if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) { | |
302 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
303 | goto err; | |
304 | } | |
305 | ginf->is_kem = 1 & is_kem; | |
306 | ||
307 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS); | |
308 | if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) { | |
309 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
310 | goto err; | |
311 | } | |
312 | ||
313 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS); | |
314 | if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) { | |
315 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
316 | goto err; | |
317 | } | |
318 | ||
319 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS); | |
320 | if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) { | |
321 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
322 | goto err; | |
323 | } | |
324 | ||
325 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS); | |
326 | if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) { | |
327 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
328 | goto err; | |
329 | } | |
330 | /* | |
331 | * Now check that the algorithm is actually usable for our property query | |
332 | * string. Regardless of the result we still return success because we have | |
333 | * successfully processed this group, even though we may decide not to use | |
334 | * it. | |
335 | */ | |
336 | ret = 1; | |
337 | ERR_set_mark(); | |
338 | keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq); | |
339 | if (keymgmt != NULL) { | |
340 | /* We have successfully fetched the algorithm, we can use the group. */ | |
341 | ctx->group_list_len++; | |
342 | ginf = NULL; | |
343 | EVP_KEYMGMT_free(keymgmt); | |
344 | } | |
345 | ERR_pop_to_mark(); | |
346 | err: | |
347 | if (ginf != NULL) { | |
348 | OPENSSL_free(ginf->tlsname); | |
349 | OPENSSL_free(ginf->realname); | |
350 | OPENSSL_free(ginf->algorithm); | |
351 | ginf->algorithm = ginf->tlsname = ginf->realname = NULL; | |
352 | } | |
353 | return ret; | |
354 | } | |
355 | ||
356 | static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx) | |
357 | { | |
358 | struct provider_ctx_data_st pgd; | |
359 | ||
360 | pgd.ctx = vctx; | |
361 | pgd.provider = provider; | |
362 | return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP", | |
363 | add_provider_groups, &pgd); | |
364 | } | |
365 | ||
366 | int ssl_load_groups(SSL_CTX *ctx) | |
367 | { | |
368 | if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx)) | |
369 | return 0; | |
370 | ||
371 | return SSL_CTX_set1_groups_list(ctx, TLS_DEFAULT_GROUP_LIST); | |
372 | } | |
373 | ||
374 | #define TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE 10 | |
375 | static OSSL_CALLBACK add_provider_sigalgs; | |
376 | static int add_provider_sigalgs(const OSSL_PARAM params[], void *data) | |
377 | { | |
378 | struct provider_ctx_data_st *pgd = data; | |
379 | SSL_CTX *ctx = pgd->ctx; | |
380 | OSSL_PROVIDER *provider = pgd->provider; | |
381 | const OSSL_PARAM *p; | |
382 | TLS_SIGALG_INFO *sinf = NULL; | |
383 | EVP_KEYMGMT *keymgmt; | |
384 | const char *keytype; | |
385 | unsigned int code_point = 0; | |
386 | int ret = 0; | |
387 | ||
388 | if (ctx->sigalg_list_max_len == ctx->sigalg_list_len) { | |
389 | TLS_SIGALG_INFO *tmp = NULL; | |
390 | ||
391 | if (ctx->sigalg_list_max_len == 0) | |
392 | tmp = OPENSSL_malloc(sizeof(TLS_SIGALG_INFO) | |
393 | * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE); | |
394 | else | |
395 | tmp = OPENSSL_realloc(ctx->sigalg_list, | |
396 | (ctx->sigalg_list_max_len | |
397 | + TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE) | |
398 | * sizeof(TLS_SIGALG_INFO)); | |
399 | if (tmp == NULL) | |
400 | return 0; | |
401 | ctx->sigalg_list = tmp; | |
402 | memset(tmp + ctx->sigalg_list_max_len, 0, | |
403 | sizeof(TLS_SIGALG_INFO) * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE); | |
404 | ctx->sigalg_list_max_len += TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE; | |
405 | } | |
406 | ||
407 | sinf = &ctx->sigalg_list[ctx->sigalg_list_len]; | |
408 | ||
409 | /* First, mandatory parameters */ | |
410 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_NAME); | |
411 | if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { | |
412 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
413 | goto err; | |
414 | } | |
415 | OPENSSL_free(sinf->sigalg_name); | |
416 | sinf->sigalg_name = OPENSSL_strdup(p->data); | |
417 | if (sinf->sigalg_name == NULL) | |
418 | goto err; | |
419 | ||
420 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME); | |
421 | if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { | |
422 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
423 | goto err; | |
424 | } | |
425 | OPENSSL_free(sinf->name); | |
426 | sinf->name = OPENSSL_strdup(p->data); | |
427 | if (sinf->name == NULL) | |
428 | goto err; | |
429 | ||
430 | p = OSSL_PARAM_locate_const(params, | |
431 | OSSL_CAPABILITY_TLS_SIGALG_CODE_POINT); | |
432 | if (p == NULL | |
433 | || !OSSL_PARAM_get_uint(p, &code_point) | |
434 | || code_point > UINT16_MAX) { | |
435 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
436 | goto err; | |
437 | } | |
438 | sinf->code_point = (uint16_t)code_point; | |
439 | ||
440 | p = OSSL_PARAM_locate_const(params, | |
441 | OSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS); | |
442 | if (p == NULL || !OSSL_PARAM_get_uint(p, &sinf->secbits)) { | |
443 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
444 | goto err; | |
445 | } | |
446 | ||
447 | /* Now, optional parameters */ | |
448 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_OID); | |
449 | if (p == NULL) { | |
450 | sinf->sigalg_oid = NULL; | |
451 | } else if (p->data_type != OSSL_PARAM_UTF8_STRING) { | |
452 | goto err; | |
453 | } else { | |
454 | OPENSSL_free(sinf->sigalg_oid); | |
455 | sinf->sigalg_oid = OPENSSL_strdup(p->data); | |
456 | if (sinf->sigalg_oid == NULL) | |
457 | goto err; | |
458 | } | |
459 | ||
460 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_SIG_NAME); | |
461 | if (p == NULL) { | |
462 | sinf->sig_name = NULL; | |
463 | } else if (p->data_type != OSSL_PARAM_UTF8_STRING) { | |
464 | goto err; | |
465 | } else { | |
466 | OPENSSL_free(sinf->sig_name); | |
467 | sinf->sig_name = OPENSSL_strdup(p->data); | |
468 | if (sinf->sig_name == NULL) | |
469 | goto err; | |
470 | } | |
471 | ||
472 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_SIG_OID); | |
473 | if (p == NULL) { | |
474 | sinf->sig_oid = NULL; | |
475 | } else if (p->data_type != OSSL_PARAM_UTF8_STRING) { | |
476 | goto err; | |
477 | } else { | |
478 | OPENSSL_free(sinf->sig_oid); | |
479 | sinf->sig_oid = OPENSSL_strdup(p->data); | |
480 | if (sinf->sig_oid == NULL) | |
481 | goto err; | |
482 | } | |
483 | ||
484 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_HASH_NAME); | |
485 | if (p == NULL) { | |
486 | sinf->hash_name = NULL; | |
487 | } else if (p->data_type != OSSL_PARAM_UTF8_STRING) { | |
488 | goto err; | |
489 | } else { | |
490 | OPENSSL_free(sinf->hash_name); | |
491 | sinf->hash_name = OPENSSL_strdup(p->data); | |
492 | if (sinf->hash_name == NULL) | |
493 | goto err; | |
494 | } | |
495 | ||
496 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_HASH_OID); | |
497 | if (p == NULL) { | |
498 | sinf->hash_oid = NULL; | |
499 | } else if (p->data_type != OSSL_PARAM_UTF8_STRING) { | |
500 | goto err; | |
501 | } else { | |
502 | OPENSSL_free(sinf->hash_oid); | |
503 | sinf->hash_oid = OPENSSL_strdup(p->data); | |
504 | if (sinf->hash_oid == NULL) | |
505 | goto err; | |
506 | } | |
507 | ||
508 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE); | |
509 | if (p == NULL) { | |
510 | sinf->keytype = NULL; | |
511 | } else if (p->data_type != OSSL_PARAM_UTF8_STRING) { | |
512 | goto err; | |
513 | } else { | |
514 | OPENSSL_free(sinf->keytype); | |
515 | sinf->keytype = OPENSSL_strdup(p->data); | |
516 | if (sinf->keytype == NULL) | |
517 | goto err; | |
518 | } | |
519 | ||
520 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID); | |
521 | if (p == NULL) { | |
522 | sinf->keytype_oid = NULL; | |
523 | } else if (p->data_type != OSSL_PARAM_UTF8_STRING) { | |
524 | goto err; | |
525 | } else { | |
526 | OPENSSL_free(sinf->keytype_oid); | |
527 | sinf->keytype_oid = OPENSSL_strdup(p->data); | |
528 | if (sinf->keytype_oid == NULL) | |
529 | goto err; | |
530 | } | |
531 | ||
532 | /* Optional, not documented prior to 3.5 */ | |
533 | sinf->mindtls = sinf->maxdtls = -1; | |
534 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS); | |
535 | if (p != NULL && !OSSL_PARAM_get_int(p, &sinf->mindtls)) { | |
536 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
537 | goto err; | |
538 | } | |
539 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS); | |
540 | if (p != NULL && !OSSL_PARAM_get_int(p, &sinf->maxdtls)) { | |
541 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
542 | goto err; | |
543 | } | |
544 | /* DTLS version numbers grow downward */ | |
545 | if ((sinf->maxdtls != 0) && (sinf->maxdtls != -1) && | |
546 | ((sinf->maxdtls > sinf->mindtls))) { | |
547 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
548 | goto err; | |
549 | } | |
550 | /* No provider sigalgs are supported in DTLS, reset after checking. */ | |
551 | sinf->mindtls = sinf->maxdtls = -1; | |
552 | ||
553 | /* The remaining parameters below are mandatory again */ | |
554 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_MIN_TLS); | |
555 | if (p == NULL || !OSSL_PARAM_get_int(p, &sinf->mintls)) { | |
556 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
557 | goto err; | |
558 | } | |
559 | p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_MAX_TLS); | |
560 | if (p == NULL || !OSSL_PARAM_get_int(p, &sinf->maxtls)) { | |
561 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
562 | goto err; | |
563 | } | |
564 | if ((sinf->maxtls != 0) && (sinf->maxtls != -1) && | |
565 | ((sinf->maxtls < sinf->mintls))) { | |
566 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
567 | goto err; | |
568 | } | |
569 | if ((sinf->mintls != 0) && (sinf->mintls != -1) && | |
570 | ((sinf->mintls > TLS1_3_VERSION))) | |
571 | sinf->mintls = sinf->maxtls = -1; | |
572 | if ((sinf->maxtls != 0) && (sinf->maxtls != -1) && | |
573 | ((sinf->maxtls < TLS1_3_VERSION))) | |
574 | sinf->mintls = sinf->maxtls = -1; | |
575 | ||
576 | /* Ignore unusable sigalgs */ | |
577 | if (sinf->mintls == -1 && sinf->mindtls == -1) { | |
578 | ret = 1; | |
579 | goto err; | |
580 | } | |
581 | ||
582 | /* | |
583 | * Now check that the algorithm is actually usable for our property query | |
584 | * string. Regardless of the result we still return success because we have | |
585 | * successfully processed this signature, even though we may decide not to | |
586 | * use it. | |
587 | */ | |
588 | ret = 1; | |
589 | ERR_set_mark(); | |
590 | keytype = (sinf->keytype != NULL | |
591 | ? sinf->keytype | |
592 | : (sinf->sig_name != NULL | |
593 | ? sinf->sig_name | |
594 | : sinf->sigalg_name)); | |
595 | keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, keytype, ctx->propq); | |
596 | if (keymgmt != NULL) { | |
597 | /* | |
598 | * We have successfully fetched the algorithm - however if the provider | |
599 | * doesn't match this one then we ignore it. | |
600 | * | |
601 | * Note: We're cheating a little here. Technically if the same algorithm | |
602 | * is available from more than one provider then it is undefined which | |
603 | * implementation you will get back. Theoretically this could be | |
604 | * different every time...we assume here that you'll always get the | |
605 | * same one back if you repeat the exact same fetch. Is this a reasonable | |
606 | * assumption to make (in which case perhaps we should document this | |
607 | * behaviour)? | |
608 | */ | |
609 | if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { | |
610 | /* | |
611 | * We have a match - so we could use this signature; | |
612 | * Check proper object registration first, though. | |
613 | * Don't care about return value as this may have been | |
614 | * done within providers or previous calls to | |
615 | * add_provider_sigalgs. | |
616 | */ | |
617 | OBJ_create(sinf->sigalg_oid, sinf->sigalg_name, NULL); | |
618 | /* sanity check: Without successful registration don't use alg */ | |
619 | if ((OBJ_txt2nid(sinf->sigalg_name) == NID_undef) || | |
620 | (OBJ_nid2obj(OBJ_txt2nid(sinf->sigalg_name)) == NULL)) { | |
621 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); | |
622 | goto err; | |
623 | } | |
624 | if (sinf->sig_name != NULL) | |
625 | OBJ_create(sinf->sig_oid, sinf->sig_name, NULL); | |
626 | if (sinf->keytype != NULL) | |
627 | OBJ_create(sinf->keytype_oid, sinf->keytype, NULL); | |
628 | if (sinf->hash_name != NULL) | |
629 | OBJ_create(sinf->hash_oid, sinf->hash_name, NULL); | |
630 | OBJ_add_sigid(OBJ_txt2nid(sinf->sigalg_name), | |
631 | (sinf->hash_name != NULL | |
632 | ? OBJ_txt2nid(sinf->hash_name) | |
633 | : NID_undef), | |
634 | OBJ_txt2nid(keytype)); | |
635 | ctx->sigalg_list_len++; | |
636 | sinf = NULL; | |
637 | } | |
638 | EVP_KEYMGMT_free(keymgmt); | |
639 | } | |
640 | ERR_pop_to_mark(); | |
641 | err: | |
642 | if (sinf != NULL) { | |
643 | OPENSSL_free(sinf->name); | |
644 | sinf->name = NULL; | |
645 | OPENSSL_free(sinf->sigalg_name); | |
646 | sinf->sigalg_name = NULL; | |
647 | OPENSSL_free(sinf->sigalg_oid); | |
648 | sinf->sigalg_oid = NULL; | |
649 | OPENSSL_free(sinf->sig_name); | |
650 | sinf->sig_name = NULL; | |
651 | OPENSSL_free(sinf->sig_oid); | |
652 | sinf->sig_oid = NULL; | |
653 | OPENSSL_free(sinf->hash_name); | |
654 | sinf->hash_name = NULL; | |
655 | OPENSSL_free(sinf->hash_oid); | |
656 | sinf->hash_oid = NULL; | |
657 | OPENSSL_free(sinf->keytype); | |
658 | sinf->keytype = NULL; | |
659 | OPENSSL_free(sinf->keytype_oid); | |
660 | sinf->keytype_oid = NULL; | |
661 | } | |
662 | return ret; | |
663 | } | |
664 | ||
665 | static int discover_provider_sigalgs(OSSL_PROVIDER *provider, void *vctx) | |
666 | { | |
667 | struct provider_ctx_data_st pgd; | |
668 | ||
669 | pgd.ctx = vctx; | |
670 | pgd.provider = provider; | |
671 | OSSL_PROVIDER_get_capabilities(provider, "TLS-SIGALG", | |
672 | add_provider_sigalgs, &pgd); | |
673 | /* | |
674 | * Always OK, even if provider doesn't support the capability: | |
675 | * Reconsider testing retval when legacy sigalgs are also loaded this way. | |
676 | */ | |
677 | return 1; | |
678 | } | |
679 | ||
680 | int ssl_load_sigalgs(SSL_CTX *ctx) | |
681 | { | |
682 | size_t i; | |
683 | SSL_CERT_LOOKUP lu; | |
684 | ||
685 | if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_sigalgs, ctx)) | |
686 | return 0; | |
687 | ||
688 | /* now populate ctx->ssl_cert_info */ | |
689 | if (ctx->sigalg_list_len > 0) { | |
690 | OPENSSL_free(ctx->ssl_cert_info); | |
691 | ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len); | |
692 | if (ctx->ssl_cert_info == NULL) | |
693 | return 0; | |
694 | for(i = 0; i < ctx->sigalg_list_len; i++) { | |
695 | ctx->ssl_cert_info[i].nid = OBJ_txt2nid(ctx->sigalg_list[i].sigalg_name); | |
696 | ctx->ssl_cert_info[i].amask = SSL_aANY; | |
697 | } | |
698 | } | |
699 | ||
700 | /* | |
701 | * For now, leave it at this: legacy sigalgs stay in their own | |
702 | * data structures until "legacy cleanup" occurs. | |
703 | */ | |
704 | ||
705 | return 1; | |
706 | } | |
707 | ||
708 | static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name) | |
709 | { | |
710 | size_t i; | |
711 | ||
712 | for (i = 0; i < ctx->group_list_len; i++) { | |
713 | if (OPENSSL_strcasecmp(ctx->group_list[i].tlsname, name) == 0 | |
714 | || OPENSSL_strcasecmp(ctx->group_list[i].realname, name) == 0) | |
715 | return ctx->group_list[i].group_id; | |
716 | } | |
717 | ||
718 | return 0; | |
719 | } | |
720 | ||
721 | const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id) | |
722 | { | |
723 | size_t i; | |
724 | ||
725 | for (i = 0; i < ctx->group_list_len; i++) { | |
726 | if (ctx->group_list[i].group_id == group_id) | |
727 | return &ctx->group_list[i]; | |
728 | } | |
729 | ||
730 | return NULL; | |
731 | } | |
732 | ||
733 | const char *tls1_group_id2name(SSL_CTX *ctx, uint16_t group_id) | |
734 | { | |
735 | const TLS_GROUP_INFO *tls_group_info = tls1_group_id_lookup(ctx, group_id); | |
736 | ||
737 | if (tls_group_info == NULL) | |
738 | return NULL; | |
739 | ||
740 | return tls_group_info->tlsname; | |
741 | } | |
742 | ||
743 | int tls1_group_id2nid(uint16_t group_id, int include_unknown) | |
744 | { | |
745 | size_t i; | |
746 | ||
747 | if (group_id == 0) | |
748 | return NID_undef; | |
749 | ||
750 | /* | |
751 | * Return well known Group NIDs - for backwards compatibility. This won't | |
752 | * work for groups we don't know about. | |
753 | */ | |
754 | for (i = 0; i < OSSL_NELEM(nid_to_group); i++) | |
755 | { | |
756 | if (nid_to_group[i].group_id == group_id) | |
757 | return nid_to_group[i].nid; | |
758 | } | |
759 | if (!include_unknown) | |
760 | return NID_undef; | |
761 | return TLSEXT_nid_unknown | (int)group_id; | |
762 | } | |
763 | ||
764 | uint16_t tls1_nid2group_id(int nid) | |
765 | { | |
766 | size_t i; | |
767 | ||
768 | /* | |
769 | * Return well known Group ids - for backwards compatibility. This won't | |
770 | * work for groups we don't know about. | |
771 | */ | |
772 | for (i = 0; i < OSSL_NELEM(nid_to_group); i++) | |
773 | { | |
774 | if (nid_to_group[i].nid == nid) | |
775 | return nid_to_group[i].group_id; | |
776 | } | |
777 | ||
778 | return 0; | |
779 | } | |
780 | ||
781 | /* | |
782 | * Set *pgroups to the supported groups list and *pgroupslen to | |
783 | * the number of groups supported. | |
784 | */ | |
785 | void tls1_get_supported_groups(SSL_CONNECTION *s, const uint16_t **pgroups, | |
786 | size_t *pgroupslen) | |
787 | { | |
788 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); | |
789 | ||
790 | /* For Suite B mode only include P-256, P-384 */ | |
791 | switch (tls1_suiteb(s)) { | |
792 | case SSL_CERT_FLAG_SUITEB_128_LOS: | |
793 | *pgroups = suiteb_curves; | |
794 | *pgroupslen = OSSL_NELEM(suiteb_curves); | |
795 | break; | |
796 | ||
797 | case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: | |
798 | *pgroups = suiteb_curves; | |
799 | *pgroupslen = 1; | |
800 | break; | |
801 | ||
802 | case SSL_CERT_FLAG_SUITEB_192_LOS: | |
803 | *pgroups = suiteb_curves + 1; | |
804 | *pgroupslen = 1; | |
805 | break; | |
806 | ||
807 | default: | |
808 | if (s->ext.supportedgroups == NULL) { | |
809 | *pgroups = sctx->ext.supportedgroups; | |
810 | *pgroupslen = sctx->ext.supportedgroups_len; | |
811 | } else { | |
812 | *pgroups = s->ext.supportedgroups; | |
813 | *pgroupslen = s->ext.supportedgroups_len; | |
814 | } | |
815 | break; | |
816 | } | |
817 | } | |
818 | ||
819 | /* | |
820 | * Some comments for the function below: | |
821 | * s->ext.supportedgroups == NULL means legacy syntax (no [*,/,-]) from built-in group array. | |
822 | * In this case, we need to send exactly one key share, which MUST be the first (leftmost) | |
823 | * eligible group from the legacy list. Therefore, we provide the entire list of supported | |
824 | * groups in this case. | |
825 | * | |
826 | * A 'flag' to indicate legacy syntax is created by setting the number of key shares to 1, | |
827 | * but the groupID to 0. | |
828 | * The 'flag' is checked right at the beginning in tls_construct_ctos_key_share and either | |
829 | * the "list of requested key share groups" is used, or the "list of supported groups" in | |
830 | * combination with setting add_only_one = 1 is applied. | |
831 | */ | |
832 | void tls1_get_requested_keyshare_groups(SSL_CONNECTION *s, const uint16_t **pgroups, | |
833 | size_t *pgroupslen) | |
834 | { | |
835 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); | |
836 | ||
837 | if (s->ext.supportedgroups == NULL) { | |
838 | *pgroups = sctx->ext.supportedgroups; | |
839 | *pgroupslen = sctx->ext.supportedgroups_len; | |
840 | } else { | |
841 | *pgroups = s->ext.keyshares; | |
842 | *pgroupslen = s->ext.keyshares_len; | |
843 | } | |
844 | } | |
845 | ||
846 | void tls1_get_group_tuples(SSL_CONNECTION *s, const size_t **ptuples, | |
847 | size_t *ptupleslen) | |
848 | { | |
849 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); | |
850 | ||
851 | if (s->ext.supportedgroups == NULL) { | |
852 | *ptuples = sctx->ext.tuples; | |
853 | *ptupleslen = sctx->ext.tuples_len; | |
854 | } else { | |
855 | *ptuples = s->ext.tuples; | |
856 | *ptupleslen = s->ext.tuples_len; | |
857 | } | |
858 | } | |
859 | ||
860 | int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id, | |
861 | int minversion, int maxversion, | |
862 | int isec, int *okfortls13) | |
863 | { | |
864 | const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s), | |
865 | group_id); | |
866 | int ret; | |
867 | int group_minversion, group_maxversion; | |
868 | ||
869 | if (okfortls13 != NULL) | |
870 | *okfortls13 = 0; | |
871 | ||
872 | if (ginfo == NULL) | |
873 | return 0; | |
874 | ||
875 | group_minversion = SSL_CONNECTION_IS_DTLS(s) ? ginfo->mindtls : ginfo->mintls; | |
876 | group_maxversion = SSL_CONNECTION_IS_DTLS(s) ? ginfo->maxdtls : ginfo->maxtls; | |
877 | ||
878 | if (group_minversion < 0 || group_maxversion < 0) | |
879 | return 0; | |
880 | if (group_maxversion == 0) | |
881 | ret = 1; | |
882 | else | |
883 | ret = (ssl_version_cmp(s, minversion, group_maxversion) <= 0); | |
884 | if (group_minversion > 0) | |
885 | ret &= (ssl_version_cmp(s, maxversion, group_minversion) >= 0); | |
886 | ||
887 | if (!SSL_CONNECTION_IS_DTLS(s)) { | |
888 | if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION) | |
889 | *okfortls13 = (group_maxversion == 0) | |
890 | || (group_maxversion >= TLS1_3_VERSION); | |
891 | } | |
892 | ret &= !isec | |
893 | || strcmp(ginfo->algorithm, "EC") == 0 | |
894 | || strcmp(ginfo->algorithm, "X25519") == 0 | |
895 | || strcmp(ginfo->algorithm, "X448") == 0; | |
896 | ||
897 | return ret; | |
898 | } | |
899 | ||
900 | /* See if group is allowed by security callback */ | |
901 | int tls_group_allowed(SSL_CONNECTION *s, uint16_t group, int op) | |
902 | { | |
903 | const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s), | |
904 | group); | |
905 | unsigned char gtmp[2]; | |
906 | ||
907 | if (ginfo == NULL) | |
908 | return 0; | |
909 | ||
910 | gtmp[0] = group >> 8; | |
911 | gtmp[1] = group & 0xff; | |
912 | return ssl_security(s, op, ginfo->secbits, | |
913 | tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp); | |
914 | } | |
915 | ||
916 | /* Return 1 if "id" is in "list" */ | |
917 | static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen) | |
918 | { | |
919 | size_t i; | |
920 | for (i = 0; i < listlen; i++) | |
921 | if (list[i] == id) | |
922 | return 1; | |
923 | return 0; | |
924 | } | |
925 | ||
926 | typedef struct { | |
927 | TLS_GROUP_INFO *grp; | |
928 | size_t ix; | |
929 | } TLS_GROUP_IX; | |
930 | ||
931 | DEFINE_STACK_OF(TLS_GROUP_IX) | |
932 | ||
933 | static void free_wrapper(TLS_GROUP_IX *a) | |
934 | { | |
935 | OPENSSL_free(a); | |
936 | } | |
937 | ||
938 | static int tls_group_ix_cmp(const TLS_GROUP_IX *const *a, | |
939 | const TLS_GROUP_IX *const *b) | |
940 | { | |
941 | int idcmpab = (*a)->grp->group_id < (*b)->grp->group_id; | |
942 | int idcmpba = (*b)->grp->group_id < (*a)->grp->group_id; | |
943 | int ixcmpab = (*a)->ix < (*b)->ix; | |
944 | int ixcmpba = (*b)->ix < (*a)->ix; | |
945 | ||
946 | /* Ascending by group id */ | |
947 | if (idcmpab != idcmpba) | |
948 | return (idcmpba - idcmpab); | |
949 | /* Ascending by original appearance index */ | |
950 | return ixcmpba - ixcmpab; | |
951 | } | |
952 | ||
953 | int tls1_get0_implemented_groups(int min_proto_version, int max_proto_version, | |
954 | TLS_GROUP_INFO *grps, size_t num, long all, | |
955 | STACK_OF(OPENSSL_CSTRING) *out) | |
956 | { | |
957 | STACK_OF(TLS_GROUP_IX) *collect = NULL; | |
958 | TLS_GROUP_IX *gix; | |
959 | uint16_t id = 0; | |
960 | int ret = 0; | |
961 | int ix; | |
962 | ||
963 | if (grps == NULL || out == NULL || num > INT_MAX) | |
964 | return 0; | |
965 | if ((collect = sk_TLS_GROUP_IX_new(tls_group_ix_cmp)) == NULL) | |
966 | return 0; | |
967 | for (ix = 0; ix < (int)num; ++ix, ++grps) { | |
968 | if (grps->mintls > 0 && max_proto_version > 0 | |
969 | && grps->mintls > max_proto_version) | |
970 | continue; | |
971 | if (grps->maxtls > 0 && min_proto_version > 0 | |
972 | && grps->maxtls < min_proto_version) | |
973 | continue; | |
974 | ||
975 | if ((gix = OPENSSL_malloc(sizeof(*gix))) == NULL) | |
976 | goto end; | |
977 | gix->grp = grps; | |
978 | gix->ix = ix; | |
979 | if (sk_TLS_GROUP_IX_push(collect, gix) <= 0) { | |
980 | OPENSSL_free(gix); | |
981 | goto end; | |
982 | } | |
983 | } | |
984 | ||
985 | sk_TLS_GROUP_IX_sort(collect); | |
986 | num = sk_TLS_GROUP_IX_num(collect); | |
987 | for (ix = 0; ix < (int)num; ++ix) { | |
988 | gix = sk_TLS_GROUP_IX_value(collect, ix); | |
989 | if (!all && gix->grp->group_id == id) | |
990 | continue; | |
991 | id = gix->grp->group_id; | |
992 | if (sk_OPENSSL_CSTRING_push(out, gix->grp->tlsname) <= 0) | |
993 | goto end; | |
994 | } | |
995 | ret = 1; | |
996 | ||
997 | end: | |
998 | sk_TLS_GROUP_IX_pop_free(collect, free_wrapper); | |
999 | return ret; | |
1000 | } | |
1001 | ||
1002 | /*- | |
1003 | * For nmatch >= 0, return the id of the |nmatch|th shared group or 0 | |
1004 | * if there is no match. | |
1005 | * For nmatch == -1, return number of matches | |
1006 | * For nmatch == -2, return the id of the group to use for | |
1007 | * a tmp key, or 0 if there is no match. | |
1008 | */ | |
1009 | uint16_t tls1_shared_group(SSL_CONNECTION *s, int nmatch) | |
1010 | { | |
1011 | const uint16_t *pref, *supp; | |
1012 | size_t num_pref, num_supp, i; | |
1013 | int k; | |
1014 | SSL_CTX *ctx = SSL_CONNECTION_GET_CTX(s); | |
1015 | ||
1016 | /* Can't do anything on client side */ | |
1017 | if (s->server == 0) | |
1018 | return 0; | |
1019 | if (nmatch == -2) { | |
1020 | if (tls1_suiteb(s)) { | |
1021 | /* | |
1022 | * For Suite B ciphersuite determines curve: we already know | |
1023 | * these are acceptable due to previous checks. | |
1024 | */ | |
1025 | unsigned long cid = s->s3.tmp.new_cipher->id; | |
1026 | ||
1027 | if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) | |
1028 | return OSSL_TLS_GROUP_ID_secp256r1; | |
1029 | if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) | |
1030 | return OSSL_TLS_GROUP_ID_secp384r1; | |
1031 | /* Should never happen */ | |
1032 | return 0; | |
1033 | } | |
1034 | /* If not Suite B just return first preference shared curve */ | |
1035 | nmatch = 0; | |
1036 | } | |
1037 | /* | |
1038 | * If server preference set, our groups are the preference order | |
1039 | * otherwise peer decides. | |
1040 | */ | |
1041 | if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { | |
1042 | tls1_get_supported_groups(s, &pref, &num_pref); | |
1043 | tls1_get_peer_groups(s, &supp, &num_supp); | |
1044 | } else { | |
1045 | tls1_get_peer_groups(s, &pref, &num_pref); | |
1046 | tls1_get_supported_groups(s, &supp, &num_supp); | |
1047 | } | |
1048 | ||
1049 | for (k = 0, i = 0; i < num_pref; i++) { | |
1050 | uint16_t id = pref[i]; | |
1051 | const TLS_GROUP_INFO *inf; | |
1052 | int minversion, maxversion; | |
1053 | ||
1054 | if (!tls1_in_list(id, supp, num_supp) | |
1055 | || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED)) | |
1056 | continue; | |
1057 | inf = tls1_group_id_lookup(ctx, id); | |
1058 | if (!ossl_assert(inf != NULL)) | |
1059 | return 0; | |
1060 | ||
1061 | minversion = SSL_CONNECTION_IS_DTLS(s) | |
1062 | ? inf->mindtls : inf->mintls; | |
1063 | maxversion = SSL_CONNECTION_IS_DTLS(s) | |
1064 | ? inf->maxdtls : inf->maxtls; | |
1065 | if (maxversion == -1) | |
1066 | continue; | |
1067 | if ((minversion != 0 && ssl_version_cmp(s, s->version, minversion) < 0) | |
1068 | || (maxversion != 0 | |
1069 | && ssl_version_cmp(s, s->version, maxversion) > 0)) | |
1070 | continue; | |
1071 | ||
1072 | if (nmatch == k) | |
1073 | return id; | |
1074 | k++; | |
1075 | } | |
1076 | if (nmatch == -1) | |
1077 | return k; | |
1078 | /* Out of range (nmatch > k). */ | |
1079 | return 0; | |
1080 | } | |
1081 | ||
1082 | int tls1_set_groups(uint16_t **grpext, size_t *grpextlen, | |
1083 | uint16_t **ksext, size_t *ksextlen, | |
1084 | size_t **tplext, size_t *tplextlen, | |
1085 | int *groups, size_t ngroups) | |
1086 | { | |
1087 | uint16_t *glist = NULL, *kslist = NULL; | |
1088 | size_t *tpllist = NULL; | |
1089 | size_t i; | |
1090 | /* | |
1091 | * Bitmap of groups included to detect duplicates: two variables are added | |
1092 | * to detect duplicates as some values are more than 32. | |
1093 | */ | |
1094 | unsigned long *dup_list = NULL; | |
1095 | unsigned long dup_list_egrp = 0; | |
1096 | unsigned long dup_list_dhgrp = 0; | |
1097 | ||
1098 | if (ngroups == 0) { | |
1099 | ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); | |
1100 | return 0; | |
1101 | } | |
1102 | if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) | |
1103 | goto err; | |
1104 | if ((kslist = OPENSSL_malloc(1 * sizeof(*kslist))) == NULL) | |
1105 | goto err; | |
1106 | if ((tpllist = OPENSSL_malloc(1 * sizeof(*tpllist))) == NULL) | |
1107 | goto err; | |
1108 | for (i = 0; i < ngroups; i++) { | |
1109 | unsigned long idmask; | |
1110 | uint16_t id; | |
1111 | id = tls1_nid2group_id(groups[i]); | |
1112 | if ((id & 0x00FF) >= (sizeof(unsigned long) * 8)) | |
1113 | goto err; | |
1114 | idmask = 1L << (id & 0x00FF); | |
1115 | dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp; | |
1116 | if (!id || ((*dup_list) & idmask)) | |
1117 | goto err; | |
1118 | *dup_list |= idmask; | |
1119 | glist[i] = id; | |
1120 | } | |
1121 | OPENSSL_free(*grpext); | |
1122 | OPENSSL_free(*ksext); | |
1123 | OPENSSL_free(*tplext); | |
1124 | *grpext = glist; | |
1125 | *grpextlen = ngroups; | |
1126 | kslist[0] = glist[0]; | |
1127 | *ksext = kslist; | |
1128 | *ksextlen = 1; | |
1129 | tpllist[0] = ngroups; | |
1130 | *tplext = tpllist; | |
1131 | *tplextlen = 1; | |
1132 | return 1; | |
1133 | err: | |
1134 | OPENSSL_free(glist); | |
1135 | OPENSSL_free(kslist); | |
1136 | OPENSSL_free(tpllist); | |
1137 | return 0; | |
1138 | } | |
1139 | ||
1140 | /* | |
1141 | * Definition of DEFAULT[_XYZ] pseudo group names. | |
1142 | * A pseudo group name is actually a full list of groups, including prefixes | |
1143 | * and or tuple delimiters. It can be hierarchically defined (for potential future use). | |
1144 | * IMPORTANT REMARK: For ease of use, in the built-in lists of groups, unknown groups or | |
1145 | * groups not backed by a provider will always silently be ignored, even without '?' prefix | |
1146 | */ | |
1147 | typedef struct { | |
1148 | const char *list_name; /* The name of this pseudo group */ | |
1149 | const char *group_string; /* The group string of this pseudo group */ | |
1150 | } default_group_string_st; /* (can include '?', '*'. '-', '/' as needed) */ | |
1151 | ||
1152 | /* Built-in pseudo group-names must start with a (D or d) */ | |
1153 | static const char *DEFAULT_GROUPNAME_FIRST_CHARACTER = "D"; | |
1154 | ||
1155 | /* The list of all built-in pseudo-group-name structures */ | |
1156 | static const default_group_string_st default_group_strings[] = { | |
1157 | {DEFAULT_GROUP_NAME, TLS_DEFAULT_GROUP_LIST}, | |
1158 | {SUITE_B_GROUP_NAME, SUITE_B_GROUP_LIST} | |
1159 | }; | |
1160 | ||
1161 | /* | |
1162 | * Some GOST names are not resolved by tls1_group_name2id, | |
1163 | * hence we'll check for those manually | |
1164 | */ | |
1165 | typedef struct { | |
1166 | const char *group_name; | |
1167 | uint16_t groupID; | |
1168 | } name2id_st; | |
1169 | static const name2id_st name2id_arr[] = { | |
1170 | {"GC256A", OSSL_TLS_GROUP_ID_gc256A }, | |
1171 | {"GC256B", OSSL_TLS_GROUP_ID_gc256B }, | |
1172 | {"GC256C", OSSL_TLS_GROUP_ID_gc256C }, | |
1173 | {"GC256D", OSSL_TLS_GROUP_ID_gc256D }, | |
1174 | {"GC512A", OSSL_TLS_GROUP_ID_gc512A }, | |
1175 | {"GC512B", OSSL_TLS_GROUP_ID_gc512B }, | |
1176 | {"GC512C", OSSL_TLS_GROUP_ID_gc512C }, | |
1177 | }; | |
1178 | ||
1179 | /* | |
1180 | * Group list management: | |
1181 | * We establish three lists along with their related size counters: | |
1182 | * 1) List of (unique) groups | |
1183 | * 2) List of number of groups per group-priority-tuple | |
1184 | * 3) List of (unique) key share groups | |
1185 | */ | |
1186 | #define GROUPLIST_INCREMENT 32 /* Memory allocation chunk size (64 Bytes chunks ~= cache line) */ | |
1187 | #define GROUP_NAME_BUFFER_LENGTH 64 /* Max length of a group name */ | |
1188 | ||
1189 | /* | |
1190 | * Preparation of the prefix used to indicate the desire to send a key share, | |
1191 | * the characters used as separators between groups or tuples of groups, the | |
1192 | * character to indicate that an unknown group should be ignored, and the | |
1193 | * character to indicate that a group should be deleted from a list | |
1194 | */ | |
1195 | #ifndef TUPLE_DELIMITER_CHARACTER | |
1196 | /* The prefix characters to indicate group tuple boundaries */ | |
1197 | # define TUPLE_DELIMITER_CHARACTER '/' | |
1198 | #endif | |
1199 | #ifndef GROUP_DELIMITER_CHARACTER | |
1200 | /* The prefix characters to indicate group tuple boundaries */ | |
1201 | # define GROUP_DELIMITER_CHARACTER ':' | |
1202 | #endif | |
1203 | #ifndef IGNORE_UNKNOWN_GROUP_CHARACTER | |
1204 | /* The prefix character to ignore unknown groups */ | |
1205 | # define IGNORE_UNKNOWN_GROUP_CHARACTER '?' | |
1206 | #endif | |
1207 | #ifndef KEY_SHARE_INDICATOR_CHARACTER | |
1208 | /* The prefix character to trigger a key share addition */ | |
1209 | # define KEY_SHARE_INDICATOR_CHARACTER '*' | |
1210 | #endif | |
1211 | #ifndef REMOVE_GROUP_INDICATOR_CHARACTER | |
1212 | /* The prefix character to trigger a key share removal */ | |
1213 | # define REMOVE_GROUP_INDICATOR_CHARACTER '-' | |
1214 | #endif | |
1215 | static const char prefixes[] = {TUPLE_DELIMITER_CHARACTER, | |
1216 | GROUP_DELIMITER_CHARACTER, | |
1217 | IGNORE_UNKNOWN_GROUP_CHARACTER, | |
1218 | KEY_SHARE_INDICATOR_CHARACTER, | |
1219 | REMOVE_GROUP_INDICATOR_CHARACTER, | |
1220 | '\0'}; | |
1221 | ||
1222 | /* | |
1223 | * High-level description of how group strings are analyzed: | |
1224 | * A first call back function (tuple_cb) is used to process group tuples, and a | |
1225 | * second callback function (gid_cb) is used to process the groups inside a tuple. | |
1226 | * Those callback functions are (indirectly) called by CONF_parse_list with | |
1227 | * different separators (nominally ':' or '/'), a variable based on gid_cb_st | |
1228 | * is used to keep track of the parsing results between the various calls | |
1229 | */ | |
1230 | ||
1231 | typedef struct { | |
1232 | SSL_CTX *ctx; | |
1233 | /* Variables to hold the three lists (groups, requested keyshares, tuple structure) */ | |
1234 | size_t gidmax; /* The memory allocation chunk size for the group IDs */ | |
1235 | size_t gidcnt; /* Number of groups */ | |
1236 | uint16_t *gid_arr; /* The IDs of the supported groups (flat list) */ | |
1237 | size_t tplmax; /* The memory allocation chunk size for the tuple counters */ | |
1238 | size_t tplcnt; /* Number of tuples */ | |
1239 | size_t *tuplcnt_arr; /* The number of groups inside a tuple */ | |
1240 | size_t ksidmax; /* The memory allocation chunk size */ | |
1241 | size_t ksidcnt; /* Number of key shares */ | |
1242 | uint16_t *ksid_arr; /* The IDs of the key share groups (flat list) */ | |
1243 | /* Variable to keep state between execution of callback or helper functions */ | |
1244 | size_t tuple_mode; /* Keeps track whether tuple_cb called from 'the top' or from gid_cb */ | |
1245 | int ignore_unknown_default; /* Flag such that unknown groups for DEFAULT[_XYZ] are ignored */ | |
1246 | } gid_cb_st; | |
1247 | ||
1248 | /* Forward declaration of tuple callback function */ | |
1249 | static int tuple_cb(const char *tuple, int len, void *arg); | |
1250 | ||
1251 | /* | |
1252 | * Extract and process the individual groups (and their prefixes if present) | |
1253 | * present in a tuple. Note: The argument 'elem' is a NON-\0-terminated string | |
1254 | * and must be appended by a \0 if used as \0-terminated string | |
1255 | */ | |
1256 | static int gid_cb(const char *elem, int len, void *arg) | |
1257 | { | |
1258 | gid_cb_st *garg = arg; | |
1259 | size_t i, j, k; | |
1260 | uint16_t gid = 0; | |
1261 | int found_group = 0; | |
1262 | char etmp[GROUP_NAME_BUFFER_LENGTH]; | |
1263 | int retval = 1; /* We assume success */ | |
1264 | char *current_prefix; | |
1265 | int ignore_unknown = 0; | |
1266 | int add_keyshare = 0; | |
1267 | int remove_group = 0; | |
1268 | size_t restored_prefix_index = 0; | |
1269 | char *restored_default_group_string; | |
1270 | int continue_while_loop = 1; | |
1271 | ||
1272 | /* Sanity checks */ | |
1273 | if (garg == NULL || elem == NULL || len <= 0) { | |
1274 | ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_CONFIG_VALUE); | |
1275 | return 0; | |
1276 | } | |
1277 | ||
1278 | /* Check the possible prefixes (remark: Leading and trailing spaces already cleared) */ | |
1279 | while (continue_while_loop && len > 0 | |
1280 | && ((current_prefix = strchr(prefixes, elem[0])) != NULL | |
1281 | || OPENSSL_strncasecmp(current_prefix = (char *)DEFAULT_GROUPNAME_FIRST_CHARACTER, elem, 1) == 0)) { | |
1282 | ||
1283 | switch (*current_prefix) { | |
1284 | case TUPLE_DELIMITER_CHARACTER: | |
1285 | /* tuple delimiter not allowed here -> syntax error */ | |
1286 | return -1; | |
1287 | break; | |
1288 | case GROUP_DELIMITER_CHARACTER: | |
1289 | return -1; /* Not a valid prefix for a single group name-> syntax error */ | |
1290 | break; | |
1291 | case KEY_SHARE_INDICATOR_CHARACTER: | |
1292 | if (add_keyshare) | |
1293 | return -1; /* Only single key share prefix allowed -> syntax error */ | |
1294 | add_keyshare = 1; | |
1295 | ++elem; | |
1296 | --len; | |
1297 | break; | |
1298 | case REMOVE_GROUP_INDICATOR_CHARACTER: | |
1299 | if (remove_group) | |
1300 | return -1; /* Only single remove group prefix allowed -> syntax error */ | |
1301 | remove_group = 1; | |
1302 | ++elem; | |
1303 | --len; | |
1304 | break; | |
1305 | case IGNORE_UNKNOWN_GROUP_CHARACTER: | |
1306 | if (ignore_unknown) | |
1307 | return -1; /* Only single ? allowed -> syntax error */ | |
1308 | ignore_unknown = 1; | |
1309 | ++elem; | |
1310 | --len; | |
1311 | break; | |
1312 | default: | |
1313 | /* | |
1314 | * Check whether a DEFAULT[_XYZ] 'pseudo group' (= a built-in | |
1315 | * list of groups) should be added | |
1316 | */ | |
1317 | for (i = 0; i < OSSL_NELEM(default_group_strings); i++) { | |
1318 | if ((size_t)len == (strlen(default_group_strings[i].list_name)) | |
1319 | && OPENSSL_strncasecmp(default_group_strings[i].list_name, elem, len) == 0) { | |
1320 | /* | |
1321 | * We're asked to insert an entire list of groups from a | |
1322 | * DEFAULT[_XYZ] 'pseudo group' which we do by | |
1323 | * recursively calling this function (indirectly via | |
1324 | * CONF_parse_list and tuple_cb); essentially, we treat a DEFAULT | |
1325 | * group string like a tuple which is appended to the current tuple | |
1326 | * rather then starting a new tuple. Variable tuple_mode is the flag which | |
1327 | * controls append tuple vs start new tuple. | |
1328 | */ | |
1329 | ||
1330 | if (ignore_unknown || remove_group) | |
1331 | return -1; /* removal or ignore not allowed here -> syntax error */ | |
1332 | ||
1333 | /* | |
1334 | * First, we restore any keyshare prefix in a new zero-terminated string | |
1335 | * (if not already present) | |
1336 | */ | |
1337 | restored_default_group_string = OPENSSL_malloc((1 /* max prefix length */ + | |
1338 | strlen(default_group_strings[i].group_string) + | |
1339 | 1 /* \0 */) * sizeof(char)); | |
1340 | if (restored_default_group_string == NULL) | |
1341 | return 0; | |
1342 | if (add_keyshare | |
1343 | /* Remark: we tolerate a duplicated keyshare indicator here */ | |
1344 | && default_group_strings[i].group_string[0] | |
1345 | != KEY_SHARE_INDICATOR_CHARACTER) | |
1346 | restored_default_group_string[restored_prefix_index++] = | |
1347 | KEY_SHARE_INDICATOR_CHARACTER; | |
1348 | ||
1349 | memcpy(restored_default_group_string + restored_prefix_index, | |
1350 | default_group_strings[i].group_string, | |
1351 | strlen(default_group_strings[i].group_string)); | |
1352 | restored_default_group_string[strlen(default_group_strings[i].group_string) + | |
1353 | restored_prefix_index] = '\0'; | |
1354 | /* We execute the recursive call */ | |
1355 | garg->ignore_unknown_default = 1; /* We ignore unknown groups for DEFAULT_XYZ */ | |
1356 | /* we enforce group mode (= append tuple) for DEFAULT_XYZ group lists */ | |
1357 | garg->tuple_mode = 0; | |
1358 | /* We use the tuple_cb callback to process the pseudo group tuple */ | |
1359 | retval = CONF_parse_list(restored_default_group_string, | |
1360 | TUPLE_DELIMITER_CHARACTER, 1, tuple_cb, garg); | |
1361 | garg->tuple_mode = 1; /* next call to tuple_cb will again start new tuple */ | |
1362 | garg->ignore_unknown_default = 0; /* reset to original value */ | |
1363 | /* We don't need the \0-terminated string anymore */ | |
1364 | OPENSSL_free(restored_default_group_string); | |
1365 | ||
1366 | return retval; | |
1367 | } | |
1368 | } | |
1369 | /* | |
1370 | * If we reached this point, a group name started with a 'd' or 'D', but no request | |
1371 | * for a DEFAULT[_XYZ] 'pseudo group' was detected, hence processing of the group | |
1372 | * name can continue as usual (= the while loop checking prefixes can end) | |
1373 | */ | |
1374 | continue_while_loop = 0; | |
1375 | break; | |
1376 | } | |
1377 | } | |
1378 | ||
1379 | if (len == 0) | |
1380 | return -1; /* Seems we have prefxes without a group name -> syntax error */ | |
1381 | ||
1382 | if (garg->ignore_unknown_default == 1) /* Always ignore unknown groups for DEFAULT[_XYZ] */ | |
1383 | ignore_unknown = 1; | |
1384 | ||
1385 | /* Memory management in case more groups are present compared to initial allocation */ | |
1386 | if (garg->gidcnt == garg->gidmax) { | |
1387 | uint16_t *tmp = | |
1388 | OPENSSL_realloc(garg->gid_arr, | |
1389 | (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr)); | |
1390 | ||
1391 | if (tmp == NULL) | |
1392 | return 0; | |
1393 | ||
1394 | garg->gidmax += GROUPLIST_INCREMENT; | |
1395 | garg->gid_arr = tmp; | |
1396 | } | |
1397 | /* Memory management for key share groups */ | |
1398 | if (garg->ksidcnt == garg->ksidmax) { | |
1399 | uint16_t *tmp = | |
1400 | OPENSSL_realloc(garg->ksid_arr, | |
1401 | (garg->ksidmax + GROUPLIST_INCREMENT) * sizeof(*garg->ksid_arr)); | |
1402 | ||
1403 | if (tmp == NULL) | |
1404 | return 0; | |
1405 | garg->ksidmax += GROUPLIST_INCREMENT; | |
1406 | garg->ksid_arr = tmp; | |
1407 | } | |
1408 | ||
1409 | if (len > (int)(sizeof(etmp) - 1)) | |
1410 | return -1; /* group name to long -> syntax error */ | |
1411 | ||
1412 | /* | |
1413 | * Prepare addition or removal of a single group by converting | |
1414 | * a group name into its groupID equivalent | |
1415 | */ | |
1416 | ||
1417 | /* Create a \0-terminated string and get the gid for this group if possible */ | |
1418 | memcpy(etmp, elem, len); | |
1419 | etmp[len] = 0; | |
1420 | ||
1421 | /* Get the groupID */ | |
1422 | gid = tls1_group_name2id(garg->ctx, etmp); | |
1423 | /* | |
1424 | * Handle the case where no valid groupID was returned | |
1425 | * e.g. for an unknown group, which we'd ignore (only) if relevant prefix was set | |
1426 | */ | |
1427 | if (gid == 0) { | |
1428 | /* Is it one of the GOST groups ? */ | |
1429 | for (i = 0; i < OSSL_NELEM(name2id_arr); i++) { | |
1430 | if (OPENSSL_strcasecmp(etmp, name2id_arr[i].group_name) == 0) { | |
1431 | gid = name2id_arr[i].groupID; | |
1432 | break; | |
1433 | } | |
1434 | } | |
1435 | if (gid == 0) { /* still not found */ | |
1436 | /* Unknown group - ignore if ignore_unknown; trigger error otherwise */ | |
1437 | retval = ignore_unknown; | |
1438 | goto done; | |
1439 | } | |
1440 | } | |
1441 | ||
1442 | /* Make sure that at least one provider is supporting this groupID */ | |
1443 | found_group = 0; | |
1444 | for (j = 0; j < garg->ctx->group_list_len; j++) | |
1445 | if (garg->ctx->group_list[j].group_id == gid) { | |
1446 | found_group = 1; | |
1447 | break; | |
1448 | } | |
1449 | ||
1450 | /* | |
1451 | * No provider supports this group - ignore if | |
1452 | * ignore_unknown; trigger error otherwise | |
1453 | */ | |
1454 | if (found_group == 0) { | |
1455 | retval = ignore_unknown; | |
1456 | goto done; | |
1457 | } | |
1458 | /* Remove group (and keyshare) from anywhere in the list if present, ignore if not present */ | |
1459 | if (remove_group) { | |
1460 | /* Is the current group specified anywhere in the entire list so far? */ | |
1461 | found_group = 0; | |
1462 | for (i = 0; i < garg->gidcnt; i++) | |
1463 | if (garg->gid_arr[i] == gid) { | |
1464 | found_group = 1; | |
1465 | break; | |
1466 | } | |
1467 | /* The group to remove is at position i in the list of (zero indexed) groups */ | |
1468 | if (found_group) { | |
1469 | /* We remove that group from its position (which is at i)... */ | |
1470 | for (j = i; j < (garg->gidcnt - 1); j++) | |
1471 | garg->gid_arr[j] = garg->gid_arr[j + 1]; /* ...shift remaining groups left ... */ | |
1472 | garg->gidcnt--; /* ..and update the book keeping for the number of groups */ | |
1473 | ||
1474 | /* | |
1475 | * We also must update the number of groups either in a previous tuple (which we | |
1476 | * must identify and check whether it becomes empty due to the deletion) or in | |
1477 | * the current tuple, pending where the deleted group resides | |
1478 | */ | |
1479 | k = 0; | |
1480 | for (j = 0; j < garg->tplcnt; j++) { | |
1481 | k += garg->tuplcnt_arr[j]; | |
1482 | /* Remark: i is zero-indexed, k is one-indexed */ | |
1483 | if (k > i) { /* remove from one of the previous tuples */ | |
1484 | garg->tuplcnt_arr[j]--; | |
1485 | break; /* We took care not to have group duplicates, hence we can stop here */ | |
1486 | } | |
1487 | } | |
1488 | if (k <= i) /* remove from current tuple */ | |
1489 | garg->tuplcnt_arr[j]--; | |
1490 | ||
1491 | /* We also remove the group from the list of keyshares (if present) */ | |
1492 | found_group = 0; | |
1493 | for (i = 0; i < garg->ksidcnt; i++) | |
1494 | if (garg->ksid_arr[i] == gid) { | |
1495 | found_group = 1; | |
1496 | break; | |
1497 | } | |
1498 | if (found_group) { | |
1499 | /* Found, hence we remove that keyshare from its position (which is at i)... */ | |
1500 | for (j = i; j < (garg->ksidcnt - 1); j++) | |
1501 | garg->ksid_arr[j] = garg->ksid_arr[j + 1]; /* shift remaining key shares */ | |
1502 | /* ... and update the book keeping */ | |
1503 | garg->ksidcnt--; | |
1504 | } | |
1505 | } | |
1506 | } else { /* Processing addition of a single new group */ | |
1507 | ||
1508 | /* Check for duplicates */ | |
1509 | for (i = 0; i < garg->gidcnt; i++) | |
1510 | if (garg->gid_arr[i] == gid) { | |
1511 | /* Duplicate group anywhere in the list of groups - ignore */ | |
1512 | goto done; | |
1513 | } | |
1514 | ||
1515 | /* Add the current group to the 'flat' list of groups */ | |
1516 | garg->gid_arr[garg->gidcnt++] = gid; | |
1517 | /* and update the book keeping for the number of groups in current tuple */ | |
1518 | garg->tuplcnt_arr[garg->tplcnt]++; | |
1519 | ||
1520 | /* We memorize if needed that we want to add a key share for the current group */ | |
1521 | if (add_keyshare) | |
1522 | garg->ksid_arr[garg->ksidcnt++] = gid; | |
1523 | } | |
1524 | ||
1525 | done: | |
1526 | return retval; | |
1527 | } | |
1528 | ||
1529 | /* Extract and process a tuple of groups */ | |
1530 | static int tuple_cb(const char *tuple, int len, void *arg) | |
1531 | { | |
1532 | gid_cb_st *garg = arg; | |
1533 | int retval = 1; /* We assume success */ | |
1534 | char *restored_tuple_string; | |
1535 | ||
1536 | /* Sanity checks */ | |
1537 | if (garg == NULL || tuple == NULL || len <= 0) { | |
1538 | ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_CONFIG_VALUE); | |
1539 | return 0; | |
1540 | } | |
1541 | ||
1542 | /* Memory management for tuples */ | |
1543 | if (garg->tplcnt == garg->tplmax) { | |
1544 | size_t *tmp = | |
1545 | OPENSSL_realloc(garg->tuplcnt_arr, | |
1546 | (garg->tplmax + GROUPLIST_INCREMENT) * sizeof(*garg->tuplcnt_arr)); | |
1547 | ||
1548 | if (tmp == NULL) | |
1549 | return 0; | |
1550 | garg->tplmax += GROUPLIST_INCREMENT; | |
1551 | garg->tuplcnt_arr = tmp; | |
1552 | } | |
1553 | ||
1554 | /* Convert to \0-terminated string */ | |
1555 | restored_tuple_string = OPENSSL_malloc((len + 1 /* \0 */) * sizeof(char)); | |
1556 | if (restored_tuple_string == NULL) | |
1557 | return 0; | |
1558 | memcpy(restored_tuple_string, tuple, len); | |
1559 | restored_tuple_string[len] = '\0'; | |
1560 | ||
1561 | /* Analyze group list of this tuple */ | |
1562 | retval = CONF_parse_list(restored_tuple_string, GROUP_DELIMITER_CHARACTER, 1, gid_cb, arg); | |
1563 | ||
1564 | /* We don't need the \o-terminated string anymore */ | |
1565 | OPENSSL_free(restored_tuple_string); | |
1566 | ||
1567 | if (garg->tuplcnt_arr[garg->tplcnt] > 0) { /* Some valid groups are present in current tuple... */ | |
1568 | if (garg->tuple_mode) { | |
1569 | /* We 'close' the tuple */ | |
1570 | garg->tplcnt++; | |
1571 | garg->tuplcnt_arr[garg->tplcnt] = 0; /* Next tuple is initialized to be empty */ | |
1572 | garg->tuple_mode = 1; /* next call will start a tuple (unless overridden in gid_cb) */ | |
1573 | } | |
1574 | } | |
1575 | ||
1576 | return retval; | |
1577 | } | |
1578 | ||
1579 | /* | |
1580 | * Set groups and prepare generation of keyshares based on a string of groupnames, | |
1581 | * names separated by the group or the tuple delimiter, with per-group prefixes to | |
1582 | * (1) add a key share for this group, (2) ignore the group if unkown to the current | |
1583 | * context, (3) delete a previous occurrence of the group in the current tuple. | |
1584 | * | |
1585 | * The list parsing is done in two hierachical steps: The top-level step extracts the | |
1586 | * string of a tuple using tuple_cb, while the next lower step uses gid_cb to | |
1587 | * parse and process the groups inside a tuple | |
1588 | */ | |
1589 | int tls1_set_groups_list(SSL_CTX *ctx, | |
1590 | uint16_t **grpext, size_t *grpextlen, | |
1591 | uint16_t **ksext, size_t *ksextlen, | |
1592 | size_t **tplext, size_t *tplextlen, | |
1593 | const char *str) | |
1594 | { | |
1595 | size_t i = 0, j; | |
1596 | int ret = 0, parse_ret = 0; | |
1597 | gid_cb_st gcb; | |
1598 | ||
1599 | /* Sanity check */ | |
1600 | if (ctx == NULL) { | |
1601 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); | |
1602 | return 0; | |
1603 | } | |
1604 | ||
1605 | memset(&gcb, 0, sizeof(gcb)); | |
1606 | gcb.tuple_mode = 1; /* We prepare to collect the first tuple */ | |
1607 | gcb.ignore_unknown_default = 0; | |
1608 | gcb.gidmax = GROUPLIST_INCREMENT; | |
1609 | gcb.tplmax = GROUPLIST_INCREMENT; | |
1610 | gcb.ksidmax = GROUPLIST_INCREMENT; | |
1611 | gcb.ctx = ctx; | |
1612 | ||
1613 | /* Prepare initial chunks of memory for groups, tuples and keyshares groupIDs */ | |
1614 | gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr)); | |
1615 | if (gcb.gid_arr == NULL) | |
1616 | goto end; | |
1617 | gcb.tuplcnt_arr = OPENSSL_malloc(gcb.tplmax * sizeof(*gcb.tuplcnt_arr)); | |
1618 | if (gcb.tuplcnt_arr == NULL) | |
1619 | goto end; | |
1620 | gcb.tuplcnt_arr[0] = 0; | |
1621 | gcb.ksid_arr = OPENSSL_malloc(gcb.ksidmax * sizeof(*gcb.ksid_arr)); | |
1622 | if (gcb.ksid_arr == NULL) | |
1623 | goto end; | |
1624 | ||
1625 | while (str[0] != '\0' && isspace((unsigned char)*str)) | |
1626 | str++; | |
1627 | if (str[0] == '\0') | |
1628 | goto empty_list; | |
1629 | ||
1630 | /* | |
1631 | * Start the (potentially recursive) tuple processing by calling CONF_parse_list | |
1632 | * with the TUPLE_DELIMITER_CHARACTER (which will call tuple_cb after cleaning spaces) | |
1633 | */ | |
1634 | parse_ret = CONF_parse_list(str, TUPLE_DELIMITER_CHARACTER, 1, tuple_cb, &gcb); | |
1635 | ||
1636 | if (parse_ret == 0) | |
1637 | goto end; | |
1638 | if (parse_ret == -1) { | |
1639 | ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, | |
1640 | "Syntax error in '%s'", str); | |
1641 | goto end; | |
1642 | } | |
1643 | ||
1644 | /* | |
1645 | * We check whether a tuple was completly emptied by using "-" prefix | |
1646 | * excessively, in which case we remove the tuple | |
1647 | */ | |
1648 | for (i = j = 0; j < gcb.tplcnt; j++) { | |
1649 | if (gcb.tuplcnt_arr[j] == 0) | |
1650 | continue; | |
1651 | /* If there's a gap, move to first unfilled slot */ | |
1652 | if (j == i) | |
1653 | ++i; | |
1654 | else | |
1655 | gcb.tuplcnt_arr[i++] = gcb.tuplcnt_arr[j]; | |
1656 | } | |
1657 | gcb.tplcnt = i; | |
1658 | ||
1659 | if (gcb.ksidcnt > OPENSSL_CLIENT_MAX_KEY_SHARES) { | |
1660 | ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, | |
1661 | "To many keyshares requested in '%s' (max = %d)", | |
1662 | str, OPENSSL_CLIENT_MAX_KEY_SHARES); | |
1663 | goto end; | |
1664 | } | |
1665 | ||
1666 | /* | |
1667 | * For backward compatibility we let the rest of the code know that a key share | |
1668 | * for the first valid group should be added if no "*" prefix was used anywhere | |
1669 | */ | |
1670 | if (gcb.gidcnt > 0 && gcb.ksidcnt == 0) { | |
1671 | /* | |
1672 | * No key share group prefix character was used, hence we indicate that a single | |
1673 | * key share should be sent and flag that it should come from the supported_groups list | |
1674 | */ | |
1675 | gcb.ksidcnt = 1; | |
1676 | gcb.ksid_arr[0] = 0; | |
1677 | } | |
1678 | ||
1679 | empty_list: | |
1680 | /* | |
1681 | * A call to tls1_set_groups_list with any of the args (other than ctx) set | |
1682 | * to NULL only does a syntax check, hence we're done here and report success | |
1683 | */ | |
1684 | if (grpext == NULL || ksext == NULL || tplext == NULL || | |
1685 | grpextlen == NULL || ksextlen == NULL || tplextlen == NULL) { | |
1686 | ret = 1; | |
1687 | goto end; | |
1688 | } | |
1689 | ||
1690 | /* | |
1691 | * tuple_cb and gid_cb combo ensures there are no duplicates or unknown groups so we | |
1692 | * can just go ahead and set the results (after diposing the existing) | |
1693 | */ | |
1694 | OPENSSL_free(*grpext); | |
1695 | *grpext = gcb.gid_arr; | |
1696 | *grpextlen = gcb.gidcnt; | |
1697 | OPENSSL_free(*ksext); | |
1698 | *ksext = gcb.ksid_arr; | |
1699 | *ksextlen = gcb.ksidcnt; | |
1700 | OPENSSL_free(*tplext); | |
1701 | *tplext = gcb.tuplcnt_arr; | |
1702 | *tplextlen = gcb.tplcnt; | |
1703 | ||
1704 | return 1; | |
1705 | ||
1706 | end: | |
1707 | OPENSSL_free(gcb.gid_arr); | |
1708 | OPENSSL_free(gcb.tuplcnt_arr); | |
1709 | OPENSSL_free(gcb.ksid_arr); | |
1710 | return ret; | |
1711 | } | |
1712 | ||
1713 | /* Check a group id matches preferences */ | |
1714 | int tls1_check_group_id(SSL_CONNECTION *s, uint16_t group_id, | |
1715 | int check_own_groups) | |
1716 | { | |
1717 | const uint16_t *groups; | |
1718 | size_t groups_len; | |
1719 | ||
1720 | if (group_id == 0) | |
1721 | return 0; | |
1722 | ||
1723 | /* Check for Suite B compliance */ | |
1724 | if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) { | |
1725 | unsigned long cid = s->s3.tmp.new_cipher->id; | |
1726 | ||
1727 | if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { | |
1728 | if (group_id != OSSL_TLS_GROUP_ID_secp256r1) | |
1729 | return 0; | |
1730 | } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { | |
1731 | if (group_id != OSSL_TLS_GROUP_ID_secp384r1) | |
1732 | return 0; | |
1733 | } else { | |
1734 | /* Should never happen */ | |
1735 | return 0; | |
1736 | } | |
1737 | } | |
1738 | ||
1739 | if (check_own_groups) { | |
1740 | /* Check group is one of our preferences */ | |
1741 | tls1_get_supported_groups(s, &groups, &groups_len); | |
1742 | if (!tls1_in_list(group_id, groups, groups_len)) | |
1743 | return 0; | |
1744 | } | |
1745 | ||
1746 | if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) | |
1747 | return 0; | |
1748 | ||
1749 | /* For clients, nothing more to check */ | |
1750 | if (!s->server) | |
1751 | return 1; | |
1752 | ||
1753 | /* Check group is one of peers preferences */ | |
1754 | tls1_get_peer_groups(s, &groups, &groups_len); | |
1755 | ||
1756 | /* | |
1757 | * RFC 4492 does not require the supported elliptic curves extension | |
1758 | * so if it is not sent we can just choose any curve. | |
1759 | * It is invalid to send an empty list in the supported groups | |
1760 | * extension, so groups_len == 0 always means no extension. | |
1761 | */ | |
1762 | if (groups_len == 0) | |
1763 | return 1; | |
1764 | return tls1_in_list(group_id, groups, groups_len); | |
1765 | } | |
1766 | ||
1767 | void tls1_get_formatlist(SSL_CONNECTION *s, const unsigned char **pformats, | |
1768 | size_t *num_formats) | |
1769 | { | |
1770 | /* | |
1771 | * If we have a custom point format list use it otherwise use default | |
1772 | */ | |
1773 | if (s->ext.ecpointformats) { | |
1774 | *pformats = s->ext.ecpointformats; | |
1775 | *num_formats = s->ext.ecpointformats_len; | |
1776 | } else if ((s->options & SSL_OP_LEGACY_EC_POINT_FORMATS) != 0) { | |
1777 | *pformats = ecformats_all; | |
1778 | /* For Suite B we don't support char2 fields */ | |
1779 | if (tls1_suiteb(s)) | |
1780 | *num_formats = sizeof(ecformats_all) - 1; | |
1781 | else | |
1782 | *num_formats = sizeof(ecformats_all); | |
1783 | } else { | |
1784 | *pformats = ecformats_default; | |
1785 | *num_formats = sizeof(ecformats_default); | |
1786 | } | |
1787 | } | |
1788 | ||
1789 | /* Check a key is compatible with compression extension */ | |
1790 | static int tls1_check_pkey_comp(SSL_CONNECTION *s, EVP_PKEY *pkey) | |
1791 | { | |
1792 | unsigned char comp_id; | |
1793 | size_t i; | |
1794 | int point_conv; | |
1795 | ||
1796 | /* If not an EC key nothing to check */ | |
1797 | if (!EVP_PKEY_is_a(pkey, "EC")) | |
1798 | return 1; | |
1799 | ||
1800 | ||
1801 | /* Get required compression id */ | |
1802 | point_conv = EVP_PKEY_get_ec_point_conv_form(pkey); | |
1803 | if (point_conv == 0) | |
1804 | return 0; | |
1805 | if (point_conv == POINT_CONVERSION_UNCOMPRESSED) { | |
1806 | comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; | |
1807 | } else if (SSL_CONNECTION_IS_TLS13(s)) { | |
1808 | /* | |
1809 | * ec_point_formats extension is not used in TLSv1.3 so we ignore | |
1810 | * this check. | |
1811 | */ | |
1812 | return 1; | |
1813 | } else { | |
1814 | int field_type = EVP_PKEY_get_field_type(pkey); | |
1815 | ||
1816 | if (field_type == NID_X9_62_prime_field) | |
1817 | comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; | |
1818 | else if (field_type == NID_X9_62_characteristic_two_field) | |
1819 | comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; | |
1820 | else | |
1821 | return 0; | |
1822 | } | |
1823 | /* | |
1824 | * If point formats extension present check it, otherwise everything is | |
1825 | * supported (see RFC4492). | |
1826 | */ | |
1827 | if (s->ext.peer_ecpointformats == NULL) | |
1828 | return 1; | |
1829 | ||
1830 | for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { | |
1831 | if (s->ext.peer_ecpointformats[i] == comp_id) | |
1832 | return 1; | |
1833 | } | |
1834 | return 0; | |
1835 | } | |
1836 | ||
1837 | /* Return group id of a key */ | |
1838 | static uint16_t tls1_get_group_id(EVP_PKEY *pkey) | |
1839 | { | |
1840 | int curve_nid = ssl_get_EC_curve_nid(pkey); | |
1841 | ||
1842 | if (curve_nid == NID_undef) | |
1843 | return 0; | |
1844 | return tls1_nid2group_id(curve_nid); | |
1845 | } | |
1846 | ||
1847 | /* | |
1848 | * Check cert parameters compatible with extensions: currently just checks EC | |
1849 | * certificates have compatible curves and compression. | |
1850 | */ | |
1851 | static int tls1_check_cert_param(SSL_CONNECTION *s, X509 *x, int check_ee_md) | |
1852 | { | |
1853 | uint16_t group_id; | |
1854 | EVP_PKEY *pkey; | |
1855 | pkey = X509_get0_pubkey(x); | |
1856 | if (pkey == NULL) | |
1857 | return 0; | |
1858 | /* If not EC nothing to do */ | |
1859 | if (!EVP_PKEY_is_a(pkey, "EC")) | |
1860 | return 1; | |
1861 | /* Check compression */ | |
1862 | if (!tls1_check_pkey_comp(s, pkey)) | |
1863 | return 0; | |
1864 | group_id = tls1_get_group_id(pkey); | |
1865 | /* | |
1866 | * For a server we allow the certificate to not be in our list of supported | |
1867 | * groups. | |
1868 | */ | |
1869 | if (!tls1_check_group_id(s, group_id, !s->server)) | |
1870 | return 0; | |
1871 | /* | |
1872 | * Special case for suite B. We *MUST* sign using SHA256+P-256 or | |
1873 | * SHA384+P-384. | |
1874 | */ | |
1875 | if (check_ee_md && tls1_suiteb(s)) { | |
1876 | int check_md; | |
1877 | size_t i; | |
1878 | ||
1879 | /* Check to see we have necessary signing algorithm */ | |
1880 | if (group_id == OSSL_TLS_GROUP_ID_secp256r1) | |
1881 | check_md = NID_ecdsa_with_SHA256; | |
1882 | else if (group_id == OSSL_TLS_GROUP_ID_secp384r1) | |
1883 | check_md = NID_ecdsa_with_SHA384; | |
1884 | else | |
1885 | return 0; /* Should never happen */ | |
1886 | for (i = 0; i < s->shared_sigalgslen; i++) { | |
1887 | if (check_md == s->shared_sigalgs[i]->sigandhash) | |
1888 | return 1; | |
1889 | } | |
1890 | return 0; | |
1891 | } | |
1892 | return 1; | |
1893 | } | |
1894 | ||
1895 | /* | |
1896 | * tls1_check_ec_tmp_key - Check EC temporary key compatibility | |
1897 | * @s: SSL connection | |
1898 | * @cid: Cipher ID we're considering using | |
1899 | * | |
1900 | * Checks that the kECDHE cipher suite we're considering using | |
1901 | * is compatible with the client extensions. | |
1902 | * | |
1903 | * Returns 0 when the cipher can't be used or 1 when it can. | |
1904 | */ | |
1905 | int tls1_check_ec_tmp_key(SSL_CONNECTION *s, unsigned long cid) | |
1906 | { | |
1907 | /* If not Suite B just need a shared group */ | |
1908 | if (!tls1_suiteb(s)) | |
1909 | return tls1_shared_group(s, 0) != 0; | |
1910 | /* | |
1911 | * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other | |
1912 | * curves permitted. | |
1913 | */ | |
1914 | if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) | |
1915 | return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp256r1, 1); | |
1916 | if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) | |
1917 | return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp384r1, 1); | |
1918 | ||
1919 | return 0; | |
1920 | } | |
1921 | ||
1922 | /* Default sigalg schemes */ | |
1923 | static const uint16_t tls12_sigalgs[] = { | |
1924 | TLSEXT_SIGALG_mldsa65, | |
1925 | TLSEXT_SIGALG_mldsa87, | |
1926 | TLSEXT_SIGALG_mldsa44, | |
1927 | TLSEXT_SIGALG_ecdsa_secp256r1_sha256, | |
1928 | TLSEXT_SIGALG_ecdsa_secp384r1_sha384, | |
1929 | TLSEXT_SIGALG_ecdsa_secp521r1_sha512, | |
1930 | TLSEXT_SIGALG_ed25519, | |
1931 | TLSEXT_SIGALG_ed448, | |
1932 | TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256, | |
1933 | TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384, | |
1934 | TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512, | |
1935 | ||
1936 | TLSEXT_SIGALG_rsa_pss_pss_sha256, | |
1937 | TLSEXT_SIGALG_rsa_pss_pss_sha384, | |
1938 | TLSEXT_SIGALG_rsa_pss_pss_sha512, | |
1939 | TLSEXT_SIGALG_rsa_pss_rsae_sha256, | |
1940 | TLSEXT_SIGALG_rsa_pss_rsae_sha384, | |
1941 | TLSEXT_SIGALG_rsa_pss_rsae_sha512, | |
1942 | ||
1943 | TLSEXT_SIGALG_rsa_pkcs1_sha256, | |
1944 | TLSEXT_SIGALG_rsa_pkcs1_sha384, | |
1945 | TLSEXT_SIGALG_rsa_pkcs1_sha512, | |
1946 | ||
1947 | TLSEXT_SIGALG_ecdsa_sha224, | |
1948 | TLSEXT_SIGALG_ecdsa_sha1, | |
1949 | ||
1950 | TLSEXT_SIGALG_rsa_pkcs1_sha224, | |
1951 | TLSEXT_SIGALG_rsa_pkcs1_sha1, | |
1952 | ||
1953 | TLSEXT_SIGALG_dsa_sha224, | |
1954 | TLSEXT_SIGALG_dsa_sha1, | |
1955 | ||
1956 | TLSEXT_SIGALG_dsa_sha256, | |
1957 | TLSEXT_SIGALG_dsa_sha384, | |
1958 | TLSEXT_SIGALG_dsa_sha512, | |
1959 | ||
1960 | #ifndef OPENSSL_NO_GOST | |
1961 | TLSEXT_SIGALG_gostr34102012_256_intrinsic, | |
1962 | TLSEXT_SIGALG_gostr34102012_512_intrinsic, | |
1963 | TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, | |
1964 | TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, | |
1965 | TLSEXT_SIGALG_gostr34102001_gostr3411, | |
1966 | #endif | |
1967 | }; | |
1968 | ||
1969 | ||
1970 | static const uint16_t suiteb_sigalgs[] = { | |
1971 | TLSEXT_SIGALG_ecdsa_secp256r1_sha256, | |
1972 | TLSEXT_SIGALG_ecdsa_secp384r1_sha384 | |
1973 | }; | |
1974 | ||
1975 | static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { | |
1976 | {TLSEXT_SIGALG_ecdsa_secp256r1_sha256_name, | |
1977 | "ECDSA+SHA256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, | |
1978 | NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, | |
1979 | NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1, 0, | |
1980 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
1981 | {TLSEXT_SIGALG_ecdsa_secp384r1_sha384_name, | |
1982 | "ECDSA+SHA384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384, | |
1983 | NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, | |
1984 | NID_ecdsa_with_SHA384, NID_secp384r1, 1, 0, | |
1985 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
1986 | {TLSEXT_SIGALG_ecdsa_secp521r1_sha512_name, | |
1987 | "ECDSA+SHA512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512, | |
1988 | NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, | |
1989 | NID_ecdsa_with_SHA512, NID_secp521r1, 1, 0, | |
1990 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
1991 | ||
1992 | {TLSEXT_SIGALG_ed25519_name, | |
1993 | NULL, TLSEXT_SIGALG_ed25519, | |
1994 | NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519, | |
1995 | NID_undef, NID_undef, 1, 0, | |
1996 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
1997 | {TLSEXT_SIGALG_ed448_name, | |
1998 | NULL, TLSEXT_SIGALG_ed448, | |
1999 | NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448, | |
2000 | NID_undef, NID_undef, 1, 0, | |
2001 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
2002 | ||
2003 | {TLSEXT_SIGALG_ecdsa_sha224_name, | |
2004 | "ECDSA+SHA224", TLSEXT_SIGALG_ecdsa_sha224, | |
2005 | NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, | |
2006 | NID_ecdsa_with_SHA224, NID_undef, 1, 0, | |
2007 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2008 | {TLSEXT_SIGALG_ecdsa_sha1_name, | |
2009 | "ECDSA+SHA1", TLSEXT_SIGALG_ecdsa_sha1, | |
2010 | NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, | |
2011 | NID_ecdsa_with_SHA1, NID_undef, 1, 0, | |
2012 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2013 | ||
2014 | {TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_name, | |
2015 | TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_alias, | |
2016 | TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256, | |
2017 | NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, | |
2018 | NID_ecdsa_with_SHA256, NID_brainpoolP256r1, 1, 0, | |
2019 | TLS1_3_VERSION, 0, -1, -1}, | |
2020 | {TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_name, | |
2021 | TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_alias, | |
2022 | TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384, | |
2023 | NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, | |
2024 | NID_ecdsa_with_SHA384, NID_brainpoolP384r1, 1, 0, | |
2025 | TLS1_3_VERSION, 0, -1, -1}, | |
2026 | {TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name, | |
2027 | TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_alias, | |
2028 | TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512, | |
2029 | NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, | |
2030 | NID_ecdsa_with_SHA512, NID_brainpoolP512r1, 1, 0, | |
2031 | TLS1_3_VERSION, 0, -1, -1}, | |
2032 | ||
2033 | {TLSEXT_SIGALG_rsa_pss_rsae_sha256_name, | |
2034 | "PSS+SHA256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, | |
2035 | NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, | |
2036 | NID_undef, NID_undef, 1, 0, | |
2037 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
2038 | {TLSEXT_SIGALG_rsa_pss_rsae_sha384_name, | |
2039 | "PSS+SHA384", TLSEXT_SIGALG_rsa_pss_rsae_sha384, | |
2040 | NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, | |
2041 | NID_undef, NID_undef, 1, 0, | |
2042 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
2043 | {TLSEXT_SIGALG_rsa_pss_rsae_sha512_name, | |
2044 | "PSS+SHA512", TLSEXT_SIGALG_rsa_pss_rsae_sha512, | |
2045 | NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, | |
2046 | NID_undef, NID_undef, 1, 0, | |
2047 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
2048 | ||
2049 | {TLSEXT_SIGALG_rsa_pss_pss_sha256_name, | |
2050 | NULL, TLSEXT_SIGALG_rsa_pss_pss_sha256, | |
2051 | NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, | |
2052 | NID_undef, NID_undef, 1, 0, | |
2053 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
2054 | {TLSEXT_SIGALG_rsa_pss_pss_sha384_name, | |
2055 | NULL, TLSEXT_SIGALG_rsa_pss_pss_sha384, | |
2056 | NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, | |
2057 | NID_undef, NID_undef, 1, 0, | |
2058 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
2059 | {TLSEXT_SIGALG_rsa_pss_pss_sha512_name, | |
2060 | NULL, TLSEXT_SIGALG_rsa_pss_pss_sha512, | |
2061 | NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, | |
2062 | NID_undef, NID_undef, 1, 0, | |
2063 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
2064 | ||
2065 | {TLSEXT_SIGALG_rsa_pkcs1_sha256_name, | |
2066 | "RSA+SHA256", TLSEXT_SIGALG_rsa_pkcs1_sha256, | |
2067 | NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, | |
2068 | NID_sha256WithRSAEncryption, NID_undef, 1, 0, | |
2069 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
2070 | {TLSEXT_SIGALG_rsa_pkcs1_sha384_name, | |
2071 | "RSA+SHA384", TLSEXT_SIGALG_rsa_pkcs1_sha384, | |
2072 | NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, | |
2073 | NID_sha384WithRSAEncryption, NID_undef, 1, 0, | |
2074 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
2075 | {TLSEXT_SIGALG_rsa_pkcs1_sha512_name, | |
2076 | "RSA+SHA512", TLSEXT_SIGALG_rsa_pkcs1_sha512, | |
2077 | NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, | |
2078 | NID_sha512WithRSAEncryption, NID_undef, 1, 0, | |
2079 | TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0}, | |
2080 | ||
2081 | {TLSEXT_SIGALG_rsa_pkcs1_sha224_name, | |
2082 | "RSA+SHA224", TLSEXT_SIGALG_rsa_pkcs1_sha224, | |
2083 | NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, | |
2084 | NID_sha224WithRSAEncryption, NID_undef, 1, 0, | |
2085 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2086 | {TLSEXT_SIGALG_rsa_pkcs1_sha1_name, | |
2087 | "RSA+SHA1", TLSEXT_SIGALG_rsa_pkcs1_sha1, | |
2088 | NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, | |
2089 | NID_sha1WithRSAEncryption, NID_undef, 1, 0, | |
2090 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2091 | ||
2092 | {TLSEXT_SIGALG_dsa_sha256_name, | |
2093 | "DSA+SHA256", TLSEXT_SIGALG_dsa_sha256, | |
2094 | NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, | |
2095 | NID_dsa_with_SHA256, NID_undef, 1, 0, | |
2096 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2097 | {TLSEXT_SIGALG_dsa_sha384_name, | |
2098 | "DSA+SHA384", TLSEXT_SIGALG_dsa_sha384, | |
2099 | NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, | |
2100 | NID_undef, NID_undef, 1, 0, | |
2101 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2102 | {TLSEXT_SIGALG_dsa_sha512_name, | |
2103 | "DSA+SHA512", TLSEXT_SIGALG_dsa_sha512, | |
2104 | NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, | |
2105 | NID_undef, NID_undef, 1, 0, | |
2106 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2107 | {TLSEXT_SIGALG_dsa_sha224_name, | |
2108 | "DSA+SHA224", TLSEXT_SIGALG_dsa_sha224, | |
2109 | NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, | |
2110 | NID_undef, NID_undef, 1, 0, | |
2111 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2112 | {TLSEXT_SIGALG_dsa_sha1_name, | |
2113 | "DSA+SHA1", TLSEXT_SIGALG_dsa_sha1, | |
2114 | NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, | |
2115 | NID_dsaWithSHA1, NID_undef, 1, 0, | |
2116 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2117 | ||
2118 | #ifndef OPENSSL_NO_GOST | |
2119 | {TLSEXT_SIGALG_gostr34102012_256_intrinsic_alias, /* RFC9189 */ | |
2120 | TLSEXT_SIGALG_gostr34102012_256_intrinsic_name, | |
2121 | TLSEXT_SIGALG_gostr34102012_256_intrinsic, | |
2122 | NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, | |
2123 | NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, | |
2124 | NID_undef, NID_undef, 1, 0, | |
2125 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2126 | {TLSEXT_SIGALG_gostr34102012_256_intrinsic_alias, /* RFC9189 */ | |
2127 | TLSEXT_SIGALG_gostr34102012_256_intrinsic_name, | |
2128 | TLSEXT_SIGALG_gostr34102012_512_intrinsic, | |
2129 | NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, | |
2130 | NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, | |
2131 | NID_undef, NID_undef, 1, 0, | |
2132 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2133 | ||
2134 | {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_name, | |
2135 | NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, | |
2136 | NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, | |
2137 | NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, | |
2138 | NID_undef, NID_undef, 1, 0, | |
2139 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2140 | {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_name, | |
2141 | NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, | |
2142 | NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, | |
2143 | NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, | |
2144 | NID_undef, NID_undef, 1, 0, | |
2145 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2146 | {TLSEXT_SIGALG_gostr34102001_gostr3411_name, | |
2147 | NULL, TLSEXT_SIGALG_gostr34102001_gostr3411, | |
2148 | NID_id_GostR3411_94, SSL_MD_GOST94_IDX, | |
2149 | NID_id_GostR3410_2001, SSL_PKEY_GOST01, | |
2150 | NID_undef, NID_undef, 1, 0, | |
2151 | TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION}, | |
2152 | #endif | |
2153 | }; | |
2154 | /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */ | |
2155 | static const SIGALG_LOOKUP legacy_rsa_sigalg = { | |
2156 | "rsa_pkcs1_md5_sha1", NULL, 0, | |
2157 | NID_md5_sha1, SSL_MD_MD5_SHA1_IDX, | |
2158 | EVP_PKEY_RSA, SSL_PKEY_RSA, | |
2159 | NID_undef, NID_undef, 1, 0, | |
2160 | TLS1_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION | |
2161 | }; | |
2162 | ||
2163 | /* | |
2164 | * Default signature algorithm values used if signature algorithms not present. | |
2165 | * From RFC5246. Note: order must match certificate index order. | |
2166 | */ | |
2167 | static const uint16_t tls_default_sigalg[] = { | |
2168 | TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ | |
2169 | 0, /* SSL_PKEY_RSA_PSS_SIGN */ | |
2170 | TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ | |
2171 | TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ | |
2172 | TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ | |
2173 | TLSEXT_SIGALG_gostr34102012_256_intrinsic, /* SSL_PKEY_GOST12_256 */ | |
2174 | TLSEXT_SIGALG_gostr34102012_512_intrinsic, /* SSL_PKEY_GOST12_512 */ | |
2175 | 0, /* SSL_PKEY_ED25519 */ | |
2176 | 0, /* SSL_PKEY_ED448 */ | |
2177 | }; | |
2178 | ||
2179 | int ssl_setup_sigalgs(SSL_CTX *ctx) | |
2180 | { | |
2181 | size_t i, cache_idx, sigalgs_len, enabled; | |
2182 | const SIGALG_LOOKUP *lu; | |
2183 | SIGALG_LOOKUP *cache = NULL; | |
2184 | uint16_t *tls12_sigalgs_list = NULL; | |
2185 | EVP_PKEY *tmpkey = EVP_PKEY_new(); | |
2186 | int istls; | |
2187 | int ret = 0; | |
2188 | ||
2189 | if (ctx == NULL) | |
2190 | goto err; | |
2191 | ||
2192 | istls = !SSL_CTX_IS_DTLS(ctx); | |
2193 | ||
2194 | sigalgs_len = OSSL_NELEM(sigalg_lookup_tbl) + ctx->sigalg_list_len; | |
2195 | ||
2196 | cache = OPENSSL_zalloc(sizeof(const SIGALG_LOOKUP) * sigalgs_len); | |
2197 | if (cache == NULL || tmpkey == NULL) | |
2198 | goto err; | |
2199 | ||
2200 | tls12_sigalgs_list = OPENSSL_zalloc(sizeof(uint16_t) * sigalgs_len); | |
2201 | if (tls12_sigalgs_list == NULL) | |
2202 | goto err; | |
2203 | ||
2204 | ERR_set_mark(); | |
2205 | /* First fill cache and tls12_sigalgs list from legacy algorithm list */ | |
2206 | for (i = 0, lu = sigalg_lookup_tbl; | |
2207 | i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { | |
2208 | EVP_PKEY_CTX *pctx; | |
2209 | ||
2210 | cache[i] = *lu; | |
2211 | ||
2212 | /* | |
2213 | * Check hash is available. | |
2214 | * This test is not perfect. A provider could have support | |
2215 | * for a signature scheme, but not a particular hash. However the hash | |
2216 | * could be available from some other loaded provider. In that case it | |
2217 | * could be that the signature is available, and the hash is available | |
2218 | * independently - but not as a combination. We ignore this for now. | |
2219 | */ | |
2220 | if (lu->hash != NID_undef | |
2221 | && ctx->ssl_digest_methods[lu->hash_idx] == NULL) { | |
2222 | cache[i].available = 0; | |
2223 | continue; | |
2224 | } | |
2225 | ||
2226 | if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { | |
2227 | cache[i].available = 0; | |
2228 | continue; | |
2229 | } | |
2230 | pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, tmpkey, ctx->propq); | |
2231 | /* If unable to create pctx we assume the sig algorithm is unavailable */ | |
2232 | if (pctx == NULL) | |
2233 | cache[i].available = 0; | |
2234 | EVP_PKEY_CTX_free(pctx); | |
2235 | } | |
2236 | ||
2237 | /* Now complete cache and tls12_sigalgs list with provider sig information */ | |
2238 | cache_idx = OSSL_NELEM(sigalg_lookup_tbl); | |
2239 | for (i = 0; i < ctx->sigalg_list_len; i++) { | |
2240 | TLS_SIGALG_INFO si = ctx->sigalg_list[i]; | |
2241 | cache[cache_idx].name = si.name; | |
2242 | cache[cache_idx].name12 = si.sigalg_name; | |
2243 | cache[cache_idx].sigalg = si.code_point; | |
2244 | tls12_sigalgs_list[cache_idx] = si.code_point; | |
2245 | cache[cache_idx].hash = si.hash_name?OBJ_txt2nid(si.hash_name):NID_undef; | |
2246 | cache[cache_idx].hash_idx = ssl_get_md_idx(cache[cache_idx].hash); | |
2247 | cache[cache_idx].sig = OBJ_txt2nid(si.sigalg_name); | |
2248 | cache[cache_idx].sig_idx = (int)(i + SSL_PKEY_NUM); | |
2249 | cache[cache_idx].sigandhash = OBJ_txt2nid(si.sigalg_name); | |
2250 | cache[cache_idx].curve = NID_undef; | |
2251 | cache[cache_idx].mintls = TLS1_3_VERSION; | |
2252 | cache[cache_idx].maxtls = TLS1_3_VERSION; | |
2253 | cache[cache_idx].mindtls = -1; | |
2254 | cache[cache_idx].maxdtls = -1; | |
2255 | /* Compatibility with TLS 1.3 is checked on load */ | |
2256 | cache[cache_idx].available = istls; | |
2257 | cache[cache_idx].advertise = 0; | |
2258 | cache_idx++; | |
2259 | } | |
2260 | ERR_pop_to_mark(); | |
2261 | ||
2262 | enabled = 0; | |
2263 | for (i = 0; i < OSSL_NELEM(tls12_sigalgs); ++i) { | |
2264 | SIGALG_LOOKUP *ent = cache; | |
2265 | size_t j; | |
2266 | ||
2267 | for (j = 0; j < sigalgs_len; ent++, j++) { | |
2268 | if (ent->sigalg != tls12_sigalgs[i]) | |
2269 | continue; | |
2270 | /* Dedup by marking cache entry as default enabled. */ | |
2271 | if (ent->available && !ent->advertise) { | |
2272 | ent->advertise = 1; | |
2273 | tls12_sigalgs_list[enabled++] = tls12_sigalgs[i]; | |
2274 | } | |
2275 | break; | |
2276 | } | |
2277 | } | |
2278 | ||
2279 | /* Append any provider sigalgs not yet handled */ | |
2280 | for (i = OSSL_NELEM(sigalg_lookup_tbl); i < sigalgs_len; ++i) { | |
2281 | SIGALG_LOOKUP *ent = &cache[i]; | |
2282 | ||
2283 | if (ent->available && !ent->advertise) | |
2284 | tls12_sigalgs_list[enabled++] = ent->sigalg; | |
2285 | } | |
2286 | ||
2287 | ctx->sigalg_lookup_cache = cache; | |
2288 | ctx->sigalg_lookup_cache_len = sigalgs_len; | |
2289 | ctx->tls12_sigalgs = tls12_sigalgs_list; | |
2290 | ctx->tls12_sigalgs_len = enabled; | |
2291 | cache = NULL; | |
2292 | tls12_sigalgs_list = NULL; | |
2293 | ||
2294 | ret = 1; | |
2295 | err: | |
2296 | OPENSSL_free(cache); | |
2297 | OPENSSL_free(tls12_sigalgs_list); | |
2298 | EVP_PKEY_free(tmpkey); | |
2299 | return ret; | |
2300 | } | |
2301 | ||
2302 | #define SIGLEN_BUF_INCREMENT 100 | |
2303 | ||
2304 | char *SSL_get1_builtin_sigalgs(OSSL_LIB_CTX *libctx) | |
2305 | { | |
2306 | size_t i, maxretlen = SIGLEN_BUF_INCREMENT; | |
2307 | const SIGALG_LOOKUP *lu; | |
2308 | EVP_PKEY *tmpkey = EVP_PKEY_new(); | |
2309 | char *retval = OPENSSL_malloc(maxretlen); | |
2310 | ||
2311 | if (retval == NULL) | |
2312 | return NULL; | |
2313 | ||
2314 | /* ensure retval string is NUL terminated */ | |
2315 | retval[0] = (char)0; | |
2316 | ||
2317 | for (i = 0, lu = sigalg_lookup_tbl; | |
2318 | i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { | |
2319 | EVP_PKEY_CTX *pctx; | |
2320 | int enabled = 1; | |
2321 | ||
2322 | ERR_set_mark(); | |
2323 | /* Check hash is available in some provider. */ | |
2324 | if (lu->hash != NID_undef) { | |
2325 | EVP_MD *hash = EVP_MD_fetch(libctx, OBJ_nid2ln(lu->hash), NULL); | |
2326 | ||
2327 | /* If unable to create we assume the hash algorithm is unavailable */ | |
2328 | if (hash == NULL) { | |
2329 | enabled = 0; | |
2330 | ERR_pop_to_mark(); | |
2331 | continue; | |
2332 | } | |
2333 | EVP_MD_free(hash); | |
2334 | } | |
2335 | ||
2336 | if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { | |
2337 | enabled = 0; | |
2338 | ERR_pop_to_mark(); | |
2339 | continue; | |
2340 | } | |
2341 | pctx = EVP_PKEY_CTX_new_from_pkey(libctx, tmpkey, NULL); | |
2342 | /* If unable to create pctx we assume the sig algorithm is unavailable */ | |
2343 | if (pctx == NULL) | |
2344 | enabled = 0; | |
2345 | ERR_pop_to_mark(); | |
2346 | EVP_PKEY_CTX_free(pctx); | |
2347 | ||
2348 | if (enabled) { | |
2349 | const char *sa = lu->name; | |
2350 | ||
2351 | if (sa != NULL) { | |
2352 | if (strlen(sa) + strlen(retval) + 1 >= maxretlen) { | |
2353 | char *tmp; | |
2354 | ||
2355 | maxretlen += SIGLEN_BUF_INCREMENT; | |
2356 | tmp = OPENSSL_realloc(retval, maxretlen); | |
2357 | if (tmp == NULL) { | |
2358 | OPENSSL_free(retval); | |
2359 | return NULL; | |
2360 | } | |
2361 | retval = tmp; | |
2362 | } | |
2363 | if (strlen(retval) > 0) | |
2364 | OPENSSL_strlcat(retval, ":", maxretlen); | |
2365 | OPENSSL_strlcat(retval, sa, maxretlen); | |
2366 | } else { | |
2367 | /* lu->name must not be NULL */ | |
2368 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); | |
2369 | } | |
2370 | } | |
2371 | } | |
2372 | ||
2373 | EVP_PKEY_free(tmpkey); | |
2374 | return retval; | |
2375 | } | |
2376 | ||
2377 | /* Lookup TLS signature algorithm */ | |
2378 | static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL_CTX *ctx, | |
2379 | uint16_t sigalg) | |
2380 | { | |
2381 | size_t i; | |
2382 | const SIGALG_LOOKUP *lu = ctx->sigalg_lookup_cache; | |
2383 | ||
2384 | for (i = 0; i < ctx->sigalg_lookup_cache_len; lu++, i++) { | |
2385 | if (lu->sigalg == sigalg) { | |
2386 | if (!lu->available) | |
2387 | return NULL; | |
2388 | return lu; | |
2389 | } | |
2390 | } | |
2391 | return NULL; | |
2392 | } | |
2393 | ||
2394 | /* Lookup hash: return 0 if invalid or not enabled */ | |
2395 | int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd) | |
2396 | { | |
2397 | const EVP_MD *md; | |
2398 | ||
2399 | if (lu == NULL) | |
2400 | return 0; | |
2401 | /* lu->hash == NID_undef means no associated digest */ | |
2402 | if (lu->hash == NID_undef) { | |
2403 | md = NULL; | |
2404 | } else { | |
2405 | md = ssl_md(ctx, lu->hash_idx); | |
2406 | if (md == NULL) | |
2407 | return 0; | |
2408 | } | |
2409 | if (pmd) | |
2410 | *pmd = md; | |
2411 | return 1; | |
2412 | } | |
2413 | ||
2414 | /* | |
2415 | * Check if key is large enough to generate RSA-PSS signature. | |
2416 | * | |
2417 | * The key must greater than or equal to 2 * hash length + 2. | |
2418 | * SHA512 has a hash length of 64 bytes, which is incompatible | |
2419 | * with a 128 byte (1024 bit) key. | |
2420 | */ | |
2421 | #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2) | |
2422 | static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey, | |
2423 | const SIGALG_LOOKUP *lu) | |
2424 | { | |
2425 | const EVP_MD *md; | |
2426 | ||
2427 | if (pkey == NULL) | |
2428 | return 0; | |
2429 | if (!tls1_lookup_md(ctx, lu, &md) || md == NULL) | |
2430 | return 0; | |
2431 | if (EVP_MD_get_size(md) <= 0) | |
2432 | return 0; | |
2433 | if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md)) | |
2434 | return 0; | |
2435 | return 1; | |
2436 | } | |
2437 | ||
2438 | /* | |
2439 | * Returns a signature algorithm when the peer did not send a list of supported | |
2440 | * signature algorithms. The signature algorithm is fixed for the certificate | |
2441 | * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the | |
2442 | * certificate type from |s| will be used. | |
2443 | * Returns the signature algorithm to use, or NULL on error. | |
2444 | */ | |
2445 | static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL_CONNECTION *s, | |
2446 | int idx) | |
2447 | { | |
2448 | if (idx == -1) { | |
2449 | if (s->server) { | |
2450 | size_t i; | |
2451 | ||
2452 | /* Work out index corresponding to ciphersuite */ | |
2453 | for (i = 0; i < s->ssl_pkey_num; i++) { | |
2454 | const SSL_CERT_LOOKUP *clu | |
2455 | = ssl_cert_lookup_by_idx(i, SSL_CONNECTION_GET_CTX(s)); | |
2456 | ||
2457 | if (clu == NULL) | |
2458 | continue; | |
2459 | if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) { | |
2460 | idx = (int)i; | |
2461 | break; | |
2462 | } | |
2463 | } | |
2464 | ||
2465 | /* | |
2466 | * Some GOST ciphersuites allow more than one signature algorithms | |
2467 | * */ | |
2468 | if (idx == SSL_PKEY_GOST01 && s->s3.tmp.new_cipher->algorithm_auth != SSL_aGOST01) { | |
2469 | int real_idx; | |
2470 | ||
2471 | for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01; | |
2472 | real_idx--) { | |
2473 | if (s->cert->pkeys[real_idx].privatekey != NULL) { | |
2474 | idx = real_idx; | |
2475 | break; | |
2476 | } | |
2477 | } | |
2478 | } | |
2479 | /* | |
2480 | * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used | |
2481 | * with new (aGOST12-only) ciphersuites, we should find out which one is available really. | |
2482 | */ | |
2483 | else if (idx == SSL_PKEY_GOST12_256) { | |
2484 | int real_idx; | |
2485 | ||
2486 | for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256; | |
2487 | real_idx--) { | |
2488 | if (s->cert->pkeys[real_idx].privatekey != NULL) { | |
2489 | idx = real_idx; | |
2490 | break; | |
2491 | } | |
2492 | } | |
2493 | } | |
2494 | } else { | |
2495 | idx = (int)(s->cert->key - s->cert->pkeys); | |
2496 | } | |
2497 | } | |
2498 | if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) | |
2499 | return NULL; | |
2500 | ||
2501 | if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { | |
2502 | const SIGALG_LOOKUP *lu = | |
2503 | tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), | |
2504 | tls_default_sigalg[idx]); | |
2505 | ||
2506 | if (lu == NULL) | |
2507 | return NULL; | |
2508 | if (!tls1_lookup_md(SSL_CONNECTION_GET_CTX(s), lu, NULL)) | |
2509 | return NULL; | |
2510 | if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) | |
2511 | return NULL; | |
2512 | return lu; | |
2513 | } | |
2514 | if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg)) | |
2515 | return NULL; | |
2516 | return &legacy_rsa_sigalg; | |
2517 | } | |
2518 | /* Set peer sigalg based key type */ | |
2519 | int tls1_set_peer_legacy_sigalg(SSL_CONNECTION *s, const EVP_PKEY *pkey) | |
2520 | { | |
2521 | size_t idx; | |
2522 | const SIGALG_LOOKUP *lu; | |
2523 | ||
2524 | if (ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)) == NULL) | |
2525 | return 0; | |
2526 | lu = tls1_get_legacy_sigalg(s, (int)idx); | |
2527 | if (lu == NULL) | |
2528 | return 0; | |
2529 | s->s3.tmp.peer_sigalg = lu; | |
2530 | return 1; | |
2531 | } | |
2532 | ||
2533 | size_t tls12_get_psigalgs(SSL_CONNECTION *s, int sent, const uint16_t **psigs) | |
2534 | { | |
2535 | /* | |
2536 | * If Suite B mode use Suite B sigalgs only, ignore any other | |
2537 | * preferences. | |
2538 | */ | |
2539 | switch (tls1_suiteb(s)) { | |
2540 | case SSL_CERT_FLAG_SUITEB_128_LOS: | |
2541 | *psigs = suiteb_sigalgs; | |
2542 | return OSSL_NELEM(suiteb_sigalgs); | |
2543 | ||
2544 | case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: | |
2545 | *psigs = suiteb_sigalgs; | |
2546 | return 1; | |
2547 | ||
2548 | case SSL_CERT_FLAG_SUITEB_192_LOS: | |
2549 | *psigs = suiteb_sigalgs + 1; | |
2550 | return 1; | |
2551 | } | |
2552 | /* | |
2553 | * We use client_sigalgs (if not NULL) if we're a server | |
2554 | * and sending a certificate request or if we're a client and | |
2555 | * determining which shared algorithm to use. | |
2556 | */ | |
2557 | if ((s->server == sent) && s->cert->client_sigalgs != NULL) { | |
2558 | *psigs = s->cert->client_sigalgs; | |
2559 | return s->cert->client_sigalgslen; | |
2560 | } else if (s->cert->conf_sigalgs) { | |
2561 | *psigs = s->cert->conf_sigalgs; | |
2562 | return s->cert->conf_sigalgslen; | |
2563 | } else { | |
2564 | *psigs = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs; | |
2565 | return SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs_len; | |
2566 | } | |
2567 | } | |
2568 | ||
2569 | /* | |
2570 | * Called by servers only. Checks that we have a sig alg that supports the | |
2571 | * specified EC curve. | |
2572 | */ | |
2573 | int tls_check_sigalg_curve(const SSL_CONNECTION *s, int curve) | |
2574 | { | |
2575 | const uint16_t *sigs; | |
2576 | size_t siglen, i; | |
2577 | ||
2578 | if (s->cert->conf_sigalgs) { | |
2579 | sigs = s->cert->conf_sigalgs; | |
2580 | siglen = s->cert->conf_sigalgslen; | |
2581 | } else { | |
2582 | sigs = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs; | |
2583 | siglen = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs_len; | |
2584 | } | |
2585 | ||
2586 | for (i = 0; i < siglen; i++) { | |
2587 | const SIGALG_LOOKUP *lu = | |
2588 | tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), sigs[i]); | |
2589 | ||
2590 | if (lu == NULL) | |
2591 | continue; | |
2592 | if (lu->sig == EVP_PKEY_EC | |
2593 | && lu->curve != NID_undef | |
2594 | && curve == lu->curve) | |
2595 | return 1; | |
2596 | } | |
2597 | ||
2598 | return 0; | |
2599 | } | |
2600 | ||
2601 | /* | |
2602 | * Return the number of security bits for the signature algorithm, or 0 on | |
2603 | * error. | |
2604 | */ | |
2605 | static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu) | |
2606 | { | |
2607 | const EVP_MD *md = NULL; | |
2608 | int secbits = 0; | |
2609 | ||
2610 | if (!tls1_lookup_md(ctx, lu, &md)) | |
2611 | return 0; | |
2612 | if (md != NULL) | |
2613 | { | |
2614 | int md_type = EVP_MD_get_type(md); | |
2615 | ||
2616 | /* Security bits: half digest bits */ | |
2617 | secbits = EVP_MD_get_size(md) * 4; | |
2618 | if (secbits <= 0) | |
2619 | return 0; | |
2620 | /* | |
2621 | * SHA1 and MD5 are known to be broken. Reduce security bits so that | |
2622 | * they're no longer accepted at security level 1. The real values don't | |
2623 | * really matter as long as they're lower than 80, which is our | |
2624 | * security level 1. | |
2625 | * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for | |
2626 | * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2 | |
2627 | * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf | |
2628 | * puts a chosen-prefix attack for MD5 at 2^39. | |
2629 | */ | |
2630 | if (md_type == NID_sha1) | |
2631 | secbits = 64; | |
2632 | else if (md_type == NID_md5_sha1) | |
2633 | secbits = 67; | |
2634 | else if (md_type == NID_md5) | |
2635 | secbits = 39; | |
2636 | } else { | |
2637 | /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ | |
2638 | if (lu->sigalg == TLSEXT_SIGALG_ed25519) | |
2639 | secbits = 128; | |
2640 | else if (lu->sigalg == TLSEXT_SIGALG_ed448) | |
2641 | secbits = 224; | |
2642 | } | |
2643 | /* | |
2644 | * For provider-based sigalgs we have secbits information available | |
2645 | * in the (provider-loaded) sigalg_list structure | |
2646 | */ | |
2647 | if ((secbits == 0) && (lu->sig_idx >= SSL_PKEY_NUM) | |
2648 | && ((lu->sig_idx - SSL_PKEY_NUM) < (int)ctx->sigalg_list_len)) { | |
2649 | secbits = ctx->sigalg_list[lu->sig_idx - SSL_PKEY_NUM].secbits; | |
2650 | } | |
2651 | return secbits; | |
2652 | } | |
2653 | ||
2654 | static int tls_sigalg_compat(SSL_CONNECTION *sc, const SIGALG_LOOKUP *lu) | |
2655 | { | |
2656 | int minversion, maxversion; | |
2657 | int minproto, maxproto; | |
2658 | ||
2659 | if (!lu->available) | |
2660 | return 0; | |
2661 | ||
2662 | if (SSL_CONNECTION_IS_DTLS(sc)) { | |
2663 | if (sc->ssl.method->version == DTLS_ANY_VERSION) { | |
2664 | minproto = sc->min_proto_version; | |
2665 | maxproto = sc->max_proto_version; | |
2666 | } else { | |
2667 | maxproto = minproto = sc->version; | |
2668 | } | |
2669 | minversion = lu->mindtls; | |
2670 | maxversion = lu->maxdtls; | |
2671 | } else { | |
2672 | if (sc->ssl.method->version == TLS_ANY_VERSION) { | |
2673 | minproto = sc->min_proto_version; | |
2674 | maxproto = sc->max_proto_version; | |
2675 | } else { | |
2676 | maxproto = minproto = sc->version; | |
2677 | } | |
2678 | minversion = lu->mintls; | |
2679 | maxversion = lu->maxtls; | |
2680 | } | |
2681 | if (minversion == -1 || maxversion == -1 | |
2682 | || (minversion != 0 && maxproto != 0 | |
2683 | && ssl_version_cmp(sc, minversion, maxproto) > 0) | |
2684 | || (maxversion != 0 && minproto != 0 | |
2685 | && ssl_version_cmp(sc, maxversion, minproto) < 0) | |
2686 | || !tls12_sigalg_allowed(sc, SSL_SECOP_SIGALG_SUPPORTED, lu)) | |
2687 | return 0; | |
2688 | return 1; | |
2689 | } | |
2690 | ||
2691 | /* | |
2692 | * Check signature algorithm is consistent with sent supported signature | |
2693 | * algorithms and if so set relevant digest and signature scheme in | |
2694 | * s. | |
2695 | */ | |
2696 | int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey) | |
2697 | { | |
2698 | const uint16_t *sent_sigs; | |
2699 | const EVP_MD *md = NULL; | |
2700 | char sigalgstr[2]; | |
2701 | size_t sent_sigslen, i, cidx; | |
2702 | int pkeyid = -1; | |
2703 | const SIGALG_LOOKUP *lu; | |
2704 | int secbits = 0; | |
2705 | ||
2706 | pkeyid = EVP_PKEY_get_id(pkey); | |
2707 | ||
2708 | if (SSL_CONNECTION_IS_TLS13(s)) { | |
2709 | /* Disallow DSA for TLS 1.3 */ | |
2710 | if (pkeyid == EVP_PKEY_DSA) { | |
2711 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); | |
2712 | return 0; | |
2713 | } | |
2714 | /* Only allow PSS for TLS 1.3 */ | |
2715 | if (pkeyid == EVP_PKEY_RSA) | |
2716 | pkeyid = EVP_PKEY_RSA_PSS; | |
2717 | } | |
2718 | ||
2719 | /* Is this code point available and compatible with the protocol */ | |
2720 | lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), sig); | |
2721 | if (lu == NULL || !tls_sigalg_compat(s, lu)) { | |
2722 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); | |
2723 | return 0; | |
2724 | } | |
2725 | ||
2726 | /* if this sigalg is loaded, set so far unknown pkeyid to its sig NID */ | |
2727 | if (pkeyid == EVP_PKEY_KEYMGMT) | |
2728 | pkeyid = lu->sig; | |
2729 | ||
2730 | /* Should never happen */ | |
2731 | if (pkeyid == -1) { | |
2732 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); | |
2733 | return -1; | |
2734 | } | |
2735 | ||
2736 | /* | |
2737 | * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type | |
2738 | * is consistent with signature: RSA keys can be used for RSA-PSS | |
2739 | */ | |
2740 | if ((SSL_CONNECTION_IS_TLS13(s) | |
2741 | && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) | |
2742 | || (pkeyid != lu->sig | |
2743 | && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { | |
2744 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); | |
2745 | return 0; | |
2746 | } | |
2747 | /* Check the sigalg is consistent with the key OID */ | |
2748 | if (!ssl_cert_lookup_by_nid( | |
2749 | (pkeyid == EVP_PKEY_RSA_PSS) ? EVP_PKEY_get_id(pkey) : pkeyid, | |
2750 | &cidx, SSL_CONNECTION_GET_CTX(s)) | |
2751 | || lu->sig_idx != (int)cidx) { | |
2752 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); | |
2753 | return 0; | |
2754 | } | |
2755 | ||
2756 | if (pkeyid == EVP_PKEY_EC) { | |
2757 | ||
2758 | /* Check point compression is permitted */ | |
2759 | if (!tls1_check_pkey_comp(s, pkey)) { | |
2760 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, | |
2761 | SSL_R_ILLEGAL_POINT_COMPRESSION); | |
2762 | return 0; | |
2763 | } | |
2764 | ||
2765 | /* For TLS 1.3 or Suite B check curve matches signature algorithm */ | |
2766 | if (SSL_CONNECTION_IS_TLS13(s) || tls1_suiteb(s)) { | |
2767 | int curve = ssl_get_EC_curve_nid(pkey); | |
2768 | ||
2769 | if (lu->curve != NID_undef && curve != lu->curve) { | |
2770 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); | |
2771 | return 0; | |
2772 | } | |
2773 | } | |
2774 | if (!SSL_CONNECTION_IS_TLS13(s)) { | |
2775 | /* Check curve matches extensions */ | |
2776 | if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { | |
2777 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); | |
2778 | return 0; | |
2779 | } | |
2780 | if (tls1_suiteb(s)) { | |
2781 | /* Check sigalg matches a permissible Suite B value */ | |
2782 | if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 | |
2783 | && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { | |
2784 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, | |
2785 | SSL_R_WRONG_SIGNATURE_TYPE); | |
2786 | return 0; | |
2787 | } | |
2788 | } | |
2789 | } | |
2790 | } else if (tls1_suiteb(s)) { | |
2791 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); | |
2792 | return 0; | |
2793 | } | |
2794 | ||
2795 | /* Check signature matches a type we sent */ | |
2796 | sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); | |
2797 | for (i = 0; i < sent_sigslen; i++, sent_sigs++) { | |
2798 | if (sig == *sent_sigs) | |
2799 | break; | |
2800 | } | |
2801 | /* Allow fallback to SHA1 if not strict mode */ | |
2802 | if (i == sent_sigslen && (lu->hash != NID_sha1 | |
2803 | || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { | |
2804 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); | |
2805 | return 0; | |
2806 | } | |
2807 | if (!tls1_lookup_md(SSL_CONNECTION_GET_CTX(s), lu, &md)) { | |
2808 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); | |
2809 | return 0; | |
2810 | } | |
2811 | /* | |
2812 | * Make sure security callback allows algorithm. For historical | |
2813 | * reasons we have to pass the sigalg as a two byte char array. | |
2814 | */ | |
2815 | sigalgstr[0] = (sig >> 8) & 0xff; | |
2816 | sigalgstr[1] = sig & 0xff; | |
2817 | secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); | |
2818 | if (secbits == 0 || | |
2819 | !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, | |
2820 | md != NULL ? EVP_MD_get_type(md) : NID_undef, | |
2821 | (void *)sigalgstr)) { | |
2822 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); | |
2823 | return 0; | |
2824 | } | |
2825 | /* Store the sigalg the peer uses */ | |
2826 | s->s3.tmp.peer_sigalg = lu; | |
2827 | return 1; | |
2828 | } | |
2829 | ||
2830 | int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) | |
2831 | { | |
2832 | const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); | |
2833 | ||
2834 | if (sc == NULL) | |
2835 | return 0; | |
2836 | ||
2837 | if (sc->s3.tmp.peer_sigalg == NULL) | |
2838 | return 0; | |
2839 | *pnid = sc->s3.tmp.peer_sigalg->sig; | |
2840 | return 1; | |
2841 | } | |
2842 | ||
2843 | int SSL_get_signature_type_nid(const SSL *s, int *pnid) | |
2844 | { | |
2845 | const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); | |
2846 | ||
2847 | if (sc == NULL) | |
2848 | return 0; | |
2849 | ||
2850 | if (sc->s3.tmp.sigalg == NULL) | |
2851 | return 0; | |
2852 | *pnid = sc->s3.tmp.sigalg->sig; | |
2853 | return 1; | |
2854 | } | |
2855 | ||
2856 | /* | |
2857 | * Set a mask of disabled algorithms: an algorithm is disabled if it isn't | |
2858 | * supported, doesn't appear in supported signature algorithms, isn't supported | |
2859 | * by the enabled protocol versions or by the security level. | |
2860 | * | |
2861 | * This function should only be used for checking which ciphers are supported | |
2862 | * by the client. | |
2863 | * | |
2864 | * Call ssl_cipher_disabled() to check that it's enabled or not. | |
2865 | */ | |
2866 | int ssl_set_client_disabled(SSL_CONNECTION *s) | |
2867 | { | |
2868 | s->s3.tmp.mask_a = 0; | |
2869 | s->s3.tmp.mask_k = 0; | |
2870 | ssl_set_sig_mask(&s->s3.tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); | |
2871 | if (ssl_get_min_max_version(s, &s->s3.tmp.min_ver, | |
2872 | &s->s3.tmp.max_ver, NULL) != 0) | |
2873 | return 0; | |
2874 | #ifndef OPENSSL_NO_PSK | |
2875 | /* with PSK there must be client callback set */ | |
2876 | if (!s->psk_client_callback) { | |
2877 | s->s3.tmp.mask_a |= SSL_aPSK; | |
2878 | s->s3.tmp.mask_k |= SSL_PSK; | |
2879 | } | |
2880 | #endif /* OPENSSL_NO_PSK */ | |
2881 | #ifndef OPENSSL_NO_SRP | |
2882 | if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) { | |
2883 | s->s3.tmp.mask_a |= SSL_aSRP; | |
2884 | s->s3.tmp.mask_k |= SSL_kSRP; | |
2885 | } | |
2886 | #endif | |
2887 | return 1; | |
2888 | } | |
2889 | ||
2890 | /* | |
2891 | * ssl_cipher_disabled - check that a cipher is disabled or not | |
2892 | * @s: SSL connection that you want to use the cipher on | |
2893 | * @c: cipher to check | |
2894 | * @op: Security check that you want to do | |
2895 | * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3 | |
2896 | * | |
2897 | * Returns 1 when it's disabled, 0 when enabled. | |
2898 | */ | |
2899 | int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c, | |
2900 | int op, int ecdhe) | |
2901 | { | |
2902 | int minversion = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls; | |
2903 | int maxversion = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls; | |
2904 | ||
2905 | if (c->algorithm_mkey & s->s3.tmp.mask_k | |
2906 | || c->algorithm_auth & s->s3.tmp.mask_a) | |
2907 | return 1; | |
2908 | if (s->s3.tmp.max_ver == 0) | |
2909 | return 1; | |
2910 | ||
2911 | if (SSL_IS_QUIC_INT_HANDSHAKE(s)) | |
2912 | /* For QUIC, only allow these ciphersuites. */ | |
2913 | switch (SSL_CIPHER_get_id(c)) { | |
2914 | case TLS1_3_CK_AES_128_GCM_SHA256: | |
2915 | case TLS1_3_CK_AES_256_GCM_SHA384: | |
2916 | case TLS1_3_CK_CHACHA20_POLY1305_SHA256: | |
2917 | break; | |
2918 | default: | |
2919 | return 1; | |
2920 | } | |
2921 | ||
2922 | /* | |
2923 | * For historical reasons we will allow ECHDE to be selected by a server | |
2924 | * in SSLv3 if we are a client | |
2925 | */ | |
2926 | if (minversion == TLS1_VERSION | |
2927 | && ecdhe | |
2928 | && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0) | |
2929 | minversion = SSL3_VERSION; | |
2930 | ||
2931 | if (ssl_version_cmp(s, minversion, s->s3.tmp.max_ver) > 0 | |
2932 | || ssl_version_cmp(s, maxversion, s->s3.tmp.min_ver) < 0) | |
2933 | return 1; | |
2934 | ||
2935 | return !ssl_security(s, op, c->strength_bits, 0, (void *)c); | |
2936 | } | |
2937 | ||
2938 | int tls_use_ticket(SSL_CONNECTION *s) | |
2939 | { | |
2940 | if ((s->options & SSL_OP_NO_TICKET)) | |
2941 | return 0; | |
2942 | return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); | |
2943 | } | |
2944 | ||
2945 | int tls1_set_server_sigalgs(SSL_CONNECTION *s) | |
2946 | { | |
2947 | size_t i; | |
2948 | ||
2949 | /* Clear any shared signature algorithms */ | |
2950 | OPENSSL_free(s->shared_sigalgs); | |
2951 | s->shared_sigalgs = NULL; | |
2952 | s->shared_sigalgslen = 0; | |
2953 | ||
2954 | /* Clear certificate validity flags */ | |
2955 | if (s->s3.tmp.valid_flags) | |
2956 | memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t)); | |
2957 | else | |
2958 | s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t)); | |
2959 | if (s->s3.tmp.valid_flags == NULL) | |
2960 | return 0; | |
2961 | /* | |
2962 | * If peer sent no signature algorithms check to see if we support | |
2963 | * the default algorithm for each certificate type | |
2964 | */ | |
2965 | if (s->s3.tmp.peer_cert_sigalgs == NULL | |
2966 | && s->s3.tmp.peer_sigalgs == NULL) { | |
2967 | const uint16_t *sent_sigs; | |
2968 | size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); | |
2969 | ||
2970 | for (i = 0; i < s->ssl_pkey_num; i++) { | |
2971 | const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, (int)i); | |
2972 | size_t j; | |
2973 | ||
2974 | if (lu == NULL) | |
2975 | continue; | |
2976 | /* Check default matches a type we sent */ | |
2977 | for (j = 0; j < sent_sigslen; j++) { | |
2978 | if (lu->sigalg == sent_sigs[j]) { | |
2979 | s->s3.tmp.valid_flags[i] = CERT_PKEY_SIGN; | |
2980 | break; | |
2981 | } | |
2982 | } | |
2983 | } | |
2984 | return 1; | |
2985 | } | |
2986 | ||
2987 | if (!tls1_process_sigalgs(s)) { | |
2988 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
2989 | return 0; | |
2990 | } | |
2991 | if (s->shared_sigalgs != NULL) | |
2992 | return 1; | |
2993 | ||
2994 | /* Fatal error if no shared signature algorithms */ | |
2995 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, | |
2996 | SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); | |
2997 | return 0; | |
2998 | } | |
2999 | ||
3000 | /*- | |
3001 | * Gets the ticket information supplied by the client if any. | |
3002 | * | |
3003 | * hello: The parsed ClientHello data | |
3004 | * ret: (output) on return, if a ticket was decrypted, then this is set to | |
3005 | * point to the resulting session. | |
3006 | */ | |
3007 | SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s, | |
3008 | CLIENTHELLO_MSG *hello, | |
3009 | SSL_SESSION **ret) | |
3010 | { | |
3011 | size_t size; | |
3012 | RAW_EXTENSION *ticketext; | |
3013 | ||
3014 | *ret = NULL; | |
3015 | s->ext.ticket_expected = 0; | |
3016 | ||
3017 | /* | |
3018 | * If tickets disabled or not supported by the protocol version | |
3019 | * (e.g. TLSv1.3) behave as if no ticket present to permit stateful | |
3020 | * resumption. | |
3021 | */ | |
3022 | if (s->version <= SSL3_VERSION || !tls_use_ticket(s)) | |
3023 | return SSL_TICKET_NONE; | |
3024 | ||
3025 | ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket]; | |
3026 | if (!ticketext->present) | |
3027 | return SSL_TICKET_NONE; | |
3028 | ||
3029 | size = PACKET_remaining(&ticketext->data); | |
3030 | ||
3031 | return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size, | |
3032 | hello->session_id, hello->session_id_len, ret); | |
3033 | } | |
3034 | ||
3035 | /*- | |
3036 | * tls_decrypt_ticket attempts to decrypt a session ticket. | |
3037 | * | |
3038 | * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are | |
3039 | * expecting a pre-shared key ciphersuite, in which case we have no use for | |
3040 | * session tickets and one will never be decrypted, nor will | |
3041 | * s->ext.ticket_expected be set to 1. | |
3042 | * | |
3043 | * Side effects: | |
3044 | * Sets s->ext.ticket_expected to 1 if the server will have to issue | |
3045 | * a new session ticket to the client because the client indicated support | |
3046 | * (and s->tls_session_secret_cb is NULL) but the client either doesn't have | |
3047 | * a session ticket or we couldn't use the one it gave us, or if | |
3048 | * s->ctx->ext.ticket_key_cb asked to renew the client's ticket. | |
3049 | * Otherwise, s->ext.ticket_expected is set to 0. | |
3050 | * | |
3051 | * etick: points to the body of the session ticket extension. | |
3052 | * eticklen: the length of the session tickets extension. | |
3053 | * sess_id: points at the session ID. | |
3054 | * sesslen: the length of the session ID. | |
3055 | * psess: (output) on return, if a ticket was decrypted, then this is set to | |
3056 | * point to the resulting session. | |
3057 | */ | |
3058 | SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, | |
3059 | const unsigned char *etick, | |
3060 | size_t eticklen, | |
3061 | const unsigned char *sess_id, | |
3062 | size_t sesslen, SSL_SESSION **psess) | |
3063 | { | |
3064 | SSL_SESSION *sess = NULL; | |
3065 | unsigned char *sdec; | |
3066 | const unsigned char *p; | |
3067 | int slen, ivlen, renew_ticket = 0, declen; | |
3068 | SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER; | |
3069 | size_t mlen; | |
3070 | unsigned char tick_hmac[EVP_MAX_MD_SIZE]; | |
3071 | SSL_HMAC *hctx = NULL; | |
3072 | EVP_CIPHER_CTX *ctx = NULL; | |
3073 | SSL_CTX *tctx = s->session_ctx; | |
3074 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); | |
3075 | ||
3076 | if (eticklen == 0) { | |
3077 | /* | |
3078 | * The client will accept a ticket but doesn't currently have | |
3079 | * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3 | |
3080 | */ | |
3081 | ret = SSL_TICKET_EMPTY; | |
3082 | goto end; | |
3083 | } | |
3084 | if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) { | |
3085 | /* | |
3086 | * Indicate that the ticket couldn't be decrypted rather than | |
3087 | * generating the session from ticket now, trigger | |
3088 | * abbreviated handshake based on external mechanism to | |
3089 | * calculate the master secret later. | |
3090 | */ | |
3091 | ret = SSL_TICKET_NO_DECRYPT; | |
3092 | goto end; | |
3093 | } | |
3094 | ||
3095 | /* Need at least keyname + iv */ | |
3096 | if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) { | |
3097 | ret = SSL_TICKET_NO_DECRYPT; | |
3098 | goto end; | |
3099 | } | |
3100 | ||
3101 | /* Initialize session ticket encryption and HMAC contexts */ | |
3102 | hctx = ssl_hmac_new(tctx); | |
3103 | if (hctx == NULL) { | |
3104 | ret = SSL_TICKET_FATAL_ERR_MALLOC; | |
3105 | goto end; | |
3106 | } | |
3107 | ctx = EVP_CIPHER_CTX_new(); | |
3108 | if (ctx == NULL) { | |
3109 | ret = SSL_TICKET_FATAL_ERR_MALLOC; | |
3110 | goto end; | |
3111 | } | |
3112 | #ifndef OPENSSL_NO_DEPRECATED_3_0 | |
3113 | if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL) | |
3114 | #else | |
3115 | if (tctx->ext.ticket_key_evp_cb != NULL) | |
3116 | #endif | |
3117 | { | |
3118 | unsigned char *nctick = (unsigned char *)etick; | |
3119 | int rv = 0; | |
3120 | ||
3121 | if (tctx->ext.ticket_key_evp_cb != NULL) | |
3122 | rv = tctx->ext.ticket_key_evp_cb(SSL_CONNECTION_GET_USER_SSL(s), | |
3123 | nctick, | |
3124 | nctick + TLSEXT_KEYNAME_LENGTH, | |
3125 | ctx, | |
3126 | ssl_hmac_get0_EVP_MAC_CTX(hctx), | |
3127 | 0); | |
3128 | #ifndef OPENSSL_NO_DEPRECATED_3_0 | |
3129 | else if (tctx->ext.ticket_key_cb != NULL) | |
3130 | /* if 0 is returned, write an empty ticket */ | |
3131 | rv = tctx->ext.ticket_key_cb(SSL_CONNECTION_GET_USER_SSL(s), nctick, | |
3132 | nctick + TLSEXT_KEYNAME_LENGTH, | |
3133 | ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0); | |
3134 | #endif | |
3135 | if (rv < 0) { | |
3136 | ret = SSL_TICKET_FATAL_ERR_OTHER; | |
3137 | goto end; | |
3138 | } | |
3139 | if (rv == 0) { | |
3140 | ret = SSL_TICKET_NO_DECRYPT; | |
3141 | goto end; | |
3142 | } | |
3143 | if (rv == 2) | |
3144 | renew_ticket = 1; | |
3145 | } else { | |
3146 | EVP_CIPHER *aes256cbc = NULL; | |
3147 | ||
3148 | /* Check key name matches */ | |
3149 | if (memcmp(etick, tctx->ext.tick_key_name, | |
3150 | TLSEXT_KEYNAME_LENGTH) != 0) { | |
3151 | ret = SSL_TICKET_NO_DECRYPT; | |
3152 | goto end; | |
3153 | } | |
3154 | ||
3155 | aes256cbc = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC", | |
3156 | sctx->propq); | |
3157 | if (aes256cbc == NULL | |
3158 | || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, | |
3159 | sizeof(tctx->ext.secure->tick_hmac_key), | |
3160 | "SHA256") <= 0 | |
3161 | || EVP_DecryptInit_ex(ctx, aes256cbc, NULL, | |
3162 | tctx->ext.secure->tick_aes_key, | |
3163 | etick + TLSEXT_KEYNAME_LENGTH) <= 0) { | |
3164 | EVP_CIPHER_free(aes256cbc); | |
3165 | ret = SSL_TICKET_FATAL_ERR_OTHER; | |
3166 | goto end; | |
3167 | } | |
3168 | EVP_CIPHER_free(aes256cbc); | |
3169 | if (SSL_CONNECTION_IS_TLS13(s)) | |
3170 | renew_ticket = 1; | |
3171 | } | |
3172 | /* | |
3173 | * Attempt to process session ticket, first conduct sanity and integrity | |
3174 | * checks on ticket. | |
3175 | */ | |
3176 | mlen = ssl_hmac_size(hctx); | |
3177 | if (mlen == 0) { | |
3178 | ret = SSL_TICKET_FATAL_ERR_OTHER; | |
3179 | goto end; | |
3180 | } | |
3181 | ||
3182 | ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); | |
3183 | if (ivlen < 0) { | |
3184 | ret = SSL_TICKET_FATAL_ERR_OTHER; | |
3185 | goto end; | |
3186 | } | |
3187 | ||
3188 | /* Sanity check ticket length: must exceed keyname + IV + HMAC */ | |
3189 | if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) { | |
3190 | ret = SSL_TICKET_NO_DECRYPT; | |
3191 | goto end; | |
3192 | } | |
3193 | eticklen -= mlen; | |
3194 | /* Check HMAC of encrypted ticket */ | |
3195 | if (ssl_hmac_update(hctx, etick, eticklen) <= 0 | |
3196 | || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) { | |
3197 | ret = SSL_TICKET_FATAL_ERR_OTHER; | |
3198 | goto end; | |
3199 | } | |
3200 | ||
3201 | if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { | |
3202 | ret = SSL_TICKET_NO_DECRYPT; | |
3203 | goto end; | |
3204 | } | |
3205 | /* Attempt to decrypt session data */ | |
3206 | /* Move p after IV to start of encrypted ticket, update length */ | |
3207 | p = etick + TLSEXT_KEYNAME_LENGTH + ivlen; | |
3208 | eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen; | |
3209 | sdec = OPENSSL_malloc(eticklen); | |
3210 | if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, | |
3211 | (int)eticklen) <= 0) { | |
3212 | OPENSSL_free(sdec); | |
3213 | ret = SSL_TICKET_FATAL_ERR_OTHER; | |
3214 | goto end; | |
3215 | } | |
3216 | if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) { | |
3217 | OPENSSL_free(sdec); | |
3218 | ret = SSL_TICKET_NO_DECRYPT; | |
3219 | goto end; | |
3220 | } | |
3221 | slen += declen; | |
3222 | p = sdec; | |
3223 | ||
3224 | sess = d2i_SSL_SESSION_ex(NULL, &p, slen, sctx->libctx, sctx->propq); | |
3225 | slen -= (int)(p - sdec); | |
3226 | OPENSSL_free(sdec); | |
3227 | if (sess) { | |
3228 | /* Some additional consistency checks */ | |
3229 | if (slen != 0) { | |
3230 | SSL_SESSION_free(sess); | |
3231 | sess = NULL; | |
3232 | ret = SSL_TICKET_NO_DECRYPT; | |
3233 | goto end; | |
3234 | } | |
3235 | /* | |
3236 | * The session ID, if non-empty, is used by some clients to detect | |
3237 | * that the ticket has been accepted. So we copy it to the session | |
3238 | * structure. If it is empty set length to zero as required by | |
3239 | * standard. | |
3240 | */ | |
3241 | if (sesslen) { | |
3242 | memcpy(sess->session_id, sess_id, sesslen); | |
3243 | sess->session_id_length = sesslen; | |
3244 | } | |
3245 | if (renew_ticket) | |
3246 | ret = SSL_TICKET_SUCCESS_RENEW; | |
3247 | else | |
3248 | ret = SSL_TICKET_SUCCESS; | |
3249 | goto end; | |
3250 | } | |
3251 | ERR_clear_error(); | |
3252 | /* | |
3253 | * For session parse failure, indicate that we need to send a new ticket. | |
3254 | */ | |
3255 | ret = SSL_TICKET_NO_DECRYPT; | |
3256 | ||
3257 | end: | |
3258 | EVP_CIPHER_CTX_free(ctx); | |
3259 | ssl_hmac_free(hctx); | |
3260 | ||
3261 | /* | |
3262 | * If set, the decrypt_ticket_cb() is called unless a fatal error was | |
3263 | * detected above. The callback is responsible for checking |ret| before it | |
3264 | * performs any action | |
3265 | */ | |
3266 | if (s->session_ctx->decrypt_ticket_cb != NULL | |
3267 | && (ret == SSL_TICKET_EMPTY | |
3268 | || ret == SSL_TICKET_NO_DECRYPT | |
3269 | || ret == SSL_TICKET_SUCCESS | |
3270 | || ret == SSL_TICKET_SUCCESS_RENEW)) { | |
3271 | size_t keyname_len = eticklen; | |
3272 | int retcb; | |
3273 | ||
3274 | if (keyname_len > TLSEXT_KEYNAME_LENGTH) | |
3275 | keyname_len = TLSEXT_KEYNAME_LENGTH; | |
3276 | retcb = s->session_ctx->decrypt_ticket_cb(SSL_CONNECTION_GET_SSL(s), | |
3277 | sess, etick, keyname_len, | |
3278 | ret, | |
3279 | s->session_ctx->ticket_cb_data); | |
3280 | switch (retcb) { | |
3281 | case SSL_TICKET_RETURN_ABORT: | |
3282 | ret = SSL_TICKET_FATAL_ERR_OTHER; | |
3283 | break; | |
3284 | ||
3285 | case SSL_TICKET_RETURN_IGNORE: | |
3286 | ret = SSL_TICKET_NONE; | |
3287 | SSL_SESSION_free(sess); | |
3288 | sess = NULL; | |
3289 | break; | |
3290 | ||
3291 | case SSL_TICKET_RETURN_IGNORE_RENEW: | |
3292 | if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT) | |
3293 | ret = SSL_TICKET_NO_DECRYPT; | |
3294 | /* else the value of |ret| will already do the right thing */ | |
3295 | SSL_SESSION_free(sess); | |
3296 | sess = NULL; | |
3297 | break; | |
3298 | ||
3299 | case SSL_TICKET_RETURN_USE: | |
3300 | case SSL_TICKET_RETURN_USE_RENEW: | |
3301 | if (ret != SSL_TICKET_SUCCESS | |
3302 | && ret != SSL_TICKET_SUCCESS_RENEW) | |
3303 | ret = SSL_TICKET_FATAL_ERR_OTHER; | |
3304 | else if (retcb == SSL_TICKET_RETURN_USE) | |
3305 | ret = SSL_TICKET_SUCCESS; | |
3306 | else | |
3307 | ret = SSL_TICKET_SUCCESS_RENEW; | |
3308 | break; | |
3309 | ||
3310 | default: | |
3311 | ret = SSL_TICKET_FATAL_ERR_OTHER; | |
3312 | } | |
3313 | } | |
3314 | ||
3315 | if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) { | |
3316 | switch (ret) { | |
3317 | case SSL_TICKET_NO_DECRYPT: | |
3318 | case SSL_TICKET_SUCCESS_RENEW: | |
3319 | case SSL_TICKET_EMPTY: | |
3320 | s->ext.ticket_expected = 1; | |
3321 | } | |
3322 | } | |
3323 | ||
3324 | *psess = sess; | |
3325 | ||
3326 | return ret; | |
3327 | } | |
3328 | ||
3329 | /* Check to see if a signature algorithm is allowed */ | |
3330 | static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, | |
3331 | const SIGALG_LOOKUP *lu) | |
3332 | { | |
3333 | unsigned char sigalgstr[2]; | |
3334 | int secbits; | |
3335 | ||
3336 | if (lu == NULL || !lu->available) | |
3337 | return 0; | |
3338 | /* DSA is not allowed in TLS 1.3 */ | |
3339 | if (SSL_CONNECTION_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) | |
3340 | return 0; | |
3341 | /* | |
3342 | * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3 | |
3343 | * spec | |
3344 | */ | |
3345 | if (!s->server && !SSL_CONNECTION_IS_DTLS(s) | |
3346 | && s->s3.tmp.min_ver >= TLS1_3_VERSION | |
3347 | && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX | |
3348 | || lu->hash_idx == SSL_MD_MD5_IDX | |
3349 | || lu->hash_idx == SSL_MD_SHA224_IDX)) | |
3350 | return 0; | |
3351 | ||
3352 | /* See if public key algorithm allowed */ | |
3353 | if (ssl_cert_is_disabled(SSL_CONNECTION_GET_CTX(s), lu->sig_idx)) | |
3354 | return 0; | |
3355 | ||
3356 | if (lu->sig == NID_id_GostR3410_2012_256 | |
3357 | || lu->sig == NID_id_GostR3410_2012_512 | |
3358 | || lu->sig == NID_id_GostR3410_2001) { | |
3359 | /* We never allow GOST sig algs on the server with TLSv1.3 */ | |
3360 | if (s->server && SSL_CONNECTION_IS_TLS13(s)) | |
3361 | return 0; | |
3362 | if (!s->server | |
3363 | && SSL_CONNECTION_GET_SSL(s)->method->version == TLS_ANY_VERSION | |
3364 | && s->s3.tmp.max_ver >= TLS1_3_VERSION) { | |
3365 | int i, num; | |
3366 | STACK_OF(SSL_CIPHER) *sk; | |
3367 | ||
3368 | /* | |
3369 | * We're a client that could negotiate TLSv1.3. We only allow GOST | |
3370 | * sig algs if we could negotiate TLSv1.2 or below and we have GOST | |
3371 | * ciphersuites enabled. | |
3372 | */ | |
3373 | ||
3374 | if (s->s3.tmp.min_ver >= TLS1_3_VERSION) | |
3375 | return 0; | |
3376 | ||
3377 | sk = SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)); | |
3378 | num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0; | |
3379 | for (i = 0; i < num; i++) { | |
3380 | const SSL_CIPHER *c; | |
3381 | ||
3382 | c = sk_SSL_CIPHER_value(sk, i); | |
3383 | /* Skip disabled ciphers */ | |
3384 | if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) | |
3385 | continue; | |
3386 | ||
3387 | if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0) | |
3388 | break; | |
3389 | } | |
3390 | if (i == num) | |
3391 | return 0; | |
3392 | } | |
3393 | } | |
3394 | ||
3395 | /* Finally see if security callback allows it */ | |
3396 | secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); | |
3397 | sigalgstr[0] = (lu->sigalg >> 8) & 0xff; | |
3398 | sigalgstr[1] = lu->sigalg & 0xff; | |
3399 | return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr); | |
3400 | } | |
3401 | ||
3402 | /* | |
3403 | * Get a mask of disabled public key algorithms based on supported signature | |
3404 | * algorithms. For example if no signature algorithm supports RSA then RSA is | |
3405 | * disabled. | |
3406 | */ | |
3407 | ||
3408 | void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op) | |
3409 | { | |
3410 | const uint16_t *sigalgs; | |
3411 | size_t i, sigalgslen; | |
3412 | uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA; | |
3413 | /* | |
3414 | * Go through all signature algorithms seeing if we support any | |
3415 | * in disabled_mask. | |
3416 | */ | |
3417 | sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs); | |
3418 | for (i = 0; i < sigalgslen; i++, sigalgs++) { | |
3419 | const SIGALG_LOOKUP *lu = | |
3420 | tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *sigalgs); | |
3421 | const SSL_CERT_LOOKUP *clu; | |
3422 | ||
3423 | if (lu == NULL) | |
3424 | continue; | |
3425 | ||
3426 | clu = ssl_cert_lookup_by_idx(lu->sig_idx, | |
3427 | SSL_CONNECTION_GET_CTX(s)); | |
3428 | if (clu == NULL) | |
3429 | continue; | |
3430 | ||
3431 | /* If algorithm is disabled see if we can enable it */ | |
3432 | if ((clu->amask & disabled_mask) != 0 | |
3433 | && tls12_sigalg_allowed(s, op, lu)) | |
3434 | disabled_mask &= ~clu->amask; | |
3435 | } | |
3436 | *pmask_a |= disabled_mask; | |
3437 | } | |
3438 | ||
3439 | int tls12_copy_sigalgs(SSL_CONNECTION *s, WPACKET *pkt, | |
3440 | const uint16_t *psig, size_t psiglen) | |
3441 | { | |
3442 | size_t i; | |
3443 | int rv = 0; | |
3444 | ||
3445 | for (i = 0; i < psiglen; i++, psig++) { | |
3446 | const SIGALG_LOOKUP *lu = | |
3447 | tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *psig); | |
3448 | ||
3449 | if (lu == NULL || !tls_sigalg_compat(s, lu)) | |
3450 | continue; | |
3451 | if (!WPACKET_put_bytes_u16(pkt, *psig)) | |
3452 | return 0; | |
3453 | /* | |
3454 | * If TLS 1.3 must have at least one valid TLS 1.3 message | |
3455 | * signing algorithm: i.e. neither RSA nor SHA1/SHA224 | |
3456 | */ | |
3457 | if (rv == 0 && (!SSL_CONNECTION_IS_TLS13(s) | |
3458 | || (lu->sig != EVP_PKEY_RSA | |
3459 | && lu->hash != NID_sha1 | |
3460 | && lu->hash != NID_sha224))) | |
3461 | rv = 1; | |
3462 | } | |
3463 | if (rv == 0) | |
3464 | ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); | |
3465 | return rv; | |
3466 | } | |
3467 | ||
3468 | /* Given preference and allowed sigalgs set shared sigalgs */ | |
3469 | static size_t tls12_shared_sigalgs(SSL_CONNECTION *s, | |
3470 | const SIGALG_LOOKUP **shsig, | |
3471 | const uint16_t *pref, size_t preflen, | |
3472 | const uint16_t *allow, size_t allowlen) | |
3473 | { | |
3474 | const uint16_t *ptmp, *atmp; | |
3475 | size_t i, j, nmatch = 0; | |
3476 | for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { | |
3477 | const SIGALG_LOOKUP *lu = | |
3478 | tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *ptmp); | |
3479 | ||
3480 | /* Skip disabled hashes or signature algorithms */ | |
3481 | if (lu == NULL | |
3482 | || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) | |
3483 | continue; | |
3484 | for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { | |
3485 | if (*ptmp == *atmp) { | |
3486 | nmatch++; | |
3487 | if (shsig) | |
3488 | *shsig++ = lu; | |
3489 | break; | |
3490 | } | |
3491 | } | |
3492 | } | |
3493 | return nmatch; | |
3494 | } | |
3495 | ||
3496 | /* Set shared signature algorithms for SSL structures */ | |
3497 | static int tls1_set_shared_sigalgs(SSL_CONNECTION *s) | |
3498 | { | |
3499 | const uint16_t *pref, *allow, *conf; | |
3500 | size_t preflen, allowlen, conflen; | |
3501 | size_t nmatch; | |
3502 | const SIGALG_LOOKUP **salgs = NULL; | |
3503 | CERT *c = s->cert; | |
3504 | unsigned int is_suiteb = tls1_suiteb(s); | |
3505 | ||
3506 | OPENSSL_free(s->shared_sigalgs); | |
3507 | s->shared_sigalgs = NULL; | |
3508 | s->shared_sigalgslen = 0; | |
3509 | /* If client use client signature algorithms if not NULL */ | |
3510 | if (!s->server && c->client_sigalgs && !is_suiteb) { | |
3511 | conf = c->client_sigalgs; | |
3512 | conflen = c->client_sigalgslen; | |
3513 | } else if (c->conf_sigalgs && !is_suiteb) { | |
3514 | conf = c->conf_sigalgs; | |
3515 | conflen = c->conf_sigalgslen; | |
3516 | } else | |
3517 | conflen = tls12_get_psigalgs(s, 0, &conf); | |
3518 | if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { | |
3519 | pref = conf; | |
3520 | preflen = conflen; | |
3521 | allow = s->s3.tmp.peer_sigalgs; | |
3522 | allowlen = s->s3.tmp.peer_sigalgslen; | |
3523 | } else { | |
3524 | allow = conf; | |
3525 | allowlen = conflen; | |
3526 | pref = s->s3.tmp.peer_sigalgs; | |
3527 | preflen = s->s3.tmp.peer_sigalgslen; | |
3528 | } | |
3529 | nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); | |
3530 | if (nmatch) { | |
3531 | if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) | |
3532 | return 0; | |
3533 | nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); | |
3534 | } else { | |
3535 | salgs = NULL; | |
3536 | } | |
3537 | s->shared_sigalgs = salgs; | |
3538 | s->shared_sigalgslen = nmatch; | |
3539 | return 1; | |
3540 | } | |
3541 | ||
3542 | int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) | |
3543 | { | |
3544 | unsigned int stmp; | |
3545 | size_t size, i; | |
3546 | uint16_t *buf; | |
3547 | ||
3548 | size = PACKET_remaining(pkt); | |
3549 | ||
3550 | /* Invalid data length */ | |
3551 | if (size == 0 || (size & 1) != 0) | |
3552 | return 0; | |
3553 | ||
3554 | size >>= 1; | |
3555 | ||
3556 | if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) | |
3557 | return 0; | |
3558 | for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) | |
3559 | buf[i] = stmp; | |
3560 | ||
3561 | if (i != size) { | |
3562 | OPENSSL_free(buf); | |
3563 | return 0; | |
3564 | } | |
3565 | ||
3566 | OPENSSL_free(*pdest); | |
3567 | *pdest = buf; | |
3568 | *pdestlen = size; | |
3569 | ||
3570 | return 1; | |
3571 | } | |
3572 | ||
3573 | int tls1_save_sigalgs(SSL_CONNECTION *s, PACKET *pkt, int cert) | |
3574 | { | |
3575 | /* Extension ignored for inappropriate versions */ | |
3576 | if (!SSL_USE_SIGALGS(s)) | |
3577 | return 1; | |
3578 | /* Should never happen */ | |
3579 | if (s->cert == NULL) | |
3580 | return 0; | |
3581 | ||
3582 | if (cert) | |
3583 | return tls1_save_u16(pkt, &s->s3.tmp.peer_cert_sigalgs, | |
3584 | &s->s3.tmp.peer_cert_sigalgslen); | |
3585 | else | |
3586 | return tls1_save_u16(pkt, &s->s3.tmp.peer_sigalgs, | |
3587 | &s->s3.tmp.peer_sigalgslen); | |
3588 | ||
3589 | } | |
3590 | ||
3591 | /* Set preferred digest for each key type */ | |
3592 | ||
3593 | int tls1_process_sigalgs(SSL_CONNECTION *s) | |
3594 | { | |
3595 | size_t i; | |
3596 | uint32_t *pvalid = s->s3.tmp.valid_flags; | |
3597 | ||
3598 | if (!tls1_set_shared_sigalgs(s)) | |
3599 | return 0; | |
3600 | ||
3601 | for (i = 0; i < s->ssl_pkey_num; i++) | |
3602 | pvalid[i] = 0; | |
3603 | ||
3604 | for (i = 0; i < s->shared_sigalgslen; i++) { | |
3605 | const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i]; | |
3606 | int idx = sigptr->sig_idx; | |
3607 | ||
3608 | /* Ignore PKCS1 based sig algs in TLSv1.3 */ | |
3609 | if (SSL_CONNECTION_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) | |
3610 | continue; | |
3611 | /* If not disabled indicate we can explicitly sign */ | |
3612 | if (pvalid[idx] == 0 | |
3613 | && !ssl_cert_is_disabled(SSL_CONNECTION_GET_CTX(s), idx)) | |
3614 | pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; | |
3615 | } | |
3616 | return 1; | |
3617 | } | |
3618 | ||
3619 | int SSL_get_sigalgs(SSL *s, int idx, | |
3620 | int *psign, int *phash, int *psignhash, | |
3621 | unsigned char *rsig, unsigned char *rhash) | |
3622 | { | |
3623 | uint16_t *psig; | |
3624 | size_t numsigalgs; | |
3625 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); | |
3626 | ||
3627 | if (sc == NULL) | |
3628 | return 0; | |
3629 | ||
3630 | psig = sc->s3.tmp.peer_sigalgs; | |
3631 | numsigalgs = sc->s3.tmp.peer_sigalgslen; | |
3632 | ||
3633 | if (psig == NULL || numsigalgs > INT_MAX) | |
3634 | return 0; | |
3635 | if (idx >= 0) { | |
3636 | const SIGALG_LOOKUP *lu; | |
3637 | ||
3638 | if (idx >= (int)numsigalgs) | |
3639 | return 0; | |
3640 | psig += idx; | |
3641 | if (rhash != NULL) | |
3642 | *rhash = (unsigned char)((*psig >> 8) & 0xff); | |
3643 | if (rsig != NULL) | |
3644 | *rsig = (unsigned char)(*psig & 0xff); | |
3645 | lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(sc), *psig); | |
3646 | if (psign != NULL) | |
3647 | *psign = lu != NULL ? lu->sig : NID_undef; | |
3648 | if (phash != NULL) | |
3649 | *phash = lu != NULL ? lu->hash : NID_undef; | |
3650 | if (psignhash != NULL) | |
3651 | *psignhash = lu != NULL ? lu->sigandhash : NID_undef; | |
3652 | } | |
3653 | return (int)numsigalgs; | |
3654 | } | |
3655 | ||
3656 | int SSL_get_shared_sigalgs(SSL *s, int idx, | |
3657 | int *psign, int *phash, int *psignhash, | |
3658 | unsigned char *rsig, unsigned char *rhash) | |
3659 | { | |
3660 | const SIGALG_LOOKUP *shsigalgs; | |
3661 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); | |
3662 | ||
3663 | if (sc == NULL) | |
3664 | return 0; | |
3665 | ||
3666 | if (sc->shared_sigalgs == NULL | |
3667 | || idx < 0 | |
3668 | || idx >= (int)sc->shared_sigalgslen | |
3669 | || sc->shared_sigalgslen > INT_MAX) | |
3670 | return 0; | |
3671 | shsigalgs = sc->shared_sigalgs[idx]; | |
3672 | if (phash != NULL) | |
3673 | *phash = shsigalgs->hash; | |
3674 | if (psign != NULL) | |
3675 | *psign = shsigalgs->sig; | |
3676 | if (psignhash != NULL) | |
3677 | *psignhash = shsigalgs->sigandhash; | |
3678 | if (rsig != NULL) | |
3679 | *rsig = (unsigned char)(shsigalgs->sigalg & 0xff); | |
3680 | if (rhash != NULL) | |
3681 | *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff); | |
3682 | return (int)sc->shared_sigalgslen; | |
3683 | } | |
3684 | ||
3685 | /* Maximum possible number of unique entries in sigalgs array */ | |
3686 | #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2) | |
3687 | ||
3688 | typedef struct { | |
3689 | size_t sigalgcnt; | |
3690 | /* TLSEXT_SIGALG_XXX values */ | |
3691 | uint16_t sigalgs[TLS_MAX_SIGALGCNT]; | |
3692 | SSL_CTX *ctx; | |
3693 | } sig_cb_st; | |
3694 | ||
3695 | static void get_sigorhash(int *psig, int *phash, const char *str) | |
3696 | { | |
3697 | if (OPENSSL_strcasecmp(str, "RSA") == 0) { | |
3698 | *psig = EVP_PKEY_RSA; | |
3699 | } else if (OPENSSL_strcasecmp(str, "RSA-PSS") == 0 | |
3700 | || OPENSSL_strcasecmp(str, "PSS") == 0) { | |
3701 | *psig = EVP_PKEY_RSA_PSS; | |
3702 | } else if (OPENSSL_strcasecmp(str, "DSA") == 0) { | |
3703 | *psig = EVP_PKEY_DSA; | |
3704 | } else if (OPENSSL_strcasecmp(str, "ECDSA") == 0) { | |
3705 | *psig = EVP_PKEY_EC; | |
3706 | } else { | |
3707 | *phash = OBJ_sn2nid(str); | |
3708 | if (*phash == NID_undef) | |
3709 | *phash = OBJ_ln2nid(str); | |
3710 | } | |
3711 | } | |
3712 | /* Maximum length of a signature algorithm string component */ | |
3713 | #define TLS_MAX_SIGSTRING_LEN 40 | |
3714 | ||
3715 | static int sig_cb(const char *elem, int len, void *arg) | |
3716 | { | |
3717 | sig_cb_st *sarg = arg; | |
3718 | size_t i = 0; | |
3719 | const SIGALG_LOOKUP *s; | |
3720 | char etmp[TLS_MAX_SIGSTRING_LEN], *p; | |
3721 | const char *iana, *alias; | |
3722 | int sig_alg = NID_undef, hash_alg = NID_undef; | |
3723 | int ignore_unknown = 0; | |
3724 | ||
3725 | if (elem == NULL) | |
3726 | return 0; | |
3727 | if (elem[0] == '?') { | |
3728 | ignore_unknown = 1; | |
3729 | ++elem; | |
3730 | --len; | |
3731 | } | |
3732 | if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) | |
3733 | return 0; | |
3734 | if (len > (int)(sizeof(etmp) - 1)) | |
3735 | return 0; | |
3736 | memcpy(etmp, elem, len); | |
3737 | etmp[len] = 0; | |
3738 | p = strchr(etmp, '+'); | |
3739 | /* | |
3740 | * We only allow SignatureSchemes listed in the sigalg_lookup_tbl; | |
3741 | * if there's no '+' in the provided name, look for the new-style combined | |
3742 | * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP. | |
3743 | * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and | |
3744 | * rsa_pss_rsae_* that differ only by public key OID; in such cases | |
3745 | * we will pick the _rsae_ variant, by virtue of them appearing earlier | |
3746 | * in the table. | |
3747 | */ | |
3748 | if (p == NULL) { | |
3749 | if (sarg->ctx != NULL) { | |
3750 | for (i = 0; i < sarg->ctx->sigalg_lookup_cache_len; i++) { | |
3751 | iana = sarg->ctx->sigalg_lookup_cache[i].name; | |
3752 | alias = sarg->ctx->sigalg_lookup_cache[i].name12; | |
3753 | if ((alias != NULL && OPENSSL_strcasecmp(etmp, alias) == 0) | |
3754 | || OPENSSL_strcasecmp(etmp, iana) == 0) { | |
3755 | /* Ignore known, but unavailable sigalgs. */ | |
3756 | if (!sarg->ctx->sigalg_lookup_cache[i].available) | |
3757 | return 1; | |
3758 | sarg->sigalgs[sarg->sigalgcnt++] = | |
3759 | sarg->ctx->sigalg_lookup_cache[i].sigalg; | |
3760 | goto found; | |
3761 | } | |
3762 | } | |
3763 | } else { | |
3764 | /* Syntax checks use the built-in sigalgs */ | |
3765 | for (i = 0, s = sigalg_lookup_tbl; | |
3766 | i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) { | |
3767 | iana = s->name; | |
3768 | alias = s->name12; | |
3769 | if ((alias != NULL && OPENSSL_strcasecmp(etmp, alias) == 0) | |
3770 | || OPENSSL_strcasecmp(etmp, iana) == 0) { | |
3771 | sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; | |
3772 | goto found; | |
3773 | } | |
3774 | } | |
3775 | } | |
3776 | } else { | |
3777 | *p = 0; | |
3778 | p++; | |
3779 | if (*p == 0) | |
3780 | return 0; | |
3781 | get_sigorhash(&sig_alg, &hash_alg, etmp); | |
3782 | get_sigorhash(&sig_alg, &hash_alg, p); | |
3783 | if (sig_alg != NID_undef && hash_alg != NID_undef) { | |
3784 | if (sarg->ctx != NULL) { | |
3785 | for (i = 0; i < sarg->ctx->sigalg_lookup_cache_len; i++) { | |
3786 | s = &sarg->ctx->sigalg_lookup_cache[i]; | |
3787 | if (s->hash == hash_alg && s->sig == sig_alg) { | |
3788 | /* Ignore known, but unavailable sigalgs. */ | |
3789 | if (!sarg->ctx->sigalg_lookup_cache[i].available) | |
3790 | return 1; | |
3791 | sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; | |
3792 | goto found; | |
3793 | } | |
3794 | } | |
3795 | } else { | |
3796 | for (i = 0; i < OSSL_NELEM(sigalg_lookup_tbl); i++) { | |
3797 | s = &sigalg_lookup_tbl[i]; | |
3798 | if (s->hash == hash_alg && s->sig == sig_alg) { | |
3799 | sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; | |
3800 | goto found; | |
3801 | } | |
3802 | } | |
3803 | } | |
3804 | } | |
3805 | } | |
3806 | /* Ignore unknown algorithms if ignore_unknown */ | |
3807 | return ignore_unknown; | |
3808 | ||
3809 | found: | |
3810 | /* Ignore duplicates */ | |
3811 | for (i = 0; i < sarg->sigalgcnt - 1; i++) { | |
3812 | if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { | |
3813 | sarg->sigalgcnt--; | |
3814 | return 1; | |
3815 | } | |
3816 | } | |
3817 | return 1; | |
3818 | } | |
3819 | ||
3820 | /* | |
3821 | * Set supported signature algorithms based on a colon separated list of the | |
3822 | * form sig+hash e.g. RSA+SHA512:DSA+SHA512 | |
3823 | */ | |
3824 | int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client) | |
3825 | { | |
3826 | sig_cb_st sig; | |
3827 | sig.sigalgcnt = 0; | |
3828 | ||
3829 | if (ctx != NULL) | |
3830 | sig.ctx = ctx; | |
3831 | if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) | |
3832 | return 0; | |
3833 | if (sig.sigalgcnt == 0) { | |
3834 | ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, | |
3835 | "No valid signature algorithms in '%s'", str); | |
3836 | return 0; | |
3837 | } | |
3838 | if (c == NULL) | |
3839 | return 1; | |
3840 | return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); | |
3841 | } | |
3842 | ||
3843 | int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, | |
3844 | int client) | |
3845 | { | |
3846 | uint16_t *sigalgs; | |
3847 | ||
3848 | if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) | |
3849 | return 0; | |
3850 | memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs)); | |
3851 | ||
3852 | if (client) { | |
3853 | OPENSSL_free(c->client_sigalgs); | |
3854 | c->client_sigalgs = sigalgs; | |
3855 | c->client_sigalgslen = salglen; | |
3856 | } else { | |
3857 | OPENSSL_free(c->conf_sigalgs); | |
3858 | c->conf_sigalgs = sigalgs; | |
3859 | c->conf_sigalgslen = salglen; | |
3860 | } | |
3861 | ||
3862 | return 1; | |
3863 | } | |
3864 | ||
3865 | int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) | |
3866 | { | |
3867 | uint16_t *sigalgs, *sptr; | |
3868 | size_t i; | |
3869 | ||
3870 | if (salglen & 1) | |
3871 | return 0; | |
3872 | if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) | |
3873 | return 0; | |
3874 | for (i = 0, sptr = sigalgs; i < salglen; i += 2) { | |
3875 | size_t j; | |
3876 | const SIGALG_LOOKUP *curr; | |
3877 | int md_id = *psig_nids++; | |
3878 | int sig_id = *psig_nids++; | |
3879 | ||
3880 | for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl); | |
3881 | j++, curr++) { | |
3882 | if (curr->hash == md_id && curr->sig == sig_id) { | |
3883 | *sptr++ = curr->sigalg; | |
3884 | break; | |
3885 | } | |
3886 | } | |
3887 | ||
3888 | if (j == OSSL_NELEM(sigalg_lookup_tbl)) | |
3889 | goto err; | |
3890 | } | |
3891 | ||
3892 | if (client) { | |
3893 | OPENSSL_free(c->client_sigalgs); | |
3894 | c->client_sigalgs = sigalgs; | |
3895 | c->client_sigalgslen = salglen / 2; | |
3896 | } else { | |
3897 | OPENSSL_free(c->conf_sigalgs); | |
3898 | c->conf_sigalgs = sigalgs; | |
3899 | c->conf_sigalgslen = salglen / 2; | |
3900 | } | |
3901 | ||
3902 | return 1; | |
3903 | ||
3904 | err: | |
3905 | OPENSSL_free(sigalgs); | |
3906 | return 0; | |
3907 | } | |
3908 | ||
3909 | static int tls1_check_sig_alg(SSL_CONNECTION *s, X509 *x, int default_nid) | |
3910 | { | |
3911 | int sig_nid, use_pc_sigalgs = 0; | |
3912 | size_t i; | |
3913 | const SIGALG_LOOKUP *sigalg; | |
3914 | size_t sigalgslen; | |
3915 | ||
3916 | /*- | |
3917 | * RFC 8446, section 4.2.3: | |
3918 | * | |
3919 | * The signatures on certificates that are self-signed or certificates | |
3920 | * that are trust anchors are not validated, since they begin a | |
3921 | * certification path (see [RFC5280], Section 3.2). A certificate that | |
3922 | * begins a certification path MAY use a signature algorithm that is not | |
3923 | * advertised as being supported in the "signature_algorithms" | |
3924 | * extension. | |
3925 | */ | |
3926 | if (default_nid == -1 || X509_self_signed(x, 0)) | |
3927 | return 1; | |
3928 | sig_nid = X509_get_signature_nid(x); | |
3929 | if (default_nid) | |
3930 | return sig_nid == default_nid ? 1 : 0; | |
3931 | ||
3932 | if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) { | |
3933 | /* | |
3934 | * If we're in TLSv1.3 then we only get here if we're checking the | |
3935 | * chain. If the peer has specified peer_cert_sigalgs then we use them | |
3936 | * otherwise we default to normal sigalgs. | |
3937 | */ | |
3938 | sigalgslen = s->s3.tmp.peer_cert_sigalgslen; | |
3939 | use_pc_sigalgs = 1; | |
3940 | } else { | |
3941 | sigalgslen = s->shared_sigalgslen; | |
3942 | } | |
3943 | for (i = 0; i < sigalgslen; i++) { | |
3944 | int mdnid, pknid; | |
3945 | ||
3946 | sigalg = use_pc_sigalgs | |
3947 | ? tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), | |
3948 | s->s3.tmp.peer_cert_sigalgs[i]) | |
3949 | : s->shared_sigalgs[i]; | |
3950 | if (sigalg == NULL) | |
3951 | continue; | |
3952 | if (sig_nid == sigalg->sigandhash) | |
3953 | return 1; | |
3954 | if (sigalg->sig != EVP_PKEY_RSA_PSS) | |
3955 | continue; | |
3956 | /* | |
3957 | * Accept RSA PKCS#1 signatures in certificates when the signature | |
3958 | * algorithms include RSA-PSS with a matching digest algorithm. | |
3959 | * | |
3960 | * When a TLS 1.3 peer inadvertently omits the legacy RSA PKCS#1 code | |
3961 | * points, and we're doing strict checking of the certificate chain (in | |
3962 | * a cert_cb via SSL_check_chain()) we may then reject RSA signed | |
3963 | * certificates in the chain, but the TLS requirement on PSS should not | |
3964 | * extend to certificates. Though the peer can in fact list the legacy | |
3965 | * sigalgs for just this purpose, it is not likely that a better chain | |
3966 | * signed with RSA-PSS is available. | |
3967 | */ | |
3968 | if (!OBJ_find_sigid_algs(sig_nid, &mdnid, &pknid)) | |
3969 | continue; | |
3970 | if (pknid == EVP_PKEY_RSA && mdnid == sigalg->hash) | |
3971 | return 1; | |
3972 | } | |
3973 | return 0; | |
3974 | } | |
3975 | ||
3976 | /* Check to see if a certificate issuer name matches list of CA names */ | |
3977 | static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) | |
3978 | { | |
3979 | const X509_NAME *nm; | |
3980 | int i; | |
3981 | nm = X509_get_issuer_name(x); | |
3982 | for (i = 0; i < sk_X509_NAME_num(names); i++) { | |
3983 | if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) | |
3984 | return 1; | |
3985 | } | |
3986 | return 0; | |
3987 | } | |
3988 | ||
3989 | /* | |
3990 | * Check certificate chain is consistent with TLS extensions and is usable by | |
3991 | * server. This servers two purposes: it allows users to check chains before | |
3992 | * passing them to the server and it allows the server to check chains before | |
3993 | * attempting to use them. | |
3994 | */ | |
3995 | ||
3996 | /* Flags which need to be set for a certificate when strict mode not set */ | |
3997 | ||
3998 | #define CERT_PKEY_VALID_FLAGS \ | |
3999 | (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) | |
4000 | /* Strict mode flags */ | |
4001 | #define CERT_PKEY_STRICT_FLAGS \ | |
4002 | (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ | |
4003 | | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) | |
4004 | ||
4005 | int tls1_check_chain(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pk, | |
4006 | STACK_OF(X509) *chain, int idx) | |
4007 | { | |
4008 | int i; | |
4009 | int rv = 0; | |
4010 | int check_flags = 0, strict_mode; | |
4011 | CERT_PKEY *cpk = NULL; | |
4012 | CERT *c = s->cert; | |
4013 | uint32_t *pvalid; | |
4014 | unsigned int suiteb_flags = tls1_suiteb(s); | |
4015 | ||
4016 | /* | |
4017 | * Meaning of idx: | |
4018 | * idx == -1 means SSL_check_chain() invocation | |
4019 | * idx == -2 means checking client certificate chains | |
4020 | * idx >= 0 means checking SSL_PKEY index | |
4021 | * | |
4022 | * For RPK, where there may be no cert, we ignore -1 | |
4023 | */ | |
4024 | if (idx != -1) { | |
4025 | if (idx == -2) { | |
4026 | cpk = c->key; | |
4027 | idx = (int)(cpk - c->pkeys); | |
4028 | } else | |
4029 | cpk = c->pkeys + idx; | |
4030 | pvalid = s->s3.tmp.valid_flags + idx; | |
4031 | x = cpk->x509; | |
4032 | pk = cpk->privatekey; | |
4033 | chain = cpk->chain; | |
4034 | strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; | |
4035 | if (tls12_rpk_and_privkey(s, idx)) { | |
4036 | if (EVP_PKEY_is_a(pk, "EC") && !tls1_check_pkey_comp(s, pk)) | |
4037 | return 0; | |
4038 | *pvalid = rv = CERT_PKEY_RPK; | |
4039 | return rv; | |
4040 | } | |
4041 | /* If no cert or key, forget it */ | |
4042 | if (x == NULL || pk == NULL) | |
4043 | goto end; | |
4044 | } else { | |
4045 | size_t certidx; | |
4046 | ||
4047 | if (x == NULL || pk == NULL) | |
4048 | return 0; | |
4049 | ||
4050 | if (ssl_cert_lookup_by_pkey(pk, &certidx, | |
4051 | SSL_CONNECTION_GET_CTX(s)) == NULL) | |
4052 | return 0; | |
4053 | idx = (int)certidx; | |
4054 | pvalid = s->s3.tmp.valid_flags + idx; | |
4055 | ||
4056 | if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) | |
4057 | check_flags = CERT_PKEY_STRICT_FLAGS; | |
4058 | else | |
4059 | check_flags = CERT_PKEY_VALID_FLAGS; | |
4060 | strict_mode = 1; | |
4061 | } | |
4062 | ||
4063 | if (suiteb_flags) { | |
4064 | int ok; | |
4065 | if (check_flags) | |
4066 | check_flags |= CERT_PKEY_SUITEB; | |
4067 | ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); | |
4068 | if (ok == X509_V_OK) | |
4069 | rv |= CERT_PKEY_SUITEB; | |
4070 | else if (!check_flags) | |
4071 | goto end; | |
4072 | } | |
4073 | ||
4074 | /* | |
4075 | * Check all signature algorithms are consistent with signature | |
4076 | * algorithms extension if TLS 1.2 or later and strict mode. | |
4077 | */ | |
4078 | if (TLS1_get_version(SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION | |
4079 | && strict_mode) { | |
4080 | int default_nid; | |
4081 | int rsign = 0; | |
4082 | ||
4083 | if (s->s3.tmp.peer_cert_sigalgs != NULL | |
4084 | || s->s3.tmp.peer_sigalgs != NULL) { | |
4085 | default_nid = 0; | |
4086 | /* If no sigalgs extension use defaults from RFC5246 */ | |
4087 | } else { | |
4088 | switch (idx) { | |
4089 | case SSL_PKEY_RSA: | |
4090 | rsign = EVP_PKEY_RSA; | |
4091 | default_nid = NID_sha1WithRSAEncryption; | |
4092 | break; | |
4093 | ||
4094 | case SSL_PKEY_DSA_SIGN: | |
4095 | rsign = EVP_PKEY_DSA; | |
4096 | default_nid = NID_dsaWithSHA1; | |
4097 | break; | |
4098 | ||
4099 | case SSL_PKEY_ECC: | |
4100 | rsign = EVP_PKEY_EC; | |
4101 | default_nid = NID_ecdsa_with_SHA1; | |
4102 | break; | |
4103 | ||
4104 | case SSL_PKEY_GOST01: | |
4105 | rsign = NID_id_GostR3410_2001; | |
4106 | default_nid = NID_id_GostR3411_94_with_GostR3410_2001; | |
4107 | break; | |
4108 | ||
4109 | case SSL_PKEY_GOST12_256: | |
4110 | rsign = NID_id_GostR3410_2012_256; | |
4111 | default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256; | |
4112 | break; | |
4113 | ||
4114 | case SSL_PKEY_GOST12_512: | |
4115 | rsign = NID_id_GostR3410_2012_512; | |
4116 | default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512; | |
4117 | break; | |
4118 | ||
4119 | default: | |
4120 | default_nid = -1; | |
4121 | break; | |
4122 | } | |
4123 | } | |
4124 | /* | |
4125 | * If peer sent no signature algorithms extension and we have set | |
4126 | * preferred signature algorithms check we support sha1. | |
4127 | */ | |
4128 | if (default_nid > 0 && c->conf_sigalgs) { | |
4129 | size_t j; | |
4130 | const uint16_t *p = c->conf_sigalgs; | |
4131 | for (j = 0; j < c->conf_sigalgslen; j++, p++) { | |
4132 | const SIGALG_LOOKUP *lu = | |
4133 | tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), *p); | |
4134 | ||
4135 | if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign) | |
4136 | break; | |
4137 | } | |
4138 | if (j == c->conf_sigalgslen) { | |
4139 | if (check_flags) | |
4140 | goto skip_sigs; | |
4141 | else | |
4142 | goto end; | |
4143 | } | |
4144 | } | |
4145 | /* Check signature algorithm of each cert in chain */ | |
4146 | if (SSL_CONNECTION_IS_TLS13(s)) { | |
4147 | /* | |
4148 | * We only get here if the application has called SSL_check_chain(), | |
4149 | * so check_flags is always set. | |
4150 | */ | |
4151 | if (find_sig_alg(s, x, pk) != NULL) | |
4152 | rv |= CERT_PKEY_EE_SIGNATURE; | |
4153 | } else if (!tls1_check_sig_alg(s, x, default_nid)) { | |
4154 | if (!check_flags) | |
4155 | goto end; | |
4156 | } else | |
4157 | rv |= CERT_PKEY_EE_SIGNATURE; | |
4158 | rv |= CERT_PKEY_CA_SIGNATURE; | |
4159 | for (i = 0; i < sk_X509_num(chain); i++) { | |
4160 | if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) { | |
4161 | if (check_flags) { | |
4162 | rv &= ~CERT_PKEY_CA_SIGNATURE; | |
4163 | break; | |
4164 | } else | |
4165 | goto end; | |
4166 | } | |
4167 | } | |
4168 | } | |
4169 | /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ | |
4170 | else if (check_flags) | |
4171 | rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; | |
4172 | skip_sigs: | |
4173 | /* Check cert parameters are consistent */ | |
4174 | if (tls1_check_cert_param(s, x, 1)) | |
4175 | rv |= CERT_PKEY_EE_PARAM; | |
4176 | else if (!check_flags) | |
4177 | goto end; | |
4178 | if (!s->server) | |
4179 | rv |= CERT_PKEY_CA_PARAM; | |
4180 | /* In strict mode check rest of chain too */ | |
4181 | else if (strict_mode) { | |
4182 | rv |= CERT_PKEY_CA_PARAM; | |
4183 | for (i = 0; i < sk_X509_num(chain); i++) { | |
4184 | X509 *ca = sk_X509_value(chain, i); | |
4185 | if (!tls1_check_cert_param(s, ca, 0)) { | |
4186 | if (check_flags) { | |
4187 | rv &= ~CERT_PKEY_CA_PARAM; | |
4188 | break; | |
4189 | } else | |
4190 | goto end; | |
4191 | } | |
4192 | } | |
4193 | } | |
4194 | if (!s->server && strict_mode) { | |
4195 | STACK_OF(X509_NAME) *ca_dn; | |
4196 | int check_type = 0; | |
4197 | ||
4198 | if (EVP_PKEY_is_a(pk, "RSA")) | |
4199 | check_type = TLS_CT_RSA_SIGN; | |
4200 | else if (EVP_PKEY_is_a(pk, "DSA")) | |
4201 | check_type = TLS_CT_DSS_SIGN; | |
4202 | else if (EVP_PKEY_is_a(pk, "EC")) | |
4203 | check_type = TLS_CT_ECDSA_SIGN; | |
4204 | ||
4205 | if (check_type) { | |
4206 | const uint8_t *ctypes = s->s3.tmp.ctype; | |
4207 | size_t j; | |
4208 | ||
4209 | for (j = 0; j < s->s3.tmp.ctype_len; j++, ctypes++) { | |
4210 | if (*ctypes == check_type) { | |
4211 | rv |= CERT_PKEY_CERT_TYPE; | |
4212 | break; | |
4213 | } | |
4214 | } | |
4215 | if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) | |
4216 | goto end; | |
4217 | } else { | |
4218 | rv |= CERT_PKEY_CERT_TYPE; | |
4219 | } | |
4220 | ||
4221 | ca_dn = s->s3.tmp.peer_ca_names; | |
4222 | ||
4223 | if (ca_dn == NULL | |
4224 | || sk_X509_NAME_num(ca_dn) == 0 | |
4225 | || ssl_check_ca_name(ca_dn, x)) | |
4226 | rv |= CERT_PKEY_ISSUER_NAME; | |
4227 | else | |
4228 | for (i = 0; i < sk_X509_num(chain); i++) { | |
4229 | X509 *xtmp = sk_X509_value(chain, i); | |
4230 | ||
4231 | if (ssl_check_ca_name(ca_dn, xtmp)) { | |
4232 | rv |= CERT_PKEY_ISSUER_NAME; | |
4233 | break; | |
4234 | } | |
4235 | } | |
4236 | ||
4237 | if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) | |
4238 | goto end; | |
4239 | } else | |
4240 | rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE; | |
4241 | ||
4242 | if (!check_flags || (rv & check_flags) == check_flags) | |
4243 | rv |= CERT_PKEY_VALID; | |
4244 | ||
4245 | end: | |
4246 | ||
4247 | if (TLS1_get_version(SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION) | |
4248 | rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN); | |
4249 | else | |
4250 | rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; | |
4251 | ||
4252 | /* | |
4253 | * When checking a CERT_PKEY structure all flags are irrelevant if the | |
4254 | * chain is invalid. | |
4255 | */ | |
4256 | if (!check_flags) { | |
4257 | if (rv & CERT_PKEY_VALID) { | |
4258 | *pvalid = rv; | |
4259 | } else { | |
4260 | /* Preserve sign and explicit sign flag, clear rest */ | |
4261 | *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; | |
4262 | return 0; | |
4263 | } | |
4264 | } | |
4265 | return rv; | |
4266 | } | |
4267 | ||
4268 | /* Set validity of certificates in an SSL structure */ | |
4269 | void tls1_set_cert_validity(SSL_CONNECTION *s) | |
4270 | { | |
4271 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); | |
4272 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); | |
4273 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); | |
4274 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); | |
4275 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); | |
4276 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256); | |
4277 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512); | |
4278 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519); | |
4279 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448); | |
4280 | } | |
4281 | ||
4282 | /* User level utility function to check a chain is suitable */ | |
4283 | int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) | |
4284 | { | |
4285 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); | |
4286 | ||
4287 | if (sc == NULL) | |
4288 | return 0; | |
4289 | ||
4290 | return tls1_check_chain(sc, x, pk, chain, -1); | |
4291 | } | |
4292 | ||
4293 | EVP_PKEY *ssl_get_auto_dh(SSL_CONNECTION *s) | |
4294 | { | |
4295 | EVP_PKEY *dhp = NULL; | |
4296 | BIGNUM *p; | |
4297 | int dh_secbits = 80, sec_level_bits; | |
4298 | EVP_PKEY_CTX *pctx = NULL; | |
4299 | OSSL_PARAM_BLD *tmpl = NULL; | |
4300 | OSSL_PARAM *params = NULL; | |
4301 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); | |
4302 | ||
4303 | if (s->cert->dh_tmp_auto != 2) { | |
4304 | if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { | |
4305 | if (s->s3.tmp.new_cipher->strength_bits == 256) | |
4306 | dh_secbits = 128; | |
4307 | else | |
4308 | dh_secbits = 80; | |
4309 | } else { | |
4310 | if (s->s3.tmp.cert == NULL) | |
4311 | return NULL; | |
4312 | dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey); | |
4313 | } | |
4314 | } | |
4315 | ||
4316 | /* Do not pick a prime that is too weak for the current security level */ | |
4317 | sec_level_bits = ssl_get_security_level_bits(SSL_CONNECTION_GET_SSL(s), | |
4318 | NULL, NULL); | |
4319 | if (dh_secbits < sec_level_bits) | |
4320 | dh_secbits = sec_level_bits; | |
4321 | ||
4322 | if (dh_secbits >= 192) | |
4323 | p = BN_get_rfc3526_prime_8192(NULL); | |
4324 | else if (dh_secbits >= 152) | |
4325 | p = BN_get_rfc3526_prime_4096(NULL); | |
4326 | else if (dh_secbits >= 128) | |
4327 | p = BN_get_rfc3526_prime_3072(NULL); | |
4328 | else if (dh_secbits >= 112) | |
4329 | p = BN_get_rfc3526_prime_2048(NULL); | |
4330 | else | |
4331 | p = BN_get_rfc2409_prime_1024(NULL); | |
4332 | if (p == NULL) | |
4333 | goto err; | |
4334 | ||
4335 | pctx = EVP_PKEY_CTX_new_from_name(sctx->libctx, "DH", sctx->propq); | |
4336 | if (pctx == NULL | |
4337 | || EVP_PKEY_fromdata_init(pctx) != 1) | |
4338 | goto err; | |
4339 | ||
4340 | tmpl = OSSL_PARAM_BLD_new(); | |
4341 | if (tmpl == NULL | |
4342 | || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) | |
4343 | || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2)) | |
4344 | goto err; | |
4345 | ||
4346 | params = OSSL_PARAM_BLD_to_param(tmpl); | |
4347 | if (params == NULL | |
4348 | || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1) | |
4349 | goto err; | |
4350 | ||
4351 | err: | |
4352 | OSSL_PARAM_free(params); | |
4353 | OSSL_PARAM_BLD_free(tmpl); | |
4354 | EVP_PKEY_CTX_free(pctx); | |
4355 | BN_free(p); | |
4356 | return dhp; | |
4357 | } | |
4358 | ||
4359 | static int ssl_security_cert_key(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, | |
4360 | int op) | |
4361 | { | |
4362 | int secbits = -1; | |
4363 | EVP_PKEY *pkey = X509_get0_pubkey(x); | |
4364 | ||
4365 | if (pkey) { | |
4366 | /* | |
4367 | * If no parameters this will return -1 and fail using the default | |
4368 | * security callback for any non-zero security level. This will | |
4369 | * reject keys which omit parameters but this only affects DSA and | |
4370 | * omission of parameters is never (?) done in practice. | |
4371 | */ | |
4372 | secbits = EVP_PKEY_get_security_bits(pkey); | |
4373 | } | |
4374 | if (s != NULL) | |
4375 | return ssl_security(s, op, secbits, 0, x); | |
4376 | else | |
4377 | return ssl_ctx_security(ctx, op, secbits, 0, x); | |
4378 | } | |
4379 | ||
4380 | static int ssl_security_cert_sig(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, | |
4381 | int op) | |
4382 | { | |
4383 | /* Lookup signature algorithm digest */ | |
4384 | int secbits, nid, pknid; | |
4385 | ||
4386 | /* Don't check signature if self signed */ | |
4387 | if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) | |
4388 | return 1; | |
4389 | if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL)) | |
4390 | secbits = -1; | |
4391 | /* If digest NID not defined use signature NID */ | |
4392 | if (nid == NID_undef) | |
4393 | nid = pknid; | |
4394 | if (s != NULL) | |
4395 | return ssl_security(s, op, secbits, nid, x); | |
4396 | else | |
4397 | return ssl_ctx_security(ctx, op, secbits, nid, x); | |
4398 | } | |
4399 | ||
4400 | int ssl_security_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, int vfy, | |
4401 | int is_ee) | |
4402 | { | |
4403 | if (vfy) | |
4404 | vfy = SSL_SECOP_PEER; | |
4405 | if (is_ee) { | |
4406 | if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy)) | |
4407 | return SSL_R_EE_KEY_TOO_SMALL; | |
4408 | } else { | |
4409 | if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy)) | |
4410 | return SSL_R_CA_KEY_TOO_SMALL; | |
4411 | } | |
4412 | if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) | |
4413 | return SSL_R_CA_MD_TOO_WEAK; | |
4414 | return 1; | |
4415 | } | |
4416 | ||
4417 | /* | |
4418 | * Check security of a chain, if |sk| includes the end entity certificate then | |
4419 | * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending | |
4420 | * one to the peer. Return values: 1 if ok otherwise error code to use | |
4421 | */ | |
4422 | ||
4423 | int ssl_security_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk, | |
4424 | X509 *x, int vfy) | |
4425 | { | |
4426 | int rv, start_idx, i; | |
4427 | ||
4428 | if (x == NULL) { | |
4429 | x = sk_X509_value(sk, 0); | |
4430 | if (x == NULL) | |
4431 | return ERR_R_INTERNAL_ERROR; | |
4432 | start_idx = 1; | |
4433 | } else | |
4434 | start_idx = 0; | |
4435 | ||
4436 | rv = ssl_security_cert(s, NULL, x, vfy, 1); | |
4437 | if (rv != 1) | |
4438 | return rv; | |
4439 | ||
4440 | for (i = start_idx; i < sk_X509_num(sk); i++) { | |
4441 | x = sk_X509_value(sk, i); | |
4442 | rv = ssl_security_cert(s, NULL, x, vfy, 0); | |
4443 | if (rv != 1) | |
4444 | return rv; | |
4445 | } | |
4446 | return 1; | |
4447 | } | |
4448 | ||
4449 | /* | |
4450 | * For TLS 1.2 servers check if we have a certificate which can be used | |
4451 | * with the signature algorithm "lu" and return index of certificate. | |
4452 | */ | |
4453 | ||
4454 | static int tls12_get_cert_sigalg_idx(const SSL_CONNECTION *s, | |
4455 | const SIGALG_LOOKUP *lu) | |
4456 | { | |
4457 | int sig_idx = lu->sig_idx; | |
4458 | const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx, | |
4459 | SSL_CONNECTION_GET_CTX(s)); | |
4460 | ||
4461 | /* If not recognised or not supported by cipher mask it is not suitable */ | |
4462 | if (clu == NULL | |
4463 | || (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0 | |
4464 | || (clu->nid == EVP_PKEY_RSA_PSS | |
4465 | && (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0)) | |
4466 | return -1; | |
4467 | ||
4468 | /* If doing RPK, the CERT_PKEY won't be "valid" */ | |
4469 | if (tls12_rpk_and_privkey(s, sig_idx)) | |
4470 | return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_RPK ? sig_idx : -1; | |
4471 | ||
4472 | return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1; | |
4473 | } | |
4474 | ||
4475 | /* | |
4476 | * Checks the given cert against signature_algorithm_cert restrictions sent by | |
4477 | * the peer (if any) as well as whether the hash from the sigalg is usable with | |
4478 | * the key. | |
4479 | * Returns true if the cert is usable and false otherwise. | |
4480 | */ | |
4481 | static int check_cert_usable(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig, | |
4482 | X509 *x, EVP_PKEY *pkey) | |
4483 | { | |
4484 | const SIGALG_LOOKUP *lu; | |
4485 | int mdnid, pknid, supported; | |
4486 | size_t i; | |
4487 | const char *mdname = NULL; | |
4488 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); | |
4489 | ||
4490 | /* | |
4491 | * If the given EVP_PKEY cannot support signing with this digest, | |
4492 | * the answer is simply 'no'. | |
4493 | */ | |
4494 | if (sig->hash != NID_undef) | |
4495 | mdname = OBJ_nid2sn(sig->hash); | |
4496 | supported = EVP_PKEY_digestsign_supports_digest(pkey, sctx->libctx, | |
4497 | mdname, | |
4498 | sctx->propq); | |
4499 | if (supported <= 0) | |
4500 | return 0; | |
4501 | ||
4502 | /* | |
4503 | * The TLS 1.3 signature_algorithms_cert extension places restrictions | |
4504 | * on the sigalg with which the certificate was signed (by its issuer). | |
4505 | */ | |
4506 | if (s->s3.tmp.peer_cert_sigalgs != NULL) { | |
4507 | if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL)) | |
4508 | return 0; | |
4509 | for (i = 0; i < s->s3.tmp.peer_cert_sigalgslen; i++) { | |
4510 | lu = tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s), | |
4511 | s->s3.tmp.peer_cert_sigalgs[i]); | |
4512 | if (lu == NULL) | |
4513 | continue; | |
4514 | ||
4515 | /* | |
4516 | * This does not differentiate between the | |
4517 | * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not | |
4518 | * have a chain here that lets us look at the key OID in the | |
4519 | * signing certificate. | |
4520 | */ | |
4521 | if (mdnid == lu->hash && pknid == lu->sig) | |
4522 | return 1; | |
4523 | } | |
4524 | return 0; | |
4525 | } | |
4526 | ||
4527 | /* | |
4528 | * Without signat_algorithms_cert, any certificate for which we have | |
4529 | * a viable public key is permitted. | |
4530 | */ | |
4531 | return 1; | |
4532 | } | |
4533 | ||
4534 | /* | |
4535 | * Returns true if |s| has a usable certificate configured for use | |
4536 | * with signature scheme |sig|. | |
4537 | * "Usable" includes a check for presence as well as applying | |
4538 | * the signature_algorithm_cert restrictions sent by the peer (if any). | |
4539 | * Returns false if no usable certificate is found. | |
4540 | */ | |
4541 | static int has_usable_cert(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig, int idx) | |
4542 | { | |
4543 | /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */ | |
4544 | if (idx == -1) | |
4545 | idx = sig->sig_idx; | |
4546 | if (!ssl_has_cert(s, idx)) | |
4547 | return 0; | |
4548 | ||
4549 | return check_cert_usable(s, sig, s->cert->pkeys[idx].x509, | |
4550 | s->cert->pkeys[idx].privatekey); | |
4551 | } | |
4552 | ||
4553 | /* | |
4554 | * Returns true if the supplied cert |x| and key |pkey| is usable with the | |
4555 | * specified signature scheme |sig|, or false otherwise. | |
4556 | */ | |
4557 | static int is_cert_usable(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig, X509 *x, | |
4558 | EVP_PKEY *pkey) | |
4559 | { | |
4560 | size_t idx; | |
4561 | ||
4562 | if (ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)) == NULL) | |
4563 | return 0; | |
4564 | ||
4565 | /* Check the key is consistent with the sig alg */ | |
4566 | if ((int)idx != sig->sig_idx) | |
4567 | return 0; | |
4568 | ||
4569 | return check_cert_usable(s, sig, x, pkey); | |
4570 | } | |
4571 | ||
4572 | /* | |
4573 | * Find a signature scheme that works with the supplied certificate |x| and key | |
4574 | * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our | |
4575 | * available certs/keys to find one that works. | |
4576 | */ | |
4577 | static const SIGALG_LOOKUP *find_sig_alg(SSL_CONNECTION *s, X509 *x, | |
4578 | EVP_PKEY *pkey) | |
4579 | { | |
4580 | const SIGALG_LOOKUP *lu = NULL; | |
4581 | size_t i; | |
4582 | int curve = -1; | |
4583 | EVP_PKEY *tmppkey; | |
4584 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); | |
4585 | ||
4586 | /* Look for a shared sigalgs matching possible certificates */ | |
4587 | for (i = 0; i < s->shared_sigalgslen; i++) { | |
4588 | /* Skip SHA1, SHA224, DSA and RSA if not PSS */ | |
4589 | lu = s->shared_sigalgs[i]; | |
4590 | if (lu->hash == NID_sha1 | |
4591 | || lu->hash == NID_sha224 | |
4592 | || lu->sig == EVP_PKEY_DSA | |
4593 | || lu->sig == EVP_PKEY_RSA | |
4594 | || !tls_sigalg_compat(s, lu)) | |
4595 | continue; | |
4596 | ||
4597 | /* Check that we have a cert, and signature_algorithms_cert */ | |
4598 | if (!tls1_lookup_md(sctx, lu, NULL)) | |
4599 | continue; | |
4600 | if ((pkey == NULL && !has_usable_cert(s, lu, -1)) | |
4601 | || (pkey != NULL && !is_cert_usable(s, lu, x, pkey))) | |
4602 | continue; | |
4603 | ||
4604 | tmppkey = (pkey != NULL) ? pkey | |
4605 | : s->cert->pkeys[lu->sig_idx].privatekey; | |
4606 | ||
4607 | if (lu->sig == EVP_PKEY_EC) { | |
4608 | if (curve == -1) | |
4609 | curve = ssl_get_EC_curve_nid(tmppkey); | |
4610 | if (lu->curve != NID_undef && curve != lu->curve) | |
4611 | continue; | |
4612 | } else if (lu->sig == EVP_PKEY_RSA_PSS) { | |
4613 | /* validate that key is large enough for the signature algorithm */ | |
4614 | if (!rsa_pss_check_min_key_size(sctx, tmppkey, lu)) | |
4615 | continue; | |
4616 | } | |
4617 | break; | |
4618 | } | |
4619 | ||
4620 | if (i == s->shared_sigalgslen) | |
4621 | return NULL; | |
4622 | ||
4623 | return lu; | |
4624 | } | |
4625 | ||
4626 | /* | |
4627 | * Choose an appropriate signature algorithm based on available certificates | |
4628 | * Sets chosen certificate and signature algorithm. | |
4629 | * | |
4630 | * For servers if we fail to find a required certificate it is a fatal error, | |
4631 | * an appropriate error code is set and a TLS alert is sent. | |
4632 | * | |
4633 | * For clients fatalerrs is set to 0. If a certificate is not suitable it is not | |
4634 | * a fatal error: we will either try another certificate or not present one | |
4635 | * to the server. In this case no error is set. | |
4636 | */ | |
4637 | int tls_choose_sigalg(SSL_CONNECTION *s, int fatalerrs) | |
4638 | { | |
4639 | const SIGALG_LOOKUP *lu = NULL; | |
4640 | int sig_idx = -1; | |
4641 | ||
4642 | s->s3.tmp.cert = NULL; | |
4643 | s->s3.tmp.sigalg = NULL; | |
4644 | ||
4645 | if (SSL_CONNECTION_IS_TLS13(s)) { | |
4646 | lu = find_sig_alg(s, NULL, NULL); | |
4647 | if (lu == NULL) { | |
4648 | if (!fatalerrs) | |
4649 | return 1; | |
4650 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, | |
4651 | SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); | |
4652 | return 0; | |
4653 | } | |
4654 | } else { | |
4655 | /* If ciphersuite doesn't require a cert nothing to do */ | |
4656 | if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT)) | |
4657 | return 1; | |
4658 | if (!s->server && !ssl_has_cert(s, (int)(s->cert->key - s->cert->pkeys))) | |
4659 | return 1; | |
4660 | ||
4661 | if (SSL_USE_SIGALGS(s)) { | |
4662 | size_t i; | |
4663 | if (s->s3.tmp.peer_sigalgs != NULL) { | |
4664 | int curve = -1; | |
4665 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); | |
4666 | ||
4667 | /* For Suite B need to match signature algorithm to curve */ | |
4668 | if (tls1_suiteb(s)) | |
4669 | curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC] | |
4670 | .privatekey); | |
4671 | ||
4672 | /* | |
4673 | * Find highest preference signature algorithm matching | |
4674 | * cert type | |
4675 | */ | |
4676 | for (i = 0; i < s->shared_sigalgslen; i++) { | |
4677 | /* Check the sigalg version bounds */ | |
4678 | lu = s->shared_sigalgs[i]; | |
4679 | if (!tls_sigalg_compat(s, lu)) | |
4680 | continue; | |
4681 | if (s->server) { | |
4682 | if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1) | |
4683 | continue; | |
4684 | } else { | |
4685 | int cc_idx = (int)(s->cert->key - s->cert->pkeys); | |
4686 | ||
4687 | sig_idx = lu->sig_idx; | |
4688 | if (cc_idx != sig_idx) | |
4689 | continue; | |
4690 | } | |
4691 | /* Check that we have a cert, and sig_algs_cert */ | |
4692 | if (!has_usable_cert(s, lu, sig_idx)) | |
4693 | continue; | |
4694 | if (lu->sig == EVP_PKEY_RSA_PSS) { | |
4695 | /* validate that key is large enough for the signature algorithm */ | |
4696 | EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey; | |
4697 | ||
4698 | if (!rsa_pss_check_min_key_size(sctx, pkey, lu)) | |
4699 | continue; | |
4700 | } | |
4701 | if (curve == -1 || lu->curve == curve) | |
4702 | break; | |
4703 | } | |
4704 | #ifndef OPENSSL_NO_GOST | |
4705 | /* | |
4706 | * Some Windows-based implementations do not send GOST algorithms indication | |
4707 | * in supported_algorithms extension, so when we have GOST-based ciphersuite, | |
4708 | * we have to assume GOST support. | |
4709 | */ | |
4710 | if (i == s->shared_sigalgslen | |
4711 | && (s->s3.tmp.new_cipher->algorithm_auth | |
4712 | & (SSL_aGOST01 | SSL_aGOST12)) != 0) { | |
4713 | if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { | |
4714 | if (!fatalerrs) | |
4715 | return 1; | |
4716 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, | |
4717 | SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); | |
4718 | return 0; | |
4719 | } else { | |
4720 | i = 0; | |
4721 | sig_idx = lu->sig_idx; | |
4722 | } | |
4723 | } | |
4724 | #endif | |
4725 | if (i == s->shared_sigalgslen) { | |
4726 | if (!fatalerrs) | |
4727 | return 1; | |
4728 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, | |
4729 | SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); | |
4730 | return 0; | |
4731 | } | |
4732 | } else { | |
4733 | /* | |
4734 | * If we have no sigalg use defaults | |
4735 | */ | |
4736 | const uint16_t *sent_sigs; | |
4737 | size_t sent_sigslen; | |
4738 | ||
4739 | if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { | |
4740 | if (!fatalerrs) | |
4741 | return 1; | |
4742 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, | |
4743 | SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); | |
4744 | return 0; | |
4745 | } | |
4746 | ||
4747 | /* Check signature matches a type we sent */ | |
4748 | sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); | |
4749 | for (i = 0; i < sent_sigslen; i++, sent_sigs++) { | |
4750 | if (lu->sigalg == *sent_sigs | |
4751 | && has_usable_cert(s, lu, lu->sig_idx)) | |
4752 | break; | |
4753 | } | |
4754 | if (i == sent_sigslen) { | |
4755 | if (!fatalerrs) | |
4756 | return 1; | |
4757 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, | |
4758 | SSL_R_WRONG_SIGNATURE_TYPE); | |
4759 | return 0; | |
4760 | } | |
4761 | } | |
4762 | } else { | |
4763 | if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { | |
4764 | if (!fatalerrs) | |
4765 | return 1; | |
4766 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | |
4767 | SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); | |
4768 | return 0; | |
4769 | } | |
4770 | } | |
4771 | } | |
4772 | if (sig_idx == -1) | |
4773 | sig_idx = lu->sig_idx; | |
4774 | s->s3.tmp.cert = &s->cert->pkeys[sig_idx]; | |
4775 | s->cert->key = s->s3.tmp.cert; | |
4776 | s->s3.tmp.sigalg = lu; | |
4777 | return 1; | |
4778 | } | |
4779 | ||
4780 | int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) | |
4781 | { | |
4782 | if (mode != TLSEXT_max_fragment_length_DISABLED | |
4783 | && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { | |
4784 | ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); | |
4785 | return 0; | |
4786 | } | |
4787 | ||
4788 | ctx->ext.max_fragment_len_mode = mode; | |
4789 | return 1; | |
4790 | } | |
4791 | ||
4792 | int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode) | |
4793 | { | |
4794 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl); | |
4795 | ||
4796 | if (sc == NULL | |
4797 | || (IS_QUIC(ssl) && mode != TLSEXT_max_fragment_length_DISABLED)) | |
4798 | return 0; | |
4799 | ||
4800 | if (mode != TLSEXT_max_fragment_length_DISABLED | |
4801 | && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { | |
4802 | ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); | |
4803 | return 0; | |
4804 | } | |
4805 | ||
4806 | sc->ext.max_fragment_len_mode = mode; | |
4807 | return 1; | |
4808 | } | |
4809 | ||
4810 | uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session) | |
4811 | { | |
4812 | if (session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED) | |
4813 | return TLSEXT_max_fragment_length_DISABLED; | |
4814 | return session->ext.max_fragment_len_mode; | |
4815 | } | |
4816 | ||
4817 | /* | |
4818 | * Helper functions for HMAC access with legacy support included. | |
4819 | */ | |
4820 | SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx) | |
4821 | { | |
4822 | SSL_HMAC *ret = OPENSSL_zalloc(sizeof(*ret)); | |
4823 | EVP_MAC *mac = NULL; | |
4824 | ||
4825 | if (ret == NULL) | |
4826 | return NULL; | |
4827 | #ifndef OPENSSL_NO_DEPRECATED_3_0 | |
4828 | if (ctx->ext.ticket_key_evp_cb == NULL | |
4829 | && ctx->ext.ticket_key_cb != NULL) { | |
4830 | if (!ssl_hmac_old_new(ret)) | |
4831 | goto err; | |
4832 | return ret; | |
4833 | } | |
4834 | #endif | |
4835 | mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq); | |
4836 | if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL) | |
4837 | goto err; | |
4838 | EVP_MAC_free(mac); | |
4839 | return ret; | |
4840 | err: | |
4841 | EVP_MAC_CTX_free(ret->ctx); | |
4842 | EVP_MAC_free(mac); | |
4843 | OPENSSL_free(ret); | |
4844 | return NULL; | |
4845 | } | |
4846 | ||
4847 | void ssl_hmac_free(SSL_HMAC *ctx) | |
4848 | { | |
4849 | if (ctx != NULL) { | |
4850 | EVP_MAC_CTX_free(ctx->ctx); | |
4851 | #ifndef OPENSSL_NO_DEPRECATED_3_0 | |
4852 | ssl_hmac_old_free(ctx); | |
4853 | #endif | |
4854 | OPENSSL_free(ctx); | |
4855 | } | |
4856 | } | |
4857 | ||
4858 | EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx) | |
4859 | { | |
4860 | return ctx->ctx; | |
4861 | } | |
4862 | ||
4863 | int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md) | |
4864 | { | |
4865 | OSSL_PARAM params[2], *p = params; | |
4866 | ||
4867 | if (ctx->ctx != NULL) { | |
4868 | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0); | |
4869 | *p = OSSL_PARAM_construct_end(); | |
4870 | if (EVP_MAC_init(ctx->ctx, key, len, params)) | |
4871 | return 1; | |
4872 | } | |
4873 | #ifndef OPENSSL_NO_DEPRECATED_3_0 | |
4874 | if (ctx->old_ctx != NULL) | |
4875 | return ssl_hmac_old_init(ctx, key, len, md); | |
4876 | #endif | |
4877 | return 0; | |
4878 | } | |
4879 | ||
4880 | int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len) | |
4881 | { | |
4882 | if (ctx->ctx != NULL) | |
4883 | return EVP_MAC_update(ctx->ctx, data, len); | |
4884 | #ifndef OPENSSL_NO_DEPRECATED_3_0 | |
4885 | if (ctx->old_ctx != NULL) | |
4886 | return ssl_hmac_old_update(ctx, data, len); | |
4887 | #endif | |
4888 | return 0; | |
4889 | } | |
4890 | ||
4891 | int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, | |
4892 | size_t max_size) | |
4893 | { | |
4894 | if (ctx->ctx != NULL) | |
4895 | return EVP_MAC_final(ctx->ctx, md, len, max_size); | |
4896 | #ifndef OPENSSL_NO_DEPRECATED_3_0 | |
4897 | if (ctx->old_ctx != NULL) | |
4898 | return ssl_hmac_old_final(ctx, md, len); | |
4899 | #endif | |
4900 | return 0; | |
4901 | } | |
4902 | ||
4903 | size_t ssl_hmac_size(const SSL_HMAC *ctx) | |
4904 | { | |
4905 | if (ctx->ctx != NULL) | |
4906 | return EVP_MAC_CTX_get_mac_size(ctx->ctx); | |
4907 | #ifndef OPENSSL_NO_DEPRECATED_3_0 | |
4908 | if (ctx->old_ctx != NULL) | |
4909 | return ssl_hmac_old_size(ctx); | |
4910 | #endif | |
4911 | return 0; | |
4912 | } | |
4913 | ||
4914 | int ssl_get_EC_curve_nid(const EVP_PKEY *pkey) | |
4915 | { | |
4916 | char gname[OSSL_MAX_NAME_SIZE]; | |
4917 | ||
4918 | if (EVP_PKEY_get_group_name(pkey, gname, sizeof(gname), NULL) > 0) | |
4919 | return OBJ_txt2nid(gname); | |
4920 | ||
4921 | return NID_undef; | |
4922 | } | |
4923 | ||
4924 | __owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey, | |
4925 | const unsigned char *enckey, | |
4926 | size_t enckeylen) | |
4927 | { | |
4928 | if (EVP_PKEY_is_a(pkey, "DH")) { | |
4929 | int bits = EVP_PKEY_get_bits(pkey); | |
4930 | ||
4931 | if (bits <= 0 || enckeylen != (size_t)bits / 8) | |
4932 | /* the encoded key must be padded to the length of the p */ | |
4933 | return 0; | |
4934 | } else if (EVP_PKEY_is_a(pkey, "EC")) { | |
4935 | if (enckeylen < 3 /* point format and at least 1 byte for x and y */ | |
4936 | || enckey[0] != 0x04) | |
4937 | return 0; | |
4938 | } | |
4939 | ||
4940 | return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen); | |
4941 | } |