]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/t1_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Make asn1 fuzzer more reproducible
[thirdparty/openssl.git] / ssl / t1_lib.c
1 /*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <openssl/objects.h>
13 #include <openssl/evp.h>
14 #include <openssl/hmac.h>
15 #include <openssl/ocsp.h>
16 #include <openssl/conf.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/dh.h>
19 #include <openssl/bn.h>
20 #include "ssl_locl.h"
21 #include <openssl/ct.h>
22
23 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, size_t ticklen,
24 const unsigned char *sess_id, size_t sesslen,
25 SSL_SESSION **psess);
26
27 SSL3_ENC_METHOD const TLSv1_enc_data = {
28 tls1_enc,
29 tls1_mac,
30 tls1_setup_key_block,
31 tls1_generate_master_secret,
32 tls1_change_cipher_state,
33 tls1_final_finish_mac,
34 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
35 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
36 tls1_alert_code,
37 tls1_export_keying_material,
38 0,
39 ssl3_set_handshake_header,
40 tls_close_construct_packet,
41 ssl3_handshake_write
42 };
43
44 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
45 tls1_enc,
46 tls1_mac,
47 tls1_setup_key_block,
48 tls1_generate_master_secret,
49 tls1_change_cipher_state,
50 tls1_final_finish_mac,
51 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
52 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
53 tls1_alert_code,
54 tls1_export_keying_material,
55 SSL_ENC_FLAG_EXPLICIT_IV,
56 ssl3_set_handshake_header,
57 tls_close_construct_packet,
58 ssl3_handshake_write
59 };
60
61 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
62 tls1_enc,
63 tls1_mac,
64 tls1_setup_key_block,
65 tls1_generate_master_secret,
66 tls1_change_cipher_state,
67 tls1_final_finish_mac,
68 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
69 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
70 tls1_alert_code,
71 tls1_export_keying_material,
72 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
73 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
74 ssl3_set_handshake_header,
75 tls_close_construct_packet,
76 ssl3_handshake_write
77 };
78
79 SSL3_ENC_METHOD const TLSv1_3_enc_data = {
80 tls13_enc,
81 tls1_mac,
82 tls13_setup_key_block,
83 tls13_generate_master_secret,
84 tls13_change_cipher_state,
85 tls13_final_finish_mac,
86 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
87 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
88 tls1_alert_code,
89 tls1_export_keying_material,
90 SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
91 ssl3_set_handshake_header,
92 tls_close_construct_packet,
93 ssl3_handshake_write
94 };
95
96 long tls1_default_timeout(void)
97 {
98 /*
99 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
100 * http, the cache would over fill
101 */
102 return (60 * 60 * 2);
103 }
104
105 int tls1_new(SSL *s)
106 {
107 if (!ssl3_new(s))
108 return (0);
109 s->method->ssl_clear(s);
110 return (1);
111 }
112
113 void tls1_free(SSL *s)
114 {
115 OPENSSL_free(s->tlsext_session_ticket);
116 ssl3_free(s);
117 }
118
119 void tls1_clear(SSL *s)
120 {
121 ssl3_clear(s);
122 if (s->method->version == TLS_ANY_VERSION)
123 s->version = TLS_MAX_VERSION;
124 else
125 s->version = s->method->version;
126 }
127
128 #ifndef OPENSSL_NO_EC
129
130 typedef struct {
131 int nid; /* Curve NID */
132 int secbits; /* Bits of security (from SP800-57) */
133 unsigned int flags; /* Flags: currently just field type */
134 } tls_curve_info;
135
136 /*
137 * Table of curve information.
138 * Do not delete entries or reorder this array! It is used as a lookup
139 * table: the index of each entry is one less than the TLS curve id.
140 */
141 static const tls_curve_info nid_list[] = {
142 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
143 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
144 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
145 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
146 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
147 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
148 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
149 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
150 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
151 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
152 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
153 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
154 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
155 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
156 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
157 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
158 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
159 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
160 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
161 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
162 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
163 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
164 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
165 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
166 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
167 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
168 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
169 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
170 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
171 };
172
173 static const unsigned char ecformats_default[] = {
174 TLSEXT_ECPOINTFORMAT_uncompressed,
175 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
176 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
177 };
178
179 /* The default curves */
180 static const unsigned char eccurves_default[] = {
181 0, 29, /* X25519 (29) */
182 0, 23, /* secp256r1 (23) */
183 0, 25, /* secp521r1 (25) */
184 0, 24, /* secp384r1 (24) */
185 };
186
187 static const unsigned char eccurves_all[] = {
188 0, 29, /* X25519 (29) */
189 0, 23, /* secp256r1 (23) */
190 0, 25, /* secp521r1 (25) */
191 0, 24, /* secp384r1 (24) */
192 0, 26, /* brainpoolP256r1 (26) */
193 0, 27, /* brainpoolP384r1 (27) */
194 0, 28, /* brainpool512r1 (28) */
195
196 /*
197 * Remaining curves disabled by default but still permitted if set
198 * via an explicit callback or parameters.
199 */
200 0, 22, /* secp256k1 (22) */
201 0, 14, /* sect571r1 (14) */
202 0, 13, /* sect571k1 (13) */
203 0, 11, /* sect409k1 (11) */
204 0, 12, /* sect409r1 (12) */
205 0, 9, /* sect283k1 (9) */
206 0, 10, /* sect283r1 (10) */
207 0, 20, /* secp224k1 (20) */
208 0, 21, /* secp224r1 (21) */
209 0, 18, /* secp192k1 (18) */
210 0, 19, /* secp192r1 (19) */
211 0, 15, /* secp160k1 (15) */
212 0, 16, /* secp160r1 (16) */
213 0, 17, /* secp160r2 (17) */
214 0, 8, /* sect239k1 (8) */
215 0, 6, /* sect233k1 (6) */
216 0, 7, /* sect233r1 (7) */
217 0, 4, /* sect193r1 (4) */
218 0, 5, /* sect193r2 (5) */
219 0, 1, /* sect163k1 (1) */
220 0, 2, /* sect163r1 (2) */
221 0, 3, /* sect163r2 (3) */
222 };
223
224 static const unsigned char suiteb_curves[] = {
225 0, TLSEXT_curve_P_256,
226 0, TLSEXT_curve_P_384
227 };
228
229 int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
230 {
231 const tls_curve_info *cinfo;
232 /* ECC curves from RFC 4492 and RFC 7027 */
233 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
234 return 0;
235 cinfo = nid_list + curve_id - 1;
236 if (pflags)
237 *pflags = cinfo->flags;
238 return cinfo->nid;
239 }
240
241 int tls1_ec_nid2curve_id(int nid)
242 {
243 size_t i;
244 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
245 if (nid_list[i].nid == nid)
246 return (int)(i + 1);
247 }
248 return 0;
249 }
250
251 /*
252 * Get curves list, if "sess" is set return client curves otherwise
253 * preferred list.
254 * Sets |num_curves| to the number of curves in the list, i.e.,
255 * the length of |pcurves| is 2 * num_curves.
256 * Returns 1 on success and 0 if the client curves list has invalid format.
257 * The latter indicates an internal error: we should not be accepting such
258 * lists in the first place.
259 * TODO(emilia): we should really be storing the curves list in explicitly
260 * parsed form instead. (However, this would affect binary compatibility
261 * so cannot happen in the 1.0.x series.)
262 */
263 int tls1_get_curvelist(SSL *s, int sess, const unsigned char **pcurves,
264 size_t *num_curves)
265 {
266 size_t pcurveslen = 0;
267 if (sess) {
268 *pcurves = s->session->tlsext_supportedgroupslist;
269 pcurveslen = s->session->tlsext_supportedgroupslist_length;
270 } else {
271 /* For Suite B mode only include P-256, P-384 */
272 switch (tls1_suiteb(s)) {
273 case SSL_CERT_FLAG_SUITEB_128_LOS:
274 *pcurves = suiteb_curves;
275 pcurveslen = sizeof(suiteb_curves);
276 break;
277
278 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
279 *pcurves = suiteb_curves;
280 pcurveslen = 2;
281 break;
282
283 case SSL_CERT_FLAG_SUITEB_192_LOS:
284 *pcurves = suiteb_curves + 2;
285 pcurveslen = 2;
286 break;
287 default:
288 *pcurves = s->tlsext_supportedgroupslist;
289 pcurveslen = s->tlsext_supportedgroupslist_length;
290 }
291 if (!*pcurves) {
292 *pcurves = eccurves_default;
293 pcurveslen = sizeof(eccurves_default);
294 }
295 }
296
297 /* We do not allow odd length arrays to enter the system. */
298 if (pcurveslen & 1) {
299 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
300 *num_curves = 0;
301 return 0;
302 } else {
303 *num_curves = pcurveslen / 2;
304 return 1;
305 }
306 }
307
308 /* See if curve is allowed by security callback */
309 int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
310 {
311 const tls_curve_info *cinfo;
312 if (curve[0])
313 return 1;
314 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
315 return 0;
316 cinfo = &nid_list[curve[1] - 1];
317 # ifdef OPENSSL_NO_EC2M
318 if (cinfo->flags & TLS_CURVE_CHAR2)
319 return 0;
320 # endif
321 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
322 }
323
324 /* Check a curve is one of our preferences */
325 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
326 {
327 const unsigned char *curves;
328 size_t num_curves, i;
329 unsigned int suiteb_flags = tls1_suiteb(s);
330 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
331 return 0;
332 /* Check curve matches Suite B preferences */
333 if (suiteb_flags) {
334 unsigned long cid = s->s3->tmp.new_cipher->id;
335 if (p[1])
336 return 0;
337 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
338 if (p[2] != TLSEXT_curve_P_256)
339 return 0;
340 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
341 if (p[2] != TLSEXT_curve_P_384)
342 return 0;
343 } else /* Should never happen */
344 return 0;
345 }
346 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
347 return 0;
348 for (i = 0; i < num_curves; i++, curves += 2) {
349 if (p[1] == curves[0] && p[2] == curves[1])
350 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
351 }
352 return 0;
353 }
354
355 /*-
356 * For nmatch >= 0, return the NID of the |nmatch|th shared group or NID_undef
357 * if there is no match.
358 * For nmatch == -1, return number of matches
359 * For nmatch == -2, return the NID of the group to use for
360 * an EC tmp key, or NID_undef if there is no match.
361 */
362 int tls1_shared_group(SSL *s, int nmatch)
363 {
364 const unsigned char *pref, *supp;
365 size_t num_pref, num_supp, i, j;
366 int k;
367 /* Can't do anything on client side */
368 if (s->server == 0)
369 return -1;
370 if (nmatch == -2) {
371 if (tls1_suiteb(s)) {
372 /*
373 * For Suite B ciphersuite determines curve: we already know
374 * these are acceptable due to previous checks.
375 */
376 unsigned long cid = s->s3->tmp.new_cipher->id;
377 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
378 return NID_X9_62_prime256v1; /* P-256 */
379 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
380 return NID_secp384r1; /* P-384 */
381 /* Should never happen */
382 return NID_undef;
383 }
384 /* If not Suite B just return first preference shared curve */
385 nmatch = 0;
386 }
387 /*
388 * Avoid truncation. tls1_get_curvelist takes an int
389 * but s->options is a long...
390 */
391 if (!tls1_get_curvelist
392 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
393 &num_supp))
394 /* In practice, NID_undef == 0 but let's be precise. */
395 return nmatch == -1 ? 0 : NID_undef;
396 if (!tls1_get_curvelist
397 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, &num_pref))
398 return nmatch == -1 ? 0 : NID_undef;
399
400 /*
401 * If the client didn't send the elliptic_curves extension all of them
402 * are allowed.
403 */
404 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
405 supp = eccurves_all;
406 num_supp = sizeof(eccurves_all) / 2;
407 } else if (num_pref == 0 &&
408 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
409 pref = eccurves_all;
410 num_pref = sizeof(eccurves_all) / 2;
411 }
412
413 k = 0;
414 for (i = 0; i < num_pref; i++, pref += 2) {
415 const unsigned char *tsupp = supp;
416 for (j = 0; j < num_supp; j++, tsupp += 2) {
417 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
418 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
419 continue;
420 if (nmatch == k) {
421 int id = (pref[0] << 8) | pref[1];
422 return tls1_ec_curve_id2nid(id, NULL);
423 }
424 k++;
425 }
426 }
427 }
428 if (nmatch == -1)
429 return k;
430 /* Out of range (nmatch > k). */
431 return NID_undef;
432 }
433
434 int tls1_set_groups(unsigned char **pext, size_t *pextlen,
435 int *groups, size_t ngroups)
436 {
437 unsigned char *glist, *p;
438 size_t i;
439 /*
440 * Bitmap of groups included to detect duplicates: only works while group
441 * ids < 32
442 */
443 unsigned long dup_list = 0;
444 glist = OPENSSL_malloc(ngroups * 2);
445 if (glist == NULL)
446 return 0;
447 for (i = 0, p = glist; i < ngroups; i++) {
448 unsigned long idmask;
449 int id;
450 /* TODO(TLS1.3): Convert for DH groups */
451 id = tls1_ec_nid2curve_id(groups[i]);
452 idmask = 1L << id;
453 if (!id || (dup_list & idmask)) {
454 OPENSSL_free(glist);
455 return 0;
456 }
457 dup_list |= idmask;
458 s2n(id, p);
459 }
460 OPENSSL_free(*pext);
461 *pext = glist;
462 *pextlen = ngroups * 2;
463 return 1;
464 }
465
466 # define MAX_CURVELIST 28
467
468 typedef struct {
469 size_t nidcnt;
470 int nid_arr[MAX_CURVELIST];
471 } nid_cb_st;
472
473 static int nid_cb(const char *elem, int len, void *arg)
474 {
475 nid_cb_st *narg = arg;
476 size_t i;
477 int nid;
478 char etmp[20];
479 if (elem == NULL)
480 return 0;
481 if (narg->nidcnt == MAX_CURVELIST)
482 return 0;
483 if (len > (int)(sizeof(etmp) - 1))
484 return 0;
485 memcpy(etmp, elem, len);
486 etmp[len] = 0;
487 nid = EC_curve_nist2nid(etmp);
488 if (nid == NID_undef)
489 nid = OBJ_sn2nid(etmp);
490 if (nid == NID_undef)
491 nid = OBJ_ln2nid(etmp);
492 if (nid == NID_undef)
493 return 0;
494 for (i = 0; i < narg->nidcnt; i++)
495 if (narg->nid_arr[i] == nid)
496 return 0;
497 narg->nid_arr[narg->nidcnt++] = nid;
498 return 1;
499 }
500
501 /* Set groups based on a colon separate list */
502 int tls1_set_groups_list(unsigned char **pext, size_t *pextlen, const char *str)
503 {
504 nid_cb_st ncb;
505 ncb.nidcnt = 0;
506 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
507 return 0;
508 if (pext == NULL)
509 return 1;
510 return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
511 }
512
513 /* For an EC key set TLS id and required compression based on parameters */
514 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
515 EC_KEY *ec)
516 {
517 int id;
518 const EC_GROUP *grp;
519 if (!ec)
520 return 0;
521 /* Determine if it is a prime field */
522 grp = EC_KEY_get0_group(ec);
523 if (!grp)
524 return 0;
525 /* Determine curve ID */
526 id = EC_GROUP_get_curve_name(grp);
527 id = tls1_ec_nid2curve_id(id);
528 /* If no id return error: we don't support arbitrary explicit curves */
529 if (id == 0)
530 return 0;
531 curve_id[0] = 0;
532 curve_id[1] = (unsigned char)id;
533 if (comp_id) {
534 if (EC_KEY_get0_public_key(ec) == NULL)
535 return 0;
536 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
537 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
538 } else {
539 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
540 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
541 else
542 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
543 }
544 }
545 return 1;
546 }
547
548 /* Check an EC key is compatible with extensions */
549 static int tls1_check_ec_key(SSL *s,
550 unsigned char *curve_id, unsigned char *comp_id)
551 {
552 const unsigned char *pformats, *pcurves;
553 size_t num_formats, num_curves, i;
554 int j;
555 /*
556 * If point formats extension present check it, otherwise everything is
557 * supported (see RFC4492).
558 */
559 if (comp_id && s->session->tlsext_ecpointformatlist) {
560 pformats = s->session->tlsext_ecpointformatlist;
561 num_formats = s->session->tlsext_ecpointformatlist_length;
562 for (i = 0; i < num_formats; i++, pformats++) {
563 if (*comp_id == *pformats)
564 break;
565 }
566 if (i == num_formats)
567 return 0;
568 }
569 if (!curve_id)
570 return 1;
571 /* Check curve is consistent with client and server preferences */
572 for (j = 0; j <= 1; j++) {
573 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
574 return 0;
575 if (j == 1 && num_curves == 0) {
576 /*
577 * If we've not received any curves then skip this check.
578 * RFC 4492 does not require the supported elliptic curves extension
579 * so if it is not sent we can just choose any curve.
580 * It is invalid to send an empty list in the elliptic curves
581 * extension, so num_curves == 0 always means no extension.
582 */
583 break;
584 }
585 for (i = 0; i < num_curves; i++, pcurves += 2) {
586 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
587 break;
588 }
589 if (i == num_curves)
590 return 0;
591 /* For clients can only check sent curve list */
592 if (!s->server)
593 break;
594 }
595 return 1;
596 }
597
598 void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
599 size_t *num_formats)
600 {
601 /*
602 * If we have a custom point format list use it otherwise use default
603 */
604 if (s->tlsext_ecpointformatlist) {
605 *pformats = s->tlsext_ecpointformatlist;
606 *num_formats = s->tlsext_ecpointformatlist_length;
607 } else {
608 *pformats = ecformats_default;
609 /* For Suite B we don't support char2 fields */
610 if (tls1_suiteb(s))
611 *num_formats = sizeof(ecformats_default) - 1;
612 else
613 *num_formats = sizeof(ecformats_default);
614 }
615 }
616
617 /*
618 * Check cert parameters compatible with extensions: currently just checks EC
619 * certificates have compatible curves and compression.
620 */
621 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
622 {
623 unsigned char comp_id, curve_id[2];
624 EVP_PKEY *pkey;
625 int rv;
626 pkey = X509_get0_pubkey(x);
627 if (!pkey)
628 return 0;
629 /* If not EC nothing to do */
630 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
631 return 1;
632 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
633 if (!rv)
634 return 0;
635 /*
636 * Can't check curve_id for client certs as we don't have a supported
637 * curves extension.
638 */
639 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
640 if (!rv)
641 return 0;
642 /*
643 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
644 * SHA384+P-384, adjust digest if necessary.
645 */
646 if (set_ee_md && tls1_suiteb(s)) {
647 int check_md;
648 size_t i;
649 CERT *c = s->cert;
650 if (curve_id[0])
651 return 0;
652 /* Check to see we have necessary signing algorithm */
653 if (curve_id[1] == TLSEXT_curve_P_256)
654 check_md = NID_ecdsa_with_SHA256;
655 else if (curve_id[1] == TLSEXT_curve_P_384)
656 check_md = NID_ecdsa_with_SHA384;
657 else
658 return 0; /* Should never happen */
659 for (i = 0; i < c->shared_sigalgslen; i++)
660 if (check_md == c->shared_sigalgs[i].signandhash_nid)
661 break;
662 if (i == c->shared_sigalgslen)
663 return 0;
664 if (set_ee_md == 2) {
665 if (check_md == NID_ecdsa_with_SHA256)
666 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
667 else
668 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
669 }
670 }
671 return rv;
672 }
673
674 # ifndef OPENSSL_NO_EC
675 /*
676 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
677 * @s: SSL connection
678 * @cid: Cipher ID we're considering using
679 *
680 * Checks that the kECDHE cipher suite we're considering using
681 * is compatible with the client extensions.
682 *
683 * Returns 0 when the cipher can't be used or 1 when it can.
684 */
685 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
686 {
687 /*
688 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
689 * curves permitted.
690 */
691 if (tls1_suiteb(s)) {
692 unsigned char curve_id[2];
693 /* Curve to check determined by ciphersuite */
694 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
695 curve_id[1] = TLSEXT_curve_P_256;
696 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
697 curve_id[1] = TLSEXT_curve_P_384;
698 else
699 return 0;
700 curve_id[0] = 0;
701 /* Check this curve is acceptable */
702 if (!tls1_check_ec_key(s, curve_id, NULL))
703 return 0;
704 return 1;
705 }
706 /* Need a shared curve */
707 if (tls1_shared_group(s, 0))
708 return 1;
709 return 0;
710 }
711 # endif /* OPENSSL_NO_EC */
712
713 #else
714
715 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
716 {
717 return 1;
718 }
719
720 #endif /* OPENSSL_NO_EC */
721
722 /*
723 * List of supported signature algorithms and hashes. Should make this
724 * customisable at some point, for now include everything we support.
725 */
726
727 #ifdef OPENSSL_NO_RSA
728 # define tlsext_sigalg_rsa(md) /* */
729 #else
730 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
731 #endif
732
733 #ifdef OPENSSL_NO_DSA
734 # define tlsext_sigalg_dsa(md) /* */
735 #else
736 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
737 #endif
738
739 #ifdef OPENSSL_NO_EC
740 # define tlsext_sigalg_ecdsa(md)/* */
741 #else
742 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
743 #endif
744
745 #define tlsext_sigalg(md) \
746 tlsext_sigalg_rsa(md) \
747 tlsext_sigalg_dsa(md) \
748 tlsext_sigalg_ecdsa(md)
749
750 static const unsigned char tls12_sigalgs[] = {
751 tlsext_sigalg(TLSEXT_hash_sha512)
752 tlsext_sigalg(TLSEXT_hash_sha384)
753 tlsext_sigalg(TLSEXT_hash_sha256)
754 tlsext_sigalg(TLSEXT_hash_sha224)
755 tlsext_sigalg(TLSEXT_hash_sha1)
756 #ifndef OPENSSL_NO_GOST
757 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
758 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
759 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
760 #endif
761 };
762
763 #ifndef OPENSSL_NO_EC
764 static const unsigned char suiteb_sigalgs[] = {
765 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
766 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
767 };
768 #endif
769 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
770 {
771 /*
772 * If Suite B mode use Suite B sigalgs only, ignore any other
773 * preferences.
774 */
775 #ifndef OPENSSL_NO_EC
776 switch (tls1_suiteb(s)) {
777 case SSL_CERT_FLAG_SUITEB_128_LOS:
778 *psigs = suiteb_sigalgs;
779 return sizeof(suiteb_sigalgs);
780
781 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
782 *psigs = suiteb_sigalgs;
783 return 2;
784
785 case SSL_CERT_FLAG_SUITEB_192_LOS:
786 *psigs = suiteb_sigalgs + 2;
787 return 2;
788 }
789 #endif
790 /* If server use client authentication sigalgs if not NULL */
791 if (s->server && s->cert->client_sigalgs) {
792 *psigs = s->cert->client_sigalgs;
793 return s->cert->client_sigalgslen;
794 } else if (s->cert->conf_sigalgs) {
795 *psigs = s->cert->conf_sigalgs;
796 return s->cert->conf_sigalgslen;
797 } else {
798 *psigs = tls12_sigalgs;
799 return sizeof(tls12_sigalgs);
800 }
801 }
802
803 /*
804 * Check signature algorithm is consistent with sent supported signature
805 * algorithms and if so return relevant digest.
806 */
807 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
808 const unsigned char *sig, EVP_PKEY *pkey)
809 {
810 const unsigned char *sent_sigs;
811 size_t sent_sigslen, i;
812 int sigalg = tls12_get_sigid(pkey);
813 /* Should never happen */
814 if (sigalg == -1)
815 return -1;
816 /* Check key type is consistent with signature */
817 if (sigalg != (int)sig[1]) {
818 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
819 return 0;
820 }
821 #ifndef OPENSSL_NO_EC
822 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
823 unsigned char curve_id[2], comp_id;
824 /* Check compression and curve matches extensions */
825 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
826 return 0;
827 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
828 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
829 return 0;
830 }
831 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
832 if (tls1_suiteb(s)) {
833 if (curve_id[0])
834 return 0;
835 if (curve_id[1] == TLSEXT_curve_P_256) {
836 if (sig[0] != TLSEXT_hash_sha256) {
837 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
838 SSL_R_ILLEGAL_SUITEB_DIGEST);
839 return 0;
840 }
841 } else if (curve_id[1] == TLSEXT_curve_P_384) {
842 if (sig[0] != TLSEXT_hash_sha384) {
843 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
844 SSL_R_ILLEGAL_SUITEB_DIGEST);
845 return 0;
846 }
847 } else
848 return 0;
849 }
850 } else if (tls1_suiteb(s))
851 return 0;
852 #endif
853
854 /* Check signature matches a type we sent */
855 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
856 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
857 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
858 break;
859 }
860 /* Allow fallback to SHA1 if not strict mode */
861 if (i == sent_sigslen
862 && (sig[0] != TLSEXT_hash_sha1
863 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
864 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
865 return 0;
866 }
867 *pmd = tls12_get_hash(sig[0]);
868 if (*pmd == NULL) {
869 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
870 return 0;
871 }
872 /* Make sure security callback allows algorithm */
873 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
874 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
875 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
876 return 0;
877 }
878 /*
879 * Store the digest used so applications can retrieve it if they wish.
880 */
881 s->s3->tmp.peer_md = *pmd;
882 return 1;
883 }
884
885 /*
886 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
887 * supported, doesn't appear in supported signature algorithms, isn't supported
888 * by the enabled protocol versions or by the security level.
889 *
890 * This function should only be used for checking which ciphers are supported
891 * by the client.
892 *
893 * Call ssl_cipher_disabled() to check that it's enabled or not.
894 */
895 void ssl_set_client_disabled(SSL *s)
896 {
897 s->s3->tmp.mask_a = 0;
898 s->s3->tmp.mask_k = 0;
899 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
900 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
901 #ifndef OPENSSL_NO_PSK
902 /* with PSK there must be client callback set */
903 if (!s->psk_client_callback) {
904 s->s3->tmp.mask_a |= SSL_aPSK;
905 s->s3->tmp.mask_k |= SSL_PSK;
906 }
907 #endif /* OPENSSL_NO_PSK */
908 #ifndef OPENSSL_NO_SRP
909 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
910 s->s3->tmp.mask_a |= SSL_aSRP;
911 s->s3->tmp.mask_k |= SSL_kSRP;
912 }
913 #endif
914 }
915
916 /*
917 * ssl_cipher_disabled - check that a cipher is disabled or not
918 * @s: SSL connection that you want to use the cipher on
919 * @c: cipher to check
920 * @op: Security check that you want to do
921 *
922 * Returns 1 when it's disabled, 0 when enabled.
923 */
924 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
925 {
926 if (c->algorithm_mkey & s->s3->tmp.mask_k
927 || c->algorithm_auth & s->s3->tmp.mask_a)
928 return 1;
929 if (s->s3->tmp.max_ver == 0)
930 return 1;
931 if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
932 || (c->max_tls < s->s3->tmp.min_ver)))
933 return 1;
934 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
935 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
936 return 1;
937
938 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
939 }
940
941 int tls_use_ticket(SSL *s)
942 {
943 if ((s->options & SSL_OP_NO_TICKET) || SSL_IS_TLS13(s))
944 return 0;
945 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
946 }
947
948 /* Initialise digests to default values */
949 void ssl_set_default_md(SSL *s)
950 {
951 const EVP_MD **pmd = s->s3->tmp.md;
952 #ifndef OPENSSL_NO_DSA
953 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
954 #endif
955 #ifndef OPENSSL_NO_RSA
956 if (SSL_USE_SIGALGS(s))
957 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
958 else
959 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
960 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
961 #endif
962 #ifndef OPENSSL_NO_EC
963 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
964 #endif
965 #ifndef OPENSSL_NO_GOST
966 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
967 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
968 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
969 #endif
970 }
971
972 int tls1_set_server_sigalgs(SSL *s)
973 {
974 int al;
975 size_t i;
976
977 /* Clear any shared signature algorithms */
978 OPENSSL_free(s->cert->shared_sigalgs);
979 s->cert->shared_sigalgs = NULL;
980 s->cert->shared_sigalgslen = 0;
981 /* Clear certificate digests and validity flags */
982 for (i = 0; i < SSL_PKEY_NUM; i++) {
983 s->s3->tmp.md[i] = NULL;
984 s->s3->tmp.valid_flags[i] = 0;
985 }
986
987 /* If sigalgs received process it. */
988 if (s->s3->tmp.peer_sigalgs) {
989 if (!tls1_process_sigalgs(s)) {
990 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
991 al = SSL_AD_INTERNAL_ERROR;
992 goto err;
993 }
994 /* Fatal error is no shared signature algorithms */
995 if (!s->cert->shared_sigalgs) {
996 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
997 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
998 al = SSL_AD_ILLEGAL_PARAMETER;
999 goto err;
1000 }
1001 } else {
1002 ssl_set_default_md(s);
1003 }
1004 return 1;
1005 err:
1006 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1007 return 0;
1008 }
1009
1010 /*
1011 * Given a list of extensions that we collected earlier, find one of a given
1012 * type and return it.
1013 *
1014 * |exts| is the set of extensions previously collected.
1015 * |numexts| is the number of extensions that we have.
1016 * |type| the type of the extension that we are looking for.
1017 *
1018 * Returns a pointer to the found RAW_EXTENSION data, or NULL if not found.
1019 */
1020 RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts, size_t numexts,
1021 unsigned int type)
1022 {
1023 size_t loop;
1024
1025 for (loop = 0; loop < numexts; loop++) {
1026 if (exts[loop].type == type)
1027 return &exts[loop];
1028 }
1029
1030 return NULL;
1031 }
1032
1033 /*-
1034 * Gets the ticket information supplied by the client if any.
1035 *
1036 * hello: The parsed ClientHello data
1037 * ret: (output) on return, if a ticket was decrypted, then this is set to
1038 * point to the resulting session.
1039 *
1040 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
1041 * ciphersuite, in which case we have no use for session tickets and one will
1042 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
1043 *
1044 * Returns:
1045 * -1: fatal error, either from parsing or decrypting the ticket.
1046 * 0: no ticket was found (or was ignored, based on settings).
1047 * 1: a zero length extension was found, indicating that the client supports
1048 * session tickets but doesn't currently have one to offer.
1049 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
1050 * couldn't be decrypted because of a non-fatal error.
1051 * 3: a ticket was successfully decrypted and *ret was set.
1052 *
1053 * Side effects:
1054 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
1055 * a new session ticket to the client because the client indicated support
1056 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
1057 * a session ticket or we couldn't use the one it gave us, or if
1058 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
1059 * Otherwise, s->tlsext_ticket_expected is set to 0.
1060 */
1061 int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
1062 SSL_SESSION **ret)
1063 {
1064 int retv;
1065 size_t size;
1066 RAW_EXTENSION *ticketext;
1067
1068 *ret = NULL;
1069 s->tlsext_ticket_expected = 0;
1070
1071 /*
1072 * If tickets disabled or not supported by the protocol version
1073 * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
1074 * resumption.
1075 */
1076 if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
1077 return 0;
1078
1079 ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
1080 if (!ticketext->present)
1081 return 0;
1082
1083 size = PACKET_remaining(&ticketext->data);
1084 if (size == 0) {
1085 /*
1086 * The client will accept a ticket but doesn't currently have
1087 * one.
1088 */
1089 s->tlsext_ticket_expected = 1;
1090 return 1;
1091 }
1092 if (s->tls_session_secret_cb) {
1093 /*
1094 * Indicate that the ticket couldn't be decrypted rather than
1095 * generating the session from ticket now, trigger
1096 * abbreviated handshake based on external mechanism to
1097 * calculate the master secret later.
1098 */
1099 return 2;
1100 }
1101
1102 retv = tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
1103 hello->session_id, hello->session_id_len, ret);
1104 switch (retv) {
1105 case 2: /* ticket couldn't be decrypted */
1106 s->tlsext_ticket_expected = 1;
1107 return 2;
1108
1109 case 3: /* ticket was decrypted */
1110 return 3;
1111
1112 case 4: /* ticket decrypted but need to renew */
1113 s->tlsext_ticket_expected = 1;
1114 return 3;
1115
1116 default: /* fatal error */
1117 return -1;
1118 }
1119 }
1120
1121 /*-
1122 * tls_decrypt_ticket attempts to decrypt a session ticket.
1123 *
1124 * etick: points to the body of the session ticket extension.
1125 * eticklen: the length of the session tickets extension.
1126 * sess_id: points at the session ID.
1127 * sesslen: the length of the session ID.
1128 * psess: (output) on return, if a ticket was decrypted, then this is set to
1129 * point to the resulting session.
1130 *
1131 * Returns:
1132 * -2: fatal error, malloc failure.
1133 * -1: fatal error, either from parsing or decrypting the ticket.
1134 * 2: the ticket couldn't be decrypted.
1135 * 3: a ticket was successfully decrypted and *psess was set.
1136 * 4: same as 3, but the ticket needs to be renewed.
1137 */
1138 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
1139 size_t eticklen, const unsigned char *sess_id,
1140 size_t sesslen, SSL_SESSION **psess)
1141 {
1142 SSL_SESSION *sess;
1143 unsigned char *sdec;
1144 const unsigned char *p;
1145 int slen, renew_ticket = 0, ret = -1, declen;
1146 size_t mlen;
1147 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1148 HMAC_CTX *hctx = NULL;
1149 EVP_CIPHER_CTX *ctx;
1150 SSL_CTX *tctx = s->initial_ctx;
1151
1152 /* Initialize session ticket encryption and HMAC contexts */
1153 hctx = HMAC_CTX_new();
1154 if (hctx == NULL)
1155 return -2;
1156 ctx = EVP_CIPHER_CTX_new();
1157 if (ctx == NULL) {
1158 ret = -2;
1159 goto err;
1160 }
1161 if (tctx->tlsext_ticket_key_cb) {
1162 unsigned char *nctick = (unsigned char *)etick;
1163 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1164 ctx, hctx, 0);
1165 if (rv < 0)
1166 goto err;
1167 if (rv == 0) {
1168 ret = 2;
1169 goto err;
1170 }
1171 if (rv == 2)
1172 renew_ticket = 1;
1173 } else {
1174 /* Check key name matches */
1175 if (memcmp(etick, tctx->tlsext_tick_key_name,
1176 sizeof(tctx->tlsext_tick_key_name)) != 0) {
1177 ret = 2;
1178 goto err;
1179 }
1180 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
1181 sizeof(tctx->tlsext_tick_hmac_key),
1182 EVP_sha256(), NULL) <= 0
1183 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
1184 tctx->tlsext_tick_aes_key,
1185 etick + sizeof(tctx->tlsext_tick_key_name)) <=
1186 0) {
1187 goto err;
1188 }
1189 }
1190 /*
1191 * Attempt to process session ticket, first conduct sanity and integrity
1192 * checks on ticket.
1193 */
1194 mlen = HMAC_size(hctx);
1195 if (mlen == 0) {
1196 goto err;
1197 }
1198 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
1199 if (eticklen <=
1200 TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
1201 ret = 2;
1202 goto err;
1203 }
1204 eticklen -= mlen;
1205 /* Check HMAC of encrypted ticket */
1206 if (HMAC_Update(hctx, etick, eticklen) <= 0
1207 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
1208 goto err;
1209 }
1210 HMAC_CTX_free(hctx);
1211 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
1212 EVP_CIPHER_CTX_free(ctx);
1213 return 2;
1214 }
1215 /* Attempt to decrypt session data */
1216 /* Move p after IV to start of encrypted ticket, update length */
1217 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
1218 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
1219 sdec = OPENSSL_malloc(eticklen);
1220 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
1221 (int)eticklen) <= 0) {
1222 EVP_CIPHER_CTX_free(ctx);
1223 OPENSSL_free(sdec);
1224 return -1;
1225 }
1226 if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
1227 EVP_CIPHER_CTX_free(ctx);
1228 OPENSSL_free(sdec);
1229 return 2;
1230 }
1231 slen += declen;
1232 EVP_CIPHER_CTX_free(ctx);
1233 ctx = NULL;
1234 p = sdec;
1235
1236 sess = d2i_SSL_SESSION(NULL, &p, slen);
1237 OPENSSL_free(sdec);
1238 if (sess) {
1239 /*
1240 * The session ID, if non-empty, is used by some clients to detect
1241 * that the ticket has been accepted. So we copy it to the session
1242 * structure. If it is empty set length to zero as required by
1243 * standard.
1244 */
1245 if (sesslen)
1246 memcpy(sess->session_id, sess_id, sesslen);
1247 sess->session_id_length = sesslen;
1248 *psess = sess;
1249 if (renew_ticket)
1250 return 4;
1251 else
1252 return 3;
1253 }
1254 ERR_clear_error();
1255 /*
1256 * For session parse failure, indicate that we need to send a new ticket.
1257 */
1258 return 2;
1259 err:
1260 EVP_CIPHER_CTX_free(ctx);
1261 HMAC_CTX_free(hctx);
1262 return ret;
1263 }
1264
1265 /* Tables to translate from NIDs to TLS v1.2 ids */
1266
1267 typedef struct {
1268 int nid;
1269 int id;
1270 } tls12_lookup;
1271
1272 static const tls12_lookup tls12_md[] = {
1273 {NID_md5, TLSEXT_hash_md5},
1274 {NID_sha1, TLSEXT_hash_sha1},
1275 {NID_sha224, TLSEXT_hash_sha224},
1276 {NID_sha256, TLSEXT_hash_sha256},
1277 {NID_sha384, TLSEXT_hash_sha384},
1278 {NID_sha512, TLSEXT_hash_sha512},
1279 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
1280 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
1281 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
1282 };
1283
1284 static const tls12_lookup tls12_sig[] = {
1285 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
1286 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
1287 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
1288 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
1289 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
1290 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
1291 };
1292
1293 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
1294 {
1295 size_t i;
1296 for (i = 0; i < tlen; i++) {
1297 if (table[i].nid == nid)
1298 return table[i].id;
1299 }
1300 return -1;
1301 }
1302
1303 static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
1304 {
1305 size_t i;
1306 for (i = 0; i < tlen; i++) {
1307 if ((table[i].id) == id)
1308 return table[i].nid;
1309 }
1310 return NID_undef;
1311 }
1312
1313 int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk, const EVP_MD *md)
1314 {
1315 int sig_id, md_id;
1316
1317 if (md == NULL)
1318 return 0;
1319 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
1320 if (md_id == -1)
1321 return 0;
1322 sig_id = tls12_get_sigid(pk);
1323 if (sig_id == -1)
1324 return 0;
1325 if (!WPACKET_put_bytes_u8(pkt, md_id) || !WPACKET_put_bytes_u8(pkt, sig_id))
1326 return 0;
1327
1328 return 1;
1329 }
1330
1331 int tls12_get_sigid(const EVP_PKEY *pk)
1332 {
1333 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
1334 }
1335
1336 typedef struct {
1337 int nid;
1338 int secbits;
1339 int md_idx;
1340 unsigned char tlsext_hash;
1341 } tls12_hash_info;
1342
1343 static const tls12_hash_info tls12_md_info[] = {
1344 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
1345 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
1346 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
1347 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
1348 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
1349 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
1350 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
1351 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
1352 TLSEXT_hash_gostr34112012_256},
1353 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
1354 TLSEXT_hash_gostr34112012_512},
1355 };
1356
1357 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
1358 {
1359 unsigned int i;
1360 if (hash_alg == 0)
1361 return NULL;
1362
1363 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
1364 if (tls12_md_info[i].tlsext_hash == hash_alg)
1365 return tls12_md_info + i;
1366 }
1367
1368 return NULL;
1369 }
1370
1371 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
1372 {
1373 const tls12_hash_info *inf;
1374 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
1375 return NULL;
1376 inf = tls12_get_hash_info(hash_alg);
1377 if (!inf)
1378 return NULL;
1379 return ssl_md(inf->md_idx);
1380 }
1381
1382 static int tls12_get_pkey_idx(unsigned char sig_alg)
1383 {
1384 switch (sig_alg) {
1385 #ifndef OPENSSL_NO_RSA
1386 case TLSEXT_signature_rsa:
1387 return SSL_PKEY_RSA_SIGN;
1388 #endif
1389 #ifndef OPENSSL_NO_DSA
1390 case TLSEXT_signature_dsa:
1391 return SSL_PKEY_DSA_SIGN;
1392 #endif
1393 #ifndef OPENSSL_NO_EC
1394 case TLSEXT_signature_ecdsa:
1395 return SSL_PKEY_ECC;
1396 #endif
1397 #ifndef OPENSSL_NO_GOST
1398 case TLSEXT_signature_gostr34102001:
1399 return SSL_PKEY_GOST01;
1400
1401 case TLSEXT_signature_gostr34102012_256:
1402 return SSL_PKEY_GOST12_256;
1403
1404 case TLSEXT_signature_gostr34102012_512:
1405 return SSL_PKEY_GOST12_512;
1406 #endif
1407 }
1408 return -1;
1409 }
1410
1411 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
1412 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
1413 int *psignhash_nid, const unsigned char *data)
1414 {
1415 int sign_nid = NID_undef, hash_nid = NID_undef;
1416 if (!phash_nid && !psign_nid && !psignhash_nid)
1417 return;
1418 if (phash_nid || psignhash_nid) {
1419 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
1420 if (phash_nid)
1421 *phash_nid = hash_nid;
1422 }
1423 if (psign_nid || psignhash_nid) {
1424 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
1425 if (psign_nid)
1426 *psign_nid = sign_nid;
1427 }
1428 if (psignhash_nid) {
1429 if (sign_nid == NID_undef || hash_nid == NID_undef
1430 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
1431 *psignhash_nid = NID_undef;
1432 }
1433 }
1434
1435 /* Check to see if a signature algorithm is allowed */
1436 static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
1437 {
1438 /* See if we have an entry in the hash table and it is enabled */
1439 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
1440 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
1441 return 0;
1442 /* See if public key algorithm allowed */
1443 if (tls12_get_pkey_idx(ptmp[1]) == -1)
1444 return 0;
1445 /* Finally see if security callback allows it */
1446 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
1447 }
1448
1449 /*
1450 * Get a mask of disabled public key algorithms based on supported signature
1451 * algorithms. For example if no signature algorithm supports RSA then RSA is
1452 * disabled.
1453 */
1454
1455 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
1456 {
1457 const unsigned char *sigalgs;
1458 size_t i, sigalgslen;
1459 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1460 /*
1461 * Now go through all signature algorithms seeing if we support any for
1462 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
1463 * down calls to security callback only check if we have to.
1464 */
1465 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1466 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
1467 switch (sigalgs[1]) {
1468 #ifndef OPENSSL_NO_RSA
1469 case TLSEXT_signature_rsa:
1470 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
1471 have_rsa = 1;
1472 break;
1473 #endif
1474 #ifndef OPENSSL_NO_DSA
1475 case TLSEXT_signature_dsa:
1476 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
1477 have_dsa = 1;
1478 break;
1479 #endif
1480 #ifndef OPENSSL_NO_EC
1481 case TLSEXT_signature_ecdsa:
1482 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
1483 have_ecdsa = 1;
1484 break;
1485 #endif
1486 }
1487 }
1488 if (!have_rsa)
1489 *pmask_a |= SSL_aRSA;
1490 if (!have_dsa)
1491 *pmask_a |= SSL_aDSS;
1492 if (!have_ecdsa)
1493 *pmask_a |= SSL_aECDSA;
1494 }
1495
1496 int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
1497 const unsigned char *psig, size_t psiglen)
1498 {
1499 size_t i;
1500
1501 for (i = 0; i < psiglen; i += 2, psig += 2) {
1502 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
1503 if (!WPACKET_put_bytes_u8(pkt, psig[0])
1504 || !WPACKET_put_bytes_u8(pkt, psig[1]))
1505 return 0;
1506 }
1507 }
1508 return 1;
1509 }
1510
1511 /* Given preference and allowed sigalgs set shared sigalgs */
1512 static size_t tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
1513 const unsigned char *pref, size_t preflen,
1514 const unsigned char *allow, size_t allowlen)
1515 {
1516 const unsigned char *ptmp, *atmp;
1517 size_t i, j, nmatch = 0;
1518 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
1519 /* Skip disabled hashes or signature algorithms */
1520 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
1521 continue;
1522 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
1523 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
1524 nmatch++;
1525 if (shsig) {
1526 shsig->rhash = ptmp[0];
1527 shsig->rsign = ptmp[1];
1528 tls1_lookup_sigalg(&shsig->hash_nid,
1529 &shsig->sign_nid,
1530 &shsig->signandhash_nid, ptmp);
1531 shsig++;
1532 }
1533 break;
1534 }
1535 }
1536 }
1537 return nmatch;
1538 }
1539
1540 /* Set shared signature algorithms for SSL structures */
1541 static int tls1_set_shared_sigalgs(SSL *s)
1542 {
1543 const unsigned char *pref, *allow, *conf;
1544 size_t preflen, allowlen, conflen;
1545 size_t nmatch;
1546 TLS_SIGALGS *salgs = NULL;
1547 CERT *c = s->cert;
1548 unsigned int is_suiteb = tls1_suiteb(s);
1549
1550 OPENSSL_free(c->shared_sigalgs);
1551 c->shared_sigalgs = NULL;
1552 c->shared_sigalgslen = 0;
1553 /* If client use client signature algorithms if not NULL */
1554 if (!s->server && c->client_sigalgs && !is_suiteb) {
1555 conf = c->client_sigalgs;
1556 conflen = c->client_sigalgslen;
1557 } else if (c->conf_sigalgs && !is_suiteb) {
1558 conf = c->conf_sigalgs;
1559 conflen = c->conf_sigalgslen;
1560 } else
1561 conflen = tls12_get_psigalgs(s, &conf);
1562 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
1563 pref = conf;
1564 preflen = conflen;
1565 allow = s->s3->tmp.peer_sigalgs;
1566 allowlen = s->s3->tmp.peer_sigalgslen;
1567 } else {
1568 allow = conf;
1569 allowlen = conflen;
1570 pref = s->s3->tmp.peer_sigalgs;
1571 preflen = s->s3->tmp.peer_sigalgslen;
1572 }
1573 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
1574 if (nmatch) {
1575 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
1576 if (salgs == NULL)
1577 return 0;
1578 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
1579 } else {
1580 salgs = NULL;
1581 }
1582 c->shared_sigalgs = salgs;
1583 c->shared_sigalgslen = nmatch;
1584 return 1;
1585 }
1586
1587 /* Set preferred digest for each key type */
1588
1589 int tls1_save_sigalgs(SSL *s, const unsigned char *data, size_t dsize)
1590 {
1591 CERT *c = s->cert;
1592 /* Extension ignored for inappropriate versions */
1593 if (!SSL_USE_SIGALGS(s))
1594 return 1;
1595 /* Should never happen */
1596 if (!c)
1597 return 0;
1598
1599 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1600 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
1601 if (s->s3->tmp.peer_sigalgs == NULL)
1602 return 0;
1603 s->s3->tmp.peer_sigalgslen = dsize;
1604 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
1605 return 1;
1606 }
1607
1608 int tls1_process_sigalgs(SSL *s)
1609 {
1610 int idx;
1611 size_t i;
1612 const EVP_MD *md;
1613 const EVP_MD **pmd = s->s3->tmp.md;
1614 uint32_t *pvalid = s->s3->tmp.valid_flags;
1615 CERT *c = s->cert;
1616 TLS_SIGALGS *sigptr;
1617 if (!tls1_set_shared_sigalgs(s))
1618 return 0;
1619
1620 for (i = 0, sigptr = c->shared_sigalgs;
1621 i < c->shared_sigalgslen; i++, sigptr++) {
1622 idx = tls12_get_pkey_idx(sigptr->rsign);
1623 if (idx > 0 && pmd[idx] == NULL) {
1624 md = tls12_get_hash(sigptr->rhash);
1625 pmd[idx] = md;
1626 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
1627 if (idx == SSL_PKEY_RSA_SIGN) {
1628 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
1629 pmd[SSL_PKEY_RSA_ENC] = md;
1630 }
1631 }
1632
1633 }
1634 /*
1635 * In strict mode leave unset digests as NULL to indicate we can't use
1636 * the certificate for signing.
1637 */
1638 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1639 /*
1640 * Set any remaining keys to default values. NOTE: if alg is not
1641 * supported it stays as NULL.
1642 */
1643 #ifndef OPENSSL_NO_DSA
1644 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
1645 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
1646 #endif
1647 #ifndef OPENSSL_NO_RSA
1648 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
1649 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
1650 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
1651 }
1652 #endif
1653 #ifndef OPENSSL_NO_EC
1654 if (pmd[SSL_PKEY_ECC] == NULL)
1655 pmd[SSL_PKEY_ECC] = EVP_sha1();
1656 #endif
1657 #ifndef OPENSSL_NO_GOST
1658 if (pmd[SSL_PKEY_GOST01] == NULL)
1659 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
1660 if (pmd[SSL_PKEY_GOST12_256] == NULL)
1661 pmd[SSL_PKEY_GOST12_256] =
1662 EVP_get_digestbynid(NID_id_GostR3411_2012_256);
1663 if (pmd[SSL_PKEY_GOST12_512] == NULL)
1664 pmd[SSL_PKEY_GOST12_512] =
1665 EVP_get_digestbynid(NID_id_GostR3411_2012_512);
1666 #endif
1667 }
1668 return 1;
1669 }
1670
1671 int SSL_get_sigalgs(SSL *s, int idx,
1672 int *psign, int *phash, int *psignhash,
1673 unsigned char *rsig, unsigned char *rhash)
1674 {
1675 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
1676 size_t numsigalgs = s->s3->tmp.peer_sigalgslen / 2;
1677 if (psig == NULL || numsigalgs > INT_MAX)
1678 return 0;
1679 if (idx >= 0) {
1680 idx <<= 1;
1681 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
1682 return 0;
1683 psig += idx;
1684 if (rhash)
1685 *rhash = psig[0];
1686 if (rsig)
1687 *rsig = psig[1];
1688 tls1_lookup_sigalg(phash, psign, psignhash, psig);
1689 }
1690 return (int)numsigalgs;
1691 }
1692
1693 int SSL_get_shared_sigalgs(SSL *s, int idx,
1694 int *psign, int *phash, int *psignhash,
1695 unsigned char *rsig, unsigned char *rhash)
1696 {
1697 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
1698 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen
1699 || s->cert->shared_sigalgslen > INT_MAX)
1700 return 0;
1701 shsigalgs += idx;
1702 if (phash)
1703 *phash = shsigalgs->hash_nid;
1704 if (psign)
1705 *psign = shsigalgs->sign_nid;
1706 if (psignhash)
1707 *psignhash = shsigalgs->signandhash_nid;
1708 if (rsig)
1709 *rsig = shsigalgs->rsign;
1710 if (rhash)
1711 *rhash = shsigalgs->rhash;
1712 return (int)s->cert->shared_sigalgslen;
1713 }
1714
1715 #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
1716
1717 typedef struct {
1718 size_t sigalgcnt;
1719 int sigalgs[MAX_SIGALGLEN];
1720 } sig_cb_st;
1721
1722 static void get_sigorhash(int *psig, int *phash, const char *str)
1723 {
1724 if (strcmp(str, "RSA") == 0) {
1725 *psig = EVP_PKEY_RSA;
1726 } else if (strcmp(str, "DSA") == 0) {
1727 *psig = EVP_PKEY_DSA;
1728 } else if (strcmp(str, "ECDSA") == 0) {
1729 *psig = EVP_PKEY_EC;
1730 } else {
1731 *phash = OBJ_sn2nid(str);
1732 if (*phash == NID_undef)
1733 *phash = OBJ_ln2nid(str);
1734 }
1735 }
1736
1737 static int sig_cb(const char *elem, int len, void *arg)
1738 {
1739 sig_cb_st *sarg = arg;
1740 size_t i;
1741 char etmp[20], *p;
1742 int sig_alg = NID_undef, hash_alg = NID_undef;
1743 if (elem == NULL)
1744 return 0;
1745 if (sarg->sigalgcnt == MAX_SIGALGLEN)
1746 return 0;
1747 if (len > (int)(sizeof(etmp) - 1))
1748 return 0;
1749 memcpy(etmp, elem, len);
1750 etmp[len] = 0;
1751 p = strchr(etmp, '+');
1752 if (!p)
1753 return 0;
1754 *p = 0;
1755 p++;
1756 if (!*p)
1757 return 0;
1758
1759 get_sigorhash(&sig_alg, &hash_alg, etmp);
1760 get_sigorhash(&sig_alg, &hash_alg, p);
1761
1762 if (sig_alg == NID_undef || hash_alg == NID_undef)
1763 return 0;
1764
1765 for (i = 0; i < sarg->sigalgcnt; i += 2) {
1766 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
1767 return 0;
1768 }
1769 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
1770 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
1771 return 1;
1772 }
1773
1774 /*
1775 * Set supported signature algorithms based on a colon separated list of the
1776 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
1777 */
1778 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
1779 {
1780 sig_cb_st sig;
1781 sig.sigalgcnt = 0;
1782 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
1783 return 0;
1784 if (c == NULL)
1785 return 1;
1786 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
1787 }
1788
1789 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
1790 {
1791 unsigned char *sigalgs, *sptr;
1792 int rhash, rsign;
1793 size_t i;
1794 if (salglen & 1)
1795 return 0;
1796 sigalgs = OPENSSL_malloc(salglen);
1797 if (sigalgs == NULL)
1798 return 0;
1799 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
1800 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
1801 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
1802
1803 if (rhash == -1 || rsign == -1)
1804 goto err;
1805 *sptr++ = rhash;
1806 *sptr++ = rsign;
1807 }
1808
1809 if (client) {
1810 OPENSSL_free(c->client_sigalgs);
1811 c->client_sigalgs = sigalgs;
1812 c->client_sigalgslen = salglen;
1813 } else {
1814 OPENSSL_free(c->conf_sigalgs);
1815 c->conf_sigalgs = sigalgs;
1816 c->conf_sigalgslen = salglen;
1817 }
1818
1819 return 1;
1820
1821 err:
1822 OPENSSL_free(sigalgs);
1823 return 0;
1824 }
1825
1826 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
1827 {
1828 int sig_nid;
1829 size_t i;
1830 if (default_nid == -1)
1831 return 1;
1832 sig_nid = X509_get_signature_nid(x);
1833 if (default_nid)
1834 return sig_nid == default_nid ? 1 : 0;
1835 for (i = 0; i < c->shared_sigalgslen; i++)
1836 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
1837 return 1;
1838 return 0;
1839 }
1840
1841 /* Check to see if a certificate issuer name matches list of CA names */
1842 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
1843 {
1844 X509_NAME *nm;
1845 int i;
1846 nm = X509_get_issuer_name(x);
1847 for (i = 0; i < sk_X509_NAME_num(names); i++) {
1848 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
1849 return 1;
1850 }
1851 return 0;
1852 }
1853
1854 /*
1855 * Check certificate chain is consistent with TLS extensions and is usable by
1856 * server. This servers two purposes: it allows users to check chains before
1857 * passing them to the server and it allows the server to check chains before
1858 * attempting to use them.
1859 */
1860
1861 /* Flags which need to be set for a certificate when stict mode not set */
1862
1863 #define CERT_PKEY_VALID_FLAGS \
1864 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
1865 /* Strict mode flags */
1866 #define CERT_PKEY_STRICT_FLAGS \
1867 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
1868 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
1869
1870 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
1871 int idx)
1872 {
1873 int i;
1874 int rv = 0;
1875 int check_flags = 0, strict_mode;
1876 CERT_PKEY *cpk = NULL;
1877 CERT *c = s->cert;
1878 uint32_t *pvalid;
1879 unsigned int suiteb_flags = tls1_suiteb(s);
1880 /* idx == -1 means checking server chains */
1881 if (idx != -1) {
1882 /* idx == -2 means checking client certificate chains */
1883 if (idx == -2) {
1884 cpk = c->key;
1885 idx = (int)(cpk - c->pkeys);
1886 } else
1887 cpk = c->pkeys + idx;
1888 pvalid = s->s3->tmp.valid_flags + idx;
1889 x = cpk->x509;
1890 pk = cpk->privatekey;
1891 chain = cpk->chain;
1892 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
1893 /* If no cert or key, forget it */
1894 if (!x || !pk)
1895 goto end;
1896 } else {
1897 if (!x || !pk)
1898 return 0;
1899 idx = ssl_cert_type(x, pk);
1900 if (idx == -1)
1901 return 0;
1902 pvalid = s->s3->tmp.valid_flags + idx;
1903
1904 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
1905 check_flags = CERT_PKEY_STRICT_FLAGS;
1906 else
1907 check_flags = CERT_PKEY_VALID_FLAGS;
1908 strict_mode = 1;
1909 }
1910
1911 if (suiteb_flags) {
1912 int ok;
1913 if (check_flags)
1914 check_flags |= CERT_PKEY_SUITEB;
1915 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
1916 if (ok == X509_V_OK)
1917 rv |= CERT_PKEY_SUITEB;
1918 else if (!check_flags)
1919 goto end;
1920 }
1921
1922 /*
1923 * Check all signature algorithms are consistent with signature
1924 * algorithms extension if TLS 1.2 or later and strict mode.
1925 */
1926 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
1927 int default_nid;
1928 unsigned char rsign = 0;
1929 if (s->s3->tmp.peer_sigalgs)
1930 default_nid = 0;
1931 /* If no sigalgs extension use defaults from RFC5246 */
1932 else {
1933 switch (idx) {
1934 case SSL_PKEY_RSA_ENC:
1935 case SSL_PKEY_RSA_SIGN:
1936 rsign = TLSEXT_signature_rsa;
1937 default_nid = NID_sha1WithRSAEncryption;
1938 break;
1939
1940 case SSL_PKEY_DSA_SIGN:
1941 rsign = TLSEXT_signature_dsa;
1942 default_nid = NID_dsaWithSHA1;
1943 break;
1944
1945 case SSL_PKEY_ECC:
1946 rsign = TLSEXT_signature_ecdsa;
1947 default_nid = NID_ecdsa_with_SHA1;
1948 break;
1949
1950 case SSL_PKEY_GOST01:
1951 rsign = TLSEXT_signature_gostr34102001;
1952 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
1953 break;
1954
1955 case SSL_PKEY_GOST12_256:
1956 rsign = TLSEXT_signature_gostr34102012_256;
1957 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
1958 break;
1959
1960 case SSL_PKEY_GOST12_512:
1961 rsign = TLSEXT_signature_gostr34102012_512;
1962 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
1963 break;
1964
1965 default:
1966 default_nid = -1;
1967 break;
1968 }
1969 }
1970 /*
1971 * If peer sent no signature algorithms extension and we have set
1972 * preferred signature algorithms check we support sha1.
1973 */
1974 if (default_nid > 0 && c->conf_sigalgs) {
1975 size_t j;
1976 const unsigned char *p = c->conf_sigalgs;
1977 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
1978 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
1979 break;
1980 }
1981 if (j == c->conf_sigalgslen) {
1982 if (check_flags)
1983 goto skip_sigs;
1984 else
1985 goto end;
1986 }
1987 }
1988 /* Check signature algorithm of each cert in chain */
1989 if (!tls1_check_sig_alg(c, x, default_nid)) {
1990 if (!check_flags)
1991 goto end;
1992 } else
1993 rv |= CERT_PKEY_EE_SIGNATURE;
1994 rv |= CERT_PKEY_CA_SIGNATURE;
1995 for (i = 0; i < sk_X509_num(chain); i++) {
1996 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
1997 if (check_flags) {
1998 rv &= ~CERT_PKEY_CA_SIGNATURE;
1999 break;
2000 } else
2001 goto end;
2002 }
2003 }
2004 }
2005 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
2006 else if (check_flags)
2007 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
2008 skip_sigs:
2009 /* Check cert parameters are consistent */
2010 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
2011 rv |= CERT_PKEY_EE_PARAM;
2012 else if (!check_flags)
2013 goto end;
2014 if (!s->server)
2015 rv |= CERT_PKEY_CA_PARAM;
2016 /* In strict mode check rest of chain too */
2017 else if (strict_mode) {
2018 rv |= CERT_PKEY_CA_PARAM;
2019 for (i = 0; i < sk_X509_num(chain); i++) {
2020 X509 *ca = sk_X509_value(chain, i);
2021 if (!tls1_check_cert_param(s, ca, 0)) {
2022 if (check_flags) {
2023 rv &= ~CERT_PKEY_CA_PARAM;
2024 break;
2025 } else
2026 goto end;
2027 }
2028 }
2029 }
2030 if (!s->server && strict_mode) {
2031 STACK_OF(X509_NAME) *ca_dn;
2032 int check_type = 0;
2033 switch (EVP_PKEY_id(pk)) {
2034 case EVP_PKEY_RSA:
2035 check_type = TLS_CT_RSA_SIGN;
2036 break;
2037 case EVP_PKEY_DSA:
2038 check_type = TLS_CT_DSS_SIGN;
2039 break;
2040 case EVP_PKEY_EC:
2041 check_type = TLS_CT_ECDSA_SIGN;
2042 break;
2043 }
2044 if (check_type) {
2045 const unsigned char *ctypes;
2046 int ctypelen;
2047 if (c->ctypes) {
2048 ctypes = c->ctypes;
2049 ctypelen = (int)c->ctype_num;
2050 } else {
2051 ctypes = (unsigned char *)s->s3->tmp.ctype;
2052 ctypelen = s->s3->tmp.ctype_num;
2053 }
2054 for (i = 0; i < ctypelen; i++) {
2055 if (ctypes[i] == check_type) {
2056 rv |= CERT_PKEY_CERT_TYPE;
2057 break;
2058 }
2059 }
2060 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
2061 goto end;
2062 } else
2063 rv |= CERT_PKEY_CERT_TYPE;
2064
2065 ca_dn = s->s3->tmp.ca_names;
2066
2067 if (!sk_X509_NAME_num(ca_dn))
2068 rv |= CERT_PKEY_ISSUER_NAME;
2069
2070 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
2071 if (ssl_check_ca_name(ca_dn, x))
2072 rv |= CERT_PKEY_ISSUER_NAME;
2073 }
2074 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
2075 for (i = 0; i < sk_X509_num(chain); i++) {
2076 X509 *xtmp = sk_X509_value(chain, i);
2077 if (ssl_check_ca_name(ca_dn, xtmp)) {
2078 rv |= CERT_PKEY_ISSUER_NAME;
2079 break;
2080 }
2081 }
2082 }
2083 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
2084 goto end;
2085 } else
2086 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
2087
2088 if (!check_flags || (rv & check_flags) == check_flags)
2089 rv |= CERT_PKEY_VALID;
2090
2091 end:
2092
2093 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2094 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
2095 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
2096 else if (s->s3->tmp.md[idx] != NULL)
2097 rv |= CERT_PKEY_SIGN;
2098 } else
2099 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
2100
2101 /*
2102 * When checking a CERT_PKEY structure all flags are irrelevant if the
2103 * chain is invalid.
2104 */
2105 if (!check_flags) {
2106 if (rv & CERT_PKEY_VALID)
2107 *pvalid = rv;
2108 else {
2109 /* Preserve explicit sign flag, clear rest */
2110 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
2111 return 0;
2112 }
2113 }
2114 return rv;
2115 }
2116
2117 /* Set validity of certificates in an SSL structure */
2118 void tls1_set_cert_validity(SSL *s)
2119 {
2120 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
2121 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
2122 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
2123 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
2124 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
2125 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
2126 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
2127 }
2128
2129 /* User level utiity function to check a chain is suitable */
2130 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
2131 {
2132 return tls1_check_chain(s, x, pk, chain, -1);
2133 }
2134
2135 #ifndef OPENSSL_NO_DH
2136 DH *ssl_get_auto_dh(SSL *s)
2137 {
2138 int dh_secbits = 80;
2139 if (s->cert->dh_tmp_auto == 2)
2140 return DH_get_1024_160();
2141 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
2142 if (s->s3->tmp.new_cipher->strength_bits == 256)
2143 dh_secbits = 128;
2144 else
2145 dh_secbits = 80;
2146 } else {
2147 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
2148 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
2149 }
2150
2151 if (dh_secbits >= 128) {
2152 DH *dhp = DH_new();
2153 BIGNUM *p, *g;
2154 if (dhp == NULL)
2155 return NULL;
2156 g = BN_new();
2157 if (g != NULL)
2158 BN_set_word(g, 2);
2159 if (dh_secbits >= 192)
2160 p = BN_get_rfc3526_prime_8192(NULL);
2161 else
2162 p = BN_get_rfc3526_prime_3072(NULL);
2163 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
2164 DH_free(dhp);
2165 BN_free(p);
2166 BN_free(g);
2167 return NULL;
2168 }
2169 return dhp;
2170 }
2171 if (dh_secbits >= 112)
2172 return DH_get_2048_224();
2173 return DH_get_1024_160();
2174 }
2175 #endif
2176
2177 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2178 {
2179 int secbits = -1;
2180 EVP_PKEY *pkey = X509_get0_pubkey(x);
2181 if (pkey) {
2182 /*
2183 * If no parameters this will return -1 and fail using the default
2184 * security callback for any non-zero security level. This will
2185 * reject keys which omit parameters but this only affects DSA and
2186 * omission of parameters is never (?) done in practice.
2187 */
2188 secbits = EVP_PKEY_security_bits(pkey);
2189 }
2190 if (s)
2191 return ssl_security(s, op, secbits, 0, x);
2192 else
2193 return ssl_ctx_security(ctx, op, secbits, 0, x);
2194 }
2195
2196 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2197 {
2198 /* Lookup signature algorithm digest */
2199 int secbits = -1, md_nid = NID_undef, sig_nid;
2200 /* Don't check signature if self signed */
2201 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
2202 return 1;
2203 sig_nid = X509_get_signature_nid(x);
2204 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
2205 const EVP_MD *md;
2206 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
2207 secbits = EVP_MD_size(md) * 4;
2208 }
2209 if (s)
2210 return ssl_security(s, op, secbits, md_nid, x);
2211 else
2212 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
2213 }
2214
2215 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
2216 {
2217 if (vfy)
2218 vfy = SSL_SECOP_PEER;
2219 if (is_ee) {
2220 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
2221 return SSL_R_EE_KEY_TOO_SMALL;
2222 } else {
2223 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
2224 return SSL_R_CA_KEY_TOO_SMALL;
2225 }
2226 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
2227 return SSL_R_CA_MD_TOO_WEAK;
2228 return 1;
2229 }
2230
2231 /*
2232 * Check security of a chain, if sk includes the end entity certificate then
2233 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
2234 * one to the peer. Return values: 1 if ok otherwise error code to use
2235 */
2236
2237 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
2238 {
2239 int rv, start_idx, i;
2240 if (x == NULL) {
2241 x = sk_X509_value(sk, 0);
2242 start_idx = 1;
2243 } else
2244 start_idx = 0;
2245
2246 rv = ssl_security_cert(s, NULL, x, vfy, 1);
2247 if (rv != 1)
2248 return rv;
2249
2250 for (i = start_idx; i < sk_X509_num(sk); i++) {
2251 x = sk_X509_value(sk, i);
2252 rv = ssl_security_cert(s, NULL, x, vfy, 0);
2253 if (rv != 1)
2254 return rv;
2255 }
2256 return 1;
2257 }
A mirror of the official openssl repository