t1_lib.c 82 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <openssl/objects.h>
  12. #include <openssl/evp.h>
  13. #include <openssl/hmac.h>
  14. #include <openssl/ocsp.h>
  15. #include <openssl/conf.h>
  16. #include <openssl/x509v3.h>
  17. #include <openssl/dh.h>
  18. #include <openssl/bn.h>
  19. #include "internal/nelem.h"
  20. #include "ssl_locl.h"
  21. #include <openssl/ct.h>
  22. SSL3_ENC_METHOD const TLSv1_enc_data = {
  23. tls1_enc,
  24. tls1_mac,
  25. tls1_setup_key_block,
  26. tls1_generate_master_secret,
  27. tls1_change_cipher_state,
  28. tls1_final_finish_mac,
  29. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  30. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  31. tls1_alert_code,
  32. tls1_export_keying_material,
  33. 0,
  34. ssl3_set_handshake_header,
  35. tls_close_construct_packet,
  36. ssl3_handshake_write
  37. };
  38. SSL3_ENC_METHOD const TLSv1_1_enc_data = {
  39. tls1_enc,
  40. tls1_mac,
  41. tls1_setup_key_block,
  42. tls1_generate_master_secret,
  43. tls1_change_cipher_state,
  44. tls1_final_finish_mac,
  45. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  46. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  47. tls1_alert_code,
  48. tls1_export_keying_material,
  49. SSL_ENC_FLAG_EXPLICIT_IV,
  50. ssl3_set_handshake_header,
  51. tls_close_construct_packet,
  52. ssl3_handshake_write
  53. };
  54. SSL3_ENC_METHOD const TLSv1_2_enc_data = {
  55. tls1_enc,
  56. tls1_mac,
  57. tls1_setup_key_block,
  58. tls1_generate_master_secret,
  59. tls1_change_cipher_state,
  60. tls1_final_finish_mac,
  61. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  62. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  63. tls1_alert_code,
  64. tls1_export_keying_material,
  65. SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
  66. | SSL_ENC_FLAG_TLS1_2_CIPHERS,
  67. ssl3_set_handshake_header,
  68. tls_close_construct_packet,
  69. ssl3_handshake_write
  70. };
  71. SSL3_ENC_METHOD const TLSv1_3_enc_data = {
  72. tls13_enc,
  73. tls1_mac,
  74. tls13_setup_key_block,
  75. tls13_generate_master_secret,
  76. tls13_change_cipher_state,
  77. tls13_final_finish_mac,
  78. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  79. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  80. tls13_alert_code,
  81. tls13_export_keying_material,
  82. SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
  83. ssl3_set_handshake_header,
  84. tls_close_construct_packet,
  85. ssl3_handshake_write
  86. };
  87. long tls1_default_timeout(void)
  88. {
  89. /*
  90. * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
  91. * http, the cache would over fill
  92. */
  93. return (60 * 60 * 2);
  94. }
  95. int tls1_new(SSL *s)
  96. {
  97. if (!ssl3_new(s))
  98. return 0;
  99. if (!s->method->ssl_clear(s))
  100. return 0;
  101. return 1;
  102. }
  103. void tls1_free(SSL *s)
  104. {
  105. OPENSSL_free(s->ext.session_ticket);
  106. ssl3_free(s);
  107. }
  108. int tls1_clear(SSL *s)
  109. {
  110. if (!ssl3_clear(s))
  111. return 0;
  112. if (s->method->version == TLS_ANY_VERSION)
  113. s->version = TLS_MAX_VERSION;
  114. else
  115. s->version = s->method->version;
  116. return 1;
  117. }
  118. #ifndef OPENSSL_NO_EC
  119. /*
  120. * Table of curve information.
  121. * Do not delete entries or reorder this array! It is used as a lookup
  122. * table: the index of each entry is one less than the TLS curve id.
  123. */
  124. static const TLS_GROUP_INFO nid_list[] = {
  125. {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
  126. {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
  127. {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
  128. {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
  129. {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
  130. {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
  131. {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
  132. {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
  133. {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
  134. {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
  135. {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
  136. {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
  137. {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
  138. {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
  139. {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
  140. {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
  141. {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
  142. {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
  143. {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
  144. {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
  145. {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
  146. {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
  147. {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
  148. {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
  149. {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
  150. {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
  151. {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
  152. {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
  153. {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
  154. {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
  155. };
  156. static const unsigned char ecformats_default[] = {
  157. TLSEXT_ECPOINTFORMAT_uncompressed,
  158. TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
  159. TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
  160. };
  161. /* The default curves */
  162. static const uint16_t eccurves_default[] = {
  163. 29, /* X25519 (29) */
  164. 23, /* secp256r1 (23) */
  165. 30, /* X448 (30) */
  166. 25, /* secp521r1 (25) */
  167. 24, /* secp384r1 (24) */
  168. };
  169. static const uint16_t suiteb_curves[] = {
  170. TLSEXT_curve_P_256,
  171. TLSEXT_curve_P_384
  172. };
  173. const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
  174. {
  175. /* ECC curves from RFC 4492 and RFC 7027 */
  176. if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
  177. return NULL;
  178. return &nid_list[group_id - 1];
  179. }
  180. static uint16_t tls1_nid2group_id(int nid)
  181. {
  182. size_t i;
  183. for (i = 0; i < OSSL_NELEM(nid_list); i++) {
  184. if (nid_list[i].nid == nid)
  185. return (uint16_t)(i + 1);
  186. }
  187. return 0;
  188. }
  189. /*
  190. * Set *pgroups to the supported groups list and *pgroupslen to
  191. * the number of groups supported.
  192. */
  193. void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
  194. size_t *pgroupslen)
  195. {
  196. /* For Suite B mode only include P-256, P-384 */
  197. switch (tls1_suiteb(s)) {
  198. case SSL_CERT_FLAG_SUITEB_128_LOS:
  199. *pgroups = suiteb_curves;
  200. *pgroupslen = OSSL_NELEM(suiteb_curves);
  201. break;
  202. case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  203. *pgroups = suiteb_curves;
  204. *pgroupslen = 1;
  205. break;
  206. case SSL_CERT_FLAG_SUITEB_192_LOS:
  207. *pgroups = suiteb_curves + 1;
  208. *pgroupslen = 1;
  209. break;
  210. default:
  211. if (s->ext.supportedgroups == NULL) {
  212. *pgroups = eccurves_default;
  213. *pgroupslen = OSSL_NELEM(eccurves_default);
  214. } else {
  215. *pgroups = s->ext.supportedgroups;
  216. *pgroupslen = s->ext.supportedgroups_len;
  217. }
  218. break;
  219. }
  220. }
  221. /* See if curve is allowed by security callback */
  222. int tls_curve_allowed(SSL *s, uint16_t curve, int op)
  223. {
  224. const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
  225. unsigned char ctmp[2];
  226. if (cinfo == NULL)
  227. return 0;
  228. # ifdef OPENSSL_NO_EC2M
  229. if (cinfo->flags & TLS_CURVE_CHAR2)
  230. return 0;
  231. # endif
  232. ctmp[0] = curve >> 8;
  233. ctmp[1] = curve & 0xff;
  234. return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
  235. }
  236. /* Return 1 if "id" is in "list" */
  237. static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
  238. {
  239. size_t i;
  240. for (i = 0; i < listlen; i++)
  241. if (list[i] == id)
  242. return 1;
  243. return 0;
  244. }
  245. /*-
  246. * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
  247. * if there is no match.
  248. * For nmatch == -1, return number of matches
  249. * For nmatch == -2, return the id of the group to use for
  250. * a tmp key, or 0 if there is no match.
  251. */
  252. uint16_t tls1_shared_group(SSL *s, int nmatch)
  253. {
  254. const uint16_t *pref, *supp;
  255. size_t num_pref, num_supp, i;
  256. int k;
  257. /* Can't do anything on client side */
  258. if (s->server == 0)
  259. return 0;
  260. if (nmatch == -2) {
  261. if (tls1_suiteb(s)) {
  262. /*
  263. * For Suite B ciphersuite determines curve: we already know
  264. * these are acceptable due to previous checks.
  265. */
  266. unsigned long cid = s->s3->tmp.new_cipher->id;
  267. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  268. return TLSEXT_curve_P_256;
  269. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  270. return TLSEXT_curve_P_384;
  271. /* Should never happen */
  272. return 0;
  273. }
  274. /* If not Suite B just return first preference shared curve */
  275. nmatch = 0;
  276. }
  277. /*
  278. * If server preference set, our groups are the preference order
  279. * otherwise peer decides.
  280. */
  281. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  282. tls1_get_supported_groups(s, &pref, &num_pref);
  283. tls1_get_peer_groups(s, &supp, &num_supp);
  284. } else {
  285. tls1_get_peer_groups(s, &pref, &num_pref);
  286. tls1_get_supported_groups(s, &supp, &num_supp);
  287. }
  288. for (k = 0, i = 0; i < num_pref; i++) {
  289. uint16_t id = pref[i];
  290. if (!tls1_in_list(id, supp, num_supp)
  291. || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
  292. continue;
  293. if (nmatch == k)
  294. return id;
  295. k++;
  296. }
  297. if (nmatch == -1)
  298. return k;
  299. /* Out of range (nmatch > k). */
  300. return 0;
  301. }
  302. int tls1_set_groups(uint16_t **pext, size_t *pextlen,
  303. int *groups, size_t ngroups)
  304. {
  305. uint16_t *glist;
  306. size_t i;
  307. /*
  308. * Bitmap of groups included to detect duplicates: only works while group
  309. * ids < 32
  310. */
  311. unsigned long dup_list = 0;
  312. glist = OPENSSL_malloc(ngroups * sizeof(*glist));
  313. if (glist == NULL)
  314. return 0;
  315. for (i = 0; i < ngroups; i++) {
  316. unsigned long idmask;
  317. uint16_t id;
  318. /* TODO(TLS1.3): Convert for DH groups */
  319. id = tls1_nid2group_id(groups[i]);
  320. idmask = 1L << id;
  321. if (!id || (dup_list & idmask)) {
  322. OPENSSL_free(glist);
  323. return 0;
  324. }
  325. dup_list |= idmask;
  326. glist[i] = id;
  327. }
  328. OPENSSL_free(*pext);
  329. *pext = glist;
  330. *pextlen = ngroups;
  331. return 1;
  332. }
  333. # define MAX_CURVELIST 28
  334. typedef struct {
  335. size_t nidcnt;
  336. int nid_arr[MAX_CURVELIST];
  337. } nid_cb_st;
  338. static int nid_cb(const char *elem, int len, void *arg)
  339. {
  340. nid_cb_st *narg = arg;
  341. size_t i;
  342. int nid;
  343. char etmp[20];
  344. if (elem == NULL)
  345. return 0;
  346. if (narg->nidcnt == MAX_CURVELIST)
  347. return 0;
  348. if (len > (int)(sizeof(etmp) - 1))
  349. return 0;
  350. memcpy(etmp, elem, len);
  351. etmp[len] = 0;
  352. nid = EC_curve_nist2nid(etmp);
  353. if (nid == NID_undef)
  354. nid = OBJ_sn2nid(etmp);
  355. if (nid == NID_undef)
  356. nid = OBJ_ln2nid(etmp);
  357. if (nid == NID_undef)
  358. return 0;
  359. for (i = 0; i < narg->nidcnt; i++)
  360. if (narg->nid_arr[i] == nid)
  361. return 0;
  362. narg->nid_arr[narg->nidcnt++] = nid;
  363. return 1;
  364. }
  365. /* Set groups based on a colon separate list */
  366. int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
  367. {
  368. nid_cb_st ncb;
  369. ncb.nidcnt = 0;
  370. if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
  371. return 0;
  372. if (pext == NULL)
  373. return 1;
  374. return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
  375. }
  376. /* Return group id of a key */
  377. static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
  378. {
  379. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
  380. const EC_GROUP *grp;
  381. if (ec == NULL)
  382. return 0;
  383. grp = EC_KEY_get0_group(ec);
  384. return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
  385. }
  386. /* Check a key is compatible with compression extension */
  387. static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
  388. {
  389. const EC_KEY *ec;
  390. const EC_GROUP *grp;
  391. unsigned char comp_id;
  392. size_t i;
  393. /* If not an EC key nothing to check */
  394. if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
  395. return 1;
  396. ec = EVP_PKEY_get0_EC_KEY(pkey);
  397. grp = EC_KEY_get0_group(ec);
  398. /* Get required compression id */
  399. if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
  400. comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
  401. } else if (SSL_IS_TLS13(s)) {
  402. /* Compression not allowed in TLS 1.3 */
  403. return 0;
  404. } else {
  405. int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));
  406. if (field_type == NID_X9_62_prime_field)
  407. comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
  408. else if (field_type == NID_X9_62_characteristic_two_field)
  409. comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  410. else
  411. return 0;
  412. }
  413. /*
  414. * If point formats extension present check it, otherwise everything is
  415. * supported (see RFC4492).
  416. */
  417. if (s->session->ext.ecpointformats == NULL)
  418. return 1;
  419. for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
  420. if (s->session->ext.ecpointformats[i] == comp_id)
  421. return 1;
  422. }
  423. return 0;
  424. }
  425. /* Check a group id matches preferences */
  426. int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
  427. {
  428. const uint16_t *groups;
  429. size_t groups_len;
  430. if (group_id == 0)
  431. return 0;
  432. /* Check for Suite B compliance */
  433. if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
  434. unsigned long cid = s->s3->tmp.new_cipher->id;
  435. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
  436. if (group_id != TLSEXT_curve_P_256)
  437. return 0;
  438. } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
  439. if (group_id != TLSEXT_curve_P_384)
  440. return 0;
  441. } else {
  442. /* Should never happen */
  443. return 0;
  444. }
  445. }
  446. if (check_own_groups) {
  447. /* Check group is one of our preferences */
  448. tls1_get_supported_groups(s, &groups, &groups_len);
  449. if (!tls1_in_list(group_id, groups, groups_len))
  450. return 0;
  451. }
  452. if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
  453. return 0;
  454. /* For clients, nothing more to check */
  455. if (!s->server)
  456. return 1;
  457. /* Check group is one of peers preferences */
  458. tls1_get_peer_groups(s, &groups, &groups_len);
  459. /*
  460. * RFC 4492 does not require the supported elliptic curves extension
  461. * so if it is not sent we can just choose any curve.
  462. * It is invalid to send an empty list in the supported groups
  463. * extension, so groups_len == 0 always means no extension.
  464. */
  465. if (groups_len == 0)
  466. return 1;
  467. return tls1_in_list(group_id, groups, groups_len);
  468. }
  469. void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
  470. size_t *num_formats)
  471. {
  472. /*
  473. * If we have a custom point format list use it otherwise use default
  474. */
  475. if (s->ext.ecpointformats) {
  476. *pformats = s->ext.ecpointformats;
  477. *num_formats = s->ext.ecpointformats_len;
  478. } else {
  479. *pformats = ecformats_default;
  480. /* For Suite B we don't support char2 fields */
  481. if (tls1_suiteb(s))
  482. *num_formats = sizeof(ecformats_default) - 1;
  483. else
  484. *num_formats = sizeof(ecformats_default);
  485. }
  486. }
  487. /*
  488. * Check cert parameters compatible with extensions: currently just checks EC
  489. * certificates have compatible curves and compression.
  490. */
  491. static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
  492. {
  493. uint16_t group_id;
  494. EVP_PKEY *pkey;
  495. pkey = X509_get0_pubkey(x);
  496. if (pkey == NULL)
  497. return 0;
  498. /* If not EC nothing to do */
  499. if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
  500. return 1;
  501. /* Check compression */
  502. if (!tls1_check_pkey_comp(s, pkey))
  503. return 0;
  504. group_id = tls1_get_group_id(pkey);
  505. /*
  506. * For a server we allow the certificate to not be in our list of supported
  507. * groups.
  508. */
  509. if (!tls1_check_group_id(s, group_id, !s->server))
  510. return 0;
  511. /*
  512. * Special case for suite B. We *MUST* sign using SHA256+P-256 or
  513. * SHA384+P-384.
  514. */
  515. if (check_ee_md && tls1_suiteb(s)) {
  516. int check_md;
  517. size_t i;
  518. CERT *c = s->cert;
  519. /* Check to see we have necessary signing algorithm */
  520. if (group_id == TLSEXT_curve_P_256)
  521. check_md = NID_ecdsa_with_SHA256;
  522. else if (group_id == TLSEXT_curve_P_384)
  523. check_md = NID_ecdsa_with_SHA384;
  524. else
  525. return 0; /* Should never happen */
  526. for (i = 0; i < c->shared_sigalgslen; i++) {
  527. if (check_md == c->shared_sigalgs[i]->sigandhash)
  528. return 1;;
  529. }
  530. return 0;
  531. }
  532. return 1;
  533. }
  534. /*
  535. * tls1_check_ec_tmp_key - Check EC temporary key compatibility
  536. * @s: SSL connection
  537. * @cid: Cipher ID we're considering using
  538. *
  539. * Checks that the kECDHE cipher suite we're considering using
  540. * is compatible with the client extensions.
  541. *
  542. * Returns 0 when the cipher can't be used or 1 when it can.
  543. */
  544. int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
  545. {
  546. /* If not Suite B just need a shared group */
  547. if (!tls1_suiteb(s))
  548. return tls1_shared_group(s, 0) != 0;
  549. /*
  550. * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
  551. * curves permitted.
  552. */
  553. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  554. return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
  555. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  556. return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);
  557. return 0;
  558. }
  559. #else
  560. static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
  561. {
  562. return 1;
  563. }
  564. #endif /* OPENSSL_NO_EC */
  565. /* Default sigalg schemes */
  566. static const uint16_t tls12_sigalgs[] = {
  567. #ifndef OPENSSL_NO_EC
  568. TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  569. TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
  570. TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
  571. TLSEXT_SIGALG_ed25519,
  572. TLSEXT_SIGALG_ed448,
  573. #endif
  574. TLSEXT_SIGALG_rsa_pss_pss_sha256,
  575. TLSEXT_SIGALG_rsa_pss_pss_sha384,
  576. TLSEXT_SIGALG_rsa_pss_pss_sha512,
  577. TLSEXT_SIGALG_rsa_pss_rsae_sha256,
  578. TLSEXT_SIGALG_rsa_pss_rsae_sha384,
  579. TLSEXT_SIGALG_rsa_pss_rsae_sha512,
  580. TLSEXT_SIGALG_rsa_pkcs1_sha256,
  581. TLSEXT_SIGALG_rsa_pkcs1_sha384,
  582. TLSEXT_SIGALG_rsa_pkcs1_sha512,
  583. #ifndef OPENSSL_NO_EC
  584. TLSEXT_SIGALG_ecdsa_sha224,
  585. TLSEXT_SIGALG_ecdsa_sha1,
  586. #endif
  587. TLSEXT_SIGALG_rsa_pkcs1_sha224,
  588. TLSEXT_SIGALG_rsa_pkcs1_sha1,
  589. #ifndef OPENSSL_NO_DSA
  590. TLSEXT_SIGALG_dsa_sha224,
  591. TLSEXT_SIGALG_dsa_sha1,
  592. TLSEXT_SIGALG_dsa_sha256,
  593. TLSEXT_SIGALG_dsa_sha384,
  594. TLSEXT_SIGALG_dsa_sha512
  595. #endif
  596. };
  597. #ifndef OPENSSL_NO_EC
  598. static const uint16_t suiteb_sigalgs[] = {
  599. TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  600. TLSEXT_SIGALG_ecdsa_secp384r1_sha384
  601. };
  602. #endif
  603. static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
  604. #ifndef OPENSSL_NO_EC
  605. {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  606. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  607. NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
  608. {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
  609. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  610. NID_ecdsa_with_SHA384, NID_secp384r1},
  611. {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
  612. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  613. NID_ecdsa_with_SHA512, NID_secp521r1},
  614. {"ed25519", TLSEXT_SIGALG_ed25519,
  615. NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
  616. NID_undef, NID_undef},
  617. {"ed448", TLSEXT_SIGALG_ed448,
  618. NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
  619. NID_undef, NID_undef},
  620. {NULL, TLSEXT_SIGALG_ecdsa_sha224,
  621. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  622. NID_ecdsa_with_SHA224, NID_undef},
  623. {NULL, TLSEXT_SIGALG_ecdsa_sha1,
  624. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  625. NID_ecdsa_with_SHA1, NID_undef},
  626. #endif
  627. {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
  628. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  629. NID_undef, NID_undef},
  630. {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
  631. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  632. NID_undef, NID_undef},
  633. {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
  634. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  635. NID_undef, NID_undef},
  636. {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
  637. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  638. NID_undef, NID_undef},
  639. {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
  640. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  641. NID_undef, NID_undef},
  642. {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
  643. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  644. NID_undef, NID_undef},
  645. {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
  646. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  647. NID_sha256WithRSAEncryption, NID_undef},
  648. {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
  649. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  650. NID_sha384WithRSAEncryption, NID_undef},
  651. {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
  652. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  653. NID_sha512WithRSAEncryption, NID_undef},
  654. {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
  655. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  656. NID_sha224WithRSAEncryption, NID_undef},
  657. {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
  658. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  659. NID_sha1WithRSAEncryption, NID_undef},
  660. #ifndef OPENSSL_NO_DSA
  661. {NULL, TLSEXT_SIGALG_dsa_sha256,
  662. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  663. NID_dsa_with_SHA256, NID_undef},
  664. {NULL, TLSEXT_SIGALG_dsa_sha384,
  665. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  666. NID_undef, NID_undef},
  667. {NULL, TLSEXT_SIGALG_dsa_sha512,
  668. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  669. NID_undef, NID_undef},
  670. {NULL, TLSEXT_SIGALG_dsa_sha224,
  671. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  672. NID_undef, NID_undef},
  673. {NULL, TLSEXT_SIGALG_dsa_sha1,
  674. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  675. NID_dsaWithSHA1, NID_undef},
  676. #endif
  677. #ifndef OPENSSL_NO_GOST
  678. {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
  679. NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
  680. NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
  681. NID_undef, NID_undef},
  682. {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
  683. NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
  684. NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
  685. NID_undef, NID_undef},
  686. {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
  687. NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
  688. NID_id_GostR3410_2001, SSL_PKEY_GOST01,
  689. NID_undef, NID_undef}
  690. #endif
  691. };
  692. /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
  693. static const SIGALG_LOOKUP legacy_rsa_sigalg = {
  694. "rsa_pkcs1_md5_sha1", 0,
  695. NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
  696. EVP_PKEY_RSA, SSL_PKEY_RSA,
  697. NID_undef, NID_undef
  698. };
  699. /*
  700. * Default signature algorithm values used if signature algorithms not present.
  701. * From RFC5246. Note: order must match certificate index order.
  702. */
  703. static const uint16_t tls_default_sigalg[] = {
  704. TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
  705. 0, /* SSL_PKEY_RSA_PSS_SIGN */
  706. TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
  707. TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
  708. TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
  709. TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
  710. TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
  711. 0, /* SSL_PKEY_ED25519 */
  712. 0, /* SSL_PKEY_ED448 */
  713. };
  714. /* Lookup TLS signature algorithm */
  715. static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
  716. {
  717. size_t i;
  718. const SIGALG_LOOKUP *s;
  719. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  720. i++, s++) {
  721. if (s->sigalg == sigalg)
  722. return s;
  723. }
  724. return NULL;
  725. }
  726. /* Lookup hash: return 0 if invalid or not enabled */
  727. int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
  728. {
  729. const EVP_MD *md;
  730. if (lu == NULL)
  731. return 0;
  732. /* lu->hash == NID_undef means no associated digest */
  733. if (lu->hash == NID_undef) {
  734. md = NULL;
  735. } else {
  736. md = ssl_md(lu->hash_idx);
  737. if (md == NULL)
  738. return 0;
  739. }
  740. if (pmd)
  741. *pmd = md;
  742. return 1;
  743. }
  744. /*
  745. * Check if key is large enough to generate RSA-PSS signature.
  746. *
  747. * The key must greater than or equal to 2 * hash length + 2.
  748. * SHA512 has a hash length of 64 bytes, which is incompatible
  749. * with a 128 byte (1024 bit) key.
  750. */
  751. #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
  752. static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
  753. {
  754. const EVP_MD *md;
  755. if (rsa == NULL)
  756. return 0;
  757. if (!tls1_lookup_md(lu, &md) || md == NULL)
  758. return 0;
  759. if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md))
  760. return 0;
  761. return 1;
  762. }
  763. /*
  764. * Return a signature algorithm for TLS < 1.2 where the signature type
  765. * is fixed by the certificate type.
  766. */
  767. static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
  768. {
  769. if (idx == -1) {
  770. if (s->server) {
  771. size_t i;
  772. /* Work out index corresponding to ciphersuite */
  773. for (i = 0; i < SSL_PKEY_NUM; i++) {
  774. const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);
  775. if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
  776. idx = i;
  777. break;
  778. }
  779. }
  780. } else {
  781. idx = s->cert->key - s->cert->pkeys;
  782. }
  783. }
  784. if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
  785. return NULL;
  786. if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
  787. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
  788. if (!tls1_lookup_md(lu, NULL))
  789. return NULL;
  790. return lu;
  791. }
  792. return &legacy_rsa_sigalg;
  793. }
  794. /* Set peer sigalg based key type */
  795. int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
  796. {
  797. size_t idx;
  798. const SIGALG_LOOKUP *lu;
  799. if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
  800. return 0;
  801. lu = tls1_get_legacy_sigalg(s, idx);
  802. if (lu == NULL)
  803. return 0;
  804. s->s3->tmp.peer_sigalg = lu;
  805. return 1;
  806. }
  807. size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
  808. {
  809. /*
  810. * If Suite B mode use Suite B sigalgs only, ignore any other
  811. * preferences.
  812. */
  813. #ifndef OPENSSL_NO_EC
  814. switch (tls1_suiteb(s)) {
  815. case SSL_CERT_FLAG_SUITEB_128_LOS:
  816. *psigs = suiteb_sigalgs;
  817. return OSSL_NELEM(suiteb_sigalgs);
  818. case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  819. *psigs = suiteb_sigalgs;
  820. return 1;
  821. case SSL_CERT_FLAG_SUITEB_192_LOS:
  822. *psigs = suiteb_sigalgs + 1;
  823. return 1;
  824. }
  825. #endif
  826. /*
  827. * We use client_sigalgs (if not NULL) if we're a server
  828. * and sending a certificate request or if we're a client and
  829. * determining which shared algorithm to use.
  830. */
  831. if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
  832. *psigs = s->cert->client_sigalgs;
  833. return s->cert->client_sigalgslen;
  834. } else if (s->cert->conf_sigalgs) {
  835. *psigs = s->cert->conf_sigalgs;
  836. return s->cert->conf_sigalgslen;
  837. } else {
  838. *psigs = tls12_sigalgs;
  839. return OSSL_NELEM(tls12_sigalgs);
  840. }
  841. }
  842. /*
  843. * Check signature algorithm is consistent with sent supported signature
  844. * algorithms and if so set relevant digest and signature scheme in
  845. * s.
  846. */
  847. int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
  848. {
  849. const uint16_t *sent_sigs;
  850. const EVP_MD *md = NULL;
  851. char sigalgstr[2];
  852. size_t sent_sigslen, i;
  853. int pkeyid = EVP_PKEY_id(pkey);
  854. const SIGALG_LOOKUP *lu;
  855. /* Should never happen */
  856. if (pkeyid == -1)
  857. return -1;
  858. if (SSL_IS_TLS13(s)) {
  859. /* Disallow DSA for TLS 1.3 */
  860. if (pkeyid == EVP_PKEY_DSA) {
  861. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
  862. SSL_R_WRONG_SIGNATURE_TYPE);
  863. return 0;
  864. }
  865. /* Only allow PSS for TLS 1.3 */
  866. if (pkeyid == EVP_PKEY_RSA)
  867. pkeyid = EVP_PKEY_RSA_PSS;
  868. }
  869. lu = tls1_lookup_sigalg(sig);
  870. /*
  871. * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
  872. * is consistent with signature: RSA keys can be used for RSA-PSS
  873. */
  874. if (lu == NULL
  875. || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
  876. || (pkeyid != lu->sig
  877. && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
  878. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
  879. SSL_R_WRONG_SIGNATURE_TYPE);
  880. return 0;
  881. }
  882. #ifndef OPENSSL_NO_EC
  883. if (pkeyid == EVP_PKEY_EC) {
  884. /* Check point compression is permitted */
  885. if (!tls1_check_pkey_comp(s, pkey)) {
  886. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  887. SSL_F_TLS12_CHECK_PEER_SIGALG,
  888. SSL_R_ILLEGAL_POINT_COMPRESSION);
  889. return 0;
  890. }
  891. /* For TLS 1.3 or Suite B check curve matches signature algorithm */
  892. if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
  893. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
  894. int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  895. if (lu->curve != NID_undef && curve != lu->curve) {
  896. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  897. SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
  898. return 0;
  899. }
  900. }
  901. if (!SSL_IS_TLS13(s)) {
  902. /* Check curve matches extensions */
  903. if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
  904. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  905. SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
  906. return 0;
  907. }
  908. if (tls1_suiteb(s)) {
  909. /* Check sigalg matches a permissible Suite B value */
  910. if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
  911. && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
  912. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  913. SSL_F_TLS12_CHECK_PEER_SIGALG,
  914. SSL_R_WRONG_SIGNATURE_TYPE);
  915. return 0;
  916. }
  917. }
  918. }
  919. } else if (tls1_suiteb(s)) {
  920. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  921. SSL_R_WRONG_SIGNATURE_TYPE);
  922. return 0;
  923. }
  924. #endif
  925. /* Check signature matches a type we sent */
  926. sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  927. for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
  928. if (sig == *sent_sigs)
  929. break;
  930. }
  931. /* Allow fallback to SHA1 if not strict mode */
  932. if (i == sent_sigslen && (lu->hash != NID_sha1
  933. || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
  934. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  935. SSL_R_WRONG_SIGNATURE_TYPE);
  936. return 0;
  937. }
  938. if (!tls1_lookup_md(lu, &md)) {
  939. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  940. SSL_R_UNKNOWN_DIGEST);
  941. return 0;
  942. }
  943. if (md != NULL) {
  944. /*
  945. * Make sure security callback allows algorithm. For historical
  946. * reasons we have to pass the sigalg as a two byte char array.
  947. */
  948. sigalgstr[0] = (sig >> 8) & 0xff;
  949. sigalgstr[1] = sig & 0xff;
  950. if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
  951. EVP_MD_size(md) * 4, EVP_MD_type(md),
  952. (void *)sigalgstr)) {
  953. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  954. SSL_R_WRONG_SIGNATURE_TYPE);
  955. return 0;
  956. }
  957. }
  958. /* Store the sigalg the peer uses */
  959. s->s3->tmp.peer_sigalg = lu;
  960. return 1;
  961. }
  962. int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
  963. {
  964. if (s->s3->tmp.peer_sigalg == NULL)
  965. return 0;
  966. *pnid = s->s3->tmp.peer_sigalg->sig;
  967. return 1;
  968. }
  969. /*
  970. * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
  971. * supported, doesn't appear in supported signature algorithms, isn't supported
  972. * by the enabled protocol versions or by the security level.
  973. *
  974. * This function should only be used for checking which ciphers are supported
  975. * by the client.
  976. *
  977. * Call ssl_cipher_disabled() to check that it's enabled or not.
  978. */
  979. int ssl_set_client_disabled(SSL *s)
  980. {
  981. s->s3->tmp.mask_a = 0;
  982. s->s3->tmp.mask_k = 0;
  983. ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
  984. if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver,
  985. &s->s3->tmp.max_ver) != 0)
  986. return 0;
  987. #ifndef OPENSSL_NO_PSK
  988. /* with PSK there must be client callback set */
  989. if (!s->psk_client_callback) {
  990. s->s3->tmp.mask_a |= SSL_aPSK;
  991. s->s3->tmp.mask_k |= SSL_PSK;
  992. }
  993. #endif /* OPENSSL_NO_PSK */
  994. #ifndef OPENSSL_NO_SRP
  995. if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
  996. s->s3->tmp.mask_a |= SSL_aSRP;
  997. s->s3->tmp.mask_k |= SSL_kSRP;
  998. }
  999. #endif
  1000. return 1;
  1001. }
  1002. /*
  1003. * ssl_cipher_disabled - check that a cipher is disabled or not
  1004. * @s: SSL connection that you want to use the cipher on
  1005. * @c: cipher to check
  1006. * @op: Security check that you want to do
  1007. * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
  1008. *
  1009. * Returns 1 when it's disabled, 0 when enabled.
  1010. */
  1011. int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
  1012. {
  1013. if (c->algorithm_mkey & s->s3->tmp.mask_k
  1014. || c->algorithm_auth & s->s3->tmp.mask_a)
  1015. return 1;
  1016. if (s->s3->tmp.max_ver == 0)
  1017. return 1;
  1018. if (!SSL_IS_DTLS(s)) {
  1019. int min_tls = c->min_tls;
  1020. /*
  1021. * For historical reasons we will allow ECHDE to be selected by a server
  1022. * in SSLv3 if we are a client
  1023. */
  1024. if (min_tls == TLS1_VERSION && ecdhe
  1025. && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
  1026. min_tls = SSL3_VERSION;
  1027. if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
  1028. return 1;
  1029. }
  1030. if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
  1031. || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
  1032. return 1;
  1033. return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
  1034. }
  1035. int tls_use_ticket(SSL *s)
  1036. {
  1037. if ((s->options & SSL_OP_NO_TICKET))
  1038. return 0;
  1039. return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
  1040. }
  1041. int tls1_set_server_sigalgs(SSL *s)
  1042. {
  1043. size_t i;
  1044. /* Clear any shared signature algorithms */
  1045. OPENSSL_free(s->cert->shared_sigalgs);
  1046. s->cert->shared_sigalgs = NULL;
  1047. s->cert->shared_sigalgslen = 0;
  1048. /* Clear certificate validity flags */
  1049. for (i = 0; i < SSL_PKEY_NUM; i++)
  1050. s->s3->tmp.valid_flags[i] = 0;
  1051. /*
  1052. * If peer sent no signature algorithms check to see if we support
  1053. * the default algorithm for each certificate type
  1054. */
  1055. if (s->s3->tmp.peer_cert_sigalgs == NULL
  1056. && s->s3->tmp.peer_sigalgs == NULL) {
  1057. const uint16_t *sent_sigs;
  1058. size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  1059. for (i = 0; i < SSL_PKEY_NUM; i++) {
  1060. const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
  1061. size_t j;
  1062. if (lu == NULL)
  1063. continue;
  1064. /* Check default matches a type we sent */
  1065. for (j = 0; j < sent_sigslen; j++) {
  1066. if (lu->sigalg == sent_sigs[j]) {
  1067. s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
  1068. break;
  1069. }
  1070. }
  1071. }
  1072. return 1;
  1073. }
  1074. if (!tls1_process_sigalgs(s)) {
  1075. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1076. SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
  1077. return 0;
  1078. }
  1079. if (s->cert->shared_sigalgs != NULL)
  1080. return 1;
  1081. /* Fatal error if no shared signature algorithms */
  1082. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
  1083. SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
  1084. return 0;
  1085. }
  1086. /*-
  1087. * Gets the ticket information supplied by the client if any.
  1088. *
  1089. * hello: The parsed ClientHello data
  1090. * ret: (output) on return, if a ticket was decrypted, then this is set to
  1091. * point to the resulting session.
  1092. *
  1093. * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
  1094. * ciphersuite, in which case we have no use for session tickets and one will
  1095. * never be decrypted, nor will s->ext.ticket_expected be set to 1.
  1096. *
  1097. * Returns:
  1098. * -1: fatal error, either from parsing or decrypting the ticket.
  1099. * 0: no ticket was found (or was ignored, based on settings).
  1100. * 1: a zero length extension was found, indicating that the client supports
  1101. * session tickets but doesn't currently have one to offer.
  1102. * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
  1103. * couldn't be decrypted because of a non-fatal error.
  1104. * 3: a ticket was successfully decrypted and *ret was set.
  1105. *
  1106. * Side effects:
  1107. * Sets s->ext.ticket_expected to 1 if the server will have to issue
  1108. * a new session ticket to the client because the client indicated support
  1109. * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
  1110. * a session ticket or we couldn't use the one it gave us, or if
  1111. * s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
  1112. * Otherwise, s->ext.ticket_expected is set to 0.
  1113. */
  1114. SSL_TICKET_RETURN tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
  1115. SSL_SESSION **ret)
  1116. {
  1117. int retv;
  1118. size_t size;
  1119. RAW_EXTENSION *ticketext;
  1120. *ret = NULL;
  1121. s->ext.ticket_expected = 0;
  1122. /*
  1123. * If tickets disabled or not supported by the protocol version
  1124. * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
  1125. * resumption.
  1126. */
  1127. if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
  1128. return SSL_TICKET_NONE;
  1129. ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
  1130. if (!ticketext->present)
  1131. return SSL_TICKET_NONE;
  1132. size = PACKET_remaining(&ticketext->data);
  1133. if (size == 0) {
  1134. /*
  1135. * The client will accept a ticket but doesn't currently have
  1136. * one.
  1137. */
  1138. s->ext.ticket_expected = 1;
  1139. return SSL_TICKET_EMPTY;
  1140. }
  1141. if (s->ext.session_secret_cb) {
  1142. /*
  1143. * Indicate that the ticket couldn't be decrypted rather than
  1144. * generating the session from ticket now, trigger
  1145. * abbreviated handshake based on external mechanism to
  1146. * calculate the master secret later.
  1147. */
  1148. return SSL_TICKET_NO_DECRYPT;
  1149. }
  1150. retv = tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
  1151. hello->session_id, hello->session_id_len, ret);
  1152. /*
  1153. * If set, the decrypt_ticket_cb() is always called regardless of the
  1154. * return from tls_decrypt_ticket(). The callback is responsible for
  1155. * checking |retv| before it performs any action
  1156. */
  1157. if (s->session_ctx->decrypt_ticket_cb != NULL) {
  1158. size_t keyname_len = size;
  1159. if (keyname_len > TLSEXT_KEYNAME_LENGTH)
  1160. keyname_len = TLSEXT_KEYNAME_LENGTH;
  1161. retv = s->session_ctx->decrypt_ticket_cb(s, *ret,
  1162. PACKET_data(&ticketext->data),
  1163. keyname_len,
  1164. retv, s->session_ctx->ticket_cb_data);
  1165. }
  1166. switch (retv) {
  1167. case SSL_TICKET_NO_DECRYPT:
  1168. s->ext.ticket_expected = 1;
  1169. return SSL_TICKET_NO_DECRYPT;
  1170. case SSL_TICKET_SUCCESS:
  1171. return SSL_TICKET_SUCCESS;
  1172. case SSL_TICKET_SUCCESS_RENEW:
  1173. s->ext.ticket_expected = 1;
  1174. return SSL_TICKET_SUCCESS;
  1175. case SSL_TICKET_EMPTY:
  1176. s->ext.ticket_expected = 1;
  1177. return SSL_TICKET_EMPTY;
  1178. case SSL_TICKET_NONE:
  1179. return SSL_TICKET_NONE;
  1180. default:
  1181. return SSL_TICKET_FATAL_ERR_OTHER;
  1182. }
  1183. }
  1184. /*-
  1185. * tls_decrypt_ticket attempts to decrypt a session ticket.
  1186. *
  1187. * etick: points to the body of the session ticket extension.
  1188. * eticklen: the length of the session tickets extension.
  1189. * sess_id: points at the session ID.
  1190. * sesslen: the length of the session ID.
  1191. * psess: (output) on return, if a ticket was decrypted, then this is set to
  1192. * point to the resulting session.
  1193. */
  1194. SSL_TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,
  1195. size_t eticklen, const unsigned char *sess_id,
  1196. size_t sesslen, SSL_SESSION **psess)
  1197. {
  1198. SSL_SESSION *sess;
  1199. unsigned char *sdec;
  1200. const unsigned char *p;
  1201. int slen, renew_ticket = 0, declen;
  1202. SSL_TICKET_RETURN ret = SSL_TICKET_FATAL_ERR_OTHER;
  1203. size_t mlen;
  1204. unsigned char tick_hmac[EVP_MAX_MD_SIZE];
  1205. HMAC_CTX *hctx = NULL;
  1206. EVP_CIPHER_CTX *ctx = NULL;
  1207. SSL_CTX *tctx = s->session_ctx;
  1208. /* Need at least keyname + iv */
  1209. if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
  1210. ret = SSL_TICKET_NO_DECRYPT;
  1211. goto err;
  1212. }
  1213. /* Initialize session ticket encryption and HMAC contexts */
  1214. hctx = HMAC_CTX_new();
  1215. if (hctx == NULL)
  1216. return SSL_TICKET_FATAL_ERR_MALLOC;
  1217. ctx = EVP_CIPHER_CTX_new();
  1218. if (ctx == NULL) {
  1219. ret = SSL_TICKET_FATAL_ERR_MALLOC;
  1220. goto err;
  1221. }
  1222. if (tctx->ext.ticket_key_cb) {
  1223. unsigned char *nctick = (unsigned char *)etick;
  1224. int rv = tctx->ext.ticket_key_cb(s, nctick,
  1225. nctick + TLSEXT_KEYNAME_LENGTH,
  1226. ctx, hctx, 0);
  1227. if (rv < 0)
  1228. goto err;
  1229. if (rv == 0) {
  1230. ret = SSL_TICKET_NO_DECRYPT;
  1231. goto err;
  1232. }
  1233. if (rv == 2)
  1234. renew_ticket = 1;
  1235. } else {
  1236. /* Check key name matches */
  1237. if (memcmp(etick, tctx->ext.tick_key_name,
  1238. TLSEXT_KEYNAME_LENGTH) != 0) {
  1239. ret = SSL_TICKET_NO_DECRYPT;
  1240. goto err;
  1241. }
  1242. if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
  1243. sizeof(tctx->ext.secure->tick_hmac_key),
  1244. EVP_sha256(), NULL) <= 0
  1245. || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
  1246. tctx->ext.secure->tick_aes_key,
  1247. etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
  1248. goto err;
  1249. }
  1250. }
  1251. /*
  1252. * Attempt to process session ticket, first conduct sanity and integrity
  1253. * checks on ticket.
  1254. */
  1255. mlen = HMAC_size(hctx);
  1256. if (mlen == 0) {
  1257. goto err;
  1258. }
  1259. /* Sanity check ticket length: must exceed keyname + IV + HMAC */
  1260. if (eticklen <=
  1261. TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
  1262. ret = SSL_TICKET_NO_DECRYPT;
  1263. goto err;
  1264. }
  1265. eticklen -= mlen;
  1266. /* Check HMAC of encrypted ticket */
  1267. if (HMAC_Update(hctx, etick, eticklen) <= 0
  1268. || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
  1269. goto err;
  1270. }
  1271. HMAC_CTX_free(hctx);
  1272. if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
  1273. EVP_CIPHER_CTX_free(ctx);
  1274. return SSL_TICKET_NO_DECRYPT;
  1275. }
  1276. /* Attempt to decrypt session data */
  1277. /* Move p after IV to start of encrypted ticket, update length */
  1278. p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
  1279. eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
  1280. sdec = OPENSSL_malloc(eticklen);
  1281. if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
  1282. (int)eticklen) <= 0) {
  1283. EVP_CIPHER_CTX_free(ctx);
  1284. OPENSSL_free(sdec);
  1285. return SSL_TICKET_FATAL_ERR_OTHER;
  1286. }
  1287. if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
  1288. EVP_CIPHER_CTX_free(ctx);
  1289. OPENSSL_free(sdec);
  1290. return SSL_TICKET_NO_DECRYPT;
  1291. }
  1292. slen += declen;
  1293. EVP_CIPHER_CTX_free(ctx);
  1294. ctx = NULL;
  1295. p = sdec;
  1296. sess = d2i_SSL_SESSION(NULL, &p, slen);
  1297. slen -= p - sdec;
  1298. OPENSSL_free(sdec);
  1299. if (sess) {
  1300. /* Some additional consistency checks */
  1301. if (slen != 0) {
  1302. SSL_SESSION_free(sess);
  1303. return SSL_TICKET_NO_DECRYPT;
  1304. }
  1305. /*
  1306. * The session ID, if non-empty, is used by some clients to detect
  1307. * that the ticket has been accepted. So we copy it to the session
  1308. * structure. If it is empty set length to zero as required by
  1309. * standard.
  1310. */
  1311. if (sesslen) {
  1312. memcpy(sess->session_id, sess_id, sesslen);
  1313. sess->session_id_length = sesslen;
  1314. }
  1315. *psess = sess;
  1316. if (renew_ticket)
  1317. return SSL_TICKET_SUCCESS_RENEW;
  1318. else
  1319. return SSL_TICKET_SUCCESS;
  1320. }
  1321. ERR_clear_error();
  1322. /*
  1323. * For session parse failure, indicate that we need to send a new ticket.
  1324. */
  1325. return SSL_TICKET_NO_DECRYPT;
  1326. err:
  1327. EVP_CIPHER_CTX_free(ctx);
  1328. HMAC_CTX_free(hctx);
  1329. return ret;
  1330. }
  1331. /* Check to see if a signature algorithm is allowed */
  1332. static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
  1333. {
  1334. unsigned char sigalgstr[2];
  1335. int secbits;
  1336. /* See if sigalgs is recognised and if hash is enabled */
  1337. if (!tls1_lookup_md(lu, NULL))
  1338. return 0;
  1339. /* DSA is not allowed in TLS 1.3 */
  1340. if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
  1341. return 0;
  1342. /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
  1343. if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
  1344. && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
  1345. || lu->hash_idx == SSL_MD_MD5_IDX
  1346. || lu->hash_idx == SSL_MD_SHA224_IDX))
  1347. return 0;
  1348. /* See if public key algorithm allowed */
  1349. if (ssl_cert_is_disabled(lu->sig_idx))
  1350. return 0;
  1351. if (lu->hash == NID_undef)
  1352. return 1;
  1353. /* Security bits: half digest bits */
  1354. secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
  1355. /* Finally see if security callback allows it */
  1356. sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
  1357. sigalgstr[1] = lu->sigalg & 0xff;
  1358. return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
  1359. }
  1360. /*
  1361. * Get a mask of disabled public key algorithms based on supported signature
  1362. * algorithms. For example if no signature algorithm supports RSA then RSA is
  1363. * disabled.
  1364. */
  1365. void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
  1366. {
  1367. const uint16_t *sigalgs;
  1368. size_t i, sigalgslen;
  1369. uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
  1370. /*
  1371. * Go through all signature algorithms seeing if we support any
  1372. * in disabled_mask.
  1373. */
  1374. sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
  1375. for (i = 0; i < sigalgslen; i++, sigalgs++) {
  1376. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
  1377. const SSL_CERT_LOOKUP *clu;
  1378. if (lu == NULL)
  1379. continue;
  1380. clu = ssl_cert_lookup_by_idx(lu->sig_idx);
  1381. if (clu == NULL)
  1382. continue;
  1383. /* If algorithm is disabled see if we can enable it */
  1384. if ((clu->amask & disabled_mask) != 0
  1385. && tls12_sigalg_allowed(s, op, lu))
  1386. disabled_mask &= ~clu->amask;
  1387. }
  1388. *pmask_a |= disabled_mask;
  1389. }
  1390. int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
  1391. const uint16_t *psig, size_t psiglen)
  1392. {
  1393. size_t i;
  1394. int rv = 0;
  1395. for (i = 0; i < psiglen; i++, psig++) {
  1396. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);
  1397. if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
  1398. continue;
  1399. if (!WPACKET_put_bytes_u16(pkt, *psig))
  1400. return 0;
  1401. /*
  1402. * If TLS 1.3 must have at least one valid TLS 1.3 message
  1403. * signing algorithm: i.e. neither RSA nor SHA1/SHA224
  1404. */
  1405. if (rv == 0 && (!SSL_IS_TLS13(s)
  1406. || (lu->sig != EVP_PKEY_RSA
  1407. && lu->hash != NID_sha1
  1408. && lu->hash != NID_sha224)))
  1409. rv = 1;
  1410. }
  1411. if (rv == 0)
  1412. SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
  1413. return rv;
  1414. }
  1415. /* Given preference and allowed sigalgs set shared sigalgs */
  1416. static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
  1417. const uint16_t *pref, size_t preflen,
  1418. const uint16_t *allow, size_t allowlen)
  1419. {
  1420. const uint16_t *ptmp, *atmp;
  1421. size_t i, j, nmatch = 0;
  1422. for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
  1423. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);
  1424. /* Skip disabled hashes or signature algorithms */
  1425. if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
  1426. continue;
  1427. for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
  1428. if (*ptmp == *atmp) {
  1429. nmatch++;
  1430. if (shsig)
  1431. *shsig++ = lu;
  1432. break;
  1433. }
  1434. }
  1435. }
  1436. return nmatch;
  1437. }
  1438. /* Set shared signature algorithms for SSL structures */
  1439. static int tls1_set_shared_sigalgs(SSL *s)
  1440. {
  1441. const uint16_t *pref, *allow, *conf;
  1442. size_t preflen, allowlen, conflen;
  1443. size_t nmatch;
  1444. const SIGALG_LOOKUP **salgs = NULL;
  1445. CERT *c = s->cert;
  1446. unsigned int is_suiteb = tls1_suiteb(s);
  1447. OPENSSL_free(c->shared_sigalgs);
  1448. c->shared_sigalgs = NULL;
  1449. c->shared_sigalgslen = 0;
  1450. /* If client use client signature algorithms if not NULL */
  1451. if (!s->server && c->client_sigalgs && !is_suiteb) {
  1452. conf = c->client_sigalgs;
  1453. conflen = c->client_sigalgslen;
  1454. } else if (c->conf_sigalgs && !is_suiteb) {
  1455. conf = c->conf_sigalgs;
  1456. conflen = c->conf_sigalgslen;
  1457. } else
  1458. conflen = tls12_get_psigalgs(s, 0, &conf);
  1459. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
  1460. pref = conf;
  1461. preflen = conflen;
  1462. allow = s->s3->tmp.peer_sigalgs;
  1463. allowlen = s->s3->tmp.peer_sigalgslen;
  1464. } else {
  1465. allow = conf;
  1466. allowlen = conflen;
  1467. pref = s->s3->tmp.peer_sigalgs;
  1468. preflen = s->s3->tmp.peer_sigalgslen;
  1469. }
  1470. nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
  1471. if (nmatch) {
  1472. salgs = OPENSSL_malloc(nmatch * sizeof(*salgs));
  1473. if (salgs == NULL)
  1474. return 0;
  1475. nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
  1476. } else {
  1477. salgs = NULL;
  1478. }
  1479. c->shared_sigalgs = salgs;
  1480. c->shared_sigalgslen = nmatch;
  1481. return 1;
  1482. }
  1483. int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
  1484. {
  1485. unsigned int stmp;
  1486. size_t size, i;
  1487. uint16_t *buf;
  1488. size = PACKET_remaining(pkt);
  1489. /* Invalid data length */
  1490. if (size == 0 || (size & 1) != 0)
  1491. return 0;
  1492. size >>= 1;
  1493. buf = OPENSSL_malloc(size * sizeof(*buf));
  1494. if (buf == NULL)
  1495. return 0;
  1496. for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
  1497. buf[i] = stmp;
  1498. if (i != size) {
  1499. OPENSSL_free(buf);
  1500. return 0;
  1501. }
  1502. OPENSSL_free(*pdest);
  1503. *pdest = buf;
  1504. *pdestlen = size;
  1505. return 1;
  1506. }
  1507. int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert)
  1508. {
  1509. /* Extension ignored for inappropriate versions */
  1510. if (!SSL_USE_SIGALGS(s))
  1511. return 1;
  1512. /* Should never happen */
  1513. if (s->cert == NULL)
  1514. return 0;
  1515. if (cert)
  1516. return tls1_save_u16(pkt, &s->s3->tmp.peer_cert_sigalgs,
  1517. &s->s3->tmp.peer_cert_sigalgslen);
  1518. else
  1519. return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs,
  1520. &s->s3->tmp.peer_sigalgslen);
  1521. }
  1522. /* Set preferred digest for each key type */
  1523. int tls1_process_sigalgs(SSL *s)
  1524. {
  1525. size_t i;
  1526. uint32_t *pvalid = s->s3->tmp.valid_flags;
  1527. CERT *c = s->cert;
  1528. if (!tls1_set_shared_sigalgs(s))
  1529. return 0;
  1530. for (i = 0; i < SSL_PKEY_NUM; i++)
  1531. pvalid[i] = 0;
  1532. for (i = 0; i < c->shared_sigalgslen; i++) {
  1533. const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
  1534. int idx = sigptr->sig_idx;
  1535. /* Ignore PKCS1 based sig algs in TLSv1.3 */
  1536. if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
  1537. continue;
  1538. /* If not disabled indicate we can explicitly sign */
  1539. if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx))
  1540. pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
  1541. }
  1542. return 1;
  1543. }
  1544. int SSL_get_sigalgs(SSL *s, int idx,
  1545. int *psign, int *phash, int *psignhash,
  1546. unsigned char *rsig, unsigned char *rhash)
  1547. {
  1548. uint16_t *psig = s->s3->tmp.peer_sigalgs;
  1549. size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
  1550. if (psig == NULL || numsigalgs > INT_MAX)
  1551. return 0;
  1552. if (idx >= 0) {
  1553. const SIGALG_LOOKUP *lu;
  1554. if (idx >= (int)numsigalgs)
  1555. return 0;
  1556. psig += idx;
  1557. if (rhash != NULL)
  1558. *rhash = (unsigned char)((*psig >> 8) & 0xff);
  1559. if (rsig != NULL)
  1560. *rsig = (unsigned char)(*psig & 0xff);
  1561. lu = tls1_lookup_sigalg(*psig);
  1562. if (psign != NULL)
  1563. *psign = lu != NULL ? lu->sig : NID_undef;
  1564. if (phash != NULL)
  1565. *phash = lu != NULL ? lu->hash : NID_undef;
  1566. if (psignhash != NULL)
  1567. *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
  1568. }
  1569. return (int)numsigalgs;
  1570. }
  1571. int SSL_get_shared_sigalgs(SSL *s, int idx,
  1572. int *psign, int *phash, int *psignhash,
  1573. unsigned char *rsig, unsigned char *rhash)
  1574. {
  1575. const SIGALG_LOOKUP *shsigalgs;
  1576. if (s->cert->shared_sigalgs == NULL
  1577. || idx < 0
  1578. || idx >= (int)s->cert->shared_sigalgslen
  1579. || s->cert->shared_sigalgslen > INT_MAX)
  1580. return 0;
  1581. shsigalgs = s->cert->shared_sigalgs[idx];
  1582. if (phash != NULL)
  1583. *phash = shsigalgs->hash;
  1584. if (psign != NULL)
  1585. *psign = shsigalgs->sig;
  1586. if (psignhash != NULL)
  1587. *psignhash = shsigalgs->sigandhash;
  1588. if (rsig != NULL)
  1589. *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
  1590. if (rhash != NULL)
  1591. *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
  1592. return (int)s->cert->shared_sigalgslen;
  1593. }
  1594. /* Maximum possible number of unique entries in sigalgs array */
  1595. #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
  1596. typedef struct {
  1597. size_t sigalgcnt;
  1598. /* TLSEXT_SIGALG_XXX values */
  1599. uint16_t sigalgs[TLS_MAX_SIGALGCNT];
  1600. } sig_cb_st;
  1601. static void get_sigorhash(int *psig, int *phash, const char *str)
  1602. {
  1603. if (strcmp(str, "RSA") == 0) {
  1604. *psig = EVP_PKEY_RSA;
  1605. } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
  1606. *psig = EVP_PKEY_RSA_PSS;
  1607. } else if (strcmp(str, "DSA") == 0) {
  1608. *psig = EVP_PKEY_DSA;
  1609. } else if (strcmp(str, "ECDSA") == 0) {
  1610. *psig = EVP_PKEY_EC;
  1611. } else {
  1612. *phash = OBJ_sn2nid(str);
  1613. if (*phash == NID_undef)
  1614. *phash = OBJ_ln2nid(str);
  1615. }
  1616. }
  1617. /* Maximum length of a signature algorithm string component */
  1618. #define TLS_MAX_SIGSTRING_LEN 40
  1619. static int sig_cb(const char *elem, int len, void *arg)
  1620. {
  1621. sig_cb_st *sarg = arg;
  1622. size_t i;
  1623. const SIGALG_LOOKUP *s;
  1624. char etmp[TLS_MAX_SIGSTRING_LEN], *p;
  1625. int sig_alg = NID_undef, hash_alg = NID_undef;
  1626. if (elem == NULL)
  1627. return 0;
  1628. if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
  1629. return 0;
  1630. if (len > (int)(sizeof(etmp) - 1))
  1631. return 0;
  1632. memcpy(etmp, elem, len);
  1633. etmp[len] = 0;
  1634. p = strchr(etmp, '+');
  1635. /*
  1636. * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
  1637. * if there's no '+' in the provided name, look for the new-style combined
  1638. * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP.
  1639. * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
  1640. * rsa_pss_rsae_* that differ only by public key OID; in such cases
  1641. * we will pick the _rsae_ variant, by virtue of them appearing earlier
  1642. * in the table.
  1643. */
  1644. if (p == NULL) {
  1645. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  1646. i++, s++) {
  1647. if (s->name != NULL && strcmp(etmp, s->name) == 0) {
  1648. sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
  1649. break;
  1650. }
  1651. }
  1652. if (i == OSSL_NELEM(sigalg_lookup_tbl))
  1653. return 0;
  1654. } else {
  1655. *p = 0;
  1656. p++;
  1657. if (*p == 0)
  1658. return 0;
  1659. get_sigorhash(&sig_alg, &hash_alg, etmp);
  1660. get_sigorhash(&sig_alg, &hash_alg, p);
  1661. if (sig_alg == NID_undef || hash_alg == NID_undef)
  1662. return 0;
  1663. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  1664. i++, s++) {
  1665. if (s->hash == hash_alg && s->sig == sig_alg) {
  1666. sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
  1667. break;
  1668. }
  1669. }
  1670. if (i == OSSL_NELEM(sigalg_lookup_tbl))
  1671. return 0;
  1672. }
  1673. /* Reject duplicates */
  1674. for (i = 0; i < sarg->sigalgcnt - 1; i++) {
  1675. if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
  1676. sarg->sigalgcnt--;
  1677. return 0;
  1678. }
  1679. }
  1680. return 1;
  1681. }
  1682. /*
  1683. * Set supported signature algorithms based on a colon separated list of the
  1684. * form sig+hash e.g. RSA+SHA512:DSA+SHA512
  1685. */
  1686. int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
  1687. {
  1688. sig_cb_st sig;
  1689. sig.sigalgcnt = 0;
  1690. if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
  1691. return 0;
  1692. if (c == NULL)
  1693. return 1;
  1694. return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
  1695. }
  1696. int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
  1697. int client)
  1698. {
  1699. uint16_t *sigalgs;
  1700. sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs));
  1701. if (sigalgs == NULL)
  1702. return 0;
  1703. memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));
  1704. if (client) {
  1705. OPENSSL_free(c->client_sigalgs);
  1706. c->client_sigalgs = sigalgs;
  1707. c->client_sigalgslen = salglen;
  1708. } else {
  1709. OPENSSL_free(c->conf_sigalgs);
  1710. c->conf_sigalgs = sigalgs;
  1711. c->conf_sigalgslen = salglen;
  1712. }
  1713. return 1;
  1714. }
  1715. int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
  1716. {
  1717. uint16_t *sigalgs, *sptr;
  1718. size_t i;
  1719. if (salglen & 1)
  1720. return 0;
  1721. sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs));
  1722. if (sigalgs == NULL)
  1723. return 0;
  1724. for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
  1725. size_t j;
  1726. const SIGALG_LOOKUP *curr;
  1727. int md_id = *psig_nids++;
  1728. int sig_id = *psig_nids++;
  1729. for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
  1730. j++, curr++) {
  1731. if (curr->hash == md_id && curr->sig == sig_id) {
  1732. *sptr++ = curr->sigalg;
  1733. break;
  1734. }
  1735. }
  1736. if (j == OSSL_NELEM(sigalg_lookup_tbl))
  1737. goto err;
  1738. }
  1739. if (client) {
  1740. OPENSSL_free(c->client_sigalgs);
  1741. c->client_sigalgs = sigalgs;
  1742. c->client_sigalgslen = salglen / 2;
  1743. } else {
  1744. OPENSSL_free(c->conf_sigalgs);
  1745. c->conf_sigalgs = sigalgs;
  1746. c->conf_sigalgslen = salglen / 2;
  1747. }
  1748. return 1;
  1749. err:
  1750. OPENSSL_free(sigalgs);
  1751. return 0;
  1752. }
  1753. static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
  1754. {
  1755. int sig_nid;
  1756. size_t i;
  1757. if (default_nid == -1)
  1758. return 1;
  1759. sig_nid = X509_get_signature_nid(x);
  1760. if (default_nid)
  1761. return sig_nid == default_nid ? 1 : 0;
  1762. for (i = 0; i < c->shared_sigalgslen; i++)
  1763. if (sig_nid == c->shared_sigalgs[i]->sigandhash)
  1764. return 1;
  1765. return 0;
  1766. }
  1767. /* Check to see if a certificate issuer name matches list of CA names */
  1768. static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
  1769. {
  1770. X509_NAME *nm;
  1771. int i;
  1772. nm = X509_get_issuer_name(x);
  1773. for (i = 0; i < sk_X509_NAME_num(names); i++) {
  1774. if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
  1775. return 1;
  1776. }
  1777. return 0;
  1778. }
  1779. /*
  1780. * Check certificate chain is consistent with TLS extensions and is usable by
  1781. * server. This servers two purposes: it allows users to check chains before
  1782. * passing them to the server and it allows the server to check chains before
  1783. * attempting to use them.
  1784. */
  1785. /* Flags which need to be set for a certificate when strict mode not set */
  1786. #define CERT_PKEY_VALID_FLAGS \
  1787. (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
  1788. /* Strict mode flags */
  1789. #define CERT_PKEY_STRICT_FLAGS \
  1790. (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
  1791. | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
  1792. int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
  1793. int idx)
  1794. {
  1795. int i;
  1796. int rv = 0;
  1797. int check_flags = 0, strict_mode;
  1798. CERT_PKEY *cpk = NULL;
  1799. CERT *c = s->cert;
  1800. uint32_t *pvalid;
  1801. unsigned int suiteb_flags = tls1_suiteb(s);
  1802. /* idx == -1 means checking server chains */
  1803. if (idx != -1) {
  1804. /* idx == -2 means checking client certificate chains */
  1805. if (idx == -2) {
  1806. cpk = c->key;
  1807. idx = (int)(cpk - c->pkeys);
  1808. } else
  1809. cpk = c->pkeys + idx;
  1810. pvalid = s->s3->tmp.valid_flags + idx;
  1811. x = cpk->x509;
  1812. pk = cpk->privatekey;
  1813. chain = cpk->chain;
  1814. strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
  1815. /* If no cert or key, forget it */
  1816. if (!x || !pk)
  1817. goto end;
  1818. } else {
  1819. size_t certidx;
  1820. if (!x || !pk)
  1821. return 0;
  1822. if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
  1823. return 0;
  1824. idx = certidx;
  1825. pvalid = s->s3->tmp.valid_flags + idx;
  1826. if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
  1827. check_flags = CERT_PKEY_STRICT_FLAGS;
  1828. else
  1829. check_flags = CERT_PKEY_VALID_FLAGS;
  1830. strict_mode = 1;
  1831. }
  1832. if (suiteb_flags) {
  1833. int ok;
  1834. if (check_flags)
  1835. check_flags |= CERT_PKEY_SUITEB;
  1836. ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
  1837. if (ok == X509_V_OK)
  1838. rv |= CERT_PKEY_SUITEB;
  1839. else if (!check_flags)
  1840. goto end;
  1841. }
  1842. /*
  1843. * Check all signature algorithms are consistent with signature
  1844. * algorithms extension if TLS 1.2 or later and strict mode.
  1845. */
  1846. if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
  1847. int default_nid;
  1848. int rsign = 0;
  1849. if (s->s3->tmp.peer_cert_sigalgs != NULL
  1850. || s->s3->tmp.peer_sigalgs != NULL) {
  1851. default_nid = 0;
  1852. /* If no sigalgs extension use defaults from RFC5246 */
  1853. } else {
  1854. switch (idx) {
  1855. case SSL_PKEY_RSA:
  1856. rsign = EVP_PKEY_RSA;
  1857. default_nid = NID_sha1WithRSAEncryption;
  1858. break;
  1859. case SSL_PKEY_DSA_SIGN:
  1860. rsign = EVP_PKEY_DSA;
  1861. default_nid = NID_dsaWithSHA1;
  1862. break;
  1863. case SSL_PKEY_ECC:
  1864. rsign = EVP_PKEY_EC;
  1865. default_nid = NID_ecdsa_with_SHA1;
  1866. break;
  1867. case SSL_PKEY_GOST01:
  1868. rsign = NID_id_GostR3410_2001;
  1869. default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
  1870. break;
  1871. case SSL_PKEY_GOST12_256:
  1872. rsign = NID_id_GostR3410_2012_256;
  1873. default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
  1874. break;
  1875. case SSL_PKEY_GOST12_512:
  1876. rsign = NID_id_GostR3410_2012_512;
  1877. default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
  1878. break;
  1879. default:
  1880. default_nid = -1;
  1881. break;
  1882. }
  1883. }
  1884. /*
  1885. * If peer sent no signature algorithms extension and we have set
  1886. * preferred signature algorithms check we support sha1.
  1887. */
  1888. if (default_nid > 0 && c->conf_sigalgs) {
  1889. size_t j;
  1890. const uint16_t *p = c->conf_sigalgs;
  1891. for (j = 0; j < c->conf_sigalgslen; j++, p++) {
  1892. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);
  1893. if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
  1894. break;
  1895. }
  1896. if (j == c->conf_sigalgslen) {
  1897. if (check_flags)
  1898. goto skip_sigs;
  1899. else
  1900. goto end;
  1901. }
  1902. }
  1903. /* Check signature algorithm of each cert in chain */
  1904. if (!tls1_check_sig_alg(c, x, default_nid)) {
  1905. if (!check_flags)
  1906. goto end;
  1907. } else
  1908. rv |= CERT_PKEY_EE_SIGNATURE;
  1909. rv |= CERT_PKEY_CA_SIGNATURE;
  1910. for (i = 0; i < sk_X509_num(chain); i++) {
  1911. if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
  1912. if (check_flags) {
  1913. rv &= ~CERT_PKEY_CA_SIGNATURE;
  1914. break;
  1915. } else
  1916. goto end;
  1917. }
  1918. }
  1919. }
  1920. /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
  1921. else if (check_flags)
  1922. rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
  1923. skip_sigs:
  1924. /* Check cert parameters are consistent */
  1925. if (tls1_check_cert_param(s, x, 1))
  1926. rv |= CERT_PKEY_EE_PARAM;
  1927. else if (!check_flags)
  1928. goto end;
  1929. if (!s->server)
  1930. rv |= CERT_PKEY_CA_PARAM;
  1931. /* In strict mode check rest of chain too */
  1932. else if (strict_mode) {
  1933. rv |= CERT_PKEY_CA_PARAM;
  1934. for (i = 0; i < sk_X509_num(chain); i++) {
  1935. X509 *ca = sk_X509_value(chain, i);
  1936. if (!tls1_check_cert_param(s, ca, 0)) {
  1937. if (check_flags) {
  1938. rv &= ~CERT_PKEY_CA_PARAM;
  1939. break;
  1940. } else
  1941. goto end;
  1942. }
  1943. }
  1944. }
  1945. if (!s->server && strict_mode) {
  1946. STACK_OF(X509_NAME) *ca_dn;
  1947. int check_type = 0;
  1948. switch (EVP_PKEY_id(pk)) {
  1949. case EVP_PKEY_RSA:
  1950. check_type = TLS_CT_RSA_SIGN;
  1951. break;
  1952. case EVP_PKEY_DSA:
  1953. check_type = TLS_CT_DSS_SIGN;
  1954. break;
  1955. case EVP_PKEY_EC:
  1956. check_type = TLS_CT_ECDSA_SIGN;
  1957. break;
  1958. }
  1959. if (check_type) {
  1960. const uint8_t *ctypes = s->s3->tmp.ctype;
  1961. size_t j;
  1962. for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
  1963. if (*ctypes == check_type) {
  1964. rv |= CERT_PKEY_CERT_TYPE;
  1965. break;
  1966. }
  1967. }
  1968. if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
  1969. goto end;
  1970. } else {
  1971. rv |= CERT_PKEY_CERT_TYPE;
  1972. }
  1973. ca_dn = s->s3->tmp.peer_ca_names;
  1974. if (!sk_X509_NAME_num(ca_dn))
  1975. rv |= CERT_PKEY_ISSUER_NAME;
  1976. if (!(rv & CERT_PKEY_ISSUER_NAME)) {
  1977. if (ssl_check_ca_name(ca_dn, x))
  1978. rv |= CERT_PKEY_ISSUER_NAME;
  1979. }
  1980. if (!(rv & CERT_PKEY_ISSUER_NAME)) {
  1981. for (i = 0; i < sk_X509_num(chain); i++) {
  1982. X509 *xtmp = sk_X509_value(chain, i);
  1983. if (ssl_check_ca_name(ca_dn, xtmp)) {
  1984. rv |= CERT_PKEY_ISSUER_NAME;
  1985. break;
  1986. }
  1987. }
  1988. }
  1989. if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
  1990. goto end;
  1991. } else
  1992. rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
  1993. if (!check_flags || (rv & check_flags) == check_flags)
  1994. rv |= CERT_PKEY_VALID;
  1995. end:
  1996. if (TLS1_get_version(s) >= TLS1_2_VERSION)
  1997. rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
  1998. else
  1999. rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
  2000. /*
  2001. * When checking a CERT_PKEY structure all flags are irrelevant if the
  2002. * chain is invalid.
  2003. */
  2004. if (!check_flags) {
  2005. if (rv & CERT_PKEY_VALID) {
  2006. *pvalid = rv;
  2007. } else {
  2008. /* Preserve sign and explicit sign flag, clear rest */
  2009. *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
  2010. return 0;
  2011. }
  2012. }
  2013. return rv;
  2014. }
  2015. /* Set validity of certificates in an SSL structure */
  2016. void tls1_set_cert_validity(SSL *s)
  2017. {
  2018. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
  2019. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
  2020. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
  2021. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
  2022. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
  2023. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
  2024. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
  2025. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
  2026. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
  2027. }
  2028. /* User level utility function to check a chain is suitable */
  2029. int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  2030. {
  2031. return tls1_check_chain(s, x, pk, chain, -1);
  2032. }
  2033. #ifndef OPENSSL_NO_DH
  2034. DH *ssl_get_auto_dh(SSL *s)
  2035. {
  2036. int dh_secbits = 80;
  2037. if (s->cert->dh_tmp_auto == 2)
  2038. return DH_get_1024_160();
  2039. if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
  2040. if (s->s3->tmp.new_cipher->strength_bits == 256)
  2041. dh_secbits = 128;
  2042. else
  2043. dh_secbits = 80;
  2044. } else {
  2045. if (s->s3->tmp.cert == NULL)
  2046. return NULL;
  2047. dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
  2048. }
  2049. if (dh_secbits >= 128) {
  2050. DH *dhp = DH_new();
  2051. BIGNUM *p, *g;
  2052. if (dhp == NULL)
  2053. return NULL;
  2054. g = BN_new();
  2055. if (g != NULL)
  2056. BN_set_word(g, 2);
  2057. if (dh_secbits >= 192)
  2058. p = BN_get_rfc3526_prime_8192(NULL);
  2059. else
  2060. p = BN_get_rfc3526_prime_3072(NULL);
  2061. if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
  2062. DH_free(dhp);
  2063. BN_free(p);
  2064. BN_free(g);
  2065. return NULL;
  2066. }
  2067. return dhp;
  2068. }
  2069. if (dh_secbits >= 112)
  2070. return DH_get_2048_224();
  2071. return DH_get_1024_160();
  2072. }
  2073. #endif
  2074. static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  2075. {
  2076. int secbits = -1;
  2077. EVP_PKEY *pkey = X509_get0_pubkey(x);
  2078. if (pkey) {
  2079. /*
  2080. * If no parameters this will return -1 and fail using the default
  2081. * security callback for any non-zero security level. This will
  2082. * reject keys which omit parameters but this only affects DSA and
  2083. * omission of parameters is never (?) done in practice.
  2084. */
  2085. secbits = EVP_PKEY_security_bits(pkey);
  2086. }
  2087. if (s)
  2088. return ssl_security(s, op, secbits, 0, x);
  2089. else
  2090. return ssl_ctx_security(ctx, op, secbits, 0, x);
  2091. }
  2092. static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  2093. {
  2094. /* Lookup signature algorithm digest */
  2095. int secbits, nid, pknid;
  2096. /* Don't check signature if self signed */
  2097. if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
  2098. return 1;
  2099. if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
  2100. secbits = -1;
  2101. /* If digest NID not defined use signature NID */
  2102. if (nid == NID_undef)
  2103. nid = pknid;
  2104. if (s)
  2105. return ssl_security(s, op, secbits, nid, x);
  2106. else
  2107. return ssl_ctx_security(ctx, op, secbits, nid, x);
  2108. }
  2109. int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
  2110. {
  2111. if (vfy)
  2112. vfy = SSL_SECOP_PEER;
  2113. if (is_ee) {
  2114. if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
  2115. return SSL_R_EE_KEY_TOO_SMALL;
  2116. } else {
  2117. if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
  2118. return SSL_R_CA_KEY_TOO_SMALL;
  2119. }
  2120. if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
  2121. return SSL_R_CA_MD_TOO_WEAK;
  2122. return 1;
  2123. }
  2124. /*
  2125. * Check security of a chain, if |sk| includes the end entity certificate then
  2126. * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
  2127. * one to the peer. Return values: 1 if ok otherwise error code to use
  2128. */
  2129. int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
  2130. {
  2131. int rv, start_idx, i;
  2132. if (x == NULL) {
  2133. x = sk_X509_value(sk, 0);
  2134. start_idx = 1;
  2135. } else
  2136. start_idx = 0;
  2137. rv = ssl_security_cert(s, NULL, x, vfy, 1);
  2138. if (rv != 1)
  2139. return rv;
  2140. for (i = start_idx; i < sk_X509_num(sk); i++) {
  2141. x = sk_X509_value(sk, i);
  2142. rv = ssl_security_cert(s, NULL, x, vfy, 0);
  2143. if (rv != 1)
  2144. return rv;
  2145. }
  2146. return 1;
  2147. }
  2148. /*
  2149. * For TLS 1.2 servers check if we have a certificate which can be used
  2150. * with the signature algorithm "lu" and return index of certificate.
  2151. */
  2152. static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
  2153. {
  2154. int sig_idx = lu->sig_idx;
  2155. const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
  2156. /* If not recognised or not supported by cipher mask it is not suitable */
  2157. if (clu == NULL || !(clu->amask & s->s3->tmp.new_cipher->algorithm_auth))
  2158. return -1;
  2159. return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
  2160. }
  2161. /*
  2162. * Returns true if |s| has a usable certificate configured for use
  2163. * with signature scheme |sig|.
  2164. * "Usable" includes a check for presence as well as applying
  2165. * the signature_algorithm_cert restrictions sent by the peer (if any).
  2166. * Returns false if no usable certificate is found.
  2167. */
  2168. static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
  2169. {
  2170. const SIGALG_LOOKUP *lu;
  2171. int mdnid, pknid;
  2172. size_t i;
  2173. /* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */
  2174. if (idx == -1)
  2175. idx = sig->sig_idx;
  2176. if (!ssl_has_cert(s, idx))
  2177. return 0;
  2178. if (s->s3->tmp.peer_cert_sigalgs != NULL) {
  2179. for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
  2180. lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
  2181. if (lu == NULL
  2182. || !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid,
  2183. &pknid, NULL, NULL))
  2184. continue;
  2185. /*
  2186. * TODO this does not differentiate between the
  2187. * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
  2188. * have a chain here that lets us look at the key OID in the
  2189. * signing certificate.
  2190. */
  2191. if (mdnid == lu->hash && pknid == lu->sig)
  2192. return 1;
  2193. }
  2194. return 0;
  2195. }
  2196. return 1;
  2197. }
  2198. /*
  2199. * Choose an appropriate signature algorithm based on available certificates
  2200. * Sets chosen certificate and signature algorithm.
  2201. *
  2202. * For servers if we fail to find a required certificate it is a fatal error,
  2203. * an appropriate error code is set and a TLS alert is sent.
  2204. *
  2205. * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
  2206. * a fatal error: we will either try another certificate or not present one
  2207. * to the server. In this case no error is set.
  2208. */
  2209. int tls_choose_sigalg(SSL *s, int fatalerrs)
  2210. {
  2211. const SIGALG_LOOKUP *lu = NULL;
  2212. int sig_idx = -1;
  2213. s->s3->tmp.cert = NULL;
  2214. s->s3->tmp.sigalg = NULL;
  2215. if (SSL_IS_TLS13(s)) {
  2216. size_t i;
  2217. #ifndef OPENSSL_NO_EC
  2218. int curve = -1, skip_ec = 0;
  2219. #endif
  2220. /* Look for a certificate matching shared sigalgs */
  2221. for (i = 0; i < s->cert->shared_sigalgslen; i++) {
  2222. lu = s->cert->shared_sigalgs[i];
  2223. sig_idx = -1;
  2224. /* Skip SHA1, SHA224, DSA and RSA if not PSS */
  2225. if (lu->hash == NID_sha1
  2226. || lu->hash == NID_sha224
  2227. || lu->sig == EVP_PKEY_DSA
  2228. || lu->sig == EVP_PKEY_RSA)
  2229. continue;
  2230. /* Check that we have a cert, and signature_algorithms_cert */
  2231. if (!tls1_lookup_md(lu, NULL) || !has_usable_cert(s, lu, -1))
  2232. continue;
  2233. if (lu->sig == EVP_PKEY_EC) {
  2234. #ifndef OPENSSL_NO_EC
  2235. if (curve == -1) {
  2236. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
  2237. curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  2238. if (EC_KEY_get_conv_form(ec)
  2239. != POINT_CONVERSION_UNCOMPRESSED)
  2240. skip_ec = 1;
  2241. }
  2242. if (skip_ec || (lu->curve != NID_undef && curve != lu->curve))
  2243. continue;
  2244. #else
  2245. continue;
  2246. #endif
  2247. } else if (lu->sig == EVP_PKEY_RSA_PSS) {
  2248. /* validate that key is large enough for the signature algorithm */
  2249. EVP_PKEY *pkey;
  2250. pkey = s->cert->pkeys[lu->sig_idx].privatekey;
  2251. if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
  2252. continue;
  2253. }
  2254. break;
  2255. }
  2256. if (i == s->cert->shared_sigalgslen) {
  2257. if (!fatalerrs)
  2258. return 1;
  2259. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
  2260. SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
  2261. return 0;
  2262. }
  2263. } else {
  2264. /* If ciphersuite doesn't require a cert nothing to do */
  2265. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
  2266. return 1;
  2267. if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
  2268. return 1;
  2269. if (SSL_USE_SIGALGS(s)) {
  2270. size_t i;
  2271. if (s->s3->tmp.peer_sigalgs != NULL) {
  2272. #ifndef OPENSSL_NO_EC
  2273. int curve;
  2274. /* For Suite B need to match signature algorithm to curve */
  2275. if (tls1_suiteb(s)) {
  2276. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
  2277. curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  2278. } else {
  2279. curve = -1;
  2280. }
  2281. #endif
  2282. /*
  2283. * Find highest preference signature algorithm matching
  2284. * cert type
  2285. */
  2286. for (i = 0; i < s->cert->shared_sigalgslen; i++) {
  2287. lu = s->cert->shared_sigalgs[i];
  2288. if (s->server) {
  2289. if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
  2290. continue;
  2291. } else {
  2292. int cc_idx = s->cert->key - s->cert->pkeys;
  2293. sig_idx = lu->sig_idx;
  2294. if (cc_idx != sig_idx)
  2295. continue;
  2296. }
  2297. /* Check that we have a cert, and sig_algs_cert */
  2298. if (!has_usable_cert(s, lu, sig_idx))
  2299. continue;
  2300. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2301. /* validate that key is large enough for the signature algorithm */
  2302. EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;
  2303. if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
  2304. continue;
  2305. }
  2306. #ifndef OPENSSL_NO_EC
  2307. if (curve == -1 || lu->curve == curve)
  2308. #endif
  2309. break;
  2310. }
  2311. if (i == s->cert->shared_sigalgslen) {
  2312. if (!fatalerrs)
  2313. return 1;
  2314. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2315. ERR_R_INTERNAL_ERROR);
  2316. return 0;
  2317. }
  2318. } else {
  2319. /*
  2320. * If we have no sigalg use defaults
  2321. */
  2322. const uint16_t *sent_sigs;
  2323. size_t sent_sigslen;
  2324. if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
  2325. if (!fatalerrs)
  2326. return 1;
  2327. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2328. ERR_R_INTERNAL_ERROR);
  2329. return 0;
  2330. }
  2331. /* Check signature matches a type we sent */
  2332. sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  2333. for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
  2334. if (lu->sigalg == *sent_sigs
  2335. && has_usable_cert(s, lu, lu->sig_idx))
  2336. break;
  2337. }
  2338. if (i == sent_sigslen) {
  2339. if (!fatalerrs)
  2340. return 1;
  2341. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  2342. SSL_F_TLS_CHOOSE_SIGALG,
  2343. SSL_R_WRONG_SIGNATURE_TYPE);
  2344. return 0;
  2345. }
  2346. }
  2347. } else {
  2348. if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
  2349. if (!fatalerrs)
  2350. return 1;
  2351. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2352. ERR_R_INTERNAL_ERROR);
  2353. return 0;
  2354. }
  2355. }
  2356. }
  2357. if (sig_idx == -1)
  2358. sig_idx = lu->sig_idx;
  2359. s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
  2360. s->cert->key = s->s3->tmp.cert;
  2361. s->s3->tmp.sigalg = lu;
  2362. return 1;
  2363. }
  2364. int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
  2365. {
  2366. if (mode != TLSEXT_max_fragment_length_DISABLED
  2367. && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
  2368. SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
  2369. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  2370. return 0;
  2371. }
  2372. ctx->ext.max_fragment_len_mode = mode;
  2373. return 1;
  2374. }
  2375. int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
  2376. {
  2377. if (mode != TLSEXT_max_fragment_length_DISABLED
  2378. && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
  2379. SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
  2380. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  2381. return 0;
  2382. }
  2383. ssl->ext.max_fragment_len_mode = mode;
  2384. return 1;
  2385. }
  2386. uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
  2387. {
  2388. return session->ext.max_fragment_len_mode;
  2389. }