t1_lib.c 77.2 KB
Newer Older
R
Rich Salz 已提交
1
/*
2
 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8
 */
9 10

#include <stdio.h>
E
Emilia Kasper 已提交
11
#include <stdlib.h>
12
#include <openssl/objects.h>
13 14
#include <openssl/evp.h>
#include <openssl/hmac.h>
15
#include <openssl/ocsp.h>
16 17
#include <openssl/conf.h>
#include <openssl/x509v3.h>
R
Rich Salz 已提交
18 19
#include <openssl/dh.h>
#include <openssl/bn.h>
20
#include "internal/nelem.h"
21
#include "ssl_locl.h"
R
Rich Salz 已提交
22
#include <openssl/ct.h>
23

24 25 26 27 28 29 30 31 32 33 34 35
SSL3_ENC_METHOD const TLSv1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    0,
M
Matt Caswell 已提交
36
    ssl3_set_handshake_header,
37
    tls_close_construct_packet,
38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV,
M
Matt Caswell 已提交
53
    ssl3_set_handshake_header,
54
    tls_close_construct_packet,
55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_2_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
        | SSL_ENC_FLAG_TLS1_2_CIPHERS,
M
Matt Caswell 已提交
71
    ssl3_set_handshake_header,
72
    tls_close_construct_packet,
73 74
    ssl3_handshake_write
};
75

76
SSL3_ENC_METHOD const TLSv1_3_enc_data = {
M
Matt Caswell 已提交
77
    tls13_enc,
78
    tls1_mac,
79 80 81 82
    tls13_setup_key_block,
    tls13_generate_master_secret,
    tls13_change_cipher_state,
    tls13_final_finish_mac,
83 84
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
85
    tls13_alert_code,
86
    tls13_export_keying_material,
M
Matt Caswell 已提交
87
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
88 89 90 91 92
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

93
long tls1_default_timeout(void)
94 95 96 97 98 99 100
{
    /*
     * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
     * http, the cache would over fill
     */
    return (60 * 60 * 2);
}
101

U
Ulf Möller 已提交
102
int tls1_new(SSL *s)
103 104
{
    if (!ssl3_new(s))
105 106 107 108 109
        return 0;
    if (!s->method->ssl_clear(s))
        return 0;

    return 1;
110
}
111

U
Ulf Möller 已提交
112
void tls1_free(SSL *s)
113
{
R
Rich Salz 已提交
114
    OPENSSL_free(s->ext.session_ticket);
115 116
    ssl3_free(s);
}
117

118
int tls1_clear(SSL *s)
119
{
120 121 122
    if (!ssl3_clear(s))
        return 0;

123 124 125 126
    if (s->method->version == TLS_ANY_VERSION)
        s->version = TLS_MAX_VERSION;
    else
        s->version = s->method->version;
127 128

    return 1;
129
}
130

131
#ifndef OPENSSL_NO_EC
132

133 134
/*
 * Table of curve information.
R
Rich Salz 已提交
135
 * Do not delete entries or reorder this array! It is used as a lookup
136 137
 * table: the index of each entry is one less than the TLS curve id.
 */
138
static const TLS_GROUP_INFO nid_list[] = {
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166
    {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
    {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
    {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
    {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
    {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
    {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
    {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
    {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
    {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
    {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
    {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
    {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
    {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
    {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
    {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
    {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
    {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
    {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
    {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
    {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
    {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
    {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
    {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
    {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
    {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
    {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
    {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
    {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
167
    {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
168 169 170 171 172 173 174 175
};

static const unsigned char ecformats_default[] = {
    TLSEXT_ECPOINTFORMAT_uncompressed,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
};

176
/* The default curves */
D
Dr. Stephen Henson 已提交
177 178 179 180 181
static const uint16_t eccurves_default[] = {
    29,                      /* X25519 (29) */
    23,                      /* secp256r1 (23) */
    25,                      /* secp521r1 (25) */
    24,                      /* secp384r1 (24) */
182 183
};

D
Dr. Stephen Henson 已提交
184 185 186
static const uint16_t suiteb_curves[] = {
    TLSEXT_curve_P_256,
    TLSEXT_curve_P_384
187
};
188

189
const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
190 191
{
    /* ECC curves from RFC 4492 and RFC 7027 */
192
    if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
193
        return NULL;
194
    return &nid_list[group_id - 1];
195
}
196

197
static uint16_t tls1_nid2group_id(int nid)
198
{
199 200 201
    size_t i;
    for (i = 0; i < OSSL_NELEM(nid_list); i++) {
        if (nid_list[i].nid == nid)
202
            return (uint16_t)(i + 1);
203
    }
204
    return 0;
205 206
}

207
/*
208 209
 * Set *pgroups to the supported groups list and *pgroupslen to
 * the number of groups supported.
210
 */
211 212
void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
                               size_t *pgroupslen)
213
{
214

D
Dr. Stephen Henson 已提交
215 216 217
    /* For Suite B mode only include P-256, P-384 */
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
218 219
        *pgroups = suiteb_curves;
        *pgroupslen = OSSL_NELEM(suiteb_curves);
D
Dr. Stephen Henson 已提交
220 221 222
        break;

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
223 224
        *pgroups = suiteb_curves;
        *pgroupslen = 1;
D
Dr. Stephen Henson 已提交
225 226 227
        break;

    case SSL_CERT_FLAG_SUITEB_192_LOS:
228 229
        *pgroups = suiteb_curves + 1;
        *pgroupslen = 1;
D
Dr. Stephen Henson 已提交
230 231 232 233
        break;

    default:
        if (s->ext.supportedgroups == NULL) {
234 235
            *pgroups = eccurves_default;
            *pgroupslen = OSSL_NELEM(eccurves_default);
D
Dr. Stephen Henson 已提交
236
        } else {
237 238
            *pgroups = s->ext.supportedgroups;
            *pgroupslen = s->ext.supportedgroups_len;
239
        }
D
Dr. Stephen Henson 已提交
240
        break;
241 242
    }
}
D
Dr. Stephen Henson 已提交
243 244

/* See if curve is allowed by security callback */
D
Dr. Stephen Henson 已提交
245
int tls_curve_allowed(SSL *s, uint16_t curve, int op)
246
{
247
    const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
D
Dr. Stephen Henson 已提交
248
    unsigned char ctmp[2];
249 250

    if (cinfo == NULL)
251 252 253 254 255
        return 0;
# ifdef OPENSSL_NO_EC2M
    if (cinfo->flags & TLS_CURVE_CHAR2)
        return 0;
# endif
D
Dr. Stephen Henson 已提交
256 257 258
    ctmp[0] = curve >> 8;
    ctmp[1] = curve & 0xff;
    return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
259
}
D
Dr. Stephen Henson 已提交
260

261 262 263 264 265 266 267 268 269 270
/* Return 1 if "id" is in "list" */
static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
{
    size_t i;
    for (i = 0; i < listlen; i++)
        if (list[i] == id)
            return 1;
    return 0;
}

271
/*-
272
 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
273 274
 * if there is no match.
 * For nmatch == -1, return number of matches
275
 * For nmatch == -2, return the id of the group to use for
276
 * a tmp key, or 0 if there is no match.
277
 */
278
uint16_t tls1_shared_group(SSL *s, int nmatch)
279
{
D
Dr. Stephen Henson 已提交
280
    const uint16_t *pref, *supp;
281
    size_t num_pref, num_supp, i;
282
    int k;
283

284 285
    /* Can't do anything on client side */
    if (s->server == 0)
286
        return 0;
287 288 289 290 291 292 293
    if (nmatch == -2) {
        if (tls1_suiteb(s)) {
            /*
             * For Suite B ciphersuite determines curve: we already know
             * these are acceptable due to previous checks.
             */
            unsigned long cid = s->s3->tmp.new_cipher->id;
294

295
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
296
                return TLSEXT_curve_P_256;
297
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
298
                return TLSEXT_curve_P_384;
299
            /* Should never happen */
300
            return 0;
301 302 303 304 305
        }
        /* If not Suite B just return first preference shared curve */
        nmatch = 0;
    }
    /*
306 307
     * If server preference set, our groups are the preference order
     * otherwise peer decides.
308
     */
309 310 311 312 313 314 315
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
        tls1_get_supported_groups(s, &pref, &num_pref);
        tls1_get_peer_groups(s, &supp, &num_supp);
    } else {
        tls1_get_peer_groups(s, &pref, &num_pref);
        tls1_get_supported_groups(s, &supp, &num_supp);
    }
316

D
Dr. Stephen Henson 已提交
317 318
    for (k = 0, i = 0; i < num_pref; i++) {
        uint16_t id = pref[i];
319

320 321
        if (!tls1_in_list(id, supp, num_supp)
            || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
322
                    continue;
323 324 325
        if (nmatch == k)
            return id;
         k++;
326 327 328 329
    }
    if (nmatch == -1)
        return k;
    /* Out of range (nmatch > k). */
330
    return 0;
331
}
332

D
Dr. Stephen Henson 已提交
333
int tls1_set_groups(uint16_t **pext, size_t *pextlen,
334
                    int *groups, size_t ngroups)
335
{
D
Dr. Stephen Henson 已提交
336
    uint16_t *glist;
337 338
    size_t i;
    /*
339
     * Bitmap of groups included to detect duplicates: only works while group
340 341 342
     * ids < 32
     */
    unsigned long dup_list = 0;
D
Dr. Stephen Henson 已提交
343
    glist = OPENSSL_malloc(ngroups * sizeof(*glist));
344
    if (glist == NULL)
345
        return 0;
D
Dr. Stephen Henson 已提交
346
    for (i = 0; i < ngroups; i++) {
347
        unsigned long idmask;
D
Dr. Stephen Henson 已提交
348
        uint16_t id;
349
        /* TODO(TLS1.3): Convert for DH groups */
350
        id = tls1_nid2group_id(groups[i]);
351 352
        idmask = 1L << id;
        if (!id || (dup_list & idmask)) {
353
            OPENSSL_free(glist);
354 355 356
            return 0;
        }
        dup_list |= idmask;
D
Dr. Stephen Henson 已提交
357
        glist[i] = id;
358
    }
R
Rich Salz 已提交
359
    OPENSSL_free(*pext);
360
    *pext = glist;
D
Dr. Stephen Henson 已提交
361
    *pextlen = ngroups;
362 363 364 365 366 367 368 369 370
    return 1;
}

# define MAX_CURVELIST   28

typedef struct {
    size_t nidcnt;
    int nid_arr[MAX_CURVELIST];
} nid_cb_st;
371 372

static int nid_cb(const char *elem, int len, void *arg)
373 374 375 376 377
{
    nid_cb_st *narg = arg;
    size_t i;
    int nid;
    char etmp[20];
378 379
    if (elem == NULL)
        return 0;
380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399
    if (narg->nidcnt == MAX_CURVELIST)
        return 0;
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    nid = EC_curve_nist2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_sn2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_ln2nid(etmp);
    if (nid == NID_undef)
        return 0;
    for (i = 0; i < narg->nidcnt; i++)
        if (narg->nid_arr[i] == nid)
            return 0;
    narg->nid_arr[narg->nidcnt++] = nid;
    return 1;
}

400
/* Set groups based on a colon separate list */
D
Dr. Stephen Henson 已提交
401
int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
402 403 404 405 406 407 408
{
    nid_cb_st ncb;
    ncb.nidcnt = 0;
    if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
        return 0;
    if (pext == NULL)
        return 1;
409
    return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
410
}
411 412
/* Return group id of a key */
static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
413
{
414
    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
415
    const EC_GROUP *grp;
416 417

    if (ec == NULL)
418 419
        return 0;
    grp = EC_KEY_get0_group(ec);
420
    return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
421 422
}

423 424
/* Check a key is compatible with compression extension */
static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
425
{
426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447
    const EC_KEY *ec;
    const EC_GROUP *grp;
    unsigned char comp_id;
    size_t i;

    /* If not an EC key nothing to check */
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
        return 1;
    ec = EVP_PKEY_get0_EC_KEY(pkey);
    grp = EC_KEY_get0_group(ec);

    /* Get required compression id */
    if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
            comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
    } else if (SSL_IS_TLS13(s)) {
            /* Compression not allowed in TLS 1.3 */
            return 0;
    } else {
        int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));

        if (field_type == NID_X9_62_prime_field)
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
K
KaoruToda 已提交
448
        else if (field_type == NID_X9_62_characteristic_two_field)
449 450 451 452
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
        else
            return 0;
    }
453 454 455 456
    /*
     * If point formats extension present check it, otherwise everything is
     * supported (see RFC4492).
     */
457
    if (s->session->ext.ecpointformats == NULL)
458
        return 1;
459 460 461 462 463 464 465

    for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
        if (s->session->ext.ecpointformats[i] == comp_id)
            return 1;
    }
    return 0;
}
466

467
/* Check a group id matches preferences */
468
int tls1_check_group_id(SSL *s, uint16_t group_id)
469 470
    {
    const uint16_t *groups;
471
    size_t groups_len;
472 473 474 475

    if (group_id == 0)
        return 0;

476 477 478 479 480 481 482 483 484 485 486 487 488 489 490
    /* Check for Suite B compliance */
    if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
        unsigned long cid = s->s3->tmp.new_cipher->id;

        if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
            if (group_id != TLSEXT_curve_P_256)
                return 0;
        } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
            if (group_id != TLSEXT_curve_P_384)
                return 0;
        } else {
            /* Should never happen */
            return 0;
        }
    }
491

492
    /* Check group is one of our preferences */
493
    tls1_get_supported_groups(s, &groups, &groups_len);
494
    if (!tls1_in_list(group_id, groups, groups_len))
495 496
        return 0;

497 498 499
    if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
        return 0;

500 501 502 503 504
    /* For clients, nothing more to check */
    if (!s->server)
        return 1;

    /* Check group is one of peers preferences */
505
    tls1_get_peer_groups(s, &groups, &groups_len);
506 507 508 509 510 511 512 513 514

    /*
     * RFC 4492 does not require the supported elliptic curves extension
     * so if it is not sent we can just choose any curve.
     * It is invalid to send an empty list in the supported groups
     * extension, so groups_len == 0 always means no extension.
     */
    if (groups_len == 0)
            return 1;
515
    return tls1_in_list(group_id, groups, groups_len);
516
}
517

518 519
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
                         size_t *num_formats)
520 521 522 523
{
    /*
     * If we have a custom point format list use it otherwise use default
     */
R
Rich Salz 已提交
524 525 526
    if (s->ext.ecpointformats) {
        *pformats = s->ext.ecpointformats;
        *num_formats = s->ext.ecpointformats_len;
527 528 529 530 531 532 533 534 535 536 537 538 539
    } else {
        *pformats = ecformats_default;
        /* For Suite B we don't support char2 fields */
        if (tls1_suiteb(s))
            *num_formats = sizeof(ecformats_default) - 1;
        else
            *num_formats = sizeof(ecformats_default);
    }
}

/*
 * Check cert parameters compatible with extensions: currently just checks EC
 * certificates have compatible curves and compression.
540
 */
541
static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
542
{
543
    uint16_t group_id;
544
    EVP_PKEY *pkey;
545
    pkey = X509_get0_pubkey(x);
546
    if (pkey == NULL)
547 548
        return 0;
    /* If not EC nothing to do */
D
Dr. Stephen Henson 已提交
549
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
550
        return 1;
551 552
    /* Check compression */
    if (!tls1_check_pkey_comp(s, pkey))
553
        return 0;
554 555
    group_id = tls1_get_group_id(pkey);
    if (!tls1_check_group_id(s, group_id))
556 557 558
        return 0;
    /*
     * Special case for suite B. We *MUST* sign using SHA256+P-256 or
559
     * SHA384+P-384.
560
     */
561
    if (check_ee_md && tls1_suiteb(s)) {
562 563 564
        int check_md;
        size_t i;
        CERT *c = s->cert;
D
Dr. Stephen Henson 已提交
565

566
        /* Check to see we have necessary signing algorithm */
567
        if (group_id == TLSEXT_curve_P_256)
568
            check_md = NID_ecdsa_with_SHA256;
569
        else if (group_id == TLSEXT_curve_P_384)
570 571 572
            check_md = NID_ecdsa_with_SHA384;
        else
            return 0;           /* Should never happen */
573
        for (i = 0; i < c->shared_sigalgslen; i++) {
574
            if (check_md == c->shared_sigalgs[i]->sigandhash)
575 576 577
                return 1;;
        }
        return 0;
578
    }
579
    return 1;
580 581
}

582
/*
F
FdaSilvaYY 已提交
583
 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
584 585 586 587 588 589 590 591
 * @s: SSL connection
 * @cid: Cipher ID we're considering using
 *
 * Checks that the kECDHE cipher suite we're considering using
 * is compatible with the client extensions.
 *
 * Returns 0 when the cipher can't be used or 1 when it can.
 */
592
int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
593
{
594 595 596
    /* If not Suite B just need a shared group */
    if (!tls1_suiteb(s))
        return tls1_shared_group(s, 0) != 0;
597 598 599 600
    /*
     * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
     * curves permitted.
     */
601 602 603 604 605 606
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
        return tls1_check_group_id(s, TLSEXT_curve_P_256);
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
        return tls1_check_group_id(s, TLSEXT_curve_P_384);

    return 0;
607
}
608

609 610 611
#else

static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
612 613 614
{
    return 1;
}
615

616
#endif                          /* OPENSSL_NO_EC */
617

618
/* Default sigalg schemes */
619
static const uint16_t tls12_sigalgs[] = {
620 621 622 623
#ifndef OPENSSL_NO_EC
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
624
    TLSEXT_SIGALG_ed25519,
625
#endif
626

627 628 629 630
    TLSEXT_SIGALG_rsa_pss_sha256,
    TLSEXT_SIGALG_rsa_pss_sha384,
    TLSEXT_SIGALG_rsa_pss_sha512,

631 632 633
    TLSEXT_SIGALG_rsa_pkcs1_sha256,
    TLSEXT_SIGALG_rsa_pkcs1_sha384,
    TLSEXT_SIGALG_rsa_pkcs1_sha512,
634

635
#ifndef OPENSSL_NO_EC
636
    TLSEXT_SIGALG_ecdsa_sha224,
M
Matt Caswell 已提交
637
    TLSEXT_SIGALG_ecdsa_sha1,
638
#endif
639
    TLSEXT_SIGALG_rsa_pkcs1_sha224,
M
Matt Caswell 已提交
640
    TLSEXT_SIGALG_rsa_pkcs1_sha1,
641
#ifndef OPENSSL_NO_DSA
642
    TLSEXT_SIGALG_dsa_sha224,
M
Matt Caswell 已提交
643 644
    TLSEXT_SIGALG_dsa_sha1,

645 646 647
    TLSEXT_SIGALG_dsa_sha256,
    TLSEXT_SIGALG_dsa_sha384,
    TLSEXT_SIGALG_dsa_sha512
648
#endif
649
};
650

651
#ifndef OPENSSL_NO_EC
652
static const uint16_t suiteb_sigalgs[] = {
653 654
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384
655
};
656
#endif
R
Rich Salz 已提交
657

658
static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
659
#ifndef OPENSSL_NO_EC
660
    {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
661 662
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
663
    {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
664 665
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA384, NID_secp384r1},
666
    {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
667 668
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA512, NID_secp521r1},
669
    {"ed25519", TLSEXT_SIGALG_ed25519,
670
     NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
671
     NID_undef, NID_undef},
672 673 674
    {NULL, TLSEXT_SIGALG_ecdsa_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA224, NID_undef},
675
    {NULL, TLSEXT_SIGALG_ecdsa_sha1,
676 677
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA1, NID_undef},
678
#endif
679
    {"rsa_pss_sha256", TLSEXT_SIGALG_rsa_pss_sha256,
680 681
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
682
    {"rsa_pss_sha384", TLSEXT_SIGALG_rsa_pss_sha384,
683 684
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
685
    {"rsa_pss_sha512", TLSEXT_SIGALG_rsa_pss_sha512,
686 687
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
688
    {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
689
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
690
     NID_sha256WithRSAEncryption, NID_undef},
691
    {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
692
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
693
     NID_sha384WithRSAEncryption, NID_undef},
694
    {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
695
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
696
     NID_sha512WithRSAEncryption, NID_undef},
697 698 699
    {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha224WithRSAEncryption, NID_undef},
700
    {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
701
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
702
     NID_sha1WithRSAEncryption, NID_undef},
703
#ifndef OPENSSL_NO_DSA
704
    {NULL, TLSEXT_SIGALG_dsa_sha256,
705 706
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_dsa_with_SHA256, NID_undef},
707
    {NULL, TLSEXT_SIGALG_dsa_sha384,
708 709
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
710
    {NULL, TLSEXT_SIGALG_dsa_sha512,
711 712
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
713 714 715
    {NULL, TLSEXT_SIGALG_dsa_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
716
    {NULL, TLSEXT_SIGALG_dsa_sha1,
717 718
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_dsaWithSHA1, NID_undef},
719 720
#endif
#ifndef OPENSSL_NO_GOST
721
    {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
722 723 724
     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
     NID_undef, NID_undef},
725
    {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
726 727 728
     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
     NID_undef, NID_undef},
729
    {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
730 731 732
     NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
     NID_id_GostR3410_2001, SSL_PKEY_GOST01,
     NID_undef, NID_undef}
733
#endif
734
};
735 736 737 738 739 740 741 742 743 744 745 746 747 748
/* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
static const SIGALG_LOOKUP legacy_rsa_sigalg = {
    "rsa_pkcs1_md5_sha1", 0,
     NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
     EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_undef, NID_undef
};

/*
 * Default signature algorithm values used if signature algorithms not present.
 * From RFC5246. Note: order must match certificate index order.
 */
static const uint16_t tls_default_sigalg[] = {
    TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
749
    0, /* SSL_PKEY_RSA_PSS_SIGN */
750 751 752 753
    TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
    TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
    TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
D
Dr. Stephen Henson 已提交
754 755
    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
    0 /* SSL_PKEY_ED25519 */
756
};
757

758 759
/* Lookup TLS signature algorithm */
static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
760 761
{
    size_t i;
762
    const SIGALG_LOOKUP *s;
763

764 765 766 767
    for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
         i++, s++) {
        if (s->sigalg == sigalg)
            return s;
768
    }
769 770
    return NULL;
}
771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789
/* Lookup hash: return 0 if invalid or not enabled */
int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
{
    const EVP_MD *md;
    if (lu == NULL)
        return 0;
    /* lu->hash == NID_undef means no associated digest */
    if (lu->hash == NID_undef) {
        md = NULL;
    } else {
        md = ssl_md(lu->hash_idx);
        if (md == NULL)
            return 0;
    }
    if (pmd)
        *pmd = md;
    return 1;
}

790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810
/*
 * Check if key is large enough to generate RSA-PSS signature.
 *
 * The key must greater than or equal to 2 * hash length + 2.
 * SHA512 has a hash length of 64 bytes, which is incompatible
 * with a 128 byte (1024 bit) key.
 */
#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
{
    const EVP_MD *md;

    if (rsa == NULL)
        return 0;
    if (!tls1_lookup_md(lu, &md) || md == NULL)
        return 0;
    if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md))
        return 0;
    return 1;
}

811 812 813 814 815 816
/*
 * Return a signature algorithm for TLS < 1.2 where the signature type
 * is fixed by the certificate type.
 */
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
{
817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833
    if (idx == -1) {
        if (s->server) {
            size_t i;

            /* Work out index corresponding to ciphersuite */
            for (i = 0; i < SSL_PKEY_NUM; i++) {
                const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);

                if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
                    idx = i;
                    break;
                }
            }
        } else {
            idx = s->cert->key - s->cert->pkeys;
        }
    }
834 835 836 837 838
    if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
        return NULL;
    if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);

839
        if (!tls1_lookup_md(lu, NULL))
840 841 842 843 844 845 846 847
            return NULL;
        return lu;
    }
    return &legacy_rsa_sigalg;
}
/* Set peer sigalg based key type */
int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
{
848 849
    size_t idx;
    const SIGALG_LOOKUP *lu;
850

851 852 853
    if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
        return 0;
    lu = tls1_get_legacy_sigalg(s, idx);
854 855 856 857 858
    if (lu == NULL)
        return 0;
    s->s3->tmp.peer_sigalg = lu;
    return 1;
}
859

860
size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
861 862 863 864 865
{
    /*
     * If Suite B mode use Suite B sigalgs only, ignore any other
     * preferences.
     */
866
#ifndef OPENSSL_NO_EC
867 868 869
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        *psigs = suiteb_sigalgs;
870
        return OSSL_NELEM(suiteb_sigalgs);
871 872 873

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        *psigs = suiteb_sigalgs;
874
        return 1;
875 876

    case SSL_CERT_FLAG_SUITEB_192_LOS:
877 878
        *psigs = suiteb_sigalgs + 1;
        return 1;
879
    }
880
#endif
881 882 883 884 885 886
    /*
     *  We use client_sigalgs (if not NULL) if we're a server
     *  and sending a certificate request or if we're a client and
     *  determining which shared algorithm to use.
     */
    if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
887 888 889 890 891 892 893
        *psigs = s->cert->client_sigalgs;
        return s->cert->client_sigalgslen;
    } else if (s->cert->conf_sigalgs) {
        *psigs = s->cert->conf_sigalgs;
        return s->cert->conf_sigalgslen;
    } else {
        *psigs = tls12_sigalgs;
894
        return OSSL_NELEM(tls12_sigalgs);
895 896 897 898 899
    }
}

/*
 * Check signature algorithm is consistent with sent supported signature
D
Dr. Stephen Henson 已提交
900 901
 * algorithms and if so set relevant digest and signature scheme in
 * s.
902
 */
903
int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
904
{
905
    const uint16_t *sent_sigs;
D
Dr. Stephen Henson 已提交
906
    const EVP_MD *md = NULL;
907
    char sigalgstr[2];
908
    size_t sent_sigslen, i;
909
    int pkeyid = EVP_PKEY_id(pkey);
910
    const SIGALG_LOOKUP *lu;
911

912
    /* Should never happen */
913
    if (pkeyid == -1)
914
        return -1;
915 916 917
    if (SSL_IS_TLS13(s)) {
        /* Disallow DSA for TLS 1.3 */
        if (pkeyid == EVP_PKEY_DSA) {
918 919
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
                     SSL_R_WRONG_SIGNATURE_TYPE);
920 921 922 923 924 925
            return 0;
        }
        /* Only allow PSS for TLS 1.3 */
        if (pkeyid == EVP_PKEY_RSA)
            pkeyid = EVP_PKEY_RSA_PSS;
    }
926 927
    lu = tls1_lookup_sigalg(sig);
    /*
928 929
     * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
     * is consistent with signature: RSA keys can be used for RSA-PSS
930
     */
931 932
    if (lu == NULL
        || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
933
        || (pkeyid != lu->sig
934
        && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
935 936
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
937 938
        return 0;
    }
939
#ifndef OPENSSL_NO_EC
940
    if (pkeyid == EVP_PKEY_EC) {
D
Dr. Stephen Henson 已提交
941

942 943
        /* Check point compression is permitted */
        if (!tls1_check_pkey_comp(s, pkey)) {
944 945 946
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS12_CHECK_PEER_SIGALG,
                     SSL_R_ILLEGAL_POINT_COMPRESSION);
947 948 949 950 951 952 953 954
            return 0;
        }

        /* For TLS 1.3 or Suite B check curve matches signature algorithm */
        if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
            EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
            int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));

955
            if (lu->curve != NID_undef && curve != lu->curve) {
956 957
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                         SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
958 959
                return 0;
            }
960 961 962 963
        }
        if (!SSL_IS_TLS13(s)) {
            /* Check curve matches extensions */
            if (!tls1_check_group_id(s, tls1_get_group_id(pkey))) {
964 965
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                         SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
966 967 968
                return 0;
            }
            if (tls1_suiteb(s)) {
D
Dr. Stephen Henson 已提交
969 970 971
                /* Check sigalg matches a permissible Suite B value */
                if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
                    && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
972 973 974
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS12_CHECK_PEER_SIGALG,
                             SSL_R_WRONG_SIGNATURE_TYPE);
975
                    return 0;
D
Dr. Stephen Henson 已提交
976
                }
977
            }
978
        }
979
    } else if (tls1_suiteb(s)) {
980 981
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
982
        return 0;
983
    }
984
#endif
985 986

    /* Check signature matches a type we sent */
987
    sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
988
    for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
989
        if (sig == *sent_sigs)
990 991 992
            break;
    }
    /* Allow fallback to SHA1 if not strict mode */
993 994
    if (i == sent_sigslen && (lu->hash != NID_sha1
        || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
995 996
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_WRONG_SIGNATURE_TYPE);
997 998
        return 0;
    }
999
    if (!tls1_lookup_md(lu, &md)) {
1000 1001 1002
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                 SSL_R_UNKNOWN_DIGEST);
        return 0;
1003
    }
1004 1005 1006 1007 1008 1009 1010 1011 1012 1013
    if (md != NULL) {
        /*
         * Make sure security callback allows algorithm. For historical
         * reasons we have to pass the sigalg as a two byte char array.
         */
        sigalgstr[0] = (sig >> 8) & 0xff;
        sigalgstr[1] = sig & 0xff;
        if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
                    EVP_MD_size(md) * 4, EVP_MD_type(md),
                    (void *)sigalgstr)) {
1014 1015
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                     SSL_R_WRONG_SIGNATURE_TYPE);
1016 1017
            return 0;
        }
1018
    }
1019
    /* Store the sigalg the peer uses */
1020
    s->s3->tmp.peer_sigalg = lu;
1021 1022
    return 1;
}
1023

1024 1025
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
{
1026
    if (s->s3->tmp.peer_sigalg == NULL)
1027
        return 0;
1028
    *pnid = s->s3->tmp.peer_sigalg->sig;
1029 1030 1031
    return 1;
}

1032
/*
1033 1034 1035 1036 1037 1038 1039 1040
 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
 * supported, doesn't appear in supported signature algorithms, isn't supported
 * by the enabled protocol versions or by the security level.
 *
 * This function should only be used for checking which ciphers are supported
 * by the client.
 *
 * Call ssl_cipher_disabled() to check that it's enabled or not.
1041 1042
 */
void ssl_set_client_disabled(SSL *s)
1043
{
1044 1045 1046
    s->s3->tmp.mask_a = 0;
    s->s3->tmp.mask_k = 0;
    ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
1047
    ssl_get_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
E
Emilia Kasper 已提交
1048
#ifndef OPENSSL_NO_PSK
1049 1050
    /* with PSK there must be client callback set */
    if (!s->psk_client_callback) {
1051
        s->s3->tmp.mask_a |= SSL_aPSK;
1052
        s->s3->tmp.mask_k |= SSL_PSK;
1053
    }
E
Emilia Kasper 已提交
1054
#endif                          /* OPENSSL_NO_PSK */
1055
#ifndef OPENSSL_NO_SRP
1056
    if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1057 1058
        s->s3->tmp.mask_a |= SSL_aSRP;
        s->s3->tmp.mask_k |= SSL_kSRP;
1059
    }
1060
#endif
1061
}
1062

1063 1064 1065 1066 1067
/*
 * ssl_cipher_disabled - check that a cipher is disabled or not
 * @s: SSL connection that you want to use the cipher on
 * @c: cipher to check
 * @op: Security check that you want to do
1068
 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
1069 1070 1071
 *
 * Returns 1 when it's disabled, 0 when enabled.
 */
1072
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
1073
{
1074
    if (c->algorithm_mkey & s->s3->tmp.mask_k
1075
        || c->algorithm_auth & s->s3->tmp.mask_a)
1076
        return 1;
1077 1078
    if (s->s3->tmp.max_ver == 0)
        return 1;
1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092
    if (!SSL_IS_DTLS(s)) {
        int min_tls = c->min_tls;

        /*
         * For historical reasons we will allow ECHDE to be selected by a server
         * in SSLv3 if we are a client
         */
        if (min_tls == TLS1_VERSION && ecdhe
                && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
            min_tls = SSL3_VERSION;

        if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
            return 1;
    }
1093
    if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
E
Emilia Kasper 已提交
1094
                           || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
1095 1096
        return 1;

1097 1098
    return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}
D
Dr. Stephen Henson 已提交
1099

1100
int tls_use_ticket(SSL *s)
1101
{
1102
    if ((s->options & SSL_OP_NO_TICKET))
1103 1104 1105
        return 0;
    return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}
1106

1107
int tls1_set_server_sigalgs(SSL *s)
1108 1109
{
    size_t i;
F
FdaSilvaYY 已提交
1110 1111

    /* Clear any shared signature algorithms */
R
Rich Salz 已提交
1112 1113 1114
    OPENSSL_free(s->cert->shared_sigalgs);
    s->cert->shared_sigalgs = NULL;
    s->cert->shared_sigalgslen = 0;
1115 1116
    /* Clear certificate validity flags */
    for (i = 0; i < SSL_PKEY_NUM; i++)
1117
        s->s3->tmp.valid_flags[i] = 0;
D
Dr. Stephen Henson 已提交
1118 1119 1120 1121 1122 1123 1124
    /*
     * If peer sent no signature algorithms check to see if we support
     * the default algorithm for each certificate type
     */
    if (s->s3->tmp.peer_sigalgs == NULL) {
        const uint16_t *sent_sigs;
        size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
1125

D
Dr. Stephen Henson 已提交
1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139
        for (i = 0; i < SSL_PKEY_NUM; i++) {
            const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
            size_t j;

            if (lu == NULL)
                continue;
            /* Check default matches a type we sent */
            for (j = 0; j < sent_sigslen; j++) {
                if (lu->sigalg == sent_sigs[j]) {
                        s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
                        break;
                }
            }
        }
1140
        return 1;
D
Dr. Stephen Henson 已提交
1141
    }
1142 1143

    if (!tls1_process_sigalgs(s)) {
1144 1145 1146
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
        return 0;
1147
    }
1148 1149
    if (s->cert->shared_sigalgs != NULL)
        return 1;
1150

1151
    /* Fatal error if no shared signature algorithms */
1152 1153
    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
             SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
1154 1155
    return 0;
}
1156

1157
/*-
1158
 * Gets the ticket information supplied by the client if any.
1159
 *
1160
 *   hello: The parsed ClientHello data
B
Bodo Möller 已提交
1161 1162 1163 1164 1165
 *   ret: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 *
 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
 * ciphersuite, in which case we have no use for session tickets and one will
R
Rich Salz 已提交
1166
 * never be decrypted, nor will s->ext.ticket_expected be set to 1.
B
Bodo Möller 已提交
1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177
 *
 * Returns:
 *   -1: fatal error, either from parsing or decrypting the ticket.
 *    0: no ticket was found (or was ignored, based on settings).
 *    1: a zero length extension was found, indicating that the client supports
 *       session tickets but doesn't currently have one to offer.
 *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
 *       couldn't be decrypted because of a non-fatal error.
 *    3: a ticket was successfully decrypted and *ret was set.
 *
 * Side effects:
R
Rich Salz 已提交
1178
 *   Sets s->ext.ticket_expected to 1 if the server will have to issue
B
Bodo Möller 已提交
1179 1180 1181
 *   a new session ticket to the client because the client indicated support
 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
 *   a session ticket or we couldn't use the one it gave us, or if
R
Rich Salz 已提交
1182 1183
 *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
 *   Otherwise, s->ext.ticket_expected is set to 0.
1184
 */
1185 1186
TICKET_RETURN tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
                                         SSL_SESSION **ret)
1187
{
1188 1189 1190
    int retv;
    size_t size;
    RAW_EXTENSION *ticketext;
1191

1192
    *ret = NULL;
R
Rich Salz 已提交
1193
    s->ext.ticket_expected = 0;
1194 1195

    /*
1196 1197
     * If tickets disabled or not supported by the protocol version
     * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
1198 1199
     * resumption.
     */
1200
    if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
1201
        return TICKET_NONE;
M
Matt Caswell 已提交
1202

1203 1204
    ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
    if (!ticketext->present)
1205
        return TICKET_NONE;
1206 1207 1208 1209 1210 1211 1212

    size = PACKET_remaining(&ticketext->data);
    if (size == 0) {
        /*
         * The client will accept a ticket but doesn't currently have
         * one.
         */
R
Rich Salz 已提交
1213
        s->ext.ticket_expected = 1;
1214
        return TICKET_EMPTY;
M
Matt Caswell 已提交
1215
    }
R
Rich Salz 已提交
1216
    if (s->ext.session_secret_cb) {
1217 1218 1219 1220 1221 1222
        /*
         * Indicate that the ticket couldn't be decrypted rather than
         * generating the session from ticket now, trigger
         * abbreviated handshake based on external mechanism to
         * calculate the master secret later.
         */
1223
        return TICKET_NO_DECRYPT;
1224
    }
1225 1226 1227

    retv = tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
                              hello->session_id, hello->session_id_len, ret);
1228
    switch (retv) {
M
Matt Caswell 已提交
1229
    case TICKET_NO_DECRYPT:
R
Rich Salz 已提交
1230
        s->ext.ticket_expected = 1;
1231
        return TICKET_NO_DECRYPT;
M
Matt Caswell 已提交
1232

M
Matt Caswell 已提交
1233
    case TICKET_SUCCESS:
1234
        return TICKET_SUCCESS;
M
Matt Caswell 已提交
1235

M
Matt Caswell 已提交
1236
    case TICKET_SUCCESS_RENEW:
R
Rich Salz 已提交
1237
        s->ext.ticket_expected = 1;
1238
        return TICKET_SUCCESS;
1239

M
Matt Caswell 已提交
1240
    default:
1241
        return TICKET_FATAL_ERR_OTHER;
1242
    }
1243 1244
}

1245 1246
/*-
 * tls_decrypt_ticket attempts to decrypt a session ticket.
B
Bodo Möller 已提交
1247 1248
 *
 *   etick: points to the body of the session ticket extension.
F
FdaSilvaYY 已提交
1249
 *   eticklen: the length of the session tickets extension.
B
Bodo Möller 已提交
1250 1251 1252 1253 1254
 *   sess_id: points at the session ID.
 *   sesslen: the length of the session ID.
 *   psess: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 */
1255 1256 1257
TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,
                                 size_t eticklen, const unsigned char *sess_id,
                                 size_t sesslen, SSL_SESSION **psess)
1258 1259 1260 1261
{
    SSL_SESSION *sess;
    unsigned char *sdec;
    const unsigned char *p;
1262 1263
    int slen, renew_ticket = 0, declen;
    TICKET_RETURN ret = TICKET_FATAL_ERR_OTHER;
1264
    size_t mlen;
1265
    unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1266
    HMAC_CTX *hctx = NULL;
1267
    EVP_CIPHER_CTX *ctx;
1268
    SSL_CTX *tctx = s->session_ctx;
D
Dr. Stephen Henson 已提交
1269

1270
    /* Initialize session ticket encryption and HMAC contexts */
1271 1272
    hctx = HMAC_CTX_new();
    if (hctx == NULL)
1273
        return TICKET_FATAL_ERR_MALLOC;
1274
    ctx = EVP_CIPHER_CTX_new();
1275
    if (ctx == NULL) {
1276
        ret = TICKET_FATAL_ERR_MALLOC;
1277 1278
        goto err;
    }
R
Rich Salz 已提交
1279
    if (tctx->ext.ticket_key_cb) {
1280
        unsigned char *nctick = (unsigned char *)etick;
R
Rich Salz 已提交
1281
        int rv = tctx->ext.ticket_key_cb(s, nctick, nctick + 16,
1282
                                            ctx, hctx, 0);
1283
        if (rv < 0)
1284 1285
            goto err;
        if (rv == 0) {
1286
            ret = TICKET_NO_DECRYPT;
1287 1288
            goto err;
        }
1289 1290 1291 1292
        if (rv == 2)
            renew_ticket = 1;
    } else {
        /* Check key name matches */
R
Rich Salz 已提交
1293 1294
        if (memcmp(etick, tctx->ext.tick_key_name,
                   sizeof(tctx->ext.tick_key_name)) != 0) {
1295
            ret = TICKET_NO_DECRYPT;
1296 1297
            goto err;
        }
R
Rich Salz 已提交
1298 1299
        if (HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
                         sizeof(tctx->ext.tick_hmac_key),
1300
                         EVP_sha256(), NULL) <= 0
E
Emilia Kasper 已提交
1301
            || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
R
Rich Salz 已提交
1302
                                  tctx->ext.tick_aes_key,
1303 1304
                                  etick
                                  + sizeof(tctx->ext.tick_key_name)) <= 0) {
1305
            goto err;
E
Emilia Kasper 已提交
1306
        }
1307 1308 1309 1310 1311
    }
    /*
     * Attempt to process session ticket, first conduct sanity and integrity
     * checks on ticket.
     */
1312
    mlen = HMAC_size(hctx);
1313
    if (mlen == 0) {
1314
        goto err;
1315
    }
D
Dr. Stephen Henson 已提交
1316 1317
    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
    if (eticklen <=
1318
        TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
1319
        ret = TICKET_NO_DECRYPT;
D
Dr. Stephen Henson 已提交
1320 1321
        goto err;
    }
1322 1323
    eticklen -= mlen;
    /* Check HMAC of encrypted ticket */
1324
    if (HMAC_Update(hctx, etick, eticklen) <= 0
E
Emilia Kasper 已提交
1325
        || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
1326 1327
        goto err;
    }
1328
    HMAC_CTX_free(hctx);
1329
    if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
1330
        EVP_CIPHER_CTX_free(ctx);
1331
        return TICKET_NO_DECRYPT;
1332 1333 1334
    }
    /* Attempt to decrypt session data */
    /* Move p after IV to start of encrypted ticket, update length */
1335 1336
    p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
    eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
1337
    sdec = OPENSSL_malloc(eticklen);
1338 1339
    if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
                                          (int)eticklen) <= 0) {
1340
        EVP_CIPHER_CTX_free(ctx);
1341
        OPENSSL_free(sdec);
1342
        return TICKET_FATAL_ERR_OTHER;
1343
    }
1344
    if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
1345
        EVP_CIPHER_CTX_free(ctx);
1346
        OPENSSL_free(sdec);
1347
        return TICKET_NO_DECRYPT;
1348
    }
1349
    slen += declen;
1350 1351
    EVP_CIPHER_CTX_free(ctx);
    ctx = NULL;
1352 1353 1354
    p = sdec;

    sess = d2i_SSL_SESSION(NULL, &p, slen);
1355
    slen -= p - sdec;
1356 1357
    OPENSSL_free(sdec);
    if (sess) {
1358
        /* Some additional consistency checks */
1359
        if (slen != 0 || sess->session_id_length != 0) {
1360
            SSL_SESSION_free(sess);
B
Bernd Edlinger 已提交
1361
            return TICKET_NO_DECRYPT;
1362
        }
1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373
        /*
         * The session ID, if non-empty, is used by some clients to detect
         * that the ticket has been accepted. So we copy it to the session
         * structure. If it is empty set length to zero as required by
         * standard.
         */
        if (sesslen)
            memcpy(sess->session_id, sess_id, sesslen);
        sess->session_id_length = sesslen;
        *psess = sess;
        if (renew_ticket)
1374
            return TICKET_SUCCESS_RENEW;
1375
        else
1376
            return TICKET_SUCCESS;
1377 1378 1379 1380 1381
    }
    ERR_clear_error();
    /*
     * For session parse failure, indicate that we need to send a new ticket.
     */
1382
    return TICKET_NO_DECRYPT;
E
Emilia Kasper 已提交
1383
 err:
1384
    EVP_CIPHER_CTX_free(ctx);
1385
    HMAC_CTX_free(hctx);
1386
    return ret;
1387
}
1388

D
Dr. Stephen Henson 已提交
1389
/* Check to see if a signature algorithm is allowed */
1390
static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
1391
{
1392
    unsigned char sigalgstr[2];
D
Dr. Stephen Henson 已提交
1393
    int secbits;
1394

D
Dr. Stephen Henson 已提交
1395
    /* See if sigalgs is recognised and if hash is enabled */
1396
    if (!tls1_lookup_md(lu, NULL))
1397
        return 0;
D
Dr. Stephen Henson 已提交
1398 1399 1400
    /* DSA is not allowed in TLS 1.3 */
    if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
        return 0;
1401 1402 1403 1404 1405 1406
    /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
    if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
        && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
            || lu->hash_idx == SSL_MD_MD5_IDX
            || lu->hash_idx == SSL_MD_SHA224_IDX))
        return 0;
1407
    /* See if public key algorithm allowed */
D
Dr. Stephen Henson 已提交
1408
    if (ssl_cert_is_disabled(lu->sig_idx))
1409
        return 0;
1410 1411
    if (lu->hash == NID_undef)
        return 1;
D
Dr. Stephen Henson 已提交
1412 1413
    /* Security bits: half digest bits */
    secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
1414
    /* Finally see if security callback allows it */
1415 1416
    sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
    sigalgstr[1] = lu->sigalg & 0xff;
D
Dr. Stephen Henson 已提交
1417
    return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
1418 1419 1420 1421 1422 1423
}

/*
 * Get a mask of disabled public key algorithms based on supported signature
 * algorithms. For example if no signature algorithm supports RSA then RSA is
 * disabled.
D
Dr. Stephen Henson 已提交
1424 1425
 */

1426
void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
1427
{
1428
    const uint16_t *sigalgs;
1429
    size_t i, sigalgslen;
1430
    uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
1431
    /*
1432 1433
     * Go through all signature algorithms seeing if we support any
     * in disabled_mask.
1434
     */
1435
    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
K
KaoruToda 已提交
1436
    for (i = 0; i < sigalgslen; i++, sigalgs++) {
1437
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
1438
        const SSL_CERT_LOOKUP *clu;
1439 1440 1441

        if (lu == NULL)
            continue;
1442 1443

        clu = ssl_cert_lookup_by_idx(lu->sig_idx);
K
KaoruToda 已提交
1444 1445
	if (clu == NULL)
		continue;
1446 1447 1448 1449 1450

        /* If algorithm is disabled see if we can enable it */
        if ((clu->amask & disabled_mask) != 0
                && tls12_sigalg_allowed(s, op, lu))
            disabled_mask &= ~clu->amask;
1451
    }
1452
    *pmask_a |= disabled_mask;
1453
}
D
Dr. Stephen Henson 已提交
1454

M
Matt Caswell 已提交
1455
int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
1456
                       const uint16_t *psig, size_t psiglen)
1457 1458
{
    size_t i;
1459
    int rv = 0;
1460

1461
    for (i = 0; i < psiglen; i++, psig++) {
1462 1463 1464 1465 1466 1467 1468 1469
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);

        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
            continue;
        if (!WPACKET_put_bytes_u16(pkt, *psig))
            return 0;
        /*
         * If TLS 1.3 must have at least one valid TLS 1.3 message
1470
         * signing algorithm: i.e. neither RSA nor SHA1/SHA224
1471 1472
         */
        if (rv == 0 && (!SSL_IS_TLS13(s)
1473 1474 1475
            || (lu->sig != EVP_PKEY_RSA
                && lu->hash != NID_sha1
                && lu->hash != NID_sha224)))
1476
            rv = 1;
1477
    }
1478 1479
    if (rv == 0)
        SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
1480
    return rv;
1481 1482
}

1483
/* Given preference and allowed sigalgs set shared sigalgs */
1484
static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
1485 1486
                                   const uint16_t *pref, size_t preflen,
                                   const uint16_t *allow, size_t allowlen)
1487
{
1488
    const uint16_t *ptmp, *atmp;
1489
    size_t i, j, nmatch = 0;
1490
    for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
1491 1492
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);

1493
        /* Skip disabled hashes or signature algorithms */
1494
        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
1495
            continue;
1496 1497
        for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
            if (*ptmp == *atmp) {
1498
                nmatch++;
1499 1500
                if (shsig)
                    *shsig++ = lu;
1501 1502 1503 1504 1505 1506
                break;
            }
        }
    }
    return nmatch;
}
1507 1508 1509

/* Set shared signature algorithms for SSL structures */
static int tls1_set_shared_sigalgs(SSL *s)
1510
{
1511
    const uint16_t *pref, *allow, *conf;
1512 1513
    size_t preflen, allowlen, conflen;
    size_t nmatch;
1514
    const SIGALG_LOOKUP **salgs = NULL;
1515 1516
    CERT *c = s->cert;
    unsigned int is_suiteb = tls1_suiteb(s);
R
Rich Salz 已提交
1517 1518 1519 1520

    OPENSSL_free(c->shared_sigalgs);
    c->shared_sigalgs = NULL;
    c->shared_sigalgslen = 0;
1521 1522 1523 1524 1525 1526 1527 1528
    /* If client use client signature algorithms if not NULL */
    if (!s->server && c->client_sigalgs && !is_suiteb) {
        conf = c->client_sigalgs;
        conflen = c->client_sigalgslen;
    } else if (c->conf_sigalgs && !is_suiteb) {
        conf = c->conf_sigalgs;
        conflen = c->conf_sigalgslen;
    } else
1529
        conflen = tls12_get_psigalgs(s, 0, &conf);
1530 1531 1532
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
        pref = conf;
        preflen = conflen;
D
Dr. Stephen Henson 已提交
1533 1534
        allow = s->s3->tmp.peer_sigalgs;
        allowlen = s->s3->tmp.peer_sigalgslen;
1535 1536 1537
    } else {
        allow = conf;
        allowlen = conflen;
D
Dr. Stephen Henson 已提交
1538 1539
        pref = s->s3->tmp.peer_sigalgs;
        preflen = s->s3->tmp.peer_sigalgslen;
1540 1541
    }
    nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
D
Dr. Stephen Henson 已提交
1542
    if (nmatch) {
1543
        salgs = OPENSSL_malloc(nmatch * sizeof(*salgs));
1544
        if (salgs == NULL)
D
Dr. Stephen Henson 已提交
1545 1546 1547 1548 1549
            return 0;
        nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
    } else {
        salgs = NULL;
    }
1550 1551 1552 1553
    c->shared_sigalgs = salgs;
    c->shared_sigalgslen = nmatch;
    return 1;
}
1554

D
Dr. Stephen Henson 已提交
1555
int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
1556
{
1557
    unsigned int stmp;
1558
    size_t size, i;
D
Dr. Stephen Henson 已提交
1559
    uint16_t *buf;
1560

1561 1562 1563
    size = PACKET_remaining(pkt);

    /* Invalid data length */
1564
    if (size == 0 || (size & 1) != 0)
1565 1566 1567 1568
        return 0;

    size >>= 1;

D
Dr. Stephen Henson 已提交
1569 1570
    buf = OPENSSL_malloc(size * sizeof(*buf));
    if (buf == NULL)
1571
        return 0;
1572
    for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
D
Dr. Stephen Henson 已提交
1573
        buf[i] = stmp;
1574

D
Dr. Stephen Henson 已提交
1575 1576
    if (i != size) {
        OPENSSL_free(buf);
1577
        return 0;
D
Dr. Stephen Henson 已提交
1578 1579 1580 1581 1582
    }

    OPENSSL_free(*pdest);
    *pdest = buf;
    *pdestlen = size;
1583

1584 1585
    return 1;
}
1586

D
Dr. Stephen Henson 已提交
1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603
int tls1_save_sigalgs(SSL *s, PACKET *pkt)
{
    /* Extension ignored for inappropriate versions */
    if (!SSL_USE_SIGALGS(s))
        return 1;
    /* Should never happen */
    if (s->cert == NULL)
        return 0;

    return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs,
                         &s->s3->tmp.peer_sigalgslen);

    return 1;
}

/* Set preferred digest for each key type */

1604
int tls1_process_sigalgs(SSL *s)
1605 1606
{
    size_t i;
1607
    uint32_t *pvalid = s->s3->tmp.valid_flags;
1608
    CERT *c = s->cert;
1609

1610 1611 1612
    if (!tls1_set_shared_sigalgs(s))
        return 0;

1613 1614 1615
    for (i = 0; i < SSL_PKEY_NUM; i++)
        pvalid[i] = 0;

1616 1617
    for (i = 0; i < c->shared_sigalgslen; i++) {
        const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
1618
        int idx = sigptr->sig_idx;
1619

1620
        /* Ignore PKCS1 based sig algs in TLSv1.3 */
1621
        if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
1622
            continue;
1623
        /* If not disabled indicate we can explicitly sign */
D
Dr. Stephen Henson 已提交
1624 1625
        if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx))
            pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
1626 1627 1628
    }
    return 1;
}
D
Dr. Stephen Henson 已提交
1629

1630
int SSL_get_sigalgs(SSL *s, int idx,
1631 1632 1633
                    int *psign, int *phash, int *psignhash,
                    unsigned char *rsig, unsigned char *rhash)
{
1634
    uint16_t *psig = s->s3->tmp.peer_sigalgs;
1635
    size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
1636
    if (psig == NULL || numsigalgs > INT_MAX)
1637 1638
        return 0;
    if (idx >= 0) {
1639 1640
        const SIGALG_LOOKUP *lu;

1641
        if (idx >= (int)numsigalgs)
1642 1643
            return 0;
        psig += idx;
1644
        if (rhash != NULL)
1645
            *rhash = (unsigned char)((*psig >> 8) & 0xff);
1646
        if (rsig != NULL)
1647
            *rsig = (unsigned char)(*psig & 0xff);
1648 1649 1650 1651 1652 1653 1654
        lu = tls1_lookup_sigalg(*psig);
        if (psign != NULL)
            *psign = lu != NULL ? lu->sig : NID_undef;
        if (phash != NULL)
            *phash = lu != NULL ? lu->hash : NID_undef;
        if (psignhash != NULL)
            *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
1655
    }
1656
    return (int)numsigalgs;
1657
}
1658 1659

int SSL_get_shared_sigalgs(SSL *s, int idx,
1660 1661 1662
                           int *psign, int *phash, int *psignhash,
                           unsigned char *rsig, unsigned char *rhash)
{
1663 1664
    const SIGALG_LOOKUP *shsigalgs;
    if (s->cert->shared_sigalgs == NULL
1665
        || idx < 0
1666 1667
        || idx >= (int)s->cert->shared_sigalgslen
        || s->cert->shared_sigalgslen > INT_MAX)
1668
        return 0;
1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679
    shsigalgs = s->cert->shared_sigalgs[idx];
    if (phash != NULL)
        *phash = shsigalgs->hash;
    if (psign != NULL)
        *psign = shsigalgs->sig;
    if (psignhash != NULL)
        *psignhash = shsigalgs->sigandhash;
    if (rsig != NULL)
        *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
    if (rhash != NULL)
        *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
1680
    return (int)s->cert->shared_sigalgslen;
1681 1682
}

D
Dr. Stephen Henson 已提交
1683 1684
/* Maximum possible number of unique entries in sigalgs array */
#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
1685

1686 1687
typedef struct {
    size_t sigalgcnt;
D
Dr. Stephen Henson 已提交
1688
    int sigalgs[TLS_MAX_SIGALGCNT];
1689
} sig_cb_st;
1690

1691 1692 1693 1694
static void get_sigorhash(int *psig, int *phash, const char *str)
{
    if (strcmp(str, "RSA") == 0) {
        *psig = EVP_PKEY_RSA;
D
Dr. Stephen Henson 已提交
1695 1696
    } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
        *psig = EVP_PKEY_RSA_PSS;
1697 1698 1699 1700 1701 1702 1703 1704 1705 1706
    } else if (strcmp(str, "DSA") == 0) {
        *psig = EVP_PKEY_DSA;
    } else if (strcmp(str, "ECDSA") == 0) {
        *psig = EVP_PKEY_EC;
    } else {
        *phash = OBJ_sn2nid(str);
        if (*phash == NID_undef)
            *phash = OBJ_ln2nid(str);
    }
}
D
Dr. Stephen Henson 已提交
1707 1708
/* Maximum length of a signature algorithm string component */
#define TLS_MAX_SIGSTRING_LEN   40
1709

1710
static int sig_cb(const char *elem, int len, void *arg)
1711 1712 1713
{
    sig_cb_st *sarg = arg;
    size_t i;
D
Dr. Stephen Henson 已提交
1714
    char etmp[TLS_MAX_SIGSTRING_LEN], *p;
1715
    int sig_alg = NID_undef, hash_alg = NID_undef;
1716 1717
    if (elem == NULL)
        return 0;
D
Dr. Stephen Henson 已提交
1718
    if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
1719 1720 1721 1722 1723 1724
        return 0;
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    p = strchr(etmp, '+');
1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744
    /* See if we have a match for TLS 1.3 names */
    if (p == NULL) {
        const SIGALG_LOOKUP *s;

        for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
             i++, s++) {
            if (s->name != NULL && strcmp(etmp, s->name) == 0) {
                sig_alg = s->sig;
                hash_alg = s->hash;
                break;
            }
        }
    } else {
        *p = 0;
        p++;
        if (*p == 0)
            return 0;
        get_sigorhash(&sig_alg, &hash_alg, etmp);
        get_sigorhash(&sig_alg, &hash_alg, p);
    }
1745

1746
    if (sig_alg == NID_undef || (p != NULL && hash_alg == NID_undef))
1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758
        return 0;

    for (i = 0; i < sarg->sigalgcnt; i += 2) {
        if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
            return 0;
    }
    sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
    sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
    return 1;
}

/*
F
FdaSilvaYY 已提交
1759
 * Set supported signature algorithms based on a colon separated list of the
1760 1761
 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
 */
1762
int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
1763 1764 1765 1766 1767 1768 1769 1770 1771 1772
{
    sig_cb_st sig;
    sig.sigalgcnt = 0;
    if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
        return 0;
    if (c == NULL)
        return 1;
    return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}

E
Emilia Kasper 已提交
1773
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
1774
{
1775
    uint16_t *sigalgs, *sptr;
1776
    size_t i;
M
Matt Caswell 已提交
1777

1778 1779
    if (salglen & 1)
        return 0;
1780
    sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs));
1781 1782 1783
    if (sigalgs == NULL)
        return 0;
    for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
M
Matt Caswell 已提交
1784
        size_t j;
1785
        const SIGALG_LOOKUP *curr;
M
Matt Caswell 已提交
1786 1787 1788 1789 1790
        int md_id = *psig_nids++;
        int sig_id = *psig_nids++;

        for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
             j++, curr++) {
1791
            if (curr->hash == md_id && curr->sig == sig_id) {
M
Matt Caswell 已提交
1792 1793 1794 1795
                *sptr++ = curr->sigalg;
                break;
            }
        }
1796

M
Matt Caswell 已提交
1797
        if (j == OSSL_NELEM(sigalg_lookup_tbl))
1798 1799 1800 1801
            goto err;
    }

    if (client) {
R
Rich Salz 已提交
1802
        OPENSSL_free(c->client_sigalgs);
1803
        c->client_sigalgs = sigalgs;
1804
        c->client_sigalgslen = salglen / 2;
1805
    } else {
R
Rich Salz 已提交
1806
        OPENSSL_free(c->conf_sigalgs);
1807
        c->conf_sigalgs = sigalgs;
1808
        c->conf_sigalgslen = salglen / 2;
1809 1810 1811 1812 1813 1814 1815 1816
    }

    return 1;

 err:
    OPENSSL_free(sigalgs);
    return 0;
}
1817

1818
static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
1819 1820 1821 1822 1823 1824 1825 1826 1827
{
    int sig_nid;
    size_t i;
    if (default_nid == -1)
        return 1;
    sig_nid = X509_get_signature_nid(x);
    if (default_nid)
        return sig_nid == default_nid ? 1 : 0;
    for (i = 0; i < c->shared_sigalgslen; i++)
1828
        if (sig_nid == c->shared_sigalgs[i]->sigandhash)
1829 1830 1831 1832
            return 1;
    return 0;
}

1833 1834
/* Check to see if a certificate issuer name matches list of CA names */
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850
{
    X509_NAME *nm;
    int i;
    nm = X509_get_issuer_name(x);
    for (i = 0; i < sk_X509_NAME_num(names); i++) {
        if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
            return 1;
    }
    return 0;
}

/*
 * Check certificate chain is consistent with TLS extensions and is usable by
 * server. This servers two purposes: it allows users to check chains before
 * passing them to the server and it allows the server to check chains before
 * attempting to use them.
1851
 */
1852

F
FdaSilvaYY 已提交
1853
/* Flags which need to be set for a certificate when strict mode not set */
1854

1855
#define CERT_PKEY_VALID_FLAGS \
1856
        (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
1857
/* Strict mode flags */
1858
#define CERT_PKEY_STRICT_FLAGS \
1859 1860
         (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
         | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
1861

1862
int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
1863 1864 1865 1866 1867 1868 1869
                     int idx)
{
    int i;
    int rv = 0;
    int check_flags = 0, strict_mode;
    CERT_PKEY *cpk = NULL;
    CERT *c = s->cert;
1870
    uint32_t *pvalid;
1871 1872 1873 1874 1875 1876
    unsigned int suiteb_flags = tls1_suiteb(s);
    /* idx == -1 means checking server chains */
    if (idx != -1) {
        /* idx == -2 means checking client certificate chains */
        if (idx == -2) {
            cpk = c->key;
1877
            idx = (int)(cpk - c->pkeys);
1878 1879
        } else
            cpk = c->pkeys + idx;
1880
        pvalid = s->s3->tmp.valid_flags + idx;
1881 1882 1883 1884 1885 1886 1887 1888
        x = cpk->x509;
        pk = cpk->privatekey;
        chain = cpk->chain;
        strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
        /* If no cert or key, forget it */
        if (!x || !pk)
            goto end;
    } else {
1889 1890
        size_t certidx;

1891
        if (!x || !pk)
M
Matt Caswell 已提交
1892
            return 0;
1893 1894

        if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
M
Matt Caswell 已提交
1895
            return 0;
1896
        idx = certidx;
1897 1898
        pvalid = s->s3->tmp.valid_flags + idx;

1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922
        if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
            check_flags = CERT_PKEY_STRICT_FLAGS;
        else
            check_flags = CERT_PKEY_VALID_FLAGS;
        strict_mode = 1;
    }

    if (suiteb_flags) {
        int ok;
        if (check_flags)
            check_flags |= CERT_PKEY_SUITEB;
        ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
        if (ok == X509_V_OK)
            rv |= CERT_PKEY_SUITEB;
        else if (!check_flags)
            goto end;
    }

    /*
     * Check all signature algorithms are consistent with signature
     * algorithms extension if TLS 1.2 or later and strict mode.
     */
    if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
        int default_nid;
1923
        int rsign = 0;
D
Dr. Stephen Henson 已提交
1924
        if (s->s3->tmp.peer_sigalgs)
1925 1926 1927 1928
            default_nid = 0;
        /* If no sigalgs extension use defaults from RFC5246 */
        else {
            switch (idx) {
1929
            case SSL_PKEY_RSA:
1930
                rsign = EVP_PKEY_RSA;
1931 1932 1933 1934
                default_nid = NID_sha1WithRSAEncryption;
                break;

            case SSL_PKEY_DSA_SIGN:
1935
                rsign = EVP_PKEY_DSA;
1936 1937 1938 1939
                default_nid = NID_dsaWithSHA1;
                break;

            case SSL_PKEY_ECC:
1940
                rsign = EVP_PKEY_EC;
1941 1942 1943
                default_nid = NID_ecdsa_with_SHA1;
                break;

1944
            case SSL_PKEY_GOST01:
1945
                rsign = NID_id_GostR3410_2001;
1946 1947 1948 1949
                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
                break;

            case SSL_PKEY_GOST12_256:
1950
                rsign = NID_id_GostR3410_2012_256;
1951 1952 1953 1954
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
                break;

            case SSL_PKEY_GOST12_512:
1955
                rsign = NID_id_GostR3410_2012_512;
1956 1957 1958
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
                break;

1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969
            default:
                default_nid = -1;
                break;
            }
        }
        /*
         * If peer sent no signature algorithms extension and we have set
         * preferred signature algorithms check we support sha1.
         */
        if (default_nid > 0 && c->conf_sigalgs) {
            size_t j;
1970
            const uint16_t *p = c->conf_sigalgs;
1971
            for (j = 0; j < c->conf_sigalgslen; j++, p++) {
D
Dr. Stephen Henson 已提交
1972 1973 1974
                const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);

                if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005
                    break;
            }
            if (j == c->conf_sigalgslen) {
                if (check_flags)
                    goto skip_sigs;
                else
                    goto end;
            }
        }
        /* Check signature algorithm of each cert in chain */
        if (!tls1_check_sig_alg(c, x, default_nid)) {
            if (!check_flags)
                goto end;
        } else
            rv |= CERT_PKEY_EE_SIGNATURE;
        rv |= CERT_PKEY_CA_SIGNATURE;
        for (i = 0; i < sk_X509_num(chain); i++) {
            if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_SIGNATURE;
                    break;
                } else
                    goto end;
            }
        }
    }
    /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
    else if (check_flags)
        rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
 skip_sigs:
    /* Check cert parameters are consistent */
2006
    if (tls1_check_cert_param(s, x, 1))
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028
        rv |= CERT_PKEY_EE_PARAM;
    else if (!check_flags)
        goto end;
    if (!s->server)
        rv |= CERT_PKEY_CA_PARAM;
    /* In strict mode check rest of chain too */
    else if (strict_mode) {
        rv |= CERT_PKEY_CA_PARAM;
        for (i = 0; i < sk_X509_num(chain); i++) {
            X509 *ca = sk_X509_value(chain, i);
            if (!tls1_check_cert_param(s, ca, 0)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_PARAM;
                    break;
                } else
                    goto end;
            }
        }
    }
    if (!s->server && strict_mode) {
        STACK_OF(X509_NAME) *ca_dn;
        int check_type = 0;
D
Dr. Stephen Henson 已提交
2029
        switch (EVP_PKEY_id(pk)) {
2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040
        case EVP_PKEY_RSA:
            check_type = TLS_CT_RSA_SIGN;
            break;
        case EVP_PKEY_DSA:
            check_type = TLS_CT_DSS_SIGN;
            break;
        case EVP_PKEY_EC:
            check_type = TLS_CT_ECDSA_SIGN;
            break;
        }
        if (check_type) {
2041 2042 2043 2044 2045
            const uint8_t *ctypes = s->s3->tmp.ctype;
            size_t j;

            for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
                if (*ctypes == check_type) {
2046 2047 2048 2049 2050 2051
                    rv |= CERT_PKEY_CERT_TYPE;
                    break;
                }
            }
            if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
                goto end;
2052
        } else {
2053
            rv |= CERT_PKEY_CERT_TYPE;
2054
        }
2055

2056
        ca_dn = s->s3->tmp.peer_ca_names;
2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083

        if (!sk_X509_NAME_num(ca_dn))
            rv |= CERT_PKEY_ISSUER_NAME;

        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
            if (ssl_check_ca_name(ca_dn, x))
                rv |= CERT_PKEY_ISSUER_NAME;
        }
        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
            for (i = 0; i < sk_X509_num(chain); i++) {
                X509 *xtmp = sk_X509_value(chain, i);
                if (ssl_check_ca_name(ca_dn, xtmp)) {
                    rv |= CERT_PKEY_ISSUER_NAME;
                    break;
                }
            }
        }
        if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
            goto end;
    } else
        rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;

    if (!check_flags || (rv & check_flags) == check_flags)
        rv |= CERT_PKEY_VALID;

 end:

D
Dr. Stephen Henson 已提交
2084 2085 2086
    if (TLS1_get_version(s) >= TLS1_2_VERSION)
        rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
    else
2087 2088 2089 2090 2091 2092 2093
        rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;

    /*
     * When checking a CERT_PKEY structure all flags are irrelevant if the
     * chain is invalid.
     */
    if (!check_flags) {
D
Dr. Stephen Henson 已提交
2094
        if (rv & CERT_PKEY_VALID) {
2095
            *pvalid = rv;
D
Dr. Stephen Henson 已提交
2096 2097 2098
        } else {
            /* Preserve sign and explicit sign flag, clear rest */
            *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
2099 2100 2101 2102 2103
            return 0;
        }
    }
    return rv;
}
2104 2105 2106

/* Set validity of certificates in an SSL structure */
void tls1_set_cert_validity(SSL *s)
2107
{
2108
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
2109
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
M
Matt Caswell 已提交
2110 2111
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
2112 2113 2114
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
2115
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
2116 2117
}

F
FdaSilvaYY 已提交
2118
/* User level utility function to check a chain is suitable */
2119
int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
2120 2121 2122
{
    return tls1_check_chain(s, x, pk, chain, -1);
}
2123

D
Dr. Stephen Henson 已提交
2124 2125
#ifndef OPENSSL_NO_DH
DH *ssl_get_auto_dh(SSL *s)
2126 2127 2128 2129
{
    int dh_secbits = 80;
    if (s->cert->dh_tmp_auto == 2)
        return DH_get_1024_160();
2130
    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
2131 2132 2133 2134 2135
        if (s->s3->tmp.new_cipher->strength_bits == 256)
            dh_secbits = 128;
        else
            dh_secbits = 80;
    } else {
2136
        if (s->s3->tmp.cert == NULL)
D
Dr. Stephen Henson 已提交
2137
            return NULL;
2138
        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
2139 2140 2141 2142
    }

    if (dh_secbits >= 128) {
        DH *dhp = DH_new();
M
Matt Caswell 已提交
2143
        BIGNUM *p, *g;
2144
        if (dhp == NULL)
2145
            return NULL;
M
Matt Caswell 已提交
2146 2147 2148
        g = BN_new();
        if (g != NULL)
            BN_set_word(g, 2);
2149
        if (dh_secbits >= 192)
R
Rich Salz 已提交
2150
            p = BN_get_rfc3526_prime_8192(NULL);
2151
        else
R
Rich Salz 已提交
2152
            p = BN_get_rfc3526_prime_3072(NULL);
M
Matt Caswell 已提交
2153
        if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
2154
            DH_free(dhp);
M
Matt Caswell 已提交
2155 2156
            BN_free(p);
            BN_free(g);
2157 2158 2159 2160 2161 2162 2163 2164
            return NULL;
        }
        return dhp;
    }
    if (dh_secbits >= 112)
        return DH_get_2048_224();
    return DH_get_1024_160();
}
D
Dr. Stephen Henson 已提交
2165
#endif
D
Dr. Stephen Henson 已提交
2166 2167

static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2168
{
2169
    int secbits = -1;
2170
    EVP_PKEY *pkey = X509_get0_pubkey(x);
2171
    if (pkey) {
2172 2173 2174 2175 2176 2177
        /*
         * If no parameters this will return -1 and fail using the default
         * security callback for any non-zero security level. This will
         * reject keys which omit parameters but this only affects DSA and
         * omission of parameters is never (?) done in practice.
         */
2178
        secbits = EVP_PKEY_security_bits(pkey);
2179
    }
2180 2181 2182 2183 2184
    if (s)
        return ssl_security(s, op, secbits, 0, x);
    else
        return ssl_ctx_security(ctx, op, secbits, 0, x);
}
D
Dr. Stephen Henson 已提交
2185 2186

static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2187 2188
{
    /* Lookup signature algorithm digest */
2189
    int secbits, nid, pknid;
2190 2191 2192
    /* Don't check signature if self signed */
    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
        return 1;
2193 2194 2195 2196 2197
    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
        secbits = -1;
    /* If digest NID not defined use signature NID */
    if (nid == NID_undef)
        nid = pknid;
2198
    if (s)
2199
        return ssl_security(s, op, secbits, nid, x);
2200
    else
2201
        return ssl_ctx_security(ctx, op, secbits, nid, x);
2202
}
D
Dr. Stephen Henson 已提交
2203 2204

int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220
{
    if (vfy)
        vfy = SSL_SECOP_PEER;
    if (is_ee) {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
            return SSL_R_EE_KEY_TOO_SMALL;
    } else {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
            return SSL_R_CA_KEY_TOO_SMALL;
    }
    if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
        return SSL_R_CA_MD_TOO_WEAK;
    return 1;
}

/*
F
FdaSilvaYY 已提交
2221 2222
 * Check security of a chain, if |sk| includes the end entity certificate then
 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
2223
 * one to the peer. Return values: 1 if ok otherwise error code to use
D
Dr. Stephen Henson 已提交
2224 2225 2226
 */

int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246
{
    int rv, start_idx, i;
    if (x == NULL) {
        x = sk_X509_value(sk, 0);
        start_idx = 1;
    } else
        start_idx = 0;

    rv = ssl_security_cert(s, NULL, x, vfy, 1);
    if (rv != 1)
        return rv;

    for (i = start_idx; i < sk_X509_num(sk); i++) {
        x = sk_X509_value(sk, i);
        rv = ssl_security_cert(s, NULL, x, vfy, 0);
        if (rv != 1)
            return rv;
    }
    return 1;
}
2247

2248 2249
/*
 * For TLS 1.2 servers check if we have a certificate which can be used
2250
 * with the signature algorithm "lu" and return index of certificate.
2251 2252
 */

2253
static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
2254
{
2255 2256
    int sig_idx = lu->sig_idx;
    const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
2257 2258 2259

    /* If not recognised or not supported by cipher mask it is not suitable */
    if (clu == NULL || !(clu->amask & s->s3->tmp.new_cipher->algorithm_auth))
2260 2261 2262 2263 2264
        return -1;

    /* If PSS and we have no PSS cert use RSA */
    if (sig_idx == SSL_PKEY_RSA_PSS_SIGN && !ssl_has_cert(s, sig_idx))
        sig_idx = SSL_PKEY_RSA;
2265

2266
    return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
2267 2268
}

2269 2270
/*
 * Choose an appropriate signature algorithm based on available certificates
2271 2272
 * Sets chosen certificate and signature algorithm.
 *
2273 2274
 * For servers if we fail to find a required certificate it is a fatal error,
 * an appropriate error code is set and a TLS alert is sent.
2275
 *
2276
 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
2277 2278
 * a fatal error: we will either try another certificate or not present one
 * to the server. In this case no error is set.
2279
 */
2280
int tls_choose_sigalg(SSL *s, int fatalerrs)
2281
{
2282
    const SIGALG_LOOKUP *lu = NULL;
2283
    int sig_idx = -1;
2284

2285 2286 2287
    s->s3->tmp.cert = NULL;
    s->s3->tmp.sigalg = NULL;

2288 2289
    if (SSL_IS_TLS13(s)) {
        size_t i;
R
Richard Levitte 已提交
2290
#ifndef OPENSSL_NO_EC
2291
        int curve = -1, skip_ec = 0;
R
Richard Levitte 已提交
2292
#endif
2293

F
FdaSilvaYY 已提交
2294
        /* Look for a certificate matching shared sigalgs */
2295
        for (i = 0; i < s->cert->shared_sigalgslen; i++) {
2296
            lu = s->cert->shared_sigalgs[i];
2297

2298 2299 2300 2301
            /* Skip SHA1, SHA224, DSA and RSA if not PSS */
            if (lu->hash == NID_sha1
                || lu->hash == NID_sha224
                || lu->sig == EVP_PKEY_DSA
2302
                || lu->sig == EVP_PKEY_RSA)
2303
                continue;
2304
            if (!tls1_lookup_md(lu, NULL))
2305
                continue;
2306 2307 2308
            if (!ssl_has_cert(s, lu->sig_idx)) {
                if (lu->sig_idx != SSL_PKEY_RSA_PSS_SIGN
                        || !ssl_has_cert(s, SSL_PKEY_RSA))
2309
                    continue;
P
Patrick Steuer 已提交
2310
                sig_idx = SSL_PKEY_RSA;
2311
            }
2312
            if (lu->sig == EVP_PKEY_EC) {
R
Richard Levitte 已提交
2313
#ifndef OPENSSL_NO_EC
2314
                if (curve == -1) {
2315
                    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
2316 2317

                    curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
2318 2319 2320
                    if (EC_KEY_get_conv_form(ec)
                        != POINT_CONVERSION_UNCOMPRESSED)
                        skip_ec = 1;
2321
                }
2322
                if (skip_ec || (lu->curve != NID_undef && curve != lu->curve))
2323
                    continue;
R
Richard Levitte 已提交
2324 2325 2326
#else
                continue;
#endif
2327 2328 2329 2330 2331 2332
            } else if (lu->sig == EVP_PKEY_RSA_PSS) {
                /* validate that key is large enough for the signature algorithm */
                const RSA *rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_PSS_SIGN].privatekey);

                if (!rsa_pss_check_min_key_size(rsa, lu))
                    continue;
2333
            }
2334 2335 2336
            break;
        }
        if (i == s->cert->shared_sigalgslen) {
2337
            if (!fatalerrs)
2338
                return 1;
2339 2340
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
                     SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
2341 2342 2343
            return 0;
        }
    } else {
2344 2345 2346 2347
        /* If ciphersuite doesn't require a cert nothing to do */
        if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
            return 1;
        if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
2348
                return 1;
2349 2350 2351 2352

        if (SSL_USE_SIGALGS(s)) {
            if (s->s3->tmp.peer_sigalgs != NULL) {
                size_t i;
2353 2354 2355 2356 2357
#ifndef OPENSSL_NO_EC
                int curve;

                /* For Suite B need to match signature algorithm to curve */
                if (tls1_suiteb(s)) {
2358
                    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
2359 2360 2361 2362 2363
                    curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
                } else {
                    curve = -1;
                }
#endif
2364 2365 2366 2367 2368 2369 2370

                /*
                 * Find highest preference signature algorithm matching
                 * cert type
                 */
                for (i = 0; i < s->cert->shared_sigalgslen; i++) {
                    lu = s->cert->shared_sigalgs[i];
2371 2372

                    if (s->server) {
2373
                        if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
2374
                            continue;
2375 2376 2377 2378 2379 2380 2381 2382 2383 2384
                    } else {
                        int cc_idx = s->cert->key - s->cert->pkeys;

                        sig_idx = lu->sig_idx;
                        if (cc_idx != sig_idx) {
                            if (sig_idx != SSL_PKEY_RSA_PSS_SIGN
                                || cc_idx != SSL_PKEY_RSA)
                                continue;
                            sig_idx = SSL_PKEY_RSA;
                        }
D
Dr. Stephen Henson 已提交
2385
                    }
2386 2387 2388 2389 2390 2391 2392
                    if (lu->sig == EVP_PKEY_RSA_PSS) {
                        /* validate that key is large enough for the signature algorithm */
                        const RSA *rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_PSS_SIGN].privatekey);

                        if (!rsa_pss_check_min_key_size(rsa, lu))
                            continue;
                    }
2393 2394
#ifndef OPENSSL_NO_EC
                    if (curve == -1 || lu->curve == curve)
2395
#endif
2396 2397 2398
                        break;
                }
                if (i == s->cert->shared_sigalgslen) {
2399
                    if (!fatalerrs)
2400
                        return 1;
2401 2402
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
                             ERR_R_INTERNAL_ERROR);
2403 2404 2405 2406 2407 2408 2409 2410 2411
                    return 0;
                }
            } else {
                /*
                 * If we have no sigalg use defaults
                 */
                const uint16_t *sent_sigs;
                size_t sent_sigslen, i;

2412
                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
2413
                    if (!fatalerrs)
2414
                        return 1;
2415 2416
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
                             ERR_R_INTERNAL_ERROR);
2417 2418 2419 2420 2421 2422 2423 2424 2425 2426
                    return 0;
                }

                /* Check signature matches a type we sent */
                sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
                for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
                    if (lu->sigalg == *sent_sigs)
                        break;
                }
                if (i == sent_sigslen) {
2427
                    if (!fatalerrs)
2428
                        return 1;
2429 2430 2431
                    SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                             SSL_F_TLS_CHOOSE_SIGALG,
                             SSL_R_WRONG_SIGNATURE_TYPE);
2432 2433 2434 2435
                    return 0;
                }
            }
        } else {
2436
            if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
2437
                if (!fatalerrs)
2438
                    return 1;
2439 2440
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
                         ERR_R_INTERNAL_ERROR);
2441 2442 2443
                return 0;
            }
        }
2444
    }
2445 2446 2447
    if (sig_idx == -1)
        sig_idx = lu->sig_idx;
    s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
2448
    s->cert->key = s->s3->tmp.cert;
2449
    s->s3->tmp.sigalg = lu;
2450 2451
    return 1;
}
2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473 2474 2475 2476 2477 2478 2479 2480 2481 2482

int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
{
    if (mode != TLSEXT_max_fragment_length_DISABLED
            && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
        SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
               SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ctx->ext.max_fragment_len_mode = mode;
    return 1;
}

int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
{
    if (mode != TLSEXT_max_fragment_length_DISABLED
            && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
        SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
               SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ssl->ext.max_fragment_len_mode = mode;
    return 1;
}

uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
{
    return session->ext.max_fragment_len_mode;
}