*/
unsigned long dup_list = 0;
+ if (ngroups == 0) {
+ SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH);
+ return 0;
+ }
if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE);
return 0;
TLSEXT_SIGALG_dsa_sha256,
TLSEXT_SIGALG_dsa_sha384,
- TLSEXT_SIGALG_dsa_sha512
+ TLSEXT_SIGALG_dsa_sha512,
+#endif
+#ifndef OPENSSL_NO_GOST
+ TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
+ TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
+ TLSEXT_SIGALG_gostr34102001_gostr3411,
#endif
};
const uint16_t *sent_sigs;
const EVP_MD *md = NULL;
char sigalgstr[2];
- size_t sent_sigslen, i;
+ size_t sent_sigslen, i, cidx;
int pkeyid = EVP_PKEY_id(pkey);
const SIGALG_LOOKUP *lu;
SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
}
+ /* Check the sigalg is consistent with the key OID */
+ if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx)
+ || lu->sig_idx != (int)cidx) {
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
+ SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
+ }
+
#ifndef OPENSSL_NO_EC
if (pkeyid == EVP_PKEY_EC) {
s->s3->tmp.mask_k = 0;
ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver,
- &s->s3->tmp.max_ver) != 0)
+ &s->s3->tmp.max_ver, NULL) != 0)
return 0;
#ifndef OPENSSL_NO_PSK
/* with PSK there must be client callback set */
}
}
- switch (ret) {
- case SSL_TICKET_NO_DECRYPT:
- case SSL_TICKET_SUCCESS_RENEW:
- case SSL_TICKET_EMPTY:
- s->ext.ticket_expected = 1;
+ if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) {
+ switch (ret) {
+ case SSL_TICKET_NO_DECRYPT:
+ case SSL_TICKET_SUCCESS_RENEW:
+ case SSL_TICKET_EMPTY:
+ s->ext.ticket_expected = 1;
+ }
}
*psess = sess;
|| lu->hash_idx == SSL_MD_MD5_IDX
|| lu->hash_idx == SSL_MD_SHA224_IDX))
return 0;
+
/* See if public key algorithm allowed */
if (ssl_cert_is_disabled(lu->sig_idx))
return 0;
+
+ if (lu->sig == NID_id_GostR3410_2012_256
+ || lu->sig == NID_id_GostR3410_2012_512
+ || lu->sig == NID_id_GostR3410_2001) {
+ /* We never allow GOST sig algs on the server with TLSv1.3 */
+ if (s->server && SSL_IS_TLS13(s))
+ return 0;
+ if (!s->server
+ && s->method->version == TLS_ANY_VERSION
+ && s->s3->tmp.max_ver >= TLS1_3_VERSION) {
+ int i, num;
+ STACK_OF(SSL_CIPHER) *sk;
+
+ /*
+ * We're a client that could negotiate TLSv1.3. We only allow GOST
+ * sig algs if we could negotiate TLSv1.2 or below and we have GOST
+ * ciphersuites enabled.
+ */
+
+ if (s->s3->tmp.min_ver >= TLS1_3_VERSION)
+ return 0;
+
+ sk = SSL_get_ciphers(s);
+ num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0;
+ for (i = 0; i < num; i++) {
+ const SSL_CIPHER *c;
+
+ c = sk_SSL_CIPHER_value(sk, i);
+ /* Skip disabled ciphers */
+ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
+ continue;
+
+ if ((c->algorithm_mkey & SSL_kGOST) != 0)
+ break;
+ }
+ if (i == num)
+ return 0;
+ }
+ }
+
if (lu->hash == NID_undef)
return 1;
/* Security bits: half digest bits */
if (dhp == NULL)
return NULL;
g = BN_new();
- if (g != NULL)
- BN_set_word(g, 2);
+ if (g == NULL || !BN_set_word(g, 2)) {
+ DH_free(dhp);
+ BN_free(g);
+ return NULL;
+ }
if (dh_secbits >= 192)
p = BN_get_rfc3526_prime_8192(NULL);
else
p = BN_get_rfc3526_prime_3072(NULL);
- if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
DH_free(dhp);
BN_free(p);
BN_free(g);
const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
/* If not recognised or not supported by cipher mask it is not suitable */
- if (clu == NULL || !(clu->amask & s->s3->tmp.new_cipher->algorithm_auth))
+ if (clu == NULL
+ || (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0
+ || (clu->nid == EVP_PKEY_RSA_PSS
+ && (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0))
return -1;
return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
{
const SIGALG_LOOKUP *lu;
- int mdnid, pknid;
+ int mdnid, pknid, supported;
size_t i;
/* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */
lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
if (lu == NULL
|| !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid,
- &pknid, NULL, NULL))
+ &pknid, NULL, NULL)
+ /*
+ * TODO this does not differentiate between the
+ * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
+ * have a chain here that lets us look at the key OID in the
+ * signing certificate.
+ */
+ || mdnid != lu->hash
+ || pknid != lu->sig)
continue;
- /*
- * TODO this does not differentiate between the
- * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
- * have a chain here that lets us look at the key OID in the
- * signing certificate.
- */
- if (mdnid == lu->hash && pknid == lu->sig)
- return 1;
+
+ ERR_set_mark();
+ supported = EVP_PKEY_supports_digest_nid(s->cert->pkeys[idx].privatekey,
+ mdnid);
+ if (supported == 0)
+ continue;
+ else if (supported < 0)
+ {
+ /* If it didn't report a mandatory NID, for whatever reasons,
+ * just clear the error and allow all hashes to be used. */
+ ERR_pop_to_mark();
+ }
+ return 1;
}
return 0;
}
+ supported = EVP_PKEY_supports_digest_nid(s->cert->pkeys[idx].privatekey,
+ sig->hash);
+ if (supported == 0)
+ return 0;
+ else if (supported < 0)
+ ERR_clear_error();
+
return 1;
}
if (i == s->cert->shared_sigalgslen) {
if (!fatalerrs)
return 1;
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
- ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+ SSL_F_TLS_CHOOSE_SIGALG,
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
return 0;
}
} else {