t1_lib.c 75.3 KB
Newer Older
R
Rich Salz 已提交
1
/*
2
 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8
 */
9 10

#include <stdio.h>
E
Emilia Kasper 已提交
11
#include <stdlib.h>
12
#include <openssl/objects.h>
13 14
#include <openssl/evp.h>
#include <openssl/hmac.h>
15
#include <openssl/ocsp.h>
16 17
#include <openssl/conf.h>
#include <openssl/x509v3.h>
R
Rich Salz 已提交
18 19
#include <openssl/dh.h>
#include <openssl/bn.h>
20
#include "internal/nelem.h"
21
#include "ssl_locl.h"
R
Rich Salz 已提交
22
#include <openssl/ct.h>
23

24 25 26 27 28 29 30 31 32 33 34 35
SSL3_ENC_METHOD const TLSv1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    0,
M
Matt Caswell 已提交
36
    ssl3_set_handshake_header,
37
    tls_close_construct_packet,
38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV,
M
Matt Caswell 已提交
53
    ssl3_set_handshake_header,
54
    tls_close_construct_packet,
55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
    ssl3_handshake_write
};

SSL3_ENC_METHOD const TLSv1_2_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
        | SSL_ENC_FLAG_TLS1_2_CIPHERS,
M
Matt Caswell 已提交
71
    ssl3_set_handshake_header,
72
    tls_close_construct_packet,
73 74
    ssl3_handshake_write
};
75

76
SSL3_ENC_METHOD const TLSv1_3_enc_data = {
M
Matt Caswell 已提交
77
    tls13_enc,
78
    tls1_mac,
79 80 81 82
    tls13_setup_key_block,
    tls13_generate_master_secret,
    tls13_change_cipher_state,
    tls13_final_finish_mac,
83 84
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
85
    tls13_alert_code,
86
    tls13_export_keying_material,
M
Matt Caswell 已提交
87
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
88 89 90 91 92
    ssl3_set_handshake_header,
    tls_close_construct_packet,
    ssl3_handshake_write
};

93
long tls1_default_timeout(void)
94 95 96 97 98 99 100
{
    /*
     * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
     * http, the cache would over fill
     */
    return (60 * 60 * 2);
}
101

U
Ulf Möller 已提交
102
int tls1_new(SSL *s)
103 104
{
    if (!ssl3_new(s))
105 106 107 108 109
        return 0;
    if (!s->method->ssl_clear(s))
        return 0;

    return 1;
110
}
111

U
Ulf Möller 已提交
112
void tls1_free(SSL *s)
113
{
R
Rich Salz 已提交
114
    OPENSSL_free(s->ext.session_ticket);
115 116
    ssl3_free(s);
}
117

118
int tls1_clear(SSL *s)
119
{
120 121 122
    if (!ssl3_clear(s))
        return 0;

123 124 125 126
    if (s->method->version == TLS_ANY_VERSION)
        s->version = TLS_MAX_VERSION;
    else
        s->version = s->method->version;
127 128

    return 1;
129
}
130

131
#ifndef OPENSSL_NO_EC
132

133 134
/*
 * Table of curve information.
R
Rich Salz 已提交
135
 * Do not delete entries or reorder this array! It is used as a lookup
136 137
 * table: the index of each entry is one less than the TLS curve id.
 */
138
static const TLS_GROUP_INFO nid_list[] = {
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166
    {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
    {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
    {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
    {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
    {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
    {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
    {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
    {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
    {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
    {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
    {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
    {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
    {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
    {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
    {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
    {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
    {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
    {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
    {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
    {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
    {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
    {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
    {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
    {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
    {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
    {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
    {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
    {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
167
    {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
168 169 170 171 172 173 174 175
};

static const unsigned char ecformats_default[] = {
    TLSEXT_ECPOINTFORMAT_uncompressed,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
};

176
/* The default curves */
D
Dr. Stephen Henson 已提交
177 178 179 180 181
static const uint16_t eccurves_default[] = {
    29,                      /* X25519 (29) */
    23,                      /* secp256r1 (23) */
    25,                      /* secp521r1 (25) */
    24,                      /* secp384r1 (24) */
182 183
};

D
Dr. Stephen Henson 已提交
184 185 186
static const uint16_t suiteb_curves[] = {
    TLSEXT_curve_P_256,
    TLSEXT_curve_P_384
187
};
188

189
const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
190 191
{
    /* ECC curves from RFC 4492 and RFC 7027 */
192
    if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
193
        return NULL;
194
    return &nid_list[group_id - 1];
195
}
196

197
static uint16_t tls1_nid2group_id(int nid)
198
{
199 200 201
    size_t i;
    for (i = 0; i < OSSL_NELEM(nid_list); i++) {
        if (nid_list[i].nid == nid)
D
Dr. Stephen Henson 已提交
202
            return i + 1;
203
    }
204
    return 0;
205 206
}

207
/*
208 209
 * Set *pgroups to the supported groups list and *pgroupslen to
 * the number of groups supported.
210
 */
211 212
void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
                               size_t *pgroupslen)
213
{
214

D
Dr. Stephen Henson 已提交
215 216 217
    /* For Suite B mode only include P-256, P-384 */
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
218 219
        *pgroups = suiteb_curves;
        *pgroupslen = OSSL_NELEM(suiteb_curves);
D
Dr. Stephen Henson 已提交
220 221 222
        break;

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
223 224
        *pgroups = suiteb_curves;
        *pgroupslen = 1;
D
Dr. Stephen Henson 已提交
225 226 227
        break;

    case SSL_CERT_FLAG_SUITEB_192_LOS:
228 229
        *pgroups = suiteb_curves + 1;
        *pgroupslen = 1;
D
Dr. Stephen Henson 已提交
230 231 232 233
        break;

    default:
        if (s->ext.supportedgroups == NULL) {
234 235
            *pgroups = eccurves_default;
            *pgroupslen = OSSL_NELEM(eccurves_default);
D
Dr. Stephen Henson 已提交
236
        } else {
237 238
            *pgroups = s->ext.supportedgroups;
            *pgroupslen = s->ext.supportedgroups_len;
239
        }
D
Dr. Stephen Henson 已提交
240
        break;
241 242
    }
}
D
Dr. Stephen Henson 已提交
243 244

/* See if curve is allowed by security callback */
D
Dr. Stephen Henson 已提交
245
int tls_curve_allowed(SSL *s, uint16_t curve, int op)
246
{
247
    const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
D
Dr. Stephen Henson 已提交
248
    unsigned char ctmp[2];
249 250

    if (cinfo == NULL)
251 252 253 254 255
        return 0;
# ifdef OPENSSL_NO_EC2M
    if (cinfo->flags & TLS_CURVE_CHAR2)
        return 0;
# endif
D
Dr. Stephen Henson 已提交
256 257 258
    ctmp[0] = curve >> 8;
    ctmp[1] = curve & 0xff;
    return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
259
}
D
Dr. Stephen Henson 已提交
260

261 262 263 264 265 266 267 268 269 270
/* Return 1 if "id" is in "list" */
static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
{
    size_t i;
    for (i = 0; i < listlen; i++)
        if (list[i] == id)
            return 1;
    return 0;
}

271
/*-
272
 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
273 274
 * if there is no match.
 * For nmatch == -1, return number of matches
275
 * For nmatch == -2, return the id of the group to use for
276
 * a tmp key, or 0 if there is no match.
277
 */
278
uint16_t tls1_shared_group(SSL *s, int nmatch)
279
{
D
Dr. Stephen Henson 已提交
280
    const uint16_t *pref, *supp;
281
    size_t num_pref, num_supp, i;
282
    int k;
283

284 285
    /* Can't do anything on client side */
    if (s->server == 0)
286
        return 0;
287 288 289 290 291 292 293
    if (nmatch == -2) {
        if (tls1_suiteb(s)) {
            /*
             * For Suite B ciphersuite determines curve: we already know
             * these are acceptable due to previous checks.
             */
            unsigned long cid = s->s3->tmp.new_cipher->id;
294

295
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
296
                return TLSEXT_curve_P_256;
297
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
298
                return TLSEXT_curve_P_384;
299
            /* Should never happen */
300
            return 0;
301 302 303 304 305
        }
        /* If not Suite B just return first preference shared curve */
        nmatch = 0;
    }
    /*
306 307
     * If server preference set, our groups are the preference order
     * otherwise peer decides.
308
     */
309 310 311 312 313 314 315
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
        tls1_get_supported_groups(s, &pref, &num_pref);
        tls1_get_peer_groups(s, &supp, &num_supp);
    } else {
        tls1_get_peer_groups(s, &pref, &num_pref);
        tls1_get_supported_groups(s, &supp, &num_supp);
    }
316

D
Dr. Stephen Henson 已提交
317 318
    for (k = 0, i = 0; i < num_pref; i++) {
        uint16_t id = pref[i];
319

320 321
        if (!tls1_in_list(id, supp, num_supp)
            || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
322
                    continue;
323 324 325
        if (nmatch == k)
            return id;
         k++;
326 327 328 329
    }
    if (nmatch == -1)
        return k;
    /* Out of range (nmatch > k). */
330
    return 0;
331
}
332

D
Dr. Stephen Henson 已提交
333
int tls1_set_groups(uint16_t **pext, size_t *pextlen,
334
                    int *groups, size_t ngroups)
335
{
D
Dr. Stephen Henson 已提交
336
    uint16_t *glist;
337 338
    size_t i;
    /*
339
     * Bitmap of groups included to detect duplicates: only works while group
340 341 342
     * ids < 32
     */
    unsigned long dup_list = 0;
D
Dr. Stephen Henson 已提交
343
    glist = OPENSSL_malloc(ngroups * sizeof(*glist));
344
    if (glist == NULL)
345
        return 0;
D
Dr. Stephen Henson 已提交
346
    for (i = 0; i < ngroups; i++) {
347
        unsigned long idmask;
D
Dr. Stephen Henson 已提交
348
        uint16_t id;
349
        /* TODO(TLS1.3): Convert for DH groups */
350
        id = tls1_nid2group_id(groups[i]);
351 352
        idmask = 1L << id;
        if (!id || (dup_list & idmask)) {
353
            OPENSSL_free(glist);
354 355 356
            return 0;
        }
        dup_list |= idmask;
D
Dr. Stephen Henson 已提交
357
        glist[i] = id;
358
    }
R
Rich Salz 已提交
359
    OPENSSL_free(*pext);
360
    *pext = glist;
D
Dr. Stephen Henson 已提交
361
    *pextlen = ngroups;
362 363 364 365 366 367 368 369 370
    return 1;
}

# define MAX_CURVELIST   28

typedef struct {
    size_t nidcnt;
    int nid_arr[MAX_CURVELIST];
} nid_cb_st;
371 372

static int nid_cb(const char *elem, int len, void *arg)
373 374 375 376 377
{
    nid_cb_st *narg = arg;
    size_t i;
    int nid;
    char etmp[20];
378 379
    if (elem == NULL)
        return 0;
380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399
    if (narg->nidcnt == MAX_CURVELIST)
        return 0;
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    nid = EC_curve_nist2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_sn2nid(etmp);
    if (nid == NID_undef)
        nid = OBJ_ln2nid(etmp);
    if (nid == NID_undef)
        return 0;
    for (i = 0; i < narg->nidcnt; i++)
        if (narg->nid_arr[i] == nid)
            return 0;
    narg->nid_arr[narg->nidcnt++] = nid;
    return 1;
}

400
/* Set groups based on a colon separate list */
D
Dr. Stephen Henson 已提交
401
int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
402 403 404 405 406 407 408
{
    nid_cb_st ncb;
    ncb.nidcnt = 0;
    if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
        return 0;
    if (pext == NULL)
        return 1;
409
    return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
410
}
411 412
/* Return group id of a key */
static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
413
{
414
    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
415
    const EC_GROUP *grp;
416 417

    if (ec == NULL)
418 419
        return 0;
    grp = EC_KEY_get0_group(ec);
420
    return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
421 422
}

423 424
/* Check a key is compatible with compression extension */
static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
425
{
426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447
    const EC_KEY *ec;
    const EC_GROUP *grp;
    unsigned char comp_id;
    size_t i;

    /* If not an EC key nothing to check */
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
        return 1;
    ec = EVP_PKEY_get0_EC_KEY(pkey);
    grp = EC_KEY_get0_group(ec);

    /* Get required compression id */
    if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
            comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
    } else if (SSL_IS_TLS13(s)) {
            /* Compression not allowed in TLS 1.3 */
            return 0;
    } else {
        int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));

        if (field_type == NID_X9_62_prime_field)
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
K
KaoruToda 已提交
448
        else if (field_type == NID_X9_62_characteristic_two_field)
449 450 451 452
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
        else
            return 0;
    }
453 454 455 456
    /*
     * If point formats extension present check it, otherwise everything is
     * supported (see RFC4492).
     */
457
    if (s->session->ext.ecpointformats == NULL)
458
        return 1;
459 460 461 462 463 464 465

    for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
        if (s->session->ext.ecpointformats[i] == comp_id)
            return 1;
    }
    return 0;
}
466

467
/* Check a group id matches preferences */
468
int tls1_check_group_id(SSL *s, uint16_t group_id)
469 470
    {
    const uint16_t *groups;
471
    size_t groups_len;
472 473 474 475

    if (group_id == 0)
        return 0;

476 477 478 479 480 481 482 483 484 485 486 487 488 489 490
    /* Check for Suite B compliance */
    if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
        unsigned long cid = s->s3->tmp.new_cipher->id;

        if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
            if (group_id != TLSEXT_curve_P_256)
                return 0;
        } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
            if (group_id != TLSEXT_curve_P_384)
                return 0;
        } else {
            /* Should never happen */
            return 0;
        }
    }
491

492
    /* Check group is one of our preferences */
493
    tls1_get_supported_groups(s, &groups, &groups_len);
494
    if (!tls1_in_list(group_id, groups, groups_len))
495 496
        return 0;

497 498 499
    if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
        return 0;

500 501 502 503 504
    /* For clients, nothing more to check */
    if (!s->server)
        return 1;

    /* Check group is one of peers preferences */
505
    tls1_get_peer_groups(s, &groups, &groups_len);
506 507 508 509 510 511 512 513 514

    /*
     * RFC 4492 does not require the supported elliptic curves extension
     * so if it is not sent we can just choose any curve.
     * It is invalid to send an empty list in the supported groups
     * extension, so groups_len == 0 always means no extension.
     */
    if (groups_len == 0)
            return 1;
515
    return tls1_in_list(group_id, groups, groups_len);
516
}
517

518 519
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
                         size_t *num_formats)
520 521 522 523
{
    /*
     * If we have a custom point format list use it otherwise use default
     */
R
Rich Salz 已提交
524 525 526
    if (s->ext.ecpointformats) {
        *pformats = s->ext.ecpointformats;
        *num_formats = s->ext.ecpointformats_len;
527 528 529 530 531 532 533 534 535 536 537 538 539
    } else {
        *pformats = ecformats_default;
        /* For Suite B we don't support char2 fields */
        if (tls1_suiteb(s))
            *num_formats = sizeof(ecformats_default) - 1;
        else
            *num_formats = sizeof(ecformats_default);
    }
}

/*
 * Check cert parameters compatible with extensions: currently just checks EC
 * certificates have compatible curves and compression.
540
 */
541
static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
542
{
543
    uint16_t group_id;
544
    EVP_PKEY *pkey;
545
    pkey = X509_get0_pubkey(x);
546
    if (pkey == NULL)
547 548
        return 0;
    /* If not EC nothing to do */
D
Dr. Stephen Henson 已提交
549
    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
550
        return 1;
551 552
    /* Check compression */
    if (!tls1_check_pkey_comp(s, pkey))
553
        return 0;
554 555
    group_id = tls1_get_group_id(pkey);
    if (!tls1_check_group_id(s, group_id))
556 557 558
        return 0;
    /*
     * Special case for suite B. We *MUST* sign using SHA256+P-256 or
559
     * SHA384+P-384.
560
     */
561
    if (check_ee_md && tls1_suiteb(s)) {
562 563 564
        int check_md;
        size_t i;
        CERT *c = s->cert;
D
Dr. Stephen Henson 已提交
565

566
        /* Check to see we have necessary signing algorithm */
567
        if (group_id == TLSEXT_curve_P_256)
568
            check_md = NID_ecdsa_with_SHA256;
569
        else if (group_id == TLSEXT_curve_P_384)
570 571 572
            check_md = NID_ecdsa_with_SHA384;
        else
            return 0;           /* Should never happen */
573
        for (i = 0; i < c->shared_sigalgslen; i++) {
574
            if (check_md == c->shared_sigalgs[i]->sigandhash)
575 576 577
                return 1;;
        }
        return 0;
578
    }
579
    return 1;
580 581
}

582
/*
F
FdaSilvaYY 已提交
583
 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
584 585 586 587 588 589 590 591
 * @s: SSL connection
 * @cid: Cipher ID we're considering using
 *
 * Checks that the kECDHE cipher suite we're considering using
 * is compatible with the client extensions.
 *
 * Returns 0 when the cipher can't be used or 1 when it can.
 */
592
int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
593
{
594 595 596
    /* If not Suite B just need a shared group */
    if (!tls1_suiteb(s))
        return tls1_shared_group(s, 0) != 0;
597 598 599 600
    /*
     * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
     * curves permitted.
     */
601 602 603 604 605 606
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
        return tls1_check_group_id(s, TLSEXT_curve_P_256);
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
        return tls1_check_group_id(s, TLSEXT_curve_P_384);

    return 0;
607
}
608

609 610 611
#else

static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
612 613 614
{
    return 1;
}
615

616
#endif                          /* OPENSSL_NO_EC */
617

618
/* Default sigalg schemes */
619
static const uint16_t tls12_sigalgs[] = {
620 621 622 623
#ifndef OPENSSL_NO_EC
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
624
    TLSEXT_SIGALG_ed25519,
625
#endif
626

627 628 629 630
    TLSEXT_SIGALG_rsa_pss_sha256,
    TLSEXT_SIGALG_rsa_pss_sha384,
    TLSEXT_SIGALG_rsa_pss_sha512,

631 632 633
    TLSEXT_SIGALG_rsa_pkcs1_sha256,
    TLSEXT_SIGALG_rsa_pkcs1_sha384,
    TLSEXT_SIGALG_rsa_pkcs1_sha512,
634

635
#ifndef OPENSSL_NO_EC
636
    TLSEXT_SIGALG_ecdsa_sha224,
M
Matt Caswell 已提交
637
    TLSEXT_SIGALG_ecdsa_sha1,
638
#endif
639
    TLSEXT_SIGALG_rsa_pkcs1_sha224,
M
Matt Caswell 已提交
640
    TLSEXT_SIGALG_rsa_pkcs1_sha1,
641
#ifndef OPENSSL_NO_DSA
642
    TLSEXT_SIGALG_dsa_sha224,
M
Matt Caswell 已提交
643 644
    TLSEXT_SIGALG_dsa_sha1,

645 646 647
    TLSEXT_SIGALG_dsa_sha256,
    TLSEXT_SIGALG_dsa_sha384,
    TLSEXT_SIGALG_dsa_sha512
648
#endif
649
};
650

651
#ifndef OPENSSL_NO_EC
652
static const uint16_t suiteb_sigalgs[] = {
653 654
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384
655
};
656
#endif
R
Rich Salz 已提交
657

658
static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
659
#ifndef OPENSSL_NO_EC
660
    {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
661 662
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
663
    {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
664 665
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA384, NID_secp384r1},
666
    {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
667 668
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA512, NID_secp521r1},
669
    {"ed25519", TLSEXT_SIGALG_ed25519,
670
     NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
671
     NID_undef, NID_undef},
672 673 674
    {NULL, TLSEXT_SIGALG_ecdsa_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA224, NID_undef},
675
    {NULL, TLSEXT_SIGALG_ecdsa_sha1,
676 677
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
     NID_ecdsa_with_SHA1, NID_undef},
678
#endif
679
    {"rsa_pss_sha256", TLSEXT_SIGALG_rsa_pss_sha256,
680 681
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
682
    {"rsa_pss_sha384", TLSEXT_SIGALG_rsa_pss_sha384,
683 684
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
685
    {"rsa_pss_sha512", TLSEXT_SIGALG_rsa_pss_sha512,
686 687
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
     NID_undef, NID_undef},
688
    {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
689
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
690
     NID_sha256WithRSAEncryption, NID_undef},
691
    {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
692
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
693
     NID_sha384WithRSAEncryption, NID_undef},
694
    {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
695
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
696
     NID_sha512WithRSAEncryption, NID_undef},
697 698 699
    {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_sha224WithRSAEncryption, NID_undef},
700
    {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
701
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
702
     NID_sha1WithRSAEncryption, NID_undef},
703
#ifndef OPENSSL_NO_DSA
704
    {NULL, TLSEXT_SIGALG_dsa_sha256,
705 706
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_dsa_with_SHA256, NID_undef},
707
    {NULL, TLSEXT_SIGALG_dsa_sha384,
708 709
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
710
    {NULL, TLSEXT_SIGALG_dsa_sha512,
711 712
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
713 714 715
    {NULL, TLSEXT_SIGALG_dsa_sha224,
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_undef, NID_undef},
716
    {NULL, TLSEXT_SIGALG_dsa_sha1,
717 718
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
     NID_dsaWithSHA1, NID_undef},
719 720
#endif
#ifndef OPENSSL_NO_GOST
721
    {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
722 723 724
     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
     NID_undef, NID_undef},
725
    {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
726 727 728
     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
     NID_undef, NID_undef},
729
    {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
730 731 732
     NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
     NID_id_GostR3410_2001, SSL_PKEY_GOST01,
     NID_undef, NID_undef}
733
#endif
734
};
735 736 737 738 739 740 741 742 743 744 745 746 747 748
/* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
static const SIGALG_LOOKUP legacy_rsa_sigalg = {
    "rsa_pkcs1_md5_sha1", 0,
     NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
     EVP_PKEY_RSA, SSL_PKEY_RSA,
     NID_undef, NID_undef
};

/*
 * Default signature algorithm values used if signature algorithms not present.
 * From RFC5246. Note: order must match certificate index order.
 */
static const uint16_t tls_default_sigalg[] = {
    TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
749
    0, /* SSL_PKEY_RSA_PSS_SIGN */
750 751 752 753
    TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
    TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
    TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
D
Dr. Stephen Henson 已提交
754 755
    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
    0 /* SSL_PKEY_ED25519 */
756
};
757

758 759
/* Lookup TLS signature algorithm */
static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
760 761
{
    size_t i;
762
    const SIGALG_LOOKUP *s;
763

764 765 766 767
    for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
         i++, s++) {
        if (s->sigalg == sigalg)
            return s;
768
    }
769 770
    return NULL;
}
771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789
/* Lookup hash: return 0 if invalid or not enabled */
int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
{
    const EVP_MD *md;
    if (lu == NULL)
        return 0;
    /* lu->hash == NID_undef means no associated digest */
    if (lu->hash == NID_undef) {
        md = NULL;
    } else {
        md = ssl_md(lu->hash_idx);
        if (md == NULL)
            return 0;
    }
    if (pmd)
        *pmd = md;
    return 1;
}

790 791 792 793 794 795
/*
 * Return a signature algorithm for TLS < 1.2 where the signature type
 * is fixed by the certificate type.
 */
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
{
796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812
    if (idx == -1) {
        if (s->server) {
            size_t i;

            /* Work out index corresponding to ciphersuite */
            for (i = 0; i < SSL_PKEY_NUM; i++) {
                const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);

                if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
                    idx = i;
                    break;
                }
            }
        } else {
            idx = s->cert->key - s->cert->pkeys;
        }
    }
813 814 815 816 817
    if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
        return NULL;
    if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);

818
        if (!tls1_lookup_md(lu, NULL))
819 820 821 822 823 824 825 826
            return NULL;
        return lu;
    }
    return &legacy_rsa_sigalg;
}
/* Set peer sigalg based key type */
int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
{
827 828
    size_t idx;
    const SIGALG_LOOKUP *lu;
829

830 831 832
    if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
        return 0;
    lu = tls1_get_legacy_sigalg(s, idx);
833 834 835 836 837
    if (lu == NULL)
        return 0;
    s->s3->tmp.peer_sigalg = lu;
    return 1;
}
838

839
size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
840 841 842 843 844
{
    /*
     * If Suite B mode use Suite B sigalgs only, ignore any other
     * preferences.
     */
845
#ifndef OPENSSL_NO_EC
846 847 848
    switch (tls1_suiteb(s)) {
    case SSL_CERT_FLAG_SUITEB_128_LOS:
        *psigs = suiteb_sigalgs;
849
        return OSSL_NELEM(suiteb_sigalgs);
850 851 852

    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
        *psigs = suiteb_sigalgs;
853
        return 1;
854 855

    case SSL_CERT_FLAG_SUITEB_192_LOS:
856 857
        *psigs = suiteb_sigalgs + 1;
        return 1;
858
    }
859
#endif
860 861 862 863 864 865
    /*
     *  We use client_sigalgs (if not NULL) if we're a server
     *  and sending a certificate request or if we're a client and
     *  determining which shared algorithm to use.
     */
    if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
866 867 868 869 870 871 872
        *psigs = s->cert->client_sigalgs;
        return s->cert->client_sigalgslen;
    } else if (s->cert->conf_sigalgs) {
        *psigs = s->cert->conf_sigalgs;
        return s->cert->conf_sigalgslen;
    } else {
        *psigs = tls12_sigalgs;
873
        return OSSL_NELEM(tls12_sigalgs);
874 875 876 877 878
    }
}

/*
 * Check signature algorithm is consistent with sent supported signature
D
Dr. Stephen Henson 已提交
879 880
 * algorithms and if so set relevant digest and signature scheme in
 * s.
881
 */
882
int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
883
{
884
    const uint16_t *sent_sigs;
D
Dr. Stephen Henson 已提交
885
    const EVP_MD *md = NULL;
886
    char sigalgstr[2];
887
    size_t sent_sigslen, i;
888
    int pkeyid = EVP_PKEY_id(pkey);
889
    const SIGALG_LOOKUP *lu;
890

891
    /* Should never happen */
892
    if (pkeyid == -1)
893
        return -1;
894 895 896 897 898 899 900 901 902 903
    if (SSL_IS_TLS13(s)) {
        /* Disallow DSA for TLS 1.3 */
        if (pkeyid == EVP_PKEY_DSA) {
            SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
        /* Only allow PSS for TLS 1.3 */
        if (pkeyid == EVP_PKEY_RSA)
            pkeyid = EVP_PKEY_RSA_PSS;
    }
904 905
    lu = tls1_lookup_sigalg(sig);
    /*
906 907
     * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
     * is consistent with signature: RSA keys can be used for RSA-PSS
908
     */
909 910
    if (lu == NULL
        || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
911
        || (pkeyid != lu->sig
912
        && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
913 914 915
        SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
916
#ifndef OPENSSL_NO_EC
917
    if (pkeyid == EVP_PKEY_EC) {
D
Dr. Stephen Henson 已提交
918

919 920 921 922 923 924 925 926 927 928 929 930
        /* Check point compression is permitted */
        if (!tls1_check_pkey_comp(s, pkey)) {
            SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
                   SSL_R_ILLEGAL_POINT_COMPRESSION);
            return 0;
        }

        /* For TLS 1.3 or Suite B check curve matches signature algorithm */
        if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
            EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
            int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));

931
            if (lu->curve != NID_undef && curve != lu->curve) {
932 933 934
                SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
                return 0;
            }
935 936 937 938
        }
        if (!SSL_IS_TLS13(s)) {
            /* Check curve matches extensions */
            if (!tls1_check_group_id(s, tls1_get_group_id(pkey))) {
939 940 941 942
                SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
                return 0;
            }
            if (tls1_suiteb(s)) {
D
Dr. Stephen Henson 已提交
943 944 945 946 947
                /* Check sigalg matches a permissible Suite B value */
                if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
                    && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
                    SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
                           SSL_R_WRONG_SIGNATURE_TYPE);
948
                    return 0;
D
Dr. Stephen Henson 已提交
949
                }
950
            }
951
        }
952
    } else if (tls1_suiteb(s)) {
953
        return 0;
954
    }
955
#endif
956 957

    /* Check signature matches a type we sent */
958
    sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
959
    for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
960
        if (sig == *sent_sigs)
961 962 963
            break;
    }
    /* Allow fallback to SHA1 if not strict mode */
964 965
    if (i == sent_sigslen && (lu->hash != NID_sha1
        || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
966 967 968
        SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
969 970 971
    if (!tls1_lookup_md(lu, &md)) {
            SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
            return 0;
972
    }
973 974 975 976 977 978 979 980 981 982 983 984 985
    if (md != NULL) {
        /*
         * Make sure security callback allows algorithm. For historical
         * reasons we have to pass the sigalg as a two byte char array.
         */
        sigalgstr[0] = (sig >> 8) & 0xff;
        sigalgstr[1] = sig & 0xff;
        if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
                    EVP_MD_size(md) * 4, EVP_MD_type(md),
                    (void *)sigalgstr)) {
            SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
            return 0;
        }
986
    }
987
    /* Store the sigalg the peer uses */
988
    s->s3->tmp.peer_sigalg = lu;
989 990
    return 1;
}
991

992 993
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
{
994
    if (s->s3->tmp.peer_sigalg == NULL)
995
        return 0;
996
    *pnid = s->s3->tmp.peer_sigalg->sig;
997 998 999
    return 1;
}

1000
/*
1001 1002 1003 1004 1005 1006 1007 1008
 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
 * supported, doesn't appear in supported signature algorithms, isn't supported
 * by the enabled protocol versions or by the security level.
 *
 * This function should only be used for checking which ciphers are supported
 * by the client.
 *
 * Call ssl_cipher_disabled() to check that it's enabled or not.
1009 1010
 */
void ssl_set_client_disabled(SSL *s)
1011
{
1012 1013 1014
    s->s3->tmp.mask_a = 0;
    s->s3->tmp.mask_k = 0;
    ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
1015
    ssl_get_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
E
Emilia Kasper 已提交
1016
#ifndef OPENSSL_NO_PSK
1017 1018
    /* with PSK there must be client callback set */
    if (!s->psk_client_callback) {
1019
        s->s3->tmp.mask_a |= SSL_aPSK;
1020
        s->s3->tmp.mask_k |= SSL_PSK;
1021
    }
E
Emilia Kasper 已提交
1022
#endif                          /* OPENSSL_NO_PSK */
1023
#ifndef OPENSSL_NO_SRP
1024
    if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1025 1026
        s->s3->tmp.mask_a |= SSL_aSRP;
        s->s3->tmp.mask_k |= SSL_kSRP;
1027
    }
1028
#endif
1029
}
1030

1031 1032 1033 1034 1035
/*
 * ssl_cipher_disabled - check that a cipher is disabled or not
 * @s: SSL connection that you want to use the cipher on
 * @c: cipher to check
 * @op: Security check that you want to do
1036
 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
1037 1038 1039
 *
 * Returns 1 when it's disabled, 0 when enabled.
 */
1040
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
1041
{
1042
    if (c->algorithm_mkey & s->s3->tmp.mask_k
1043
        || c->algorithm_auth & s->s3->tmp.mask_a)
1044
        return 1;
1045 1046
    if (s->s3->tmp.max_ver == 0)
        return 1;
1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060
    if (!SSL_IS_DTLS(s)) {
        int min_tls = c->min_tls;

        /*
         * For historical reasons we will allow ECHDE to be selected by a server
         * in SSLv3 if we are a client
         */
        if (min_tls == TLS1_VERSION && ecdhe
                && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
            min_tls = SSL3_VERSION;

        if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
            return 1;
    }
1061
    if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
E
Emilia Kasper 已提交
1062
                           || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
1063 1064
        return 1;

1065 1066
    return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}
D
Dr. Stephen Henson 已提交
1067

1068
int tls_use_ticket(SSL *s)
1069
{
1070
    if ((s->options & SSL_OP_NO_TICKET))
1071 1072 1073
        return 0;
    return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}
1074

1075
int tls1_set_server_sigalgs(SSL *s)
1076 1077 1078
{
    int al;
    size_t i;
F
FdaSilvaYY 已提交
1079 1080

    /* Clear any shared signature algorithms */
R
Rich Salz 已提交
1081 1082 1083
    OPENSSL_free(s->cert->shared_sigalgs);
    s->cert->shared_sigalgs = NULL;
    s->cert->shared_sigalgslen = 0;
1084 1085
    /* Clear certificate validity flags */
    for (i = 0; i < SSL_PKEY_NUM; i++)
1086
        s->s3->tmp.valid_flags[i] = 0;
D
Dr. Stephen Henson 已提交
1087 1088 1089 1090 1091 1092 1093
    /*
     * If peer sent no signature algorithms check to see if we support
     * the default algorithm for each certificate type
     */
    if (s->s3->tmp.peer_sigalgs == NULL) {
        const uint16_t *sent_sigs;
        size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
1094

D
Dr. Stephen Henson 已提交
1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108
        for (i = 0; i < SSL_PKEY_NUM; i++) {
            const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
            size_t j;

            if (lu == NULL)
                continue;
            /* Check default matches a type we sent */
            for (j = 0; j < sent_sigslen; j++) {
                if (lu->sigalg == sent_sigs[j]) {
                        s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
                        break;
                }
            }
        }
1109
        return 1;
D
Dr. Stephen Henson 已提交
1110
    }
1111 1112 1113 1114 1115

    if (!tls1_process_sigalgs(s)) {
        SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto err;
1116
    }
1117 1118
    if (s->cert->shared_sigalgs != NULL)
        return 1;
1119
    /* Fatal error if no shared signature algorithms */
1120
    SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
1121
    al = SSL_AD_HANDSHAKE_FAILURE;
1122 1123 1124 1125
 err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
    return 0;
}
1126

1127
/*-
1128
 * Gets the ticket information supplied by the client if any.
1129
 *
1130
 *   hello: The parsed ClientHello data
B
Bodo Möller 已提交
1131 1132 1133 1134 1135
 *   ret: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 *
 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
 * ciphersuite, in which case we have no use for session tickets and one will
R
Rich Salz 已提交
1136
 * never be decrypted, nor will s->ext.ticket_expected be set to 1.
B
Bodo Möller 已提交
1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147
 *
 * Returns:
 *   -1: fatal error, either from parsing or decrypting the ticket.
 *    0: no ticket was found (or was ignored, based on settings).
 *    1: a zero length extension was found, indicating that the client supports
 *       session tickets but doesn't currently have one to offer.
 *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
 *       couldn't be decrypted because of a non-fatal error.
 *    3: a ticket was successfully decrypted and *ret was set.
 *
 * Side effects:
R
Rich Salz 已提交
1148
 *   Sets s->ext.ticket_expected to 1 if the server will have to issue
B
Bodo Möller 已提交
1149 1150 1151
 *   a new session ticket to the client because the client indicated support
 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
 *   a session ticket or we couldn't use the one it gave us, or if
R
Rich Salz 已提交
1152 1153
 *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
 *   Otherwise, s->ext.ticket_expected is set to 0.
1154
 */
1155 1156
TICKET_RETURN tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
                                         SSL_SESSION **ret)
1157
{
1158 1159 1160
    int retv;
    size_t size;
    RAW_EXTENSION *ticketext;
1161

1162
    *ret = NULL;
R
Rich Salz 已提交
1163
    s->ext.ticket_expected = 0;
1164 1165

    /*
1166 1167
     * If tickets disabled or not supported by the protocol version
     * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
1168 1169
     * resumption.
     */
1170
    if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
1171
        return TICKET_NONE;
M
Matt Caswell 已提交
1172

1173 1174
    ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
    if (!ticketext->present)
1175
        return TICKET_NONE;
1176 1177 1178 1179 1180 1181 1182

    size = PACKET_remaining(&ticketext->data);
    if (size == 0) {
        /*
         * The client will accept a ticket but doesn't currently have
         * one.
         */
R
Rich Salz 已提交
1183
        s->ext.ticket_expected = 1;
1184
        return TICKET_EMPTY;
M
Matt Caswell 已提交
1185
    }
R
Rich Salz 已提交
1186
    if (s->ext.session_secret_cb) {
1187 1188 1189 1190 1191 1192
        /*
         * Indicate that the ticket couldn't be decrypted rather than
         * generating the session from ticket now, trigger
         * abbreviated handshake based on external mechanism to
         * calculate the master secret later.
         */
1193
        return TICKET_NO_DECRYPT;
1194
    }
1195 1196 1197

    retv = tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
                              hello->session_id, hello->session_id_len, ret);
1198
    switch (retv) {
M
Matt Caswell 已提交
1199
    case TICKET_NO_DECRYPT:
R
Rich Salz 已提交
1200
        s->ext.ticket_expected = 1;
1201
        return TICKET_NO_DECRYPT;
M
Matt Caswell 已提交
1202

M
Matt Caswell 已提交
1203
    case TICKET_SUCCESS:
1204
        return TICKET_SUCCESS;
M
Matt Caswell 已提交
1205

M
Matt Caswell 已提交
1206
    case TICKET_SUCCESS_RENEW:
R
Rich Salz 已提交
1207
        s->ext.ticket_expected = 1;
1208
        return TICKET_SUCCESS;
1209

M
Matt Caswell 已提交
1210
    default:
1211
        return TICKET_FATAL_ERR_OTHER;
1212
    }
1213 1214
}

1215 1216
/*-
 * tls_decrypt_ticket attempts to decrypt a session ticket.
B
Bodo Möller 已提交
1217 1218
 *
 *   etick: points to the body of the session ticket extension.
F
FdaSilvaYY 已提交
1219
 *   eticklen: the length of the session tickets extension.
B
Bodo Möller 已提交
1220 1221 1222 1223 1224
 *   sess_id: points at the session ID.
 *   sesslen: the length of the session ID.
 *   psess: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 */
1225 1226 1227
TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,
                                 size_t eticklen, const unsigned char *sess_id,
                                 size_t sesslen, SSL_SESSION **psess)
1228 1229 1230 1231
{
    SSL_SESSION *sess;
    unsigned char *sdec;
    const unsigned char *p;
1232 1233
    int slen, renew_ticket = 0, declen;
    TICKET_RETURN ret = TICKET_FATAL_ERR_OTHER;
1234
    size_t mlen;
1235
    unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1236
    HMAC_CTX *hctx = NULL;
1237
    EVP_CIPHER_CTX *ctx;
1238
    SSL_CTX *tctx = s->session_ctx;
D
Dr. Stephen Henson 已提交
1239

1240
    /* Initialize session ticket encryption and HMAC contexts */
1241 1242
    hctx = HMAC_CTX_new();
    if (hctx == NULL)
1243
        return TICKET_FATAL_ERR_MALLOC;
1244
    ctx = EVP_CIPHER_CTX_new();
1245
    if (ctx == NULL) {
1246
        ret = TICKET_FATAL_ERR_MALLOC;
1247 1248
        goto err;
    }
R
Rich Salz 已提交
1249
    if (tctx->ext.ticket_key_cb) {
1250
        unsigned char *nctick = (unsigned char *)etick;
R
Rich Salz 已提交
1251
        int rv = tctx->ext.ticket_key_cb(s, nctick, nctick + 16,
1252
                                            ctx, hctx, 0);
1253
        if (rv < 0)
1254 1255
            goto err;
        if (rv == 0) {
1256
            ret = TICKET_NO_DECRYPT;
1257 1258
            goto err;
        }
1259 1260 1261 1262
        if (rv == 2)
            renew_ticket = 1;
    } else {
        /* Check key name matches */
R
Rich Salz 已提交
1263 1264
        if (memcmp(etick, tctx->ext.tick_key_name,
                   sizeof(tctx->ext.tick_key_name)) != 0) {
1265
            ret = TICKET_NO_DECRYPT;
1266 1267
            goto err;
        }
R
Rich Salz 已提交
1268 1269
        if (HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
                         sizeof(tctx->ext.tick_hmac_key),
1270
                         EVP_sha256(), NULL) <= 0
E
Emilia Kasper 已提交
1271
            || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
R
Rich Salz 已提交
1272
                                  tctx->ext.tick_aes_key,
1273 1274
                                  etick
                                  + sizeof(tctx->ext.tick_key_name)) <= 0) {
1275
            goto err;
E
Emilia Kasper 已提交
1276
        }
1277 1278 1279 1280 1281
    }
    /*
     * Attempt to process session ticket, first conduct sanity and integrity
     * checks on ticket.
     */
1282
    mlen = HMAC_size(hctx);
1283
    if (mlen == 0) {
1284
        goto err;
1285
    }
D
Dr. Stephen Henson 已提交
1286 1287
    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
    if (eticklen <=
1288
        TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
1289
        ret = TICKET_NO_DECRYPT;
D
Dr. Stephen Henson 已提交
1290 1291
        goto err;
    }
1292 1293
    eticklen -= mlen;
    /* Check HMAC of encrypted ticket */
1294
    if (HMAC_Update(hctx, etick, eticklen) <= 0
E
Emilia Kasper 已提交
1295
        || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
1296 1297
        goto err;
    }
1298
    HMAC_CTX_free(hctx);
1299
    if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
1300
        EVP_CIPHER_CTX_free(ctx);
1301
        return TICKET_NO_DECRYPT;
1302 1303 1304
    }
    /* Attempt to decrypt session data */
    /* Move p after IV to start of encrypted ticket, update length */
1305 1306
    p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
    eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
1307
    sdec = OPENSSL_malloc(eticklen);
1308 1309
    if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
                                          (int)eticklen) <= 0) {
1310
        EVP_CIPHER_CTX_free(ctx);
1311
        OPENSSL_free(sdec);
1312
        return TICKET_FATAL_ERR_OTHER;
1313
    }
1314
    if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
1315
        EVP_CIPHER_CTX_free(ctx);
1316
        OPENSSL_free(sdec);
1317
        return TICKET_NO_DECRYPT;
1318
    }
1319
    slen += declen;
1320 1321
    EVP_CIPHER_CTX_free(ctx);
    ctx = NULL;
1322 1323 1324
    p = sdec;

    sess = d2i_SSL_SESSION(NULL, &p, slen);
1325
    slen -= p - sdec;
1326 1327
    OPENSSL_free(sdec);
    if (sess) {
1328
        /* Some additional consistency checks */
1329
        if (slen != 0 || sess->session_id_length != 0) {
1330
            SSL_SESSION_free(sess);
B
Bernd Edlinger 已提交
1331
            return TICKET_NO_DECRYPT;
1332
        }
1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343
        /*
         * The session ID, if non-empty, is used by some clients to detect
         * that the ticket has been accepted. So we copy it to the session
         * structure. If it is empty set length to zero as required by
         * standard.
         */
        if (sesslen)
            memcpy(sess->session_id, sess_id, sesslen);
        sess->session_id_length = sesslen;
        *psess = sess;
        if (renew_ticket)
1344
            return TICKET_SUCCESS_RENEW;
1345
        else
1346
            return TICKET_SUCCESS;
1347 1348 1349 1350 1351
    }
    ERR_clear_error();
    /*
     * For session parse failure, indicate that we need to send a new ticket.
     */
1352
    return TICKET_NO_DECRYPT;
E
Emilia Kasper 已提交
1353
 err:
1354
    EVP_CIPHER_CTX_free(ctx);
1355
    HMAC_CTX_free(hctx);
1356
    return ret;
1357
}
1358

D
Dr. Stephen Henson 已提交
1359
/* Check to see if a signature algorithm is allowed */
1360
static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
1361
{
1362
    unsigned char sigalgstr[2];
D
Dr. Stephen Henson 已提交
1363
    int secbits;
1364

D
Dr. Stephen Henson 已提交
1365
    /* See if sigalgs is recognised and if hash is enabled */
1366
    if (!tls1_lookup_md(lu, NULL))
1367
        return 0;
D
Dr. Stephen Henson 已提交
1368 1369 1370
    /* DSA is not allowed in TLS 1.3 */
    if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
        return 0;
1371 1372 1373 1374 1375 1376
    /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
    if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
        && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
            || lu->hash_idx == SSL_MD_MD5_IDX
            || lu->hash_idx == SSL_MD_SHA224_IDX))
        return 0;
1377
    /* See if public key algorithm allowed */
D
Dr. Stephen Henson 已提交
1378
    if (ssl_cert_is_disabled(lu->sig_idx))
1379
        return 0;
1380 1381
    if (lu->hash == NID_undef)
        return 1;
D
Dr. Stephen Henson 已提交
1382 1383
    /* Security bits: half digest bits */
    secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
1384
    /* Finally see if security callback allows it */
1385 1386
    sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
    sigalgstr[1] = lu->sigalg & 0xff;
D
Dr. Stephen Henson 已提交
1387
    return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
1388 1389 1390 1391 1392 1393
}

/*
 * Get a mask of disabled public key algorithms based on supported signature
 * algorithms. For example if no signature algorithm supports RSA then RSA is
 * disabled.
D
Dr. Stephen Henson 已提交
1394 1395
 */

1396
void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
1397
{
1398
    const uint16_t *sigalgs;
1399
    size_t i, sigalgslen;
1400
    uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
1401
    /*
1402 1403
     * Go through all signature algorithms seeing if we support any
     * in disabled_mask.
1404
     */
1405
    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
K
KaoruToda 已提交
1406
    for (i = 0; i < sigalgslen; i++, sigalgs++) {
1407
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
1408
        const SSL_CERT_LOOKUP *clu;
1409 1410 1411

        if (lu == NULL)
            continue;
1412 1413

        clu = ssl_cert_lookup_by_idx(lu->sig_idx);
K
KaoruToda 已提交
1414 1415
	if (clu == NULL)
		continue;
1416 1417 1418 1419 1420

        /* If algorithm is disabled see if we can enable it */
        if ((clu->amask & disabled_mask) != 0
                && tls12_sigalg_allowed(s, op, lu))
            disabled_mask &= ~clu->amask;
1421
    }
1422
    *pmask_a |= disabled_mask;
1423
}
D
Dr. Stephen Henson 已提交
1424

M
Matt Caswell 已提交
1425
int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
1426
                       const uint16_t *psig, size_t psiglen)
1427 1428
{
    size_t i;
1429
    int rv = 0;
1430

1431
    for (i = 0; i < psiglen; i++, psig++) {
1432 1433 1434 1435 1436 1437 1438 1439
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);

        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
            continue;
        if (!WPACKET_put_bytes_u16(pkt, *psig))
            return 0;
        /*
         * If TLS 1.3 must have at least one valid TLS 1.3 message
1440
         * signing algorithm: i.e. neither RSA nor SHA1/SHA224
1441 1442
         */
        if (rv == 0 && (!SSL_IS_TLS13(s)
1443 1444 1445
            || (lu->sig != EVP_PKEY_RSA
                && lu->hash != NID_sha1
                && lu->hash != NID_sha224)))
1446
            rv = 1;
1447
    }
1448 1449
    if (rv == 0)
        SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
1450
    return rv;
1451 1452
}

1453
/* Given preference and allowed sigalgs set shared sigalgs */
1454
static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
1455 1456
                                   const uint16_t *pref, size_t preflen,
                                   const uint16_t *allow, size_t allowlen)
1457
{
1458
    const uint16_t *ptmp, *atmp;
1459
    size_t i, j, nmatch = 0;
1460
    for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
1461 1462
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);

1463
        /* Skip disabled hashes or signature algorithms */
1464
        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
1465
            continue;
1466 1467
        for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
            if (*ptmp == *atmp) {
1468
                nmatch++;
1469 1470
                if (shsig)
                    *shsig++ = lu;
1471 1472 1473 1474 1475 1476
                break;
            }
        }
    }
    return nmatch;
}
1477 1478 1479

/* Set shared signature algorithms for SSL structures */
static int tls1_set_shared_sigalgs(SSL *s)
1480
{
1481
    const uint16_t *pref, *allow, *conf;
1482 1483
    size_t preflen, allowlen, conflen;
    size_t nmatch;
1484
    const SIGALG_LOOKUP **salgs = NULL;
1485 1486
    CERT *c = s->cert;
    unsigned int is_suiteb = tls1_suiteb(s);
R
Rich Salz 已提交
1487 1488 1489 1490

    OPENSSL_free(c->shared_sigalgs);
    c->shared_sigalgs = NULL;
    c->shared_sigalgslen = 0;
1491 1492 1493 1494 1495 1496 1497 1498
    /* If client use client signature algorithms if not NULL */
    if (!s->server && c->client_sigalgs && !is_suiteb) {
        conf = c->client_sigalgs;
        conflen = c->client_sigalgslen;
    } else if (c->conf_sigalgs && !is_suiteb) {
        conf = c->conf_sigalgs;
        conflen = c->conf_sigalgslen;
    } else
1499
        conflen = tls12_get_psigalgs(s, 0, &conf);
1500 1501 1502
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
        pref = conf;
        preflen = conflen;
D
Dr. Stephen Henson 已提交
1503 1504
        allow = s->s3->tmp.peer_sigalgs;
        allowlen = s->s3->tmp.peer_sigalgslen;
1505 1506 1507
    } else {
        allow = conf;
        allowlen = conflen;
D
Dr. Stephen Henson 已提交
1508 1509
        pref = s->s3->tmp.peer_sigalgs;
        preflen = s->s3->tmp.peer_sigalgslen;
1510 1511
    }
    nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
D
Dr. Stephen Henson 已提交
1512
    if (nmatch) {
1513
        salgs = OPENSSL_malloc(nmatch * sizeof(*salgs));
1514
        if (salgs == NULL)
D
Dr. Stephen Henson 已提交
1515 1516 1517 1518 1519
            return 0;
        nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
    } else {
        salgs = NULL;
    }
1520 1521 1522 1523
    c->shared_sigalgs = salgs;
    c->shared_sigalgslen = nmatch;
    return 1;
}
1524

D
Dr. Stephen Henson 已提交
1525
int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
1526
{
1527
    unsigned int stmp;
1528
    size_t size, i;
D
Dr. Stephen Henson 已提交
1529
    uint16_t *buf;
1530

1531 1532 1533
    size = PACKET_remaining(pkt);

    /* Invalid data length */
1534
    if (size == 0 || (size & 1) != 0)
1535 1536 1537 1538
        return 0;

    size >>= 1;

D
Dr. Stephen Henson 已提交
1539 1540
    buf = OPENSSL_malloc(size * sizeof(*buf));
    if (buf == NULL)
1541
        return 0;
1542
    for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
D
Dr. Stephen Henson 已提交
1543
        buf[i] = stmp;
1544

D
Dr. Stephen Henson 已提交
1545 1546
    if (i != size) {
        OPENSSL_free(buf);
1547
        return 0;
D
Dr. Stephen Henson 已提交
1548 1549 1550 1551 1552
    }

    OPENSSL_free(*pdest);
    *pdest = buf;
    *pdestlen = size;
1553

1554 1555
    return 1;
}
1556

D
Dr. Stephen Henson 已提交
1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573
int tls1_save_sigalgs(SSL *s, PACKET *pkt)
{
    /* Extension ignored for inappropriate versions */
    if (!SSL_USE_SIGALGS(s))
        return 1;
    /* Should never happen */
    if (s->cert == NULL)
        return 0;

    return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs,
                         &s->s3->tmp.peer_sigalgslen);

    return 1;
}

/* Set preferred digest for each key type */

1574
int tls1_process_sigalgs(SSL *s)
1575 1576
{
    size_t i;
1577
    uint32_t *pvalid = s->s3->tmp.valid_flags;
1578
    CERT *c = s->cert;
1579

1580 1581 1582
    if (!tls1_set_shared_sigalgs(s))
        return 0;

1583 1584 1585
    for (i = 0; i < SSL_PKEY_NUM; i++)
        pvalid[i] = 0;

1586 1587
    for (i = 0; i < c->shared_sigalgslen; i++) {
        const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
1588
        int idx = sigptr->sig_idx;
1589

1590
        /* Ignore PKCS1 based sig algs in TLSv1.3 */
1591
        if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
1592
            continue;
1593
        /* If not disabled indicate we can explicitly sign */
D
Dr. Stephen Henson 已提交
1594 1595
        if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx))
            pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
1596 1597 1598
    }
    return 1;
}
D
Dr. Stephen Henson 已提交
1599

1600
int SSL_get_sigalgs(SSL *s, int idx,
1601 1602 1603
                    int *psign, int *phash, int *psignhash,
                    unsigned char *rsig, unsigned char *rhash)
{
1604
    uint16_t *psig = s->s3->tmp.peer_sigalgs;
1605
    size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
1606
    if (psig == NULL || numsigalgs > INT_MAX)
1607 1608
        return 0;
    if (idx >= 0) {
1609 1610
        const SIGALG_LOOKUP *lu;

1611
        if (idx >= (int)numsigalgs)
1612 1613
            return 0;
        psig += idx;
1614
        if (rhash != NULL)
1615
            *rhash = (unsigned char)((*psig >> 8) & 0xff);
1616
        if (rsig != NULL)
1617
            *rsig = (unsigned char)(*psig & 0xff);
1618 1619 1620 1621 1622 1623 1624
        lu = tls1_lookup_sigalg(*psig);
        if (psign != NULL)
            *psign = lu != NULL ? lu->sig : NID_undef;
        if (phash != NULL)
            *phash = lu != NULL ? lu->hash : NID_undef;
        if (psignhash != NULL)
            *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
1625
    }
1626
    return (int)numsigalgs;
1627
}
1628 1629

int SSL_get_shared_sigalgs(SSL *s, int idx,
1630 1631 1632
                           int *psign, int *phash, int *psignhash,
                           unsigned char *rsig, unsigned char *rhash)
{
1633 1634
    const SIGALG_LOOKUP *shsigalgs;
    if (s->cert->shared_sigalgs == NULL
1635
        || idx < 0
1636 1637
        || idx >= (int)s->cert->shared_sigalgslen
        || s->cert->shared_sigalgslen > INT_MAX)
1638
        return 0;
1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649
    shsigalgs = s->cert->shared_sigalgs[idx];
    if (phash != NULL)
        *phash = shsigalgs->hash;
    if (psign != NULL)
        *psign = shsigalgs->sig;
    if (psignhash != NULL)
        *psignhash = shsigalgs->sigandhash;
    if (rsig != NULL)
        *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
    if (rhash != NULL)
        *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
1650
    return (int)s->cert->shared_sigalgslen;
1651 1652
}

D
Dr. Stephen Henson 已提交
1653 1654
/* Maximum possible number of unique entries in sigalgs array */
#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
1655

1656 1657
typedef struct {
    size_t sigalgcnt;
D
Dr. Stephen Henson 已提交
1658
    int sigalgs[TLS_MAX_SIGALGCNT];
1659
} sig_cb_st;
1660

1661 1662 1663 1664
static void get_sigorhash(int *psig, int *phash, const char *str)
{
    if (strcmp(str, "RSA") == 0) {
        *psig = EVP_PKEY_RSA;
D
Dr. Stephen Henson 已提交
1665 1666
    } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
        *psig = EVP_PKEY_RSA_PSS;
1667 1668 1669 1670 1671 1672 1673 1674 1675 1676
    } else if (strcmp(str, "DSA") == 0) {
        *psig = EVP_PKEY_DSA;
    } else if (strcmp(str, "ECDSA") == 0) {
        *psig = EVP_PKEY_EC;
    } else {
        *phash = OBJ_sn2nid(str);
        if (*phash == NID_undef)
            *phash = OBJ_ln2nid(str);
    }
}
D
Dr. Stephen Henson 已提交
1677 1678
/* Maximum length of a signature algorithm string component */
#define TLS_MAX_SIGSTRING_LEN   40
1679

1680
static int sig_cb(const char *elem, int len, void *arg)
1681 1682 1683
{
    sig_cb_st *sarg = arg;
    size_t i;
D
Dr. Stephen Henson 已提交
1684
    char etmp[TLS_MAX_SIGSTRING_LEN], *p;
1685
    int sig_alg = NID_undef, hash_alg = NID_undef;
1686 1687
    if (elem == NULL)
        return 0;
D
Dr. Stephen Henson 已提交
1688
    if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
1689 1690 1691 1692 1693 1694
        return 0;
    if (len > (int)(sizeof(etmp) - 1))
        return 0;
    memcpy(etmp, elem, len);
    etmp[len] = 0;
    p = strchr(etmp, '+');
1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714
    /* See if we have a match for TLS 1.3 names */
    if (p == NULL) {
        const SIGALG_LOOKUP *s;

        for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
             i++, s++) {
            if (s->name != NULL && strcmp(etmp, s->name) == 0) {
                sig_alg = s->sig;
                hash_alg = s->hash;
                break;
            }
        }
    } else {
        *p = 0;
        p++;
        if (*p == 0)
            return 0;
        get_sigorhash(&sig_alg, &hash_alg, etmp);
        get_sigorhash(&sig_alg, &hash_alg, p);
    }
1715

1716
    if (sig_alg == NID_undef || (p != NULL && hash_alg == NID_undef))
1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728
        return 0;

    for (i = 0; i < sarg->sigalgcnt; i += 2) {
        if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
            return 0;
    }
    sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
    sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
    return 1;
}

/*
F
FdaSilvaYY 已提交
1729
 * Set supported signature algorithms based on a colon separated list of the
1730 1731
 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
 */
1732
int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
1733 1734 1735 1736 1737 1738 1739 1740 1741 1742
{
    sig_cb_st sig;
    sig.sigalgcnt = 0;
    if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
        return 0;
    if (c == NULL)
        return 1;
    return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}

E
Emilia Kasper 已提交
1743
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
1744
{
1745
    uint16_t *sigalgs, *sptr;
1746
    size_t i;
M
Matt Caswell 已提交
1747

1748 1749
    if (salglen & 1)
        return 0;
1750
    sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs));
1751 1752 1753
    if (sigalgs == NULL)
        return 0;
    for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
M
Matt Caswell 已提交
1754
        size_t j;
1755
        const SIGALG_LOOKUP *curr;
M
Matt Caswell 已提交
1756 1757 1758 1759 1760
        int md_id = *psig_nids++;
        int sig_id = *psig_nids++;

        for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
             j++, curr++) {
1761
            if (curr->hash == md_id && curr->sig == sig_id) {
M
Matt Caswell 已提交
1762 1763 1764 1765
                *sptr++ = curr->sigalg;
                break;
            }
        }
1766

M
Matt Caswell 已提交
1767
        if (j == OSSL_NELEM(sigalg_lookup_tbl))
1768 1769 1770 1771
            goto err;
    }

    if (client) {
R
Rich Salz 已提交
1772
        OPENSSL_free(c->client_sigalgs);
1773
        c->client_sigalgs = sigalgs;
1774
        c->client_sigalgslen = salglen / 2;
1775
    } else {
R
Rich Salz 已提交
1776
        OPENSSL_free(c->conf_sigalgs);
1777
        c->conf_sigalgs = sigalgs;
1778
        c->conf_sigalgslen = salglen / 2;
1779 1780 1781 1782 1783 1784 1785 1786
    }

    return 1;

 err:
    OPENSSL_free(sigalgs);
    return 0;
}
1787

1788
static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
1789 1790 1791 1792 1793 1794 1795 1796 1797
{
    int sig_nid;
    size_t i;
    if (default_nid == -1)
        return 1;
    sig_nid = X509_get_signature_nid(x);
    if (default_nid)
        return sig_nid == default_nid ? 1 : 0;
    for (i = 0; i < c->shared_sigalgslen; i++)
1798
        if (sig_nid == c->shared_sigalgs[i]->sigandhash)
1799 1800 1801 1802
            return 1;
    return 0;
}

1803 1804
/* Check to see if a certificate issuer name matches list of CA names */
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820
{
    X509_NAME *nm;
    int i;
    nm = X509_get_issuer_name(x);
    for (i = 0; i < sk_X509_NAME_num(names); i++) {
        if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
            return 1;
    }
    return 0;
}

/*
 * Check certificate chain is consistent with TLS extensions and is usable by
 * server. This servers two purposes: it allows users to check chains before
 * passing them to the server and it allows the server to check chains before
 * attempting to use them.
1821
 */
1822

F
FdaSilvaYY 已提交
1823
/* Flags which need to be set for a certificate when strict mode not set */
1824

1825
#define CERT_PKEY_VALID_FLAGS \
1826
        (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
1827
/* Strict mode flags */
1828
#define CERT_PKEY_STRICT_FLAGS \
1829 1830
         (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
         | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
1831

1832
int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
1833 1834 1835 1836 1837 1838 1839
                     int idx)
{
    int i;
    int rv = 0;
    int check_flags = 0, strict_mode;
    CERT_PKEY *cpk = NULL;
    CERT *c = s->cert;
1840
    uint32_t *pvalid;
1841 1842 1843 1844 1845 1846
    unsigned int suiteb_flags = tls1_suiteb(s);
    /* idx == -1 means checking server chains */
    if (idx != -1) {
        /* idx == -2 means checking client certificate chains */
        if (idx == -2) {
            cpk = c->key;
1847
            idx = (int)(cpk - c->pkeys);
1848 1849
        } else
            cpk = c->pkeys + idx;
1850
        pvalid = s->s3->tmp.valid_flags + idx;
1851 1852 1853 1854 1855 1856 1857 1858
        x = cpk->x509;
        pk = cpk->privatekey;
        chain = cpk->chain;
        strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
        /* If no cert or key, forget it */
        if (!x || !pk)
            goto end;
    } else {
1859 1860
        size_t certidx;

1861
        if (!x || !pk)
M
Matt Caswell 已提交
1862
            return 0;
1863 1864

        if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
M
Matt Caswell 已提交
1865
            return 0;
1866
        idx = certidx;
1867 1868
        pvalid = s->s3->tmp.valid_flags + idx;

1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892
        if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
            check_flags = CERT_PKEY_STRICT_FLAGS;
        else
            check_flags = CERT_PKEY_VALID_FLAGS;
        strict_mode = 1;
    }

    if (suiteb_flags) {
        int ok;
        if (check_flags)
            check_flags |= CERT_PKEY_SUITEB;
        ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
        if (ok == X509_V_OK)
            rv |= CERT_PKEY_SUITEB;
        else if (!check_flags)
            goto end;
    }

    /*
     * Check all signature algorithms are consistent with signature
     * algorithms extension if TLS 1.2 or later and strict mode.
     */
    if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
        int default_nid;
1893
        int rsign = 0;
D
Dr. Stephen Henson 已提交
1894
        if (s->s3->tmp.peer_sigalgs)
1895 1896 1897 1898
            default_nid = 0;
        /* If no sigalgs extension use defaults from RFC5246 */
        else {
            switch (idx) {
1899
            case SSL_PKEY_RSA:
1900
                rsign = EVP_PKEY_RSA;
1901 1902 1903 1904
                default_nid = NID_sha1WithRSAEncryption;
                break;

            case SSL_PKEY_DSA_SIGN:
1905
                rsign = EVP_PKEY_DSA;
1906 1907 1908 1909
                default_nid = NID_dsaWithSHA1;
                break;

            case SSL_PKEY_ECC:
1910
                rsign = EVP_PKEY_EC;
1911 1912 1913
                default_nid = NID_ecdsa_with_SHA1;
                break;

1914
            case SSL_PKEY_GOST01:
1915
                rsign = NID_id_GostR3410_2001;
1916 1917 1918 1919
                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
                break;

            case SSL_PKEY_GOST12_256:
1920
                rsign = NID_id_GostR3410_2012_256;
1921 1922 1923 1924
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
                break;

            case SSL_PKEY_GOST12_512:
1925
                rsign = NID_id_GostR3410_2012_512;
1926 1927 1928
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
                break;

1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939
            default:
                default_nid = -1;
                break;
            }
        }
        /*
         * If peer sent no signature algorithms extension and we have set
         * preferred signature algorithms check we support sha1.
         */
        if (default_nid > 0 && c->conf_sigalgs) {
            size_t j;
1940
            const uint16_t *p = c->conf_sigalgs;
1941
            for (j = 0; j < c->conf_sigalgslen; j++, p++) {
D
Dr. Stephen Henson 已提交
1942 1943 1944
                const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);

                if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975
                    break;
            }
            if (j == c->conf_sigalgslen) {
                if (check_flags)
                    goto skip_sigs;
                else
                    goto end;
            }
        }
        /* Check signature algorithm of each cert in chain */
        if (!tls1_check_sig_alg(c, x, default_nid)) {
            if (!check_flags)
                goto end;
        } else
            rv |= CERT_PKEY_EE_SIGNATURE;
        rv |= CERT_PKEY_CA_SIGNATURE;
        for (i = 0; i < sk_X509_num(chain); i++) {
            if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_SIGNATURE;
                    break;
                } else
                    goto end;
            }
        }
    }
    /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
    else if (check_flags)
        rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
 skip_sigs:
    /* Check cert parameters are consistent */
1976
    if (tls1_check_cert_param(s, x, 1))
1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998
        rv |= CERT_PKEY_EE_PARAM;
    else if (!check_flags)
        goto end;
    if (!s->server)
        rv |= CERT_PKEY_CA_PARAM;
    /* In strict mode check rest of chain too */
    else if (strict_mode) {
        rv |= CERT_PKEY_CA_PARAM;
        for (i = 0; i < sk_X509_num(chain); i++) {
            X509 *ca = sk_X509_value(chain, i);
            if (!tls1_check_cert_param(s, ca, 0)) {
                if (check_flags) {
                    rv &= ~CERT_PKEY_CA_PARAM;
                    break;
                } else
                    goto end;
            }
        }
    }
    if (!s->server && strict_mode) {
        STACK_OF(X509_NAME) *ca_dn;
        int check_type = 0;
D
Dr. Stephen Henson 已提交
1999
        switch (EVP_PKEY_id(pk)) {
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
        case EVP_PKEY_RSA:
            check_type = TLS_CT_RSA_SIGN;
            break;
        case EVP_PKEY_DSA:
            check_type = TLS_CT_DSS_SIGN;
            break;
        case EVP_PKEY_EC:
            check_type = TLS_CT_ECDSA_SIGN;
            break;
        }
        if (check_type) {
2011 2012 2013 2014 2015
            const uint8_t *ctypes = s->s3->tmp.ctype;
            size_t j;

            for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
                if (*ctypes == check_type) {
2016 2017 2018 2019 2020 2021
                    rv |= CERT_PKEY_CERT_TYPE;
                    break;
                }
            }
            if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
                goto end;
2022
        } else {
2023
            rv |= CERT_PKEY_CERT_TYPE;
2024
        }
2025

2026
        ca_dn = s->s3->tmp.peer_ca_names;
2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053

        if (!sk_X509_NAME_num(ca_dn))
            rv |= CERT_PKEY_ISSUER_NAME;

        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
            if (ssl_check_ca_name(ca_dn, x))
                rv |= CERT_PKEY_ISSUER_NAME;
        }
        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
            for (i = 0; i < sk_X509_num(chain); i++) {
                X509 *xtmp = sk_X509_value(chain, i);
                if (ssl_check_ca_name(ca_dn, xtmp)) {
                    rv |= CERT_PKEY_ISSUER_NAME;
                    break;
                }
            }
        }
        if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
            goto end;
    } else
        rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;

    if (!check_flags || (rv & check_flags) == check_flags)
        rv |= CERT_PKEY_VALID;

 end:

D
Dr. Stephen Henson 已提交
2054 2055 2056
    if (TLS1_get_version(s) >= TLS1_2_VERSION)
        rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
    else
2057 2058 2059 2060 2061 2062 2063
        rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;

    /*
     * When checking a CERT_PKEY structure all flags are irrelevant if the
     * chain is invalid.
     */
    if (!check_flags) {
D
Dr. Stephen Henson 已提交
2064
        if (rv & CERT_PKEY_VALID) {
2065
            *pvalid = rv;
D
Dr. Stephen Henson 已提交
2066 2067 2068
        } else {
            /* Preserve sign and explicit sign flag, clear rest */
            *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
2069 2070 2071 2072 2073
            return 0;
        }
    }
    return rv;
}
2074 2075 2076

/* Set validity of certificates in an SSL structure */
void tls1_set_cert_validity(SSL *s)
2077
{
2078
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
2079
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
M
Matt Caswell 已提交
2080 2081
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
2082 2083 2084
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
2085
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
2086 2087
}

F
FdaSilvaYY 已提交
2088
/* User level utility function to check a chain is suitable */
2089
int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
2090 2091 2092
{
    return tls1_check_chain(s, x, pk, chain, -1);
}
2093

D
Dr. Stephen Henson 已提交
2094 2095
#ifndef OPENSSL_NO_DH
DH *ssl_get_auto_dh(SSL *s)
2096 2097 2098 2099
{
    int dh_secbits = 80;
    if (s->cert->dh_tmp_auto == 2)
        return DH_get_1024_160();
2100
    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
2101 2102 2103 2104 2105
        if (s->s3->tmp.new_cipher->strength_bits == 256)
            dh_secbits = 128;
        else
            dh_secbits = 80;
    } else {
2106
        if (s->s3->tmp.cert == NULL)
D
Dr. Stephen Henson 已提交
2107
            return NULL;
2108
        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
2109 2110 2111 2112
    }

    if (dh_secbits >= 128) {
        DH *dhp = DH_new();
M
Matt Caswell 已提交
2113
        BIGNUM *p, *g;
2114
        if (dhp == NULL)
2115
            return NULL;
M
Matt Caswell 已提交
2116 2117 2118
        g = BN_new();
        if (g != NULL)
            BN_set_word(g, 2);
2119
        if (dh_secbits >= 192)
R
Rich Salz 已提交
2120
            p = BN_get_rfc3526_prime_8192(NULL);
2121
        else
R
Rich Salz 已提交
2122
            p = BN_get_rfc3526_prime_3072(NULL);
M
Matt Caswell 已提交
2123
        if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
2124
            DH_free(dhp);
M
Matt Caswell 已提交
2125 2126
            BN_free(p);
            BN_free(g);
2127 2128 2129 2130 2131 2132 2133 2134
            return NULL;
        }
        return dhp;
    }
    if (dh_secbits >= 112)
        return DH_get_2048_224();
    return DH_get_1024_160();
}
D
Dr. Stephen Henson 已提交
2135
#endif
D
Dr. Stephen Henson 已提交
2136 2137

static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2138
{
2139
    int secbits = -1;
2140
    EVP_PKEY *pkey = X509_get0_pubkey(x);
2141
    if (pkey) {
2142 2143 2144 2145 2146 2147
        /*
         * If no parameters this will return -1 and fail using the default
         * security callback for any non-zero security level. This will
         * reject keys which omit parameters but this only affects DSA and
         * omission of parameters is never (?) done in practice.
         */
2148
        secbits = EVP_PKEY_security_bits(pkey);
2149
    }
2150 2151 2152 2153 2154
    if (s)
        return ssl_security(s, op, secbits, 0, x);
    else
        return ssl_ctx_security(ctx, op, secbits, 0, x);
}
D
Dr. Stephen Henson 已提交
2155 2156

static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
2157 2158
{
    /* Lookup signature algorithm digest */
2159
    int secbits, nid, pknid;
2160 2161 2162
    /* Don't check signature if self signed */
    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
        return 1;
2163 2164 2165 2166 2167
    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
        secbits = -1;
    /* If digest NID not defined use signature NID */
    if (nid == NID_undef)
        nid = pknid;
2168
    if (s)
2169
        return ssl_security(s, op, secbits, nid, x);
2170
    else
2171
        return ssl_ctx_security(ctx, op, secbits, nid, x);
2172
}
D
Dr. Stephen Henson 已提交
2173 2174

int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190
{
    if (vfy)
        vfy = SSL_SECOP_PEER;
    if (is_ee) {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
            return SSL_R_EE_KEY_TOO_SMALL;
    } else {
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
            return SSL_R_CA_KEY_TOO_SMALL;
    }
    if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
        return SSL_R_CA_MD_TOO_WEAK;
    return 1;
}

/*
F
FdaSilvaYY 已提交
2191 2192
 * Check security of a chain, if |sk| includes the end entity certificate then
 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
2193
 * one to the peer. Return values: 1 if ok otherwise error code to use
D
Dr. Stephen Henson 已提交
2194 2195 2196
 */

int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216
{
    int rv, start_idx, i;
    if (x == NULL) {
        x = sk_X509_value(sk, 0);
        start_idx = 1;
    } else
        start_idx = 0;

    rv = ssl_security_cert(s, NULL, x, vfy, 1);
    if (rv != 1)
        return rv;

    for (i = start_idx; i < sk_X509_num(sk); i++) {
        x = sk_X509_value(sk, i);
        rv = ssl_security_cert(s, NULL, x, vfy, 0);
        if (rv != 1)
            return rv;
    }
    return 1;
}
2217

2218 2219
/*
 * For TLS 1.2 servers check if we have a certificate which can be used
2220
 * with the signature algorithm "lu" and return index of certificate.
2221 2222
 */

2223
static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
2224
{
2225 2226
    int sig_idx = lu->sig_idx;
    const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
2227 2228 2229

    /* If not recognised or not supported by cipher mask it is not suitable */
    if (clu == NULL || !(clu->amask & s->s3->tmp.new_cipher->algorithm_auth))
2230 2231 2232 2233 2234
        return -1;

    /* If PSS and we have no PSS cert use RSA */
    if (sig_idx == SSL_PKEY_RSA_PSS_SIGN && !ssl_has_cert(s, sig_idx))
        sig_idx = SSL_PKEY_RSA;
2235

2236
    return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
2237 2238
}

2239 2240
/*
 * Choose an appropriate signature algorithm based on available certificates
2241 2242 2243 2244 2245 2246 2247 2248
 * Sets chosen certificate and signature algorithm.
 *
 * For servers if we fail to find a required certificate it is a fatal error
 * and an appropriate error code is set and the TLS alert set in *al.
 *
 * For clients al is set to NULL. If a certificate is not suitable it is not
 * a fatal error: we will either try another certificate or not present one
 * to the server. In this case no error is set.
2249
 */
2250
int tls_choose_sigalg(SSL *s, int *al)
2251
{
2252
    const SIGALG_LOOKUP *lu = NULL;
2253
    int sig_idx = -1;
2254

2255 2256 2257
    s->s3->tmp.cert = NULL;
    s->s3->tmp.sigalg = NULL;

2258 2259
    if (SSL_IS_TLS13(s)) {
        size_t i;
R
Richard Levitte 已提交
2260
#ifndef OPENSSL_NO_EC
2261
        int curve = -1, skip_ec = 0;
R
Richard Levitte 已提交
2262
#endif
2263

F
FdaSilvaYY 已提交
2264
        /* Look for a certificate matching shared sigalgs */
2265
        for (i = 0; i < s->cert->shared_sigalgslen; i++) {
2266
            lu = s->cert->shared_sigalgs[i];
2267

2268 2269 2270 2271
            /* Skip SHA1, SHA224, DSA and RSA if not PSS */
            if (lu->hash == NID_sha1
                || lu->hash == NID_sha224
                || lu->sig == EVP_PKEY_DSA
2272
                || lu->sig == EVP_PKEY_RSA)
2273
                continue;
2274
            if (!tls1_lookup_md(lu, NULL))
2275
                continue;
2276 2277 2278
            if (!ssl_has_cert(s, lu->sig_idx)) {
                if (lu->sig_idx != SSL_PKEY_RSA_PSS_SIGN
                        || !ssl_has_cert(s, SSL_PKEY_RSA))
2279
                    continue;
P
Patrick Steuer 已提交
2280
                sig_idx = SSL_PKEY_RSA;
2281
            }
2282
            if (lu->sig == EVP_PKEY_EC) {
R
Richard Levitte 已提交
2283
#ifndef OPENSSL_NO_EC
2284
                if (curve == -1) {
2285
                    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
2286 2287

                    curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
2288 2289 2290
                    if (EC_KEY_get_conv_form(ec)
                        != POINT_CONVERSION_UNCOMPRESSED)
                        skip_ec = 1;
2291
                }
2292
                if (skip_ec || (lu->curve != NID_undef && curve != lu->curve))
2293
                    continue;
R
Richard Levitte 已提交
2294 2295 2296
#else
                continue;
#endif
2297
            }
2298 2299 2300
            break;
        }
        if (i == s->cert->shared_sigalgslen) {
2301 2302
            if (al == NULL)
                return 1;
2303 2304 2305 2306 2307 2308
            *al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CHOOSE_SIGALG,
                   SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
            return 0;
        }
    } else {
2309 2310 2311 2312
        /* If ciphersuite doesn't require a cert nothing to do */
        if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
            return 1;
        if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
2313
                return 1;
2314 2315 2316 2317

        if (SSL_USE_SIGALGS(s)) {
            if (s->s3->tmp.peer_sigalgs != NULL) {
                size_t i;
2318 2319 2320 2321 2322
#ifndef OPENSSL_NO_EC
                int curve;

                /* For Suite B need to match signature algorithm to curve */
                if (tls1_suiteb(s)) {
2323
                    EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
2324 2325 2326 2327 2328
                    curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
                } else {
                    curve = -1;
                }
#endif
2329 2330 2331 2332 2333 2334 2335

                /*
                 * Find highest preference signature algorithm matching
                 * cert type
                 */
                for (i = 0; i < s->cert->shared_sigalgslen; i++) {
                    lu = s->cert->shared_sigalgs[i];
2336 2337

                    if (s->server) {
2338
                        if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
2339
                            continue;
2340 2341 2342 2343 2344 2345 2346 2347 2348 2349
                    } else {
                        int cc_idx = s->cert->key - s->cert->pkeys;

                        sig_idx = lu->sig_idx;
                        if (cc_idx != sig_idx) {
                            if (sig_idx != SSL_PKEY_RSA_PSS_SIGN
                                || cc_idx != SSL_PKEY_RSA)
                                continue;
                            sig_idx = SSL_PKEY_RSA;
                        }
D
Dr. Stephen Henson 已提交
2350
                    }
2351 2352
#ifndef OPENSSL_NO_EC
                    if (curve == -1 || lu->curve == curve)
2353
#endif
2354 2355 2356
                        break;
                }
                if (i == s->cert->shared_sigalgslen) {
2357 2358
                    if (al == NULL)
                        return 1;
2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369
                    *al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
                    return 0;
                }
            } else {
                /*
                 * If we have no sigalg use defaults
                 */
                const uint16_t *sent_sigs;
                size_t sent_sigslen, i;

2370
                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
2371 2372
                    if (al == NULL)
                        return 1;
2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384
                    *al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
                    return 0;
                }

                /* Check signature matches a type we sent */
                sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
                for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
                    if (lu->sigalg == *sent_sigs)
                        break;
                }
                if (i == sent_sigslen) {
2385 2386
                    if (al == NULL)
                        return 1;
2387
                    SSLerr(SSL_F_TLS_CHOOSE_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
2388
                    *al = SSL_AD_ILLEGAL_PARAMETER;
2389 2390 2391 2392
                    return 0;
                }
            }
        } else {
2393
            if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
2394 2395
                if (al == NULL)
                    return 1;
2396 2397 2398 2399 2400
                *al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
                return 0;
            }
        }
2401
    }
2402 2403 2404
    if (sig_idx == -1)
        sig_idx = lu->sig_idx;
    s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
2405
    s->cert->key = s->s3->tmp.cert;
2406
    s->s3->tmp.sigalg = lu;
2407 2408
    return 1;
}
2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439

int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
{
    if (mode != TLSEXT_max_fragment_length_DISABLED
            && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
        SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
               SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ctx->ext.max_fragment_len_mode = mode;
    return 1;
}

int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
{
    if (mode != TLSEXT_max_fragment_length_DISABLED
            && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
        SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
               SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    ssl->ext.max_fragment_len_mode = mode;
    return 1;
}

uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
{
    return session->ext.max_fragment_len_mode;
}