tls13_final_finish_mac,
TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
- tls1_alert_code,
+ tls13_alert_code,
tls1_export_keying_material,
SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
ssl3_set_handshake_header,
0, 24, /* secp384r1 (24) */
};
-static const unsigned char eccurves_all[] = {
- 0, 29, /* X25519 (29) */
- 0, 23, /* secp256r1 (23) */
- 0, 25, /* secp521r1 (25) */
- 0, 24, /* secp384r1 (24) */
- 0, 26, /* brainpoolP256r1 (26) */
- 0, 27, /* brainpoolP384r1 (27) */
- 0, 28, /* brainpool512r1 (28) */
-
- /*
- * Remaining curves disabled by default but still permitted if set
- * via an explicit callback or parameters.
- */
- 0, 22, /* secp256k1 (22) */
- 0, 14, /* sect571r1 (14) */
- 0, 13, /* sect571k1 (13) */
- 0, 11, /* sect409k1 (11) */
- 0, 12, /* sect409r1 (12) */
- 0, 9, /* sect283k1 (9) */
- 0, 10, /* sect283r1 (10) */
- 0, 20, /* secp224k1 (20) */
- 0, 21, /* secp224r1 (21) */
- 0, 18, /* secp192k1 (18) */
- 0, 19, /* secp192r1 (19) */
- 0, 15, /* secp160k1 (15) */
- 0, 16, /* secp160r1 (16) */
- 0, 17, /* secp160r2 (17) */
- 0, 8, /* sect239k1 (8) */
- 0, 6, /* sect233k1 (6) */
- 0, 7, /* sect233r1 (7) */
- 0, 4, /* sect193r1 (4) */
- 0, 5, /* sect193r2 (5) */
- 0, 1, /* sect163k1 (1) */
- 0, 2, /* sect163r1 (2) */
- 0, 3, /* sect163r2 (3) */
-};
-
static const unsigned char suiteb_curves[] = {
0, TLSEXT_curve_P_256,
0, TLSEXT_curve_P_384
size_t *num_curves)
{
size_t pcurveslen = 0;
+
if (sess) {
*pcurves = s->session->ext.supportedgroups;
pcurveslen = s->session->ext.supportedgroups_len;
SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
*num_curves = 0;
return 0;
- } else {
- *num_curves = pcurveslen / 2;
- return 1;
}
+ *num_curves = pcurveslen / 2;
+ return 1;
}
/* See if curve is allowed by security callback */
const unsigned char *pref, *supp;
size_t num_pref, num_supp, i, j;
int k;
+
/* Can't do anything on client side */
if (s->server == 0)
return -1;
* these are acceptable due to previous checks.
*/
unsigned long cid = s->s3->tmp.new_cipher->id;
+
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
return NID_X9_62_prime256v1; /* P-256 */
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
* Avoid truncation. tls1_get_curvelist takes an int
* but s->options is a long...
*/
- if (!tls1_get_curvelist
- (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
- &num_supp))
+ if (!tls1_get_curvelist(s,
+ (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0,
+ &supp, &num_supp))
/* In practice, NID_undef == 0 but let's be precise. */
return nmatch == -1 ? 0 : NID_undef;
- if (!tls1_get_curvelist
- (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, &num_pref))
+ if (!tls1_get_curvelist(s,
+ (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0,
+ &pref, &num_pref))
return nmatch == -1 ? 0 : NID_undef;
- /*
- * If the client didn't send the elliptic_curves extension all of them
- * are allowed.
- */
- if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
- supp = eccurves_all;
- num_supp = sizeof(eccurves_all) / 2;
- } else if (num_pref == 0 &&
- (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
- pref = eccurves_all;
- num_pref = sizeof(eccurves_all) / 2;
- }
-
- k = 0;
- for (i = 0; i < num_pref; i++, pref += 2) {
+ for (k = 0, i = 0; i < num_pref; i++, pref += 2) {
const unsigned char *tsupp = supp;
+
for (j = 0; j < num_supp; j++, tsupp += 2) {
if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
continue;
if (nmatch == k) {
int id = (pref[0] << 8) | pref[1];
+
return tls1_ec_curve_id2nid(id, NULL);
}
k++;
TLSEXT_SIGALG_rsa_pkcs1_sha384,
TLSEXT_SIGALG_rsa_pkcs1_sha512,
+#ifndef OPENSSL_NO_EC
+ TLSEXT_SIGALG_ecdsa_sha1,
+#endif
+ TLSEXT_SIGALG_rsa_pkcs1_sha1,
+#ifndef OPENSSL_NO_DSA
+ TLSEXT_SIGALG_dsa_sha1,
+
TLSEXT_SIGALG_dsa_sha256,
TLSEXT_SIGALG_dsa_sha384,
TLSEXT_SIGALG_dsa_sha512
+#endif
};
#ifndef OPENSSL_NO_EC
unsigned int sigalg;
int hash;
int sig;
- int notls12;
} SIGALG_LOOKUP;
-SIGALG_LOOKUP sigalg_lookup_tbl[] = {
- {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, NID_sha256, EVP_PKEY_EC, 0},
- {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, NID_sha384, EVP_PKEY_EC, 0},
- {TLSEXT_SIGALG_ecdsa_secp521r1_sha512, NID_sha512, EVP_PKEY_EC, 0},
- {TLSEXT_SIGALG_ecdsa_sha1, NID_sha1, EVP_PKEY_EC, 0},
+static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
+#ifndef OPENSSL_NO_EC
+ {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, NID_sha256, EVP_PKEY_EC},
+ {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, NID_sha384, EVP_PKEY_EC},
+ {TLSEXT_SIGALG_ecdsa_secp521r1_sha512, NID_sha512, EVP_PKEY_EC},
+ {TLSEXT_SIGALG_ecdsa_sha1, NID_sha1, EVP_PKEY_EC},
+#endif
/*
* PSS must appear before PKCS1 so that we prefer that when signing where
* possible
*/
- {TLSEXT_SIGALG_rsa_pss_sha256, NID_sha256, EVP_PKEY_RSA, 1},
- {TLSEXT_SIGALG_rsa_pss_sha384, NID_sha384, EVP_PKEY_RSA, 1},
- {TLSEXT_SIGALG_rsa_pss_sha512, NID_sha512, EVP_PKEY_RSA, 1},
- {TLSEXT_SIGALG_rsa_pkcs1_sha256, NID_sha256, EVP_PKEY_RSA, 0},
- {TLSEXT_SIGALG_rsa_pkcs1_sha384, NID_sha384, EVP_PKEY_RSA, 0},
- {TLSEXT_SIGALG_rsa_pkcs1_sha512, NID_sha512, EVP_PKEY_RSA, 0},
- {TLSEXT_SIGALG_rsa_pkcs1_sha1, NID_sha1, EVP_PKEY_RSA, 0},
- {TLSEXT_SIGALG_dsa_sha256, NID_sha256, EVP_PKEY_DSA, 0},
- {TLSEXT_SIGALG_dsa_sha384, NID_sha384, EVP_PKEY_DSA, 0},
- {TLSEXT_SIGALG_dsa_sha512, NID_sha512, EVP_PKEY_DSA, 0},
- {TLSEXT_SIGALG_dsa_sha1, NID_sha1, EVP_PKEY_DSA, 0},
- {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, NID_id_GostR3411_2012_256, NID_id_GostR3410_2012_256, 0},
- {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, NID_id_GostR3411_2012_512, NID_id_GostR3410_2012_512, 0},
- {TLSEXT_SIGALG_gostr34102001_gostr3411, NID_id_GostR3411_94, NID_id_GostR3410_2001, 0}
+ {TLSEXT_SIGALG_rsa_pss_sha256, NID_sha256, EVP_PKEY_RSA},
+ {TLSEXT_SIGALG_rsa_pss_sha384, NID_sha384, EVP_PKEY_RSA},
+ {TLSEXT_SIGALG_rsa_pss_sha512, NID_sha512, EVP_PKEY_RSA},
+ {TLSEXT_SIGALG_rsa_pkcs1_sha256, NID_sha256, EVP_PKEY_RSA},
+ {TLSEXT_SIGALG_rsa_pkcs1_sha384, NID_sha384, EVP_PKEY_RSA},
+ {TLSEXT_SIGALG_rsa_pkcs1_sha512, NID_sha512, EVP_PKEY_RSA},
+ {TLSEXT_SIGALG_rsa_pkcs1_sha1, NID_sha1, EVP_PKEY_RSA},
+#ifndef OPENSSL_NO_DSA
+ {TLSEXT_SIGALG_dsa_sha256, NID_sha256, EVP_PKEY_DSA},
+ {TLSEXT_SIGALG_dsa_sha384, NID_sha384, EVP_PKEY_DSA},
+ {TLSEXT_SIGALG_dsa_sha512, NID_sha512, EVP_PKEY_DSA},
+ {TLSEXT_SIGALG_dsa_sha1, NID_sha1, EVP_PKEY_DSA},
+#endif
+#ifndef OPENSSL_NO_GOST
+ {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, NID_id_GostR3411_2012_256, NID_id_GostR3410_2012_256},
+ {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, NID_id_GostR3411_2012_512, NID_id_GostR3410_2012_512},
+ {TLSEXT_SIGALG_gostr34102001_gostr3411, NID_id_GostR3411_94, NID_id_GostR3410_2001}
+#endif
};
static int tls_sigalg_get_hash(unsigned int sigalg)
{
size_t i;
- SIGALG_LOOKUP *curr;
+ const SIGALG_LOOKUP *curr;
for (i = 0, curr = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
i++, curr++) {
static int tls_sigalg_get_sig(unsigned int sigalg)
{
size_t i;
- SIGALG_LOOKUP *curr;
+ const SIGALG_LOOKUP *curr;
for (i = 0, curr = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
i++, curr++) {
return 0;
}
-
-size_t tls12_get_psigalgs(SSL *s, const unsigned int **psigs)
+size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned int **psigs)
{
/*
* If Suite B mode use Suite B sigalgs only, ignore any other
switch (tls1_suiteb(s)) {
case SSL_CERT_FLAG_SUITEB_128_LOS:
*psigs = suiteb_sigalgs;
- return sizeof(suiteb_sigalgs);
+ return OSSL_NELEM(suiteb_sigalgs);
case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
*psigs = suiteb_sigalgs;
- return 2;
+ return 1;
case SSL_CERT_FLAG_SUITEB_192_LOS:
- *psigs = suiteb_sigalgs + 2;
- return 2;
+ *psigs = suiteb_sigalgs + 1;
+ return 1;
}
#endif
- /* If server use client authentication sigalgs if not NULL */
- if (s->server && s->cert->client_sigalgs) {
+ /*
+ * We use client_sigalgs (if not NULL) if we're a server
+ * and sending a certificate request or if we're a client and
+ * determining which shared algorithm to use.
+ */
+ if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
*psigs = s->cert->client_sigalgs;
return s->cert->client_sigalgslen;
} else if (s->cert->conf_sigalgs) {
return 0;
}
#ifndef OPENSSL_NO_EC
- if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+ if (pkeyid == EVP_PKEY_EC) {
unsigned char curve_id[2], comp_id;
/* Check compression and curve matches extensions */
if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
#endif
/* Check signature matches a type we sent */
- sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
+ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
if (sig == *sent_sigs)
break;
}
int tls12_get_sigandhash(SSL *s, WPACKET *pkt, const EVP_PKEY *pk,
- const EVP_MD *md)
+ const EVP_MD *md, int *ispss)
{
- int md_id, sig_id;
+ int md_id, sig_id, tmpispss = 0;
size_t i;
- SIGALG_LOOKUP *curr;
+ const SIGALG_LOOKUP *curr;
if (md == NULL)
return 0;
for (i = 0, curr = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
i++, curr++) {
- if (curr->hash == md_id && curr->sig == sig_id
- && (!curr->notls12 || SSL_IS_TLS13(s))) {
+ if (curr->hash == md_id && curr->sig == sig_id) {
+ if (sig_id == EVP_PKEY_RSA) {
+ tmpispss = SIGID_IS_PSS(curr->sigalg);
+ if (!SSL_IS_TLS13(s) && tmpispss) {
+ size_t j;
+
+ /*
+ * Check peer actually sent a PSS sig id - it could have
+ * been a PKCS1 sig id instead.
+ */
+ for (j = 0; j < s->cert->shared_sigalgslen; j++)
+ if (s->cert->shared_sigalgs[j].rsigalg == curr->sigalg)
+ break;
+
+ if (j == s->cert->shared_sigalgslen)
+ continue;
+ }
+ }
if (!WPACKET_put_bytes_u16(pkt, curr->sigalg))
return 0;
+ *ispss = tmpispss;
return 1;
}
}
* RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
* down calls to security callback only check if we have to.
*/
- sigalgslen = tls12_get_psigalgs(s, &sigalgs);
+ sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
for (i = 0; i < sigalgslen; i ++, sigalgs++) {
switch (tls_sigalg_get_sig(*sigalgs)) {
#ifndef OPENSSL_NO_RSA
conf = c->conf_sigalgs;
conflen = c->conf_sigalgslen;
} else
- conflen = tls12_get_psigalgs(s, &conf);
+ conflen = tls12_get_psigalgs(s, 0, &conf);
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
pref = conf;
preflen = conflen;
for (i = 0, sigptr = c->shared_sigalgs;
i < c->shared_sigalgslen; i++, sigptr++) {
+ /* Ignore PKCS1 based sig algs in TLSv1.3 */
+ if (SSL_IS_TLS13(s)
+ && (sigptr->rsigalg == TLSEXT_SIGALG_rsa_pkcs1_sha1
+ || sigptr->rsigalg == TLSEXT_SIGALG_rsa_pkcs1_sha256
+ || sigptr->rsigalg == TLSEXT_SIGALG_rsa_pkcs1_sha384
+ || sigptr->rsigalg == TLSEXT_SIGALG_rsa_pkcs1_sha512))
+ continue;
idx = tls12_get_pkey_idx(sigptr->sign_nid);
if (idx > 0 && pmd[idx] == NULL) {
md = tls12_get_hash(sigptr->hash_nid);
}
/*
- * In strict mode leave unset digests as NULL to indicate we can't use
- * the certificate for signing.
+ * In strict mode or TLS1.3 leave unset digests as NULL to indicate we can't
+ * use the certificate for signing.
*/
- if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
+ if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
+ && !SSL_IS_TLS13(s)) {
/*
* Set any remaining keys to default values. NOTE: if alg is not
* supported it stays as NULL.
return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}
+/* TODO(TLS1.3): Needs updating to allow setting of TLS1.3 sig algs */
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
{
unsigned int *sigalgs, *sptr;
if (salglen & 1)
return 0;
- sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs));
+ sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs));
if (sigalgs == NULL)
return 0;
/*
*/
for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
size_t j;
- SIGALG_LOOKUP *curr;
+ const SIGALG_LOOKUP *curr;
int md_id = *psig_nids++;
int sig_id = *psig_nids++;
for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
j++, curr++) {
- if (curr->hash == md_id && curr->sig == sig_id && !curr->notls12) {
+ /* Skip setting PSS so we get PKCS1 by default */
+ if (SIGID_IS_PSS(curr->sigalg))
+ continue;
+ if (curr->hash == md_id && curr->sig == sig_id) {
*sptr++ = curr->sigalg;
break;
}
if (client) {
OPENSSL_free(c->client_sigalgs);
c->client_sigalgs = sigalgs;
- c->client_sigalgslen = salglen;
+ c->client_sigalgslen = salglen / 2;
} else {
OPENSSL_free(c->conf_sigalgs);
c->conf_sigalgs = sigalgs;
- c->conf_sigalgslen = salglen;
+ c->conf_sigalgslen = salglen / 2;
}
return 1;