static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
#ifndef OPENSSL_NO_EC
{"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
- NID_sha256, EVP_PKEY_EC, NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
+ NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
+ NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
{"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
- NID_sha384, EVP_PKEY_EC, NID_ecdsa_with_SHA384, NID_secp384r1},
+ NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
+ NID_ecdsa_with_SHA384, NID_secp384r1},
{"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
- NID_sha512, EVP_PKEY_EC, NID_ecdsa_with_SHA512, NID_secp521r1},
+ NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
+ NID_ecdsa_with_SHA512, NID_secp521r1},
{NULL, TLSEXT_SIGALG_ecdsa_sha1,
- NID_sha1, EVP_PKEY_EC, NID_ecdsa_with_SHA1, NID_undef},
+ NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
+ NID_ecdsa_with_SHA1, NID_undef},
#endif
{"rsa_pss_sha256", TLSEXT_SIGALG_rsa_pss_sha256,
- NID_sha256, EVP_PKEY_RSA_PSS, NID_undef, NID_undef},
+ NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
+ NID_undef, NID_undef},
{"rsa_pss_sha384", TLSEXT_SIGALG_rsa_pss_sha384,
- NID_sha384, EVP_PKEY_RSA_PSS, NID_undef, NID_undef},
+ NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
+ NID_undef, NID_undef},
{"rsa_pss_sha512", TLSEXT_SIGALG_rsa_pss_sha512,
- NID_sha512, EVP_PKEY_RSA_PSS, NID_undef, NID_undef},
+ NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
+ NID_undef, NID_undef},
{"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
- NID_sha256, EVP_PKEY_RSA, NID_sha256WithRSAEncryption, NID_undef},
+ NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
+ NID_sha256WithRSAEncryption, NID_undef},
{"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
- NID_sha384, EVP_PKEY_RSA, NID_sha384WithRSAEncryption, NID_undef},
+ NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
+ NID_sha384WithRSAEncryption, NID_undef},
{"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
- NID_sha512, EVP_PKEY_RSA, NID_sha512WithRSAEncryption, NID_undef},
+ NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
+ NID_sha512WithRSAEncryption, NID_undef},
{"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
- NID_sha1, EVP_PKEY_RSA, NID_sha1WithRSAEncryption, NID_undef},
+ NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
+ NID_sha1WithRSAEncryption, NID_undef},
#ifndef OPENSSL_NO_DSA
{NULL, TLSEXT_SIGALG_dsa_sha256,
- NID_sha256, EVP_PKEY_DSA, NID_dsa_with_SHA256, NID_undef},
+ NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
+ NID_dsa_with_SHA256, NID_undef},
{NULL, TLSEXT_SIGALG_dsa_sha384,
- NID_sha384, EVP_PKEY_DSA, NID_undef, NID_undef},
+ NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
+ NID_undef, NID_undef},
{NULL, TLSEXT_SIGALG_dsa_sha512,
- NID_sha512, EVP_PKEY_DSA, NID_undef, NID_undef},
+ NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
+ NID_undef, NID_undef},
{NULL, TLSEXT_SIGALG_dsa_sha1,
- NID_sha1, EVP_PKEY_DSA, NID_dsaWithSHA1, NID_undef},
+ NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
+ NID_dsaWithSHA1, NID_undef},
#endif
#ifndef OPENSSL_NO_GOST
{NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
- NID_id_GostR3411_2012_256, NID_id_GostR3410_2012_256, NID_undef,
- NID_undef},
+ NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
+ NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
+ NID_undef, NID_undef},
{NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
- NID_id_GostR3411_2012_512, NID_id_GostR3410_2012_512, NID_undef,
- NID_undef},
+ NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
+ NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
+ NID_undef, NID_undef},
{NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
- NID_id_GostR3411_94, NID_id_GostR3410_2001, NID_undef, NID_undef}
+ NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
+ NID_id_GostR3410_2001, SSL_PKEY_GOST01,
+ NID_undef, NID_undef}
#endif
};
+/* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
+static const SIGALG_LOOKUP legacy_rsa_sigalg = {
+ "rsa_pkcs1_md5_sha1", 0,
+ NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
+ EVP_PKEY_RSA, SSL_PKEY_RSA,
+ NID_undef, NID_undef
+};
+
+/*
+ * Default signature algorithm values used if signature algorithms not present.
+ * From RFC5246. Note: order must match certificate index order.
+ */
+static const uint16_t tls_default_sigalg[] = {
+ TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
+ TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
+ TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
+ TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
+ TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
+ TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 /* SSL_PKEY_GOST12_512 */
+};
/* Lookup TLS signature algorithm */
static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
}
return NULL;
}
+/*
+ * Return a signature algorithm for TLS < 1.2 where the signature type
+ * is fixed by the certificate type.
+ */
+static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
+{
+ if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
+ return NULL;
+ if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
+ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
-static int tls_sigalg_get_hash(uint16_t sigalg)
+ if (lu == NULL || ssl_md(lu->hash_idx) == NULL) {
+ return NULL;
+ }
+ return lu;
+ }
+ return &legacy_rsa_sigalg;
+}
+/* Set peer sigalg based key type */
+int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
{
- const SIGALG_LOOKUP *r = tls1_lookup_sigalg(sigalg);
+ int idx = ssl_cert_type(NULL, pkey);
- return r != NULL ? r->hash : 0;
+ const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, idx);
+ if (lu == NULL)
+ return 0;
+ s->s3->tmp.peer_sigalg = lu;
+ return 1;
}
static int tls_sigalg_get_sig(uint16_t sigalg)
* algorithms and if so set relevant digest and signature scheme in
* s.
*/
-int tls12_check_peer_sigalg(SSL *s, unsigned int sig, EVP_PKEY *pkey)
+int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
{
const uint16_t *sent_sigs;
const EVP_MD *md = NULL;
char sigalgstr[2];
size_t sent_sigslen, i;
int pkeyid = EVP_PKEY_id(pkey);
- int peer_sigtype;
+ const SIGALG_LOOKUP *lu;
/* Should never happen */
if (pkeyid == -1)
return -1;
- /* Check key type is consistent with signature */
- peer_sigtype = tls_sigalg_get_sig(sig);
- /* RSA keys can be used for RSA-PSS */
- if (pkeyid != peer_sigtype
- && (peer_sigtype != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA)) {
+ /* Only allow PSS for TLS 1.3 */
+ if (SSL_IS_TLS13(s) && pkeyid == EVP_PKEY_RSA)
+ pkeyid = EVP_PKEY_RSA_PSS;
+ lu = tls1_lookup_sigalg(sig);
+ /*
+ * Check sigalgs is known and key type is consistent with signature:
+ * RSA keys can be used for RSA-PSS
+ */
+ if (lu == NULL || (pkeyid != lu->sig
+ && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
}
#ifndef OPENSSL_NO_EC
if (pkeyid == EVP_PKEY_EC) {
- unsigned char curve_id[2], comp_id;
- /* Check compression and curve matches extensions */
- if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
- return 0;
- if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
- SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
- return 0;
- }
- /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
- if (tls1_suiteb(s)) {
- if (curve_id[0])
+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
+ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+
+ if (SSL_IS_TLS13(s)) {
+ /* For TLS 1.3 check curve matches signature algorithm */
+
+ if (lu->curve != NID_undef && curve != lu->curve) {
+ SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
return 0;
- if (curve_id[1] == TLSEXT_curve_P_256) {
- if (tls_sigalg_get_hash(sig) != NID_sha256) {
+ }
+ } else {
+ unsigned char curve_id[2], comp_id;
+
+ /* Check compression and curve matches extensions */
+ if (!tls1_set_ec_id(curve_id, &comp_id, ec))
+ return 0;
+ if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
+ SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
+ return 0;
+ }
+ if (tls1_suiteb(s)) {
+ /* Check sigalg matches a permissible Suite B value */
+ if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
+ && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
- SSL_R_ILLEGAL_SUITEB_DIGEST);
+ SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
}
- } else if (curve_id[1] == TLSEXT_curve_P_384) {
- if (tls_sigalg_get_hash(sig) != NID_sha384) {
+ /*
+ * Suite B also requires P-256+SHA256 and P-384+SHA384:
+ * this matches the TLS 1.3 requirements so we can just
+ * check the curve is the expected TLS 1.3 value.
+ * If this fails an inappropriate digest is being used.
+ */
+ if (curve != lu->curve) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_ILLEGAL_SUITEB_DIGEST);
return 0;
}
- } else
- return 0;
+ }
}
- } else if (tls1_suiteb(s))
+ } else if (tls1_suiteb(s)) {
return 0;
+ }
#endif
/* Check signature matches a type we sent */
break;
}
/* Allow fallback to SHA1 if not strict mode */
- if (i == sent_sigslen
- && (tls_sigalg_get_hash(sig) != NID_sha1
- || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
+ if (i == sent_sigslen && (lu->hash != NID_sha1
+ || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
}
- md = tls12_get_hash(tls_sigalg_get_hash(sig));
+ md = ssl_md(lu->hash_idx);
if (md == NULL) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
return 0;
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
}
- /*
- * Store the digest used so applications can retrieve it if they wish.
- */
- s->s3->tmp.peer_md = md;
- s->s3->tmp.peer_sigtype = peer_sigtype;
+ /* Store the sigalg the peer uses */
+ s->s3->tmp.peer_sigalg = lu;
return 1;
}
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
{
- if (s->s3->tmp.peer_sigtype == NID_undef)
+ if (s->s3->tmp.peer_sigalg == NULL)
return 0;
- *pnid = s->s3->tmp.peer_sigtype;
+ *pnid = s->s3->tmp.peer_sigalg->sig;
return 1;
}
#endif
#ifndef OPENSSL_NO_RSA
if (SSL_USE_SIGALGS(s))
- pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
+ pmd[SSL_PKEY_RSA] = ssl_md(SSL_MD_SHA1_IDX);
else
- pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
- pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
+ pmd[SSL_PKEY_RSA] = ssl_md(SSL_MD_MD5_SHA1_IDX);
#endif
#ifndef OPENSSL_NO_EC
pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
unsigned char tick_hmac[EVP_MAX_MD_SIZE];
HMAC_CTX *hctx = NULL;
EVP_CIPHER_CTX *ctx;
- SSL_CTX *tctx = s->initial_ctx;
+ SSL_CTX *tctx = s->session_ctx;
/* Initialize session ticket encryption and HMAC contexts */
hctx = HMAC_CTX_new();
}
/* Attempt to decrypt session data */
/* Move p after IV to start of encrypted ticket, update length */
- p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
- eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
+ p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
+ eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
sdec = OPENSSL_malloc(eticklen);
if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
(int)eticklen) <= 0) {
{
int md_id, sig_id;
size_t i;
+ const SIGALG_LOOKUP *curr;
if (md == NULL)
return 0;
if (SSL_IS_TLS13(s) && sig_id == EVP_PKEY_RSA)
sig_id = EVP_PKEY_RSA_PSS;
+ if (s->s3->tmp.peer_sigalgs == NULL) {
+ /* Should never happen: we abort if no sigalgs extension and TLS 1.3 */
+ if (SSL_IS_TLS13(s))
+ return 0;
+ /* For TLS 1.2 and no sigalgs lookup using complete table */
+ for (i = 0, curr = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
+ i++, curr++) {
+ if (curr->hash == md_id && curr->sig == sig_id) {
+ if (!WPACKET_put_bytes_u16(pkt, curr->sigalg))
+ return 0;
+ *ispss = curr->sig == EVP_PKEY_RSA_PSS;
+ return 1;
+ }
+ }
+ return 0;
+ }
+
for (i = 0; i < s->cert->shared_sigalgslen; i++) {
- const SIGALG_LOOKUP *curr = s->cert->shared_sigalgs[i];
+ curr = s->cert->shared_sigalgs[i];
/*
* Look for matching key and hash. If key type is RSA also match PSS
return 0;
}
-typedef struct {
- int nid;
- int secbits;
- int md_idx;
-} tls12_hash_info;
-
-static const tls12_hash_info tls12_md_info[] = {
- {NID_md5, 64, SSL_MD_MD5_IDX},
- {NID_sha1, 80, SSL_MD_SHA1_IDX},
- {NID_sha224, 112, SSL_MD_SHA224_IDX},
- {NID_sha256, 128, SSL_MD_SHA256_IDX},
- {NID_sha384, 192, SSL_MD_SHA384_IDX},
- {NID_sha512, 256, SSL_MD_SHA512_IDX},
- {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX},
- {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX},
- {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX},
-};
-
-static const tls12_hash_info *tls12_get_hash_info(int hash_nid)
-{
- unsigned int i;
- if (hash_nid == NID_undef)
- return NULL;
-
- for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
- if (tls12_md_info[i].nid == hash_nid)
- return tls12_md_info + i;
- }
-
- return NULL;
-}
-
-const EVP_MD *tls12_get_hash(int hash_nid)
-{
- const tls12_hash_info *inf;
- if (hash_nid == NID_md5 && FIPS_mode())
- return NULL;
- inf = tls12_get_hash_info(hash_nid);
- if (!inf)
- return NULL;
- return ssl_md(inf->md_idx);
-}
-
static int tls12_get_pkey_idx(int sig_nid)
{
switch (sig_nid) {
#ifndef OPENSSL_NO_RSA
case EVP_PKEY_RSA:
- return SSL_PKEY_RSA_SIGN;
+ return SSL_PKEY_RSA;
/*
* For now return RSA key for PSS. When we support PSS only keys
* this will need to be updated.
*/
case EVP_PKEY_RSA_PSS:
- return SSL_PKEY_RSA_SIGN;
+ return SSL_PKEY_RSA;
#endif
#ifndef OPENSSL_NO_DSA
case EVP_PKEY_DSA:
}
/* Check to see if a signature algorithm is allowed */
-static int tls12_sigalg_allowed(SSL *s, int op, unsigned int ptmp)
+static int tls12_sigalg_allowed(SSL *s, int op, uint16_t ptmp)
{
- /* See if we have an entry in the hash table and it is enabled */
- const tls12_hash_info *hinf
- = tls12_get_hash_info(tls_sigalg_get_hash(ptmp));
+ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(ptmp);
unsigned char sigalgstr[2];
+ int secbits;
- if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
+ /* See if sigalgs is recognised and if hash is enabled */
+ if (lu == NULL || ssl_md(lu->hash_idx) == NULL)
return 0;
/* See if public key algorithm allowed */
- if (tls12_get_pkey_idx(tls_sigalg_get_sig(ptmp)) == -1)
+ if (tls12_get_pkey_idx(lu->sig) == -1)
return 0;
+ /* Security bits: half digest bits */
+ secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
/* Finally see if security callback allows it */
sigalgstr[0] = (ptmp >> 8) & 0xff;
sigalgstr[1] = ptmp & 0xff;
- return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)sigalgstr);
+ return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
}
/*
if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
continue;
idx = tls12_get_pkey_idx(sigptr->sig);
- if (idx > 0 && pmd[idx] == NULL) {
- md = tls12_get_hash(sigptr->hash);
+ if (idx >= 0 && pmd[idx] == NULL) {
+ md = ssl_md(sigptr->hash_idx);
pmd[idx] = md;
pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
- if (idx == SSL_PKEY_RSA_SIGN) {
- pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
- pmd[SSL_PKEY_RSA_ENC] = md;
- }
}
-
}
/*
* In strict mode or TLS1.3 leave unset digests as NULL to indicate we can't
pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
#endif
#ifndef OPENSSL_NO_RSA
- if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
- pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
- pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
+ if (pmd[SSL_PKEY_RSA] == NULL) {
+ pmd[SSL_PKEY_RSA] = EVP_sha1();
}
#endif
#ifndef OPENSSL_NO_EC
{
const SIGALG_LOOKUP *shsigalgs;
if (s->cert->shared_sigalgs == NULL
+ || idx < 0
|| idx >= (int)s->cert->shared_sigalgslen
|| s->cert->shared_sigalgslen > INT_MAX)
return 0;
return (int)s->cert->shared_sigalgslen;
}
-#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
+/* Maximum possible number of unique entries in sigalgs array */
+#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
typedef struct {
size_t sigalgcnt;
- int sigalgs[MAX_SIGALGLEN];
+ int sigalgs[TLS_MAX_SIGALGCNT];
} sig_cb_st;
static void get_sigorhash(int *psig, int *phash, const char *str)
*phash = OBJ_ln2nid(str);
}
}
+/* Maximum length of a signature algorithm string component */
+#define TLS_MAX_SIGSTRING_LEN 40
static int sig_cb(const char *elem, int len, void *arg)
{
sig_cb_st *sarg = arg;
size_t i;
- char etmp[40], *p;
+ char etmp[TLS_MAX_SIGSTRING_LEN], *p;
int sig_alg = NID_undef, hash_alg = NID_undef;
if (elem == NULL)
return 0;
- if (sarg->sigalgcnt == MAX_SIGALGLEN)
+ if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
return 0;
if (len > (int)(sizeof(etmp) - 1))
return 0;
/* If no sigalgs extension use defaults from RFC5246 */
else {
switch (idx) {
- case SSL_PKEY_RSA_ENC:
- case SSL_PKEY_RSA_SIGN:
+ case SSL_PKEY_RSA:
rsign = EVP_PKEY_RSA;
default_nid = NID_sha1WithRSAEncryption;
break;
size_t j;
const uint16_t *p = c->conf_sigalgs;
for (j = 0; j < c->conf_sigalgslen; j++, p++) {
- if (tls_sigalg_get_hash(*p) == NID_sha1
- && tls_sigalg_get_sig(*p) == rsign)
+ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);
+
+ if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
break;
}
if (j == c->conf_sigalgslen) {
/* Set validity of certificates in an SSL structure */
void tls1_set_cert_validity(SSL *s)
{
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
else
dh_secbits = 80;
} else {
- CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
- dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
+ if (s->s3->tmp.cert == NULL)
+ return NULL;
+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
}
if (dh_secbits >= 128) {
}
return 1;
}
+
+/*
+ * Choose an appropriate signature algorithm based on available certificates
+ * Set current certificate and digest to match chosen algorithm.
+ */
+int tls_choose_sigalg(SSL *s, int *al)
+{
+ int idx = -1;
+ const SIGALG_LOOKUP *lu = NULL;
+
+ if (SSL_IS_TLS13(s)) {
+ size_t i;
+#ifndef OPENSSL_NO_EC
+ int curve = -1;
+#endif
+
+ /* Look for a certificate matching shared sigaglgs */
+ for (i = 0; i < s->cert->shared_sigalgslen; i++) {
+ lu = s->cert->shared_sigalgs[i];
+
+ /* Skip RSA if not PSS */
+ if (lu->sig == EVP_PKEY_RSA)
+ continue;
+ if (ssl_md(lu->hash_idx) == NULL)
+ continue;
+ idx = lu->sig_idx;
+ if (!ssl_has_cert(s, idx))
+ continue;
+ if (lu->sig == EVP_PKEY_EC) {
+#ifndef OPENSSL_NO_EC
+ if (curve == -1) {
+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[idx].privatekey);
+
+ curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ }
+ if (lu->curve != NID_undef && curve != lu->curve)
+ continue;
+#else
+ continue;
+#endif
+ }
+ break;
+ }
+ if (i == s->cert->shared_sigalgslen) {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_CHOOSE_SIGALG,
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+ return 0;
+ }
+ } else {
+ /* Find index corresponding to ciphersuite */
+ idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
+ /* If no certificate for ciphersuite return */
+ if (idx == -1) {
+ s->s3->tmp.cert = NULL;
+ s->s3->tmp.sigalg = NULL;
+ return 1;
+ }
+ if (idx == SSL_PKEY_GOST_EC) {
+ /* Work out which GOST certificate is avaiable */
+ if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
+ idx = SSL_PKEY_GOST12_512;
+ } else if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
+ idx = SSL_PKEY_GOST12_256;
+ } else if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
+ idx = SSL_PKEY_GOST01;
+ } else {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ } else if (!ssl_has_cert(s, idx)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ if (SSL_USE_SIGALGS(s)) {
+ if (s->s3->tmp.peer_sigalgs != NULL) {
+ size_t i;
+
+ /*
+ * Find highest preference signature algorithm matching
+ * cert type
+ */
+ for (i = 0; i < s->cert->shared_sigalgslen; i++) {
+ lu = s->cert->shared_sigalgs[i];
+ if (lu->sig_idx == idx)
+ break;
+ if (idx == SSL_PKEY_RSA && lu->sig == EVP_PKEY_RSA_PSS)
+ break;
+ }
+ if (i == s->cert->shared_sigalgslen) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ } else {
+ /*
+ * If we have no sigalg use defaults
+ */
+ const uint16_t *sent_sigs;
+ size_t sent_sigslen, i;
+
+ if ((lu = tls1_get_legacy_sigalg(s, idx)) == NULL) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ /* Check signature matches a type we sent */
+ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
+ for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
+ if (lu->sigalg == *sent_sigs)
+ break;
+ }
+ if (i == sent_sigslen) {
+ SSLerr(SSL_F_TLS_CHOOSE_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ return 0;
+ }
+ }
+ } else {
+ if ((lu = tls1_get_legacy_sigalg(s, idx)) == NULL) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+ }
+ if (idx == -1) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ s->s3->tmp.cert = &s->cert->pkeys[idx];
+ s->cert->key = s->s3->tmp.cert;
+ s->s3->tmp.sigalg = lu;
+ return 1;
+}