2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/objects.h>
14 #include <openssl/evp.h>
15 #include <openssl/hmac.h>
16 #include <openssl/core_names.h>
17 #include <openssl/ocsp.h>
18 #include <openssl/conf.h>
19 #include <openssl/x509v3.h>
20 #include <openssl/dh.h>
21 #include <openssl/bn.h>
22 #include <openssl/provider.h>
23 #include <openssl/param_build.h>
24 #include "internal/nelem.h"
25 #include "internal/sizes.h"
26 #include "internal/tlsgroups.h"
27 #include "internal/ssl_unwrap.h"
28 #include "ssl_local.h"
29 #include "quic/quic_local.h"
30 #include <openssl/ct.h>
32 static const SIGALG_LOOKUP
*find_sig_alg(SSL_CONNECTION
*s
, X509
*x
, EVP_PKEY
*pkey
);
33 static int tls12_sigalg_allowed(const SSL_CONNECTION
*s
, int op
, const SIGALG_LOOKUP
*lu
);
35 SSL3_ENC_METHOD
const TLSv1_enc_data
= {
37 tls1_generate_master_secret
,
38 tls1_change_cipher_state
,
39 tls1_final_finish_mac
,
40 TLS_MD_CLIENT_FINISH_CONST
, TLS_MD_CLIENT_FINISH_CONST_SIZE
,
41 TLS_MD_SERVER_FINISH_CONST
, TLS_MD_SERVER_FINISH_CONST_SIZE
,
43 tls1_export_keying_material
,
45 ssl3_set_handshake_header
,
46 tls_close_construct_packet
,
50 SSL3_ENC_METHOD
const TLSv1_1_enc_data
= {
52 tls1_generate_master_secret
,
53 tls1_change_cipher_state
,
54 tls1_final_finish_mac
,
55 TLS_MD_CLIENT_FINISH_CONST
, TLS_MD_CLIENT_FINISH_CONST_SIZE
,
56 TLS_MD_SERVER_FINISH_CONST
, TLS_MD_SERVER_FINISH_CONST_SIZE
,
58 tls1_export_keying_material
,
60 ssl3_set_handshake_header
,
61 tls_close_construct_packet
,
65 SSL3_ENC_METHOD
const TLSv1_2_enc_data
= {
67 tls1_generate_master_secret
,
68 tls1_change_cipher_state
,
69 tls1_final_finish_mac
,
70 TLS_MD_CLIENT_FINISH_CONST
, TLS_MD_CLIENT_FINISH_CONST_SIZE
,
71 TLS_MD_SERVER_FINISH_CONST
, TLS_MD_SERVER_FINISH_CONST_SIZE
,
73 tls1_export_keying_material
,
74 SSL_ENC_FLAG_SIGALGS
| SSL_ENC_FLAG_SHA256_PRF
75 | SSL_ENC_FLAG_TLS1_2_CIPHERS
,
76 ssl3_set_handshake_header
,
77 tls_close_construct_packet
,
81 SSL3_ENC_METHOD
const TLSv1_3_enc_data
= {
82 tls13_setup_key_block
,
83 tls13_generate_master_secret
,
84 tls13_change_cipher_state
,
85 tls13_final_finish_mac
,
86 TLS_MD_CLIENT_FINISH_CONST
, TLS_MD_CLIENT_FINISH_CONST_SIZE
,
87 TLS_MD_SERVER_FINISH_CONST
, TLS_MD_SERVER_FINISH_CONST_SIZE
,
89 tls13_export_keying_material
,
90 SSL_ENC_FLAG_SIGALGS
| SSL_ENC_FLAG_SHA256_PRF
,
91 ssl3_set_handshake_header
,
92 tls_close_construct_packet
,
96 OSSL_TIME
tls1_default_timeout(void)
99 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
100 * http, the cache would over fill
102 return ossl_seconds2time(60 * 60 * 2);
109 if (!s
->method
->ssl_clear(s
))
115 void tls1_free(SSL
*s
)
117 SSL_CONNECTION
*sc
= SSL_CONNECTION_FROM_SSL(s
);
122 OPENSSL_free(sc
->ext
.session_ticket
);
126 int tls1_clear(SSL
*s
)
128 SSL_CONNECTION
*sc
= SSL_CONNECTION_FROM_SSL(s
);
136 if (s
->method
->version
== TLS_ANY_VERSION
)
137 sc
->version
= TLS_MAX_VERSION_INTERNAL
;
139 sc
->version
= s
->method
->version
;
144 /* Legacy NID to group_id mapping. Only works for groups we know about */
145 static const struct {
149 {NID_sect163k1
, OSSL_TLS_GROUP_ID_sect163k1
},
150 {NID_sect163r1
, OSSL_TLS_GROUP_ID_sect163r1
},
151 {NID_sect163r2
, OSSL_TLS_GROUP_ID_sect163r2
},
152 {NID_sect193r1
, OSSL_TLS_GROUP_ID_sect193r1
},
153 {NID_sect193r2
, OSSL_TLS_GROUP_ID_sect193r2
},
154 {NID_sect233k1
, OSSL_TLS_GROUP_ID_sect233k1
},
155 {NID_sect233r1
, OSSL_TLS_GROUP_ID_sect233r1
},
156 {NID_sect239k1
, OSSL_TLS_GROUP_ID_sect239k1
},
157 {NID_sect283k1
, OSSL_TLS_GROUP_ID_sect283k1
},
158 {NID_sect283r1
, OSSL_TLS_GROUP_ID_sect283r1
},
159 {NID_sect409k1
, OSSL_TLS_GROUP_ID_sect409k1
},
160 {NID_sect409r1
, OSSL_TLS_GROUP_ID_sect409r1
},
161 {NID_sect571k1
, OSSL_TLS_GROUP_ID_sect571k1
},
162 {NID_sect571r1
, OSSL_TLS_GROUP_ID_sect571r1
},
163 {NID_secp160k1
, OSSL_TLS_GROUP_ID_secp160k1
},
164 {NID_secp160r1
, OSSL_TLS_GROUP_ID_secp160r1
},
165 {NID_secp160r2
, OSSL_TLS_GROUP_ID_secp160r2
},
166 {NID_secp192k1
, OSSL_TLS_GROUP_ID_secp192k1
},
167 {NID_X9_62_prime192v1
, OSSL_TLS_GROUP_ID_secp192r1
},
168 {NID_secp224k1
, OSSL_TLS_GROUP_ID_secp224k1
},
169 {NID_secp224r1
, OSSL_TLS_GROUP_ID_secp224r1
},
170 {NID_secp256k1
, OSSL_TLS_GROUP_ID_secp256k1
},
171 {NID_X9_62_prime256v1
, OSSL_TLS_GROUP_ID_secp256r1
},
172 {NID_secp384r1
, OSSL_TLS_GROUP_ID_secp384r1
},
173 {NID_secp521r1
, OSSL_TLS_GROUP_ID_secp521r1
},
174 {NID_brainpoolP256r1
, OSSL_TLS_GROUP_ID_brainpoolP256r1
},
175 {NID_brainpoolP384r1
, OSSL_TLS_GROUP_ID_brainpoolP384r1
},
176 {NID_brainpoolP512r1
, OSSL_TLS_GROUP_ID_brainpoolP512r1
},
177 {EVP_PKEY_X25519
, OSSL_TLS_GROUP_ID_x25519
},
178 {EVP_PKEY_X448
, OSSL_TLS_GROUP_ID_x448
},
179 {NID_brainpoolP256r1tls13
, OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13
},
180 {NID_brainpoolP384r1tls13
, OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13
},
181 {NID_brainpoolP512r1tls13
, OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13
},
182 {NID_id_tc26_gost_3410_2012_256_paramSetA
, OSSL_TLS_GROUP_ID_gc256A
},
183 {NID_id_tc26_gost_3410_2012_256_paramSetB
, OSSL_TLS_GROUP_ID_gc256B
},
184 {NID_id_tc26_gost_3410_2012_256_paramSetC
, OSSL_TLS_GROUP_ID_gc256C
},
185 {NID_id_tc26_gost_3410_2012_256_paramSetD
, OSSL_TLS_GROUP_ID_gc256D
},
186 {NID_id_tc26_gost_3410_2012_512_paramSetA
, OSSL_TLS_GROUP_ID_gc512A
},
187 {NID_id_tc26_gost_3410_2012_512_paramSetB
, OSSL_TLS_GROUP_ID_gc512B
},
188 {NID_id_tc26_gost_3410_2012_512_paramSetC
, OSSL_TLS_GROUP_ID_gc512C
},
189 {NID_ffdhe2048
, OSSL_TLS_GROUP_ID_ffdhe2048
},
190 {NID_ffdhe3072
, OSSL_TLS_GROUP_ID_ffdhe3072
},
191 {NID_ffdhe4096
, OSSL_TLS_GROUP_ID_ffdhe4096
},
192 {NID_ffdhe6144
, OSSL_TLS_GROUP_ID_ffdhe6144
},
193 {NID_ffdhe8192
, OSSL_TLS_GROUP_ID_ffdhe8192
}
196 static const unsigned char ecformats_default
[] = {
197 TLSEXT_ECPOINTFORMAT_uncompressed
200 static const unsigned char ecformats_all
[] = {
201 TLSEXT_ECPOINTFORMAT_uncompressed
,
202 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
,
203 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
206 /* Group list string of the built-in pseudo group DEFAULT */
207 #define DEFAULT_GROUP_NAME "DEFAULT"
208 #define TLS_DEFAULT_GROUP_LIST \
209 "?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072"
211 static const uint16_t suiteb_curves
[] = {
212 OSSL_TLS_GROUP_ID_secp256r1
,
213 OSSL_TLS_GROUP_ID_secp384r1
,
216 /* Group list string of the built-in pseudo group DEFAULT_SUITE_B */
217 #define SUITE_B_GROUP_NAME "DEFAULT_SUITE_B"
218 #define SUITE_B_GROUP_LIST "secp256r1:secp384r1",
220 struct provider_ctx_data_st
{
222 OSSL_PROVIDER
*provider
;
225 #define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10
226 static OSSL_CALLBACK add_provider_groups
;
227 static int add_provider_groups(const OSSL_PARAM params
[], void *data
)
229 struct provider_ctx_data_st
*pgd
= data
;
230 SSL_CTX
*ctx
= pgd
->ctx
;
232 TLS_GROUP_INFO
*ginf
= NULL
;
233 EVP_KEYMGMT
*keymgmt
;
235 unsigned int is_kem
= 0;
238 if (ctx
->group_list_max_len
== ctx
->group_list_len
) {
239 TLS_GROUP_INFO
*tmp
= NULL
;
241 if (ctx
->group_list_max_len
== 0)
242 tmp
= OPENSSL_malloc(sizeof(TLS_GROUP_INFO
)
243 * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE
);
245 tmp
= OPENSSL_realloc(ctx
->group_list
,
246 (ctx
->group_list_max_len
247 + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE
)
248 * sizeof(TLS_GROUP_INFO
));
251 ctx
->group_list
= tmp
;
252 memset(tmp
+ ctx
->group_list_max_len
,
254 sizeof(TLS_GROUP_INFO
) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE
);
255 ctx
->group_list_max_len
+= TLS_GROUP_LIST_MALLOC_BLOCK_SIZE
;
258 ginf
= &ctx
->group_list
[ctx
->group_list_len
];
260 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_GROUP_NAME
);
261 if (p
== NULL
|| p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
262 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
265 ginf
->tlsname
= OPENSSL_strdup(p
->data
);
266 if (ginf
->tlsname
== NULL
)
269 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL
);
270 if (p
== NULL
|| p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
271 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
274 ginf
->realname
= OPENSSL_strdup(p
->data
);
275 if (ginf
->realname
== NULL
)
278 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_GROUP_ID
);
279 if (p
== NULL
|| !OSSL_PARAM_get_uint(p
, &gid
) || gid
> UINT16_MAX
) {
280 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
283 ginf
->group_id
= (uint16_t)gid
;
285 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_GROUP_ALG
);
286 if (p
== NULL
|| p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
287 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
290 ginf
->algorithm
= OPENSSL_strdup(p
->data
);
291 if (ginf
->algorithm
== NULL
)
294 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS
);
295 if (p
== NULL
|| !OSSL_PARAM_get_uint(p
, &ginf
->secbits
)) {
296 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
300 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_GROUP_IS_KEM
);
301 if (p
!= NULL
&& (!OSSL_PARAM_get_uint(p
, &is_kem
) || is_kem
> 1)) {
302 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
305 ginf
->is_kem
= 1 & is_kem
;
307 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS
);
308 if (p
== NULL
|| !OSSL_PARAM_get_int(p
, &ginf
->mintls
)) {
309 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
313 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS
);
314 if (p
== NULL
|| !OSSL_PARAM_get_int(p
, &ginf
->maxtls
)) {
315 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
319 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS
);
320 if (p
== NULL
|| !OSSL_PARAM_get_int(p
, &ginf
->mindtls
)) {
321 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
325 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS
);
326 if (p
== NULL
|| !OSSL_PARAM_get_int(p
, &ginf
->maxdtls
)) {
327 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
331 * Now check that the algorithm is actually usable for our property query
332 * string. Regardless of the result we still return success because we have
333 * successfully processed this group, even though we may decide not to use
338 keymgmt
= EVP_KEYMGMT_fetch(ctx
->libctx
, ginf
->algorithm
, ctx
->propq
);
339 if (keymgmt
!= NULL
) {
340 /* We have successfully fetched the algorithm, we can use the group. */
341 ctx
->group_list_len
++;
343 EVP_KEYMGMT_free(keymgmt
);
348 OPENSSL_free(ginf
->tlsname
);
349 OPENSSL_free(ginf
->realname
);
350 OPENSSL_free(ginf
->algorithm
);
351 ginf
->algorithm
= ginf
->tlsname
= ginf
->realname
= NULL
;
356 static int discover_provider_groups(OSSL_PROVIDER
*provider
, void *vctx
)
358 struct provider_ctx_data_st pgd
;
361 pgd
.provider
= provider
;
362 return OSSL_PROVIDER_get_capabilities(provider
, "TLS-GROUP",
363 add_provider_groups
, &pgd
);
366 int ssl_load_groups(SSL_CTX
*ctx
)
368 if (!OSSL_PROVIDER_do_all(ctx
->libctx
, discover_provider_groups
, ctx
))
371 return SSL_CTX_set1_groups_list(ctx
, TLS_DEFAULT_GROUP_LIST
);
374 #define TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE 10
375 static OSSL_CALLBACK add_provider_sigalgs
;
376 static int add_provider_sigalgs(const OSSL_PARAM params
[], void *data
)
378 struct provider_ctx_data_st
*pgd
= data
;
379 SSL_CTX
*ctx
= pgd
->ctx
;
380 OSSL_PROVIDER
*provider
= pgd
->provider
;
382 TLS_SIGALG_INFO
*sinf
= NULL
;
383 EVP_KEYMGMT
*keymgmt
;
385 unsigned int code_point
= 0;
388 if (ctx
->sigalg_list_max_len
== ctx
->sigalg_list_len
) {
389 TLS_SIGALG_INFO
*tmp
= NULL
;
391 if (ctx
->sigalg_list_max_len
== 0)
392 tmp
= OPENSSL_malloc(sizeof(TLS_SIGALG_INFO
)
393 * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE
);
395 tmp
= OPENSSL_realloc(ctx
->sigalg_list
,
396 (ctx
->sigalg_list_max_len
397 + TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE
)
398 * sizeof(TLS_SIGALG_INFO
));
401 ctx
->sigalg_list
= tmp
;
402 memset(tmp
+ ctx
->sigalg_list_max_len
, 0,
403 sizeof(TLS_SIGALG_INFO
) * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE
);
404 ctx
->sigalg_list_max_len
+= TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE
;
407 sinf
= &ctx
->sigalg_list
[ctx
->sigalg_list_len
];
409 /* First, mandatory parameters */
410 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_NAME
);
411 if (p
== NULL
|| p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
412 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
415 OPENSSL_free(sinf
->sigalg_name
);
416 sinf
->sigalg_name
= OPENSSL_strdup(p
->data
);
417 if (sinf
->sigalg_name
== NULL
)
420 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME
);
421 if (p
== NULL
|| p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
422 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
425 OPENSSL_free(sinf
->name
);
426 sinf
->name
= OPENSSL_strdup(p
->data
);
427 if (sinf
->name
== NULL
)
430 p
= OSSL_PARAM_locate_const(params
,
431 OSSL_CAPABILITY_TLS_SIGALG_CODE_POINT
);
433 || !OSSL_PARAM_get_uint(p
, &code_point
)
434 || code_point
> UINT16_MAX
) {
435 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
438 sinf
->code_point
= (uint16_t)code_point
;
440 p
= OSSL_PARAM_locate_const(params
,
441 OSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS
);
442 if (p
== NULL
|| !OSSL_PARAM_get_uint(p
, &sinf
->secbits
)) {
443 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
447 /* Now, optional parameters */
448 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_OID
);
450 sinf
->sigalg_oid
= NULL
;
451 } else if (p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
454 OPENSSL_free(sinf
->sigalg_oid
);
455 sinf
->sigalg_oid
= OPENSSL_strdup(p
->data
);
456 if (sinf
->sigalg_oid
== NULL
)
460 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_SIG_NAME
);
462 sinf
->sig_name
= NULL
;
463 } else if (p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
466 OPENSSL_free(sinf
->sig_name
);
467 sinf
->sig_name
= OPENSSL_strdup(p
->data
);
468 if (sinf
->sig_name
== NULL
)
472 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_SIG_OID
);
474 sinf
->sig_oid
= NULL
;
475 } else if (p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
478 OPENSSL_free(sinf
->sig_oid
);
479 sinf
->sig_oid
= OPENSSL_strdup(p
->data
);
480 if (sinf
->sig_oid
== NULL
)
484 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_HASH_NAME
);
486 sinf
->hash_name
= NULL
;
487 } else if (p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
490 OPENSSL_free(sinf
->hash_name
);
491 sinf
->hash_name
= OPENSSL_strdup(p
->data
);
492 if (sinf
->hash_name
== NULL
)
496 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_HASH_OID
);
498 sinf
->hash_oid
= NULL
;
499 } else if (p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
502 OPENSSL_free(sinf
->hash_oid
);
503 sinf
->hash_oid
= OPENSSL_strdup(p
->data
);
504 if (sinf
->hash_oid
== NULL
)
508 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE
);
510 sinf
->keytype
= NULL
;
511 } else if (p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
514 OPENSSL_free(sinf
->keytype
);
515 sinf
->keytype
= OPENSSL_strdup(p
->data
);
516 if (sinf
->keytype
== NULL
)
520 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID
);
522 sinf
->keytype_oid
= NULL
;
523 } else if (p
->data_type
!= OSSL_PARAM_UTF8_STRING
) {
526 OPENSSL_free(sinf
->keytype_oid
);
527 sinf
->keytype_oid
= OPENSSL_strdup(p
->data
);
528 if (sinf
->keytype_oid
== NULL
)
532 /* Optional, not documented prior to 3.5 */
533 sinf
->mindtls
= sinf
->maxdtls
= -1;
534 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS
);
535 if (p
!= NULL
&& !OSSL_PARAM_get_int(p
, &sinf
->mindtls
)) {
536 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
539 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS
);
540 if (p
!= NULL
&& !OSSL_PARAM_get_int(p
, &sinf
->maxdtls
)) {
541 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
544 /* DTLS version numbers grow downward */
545 if ((sinf
->maxdtls
!= 0) && (sinf
->maxdtls
!= -1) &&
546 ((sinf
->maxdtls
> sinf
->mindtls
))) {
547 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
550 /* No provider sigalgs are supported in DTLS, reset after checking. */
551 sinf
->mindtls
= sinf
->maxdtls
= -1;
553 /* The remaining parameters below are mandatory again */
554 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_MIN_TLS
);
555 if (p
== NULL
|| !OSSL_PARAM_get_int(p
, &sinf
->mintls
)) {
556 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
559 p
= OSSL_PARAM_locate_const(params
, OSSL_CAPABILITY_TLS_SIGALG_MAX_TLS
);
560 if (p
== NULL
|| !OSSL_PARAM_get_int(p
, &sinf
->maxtls
)) {
561 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
564 if ((sinf
->maxtls
!= 0) && (sinf
->maxtls
!= -1) &&
565 ((sinf
->maxtls
< sinf
->mintls
))) {
566 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
569 if ((sinf
->mintls
!= 0) && (sinf
->mintls
!= -1) &&
570 ((sinf
->mintls
> TLS1_3_VERSION
)))
571 sinf
->mintls
= sinf
->maxtls
= -1;
572 if ((sinf
->maxtls
!= 0) && (sinf
->maxtls
!= -1) &&
573 ((sinf
->maxtls
< TLS1_3_VERSION
)))
574 sinf
->mintls
= sinf
->maxtls
= -1;
576 /* Ignore unusable sigalgs */
577 if (sinf
->mintls
== -1 && sinf
->mindtls
== -1) {
583 * Now check that the algorithm is actually usable for our property query
584 * string. Regardless of the result we still return success because we have
585 * successfully processed this signature, even though we may decide not to
590 keytype
= (sinf
->keytype
!= NULL
592 : (sinf
->sig_name
!= NULL
594 : sinf
->sigalg_name
));
595 keymgmt
= EVP_KEYMGMT_fetch(ctx
->libctx
, keytype
, ctx
->propq
);
596 if (keymgmt
!= NULL
) {
598 * We have successfully fetched the algorithm - however if the provider
599 * doesn't match this one then we ignore it.
601 * Note: We're cheating a little here. Technically if the same algorithm
602 * is available from more than one provider then it is undefined which
603 * implementation you will get back. Theoretically this could be
604 * different every time...we assume here that you'll always get the
605 * same one back if you repeat the exact same fetch. Is this a reasonable
606 * assumption to make (in which case perhaps we should document this
609 if (EVP_KEYMGMT_get0_provider(keymgmt
) == provider
) {
611 * We have a match - so we could use this signature;
612 * Check proper object registration first, though.
613 * Don't care about return value as this may have been
614 * done within providers or previous calls to
615 * add_provider_sigalgs.
617 OBJ_create(sinf
->sigalg_oid
, sinf
->sigalg_name
, NULL
);
618 /* sanity check: Without successful registration don't use alg */
619 if ((OBJ_txt2nid(sinf
->sigalg_name
) == NID_undef
) ||
620 (OBJ_nid2obj(OBJ_txt2nid(sinf
->sigalg_name
)) == NULL
)) {
621 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
624 if (sinf
->sig_name
!= NULL
)
625 OBJ_create(sinf
->sig_oid
, sinf
->sig_name
, NULL
);
626 if (sinf
->keytype
!= NULL
)
627 OBJ_create(sinf
->keytype_oid
, sinf
->keytype
, NULL
);
628 if (sinf
->hash_name
!= NULL
)
629 OBJ_create(sinf
->hash_oid
, sinf
->hash_name
, NULL
);
630 OBJ_add_sigid(OBJ_txt2nid(sinf
->sigalg_name
),
631 (sinf
->hash_name
!= NULL
632 ? OBJ_txt2nid(sinf
->hash_name
)
634 OBJ_txt2nid(keytype
));
635 ctx
->sigalg_list_len
++;
638 EVP_KEYMGMT_free(keymgmt
);
643 OPENSSL_free(sinf
->name
);
645 OPENSSL_free(sinf
->sigalg_name
);
646 sinf
->sigalg_name
= NULL
;
647 OPENSSL_free(sinf
->sigalg_oid
);
648 sinf
->sigalg_oid
= NULL
;
649 OPENSSL_free(sinf
->sig_name
);
650 sinf
->sig_name
= NULL
;
651 OPENSSL_free(sinf
->sig_oid
);
652 sinf
->sig_oid
= NULL
;
653 OPENSSL_free(sinf
->hash_name
);
654 sinf
->hash_name
= NULL
;
655 OPENSSL_free(sinf
->hash_oid
);
656 sinf
->hash_oid
= NULL
;
657 OPENSSL_free(sinf
->keytype
);
658 sinf
->keytype
= NULL
;
659 OPENSSL_free(sinf
->keytype_oid
);
660 sinf
->keytype_oid
= NULL
;
665 static int discover_provider_sigalgs(OSSL_PROVIDER
*provider
, void *vctx
)
667 struct provider_ctx_data_st pgd
;
670 pgd
.provider
= provider
;
671 OSSL_PROVIDER_get_capabilities(provider
, "TLS-SIGALG",
672 add_provider_sigalgs
, &pgd
);
674 * Always OK, even if provider doesn't support the capability:
675 * Reconsider testing retval when legacy sigalgs are also loaded this way.
680 int ssl_load_sigalgs(SSL_CTX
*ctx
)
685 if (!OSSL_PROVIDER_do_all(ctx
->libctx
, discover_provider_sigalgs
, ctx
))
688 /* now populate ctx->ssl_cert_info */
689 if (ctx
->sigalg_list_len
> 0) {
690 OPENSSL_free(ctx
->ssl_cert_info
);
691 ctx
->ssl_cert_info
= OPENSSL_zalloc(sizeof(lu
) * ctx
->sigalg_list_len
);
692 if (ctx
->ssl_cert_info
== NULL
)
694 for(i
= 0; i
< ctx
->sigalg_list_len
; i
++) {
695 ctx
->ssl_cert_info
[i
].nid
= OBJ_txt2nid(ctx
->sigalg_list
[i
].sigalg_name
);
696 ctx
->ssl_cert_info
[i
].amask
= SSL_aANY
;
701 * For now, leave it at this: legacy sigalgs stay in their own
702 * data structures until "legacy cleanup" occurs.
708 static uint16_t tls1_group_name2id(SSL_CTX
*ctx
, const char *name
)
712 for (i
= 0; i
< ctx
->group_list_len
; i
++) {
713 if (OPENSSL_strcasecmp(ctx
->group_list
[i
].tlsname
, name
) == 0
714 || OPENSSL_strcasecmp(ctx
->group_list
[i
].realname
, name
) == 0)
715 return ctx
->group_list
[i
].group_id
;
721 const TLS_GROUP_INFO
*tls1_group_id_lookup(SSL_CTX
*ctx
, uint16_t group_id
)
725 for (i
= 0; i
< ctx
->group_list_len
; i
++) {
726 if (ctx
->group_list
[i
].group_id
== group_id
)
727 return &ctx
->group_list
[i
];
733 const char *tls1_group_id2name(SSL_CTX
*ctx
, uint16_t group_id
)
735 const TLS_GROUP_INFO
*tls_group_info
= tls1_group_id_lookup(ctx
, group_id
);
737 if (tls_group_info
== NULL
)
740 return tls_group_info
->tlsname
;
743 int tls1_group_id2nid(uint16_t group_id
, int include_unknown
)
751 * Return well known Group NIDs - for backwards compatibility. This won't
752 * work for groups we don't know about.
754 for (i
= 0; i
< OSSL_NELEM(nid_to_group
); i
++)
756 if (nid_to_group
[i
].group_id
== group_id
)
757 return nid_to_group
[i
].nid
;
759 if (!include_unknown
)
761 return TLSEXT_nid_unknown
| (int)group_id
;
764 uint16_t tls1_nid2group_id(int nid
)
769 * Return well known Group ids - for backwards compatibility. This won't
770 * work for groups we don't know about.
772 for (i
= 0; i
< OSSL_NELEM(nid_to_group
); i
++)
774 if (nid_to_group
[i
].nid
== nid
)
775 return nid_to_group
[i
].group_id
;
782 * Set *pgroups to the supported groups list and *pgroupslen to
783 * the number of groups supported.
785 void tls1_get_supported_groups(SSL_CONNECTION
*s
, const uint16_t **pgroups
,
788 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
790 /* For Suite B mode only include P-256, P-384 */
791 switch (tls1_suiteb(s
)) {
792 case SSL_CERT_FLAG_SUITEB_128_LOS
:
793 *pgroups
= suiteb_curves
;
794 *pgroupslen
= OSSL_NELEM(suiteb_curves
);
797 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY
:
798 *pgroups
= suiteb_curves
;
802 case SSL_CERT_FLAG_SUITEB_192_LOS
:
803 *pgroups
= suiteb_curves
+ 1;
808 if (s
->ext
.supportedgroups
== NULL
) {
809 *pgroups
= sctx
->ext
.supportedgroups
;
810 *pgroupslen
= sctx
->ext
.supportedgroups_len
;
812 *pgroups
= s
->ext
.supportedgroups
;
813 *pgroupslen
= s
->ext
.supportedgroups_len
;
820 * Some comments for the function below:
821 * s->ext.supportedgroups == NULL means legacy syntax (no [*,/,-]) from built-in group array.
822 * In this case, we need to send exactly one key share, which MUST be the first (leftmost)
823 * eligible group from the legacy list. Therefore, we provide the entire list of supported
824 * groups in this case.
826 * A 'flag' to indicate legacy syntax is created by setting the number of key shares to 1,
827 * but the groupID to 0.
828 * The 'flag' is checked right at the beginning in tls_construct_ctos_key_share and either
829 * the "list of requested key share groups" is used, or the "list of supported groups" in
830 * combination with setting add_only_one = 1 is applied.
832 void tls1_get_requested_keyshare_groups(SSL_CONNECTION
*s
, const uint16_t **pgroups
,
835 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
837 if (s
->ext
.supportedgroups
== NULL
) {
838 *pgroups
= sctx
->ext
.supportedgroups
;
839 *pgroupslen
= sctx
->ext
.supportedgroups_len
;
841 *pgroups
= s
->ext
.keyshares
;
842 *pgroupslen
= s
->ext
.keyshares_len
;
846 void tls1_get_group_tuples(SSL_CONNECTION
*s
, const size_t **ptuples
,
849 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
851 if (s
->ext
.supportedgroups
== NULL
) {
852 *ptuples
= sctx
->ext
.tuples
;
853 *ptupleslen
= sctx
->ext
.tuples_len
;
855 *ptuples
= s
->ext
.tuples
;
856 *ptupleslen
= s
->ext
.tuples_len
;
860 int tls_valid_group(SSL_CONNECTION
*s
, uint16_t group_id
,
861 int minversion
, int maxversion
,
862 int isec
, int *okfortls13
)
864 const TLS_GROUP_INFO
*ginfo
= tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s
),
867 int group_minversion
, group_maxversion
;
869 if (okfortls13
!= NULL
)
875 group_minversion
= SSL_CONNECTION_IS_DTLS(s
) ? ginfo
->mindtls
: ginfo
->mintls
;
876 group_maxversion
= SSL_CONNECTION_IS_DTLS(s
) ? ginfo
->maxdtls
: ginfo
->maxtls
;
878 if (group_minversion
< 0 || group_maxversion
< 0)
880 if (group_maxversion
== 0)
883 ret
= (ssl_version_cmp(s
, minversion
, group_maxversion
) <= 0);
884 if (group_minversion
> 0)
885 ret
&= (ssl_version_cmp(s
, maxversion
, group_minversion
) >= 0);
887 if (!SSL_CONNECTION_IS_DTLS(s
)) {
888 if (ret
&& okfortls13
!= NULL
&& maxversion
== TLS1_3_VERSION
)
889 *okfortls13
= (group_maxversion
== 0)
890 || (group_maxversion
>= TLS1_3_VERSION
);
893 || strcmp(ginfo
->algorithm
, "EC") == 0
894 || strcmp(ginfo
->algorithm
, "X25519") == 0
895 || strcmp(ginfo
->algorithm
, "X448") == 0;
900 /* See if group is allowed by security callback */
901 int tls_group_allowed(SSL_CONNECTION
*s
, uint16_t group
, int op
)
903 const TLS_GROUP_INFO
*ginfo
= tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s
),
905 unsigned char gtmp
[2];
910 gtmp
[0] = group
>> 8;
911 gtmp
[1] = group
& 0xff;
912 return ssl_security(s
, op
, ginfo
->secbits
,
913 tls1_group_id2nid(ginfo
->group_id
, 0), (void *)gtmp
);
916 /* Return 1 if "id" is in "list" */
917 static int tls1_in_list(uint16_t id
, const uint16_t *list
, size_t listlen
)
920 for (i
= 0; i
< listlen
; i
++)
931 DEFINE_STACK_OF(TLS_GROUP_IX
)
933 static void free_wrapper(TLS_GROUP_IX
*a
)
938 static int tls_group_ix_cmp(const TLS_GROUP_IX
*const *a
,
939 const TLS_GROUP_IX
*const *b
)
941 int idcmpab
= (*a
)->grp
->group_id
< (*b
)->grp
->group_id
;
942 int idcmpba
= (*b
)->grp
->group_id
< (*a
)->grp
->group_id
;
943 int ixcmpab
= (*a
)->ix
< (*b
)->ix
;
944 int ixcmpba
= (*b
)->ix
< (*a
)->ix
;
946 /* Ascending by group id */
947 if (idcmpab
!= idcmpba
)
948 return (idcmpba
- idcmpab
);
949 /* Ascending by original appearance index */
950 return ixcmpba
- ixcmpab
;
953 int tls1_get0_implemented_groups(int min_proto_version
, int max_proto_version
,
954 TLS_GROUP_INFO
*grps
, size_t num
, long all
,
955 STACK_OF(OPENSSL_CSTRING
) *out
)
957 STACK_OF(TLS_GROUP_IX
) *collect
= NULL
;
963 if (grps
== NULL
|| out
== NULL
|| num
> INT_MAX
)
965 if ((collect
= sk_TLS_GROUP_IX_new(tls_group_ix_cmp
)) == NULL
)
967 for (ix
= 0; ix
< (int)num
; ++ix
, ++grps
) {
968 if (grps
->mintls
> 0 && max_proto_version
> 0
969 && grps
->mintls
> max_proto_version
)
971 if (grps
->maxtls
> 0 && min_proto_version
> 0
972 && grps
->maxtls
< min_proto_version
)
975 if ((gix
= OPENSSL_malloc(sizeof(*gix
))) == NULL
)
979 if (sk_TLS_GROUP_IX_push(collect
, gix
) <= 0) {
985 sk_TLS_GROUP_IX_sort(collect
);
986 num
= sk_TLS_GROUP_IX_num(collect
);
987 for (ix
= 0; ix
< (int)num
; ++ix
) {
988 gix
= sk_TLS_GROUP_IX_value(collect
, ix
);
989 if (!all
&& gix
->grp
->group_id
== id
)
991 id
= gix
->grp
->group_id
;
992 if (sk_OPENSSL_CSTRING_push(out
, gix
->grp
->tlsname
) <= 0)
998 sk_TLS_GROUP_IX_pop_free(collect
, free_wrapper
);
1003 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
1004 * if there is no match.
1005 * For nmatch == -1, return number of matches
1006 * For nmatch == -2, return the id of the group to use for
1007 * a tmp key, or 0 if there is no match.
1009 uint16_t tls1_shared_group(SSL_CONNECTION
*s
, int nmatch
)
1011 const uint16_t *pref
, *supp
;
1012 size_t num_pref
, num_supp
, i
;
1014 SSL_CTX
*ctx
= SSL_CONNECTION_GET_CTX(s
);
1016 /* Can't do anything on client side */
1020 if (tls1_suiteb(s
)) {
1022 * For Suite B ciphersuite determines curve: we already know
1023 * these are acceptable due to previous checks.
1025 unsigned long cid
= s
->s3
.tmp
.new_cipher
->id
;
1027 if (cid
== TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
)
1028 return OSSL_TLS_GROUP_ID_secp256r1
;
1029 if (cid
== TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
)
1030 return OSSL_TLS_GROUP_ID_secp384r1
;
1031 /* Should never happen */
1034 /* If not Suite B just return first preference shared curve */
1038 * If server preference set, our groups are the preference order
1039 * otherwise peer decides.
1041 if (s
->options
& SSL_OP_CIPHER_SERVER_PREFERENCE
) {
1042 tls1_get_supported_groups(s
, &pref
, &num_pref
);
1043 tls1_get_peer_groups(s
, &supp
, &num_supp
);
1045 tls1_get_peer_groups(s
, &pref
, &num_pref
);
1046 tls1_get_supported_groups(s
, &supp
, &num_supp
);
1049 for (k
= 0, i
= 0; i
< num_pref
; i
++) {
1050 uint16_t id
= pref
[i
];
1051 const TLS_GROUP_INFO
*inf
;
1052 int minversion
, maxversion
;
1054 if (!tls1_in_list(id
, supp
, num_supp
)
1055 || !tls_group_allowed(s
, id
, SSL_SECOP_CURVE_SHARED
))
1057 inf
= tls1_group_id_lookup(ctx
, id
);
1058 if (!ossl_assert(inf
!= NULL
))
1061 minversion
= SSL_CONNECTION_IS_DTLS(s
)
1062 ? inf
->mindtls
: inf
->mintls
;
1063 maxversion
= SSL_CONNECTION_IS_DTLS(s
)
1064 ? inf
->maxdtls
: inf
->maxtls
;
1065 if (maxversion
== -1)
1067 if ((minversion
!= 0 && ssl_version_cmp(s
, s
->version
, minversion
) < 0)
1069 && ssl_version_cmp(s
, s
->version
, maxversion
) > 0))
1078 /* Out of range (nmatch > k). */
1082 int tls1_set_groups(uint16_t **grpext
, size_t *grpextlen
,
1083 uint16_t **ksext
, size_t *ksextlen
,
1084 size_t **tplext
, size_t *tplextlen
,
1085 int *groups
, size_t ngroups
)
1087 uint16_t *glist
= NULL
, *kslist
= NULL
;
1088 size_t *tpllist
= NULL
;
1091 * Bitmap of groups included to detect duplicates: two variables are added
1092 * to detect duplicates as some values are more than 32.
1094 unsigned long *dup_list
= NULL
;
1095 unsigned long dup_list_egrp
= 0;
1096 unsigned long dup_list_dhgrp
= 0;
1099 ERR_raise(ERR_LIB_SSL
, SSL_R_BAD_LENGTH
);
1102 if ((glist
= OPENSSL_malloc(ngroups
* sizeof(*glist
))) == NULL
)
1104 if ((kslist
= OPENSSL_malloc(1 * sizeof(*kslist
))) == NULL
)
1106 if ((tpllist
= OPENSSL_malloc(1 * sizeof(*tpllist
))) == NULL
)
1108 for (i
= 0; i
< ngroups
; i
++) {
1109 unsigned long idmask
;
1111 id
= tls1_nid2group_id(groups
[i
]);
1112 if ((id
& 0x00FF) >= (sizeof(unsigned long) * 8))
1114 idmask
= 1L << (id
& 0x00FF);
1115 dup_list
= (id
< 0x100) ? &dup_list_egrp
: &dup_list_dhgrp
;
1116 if (!id
|| ((*dup_list
) & idmask
))
1118 *dup_list
|= idmask
;
1121 OPENSSL_free(*grpext
);
1122 OPENSSL_free(*ksext
);
1123 OPENSSL_free(*tplext
);
1125 *grpextlen
= ngroups
;
1126 kslist
[0] = glist
[0];
1129 tpllist
[0] = ngroups
;
1134 OPENSSL_free(glist
);
1135 OPENSSL_free(kslist
);
1136 OPENSSL_free(tpllist
);
1141 * Definition of DEFAULT[_XYZ] pseudo group names.
1142 * A pseudo group name is actually a full list of groups, including prefixes
1143 * and or tuple delimiters. It can be hierarchically defined (for potential future use).
1144 * IMPORTANT REMARK: For ease of use, in the built-in lists of groups, unknown groups or
1145 * groups not backed by a provider will always silently be ignored, even without '?' prefix
1148 const char *list_name
; /* The name of this pseudo group */
1149 const char *group_string
; /* The group string of this pseudo group */
1150 } default_group_string_st
; /* (can include '?', '*'. '-', '/' as needed) */
1152 /* Built-in pseudo group-names must start with a (D or d) */
1153 static const char *DEFAULT_GROUPNAME_FIRST_CHARACTER
= "D";
1155 /* The list of all built-in pseudo-group-name structures */
1156 static const default_group_string_st default_group_strings
[] = {
1157 {DEFAULT_GROUP_NAME
, TLS_DEFAULT_GROUP_LIST
},
1158 {SUITE_B_GROUP_NAME
, SUITE_B_GROUP_LIST
}
1162 * Some GOST names are not resolved by tls1_group_name2id,
1163 * hence we'll check for those manually
1166 const char *group_name
;
1169 static const name2id_st name2id_arr
[] = {
1170 {"GC256A", OSSL_TLS_GROUP_ID_gc256A
},
1171 {"GC256B", OSSL_TLS_GROUP_ID_gc256B
},
1172 {"GC256C", OSSL_TLS_GROUP_ID_gc256C
},
1173 {"GC256D", OSSL_TLS_GROUP_ID_gc256D
},
1174 {"GC512A", OSSL_TLS_GROUP_ID_gc512A
},
1175 {"GC512B", OSSL_TLS_GROUP_ID_gc512B
},
1176 {"GC512C", OSSL_TLS_GROUP_ID_gc512C
},
1180 * Group list management:
1181 * We establish three lists along with their related size counters:
1182 * 1) List of (unique) groups
1183 * 2) List of number of groups per group-priority-tuple
1184 * 3) List of (unique) key share groups
1186 #define GROUPLIST_INCREMENT 32 /* Memory allocation chunk size (64 Bytes chunks ~= cache line) */
1187 #define GROUP_NAME_BUFFER_LENGTH 64 /* Max length of a group name */
1190 * Preparation of the prefix used to indicate the desire to send a key share,
1191 * the characters used as separators between groups or tuples of groups, the
1192 * character to indicate that an unknown group should be ignored, and the
1193 * character to indicate that a group should be deleted from a list
1195 #ifndef TUPLE_DELIMITER_CHARACTER
1196 /* The prefix characters to indicate group tuple boundaries */
1197 # define TUPLE_DELIMITER_CHARACTER '/'
1199 #ifndef GROUP_DELIMITER_CHARACTER
1200 /* The prefix characters to indicate group tuple boundaries */
1201 # define GROUP_DELIMITER_CHARACTER ':'
1203 #ifndef IGNORE_UNKNOWN_GROUP_CHARACTER
1204 /* The prefix character to ignore unknown groups */
1205 # define IGNORE_UNKNOWN_GROUP_CHARACTER '?'
1207 #ifndef KEY_SHARE_INDICATOR_CHARACTER
1208 /* The prefix character to trigger a key share addition */
1209 # define KEY_SHARE_INDICATOR_CHARACTER '*'
1211 #ifndef REMOVE_GROUP_INDICATOR_CHARACTER
1212 /* The prefix character to trigger a key share removal */
1213 # define REMOVE_GROUP_INDICATOR_CHARACTER '-'
1215 static const char prefixes
[] = {TUPLE_DELIMITER_CHARACTER
,
1216 GROUP_DELIMITER_CHARACTER
,
1217 IGNORE_UNKNOWN_GROUP_CHARACTER
,
1218 KEY_SHARE_INDICATOR_CHARACTER
,
1219 REMOVE_GROUP_INDICATOR_CHARACTER
,
1223 * High-level description of how group strings are analyzed:
1224 * A first call back function (tuple_cb) is used to process group tuples, and a
1225 * second callback function (gid_cb) is used to process the groups inside a tuple.
1226 * Those callback functions are (indirectly) called by CONF_parse_list with
1227 * different separators (nominally ':' or '/'), a variable based on gid_cb_st
1228 * is used to keep track of the parsing results between the various calls
1233 /* Variables to hold the three lists (groups, requested keyshares, tuple structure) */
1234 size_t gidmax
; /* The memory allocation chunk size for the group IDs */
1235 size_t gidcnt
; /* Number of groups */
1236 uint16_t *gid_arr
; /* The IDs of the supported groups (flat list) */
1237 size_t tplmax
; /* The memory allocation chunk size for the tuple counters */
1238 size_t tplcnt
; /* Number of tuples */
1239 size_t *tuplcnt_arr
; /* The number of groups inside a tuple */
1240 size_t ksidmax
; /* The memory allocation chunk size */
1241 size_t ksidcnt
; /* Number of key shares */
1242 uint16_t *ksid_arr
; /* The IDs of the key share groups (flat list) */
1243 /* Variable to keep state between execution of callback or helper functions */
1244 size_t tuple_mode
; /* Keeps track whether tuple_cb called from 'the top' or from gid_cb */
1245 int ignore_unknown_default
; /* Flag such that unknown groups for DEFAULT[_XYZ] are ignored */
1248 /* Forward declaration of tuple callback function */
1249 static int tuple_cb(const char *tuple
, int len
, void *arg
);
1252 * Extract and process the individual groups (and their prefixes if present)
1253 * present in a tuple. Note: The argument 'elem' is a NON-\0-terminated string
1254 * and must be appended by a \0 if used as \0-terminated string
1256 static int gid_cb(const char *elem
, int len
, void *arg
)
1258 gid_cb_st
*garg
= arg
;
1261 int found_group
= 0;
1262 char etmp
[GROUP_NAME_BUFFER_LENGTH
];
1263 int retval
= 1; /* We assume success */
1264 char *current_prefix
;
1265 int ignore_unknown
= 0;
1266 int add_keyshare
= 0;
1267 int remove_group
= 0;
1268 size_t restored_prefix_index
= 0;
1269 char *restored_default_group_string
;
1270 int continue_while_loop
= 1;
1273 if (garg
== NULL
|| elem
== NULL
|| len
<= 0) {
1274 ERR_raise(ERR_LIB_SSL
, SSL_R_UNSUPPORTED_CONFIG_VALUE
);
1278 /* Check the possible prefixes (remark: Leading and trailing spaces already cleared) */
1279 while (continue_while_loop
&& len
> 0
1280 && ((current_prefix
= strchr(prefixes
, elem
[0])) != NULL
1281 || OPENSSL_strncasecmp(current_prefix
= (char *)DEFAULT_GROUPNAME_FIRST_CHARACTER
, elem
, 1) == 0)) {
1283 switch (*current_prefix
) {
1284 case TUPLE_DELIMITER_CHARACTER
:
1285 /* tuple delimiter not allowed here -> syntax error */
1288 case GROUP_DELIMITER_CHARACTER
:
1289 return -1; /* Not a valid prefix for a single group name-> syntax error */
1291 case KEY_SHARE_INDICATOR_CHARACTER
:
1293 return -1; /* Only single key share prefix allowed -> syntax error */
1298 case REMOVE_GROUP_INDICATOR_CHARACTER
:
1300 return -1; /* Only single remove group prefix allowed -> syntax error */
1305 case IGNORE_UNKNOWN_GROUP_CHARACTER
:
1307 return -1; /* Only single ? allowed -> syntax error */
1314 * Check whether a DEFAULT[_XYZ] 'pseudo group' (= a built-in
1315 * list of groups) should be added
1317 for (i
= 0; i
< OSSL_NELEM(default_group_strings
); i
++) {
1318 if ((size_t)len
== (strlen(default_group_strings
[i
].list_name
))
1319 && OPENSSL_strncasecmp(default_group_strings
[i
].list_name
, elem
, len
) == 0) {
1321 * We're asked to insert an entire list of groups from a
1322 * DEFAULT[_XYZ] 'pseudo group' which we do by
1323 * recursively calling this function (indirectly via
1324 * CONF_parse_list and tuple_cb); essentially, we treat a DEFAULT
1325 * group string like a tuple which is appended to the current tuple
1326 * rather then starting a new tuple. Variable tuple_mode is the flag which
1327 * controls append tuple vs start new tuple.
1330 if (ignore_unknown
|| remove_group
)
1331 return -1; /* removal or ignore not allowed here -> syntax error */
1334 * First, we restore any keyshare prefix in a new zero-terminated string
1335 * (if not already present)
1337 restored_default_group_string
= OPENSSL_malloc((1 /* max prefix length */ +
1338 strlen(default_group_strings
[i
].group_string
) +
1339 1 /* \0 */) * sizeof(char));
1340 if (restored_default_group_string
== NULL
)
1343 /* Remark: we tolerate a duplicated keyshare indicator here */
1344 && default_group_strings
[i
].group_string
[0]
1345 != KEY_SHARE_INDICATOR_CHARACTER
)
1346 restored_default_group_string
[restored_prefix_index
++] =
1347 KEY_SHARE_INDICATOR_CHARACTER
;
1349 memcpy(restored_default_group_string
+ restored_prefix_index
,
1350 default_group_strings
[i
].group_string
,
1351 strlen(default_group_strings
[i
].group_string
));
1352 restored_default_group_string
[strlen(default_group_strings
[i
].group_string
) +
1353 restored_prefix_index
] = '\0';
1354 /* We execute the recursive call */
1355 garg
->ignore_unknown_default
= 1; /* We ignore unknown groups for DEFAULT_XYZ */
1356 /* we enforce group mode (= append tuple) for DEFAULT_XYZ group lists */
1357 garg
->tuple_mode
= 0;
1358 /* We use the tuple_cb callback to process the pseudo group tuple */
1359 retval
= CONF_parse_list(restored_default_group_string
,
1360 TUPLE_DELIMITER_CHARACTER
, 1, tuple_cb
, garg
);
1361 garg
->tuple_mode
= 1; /* next call to tuple_cb will again start new tuple */
1362 garg
->ignore_unknown_default
= 0; /* reset to original value */
1363 /* We don't need the \0-terminated string anymore */
1364 OPENSSL_free(restored_default_group_string
);
1370 * If we reached this point, a group name started with a 'd' or 'D', but no request
1371 * for a DEFAULT[_XYZ] 'pseudo group' was detected, hence processing of the group
1372 * name can continue as usual (= the while loop checking prefixes can end)
1374 continue_while_loop
= 0;
1380 return -1; /* Seems we have prefxes without a group name -> syntax error */
1382 if (garg
->ignore_unknown_default
== 1) /* Always ignore unknown groups for DEFAULT[_XYZ] */
1385 /* Memory management in case more groups are present compared to initial allocation */
1386 if (garg
->gidcnt
== garg
->gidmax
) {
1388 OPENSSL_realloc(garg
->gid_arr
,
1389 (garg
->gidmax
+ GROUPLIST_INCREMENT
) * sizeof(*garg
->gid_arr
));
1394 garg
->gidmax
+= GROUPLIST_INCREMENT
;
1395 garg
->gid_arr
= tmp
;
1397 /* Memory management for key share groups */
1398 if (garg
->ksidcnt
== garg
->ksidmax
) {
1400 OPENSSL_realloc(garg
->ksid_arr
,
1401 (garg
->ksidmax
+ GROUPLIST_INCREMENT
) * sizeof(*garg
->ksid_arr
));
1405 garg
->ksidmax
+= GROUPLIST_INCREMENT
;
1406 garg
->ksid_arr
= tmp
;
1409 if (len
> (int)(sizeof(etmp
) - 1))
1410 return -1; /* group name to long -> syntax error */
1413 * Prepare addition or removal of a single group by converting
1414 * a group name into its groupID equivalent
1417 /* Create a \0-terminated string and get the gid for this group if possible */
1418 memcpy(etmp
, elem
, len
);
1421 /* Get the groupID */
1422 gid
= tls1_group_name2id(garg
->ctx
, etmp
);
1424 * Handle the case where no valid groupID was returned
1425 * e.g. for an unknown group, which we'd ignore (only) if relevant prefix was set
1428 /* Is it one of the GOST groups ? */
1429 for (i
= 0; i
< OSSL_NELEM(name2id_arr
); i
++) {
1430 if (OPENSSL_strcasecmp(etmp
, name2id_arr
[i
].group_name
) == 0) {
1431 gid
= name2id_arr
[i
].groupID
;
1435 if (gid
== 0) { /* still not found */
1436 /* Unknown group - ignore if ignore_unknown; trigger error otherwise */
1437 retval
= ignore_unknown
;
1442 /* Make sure that at least one provider is supporting this groupID */
1444 for (j
= 0; j
< garg
->ctx
->group_list_len
; j
++)
1445 if (garg
->ctx
->group_list
[j
].group_id
== gid
) {
1451 * No provider supports this group - ignore if
1452 * ignore_unknown; trigger error otherwise
1454 if (found_group
== 0) {
1455 retval
= ignore_unknown
;
1458 /* Remove group (and keyshare) from anywhere in the list if present, ignore if not present */
1460 /* Is the current group specified anywhere in the entire list so far? */
1462 for (i
= 0; i
< garg
->gidcnt
; i
++)
1463 if (garg
->gid_arr
[i
] == gid
) {
1467 /* The group to remove is at position i in the list of (zero indexed) groups */
1469 /* We remove that group from its position (which is at i)... */
1470 for (j
= i
; j
< (garg
->gidcnt
- 1); j
++)
1471 garg
->gid_arr
[j
] = garg
->gid_arr
[j
+ 1]; /* ...shift remaining groups left ... */
1472 garg
->gidcnt
--; /* ..and update the book keeping for the number of groups */
1475 * We also must update the number of groups either in a previous tuple (which we
1476 * must identify and check whether it becomes empty due to the deletion) or in
1477 * the current tuple, pending where the deleted group resides
1480 for (j
= 0; j
< garg
->tplcnt
; j
++) {
1481 k
+= garg
->tuplcnt_arr
[j
];
1482 /* Remark: i is zero-indexed, k is one-indexed */
1483 if (k
> i
) { /* remove from one of the previous tuples */
1484 garg
->tuplcnt_arr
[j
]--;
1485 break; /* We took care not to have group duplicates, hence we can stop here */
1488 if (k
<= i
) /* remove from current tuple */
1489 garg
->tuplcnt_arr
[j
]--;
1491 /* We also remove the group from the list of keyshares (if present) */
1493 for (i
= 0; i
< garg
->ksidcnt
; i
++)
1494 if (garg
->ksid_arr
[i
] == gid
) {
1499 /* Found, hence we remove that keyshare from its position (which is at i)... */
1500 for (j
= i
; j
< (garg
->ksidcnt
- 1); j
++)
1501 garg
->ksid_arr
[j
] = garg
->ksid_arr
[j
+ 1]; /* shift remaining key shares */
1502 /* ... and update the book keeping */
1506 } else { /* Processing addition of a single new group */
1508 /* Check for duplicates */
1509 for (i
= 0; i
< garg
->gidcnt
; i
++)
1510 if (garg
->gid_arr
[i
] == gid
) {
1511 /* Duplicate group anywhere in the list of groups - ignore */
1515 /* Add the current group to the 'flat' list of groups */
1516 garg
->gid_arr
[garg
->gidcnt
++] = gid
;
1517 /* and update the book keeping for the number of groups in current tuple */
1518 garg
->tuplcnt_arr
[garg
->tplcnt
]++;
1520 /* We memorize if needed that we want to add a key share for the current group */
1522 garg
->ksid_arr
[garg
->ksidcnt
++] = gid
;
1529 /* Extract and process a tuple of groups */
1530 static int tuple_cb(const char *tuple
, int len
, void *arg
)
1532 gid_cb_st
*garg
= arg
;
1533 int retval
= 1; /* We assume success */
1534 char *restored_tuple_string
;
1537 if (garg
== NULL
|| tuple
== NULL
|| len
<= 0) {
1538 ERR_raise(ERR_LIB_SSL
, SSL_R_UNSUPPORTED_CONFIG_VALUE
);
1542 /* Memory management for tuples */
1543 if (garg
->tplcnt
== garg
->tplmax
) {
1545 OPENSSL_realloc(garg
->tuplcnt_arr
,
1546 (garg
->tplmax
+ GROUPLIST_INCREMENT
) * sizeof(*garg
->tuplcnt_arr
));
1550 garg
->tplmax
+= GROUPLIST_INCREMENT
;
1551 garg
->tuplcnt_arr
= tmp
;
1554 /* Convert to \0-terminated string */
1555 restored_tuple_string
= OPENSSL_malloc((len
+ 1 /* \0 */) * sizeof(char));
1556 if (restored_tuple_string
== NULL
)
1558 memcpy(restored_tuple_string
, tuple
, len
);
1559 restored_tuple_string
[len
] = '\0';
1561 /* Analyze group list of this tuple */
1562 retval
= CONF_parse_list(restored_tuple_string
, GROUP_DELIMITER_CHARACTER
, 1, gid_cb
, arg
);
1564 /* We don't need the \o-terminated string anymore */
1565 OPENSSL_free(restored_tuple_string
);
1567 if (garg
->tuplcnt_arr
[garg
->tplcnt
] > 0) { /* Some valid groups are present in current tuple... */
1568 if (garg
->tuple_mode
) {
1569 /* We 'close' the tuple */
1571 garg
->tuplcnt_arr
[garg
->tplcnt
] = 0; /* Next tuple is initialized to be empty */
1572 garg
->tuple_mode
= 1; /* next call will start a tuple (unless overridden in gid_cb) */
1580 * Set groups and prepare generation of keyshares based on a string of groupnames,
1581 * names separated by the group or the tuple delimiter, with per-group prefixes to
1582 * (1) add a key share for this group, (2) ignore the group if unkown to the current
1583 * context, (3) delete a previous occurrence of the group in the current tuple.
1585 * The list parsing is done in two hierachical steps: The top-level step extracts the
1586 * string of a tuple using tuple_cb, while the next lower step uses gid_cb to
1587 * parse and process the groups inside a tuple
1589 int tls1_set_groups_list(SSL_CTX
*ctx
,
1590 uint16_t **grpext
, size_t *grpextlen
,
1591 uint16_t **ksext
, size_t *ksextlen
,
1592 size_t **tplext
, size_t *tplextlen
,
1596 int ret
= 0, parse_ret
= 0;
1601 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_NULL_PARAMETER
);
1605 memset(&gcb
, 0, sizeof(gcb
));
1606 gcb
.tuple_mode
= 1; /* We prepare to collect the first tuple */
1607 gcb
.ignore_unknown_default
= 0;
1608 gcb
.gidmax
= GROUPLIST_INCREMENT
;
1609 gcb
.tplmax
= GROUPLIST_INCREMENT
;
1610 gcb
.ksidmax
= GROUPLIST_INCREMENT
;
1613 /* Prepare initial chunks of memory for groups, tuples and keyshares groupIDs */
1614 gcb
.gid_arr
= OPENSSL_malloc(gcb
.gidmax
* sizeof(*gcb
.gid_arr
));
1615 if (gcb
.gid_arr
== NULL
)
1617 gcb
.tuplcnt_arr
= OPENSSL_malloc(gcb
.tplmax
* sizeof(*gcb
.tuplcnt_arr
));
1618 if (gcb
.tuplcnt_arr
== NULL
)
1620 gcb
.tuplcnt_arr
[0] = 0;
1621 gcb
.ksid_arr
= OPENSSL_malloc(gcb
.ksidmax
* sizeof(*gcb
.ksid_arr
));
1622 if (gcb
.ksid_arr
== NULL
)
1625 while (str
[0] != '\0' && isspace((unsigned char)*str
))
1631 * Start the (potentially recursive) tuple processing by calling CONF_parse_list
1632 * with the TUPLE_DELIMITER_CHARACTER (which will call tuple_cb after cleaning spaces)
1634 parse_ret
= CONF_parse_list(str
, TUPLE_DELIMITER_CHARACTER
, 1, tuple_cb
, &gcb
);
1638 if (parse_ret
== -1) {
1639 ERR_raise_data(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
,
1640 "Syntax error in '%s'", str
);
1645 * We check whether a tuple was completly emptied by using "-" prefix
1646 * excessively, in which case we remove the tuple
1648 for (i
= j
= 0; j
< gcb
.tplcnt
; j
++) {
1649 if (gcb
.tuplcnt_arr
[j
] == 0)
1651 /* If there's a gap, move to first unfilled slot */
1655 gcb
.tuplcnt_arr
[i
++] = gcb
.tuplcnt_arr
[j
];
1659 if (gcb
.ksidcnt
> OPENSSL_CLIENT_MAX_KEY_SHARES
) {
1660 ERR_raise_data(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
,
1661 "To many keyshares requested in '%s' (max = %d)",
1662 str
, OPENSSL_CLIENT_MAX_KEY_SHARES
);
1667 * For backward compatibility we let the rest of the code know that a key share
1668 * for the first valid group should be added if no "*" prefix was used anywhere
1670 if (gcb
.gidcnt
> 0 && gcb
.ksidcnt
== 0) {
1672 * No key share group prefix character was used, hence we indicate that a single
1673 * key share should be sent and flag that it should come from the supported_groups list
1676 gcb
.ksid_arr
[0] = 0;
1681 * A call to tls1_set_groups_list with any of the args (other than ctx) set
1682 * to NULL only does a syntax check, hence we're done here and report success
1684 if (grpext
== NULL
|| ksext
== NULL
|| tplext
== NULL
||
1685 grpextlen
== NULL
|| ksextlen
== NULL
|| tplextlen
== NULL
) {
1691 * tuple_cb and gid_cb combo ensures there are no duplicates or unknown groups so we
1692 * can just go ahead and set the results (after diposing the existing)
1694 OPENSSL_free(*grpext
);
1695 *grpext
= gcb
.gid_arr
;
1696 *grpextlen
= gcb
.gidcnt
;
1697 OPENSSL_free(*ksext
);
1698 *ksext
= gcb
.ksid_arr
;
1699 *ksextlen
= gcb
.ksidcnt
;
1700 OPENSSL_free(*tplext
);
1701 *tplext
= gcb
.tuplcnt_arr
;
1702 *tplextlen
= gcb
.tplcnt
;
1707 OPENSSL_free(gcb
.gid_arr
);
1708 OPENSSL_free(gcb
.tuplcnt_arr
);
1709 OPENSSL_free(gcb
.ksid_arr
);
1713 /* Check a group id matches preferences */
1714 int tls1_check_group_id(SSL_CONNECTION
*s
, uint16_t group_id
,
1715 int check_own_groups
)
1717 const uint16_t *groups
;
1723 /* Check for Suite B compliance */
1724 if (tls1_suiteb(s
) && s
->s3
.tmp
.new_cipher
!= NULL
) {
1725 unsigned long cid
= s
->s3
.tmp
.new_cipher
->id
;
1727 if (cid
== TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
) {
1728 if (group_id
!= OSSL_TLS_GROUP_ID_secp256r1
)
1730 } else if (cid
== TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
) {
1731 if (group_id
!= OSSL_TLS_GROUP_ID_secp384r1
)
1734 /* Should never happen */
1739 if (check_own_groups
) {
1740 /* Check group is one of our preferences */
1741 tls1_get_supported_groups(s
, &groups
, &groups_len
);
1742 if (!tls1_in_list(group_id
, groups
, groups_len
))
1746 if (!tls_group_allowed(s
, group_id
, SSL_SECOP_CURVE_CHECK
))
1749 /* For clients, nothing more to check */
1753 /* Check group is one of peers preferences */
1754 tls1_get_peer_groups(s
, &groups
, &groups_len
);
1757 * RFC 4492 does not require the supported elliptic curves extension
1758 * so if it is not sent we can just choose any curve.
1759 * It is invalid to send an empty list in the supported groups
1760 * extension, so groups_len == 0 always means no extension.
1762 if (groups_len
== 0)
1764 return tls1_in_list(group_id
, groups
, groups_len
);
1767 void tls1_get_formatlist(SSL_CONNECTION
*s
, const unsigned char **pformats
,
1768 size_t *num_formats
)
1771 * If we have a custom point format list use it otherwise use default
1773 if (s
->ext
.ecpointformats
) {
1774 *pformats
= s
->ext
.ecpointformats
;
1775 *num_formats
= s
->ext
.ecpointformats_len
;
1776 } else if ((s
->options
& SSL_OP_LEGACY_EC_POINT_FORMATS
) != 0) {
1777 *pformats
= ecformats_all
;
1778 /* For Suite B we don't support char2 fields */
1780 *num_formats
= sizeof(ecformats_all
) - 1;
1782 *num_formats
= sizeof(ecformats_all
);
1784 *pformats
= ecformats_default
;
1785 *num_formats
= sizeof(ecformats_default
);
1789 /* Check a key is compatible with compression extension */
1790 static int tls1_check_pkey_comp(SSL_CONNECTION
*s
, EVP_PKEY
*pkey
)
1792 unsigned char comp_id
;
1796 /* If not an EC key nothing to check */
1797 if (!EVP_PKEY_is_a(pkey
, "EC"))
1801 /* Get required compression id */
1802 point_conv
= EVP_PKEY_get_ec_point_conv_form(pkey
);
1803 if (point_conv
== 0)
1805 if (point_conv
== POINT_CONVERSION_UNCOMPRESSED
) {
1806 comp_id
= TLSEXT_ECPOINTFORMAT_uncompressed
;
1807 } else if (SSL_CONNECTION_IS_TLS13(s
)) {
1809 * ec_point_formats extension is not used in TLSv1.3 so we ignore
1814 int field_type
= EVP_PKEY_get_field_type(pkey
);
1816 if (field_type
== NID_X9_62_prime_field
)
1817 comp_id
= TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
;
1818 else if (field_type
== NID_X9_62_characteristic_two_field
)
1819 comp_id
= TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
;
1824 * If point formats extension present check it, otherwise everything is
1825 * supported (see RFC4492).
1827 if (s
->ext
.peer_ecpointformats
== NULL
)
1830 for (i
= 0; i
< s
->ext
.peer_ecpointformats_len
; i
++) {
1831 if (s
->ext
.peer_ecpointformats
[i
] == comp_id
)
1837 /* Return group id of a key */
1838 static uint16_t tls1_get_group_id(EVP_PKEY
*pkey
)
1840 int curve_nid
= ssl_get_EC_curve_nid(pkey
);
1842 if (curve_nid
== NID_undef
)
1844 return tls1_nid2group_id(curve_nid
);
1848 * Check cert parameters compatible with extensions: currently just checks EC
1849 * certificates have compatible curves and compression.
1851 static int tls1_check_cert_param(SSL_CONNECTION
*s
, X509
*x
, int check_ee_md
)
1855 pkey
= X509_get0_pubkey(x
);
1858 /* If not EC nothing to do */
1859 if (!EVP_PKEY_is_a(pkey
, "EC"))
1861 /* Check compression */
1862 if (!tls1_check_pkey_comp(s
, pkey
))
1864 group_id
= tls1_get_group_id(pkey
);
1866 * For a server we allow the certificate to not be in our list of supported
1869 if (!tls1_check_group_id(s
, group_id
, !s
->server
))
1872 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
1875 if (check_ee_md
&& tls1_suiteb(s
)) {
1879 /* Check to see we have necessary signing algorithm */
1880 if (group_id
== OSSL_TLS_GROUP_ID_secp256r1
)
1881 check_md
= NID_ecdsa_with_SHA256
;
1882 else if (group_id
== OSSL_TLS_GROUP_ID_secp384r1
)
1883 check_md
= NID_ecdsa_with_SHA384
;
1885 return 0; /* Should never happen */
1886 for (i
= 0; i
< s
->shared_sigalgslen
; i
++) {
1887 if (check_md
== s
->shared_sigalgs
[i
]->sigandhash
)
1896 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
1897 * @s: SSL connection
1898 * @cid: Cipher ID we're considering using
1900 * Checks that the kECDHE cipher suite we're considering using
1901 * is compatible with the client extensions.
1903 * Returns 0 when the cipher can't be used or 1 when it can.
1905 int tls1_check_ec_tmp_key(SSL_CONNECTION
*s
, unsigned long cid
)
1907 /* If not Suite B just need a shared group */
1908 if (!tls1_suiteb(s
))
1909 return tls1_shared_group(s
, 0) != 0;
1911 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
1914 if (cid
== TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
)
1915 return tls1_check_group_id(s
, OSSL_TLS_GROUP_ID_secp256r1
, 1);
1916 if (cid
== TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
)
1917 return tls1_check_group_id(s
, OSSL_TLS_GROUP_ID_secp384r1
, 1);
1922 /* Default sigalg schemes */
1923 static const uint16_t tls12_sigalgs
[] = {
1924 TLSEXT_SIGALG_mldsa65
,
1925 TLSEXT_SIGALG_mldsa87
,
1926 TLSEXT_SIGALG_mldsa44
,
1927 TLSEXT_SIGALG_ecdsa_secp256r1_sha256
,
1928 TLSEXT_SIGALG_ecdsa_secp384r1_sha384
,
1929 TLSEXT_SIGALG_ecdsa_secp521r1_sha512
,
1930 TLSEXT_SIGALG_ed25519
,
1931 TLSEXT_SIGALG_ed448
,
1932 TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256
,
1933 TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384
,
1934 TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512
,
1936 TLSEXT_SIGALG_rsa_pss_pss_sha256
,
1937 TLSEXT_SIGALG_rsa_pss_pss_sha384
,
1938 TLSEXT_SIGALG_rsa_pss_pss_sha512
,
1939 TLSEXT_SIGALG_rsa_pss_rsae_sha256
,
1940 TLSEXT_SIGALG_rsa_pss_rsae_sha384
,
1941 TLSEXT_SIGALG_rsa_pss_rsae_sha512
,
1943 TLSEXT_SIGALG_rsa_pkcs1_sha256
,
1944 TLSEXT_SIGALG_rsa_pkcs1_sha384
,
1945 TLSEXT_SIGALG_rsa_pkcs1_sha512
,
1947 TLSEXT_SIGALG_ecdsa_sha224
,
1948 TLSEXT_SIGALG_ecdsa_sha1
,
1950 TLSEXT_SIGALG_rsa_pkcs1_sha224
,
1951 TLSEXT_SIGALG_rsa_pkcs1_sha1
,
1953 TLSEXT_SIGALG_dsa_sha224
,
1954 TLSEXT_SIGALG_dsa_sha1
,
1956 TLSEXT_SIGALG_dsa_sha256
,
1957 TLSEXT_SIGALG_dsa_sha384
,
1958 TLSEXT_SIGALG_dsa_sha512
,
1960 #ifndef OPENSSL_NO_GOST
1961 TLSEXT_SIGALG_gostr34102012_256_intrinsic
,
1962 TLSEXT_SIGALG_gostr34102012_512_intrinsic
,
1963 TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256
,
1964 TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512
,
1965 TLSEXT_SIGALG_gostr34102001_gostr3411
,
1970 static const uint16_t suiteb_sigalgs
[] = {
1971 TLSEXT_SIGALG_ecdsa_secp256r1_sha256
,
1972 TLSEXT_SIGALG_ecdsa_secp384r1_sha384
1975 static const SIGALG_LOOKUP sigalg_lookup_tbl
[] = {
1976 {TLSEXT_SIGALG_ecdsa_secp256r1_sha256_name
,
1977 "ECDSA+SHA256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256
,
1978 NID_sha256
, SSL_MD_SHA256_IDX
, EVP_PKEY_EC
, SSL_PKEY_ECC
,
1979 NID_ecdsa_with_SHA256
, NID_X9_62_prime256v1
, 1, 0,
1980 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
1981 {TLSEXT_SIGALG_ecdsa_secp384r1_sha384_name
,
1982 "ECDSA+SHA384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384
,
1983 NID_sha384
, SSL_MD_SHA384_IDX
, EVP_PKEY_EC
, SSL_PKEY_ECC
,
1984 NID_ecdsa_with_SHA384
, NID_secp384r1
, 1, 0,
1985 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
1986 {TLSEXT_SIGALG_ecdsa_secp521r1_sha512_name
,
1987 "ECDSA+SHA512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512
,
1988 NID_sha512
, SSL_MD_SHA512_IDX
, EVP_PKEY_EC
, SSL_PKEY_ECC
,
1989 NID_ecdsa_with_SHA512
, NID_secp521r1
, 1, 0,
1990 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
1992 {TLSEXT_SIGALG_ed25519_name
,
1993 NULL
, TLSEXT_SIGALG_ed25519
,
1994 NID_undef
, -1, EVP_PKEY_ED25519
, SSL_PKEY_ED25519
,
1995 NID_undef
, NID_undef
, 1, 0,
1996 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
1997 {TLSEXT_SIGALG_ed448_name
,
1998 NULL
, TLSEXT_SIGALG_ed448
,
1999 NID_undef
, -1, EVP_PKEY_ED448
, SSL_PKEY_ED448
,
2000 NID_undef
, NID_undef
, 1, 0,
2001 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
2003 {TLSEXT_SIGALG_ecdsa_sha224_name
,
2004 "ECDSA+SHA224", TLSEXT_SIGALG_ecdsa_sha224
,
2005 NID_sha224
, SSL_MD_SHA224_IDX
, EVP_PKEY_EC
, SSL_PKEY_ECC
,
2006 NID_ecdsa_with_SHA224
, NID_undef
, 1, 0,
2007 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2008 {TLSEXT_SIGALG_ecdsa_sha1_name
,
2009 "ECDSA+SHA1", TLSEXT_SIGALG_ecdsa_sha1
,
2010 NID_sha1
, SSL_MD_SHA1_IDX
, EVP_PKEY_EC
, SSL_PKEY_ECC
,
2011 NID_ecdsa_with_SHA1
, NID_undef
, 1, 0,
2012 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2014 {TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_name
,
2015 TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_alias
,
2016 TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256
,
2017 NID_sha256
, SSL_MD_SHA256_IDX
, EVP_PKEY_EC
, SSL_PKEY_ECC
,
2018 NID_ecdsa_with_SHA256
, NID_brainpoolP256r1
, 1, 0,
2019 TLS1_3_VERSION
, 0, -1, -1},
2020 {TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_name
,
2021 TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_alias
,
2022 TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384
,
2023 NID_sha384
, SSL_MD_SHA384_IDX
, EVP_PKEY_EC
, SSL_PKEY_ECC
,
2024 NID_ecdsa_with_SHA384
, NID_brainpoolP384r1
, 1, 0,
2025 TLS1_3_VERSION
, 0, -1, -1},
2026 {TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name
,
2027 TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_alias
,
2028 TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512
,
2029 NID_sha512
, SSL_MD_SHA512_IDX
, EVP_PKEY_EC
, SSL_PKEY_ECC
,
2030 NID_ecdsa_with_SHA512
, NID_brainpoolP512r1
, 1, 0,
2031 TLS1_3_VERSION
, 0, -1, -1},
2033 {TLSEXT_SIGALG_rsa_pss_rsae_sha256_name
,
2034 "PSS+SHA256", TLSEXT_SIGALG_rsa_pss_rsae_sha256
,
2035 NID_sha256
, SSL_MD_SHA256_IDX
, EVP_PKEY_RSA_PSS
, SSL_PKEY_RSA
,
2036 NID_undef
, NID_undef
, 1, 0,
2037 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
2038 {TLSEXT_SIGALG_rsa_pss_rsae_sha384_name
,
2039 "PSS+SHA384", TLSEXT_SIGALG_rsa_pss_rsae_sha384
,
2040 NID_sha384
, SSL_MD_SHA384_IDX
, EVP_PKEY_RSA_PSS
, SSL_PKEY_RSA
,
2041 NID_undef
, NID_undef
, 1, 0,
2042 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
2043 {TLSEXT_SIGALG_rsa_pss_rsae_sha512_name
,
2044 "PSS+SHA512", TLSEXT_SIGALG_rsa_pss_rsae_sha512
,
2045 NID_sha512
, SSL_MD_SHA512_IDX
, EVP_PKEY_RSA_PSS
, SSL_PKEY_RSA
,
2046 NID_undef
, NID_undef
, 1, 0,
2047 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
2049 {TLSEXT_SIGALG_rsa_pss_pss_sha256_name
,
2050 NULL
, TLSEXT_SIGALG_rsa_pss_pss_sha256
,
2051 NID_sha256
, SSL_MD_SHA256_IDX
, EVP_PKEY_RSA_PSS
, SSL_PKEY_RSA_PSS_SIGN
,
2052 NID_undef
, NID_undef
, 1, 0,
2053 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
2054 {TLSEXT_SIGALG_rsa_pss_pss_sha384_name
,
2055 NULL
, TLSEXT_SIGALG_rsa_pss_pss_sha384
,
2056 NID_sha384
, SSL_MD_SHA384_IDX
, EVP_PKEY_RSA_PSS
, SSL_PKEY_RSA_PSS_SIGN
,
2057 NID_undef
, NID_undef
, 1, 0,
2058 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
2059 {TLSEXT_SIGALG_rsa_pss_pss_sha512_name
,
2060 NULL
, TLSEXT_SIGALG_rsa_pss_pss_sha512
,
2061 NID_sha512
, SSL_MD_SHA512_IDX
, EVP_PKEY_RSA_PSS
, SSL_PKEY_RSA_PSS_SIGN
,
2062 NID_undef
, NID_undef
, 1, 0,
2063 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
2065 {TLSEXT_SIGALG_rsa_pkcs1_sha256_name
,
2066 "RSA+SHA256", TLSEXT_SIGALG_rsa_pkcs1_sha256
,
2067 NID_sha256
, SSL_MD_SHA256_IDX
, EVP_PKEY_RSA
, SSL_PKEY_RSA
,
2068 NID_sha256WithRSAEncryption
, NID_undef
, 1, 0,
2069 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
2070 {TLSEXT_SIGALG_rsa_pkcs1_sha384_name
,
2071 "RSA+SHA384", TLSEXT_SIGALG_rsa_pkcs1_sha384
,
2072 NID_sha384
, SSL_MD_SHA384_IDX
, EVP_PKEY_RSA
, SSL_PKEY_RSA
,
2073 NID_sha384WithRSAEncryption
, NID_undef
, 1, 0,
2074 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
2075 {TLSEXT_SIGALG_rsa_pkcs1_sha512_name
,
2076 "RSA+SHA512", TLSEXT_SIGALG_rsa_pkcs1_sha512
,
2077 NID_sha512
, SSL_MD_SHA512_IDX
, EVP_PKEY_RSA
, SSL_PKEY_RSA
,
2078 NID_sha512WithRSAEncryption
, NID_undef
, 1, 0,
2079 TLS1_2_VERSION
, 0, DTLS1_2_VERSION
, 0},
2081 {TLSEXT_SIGALG_rsa_pkcs1_sha224_name
,
2082 "RSA+SHA224", TLSEXT_SIGALG_rsa_pkcs1_sha224
,
2083 NID_sha224
, SSL_MD_SHA224_IDX
, EVP_PKEY_RSA
, SSL_PKEY_RSA
,
2084 NID_sha224WithRSAEncryption
, NID_undef
, 1, 0,
2085 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2086 {TLSEXT_SIGALG_rsa_pkcs1_sha1_name
,
2087 "RSA+SHA1", TLSEXT_SIGALG_rsa_pkcs1_sha1
,
2088 NID_sha1
, SSL_MD_SHA1_IDX
, EVP_PKEY_RSA
, SSL_PKEY_RSA
,
2089 NID_sha1WithRSAEncryption
, NID_undef
, 1, 0,
2090 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2092 {TLSEXT_SIGALG_dsa_sha256_name
,
2093 "DSA+SHA256", TLSEXT_SIGALG_dsa_sha256
,
2094 NID_sha256
, SSL_MD_SHA256_IDX
, EVP_PKEY_DSA
, SSL_PKEY_DSA_SIGN
,
2095 NID_dsa_with_SHA256
, NID_undef
, 1, 0,
2096 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2097 {TLSEXT_SIGALG_dsa_sha384_name
,
2098 "DSA+SHA384", TLSEXT_SIGALG_dsa_sha384
,
2099 NID_sha384
, SSL_MD_SHA384_IDX
, EVP_PKEY_DSA
, SSL_PKEY_DSA_SIGN
,
2100 NID_undef
, NID_undef
, 1, 0,
2101 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2102 {TLSEXT_SIGALG_dsa_sha512_name
,
2103 "DSA+SHA512", TLSEXT_SIGALG_dsa_sha512
,
2104 NID_sha512
, SSL_MD_SHA512_IDX
, EVP_PKEY_DSA
, SSL_PKEY_DSA_SIGN
,
2105 NID_undef
, NID_undef
, 1, 0,
2106 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2107 {TLSEXT_SIGALG_dsa_sha224_name
,
2108 "DSA+SHA224", TLSEXT_SIGALG_dsa_sha224
,
2109 NID_sha224
, SSL_MD_SHA224_IDX
, EVP_PKEY_DSA
, SSL_PKEY_DSA_SIGN
,
2110 NID_undef
, NID_undef
, 1, 0,
2111 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2112 {TLSEXT_SIGALG_dsa_sha1_name
,
2113 "DSA+SHA1", TLSEXT_SIGALG_dsa_sha1
,
2114 NID_sha1
, SSL_MD_SHA1_IDX
, EVP_PKEY_DSA
, SSL_PKEY_DSA_SIGN
,
2115 NID_dsaWithSHA1
, NID_undef
, 1, 0,
2116 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2118 #ifndef OPENSSL_NO_GOST
2119 {TLSEXT_SIGALG_gostr34102012_256_intrinsic_alias
, /* RFC9189 */
2120 TLSEXT_SIGALG_gostr34102012_256_intrinsic_name
,
2121 TLSEXT_SIGALG_gostr34102012_256_intrinsic
,
2122 NID_id_GostR3411_2012_256
, SSL_MD_GOST12_256_IDX
,
2123 NID_id_GostR3410_2012_256
, SSL_PKEY_GOST12_256
,
2124 NID_undef
, NID_undef
, 1, 0,
2125 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2126 {TLSEXT_SIGALG_gostr34102012_256_intrinsic_alias
, /* RFC9189 */
2127 TLSEXT_SIGALG_gostr34102012_256_intrinsic_name
,
2128 TLSEXT_SIGALG_gostr34102012_512_intrinsic
,
2129 NID_id_GostR3411_2012_512
, SSL_MD_GOST12_512_IDX
,
2130 NID_id_GostR3410_2012_512
, SSL_PKEY_GOST12_512
,
2131 NID_undef
, NID_undef
, 1, 0,
2132 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2134 {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_name
,
2135 NULL
, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256
,
2136 NID_id_GostR3411_2012_256
, SSL_MD_GOST12_256_IDX
,
2137 NID_id_GostR3410_2012_256
, SSL_PKEY_GOST12_256
,
2138 NID_undef
, NID_undef
, 1, 0,
2139 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2140 {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_name
,
2141 NULL
, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512
,
2142 NID_id_GostR3411_2012_512
, SSL_MD_GOST12_512_IDX
,
2143 NID_id_GostR3410_2012_512
, SSL_PKEY_GOST12_512
,
2144 NID_undef
, NID_undef
, 1, 0,
2145 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2146 {TLSEXT_SIGALG_gostr34102001_gostr3411_name
,
2147 NULL
, TLSEXT_SIGALG_gostr34102001_gostr3411
,
2148 NID_id_GostR3411_94
, SSL_MD_GOST94_IDX
,
2149 NID_id_GostR3410_2001
, SSL_PKEY_GOST01
,
2150 NID_undef
, NID_undef
, 1, 0,
2151 TLS1_2_VERSION
, TLS1_2_VERSION
, DTLS1_2_VERSION
, DTLS1_2_VERSION
},
2154 /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
2155 static const SIGALG_LOOKUP legacy_rsa_sigalg
= {
2156 "rsa_pkcs1_md5_sha1", NULL
, 0,
2157 NID_md5_sha1
, SSL_MD_MD5_SHA1_IDX
,
2158 EVP_PKEY_RSA
, SSL_PKEY_RSA
,
2159 NID_undef
, NID_undef
, 1, 0,
2160 TLS1_VERSION
, TLS1_2_VERSION
, DTLS1_VERSION
, DTLS1_2_VERSION
2164 * Default signature algorithm values used if signature algorithms not present.
2165 * From RFC5246. Note: order must match certificate index order.
2167 static const uint16_t tls_default_sigalg
[] = {
2168 TLSEXT_SIGALG_rsa_pkcs1_sha1
, /* SSL_PKEY_RSA */
2169 0, /* SSL_PKEY_RSA_PSS_SIGN */
2170 TLSEXT_SIGALG_dsa_sha1
, /* SSL_PKEY_DSA_SIGN */
2171 TLSEXT_SIGALG_ecdsa_sha1
, /* SSL_PKEY_ECC */
2172 TLSEXT_SIGALG_gostr34102001_gostr3411
, /* SSL_PKEY_GOST01 */
2173 TLSEXT_SIGALG_gostr34102012_256_intrinsic
, /* SSL_PKEY_GOST12_256 */
2174 TLSEXT_SIGALG_gostr34102012_512_intrinsic
, /* SSL_PKEY_GOST12_512 */
2175 0, /* SSL_PKEY_ED25519 */
2176 0, /* SSL_PKEY_ED448 */
2179 int ssl_setup_sigalgs(SSL_CTX
*ctx
)
2181 size_t i
, cache_idx
, sigalgs_len
, enabled
;
2182 const SIGALG_LOOKUP
*lu
;
2183 SIGALG_LOOKUP
*cache
= NULL
;
2184 uint16_t *tls12_sigalgs_list
= NULL
;
2185 EVP_PKEY
*tmpkey
= EVP_PKEY_new();
2192 istls
= !SSL_CTX_IS_DTLS(ctx
);
2194 sigalgs_len
= OSSL_NELEM(sigalg_lookup_tbl
) + ctx
->sigalg_list_len
;
2196 cache
= OPENSSL_zalloc(sizeof(const SIGALG_LOOKUP
) * sigalgs_len
);
2197 if (cache
== NULL
|| tmpkey
== NULL
)
2200 tls12_sigalgs_list
= OPENSSL_zalloc(sizeof(uint16_t) * sigalgs_len
);
2201 if (tls12_sigalgs_list
== NULL
)
2205 /* First fill cache and tls12_sigalgs list from legacy algorithm list */
2206 for (i
= 0, lu
= sigalg_lookup_tbl
;
2207 i
< OSSL_NELEM(sigalg_lookup_tbl
); lu
++, i
++) {
2213 * Check hash is available.
2214 * This test is not perfect. A provider could have support
2215 * for a signature scheme, but not a particular hash. However the hash
2216 * could be available from some other loaded provider. In that case it
2217 * could be that the signature is available, and the hash is available
2218 * independently - but not as a combination. We ignore this for now.
2220 if (lu
->hash
!= NID_undef
2221 && ctx
->ssl_digest_methods
[lu
->hash_idx
] == NULL
) {
2222 cache
[i
].available
= 0;
2226 if (!EVP_PKEY_set_type(tmpkey
, lu
->sig
)) {
2227 cache
[i
].available
= 0;
2230 pctx
= EVP_PKEY_CTX_new_from_pkey(ctx
->libctx
, tmpkey
, ctx
->propq
);
2231 /* If unable to create pctx we assume the sig algorithm is unavailable */
2233 cache
[i
].available
= 0;
2234 EVP_PKEY_CTX_free(pctx
);
2237 /* Now complete cache and tls12_sigalgs list with provider sig information */
2238 cache_idx
= OSSL_NELEM(sigalg_lookup_tbl
);
2239 for (i
= 0; i
< ctx
->sigalg_list_len
; i
++) {
2240 TLS_SIGALG_INFO si
= ctx
->sigalg_list
[i
];
2241 cache
[cache_idx
].name
= si
.name
;
2242 cache
[cache_idx
].name12
= si
.sigalg_name
;
2243 cache
[cache_idx
].sigalg
= si
.code_point
;
2244 tls12_sigalgs_list
[cache_idx
] = si
.code_point
;
2245 cache
[cache_idx
].hash
= si
.hash_name
?OBJ_txt2nid(si
.hash_name
):NID_undef
;
2246 cache
[cache_idx
].hash_idx
= ssl_get_md_idx(cache
[cache_idx
].hash
);
2247 cache
[cache_idx
].sig
= OBJ_txt2nid(si
.sigalg_name
);
2248 cache
[cache_idx
].sig_idx
= (int)(i
+ SSL_PKEY_NUM
);
2249 cache
[cache_idx
].sigandhash
= OBJ_txt2nid(si
.sigalg_name
);
2250 cache
[cache_idx
].curve
= NID_undef
;
2251 cache
[cache_idx
].mintls
= TLS1_3_VERSION
;
2252 cache
[cache_idx
].maxtls
= TLS1_3_VERSION
;
2253 cache
[cache_idx
].mindtls
= -1;
2254 cache
[cache_idx
].maxdtls
= -1;
2255 /* Compatibility with TLS 1.3 is checked on load */
2256 cache
[cache_idx
].available
= istls
;
2257 cache
[cache_idx
].advertise
= 0;
2263 for (i
= 0; i
< OSSL_NELEM(tls12_sigalgs
); ++i
) {
2264 SIGALG_LOOKUP
*ent
= cache
;
2267 for (j
= 0; j
< sigalgs_len
; ent
++, j
++) {
2268 if (ent
->sigalg
!= tls12_sigalgs
[i
])
2270 /* Dedup by marking cache entry as default enabled. */
2271 if (ent
->available
&& !ent
->advertise
) {
2273 tls12_sigalgs_list
[enabled
++] = tls12_sigalgs
[i
];
2279 /* Append any provider sigalgs not yet handled */
2280 for (i
= OSSL_NELEM(sigalg_lookup_tbl
); i
< sigalgs_len
; ++i
) {
2281 SIGALG_LOOKUP
*ent
= &cache
[i
];
2283 if (ent
->available
&& !ent
->advertise
)
2284 tls12_sigalgs_list
[enabled
++] = ent
->sigalg
;
2287 ctx
->sigalg_lookup_cache
= cache
;
2288 ctx
->sigalg_lookup_cache_len
= sigalgs_len
;
2289 ctx
->tls12_sigalgs
= tls12_sigalgs_list
;
2290 ctx
->tls12_sigalgs_len
= enabled
;
2292 tls12_sigalgs_list
= NULL
;
2296 OPENSSL_free(cache
);
2297 OPENSSL_free(tls12_sigalgs_list
);
2298 EVP_PKEY_free(tmpkey
);
2302 #define SIGLEN_BUF_INCREMENT 100
2304 char *SSL_get1_builtin_sigalgs(OSSL_LIB_CTX
*libctx
)
2306 size_t i
, maxretlen
= SIGLEN_BUF_INCREMENT
;
2307 const SIGALG_LOOKUP
*lu
;
2308 EVP_PKEY
*tmpkey
= EVP_PKEY_new();
2309 char *retval
= OPENSSL_malloc(maxretlen
);
2314 /* ensure retval string is NUL terminated */
2315 retval
[0] = (char)0;
2317 for (i
= 0, lu
= sigalg_lookup_tbl
;
2318 i
< OSSL_NELEM(sigalg_lookup_tbl
); lu
++, i
++) {
2323 /* Check hash is available in some provider. */
2324 if (lu
->hash
!= NID_undef
) {
2325 EVP_MD
*hash
= EVP_MD_fetch(libctx
, OBJ_nid2ln(lu
->hash
), NULL
);
2327 /* If unable to create we assume the hash algorithm is unavailable */
2336 if (!EVP_PKEY_set_type(tmpkey
, lu
->sig
)) {
2341 pctx
= EVP_PKEY_CTX_new_from_pkey(libctx
, tmpkey
, NULL
);
2342 /* If unable to create pctx we assume the sig algorithm is unavailable */
2346 EVP_PKEY_CTX_free(pctx
);
2349 const char *sa
= lu
->name
;
2352 if (strlen(sa
) + strlen(retval
) + 1 >= maxretlen
) {
2355 maxretlen
+= SIGLEN_BUF_INCREMENT
;
2356 tmp
= OPENSSL_realloc(retval
, maxretlen
);
2358 OPENSSL_free(retval
);
2363 if (strlen(retval
) > 0)
2364 OPENSSL_strlcat(retval
, ":", maxretlen
);
2365 OPENSSL_strlcat(retval
, sa
, maxretlen
);
2367 /* lu->name must not be NULL */
2368 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
2373 EVP_PKEY_free(tmpkey
);
2377 /* Lookup TLS signature algorithm */
2378 static const SIGALG_LOOKUP
*tls1_lookup_sigalg(const SSL_CTX
*ctx
,
2382 const SIGALG_LOOKUP
*lu
= ctx
->sigalg_lookup_cache
;
2384 for (i
= 0; i
< ctx
->sigalg_lookup_cache_len
; lu
++, i
++) {
2385 if (lu
->sigalg
== sigalg
) {
2394 /* Lookup hash: return 0 if invalid or not enabled */
2395 int tls1_lookup_md(SSL_CTX
*ctx
, const SIGALG_LOOKUP
*lu
, const EVP_MD
**pmd
)
2401 /* lu->hash == NID_undef means no associated digest */
2402 if (lu
->hash
== NID_undef
) {
2405 md
= ssl_md(ctx
, lu
->hash_idx
);
2415 * Check if key is large enough to generate RSA-PSS signature.
2417 * The key must greater than or equal to 2 * hash length + 2.
2418 * SHA512 has a hash length of 64 bytes, which is incompatible
2419 * with a 128 byte (1024 bit) key.
2421 #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2)
2422 static int rsa_pss_check_min_key_size(SSL_CTX
*ctx
, const EVP_PKEY
*pkey
,
2423 const SIGALG_LOOKUP
*lu
)
2429 if (!tls1_lookup_md(ctx
, lu
, &md
) || md
== NULL
)
2431 if (EVP_MD_get_size(md
) <= 0)
2433 if (EVP_PKEY_get_size(pkey
) < RSA_PSS_MINIMUM_KEY_SIZE(md
))
2439 * Returns a signature algorithm when the peer did not send a list of supported
2440 * signature algorithms. The signature algorithm is fixed for the certificate
2441 * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
2442 * certificate type from |s| will be used.
2443 * Returns the signature algorithm to use, or NULL on error.
2445 static const SIGALG_LOOKUP
*tls1_get_legacy_sigalg(const SSL_CONNECTION
*s
,
2452 /* Work out index corresponding to ciphersuite */
2453 for (i
= 0; i
< s
->ssl_pkey_num
; i
++) {
2454 const SSL_CERT_LOOKUP
*clu
2455 = ssl_cert_lookup_by_idx(i
, SSL_CONNECTION_GET_CTX(s
));
2459 if (clu
->amask
& s
->s3
.tmp
.new_cipher
->algorithm_auth
) {
2466 * Some GOST ciphersuites allow more than one signature algorithms
2468 if (idx
== SSL_PKEY_GOST01
&& s
->s3
.tmp
.new_cipher
->algorithm_auth
!= SSL_aGOST01
) {
2471 for (real_idx
= SSL_PKEY_GOST12_512
; real_idx
>= SSL_PKEY_GOST01
;
2473 if (s
->cert
->pkeys
[real_idx
].privatekey
!= NULL
) {
2480 * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used
2481 * with new (aGOST12-only) ciphersuites, we should find out which one is available really.
2483 else if (idx
== SSL_PKEY_GOST12_256
) {
2486 for (real_idx
= SSL_PKEY_GOST12_512
; real_idx
>= SSL_PKEY_GOST12_256
;
2488 if (s
->cert
->pkeys
[real_idx
].privatekey
!= NULL
) {
2495 idx
= (int)(s
->cert
->key
- s
->cert
->pkeys
);
2498 if (idx
< 0 || idx
>= (int)OSSL_NELEM(tls_default_sigalg
))
2501 if (SSL_USE_SIGALGS(s
) || idx
!= SSL_PKEY_RSA
) {
2502 const SIGALG_LOOKUP
*lu
=
2503 tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s
),
2504 tls_default_sigalg
[idx
]);
2508 if (!tls1_lookup_md(SSL_CONNECTION_GET_CTX(s
), lu
, NULL
))
2510 if (!tls12_sigalg_allowed(s
, SSL_SECOP_SIGALG_SUPPORTED
, lu
))
2514 if (!tls12_sigalg_allowed(s
, SSL_SECOP_SIGALG_SUPPORTED
, &legacy_rsa_sigalg
))
2516 return &legacy_rsa_sigalg
;
2518 /* Set peer sigalg based key type */
2519 int tls1_set_peer_legacy_sigalg(SSL_CONNECTION
*s
, const EVP_PKEY
*pkey
)
2522 const SIGALG_LOOKUP
*lu
;
2524 if (ssl_cert_lookup_by_pkey(pkey
, &idx
, SSL_CONNECTION_GET_CTX(s
)) == NULL
)
2526 lu
= tls1_get_legacy_sigalg(s
, (int)idx
);
2529 s
->s3
.tmp
.peer_sigalg
= lu
;
2533 size_t tls12_get_psigalgs(SSL_CONNECTION
*s
, int sent
, const uint16_t **psigs
)
2536 * If Suite B mode use Suite B sigalgs only, ignore any other
2539 switch (tls1_suiteb(s
)) {
2540 case SSL_CERT_FLAG_SUITEB_128_LOS
:
2541 *psigs
= suiteb_sigalgs
;
2542 return OSSL_NELEM(suiteb_sigalgs
);
2544 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY
:
2545 *psigs
= suiteb_sigalgs
;
2548 case SSL_CERT_FLAG_SUITEB_192_LOS
:
2549 *psigs
= suiteb_sigalgs
+ 1;
2553 * We use client_sigalgs (if not NULL) if we're a server
2554 * and sending a certificate request or if we're a client and
2555 * determining which shared algorithm to use.
2557 if ((s
->server
== sent
) && s
->cert
->client_sigalgs
!= NULL
) {
2558 *psigs
= s
->cert
->client_sigalgs
;
2559 return s
->cert
->client_sigalgslen
;
2560 } else if (s
->cert
->conf_sigalgs
) {
2561 *psigs
= s
->cert
->conf_sigalgs
;
2562 return s
->cert
->conf_sigalgslen
;
2564 *psigs
= SSL_CONNECTION_GET_CTX(s
)->tls12_sigalgs
;
2565 return SSL_CONNECTION_GET_CTX(s
)->tls12_sigalgs_len
;
2570 * Called by servers only. Checks that we have a sig alg that supports the
2571 * specified EC curve.
2573 int tls_check_sigalg_curve(const SSL_CONNECTION
*s
, int curve
)
2575 const uint16_t *sigs
;
2578 if (s
->cert
->conf_sigalgs
) {
2579 sigs
= s
->cert
->conf_sigalgs
;
2580 siglen
= s
->cert
->conf_sigalgslen
;
2582 sigs
= SSL_CONNECTION_GET_CTX(s
)->tls12_sigalgs
;
2583 siglen
= SSL_CONNECTION_GET_CTX(s
)->tls12_sigalgs_len
;
2586 for (i
= 0; i
< siglen
; i
++) {
2587 const SIGALG_LOOKUP
*lu
=
2588 tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s
), sigs
[i
]);
2592 if (lu
->sig
== EVP_PKEY_EC
2593 && lu
->curve
!= NID_undef
2594 && curve
== lu
->curve
)
2602 * Return the number of security bits for the signature algorithm, or 0 on
2605 static int sigalg_security_bits(SSL_CTX
*ctx
, const SIGALG_LOOKUP
*lu
)
2607 const EVP_MD
*md
= NULL
;
2610 if (!tls1_lookup_md(ctx
, lu
, &md
))
2614 int md_type
= EVP_MD_get_type(md
);
2616 /* Security bits: half digest bits */
2617 secbits
= EVP_MD_get_size(md
) * 4;
2621 * SHA1 and MD5 are known to be broken. Reduce security bits so that
2622 * they're no longer accepted at security level 1. The real values don't
2623 * really matter as long as they're lower than 80, which is our
2625 * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for
2626 * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2
2627 * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
2628 * puts a chosen-prefix attack for MD5 at 2^39.
2630 if (md_type
== NID_sha1
)
2632 else if (md_type
== NID_md5_sha1
)
2634 else if (md_type
== NID_md5
)
2637 /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
2638 if (lu
->sigalg
== TLSEXT_SIGALG_ed25519
)
2640 else if (lu
->sigalg
== TLSEXT_SIGALG_ed448
)
2644 * For provider-based sigalgs we have secbits information available
2645 * in the (provider-loaded) sigalg_list structure
2647 if ((secbits
== 0) && (lu
->sig_idx
>= SSL_PKEY_NUM
)
2648 && ((lu
->sig_idx
- SSL_PKEY_NUM
) < (int)ctx
->sigalg_list_len
)) {
2649 secbits
= ctx
->sigalg_list
[lu
->sig_idx
- SSL_PKEY_NUM
].secbits
;
2654 static int tls_sigalg_compat(SSL_CONNECTION
*sc
, const SIGALG_LOOKUP
*lu
)
2656 int minversion
, maxversion
;
2657 int minproto
, maxproto
;
2662 if (SSL_CONNECTION_IS_DTLS(sc
)) {
2663 if (sc
->ssl
.method
->version
== DTLS_ANY_VERSION
) {
2664 minproto
= sc
->min_proto_version
;
2665 maxproto
= sc
->max_proto_version
;
2667 maxproto
= minproto
= sc
->version
;
2669 minversion
= lu
->mindtls
;
2670 maxversion
= lu
->maxdtls
;
2672 if (sc
->ssl
.method
->version
== TLS_ANY_VERSION
) {
2673 minproto
= sc
->min_proto_version
;
2674 maxproto
= sc
->max_proto_version
;
2676 maxproto
= minproto
= sc
->version
;
2678 minversion
= lu
->mintls
;
2679 maxversion
= lu
->maxtls
;
2681 if (minversion
== -1 || maxversion
== -1
2682 || (minversion
!= 0 && maxproto
!= 0
2683 && ssl_version_cmp(sc
, minversion
, maxproto
) > 0)
2684 || (maxversion
!= 0 && minproto
!= 0
2685 && ssl_version_cmp(sc
, maxversion
, minproto
) < 0)
2686 || !tls12_sigalg_allowed(sc
, SSL_SECOP_SIGALG_SUPPORTED
, lu
))
2692 * Check signature algorithm is consistent with sent supported signature
2693 * algorithms and if so set relevant digest and signature scheme in
2696 int tls12_check_peer_sigalg(SSL_CONNECTION
*s
, uint16_t sig
, EVP_PKEY
*pkey
)
2698 const uint16_t *sent_sigs
;
2699 const EVP_MD
*md
= NULL
;
2701 size_t sent_sigslen
, i
, cidx
;
2703 const SIGALG_LOOKUP
*lu
;
2706 pkeyid
= EVP_PKEY_get_id(pkey
);
2708 if (SSL_CONNECTION_IS_TLS13(s
)) {
2709 /* Disallow DSA for TLS 1.3 */
2710 if (pkeyid
== EVP_PKEY_DSA
) {
2711 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_SIGNATURE_TYPE
);
2714 /* Only allow PSS for TLS 1.3 */
2715 if (pkeyid
== EVP_PKEY_RSA
)
2716 pkeyid
= EVP_PKEY_RSA_PSS
;
2719 /* Is this code point available and compatible with the protocol */
2720 lu
= tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s
), sig
);
2721 if (lu
== NULL
|| !tls_sigalg_compat(s
, lu
)) {
2722 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_SIGNATURE_TYPE
);
2726 /* if this sigalg is loaded, set so far unknown pkeyid to its sig NID */
2727 if (pkeyid
== EVP_PKEY_KEYMGMT
)
2730 /* Should never happen */
2732 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_SIGNATURE_TYPE
);
2737 * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
2738 * is consistent with signature: RSA keys can be used for RSA-PSS
2740 if ((SSL_CONNECTION_IS_TLS13(s
)
2741 && (lu
->hash
== NID_sha1
|| lu
->hash
== NID_sha224
))
2742 || (pkeyid
!= lu
->sig
2743 && (lu
->sig
!= EVP_PKEY_RSA_PSS
|| pkeyid
!= EVP_PKEY_RSA
))) {
2744 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_SIGNATURE_TYPE
);
2747 /* Check the sigalg is consistent with the key OID */
2748 if (!ssl_cert_lookup_by_nid(
2749 (pkeyid
== EVP_PKEY_RSA_PSS
) ? EVP_PKEY_get_id(pkey
) : pkeyid
,
2750 &cidx
, SSL_CONNECTION_GET_CTX(s
))
2751 || lu
->sig_idx
!= (int)cidx
) {
2752 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_SIGNATURE_TYPE
);
2756 if (pkeyid
== EVP_PKEY_EC
) {
2758 /* Check point compression is permitted */
2759 if (!tls1_check_pkey_comp(s
, pkey
)) {
2760 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
2761 SSL_R_ILLEGAL_POINT_COMPRESSION
);
2765 /* For TLS 1.3 or Suite B check curve matches signature algorithm */
2766 if (SSL_CONNECTION_IS_TLS13(s
) || tls1_suiteb(s
)) {
2767 int curve
= ssl_get_EC_curve_nid(pkey
);
2769 if (lu
->curve
!= NID_undef
&& curve
!= lu
->curve
) {
2770 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_CURVE
);
2774 if (!SSL_CONNECTION_IS_TLS13(s
)) {
2775 /* Check curve matches extensions */
2776 if (!tls1_check_group_id(s
, tls1_get_group_id(pkey
), 1)) {
2777 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_CURVE
);
2780 if (tls1_suiteb(s
)) {
2781 /* Check sigalg matches a permissible Suite B value */
2782 if (sig
!= TLSEXT_SIGALG_ecdsa_secp256r1_sha256
2783 && sig
!= TLSEXT_SIGALG_ecdsa_secp384r1_sha384
) {
2784 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
,
2785 SSL_R_WRONG_SIGNATURE_TYPE
);
2790 } else if (tls1_suiteb(s
)) {
2791 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_R_WRONG_SIGNATURE_TYPE
);
2795 /* Check signature matches a type we sent */
2796 sent_sigslen
= tls12_get_psigalgs(s
, 1, &sent_sigs
);
2797 for (i
= 0; i
< sent_sigslen
; i
++, sent_sigs
++) {
2798 if (sig
== *sent_sigs
)
2801 /* Allow fallback to SHA1 if not strict mode */
2802 if (i
== sent_sigslen
&& (lu
->hash
!= NID_sha1
2803 || s
->cert
->cert_flags
& SSL_CERT_FLAGS_CHECK_TLS_STRICT
)) {
2804 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_R_WRONG_SIGNATURE_TYPE
);
2807 if (!tls1_lookup_md(SSL_CONNECTION_GET_CTX(s
), lu
, &md
)) {
2808 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_R_UNKNOWN_DIGEST
);
2812 * Make sure security callback allows algorithm. For historical
2813 * reasons we have to pass the sigalg as a two byte char array.
2815 sigalgstr
[0] = (sig
>> 8) & 0xff;
2816 sigalgstr
[1] = sig
& 0xff;
2817 secbits
= sigalg_security_bits(SSL_CONNECTION_GET_CTX(s
), lu
);
2819 !ssl_security(s
, SSL_SECOP_SIGALG_CHECK
, secbits
,
2820 md
!= NULL
? EVP_MD_get_type(md
) : NID_undef
,
2821 (void *)sigalgstr
)) {
2822 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_R_WRONG_SIGNATURE_TYPE
);
2825 /* Store the sigalg the peer uses */
2826 s
->s3
.tmp
.peer_sigalg
= lu
;
2830 int SSL_get_peer_signature_type_nid(const SSL
*s
, int *pnid
)
2832 const SSL_CONNECTION
*sc
= SSL_CONNECTION_FROM_CONST_SSL(s
);
2837 if (sc
->s3
.tmp
.peer_sigalg
== NULL
)
2839 *pnid
= sc
->s3
.tmp
.peer_sigalg
->sig
;
2843 int SSL_get_signature_type_nid(const SSL
*s
, int *pnid
)
2845 const SSL_CONNECTION
*sc
= SSL_CONNECTION_FROM_CONST_SSL(s
);
2850 if (sc
->s3
.tmp
.sigalg
== NULL
)
2852 *pnid
= sc
->s3
.tmp
.sigalg
->sig
;
2857 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
2858 * supported, doesn't appear in supported signature algorithms, isn't supported
2859 * by the enabled protocol versions or by the security level.
2861 * This function should only be used for checking which ciphers are supported
2864 * Call ssl_cipher_disabled() to check that it's enabled or not.
2866 int ssl_set_client_disabled(SSL_CONNECTION
*s
)
2868 s
->s3
.tmp
.mask_a
= 0;
2869 s
->s3
.tmp
.mask_k
= 0;
2870 ssl_set_sig_mask(&s
->s3
.tmp
.mask_a
, s
, SSL_SECOP_SIGALG_MASK
);
2871 if (ssl_get_min_max_version(s
, &s
->s3
.tmp
.min_ver
,
2872 &s
->s3
.tmp
.max_ver
, NULL
) != 0)
2874 #ifndef OPENSSL_NO_PSK
2875 /* with PSK there must be client callback set */
2876 if (!s
->psk_client_callback
) {
2877 s
->s3
.tmp
.mask_a
|= SSL_aPSK
;
2878 s
->s3
.tmp
.mask_k
|= SSL_PSK
;
2880 #endif /* OPENSSL_NO_PSK */
2881 #ifndef OPENSSL_NO_SRP
2882 if (!(s
->srp_ctx
.srp_Mask
& SSL_kSRP
)) {
2883 s
->s3
.tmp
.mask_a
|= SSL_aSRP
;
2884 s
->s3
.tmp
.mask_k
|= SSL_kSRP
;
2891 * ssl_cipher_disabled - check that a cipher is disabled or not
2892 * @s: SSL connection that you want to use the cipher on
2893 * @c: cipher to check
2894 * @op: Security check that you want to do
2895 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
2897 * Returns 1 when it's disabled, 0 when enabled.
2899 int ssl_cipher_disabled(const SSL_CONNECTION
*s
, const SSL_CIPHER
*c
,
2902 int minversion
= SSL_CONNECTION_IS_DTLS(s
) ? c
->min_dtls
: c
->min_tls
;
2903 int maxversion
= SSL_CONNECTION_IS_DTLS(s
) ? c
->max_dtls
: c
->max_tls
;
2905 if (c
->algorithm_mkey
& s
->s3
.tmp
.mask_k
2906 || c
->algorithm_auth
& s
->s3
.tmp
.mask_a
)
2908 if (s
->s3
.tmp
.max_ver
== 0)
2911 if (SSL_IS_QUIC_INT_HANDSHAKE(s
))
2912 /* For QUIC, only allow these ciphersuites. */
2913 switch (SSL_CIPHER_get_id(c
)) {
2914 case TLS1_3_CK_AES_128_GCM_SHA256
:
2915 case TLS1_3_CK_AES_256_GCM_SHA384
:
2916 case TLS1_3_CK_CHACHA20_POLY1305_SHA256
:
2923 * For historical reasons we will allow ECHDE to be selected by a server
2924 * in SSLv3 if we are a client
2926 if (minversion
== TLS1_VERSION
2928 && (c
->algorithm_mkey
& (SSL_kECDHE
| SSL_kECDHEPSK
)) != 0)
2929 minversion
= SSL3_VERSION
;
2931 if (ssl_version_cmp(s
, minversion
, s
->s3
.tmp
.max_ver
) > 0
2932 || ssl_version_cmp(s
, maxversion
, s
->s3
.tmp
.min_ver
) < 0)
2935 return !ssl_security(s
, op
, c
->strength_bits
, 0, (void *)c
);
2938 int tls_use_ticket(SSL_CONNECTION
*s
)
2940 if ((s
->options
& SSL_OP_NO_TICKET
))
2942 return ssl_security(s
, SSL_SECOP_TICKET
, 0, 0, NULL
);
2945 int tls1_set_server_sigalgs(SSL_CONNECTION
*s
)
2949 /* Clear any shared signature algorithms */
2950 OPENSSL_free(s
->shared_sigalgs
);
2951 s
->shared_sigalgs
= NULL
;
2952 s
->shared_sigalgslen
= 0;
2954 /* Clear certificate validity flags */
2955 if (s
->s3
.tmp
.valid_flags
)
2956 memset(s
->s3
.tmp
.valid_flags
, 0, s
->ssl_pkey_num
* sizeof(uint32_t));
2958 s
->s3
.tmp
.valid_flags
= OPENSSL_zalloc(s
->ssl_pkey_num
* sizeof(uint32_t));
2959 if (s
->s3
.tmp
.valid_flags
== NULL
)
2962 * If peer sent no signature algorithms check to see if we support
2963 * the default algorithm for each certificate type
2965 if (s
->s3
.tmp
.peer_cert_sigalgs
== NULL
2966 && s
->s3
.tmp
.peer_sigalgs
== NULL
) {
2967 const uint16_t *sent_sigs
;
2968 size_t sent_sigslen
= tls12_get_psigalgs(s
, 1, &sent_sigs
);
2970 for (i
= 0; i
< s
->ssl_pkey_num
; i
++) {
2971 const SIGALG_LOOKUP
*lu
= tls1_get_legacy_sigalg(s
, (int)i
);
2976 /* Check default matches a type we sent */
2977 for (j
= 0; j
< sent_sigslen
; j
++) {
2978 if (lu
->sigalg
== sent_sigs
[j
]) {
2979 s
->s3
.tmp
.valid_flags
[i
] = CERT_PKEY_SIGN
;
2987 if (!tls1_process_sigalgs(s
)) {
2988 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
2991 if (s
->shared_sigalgs
!= NULL
)
2994 /* Fatal error if no shared signature algorithms */
2995 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
,
2996 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS
);
3001 * Gets the ticket information supplied by the client if any.
3003 * hello: The parsed ClientHello data
3004 * ret: (output) on return, if a ticket was decrypted, then this is set to
3005 * point to the resulting session.
3007 SSL_TICKET_STATUS
tls_get_ticket_from_client(SSL_CONNECTION
*s
,
3008 CLIENTHELLO_MSG
*hello
,
3012 RAW_EXTENSION
*ticketext
;
3015 s
->ext
.ticket_expected
= 0;
3018 * If tickets disabled or not supported by the protocol version
3019 * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
3022 if (s
->version
<= SSL3_VERSION
|| !tls_use_ticket(s
))
3023 return SSL_TICKET_NONE
;
3025 ticketext
= &hello
->pre_proc_exts
[TLSEXT_IDX_session_ticket
];
3026 if (!ticketext
->present
)
3027 return SSL_TICKET_NONE
;
3029 size
= PACKET_remaining(&ticketext
->data
);
3031 return tls_decrypt_ticket(s
, PACKET_data(&ticketext
->data
), size
,
3032 hello
->session_id
, hello
->session_id_len
, ret
);
3036 * tls_decrypt_ticket attempts to decrypt a session ticket.
3038 * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are
3039 * expecting a pre-shared key ciphersuite, in which case we have no use for
3040 * session tickets and one will never be decrypted, nor will
3041 * s->ext.ticket_expected be set to 1.
3044 * Sets s->ext.ticket_expected to 1 if the server will have to issue
3045 * a new session ticket to the client because the client indicated support
3046 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3047 * a session ticket or we couldn't use the one it gave us, or if
3048 * s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
3049 * Otherwise, s->ext.ticket_expected is set to 0.
3051 * etick: points to the body of the session ticket extension.
3052 * eticklen: the length of the session tickets extension.
3053 * sess_id: points at the session ID.
3054 * sesslen: the length of the session ID.
3055 * psess: (output) on return, if a ticket was decrypted, then this is set to
3056 * point to the resulting session.
3058 SSL_TICKET_STATUS
tls_decrypt_ticket(SSL_CONNECTION
*s
,
3059 const unsigned char *etick
,
3061 const unsigned char *sess_id
,
3062 size_t sesslen
, SSL_SESSION
**psess
)
3064 SSL_SESSION
*sess
= NULL
;
3065 unsigned char *sdec
;
3066 const unsigned char *p
;
3067 int slen
, ivlen
, renew_ticket
= 0, declen
;
3068 SSL_TICKET_STATUS ret
= SSL_TICKET_FATAL_ERR_OTHER
;
3070 unsigned char tick_hmac
[EVP_MAX_MD_SIZE
];
3071 SSL_HMAC
*hctx
= NULL
;
3072 EVP_CIPHER_CTX
*ctx
= NULL
;
3073 SSL_CTX
*tctx
= s
->session_ctx
;
3074 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
3076 if (eticklen
== 0) {
3078 * The client will accept a ticket but doesn't currently have
3079 * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
3081 ret
= SSL_TICKET_EMPTY
;
3084 if (!SSL_CONNECTION_IS_TLS13(s
) && s
->ext
.session_secret_cb
) {
3086 * Indicate that the ticket couldn't be decrypted rather than
3087 * generating the session from ticket now, trigger
3088 * abbreviated handshake based on external mechanism to
3089 * calculate the master secret later.
3091 ret
= SSL_TICKET_NO_DECRYPT
;
3095 /* Need at least keyname + iv */
3096 if (eticklen
< TLSEXT_KEYNAME_LENGTH
+ EVP_MAX_IV_LENGTH
) {
3097 ret
= SSL_TICKET_NO_DECRYPT
;
3101 /* Initialize session ticket encryption and HMAC contexts */
3102 hctx
= ssl_hmac_new(tctx
);
3104 ret
= SSL_TICKET_FATAL_ERR_MALLOC
;
3107 ctx
= EVP_CIPHER_CTX_new();
3109 ret
= SSL_TICKET_FATAL_ERR_MALLOC
;
3112 #ifndef OPENSSL_NO_DEPRECATED_3_0
3113 if (tctx
->ext
.ticket_key_evp_cb
!= NULL
|| tctx
->ext
.ticket_key_cb
!= NULL
)
3115 if (tctx
->ext
.ticket_key_evp_cb
!= NULL
)
3118 unsigned char *nctick
= (unsigned char *)etick
;
3121 if (tctx
->ext
.ticket_key_evp_cb
!= NULL
)
3122 rv
= tctx
->ext
.ticket_key_evp_cb(SSL_CONNECTION_GET_USER_SSL(s
),
3124 nctick
+ TLSEXT_KEYNAME_LENGTH
,
3126 ssl_hmac_get0_EVP_MAC_CTX(hctx
),
3128 #ifndef OPENSSL_NO_DEPRECATED_3_0
3129 else if (tctx
->ext
.ticket_key_cb
!= NULL
)
3130 /* if 0 is returned, write an empty ticket */
3131 rv
= tctx
->ext
.ticket_key_cb(SSL_CONNECTION_GET_USER_SSL(s
), nctick
,
3132 nctick
+ TLSEXT_KEYNAME_LENGTH
,
3133 ctx
, ssl_hmac_get0_HMAC_CTX(hctx
), 0);
3136 ret
= SSL_TICKET_FATAL_ERR_OTHER
;
3140 ret
= SSL_TICKET_NO_DECRYPT
;
3146 EVP_CIPHER
*aes256cbc
= NULL
;
3148 /* Check key name matches */
3149 if (memcmp(etick
, tctx
->ext
.tick_key_name
,
3150 TLSEXT_KEYNAME_LENGTH
) != 0) {
3151 ret
= SSL_TICKET_NO_DECRYPT
;
3155 aes256cbc
= EVP_CIPHER_fetch(sctx
->libctx
, "AES-256-CBC",
3157 if (aes256cbc
== NULL
3158 || ssl_hmac_init(hctx
, tctx
->ext
.secure
->tick_hmac_key
,
3159 sizeof(tctx
->ext
.secure
->tick_hmac_key
),
3161 || EVP_DecryptInit_ex(ctx
, aes256cbc
, NULL
,
3162 tctx
->ext
.secure
->tick_aes_key
,
3163 etick
+ TLSEXT_KEYNAME_LENGTH
) <= 0) {
3164 EVP_CIPHER_free(aes256cbc
);
3165 ret
= SSL_TICKET_FATAL_ERR_OTHER
;
3168 EVP_CIPHER_free(aes256cbc
);
3169 if (SSL_CONNECTION_IS_TLS13(s
))
3173 * Attempt to process session ticket, first conduct sanity and integrity
3176 mlen
= ssl_hmac_size(hctx
);
3178 ret
= SSL_TICKET_FATAL_ERR_OTHER
;
3182 ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
3184 ret
= SSL_TICKET_FATAL_ERR_OTHER
;
3188 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
3189 if (eticklen
<= TLSEXT_KEYNAME_LENGTH
+ ivlen
+ mlen
) {
3190 ret
= SSL_TICKET_NO_DECRYPT
;
3194 /* Check HMAC of encrypted ticket */
3195 if (ssl_hmac_update(hctx
, etick
, eticklen
) <= 0
3196 || ssl_hmac_final(hctx
, tick_hmac
, NULL
, sizeof(tick_hmac
)) <= 0) {
3197 ret
= SSL_TICKET_FATAL_ERR_OTHER
;
3201 if (CRYPTO_memcmp(tick_hmac
, etick
+ eticklen
, mlen
)) {
3202 ret
= SSL_TICKET_NO_DECRYPT
;
3205 /* Attempt to decrypt session data */
3206 /* Move p after IV to start of encrypted ticket, update length */
3207 p
= etick
+ TLSEXT_KEYNAME_LENGTH
+ ivlen
;
3208 eticklen
-= TLSEXT_KEYNAME_LENGTH
+ ivlen
;
3209 sdec
= OPENSSL_malloc(eticklen
);
3210 if (sdec
== NULL
|| EVP_DecryptUpdate(ctx
, sdec
, &slen
, p
,
3211 (int)eticklen
) <= 0) {
3213 ret
= SSL_TICKET_FATAL_ERR_OTHER
;
3216 if (EVP_DecryptFinal(ctx
, sdec
+ slen
, &declen
) <= 0) {
3218 ret
= SSL_TICKET_NO_DECRYPT
;
3224 sess
= d2i_SSL_SESSION_ex(NULL
, &p
, slen
, sctx
->libctx
, sctx
->propq
);
3225 slen
-= (int)(p
- sdec
);
3228 /* Some additional consistency checks */
3230 SSL_SESSION_free(sess
);
3232 ret
= SSL_TICKET_NO_DECRYPT
;
3236 * The session ID, if non-empty, is used by some clients to detect
3237 * that the ticket has been accepted. So we copy it to the session
3238 * structure. If it is empty set length to zero as required by
3242 memcpy(sess
->session_id
, sess_id
, sesslen
);
3243 sess
->session_id_length
= sesslen
;
3246 ret
= SSL_TICKET_SUCCESS_RENEW
;
3248 ret
= SSL_TICKET_SUCCESS
;
3253 * For session parse failure, indicate that we need to send a new ticket.
3255 ret
= SSL_TICKET_NO_DECRYPT
;
3258 EVP_CIPHER_CTX_free(ctx
);
3259 ssl_hmac_free(hctx
);
3262 * If set, the decrypt_ticket_cb() is called unless a fatal error was
3263 * detected above. The callback is responsible for checking |ret| before it
3264 * performs any action
3266 if (s
->session_ctx
->decrypt_ticket_cb
!= NULL
3267 && (ret
== SSL_TICKET_EMPTY
3268 || ret
== SSL_TICKET_NO_DECRYPT
3269 || ret
== SSL_TICKET_SUCCESS
3270 || ret
== SSL_TICKET_SUCCESS_RENEW
)) {
3271 size_t keyname_len
= eticklen
;
3274 if (keyname_len
> TLSEXT_KEYNAME_LENGTH
)
3275 keyname_len
= TLSEXT_KEYNAME_LENGTH
;
3276 retcb
= s
->session_ctx
->decrypt_ticket_cb(SSL_CONNECTION_GET_SSL(s
),
3277 sess
, etick
, keyname_len
,
3279 s
->session_ctx
->ticket_cb_data
);
3281 case SSL_TICKET_RETURN_ABORT
:
3282 ret
= SSL_TICKET_FATAL_ERR_OTHER
;
3285 case SSL_TICKET_RETURN_IGNORE
:
3286 ret
= SSL_TICKET_NONE
;
3287 SSL_SESSION_free(sess
);
3291 case SSL_TICKET_RETURN_IGNORE_RENEW
:
3292 if (ret
!= SSL_TICKET_EMPTY
&& ret
!= SSL_TICKET_NO_DECRYPT
)
3293 ret
= SSL_TICKET_NO_DECRYPT
;
3294 /* else the value of |ret| will already do the right thing */
3295 SSL_SESSION_free(sess
);
3299 case SSL_TICKET_RETURN_USE
:
3300 case SSL_TICKET_RETURN_USE_RENEW
:
3301 if (ret
!= SSL_TICKET_SUCCESS
3302 && ret
!= SSL_TICKET_SUCCESS_RENEW
)
3303 ret
= SSL_TICKET_FATAL_ERR_OTHER
;
3304 else if (retcb
== SSL_TICKET_RETURN_USE
)
3305 ret
= SSL_TICKET_SUCCESS
;
3307 ret
= SSL_TICKET_SUCCESS_RENEW
;
3311 ret
= SSL_TICKET_FATAL_ERR_OTHER
;
3315 if (s
->ext
.session_secret_cb
== NULL
|| SSL_CONNECTION_IS_TLS13(s
)) {
3317 case SSL_TICKET_NO_DECRYPT
:
3318 case SSL_TICKET_SUCCESS_RENEW
:
3319 case SSL_TICKET_EMPTY
:
3320 s
->ext
.ticket_expected
= 1;
3329 /* Check to see if a signature algorithm is allowed */
3330 static int tls12_sigalg_allowed(const SSL_CONNECTION
*s
, int op
,
3331 const SIGALG_LOOKUP
*lu
)
3333 unsigned char sigalgstr
[2];
3336 if (lu
== NULL
|| !lu
->available
)
3338 /* DSA is not allowed in TLS 1.3 */
3339 if (SSL_CONNECTION_IS_TLS13(s
) && lu
->sig
== EVP_PKEY_DSA
)
3342 * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3
3345 if (!s
->server
&& !SSL_CONNECTION_IS_DTLS(s
)
3346 && s
->s3
.tmp
.min_ver
>= TLS1_3_VERSION
3347 && (lu
->sig
== EVP_PKEY_DSA
|| lu
->hash_idx
== SSL_MD_SHA1_IDX
3348 || lu
->hash_idx
== SSL_MD_MD5_IDX
3349 || lu
->hash_idx
== SSL_MD_SHA224_IDX
))
3352 /* See if public key algorithm allowed */
3353 if (ssl_cert_is_disabled(SSL_CONNECTION_GET_CTX(s
), lu
->sig_idx
))
3356 if (lu
->sig
== NID_id_GostR3410_2012_256
3357 || lu
->sig
== NID_id_GostR3410_2012_512
3358 || lu
->sig
== NID_id_GostR3410_2001
) {
3359 /* We never allow GOST sig algs on the server with TLSv1.3 */
3360 if (s
->server
&& SSL_CONNECTION_IS_TLS13(s
))
3363 && SSL_CONNECTION_GET_SSL(s
)->method
->version
== TLS_ANY_VERSION
3364 && s
->s3
.tmp
.max_ver
>= TLS1_3_VERSION
) {
3366 STACK_OF(SSL_CIPHER
) *sk
;
3369 * We're a client that could negotiate TLSv1.3. We only allow GOST
3370 * sig algs if we could negotiate TLSv1.2 or below and we have GOST
3371 * ciphersuites enabled.
3374 if (s
->s3
.tmp
.min_ver
>= TLS1_3_VERSION
)
3377 sk
= SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s
));
3378 num
= sk
!= NULL
? sk_SSL_CIPHER_num(sk
) : 0;
3379 for (i
= 0; i
< num
; i
++) {
3380 const SSL_CIPHER
*c
;
3382 c
= sk_SSL_CIPHER_value(sk
, i
);
3383 /* Skip disabled ciphers */
3384 if (ssl_cipher_disabled(s
, c
, SSL_SECOP_CIPHER_SUPPORTED
, 0))
3387 if ((c
->algorithm_mkey
& (SSL_kGOST
| SSL_kGOST18
)) != 0)
3395 /* Finally see if security callback allows it */
3396 secbits
= sigalg_security_bits(SSL_CONNECTION_GET_CTX(s
), lu
);
3397 sigalgstr
[0] = (lu
->sigalg
>> 8) & 0xff;
3398 sigalgstr
[1] = lu
->sigalg
& 0xff;
3399 return ssl_security(s
, op
, secbits
, lu
->hash
, (void *)sigalgstr
);
3403 * Get a mask of disabled public key algorithms based on supported signature
3404 * algorithms. For example if no signature algorithm supports RSA then RSA is
3408 void ssl_set_sig_mask(uint32_t *pmask_a
, SSL_CONNECTION
*s
, int op
)
3410 const uint16_t *sigalgs
;
3411 size_t i
, sigalgslen
;
3412 uint32_t disabled_mask
= SSL_aRSA
| SSL_aDSS
| SSL_aECDSA
;
3414 * Go through all signature algorithms seeing if we support any
3417 sigalgslen
= tls12_get_psigalgs(s
, 1, &sigalgs
);
3418 for (i
= 0; i
< sigalgslen
; i
++, sigalgs
++) {
3419 const SIGALG_LOOKUP
*lu
=
3420 tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s
), *sigalgs
);
3421 const SSL_CERT_LOOKUP
*clu
;
3426 clu
= ssl_cert_lookup_by_idx(lu
->sig_idx
,
3427 SSL_CONNECTION_GET_CTX(s
));
3431 /* If algorithm is disabled see if we can enable it */
3432 if ((clu
->amask
& disabled_mask
) != 0
3433 && tls12_sigalg_allowed(s
, op
, lu
))
3434 disabled_mask
&= ~clu
->amask
;
3436 *pmask_a
|= disabled_mask
;
3439 int tls12_copy_sigalgs(SSL_CONNECTION
*s
, WPACKET
*pkt
,
3440 const uint16_t *psig
, size_t psiglen
)
3445 for (i
= 0; i
< psiglen
; i
++, psig
++) {
3446 const SIGALG_LOOKUP
*lu
=
3447 tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s
), *psig
);
3449 if (lu
== NULL
|| !tls_sigalg_compat(s
, lu
))
3451 if (!WPACKET_put_bytes_u16(pkt
, *psig
))
3454 * If TLS 1.3 must have at least one valid TLS 1.3 message
3455 * signing algorithm: i.e. neither RSA nor SHA1/SHA224
3457 if (rv
== 0 && (!SSL_CONNECTION_IS_TLS13(s
)
3458 || (lu
->sig
!= EVP_PKEY_RSA
3459 && lu
->hash
!= NID_sha1
3460 && lu
->hash
!= NID_sha224
)))
3464 ERR_raise(ERR_LIB_SSL
, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
);
3468 /* Given preference and allowed sigalgs set shared sigalgs */
3469 static size_t tls12_shared_sigalgs(SSL_CONNECTION
*s
,
3470 const SIGALG_LOOKUP
**shsig
,
3471 const uint16_t *pref
, size_t preflen
,
3472 const uint16_t *allow
, size_t allowlen
)
3474 const uint16_t *ptmp
, *atmp
;
3475 size_t i
, j
, nmatch
= 0;
3476 for (i
= 0, ptmp
= pref
; i
< preflen
; i
++, ptmp
++) {
3477 const SIGALG_LOOKUP
*lu
=
3478 tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s
), *ptmp
);
3480 /* Skip disabled hashes or signature algorithms */
3482 || !tls12_sigalg_allowed(s
, SSL_SECOP_SIGALG_SHARED
, lu
))
3484 for (j
= 0, atmp
= allow
; j
< allowlen
; j
++, atmp
++) {
3485 if (*ptmp
== *atmp
) {
3496 /* Set shared signature algorithms for SSL structures */
3497 static int tls1_set_shared_sigalgs(SSL_CONNECTION
*s
)
3499 const uint16_t *pref
, *allow
, *conf
;
3500 size_t preflen
, allowlen
, conflen
;
3502 const SIGALG_LOOKUP
**salgs
= NULL
;
3504 unsigned int is_suiteb
= tls1_suiteb(s
);
3506 OPENSSL_free(s
->shared_sigalgs
);
3507 s
->shared_sigalgs
= NULL
;
3508 s
->shared_sigalgslen
= 0;
3509 /* If client use client signature algorithms if not NULL */
3510 if (!s
->server
&& c
->client_sigalgs
&& !is_suiteb
) {
3511 conf
= c
->client_sigalgs
;
3512 conflen
= c
->client_sigalgslen
;
3513 } else if (c
->conf_sigalgs
&& !is_suiteb
) {
3514 conf
= c
->conf_sigalgs
;
3515 conflen
= c
->conf_sigalgslen
;
3517 conflen
= tls12_get_psigalgs(s
, 0, &conf
);
3518 if (s
->options
& SSL_OP_CIPHER_SERVER_PREFERENCE
|| is_suiteb
) {
3521 allow
= s
->s3
.tmp
.peer_sigalgs
;
3522 allowlen
= s
->s3
.tmp
.peer_sigalgslen
;
3526 pref
= s
->s3
.tmp
.peer_sigalgs
;
3527 preflen
= s
->s3
.tmp
.peer_sigalgslen
;
3529 nmatch
= tls12_shared_sigalgs(s
, NULL
, pref
, preflen
, allow
, allowlen
);
3531 if ((salgs
= OPENSSL_malloc(nmatch
* sizeof(*salgs
))) == NULL
)
3533 nmatch
= tls12_shared_sigalgs(s
, salgs
, pref
, preflen
, allow
, allowlen
);
3537 s
->shared_sigalgs
= salgs
;
3538 s
->shared_sigalgslen
= nmatch
;
3542 int tls1_save_u16(PACKET
*pkt
, uint16_t **pdest
, size_t *pdestlen
)
3548 size
= PACKET_remaining(pkt
);
3550 /* Invalid data length */
3551 if (size
== 0 || (size
& 1) != 0)
3556 if ((buf
= OPENSSL_malloc(size
* sizeof(*buf
))) == NULL
)
3558 for (i
= 0; i
< size
&& PACKET_get_net_2(pkt
, &stmp
); i
++)
3566 OPENSSL_free(*pdest
);
3573 int tls1_save_sigalgs(SSL_CONNECTION
*s
, PACKET
*pkt
, int cert
)
3575 /* Extension ignored for inappropriate versions */
3576 if (!SSL_USE_SIGALGS(s
))
3578 /* Should never happen */
3579 if (s
->cert
== NULL
)
3583 return tls1_save_u16(pkt
, &s
->s3
.tmp
.peer_cert_sigalgs
,
3584 &s
->s3
.tmp
.peer_cert_sigalgslen
);
3586 return tls1_save_u16(pkt
, &s
->s3
.tmp
.peer_sigalgs
,
3587 &s
->s3
.tmp
.peer_sigalgslen
);
3591 /* Set preferred digest for each key type */
3593 int tls1_process_sigalgs(SSL_CONNECTION
*s
)
3596 uint32_t *pvalid
= s
->s3
.tmp
.valid_flags
;
3598 if (!tls1_set_shared_sigalgs(s
))
3601 for (i
= 0; i
< s
->ssl_pkey_num
; i
++)
3604 for (i
= 0; i
< s
->shared_sigalgslen
; i
++) {
3605 const SIGALG_LOOKUP
*sigptr
= s
->shared_sigalgs
[i
];
3606 int idx
= sigptr
->sig_idx
;
3608 /* Ignore PKCS1 based sig algs in TLSv1.3 */
3609 if (SSL_CONNECTION_IS_TLS13(s
) && sigptr
->sig
== EVP_PKEY_RSA
)
3611 /* If not disabled indicate we can explicitly sign */
3612 if (pvalid
[idx
] == 0
3613 && !ssl_cert_is_disabled(SSL_CONNECTION_GET_CTX(s
), idx
))
3614 pvalid
[idx
] = CERT_PKEY_EXPLICIT_SIGN
| CERT_PKEY_SIGN
;
3619 int SSL_get_sigalgs(SSL
*s
, int idx
,
3620 int *psign
, int *phash
, int *psignhash
,
3621 unsigned char *rsig
, unsigned char *rhash
)
3625 SSL_CONNECTION
*sc
= SSL_CONNECTION_FROM_SSL(s
);
3630 psig
= sc
->s3
.tmp
.peer_sigalgs
;
3631 numsigalgs
= sc
->s3
.tmp
.peer_sigalgslen
;
3633 if (psig
== NULL
|| numsigalgs
> INT_MAX
)
3636 const SIGALG_LOOKUP
*lu
;
3638 if (idx
>= (int)numsigalgs
)
3642 *rhash
= (unsigned char)((*psig
>> 8) & 0xff);
3644 *rsig
= (unsigned char)(*psig
& 0xff);
3645 lu
= tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(sc
), *psig
);
3647 *psign
= lu
!= NULL
? lu
->sig
: NID_undef
;
3649 *phash
= lu
!= NULL
? lu
->hash
: NID_undef
;
3650 if (psignhash
!= NULL
)
3651 *psignhash
= lu
!= NULL
? lu
->sigandhash
: NID_undef
;
3653 return (int)numsigalgs
;
3656 int SSL_get_shared_sigalgs(SSL
*s
, int idx
,
3657 int *psign
, int *phash
, int *psignhash
,
3658 unsigned char *rsig
, unsigned char *rhash
)
3660 const SIGALG_LOOKUP
*shsigalgs
;
3661 SSL_CONNECTION
*sc
= SSL_CONNECTION_FROM_SSL(s
);
3666 if (sc
->shared_sigalgs
== NULL
3668 || idx
>= (int)sc
->shared_sigalgslen
3669 || sc
->shared_sigalgslen
> INT_MAX
)
3671 shsigalgs
= sc
->shared_sigalgs
[idx
];
3673 *phash
= shsigalgs
->hash
;
3675 *psign
= shsigalgs
->sig
;
3676 if (psignhash
!= NULL
)
3677 *psignhash
= shsigalgs
->sigandhash
;
3679 *rsig
= (unsigned char)(shsigalgs
->sigalg
& 0xff);
3681 *rhash
= (unsigned char)((shsigalgs
->sigalg
>> 8) & 0xff);
3682 return (int)sc
->shared_sigalgslen
;
3685 /* Maximum possible number of unique entries in sigalgs array */
3686 #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
3690 /* TLSEXT_SIGALG_XXX values */
3691 uint16_t sigalgs
[TLS_MAX_SIGALGCNT
];
3695 static void get_sigorhash(int *psig
, int *phash
, const char *str
)
3697 if (OPENSSL_strcasecmp(str
, "RSA") == 0) {
3698 *psig
= EVP_PKEY_RSA
;
3699 } else if (OPENSSL_strcasecmp(str
, "RSA-PSS") == 0
3700 || OPENSSL_strcasecmp(str
, "PSS") == 0) {
3701 *psig
= EVP_PKEY_RSA_PSS
;
3702 } else if (OPENSSL_strcasecmp(str
, "DSA") == 0) {
3703 *psig
= EVP_PKEY_DSA
;
3704 } else if (OPENSSL_strcasecmp(str
, "ECDSA") == 0) {
3705 *psig
= EVP_PKEY_EC
;
3707 *phash
= OBJ_sn2nid(str
);
3708 if (*phash
== NID_undef
)
3709 *phash
= OBJ_ln2nid(str
);
3712 /* Maximum length of a signature algorithm string component */
3713 #define TLS_MAX_SIGSTRING_LEN 40
3715 static int sig_cb(const char *elem
, int len
, void *arg
)
3717 sig_cb_st
*sarg
= arg
;
3719 const SIGALG_LOOKUP
*s
;
3720 char etmp
[TLS_MAX_SIGSTRING_LEN
], *p
;
3721 const char *iana
, *alias
;
3722 int sig_alg
= NID_undef
, hash_alg
= NID_undef
;
3723 int ignore_unknown
= 0;
3727 if (elem
[0] == '?') {
3732 if (sarg
->sigalgcnt
== TLS_MAX_SIGALGCNT
)
3734 if (len
> (int)(sizeof(etmp
) - 1))
3736 memcpy(etmp
, elem
, len
);
3738 p
= strchr(etmp
, '+');
3740 * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
3741 * if there's no '+' in the provided name, look for the new-style combined
3742 * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP.
3743 * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
3744 * rsa_pss_rsae_* that differ only by public key OID; in such cases
3745 * we will pick the _rsae_ variant, by virtue of them appearing earlier
3749 if (sarg
->ctx
!= NULL
) {
3750 for (i
= 0; i
< sarg
->ctx
->sigalg_lookup_cache_len
; i
++) {
3751 iana
= sarg
->ctx
->sigalg_lookup_cache
[i
].name
;
3752 alias
= sarg
->ctx
->sigalg_lookup_cache
[i
].name12
;
3753 if ((alias
!= NULL
&& OPENSSL_strcasecmp(etmp
, alias
) == 0)
3754 || OPENSSL_strcasecmp(etmp
, iana
) == 0) {
3755 /* Ignore known, but unavailable sigalgs. */
3756 if (!sarg
->ctx
->sigalg_lookup_cache
[i
].available
)
3758 sarg
->sigalgs
[sarg
->sigalgcnt
++] =
3759 sarg
->ctx
->sigalg_lookup_cache
[i
].sigalg
;
3764 /* Syntax checks use the built-in sigalgs */
3765 for (i
= 0, s
= sigalg_lookup_tbl
;
3766 i
< OSSL_NELEM(sigalg_lookup_tbl
); i
++, s
++) {
3769 if ((alias
!= NULL
&& OPENSSL_strcasecmp(etmp
, alias
) == 0)
3770 || OPENSSL_strcasecmp(etmp
, iana
) == 0) {
3771 sarg
->sigalgs
[sarg
->sigalgcnt
++] = s
->sigalg
;
3781 get_sigorhash(&sig_alg
, &hash_alg
, etmp
);
3782 get_sigorhash(&sig_alg
, &hash_alg
, p
);
3783 if (sig_alg
!= NID_undef
&& hash_alg
!= NID_undef
) {
3784 if (sarg
->ctx
!= NULL
) {
3785 for (i
= 0; i
< sarg
->ctx
->sigalg_lookup_cache_len
; i
++) {
3786 s
= &sarg
->ctx
->sigalg_lookup_cache
[i
];
3787 if (s
->hash
== hash_alg
&& s
->sig
== sig_alg
) {
3788 /* Ignore known, but unavailable sigalgs. */
3789 if (!sarg
->ctx
->sigalg_lookup_cache
[i
].available
)
3791 sarg
->sigalgs
[sarg
->sigalgcnt
++] = s
->sigalg
;
3796 for (i
= 0; i
< OSSL_NELEM(sigalg_lookup_tbl
); i
++) {
3797 s
= &sigalg_lookup_tbl
[i
];
3798 if (s
->hash
== hash_alg
&& s
->sig
== sig_alg
) {
3799 sarg
->sigalgs
[sarg
->sigalgcnt
++] = s
->sigalg
;
3806 /* Ignore unknown algorithms if ignore_unknown */
3807 return ignore_unknown
;
3810 /* Ignore duplicates */
3811 for (i
= 0; i
< sarg
->sigalgcnt
- 1; i
++) {
3812 if (sarg
->sigalgs
[i
] == sarg
->sigalgs
[sarg
->sigalgcnt
- 1]) {
3821 * Set supported signature algorithms based on a colon separated list of the
3822 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3824 int tls1_set_sigalgs_list(SSL_CTX
*ctx
, CERT
*c
, const char *str
, int client
)
3831 if (!CONF_parse_list(str
, ':', 1, sig_cb
, &sig
))
3833 if (sig
.sigalgcnt
== 0) {
3834 ERR_raise_data(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
,
3835 "No valid signature algorithms in '%s'", str
);
3840 return tls1_set_raw_sigalgs(c
, sig
.sigalgs
, sig
.sigalgcnt
, client
);
3843 int tls1_set_raw_sigalgs(CERT
*c
, const uint16_t *psigs
, size_t salglen
,
3848 if ((sigalgs
= OPENSSL_malloc(salglen
* sizeof(*sigalgs
))) == NULL
)
3850 memcpy(sigalgs
, psigs
, salglen
* sizeof(*sigalgs
));
3853 OPENSSL_free(c
->client_sigalgs
);
3854 c
->client_sigalgs
= sigalgs
;
3855 c
->client_sigalgslen
= salglen
;
3857 OPENSSL_free(c
->conf_sigalgs
);
3858 c
->conf_sigalgs
= sigalgs
;
3859 c
->conf_sigalgslen
= salglen
;
3865 int tls1_set_sigalgs(CERT
*c
, const int *psig_nids
, size_t salglen
, int client
)
3867 uint16_t *sigalgs
, *sptr
;
3872 if ((sigalgs
= OPENSSL_malloc((salglen
/ 2) * sizeof(*sigalgs
))) == NULL
)
3874 for (i
= 0, sptr
= sigalgs
; i
< salglen
; i
+= 2) {
3876 const SIGALG_LOOKUP
*curr
;
3877 int md_id
= *psig_nids
++;
3878 int sig_id
= *psig_nids
++;
3880 for (j
= 0, curr
= sigalg_lookup_tbl
; j
< OSSL_NELEM(sigalg_lookup_tbl
);
3882 if (curr
->hash
== md_id
&& curr
->sig
== sig_id
) {
3883 *sptr
++ = curr
->sigalg
;
3888 if (j
== OSSL_NELEM(sigalg_lookup_tbl
))
3893 OPENSSL_free(c
->client_sigalgs
);
3894 c
->client_sigalgs
= sigalgs
;
3895 c
->client_sigalgslen
= salglen
/ 2;
3897 OPENSSL_free(c
->conf_sigalgs
);
3898 c
->conf_sigalgs
= sigalgs
;
3899 c
->conf_sigalgslen
= salglen
/ 2;
3905 OPENSSL_free(sigalgs
);
3909 static int tls1_check_sig_alg(SSL_CONNECTION
*s
, X509
*x
, int default_nid
)
3911 int sig_nid
, use_pc_sigalgs
= 0;
3913 const SIGALG_LOOKUP
*sigalg
;
3917 * RFC 8446, section 4.2.3:
3919 * The signatures on certificates that are self-signed or certificates
3920 * that are trust anchors are not validated, since they begin a
3921 * certification path (see [RFC5280], Section 3.2). A certificate that
3922 * begins a certification path MAY use a signature algorithm that is not
3923 * advertised as being supported in the "signature_algorithms"
3926 if (default_nid
== -1 || X509_self_signed(x
, 0))
3928 sig_nid
= X509_get_signature_nid(x
);
3930 return sig_nid
== default_nid
? 1 : 0;
3932 if (SSL_CONNECTION_IS_TLS13(s
) && s
->s3
.tmp
.peer_cert_sigalgs
!= NULL
) {
3934 * If we're in TLSv1.3 then we only get here if we're checking the
3935 * chain. If the peer has specified peer_cert_sigalgs then we use them
3936 * otherwise we default to normal sigalgs.
3938 sigalgslen
= s
->s3
.tmp
.peer_cert_sigalgslen
;
3941 sigalgslen
= s
->shared_sigalgslen
;
3943 for (i
= 0; i
< sigalgslen
; i
++) {
3946 sigalg
= use_pc_sigalgs
3947 ? tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s
),
3948 s
->s3
.tmp
.peer_cert_sigalgs
[i
])
3949 : s
->shared_sigalgs
[i
];
3952 if (sig_nid
== sigalg
->sigandhash
)
3954 if (sigalg
->sig
!= EVP_PKEY_RSA_PSS
)
3957 * Accept RSA PKCS#1 signatures in certificates when the signature
3958 * algorithms include RSA-PSS with a matching digest algorithm.
3960 * When a TLS 1.3 peer inadvertently omits the legacy RSA PKCS#1 code
3961 * points, and we're doing strict checking of the certificate chain (in
3962 * a cert_cb via SSL_check_chain()) we may then reject RSA signed
3963 * certificates in the chain, but the TLS requirement on PSS should not
3964 * extend to certificates. Though the peer can in fact list the legacy
3965 * sigalgs for just this purpose, it is not likely that a better chain
3966 * signed with RSA-PSS is available.
3968 if (!OBJ_find_sigid_algs(sig_nid
, &mdnid
, &pknid
))
3970 if (pknid
== EVP_PKEY_RSA
&& mdnid
== sigalg
->hash
)
3976 /* Check to see if a certificate issuer name matches list of CA names */
3977 static int ssl_check_ca_name(STACK_OF(X509_NAME
) *names
, X509
*x
)
3979 const X509_NAME
*nm
;
3981 nm
= X509_get_issuer_name(x
);
3982 for (i
= 0; i
< sk_X509_NAME_num(names
); i
++) {
3983 if (!X509_NAME_cmp(nm
, sk_X509_NAME_value(names
, i
)))
3990 * Check certificate chain is consistent with TLS extensions and is usable by
3991 * server. This servers two purposes: it allows users to check chains before
3992 * passing them to the server and it allows the server to check chains before
3993 * attempting to use them.
3996 /* Flags which need to be set for a certificate when strict mode not set */
3998 #define CERT_PKEY_VALID_FLAGS \
3999 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4000 /* Strict mode flags */
4001 #define CERT_PKEY_STRICT_FLAGS \
4002 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4003 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4005 int tls1_check_chain(SSL_CONNECTION
*s
, X509
*x
, EVP_PKEY
*pk
,
4006 STACK_OF(X509
) *chain
, int idx
)
4010 int check_flags
= 0, strict_mode
;
4011 CERT_PKEY
*cpk
= NULL
;
4014 unsigned int suiteb_flags
= tls1_suiteb(s
);
4018 * idx == -1 means SSL_check_chain() invocation
4019 * idx == -2 means checking client certificate chains
4020 * idx >= 0 means checking SSL_PKEY index
4022 * For RPK, where there may be no cert, we ignore -1
4027 idx
= (int)(cpk
- c
->pkeys
);
4029 cpk
= c
->pkeys
+ idx
;
4030 pvalid
= s
->s3
.tmp
.valid_flags
+ idx
;
4032 pk
= cpk
->privatekey
;
4034 strict_mode
= c
->cert_flags
& SSL_CERT_FLAGS_CHECK_TLS_STRICT
;
4035 if (tls12_rpk_and_privkey(s
, idx
)) {
4036 if (EVP_PKEY_is_a(pk
, "EC") && !tls1_check_pkey_comp(s
, pk
))
4038 *pvalid
= rv
= CERT_PKEY_RPK
;
4041 /* If no cert or key, forget it */
4042 if (x
== NULL
|| pk
== NULL
)
4047 if (x
== NULL
|| pk
== NULL
)
4050 if (ssl_cert_lookup_by_pkey(pk
, &certidx
,
4051 SSL_CONNECTION_GET_CTX(s
)) == NULL
)
4054 pvalid
= s
->s3
.tmp
.valid_flags
+ idx
;
4056 if (c
->cert_flags
& SSL_CERT_FLAGS_CHECK_TLS_STRICT
)
4057 check_flags
= CERT_PKEY_STRICT_FLAGS
;
4059 check_flags
= CERT_PKEY_VALID_FLAGS
;
4066 check_flags
|= CERT_PKEY_SUITEB
;
4067 ok
= X509_chain_check_suiteb(NULL
, x
, chain
, suiteb_flags
);
4068 if (ok
== X509_V_OK
)
4069 rv
|= CERT_PKEY_SUITEB
;
4070 else if (!check_flags
)
4075 * Check all signature algorithms are consistent with signature
4076 * algorithms extension if TLS 1.2 or later and strict mode.
4078 if (TLS1_get_version(SSL_CONNECTION_GET_SSL(s
)) >= TLS1_2_VERSION
4083 if (s
->s3
.tmp
.peer_cert_sigalgs
!= NULL
4084 || s
->s3
.tmp
.peer_sigalgs
!= NULL
) {
4086 /* If no sigalgs extension use defaults from RFC5246 */
4090 rsign
= EVP_PKEY_RSA
;
4091 default_nid
= NID_sha1WithRSAEncryption
;
4094 case SSL_PKEY_DSA_SIGN
:
4095 rsign
= EVP_PKEY_DSA
;
4096 default_nid
= NID_dsaWithSHA1
;
4100 rsign
= EVP_PKEY_EC
;
4101 default_nid
= NID_ecdsa_with_SHA1
;
4104 case SSL_PKEY_GOST01
:
4105 rsign
= NID_id_GostR3410_2001
;
4106 default_nid
= NID_id_GostR3411_94_with_GostR3410_2001
;
4109 case SSL_PKEY_GOST12_256
:
4110 rsign
= NID_id_GostR3410_2012_256
;
4111 default_nid
= NID_id_tc26_signwithdigest_gost3410_2012_256
;
4114 case SSL_PKEY_GOST12_512
:
4115 rsign
= NID_id_GostR3410_2012_512
;
4116 default_nid
= NID_id_tc26_signwithdigest_gost3410_2012_512
;
4125 * If peer sent no signature algorithms extension and we have set
4126 * preferred signature algorithms check we support sha1.
4128 if (default_nid
> 0 && c
->conf_sigalgs
) {
4130 const uint16_t *p
= c
->conf_sigalgs
;
4131 for (j
= 0; j
< c
->conf_sigalgslen
; j
++, p
++) {
4132 const SIGALG_LOOKUP
*lu
=
4133 tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s
), *p
);
4135 if (lu
!= NULL
&& lu
->hash
== NID_sha1
&& lu
->sig
== rsign
)
4138 if (j
== c
->conf_sigalgslen
) {
4145 /* Check signature algorithm of each cert in chain */
4146 if (SSL_CONNECTION_IS_TLS13(s
)) {
4148 * We only get here if the application has called SSL_check_chain(),
4149 * so check_flags is always set.
4151 if (find_sig_alg(s
, x
, pk
) != NULL
)
4152 rv
|= CERT_PKEY_EE_SIGNATURE
;
4153 } else if (!tls1_check_sig_alg(s
, x
, default_nid
)) {
4157 rv
|= CERT_PKEY_EE_SIGNATURE
;
4158 rv
|= CERT_PKEY_CA_SIGNATURE
;
4159 for (i
= 0; i
< sk_X509_num(chain
); i
++) {
4160 if (!tls1_check_sig_alg(s
, sk_X509_value(chain
, i
), default_nid
)) {
4162 rv
&= ~CERT_PKEY_CA_SIGNATURE
;
4169 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4170 else if (check_flags
)
4171 rv
|= CERT_PKEY_EE_SIGNATURE
| CERT_PKEY_CA_SIGNATURE
;
4173 /* Check cert parameters are consistent */
4174 if (tls1_check_cert_param(s
, x
, 1))
4175 rv
|= CERT_PKEY_EE_PARAM
;
4176 else if (!check_flags
)
4179 rv
|= CERT_PKEY_CA_PARAM
;
4180 /* In strict mode check rest of chain too */
4181 else if (strict_mode
) {
4182 rv
|= CERT_PKEY_CA_PARAM
;
4183 for (i
= 0; i
< sk_X509_num(chain
); i
++) {
4184 X509
*ca
= sk_X509_value(chain
, i
);
4185 if (!tls1_check_cert_param(s
, ca
, 0)) {
4187 rv
&= ~CERT_PKEY_CA_PARAM
;
4194 if (!s
->server
&& strict_mode
) {
4195 STACK_OF(X509_NAME
) *ca_dn
;
4198 if (EVP_PKEY_is_a(pk
, "RSA"))
4199 check_type
= TLS_CT_RSA_SIGN
;
4200 else if (EVP_PKEY_is_a(pk
, "DSA"))
4201 check_type
= TLS_CT_DSS_SIGN
;
4202 else if (EVP_PKEY_is_a(pk
, "EC"))
4203 check_type
= TLS_CT_ECDSA_SIGN
;
4206 const uint8_t *ctypes
= s
->s3
.tmp
.ctype
;
4209 for (j
= 0; j
< s
->s3
.tmp
.ctype_len
; j
++, ctypes
++) {
4210 if (*ctypes
== check_type
) {
4211 rv
|= CERT_PKEY_CERT_TYPE
;
4215 if (!(rv
& CERT_PKEY_CERT_TYPE
) && !check_flags
)
4218 rv
|= CERT_PKEY_CERT_TYPE
;
4221 ca_dn
= s
->s3
.tmp
.peer_ca_names
;
4224 || sk_X509_NAME_num(ca_dn
) == 0
4225 || ssl_check_ca_name(ca_dn
, x
))
4226 rv
|= CERT_PKEY_ISSUER_NAME
;
4228 for (i
= 0; i
< sk_X509_num(chain
); i
++) {
4229 X509
*xtmp
= sk_X509_value(chain
, i
);
4231 if (ssl_check_ca_name(ca_dn
, xtmp
)) {
4232 rv
|= CERT_PKEY_ISSUER_NAME
;
4237 if (!check_flags
&& !(rv
& CERT_PKEY_ISSUER_NAME
))
4240 rv
|= CERT_PKEY_ISSUER_NAME
| CERT_PKEY_CERT_TYPE
;
4242 if (!check_flags
|| (rv
& check_flags
) == check_flags
)
4243 rv
|= CERT_PKEY_VALID
;
4247 if (TLS1_get_version(SSL_CONNECTION_GET_SSL(s
)) >= TLS1_2_VERSION
)
4248 rv
|= *pvalid
& (CERT_PKEY_EXPLICIT_SIGN
| CERT_PKEY_SIGN
);
4250 rv
|= CERT_PKEY_SIGN
| CERT_PKEY_EXPLICIT_SIGN
;
4253 * When checking a CERT_PKEY structure all flags are irrelevant if the
4257 if (rv
& CERT_PKEY_VALID
) {
4260 /* Preserve sign and explicit sign flag, clear rest */
4261 *pvalid
&= CERT_PKEY_EXPLICIT_SIGN
| CERT_PKEY_SIGN
;
4268 /* Set validity of certificates in an SSL structure */
4269 void tls1_set_cert_validity(SSL_CONNECTION
*s
)
4271 tls1_check_chain(s
, NULL
, NULL
, NULL
, SSL_PKEY_RSA
);
4272 tls1_check_chain(s
, NULL
, NULL
, NULL
, SSL_PKEY_RSA_PSS_SIGN
);
4273 tls1_check_chain(s
, NULL
, NULL
, NULL
, SSL_PKEY_DSA_SIGN
);
4274 tls1_check_chain(s
, NULL
, NULL
, NULL
, SSL_PKEY_ECC
);
4275 tls1_check_chain(s
, NULL
, NULL
, NULL
, SSL_PKEY_GOST01
);
4276 tls1_check_chain(s
, NULL
, NULL
, NULL
, SSL_PKEY_GOST12_256
);
4277 tls1_check_chain(s
, NULL
, NULL
, NULL
, SSL_PKEY_GOST12_512
);
4278 tls1_check_chain(s
, NULL
, NULL
, NULL
, SSL_PKEY_ED25519
);
4279 tls1_check_chain(s
, NULL
, NULL
, NULL
, SSL_PKEY_ED448
);
4282 /* User level utility function to check a chain is suitable */
4283 int SSL_check_chain(SSL
*s
, X509
*x
, EVP_PKEY
*pk
, STACK_OF(X509
) *chain
)
4285 SSL_CONNECTION
*sc
= SSL_CONNECTION_FROM_SSL(s
);
4290 return tls1_check_chain(sc
, x
, pk
, chain
, -1);
4293 EVP_PKEY
*ssl_get_auto_dh(SSL_CONNECTION
*s
)
4295 EVP_PKEY
*dhp
= NULL
;
4297 int dh_secbits
= 80, sec_level_bits
;
4298 EVP_PKEY_CTX
*pctx
= NULL
;
4299 OSSL_PARAM_BLD
*tmpl
= NULL
;
4300 OSSL_PARAM
*params
= NULL
;
4301 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
4303 if (s
->cert
->dh_tmp_auto
!= 2) {
4304 if (s
->s3
.tmp
.new_cipher
->algorithm_auth
& (SSL_aNULL
| SSL_aPSK
)) {
4305 if (s
->s3
.tmp
.new_cipher
->strength_bits
== 256)
4310 if (s
->s3
.tmp
.cert
== NULL
)
4312 dh_secbits
= EVP_PKEY_get_security_bits(s
->s3
.tmp
.cert
->privatekey
);
4316 /* Do not pick a prime that is too weak for the current security level */
4317 sec_level_bits
= ssl_get_security_level_bits(SSL_CONNECTION_GET_SSL(s
),
4319 if (dh_secbits
< sec_level_bits
)
4320 dh_secbits
= sec_level_bits
;
4322 if (dh_secbits
>= 192)
4323 p
= BN_get_rfc3526_prime_8192(NULL
);
4324 else if (dh_secbits
>= 152)
4325 p
= BN_get_rfc3526_prime_4096(NULL
);
4326 else if (dh_secbits
>= 128)
4327 p
= BN_get_rfc3526_prime_3072(NULL
);
4328 else if (dh_secbits
>= 112)
4329 p
= BN_get_rfc3526_prime_2048(NULL
);
4331 p
= BN_get_rfc2409_prime_1024(NULL
);
4335 pctx
= EVP_PKEY_CTX_new_from_name(sctx
->libctx
, "DH", sctx
->propq
);
4337 || EVP_PKEY_fromdata_init(pctx
) != 1)
4340 tmpl
= OSSL_PARAM_BLD_new();
4342 || !OSSL_PARAM_BLD_push_BN(tmpl
, OSSL_PKEY_PARAM_FFC_P
, p
)
4343 || !OSSL_PARAM_BLD_push_uint(tmpl
, OSSL_PKEY_PARAM_FFC_G
, 2))
4346 params
= OSSL_PARAM_BLD_to_param(tmpl
);
4348 || EVP_PKEY_fromdata(pctx
, &dhp
, EVP_PKEY_KEY_PARAMETERS
, params
) != 1)
4352 OSSL_PARAM_free(params
);
4353 OSSL_PARAM_BLD_free(tmpl
);
4354 EVP_PKEY_CTX_free(pctx
);
4359 static int ssl_security_cert_key(SSL_CONNECTION
*s
, SSL_CTX
*ctx
, X509
*x
,
4363 EVP_PKEY
*pkey
= X509_get0_pubkey(x
);
4367 * If no parameters this will return -1 and fail using the default
4368 * security callback for any non-zero security level. This will
4369 * reject keys which omit parameters but this only affects DSA and
4370 * omission of parameters is never (?) done in practice.
4372 secbits
= EVP_PKEY_get_security_bits(pkey
);
4375 return ssl_security(s
, op
, secbits
, 0, x
);
4377 return ssl_ctx_security(ctx
, op
, secbits
, 0, x
);
4380 static int ssl_security_cert_sig(SSL_CONNECTION
*s
, SSL_CTX
*ctx
, X509
*x
,
4383 /* Lookup signature algorithm digest */
4384 int secbits
, nid
, pknid
;
4386 /* Don't check signature if self signed */
4387 if ((X509_get_extension_flags(x
) & EXFLAG_SS
) != 0)
4389 if (!X509_get_signature_info(x
, &nid
, &pknid
, &secbits
, NULL
))
4391 /* If digest NID not defined use signature NID */
4392 if (nid
== NID_undef
)
4395 return ssl_security(s
, op
, secbits
, nid
, x
);
4397 return ssl_ctx_security(ctx
, op
, secbits
, nid
, x
);
4400 int ssl_security_cert(SSL_CONNECTION
*s
, SSL_CTX
*ctx
, X509
*x
, int vfy
,
4404 vfy
= SSL_SECOP_PEER
;
4406 if (!ssl_security_cert_key(s
, ctx
, x
, SSL_SECOP_EE_KEY
| vfy
))
4407 return SSL_R_EE_KEY_TOO_SMALL
;
4409 if (!ssl_security_cert_key(s
, ctx
, x
, SSL_SECOP_CA_KEY
| vfy
))
4410 return SSL_R_CA_KEY_TOO_SMALL
;
4412 if (!ssl_security_cert_sig(s
, ctx
, x
, SSL_SECOP_CA_MD
| vfy
))
4413 return SSL_R_CA_MD_TOO_WEAK
;
4418 * Check security of a chain, if |sk| includes the end entity certificate then
4419 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
4420 * one to the peer. Return values: 1 if ok otherwise error code to use
4423 int ssl_security_cert_chain(SSL_CONNECTION
*s
, STACK_OF(X509
) *sk
,
4426 int rv
, start_idx
, i
;
4429 x
= sk_X509_value(sk
, 0);
4431 return ERR_R_INTERNAL_ERROR
;
4436 rv
= ssl_security_cert(s
, NULL
, x
, vfy
, 1);
4440 for (i
= start_idx
; i
< sk_X509_num(sk
); i
++) {
4441 x
= sk_X509_value(sk
, i
);
4442 rv
= ssl_security_cert(s
, NULL
, x
, vfy
, 0);
4450 * For TLS 1.2 servers check if we have a certificate which can be used
4451 * with the signature algorithm "lu" and return index of certificate.
4454 static int tls12_get_cert_sigalg_idx(const SSL_CONNECTION
*s
,
4455 const SIGALG_LOOKUP
*lu
)
4457 int sig_idx
= lu
->sig_idx
;
4458 const SSL_CERT_LOOKUP
*clu
= ssl_cert_lookup_by_idx(sig_idx
,
4459 SSL_CONNECTION_GET_CTX(s
));
4461 /* If not recognised or not supported by cipher mask it is not suitable */
4463 || (clu
->amask
& s
->s3
.tmp
.new_cipher
->algorithm_auth
) == 0
4464 || (clu
->nid
== EVP_PKEY_RSA_PSS
4465 && (s
->s3
.tmp
.new_cipher
->algorithm_mkey
& SSL_kRSA
) != 0))
4468 /* If doing RPK, the CERT_PKEY won't be "valid" */
4469 if (tls12_rpk_and_privkey(s
, sig_idx
))
4470 return s
->s3
.tmp
.valid_flags
[sig_idx
] & CERT_PKEY_RPK
? sig_idx
: -1;
4472 return s
->s3
.tmp
.valid_flags
[sig_idx
] & CERT_PKEY_VALID
? sig_idx
: -1;
4476 * Checks the given cert against signature_algorithm_cert restrictions sent by
4477 * the peer (if any) as well as whether the hash from the sigalg is usable with
4479 * Returns true if the cert is usable and false otherwise.
4481 static int check_cert_usable(SSL_CONNECTION
*s
, const SIGALG_LOOKUP
*sig
,
4482 X509
*x
, EVP_PKEY
*pkey
)
4484 const SIGALG_LOOKUP
*lu
;
4485 int mdnid
, pknid
, supported
;
4487 const char *mdname
= NULL
;
4488 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
4491 * If the given EVP_PKEY cannot support signing with this digest,
4492 * the answer is simply 'no'.
4494 if (sig
->hash
!= NID_undef
)
4495 mdname
= OBJ_nid2sn(sig
->hash
);
4496 supported
= EVP_PKEY_digestsign_supports_digest(pkey
, sctx
->libctx
,
4503 * The TLS 1.3 signature_algorithms_cert extension places restrictions
4504 * on the sigalg with which the certificate was signed (by its issuer).
4506 if (s
->s3
.tmp
.peer_cert_sigalgs
!= NULL
) {
4507 if (!X509_get_signature_info(x
, &mdnid
, &pknid
, NULL
, NULL
))
4509 for (i
= 0; i
< s
->s3
.tmp
.peer_cert_sigalgslen
; i
++) {
4510 lu
= tls1_lookup_sigalg(SSL_CONNECTION_GET_CTX(s
),
4511 s
->s3
.tmp
.peer_cert_sigalgs
[i
]);
4516 * This does not differentiate between the
4517 * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
4518 * have a chain here that lets us look at the key OID in the
4519 * signing certificate.
4521 if (mdnid
== lu
->hash
&& pknid
== lu
->sig
)
4528 * Without signat_algorithms_cert, any certificate for which we have
4529 * a viable public key is permitted.
4535 * Returns true if |s| has a usable certificate configured for use
4536 * with signature scheme |sig|.
4537 * "Usable" includes a check for presence as well as applying
4538 * the signature_algorithm_cert restrictions sent by the peer (if any).
4539 * Returns false if no usable certificate is found.
4541 static int has_usable_cert(SSL_CONNECTION
*s
, const SIGALG_LOOKUP
*sig
, int idx
)
4543 /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
4546 if (!ssl_has_cert(s
, idx
))
4549 return check_cert_usable(s
, sig
, s
->cert
->pkeys
[idx
].x509
,
4550 s
->cert
->pkeys
[idx
].privatekey
);
4554 * Returns true if the supplied cert |x| and key |pkey| is usable with the
4555 * specified signature scheme |sig|, or false otherwise.
4557 static int is_cert_usable(SSL_CONNECTION
*s
, const SIGALG_LOOKUP
*sig
, X509
*x
,
4562 if (ssl_cert_lookup_by_pkey(pkey
, &idx
, SSL_CONNECTION_GET_CTX(s
)) == NULL
)
4565 /* Check the key is consistent with the sig alg */
4566 if ((int)idx
!= sig
->sig_idx
)
4569 return check_cert_usable(s
, sig
, x
, pkey
);
4573 * Find a signature scheme that works with the supplied certificate |x| and key
4574 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
4575 * available certs/keys to find one that works.
4577 static const SIGALG_LOOKUP
*find_sig_alg(SSL_CONNECTION
*s
, X509
*x
,
4580 const SIGALG_LOOKUP
*lu
= NULL
;
4584 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
4586 /* Look for a shared sigalgs matching possible certificates */
4587 for (i
= 0; i
< s
->shared_sigalgslen
; i
++) {
4588 /* Skip SHA1, SHA224, DSA and RSA if not PSS */
4589 lu
= s
->shared_sigalgs
[i
];
4590 if (lu
->hash
== NID_sha1
4591 || lu
->hash
== NID_sha224
4592 || lu
->sig
== EVP_PKEY_DSA
4593 || lu
->sig
== EVP_PKEY_RSA
4594 || !tls_sigalg_compat(s
, lu
))
4597 /* Check that we have a cert, and signature_algorithms_cert */
4598 if (!tls1_lookup_md(sctx
, lu
, NULL
))
4600 if ((pkey
== NULL
&& !has_usable_cert(s
, lu
, -1))
4601 || (pkey
!= NULL
&& !is_cert_usable(s
, lu
, x
, pkey
)))
4604 tmppkey
= (pkey
!= NULL
) ? pkey
4605 : s
->cert
->pkeys
[lu
->sig_idx
].privatekey
;
4607 if (lu
->sig
== EVP_PKEY_EC
) {
4609 curve
= ssl_get_EC_curve_nid(tmppkey
);
4610 if (lu
->curve
!= NID_undef
&& curve
!= lu
->curve
)
4612 } else if (lu
->sig
== EVP_PKEY_RSA_PSS
) {
4613 /* validate that key is large enough for the signature algorithm */
4614 if (!rsa_pss_check_min_key_size(sctx
, tmppkey
, lu
))
4620 if (i
== s
->shared_sigalgslen
)
4627 * Choose an appropriate signature algorithm based on available certificates
4628 * Sets chosen certificate and signature algorithm.
4630 * For servers if we fail to find a required certificate it is a fatal error,
4631 * an appropriate error code is set and a TLS alert is sent.
4633 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
4634 * a fatal error: we will either try another certificate or not present one
4635 * to the server. In this case no error is set.
4637 int tls_choose_sigalg(SSL_CONNECTION
*s
, int fatalerrs
)
4639 const SIGALG_LOOKUP
*lu
= NULL
;
4642 s
->s3
.tmp
.cert
= NULL
;
4643 s
->s3
.tmp
.sigalg
= NULL
;
4645 if (SSL_CONNECTION_IS_TLS13(s
)) {
4646 lu
= find_sig_alg(s
, NULL
, NULL
);
4650 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
,
4651 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
);
4655 /* If ciphersuite doesn't require a cert nothing to do */
4656 if (!(s
->s3
.tmp
.new_cipher
->algorithm_auth
& SSL_aCERT
))
4658 if (!s
->server
&& !ssl_has_cert(s
, (int)(s
->cert
->key
- s
->cert
->pkeys
)))
4661 if (SSL_USE_SIGALGS(s
)) {
4663 if (s
->s3
.tmp
.peer_sigalgs
!= NULL
) {
4665 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
4667 /* For Suite B need to match signature algorithm to curve */
4669 curve
= ssl_get_EC_curve_nid(s
->cert
->pkeys
[SSL_PKEY_ECC
]
4673 * Find highest preference signature algorithm matching
4676 for (i
= 0; i
< s
->shared_sigalgslen
; i
++) {
4677 /* Check the sigalg version bounds */
4678 lu
= s
->shared_sigalgs
[i
];
4679 if (!tls_sigalg_compat(s
, lu
))
4682 if ((sig_idx
= tls12_get_cert_sigalg_idx(s
, lu
)) == -1)
4685 int cc_idx
= (int)(s
->cert
->key
- s
->cert
->pkeys
);
4687 sig_idx
= lu
->sig_idx
;
4688 if (cc_idx
!= sig_idx
)
4691 /* Check that we have a cert, and sig_algs_cert */
4692 if (!has_usable_cert(s
, lu
, sig_idx
))
4694 if (lu
->sig
== EVP_PKEY_RSA_PSS
) {
4695 /* validate that key is large enough for the signature algorithm */
4696 EVP_PKEY
*pkey
= s
->cert
->pkeys
[sig_idx
].privatekey
;
4698 if (!rsa_pss_check_min_key_size(sctx
, pkey
, lu
))
4701 if (curve
== -1 || lu
->curve
== curve
)
4704 #ifndef OPENSSL_NO_GOST
4706 * Some Windows-based implementations do not send GOST algorithms indication
4707 * in supported_algorithms extension, so when we have GOST-based ciphersuite,
4708 * we have to assume GOST support.
4710 if (i
== s
->shared_sigalgslen
4711 && (s
->s3
.tmp
.new_cipher
->algorithm_auth
4712 & (SSL_aGOST01
| SSL_aGOST12
)) != 0) {
4713 if ((lu
= tls1_get_legacy_sigalg(s
, -1)) == NULL
) {
4716 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
,
4717 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
);
4721 sig_idx
= lu
->sig_idx
;
4725 if (i
== s
->shared_sigalgslen
) {
4728 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
,
4729 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
);
4734 * If we have no sigalg use defaults
4736 const uint16_t *sent_sigs
;
4737 size_t sent_sigslen
;
4739 if ((lu
= tls1_get_legacy_sigalg(s
, -1)) == NULL
) {
4742 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
,
4743 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
);
4747 /* Check signature matches a type we sent */
4748 sent_sigslen
= tls12_get_psigalgs(s
, 1, &sent_sigs
);
4749 for (i
= 0; i
< sent_sigslen
; i
++, sent_sigs
++) {
4750 if (lu
->sigalg
== *sent_sigs
4751 && has_usable_cert(s
, lu
, lu
->sig_idx
))
4754 if (i
== sent_sigslen
) {
4757 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
,
4758 SSL_R_WRONG_SIGNATURE_TYPE
);
4763 if ((lu
= tls1_get_legacy_sigalg(s
, -1)) == NULL
) {
4766 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
4767 SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
);
4773 sig_idx
= lu
->sig_idx
;
4774 s
->s3
.tmp
.cert
= &s
->cert
->pkeys
[sig_idx
];
4775 s
->cert
->key
= s
->s3
.tmp
.cert
;
4776 s
->s3
.tmp
.sigalg
= lu
;
4780 int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX
*ctx
, uint8_t mode
)
4782 if (mode
!= TLSEXT_max_fragment_length_DISABLED
4783 && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode
)) {
4784 ERR_raise(ERR_LIB_SSL
, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH
);
4788 ctx
->ext
.max_fragment_len_mode
= mode
;
4792 int SSL_set_tlsext_max_fragment_length(SSL
*ssl
, uint8_t mode
)
4794 SSL_CONNECTION
*sc
= SSL_CONNECTION_FROM_SSL(ssl
);
4797 || (IS_QUIC(ssl
) && mode
!= TLSEXT_max_fragment_length_DISABLED
))
4800 if (mode
!= TLSEXT_max_fragment_length_DISABLED
4801 && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode
)) {
4802 ERR_raise(ERR_LIB_SSL
, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH
);
4806 sc
->ext
.max_fragment_len_mode
= mode
;
4810 uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION
*session
)
4812 if (session
->ext
.max_fragment_len_mode
== TLSEXT_max_fragment_length_UNSPECIFIED
)
4813 return TLSEXT_max_fragment_length_DISABLED
;
4814 return session
->ext
.max_fragment_len_mode
;
4818 * Helper functions for HMAC access with legacy support included.
4820 SSL_HMAC
*ssl_hmac_new(const SSL_CTX
*ctx
)
4822 SSL_HMAC
*ret
= OPENSSL_zalloc(sizeof(*ret
));
4823 EVP_MAC
*mac
= NULL
;
4827 #ifndef OPENSSL_NO_DEPRECATED_3_0
4828 if (ctx
->ext
.ticket_key_evp_cb
== NULL
4829 && ctx
->ext
.ticket_key_cb
!= NULL
) {
4830 if (!ssl_hmac_old_new(ret
))
4835 mac
= EVP_MAC_fetch(ctx
->libctx
, "HMAC", ctx
->propq
);
4836 if (mac
== NULL
|| (ret
->ctx
= EVP_MAC_CTX_new(mac
)) == NULL
)
4841 EVP_MAC_CTX_free(ret
->ctx
);
4847 void ssl_hmac_free(SSL_HMAC
*ctx
)
4850 EVP_MAC_CTX_free(ctx
->ctx
);
4851 #ifndef OPENSSL_NO_DEPRECATED_3_0
4852 ssl_hmac_old_free(ctx
);
4858 EVP_MAC_CTX
*ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC
*ctx
)
4863 int ssl_hmac_init(SSL_HMAC
*ctx
, void *key
, size_t len
, char *md
)
4865 OSSL_PARAM params
[2], *p
= params
;
4867 if (ctx
->ctx
!= NULL
) {
4868 *p
++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST
, md
, 0);
4869 *p
= OSSL_PARAM_construct_end();
4870 if (EVP_MAC_init(ctx
->ctx
, key
, len
, params
))
4873 #ifndef OPENSSL_NO_DEPRECATED_3_0
4874 if (ctx
->old_ctx
!= NULL
)
4875 return ssl_hmac_old_init(ctx
, key
, len
, md
);
4880 int ssl_hmac_update(SSL_HMAC
*ctx
, const unsigned char *data
, size_t len
)
4882 if (ctx
->ctx
!= NULL
)
4883 return EVP_MAC_update(ctx
->ctx
, data
, len
);
4884 #ifndef OPENSSL_NO_DEPRECATED_3_0
4885 if (ctx
->old_ctx
!= NULL
)
4886 return ssl_hmac_old_update(ctx
, data
, len
);
4891 int ssl_hmac_final(SSL_HMAC
*ctx
, unsigned char *md
, size_t *len
,
4894 if (ctx
->ctx
!= NULL
)
4895 return EVP_MAC_final(ctx
->ctx
, md
, len
, max_size
);
4896 #ifndef OPENSSL_NO_DEPRECATED_3_0
4897 if (ctx
->old_ctx
!= NULL
)
4898 return ssl_hmac_old_final(ctx
, md
, len
);
4903 size_t ssl_hmac_size(const SSL_HMAC
*ctx
)
4905 if (ctx
->ctx
!= NULL
)
4906 return EVP_MAC_CTX_get_mac_size(ctx
->ctx
);
4907 #ifndef OPENSSL_NO_DEPRECATED_3_0
4908 if (ctx
->old_ctx
!= NULL
)
4909 return ssl_hmac_old_size(ctx
);
4914 int ssl_get_EC_curve_nid(const EVP_PKEY
*pkey
)
4916 char gname
[OSSL_MAX_NAME_SIZE
];
4918 if (EVP_PKEY_get_group_name(pkey
, gname
, sizeof(gname
), NULL
) > 0)
4919 return OBJ_txt2nid(gname
);
4924 __owur
int tls13_set_encoded_pub_key(EVP_PKEY
*pkey
,
4925 const unsigned char *enckey
,
4928 if (EVP_PKEY_is_a(pkey
, "DH")) {
4929 int bits
= EVP_PKEY_get_bits(pkey
);
4931 if (bits
<= 0 || enckeylen
!= (size_t)bits
/ 8)
4932 /* the encoded key must be padded to the length of the p */
4934 } else if (EVP_PKEY_is_a(pkey
, "EC")) {
4935 if (enckeylen
< 3 /* point format and at least 1 byte for x and y */
4936 || enckey
[0] != 0x04)
4940 return EVP_PKEY_set1_encoded_public_key(pkey
, enckey
, enckeylen
);