* https://www.openssl.org/source/license.html
*/
+/* We need access to the deprecated low level HMAC APIs */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#include <stdio.h>
#include <stdlib.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#include <openssl/core_names.h>
#include <openssl/ocsp.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
#include "internal/nelem.h"
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/ct.h>
+static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
+static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
+
SSL3_ENC_METHOD const TLSv1_enc_data = {
tls1_enc,
tls1_mac,
/*
* Table of group information.
*/
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
static const TLS_GROUP_INFO nid_list[] = {
-#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_EC
{NID_sect163k1, 80, TLS_GROUP_CURVE_CHAR2, 0x0001}, /* sect163k1 (1) */
{NID_sect163r1, 80, TLS_GROUP_CURVE_CHAR2, 0x0002}, /* sect163r1 (2) */
{NID_sect163r2, 80, TLS_GROUP_CURVE_CHAR2, 0x0003}, /* sect163r2 (3) */
{NID_brainpoolP512r1, 256, TLS_GROUP_CURVE_PRIME, 0x001C}, /* brainpool512r1 (28) */
{EVP_PKEY_X25519, 128, TLS_GROUP_CURVE_CUSTOM, 0x001D}, /* X25519 (29) */
{EVP_PKEY_X448, 224, TLS_GROUP_CURVE_CUSTOM, 0x001E}, /* X448 (30) */
-#endif /* OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_DH
+# endif /* OPENSSL_NO_EC */
+# ifndef OPENSSL_NO_DH
/* Security bit values for FFDHE groups are updated as per RFC 7919 */
{NID_ffdhe2048, 103, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0100}, /* ffdhe2048 (0x0100) */
{NID_ffdhe3072, 125, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0101}, /* ffdhe3072 (0x0101) */
{NID_ffdhe4096, 150, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0102}, /* ffdhe4096 (0x0102) */
{NID_ffdhe6144, 175, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0103}, /* ffdhe6144 (0x0103) */
{NID_ffdhe8192, 192, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0104}, /* ffdhe8192 (0x0104) */
-#endif /* OPENSSL_NO_DH */
+# endif /* OPENSSL_NO_DH */
};
+#endif
#ifndef OPENSSL_NO_EC
static const unsigned char ecformats_default[] = {
TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
};
-#endif
+#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
/* The default curves */
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
static const uint16_t supported_groups_default[] = {
-#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_EC
29, /* X25519 (29) */
23, /* secp256r1 (23) */
30, /* X448 (30) */
25, /* secp521r1 (25) */
24, /* secp384r1 (24) */
-#endif
-#ifndef OPENSSL_NO_DH
+# endif
+# ifndef OPENSSL_NO_DH
0x100, /* ffdhe2048 (0x100) */
0x101, /* ffdhe3072 (0x101) */
0x102, /* ffdhe4096 (0x102) */
0x103, /* ffdhe6144 (0x103) */
0x104, /* ffdhe8192 (0x104) */
-#endif
+# endif
};
+#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
#ifndef OPENSSL_NO_EC
static const uint16_t suiteb_curves[] = {
const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
{
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
size_t i;
/* ECC curves from RFC 4492 and RFC 7027 FFDHE group from RFC 8446 */
if (nid_list[i].group_id == group_id)
return &nid_list[i];
}
+#endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */
return NULL;
}
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
+int tls1_group_id2nid(uint16_t group_id)
+{
+ const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(group_id);
+
+ return ginf == NULL ? NID_undef : ginf->nid;
+}
+
static uint16_t tls1_nid2group_id(int nid)
{
size_t i;
}
return 0;
}
+#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
/*
* Set *pgroups to the supported groups list and *pgroupslen to
void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
size_t *pgroupslen)
{
-
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
/* For Suite B mode only include P-256, P-384 */
switch (tls1_suiteb(s)) {
-#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_EC
case SSL_CERT_FLAG_SUITEB_128_LOS:
*pgroups = suiteb_curves;
*pgroupslen = OSSL_NELEM(suiteb_curves);
*pgroups = suiteb_curves + 1;
*pgroupslen = 1;
break;
-#endif
+# endif
default:
if (s->ext.supportedgroups == NULL) {
}
break;
}
+#else
+ *pgroups = NULL;
+ *pgroupslen = 0;
+#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
}
int tls_valid_group(SSL *s, uint16_t group_id, int version)
int tls1_set_groups(uint16_t **pext, size_t *pextlen,
int *groups, size_t ngroups)
{
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
uint16_t *glist;
size_t i;
/*
err:
OPENSSL_free(glist);
return 0;
+#else
+ return 0;
+#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
}
-#define MAX_GROUPLIST OSSL_NELEM(nid_list)
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
+# define MAX_GROUPLIST OSSL_NELEM(nid_list)
typedef struct {
size_t nidcnt;
return 0;
memcpy(etmp, elem, len);
etmp[len] = 0;
-#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_EC
nid = EC_curve_nist2nid(etmp);
-#endif
+# endif
if (nid == NID_undef)
nid = OBJ_sn2nid(etmp);
if (nid == NID_undef)
narg->nid_arr[narg->nidcnt++] = nid;
return 1;
}
+#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
/* Set groups based on a colon separate list */
int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
{
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
nid_cb_st ncb;
ncb.nidcnt = 0;
if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
if (pext == NULL)
return 1;
return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
+#else
+ return 0;
+#endif
}
/* Check a group id matches preferences */
* If point formats extension present check it, otherwise everything is
* supported (see RFC4492).
*/
- if (s->session->ext.ecpointformats == NULL)
+ if (s->ext.peer_ecpointformats == NULL)
return 1;
- for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
- if (s->session->ext.ecpointformats[i] == comp_id)
+ for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
+ if (s->ext.peer_ecpointformats[i] == comp_id)
return 1;
}
return 0;
if (check_ee_md && tls1_suiteb(s)) {
int check_md;
size_t i;
- CERT *c = s->cert;
/* Check to see we have necessary signing algorithm */
if (group_id == TLSEXT_curve_P_256)
check_md = NID_ecdsa_with_SHA384;
else
return 0; /* Should never happen */
- for (i = 0; i < c->shared_sigalgslen; i++) {
- if (check_md == c->shared_sigalgs[i]->sigandhash)
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ if (check_md == s->shared_sigalgs[i]->sigandhash)
return 1;;
}
return 0;
}
/*
- * Return a signature algorithm for TLS < 1.2 where the signature type
- * is fixed by the certificate type.
+ * Returns a signature algorithm when the peer did not send a list of supported
+ * signature algorithms. The signature algorithm is fixed for the certificate
+ * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
+ * certificate type from |s| will be used.
+ * Returns the signature algorithm to use, or NULL on error.
*/
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
{
if (!tls1_lookup_md(lu, NULL))
return NULL;
+ if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
+ return NULL;
return lu;
}
+ if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
+ return NULL;
return &legacy_rsa_sigalg;
}
/* Set peer sigalg based key type */
*
* Returns 1 when it's disabled, 0 when enabled.
*/
-int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
+int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
{
if (c->algorithm_mkey & s->s3.tmp.mask_k
|| c->algorithm_auth & s->s3.tmp.mask_a)
size_t i;
/* Clear any shared signature algorithms */
- OPENSSL_free(s->cert->shared_sigalgs);
- s->cert->shared_sigalgs = NULL;
- s->cert->shared_sigalgslen = 0;
+ OPENSSL_free(s->shared_sigalgs);
+ s->shared_sigalgs = NULL;
+ s->shared_sigalgslen = 0;
/* Clear certificate validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++)
s->s3.tmp.valid_flags[i] = 0;
SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
return 0;
}
- if (s->cert->shared_sigalgs != NULL)
+ if (s->shared_sigalgs != NULL)
return 1;
/* Fatal error if no shared signature algorithms */
SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
size_t mlen;
unsigned char tick_hmac[EVP_MAX_MD_SIZE];
- HMAC_CTX *hctx = NULL;
+ SSL_HMAC *hctx = NULL;
EVP_CIPHER_CTX *ctx = NULL;
SSL_CTX *tctx = s->session_ctx;
}
/* Initialize session ticket encryption and HMAC contexts */
- hctx = HMAC_CTX_new();
+ hctx = ssl_hmac_new(tctx);
if (hctx == NULL) {
ret = SSL_TICKET_FATAL_ERR_MALLOC;
goto end;
ret = SSL_TICKET_FATAL_ERR_MALLOC;
goto end;
}
- if (tctx->ext.ticket_key_cb) {
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL)
+#else
+ if (tctx->ext.ticket_key_evp_cb != NULL)
+#endif
+ {
unsigned char *nctick = (unsigned char *)etick;
- int rv = tctx->ext.ticket_key_cb(s, nctick,
+ int rv = 0;
+
+ if (tctx->ext.ticket_key_evp_cb != NULL)
+ rv = tctx->ext.ticket_key_evp_cb(s, nctick,
+ nctick + TLSEXT_KEYNAME_LENGTH,
+ ctx,
+ ssl_hmac_get0_EVP_MAC_CTX(hctx),
+ 0);
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ else if (tctx->ext.ticket_key_cb != NULL)
+ /* if 0 is returned, write an empty ticket */
+ rv = tctx->ext.ticket_key_cb(s, nctick,
nctick + TLSEXT_KEYNAME_LENGTH,
- ctx, hctx, 0);
+ ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0);
+#endif
if (rv < 0) {
ret = SSL_TICKET_FATAL_ERR_OTHER;
goto end;
ret = SSL_TICKET_NO_DECRYPT;
goto end;
}
- if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
- sizeof(tctx->ext.secure->tick_hmac_key),
- EVP_sha256(), NULL) <= 0
+ if (ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
+ sizeof(tctx->ext.secure->tick_hmac_key),
+ "SHA256") <= 0
|| EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
tctx->ext.secure->tick_aes_key,
etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
* Attempt to process session ticket, first conduct sanity and integrity
* checks on ticket.
*/
- mlen = HMAC_size(hctx);
+ mlen = ssl_hmac_size(hctx);
if (mlen == 0) {
ret = SSL_TICKET_FATAL_ERR_OTHER;
goto end;
}
eticklen -= mlen;
/* Check HMAC of encrypted ticket */
- if (HMAC_Update(hctx, etick, eticklen) <= 0
- || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
+ if (ssl_hmac_update(hctx, etick, eticklen) <= 0
+ || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) {
ret = SSL_TICKET_FATAL_ERR_OTHER;
goto end;
}
end:
EVP_CIPHER_CTX_free(ctx);
- HMAC_CTX_free(hctx);
+ ssl_hmac_free(hctx);
/*
* If set, the decrypt_ticket_cb() is called unless a fatal error was
}
/* Check to see if a signature algorithm is allowed */
-static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
+static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
{
unsigned char sigalgstr[2];
int secbits;
continue;
clu = ssl_cert_lookup_by_idx(lu->sig_idx);
- if (clu == NULL)
- continue;
+ if (clu == NULL)
+ continue;
/* If algorithm is disabled see if we can enable it */
if ((clu->amask & disabled_mask) != 0
CERT *c = s->cert;
unsigned int is_suiteb = tls1_suiteb(s);
- OPENSSL_free(c->shared_sigalgs);
- c->shared_sigalgs = NULL;
- c->shared_sigalgslen = 0;
+ OPENSSL_free(s->shared_sigalgs);
+ s->shared_sigalgs = NULL;
+ s->shared_sigalgslen = 0;
/* If client use client signature algorithms if not NULL */
if (!s->server && c->client_sigalgs && !is_suiteb) {
conf = c->client_sigalgs;
} else {
salgs = NULL;
}
- c->shared_sigalgs = salgs;
- c->shared_sigalgslen = nmatch;
+ s->shared_sigalgs = salgs;
+ s->shared_sigalgslen = nmatch;
return 1;
}
{
size_t i;
uint32_t *pvalid = s->s3.tmp.valid_flags;
- CERT *c = s->cert;
if (!tls1_set_shared_sigalgs(s))
return 0;
for (i = 0; i < SSL_PKEY_NUM; i++)
pvalid[i] = 0;
- for (i = 0; i < c->shared_sigalgslen; i++) {
- const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
int idx = sigptr->sig_idx;
/* Ignore PKCS1 based sig algs in TLSv1.3 */
unsigned char *rsig, unsigned char *rhash)
{
const SIGALG_LOOKUP *shsigalgs;
- if (s->cert->shared_sigalgs == NULL
+ if (s->shared_sigalgs == NULL
|| idx < 0
- || idx >= (int)s->cert->shared_sigalgslen
- || s->cert->shared_sigalgslen > INT_MAX)
+ || idx >= (int)s->shared_sigalgslen
+ || s->shared_sigalgslen > INT_MAX)
return 0;
- shsigalgs = s->cert->shared_sigalgs[idx];
+ shsigalgs = s->shared_sigalgs[idx];
if (phash != NULL)
*phash = shsigalgs->hash;
if (psign != NULL)
*rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
if (rhash != NULL)
*rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
- return (int)s->cert->shared_sigalgslen;
+ return (int)s->shared_sigalgslen;
}
/* Maximum possible number of unique entries in sigalgs array */
return 0;
}
-static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
+static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
{
- int sig_nid;
+ int sig_nid, use_pc_sigalgs = 0;
size_t i;
+ const SIGALG_LOOKUP *sigalg;
+ size_t sigalgslen;
if (default_nid == -1)
return 1;
sig_nid = X509_get_signature_nid(x);
if (default_nid)
return sig_nid == default_nid ? 1 : 0;
- for (i = 0; i < c->shared_sigalgslen; i++)
- if (sig_nid == c->shared_sigalgs[i]->sigandhash)
+
+ if (SSL_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) {
+ /*
+ * If we're in TLSv1.3 then we only get here if we're checking the
+ * chain. If the peer has specified peer_cert_sigalgs then we use them
+ * otherwise we default to normal sigalgs.
+ */
+ sigalgslen = s->s3.tmp.peer_cert_sigalgslen;
+ use_pc_sigalgs = 1;
+ } else {
+ sigalgslen = s->shared_sigalgslen;
+ }
+ for (i = 0; i < sigalgslen; i++) {
+ sigalg = use_pc_sigalgs
+ ? tls1_lookup_sigalg(s->s3.tmp.peer_cert_sigalgs[i])
+ : s->shared_sigalgs[i];
+ if (sig_nid == sigalg->sigandhash)
return 1;
+ }
return 0;
}
}
}
/* Check signature algorithm of each cert in chain */
- if (!tls1_check_sig_alg(c, x, default_nid)) {
+ if (SSL_IS_TLS13(s)) {
+ /*
+ * We only get here if the application has called SSL_check_chain(),
+ * so check_flags is always set.
+ */
+ if (find_sig_alg(s, x, pk) != NULL)
+ rv |= CERT_PKEY_EE_SIGNATURE;
+ } else if (!tls1_check_sig_alg(s, x, default_nid)) {
if (!check_flags)
goto end;
} else
rv |= CERT_PKEY_EE_SIGNATURE;
rv |= CERT_PKEY_CA_SIGNATURE;
for (i = 0; i < sk_X509_num(chain); i++) {
- if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
+ if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
if (check_flags) {
rv &= ~CERT_PKEY_CA_SIGNATURE;
break;
}
/*
- * Returns true if |s| has a usable certificate configured for use
- * with signature scheme |sig|.
- * "Usable" includes a check for presence as well as applying
- * the signature_algorithm_cert restrictions sent by the peer (if any).
- * Returns false if no usable certificate is found.
+ * Checks the given cert against signature_algorithm_cert restrictions sent by
+ * the peer (if any) as well as whether the hash from the sigalg is usable with
+ * the key.
+ * Returns true if the cert is usable and false otherwise.
*/
-static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
+static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
+ EVP_PKEY *pkey)
{
const SIGALG_LOOKUP *lu;
int mdnid, pknid, supported;
size_t i;
- /* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */
- if (idx == -1)
- idx = sig->sig_idx;
- if (!ssl_has_cert(s, idx))
+ /*
+ * If the given EVP_PKEY cannot supporting signing with this sigalg,
+ * the answer is simply 'no'.
+ */
+ ERR_set_mark();
+ supported = EVP_PKEY_supports_digest_nid(pkey, sig->hash);
+ ERR_pop_to_mark();
+ if (supported == 0)
return 0;
+
+ /*
+ * The TLS 1.3 signature_algorithms_cert extension places restrictions
+ * on the sigalg with which the certificate was signed (by its issuer).
+ */
if (s->s3.tmp.peer_cert_sigalgs != NULL) {
+ if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
+ return 0;
for (i = 0; i < s->s3.tmp.peer_cert_sigalgslen; i++) {
lu = tls1_lookup_sigalg(s->s3.tmp.peer_cert_sigalgs[i]);
- if (lu == NULL
- || !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid,
- &pknid, NULL, NULL)
- /*
- * TODO this does not differentiate between the
- * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
- * have a chain here that lets us look at the key OID in the
- * signing certificate.
- */
- || mdnid != lu->hash
- || pknid != lu->sig)
+ if (lu == NULL)
continue;
- ERR_set_mark();
- supported = EVP_PKEY_supports_digest_nid(s->cert->pkeys[idx].privatekey,
- mdnid);
- if (supported == 0)
- continue;
- else if (supported < 0)
- {
- /* If it didn't report a mandatory NID, for whatever reasons,
- * just clear the error and allow all hashes to be used. */
- ERR_pop_to_mark();
- }
- return 1;
+ /*
+ * TODO this does not differentiate between the
+ * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
+ * have a chain here that lets us look at the key OID in the
+ * signing certificate.
+ */
+ if (mdnid == lu->hash && pknid == lu->sig)
+ return 1;
}
return 0;
}
- supported = EVP_PKEY_supports_digest_nid(s->cert->pkeys[idx].privatekey,
- sig->hash);
- if (supported == 0)
- return 0;
- else if (supported < 0)
- ERR_clear_error();
+ /*
+ * Without signat_algorithms_cert, any certificate for which we have
+ * a viable public key is permitted.
+ */
return 1;
}
+/*
+ * Returns true if |s| has a usable certificate configured for use
+ * with signature scheme |sig|.
+ * "Usable" includes a check for presence as well as applying
+ * the signature_algorithm_cert restrictions sent by the peer (if any).
+ * Returns false if no usable certificate is found.
+ */
+static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
+{
+ /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
+ if (idx == -1)
+ idx = sig->sig_idx;
+ if (!ssl_has_cert(s, idx))
+ return 0;
+
+ return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
+ s->cert->pkeys[idx].privatekey);
+}
+
+/*
+ * Returns true if the supplied cert |x| and key |pkey| is usable with the
+ * specified signature scheme |sig|, or false otherwise.
+ */
+static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
+ EVP_PKEY *pkey)
+{
+ size_t idx;
+
+ if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
+ return 0;
+
+ /* Check the key is consistent with the sig alg */
+ if ((int)idx != sig->sig_idx)
+ return 0;
+
+ return check_cert_usable(s, sig, x, pkey);
+}
+
+/*
+ * Find a signature scheme that works with the supplied certificate |x| and key
+ * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
+ * available certs/keys to find one that works.
+ */
+static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
+{
+ const SIGALG_LOOKUP *lu = NULL;
+ size_t i;
+#ifndef OPENSSL_NO_EC
+ int curve = -1;
+#endif
+ EVP_PKEY *tmppkey;
+
+ /* Look for a shared sigalgs matching possible certificates */
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ lu = s->shared_sigalgs[i];
+
+ /* Skip SHA1, SHA224, DSA and RSA if not PSS */
+ if (lu->hash == NID_sha1
+ || lu->hash == NID_sha224
+ || lu->sig == EVP_PKEY_DSA
+ || lu->sig == EVP_PKEY_RSA)
+ continue;
+ /* Check that we have a cert, and signature_algorithms_cert */
+ if (!tls1_lookup_md(lu, NULL))
+ continue;
+ if ((pkey == NULL && !has_usable_cert(s, lu, -1))
+ || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
+ continue;
+
+ tmppkey = (pkey != NULL) ? pkey
+ : s->cert->pkeys[lu->sig_idx].privatekey;
+
+ if (lu->sig == EVP_PKEY_EC) {
+#ifndef OPENSSL_NO_EC
+ if (curve == -1) {
+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey);
+ curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ }
+ if (lu->curve != NID_undef && curve != lu->curve)
+ continue;
+#else
+ continue;
+#endif
+ } else if (lu->sig == EVP_PKEY_RSA_PSS) {
+ /* validate that key is large enough for the signature algorithm */
+ if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
+ continue;
+ }
+ break;
+ }
+
+ if (i == s->shared_sigalgslen)
+ return NULL;
+
+ return lu;
+}
+
/*
* Choose an appropriate signature algorithm based on available certificates
* Sets chosen certificate and signature algorithm.
s->s3.tmp.sigalg = NULL;
if (SSL_IS_TLS13(s)) {
- size_t i;
-#ifndef OPENSSL_NO_EC
- int curve = -1;
-#endif
-
- /* Look for a certificate matching shared sigalgs */
- for (i = 0; i < s->cert->shared_sigalgslen; i++) {
- lu = s->cert->shared_sigalgs[i];
- sig_idx = -1;
-
- /* Skip SHA1, SHA224, DSA and RSA if not PSS */
- if (lu->hash == NID_sha1
- || lu->hash == NID_sha224
- || lu->sig == EVP_PKEY_DSA
- || lu->sig == EVP_PKEY_RSA)
- continue;
- /* Check that we have a cert, and signature_algorithms_cert */
- if (!tls1_lookup_md(lu, NULL) || !has_usable_cert(s, lu, -1))
- continue;
- if (lu->sig == EVP_PKEY_EC) {
-#ifndef OPENSSL_NO_EC
- if (curve == -1) {
- EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
-
- curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
- }
- if (lu->curve != NID_undef && curve != lu->curve)
- continue;
-#else
- continue;
-#endif
- } else if (lu->sig == EVP_PKEY_RSA_PSS) {
- /* validate that key is large enough for the signature algorithm */
- EVP_PKEY *pkey;
-
- pkey = s->cert->pkeys[lu->sig_idx].privatekey;
- if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
- continue;
- }
- break;
- }
- if (i == s->cert->shared_sigalgslen) {
+ lu = find_sig_alg(s, NULL, NULL);
+ if (lu == NULL) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
* Find highest preference signature algorithm matching
* cert type
*/
- for (i = 0; i < s->cert->shared_sigalgslen; i++) {
- lu = s->cert->shared_sigalgs[i];
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ lu = s->shared_sigalgs[i];
if (s->server) {
if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
#endif
break;
}
- if (i == s->cert->shared_sigalgslen) {
+#ifndef OPENSSL_NO_GOST
+ /*
+ * Some Windows-based implementations do not send GOST algorithms indication
+ * in supported_algorithms extension, so when we have GOST-based ciphersuite,
+ * we have to assume GOST support.
+ */
+ if (i == s->shared_sigalgslen && s->s3.tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) {
+ if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
+ if (!fatalerrs)
+ return 1;
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+ SSL_F_TLS_CHOOSE_SIGALG,
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+ return 0;
+ } else {
+ i = 0;
+ sig_idx = lu->sig_idx;
+ }
+ }
+#endif
+ if (i == s->shared_sigalgslen) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
{
return session->ext.max_fragment_len_mode;
}
+
+/*
+ * Helper functions for HMAC access with legacy support included.
+ */
+SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx)
+{
+ SSL_HMAC *ret = OPENSSL_zalloc(sizeof(*ret));
+ EVP_MAC *mac = NULL;
+
+ if (ret == NULL)
+ return NULL;
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ if (ctx->ext.ticket_key_evp_cb == NULL
+ && ctx->ext.ticket_key_cb != NULL) {
+ ret->old_ctx = HMAC_CTX_new();
+ if (ret->old_ctx == NULL)
+ goto err;
+ return ret;
+ }
+#endif
+ mac = EVP_MAC_fetch(ctx->libctx, "HMAC", NULL);
+ if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL)
+ goto err;
+ EVP_MAC_free(mac);
+ return ret;
+ err:
+ EVP_MAC_CTX_free(ret->ctx);
+ EVP_MAC_free(mac);
+ OPENSSL_free(ret);
+ return NULL;
+}
+
+void ssl_hmac_free(SSL_HMAC *ctx)
+{
+ if (ctx != NULL) {
+ EVP_MAC_CTX_free(ctx->ctx);
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ HMAC_CTX_free(ctx->old_ctx);
+#endif
+ OPENSSL_free(ctx);
+ }
+}
+
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
+{
+ return ctx->old_ctx;
+}
+#endif
+
+EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx)
+{
+ return ctx->ctx;
+}
+
+int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
+{
+ OSSL_PARAM params[3], *p = params;
+
+ if (ctx->ctx != NULL) {
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0);
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key, len);
+ *p = OSSL_PARAM_construct_end();
+ if (EVP_MAC_CTX_set_params(ctx->ctx, params) && EVP_MAC_init(ctx->ctx))
+ return 1;
+ }
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ if (ctx->old_ctx != NULL)
+ return HMAC_Init_ex(ctx->old_ctx, key, len,
+ EVP_get_digestbyname(md), NULL);
+#endif
+ return 0;
+}
+
+int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
+{
+ if (ctx->ctx != NULL)
+ return EVP_MAC_update(ctx->ctx, data, len);
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ if (ctx->old_ctx != NULL)
+ return HMAC_Update(ctx->old_ctx, data, len);
+#endif
+ return 0;
+}
+
+int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len,
+ size_t max_size)
+{
+ if (ctx->ctx != NULL)
+ return EVP_MAC_final(ctx->ctx, md, len, max_size);
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ if (ctx->old_ctx != NULL) {
+ unsigned int l;
+
+ if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
+ if (len != NULL)
+ *len = l;
+ return 1;
+ }
+ }
+#endif
+ return 0;
+}
+
+size_t ssl_hmac_size(const SSL_HMAC *ctx)
+{
+ if (ctx->ctx != NULL)
+ return EVP_MAC_size(ctx->ctx);
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ if (ctx->old_ctx != NULL)
+ return HMAC_size(ctx->old_ctx);
+#endif
+ return 0;
+}
+
projects / openssl.git / blobdiff