1 // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <limits.h>
19
20 #include <algorithm>
21
22 #include <openssl/ec.h>
23 #include <openssl/ec_key.h>
24 #include <openssl/err.h>
25 #include <openssl/evp.h>
26 #include <openssl/mem.h>
27 #include <openssl/span.h>
28
29 #include "../crypto/internal.h"
30 #include "internal.h"
31
32
33 BSSL_NAMESPACE_BEGIN
34
ssl_is_key_type_supported(int key_type)35 bool ssl_is_key_type_supported(int key_type) {
36 return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC ||
37 key_type == EVP_PKEY_ED25519;
38 }
39
40 typedef struct {
41 uint16_t sigalg;
42 int pkey_type;
43 int curve;
44 const EVP_MD *(*digest_func)(void);
45 bool is_rsa_pss;
46 bool tls12_ok;
47 bool tls13_ok;
48 bool client_only;
49 } SSL_SIGNATURE_ALGORITHM;
50
51 static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = {
52 // PKCS#1 v1.5 code points are only allowed in TLS 1.2.
53 {SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1,
54 /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
55 /*client_only=*/false},
56 {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1,
57 /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
58 /*client_only=*/false},
59 {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
60 /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
61 /*client_only=*/false},
62 {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,
63 /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
64 /*client_only=*/false},
65 {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,
66 /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
67 /*client_only=*/false},
68
69 // Legacy PKCS#1 v1.5 code points are only allowed in TLS 1.3 and
70 // client-only. See draft-ietf-tls-tls13-pkcs1-00.
71 {SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
72 /*is_rsa_pss=*/false, /*tls12_ok=*/false, /*tls13_ok=*/true,
73 /*client_only=*/true},
74
75 {SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
76 /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
77 /*client_only=*/false},
78 {SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,
79 /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
80 /*client_only=*/false},
81 {SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,
82 /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
83 /*client_only=*/false},
84
85 {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1,
86 /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
87 /*client_only=*/false},
88 {SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1,
89 &EVP_sha256, /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
90 /*client_only=*/false},
91 {SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384,
92 /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
93 /*client_only=*/false},
94 {SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512,
95 /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
96 /*client_only=*/false},
97
98 {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr,
99 /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
100 /*client_only=*/false},
101 };
102
get_signature_algorithm(uint16_t sigalg)103 static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {
104 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kSignatureAlgorithms); i++) {
105 if (kSignatureAlgorithms[i].sigalg == sigalg) {
106 return &kSignatureAlgorithms[i];
107 }
108 }
109 return NULL;
110 }
111
ssl_pkey_supports_algorithm(const SSL * ssl,EVP_PKEY * pkey,uint16_t sigalg,bool is_verify)112 bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
113 uint16_t sigalg, bool is_verify) {
114 const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
115 if (alg == NULL || EVP_PKEY_id(pkey) != alg->pkey_type) {
116 return false;
117 }
118
119 // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
120 // emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
121 // hash in TLS. Reasonable RSA key sizes are large enough for the largest
122 // defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for
123 // SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the
124 // size so that we can fall back to another algorithm in that case.
125 if (alg->is_rsa_pss &&
126 (size_t)EVP_PKEY_size(pkey) < 2 * EVP_MD_size(alg->digest_func()) + 2) {
127 return false;
128 }
129
130 if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
131 // TLS 1.0 and 1.1 do not negotiate algorithms and always sign one of two
132 // hardcoded algorithms.
133 return sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
134 sigalg == SSL_SIGN_ECDSA_SHA1;
135 }
136
137 // |SSL_SIGN_RSA_PKCS1_MD5_SHA1| is not a real SignatureScheme for TLS 1.2 and
138 // higher. It is an internal value we use to represent TLS 1.0/1.1's MD5/SHA1
139 // concatenation.
140 if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1) {
141 return false;
142 }
143
144 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
145 if (!alg->tls13_ok) {
146 return false;
147 }
148
149 bool is_client_sign = ssl->server == is_verify;
150 if (alg->client_only && !is_client_sign) {
151 return false;
152 }
153
154 // EC keys have a curve requirement.
155 if (alg->pkey_type == EVP_PKEY_EC &&
156 (alg->curve == NID_undef ||
157 EVP_PKEY_get_ec_curve_nid(pkey) != alg->curve)) {
158 return false;
159 }
160 } else if (!alg->tls12_ok) {
161 return false;
162 }
163
164 return true;
165 }
166
setup_ctx(SSL * ssl,EVP_MD_CTX * ctx,EVP_PKEY * pkey,uint16_t sigalg,bool is_verify)167 static bool setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
168 uint16_t sigalg, bool is_verify) {
169 if (!ssl_pkey_supports_algorithm(ssl, pkey, sigalg, is_verify)) {
170 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
171 return false;
172 }
173
174 const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
175 const EVP_MD *digest = alg->digest_func != NULL ? alg->digest_func() : NULL;
176 EVP_PKEY_CTX *pctx;
177 if (is_verify) {
178 if (!EVP_DigestVerifyInit(ctx, &pctx, digest, NULL, pkey)) {
179 return false;
180 }
181 } else if (!EVP_DigestSignInit(ctx, &pctx, digest, NULL, pkey)) {
182 return false;
183 }
184
185 if (alg->is_rsa_pss) {
186 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
187 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST)) {
188 return false;
189 }
190 }
191
192 return true;
193 }
194
ssl_private_key_sign(SSL_HANDSHAKE * hs,uint8_t * out,size_t * out_len,size_t max_out,uint16_t sigalg,Span<const uint8_t> in)195 enum ssl_private_key_result_t ssl_private_key_sign(
196 SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,
197 uint16_t sigalg, Span<const uint8_t> in) {
198 SSL *const ssl = hs->ssl;
199 const SSL_CREDENTIAL *const cred = hs->credential.get();
200 SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
201 Array<uint8_t> spki;
202 if (hints) {
203 ScopedCBB spki_cbb;
204 if (!CBB_init(spki_cbb.get(), 64) ||
205 !EVP_marshal_public_key(spki_cbb.get(), cred->pubkey.get()) ||
206 !CBBFinishArray(spki_cbb.get(), &spki)) {
207 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
208 return ssl_private_key_failure;
209 }
210 }
211
212 // Replay the signature from handshake hints if available.
213 if (hints && !hs->hints_requested && //
214 sigalg == hints->signature_algorithm && //
215 in == hints->signature_input && //
216 Span(spki) == hints->signature_spki && //
217 !hints->signature.empty() && //
218 hints->signature.size() <= max_out) {
219 // Signature algorithm and input both match. Reuse the signature from hints.
220 *out_len = hints->signature.size();
221 OPENSSL_memcpy(out, hints->signature.data(), hints->signature.size());
222 return ssl_private_key_success;
223 }
224
225 const SSL_PRIVATE_KEY_METHOD *key_method = cred->key_method;
226 EVP_PKEY *privkey = cred->privkey.get();
227 assert(!hs->can_release_private_key);
228
229 if (key_method != NULL) {
230 enum ssl_private_key_result_t ret;
231 if (hs->pending_private_key_op) {
232 ret = key_method->complete(ssl, out, out_len, max_out);
233 } else {
234 ret = key_method->sign(ssl, out, out_len, max_out, sigalg, in.data(),
235 in.size());
236 }
237 if (ret == ssl_private_key_failure) {
238 OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);
239 }
240 hs->pending_private_key_op = ret == ssl_private_key_retry;
241 if (ret != ssl_private_key_success) {
242 return ret;
243 }
244 } else {
245 *out_len = max_out;
246 ScopedEVP_MD_CTX ctx;
247 if (!setup_ctx(ssl, ctx.get(), privkey, sigalg, false /* sign */) ||
248 !EVP_DigestSign(ctx.get(), out, out_len, in.data(), in.size())) {
249 return ssl_private_key_failure;
250 }
251 }
252
253 // Save the hint if applicable.
254 if (hints && hs->hints_requested) {
255 hints->signature_algorithm = sigalg;
256 hints->signature_spki = std::move(spki);
257 if (!hints->signature_input.CopyFrom(in) ||
258 !hints->signature.CopyFrom(Span(out, *out_len))) {
259 return ssl_private_key_failure;
260 }
261 }
262 return ssl_private_key_success;
263 }
264
ssl_public_key_verify(SSL * ssl,Span<const uint8_t> signature,uint16_t sigalg,EVP_PKEY * pkey,Span<const uint8_t> in)265 bool ssl_public_key_verify(SSL *ssl, Span<const uint8_t> signature,
266 uint16_t sigalg, EVP_PKEY *pkey,
267 Span<const uint8_t> in) {
268 ScopedEVP_MD_CTX ctx;
269 if (!setup_ctx(ssl, ctx.get(), pkey, sigalg, true /* verify */)) {
270 return false;
271 }
272 bool ok = EVP_DigestVerify(ctx.get(), signature.data(), signature.size(),
273 in.data(), in.size());
274 if (CRYPTO_fuzzer_mode_enabled()) {
275 ok = true;
276 ERR_clear_error();
277 }
278 return ok;
279 }
280
ssl_private_key_decrypt(SSL_HANDSHAKE * hs,uint8_t * out,size_t * out_len,size_t max_out,Span<const uint8_t> in)281 enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
282 uint8_t *out,
283 size_t *out_len,
284 size_t max_out,
285 Span<const uint8_t> in) {
286 SSL *const ssl = hs->ssl;
287 const SSL_CREDENTIAL *const cred = hs->credential.get();
288 assert(!hs->can_release_private_key);
289 if (cred->key_method != NULL) {
290 enum ssl_private_key_result_t ret;
291 if (hs->pending_private_key_op) {
292 ret = cred->key_method->complete(ssl, out, out_len, max_out);
293 } else {
294 ret = cred->key_method->decrypt(ssl, out, out_len, max_out, in.data(),
295 in.size());
296 }
297 if (ret == ssl_private_key_failure) {
298 OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);
299 }
300 hs->pending_private_key_op = ret == ssl_private_key_retry;
301 return ret;
302 }
303
304 RSA *rsa = EVP_PKEY_get0_RSA(cred->privkey.get());
305 if (rsa == NULL) {
306 // Decrypt operations are only supported for RSA keys.
307 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
308 return ssl_private_key_failure;
309 }
310
311 // Decrypt with no padding. PKCS#1 padding will be removed as part of the
312 // timing-sensitive code by the caller.
313 if (!RSA_decrypt(rsa, out_len, out, max_out, in.data(), in.size(),
314 RSA_NO_PADDING)) {
315 return ssl_private_key_failure;
316 }
317 return ssl_private_key_success;
318 }
319
320 BSSL_NAMESPACE_END
321
322 using namespace bssl;
323
SSL_use_RSAPrivateKey(SSL * ssl,RSA * rsa)324 int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) {
325 if (rsa == NULL || ssl->config == NULL) {
326 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
327 return 0;
328 }
329
330 UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
331 if (!pkey || //
332 !EVP_PKEY_set1_RSA(pkey.get(), rsa)) {
333 OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);
334 return 0;
335 }
336
337 return SSL_use_PrivateKey(ssl, pkey.get());
338 }
339
SSL_use_RSAPrivateKey_ASN1(SSL * ssl,const uint8_t * der,size_t der_len)340 int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {
341 UniquePtr<RSA> rsa(RSA_private_key_from_bytes(der, der_len));
342 if (!rsa) {
343 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
344 return 0;
345 }
346
347 return SSL_use_RSAPrivateKey(ssl, rsa.get());
348 }
349
SSL_use_PrivateKey(SSL * ssl,EVP_PKEY * pkey)350 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) {
351 if (pkey == NULL || ssl->config == NULL) {
352 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
353 return 0;
354 }
355
356 return SSL_CREDENTIAL_set1_private_key(
357 ssl->config->cert->legacy_credential.get(), pkey);
358 }
359
SSL_use_PrivateKey_ASN1(int type,SSL * ssl,const uint8_t * der,size_t der_len)360 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der,
361 size_t der_len) {
362 if (der_len > LONG_MAX) {
363 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
364 return 0;
365 }
366
367 const uint8_t *p = der;
368 UniquePtr<EVP_PKEY> pkey(d2i_PrivateKey(type, NULL, &p, (long)der_len));
369 if (!pkey || p != der + der_len) {
370 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
371 return 0;
372 }
373
374 return SSL_use_PrivateKey(ssl, pkey.get());
375 }
376
SSL_CTX_use_RSAPrivateKey(SSL_CTX * ctx,RSA * rsa)377 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) {
378 if (rsa == NULL) {
379 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
380 return 0;
381 }
382
383 UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
384 if (!pkey || !EVP_PKEY_set1_RSA(pkey.get(), rsa)) {
385 OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);
386 return 0;
387 }
388
389 return SSL_CTX_use_PrivateKey(ctx, pkey.get());
390 }
391
SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX * ctx,const uint8_t * der,size_t der_len)392 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der,
393 size_t der_len) {
394 UniquePtr<RSA> rsa(RSA_private_key_from_bytes(der, der_len));
395 if (!rsa) {
396 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
397 return 0;
398 }
399
400 return SSL_CTX_use_RSAPrivateKey(ctx, rsa.get());
401 }
402
SSL_CTX_use_PrivateKey(SSL_CTX * ctx,EVP_PKEY * pkey)403 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) {
404 if (pkey == NULL) {
405 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
406 return 0;
407 }
408
409 return SSL_CREDENTIAL_set1_private_key(ctx->cert->legacy_credential.get(),
410 pkey);
411 }
412
SSL_CTX_use_PrivateKey_ASN1(int type,SSL_CTX * ctx,const uint8_t * der,size_t der_len)413 int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der,
414 size_t der_len) {
415 if (der_len > LONG_MAX) {
416 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
417 return 0;
418 }
419
420 const uint8_t *p = der;
421 UniquePtr<EVP_PKEY> pkey(d2i_PrivateKey(type, NULL, &p, (long)der_len));
422 if (!pkey || p != der + der_len) {
423 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
424 return 0;
425 }
426
427 return SSL_CTX_use_PrivateKey(ctx, pkey.get());
428 }
429
SSL_set_private_key_method(SSL * ssl,const SSL_PRIVATE_KEY_METHOD * key_method)430 void SSL_set_private_key_method(SSL *ssl,
431 const SSL_PRIVATE_KEY_METHOD *key_method) {
432 if (!ssl->config) {
433 return;
434 }
435 BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method(
436 ssl->config->cert->legacy_credential.get(), key_method));
437 }
438
SSL_CTX_set_private_key_method(SSL_CTX * ctx,const SSL_PRIVATE_KEY_METHOD * key_method)439 void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
440 const SSL_PRIVATE_KEY_METHOD *key_method) {
441 BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method(
442 ctx->cert->legacy_credential.get(), key_method));
443 }
444
445 static constexpr size_t kMaxSignatureAlgorithmNameLen = 24;
446
447 struct SignatureAlgorithmName {
448 uint16_t signature_algorithm;
449 const char name[kMaxSignatureAlgorithmNameLen];
450 };
451
452 // This was "constexpr" rather than "const", but that triggered a bug in MSVC
453 // where it didn't pad the strings to the correct length.
454 static const SignatureAlgorithmName kSignatureAlgorithmNames[] = {
455 {SSL_SIGN_RSA_PKCS1_MD5_SHA1, "rsa_pkcs1_md5_sha1"},
456 {SSL_SIGN_RSA_PKCS1_SHA1, "rsa_pkcs1_sha1"},
457 {SSL_SIGN_RSA_PKCS1_SHA256, "rsa_pkcs1_sha256"},
458 {SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, "rsa_pkcs1_sha256_legacy"},
459 {SSL_SIGN_RSA_PKCS1_SHA384, "rsa_pkcs1_sha384"},
460 {SSL_SIGN_RSA_PKCS1_SHA512, "rsa_pkcs1_sha512"},
461 {SSL_SIGN_ECDSA_SHA1, "ecdsa_sha1"},
462 {SSL_SIGN_ECDSA_SECP256R1_SHA256, "ecdsa_secp256r1_sha256"},
463 {SSL_SIGN_ECDSA_SECP384R1_SHA384, "ecdsa_secp384r1_sha384"},
464 {SSL_SIGN_ECDSA_SECP521R1_SHA512, "ecdsa_secp521r1_sha512"},
465 {SSL_SIGN_RSA_PSS_RSAE_SHA256, "rsa_pss_rsae_sha256"},
466 {SSL_SIGN_RSA_PSS_RSAE_SHA384, "rsa_pss_rsae_sha384"},
467 {SSL_SIGN_RSA_PSS_RSAE_SHA512, "rsa_pss_rsae_sha512"},
468 {SSL_SIGN_ED25519, "ed25519"},
469 };
470
SSL_get_signature_algorithm_name(uint16_t sigalg,int include_curve)471 const char *SSL_get_signature_algorithm_name(uint16_t sigalg,
472 int include_curve) {
473 if (!include_curve) {
474 switch (sigalg) {
475 case SSL_SIGN_ECDSA_SECP256R1_SHA256:
476 return "ecdsa_sha256";
477 case SSL_SIGN_ECDSA_SECP384R1_SHA384:
478 return "ecdsa_sha384";
479 case SSL_SIGN_ECDSA_SECP521R1_SHA512:
480 return "ecdsa_sha512";
481 // If adding more here, also update
482 // |SSL_get_all_signature_algorithm_names|.
483 }
484 }
485
486 for (const auto &candidate : kSignatureAlgorithmNames) {
487 if (candidate.signature_algorithm == sigalg) {
488 return candidate.name;
489 }
490 }
491
492 return NULL;
493 }
494
SSL_get_all_signature_algorithm_names(const char ** out,size_t max_out)495 size_t SSL_get_all_signature_algorithm_names(const char **out, size_t max_out) {
496 const char *kPredefinedNames[] = {"ecdsa_sha256", "ecdsa_sha384",
497 "ecdsa_sha512"};
498 return GetAllNames(out, max_out, kPredefinedNames,
499 &SignatureAlgorithmName::name,
500 Span(kSignatureAlgorithmNames));
501 }
502
SSL_get_signature_algorithm_key_type(uint16_t sigalg)503 int SSL_get_signature_algorithm_key_type(uint16_t sigalg) {
504 const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
505 return alg != nullptr ? alg->pkey_type : EVP_PKEY_NONE;
506 }
507
SSL_get_signature_algorithm_digest(uint16_t sigalg)508 const EVP_MD *SSL_get_signature_algorithm_digest(uint16_t sigalg) {
509 const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
510 if (alg == nullptr || alg->digest_func == nullptr) {
511 return nullptr;
512 }
513 return alg->digest_func();
514 }
515
SSL_is_signature_algorithm_rsa_pss(uint16_t sigalg)516 int SSL_is_signature_algorithm_rsa_pss(uint16_t sigalg) {
517 const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
518 return alg != nullptr && alg->is_rsa_pss;
519 }
520
sigalgs_unique(Span<const uint16_t> in_sigalgs)521 static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {
522 if (in_sigalgs.size() < 2) {
523 return true;
524 }
525
526 Array<uint16_t> sigalgs;
527 if (!sigalgs.CopyFrom(in_sigalgs)) {
528 return false;
529 }
530
531 std::sort(sigalgs.begin(), sigalgs.end());
532 for (size_t i = 1; i < sigalgs.size(); i++) {
533 if (sigalgs[i - 1] == sigalgs[i]) {
534 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM);
535 return false;
536 }
537 }
538
539 return true;
540 }
541
set_sigalg_prefs(Array<uint16_t> * out,Span<const uint16_t> prefs)542 static bool set_sigalg_prefs(Array<uint16_t> *out, Span<const uint16_t> prefs) {
543 if (!sigalgs_unique(prefs)) {
544 return false;
545 }
546
547 // Check for invalid algorithms, and filter out |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
548 Array<uint16_t> filtered;
549 if (!filtered.InitForOverwrite(prefs.size())) {
550 return false;
551 }
552 size_t added = 0;
553 for (uint16_t pref : prefs) {
554 if (pref == SSL_SIGN_RSA_PKCS1_MD5_SHA1) {
555 // Though not intended to be used with this API, we treat
556 // |SSL_SIGN_RSA_PKCS1_MD5_SHA1| as a real signature algorithm in
557 // |SSL_PRIVATE_KEY_METHOD|. Not accepting it here makes for a confusing
558 // abstraction.
559 continue;
560 }
561 if (get_signature_algorithm(pref) == nullptr) {
562 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
563 return false;
564 }
565 filtered[added] = pref;
566 added++;
567 }
568 filtered.Shrink(added);
569
570 // This can happen if |prefs| contained only |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
571 // Leaving it empty would revert to the default, so treat this as an error
572 // condition.
573 if (!prefs.empty() && filtered.empty()) {
574 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
575 return false;
576 }
577
578 *out = std::move(filtered);
579 return true;
580 }
581
SSL_CREDENTIAL_set1_signing_algorithm_prefs(SSL_CREDENTIAL * cred,const uint16_t * prefs,size_t num_prefs)582 int SSL_CREDENTIAL_set1_signing_algorithm_prefs(SSL_CREDENTIAL *cred,
583 const uint16_t *prefs,
584 size_t num_prefs) {
585 if (!cred->UsesPrivateKey()) {
586 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
587 return 0;
588 }
589
590 // Delegated credentials are constrained to a single algorithm, so there is no
591 // need to configure this.
592 if (cred->type == SSLCredentialType::kDelegated) {
593 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
594 return 0;
595 }
596
597 return set_sigalg_prefs(&cred->sigalgs, Span(prefs, num_prefs));
598 }
599
SSL_CTX_set_signing_algorithm_prefs(SSL_CTX * ctx,const uint16_t * prefs,size_t num_prefs)600 int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
601 size_t num_prefs) {
602 return SSL_CREDENTIAL_set1_signing_algorithm_prefs(
603 ctx->cert->legacy_credential.get(), prefs, num_prefs);
604 }
605
SSL_set_signing_algorithm_prefs(SSL * ssl,const uint16_t * prefs,size_t num_prefs)606 int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
607 size_t num_prefs) {
608 if (!ssl->config) {
609 return 0;
610 }
611 return SSL_CREDENTIAL_set1_signing_algorithm_prefs(
612 ssl->config->cert->legacy_credential.get(), prefs, num_prefs);
613 }
614
615 static constexpr struct {
616 int pkey_type;
617 int hash_nid;
618 uint16_t signature_algorithm;
619 } kSignatureAlgorithmsMapping[] = {
620 {EVP_PKEY_RSA, NID_sha1, SSL_SIGN_RSA_PKCS1_SHA1},
621 {EVP_PKEY_RSA, NID_sha256, SSL_SIGN_RSA_PKCS1_SHA256},
622 {EVP_PKEY_RSA, NID_sha384, SSL_SIGN_RSA_PKCS1_SHA384},
623 {EVP_PKEY_RSA, NID_sha512, SSL_SIGN_RSA_PKCS1_SHA512},
624 {EVP_PKEY_RSA_PSS, NID_sha256, SSL_SIGN_RSA_PSS_RSAE_SHA256},
625 {EVP_PKEY_RSA_PSS, NID_sha384, SSL_SIGN_RSA_PSS_RSAE_SHA384},
626 {EVP_PKEY_RSA_PSS, NID_sha512, SSL_SIGN_RSA_PSS_RSAE_SHA512},
627 {EVP_PKEY_EC, NID_sha1, SSL_SIGN_ECDSA_SHA1},
628 {EVP_PKEY_EC, NID_sha256, SSL_SIGN_ECDSA_SECP256R1_SHA256},
629 {EVP_PKEY_EC, NID_sha384, SSL_SIGN_ECDSA_SECP384R1_SHA384},
630 {EVP_PKEY_EC, NID_sha512, SSL_SIGN_ECDSA_SECP521R1_SHA512},
631 {EVP_PKEY_ED25519, NID_undef, SSL_SIGN_ED25519},
632 };
633
parse_sigalg_pairs(Array<uint16_t> * out,const int * values,size_t num_values)634 static bool parse_sigalg_pairs(Array<uint16_t> *out, const int *values,
635 size_t num_values) {
636 if ((num_values & 1) == 1) {
637 return false;
638 }
639
640 const size_t num_pairs = num_values / 2;
641 if (!out->InitForOverwrite(num_pairs)) {
642 return false;
643 }
644
645 for (size_t i = 0; i < num_values; i += 2) {
646 const int hash_nid = values[i];
647 const int pkey_type = values[i + 1];
648
649 bool found = false;
650 for (const auto &candidate : kSignatureAlgorithmsMapping) {
651 if (candidate.pkey_type == pkey_type && candidate.hash_nid == hash_nid) {
652 (*out)[i / 2] = candidate.signature_algorithm;
653 found = true;
654 break;
655 }
656 }
657
658 if (!found) {
659 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
660 ERR_add_error_dataf("unknown hash:%d pkey:%d", hash_nid, pkey_type);
661 return false;
662 }
663 }
664
665 return true;
666 }
667
SSL_CTX_set1_sigalgs(SSL_CTX * ctx,const int * values,size_t num_values)668 int SSL_CTX_set1_sigalgs(SSL_CTX *ctx, const int *values, size_t num_values) {
669 Array<uint16_t> sigalgs;
670 if (!parse_sigalg_pairs(&sigalgs, values, num_values)) {
671 return 0;
672 }
673
674 if (!SSL_CTX_set_signing_algorithm_prefs(ctx, sigalgs.data(),
675 sigalgs.size()) ||
676 !SSL_CTX_set_verify_algorithm_prefs(ctx, sigalgs.data(),
677 sigalgs.size())) {
678 return 0;
679 }
680
681 return 1;
682 }
683
SSL_set1_sigalgs(SSL * ssl,const int * values,size_t num_values)684 int SSL_set1_sigalgs(SSL *ssl, const int *values, size_t num_values) {
685 if (!ssl->config) {
686 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
687 return 0;
688 }
689
690 Array<uint16_t> sigalgs;
691 if (!parse_sigalg_pairs(&sigalgs, values, num_values)) {
692 return 0;
693 }
694
695 if (!SSL_set_signing_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size()) ||
696 !SSL_set_verify_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size())) {
697 return 0;
698 }
699
700 return 1;
701 }
702
parse_sigalgs_list(Array<uint16_t> * out,const char * str)703 static bool parse_sigalgs_list(Array<uint16_t> *out, const char *str) {
704 // str looks like "RSA+SHA1:ECDSA+SHA256:ecdsa_secp256r1_sha256".
705
706 // Count colons to give the number of output elements from any successful
707 // parse.
708 size_t num_elements = 1;
709 size_t len = 0;
710 for (const char *p = str; *p; p++) {
711 len++;
712 if (*p == ':') {
713 num_elements++;
714 }
715 }
716
717 if (!out->InitForOverwrite(num_elements)) {
718 return false;
719 }
720 size_t out_i = 0;
721
722 enum {
723 pkey_or_name,
724 hash_name,
725 } state = pkey_or_name;
726
727 char buf[kMaxSignatureAlgorithmNameLen];
728 // buf_used is always < sizeof(buf). I.e. it's always safe to write
729 // buf[buf_used] = 0.
730 size_t buf_used = 0;
731
732 int pkey_type = 0, hash_nid = 0;
733
734 // Note that the loop runs to len+1, i.e. it'll process the terminating NUL.
735 for (size_t offset = 0; offset < len + 1; offset++) {
736 const unsigned char c = str[offset];
737
738 switch (c) {
739 case '+':
740 if (state == hash_name) {
741 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
742 ERR_add_error_dataf("+ found in hash name at offset %zu", offset);
743 return false;
744 }
745 if (buf_used == 0) {
746 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
747 ERR_add_error_dataf("empty public key type at offset %zu", offset);
748 return false;
749 }
750 buf[buf_used] = 0;
751
752 if (strcmp(buf, "RSA") == 0) {
753 pkey_type = EVP_PKEY_RSA;
754 } else if (strcmp(buf, "RSA-PSS") == 0 || //
755 strcmp(buf, "PSS") == 0) {
756 pkey_type = EVP_PKEY_RSA_PSS;
757 } else if (strcmp(buf, "ECDSA") == 0) {
758 pkey_type = EVP_PKEY_EC;
759 } else {
760 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
761 ERR_add_error_dataf("unknown public key type '%s'", buf);
762 return false;
763 }
764
765 state = hash_name;
766 buf_used = 0;
767 break;
768
769 case ':':
770 [[fallthrough]];
771 case 0:
772 if (buf_used == 0) {
773 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
774 ERR_add_error_dataf("empty element at offset %zu", offset);
775 return false;
776 }
777
778 buf[buf_used] = 0;
779
780 if (state == pkey_or_name) {
781 // No '+' was seen thus this is a TLS 1.3-style name.
782 bool found = false;
783 for (const auto &candidate : kSignatureAlgorithmNames) {
784 if (strcmp(candidate.name, buf) == 0) {
785 assert(out_i < num_elements);
786 (*out)[out_i++] = candidate.signature_algorithm;
787 found = true;
788 break;
789 }
790 }
791
792 if (!found) {
793 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
794 ERR_add_error_dataf("unknown signature algorithm '%s'", buf);
795 return false;
796 }
797 } else {
798 if (strcmp(buf, "SHA1") == 0) {
799 hash_nid = NID_sha1;
800 } else if (strcmp(buf, "SHA256") == 0) {
801 hash_nid = NID_sha256;
802 } else if (strcmp(buf, "SHA384") == 0) {
803 hash_nid = NID_sha384;
804 } else if (strcmp(buf, "SHA512") == 0) {
805 hash_nid = NID_sha512;
806 } else {
807 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
808 ERR_add_error_dataf("unknown hash function '%s'", buf);
809 return false;
810 }
811
812 bool found = false;
813 for (const auto &candidate : kSignatureAlgorithmsMapping) {
814 if (candidate.pkey_type == pkey_type &&
815 candidate.hash_nid == hash_nid) {
816 assert(out_i < num_elements);
817 (*out)[out_i++] = candidate.signature_algorithm;
818 found = true;
819 break;
820 }
821 }
822
823 if (!found) {
824 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
825 ERR_add_error_dataf("unknown pkey:%d hash:%s", pkey_type, buf);
826 return false;
827 }
828 }
829
830 state = pkey_or_name;
831 buf_used = 0;
832 break;
833
834 default:
835 if (buf_used == sizeof(buf) - 1) {
836 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
837 ERR_add_error_dataf("substring too long at offset %zu", offset);
838 return false;
839 }
840
841 if (OPENSSL_isalnum(c) || c == '-' || c == '_') {
842 buf[buf_used++] = c;
843 } else {
844 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
845 ERR_add_error_dataf("invalid character 0x%02x at offest %zu", c,
846 offset);
847 return false;
848 }
849 }
850 }
851
852 assert(out_i == out->size());
853 return true;
854 }
855
SSL_CTX_set1_sigalgs_list(SSL_CTX * ctx,const char * str)856 int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str) {
857 Array<uint16_t> sigalgs;
858 if (!parse_sigalgs_list(&sigalgs, str)) {
859 return 0;
860 }
861
862 if (!SSL_CTX_set_signing_algorithm_prefs(ctx, sigalgs.data(),
863 sigalgs.size()) ||
864 !SSL_CTX_set_verify_algorithm_prefs(ctx, sigalgs.data(),
865 sigalgs.size())) {
866 return 0;
867 }
868
869 return 1;
870 }
871
SSL_set1_sigalgs_list(SSL * ssl,const char * str)872 int SSL_set1_sigalgs_list(SSL *ssl, const char *str) {
873 if (!ssl->config) {
874 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
875 return 0;
876 }
877
878 Array<uint16_t> sigalgs;
879 if (!parse_sigalgs_list(&sigalgs, str)) {
880 return 0;
881 }
882
883 if (!SSL_set_signing_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size()) ||
884 !SSL_set_verify_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size())) {
885 return 0;
886 }
887
888 return 1;
889 }
890
SSL_CTX_set_verify_algorithm_prefs(SSL_CTX * ctx,const uint16_t * prefs,size_t num_prefs)891 int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
892 size_t num_prefs) {
893 return set_sigalg_prefs(&ctx->verify_sigalgs, Span(prefs, num_prefs));
894 }
895
SSL_set_verify_algorithm_prefs(SSL * ssl,const uint16_t * prefs,size_t num_prefs)896 int SSL_set_verify_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
897 size_t num_prefs) {
898 if (!ssl->config) {
899 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
900 return 0;
901 }
902
903 return set_sigalg_prefs(&ssl->config->verify_sigalgs, Span(prefs, num_prefs));
904 }
905