2
0

t1_lib.c 84 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <openssl/objects.h>
  12. #include <openssl/evp.h>
  13. #include <openssl/hmac.h>
  14. #include <openssl/ocsp.h>
  15. #include <openssl/conf.h>
  16. #include <openssl/x509v3.h>
  17. #include <openssl/dh.h>
  18. #include <openssl/bn.h>
  19. #include "internal/nelem.h"
  20. #include "ssl_locl.h"
  21. #include <openssl/ct.h>
  22. SSL3_ENC_METHOD const TLSv1_enc_data = {
  23. tls1_enc,
  24. tls1_mac,
  25. tls1_setup_key_block,
  26. tls1_generate_master_secret,
  27. tls1_change_cipher_state,
  28. tls1_final_finish_mac,
  29. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  30. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  31. tls1_alert_code,
  32. tls1_export_keying_material,
  33. 0,
  34. ssl3_set_handshake_header,
  35. tls_close_construct_packet,
  36. ssl3_handshake_write
  37. };
  38. SSL3_ENC_METHOD const TLSv1_1_enc_data = {
  39. tls1_enc,
  40. tls1_mac,
  41. tls1_setup_key_block,
  42. tls1_generate_master_secret,
  43. tls1_change_cipher_state,
  44. tls1_final_finish_mac,
  45. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  46. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  47. tls1_alert_code,
  48. tls1_export_keying_material,
  49. SSL_ENC_FLAG_EXPLICIT_IV,
  50. ssl3_set_handshake_header,
  51. tls_close_construct_packet,
  52. ssl3_handshake_write
  53. };
  54. SSL3_ENC_METHOD const TLSv1_2_enc_data = {
  55. tls1_enc,
  56. tls1_mac,
  57. tls1_setup_key_block,
  58. tls1_generate_master_secret,
  59. tls1_change_cipher_state,
  60. tls1_final_finish_mac,
  61. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  62. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  63. tls1_alert_code,
  64. tls1_export_keying_material,
  65. SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
  66. | SSL_ENC_FLAG_TLS1_2_CIPHERS,
  67. ssl3_set_handshake_header,
  68. tls_close_construct_packet,
  69. ssl3_handshake_write
  70. };
  71. SSL3_ENC_METHOD const TLSv1_3_enc_data = {
  72. tls13_enc,
  73. tls1_mac,
  74. tls13_setup_key_block,
  75. tls13_generate_master_secret,
  76. tls13_change_cipher_state,
  77. tls13_final_finish_mac,
  78. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  79. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  80. tls13_alert_code,
  81. tls13_export_keying_material,
  82. SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
  83. ssl3_set_handshake_header,
  84. tls_close_construct_packet,
  85. ssl3_handshake_write
  86. };
  87. long tls1_default_timeout(void)
  88. {
  89. /*
  90. * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
  91. * http, the cache would over fill
  92. */
  93. return (60 * 60 * 2);
  94. }
  95. int tls1_new(SSL *s)
  96. {
  97. if (!ssl3_new(s))
  98. return 0;
  99. if (!s->method->ssl_clear(s))
  100. return 0;
  101. return 1;
  102. }
  103. void tls1_free(SSL *s)
  104. {
  105. OPENSSL_free(s->ext.session_ticket);
  106. ssl3_free(s);
  107. }
  108. int tls1_clear(SSL *s)
  109. {
  110. if (!ssl3_clear(s))
  111. return 0;
  112. if (s->method->version == TLS_ANY_VERSION)
  113. s->version = TLS_MAX_VERSION;
  114. else
  115. s->version = s->method->version;
  116. return 1;
  117. }
  118. #ifndef OPENSSL_NO_EC
  119. /*
  120. * Table of curve information.
  121. * Do not delete entries or reorder this array! It is used as a lookup
  122. * table: the index of each entry is one less than the TLS curve id.
  123. */
  124. static const TLS_GROUP_INFO nid_list[] = {
  125. {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
  126. {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
  127. {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
  128. {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
  129. {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
  130. {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
  131. {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
  132. {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
  133. {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
  134. {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
  135. {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
  136. {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
  137. {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
  138. {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
  139. {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
  140. {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
  141. {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
  142. {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
  143. {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
  144. {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
  145. {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
  146. {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
  147. {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
  148. {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
  149. {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
  150. {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
  151. {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
  152. {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
  153. {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
  154. {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
  155. };
  156. static const unsigned char ecformats_default[] = {
  157. TLSEXT_ECPOINTFORMAT_uncompressed,
  158. TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
  159. TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
  160. };
  161. /* The default curves */
  162. static const uint16_t eccurves_default[] = {
  163. 29, /* X25519 (29) */
  164. 23, /* secp256r1 (23) */
  165. 30, /* X448 (30) */
  166. 25, /* secp521r1 (25) */
  167. 24, /* secp384r1 (24) */
  168. };
  169. static const uint16_t suiteb_curves[] = {
  170. TLSEXT_curve_P_256,
  171. TLSEXT_curve_P_384
  172. };
  173. const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
  174. {
  175. /* ECC curves from RFC 4492 and RFC 7027 */
  176. if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
  177. return NULL;
  178. return &nid_list[group_id - 1];
  179. }
  180. static uint16_t tls1_nid2group_id(int nid)
  181. {
  182. size_t i;
  183. for (i = 0; i < OSSL_NELEM(nid_list); i++) {
  184. if (nid_list[i].nid == nid)
  185. return (uint16_t)(i + 1);
  186. }
  187. return 0;
  188. }
  189. /*
  190. * Set *pgroups to the supported groups list and *pgroupslen to
  191. * the number of groups supported.
  192. */
  193. void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
  194. size_t *pgroupslen)
  195. {
  196. /* For Suite B mode only include P-256, P-384 */
  197. switch (tls1_suiteb(s)) {
  198. case SSL_CERT_FLAG_SUITEB_128_LOS:
  199. *pgroups = suiteb_curves;
  200. *pgroupslen = OSSL_NELEM(suiteb_curves);
  201. break;
  202. case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  203. *pgroups = suiteb_curves;
  204. *pgroupslen = 1;
  205. break;
  206. case SSL_CERT_FLAG_SUITEB_192_LOS:
  207. *pgroups = suiteb_curves + 1;
  208. *pgroupslen = 1;
  209. break;
  210. default:
  211. if (s->ext.supportedgroups == NULL) {
  212. *pgroups = eccurves_default;
  213. *pgroupslen = OSSL_NELEM(eccurves_default);
  214. } else {
  215. *pgroups = s->ext.supportedgroups;
  216. *pgroupslen = s->ext.supportedgroups_len;
  217. }
  218. break;
  219. }
  220. }
  221. /* See if curve is allowed by security callback */
  222. int tls_curve_allowed(SSL *s, uint16_t curve, int op)
  223. {
  224. const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
  225. unsigned char ctmp[2];
  226. if (cinfo == NULL)
  227. return 0;
  228. # ifdef OPENSSL_NO_EC2M
  229. if (cinfo->flags & TLS_CURVE_CHAR2)
  230. return 0;
  231. # endif
  232. ctmp[0] = curve >> 8;
  233. ctmp[1] = curve & 0xff;
  234. return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
  235. }
  236. /* Return 1 if "id" is in "list" */
  237. static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
  238. {
  239. size_t i;
  240. for (i = 0; i < listlen; i++)
  241. if (list[i] == id)
  242. return 1;
  243. return 0;
  244. }
  245. /*-
  246. * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
  247. * if there is no match.
  248. * For nmatch == -1, return number of matches
  249. * For nmatch == -2, return the id of the group to use for
  250. * a tmp key, or 0 if there is no match.
  251. */
  252. uint16_t tls1_shared_group(SSL *s, int nmatch)
  253. {
  254. const uint16_t *pref, *supp;
  255. size_t num_pref, num_supp, i;
  256. int k;
  257. /* Can't do anything on client side */
  258. if (s->server == 0)
  259. return 0;
  260. if (nmatch == -2) {
  261. if (tls1_suiteb(s)) {
  262. /*
  263. * For Suite B ciphersuite determines curve: we already know
  264. * these are acceptable due to previous checks.
  265. */
  266. unsigned long cid = s->s3->tmp.new_cipher->id;
  267. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  268. return TLSEXT_curve_P_256;
  269. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  270. return TLSEXT_curve_P_384;
  271. /* Should never happen */
  272. return 0;
  273. }
  274. /* If not Suite B just return first preference shared curve */
  275. nmatch = 0;
  276. }
  277. /*
  278. * If server preference set, our groups are the preference order
  279. * otherwise peer decides.
  280. */
  281. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  282. tls1_get_supported_groups(s, &pref, &num_pref);
  283. tls1_get_peer_groups(s, &supp, &num_supp);
  284. } else {
  285. tls1_get_peer_groups(s, &pref, &num_pref);
  286. tls1_get_supported_groups(s, &supp, &num_supp);
  287. }
  288. for (k = 0, i = 0; i < num_pref; i++) {
  289. uint16_t id = pref[i];
  290. if (!tls1_in_list(id, supp, num_supp)
  291. || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
  292. continue;
  293. if (nmatch == k)
  294. return id;
  295. k++;
  296. }
  297. if (nmatch == -1)
  298. return k;
  299. /* Out of range (nmatch > k). */
  300. return 0;
  301. }
  302. int tls1_set_groups(uint16_t **pext, size_t *pextlen,
  303. int *groups, size_t ngroups)
  304. {
  305. uint16_t *glist;
  306. size_t i;
  307. /*
  308. * Bitmap of groups included to detect duplicates: only works while group
  309. * ids < 32
  310. */
  311. unsigned long dup_list = 0;
  312. if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
  313. SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE);
  314. return 0;
  315. }
  316. for (i = 0; i < ngroups; i++) {
  317. unsigned long idmask;
  318. uint16_t id;
  319. /* TODO(TLS1.3): Convert for DH groups */
  320. id = tls1_nid2group_id(groups[i]);
  321. idmask = 1L << id;
  322. if (!id || (dup_list & idmask)) {
  323. OPENSSL_free(glist);
  324. return 0;
  325. }
  326. dup_list |= idmask;
  327. glist[i] = id;
  328. }
  329. OPENSSL_free(*pext);
  330. *pext = glist;
  331. *pextlen = ngroups;
  332. return 1;
  333. }
  334. # define MAX_CURVELIST OSSL_NELEM(nid_list)
  335. typedef struct {
  336. size_t nidcnt;
  337. int nid_arr[MAX_CURVELIST];
  338. } nid_cb_st;
  339. static int nid_cb(const char *elem, int len, void *arg)
  340. {
  341. nid_cb_st *narg = arg;
  342. size_t i;
  343. int nid;
  344. char etmp[20];
  345. if (elem == NULL)
  346. return 0;
  347. if (narg->nidcnt == MAX_CURVELIST)
  348. return 0;
  349. if (len > (int)(sizeof(etmp) - 1))
  350. return 0;
  351. memcpy(etmp, elem, len);
  352. etmp[len] = 0;
  353. nid = EC_curve_nist2nid(etmp);
  354. if (nid == NID_undef)
  355. nid = OBJ_sn2nid(etmp);
  356. if (nid == NID_undef)
  357. nid = OBJ_ln2nid(etmp);
  358. if (nid == NID_undef)
  359. return 0;
  360. for (i = 0; i < narg->nidcnt; i++)
  361. if (narg->nid_arr[i] == nid)
  362. return 0;
  363. narg->nid_arr[narg->nidcnt++] = nid;
  364. return 1;
  365. }
  366. /* Set groups based on a colon separate list */
  367. int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
  368. {
  369. nid_cb_st ncb;
  370. ncb.nidcnt = 0;
  371. if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
  372. return 0;
  373. if (pext == NULL)
  374. return 1;
  375. return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
  376. }
  377. /* Return group id of a key */
  378. static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
  379. {
  380. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
  381. const EC_GROUP *grp;
  382. if (ec == NULL)
  383. return 0;
  384. grp = EC_KEY_get0_group(ec);
  385. return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
  386. }
  387. /* Check a key is compatible with compression extension */
  388. static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
  389. {
  390. const EC_KEY *ec;
  391. const EC_GROUP *grp;
  392. unsigned char comp_id;
  393. size_t i;
  394. /* If not an EC key nothing to check */
  395. if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
  396. return 1;
  397. ec = EVP_PKEY_get0_EC_KEY(pkey);
  398. grp = EC_KEY_get0_group(ec);
  399. /* Get required compression id */
  400. if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
  401. comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
  402. } else if (SSL_IS_TLS13(s)) {
  403. /*
  404. * ec_point_formats extension is not used in TLSv1.3 so we ignore
  405. * this check.
  406. */
  407. return 1;
  408. } else {
  409. int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));
  410. if (field_type == NID_X9_62_prime_field)
  411. comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
  412. else if (field_type == NID_X9_62_characteristic_two_field)
  413. comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  414. else
  415. return 0;
  416. }
  417. /*
  418. * If point formats extension present check it, otherwise everything is
  419. * supported (see RFC4492).
  420. */
  421. if (s->session->ext.ecpointformats == NULL)
  422. return 1;
  423. for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
  424. if (s->session->ext.ecpointformats[i] == comp_id)
  425. return 1;
  426. }
  427. return 0;
  428. }
  429. /* Check a group id matches preferences */
  430. int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
  431. {
  432. const uint16_t *groups;
  433. size_t groups_len;
  434. if (group_id == 0)
  435. return 0;
  436. /* Check for Suite B compliance */
  437. if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
  438. unsigned long cid = s->s3->tmp.new_cipher->id;
  439. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
  440. if (group_id != TLSEXT_curve_P_256)
  441. return 0;
  442. } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
  443. if (group_id != TLSEXT_curve_P_384)
  444. return 0;
  445. } else {
  446. /* Should never happen */
  447. return 0;
  448. }
  449. }
  450. if (check_own_groups) {
  451. /* Check group is one of our preferences */
  452. tls1_get_supported_groups(s, &groups, &groups_len);
  453. if (!tls1_in_list(group_id, groups, groups_len))
  454. return 0;
  455. }
  456. if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
  457. return 0;
  458. /* For clients, nothing more to check */
  459. if (!s->server)
  460. return 1;
  461. /* Check group is one of peers preferences */
  462. tls1_get_peer_groups(s, &groups, &groups_len);
  463. /*
  464. * RFC 4492 does not require the supported elliptic curves extension
  465. * so if it is not sent we can just choose any curve.
  466. * It is invalid to send an empty list in the supported groups
  467. * extension, so groups_len == 0 always means no extension.
  468. */
  469. if (groups_len == 0)
  470. return 1;
  471. return tls1_in_list(group_id, groups, groups_len);
  472. }
  473. void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
  474. size_t *num_formats)
  475. {
  476. /*
  477. * If we have a custom point format list use it otherwise use default
  478. */
  479. if (s->ext.ecpointformats) {
  480. *pformats = s->ext.ecpointformats;
  481. *num_formats = s->ext.ecpointformats_len;
  482. } else {
  483. *pformats = ecformats_default;
  484. /* For Suite B we don't support char2 fields */
  485. if (tls1_suiteb(s))
  486. *num_formats = sizeof(ecformats_default) - 1;
  487. else
  488. *num_formats = sizeof(ecformats_default);
  489. }
  490. }
  491. /*
  492. * Check cert parameters compatible with extensions: currently just checks EC
  493. * certificates have compatible curves and compression.
  494. */
  495. static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
  496. {
  497. uint16_t group_id;
  498. EVP_PKEY *pkey;
  499. pkey = X509_get0_pubkey(x);
  500. if (pkey == NULL)
  501. return 0;
  502. /* If not EC nothing to do */
  503. if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
  504. return 1;
  505. /* Check compression */
  506. if (!tls1_check_pkey_comp(s, pkey))
  507. return 0;
  508. group_id = tls1_get_group_id(pkey);
  509. /*
  510. * For a server we allow the certificate to not be in our list of supported
  511. * groups.
  512. */
  513. if (!tls1_check_group_id(s, group_id, !s->server))
  514. return 0;
  515. /*
  516. * Special case for suite B. We *MUST* sign using SHA256+P-256 or
  517. * SHA384+P-384.
  518. */
  519. if (check_ee_md && tls1_suiteb(s)) {
  520. int check_md;
  521. size_t i;
  522. CERT *c = s->cert;
  523. /* Check to see we have necessary signing algorithm */
  524. if (group_id == TLSEXT_curve_P_256)
  525. check_md = NID_ecdsa_with_SHA256;
  526. else if (group_id == TLSEXT_curve_P_384)
  527. check_md = NID_ecdsa_with_SHA384;
  528. else
  529. return 0; /* Should never happen */
  530. for (i = 0; i < c->shared_sigalgslen; i++) {
  531. if (check_md == c->shared_sigalgs[i]->sigandhash)
  532. return 1;;
  533. }
  534. return 0;
  535. }
  536. return 1;
  537. }
  538. /*
  539. * tls1_check_ec_tmp_key - Check EC temporary key compatibility
  540. * @s: SSL connection
  541. * @cid: Cipher ID we're considering using
  542. *
  543. * Checks that the kECDHE cipher suite we're considering using
  544. * is compatible with the client extensions.
  545. *
  546. * Returns 0 when the cipher can't be used or 1 when it can.
  547. */
  548. int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
  549. {
  550. /* If not Suite B just need a shared group */
  551. if (!tls1_suiteb(s))
  552. return tls1_shared_group(s, 0) != 0;
  553. /*
  554. * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
  555. * curves permitted.
  556. */
  557. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  558. return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
  559. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  560. return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);
  561. return 0;
  562. }
  563. #else
  564. static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
  565. {
  566. return 1;
  567. }
  568. #endif /* OPENSSL_NO_EC */
  569. /* Default sigalg schemes */
  570. static const uint16_t tls12_sigalgs[] = {
  571. #ifndef OPENSSL_NO_EC
  572. TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  573. TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
  574. TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
  575. TLSEXT_SIGALG_ed25519,
  576. TLSEXT_SIGALG_ed448,
  577. #endif
  578. TLSEXT_SIGALG_rsa_pss_pss_sha256,
  579. TLSEXT_SIGALG_rsa_pss_pss_sha384,
  580. TLSEXT_SIGALG_rsa_pss_pss_sha512,
  581. TLSEXT_SIGALG_rsa_pss_rsae_sha256,
  582. TLSEXT_SIGALG_rsa_pss_rsae_sha384,
  583. TLSEXT_SIGALG_rsa_pss_rsae_sha512,
  584. TLSEXT_SIGALG_rsa_pkcs1_sha256,
  585. TLSEXT_SIGALG_rsa_pkcs1_sha384,
  586. TLSEXT_SIGALG_rsa_pkcs1_sha512,
  587. #ifndef OPENSSL_NO_EC
  588. TLSEXT_SIGALG_ecdsa_sha224,
  589. TLSEXT_SIGALG_ecdsa_sha1,
  590. #endif
  591. TLSEXT_SIGALG_rsa_pkcs1_sha224,
  592. TLSEXT_SIGALG_rsa_pkcs1_sha1,
  593. #ifndef OPENSSL_NO_DSA
  594. TLSEXT_SIGALG_dsa_sha224,
  595. TLSEXT_SIGALG_dsa_sha1,
  596. TLSEXT_SIGALG_dsa_sha256,
  597. TLSEXT_SIGALG_dsa_sha384,
  598. TLSEXT_SIGALG_dsa_sha512,
  599. #endif
  600. #ifndef OPENSSL_NO_GOST
  601. TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
  602. TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
  603. TLSEXT_SIGALG_gostr34102001_gostr3411,
  604. #endif
  605. };
  606. #ifndef OPENSSL_NO_EC
  607. static const uint16_t suiteb_sigalgs[] = {
  608. TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  609. TLSEXT_SIGALG_ecdsa_secp384r1_sha384
  610. };
  611. #endif
  612. static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
  613. #ifndef OPENSSL_NO_EC
  614. {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  615. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  616. NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
  617. {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
  618. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  619. NID_ecdsa_with_SHA384, NID_secp384r1},
  620. {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
  621. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  622. NID_ecdsa_with_SHA512, NID_secp521r1},
  623. {"ed25519", TLSEXT_SIGALG_ed25519,
  624. NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
  625. NID_undef, NID_undef},
  626. {"ed448", TLSEXT_SIGALG_ed448,
  627. NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
  628. NID_undef, NID_undef},
  629. {NULL, TLSEXT_SIGALG_ecdsa_sha224,
  630. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  631. NID_ecdsa_with_SHA224, NID_undef},
  632. {NULL, TLSEXT_SIGALG_ecdsa_sha1,
  633. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  634. NID_ecdsa_with_SHA1, NID_undef},
  635. #endif
  636. {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
  637. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  638. NID_undef, NID_undef},
  639. {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
  640. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  641. NID_undef, NID_undef},
  642. {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
  643. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  644. NID_undef, NID_undef},
  645. {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
  646. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  647. NID_undef, NID_undef},
  648. {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
  649. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  650. NID_undef, NID_undef},
  651. {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
  652. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  653. NID_undef, NID_undef},
  654. {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
  655. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  656. NID_sha256WithRSAEncryption, NID_undef},
  657. {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
  658. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  659. NID_sha384WithRSAEncryption, NID_undef},
  660. {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
  661. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  662. NID_sha512WithRSAEncryption, NID_undef},
  663. {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
  664. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  665. NID_sha224WithRSAEncryption, NID_undef},
  666. {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
  667. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  668. NID_sha1WithRSAEncryption, NID_undef},
  669. #ifndef OPENSSL_NO_DSA
  670. {NULL, TLSEXT_SIGALG_dsa_sha256,
  671. NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  672. NID_dsa_with_SHA256, NID_undef},
  673. {NULL, TLSEXT_SIGALG_dsa_sha384,
  674. NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  675. NID_undef, NID_undef},
  676. {NULL, TLSEXT_SIGALG_dsa_sha512,
  677. NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  678. NID_undef, NID_undef},
  679. {NULL, TLSEXT_SIGALG_dsa_sha224,
  680. NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  681. NID_undef, NID_undef},
  682. {NULL, TLSEXT_SIGALG_dsa_sha1,
  683. NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  684. NID_dsaWithSHA1, NID_undef},
  685. #endif
  686. #ifndef OPENSSL_NO_GOST
  687. {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
  688. NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
  689. NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
  690. NID_undef, NID_undef},
  691. {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
  692. NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
  693. NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
  694. NID_undef, NID_undef},
  695. {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
  696. NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
  697. NID_id_GostR3410_2001, SSL_PKEY_GOST01,
  698. NID_undef, NID_undef}
  699. #endif
  700. };
  701. /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
  702. static const SIGALG_LOOKUP legacy_rsa_sigalg = {
  703. "rsa_pkcs1_md5_sha1", 0,
  704. NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
  705. EVP_PKEY_RSA, SSL_PKEY_RSA,
  706. NID_undef, NID_undef
  707. };
  708. /*
  709. * Default signature algorithm values used if signature algorithms not present.
  710. * From RFC5246. Note: order must match certificate index order.
  711. */
  712. static const uint16_t tls_default_sigalg[] = {
  713. TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
  714. 0, /* SSL_PKEY_RSA_PSS_SIGN */
  715. TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
  716. TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
  717. TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
  718. TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
  719. TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
  720. 0, /* SSL_PKEY_ED25519 */
  721. 0, /* SSL_PKEY_ED448 */
  722. };
  723. /* Lookup TLS signature algorithm */
  724. static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
  725. {
  726. size_t i;
  727. const SIGALG_LOOKUP *s;
  728. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  729. i++, s++) {
  730. if (s->sigalg == sigalg)
  731. return s;
  732. }
  733. return NULL;
  734. }
  735. /* Lookup hash: return 0 if invalid or not enabled */
  736. int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
  737. {
  738. const EVP_MD *md;
  739. if (lu == NULL)
  740. return 0;
  741. /* lu->hash == NID_undef means no associated digest */
  742. if (lu->hash == NID_undef) {
  743. md = NULL;
  744. } else {
  745. md = ssl_md(lu->hash_idx);
  746. if (md == NULL)
  747. return 0;
  748. }
  749. if (pmd)
  750. *pmd = md;
  751. return 1;
  752. }
  753. /*
  754. * Check if key is large enough to generate RSA-PSS signature.
  755. *
  756. * The key must greater than or equal to 2 * hash length + 2.
  757. * SHA512 has a hash length of 64 bytes, which is incompatible
  758. * with a 128 byte (1024 bit) key.
  759. */
  760. #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
  761. static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
  762. {
  763. const EVP_MD *md;
  764. if (rsa == NULL)
  765. return 0;
  766. if (!tls1_lookup_md(lu, &md) || md == NULL)
  767. return 0;
  768. if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md))
  769. return 0;
  770. return 1;
  771. }
  772. /*
  773. * Return a signature algorithm for TLS < 1.2 where the signature type
  774. * is fixed by the certificate type.
  775. */
  776. static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
  777. {
  778. if (idx == -1) {
  779. if (s->server) {
  780. size_t i;
  781. /* Work out index corresponding to ciphersuite */
  782. for (i = 0; i < SSL_PKEY_NUM; i++) {
  783. const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);
  784. if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
  785. idx = i;
  786. break;
  787. }
  788. }
  789. /*
  790. * Some GOST ciphersuites allow more than one signature algorithms
  791. * */
  792. if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
  793. int real_idx;
  794. for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
  795. real_idx--) {
  796. if (s->cert->pkeys[real_idx].privatekey != NULL) {
  797. idx = real_idx;
  798. break;
  799. }
  800. }
  801. }
  802. } else {
  803. idx = s->cert->key - s->cert->pkeys;
  804. }
  805. }
  806. if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
  807. return NULL;
  808. if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
  809. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
  810. if (!tls1_lookup_md(lu, NULL))
  811. return NULL;
  812. return lu;
  813. }
  814. return &legacy_rsa_sigalg;
  815. }
  816. /* Set peer sigalg based key type */
  817. int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
  818. {
  819. size_t idx;
  820. const SIGALG_LOOKUP *lu;
  821. if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
  822. return 0;
  823. lu = tls1_get_legacy_sigalg(s, idx);
  824. if (lu == NULL)
  825. return 0;
  826. s->s3->tmp.peer_sigalg = lu;
  827. return 1;
  828. }
  829. size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
  830. {
  831. /*
  832. * If Suite B mode use Suite B sigalgs only, ignore any other
  833. * preferences.
  834. */
  835. #ifndef OPENSSL_NO_EC
  836. switch (tls1_suiteb(s)) {
  837. case SSL_CERT_FLAG_SUITEB_128_LOS:
  838. *psigs = suiteb_sigalgs;
  839. return OSSL_NELEM(suiteb_sigalgs);
  840. case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  841. *psigs = suiteb_sigalgs;
  842. return 1;
  843. case SSL_CERT_FLAG_SUITEB_192_LOS:
  844. *psigs = suiteb_sigalgs + 1;
  845. return 1;
  846. }
  847. #endif
  848. /*
  849. * We use client_sigalgs (if not NULL) if we're a server
  850. * and sending a certificate request or if we're a client and
  851. * determining which shared algorithm to use.
  852. */
  853. if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
  854. *psigs = s->cert->client_sigalgs;
  855. return s->cert->client_sigalgslen;
  856. } else if (s->cert->conf_sigalgs) {
  857. *psigs = s->cert->conf_sigalgs;
  858. return s->cert->conf_sigalgslen;
  859. } else {
  860. *psigs = tls12_sigalgs;
  861. return OSSL_NELEM(tls12_sigalgs);
  862. }
  863. }
  864. /*
  865. * Check signature algorithm is consistent with sent supported signature
  866. * algorithms and if so set relevant digest and signature scheme in
  867. * s.
  868. */
  869. int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
  870. {
  871. const uint16_t *sent_sigs;
  872. const EVP_MD *md = NULL;
  873. char sigalgstr[2];
  874. size_t sent_sigslen, i;
  875. int pkeyid = EVP_PKEY_id(pkey);
  876. const SIGALG_LOOKUP *lu;
  877. /* Should never happen */
  878. if (pkeyid == -1)
  879. return -1;
  880. if (SSL_IS_TLS13(s)) {
  881. /* Disallow DSA for TLS 1.3 */
  882. if (pkeyid == EVP_PKEY_DSA) {
  883. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
  884. SSL_R_WRONG_SIGNATURE_TYPE);
  885. return 0;
  886. }
  887. /* Only allow PSS for TLS 1.3 */
  888. if (pkeyid == EVP_PKEY_RSA)
  889. pkeyid = EVP_PKEY_RSA_PSS;
  890. }
  891. lu = tls1_lookup_sigalg(sig);
  892. /*
  893. * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
  894. * is consistent with signature: RSA keys can be used for RSA-PSS
  895. */
  896. if (lu == NULL
  897. || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
  898. || (pkeyid != lu->sig
  899. && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
  900. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
  901. SSL_R_WRONG_SIGNATURE_TYPE);
  902. return 0;
  903. }
  904. #ifndef OPENSSL_NO_EC
  905. if (pkeyid == EVP_PKEY_EC) {
  906. /* Check point compression is permitted */
  907. if (!tls1_check_pkey_comp(s, pkey)) {
  908. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  909. SSL_F_TLS12_CHECK_PEER_SIGALG,
  910. SSL_R_ILLEGAL_POINT_COMPRESSION);
  911. return 0;
  912. }
  913. /* For TLS 1.3 or Suite B check curve matches signature algorithm */
  914. if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
  915. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
  916. int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  917. if (lu->curve != NID_undef && curve != lu->curve) {
  918. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  919. SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
  920. return 0;
  921. }
  922. }
  923. if (!SSL_IS_TLS13(s)) {
  924. /* Check curve matches extensions */
  925. if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
  926. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  927. SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
  928. return 0;
  929. }
  930. if (tls1_suiteb(s)) {
  931. /* Check sigalg matches a permissible Suite B value */
  932. if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
  933. && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
  934. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  935. SSL_F_TLS12_CHECK_PEER_SIGALG,
  936. SSL_R_WRONG_SIGNATURE_TYPE);
  937. return 0;
  938. }
  939. }
  940. }
  941. } else if (tls1_suiteb(s)) {
  942. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  943. SSL_R_WRONG_SIGNATURE_TYPE);
  944. return 0;
  945. }
  946. #endif
  947. /* Check signature matches a type we sent */
  948. sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  949. for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
  950. if (sig == *sent_sigs)
  951. break;
  952. }
  953. /* Allow fallback to SHA1 if not strict mode */
  954. if (i == sent_sigslen && (lu->hash != NID_sha1
  955. || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
  956. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  957. SSL_R_WRONG_SIGNATURE_TYPE);
  958. return 0;
  959. }
  960. if (!tls1_lookup_md(lu, &md)) {
  961. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  962. SSL_R_UNKNOWN_DIGEST);
  963. return 0;
  964. }
  965. if (md != NULL) {
  966. /*
  967. * Make sure security callback allows algorithm. For historical
  968. * reasons we have to pass the sigalg as a two byte char array.
  969. */
  970. sigalgstr[0] = (sig >> 8) & 0xff;
  971. sigalgstr[1] = sig & 0xff;
  972. if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
  973. EVP_MD_size(md) * 4, EVP_MD_type(md),
  974. (void *)sigalgstr)) {
  975. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
  976. SSL_R_WRONG_SIGNATURE_TYPE);
  977. return 0;
  978. }
  979. }
  980. /* Store the sigalg the peer uses */
  981. s->s3->tmp.peer_sigalg = lu;
  982. return 1;
  983. }
  984. int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
  985. {
  986. if (s->s3->tmp.peer_sigalg == NULL)
  987. return 0;
  988. *pnid = s->s3->tmp.peer_sigalg->sig;
  989. return 1;
  990. }
  991. /*
  992. * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
  993. * supported, doesn't appear in supported signature algorithms, isn't supported
  994. * by the enabled protocol versions or by the security level.
  995. *
  996. * This function should only be used for checking which ciphers are supported
  997. * by the client.
  998. *
  999. * Call ssl_cipher_disabled() to check that it's enabled or not.
  1000. */
  1001. int ssl_set_client_disabled(SSL *s)
  1002. {
  1003. s->s3->tmp.mask_a = 0;
  1004. s->s3->tmp.mask_k = 0;
  1005. ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
  1006. if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver,
  1007. &s->s3->tmp.max_ver) != 0)
  1008. return 0;
  1009. #ifndef OPENSSL_NO_PSK
  1010. /* with PSK there must be client callback set */
  1011. if (!s->psk_client_callback) {
  1012. s->s3->tmp.mask_a |= SSL_aPSK;
  1013. s->s3->tmp.mask_k |= SSL_PSK;
  1014. }
  1015. #endif /* OPENSSL_NO_PSK */
  1016. #ifndef OPENSSL_NO_SRP
  1017. if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
  1018. s->s3->tmp.mask_a |= SSL_aSRP;
  1019. s->s3->tmp.mask_k |= SSL_kSRP;
  1020. }
  1021. #endif
  1022. return 1;
  1023. }
  1024. /*
  1025. * ssl_cipher_disabled - check that a cipher is disabled or not
  1026. * @s: SSL connection that you want to use the cipher on
  1027. * @c: cipher to check
  1028. * @op: Security check that you want to do
  1029. * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
  1030. *
  1031. * Returns 1 when it's disabled, 0 when enabled.
  1032. */
  1033. int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
  1034. {
  1035. if (c->algorithm_mkey & s->s3->tmp.mask_k
  1036. || c->algorithm_auth & s->s3->tmp.mask_a)
  1037. return 1;
  1038. if (s->s3->tmp.max_ver == 0)
  1039. return 1;
  1040. if (!SSL_IS_DTLS(s)) {
  1041. int min_tls = c->min_tls;
  1042. /*
  1043. * For historical reasons we will allow ECHDE to be selected by a server
  1044. * in SSLv3 if we are a client
  1045. */
  1046. if (min_tls == TLS1_VERSION && ecdhe
  1047. && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
  1048. min_tls = SSL3_VERSION;
  1049. if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
  1050. return 1;
  1051. }
  1052. if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
  1053. || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
  1054. return 1;
  1055. return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
  1056. }
  1057. int tls_use_ticket(SSL *s)
  1058. {
  1059. if ((s->options & SSL_OP_NO_TICKET))
  1060. return 0;
  1061. return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
  1062. }
  1063. int tls1_set_server_sigalgs(SSL *s)
  1064. {
  1065. size_t i;
  1066. /* Clear any shared signature algorithms */
  1067. OPENSSL_free(s->cert->shared_sigalgs);
  1068. s->cert->shared_sigalgs = NULL;
  1069. s->cert->shared_sigalgslen = 0;
  1070. /* Clear certificate validity flags */
  1071. for (i = 0; i < SSL_PKEY_NUM; i++)
  1072. s->s3->tmp.valid_flags[i] = 0;
  1073. /*
  1074. * If peer sent no signature algorithms check to see if we support
  1075. * the default algorithm for each certificate type
  1076. */
  1077. if (s->s3->tmp.peer_cert_sigalgs == NULL
  1078. && s->s3->tmp.peer_sigalgs == NULL) {
  1079. const uint16_t *sent_sigs;
  1080. size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  1081. for (i = 0; i < SSL_PKEY_NUM; i++) {
  1082. const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
  1083. size_t j;
  1084. if (lu == NULL)
  1085. continue;
  1086. /* Check default matches a type we sent */
  1087. for (j = 0; j < sent_sigslen; j++) {
  1088. if (lu->sigalg == sent_sigs[j]) {
  1089. s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
  1090. break;
  1091. }
  1092. }
  1093. }
  1094. return 1;
  1095. }
  1096. if (!tls1_process_sigalgs(s)) {
  1097. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1098. SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
  1099. return 0;
  1100. }
  1101. if (s->cert->shared_sigalgs != NULL)
  1102. return 1;
  1103. /* Fatal error if no shared signature algorithms */
  1104. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
  1105. SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
  1106. return 0;
  1107. }
  1108. /*-
  1109. * Gets the ticket information supplied by the client if any.
  1110. *
  1111. * hello: The parsed ClientHello data
  1112. * ret: (output) on return, if a ticket was decrypted, then this is set to
  1113. * point to the resulting session.
  1114. */
  1115. SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
  1116. SSL_SESSION **ret)
  1117. {
  1118. size_t size;
  1119. RAW_EXTENSION *ticketext;
  1120. *ret = NULL;
  1121. s->ext.ticket_expected = 0;
  1122. /*
  1123. * If tickets disabled or not supported by the protocol version
  1124. * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
  1125. * resumption.
  1126. */
  1127. if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
  1128. return SSL_TICKET_NONE;
  1129. ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
  1130. if (!ticketext->present)
  1131. return SSL_TICKET_NONE;
  1132. size = PACKET_remaining(&ticketext->data);
  1133. return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
  1134. hello->session_id, hello->session_id_len, ret);
  1135. }
  1136. /*-
  1137. * tls_decrypt_ticket attempts to decrypt a session ticket.
  1138. *
  1139. * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are
  1140. * expecting a pre-shared key ciphersuite, in which case we have no use for
  1141. * session tickets and one will never be decrypted, nor will
  1142. * s->ext.ticket_expected be set to 1.
  1143. *
  1144. * Side effects:
  1145. * Sets s->ext.ticket_expected to 1 if the server will have to issue
  1146. * a new session ticket to the client because the client indicated support
  1147. * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
  1148. * a session ticket or we couldn't use the one it gave us, or if
  1149. * s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
  1150. * Otherwise, s->ext.ticket_expected is set to 0.
  1151. *
  1152. * etick: points to the body of the session ticket extension.
  1153. * eticklen: the length of the session tickets extension.
  1154. * sess_id: points at the session ID.
  1155. * sesslen: the length of the session ID.
  1156. * psess: (output) on return, if a ticket was decrypted, then this is set to
  1157. * point to the resulting session.
  1158. */
  1159. SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
  1160. size_t eticklen, const unsigned char *sess_id,
  1161. size_t sesslen, SSL_SESSION **psess)
  1162. {
  1163. SSL_SESSION *sess = NULL;
  1164. unsigned char *sdec;
  1165. const unsigned char *p;
  1166. int slen, renew_ticket = 0, declen;
  1167. SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
  1168. size_t mlen;
  1169. unsigned char tick_hmac[EVP_MAX_MD_SIZE];
  1170. HMAC_CTX *hctx = NULL;
  1171. EVP_CIPHER_CTX *ctx = NULL;
  1172. SSL_CTX *tctx = s->session_ctx;
  1173. if (eticklen == 0) {
  1174. /*
  1175. * The client will accept a ticket but doesn't currently have
  1176. * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
  1177. */
  1178. ret = SSL_TICKET_EMPTY;
  1179. goto end;
  1180. }
  1181. if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) {
  1182. /*
  1183. * Indicate that the ticket couldn't be decrypted rather than
  1184. * generating the session from ticket now, trigger
  1185. * abbreviated handshake based on external mechanism to
  1186. * calculate the master secret later.
  1187. */
  1188. ret = SSL_TICKET_NO_DECRYPT;
  1189. goto end;
  1190. }
  1191. /* Need at least keyname + iv */
  1192. if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
  1193. ret = SSL_TICKET_NO_DECRYPT;
  1194. goto end;
  1195. }
  1196. /* Initialize session ticket encryption and HMAC contexts */
  1197. hctx = HMAC_CTX_new();
  1198. if (hctx == NULL) {
  1199. ret = SSL_TICKET_FATAL_ERR_MALLOC;
  1200. goto end;
  1201. }
  1202. ctx = EVP_CIPHER_CTX_new();
  1203. if (ctx == NULL) {
  1204. ret = SSL_TICKET_FATAL_ERR_MALLOC;
  1205. goto end;
  1206. }
  1207. if (tctx->ext.ticket_key_cb) {
  1208. unsigned char *nctick = (unsigned char *)etick;
  1209. int rv = tctx->ext.ticket_key_cb(s, nctick,
  1210. nctick + TLSEXT_KEYNAME_LENGTH,
  1211. ctx, hctx, 0);
  1212. if (rv < 0) {
  1213. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1214. goto end;
  1215. }
  1216. if (rv == 0) {
  1217. ret = SSL_TICKET_NO_DECRYPT;
  1218. goto end;
  1219. }
  1220. if (rv == 2)
  1221. renew_ticket = 1;
  1222. } else {
  1223. /* Check key name matches */
  1224. if (memcmp(etick, tctx->ext.tick_key_name,
  1225. TLSEXT_KEYNAME_LENGTH) != 0) {
  1226. ret = SSL_TICKET_NO_DECRYPT;
  1227. goto end;
  1228. }
  1229. if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
  1230. sizeof(tctx->ext.secure->tick_hmac_key),
  1231. EVP_sha256(), NULL) <= 0
  1232. || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
  1233. tctx->ext.secure->tick_aes_key,
  1234. etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
  1235. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1236. goto end;
  1237. }
  1238. if (SSL_IS_TLS13(s))
  1239. renew_ticket = 1;
  1240. }
  1241. /*
  1242. * Attempt to process session ticket, first conduct sanity and integrity
  1243. * checks on ticket.
  1244. */
  1245. mlen = HMAC_size(hctx);
  1246. if (mlen == 0) {
  1247. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1248. goto end;
  1249. }
  1250. /* Sanity check ticket length: must exceed keyname + IV + HMAC */
  1251. if (eticklen <=
  1252. TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
  1253. ret = SSL_TICKET_NO_DECRYPT;
  1254. goto end;
  1255. }
  1256. eticklen -= mlen;
  1257. /* Check HMAC of encrypted ticket */
  1258. if (HMAC_Update(hctx, etick, eticklen) <= 0
  1259. || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
  1260. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1261. goto end;
  1262. }
  1263. if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
  1264. ret = SSL_TICKET_NO_DECRYPT;
  1265. goto end;
  1266. }
  1267. /* Attempt to decrypt session data */
  1268. /* Move p after IV to start of encrypted ticket, update length */
  1269. p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
  1270. eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
  1271. sdec = OPENSSL_malloc(eticklen);
  1272. if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
  1273. (int)eticklen) <= 0) {
  1274. OPENSSL_free(sdec);
  1275. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1276. goto end;
  1277. }
  1278. if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
  1279. OPENSSL_free(sdec);
  1280. ret = SSL_TICKET_NO_DECRYPT;
  1281. goto end;
  1282. }
  1283. slen += declen;
  1284. p = sdec;
  1285. sess = d2i_SSL_SESSION(NULL, &p, slen);
  1286. slen -= p - sdec;
  1287. OPENSSL_free(sdec);
  1288. if (sess) {
  1289. /* Some additional consistency checks */
  1290. if (slen != 0) {
  1291. SSL_SESSION_free(sess);
  1292. sess = NULL;
  1293. ret = SSL_TICKET_NO_DECRYPT;
  1294. goto end;
  1295. }
  1296. /*
  1297. * The session ID, if non-empty, is used by some clients to detect
  1298. * that the ticket has been accepted. So we copy it to the session
  1299. * structure. If it is empty set length to zero as required by
  1300. * standard.
  1301. */
  1302. if (sesslen) {
  1303. memcpy(sess->session_id, sess_id, sesslen);
  1304. sess->session_id_length = sesslen;
  1305. }
  1306. if (renew_ticket)
  1307. ret = SSL_TICKET_SUCCESS_RENEW;
  1308. else
  1309. ret = SSL_TICKET_SUCCESS;
  1310. goto end;
  1311. }
  1312. ERR_clear_error();
  1313. /*
  1314. * For session parse failure, indicate that we need to send a new ticket.
  1315. */
  1316. ret = SSL_TICKET_NO_DECRYPT;
  1317. end:
  1318. EVP_CIPHER_CTX_free(ctx);
  1319. HMAC_CTX_free(hctx);
  1320. /*
  1321. * If set, the decrypt_ticket_cb() is called unless a fatal error was
  1322. * detected above. The callback is responsible for checking |ret| before it
  1323. * performs any action
  1324. */
  1325. if (s->session_ctx->decrypt_ticket_cb != NULL
  1326. && (ret == SSL_TICKET_EMPTY
  1327. || ret == SSL_TICKET_NO_DECRYPT
  1328. || ret == SSL_TICKET_SUCCESS
  1329. || ret == SSL_TICKET_SUCCESS_RENEW)) {
  1330. size_t keyname_len = eticklen;
  1331. int retcb;
  1332. if (keyname_len > TLSEXT_KEYNAME_LENGTH)
  1333. keyname_len = TLSEXT_KEYNAME_LENGTH;
  1334. retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len,
  1335. ret,
  1336. s->session_ctx->ticket_cb_data);
  1337. switch (retcb) {
  1338. case SSL_TICKET_RETURN_ABORT:
  1339. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1340. break;
  1341. case SSL_TICKET_RETURN_IGNORE:
  1342. ret = SSL_TICKET_NONE;
  1343. SSL_SESSION_free(sess);
  1344. sess = NULL;
  1345. break;
  1346. case SSL_TICKET_RETURN_IGNORE_RENEW:
  1347. if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT)
  1348. ret = SSL_TICKET_NO_DECRYPT;
  1349. /* else the value of |ret| will already do the right thing */
  1350. SSL_SESSION_free(sess);
  1351. sess = NULL;
  1352. break;
  1353. case SSL_TICKET_RETURN_USE:
  1354. case SSL_TICKET_RETURN_USE_RENEW:
  1355. if (ret != SSL_TICKET_SUCCESS
  1356. && ret != SSL_TICKET_SUCCESS_RENEW)
  1357. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1358. else if (retcb == SSL_TICKET_RETURN_USE)
  1359. ret = SSL_TICKET_SUCCESS;
  1360. else
  1361. ret = SSL_TICKET_SUCCESS_RENEW;
  1362. break;
  1363. default:
  1364. ret = SSL_TICKET_FATAL_ERR_OTHER;
  1365. }
  1366. }
  1367. if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) {
  1368. switch (ret) {
  1369. case SSL_TICKET_NO_DECRYPT:
  1370. case SSL_TICKET_SUCCESS_RENEW:
  1371. case SSL_TICKET_EMPTY:
  1372. s->ext.ticket_expected = 1;
  1373. }
  1374. }
  1375. *psess = sess;
  1376. return ret;
  1377. }
  1378. /* Check to see if a signature algorithm is allowed */
  1379. static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
  1380. {
  1381. unsigned char sigalgstr[2];
  1382. int secbits;
  1383. /* See if sigalgs is recognised and if hash is enabled */
  1384. if (!tls1_lookup_md(lu, NULL))
  1385. return 0;
  1386. /* DSA is not allowed in TLS 1.3 */
  1387. if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
  1388. return 0;
  1389. /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
  1390. if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
  1391. && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
  1392. || lu->hash_idx == SSL_MD_MD5_IDX
  1393. || lu->hash_idx == SSL_MD_SHA224_IDX))
  1394. return 0;
  1395. /* See if public key algorithm allowed */
  1396. if (ssl_cert_is_disabled(lu->sig_idx))
  1397. return 0;
  1398. if (lu->hash == NID_undef)
  1399. return 1;
  1400. /* Security bits: half digest bits */
  1401. secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
  1402. /* Finally see if security callback allows it */
  1403. sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
  1404. sigalgstr[1] = lu->sigalg & 0xff;
  1405. return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
  1406. }
  1407. /*
  1408. * Get a mask of disabled public key algorithms based on supported signature
  1409. * algorithms. For example if no signature algorithm supports RSA then RSA is
  1410. * disabled.
  1411. */
  1412. void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
  1413. {
  1414. const uint16_t *sigalgs;
  1415. size_t i, sigalgslen;
  1416. uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
  1417. /*
  1418. * Go through all signature algorithms seeing if we support any
  1419. * in disabled_mask.
  1420. */
  1421. sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
  1422. for (i = 0; i < sigalgslen; i++, sigalgs++) {
  1423. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
  1424. const SSL_CERT_LOOKUP *clu;
  1425. if (lu == NULL)
  1426. continue;
  1427. clu = ssl_cert_lookup_by_idx(lu->sig_idx);
  1428. if (clu == NULL)
  1429. continue;
  1430. /* If algorithm is disabled see if we can enable it */
  1431. if ((clu->amask & disabled_mask) != 0
  1432. && tls12_sigalg_allowed(s, op, lu))
  1433. disabled_mask &= ~clu->amask;
  1434. }
  1435. *pmask_a |= disabled_mask;
  1436. }
  1437. int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
  1438. const uint16_t *psig, size_t psiglen)
  1439. {
  1440. size_t i;
  1441. int rv = 0;
  1442. for (i = 0; i < psiglen; i++, psig++) {
  1443. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);
  1444. if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
  1445. continue;
  1446. if (!WPACKET_put_bytes_u16(pkt, *psig))
  1447. return 0;
  1448. /*
  1449. * If TLS 1.3 must have at least one valid TLS 1.3 message
  1450. * signing algorithm: i.e. neither RSA nor SHA1/SHA224
  1451. */
  1452. if (rv == 0 && (!SSL_IS_TLS13(s)
  1453. || (lu->sig != EVP_PKEY_RSA
  1454. && lu->hash != NID_sha1
  1455. && lu->hash != NID_sha224)))
  1456. rv = 1;
  1457. }
  1458. if (rv == 0)
  1459. SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
  1460. return rv;
  1461. }
  1462. /* Given preference and allowed sigalgs set shared sigalgs */
  1463. static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
  1464. const uint16_t *pref, size_t preflen,
  1465. const uint16_t *allow, size_t allowlen)
  1466. {
  1467. const uint16_t *ptmp, *atmp;
  1468. size_t i, j, nmatch = 0;
  1469. for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
  1470. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);
  1471. /* Skip disabled hashes or signature algorithms */
  1472. if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
  1473. continue;
  1474. for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
  1475. if (*ptmp == *atmp) {
  1476. nmatch++;
  1477. if (shsig)
  1478. *shsig++ = lu;
  1479. break;
  1480. }
  1481. }
  1482. }
  1483. return nmatch;
  1484. }
  1485. /* Set shared signature algorithms for SSL structures */
  1486. static int tls1_set_shared_sigalgs(SSL *s)
  1487. {
  1488. const uint16_t *pref, *allow, *conf;
  1489. size_t preflen, allowlen, conflen;
  1490. size_t nmatch;
  1491. const SIGALG_LOOKUP **salgs = NULL;
  1492. CERT *c = s->cert;
  1493. unsigned int is_suiteb = tls1_suiteb(s);
  1494. OPENSSL_free(c->shared_sigalgs);
  1495. c->shared_sigalgs = NULL;
  1496. c->shared_sigalgslen = 0;
  1497. /* If client use client signature algorithms if not NULL */
  1498. if (!s->server && c->client_sigalgs && !is_suiteb) {
  1499. conf = c->client_sigalgs;
  1500. conflen = c->client_sigalgslen;
  1501. } else if (c->conf_sigalgs && !is_suiteb) {
  1502. conf = c->conf_sigalgs;
  1503. conflen = c->conf_sigalgslen;
  1504. } else
  1505. conflen = tls12_get_psigalgs(s, 0, &conf);
  1506. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
  1507. pref = conf;
  1508. preflen = conflen;
  1509. allow = s->s3->tmp.peer_sigalgs;
  1510. allowlen = s->s3->tmp.peer_sigalgslen;
  1511. } else {
  1512. allow = conf;
  1513. allowlen = conflen;
  1514. pref = s->s3->tmp.peer_sigalgs;
  1515. preflen = s->s3->tmp.peer_sigalgslen;
  1516. }
  1517. nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
  1518. if (nmatch) {
  1519. if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) {
  1520. SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE);
  1521. return 0;
  1522. }
  1523. nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
  1524. } else {
  1525. salgs = NULL;
  1526. }
  1527. c->shared_sigalgs = salgs;
  1528. c->shared_sigalgslen = nmatch;
  1529. return 1;
  1530. }
  1531. int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
  1532. {
  1533. unsigned int stmp;
  1534. size_t size, i;
  1535. uint16_t *buf;
  1536. size = PACKET_remaining(pkt);
  1537. /* Invalid data length */
  1538. if (size == 0 || (size & 1) != 0)
  1539. return 0;
  1540. size >>= 1;
  1541. if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) {
  1542. SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE);
  1543. return 0;
  1544. }
  1545. for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
  1546. buf[i] = stmp;
  1547. if (i != size) {
  1548. OPENSSL_free(buf);
  1549. return 0;
  1550. }
  1551. OPENSSL_free(*pdest);
  1552. *pdest = buf;
  1553. *pdestlen = size;
  1554. return 1;
  1555. }
  1556. int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert)
  1557. {
  1558. /* Extension ignored for inappropriate versions */
  1559. if (!SSL_USE_SIGALGS(s))
  1560. return 1;
  1561. /* Should never happen */
  1562. if (s->cert == NULL)
  1563. return 0;
  1564. if (cert)
  1565. return tls1_save_u16(pkt, &s->s3->tmp.peer_cert_sigalgs,
  1566. &s->s3->tmp.peer_cert_sigalgslen);
  1567. else
  1568. return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs,
  1569. &s->s3->tmp.peer_sigalgslen);
  1570. }
  1571. /* Set preferred digest for each key type */
  1572. int tls1_process_sigalgs(SSL *s)
  1573. {
  1574. size_t i;
  1575. uint32_t *pvalid = s->s3->tmp.valid_flags;
  1576. CERT *c = s->cert;
  1577. if (!tls1_set_shared_sigalgs(s))
  1578. return 0;
  1579. for (i = 0; i < SSL_PKEY_NUM; i++)
  1580. pvalid[i] = 0;
  1581. for (i = 0; i < c->shared_sigalgslen; i++) {
  1582. const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
  1583. int idx = sigptr->sig_idx;
  1584. /* Ignore PKCS1 based sig algs in TLSv1.3 */
  1585. if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
  1586. continue;
  1587. /* If not disabled indicate we can explicitly sign */
  1588. if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx))
  1589. pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
  1590. }
  1591. return 1;
  1592. }
  1593. int SSL_get_sigalgs(SSL *s, int idx,
  1594. int *psign, int *phash, int *psignhash,
  1595. unsigned char *rsig, unsigned char *rhash)
  1596. {
  1597. uint16_t *psig = s->s3->tmp.peer_sigalgs;
  1598. size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
  1599. if (psig == NULL || numsigalgs > INT_MAX)
  1600. return 0;
  1601. if (idx >= 0) {
  1602. const SIGALG_LOOKUP *lu;
  1603. if (idx >= (int)numsigalgs)
  1604. return 0;
  1605. psig += idx;
  1606. if (rhash != NULL)
  1607. *rhash = (unsigned char)((*psig >> 8) & 0xff);
  1608. if (rsig != NULL)
  1609. *rsig = (unsigned char)(*psig & 0xff);
  1610. lu = tls1_lookup_sigalg(*psig);
  1611. if (psign != NULL)
  1612. *psign = lu != NULL ? lu->sig : NID_undef;
  1613. if (phash != NULL)
  1614. *phash = lu != NULL ? lu->hash : NID_undef;
  1615. if (psignhash != NULL)
  1616. *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
  1617. }
  1618. return (int)numsigalgs;
  1619. }
  1620. int SSL_get_shared_sigalgs(SSL *s, int idx,
  1621. int *psign, int *phash, int *psignhash,
  1622. unsigned char *rsig, unsigned char *rhash)
  1623. {
  1624. const SIGALG_LOOKUP *shsigalgs;
  1625. if (s->cert->shared_sigalgs == NULL
  1626. || idx < 0
  1627. || idx >= (int)s->cert->shared_sigalgslen
  1628. || s->cert->shared_sigalgslen > INT_MAX)
  1629. return 0;
  1630. shsigalgs = s->cert->shared_sigalgs[idx];
  1631. if (phash != NULL)
  1632. *phash = shsigalgs->hash;
  1633. if (psign != NULL)
  1634. *psign = shsigalgs->sig;
  1635. if (psignhash != NULL)
  1636. *psignhash = shsigalgs->sigandhash;
  1637. if (rsig != NULL)
  1638. *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
  1639. if (rhash != NULL)
  1640. *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
  1641. return (int)s->cert->shared_sigalgslen;
  1642. }
  1643. /* Maximum possible number of unique entries in sigalgs array */
  1644. #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
  1645. typedef struct {
  1646. size_t sigalgcnt;
  1647. /* TLSEXT_SIGALG_XXX values */
  1648. uint16_t sigalgs[TLS_MAX_SIGALGCNT];
  1649. } sig_cb_st;
  1650. static void get_sigorhash(int *psig, int *phash, const char *str)
  1651. {
  1652. if (strcmp(str, "RSA") == 0) {
  1653. *psig = EVP_PKEY_RSA;
  1654. } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
  1655. *psig = EVP_PKEY_RSA_PSS;
  1656. } else if (strcmp(str, "DSA") == 0) {
  1657. *psig = EVP_PKEY_DSA;
  1658. } else if (strcmp(str, "ECDSA") == 0) {
  1659. *psig = EVP_PKEY_EC;
  1660. } else {
  1661. *phash = OBJ_sn2nid(str);
  1662. if (*phash == NID_undef)
  1663. *phash = OBJ_ln2nid(str);
  1664. }
  1665. }
  1666. /* Maximum length of a signature algorithm string component */
  1667. #define TLS_MAX_SIGSTRING_LEN 40
  1668. static int sig_cb(const char *elem, int len, void *arg)
  1669. {
  1670. sig_cb_st *sarg = arg;
  1671. size_t i;
  1672. const SIGALG_LOOKUP *s;
  1673. char etmp[TLS_MAX_SIGSTRING_LEN], *p;
  1674. int sig_alg = NID_undef, hash_alg = NID_undef;
  1675. if (elem == NULL)
  1676. return 0;
  1677. if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
  1678. return 0;
  1679. if (len > (int)(sizeof(etmp) - 1))
  1680. return 0;
  1681. memcpy(etmp, elem, len);
  1682. etmp[len] = 0;
  1683. p = strchr(etmp, '+');
  1684. /*
  1685. * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
  1686. * if there's no '+' in the provided name, look for the new-style combined
  1687. * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP.
  1688. * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
  1689. * rsa_pss_rsae_* that differ only by public key OID; in such cases
  1690. * we will pick the _rsae_ variant, by virtue of them appearing earlier
  1691. * in the table.
  1692. */
  1693. if (p == NULL) {
  1694. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  1695. i++, s++) {
  1696. if (s->name != NULL && strcmp(etmp, s->name) == 0) {
  1697. sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
  1698. break;
  1699. }
  1700. }
  1701. if (i == OSSL_NELEM(sigalg_lookup_tbl))
  1702. return 0;
  1703. } else {
  1704. *p = 0;
  1705. p++;
  1706. if (*p == 0)
  1707. return 0;
  1708. get_sigorhash(&sig_alg, &hash_alg, etmp);
  1709. get_sigorhash(&sig_alg, &hash_alg, p);
  1710. if (sig_alg == NID_undef || hash_alg == NID_undef)
  1711. return 0;
  1712. for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  1713. i++, s++) {
  1714. if (s->hash == hash_alg && s->sig == sig_alg) {
  1715. sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
  1716. break;
  1717. }
  1718. }
  1719. if (i == OSSL_NELEM(sigalg_lookup_tbl))
  1720. return 0;
  1721. }
  1722. /* Reject duplicates */
  1723. for (i = 0; i < sarg->sigalgcnt - 1; i++) {
  1724. if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
  1725. sarg->sigalgcnt--;
  1726. return 0;
  1727. }
  1728. }
  1729. return 1;
  1730. }
  1731. /*
  1732. * Set supported signature algorithms based on a colon separated list of the
  1733. * form sig+hash e.g. RSA+SHA512:DSA+SHA512
  1734. */
  1735. int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
  1736. {
  1737. sig_cb_st sig;
  1738. sig.sigalgcnt = 0;
  1739. if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
  1740. return 0;
  1741. if (c == NULL)
  1742. return 1;
  1743. return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
  1744. }
  1745. int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
  1746. int client)
  1747. {
  1748. uint16_t *sigalgs;
  1749. if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) {
  1750. SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE);
  1751. return 0;
  1752. }
  1753. memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));
  1754. if (client) {
  1755. OPENSSL_free(c->client_sigalgs);
  1756. c->client_sigalgs = sigalgs;
  1757. c->client_sigalgslen = salglen;
  1758. } else {
  1759. OPENSSL_free(c->conf_sigalgs);
  1760. c->conf_sigalgs = sigalgs;
  1761. c->conf_sigalgslen = salglen;
  1762. }
  1763. return 1;
  1764. }
  1765. int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
  1766. {
  1767. uint16_t *sigalgs, *sptr;
  1768. size_t i;
  1769. if (salglen & 1)
  1770. return 0;
  1771. if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) {
  1772. SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE);
  1773. return 0;
  1774. }
  1775. for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
  1776. size_t j;
  1777. const SIGALG_LOOKUP *curr;
  1778. int md_id = *psig_nids++;
  1779. int sig_id = *psig_nids++;
  1780. for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
  1781. j++, curr++) {
  1782. if (curr->hash == md_id && curr->sig == sig_id) {
  1783. *sptr++ = curr->sigalg;
  1784. break;
  1785. }
  1786. }
  1787. if (j == OSSL_NELEM(sigalg_lookup_tbl))
  1788. goto err;
  1789. }
  1790. if (client) {
  1791. OPENSSL_free(c->client_sigalgs);
  1792. c->client_sigalgs = sigalgs;
  1793. c->client_sigalgslen = salglen / 2;
  1794. } else {
  1795. OPENSSL_free(c->conf_sigalgs);
  1796. c->conf_sigalgs = sigalgs;
  1797. c->conf_sigalgslen = salglen / 2;
  1798. }
  1799. return 1;
  1800. err:
  1801. OPENSSL_free(sigalgs);
  1802. return 0;
  1803. }
  1804. static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
  1805. {
  1806. int sig_nid;
  1807. size_t i;
  1808. if (default_nid == -1)
  1809. return 1;
  1810. sig_nid = X509_get_signature_nid(x);
  1811. if (default_nid)
  1812. return sig_nid == default_nid ? 1 : 0;
  1813. for (i = 0; i < c->shared_sigalgslen; i++)
  1814. if (sig_nid == c->shared_sigalgs[i]->sigandhash)
  1815. return 1;
  1816. return 0;
  1817. }
  1818. /* Check to see if a certificate issuer name matches list of CA names */
  1819. static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
  1820. {
  1821. X509_NAME *nm;
  1822. int i;
  1823. nm = X509_get_issuer_name(x);
  1824. for (i = 0; i < sk_X509_NAME_num(names); i++) {
  1825. if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
  1826. return 1;
  1827. }
  1828. return 0;
  1829. }
  1830. /*
  1831. * Check certificate chain is consistent with TLS extensions and is usable by
  1832. * server. This servers two purposes: it allows users to check chains before
  1833. * passing them to the server and it allows the server to check chains before
  1834. * attempting to use them.
  1835. */
  1836. /* Flags which need to be set for a certificate when strict mode not set */
  1837. #define CERT_PKEY_VALID_FLAGS \
  1838. (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
  1839. /* Strict mode flags */
  1840. #define CERT_PKEY_STRICT_FLAGS \
  1841. (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
  1842. | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
  1843. int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
  1844. int idx)
  1845. {
  1846. int i;
  1847. int rv = 0;
  1848. int check_flags = 0, strict_mode;
  1849. CERT_PKEY *cpk = NULL;
  1850. CERT *c = s->cert;
  1851. uint32_t *pvalid;
  1852. unsigned int suiteb_flags = tls1_suiteb(s);
  1853. /* idx == -1 means checking server chains */
  1854. if (idx != -1) {
  1855. /* idx == -2 means checking client certificate chains */
  1856. if (idx == -2) {
  1857. cpk = c->key;
  1858. idx = (int)(cpk - c->pkeys);
  1859. } else
  1860. cpk = c->pkeys + idx;
  1861. pvalid = s->s3->tmp.valid_flags + idx;
  1862. x = cpk->x509;
  1863. pk = cpk->privatekey;
  1864. chain = cpk->chain;
  1865. strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
  1866. /* If no cert or key, forget it */
  1867. if (!x || !pk)
  1868. goto end;
  1869. } else {
  1870. size_t certidx;
  1871. if (!x || !pk)
  1872. return 0;
  1873. if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
  1874. return 0;
  1875. idx = certidx;
  1876. pvalid = s->s3->tmp.valid_flags + idx;
  1877. if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
  1878. check_flags = CERT_PKEY_STRICT_FLAGS;
  1879. else
  1880. check_flags = CERT_PKEY_VALID_FLAGS;
  1881. strict_mode = 1;
  1882. }
  1883. if (suiteb_flags) {
  1884. int ok;
  1885. if (check_flags)
  1886. check_flags |= CERT_PKEY_SUITEB;
  1887. ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
  1888. if (ok == X509_V_OK)
  1889. rv |= CERT_PKEY_SUITEB;
  1890. else if (!check_flags)
  1891. goto end;
  1892. }
  1893. /*
  1894. * Check all signature algorithms are consistent with signature
  1895. * algorithms extension if TLS 1.2 or later and strict mode.
  1896. */
  1897. if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
  1898. int default_nid;
  1899. int rsign = 0;
  1900. if (s->s3->tmp.peer_cert_sigalgs != NULL
  1901. || s->s3->tmp.peer_sigalgs != NULL) {
  1902. default_nid = 0;
  1903. /* If no sigalgs extension use defaults from RFC5246 */
  1904. } else {
  1905. switch (idx) {
  1906. case SSL_PKEY_RSA:
  1907. rsign = EVP_PKEY_RSA;
  1908. default_nid = NID_sha1WithRSAEncryption;
  1909. break;
  1910. case SSL_PKEY_DSA_SIGN:
  1911. rsign = EVP_PKEY_DSA;
  1912. default_nid = NID_dsaWithSHA1;
  1913. break;
  1914. case SSL_PKEY_ECC:
  1915. rsign = EVP_PKEY_EC;
  1916. default_nid = NID_ecdsa_with_SHA1;
  1917. break;
  1918. case SSL_PKEY_GOST01:
  1919. rsign = NID_id_GostR3410_2001;
  1920. default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
  1921. break;
  1922. case SSL_PKEY_GOST12_256:
  1923. rsign = NID_id_GostR3410_2012_256;
  1924. default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
  1925. break;
  1926. case SSL_PKEY_GOST12_512:
  1927. rsign = NID_id_GostR3410_2012_512;
  1928. default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
  1929. break;
  1930. default:
  1931. default_nid = -1;
  1932. break;
  1933. }
  1934. }
  1935. /*
  1936. * If peer sent no signature algorithms extension and we have set
  1937. * preferred signature algorithms check we support sha1.
  1938. */
  1939. if (default_nid > 0 && c->conf_sigalgs) {
  1940. size_t j;
  1941. const uint16_t *p = c->conf_sigalgs;
  1942. for (j = 0; j < c->conf_sigalgslen; j++, p++) {
  1943. const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);
  1944. if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
  1945. break;
  1946. }
  1947. if (j == c->conf_sigalgslen) {
  1948. if (check_flags)
  1949. goto skip_sigs;
  1950. else
  1951. goto end;
  1952. }
  1953. }
  1954. /* Check signature algorithm of each cert in chain */
  1955. if (!tls1_check_sig_alg(c, x, default_nid)) {
  1956. if (!check_flags)
  1957. goto end;
  1958. } else
  1959. rv |= CERT_PKEY_EE_SIGNATURE;
  1960. rv |= CERT_PKEY_CA_SIGNATURE;
  1961. for (i = 0; i < sk_X509_num(chain); i++) {
  1962. if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
  1963. if (check_flags) {
  1964. rv &= ~CERT_PKEY_CA_SIGNATURE;
  1965. break;
  1966. } else
  1967. goto end;
  1968. }
  1969. }
  1970. }
  1971. /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
  1972. else if (check_flags)
  1973. rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
  1974. skip_sigs:
  1975. /* Check cert parameters are consistent */
  1976. if (tls1_check_cert_param(s, x, 1))
  1977. rv |= CERT_PKEY_EE_PARAM;
  1978. else if (!check_flags)
  1979. goto end;
  1980. if (!s->server)
  1981. rv |= CERT_PKEY_CA_PARAM;
  1982. /* In strict mode check rest of chain too */
  1983. else if (strict_mode) {
  1984. rv |= CERT_PKEY_CA_PARAM;
  1985. for (i = 0; i < sk_X509_num(chain); i++) {
  1986. X509 *ca = sk_X509_value(chain, i);
  1987. if (!tls1_check_cert_param(s, ca, 0)) {
  1988. if (check_flags) {
  1989. rv &= ~CERT_PKEY_CA_PARAM;
  1990. break;
  1991. } else
  1992. goto end;
  1993. }
  1994. }
  1995. }
  1996. if (!s->server && strict_mode) {
  1997. STACK_OF(X509_NAME) *ca_dn;
  1998. int check_type = 0;
  1999. switch (EVP_PKEY_id(pk)) {
  2000. case EVP_PKEY_RSA:
  2001. check_type = TLS_CT_RSA_SIGN;
  2002. break;
  2003. case EVP_PKEY_DSA:
  2004. check_type = TLS_CT_DSS_SIGN;
  2005. break;
  2006. case EVP_PKEY_EC:
  2007. check_type = TLS_CT_ECDSA_SIGN;
  2008. break;
  2009. }
  2010. if (check_type) {
  2011. const uint8_t *ctypes = s->s3->tmp.ctype;
  2012. size_t j;
  2013. for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
  2014. if (*ctypes == check_type) {
  2015. rv |= CERT_PKEY_CERT_TYPE;
  2016. break;
  2017. }
  2018. }
  2019. if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
  2020. goto end;
  2021. } else {
  2022. rv |= CERT_PKEY_CERT_TYPE;
  2023. }
  2024. ca_dn = s->s3->tmp.peer_ca_names;
  2025. if (!sk_X509_NAME_num(ca_dn))
  2026. rv |= CERT_PKEY_ISSUER_NAME;
  2027. if (!(rv & CERT_PKEY_ISSUER_NAME)) {
  2028. if (ssl_check_ca_name(ca_dn, x))
  2029. rv |= CERT_PKEY_ISSUER_NAME;
  2030. }
  2031. if (!(rv & CERT_PKEY_ISSUER_NAME)) {
  2032. for (i = 0; i < sk_X509_num(chain); i++) {
  2033. X509 *xtmp = sk_X509_value(chain, i);
  2034. if (ssl_check_ca_name(ca_dn, xtmp)) {
  2035. rv |= CERT_PKEY_ISSUER_NAME;
  2036. break;
  2037. }
  2038. }
  2039. }
  2040. if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
  2041. goto end;
  2042. } else
  2043. rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
  2044. if (!check_flags || (rv & check_flags) == check_flags)
  2045. rv |= CERT_PKEY_VALID;
  2046. end:
  2047. if (TLS1_get_version(s) >= TLS1_2_VERSION)
  2048. rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
  2049. else
  2050. rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
  2051. /*
  2052. * When checking a CERT_PKEY structure all flags are irrelevant if the
  2053. * chain is invalid.
  2054. */
  2055. if (!check_flags) {
  2056. if (rv & CERT_PKEY_VALID) {
  2057. *pvalid = rv;
  2058. } else {
  2059. /* Preserve sign and explicit sign flag, clear rest */
  2060. *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
  2061. return 0;
  2062. }
  2063. }
  2064. return rv;
  2065. }
  2066. /* Set validity of certificates in an SSL structure */
  2067. void tls1_set_cert_validity(SSL *s)
  2068. {
  2069. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
  2070. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
  2071. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
  2072. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
  2073. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
  2074. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
  2075. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
  2076. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
  2077. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
  2078. }
  2079. /* User level utility function to check a chain is suitable */
  2080. int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  2081. {
  2082. return tls1_check_chain(s, x, pk, chain, -1);
  2083. }
  2084. #ifndef OPENSSL_NO_DH
  2085. DH *ssl_get_auto_dh(SSL *s)
  2086. {
  2087. int dh_secbits = 80;
  2088. if (s->cert->dh_tmp_auto == 2)
  2089. return DH_get_1024_160();
  2090. if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
  2091. if (s->s3->tmp.new_cipher->strength_bits == 256)
  2092. dh_secbits = 128;
  2093. else
  2094. dh_secbits = 80;
  2095. } else {
  2096. if (s->s3->tmp.cert == NULL)
  2097. return NULL;
  2098. dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
  2099. }
  2100. if (dh_secbits >= 128) {
  2101. DH *dhp = DH_new();
  2102. BIGNUM *p, *g;
  2103. if (dhp == NULL)
  2104. return NULL;
  2105. g = BN_new();
  2106. if (g != NULL)
  2107. BN_set_word(g, 2);
  2108. if (dh_secbits >= 192)
  2109. p = BN_get_rfc3526_prime_8192(NULL);
  2110. else
  2111. p = BN_get_rfc3526_prime_3072(NULL);
  2112. if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
  2113. DH_free(dhp);
  2114. BN_free(p);
  2115. BN_free(g);
  2116. return NULL;
  2117. }
  2118. return dhp;
  2119. }
  2120. if (dh_secbits >= 112)
  2121. return DH_get_2048_224();
  2122. return DH_get_1024_160();
  2123. }
  2124. #endif
  2125. static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  2126. {
  2127. int secbits = -1;
  2128. EVP_PKEY *pkey = X509_get0_pubkey(x);
  2129. if (pkey) {
  2130. /*
  2131. * If no parameters this will return -1 and fail using the default
  2132. * security callback for any non-zero security level. This will
  2133. * reject keys which omit parameters but this only affects DSA and
  2134. * omission of parameters is never (?) done in practice.
  2135. */
  2136. secbits = EVP_PKEY_security_bits(pkey);
  2137. }
  2138. if (s)
  2139. return ssl_security(s, op, secbits, 0, x);
  2140. else
  2141. return ssl_ctx_security(ctx, op, secbits, 0, x);
  2142. }
  2143. static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  2144. {
  2145. /* Lookup signature algorithm digest */
  2146. int secbits, nid, pknid;
  2147. /* Don't check signature if self signed */
  2148. if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
  2149. return 1;
  2150. if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
  2151. secbits = -1;
  2152. /* If digest NID not defined use signature NID */
  2153. if (nid == NID_undef)
  2154. nid = pknid;
  2155. if (s)
  2156. return ssl_security(s, op, secbits, nid, x);
  2157. else
  2158. return ssl_ctx_security(ctx, op, secbits, nid, x);
  2159. }
  2160. int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
  2161. {
  2162. if (vfy)
  2163. vfy = SSL_SECOP_PEER;
  2164. if (is_ee) {
  2165. if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
  2166. return SSL_R_EE_KEY_TOO_SMALL;
  2167. } else {
  2168. if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
  2169. return SSL_R_CA_KEY_TOO_SMALL;
  2170. }
  2171. if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
  2172. return SSL_R_CA_MD_TOO_WEAK;
  2173. return 1;
  2174. }
  2175. /*
  2176. * Check security of a chain, if |sk| includes the end entity certificate then
  2177. * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
  2178. * one to the peer. Return values: 1 if ok otherwise error code to use
  2179. */
  2180. int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
  2181. {
  2182. int rv, start_idx, i;
  2183. if (x == NULL) {
  2184. x = sk_X509_value(sk, 0);
  2185. start_idx = 1;
  2186. } else
  2187. start_idx = 0;
  2188. rv = ssl_security_cert(s, NULL, x, vfy, 1);
  2189. if (rv != 1)
  2190. return rv;
  2191. for (i = start_idx; i < sk_X509_num(sk); i++) {
  2192. x = sk_X509_value(sk, i);
  2193. rv = ssl_security_cert(s, NULL, x, vfy, 0);
  2194. if (rv != 1)
  2195. return rv;
  2196. }
  2197. return 1;
  2198. }
  2199. /*
  2200. * For TLS 1.2 servers check if we have a certificate which can be used
  2201. * with the signature algorithm "lu" and return index of certificate.
  2202. */
  2203. static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
  2204. {
  2205. int sig_idx = lu->sig_idx;
  2206. const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
  2207. /* If not recognised or not supported by cipher mask it is not suitable */
  2208. if (clu == NULL || !(clu->amask & s->s3->tmp.new_cipher->algorithm_auth))
  2209. return -1;
  2210. return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
  2211. }
  2212. /*
  2213. * Returns true if |s| has a usable certificate configured for use
  2214. * with signature scheme |sig|.
  2215. * "Usable" includes a check for presence as well as applying
  2216. * the signature_algorithm_cert restrictions sent by the peer (if any).
  2217. * Returns false if no usable certificate is found.
  2218. */
  2219. static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
  2220. {
  2221. const SIGALG_LOOKUP *lu;
  2222. int mdnid, pknid;
  2223. size_t i;
  2224. /* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */
  2225. if (idx == -1)
  2226. idx = sig->sig_idx;
  2227. if (!ssl_has_cert(s, idx))
  2228. return 0;
  2229. if (s->s3->tmp.peer_cert_sigalgs != NULL) {
  2230. for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
  2231. lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
  2232. if (lu == NULL
  2233. || !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid,
  2234. &pknid, NULL, NULL))
  2235. continue;
  2236. /*
  2237. * TODO this does not differentiate between the
  2238. * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
  2239. * have a chain here that lets us look at the key OID in the
  2240. * signing certificate.
  2241. */
  2242. if (mdnid == lu->hash && pknid == lu->sig)
  2243. return 1;
  2244. }
  2245. return 0;
  2246. }
  2247. return 1;
  2248. }
  2249. /*
  2250. * Choose an appropriate signature algorithm based on available certificates
  2251. * Sets chosen certificate and signature algorithm.
  2252. *
  2253. * For servers if we fail to find a required certificate it is a fatal error,
  2254. * an appropriate error code is set and a TLS alert is sent.
  2255. *
  2256. * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
  2257. * a fatal error: we will either try another certificate or not present one
  2258. * to the server. In this case no error is set.
  2259. */
  2260. int tls_choose_sigalg(SSL *s, int fatalerrs)
  2261. {
  2262. const SIGALG_LOOKUP *lu = NULL;
  2263. int sig_idx = -1;
  2264. s->s3->tmp.cert = NULL;
  2265. s->s3->tmp.sigalg = NULL;
  2266. if (SSL_IS_TLS13(s)) {
  2267. size_t i;
  2268. #ifndef OPENSSL_NO_EC
  2269. int curve = -1;
  2270. #endif
  2271. /* Look for a certificate matching shared sigalgs */
  2272. for (i = 0; i < s->cert->shared_sigalgslen; i++) {
  2273. lu = s->cert->shared_sigalgs[i];
  2274. sig_idx = -1;
  2275. /* Skip SHA1, SHA224, DSA and RSA if not PSS */
  2276. if (lu->hash == NID_sha1
  2277. || lu->hash == NID_sha224
  2278. || lu->sig == EVP_PKEY_DSA
  2279. || lu->sig == EVP_PKEY_RSA)
  2280. continue;
  2281. /* Check that we have a cert, and signature_algorithms_cert */
  2282. if (!tls1_lookup_md(lu, NULL) || !has_usable_cert(s, lu, -1))
  2283. continue;
  2284. if (lu->sig == EVP_PKEY_EC) {
  2285. #ifndef OPENSSL_NO_EC
  2286. if (curve == -1) {
  2287. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
  2288. curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  2289. }
  2290. if (lu->curve != NID_undef && curve != lu->curve)
  2291. continue;
  2292. #else
  2293. continue;
  2294. #endif
  2295. } else if (lu->sig == EVP_PKEY_RSA_PSS) {
  2296. /* validate that key is large enough for the signature algorithm */
  2297. EVP_PKEY *pkey;
  2298. pkey = s->cert->pkeys[lu->sig_idx].privatekey;
  2299. if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
  2300. continue;
  2301. }
  2302. break;
  2303. }
  2304. if (i == s->cert->shared_sigalgslen) {
  2305. if (!fatalerrs)
  2306. return 1;
  2307. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
  2308. SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
  2309. return 0;
  2310. }
  2311. } else {
  2312. /* If ciphersuite doesn't require a cert nothing to do */
  2313. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
  2314. return 1;
  2315. if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
  2316. return 1;
  2317. if (SSL_USE_SIGALGS(s)) {
  2318. size_t i;
  2319. if (s->s3->tmp.peer_sigalgs != NULL) {
  2320. #ifndef OPENSSL_NO_EC
  2321. int curve;
  2322. /* For Suite B need to match signature algorithm to curve */
  2323. if (tls1_suiteb(s)) {
  2324. EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
  2325. curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  2326. } else {
  2327. curve = -1;
  2328. }
  2329. #endif
  2330. /*
  2331. * Find highest preference signature algorithm matching
  2332. * cert type
  2333. */
  2334. for (i = 0; i < s->cert->shared_sigalgslen; i++) {
  2335. lu = s->cert->shared_sigalgs[i];
  2336. if (s->server) {
  2337. if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
  2338. continue;
  2339. } else {
  2340. int cc_idx = s->cert->key - s->cert->pkeys;
  2341. sig_idx = lu->sig_idx;
  2342. if (cc_idx != sig_idx)
  2343. continue;
  2344. }
  2345. /* Check that we have a cert, and sig_algs_cert */
  2346. if (!has_usable_cert(s, lu, sig_idx))
  2347. continue;
  2348. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2349. /* validate that key is large enough for the signature algorithm */
  2350. EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;
  2351. if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
  2352. continue;
  2353. }
  2354. #ifndef OPENSSL_NO_EC
  2355. if (curve == -1 || lu->curve == curve)
  2356. #endif
  2357. break;
  2358. }
  2359. if (i == s->cert->shared_sigalgslen) {
  2360. if (!fatalerrs)
  2361. return 1;
  2362. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2363. ERR_R_INTERNAL_ERROR);
  2364. return 0;
  2365. }
  2366. } else {
  2367. /*
  2368. * If we have no sigalg use defaults
  2369. */
  2370. const uint16_t *sent_sigs;
  2371. size_t sent_sigslen;
  2372. if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
  2373. if (!fatalerrs)
  2374. return 1;
  2375. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2376. ERR_R_INTERNAL_ERROR);
  2377. return 0;
  2378. }
  2379. /* Check signature matches a type we sent */
  2380. sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  2381. for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
  2382. if (lu->sigalg == *sent_sigs
  2383. && has_usable_cert(s, lu, lu->sig_idx))
  2384. break;
  2385. }
  2386. if (i == sent_sigslen) {
  2387. if (!fatalerrs)
  2388. return 1;
  2389. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  2390. SSL_F_TLS_CHOOSE_SIGALG,
  2391. SSL_R_WRONG_SIGNATURE_TYPE);
  2392. return 0;
  2393. }
  2394. }
  2395. } else {
  2396. if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
  2397. if (!fatalerrs)
  2398. return 1;
  2399. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
  2400. ERR_R_INTERNAL_ERROR);
  2401. return 0;
  2402. }
  2403. }
  2404. }
  2405. if (sig_idx == -1)
  2406. sig_idx = lu->sig_idx;
  2407. s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
  2408. s->cert->key = s->s3->tmp.cert;
  2409. s->s3->tmp.sigalg = lu;
  2410. return 1;
  2411. }
  2412. int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
  2413. {
  2414. if (mode != TLSEXT_max_fragment_length_DISABLED
  2415. && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
  2416. SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
  2417. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  2418. return 0;
  2419. }
  2420. ctx->ext.max_fragment_len_mode = mode;
  2421. return 1;
  2422. }
  2423. int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
  2424. {
  2425. if (mode != TLSEXT_max_fragment_length_DISABLED
  2426. && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
  2427. SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
  2428. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  2429. return 0;
  2430. }
  2431. ssl->ext.max_fragment_len_mode = mode;
  2432. return 1;
  2433. }
  2434. uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
  2435. {
  2436. return session->ext.max_fragment_len_mode;
  2437. }