t1_lib.c 75.2 KB
Newer Older
R
Rich Salz 已提交
1
/*
2
 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8
 */
9 10

#include <stdio.h>
E
Emilia Kasper 已提交
11
#include <stdlib.h>
12
#include <openssl/objects.h>
13 14
#include <openssl/evp.h>
#include <openssl/hmac.h>
15
#include <openssl/ocsp.h>
16 17
#include <openssl/conf.h>
#include <openssl/x509v3.h>
R
Rich Salz 已提交
18 19
#include <openssl/dh.h>
#include <openssl/bn.h>
20
#include "internal/nelem.h"
21
#include "ssl_locl.h"
R
Rich Salz 已提交
22
#include <openssl/ct.h>
23

24 25 26 27 28 29 30 31 32 33 34 35
SSL3_ENC_METHOD const TLSv1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    0,
M
Matt Caswell 已提交
36
    ssl3_set_handshake_header,
37
    tls_close_construct_packet,
38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV,
M
Matt Caswell 已提交
53
    ssl3_set_handshake_header,
54
    tls_close_construct_packet,
55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_2_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
        | SSL_ENC_FLAG_TLS1_2_CIPHERS,
M
Matt Caswell 已提交
71
    ssl3_set_handshake_header,
72
    tls_close_construct_packet,
73 74
    ssl3_handshake_write
};
75

76
SSL3_ENC_METHOD const TLSv1_3_enc_data = {
M
Matt Caswell 已提交
77
    tls13_enc,
78
    tls1_mac,
79 80 81 82
    tls13_setup_key_block,
    tls13_generate_master_secret,
    tls13_change_cipher_state,
    tls13_final_finish_mac,
83 84
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
85
    tls13_alert_code,
86
    tls13_export_keying_material,
M
Matt Caswell 已提交
87
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
88 89 90 91 92
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

93
long tls1_default_timeout(void)
94 95 96 97 98 99 100
{
    /*
     * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
     * http, the cache would over fill
     */
    return (60 * 60 * 2);
}
101

U
Ulf Möller 已提交
102
int tls1_new(SSL *s)
103 104
{
    if (!ssl3_new(s))
105 106 107 108 109
        return 0;
    if (!s->method->ssl_clear(s))
        return 0;

    return 1;
110
}
111

U
Ulf Möller 已提交
112
void tls1_free(SSL *s)
113
{
R
Rich Salz 已提交
114
    OPENSSL_free(s->ext.session_ticket);
115 116
    ssl3_free(s);
}
117

118
int tls1_clear(SSL *s)
119
{
120 121 122
    if (!ssl3_clear(s))
        return 0;

123 124 125 126
    if (s->method->version == TLS_ANY_VERSION)
        s->version = TLS_MAX_VERSION;
    else
        s->version = s->method->version;
127 128

    return 1;
129
}
130

131
#ifndef OPENSSL_NO_EC
132

133 134
/*
 * Table of curve information.
R
Rich Salz 已提交
135
 * Do not delete entries or reorder this array! It is used as a lookup
136 137
 * table: the index of each entry is one less than the TLS curve id.
 */
138
static const TLS_GROUP_INFO nid_list[] = {
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166
    {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
    {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
    {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
    {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
    {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
    {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
    {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
    {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
    {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
    {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
    {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
    {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
    {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
    {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
    {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
    {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
    {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
    {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
    {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
    {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
    {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
    {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
    {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
    {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
    {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
    {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
    {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
    {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
167
    {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
168 169 170 171 172 173 174 175
};

static const unsigned char ecformats_default[] = {
    TLSEXT_ECPOINTFORMAT_uncompressed,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
};

176
/* The default curves */
D
Dr. Stephen Henson 已提交
177 178 179 180 181
static const uint16_t eccurves_default[] = {
    29,                      /* X25519 (29) */
    23,                      /* secp256r1 (23) */
    25,                      /* secp521r1 (25) */
    24,                      /* secp384r1 (24) */
182 183
};

D
Dr. Stephen Henson 已提交
184 185 186
static const uint16_t suiteb_curves[] = {
    TLSEXT_curve_P_256,
    TLSEXT_curve_P_384
187
};
188

189
const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id)
190 191
{
    /* ECC curves from RFC 4492 and RFC 7027 */
D
Dr. Stephen Henson 已提交
192
    if (curve_id < 1 || curve_id > OSSL_NELEM(nid_list))
193 194
        return NULL;
    return &nid_list[curve_id - 1];
195
}
196

197
static uint16_t tls1_nid2group_id(int nid)
198
{
199 200 201
    size_t i;
    for (i = 0; i < OSSL_NELEM(nid_list); i++) {
        if (nid_list[i].nid == nid)
D
Dr. Stephen Henson 已提交
202
            return i + 1;
203
    }
204
    return 0;
205 206
}

207 208 209 210
/*
 * Get curves list, if "sess" is set return client curves otherwise
 * preferred list.
 * Sets |num_curves| to the number of curves in the list, i.e.,
211
 * the length of |pcurves| is num_curves.
212 213 214
 * Returns 1 on success and 0 if the client curves list has invalid format.
 * The latter indicates an internal error: we should not be accepting such
 * lists in the first place.
215
 */
D
Dr. Stephen Henson 已提交
216 217
void tls1_get_grouplist(SSL *s, int sess, const uint16_t **pcurves,
                        size_t *pcurveslen)
218
{
219

220
    if (sess) {
R
Rich Salz 已提交
221
        *pcurves = s->session->ext.supportedgroups;
D
Dr. Stephen Henson 已提交
222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243
        *pcurveslen = s->session->ext.supportedgroups_len;
        return;
    }
    /* For Suite B mode only include P-256, P-384 */
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        *pcurves = suiteb_curves;
        *pcurveslen = OSSL_NELEM(suiteb_curves);
        break;

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        *pcurves = suiteb_curves;
        *pcurveslen = 1;
        break;

    case SSL_CERT_FLAG_SUITEB_192_LOS:
        *pcurves = suiteb_curves + 1;
        *pcurveslen = 1;
        break;

    default:
        if (s->ext.supportedgroups == NULL) {
244
            *pcurves = eccurves_default;
D
Dr. Stephen Henson 已提交
245 246 247 248
            *pcurveslen = OSSL_NELEM(eccurves_default);
        } else {
            *pcurves = s->ext.supportedgroups;
            *pcurveslen = s->ext.supportedgroups_len;
249
        }
D
Dr. Stephen Henson 已提交
250
        break;
251 252
    }
}
D
Dr. Stephen Henson 已提交
253 254

/* See if curve is allowed by security callback */
D
Dr. Stephen Henson 已提交
255
int tls_curve_allowed(SSL *s, uint16_t curve, int op)
256
{
257
    const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
D
Dr. Stephen Henson 已提交
258
    unsigned char ctmp[2];
259 260

    if (cinfo == NULL)
261 262 263 264 265
        return 0;
# ifdef OPENSSL_NO_EC2M
    if (cinfo->flags & TLS_CURVE_CHAR2)
        return 0;
# endif
D
Dr. Stephen Henson 已提交
266 267 268
    ctmp[0] = curve >> 8;
    ctmp[1] = curve & 0xff;
    return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
269
}
D
Dr. Stephen Henson 已提交
270

271 272
/* Check a curve is one of our preferences */
int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
273
{
D
Dr. Stephen Henson 已提交
274 275
    const uint16_t *curves;
    uint16_t curve_id;
276 277 278 279
    size_t num_curves, i;
    unsigned int suiteb_flags = tls1_suiteb(s);
    if (len != 3 || p[0] != NAMED_CURVE_TYPE)
        return 0;
D
Dr. Stephen Henson 已提交
280
    curve_id = (p[1] << 8) | p[2];
281 282 283 284
    /* Check curve matches Suite B preferences */
    if (suiteb_flags) {
        unsigned long cid = s->s3->tmp.new_cipher->id;
        if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
D
Dr. Stephen Henson 已提交
285
            if (curve_id != TLSEXT_curve_P_256)
286 287
                return 0;
        } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
D
Dr. Stephen Henson 已提交
288
            if (curve_id != TLSEXT_curve_P_384)
289 290 291 292
                return 0;
        } else                  /* Should never happen */
            return 0;
    }
D
Dr. Stephen Henson 已提交
293
    tls1_get_grouplist(s, 0, &curves, &num_curves);
D
Dr. Stephen Henson 已提交
294 295 296
    for (i = 0; i < num_curves; i++) {
        if (curve_id == curves[i])
            return tls_curve_allowed(s, curve_id, SSL_SECOP_CURVE_CHECK);
297 298 299
    }
    return 0;
}
300

301
/*-
302
 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
303 304
 * if there is no match.
 * For nmatch == -1, return number of matches
305 306
 * For nmatch == -2, return the id of the group to use for
 * an tmp key, or 0 if there is no match.
307
 */
308
uint16_t tls1_shared_group(SSL *s, int nmatch)
309
{
D
Dr. Stephen Henson 已提交
310
    const uint16_t *pref, *supp;
311 312
    size_t num_pref, num_supp, i, j;
    int k;
313

314 315
    /* Can't do anything on client side */
    if (s->server == 0)
316
        return 0;
317 318 319 320 321 322 323
    if (nmatch == -2) {
        if (tls1_suiteb(s)) {
            /*
             * For Suite B ciphersuite determines curve: we already know
             * these are acceptable due to previous checks.
             */
            unsigned long cid = s->s3->tmp.new_cipher->id;
324

325
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
326
                return TLSEXT_curve_P_256;
327
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
328
                return TLSEXT_curve_P_384;
329
            /* Should never happen */
330
            return 0;
331 332 333 334 335
        }
        /* If not Suite B just return first preference shared curve */
        nmatch = 0;
    }
    /*
D
Dr. Stephen Henson 已提交
336
     * Avoid truncation. tls1_get_grouplist takes an int
337 338
     * but s->options is a long...
     */
D
Dr. Stephen Henson 已提交
339
    tls1_get_grouplist(s,
340
            (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0,
D
Dr. Stephen Henson 已提交
341 342
            &supp, &num_supp);
    tls1_get_grouplist(s,
343
            (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0,
D
Dr. Stephen Henson 已提交
344
            &pref, &num_pref);
345

D
Dr. Stephen Henson 已提交
346 347
    for (k = 0, i = 0; i < num_pref; i++) {
        uint16_t id = pref[i];
348

D
Dr. Stephen Henson 已提交
349 350 351
        for (j = 0; j < num_supp; j++) {
            if (id == supp[j]) {
                if (!tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
352
                    continue;
D
Dr. Stephen Henson 已提交
353
                if (nmatch == k)
354
                    return id;
355 356 357 358 359 360 361
                k++;
            }
        }
    }
    if (nmatch == -1)
        return k;
    /* Out of range (nmatch > k). */
362
    return 0;
363
}
364

D
Dr. Stephen Henson 已提交
365
int tls1_set_groups(uint16_t **pext, size_t *pextlen,
366
                    int *groups, size_t ngroups)
367
{
D
Dr. Stephen Henson 已提交
368
    uint16_t *glist;
369 370
    size_t i;
    /*
371
     * Bitmap of groups included to detect duplicates: only works while group
372 373 374
     * ids < 32
     */
    unsigned long dup_list = 0;
D
Dr. Stephen Henson 已提交
375
    glist = OPENSSL_malloc(ngroups * sizeof(*glist));
376
    if (glist == NULL)
377
        return 0;
D
Dr. Stephen Henson 已提交
378
    for (i = 0; i < ngroups; i++) {
379
        unsigned long idmask;
D
Dr. Stephen Henson 已提交
380
        uint16_t id;
381
        /* TODO(TLS1.3): Convert for DH groups */
382
        id = tls1_nid2group_id(groups[i]);
383 384
        idmask = 1L << id;
        if (!id || (dup_list & idmask)) {
385
            OPENSSL_free(glist);
386 387 388
            return 0;
        }
        dup_list |= idmask;
D
Dr. Stephen Henson 已提交
389
        glist[i] = id;
390
    }
R
Rich Salz 已提交
391
    OPENSSL_free(*pext);
392
    *pext = glist;
D
Dr. Stephen Henson 已提交
393
    *pextlen = ngroups;
394 395 396 397 398 399 400 401 402
    return 1;
}

# define MAX_CURVELIST   28

typedef struct {
    size_t nidcnt;
    int nid_arr[MAX_CURVELIST];
} nid_cb_st;
403 404

static int nid_cb(const char *elem, int len, void *arg)
405 406 407 408 409
{
    nid_cb_st *narg = arg;
    size_t i;
    int nid;
    char etmp[20];
410 411
    if (elem == NULL)
        return 0;
412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431
    if (narg->nidcnt == MAX_CURVELIST)
        return 0;
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    nid = EC_curve_nist2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_sn2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_ln2nid(etmp);
    if (nid == NID_undef)
        return 0;
    for (i = 0; i < narg->nidcnt; i++)
        if (narg->nid_arr[i] == nid)
            return 0;
    narg->nid_arr[narg->nidcnt++] = nid;
    return 1;
}

432
/* Set groups based on a colon separate list */
D
Dr. Stephen Henson 已提交
433
int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
434 435 436 437 438 439 440
{
    nid_cb_st ncb;
    ncb.nidcnt = 0;
    if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
        return 0;
    if (pext == NULL)
        return 1;
441
    return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
442
}
443 444
/* Return group id of a key */
static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
445
{
446
    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
447
    const EC_GROUP *grp;
448 449

    if (ec == NULL)
450 451
        return 0;
    grp = EC_KEY_get0_group(ec);
452
    return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
453 454
}

455 456
/* Check a key is compatible with compression extension */
static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
457
{
458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484
    const EC_KEY *ec;
    const EC_GROUP *grp;
    unsigned char comp_id;
    size_t i;

    /* If not an EC key nothing to check */
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
        return 1;
    ec = EVP_PKEY_get0_EC_KEY(pkey);
    grp = EC_KEY_get0_group(ec);

    /* Get required compression id */
    if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
            comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
    } else if (SSL_IS_TLS13(s)) {
            /* Compression not allowed in TLS 1.3 */
            return 0;
    } else {
        int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));

        if (field_type == NID_X9_62_prime_field)
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
        else if (field_type == NID_X9_62_prime_field)
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
        else
            return 0;
    }
485 486 487 488
    /*
     * If point formats extension present check it, otherwise everything is
     * supported (see RFC4492).
     */
489
    if (s->session->ext.ecpointformats == NULL)
490
        return 1;
491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507

    for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
        if (s->session->ext.ecpointformats[i] == comp_id)
            return 1;
    }
    return 0;
}
/* Check a group id matches preferences */
static int tls1_check_group_id(SSL *s, uint16_t group_id)
    {
    const uint16_t *groups;
    size_t i, groups_len;

    if (group_id == 0)
        return 0;

    /* Check group is one of our preferences */
D
Dr. Stephen Henson 已提交
508
    tls1_get_grouplist(s, 0, &groups, &groups_len);
509 510
    for (i = 0; i < groups_len; i++) {
        if (groups[i] == group_id)
511 512
            break;
    }
513 514 515 516 517 518 519 520
    if (i == groups_len)
        return 0;

    /* For clients, nothing more to check */
    if (!s->server)
        return 1;

    /* Check group is one of peers preferences */
D
Dr. Stephen Henson 已提交
521
    tls1_get_grouplist(s, 1, &groups, &groups_len);
522 523 524 525 526 527 528 529 530 531 532 533 534 535 536

    /*
     * RFC 4492 does not require the supported elliptic curves extension
     * so if it is not sent we can just choose any curve.
     * It is invalid to send an empty list in the supported groups
     * extension, so groups_len == 0 always means no extension.
     */
    if (groups_len == 0)
            return 1;

    for (i = 0; i < groups_len; i++) {
        if (groups[i] == group_id)
            return 1;
    }
    return 0;
537
}
538

539 540
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
                         size_t *num_formats)
541 542 543 544
{
    /*
     * If we have a custom point format list use it otherwise use default
     */
R
Rich Salz 已提交
545 546 547
    if (s->ext.ecpointformats) {
        *pformats = s->ext.ecpointformats;
        *num_formats = s->ext.ecpointformats_len;
548 549 550 551 552 553 554 555 556 557 558 559 560
    } else {
        *pformats = ecformats_default;
        /* For Suite B we don't support char2 fields */
        if (tls1_suiteb(s))
            *num_formats = sizeof(ecformats_default) - 1;
        else
            *num_formats = sizeof(ecformats_default);
    }
}

/*
 * Check cert parameters compatible with extensions: currently just checks EC
 * certificates have compatible curves and compression.
561
 */
562
static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
563
{
564
    uint16_t group_id;
565
    EVP_PKEY *pkey;
566
    pkey = X509_get0_pubkey(x);
567
    if (pkey == NULL)
568 569
        return 0;
    /* If not EC nothing to do */
D
Dr. Stephen Henson 已提交
570
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
571
        return 1;
572 573
    /* Check compression */
    if (!tls1_check_pkey_comp(s, pkey))
574
        return 0;
575 576
    group_id = tls1_get_group_id(pkey);
    if (!tls1_check_group_id(s, group_id))
577 578 579
        return 0;
    /*
     * Special case for suite B. We *MUST* sign using SHA256+P-256 or
580
     * SHA384+P-384.
581
     */
582
    if (check_ee_md && tls1_suiteb(s)) {
583 584 585
        int check_md;
        size_t i;
        CERT *c = s->cert;
D
Dr. Stephen Henson 已提交
586

587
        /* Check to see we have necessary signing algorithm */
588
        if (group_id == TLSEXT_curve_P_256)
589
            check_md = NID_ecdsa_with_SHA256;
590
        else if (group_id == TLSEXT_curve_P_384)
591 592 593
            check_md = NID_ecdsa_with_SHA384;
        else
            return 0;           /* Should never happen */
594
        for (i = 0; i < c->shared_sigalgslen; i++) {
595
            if (check_md == c->shared_sigalgs[i]->sigandhash)
596 597 598
                return 1;;
        }
        return 0;
599
    }
600
    return 1;
601 602
}

603
/*
F
FdaSilvaYY 已提交
604
 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
605 606 607 608 609 610 611 612
 * @s: SSL connection
 * @cid: Cipher ID we're considering using
 *
 * Checks that the kECDHE cipher suite we're considering using
 * is compatible with the client extensions.
 *
 * Returns 0 when the cipher can't be used or 1 when it can.
 */
613
int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
614
{
615 616 617
    /* If not Suite B just need a shared group */
    if (!tls1_suiteb(s))
        return tls1_shared_group(s, 0) != 0;
618 619 620 621
    /*
     * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
     * curves permitted.
     */
622 623 624 625 626 627
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
        return tls1_check_group_id(s, TLSEXT_curve_P_256);
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
        return tls1_check_group_id(s, TLSEXT_curve_P_384);

    return 0;
628
}
629

630 631 632
#else

static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
633 634 635
{
    return 1;
}
636

637
#endif                          /* OPENSSL_NO_EC */
638

639
/* Default sigalg schemes */
640
static const uint16_t tls12_sigalgs[] = {
641 642 643 644
#ifndef OPENSSL_NO_EC
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
645
    TLSEXT_SIGALG_ed25519,
646
#endif
647

648 649 650 651
    TLSEXT_SIGALG_rsa_pss_sha256,
    TLSEXT_SIGALG_rsa_pss_sha384,
    TLSEXT_SIGALG_rsa_pss_sha512,

652 653 654
    TLSEXT_SIGALG_rsa_pkcs1_sha256,
    TLSEXT_SIGALG_rsa_pkcs1_sha384,
    TLSEXT_SIGALG_rsa_pkcs1_sha512,
655

656
#ifndef OPENSSL_NO_EC
657
    TLSEXT_SIGALG_ecdsa_sha224,
M
Matt Caswell 已提交
658
    TLSEXT_SIGALG_ecdsa_sha1,
659
#endif
660
    TLSEXT_SIGALG_rsa_pkcs1_sha224,
M
Matt Caswell 已提交
661
    TLSEXT_SIGALG_rsa_pkcs1_sha1,
662
#ifndef OPENSSL_NO_DSA
663
    TLSEXT_SIGALG_dsa_sha224,
M
Matt Caswell 已提交
664 665
    TLSEXT_SIGALG_dsa_sha1,

666 667 668
    TLSEXT_SIGALG_dsa_sha256,
    TLSEXT_SIGALG_dsa_sha384,
    TLSEXT_SIGALG_dsa_sha512
669
#endif
670
};
671

672
#ifndef OPENSSL_NO_EC
673
static const uint16_t suiteb_sigalgs[] = {
674 675
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384
676
};
677
#endif
R
Rich Salz 已提交
678

679
static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
680
#ifndef OPENSSL_NO_EC
681
    {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
682 683
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
684
    {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
685 686
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA384, NID_secp384r1},
687
    {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
688 689
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA512, NID_secp521r1},
690
    {"ed25519", TLSEXT_SIGALG_ed25519,
691
     NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
692
     NID_undef, NID_undef},
693 694 695
    {NULL, TLSEXT_SIGALG_ecdsa_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA224, NID_undef},
696
    {NULL, TLSEXT_SIGALG_ecdsa_sha1,
697 698
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA1, NID_undef},
699
#endif
700
    {"rsa_pss_sha256", TLSEXT_SIGALG_rsa_pss_sha256,
701 702
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
703
    {"rsa_pss_sha384", TLSEXT_SIGALG_rsa_pss_sha384,
704 705
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
706
    {"rsa_pss_sha512", TLSEXT_SIGALG_rsa_pss_sha512,
707 708
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
709
    {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
710
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
711
     NID_sha256WithRSAEncryption, NID_undef},
712
    {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
713
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
714
     NID_sha384WithRSAEncryption, NID_undef},
715
    {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
716
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
717
     NID_sha512WithRSAEncryption, NID_undef},
718 719 720
    {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha224WithRSAEncryption, NID_undef},
721
    {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
722
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
723
     NID_sha1WithRSAEncryption, NID_undef},
724
#ifndef OPENSSL_NO_DSA
725
    {NULL, TLSEXT_SIGALG_dsa_sha256,
726 727
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_dsa_with_SHA256, NID_undef},
728
    {NULL, TLSEXT_SIGALG_dsa_sha384,
729 730
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
731
    {NULL, TLSEXT_SIGALG_dsa_sha512,
732 733
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
734 735 736
    {NULL, TLSEXT_SIGALG_dsa_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
737
    {NULL, TLSEXT_SIGALG_dsa_sha1,
738 739
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_dsaWithSHA1, NID_undef},
740 741
#endif
#ifndef OPENSSL_NO_GOST
742
    {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
743 744 745
     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
     NID_undef, NID_undef},
746
    {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
747 748 749
     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
     NID_undef, NID_undef},
750
    {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
751 752 753
     NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
     NID_id_GostR3410_2001, SSL_PKEY_GOST01,
     NID_undef, NID_undef}
754
#endif
755
};
756 757 758 759 760 761 762 763 764 765 766 767 768 769
/* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
static const SIGALG_LOOKUP legacy_rsa_sigalg = {
    "rsa_pkcs1_md5_sha1", 0,
     NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
     EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_undef, NID_undef
};

/*
 * Default signature algorithm values used if signature algorithms not present.
 * From RFC5246. Note: order must match certificate index order.
 */
static const uint16_t tls_default_sigalg[] = {
    TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
770
    0, /* SSL_PKEY_RSA_PSS_SIGN */
771 772 773 774
    TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
    TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
    TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
D
Dr. Stephen Henson 已提交
775 776
    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
    0 /* SSL_PKEY_ED25519 */
777
};
778

779 780
/* Lookup TLS signature algorithm */
static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
781 782
{
    size_t i;
783
    const SIGALG_LOOKUP *s;
784

785 786 787 788
    for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
         i++, s++) {
        if (s->sigalg == sigalg)
            return s;
789
    }
790 791
    return NULL;
}
792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810
/* Lookup hash: return 0 if invalid or not enabled */
int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
{
    const EVP_MD *md;
    if (lu == NULL)
        return 0;
    /* lu->hash == NID_undef means no associated digest */
    if (lu->hash == NID_undef) {
        md = NULL;
    } else {
        md = ssl_md(lu->hash_idx);
        if (md == NULL)
            return 0;
    }
    if (pmd)
        *pmd = md;
    return 1;
}

811 812 813 814 815 816
/*
 * Return a signature algorithm for TLS < 1.2 where the signature type
 * is fixed by the certificate type.
 */
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
{
817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833
    if (idx == -1) {
        if (s->server) {
            size_t i;

            /* Work out index corresponding to ciphersuite */
            for (i = 0; i < SSL_PKEY_NUM; i++) {
                const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);

                if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
                    idx = i;
                    break;
                }
            }
        } else {
            idx = s->cert->key - s->cert->pkeys;
        }
    }
834 835 836 837 838
    if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
        return NULL;
    if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);

839
        if (!tls1_lookup_md(lu, NULL))
840 841 842 843 844 845 846 847
            return NULL;
        return lu;
    }
    return &legacy_rsa_sigalg;
}
/* Set peer sigalg based key type */
int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
{
848 849
    size_t idx;
    const SIGALG_LOOKUP *lu;
850

851 852 853
    if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
        return 0;
    lu = tls1_get_legacy_sigalg(s, idx);
854 855 856 857 858
    if (lu == NULL)
        return 0;
    s->s3->tmp.peer_sigalg = lu;
    return 1;
}
859

860
size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
861 862 863 864 865
{
    /*
     * If Suite B mode use Suite B sigalgs only, ignore any other
     * preferences.
     */
866
#ifndef OPENSSL_NO_EC
867 868 869
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        *psigs = suiteb_sigalgs;
870
        return OSSL_NELEM(suiteb_sigalgs);
871 872 873

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        *psigs = suiteb_sigalgs;
874
        return 1;
875 876

    case SSL_CERT_FLAG_SUITEB_192_LOS:
877 878
        *psigs = suiteb_sigalgs + 1;
        return 1;
879
    }
880
#endif
881 882 883 884 885 886
    /*
     *  We use client_sigalgs (if not NULL) if we're a server
     *  and sending a certificate request or if we're a client and
     *  determining which shared algorithm to use.
     */
    if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
887 888 889 890 891 892 893
        *psigs = s->cert->client_sigalgs;
        return s->cert->client_sigalgslen;
    } else if (s->cert->conf_sigalgs) {
        *psigs = s->cert->conf_sigalgs;
        return s->cert->conf_sigalgslen;
    } else {
        *psigs = tls12_sigalgs;
894
        return OSSL_NELEM(tls12_sigalgs);
895 896 897 898 899
    }
}

/*
 * Check signature algorithm is consistent with sent supported signature
D
Dr. Stephen Henson 已提交
900 901
 * algorithms and if so set relevant digest and signature scheme in
 * s.
902
 */
903
int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
904
{
905
    const uint16_t *sent_sigs;
D
Dr. Stephen Henson 已提交
906
    const EVP_MD *md = NULL;
907
    char sigalgstr[2];
908
    size_t sent_sigslen, i;
909
    int pkeyid = EVP_PKEY_id(pkey);
910
    const SIGALG_LOOKUP *lu;
911

912
    /* Should never happen */
913
    if (pkeyid == -1)
914
        return -1;
915 916 917 918 919 920 921 922 923 924
    if (SSL_IS_TLS13(s)) {
        /* Disallow DSA for TLS 1.3 */
        if (pkeyid == EVP_PKEY_DSA) {
            SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
        /* Only allow PSS for TLS 1.3 */
        if (pkeyid == EVP_PKEY_RSA)
            pkeyid = EVP_PKEY_RSA_PSS;
    }
925 926
    lu = tls1_lookup_sigalg(sig);
    /*
927 928
     * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
     * is consistent with signature: RSA keys can be used for RSA-PSS
929
     */
930 931
    if (lu == NULL
        || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
932
        || (pkeyid != lu->sig
933
        && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
934 935 936
        SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
937
#ifndef OPENSSL_NO_EC
938
    if (pkeyid == EVP_PKEY_EC) {
D
Dr. Stephen Henson 已提交
939

940 941 942 943 944 945 946 947 948 949 950 951
        /* Check point compression is permitted */
        if (!tls1_check_pkey_comp(s, pkey)) {
            SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
                   SSL_R_ILLEGAL_POINT_COMPRESSION);
            return 0;
        }

        /* For TLS 1.3 or Suite B check curve matches signature algorithm */
        if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
            EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
            int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));

952
            if (lu->curve != NID_undef && curve != lu->curve) {
953 954 955
                SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
                return 0;
            }
956 957 958 959
        }
        if (!SSL_IS_TLS13(s)) {
            /* Check curve matches extensions */
            if (!tls1_check_group_id(s, tls1_get_group_id(pkey))) {
960 961 962 963
                SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
                return 0;
            }
            if (tls1_suiteb(s)) {
D
Dr. Stephen Henson 已提交
964 965 966 967 968
                /* Check sigalg matches a permissible Suite B value */
                if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
                    && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
                    SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
                           SSL_R_WRONG_SIGNATURE_TYPE);
969
                    return 0;
D
Dr. Stephen Henson 已提交
970
                }
971
            }
972
        }
973
    } else if (tls1_suiteb(s)) {
974
        return 0;
975
    }
976
#endif
977 978

    /* Check signature matches a type we sent */
979
    sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
980
    for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
981
        if (sig == *sent_sigs)
982 983 984
            break;
    }
    /* Allow fallback to SHA1 if not strict mode */
985 986
    if (i == sent_sigslen && (lu->hash != NID_sha1
        || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
987 988 989
        SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
990 991 992
    if (!tls1_lookup_md(lu, &md)) {
            SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
            return 0;
993
    }
994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006
    if (md != NULL) {
        /*
         * Make sure security callback allows algorithm. For historical
         * reasons we have to pass the sigalg as a two byte char array.
         */
        sigalgstr[0] = (sig >> 8) & 0xff;
        sigalgstr[1] = sig & 0xff;
        if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
                    EVP_MD_size(md) * 4, EVP_MD_type(md),
                    (void *)sigalgstr)) {
            SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
1007
    }
1008
    /* Store the sigalg the peer uses */
1009
    s->s3->tmp.peer_sigalg = lu;
1010 1011
    return 1;
}
1012

1013 1014
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
{
1015
    if (s->s3->tmp.peer_sigalg == NULL)
1016
        return 0;
1017
    *pnid = s->s3->tmp.peer_sigalg->sig;
1018 1019 1020
    return 1;
}

1021
/*
1022 1023 1024 1025 1026 1027 1028 1029
 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
 * supported, doesn't appear in supported signature algorithms, isn't supported
 * by the enabled protocol versions or by the security level.
 *
 * This function should only be used for checking which ciphers are supported
 * by the client.
 *
 * Call ssl_cipher_disabled() to check that it's enabled or not.
1030 1031
 */
void ssl_set_client_disabled(SSL *s)
1032
{
1033 1034 1035
    s->s3->tmp.mask_a = 0;
    s->s3->tmp.mask_k = 0;
    ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
1036
    ssl_get_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
E
Emilia Kasper 已提交
1037
#ifndef OPENSSL_NO_PSK
1038 1039
    /* with PSK there must be client callback set */
    if (!s->psk_client_callback) {
1040
        s->s3->tmp.mask_a |= SSL_aPSK;
1041
        s->s3->tmp.mask_k |= SSL_PSK;
1042
    }
E
Emilia Kasper 已提交
1043
#endif                          /* OPENSSL_NO_PSK */
1044
#ifndef OPENSSL_NO_SRP
1045
    if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1046 1047
        s->s3->tmp.mask_a |= SSL_aSRP;
        s->s3->tmp.mask_k |= SSL_kSRP;
1048
    }
1049
#endif
1050
}
1051

1052 1053 1054 1055 1056
/*
 * ssl_cipher_disabled - check that a cipher is disabled or not
 * @s: SSL connection that you want to use the cipher on
 * @c: cipher to check
 * @op: Security check that you want to do
1057
 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
1058 1059 1060
 *
 * Returns 1 when it's disabled, 0 when enabled.
 */
1061
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
1062
{
1063
    if (c->algorithm_mkey & s->s3->tmp.mask_k
1064
        || c->algorithm_auth & s->s3->tmp.mask_a)
1065
        return 1;
1066 1067
    if (s->s3->tmp.max_ver == 0)
        return 1;
1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081
    if (!SSL_IS_DTLS(s)) {
        int min_tls = c->min_tls;

        /*
         * For historical reasons we will allow ECHDE to be selected by a server
         * in SSLv3 if we are a client
         */
        if (min_tls == TLS1_VERSION && ecdhe
                && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
            min_tls = SSL3_VERSION;

        if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
            return 1;
    }
1082
    if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
E
Emilia Kasper 已提交
1083
                           || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
1084 1085
        return 1;

1086 1087
    return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}
D
Dr. Stephen Henson 已提交
1088

1089
int tls_use_ticket(SSL *s)
1090
{
1091
    if ((s->options & SSL_OP_NO_TICKET))
1092 1093 1094
        return 0;
    return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}
1095

1096
int tls1_set_server_sigalgs(SSL *s)
1097 1098 1099
{
    int al;
    size_t i;
F
FdaSilvaYY 已提交
1100 1101

    /* Clear any shared signature algorithms */
R
Rich Salz 已提交
1102 1103 1104
    OPENSSL_free(s->cert->shared_sigalgs);
    s->cert->shared_sigalgs = NULL;
    s->cert->shared_sigalgslen = 0;
1105 1106
    /* Clear certificate validity flags */
    for (i = 0; i < SSL_PKEY_NUM; i++)
1107
        s->s3->tmp.valid_flags[i] = 0;
D
Dr. Stephen Henson 已提交
1108 1109 1110 1111 1112 1113 1114
    /*
     * If peer sent no signature algorithms check to see if we support
     * the default algorithm for each certificate type
     */
    if (s->s3->tmp.peer_sigalgs == NULL) {
        const uint16_t *sent_sigs;
        size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
1115

D
Dr. Stephen Henson 已提交
1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129
        for (i = 0; i < SSL_PKEY_NUM; i++) {
            const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
            size_t j;

            if (lu == NULL)
                continue;
            /* Check default matches a type we sent */
            for (j = 0; j < sent_sigslen; j++) {
                if (lu->sigalg == sent_sigs[j]) {
                        s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
                        break;
                }
            }
        }
1130
        return 1;
D
Dr. Stephen Henson 已提交
1131
    }
1132 1133 1134 1135 1136

    if (!tls1_process_sigalgs(s)) {
        SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto err;
1137
    }
1138 1139
    if (s->cert->shared_sigalgs != NULL)
        return 1;
1140
    /* Fatal error if no shared signature algorithms */
1141
    SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
1142
    al = SSL_AD_HANDSHAKE_FAILURE;
1143 1144 1145 1146
 err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
    return 0;
}
1147

1148
/*-
1149
 * Gets the ticket information supplied by the client if any.
1150
 *
1151
 *   hello: The parsed ClientHello data
B
Bodo Möller 已提交
1152 1153 1154 1155 1156
 *   ret: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 *
 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
 * ciphersuite, in which case we have no use for session tickets and one will
R
Rich Salz 已提交
1157
 * never be decrypted, nor will s->ext.ticket_expected be set to 1.
B
Bodo Möller 已提交
1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168
 *
 * Returns:
 *   -1: fatal error, either from parsing or decrypting the ticket.
 *    0: no ticket was found (or was ignored, based on settings).
 *    1: a zero length extension was found, indicating that the client supports
 *       session tickets but doesn't currently have one to offer.
 *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
 *       couldn't be decrypted because of a non-fatal error.
 *    3: a ticket was successfully decrypted and *ret was set.
 *
 * Side effects:
R
Rich Salz 已提交
1169
 *   Sets s->ext.ticket_expected to 1 if the server will have to issue
B
Bodo Möller 已提交
1170 1171 1172
 *   a new session ticket to the client because the client indicated support
 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
 *   a session ticket or we couldn't use the one it gave us, or if
R
Rich Salz 已提交
1173 1174
 *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
 *   Otherwise, s->ext.ticket_expected is set to 0.
1175
 */
1176 1177
TICKET_RETURN tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
                                         SSL_SESSION **ret)
1178
{
1179 1180 1181
    int retv;
    size_t size;
    RAW_EXTENSION *ticketext;
1182

1183
    *ret = NULL;
R
Rich Salz 已提交
1184
    s->ext.ticket_expected = 0;
1185 1186

    /*
1187 1188
     * If tickets disabled or not supported by the protocol version
     * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
1189 1190
     * resumption.
     */
1191
    if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
1192
        return TICKET_NONE;
M
Matt Caswell 已提交
1193

1194 1195
    ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
    if (!ticketext->present)
1196
        return TICKET_NONE;
1197 1198 1199 1200 1201 1202 1203

    size = PACKET_remaining(&ticketext->data);
    if (size == 0) {
        /*
         * The client will accept a ticket but doesn't currently have
         * one.
         */
R
Rich Salz 已提交
1204
        s->ext.ticket_expected = 1;
1205
        return TICKET_EMPTY;
M
Matt Caswell 已提交
1206
    }
R
Rich Salz 已提交
1207
    if (s->ext.session_secret_cb) {
1208 1209 1210 1211 1212 1213
        /*
         * Indicate that the ticket couldn't be decrypted rather than
         * generating the session from ticket now, trigger
         * abbreviated handshake based on external mechanism to
         * calculate the master secret later.
         */
1214
        return TICKET_NO_DECRYPT;
1215
    }
1216 1217 1218

    retv = tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
                              hello->session_id, hello->session_id_len, ret);
1219
    switch (retv) {
M
Matt Caswell 已提交
1220
    case TICKET_NO_DECRYPT:
R
Rich Salz 已提交
1221
        s->ext.ticket_expected = 1;
1222
        return TICKET_NO_DECRYPT;
M
Matt Caswell 已提交
1223

M
Matt Caswell 已提交
1224
    case TICKET_SUCCESS:
1225
        return TICKET_SUCCESS;
M
Matt Caswell 已提交
1226

M
Matt Caswell 已提交
1227
    case TICKET_SUCCESS_RENEW:
R
Rich Salz 已提交
1228
        s->ext.ticket_expected = 1;
1229
        return TICKET_SUCCESS;
1230

M
Matt Caswell 已提交
1231
    default:
1232
        return TICKET_FATAL_ERR_OTHER;
1233
    }
1234 1235
}

1236 1237
/*-
 * tls_decrypt_ticket attempts to decrypt a session ticket.
B
Bodo Möller 已提交
1238 1239
 *
 *   etick: points to the body of the session ticket extension.
F
FdaSilvaYY 已提交
1240
 *   eticklen: the length of the session tickets extension.
B
Bodo Möller 已提交
1241 1242 1243 1244 1245
 *   sess_id: points at the session ID.
 *   sesslen: the length of the session ID.
 *   psess: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 */
1246 1247 1248
TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,
                                 size_t eticklen, const unsigned char *sess_id,
                                 size_t sesslen, SSL_SESSION **psess)
1249 1250 1251 1252
{
    SSL_SESSION *sess;
    unsigned char *sdec;
    const unsigned char *p;
1253 1254
    int slen, renew_ticket = 0, declen;
    TICKET_RETURN ret = TICKET_FATAL_ERR_OTHER;
1255
    size_t mlen;
1256
    unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1257
    HMAC_CTX *hctx = NULL;
1258
    EVP_CIPHER_CTX *ctx;
1259
    SSL_CTX *tctx = s->session_ctx;
D
Dr. Stephen Henson 已提交
1260

1261
    /* Initialize session ticket encryption and HMAC contexts */
1262 1263
    hctx = HMAC_CTX_new();
    if (hctx == NULL)
1264
        return TICKET_FATAL_ERR_MALLOC;
1265
    ctx = EVP_CIPHER_CTX_new();
1266
    if (ctx == NULL) {
1267
        ret = TICKET_FATAL_ERR_MALLOC;
1268 1269
        goto err;
    }
R
Rich Salz 已提交
1270
    if (tctx->ext.ticket_key_cb) {
1271
        unsigned char *nctick = (unsigned char *)etick;
R
Rich Salz 已提交
1272
        int rv = tctx->ext.ticket_key_cb(s, nctick, nctick + 16,
1273
                                            ctx, hctx, 0);
1274
        if (rv < 0)
1275 1276
            goto err;
        if (rv == 0) {
1277
            ret = TICKET_NO_DECRYPT;
1278 1279
            goto err;
        }
1280 1281 1282 1283
        if (rv == 2)
            renew_ticket = 1;
    } else {
        /* Check key name matches */
R
Rich Salz 已提交
1284 1285
        if (memcmp(etick, tctx->ext.tick_key_name,
                   sizeof(tctx->ext.tick_key_name)) != 0) {
1286
            ret = TICKET_NO_DECRYPT;
1287 1288
            goto err;
        }
R
Rich Salz 已提交
1289 1290
        if (HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
                         sizeof(tctx->ext.tick_hmac_key),
1291
                         EVP_sha256(), NULL) <= 0
E
Emilia Kasper 已提交
1292
            || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
R
Rich Salz 已提交
1293
                                  tctx->ext.tick_aes_key,
1294 1295
                                  etick
                                  + sizeof(tctx->ext.tick_key_name)) <= 0) {
1296
            goto err;
E
Emilia Kasper 已提交
1297
        }
1298 1299 1300 1301 1302
    }
    /*
     * Attempt to process session ticket, first conduct sanity and integrity
     * checks on ticket.
     */
1303
    mlen = HMAC_size(hctx);
1304
    if (mlen == 0) {
1305
        goto err;
1306
    }
D
Dr. Stephen Henson 已提交
1307 1308
    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
    if (eticklen <=
1309
        TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
1310
        ret = TICKET_NO_DECRYPT;
D
Dr. Stephen Henson 已提交
1311 1312
        goto err;
    }
1313 1314
    eticklen -= mlen;
    /* Check HMAC of encrypted ticket */
1315
    if (HMAC_Update(hctx, etick, eticklen) <= 0
E
Emilia Kasper 已提交
1316
        || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
1317 1318
        goto err;
    }
1319
    HMAC_CTX_free(hctx);
1320
    if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
1321
        EVP_CIPHER_CTX_free(ctx);
1322
        return TICKET_NO_DECRYPT;
1323 1324 1325
    }
    /* Attempt to decrypt session data */
    /* Move p after IV to start of encrypted ticket, update length */
1326 1327
    p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
    eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
1328
    sdec = OPENSSL_malloc(eticklen);
1329 1330
    if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
                                          (int)eticklen) <= 0) {
1331
        EVP_CIPHER_CTX_free(ctx);
1332
        OPENSSL_free(sdec);
1333
        return TICKET_FATAL_ERR_OTHER;
1334
    }
1335
    if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
1336
        EVP_CIPHER_CTX_free(ctx);
1337
        OPENSSL_free(sdec);
1338
        return TICKET_NO_DECRYPT;
1339
    }
1340
    slen += declen;
1341 1342
    EVP_CIPHER_CTX_free(ctx);
    ctx = NULL;
1343 1344 1345
    p = sdec;

    sess = d2i_SSL_SESSION(NULL, &p, slen);
1346
    slen -= p - sdec;
1347 1348
    OPENSSL_free(sdec);
    if (sess) {
1349
        /* Some additional consistency checks */
1350
        if (slen != 0 || sess->session_id_length != 0) {
1351
            SSL_SESSION_free(sess);
B
Bernd Edlinger 已提交
1352
            return TICKET_NO_DECRYPT;
1353
        }
1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364
        /*
         * The session ID, if non-empty, is used by some clients to detect
         * that the ticket has been accepted. So we copy it to the session
         * structure. If it is empty set length to zero as required by
         * standard.
         */
        if (sesslen)
            memcpy(sess->session_id, sess_id, sesslen);
        sess->session_id_length = sesslen;
        *psess = sess;
        if (renew_ticket)
1365
            return TICKET_SUCCESS_RENEW;
1366
        else
1367
            return TICKET_SUCCESS;
1368 1369 1370 1371 1372
    }
    ERR_clear_error();
    /*
     * For session parse failure, indicate that we need to send a new ticket.
     */
1373
    return TICKET_NO_DECRYPT;
E
Emilia Kasper 已提交
1374
 err:
1375
    EVP_CIPHER_CTX_free(ctx);
1376
    HMAC_CTX_free(hctx);
1377
    return ret;
1378
}
1379

D
Dr. Stephen Henson 已提交
1380
/* Check to see if a signature algorithm is allowed */
1381
static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
1382
{
1383
    unsigned char sigalgstr[2];
D
Dr. Stephen Henson 已提交
1384
    int secbits;
1385

D
Dr. Stephen Henson 已提交
1386
    /* See if sigalgs is recognised and if hash is enabled */
1387
    if (!tls1_lookup_md(lu, NULL))
1388
        return 0;
D
Dr. Stephen Henson 已提交
1389 1390 1391
    /* DSA is not allowed in TLS 1.3 */
    if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
        return 0;
1392 1393 1394 1395 1396 1397
    /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
    if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
        && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
            || lu->hash_idx == SSL_MD_MD5_IDX
            || lu->hash_idx == SSL_MD_SHA224_IDX))
        return 0;
1398
    /* See if public key algorithm allowed */
D
Dr. Stephen Henson 已提交
1399
    if (ssl_cert_is_disabled(lu->sig_idx))
1400
        return 0;
1401 1402
    if (lu->hash == NID_undef)
        return 1;
D
Dr. Stephen Henson 已提交
1403 1404
    /* Security bits: half digest bits */
    secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
1405
    /* Finally see if security callback allows it */
1406 1407
    sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
    sigalgstr[1] = lu->sigalg & 0xff;
D
Dr. Stephen Henson 已提交
1408
    return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
1409 1410 1411 1412 1413 1414
}

/*
 * Get a mask of disabled public key algorithms based on supported signature
 * algorithms. For example if no signature algorithm supports RSA then RSA is
 * disabled.
D
Dr. Stephen Henson 已提交
1415 1416
 */

1417
void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
1418
{
1419
    const uint16_t *sigalgs;
1420
    size_t i, sigalgslen;
1421
    uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
1422
    /*
1423 1424
     * Go through all signature algorithms seeing if we support any
     * in disabled_mask.
1425
     */
1426
    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
1427
    for (i = 0; i < sigalgslen; i ++, sigalgs++) {
1428
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
1429
        const SSL_CERT_LOOKUP *clu;
1430 1431 1432

        if (lu == NULL)
            continue;
1433 1434 1435 1436 1437 1438 1439

        clu = ssl_cert_lookup_by_idx(lu->sig_idx);

        /* If algorithm is disabled see if we can enable it */
        if ((clu->amask & disabled_mask) != 0
                && tls12_sigalg_allowed(s, op, lu))
            disabled_mask &= ~clu->amask;
1440
    }
1441
    *pmask_a |= disabled_mask;
1442
}
D
Dr. Stephen Henson 已提交
1443

M
Matt Caswell 已提交
1444
int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
1445
                       const uint16_t *psig, size_t psiglen)
1446 1447
{
    size_t i;
1448
    int rv = 0;
1449

1450
    for (i = 0; i < psiglen; i++, psig++) {
1451 1452 1453 1454 1455 1456 1457 1458
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);

        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
            continue;
        if (!WPACKET_put_bytes_u16(pkt, *psig))
            return 0;
        /*
         * If TLS 1.3 must have at least one valid TLS 1.3 message
1459
         * signing algorithm: i.e. neither RSA nor SHA1/SHA224
1460 1461
         */
        if (rv == 0 && (!SSL_IS_TLS13(s)
1462 1463 1464
            || (lu->sig != EVP_PKEY_RSA
                && lu->hash != NID_sha1
                && lu->hash != NID_sha224)))
1465
            rv = 1;
1466
    }
1467 1468
    if (rv == 0)
        SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
1469
    return rv;
1470 1471
}

1472
/* Given preference and allowed sigalgs set shared sigalgs */
1473
static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
1474 1475
                                   const uint16_t *pref, size_t preflen,
                                   const uint16_t *allow, size_t allowlen)
1476
{
1477
    const uint16_t *ptmp, *atmp;
1478
    size_t i, j, nmatch = 0;
1479
    for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
1480 1481
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);

1482
        /* Skip disabled hashes or signature algorithms */
1483
        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
1484
            continue;
1485 1486
        for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
            if (*ptmp == *atmp) {
1487
                nmatch++;
1488 1489
                if (shsig)
                    *shsig++ = lu;
1490 1491 1492 1493 1494 1495
                break;
            }
        }
    }
    return nmatch;
}
1496 1497 1498

/* Set shared signature algorithms for SSL structures */
static int tls1_set_shared_sigalgs(SSL *s)
1499
{
1500
    const uint16_t *pref, *allow, *conf;
1501 1502
    size_t preflen, allowlen, conflen;
    size_t nmatch;
1503
    const SIGALG_LOOKUP **salgs = NULL;
1504 1505
    CERT *c = s->cert;
    unsigned int is_suiteb = tls1_suiteb(s);
R
Rich Salz 已提交
1506 1507 1508 1509

    OPENSSL_free(c->shared_sigalgs);
    c->shared_sigalgs = NULL;
    c->shared_sigalgslen = 0;
1510 1511 1512 1513 1514 1515 1516 1517
    /* If client use client signature algorithms if not NULL */
    if (!s->server && c->client_sigalgs && !is_suiteb) {
        conf = c->client_sigalgs;
        conflen = c->client_sigalgslen;
    } else if (c->conf_sigalgs && !is_suiteb) {
        conf = c->conf_sigalgs;
        conflen = c->conf_sigalgslen;
    } else
1518
        conflen = tls12_get_psigalgs(s, 0, &conf);
1519 1520 1521
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
        pref = conf;
        preflen = conflen;
D
Dr. Stephen Henson 已提交
1522 1523
        allow = s->s3->tmp.peer_sigalgs;
        allowlen = s->s3->tmp.peer_sigalgslen;
1524 1525 1526
    } else {
        allow = conf;
        allowlen = conflen;
D
Dr. Stephen Henson 已提交
1527 1528
        pref = s->s3->tmp.peer_sigalgs;
        preflen = s->s3->tmp.peer_sigalgslen;
1529 1530
    }
    nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
D
Dr. Stephen Henson 已提交
1531
    if (nmatch) {
1532
        salgs = OPENSSL_malloc(nmatch * sizeof(*salgs));
1533
        if (salgs == NULL)
D
Dr. Stephen Henson 已提交
1534 1535 1536 1537 1538
            return 0;
        nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
    } else {
        salgs = NULL;
    }
1539 1540 1541 1542
    c->shared_sigalgs = salgs;
    c->shared_sigalgslen = nmatch;
    return 1;
}
1543

D
Dr. Stephen Henson 已提交
1544
int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
1545
{
1546
    unsigned int stmp;
1547
    size_t size, i;
D
Dr. Stephen Henson 已提交
1548
    uint16_t *buf;
1549

1550 1551 1552
    size = PACKET_remaining(pkt);

    /* Invalid data length */
1553
    if (size == 0 || (size & 1) != 0)
1554 1555 1556 1557
        return 0;

    size >>= 1;

D
Dr. Stephen Henson 已提交
1558 1559
    buf = OPENSSL_malloc(size * sizeof(*buf));
    if (buf == NULL)
1560
        return 0;
1561
    for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
D
Dr. Stephen Henson 已提交
1562
        buf[i] = stmp;
1563

D
Dr. Stephen Henson 已提交
1564 1565
    if (i != size) {
        OPENSSL_free(buf);
1566
        return 0;
D
Dr. Stephen Henson 已提交
1567 1568 1569 1570 1571
    }

    OPENSSL_free(*pdest);
    *pdest = buf;
    *pdestlen = size;
1572

1573 1574
    return 1;
}
1575

D
Dr. Stephen Henson 已提交
1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592
int tls1_save_sigalgs(SSL *s, PACKET *pkt)
{
    /* Extension ignored for inappropriate versions */
    if (!SSL_USE_SIGALGS(s))
        return 1;
    /* Should never happen */
    if (s->cert == NULL)
        return 0;

    return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs,
                         &s->s3->tmp.peer_sigalgslen);

    return 1;
}

/* Set preferred digest for each key type */

1593
int tls1_process_sigalgs(SSL *s)
1594 1595
{
    size_t i;
1596
    uint32_t *pvalid = s->s3->tmp.valid_flags;
1597
    CERT *c = s->cert;
1598

1599 1600 1601
    if (!tls1_set_shared_sigalgs(s))
        return 0;

1602 1603 1604
    for (i = 0; i < SSL_PKEY_NUM; i++)
        pvalid[i] = 0;

1605 1606
    for (i = 0; i < c->shared_sigalgslen; i++) {
        const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
1607
        int idx = sigptr->sig_idx;
1608

1609
        /* Ignore PKCS1 based sig algs in TLSv1.3 */
1610
        if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
1611
            continue;
1612
        /* If not disabled indicate we can explicitly sign */
D
Dr. Stephen Henson 已提交
1613 1614
        if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx))
            pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
1615 1616 1617
    }
    return 1;
}
D
Dr. Stephen Henson 已提交
1618

1619
int SSL_get_sigalgs(SSL *s, int idx,
1620 1621 1622
                    int *psign, int *phash, int *psignhash,
                    unsigned char *rsig, unsigned char *rhash)
{
1623
    uint16_t *psig = s->s3->tmp.peer_sigalgs;
1624
    size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
1625
    if (psig == NULL || numsigalgs > INT_MAX)
1626 1627
        return 0;
    if (idx >= 0) {
1628 1629
        const SIGALG_LOOKUP *lu;

1630
        if (idx >= (int)numsigalgs)
1631 1632
            return 0;
        psig += idx;
1633
        if (rhash != NULL)
1634
            *rhash = (unsigned char)((*psig >> 8) & 0xff);
1635
        if (rsig != NULL)
1636
            *rsig = (unsigned char)(*psig & 0xff);
1637 1638 1639 1640 1641 1642 1643
        lu = tls1_lookup_sigalg(*psig);
        if (psign != NULL)
            *psign = lu != NULL ? lu->sig : NID_undef;
        if (phash != NULL)
            *phash = lu != NULL ? lu->hash : NID_undef;
        if (psignhash != NULL)
            *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
1644
    }
1645
    return (int)numsigalgs;
1646
}
1647 1648

int SSL_get_shared_sigalgs(SSL *s, int idx,
1649 1650 1651
                           int *psign, int *phash, int *psignhash,
                           unsigned char *rsig, unsigned char *rhash)
{
1652 1653
    const SIGALG_LOOKUP *shsigalgs;
    if (s->cert->shared_sigalgs == NULL
1654
        || idx < 0
1655 1656
        || idx >= (int)s->cert->shared_sigalgslen
        || s->cert->shared_sigalgslen > INT_MAX)
1657
        return 0;
1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668
    shsigalgs = s->cert->shared_sigalgs[idx];
    if (phash != NULL)
        *phash = shsigalgs->hash;
    if (psign != NULL)
        *psign = shsigalgs->sig;
    if (psignhash != NULL)
        *psignhash = shsigalgs->sigandhash;
    if (rsig != NULL)
        *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
    if (rhash != NULL)
        *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
1669
    return (int)s->cert->shared_sigalgslen;
1670 1671
}

D
Dr. Stephen Henson 已提交
1672 1673
/* Maximum possible number of unique entries in sigalgs array */
#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
1674

1675 1676
typedef struct {
    size_t sigalgcnt;
D
Dr. Stephen Henson 已提交
1677
    int sigalgs[TLS_MAX_SIGALGCNT];
1678
} sig_cb_st;
1679

1680 1681 1682 1683
static void get_sigorhash(int *psig, int *phash, const char *str)
{
    if (strcmp(str, "RSA") == 0) {
        *psig = EVP_PKEY_RSA;
D
Dr. Stephen Henson 已提交
1684 1685
    } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
        *psig = EVP_PKEY_RSA_PSS;
1686 1687 1688 1689 1690 1691 1692 1693 1694 1695
    } else if (strcmp(str, "DSA") == 0) {
        *psig = EVP_PKEY_DSA;
    } else if (strcmp(str, "ECDSA") == 0) {
        *psig = EVP_PKEY_EC;
    } else {
        *phash = OBJ_sn2nid(str);
        if (*phash == NID_undef)
            *phash = OBJ_ln2nid(str);
    }
}
D
Dr. Stephen Henson 已提交
1696 1697
/* Maximum length of a signature algorithm string component */
#define TLS_MAX_SIGSTRING_LEN   40
1698

1699
static int sig_cb(const char *elem, int len, void *arg)
1700 1701 1702
{
    sig_cb_st *sarg = arg;
    size_t i;
D
Dr. Stephen Henson 已提交
1703
    char etmp[TLS_MAX_SIGSTRING_LEN], *p;
1704
    int sig_alg = NID_undef, hash_alg = NID_undef;
1705 1706
    if (elem == NULL)
        return 0;
D
Dr. Stephen Henson 已提交
1707
    if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
1708 1709 1710 1711 1712 1713
        return 0;
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    p = strchr(etmp, '+');
1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733
    /* See if we have a match for TLS 1.3 names */
    if (p == NULL) {
        const SIGALG_LOOKUP *s;

        for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
             i++, s++) {
            if (s->name != NULL && strcmp(etmp, s->name) == 0) {
                sig_alg = s->sig;
                hash_alg = s->hash;
                break;
            }
        }
    } else {
        *p = 0;
        p++;
        if (*p == 0)
            return 0;
        get_sigorhash(&sig_alg, &hash_alg, etmp);
        get_sigorhash(&sig_alg, &hash_alg, p);
    }
1734

1735
    if (sig_alg == NID_undef || (p != NULL && hash_alg == NID_undef))
1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747
        return 0;

    for (i = 0; i < sarg->sigalgcnt; i += 2) {
        if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
            return 0;
    }
    sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
    sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
    return 1;
}

/*
F
FdaSilvaYY 已提交
1748
 * Set supported signature algorithms based on a colon separated list of the
1749 1750
 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
 */
1751
int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
1752 1753 1754 1755 1756 1757 1758 1759 1760 1761
{
    sig_cb_st sig;
    sig.sigalgcnt = 0;
    if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
        return 0;
    if (c == NULL)
        return 1;
    return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}

E
Emilia Kasper 已提交
1762
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
1763
{
1764
    uint16_t *sigalgs, *sptr;
1765
    size_t i;
M
Matt Caswell 已提交
1766

1767 1768
    if (salglen & 1)
        return 0;
1769
    sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs));
1770 1771 1772
    if (sigalgs == NULL)
        return 0;
    for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
M
Matt Caswell 已提交
1773
        size_t j;
1774
        const SIGALG_LOOKUP *curr;
M
Matt Caswell 已提交
1775 1776 1777 1778 1779
        int md_id = *psig_nids++;
        int sig_id = *psig_nids++;

        for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
             j++, curr++) {
1780
            if (curr->hash == md_id && curr->sig == sig_id) {
M
Matt Caswell 已提交
1781 1782 1783 1784
                *sptr++ = curr->sigalg;
                break;
            }
        }
1785

M
Matt Caswell 已提交
1786
        if (j == OSSL_NELEM(sigalg_lookup_tbl))
1787 1788 1789 1790
            goto err;
    }

    if (client) {
R
Rich Salz 已提交
1791
        OPENSSL_free(c->client_sigalgs);
1792
        c->client_sigalgs = sigalgs;
1793
        c->client_sigalgslen = salglen / 2;
1794
    } else {
R
Rich Salz 已提交
1795
        OPENSSL_free(c->conf_sigalgs);
1796
        c->conf_sigalgs = sigalgs;
1797
        c->conf_sigalgslen = salglen / 2;
1798 1799 1800 1801 1802 1803 1804 1805
    }

    return 1;

 err:
    OPENSSL_free(sigalgs);
    return 0;
}
1806

1807
static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
1808 1809 1810 1811 1812 1813 1814 1815 1816
{
    int sig_nid;
    size_t i;
    if (default_nid == -1)
        return 1;
    sig_nid = X509_get_signature_nid(x);
    if (default_nid)
        return sig_nid == default_nid ? 1 : 0;
    for (i = 0; i < c->shared_sigalgslen; i++)
1817
        if (sig_nid == c->shared_sigalgs[i]->sigandhash)
1818 1819 1820 1821
            return 1;
    return 0;
}

1822 1823
/* Check to see if a certificate issuer name matches list of CA names */
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839
{
    X509_NAME *nm;
    int i;
    nm = X509_get_issuer_name(x);
    for (i = 0; i < sk_X509_NAME_num(names); i++) {
        if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
            return 1;
    }
    return 0;
}

/*
 * Check certificate chain is consistent with TLS extensions and is usable by
 * server. This servers two purposes: it allows users to check chains before
 * passing them to the server and it allows the server to check chains before
 * attempting to use them.
1840
 */
1841

F
FdaSilvaYY 已提交
1842
/* Flags which need to be set for a certificate when strict mode not set */
1843

1844
#define CERT_PKEY_VALID_FLAGS \
1845
        (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
1846
/* Strict mode flags */
1847
#define CERT_PKEY_STRICT_FLAGS \
1848 1849
         (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
         | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
1850

1851
int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
1852 1853 1854 1855 1856 1857 1858
                     int idx)
{
    int i;
    int rv = 0;
    int check_flags = 0, strict_mode;
    CERT_PKEY *cpk = NULL;
    CERT *c = s->cert;
1859
    uint32_t *pvalid;
1860 1861 1862 1863 1864 1865
    unsigned int suiteb_flags = tls1_suiteb(s);
    /* idx == -1 means checking server chains */
    if (idx != -1) {
        /* idx == -2 means checking client certificate chains */
        if (idx == -2) {
            cpk = c->key;
1866
            idx = (int)(cpk - c->pkeys);
1867 1868
        } else
            cpk = c->pkeys + idx;
1869
        pvalid = s->s3->tmp.valid_flags + idx;
1870 1871 1872 1873 1874 1875 1876 1877
        x = cpk->x509;
        pk = cpk->privatekey;
        chain = cpk->chain;
        strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
        /* If no cert or key, forget it */
        if (!x || !pk)
            goto end;
    } else {
1878 1879
        size_t certidx;

1880
        if (!x || !pk)
M
Matt Caswell 已提交
1881
            return 0;
1882 1883

        if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
M
Matt Caswell 已提交
1884
            return 0;
1885
        idx = certidx;
1886 1887
        pvalid = s->s3->tmp.valid_flags + idx;

1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911
        if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
            check_flags = CERT_PKEY_STRICT_FLAGS;
        else
            check_flags = CERT_PKEY_VALID_FLAGS;
        strict_mode = 1;
    }

    if (suiteb_flags) {
        int ok;
        if (check_flags)
            check_flags |= CERT_PKEY_SUITEB;
        ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
        if (ok == X509_V_OK)
            rv |= CERT_PKEY_SUITEB;
        else if (!check_flags)
            goto end;
    }

    /*
     * Check all signature algorithms are consistent with signature
     * algorithms extension if TLS 1.2 or later and strict mode.
     */
    if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
        int default_nid;
1912
        int rsign = 0;
D
Dr. Stephen Henson 已提交
1913
        if (s->s3->tmp.peer_sigalgs)
1914 1915 1916 1917
            default_nid = 0;
        /* If no sigalgs extension use defaults from RFC5246 */
        else {
            switch (idx) {
1918
            case SSL_PKEY_RSA:
1919
                rsign = EVP_PKEY_RSA;
1920 1921 1922 1923
                default_nid = NID_sha1WithRSAEncryption;
                break;

            case SSL_PKEY_DSA_SIGN:
1924
                rsign = EVP_PKEY_DSA;
1925 1926 1927 1928
                default_nid = NID_dsaWithSHA1;
                break;

            case SSL_PKEY_ECC:
1929
                rsign = EVP_PKEY_EC;
1930 1931 1932
                default_nid = NID_ecdsa_with_SHA1;
                break;

1933
            case SSL_PKEY_GOST01:
1934
                rsign = NID_id_GostR3410_2001;
1935 1936 1937 1938
                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
                break;

            case SSL_PKEY_GOST12_256:
1939
                rsign = NID_id_GostR3410_2012_256;
1940 1941 1942 1943
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
                break;

            case SSL_PKEY_GOST12_512:
1944
                rsign = NID_id_GostR3410_2012_512;
1945 1946 1947
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
                break;

1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958
            default:
                default_nid = -1;
                break;
            }
        }
        /*
         * If peer sent no signature algorithms extension and we have set
         * preferred signature algorithms check we support sha1.
         */
        if (default_nid > 0 && c->conf_sigalgs) {
            size_t j;
1959
            const uint16_t *p = c->conf_sigalgs;
1960
            for (j = 0; j < c->conf_sigalgslen; j++, p++) {
D
Dr. Stephen Henson 已提交
1961 1962 1963
                const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);

                if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994
                    break;
            }
            if (j == c->conf_sigalgslen) {
                if (check_flags)
                    goto skip_sigs;
                else
                    goto end;
            }
        }
        /* Check signature algorithm of each cert in chain */
        if (!tls1_check_sig_alg(c, x, default_nid)) {
            if (!check_flags)
                goto end;
        } else
            rv |= CERT_PKEY_EE_SIGNATURE;
        rv |= CERT_PKEY_CA_SIGNATURE;
        for (i = 0; i < sk_X509_num(chain); i++) {
            if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_SIGNATURE;
                    break;
                } else
                    goto end;
            }
        }
    }
    /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
    else if (check_flags)
        rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
 skip_sigs:
    /* Check cert parameters are consistent */
1995
    if (tls1_check_cert_param(s, x, 1))
1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
        rv |= CERT_PKEY_EE_PARAM;
    else if (!check_flags)
        goto end;
    if (!s->server)
        rv |= CERT_PKEY_CA_PARAM;
    /* In strict mode check rest of chain too */
    else if (strict_mode) {
        rv |= CERT_PKEY_CA_PARAM;
        for (i = 0; i < sk_X509_num(chain); i++) {
            X509 *ca = sk_X509_value(chain, i);
            if (!tls1_check_cert_param(s, ca, 0)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_PARAM;
                    break;
                } else
                    goto end;
            }
        }
    }
    if (!s->server && strict_mode) {
        STACK_OF(X509_NAME) *ca_dn;
        int check_type = 0;
D
Dr. Stephen Henson 已提交
2018
        switch (EVP_PKEY_id(pk)) {
2019 2020 2021 2022 2023 2024 2025 2026 2027 2028 2029
        case EVP_PKEY_RSA:
            check_type = TLS_CT_RSA_SIGN;
            break;
        case EVP_PKEY_DSA:
            check_type = TLS_CT_DSS_SIGN;
            break;
        case EVP_PKEY_EC:
            check_type = TLS_CT_ECDSA_SIGN;
            break;
        }
        if (check_type) {
2030 2031 2032 2033 2034
            const uint8_t *ctypes = s->s3->tmp.ctype;
            size_t j;

            for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
                if (*ctypes == check_type) {
2035 2036 2037 2038 2039 2040
                    rv |= CERT_PKEY_CERT_TYPE;
                    break;
                }
            }
            if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
                goto end;
2041
        } else {
2042
            rv |= CERT_PKEY_CERT_TYPE;
2043
        }
2044

2045
        ca_dn = s->s3->tmp.peer_ca_names;
2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072

        if (!sk_X509_NAME_num(ca_dn))
            rv |= CERT_PKEY_ISSUER_NAME;

        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
            if (ssl_check_ca_name(ca_dn, x))
                rv |= CERT_PKEY_ISSUER_NAME;
        }
        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
            for (i = 0; i < sk_X509_num(chain); i++) {
                X509 *xtmp = sk_X509_value(chain, i);
                if (ssl_check_ca_name(ca_dn, xtmp)) {
                    rv |= CERT_PKEY_ISSUER_NAME;
                    break;
                }
            }
        }
        if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
            goto end;
    } else
        rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;

    if (!check_flags || (rv & check_flags) == check_flags)
        rv |= CERT_PKEY_VALID;

 end:

D
Dr. Stephen Henson 已提交
2073 2074 2075
    if (TLS1_get_version(s) >= TLS1_2_VERSION)
        rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
    else
2076 2077 2078 2079 2080 2081 2082
        rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;

    /*
     * When checking a CERT_PKEY structure all flags are irrelevant if the
     * chain is invalid.
     */
    if (!check_flags) {
D
Dr. Stephen Henson 已提交
2083
        if (rv & CERT_PKEY_VALID) {
2084
            *pvalid = rv;
D
Dr. Stephen Henson 已提交
2085 2086 2087
        } else {
            /* Preserve sign and explicit sign flag, clear rest */
            *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
2088 2089 2090 2091 2092
            return 0;
        }
    }
    return rv;
}
2093 2094 2095

/* Set validity of certificates in an SSL structure */
void tls1_set_cert_validity(SSL *s)
2096
{
2097
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
2098
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
M
Matt Caswell 已提交
2099 2100
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
2101 2102 2103
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
2104
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
2105 2106
}

F
FdaSilvaYY 已提交
2107
/* User level utility function to check a chain is suitable */
2108
int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
2109 2110 2111
{
    return tls1_check_chain(s, x, pk, chain, -1);
}
2112

D
Dr. Stephen Henson 已提交
2113 2114
#ifndef OPENSSL_NO_DH
DH *ssl_get_auto_dh(SSL *s)
2115 2116 2117 2118
{
    int dh_secbits = 80;
    if (s->cert->dh_tmp_auto == 2)
        return DH_get_1024_160();
2119
    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
2120 2121 2122 2123 2124
        if (s->s3->tmp.new_cipher->strength_bits == 256)
            dh_secbits = 128;
        else
            dh_secbits = 80;
    } else {
2125
        if (s->s3->tmp.cert == NULL)
D
Dr. Stephen Henson 已提交
2126
            return NULL;
2127
        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
2128 2129 2130 2131
    }

    if (dh_secbits >= 128) {
        DH *dhp = DH_new();
M
Matt Caswell 已提交
2132
        BIGNUM *p, *g;
2133
        if (dhp == NULL)
2134
            return NULL;
M
Matt Caswell 已提交
2135 2136 2137
        g = BN_new();
        if (g != NULL)
            BN_set_word(g, 2);
2138
        if (dh_secbits >= 192)
R
Rich Salz 已提交
2139
            p = BN_get_rfc3526_prime_8192(NULL);
2140
        else
R
Rich Salz 已提交
2141
            p = BN_get_rfc3526_prime_3072(NULL);
M
Matt Caswell 已提交
2142
        if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
2143
            DH_free(dhp);
M
Matt Caswell 已提交
2144 2145
            BN_free(p);
            BN_free(g);
2146 2147 2148 2149 2150 2151 2152 2153
            return NULL;
        }
        return dhp;
    }
    if (dh_secbits >= 112)
        return DH_get_2048_224();
    return DH_get_1024_160();
}
D
Dr. Stephen Henson 已提交
2154
#endif
D
Dr. Stephen Henson 已提交
2155 2156

static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2157
{
2158
    int secbits = -1;
2159
    EVP_PKEY *pkey = X509_get0_pubkey(x);
2160
    if (pkey) {
2161 2162 2163 2164 2165 2166
        /*
         * If no parameters this will return -1 and fail using the default
         * security callback for any non-zero security level. This will
         * reject keys which omit parameters but this only affects DSA and
         * omission of parameters is never (?) done in practice.
         */
2167
        secbits = EVP_PKEY_security_bits(pkey);
2168
    }
2169 2170 2171 2172 2173
    if (s)
        return ssl_security(s, op, secbits, 0, x);
    else
        return ssl_ctx_security(ctx, op, secbits, 0, x);
}
D
Dr. Stephen Henson 已提交
2174 2175

static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2176 2177
{
    /* Lookup signature algorithm digest */
2178
    int secbits, nid, pknid;
2179 2180 2181
    /* Don't check signature if self signed */
    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
        return 1;
2182 2183 2184 2185 2186
    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
        secbits = -1;
    /* If digest NID not defined use signature NID */
    if (nid == NID_undef)
        nid = pknid;
2187
    if (s)
2188
        return ssl_security(s, op, secbits, nid, x);
2189
    else
2190
        return ssl_ctx_security(ctx, op, secbits, nid, x);
2191
}
D
Dr. Stephen Henson 已提交
2192 2193

int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209
{
    if (vfy)
        vfy = SSL_SECOP_PEER;
    if (is_ee) {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
            return SSL_R_EE_KEY_TOO_SMALL;
    } else {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
            return SSL_R_CA_KEY_TOO_SMALL;
    }
    if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
        return SSL_R_CA_MD_TOO_WEAK;
    return 1;
}

/*
F
FdaSilvaYY 已提交
2210 2211
 * Check security of a chain, if |sk| includes the end entity certificate then
 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
2212
 * one to the peer. Return values: 1 if ok otherwise error code to use
D
Dr. Stephen Henson 已提交
2213 2214 2215
 */

int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235
{
    int rv, start_idx, i;
    if (x == NULL) {
        x = sk_X509_value(sk, 0);
        start_idx = 1;
    } else
        start_idx = 0;

    rv = ssl_security_cert(s, NULL, x, vfy, 1);
    if (rv != 1)
        return rv;

    for (i = start_idx; i < sk_X509_num(sk); i++) {
        x = sk_X509_value(sk, i);
        rv = ssl_security_cert(s, NULL, x, vfy, 0);
        if (rv != 1)
            return rv;
    }
    return 1;
}
2236

2237 2238
/*
 * For TLS 1.2 servers check if we have a certificate which can be used
2239
 * with the signature algorithm "lu" and return index of certificate.
2240 2241
 */

2242
static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
2243
{
2244 2245
    int sig_idx = lu->sig_idx;
    const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
2246 2247 2248

    /* If not recognised or not supported by cipher mask it is not suitable */
    if (clu == NULL || !(clu->amask & s->s3->tmp.new_cipher->algorithm_auth))
2249 2250 2251 2252 2253
        return -1;

    /* If PSS and we have no PSS cert use RSA */
    if (sig_idx == SSL_PKEY_RSA_PSS_SIGN && !ssl_has_cert(s, sig_idx))
        sig_idx = SSL_PKEY_RSA;
2254

2255
    return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
2256 2257
}

2258 2259
/*
 * Choose an appropriate signature algorithm based on available certificates
2260 2261 2262 2263 2264 2265 2266 2267
 * Sets chosen certificate and signature algorithm.
 *
 * For servers if we fail to find a required certificate it is a fatal error
 * and an appropriate error code is set and the TLS alert set in *al.
 *
 * For clients al is set to NULL. If a certificate is not suitable it is not
 * a fatal error: we will either try another certificate or not present one
 * to the server. In this case no error is set.
2268
 */
2269
int tls_choose_sigalg(SSL *s, int *al)
2270
{
2271
    const SIGALG_LOOKUP *lu = NULL;
2272
    int sig_idx = -1;
2273

2274 2275 2276
    s->s3->tmp.cert = NULL;
    s->s3->tmp.sigalg = NULL;

2277 2278
    if (SSL_IS_TLS13(s)) {
        size_t i;
R
Richard Levitte 已提交
2279
#ifndef OPENSSL_NO_EC
2280
        int curve = -1, skip_ec = 0;
R
Richard Levitte 已提交
2281
#endif
2282

F
FdaSilvaYY 已提交
2283
        /* Look for a certificate matching shared sigalgs */
2284
        for (i = 0; i < s->cert->shared_sigalgslen; i++) {
2285
            lu = s->cert->shared_sigalgs[i];
2286

2287 2288 2289 2290
            /* Skip SHA1, SHA224, DSA and RSA if not PSS */
            if (lu->hash == NID_sha1
                || lu->hash == NID_sha224
                || lu->sig == EVP_PKEY_DSA
2291
                || lu->sig == EVP_PKEY_RSA)
2292
                continue;
2293
            if (!tls1_lookup_md(lu, NULL))
2294
                continue;
2295 2296 2297
            if (!ssl_has_cert(s, lu->sig_idx)) {
                if (lu->sig_idx != SSL_PKEY_RSA_PSS_SIGN
                        || !ssl_has_cert(s, SSL_PKEY_RSA))
2298
                    continue;
P
Patrick Steuer 已提交
2299
                sig_idx = SSL_PKEY_RSA;
2300
            }
2301
            if (lu->sig == EVP_PKEY_EC) {
R
Richard Levitte 已提交
2302
#ifndef OPENSSL_NO_EC
2303
                if (curve == -1) {
2304
                    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
2305 2306

                    curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
2307 2308 2309
                    if (EC_KEY_get_conv_form(ec)
                        != POINT_CONVERSION_UNCOMPRESSED)
                        skip_ec = 1;
2310
                }
2311
                if (skip_ec || (lu->curve != NID_undef && curve != lu->curve))
2312
                    continue;
R
Richard Levitte 已提交
2313 2314 2315
#else
                continue;
#endif
2316
            }
2317 2318 2319
            break;
        }
        if (i == s->cert->shared_sigalgslen) {
2320 2321
            if (al == NULL)
                return 1;
2322 2323 2324 2325 2326 2327
            *al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CHOOSE_SIGALG,
                   SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
            return 0;
        }
    } else {
2328 2329 2330 2331
        /* If ciphersuite doesn't require a cert nothing to do */
        if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
            return 1;
        if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
2332
                return 1;
2333 2334 2335 2336

        if (SSL_USE_SIGALGS(s)) {
            if (s->s3->tmp.peer_sigalgs != NULL) {
                size_t i;
2337 2338 2339 2340 2341
#ifndef OPENSSL_NO_EC
                int curve;

                /* For Suite B need to match signature algorithm to curve */
                if (tls1_suiteb(s)) {
2342
                    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
2343 2344 2345 2346 2347
                    curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
                } else {
                    curve = -1;
                }
#endif
2348 2349 2350 2351 2352 2353 2354

                /*
                 * Find highest preference signature algorithm matching
                 * cert type
                 */
                for (i = 0; i < s->cert->shared_sigalgslen; i++) {
                    lu = s->cert->shared_sigalgs[i];
2355 2356

                    if (s->server) {
2357
                        if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
2358
                            continue;
2359 2360 2361 2362 2363 2364 2365 2366 2367 2368
                    } else {
                        int cc_idx = s->cert->key - s->cert->pkeys;

                        sig_idx = lu->sig_idx;
                        if (cc_idx != sig_idx) {
                            if (sig_idx != SSL_PKEY_RSA_PSS_SIGN
                                || cc_idx != SSL_PKEY_RSA)
                                continue;
                            sig_idx = SSL_PKEY_RSA;
                        }
D
Dr. Stephen Henson 已提交
2369
                    }
2370 2371
#ifndef OPENSSL_NO_EC
                    if (curve == -1 || lu->curve == curve)
2372
#endif
2373 2374 2375
                        break;
                }
                if (i == s->cert->shared_sigalgslen) {
2376 2377
                    if (al == NULL)
                        return 1;
2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388
                    *al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
                    return 0;
                }
            } else {
                /*
                 * If we have no sigalg use defaults
                 */
                const uint16_t *sent_sigs;
                size_t sent_sigslen, i;

2389
                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
2390 2391
                    if (al == NULL)
                        return 1;
2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403
                    *al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
                    return 0;
                }

                /* Check signature matches a type we sent */
                sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
                for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
                    if (lu->sigalg == *sent_sigs)
                        break;
                }
                if (i == sent_sigslen) {
2404 2405
                    if (al == NULL)
                        return 1;
2406
                    SSLerr(SSL_F_TLS_CHOOSE_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
2407
                    *al = SSL_AD_ILLEGAL_PARAMETER;
2408 2409 2410 2411
                    return 0;
                }
            }
        } else {
2412
            if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
2413 2414
                if (al == NULL)
                    return 1;
2415 2416 2417 2418 2419
                *al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
                return 0;
            }
        }
2420
    }
2421 2422 2423
    if (sig_idx == -1)
        sig_idx = lu->sig_idx;
    s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
2424
    s->cert->key = s->s3->tmp.cert;
2425
    s->s3->tmp.sigalg = lu;
2426 2427
    return 1;
}