t1_lib.c 82 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <openssl/objects.h>
  12. #include <openssl/evp.h>
  13. #include <openssl/hmac.h>
  14. #include <openssl/ocsp.h>
  15. #include <openssl/conf.h>
  16. #include <openssl/x509v3.h>
  17. #include <openssl/dh.h>
  18. #include <openssl/bn.h>
  19. #include "internal/nelem.h"
  20. #include "ssl_locl.h"
  21. #include <openssl/ct.h>
  22. SSL3_ENC_METHOD const TLSv1_enc_data = {
  23. tls1_enc,
  24. tls1_mac,
  25. tls1_setup_key_block,
  26. tls1_generate_master_secret,
  27. tls1_change_cipher_state,
  28. tls1_final_finish_mac,
  29. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  30. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  31. tls1_alert_code,
  32. tls1_export_keying_material,
  33. 0,
  34. ssl3_set_handshake_header,
  35. tls_close_construct_packet,
  36. ssl3_handshake_write
  37. };
  38. SSL3_ENC_METHOD const TLSv1_1_enc_data = {
  39. tls1_enc,
  40. tls1_mac,
  41. tls1_setup_key_block,
  42. tls1_generate_master_secret,
  43. tls1_change_cipher_state,
  44. tls1_final_finish_mac,
  45. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  46. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  47. tls1_alert_code,
  48. tls1_export_keying_material,
  49. SSL_ENC_FLAG_EXPLICIT_IV,
  50. ssl3_set_handshake_header,
  51. tls_close_construct_packet,
  52. ssl3_handshake_write
  53. };
  54. SSL3_ENC_METHOD const TLSv1_2_enc_data = {
  55. tls1_enc,
  56. tls1_mac,
  57. tls1_setup_key_block,
  58. tls1_generate_master_secret,
  59. tls1_change_cipher_state,
  60. tls1_final_finish_mac,
  61. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  62. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  63. tls1_alert_code,
  64. tls1_export_keying_material,
  65. SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
  66. | SSL_ENC_FLAG_TLS1_2_CIPHERS,
  67. ssl3_set_handshake_header,
  68. tls_close_construct_packet,
  69. ssl3_handshake_write
  70. };
  71. SSL3_ENC_METHOD const TLSv1_3_enc_data = {
  72. tls13_enc,
  73. tls1_mac,
  74. tls13_setup_key_block,
  75. tls13_generate_master_secret,
  76. tls13_change_cipher_state,
  77. tls13_final_finish_mac,
  78. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  79. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  80. tls13_alert_code,
  81. tls13_export_keying_material,
  82. SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
  83. ssl3_set_handshake_header,
  84. tls_close_construct_packet,
  85. ssl3_handshake_write
  86. };
  87. long tls1_default_timeout(void)
  88. {
  89. /*
  90. * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
  91. * http, the cache would over fill
  92. */
  93. return (60 * 60 * 2);
  94. }
  95. int tls1_new(SSL *s)
  96. {
  97. if (!ssl3_new(s))
  98. return 0;
  99. if (!s->method->ssl_clear(s))
  100. return 0;
  101. return 1;
  102. }
  103. void tls1_free(SSL *s)
  104. {
  105. OPENSSL_free(s->ext.session_ticket);
  106. ssl3_free(s);
  107. }
  108. int tls1_clear(SSL *s)
  109. {
  110. if (!ssl3_clear(s))
  111. return 0;
  112. if (s->method->version == TLS_ANY_VERSION)
  113. s->version = TLS_MAX_VERSION;
  114. else
  115. s->version = s->method->version;
  116. return 1;
  117. }
  118. #ifndef OPENSSL_NO_EC
  119. /*
  120. * Table of curve information.
  121. * Do not delete entries or reorder this array! It is used as a lookup
  122. * table: the index of each entry is one less than the TLS curve id.
  123. */
  124. static const TLS_GROUP_INFO nid_list[] = {
  125. {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
  126. {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
  127. {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
  128. {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
  129. {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
  130. {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
  131. {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
  132. {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
  133. {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
  134. {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
  135. {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
  136. {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
  137. {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
  138. {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
  139. {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
  140. {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
  141. {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
  142. {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
  143. {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
  144. {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
  145. {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
  146. {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
  147. {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
  148. {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
  149. {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
  150. {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
  151. {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
  152. {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
  153. {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
  154. {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
  155. };
  156. static const unsigned char ecformats_default[] = {
  157. TLSEXT_ECPOINTFORMAT_uncompressed,
  158. TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
  159. TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
  160. };
  161. /* The default curves */
  162. static const uint16_t eccurves_default[] = {
  163. 29, /* X25519 (29) */
  164. 23, /* secp256r1 (23) */
  165. 30, /* X448 (30) */
  166. 25, /* secp521r1 (25) */
  167. 24, /* secp384r1 (24) */
  168. };
  169. static const uint16_t suiteb_curves[] = {
  170. TLSEXT_curve_P_256,
  171. TLSEXT_curve_P_384
  172. };
  173. const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
  174. {
  175. /* ECC curves from RFC 4492 and RFC 7027 */
  176. if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
  177. return NULL;
  178. return &nid_list[group_id - 1];
  179. }
  180. static uint16_t tls1_nid2group_id(int nid)
  181. {
  182. size_t i;
  183. for (i = 0; i < OSSL_NELEM(nid_list); i++) {
  184. if (nid_list[i].nid == nid)
  185. return (uint16_t)(i + 1);
  186. }
  187. return 0;
  188. }
  189. /*
  190. * Set *pgroups to the supported groups list and *pgroupslen to
  191. * the number of groups supported.
  192. */
  193. void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
  194. size_t *pgroupslen)
  195. {
  196. /* For Suite B mode only include P-256, P-384 */
  197. switch (tls1_suiteb(s)) {
  198. case SSL_CERT_FLAG_SUITEB_128_LOS:
  199. *pgroups = suiteb_curves;
  200. *pgroupslen = OSSL_NELEM(suiteb_curves);
  201. break;
  202. case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  203. *pgroups = suiteb_curves;
  204. *pgroupslen = 1;
  205. break;
  206. case SSL_CERT_FLAG_SUITEB_192_LOS:
  207. *pgroups = suiteb_curves + 1;
  208. *pgroupslen = 1;
  209. break;
  210. default:
  211. if (s->ext.supportedgroups == NULL) {
  212. *pgroups = eccurves_default;
  213. *pgroupslen = OSSL_NELEM(eccurves_default);
  214. } else {
  215. *pgroups = s->ext.supportedgroups;
  216. *pgroupslen = s->ext.supportedgroups_len;
  217. }
  218. break;
  219. }
  220. }
  221. /* See if curve is allowed by security callback */
  222. int tls_curve_allowed(SSL *s, uint16_t curve, int op)
  223. {
  224. const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
  225. unsigned char ctmp[2];
  226. if (cinfo == NULL)
  227. return 0;
  228. # ifdef OPENSSL_NO_EC2M
  229. if (cinfo->flags & TLS_CURVE_CHAR2)
  230. return 0;
  231. # endif
  232. ctmp[0] = curve >> 8;
  233. ctmp[1] = curve & 0xff;
  234. return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
  235. }
  236. /* Return 1 if "id" is in "list" */
  237. static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
  238. {
  239. size_t i;
  240. for (i = 0; i < listlen; i++)
  241. if (list[i] == id)
  242. return 1;
  243. return 0;
  244. }
  245. /*-
  246. * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
  247. * if there is no match.
  248. * For nmatch == -1, return number of matches
  249. * For nmatch == -2, return the id of the group to use for
  250. * a tmp key, or 0 if there is no match.
  251. */
  252. uint16_t tls1_shared_group(SSL *s, int nmatch)
  253. {
  254. const uint16_t *pref, *supp;
  255. size_t num_pref, num_supp, i;
  256. int k;
  257. /* Can't do anything on client side */
  258. if (s->server == 0)
  259. return 0;
  260. if (nmatch == -2) {
  261. if (tls1_suiteb(s)) {
  262. /*
  263. * For Suite B ciphersuite determines curve: we already know
  264. * these are acceptable due to previous checks.
  265. */
  266. unsigned long cid = s->s3->tmp.new_cipher->id;
  267. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  268. return TLSEXT_curve_P_256;
  269. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  270. return TLSEXT_curve_P_384;
  271. /* Should never happen */
  272. return 0;
  273. }
  274. /* If not Suite B just return first preference shared curve */
  275. nmatch = 0;
  276. }
  277. /*
  278. * If server preference set, our groups are the preference order
  279. * otherwise peer decides.
  280. */
  281. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  282. tls1_get_supported_groups(s, &pref, &num_pref);
  283. tls1_get_peer_groups(s, &supp, &num_supp);
  284. } else {
  285. tls1_get_peer_groups(s, &pref, &num_pref);
  286. tls1_get_supported_groups(s, &supp, &num_supp);
  287. }
  288. for (k = 0, i = 0; i < num_pref; i++) {
  289. uint16_t id = pref[i];
  290. if (!tls1_in_list(id, supp, num_supp)
  291. || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
  292. continue;
  293. if (nmatch == k)
  294. return id;
  295. k++;
  296. }
  297. if (nmatch == -1)
  298. return k;
  299. /* Out of range (nmatch > k). */
  300. return 0;
  301. }
  302. int tls1_set_groups(uint16_t **pext, size_t *pextlen,
  303. int *groups, size_t ngroups)
  304. {
  305. uint16_t *glist;
  306. size_t i;
  307. /*
  308. * Bitmap of groups included to detect duplicates: only works while group
  309. * ids < 32
  310. */
  311. unsigned long dup_list = 0;
  312. if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
  313. SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE);
  314. return 0;
  315. }
  316. for (i = 0; i < ngroups; i++) {
  317. unsigned long idmask;
  318. uint16_t id;
  319. /* TODO(TLS1.3): Convert for DH groups */
  320. id = tls1_nid2group_id(groups[i]);
  321. idmask = 1L << id;
  322. if (!id || (dup_list & idmask)) {
  323. OPENSSL_free(glist);
  324. return 0;
  325. }
  326. dup_list |= idmask;
  327. glist[i] = id;
  328. }
  329. OPENSSL_free(*pext);
  330. *pext = glist;
  331. *pextlen = ngroups;
  332. return 1;
  333. }
  334. # define MAX_CURVELIST OSSL_NELEM(nid_list)
  335. typedef struct {
  336. size_t nidcnt;
  337. int nid_arr[MAX_CURVELIST];
  338. } nid_cb_st;
  339. static int nid_cb(const char *elem, int len, void *arg)
  340. {
  341. nid_cb_st *narg = arg;
  342. size_t i;
  343. int nid;
  344. char etmp[20];
  345. if (elem == NULL)
  346. return 0;
  347. if (narg->nidcnt == MAX_CURVELIST)
  348. return 0;
  349. if (len > (int)(sizeof(etmp) - 1))
  350. return 0;
  351. memcpy(etmp, elem, len);
  352. etmp[len] = 0;
  353. nid = EC_curve_nist2nid(etmp);
  354. if (nid == NID_undef)
  355. nid = OBJ_sn2nid(etmp);
  356. if (nid == NID_undef)
  357. nid = OBJ_ln2nid(etmp);
  358. if (nid == NID_undef)
  359. return 0;
  360. for (i = 0; i < narg->nidcnt; i++)
  361. if (narg->nid_arr[i] == nid)
  362. return 0;
  363. narg->nid_arr[narg->nidcnt++] = nid;
  364. return 1;
  365. }
  366. /* Set groups based on a colon separate list */
  367. int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
  368. {
  369. nid_cb_st ncb;
  370. ncb.nidcnt = 0;
  371. if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
  372. return 0;
  373. if (pext == NULL)
  374. return 1;
  375. return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
  376. }
  377. /* Return group id of a key */
  378. static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
  379. {
  380. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
  381. const EC_GROUP *grp;
  382. if (ec == NULL)
  383. return 0;
  384. grp = EC_KEY_get0_group(ec);
  385. return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
  386. }
  387. /* Check a key is compatible with compression extension */
  388. static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
  389. {
  390. const EC_KEY *ec;
  391. const EC_GROUP *grp;
  392. unsigned char comp_id;
  393. size_t i;
  394. /* If not an EC key nothing to check */
  395. if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
  396. return 1;
  397. ec = EVP_PKEY_get0_EC_KEY(pkey);
  398. grp = EC_KEY_get0_group(ec);
  399. /* Get required compression id */
  400. if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
  401. comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
  402. } else if (SSL_IS_TLS13(s)) {
  403. /*
  404. * ec_point_formats extension is not used in TLSv1.3 so we ignore
  405. * this check.
  406. */
  407. return 1;
  408. } else {
  409. int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));
  410. if (field_type == NID_X9_62_prime_field)
  411. comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
  412. else if (field_type == NID_X9_62_characteristic_two_field)
  413. comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  414. else
  415. return 0;
  416. }
  417. /*
  418. * If point formats extension present check it, otherwise everything is
  419. * supported (see RFC4492).
  420. */
  421. if (s->session->ext.ecpointformats == NULL)
  422. return 1;
  423. for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
  424. if (s->session->ext.ecpointformats[i] == comp_id)
  425. return 1;
  426. }
  427. return 0;
  428. }
  429. /* Check a group id matches preferences */
  430. int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
  431. {
  432. const uint16_t *groups;
  433. size_t groups_len;
  434. if (group_id == 0)
  435. return 0;
  436. /* Check for Suite B compliance */
  437. if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
  438. unsigned long cid = s->s3->tmp.new_cipher->id;
  439. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
  440. if (group_id != TLSEXT_curve_P_256)
  441. return 0;
  442. } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
  443. if (group_id != TLSEXT_curve_P_384)
  444. return 0;
  445. } else {
  446. /* Should never happen */
  447. return 0;
  448. }
  449. }
  450. if (check_own_groups) {
  451. /* Check group is one of our preferences */
  452. tls1_get_supported_groups(s, &groups, &groups_len);
  453. if (!tls1_in_list(group_id, groups, groups_len))
  454. return 0;
  455. }
  456. if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
  457. return 0;
  458. /* For clients, nothing more to check */
  459. if (!s->server)
  460. return 1;
  461. /* Check group is one of peers preferences */
  462. tls1_get_peer_groups(s, &groups, &groups_len);
  463. /*
  464. * RFC 4492 does not require the supported elliptic curves extension
  465. * so if it is not sent we can just choose any curve.
  466. * It is invalid to send an empty list in the supported groups
  467. * extension, so groups_len == 0 always means no extension.
  468. */
  469. if (groups_len == 0)
  470. return 1;
  471. return tls1_in_list(group_id, groups, groups_len);
  472. }
  473. void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
  474. size_t *num_formats)
  475. {
  476. /*
  477. * If we have a custom point format list use it otherwise use default
  478. */
  479. if (s->ext.ecpointformats) {
  480. *pformats = s->ext.ecpointformats;
  481. *num_formats = s->ext.ecpointformats_len;
  482. } else {
  483. *pformats = ecformats_default;
  484. /* For Suite B we don't support char2 fields */
  485. if (tls1_suiteb(s))
  486. *num_formats = sizeof(ecformats_default) - 1;
  487. else
  488. *num_formats = sizeof(ecformats_default);
  489. }
  490. }
  491. /*
  492. * Check cert parameters compatible with extensions: currently just checks EC
  493. * certificates have compatible curves and compression.
  494. */
  495. static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
  496. {
  497. uint16_t group_id;
  498. EVP_PKEY *pkey;
  499. pkey = X509_get0_pubkey(x);
  500. if (pkey == NULL)
  501. return 0;
  502. /* If not EC nothing to do */
  503. if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
  504. return 1;
  505. /* Check compression */
  506. if (!tls1_check_pkey_comp(s, pkey))
  507. return 0;
  508. group_id = tls1_get_group_id(pkey);
  509. /*
  510. * For a server we allow the certificate to not be in our list of supported
  511. * groups.
  512. */
  513. if (!tls1_check_group_id(s, group_id, !s->server))
  514. return 0;
  515. /*
  516. * Special case for suite B. We *MUST* sign using SHA256+P-256 or
  517. * SHA384+P-384.
  518. */
  519. if (check_ee_md && tls1_suiteb(s)) {
  520. int check_md;
  521. size_t i;
  522. CERT *c = s->cert;
  523. /* Check to see we have necessary signing algorithm */
  524. if (group_id == TLSEXT_curve_P_256)
  525. check_md = NID_ecdsa_with_SHA256;
  526. else if (group_id == TLSEXT_curve_P_384)
  527. check_md = NID_ecdsa_with_SHA384;
  528. else
  529. return 0; /* Should never happen */
  530. for (i = 0; i < c->shared_sigalgslen; i++) {
  531. if (check_md == c->shared_sigalgs[i]->sigandhash)
  532. return 1;;
  533. }
  534. return 0;
  535. }
  536. return 1;
  537. }
  538. /*
  539. * tls1_check_ec_tmp_key - Check EC temporary key compatibility
  540. * @s: SSL connection
  541. * @cid: Cipher ID we're considering using
  542. *
  543. * Checks that the kECDHE cipher suite we're considering using
  544. * is compatible with the client extensions.
  545. *
  546. * Returns 0 when the cipher can't be used or 1 when it can.
  547. */
  548. int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
  549. {
  550. /* If not Suite B just need a shared group */
  551. if (!tls1_suiteb(s))
  552. return tls1_shared_group(s, 0) != 0;
  553. /*
  554. * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
  555. * curves permitted.
  556. */
  557. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  558. return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
  559. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  560. return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);
  561. return 0;
  562. }
  563. #else
  564. static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
  565. {
  566. return 1;
  567. }
  568. #endif /* OPENSSL_NO_EC */
  569. /* Default sigalg schemes */
  570. static const uint16_t tls12_sigalgs[] = {
  571. #ifndef OPENSSL_NO_EC
  572. TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  573. TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
  574. TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
  575. TLSEXT_SIGALG_ed25519,
  576. TLSEXT_SIGALG_ed448,
  577. #endif
  578. TLSEXT_SIGALG_rsa_pss_pss_sha256,
  579. TLSEXT_SIGALG_rsa_pss_pss_sha384,
  580. TLSEXT_SIGALG_rsa_pss_pss_sha512,
  581. TLSEXT_SIGALG_rsa_pss_rsae_sha256,
  582. TLSEXT_SIGALG_rsa_pss_rsae_sha384,
  583. TLSEXT_SIGALG_rsa_pss_rsae_sha512,
  584. TLSEXT_SIGALG_rsa_pkcs1_sha256,
  585. TLSEXT_SIGALG_rsa_pkcs1_sha384,
  586. TLSEXT_SIGALG_rsa_pkcs1_sha512,
  587. #ifndef OPENSSL_NO_EC
  588. TLSEXT_SIGALG_ecdsa_sha224,
  589. TLSEXT_SIGALG_ecdsa_sha1,
  590. #endif
  591. TLSEXT_SIGALG_rsa_pkcs1_sha224,
  592. TLSEXT_SIGALG_rsa_pkcs1_sha1,
  593. #ifndef OPENSSL_NO_DSA
  594. TLSEXT_SIGALG_dsa_sha224,
  595. TLSEXT_SIGALG_dsa_sha1,
  596. TLSEXT_SIGALG_dsa_sha256,
  597. TLSEXT_SIGALG_dsa_sha384,
  598. TLSEXT_SIGALG_dsa_sha512
  599. #endif
  600. };
  601. #ifndef OPENSSL_NO_EC
  602. static const uint16_t suiteb_sigalgs[] = {
  603. TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  604. TLSEXT_SIGALG_ecdsa_secp384r1_sha384
  605. };
  606. #endif
  607. static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
  608. #ifndef OPENSSL_NO_EC
  609. {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  610. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  611. NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
  612. {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
  613. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  614. NID_ecdsa_with_SHA384, NID_secp384r1},
  615. {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
  616. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  617. NID_ecdsa_with_SHA512, NID_secp521r1},
  618. {"ed25519", TLSEXT_SIGALG_ed25519,
  619. NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
  620. NID_undef, NID_undef},
  621. {"ed448", TLSEXT_SIGALG_ed448,
  622. NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
  623. NID_undef, NID_undef},
  624. {NULL, TLSEXT_SIGALG_ecdsa_sha224,
  625. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  626. NID_ecdsa_with_SHA224, NID_undef},
  627. {NULL, TLSEXT_SIGALG_ecdsa_sha1,
  628. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  629. NID_ecdsa_with_SHA1, NID_undef},
  630. #endif
  631. {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
  632. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  633. NID_undef, NID_undef},
  634. {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
  635. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  636. NID_undef, NID_undef},
  637. {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
  638. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  639. NID_undef, NID_undef},
  640. {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
  641. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  642. NID_undef, NID_undef},
  643. {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
  644. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  645. NID_undef, NID_undef},
  646. {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
  647. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  648. NID_undef, NID_undef},
  649. {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
  650. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  651. NID_sha256WithRSAEncryption, NID_undef},
  652. {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
  653. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  654. NID_sha384WithRSAEncryption, NID_undef},
  655. {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
  656. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  657. NID_sha512WithRSAEncryption, NID_undef},
  658. {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
  659. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  660. NID_sha224WithRSAEncryption, NID_undef},
  661. {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
  662. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  663. NID_sha1WithRSAEncryption, NID_undef},
  664. #ifndef OPENSSL_NO_DSA
  665. {NULL, TLSEXT_SIGALG_dsa_sha256,
  666. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  667. NID_dsa_with_SHA256, NID_undef},
  668. {NULL, TLSEXT_SIGALG_dsa_sha384,
  669. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  670. NID_undef, NID_undef},
  671. {NULL, TLSEXT_SIGALG_dsa_sha512,
  672. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  673. NID_undef, NID_undef},
  674. {NULL, TLSEXT_SIGALG_dsa_sha224,
  675. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  676. NID_undef, NID_undef},
  677. {NULL, TLSEXT_SIGALG_dsa_sha1,
  678. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  679. NID_dsaWithSHA1, NID_undef},
  680. #endif
  681. #ifndef OPENSSL_NO_GOST
  682. {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
  683. NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
  684. NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
  685. NID_undef, NID_undef},
  686. {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
  687. NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
  688. NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
  689. NID_undef, NID_undef},
  690. {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
  691. NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
  692. NID_id_GostR3410_2001, SSL_PKEY_GOST01,
  693. NID_undef, NID_undef}
  694. #endif
  695. };
  696. /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
  697. static const SIGALG_LOOKUP legacy_rsa_sigalg = {
  698. "rsa_pkcs1_md5_sha1", 0,
  699. NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
  700. EVP_PKEY_RSA, SSL_PKEY_RSA,
  701. NID_undef, NID_undef
  702. };
  703. /*
  704. * Default signature algorithm values used if signature algorithms not present.
  705. * From RFC5246. Note: order must match certificate index order.
  706. */
  707. static const uint16_t tls_default_sigalg[] = {
  708. TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
  709. 0, /* SSL_PKEY_RSA_PSS_SIGN */
  710. TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
  711. TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
  712. TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
  713. TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
  714. TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
  715. 0, /* SSL_PKEY_ED25519 */
  716. 0, /* SSL_PKEY_ED448 */
  717. };
  718. /* Lookup TLS signature algorithm */
  719. static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
  720. {
  721. size_t i;
  722. const SIGALG_LOOKUP *s;
  723. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  724. i++, s++) {
  725. if (s->sigalg == sigalg)
  726. return s;
  727. }
  728. return NULL;
  729. }
  730. /* Lookup hash: return 0 if invalid or not enabled */
  731. int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
  732. {
  733. const EVP_MD *md;
  734. if (lu == NULL)
  735. return 0;
  736. /* lu->hash == NID_undef means no associated digest */
  737. if (lu->hash == NID_undef) {
  738. md = NULL;
  739. } else {
  740. md = ssl_md(lu->hash_idx);
  741. if (md == NULL)
  742. return 0;
  743. }
  744. if (pmd)
  745. *pmd = md;
  746. return 1;
  747. }
  748. /*
  749. * Check if key is large enough to generate RSA-PSS signature.
  750. *
  751. * The key must greater than or equal to 2 * hash length + 2.
  752. * SHA512 has a hash length of 64 bytes, which is incompatible
  753. * with a 128 byte (1024 bit) key.
  754. */
  755. #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
  756. static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
  757. {
  758. const EVP_MD *md;
  759. if (rsa == NULL)
  760. return 0;
  761. if (!tls1_lookup_md(lu, &md) || md == NULL)
  762. return 0;
  763. if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md))
  764. return 0;
  765. return 1;
  766. }
  767. /*
  768. * Return a signature algorithm for TLS < 1.2 where the signature type
  769. * is fixed by the certificate type.
  770. */
  771. static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
  772. {
  773. if (idx == -1) {
  774. if (s->server) {
  775. size_t i;
  776. /* Work out index corresponding to ciphersuite */
  777. for (i = 0; i < SSL_PKEY_NUM; i++) {
  778. const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);
  779. if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
  780. idx = i;
  781. break;
  782. }
  783. }
  784. } else {
  785. idx = s->cert->key - s->cert->pkeys;
  786. }
  787. }
  788. if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
  789. return NULL;
  790. if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
  791. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
  792. if (!tls1_lookup_md(lu, NULL))
  793. return NULL;
  794. return lu;
  795. }
  796. return &legacy_rsa_sigalg;
  797. }
  798. /* Set peer sigalg based key type */
  799. int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
  800. {
  801. size_t idx;
  802. const SIGALG_LOOKUP *lu;
  803. if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
  804. return 0;
  805. lu = tls1_get_legacy_sigalg(s, idx);
  806. if (lu == NULL)
  807. return 0;
  808. s->s3->tmp.peer_sigalg = lu;
  809. return 1;
  810. }
  811. size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
  812. {
  813. /*
  814. * If Suite B mode use Suite B sigalgs only, ignore any other
  815. * preferences.
  816. */
  817. #ifndef OPENSSL_NO_EC
  818. switch (tls1_suiteb(s)) {
  819. case SSL_CERT_FLAG_SUITEB_128_LOS:
  820. *psigs = suiteb_sigalgs;
  821. return OSSL_NELEM(suiteb_sigalgs);
  822. case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  823. *psigs = suiteb_sigalgs;
  824. return 1;
  825. case SSL_CERT_FLAG_SUITEB_192_LOS:
  826. *psigs = suiteb_sigalgs + 1;
  827. return 1;
  828. }
  829. #endif
  830. /*
  831. * We use client_sigalgs (if not NULL) if we're a server
  832. * and sending a certificate request or if we're a client and
  833. * determining which shared algorithm to use.
  834. */
  835. if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
  836. *psigs = s->cert->client_sigalgs;
  837. return s->cert->client_sigalgslen;
  838. } else if (s->cert->conf_sigalgs) {
  839. *psigs = s->cert->conf_sigalgs;
  840. return s->cert->conf_sigalgslen;
  841. } else {
  842. *psigs = tls12_sigalgs;
  843. return OSSL_NELEM(tls12_sigalgs);
  844. }
  845. }
  846. /*
  847. * Check signature algorithm is consistent with sent supported signature
  848. * algorithms and if so set relevant digest and signature scheme in
  849. * s.
  850. */
  851. int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
  852. {
  853. const uint16_t *sent_sigs;
  854. const EVP_MD *md = NULL;
  855. char sigalgstr[2];
  856. size_t sent_sigslen, i;
  857. int pkeyid = EVP_PKEY_id(pkey);
  858. const SIGALG_LOOKUP *lu;
  859. /* Should never happen */
  860. if (pkeyid == -1)
  861. return -1;
  862. if (SSL_IS_TLS13(s)) {
  863. /* Disallow DSA for TLS 1.3 */
  864. if (pkeyid == EVP_PKEY_DSA) {
  865. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
  866. SSL_R_WRONG_SIGNATURE_TYPE);
  867. return 0;
  868. }
  869. /* Only allow PSS for TLS 1.3 */
  870. if (pkeyid == EVP_PKEY_RSA)
  871. pkeyid = EVP_PKEY_RSA_PSS;
  872. }
  873. lu = tls1_lookup_sigalg(sig);
  874. /*
  875. * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
  876. * is consistent with signature: RSA keys can be used for RSA-PSS
  877. */
  878. if (lu == NULL
  879. || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
  880. || (pkeyid != lu->sig
  881. && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
  882. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
  883. SSL_R_WRONG_SIGNATURE_TYPE);
  884. return 0;
  885. }
  886. #ifndef OPENSSL_NO_EC
  887. if (pkeyid == EVP_PKEY_EC) {
  888. /* Check point compression is permitted */
  889. if (!tls1_check_pkey_comp(s, pkey)) {
  890. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  891. SSL_F_TLS12_CHECK_PEER_SIGALG,
  892. SSL_R_ILLEGAL_POINT_COMPRESSION);
  893. return 0;
  894. }
  895. /* For TLS 1.3 or Suite B check curve matches signature algorithm */
  896. if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
  897. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
  898. int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  899. if (lu->curve != NID_undef && curve != lu->curve) {
  900. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  901. SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
  902. return 0;
  903. }
  904. }
  905. if (!SSL_IS_TLS13(s)) {
  906. /* Check curve matches extensions */
  907. if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
  908. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  909. SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
  910. return 0;
  911. }
  912. if (tls1_suiteb(s)) {
  913. /* Check sigalg matches a permissible Suite B value */
  914. if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
  915. && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
  916. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  917. SSL_F_TLS12_CHECK_PEER_SIGALG,
  918. SSL_R_WRONG_SIGNATURE_TYPE);
  919. return 0;
  920. }
  921. }
  922. }
  923. } else if (tls1_suiteb(s)) {
  924. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  925. SSL_R_WRONG_SIGNATURE_TYPE);
  926. return 0;
  927. }
  928. #endif
  929. /* Check signature matches a type we sent */
  930. sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  931. for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
  932. if (sig == *sent_sigs)
  933. break;
  934. }
  935. /* Allow fallback to SHA1 if not strict mode */
  936. if (i == sent_sigslen && (lu->hash != NID_sha1
  937. || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
  938. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  939. SSL_R_WRONG_SIGNATURE_TYPE);
  940. return 0;
  941. }
  942. if (!tls1_lookup_md(lu, &md)) {
  943. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  944. SSL_R_UNKNOWN_DIGEST);
  945. return 0;
  946. }
  947. if (md != NULL) {
  948. /*
  949. * Make sure security callback allows algorithm. For historical
  950. * reasons we have to pass the sigalg as a two byte char array.
  951. */
  952. sigalgstr[0] = (sig >> 8) & 0xff;
  953. sigalgstr[1] = sig & 0xff;
  954. if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
  955. EVP_MD_size(md) * 4, EVP_MD_type(md),
  956. (void *)sigalgstr)) {
  957. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  958. SSL_R_WRONG_SIGNATURE_TYPE);
  959. return 0;
  960. }
  961. }
  962. /* Store the sigalg the peer uses */
  963. s->s3->tmp.peer_sigalg = lu;
  964. return 1;
  965. }
  966. int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
  967. {
  968. if (s->s3->tmp.peer_sigalg == NULL)
  969. return 0;
  970. *pnid = s->s3->tmp.peer_sigalg->sig;
  971. return 1;
  972. }
  973. /*
  974. * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
  975. * supported, doesn't appear in supported signature algorithms, isn't supported
  976. * by the enabled protocol versions or by the security level.
  977. *
  978. * This function should only be used for checking which ciphers are supported
  979. * by the client.
  980. *
  981. * Call ssl_cipher_disabled() to check that it's enabled or not.
  982. */
  983. int ssl_set_client_disabled(SSL *s)
  984. {
  985. s->s3->tmp.mask_a = 0;
  986. s->s3->tmp.mask_k = 0;
  987. ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
  988. if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver,
  989. &s->s3->tmp.max_ver) != 0)
  990. return 0;
  991. #ifndef OPENSSL_NO_PSK
  992. /* with PSK there must be client callback set */
  993. if (!s->psk_client_callback) {
  994. s->s3->tmp.mask_a |= SSL_aPSK;
  995. s->s3->tmp.mask_k |= SSL_PSK;
  996. }
  997. #endif /* OPENSSL_NO_PSK */
  998. #ifndef OPENSSL_NO_SRP
  999. if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
  1000. s->s3->tmp.mask_a |= SSL_aSRP;
  1001. s->s3->tmp.mask_k |= SSL_kSRP;
  1002. }
  1003. #endif
  1004. return 1;
  1005. }
  1006. /*
  1007. * ssl_cipher_disabled - check that a cipher is disabled or not
  1008. * @s: SSL connection that you want to use the cipher on
  1009. * @c: cipher to check
  1010. * @op: Security check that you want to do
  1011. * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
  1012. *
  1013. * Returns 1 when it's disabled, 0 when enabled.
  1014. */
  1015. int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
  1016. {
  1017. if (c->algorithm_mkey & s->s3->tmp.mask_k
  1018. || c->algorithm_auth & s->s3->tmp.mask_a)
  1019. return 1;
  1020. if (s->s3->tmp.max_ver == 0)
  1021. return 1;
  1022. if (!SSL_IS_DTLS(s)) {
  1023. int min_tls = c->min_tls;
  1024. /*
  1025. * For historical reasons we will allow ECHDE to be selected by a server
  1026. * in SSLv3 if we are a client
  1027. */
  1028. if (min_tls == TLS1_VERSION && ecdhe
  1029. && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
  1030. min_tls = SSL3_VERSION;
  1031. if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
  1032. return 1;
  1033. }
  1034. if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
  1035. || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
  1036. return 1;
  1037. return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
  1038. }
  1039. int tls_use_ticket(SSL *s)
  1040. {
  1041. if ((s->options & SSL_OP_NO_TICKET))
  1042. return 0;
  1043. return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
  1044. }
  1045. int tls1_set_server_sigalgs(SSL *s)
  1046. {
  1047. size_t i;
  1048. /* Clear any shared signature algorithms */
  1049. OPENSSL_free(s->cert->shared_sigalgs);
  1050. s->cert->shared_sigalgs = NULL;
  1051. s->cert->shared_sigalgslen = 0;
  1052. /* Clear certificate validity flags */
  1053. for (i = 0; i < SSL_PKEY_NUM; i++)
  1054. s->s3->tmp.valid_flags[i] = 0;
  1055. /*
  1056. * If peer sent no signature algorithms check to see if we support
  1057. * the default algorithm for each certificate type
  1058. */
  1059. if (s->s3->tmp.peer_cert_sigalgs == NULL
  1060. && s->s3->tmp.peer_sigalgs == NULL) {
  1061. const uint16_t *sent_sigs;
  1062. size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  1063. for (i = 0; i < SSL_PKEY_NUM; i++) {
  1064. const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
  1065. size_t j;
  1066. if (lu == NULL)
  1067. continue;
  1068. /* Check default matches a type we sent */
  1069. for (j = 0; j < sent_sigslen; j++) {
  1070. if (lu->sigalg == sent_sigs[j]) {
  1071. s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
  1072. break;
  1073. }
  1074. }
  1075. }
  1076. return 1;
  1077. }
  1078. if (!tls1_process_sigalgs(s)) {
  1079. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1080. SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
  1081. return 0;
  1082. }
  1083. if (s->cert->shared_sigalgs != NULL)
  1084. return 1;
  1085. /* Fatal error if no shared signature algorithms */
  1086. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
  1087. SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
  1088. return 0;
  1089. }
  1090. /*-
  1091. * Gets the ticket information supplied by the client if any.
  1092. *
  1093. * hello: The parsed ClientHello data
  1094. * ret: (output) on return, if a ticket was decrypted, then this is set to
  1095. * point to the resulting session.
  1096. *
  1097. * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
  1098. * ciphersuite, in which case we have no use for session tickets and one will
  1099. * never be decrypted, nor will s->ext.ticket_expected be set to 1.
  1100. *
  1101. * Returns:
  1102. * -1: fatal error, either from parsing or decrypting the ticket.
  1103. * 0: no ticket was found (or was ignored, based on settings).
  1104. * 1: a zero length extension was found, indicating that the client supports
  1105. * session tickets but doesn't currently have one to offer.
  1106. * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
  1107. * couldn't be decrypted because of a non-fatal error.
  1108. * 3: a ticket was successfully decrypted and *ret was set.
  1109. *
  1110. * Side effects:
  1111. * Sets s->ext.ticket_expected to 1 if the server will have to issue
  1112. * a new session ticket to the client because the client indicated support
  1113. * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
  1114. * a session ticket or we couldn't use the one it gave us, or if
  1115. * s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
  1116. * Otherwise, s->ext.ticket_expected is set to 0.
  1117. */
  1118. SSL_TICKET_RETURN tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
  1119. SSL_SESSION **ret)
  1120. {
  1121. int retv;
  1122. size_t size;
  1123. RAW_EXTENSION *ticketext;
  1124. *ret = NULL;
  1125. s->ext.ticket_expected = 0;
  1126. /*
  1127. * If tickets disabled or not supported by the protocol version
  1128. * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
  1129. * resumption.
  1130. */
  1131. if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
  1132. return SSL_TICKET_NONE;
  1133. ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
  1134. if (!ticketext->present)
  1135. return SSL_TICKET_NONE;
  1136. size = PACKET_remaining(&ticketext->data);
  1137. if (size == 0) {
  1138. /*
  1139. * The client will accept a ticket but doesn't currently have
  1140. * one.
  1141. */
  1142. s->ext.ticket_expected = 1;
  1143. return SSL_TICKET_EMPTY;
  1144. }
  1145. if (s->ext.session_secret_cb) {
  1146. /*
  1147. * Indicate that the ticket couldn't be decrypted rather than
  1148. * generating the session from ticket now, trigger
  1149. * abbreviated handshake based on external mechanism to
  1150. * calculate the master secret later.
  1151. */
  1152. return SSL_TICKET_NO_DECRYPT;
  1153. }
  1154. retv = tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
  1155. hello->session_id, hello->session_id_len, ret);
  1156. /*
  1157. * If set, the decrypt_ticket_cb() is always called regardless of the
  1158. * return from tls_decrypt_ticket(). The callback is responsible for
  1159. * checking |retv| before it performs any action
  1160. */
  1161. if (s->session_ctx->decrypt_ticket_cb != NULL) {
  1162. size_t keyname_len = size;
  1163. if (keyname_len > TLSEXT_KEYNAME_LENGTH)
  1164. keyname_len = TLSEXT_KEYNAME_LENGTH;
  1165. retv = s->session_ctx->decrypt_ticket_cb(s, *ret,
  1166. PACKET_data(&ticketext->data),
  1167. keyname_len,
  1168. retv, s->session_ctx->ticket_cb_data);
  1169. }
  1170. switch (retv) {
  1171. case SSL_TICKET_NO_DECRYPT:
  1172. s->ext.ticket_expected = 1;
  1173. return SSL_TICKET_NO_DECRYPT;
  1174. case SSL_TICKET_SUCCESS:
  1175. return SSL_TICKET_SUCCESS;
  1176. case SSL_TICKET_SUCCESS_RENEW:
  1177. s->ext.ticket_expected = 1;
  1178. return SSL_TICKET_SUCCESS;
  1179. case SSL_TICKET_EMPTY:
  1180. s->ext.ticket_expected = 1;
  1181. return SSL_TICKET_EMPTY;
  1182. case SSL_TICKET_NONE:
  1183. return SSL_TICKET_NONE;
  1184. default:
  1185. return SSL_TICKET_FATAL_ERR_OTHER;
  1186. }
  1187. }
  1188. /*-
  1189. * tls_decrypt_ticket attempts to decrypt a session ticket.
  1190. *
  1191. * etick: points to the body of the session ticket extension.
  1192. * eticklen: the length of the session tickets extension.
  1193. * sess_id: points at the session ID.
  1194. * sesslen: the length of the session ID.
  1195. * psess: (output) on return, if a ticket was decrypted, then this is set to
  1196. * point to the resulting session.
  1197. */
  1198. SSL_TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,
  1199. size_t eticklen, const unsigned char *sess_id,
  1200. size_t sesslen, SSL_SESSION **psess)
  1201. {
  1202. SSL_SESSION *sess;
  1203. unsigned char *sdec;
  1204. const unsigned char *p;
  1205. int slen, renew_ticket = 0, declen;
  1206. SSL_TICKET_RETURN ret = SSL_TICKET_FATAL_ERR_OTHER;
  1207. size_t mlen;
  1208. unsigned char tick_hmac[EVP_MAX_MD_SIZE];
  1209. HMAC_CTX *hctx = NULL;
  1210. EVP_CIPHER_CTX *ctx = NULL;
  1211. SSL_CTX *tctx = s->session_ctx;
  1212. /* Need at least keyname + iv */
  1213. if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
  1214. ret = SSL_TICKET_NO_DECRYPT;
  1215. goto err;
  1216. }
  1217. /* Initialize session ticket encryption and HMAC contexts */
  1218. hctx = HMAC_CTX_new();
  1219. if (hctx == NULL)
  1220. return SSL_TICKET_FATAL_ERR_MALLOC;
  1221. ctx = EVP_CIPHER_CTX_new();
  1222. if (ctx == NULL) {
  1223. ret = SSL_TICKET_FATAL_ERR_MALLOC;
  1224. goto err;
  1225. }
  1226. if (tctx->ext.ticket_key_cb) {
  1227. unsigned char *nctick = (unsigned char *)etick;
  1228. int rv = tctx->ext.ticket_key_cb(s, nctick,
  1229. nctick + TLSEXT_KEYNAME_LENGTH,
  1230. ctx, hctx, 0);
  1231. if (rv < 0)
  1232. goto err;
  1233. if (rv == 0) {
  1234. ret = SSL_TICKET_NO_DECRYPT;
  1235. goto err;
  1236. }
  1237. if (rv == 2)
  1238. renew_ticket = 1;
  1239. } else {
  1240. /* Check key name matches */
  1241. if (memcmp(etick, tctx->ext.tick_key_name,
  1242. TLSEXT_KEYNAME_LENGTH) != 0) {
  1243. ret = SSL_TICKET_NO_DECRYPT;
  1244. goto err;
  1245. }
  1246. if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
  1247. sizeof(tctx->ext.secure->tick_hmac_key),
  1248. EVP_sha256(), NULL) <= 0
  1249. || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
  1250. tctx->ext.secure->tick_aes_key,
  1251. etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
  1252. goto err;
  1253. }
  1254. }
  1255. /*
  1256. * Attempt to process session ticket, first conduct sanity and integrity
  1257. * checks on ticket.
  1258. */
  1259. mlen = HMAC_size(hctx);
  1260. if (mlen == 0) {
  1261. goto err;
  1262. }
  1263. /* Sanity check ticket length: must exceed keyname + IV + HMAC */
  1264. if (eticklen <=
  1265. TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
  1266. ret = SSL_TICKET_NO_DECRYPT;
  1267. goto err;
  1268. }
  1269. eticklen -= mlen;
  1270. /* Check HMAC of encrypted ticket */
  1271. if (HMAC_Update(hctx, etick, eticklen) <= 0
  1272. || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
  1273. goto err;
  1274. }
  1275. HMAC_CTX_free(hctx);
  1276. if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
  1277. EVP_CIPHER_CTX_free(ctx);
  1278. return SSL_TICKET_NO_DECRYPT;
  1279. }
  1280. /* Attempt to decrypt session data */
  1281. /* Move p after IV to start of encrypted ticket, update length */
  1282. p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
  1283. eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
  1284. sdec = OPENSSL_malloc(eticklen);
  1285. if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
  1286. (int)eticklen) <= 0) {
  1287. EVP_CIPHER_CTX_free(ctx);
  1288. OPENSSL_free(sdec);
  1289. return SSL_TICKET_FATAL_ERR_OTHER;
  1290. }
  1291. if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
  1292. EVP_CIPHER_CTX_free(ctx);
  1293. OPENSSL_free(sdec);
  1294. return SSL_TICKET_NO_DECRYPT;
  1295. }
  1296. slen += declen;
  1297. EVP_CIPHER_CTX_free(ctx);
  1298. ctx = NULL;
  1299. p = sdec;
  1300. sess = d2i_SSL_SESSION(NULL, &p, slen);
  1301. slen -= p - sdec;
  1302. OPENSSL_free(sdec);
  1303. if (sess) {
  1304. /* Some additional consistency checks */
  1305. if (slen != 0) {
  1306. SSL_SESSION_free(sess);
  1307. return SSL_TICKET_NO_DECRYPT;
  1308. }
  1309. /*
  1310. * The session ID, if non-empty, is used by some clients to detect
  1311. * that the ticket has been accepted. So we copy it to the session
  1312. * structure. If it is empty set length to zero as required by
  1313. * standard.
  1314. */
  1315. if (sesslen) {
  1316. memcpy(sess->session_id, sess_id, sesslen);
  1317. sess->session_id_length = sesslen;
  1318. }
  1319. *psess = sess;
  1320. if (renew_ticket)
  1321. return SSL_TICKET_SUCCESS_RENEW;
  1322. else
  1323. return SSL_TICKET_SUCCESS;
  1324. }
  1325. ERR_clear_error();
  1326. /*
  1327. * For session parse failure, indicate that we need to send a new ticket.
  1328. */
  1329. return SSL_TICKET_NO_DECRYPT;
  1330. err:
  1331. EVP_CIPHER_CTX_free(ctx);
  1332. HMAC_CTX_free(hctx);
  1333. return ret;
  1334. }
  1335. /* Check to see if a signature algorithm is allowed */
  1336. static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
  1337. {
  1338. unsigned char sigalgstr[2];
  1339. int secbits;
  1340. /* See if sigalgs is recognised and if hash is enabled */
  1341. if (!tls1_lookup_md(lu, NULL))
  1342. return 0;
  1343. /* DSA is not allowed in TLS 1.3 */
  1344. if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
  1345. return 0;
  1346. /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
  1347. if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
  1348. && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
  1349. || lu->hash_idx == SSL_MD_MD5_IDX
  1350. || lu->hash_idx == SSL_MD_SHA224_IDX))
  1351. return 0;
  1352. /* See if public key algorithm allowed */
  1353. if (ssl_cert_is_disabled(lu->sig_idx))
  1354. return 0;
  1355. if (lu->hash == NID_undef)
  1356. return 1;
  1357. /* Security bits: half digest bits */
  1358. secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
  1359. /* Finally see if security callback allows it */
  1360. sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
  1361. sigalgstr[1] = lu->sigalg & 0xff;
  1362. return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
  1363. }
  1364. /*
  1365. * Get a mask of disabled public key algorithms based on supported signature
  1366. * algorithms. For example if no signature algorithm supports RSA then RSA is
  1367. * disabled.
  1368. */
  1369. void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
  1370. {
  1371. const uint16_t *sigalgs;
  1372. size_t i, sigalgslen;
  1373. uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
  1374. /*
  1375. * Go through all signature algorithms seeing if we support any
  1376. * in disabled_mask.
  1377. */
  1378. sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
  1379. for (i = 0; i < sigalgslen; i++, sigalgs++) {
  1380. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
  1381. const SSL_CERT_LOOKUP *clu;
  1382. if (lu == NULL)
  1383. continue;
  1384. clu = ssl_cert_lookup_by_idx(lu->sig_idx);
  1385. if (clu == NULL)
  1386. continue;
  1387. /* If algorithm is disabled see if we can enable it */
  1388. if ((clu->amask & disabled_mask) != 0
  1389. && tls12_sigalg_allowed(s, op, lu))
  1390. disabled_mask &= ~clu->amask;
  1391. }
  1392. *pmask_a |= disabled_mask;
  1393. }
  1394. int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
  1395. const uint16_t *psig, size_t psiglen)
  1396. {
  1397. size_t i;
  1398. int rv = 0;
  1399. for (i = 0; i < psiglen; i++, psig++) {
  1400. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);
  1401. if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
  1402. continue;
  1403. if (!WPACKET_put_bytes_u16(pkt, *psig))
  1404. return 0;
  1405. /*
  1406. * If TLS 1.3 must have at least one valid TLS 1.3 message
  1407. * signing algorithm: i.e. neither RSA nor SHA1/SHA224
  1408. */
  1409. if (rv == 0 && (!SSL_IS_TLS13(s)
  1410. || (lu->sig != EVP_PKEY_RSA
  1411. && lu->hash != NID_sha1
  1412. && lu->hash != NID_sha224)))
  1413. rv = 1;
  1414. }
  1415. if (rv == 0)
  1416. SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
  1417. return rv;
  1418. }
  1419. /* Given preference and allowed sigalgs set shared sigalgs */
  1420. static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
  1421. const uint16_t *pref, size_t preflen,
  1422. const uint16_t *allow, size_t allowlen)
  1423. {
  1424. const uint16_t *ptmp, *atmp;
  1425. size_t i, j, nmatch = 0;
  1426. for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
  1427. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);
  1428. /* Skip disabled hashes or signature algorithms */
  1429. if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
  1430. continue;
  1431. for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
  1432. if (*ptmp == *atmp) {
  1433. nmatch++;
  1434. if (shsig)
  1435. *shsig++ = lu;
  1436. break;
  1437. }
  1438. }
  1439. }
  1440. return nmatch;
  1441. }
  1442. /* Set shared signature algorithms for SSL structures */
  1443. static int tls1_set_shared_sigalgs(SSL *s)
  1444. {
  1445. const uint16_t *pref, *allow, *conf;
  1446. size_t preflen, allowlen, conflen;
  1447. size_t nmatch;
  1448. const SIGALG_LOOKUP **salgs = NULL;
  1449. CERT *c = s->cert;
  1450. unsigned int is_suiteb = tls1_suiteb(s);
  1451. OPENSSL_free(c->shared_sigalgs);
  1452. c->shared_sigalgs = NULL;
  1453. c->shared_sigalgslen = 0;
  1454. /* If client use client signature algorithms if not NULL */
  1455. if (!s->server && c->client_sigalgs && !is_suiteb) {
  1456. conf = c->client_sigalgs;
  1457. conflen = c->client_sigalgslen;
  1458. } else if (c->conf_sigalgs && !is_suiteb) {
  1459. conf = c->conf_sigalgs;
  1460. conflen = c->conf_sigalgslen;
  1461. } else
  1462. conflen = tls12_get_psigalgs(s, 0, &conf);
  1463. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
  1464. pref = conf;
  1465. preflen = conflen;
  1466. allow = s->s3->tmp.peer_sigalgs;
  1467. allowlen = s->s3->tmp.peer_sigalgslen;
  1468. } else {
  1469. allow = conf;
  1470. allowlen = conflen;
  1471. pref = s->s3->tmp.peer_sigalgs;
  1472. preflen = s->s3->tmp.peer_sigalgslen;
  1473. }
  1474. nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
  1475. if (nmatch) {
  1476. if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) {
  1477. SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE);
  1478. return 0;
  1479. }
  1480. nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
  1481. } else {
  1482. salgs = NULL;
  1483. }
  1484. c->shared_sigalgs = salgs;
  1485. c->shared_sigalgslen = nmatch;
  1486. return 1;
  1487. }
  1488. int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
  1489. {
  1490. unsigned int stmp;
  1491. size_t size, i;
  1492. uint16_t *buf;
  1493. size = PACKET_remaining(pkt);
  1494. /* Invalid data length */
  1495. if (size == 0 || (size & 1) != 0)
  1496. return 0;
  1497. size >>= 1;
  1498. if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) {
  1499. SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE);
  1500. return 0;
  1501. }
  1502. for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
  1503. buf[i] = stmp;
  1504. if (i != size) {
  1505. OPENSSL_free(buf);
  1506. return 0;
  1507. }
  1508. OPENSSL_free(*pdest);
  1509. *pdest = buf;
  1510. *pdestlen = size;
  1511. return 1;
  1512. }
  1513. int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert)
  1514. {
  1515. /* Extension ignored for inappropriate versions */
  1516. if (!SSL_USE_SIGALGS(s))
  1517. return 1;
  1518. /* Should never happen */
  1519. if (s->cert == NULL)
  1520. return 0;
  1521. if (cert)
  1522. return tls1_save_u16(pkt, &s->s3->tmp.peer_cert_sigalgs,
  1523. &s->s3->tmp.peer_cert_sigalgslen);
  1524. else
  1525. return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs,
  1526. &s->s3->tmp.peer_sigalgslen);
  1527. }
  1528. /* Set preferred digest for each key type */
  1529. int tls1_process_sigalgs(SSL *s)
  1530. {
  1531. size_t i;
  1532. uint32_t *pvalid = s->s3->tmp.valid_flags;
  1533. CERT *c = s->cert;
  1534. if (!tls1_set_shared_sigalgs(s))
  1535. return 0;
  1536. for (i = 0; i < SSL_PKEY_NUM; i++)
  1537. pvalid[i] = 0;
  1538. for (i = 0; i < c->shared_sigalgslen; i++) {
  1539. const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
  1540. int idx = sigptr->sig_idx;
  1541. /* Ignore PKCS1 based sig algs in TLSv1.3 */
  1542. if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
  1543. continue;
  1544. /* If not disabled indicate we can explicitly sign */
  1545. if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx))
  1546. pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
  1547. }
  1548. return 1;
  1549. }
  1550. int SSL_get_sigalgs(SSL *s, int idx,
  1551. int *psign, int *phash, int *psignhash,
  1552. unsigned char *rsig, unsigned char *rhash)
  1553. {
  1554. uint16_t *psig = s->s3->tmp.peer_sigalgs;
  1555. size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
  1556. if (psig == NULL || numsigalgs > INT_MAX)
  1557. return 0;
  1558. if (idx >= 0) {
  1559. const SIGALG_LOOKUP *lu;
  1560. if (idx >= (int)numsigalgs)
  1561. return 0;
  1562. psig += idx;
  1563. if (rhash != NULL)
  1564. *rhash = (unsigned char)((*psig >> 8) & 0xff);
  1565. if (rsig != NULL)
  1566. *rsig = (unsigned char)(*psig & 0xff);
  1567. lu = tls1_lookup_sigalg(*psig);
  1568. if (psign != NULL)
  1569. *psign = lu != NULL ? lu->sig : NID_undef;
  1570. if (phash != NULL)
  1571. *phash = lu != NULL ? lu->hash : NID_undef;
  1572. if (psignhash != NULL)
  1573. *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
  1574. }
  1575. return (int)numsigalgs;
  1576. }
  1577. int SSL_get_shared_sigalgs(SSL *s, int idx,
  1578. int *psign, int *phash, int *psignhash,
  1579. unsigned char *rsig, unsigned char *rhash)
  1580. {
  1581. const SIGALG_LOOKUP *shsigalgs;
  1582. if (s->cert->shared_sigalgs == NULL
  1583. || idx < 0
  1584. || idx >= (int)s->cert->shared_sigalgslen
  1585. || s->cert->shared_sigalgslen > INT_MAX)
  1586. return 0;
  1587. shsigalgs = s->cert->shared_sigalgs[idx];
  1588. if (phash != NULL)
  1589. *phash = shsigalgs->hash;
  1590. if (psign != NULL)
  1591. *psign = shsigalgs->sig;
  1592. if (psignhash != NULL)
  1593. *psignhash = shsigalgs->sigandhash;
  1594. if (rsig != NULL)
  1595. *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
  1596. if (rhash != NULL)
  1597. *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
  1598. return (int)s->cert->shared_sigalgslen;
  1599. }
  1600. /* Maximum possible number of unique entries in sigalgs array */
  1601. #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
  1602. typedef struct {
  1603. size_t sigalgcnt;
  1604. /* TLSEXT_SIGALG_XXX values */
  1605. uint16_t sigalgs[TLS_MAX_SIGALGCNT];
  1606. } sig_cb_st;
  1607. static void get_sigorhash(int *psig, int *phash, const char *str)
  1608. {
  1609. if (strcmp(str, "RSA") == 0) {
  1610. *psig = EVP_PKEY_RSA;
  1611. } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
  1612. *psig = EVP_PKEY_RSA_PSS;
  1613. } else if (strcmp(str, "DSA") == 0) {
  1614. *psig = EVP_PKEY_DSA;
  1615. } else if (strcmp(str, "ECDSA") == 0) {
  1616. *psig = EVP_PKEY_EC;
  1617. } else {
  1618. *phash = OBJ_sn2nid(str);
  1619. if (*phash == NID_undef)
  1620. *phash = OBJ_ln2nid(str);
  1621. }
  1622. }
  1623. /* Maximum length of a signature algorithm string component */
  1624. #define TLS_MAX_SIGSTRING_LEN 40
  1625. static int sig_cb(const char *elem, int len, void *arg)
  1626. {
  1627. sig_cb_st *sarg = arg;
  1628. size_t i;
  1629. const SIGALG_LOOKUP *s;
  1630. char etmp[TLS_MAX_SIGSTRING_LEN], *p;
  1631. int sig_alg = NID_undef, hash_alg = NID_undef;
  1632. if (elem == NULL)
  1633. return 0;
  1634. if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
  1635. return 0;
  1636. if (len > (int)(sizeof(etmp) - 1))
  1637. return 0;
  1638. memcpy(etmp, elem, len);
  1639. etmp[len] = 0;
  1640. p = strchr(etmp, '+');
  1641. /*
  1642. * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
  1643. * if there's no '+' in the provided name, look for the new-style combined
  1644. * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP.
  1645. * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
  1646. * rsa_pss_rsae_* that differ only by public key OID; in such cases
  1647. * we will pick the _rsae_ variant, by virtue of them appearing earlier
  1648. * in the table.
  1649. */
  1650. if (p == NULL) {
  1651. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  1652. i++, s++) {
  1653. if (s->name != NULL && strcmp(etmp, s->name) == 0) {
  1654. sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
  1655. break;
  1656. }
  1657. }
  1658. if (i == OSSL_NELEM(sigalg_lookup_tbl))
  1659. return 0;
  1660. } else {
  1661. *p = 0;
  1662. p++;
  1663. if (*p == 0)
  1664. return 0;
  1665. get_sigorhash(&sig_alg, &hash_alg, etmp);
  1666. get_sigorhash(&sig_alg, &hash_alg, p);
  1667. if (sig_alg == NID_undef || hash_alg == NID_undef)
  1668. return 0;
  1669. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  1670. i++, s++) {
  1671. if (s->hash == hash_alg && s->sig == sig_alg) {
  1672. sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
  1673. break;
  1674. }
  1675. }
  1676. if (i == OSSL_NELEM(sigalg_lookup_tbl))
  1677. return 0;
  1678. }
  1679. /* Reject duplicates */
  1680. for (i = 0; i < sarg->sigalgcnt - 1; i++) {
  1681. if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
  1682. sarg->sigalgcnt--;
  1683. return 0;
  1684. }
  1685. }
  1686. return 1;
  1687. }
  1688. /*
  1689. * Set supported signature algorithms based on a colon separated list of the
  1690. * form sig+hash e.g. RSA+SHA512:DSA+SHA512
  1691. */
  1692. int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
  1693. {
  1694. sig_cb_st sig;
  1695. sig.sigalgcnt = 0;
  1696. if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
  1697. return 0;
  1698. if (c == NULL)
  1699. return 1;
  1700. return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
  1701. }
  1702. int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
  1703. int client)
  1704. {
  1705. uint16_t *sigalgs;
  1706. if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) {
  1707. SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE);
  1708. return 0;
  1709. }
  1710. memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));
  1711. if (client) {
  1712. OPENSSL_free(c->client_sigalgs);
  1713. c->client_sigalgs = sigalgs;
  1714. c->client_sigalgslen = salglen;
  1715. } else {
  1716. OPENSSL_free(c->conf_sigalgs);
  1717. c->conf_sigalgs = sigalgs;
  1718. c->conf_sigalgslen = salglen;
  1719. }
  1720. return 1;
  1721. }
  1722. int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
  1723. {
  1724. uint16_t *sigalgs, *sptr;
  1725. size_t i;
  1726. if (salglen & 1)
  1727. return 0;
  1728. if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) {
  1729. SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE);
  1730. return 0;
  1731. }
  1732. for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
  1733. size_t j;
  1734. const SIGALG_LOOKUP *curr;
  1735. int md_id = *psig_nids++;
  1736. int sig_id = *psig_nids++;
  1737. for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
  1738. j++, curr++) {
  1739. if (curr->hash == md_id && curr->sig == sig_id) {
  1740. *sptr++ = curr->sigalg;
  1741. break;
  1742. }
  1743. }
  1744. if (j == OSSL_NELEM(sigalg_lookup_tbl))
  1745. goto err;
  1746. }
  1747. if (client) {
  1748. OPENSSL_free(c->client_sigalgs);
  1749. c->client_sigalgs = sigalgs;
  1750. c->client_sigalgslen = salglen / 2;
  1751. } else {
  1752. OPENSSL_free(c->conf_sigalgs);
  1753. c->conf_sigalgs = sigalgs;
  1754. c->conf_sigalgslen = salglen / 2;
  1755. }
  1756. return 1;
  1757. err:
  1758. OPENSSL_free(sigalgs);
  1759. return 0;
  1760. }
  1761. static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
  1762. {
  1763. int sig_nid;
  1764. size_t i;
  1765. if (default_nid == -1)
  1766. return 1;
  1767. sig_nid = X509_get_signature_nid(x);
  1768. if (default_nid)
  1769. return sig_nid == default_nid ? 1 : 0;
  1770. for (i = 0; i < c->shared_sigalgslen; i++)
  1771. if (sig_nid == c->shared_sigalgs[i]->sigandhash)
  1772. return 1;
  1773. return 0;
  1774. }
  1775. /* Check to see if a certificate issuer name matches list of CA names */
  1776. static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
  1777. {
  1778. X509_NAME *nm;
  1779. int i;
  1780. nm = X509_get_issuer_name(x);
  1781. for (i = 0; i < sk_X509_NAME_num(names); i++) {
  1782. if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
  1783. return 1;
  1784. }
  1785. return 0;
  1786. }
  1787. /*
  1788. * Check certificate chain is consistent with TLS extensions and is usable by
  1789. * server. This servers two purposes: it allows users to check chains before
  1790. * passing them to the server and it allows the server to check chains before
  1791. * attempting to use them.
  1792. */
  1793. /* Flags which need to be set for a certificate when strict mode not set */
  1794. #define CERT_PKEY_VALID_FLAGS \
  1795. (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
  1796. /* Strict mode flags */
  1797. #define CERT_PKEY_STRICT_FLAGS \
  1798. (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
  1799. | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
  1800. int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
  1801. int idx)
  1802. {
  1803. int i;
  1804. int rv = 0;
  1805. int check_flags = 0, strict_mode;
  1806. CERT_PKEY *cpk = NULL;
  1807. CERT *c = s->cert;
  1808. uint32_t *pvalid;
  1809. unsigned int suiteb_flags = tls1_suiteb(s);
  1810. /* idx == -1 means checking server chains */
  1811. if (idx != -1) {
  1812. /* idx == -2 means checking client certificate chains */
  1813. if (idx == -2) {
  1814. cpk = c->key;
  1815. idx = (int)(cpk - c->pkeys);
  1816. } else
  1817. cpk = c->pkeys + idx;
  1818. pvalid = s->s3->tmp.valid_flags + idx;
  1819. x = cpk->x509;
  1820. pk = cpk->privatekey;
  1821. chain = cpk->chain;
  1822. strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
  1823. /* If no cert or key, forget it */
  1824. if (!x || !pk)
  1825. goto end;
  1826. } else {
  1827. size_t certidx;
  1828. if (!x || !pk)
  1829. return 0;
  1830. if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
  1831. return 0;
  1832. idx = certidx;
  1833. pvalid = s->s3->tmp.valid_flags + idx;
  1834. if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
  1835. check_flags = CERT_PKEY_STRICT_FLAGS;
  1836. else
  1837. check_flags = CERT_PKEY_VALID_FLAGS;
  1838. strict_mode = 1;
  1839. }
  1840. if (suiteb_flags) {
  1841. int ok;
  1842. if (check_flags)
  1843. check_flags |= CERT_PKEY_SUITEB;
  1844. ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
  1845. if (ok == X509_V_OK)
  1846. rv |= CERT_PKEY_SUITEB;
  1847. else if (!check_flags)
  1848. goto end;
  1849. }
  1850. /*
  1851. * Check all signature algorithms are consistent with signature
  1852. * algorithms extension if TLS 1.2 or later and strict mode.
  1853. */
  1854. if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
  1855. int default_nid;
  1856. int rsign = 0;
  1857. if (s->s3->tmp.peer_cert_sigalgs != NULL
  1858. || s->s3->tmp.peer_sigalgs != NULL) {
  1859. default_nid = 0;
  1860. /* If no sigalgs extension use defaults from RFC5246 */
  1861. } else {
  1862. switch (idx) {
  1863. case SSL_PKEY_RSA:
  1864. rsign = EVP_PKEY_RSA;
  1865. default_nid = NID_sha1WithRSAEncryption;
  1866. break;
  1867. case SSL_PKEY_DSA_SIGN:
  1868. rsign = EVP_PKEY_DSA;
  1869. default_nid = NID_dsaWithSHA1;
  1870. break;
  1871. case SSL_PKEY_ECC:
  1872. rsign = EVP_PKEY_EC;
  1873. default_nid = NID_ecdsa_with_SHA1;
  1874. break;
  1875. case SSL_PKEY_GOST01:
  1876. rsign = NID_id_GostR3410_2001;
  1877. default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
  1878. break;
  1879. case SSL_PKEY_GOST12_256:
  1880. rsign = NID_id_GostR3410_2012_256;
  1881. default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
  1882. break;
  1883. case SSL_PKEY_GOST12_512:
  1884. rsign = NID_id_GostR3410_2012_512;
  1885. default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
  1886. break;
  1887. default:
  1888. default_nid = -1;
  1889. break;
  1890. }
  1891. }
  1892. /*
  1893. * If peer sent no signature algorithms extension and we have set
  1894. * preferred signature algorithms check we support sha1.
  1895. */
  1896. if (default_nid > 0 && c->conf_sigalgs) {
  1897. size_t j;
  1898. const uint16_t *p = c->conf_sigalgs;
  1899. for (j = 0; j < c->conf_sigalgslen; j++, p++) {
  1900. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);
  1901. if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
  1902. break;
  1903. }
  1904. if (j == c->conf_sigalgslen) {
  1905. if (check_flags)
  1906. goto skip_sigs;
  1907. else
  1908. goto end;
  1909. }
  1910. }
  1911. /* Check signature algorithm of each cert in chain */
  1912. if (!tls1_check_sig_alg(c, x, default_nid)) {
  1913. if (!check_flags)
  1914. goto end;
  1915. } else
  1916. rv |= CERT_PKEY_EE_SIGNATURE;
  1917. rv |= CERT_PKEY_CA_SIGNATURE;
  1918. for (i = 0; i < sk_X509_num(chain); i++) {
  1919. if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
  1920. if (check_flags) {
  1921. rv &= ~CERT_PKEY_CA_SIGNATURE;
  1922. break;
  1923. } else
  1924. goto end;
  1925. }
  1926. }
  1927. }
  1928. /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
  1929. else if (check_flags)
  1930. rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
  1931. skip_sigs:
  1932. /* Check cert parameters are consistent */
  1933. if (tls1_check_cert_param(s, x, 1))
  1934. rv |= CERT_PKEY_EE_PARAM;
  1935. else if (!check_flags)
  1936. goto end;
  1937. if (!s->server)
  1938. rv |= CERT_PKEY_CA_PARAM;
  1939. /* In strict mode check rest of chain too */
  1940. else if (strict_mode) {
  1941. rv |= CERT_PKEY_CA_PARAM;
  1942. for (i = 0; i < sk_X509_num(chain); i++) {
  1943. X509 *ca = sk_X509_value(chain, i);
  1944. if (!tls1_check_cert_param(s, ca, 0)) {
  1945. if (check_flags) {
  1946. rv &= ~CERT_PKEY_CA_PARAM;
  1947. break;
  1948. } else
  1949. goto end;
  1950. }
  1951. }
  1952. }
  1953. if (!s->server && strict_mode) {
  1954. STACK_OF(X509_NAME) *ca_dn;
  1955. int check_type = 0;
  1956. switch (EVP_PKEY_id(pk)) {
  1957. case EVP_PKEY_RSA:
  1958. check_type = TLS_CT_RSA_SIGN;
  1959. break;
  1960. case EVP_PKEY_DSA:
  1961. check_type = TLS_CT_DSS_SIGN;
  1962. break;
  1963. case EVP_PKEY_EC:
  1964. check_type = TLS_CT_ECDSA_SIGN;
  1965. break;
  1966. }
  1967. if (check_type) {
  1968. const uint8_t *ctypes = s->s3->tmp.ctype;
  1969. size_t j;
  1970. for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
  1971. if (*ctypes == check_type) {
  1972. rv |= CERT_PKEY_CERT_TYPE;
  1973. break;
  1974. }
  1975. }
  1976. if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
  1977. goto end;
  1978. } else {
  1979. rv |= CERT_PKEY_CERT_TYPE;
  1980. }
  1981. ca_dn = s->s3->tmp.peer_ca_names;
  1982. if (!sk_X509_NAME_num(ca_dn))
  1983. rv |= CERT_PKEY_ISSUER_NAME;
  1984. if (!(rv & CERT_PKEY_ISSUER_NAME)) {
  1985. if (ssl_check_ca_name(ca_dn, x))
  1986. rv |= CERT_PKEY_ISSUER_NAME;
  1987. }
  1988. if (!(rv & CERT_PKEY_ISSUER_NAME)) {
  1989. for (i = 0; i < sk_X509_num(chain); i++) {
  1990. X509 *xtmp = sk_X509_value(chain, i);
  1991. if (ssl_check_ca_name(ca_dn, xtmp)) {
  1992. rv |= CERT_PKEY_ISSUER_NAME;
  1993. break;
  1994. }
  1995. }
  1996. }
  1997. if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
  1998. goto end;
  1999. } else
  2000. rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
  2001. if (!check_flags || (rv & check_flags) == check_flags)
  2002. rv |= CERT_PKEY_VALID;
  2003. end:
  2004. if (TLS1_get_version(s) >= TLS1_2_VERSION)
  2005. rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
  2006. else
  2007. rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
  2008. /*
  2009. * When checking a CERT_PKEY structure all flags are irrelevant if the
  2010. * chain is invalid.
  2011. */
  2012. if (!check_flags) {
  2013. if (rv & CERT_PKEY_VALID) {
  2014. *pvalid = rv;
  2015. } else {
  2016. /* Preserve sign and explicit sign flag, clear rest */
  2017. *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
  2018. return 0;
  2019. }
  2020. }
  2021. return rv;
  2022. }
  2023. /* Set validity of certificates in an SSL structure */
  2024. void tls1_set_cert_validity(SSL *s)
  2025. {
  2026. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
  2027. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
  2028. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
  2029. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
  2030. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
  2031. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
  2032. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
  2033. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
  2034. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
  2035. }
  2036. /* User level utility function to check a chain is suitable */
  2037. int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  2038. {
  2039. return tls1_check_chain(s, x, pk, chain, -1);
  2040. }
  2041. #ifndef OPENSSL_NO_DH
  2042. DH *ssl_get_auto_dh(SSL *s)
  2043. {
  2044. int dh_secbits = 80;
  2045. if (s->cert->dh_tmp_auto == 2)
  2046. return DH_get_1024_160();
  2047. if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
  2048. if (s->s3->tmp.new_cipher->strength_bits == 256)
  2049. dh_secbits = 128;
  2050. else
  2051. dh_secbits = 80;
  2052. } else {
  2053. if (s->s3->tmp.cert == NULL)
  2054. return NULL;
  2055. dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
  2056. }
  2057. if (dh_secbits >= 128) {
  2058. DH *dhp = DH_new();
  2059. BIGNUM *p, *g;
  2060. if (dhp == NULL)
  2061. return NULL;
  2062. g = BN_new();
  2063. if (g != NULL)
  2064. BN_set_word(g, 2);
  2065. if (dh_secbits >= 192)
  2066. p = BN_get_rfc3526_prime_8192(NULL);
  2067. else
  2068. p = BN_get_rfc3526_prime_3072(NULL);
  2069. if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
  2070. DH_free(dhp);
  2071. BN_free(p);
  2072. BN_free(g);
  2073. return NULL;
  2074. }
  2075. return dhp;
  2076. }
  2077. if (dh_secbits >= 112)
  2078. return DH_get_2048_224();
  2079. return DH_get_1024_160();
  2080. }
  2081. #endif
  2082. static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  2083. {
  2084. int secbits = -1;
  2085. EVP_PKEY *pkey = X509_get0_pubkey(x);
  2086. if (pkey) {
  2087. /*
  2088. * If no parameters this will return -1 and fail using the default
  2089. * security callback for any non-zero security level. This will
  2090. * reject keys which omit parameters but this only affects DSA and
  2091. * omission of parameters is never (?) done in practice.
  2092. */
  2093. secbits = EVP_PKEY_security_bits(pkey);
  2094. }
  2095. if (s)
  2096. return ssl_security(s, op, secbits, 0, x);
  2097. else
  2098. return ssl_ctx_security(ctx, op, secbits, 0, x);
  2099. }
  2100. static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  2101. {
  2102. /* Lookup signature algorithm digest */
  2103. int secbits, nid, pknid;
  2104. /* Don't check signature if self signed */
  2105. if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
  2106. return 1;
  2107. if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
  2108. secbits = -1;
  2109. /* If digest NID not defined use signature NID */
  2110. if (nid == NID_undef)
  2111. nid = pknid;
  2112. if (s)
  2113. return ssl_security(s, op, secbits, nid, x);
  2114. else
  2115. return ssl_ctx_security(ctx, op, secbits, nid, x);
  2116. }
  2117. int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
  2118. {
  2119. if (vfy)
  2120. vfy = SSL_SECOP_PEER;
  2121. if (is_ee) {
  2122. if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
  2123. return SSL_R_EE_KEY_TOO_SMALL;
  2124. } else {
  2125. if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
  2126. return SSL_R_CA_KEY_TOO_SMALL;
  2127. }
  2128. if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
  2129. return SSL_R_CA_MD_TOO_WEAK;
  2130. return 1;
  2131. }
  2132. /*
  2133. * Check security of a chain, if |sk| includes the end entity certificate then
  2134. * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
  2135. * one to the peer. Return values: 1 if ok otherwise error code to use
  2136. */
  2137. int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
  2138. {
  2139. int rv, start_idx, i;
  2140. if (x == NULL) {
  2141. x = sk_X509_value(sk, 0);
  2142. start_idx = 1;
  2143. } else
  2144. start_idx = 0;
  2145. rv = ssl_security_cert(s, NULL, x, vfy, 1);
  2146. if (rv != 1)
  2147. return rv;
  2148. for (i = start_idx; i < sk_X509_num(sk); i++) {
  2149. x = sk_X509_value(sk, i);
  2150. rv = ssl_security_cert(s, NULL, x, vfy, 0);
  2151. if (rv != 1)
  2152. return rv;
  2153. }
  2154. return 1;
  2155. }
  2156. /*
  2157. * For TLS 1.2 servers check if we have a certificate which can be used
  2158. * with the signature algorithm "lu" and return index of certificate.
  2159. */
  2160. static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
  2161. {
  2162. int sig_idx = lu->sig_idx;
  2163. const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
  2164. /* If not recognised or not supported by cipher mask it is not suitable */
  2165. if (clu == NULL || !(clu->amask & s->s3->tmp.new_cipher->algorithm_auth))
  2166. return -1;
  2167. return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
  2168. }
  2169. /*
  2170. * Returns true if |s| has a usable certificate configured for use
  2171. * with signature scheme |sig|.
  2172. * "Usable" includes a check for presence as well as applying
  2173. * the signature_algorithm_cert restrictions sent by the peer (if any).
  2174. * Returns false if no usable certificate is found.
  2175. */
  2176. static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
  2177. {
  2178. const SIGALG_LOOKUP *lu;
  2179. int mdnid, pknid;
  2180. size_t i;
  2181. /* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */
  2182. if (idx == -1)
  2183. idx = sig->sig_idx;
  2184. if (!ssl_has_cert(s, idx))
  2185. return 0;
  2186. if (s->s3->tmp.peer_cert_sigalgs != NULL) {
  2187. for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
  2188. lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
  2189. if (lu == NULL
  2190. || !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid,
  2191. &pknid, NULL, NULL))
  2192. continue;
  2193. /*
  2194. * TODO this does not differentiate between the
  2195. * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
  2196. * have a chain here that lets us look at the key OID in the
  2197. * signing certificate.
  2198. */
  2199. if (mdnid == lu->hash && pknid == lu->sig)
  2200. return 1;
  2201. }
  2202. return 0;
  2203. }
  2204. return 1;
  2205. }
  2206. /*
  2207. * Choose an appropriate signature algorithm based on available certificates
  2208. * Sets chosen certificate and signature algorithm.
  2209. *
  2210. * For servers if we fail to find a required certificate it is a fatal error,
  2211. * an appropriate error code is set and a TLS alert is sent.
  2212. *
  2213. * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
  2214. * a fatal error: we will either try another certificate or not present one
  2215. * to the server. In this case no error is set.
  2216. */
  2217. int tls_choose_sigalg(SSL *s, int fatalerrs)
  2218. {
  2219. const SIGALG_LOOKUP *lu = NULL;
  2220. int sig_idx = -1;
  2221. s->s3->tmp.cert = NULL;
  2222. s->s3->tmp.sigalg = NULL;
  2223. if (SSL_IS_TLS13(s)) {
  2224. size_t i;
  2225. #ifndef OPENSSL_NO_EC
  2226. int curve = -1;
  2227. #endif
  2228. /* Look for a certificate matching shared sigalgs */
  2229. for (i = 0; i < s->cert->shared_sigalgslen; i++) {
  2230. lu = s->cert->shared_sigalgs[i];
  2231. sig_idx = -1;
  2232. /* Skip SHA1, SHA224, DSA and RSA if not PSS */
  2233. if (lu->hash == NID_sha1
  2234. || lu->hash == NID_sha224
  2235. || lu->sig == EVP_PKEY_DSA
  2236. || lu->sig == EVP_PKEY_RSA)
  2237. continue;
  2238. /* Check that we have a cert, and signature_algorithms_cert */
  2239. if (!tls1_lookup_md(lu, NULL) || !has_usable_cert(s, lu, -1))
  2240. continue;
  2241. if (lu->sig == EVP_PKEY_EC) {
  2242. #ifndef OPENSSL_NO_EC
  2243. if (curve == -1) {
  2244. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
  2245. curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  2246. }
  2247. if (lu->curve != NID_undef && curve != lu->curve)
  2248. continue;
  2249. #else
  2250. continue;
  2251. #endif
  2252. } else if (lu->sig == EVP_PKEY_RSA_PSS) {
  2253. /* validate that key is large enough for the signature algorithm */
  2254. EVP_PKEY *pkey;
  2255. pkey = s->cert->pkeys[lu->sig_idx].privatekey;
  2256. if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
  2257. continue;
  2258. }
  2259. break;
  2260. }
  2261. if (i == s->cert->shared_sigalgslen) {
  2262. if (!fatalerrs)
  2263. return 1;
  2264. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
  2265. SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
  2266. return 0;
  2267. }
  2268. } else {
  2269. /* If ciphersuite doesn't require a cert nothing to do */
  2270. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
  2271. return 1;
  2272. if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
  2273. return 1;
  2274. if (SSL_USE_SIGALGS(s)) {
  2275. size_t i;
  2276. if (s->s3->tmp.peer_sigalgs != NULL) {
  2277. #ifndef OPENSSL_NO_EC
  2278. int curve;
  2279. /* For Suite B need to match signature algorithm to curve */
  2280. if (tls1_suiteb(s)) {
  2281. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
  2282. curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  2283. } else {
  2284. curve = -1;
  2285. }
  2286. #endif
  2287. /*
  2288. * Find highest preference signature algorithm matching
  2289. * cert type
  2290. */
  2291. for (i = 0; i < s->cert->shared_sigalgslen; i++) {
  2292. lu = s->cert->shared_sigalgs[i];
  2293. if (s->server) {
  2294. if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
  2295. continue;
  2296. } else {
  2297. int cc_idx = s->cert->key - s->cert->pkeys;
  2298. sig_idx = lu->sig_idx;
  2299. if (cc_idx != sig_idx)
  2300. continue;
  2301. }
  2302. /* Check that we have a cert, and sig_algs_cert */
  2303. if (!has_usable_cert(s, lu, sig_idx))
  2304. continue;
  2305. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2306. /* validate that key is large enough for the signature algorithm */
  2307. EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;
  2308. if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
  2309. continue;
  2310. }
  2311. #ifndef OPENSSL_NO_EC
  2312. if (curve == -1 || lu->curve == curve)
  2313. #endif
  2314. break;
  2315. }
  2316. if (i == s->cert->shared_sigalgslen) {
  2317. if (!fatalerrs)
  2318. return 1;
  2319. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2320. ERR_R_INTERNAL_ERROR);
  2321. return 0;
  2322. }
  2323. } else {
  2324. /*
  2325. * If we have no sigalg use defaults
  2326. */
  2327. const uint16_t *sent_sigs;
  2328. size_t sent_sigslen;
  2329. if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
  2330. if (!fatalerrs)
  2331. return 1;
  2332. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2333. ERR_R_INTERNAL_ERROR);
  2334. return 0;
  2335. }
  2336. /* Check signature matches a type we sent */
  2337. sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  2338. for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
  2339. if (lu->sigalg == *sent_sigs
  2340. && has_usable_cert(s, lu, lu->sig_idx))
  2341. break;
  2342. }
  2343. if (i == sent_sigslen) {
  2344. if (!fatalerrs)
  2345. return 1;
  2346. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  2347. SSL_F_TLS_CHOOSE_SIGALG,
  2348. SSL_R_WRONG_SIGNATURE_TYPE);
  2349. return 0;
  2350. }
  2351. }
  2352. } else {
  2353. if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
  2354. if (!fatalerrs)
  2355. return 1;
  2356. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2357. ERR_R_INTERNAL_ERROR);
  2358. return 0;
  2359. }
  2360. }
  2361. }
  2362. if (sig_idx == -1)
  2363. sig_idx = lu->sig_idx;
  2364. s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
  2365. s->cert->key = s->s3->tmp.cert;
  2366. s->s3->tmp.sigalg = lu;
  2367. return 1;
  2368. }
  2369. int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
  2370. {
  2371. if (mode != TLSEXT_max_fragment_length_DISABLED
  2372. && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
  2373. SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
  2374. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  2375. return 0;
  2376. }
  2377. ctx->ext.max_fragment_len_mode = mode;
  2378. return 1;
  2379. }
  2380. int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
  2381. {
  2382. if (mode != TLSEXT_max_fragment_length_DISABLED
  2383. && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
  2384. SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
  2385. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  2386. return 0;
  2387. }
  2388. ssl->ext.max_fragment_len_mode = mode;
  2389. return 1;
  2390. }
  2391. uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
  2392. {
  2393. return session->ext.max_fragment_len_mode;
  2394. }