1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 * Copyright (C) 2017 Red Hat, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this program. If not, see <https://www.gnu.org/licenses/>
21 *
22 */
23
24 #ifndef GNUTLS_LIB_ALGORITHMS_H
25 #define GNUTLS_LIB_ALGORITHMS_H
26
27 #include "auth.h"
28
29 #ifdef DISABLE_SYSTEM_CONFIG
30 # define SYSTEM_CONFIG_OR_CONST const
31 #else
32 # define SYSTEM_CONFIG_OR_CONST
33 #endif
34
35 #define version_to_entry _gnutls_version_to_entry
36
37 #define GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR 0x00
38 #define GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR 0xFF
39
40 #define GNUTLS_FALLBACK_SCSV_MAJOR 0x56
41 #define GNUTLS_FALLBACK_SCSV_MINOR 0x00
42
43 #define IS_GOSTEC(x) (((x)==GNUTLS_PK_GOST_01) || \
44 ((x)==GNUTLS_PK_GOST_12_256)|| \
45 ((x)==GNUTLS_PK_GOST_12_512))
46
47 #define IS_EC(x) (((x)==GNUTLS_PK_ECDSA)|| \
48 ((x)==GNUTLS_PK_ECDH_X25519)||((x)==GNUTLS_PK_EDDSA_ED25519)|| \
49 ((x)==GNUTLS_PK_ECDH_X448)||((x)==GNUTLS_PK_EDDSA_ED448))
50
51 #define SIG_SEM_PRE_TLS12 (1<<1)
52 #define SIG_SEM_TLS13 (1<<2)
53 #define SIG_SEM_DEFAULT (SIG_SEM_PRE_TLS12|SIG_SEM_TLS13)
54
55 #define TLS_SIGN_AID_UNKNOWN {{255, 255}, 0}
56 #define HAVE_UNKNOWN_SIGAID(aid) ((aid)->id[0] == 255 && (aid)->id[1] == 255)
57
58 #define CS_INVALID_MAJOR 0x00
59 #define CS_INVALID_MINOR 0x00
60
61 /* Functions for version handling. */
62 const version_entry_st *version_to_entry(gnutls_protocol_t version);
63 const version_entry_st *nversion_to_entry(uint8_t major, uint8_t minor);
64 const version_entry_st *_gnutls_version_lowest(gnutls_session_t session);
65
66 const version_entry_st *_gnutls_legacy_version_max(gnutls_session_t session);
67 const version_entry_st *_gnutls_version_max(gnutls_session_t session);
68 int _gnutls_version_priority(gnutls_session_t session,
69 gnutls_protocol_t version);
70 int _gnutls_nversion_is_supported(gnutls_session_t session,
71 unsigned char major, unsigned char minor);
72 gnutls_protocol_t _gnutls_version_get(uint8_t major, uint8_t minor);
73 unsigned _gnutls_version_is_too_high(gnutls_session_t session, uint8_t major, uint8_t minor);
74
75 int _gnutls_write_supported_versions(gnutls_session_t session, uint8_t *buffer, ssize_t buffer_size);
76
77 /* Functions for feature checks */
78 int
79 _gnutls_figure_common_ciphersuite(gnutls_session_t session,
80 const ciphersuite_list_st *peer_clist,
81 const gnutls_cipher_suite_entry_st **ce);
82
83 inline static int
_gnutls_version_has_selectable_prf(const version_entry_st * ver)84 _gnutls_version_has_selectable_prf(const version_entry_st * ver)
85 {
86 if (unlikely(ver == NULL))
87 return 0;
88 return ver->selectable_prf;
89 }
90
91 inline static int
_gnutls_version_has_selectable_sighash(const version_entry_st * ver)92 _gnutls_version_has_selectable_sighash(const version_entry_st * ver)
93 {
94 if (unlikely(ver == NULL))
95 return 0;
96 return ver->selectable_sighash;
97 }
98
99 inline static
_gnutls_version_has_extensions(const version_entry_st * ver)100 int _gnutls_version_has_extensions(const version_entry_st * ver)
101 {
102 if (unlikely(ver == NULL))
103 return 0;
104 return ver->extensions;
105 }
106
107 inline static
_gnutls_version_has_explicit_iv(const version_entry_st * ver)108 int _gnutls_version_has_explicit_iv(const version_entry_st * ver)
109 {
110 if (unlikely(ver == NULL))
111 return 0;
112 return ver->explicit_iv;
113 }
114
115 /* Functions for MACs. */
116 const mac_entry_st *_gnutls_mac_to_entry(gnutls_mac_algorithm_t c);
117 #define mac_to_entry(x) _gnutls_mac_to_entry(x)
118 #define hash_to_entry(x) mac_to_entry((gnutls_mac_algorithm_t)(x))
119
_gnutls_mac_is_ok(const mac_entry_st * e)120 inline static int _gnutls_mac_is_ok(const mac_entry_st * e)
121 {
122 if (unlikely(e == NULL) || e->id == 0)
123 return 0;
124 else
125 return 1;
126 }
127
128 /*-
129 * _gnutls_mac_get_algo_len:
130 * @algorithm: is an encryption algorithm
131 *
132 * Get size of MAC key.
133 *
134 * Returns: length (in bytes) of the MAC output size, or 0 if the
135 * given MAC algorithm is invalid.
136 -*/
_gnutls_mac_get_algo_len(const mac_entry_st * e)137 inline static size_t _gnutls_mac_get_algo_len(const mac_entry_st * e)
138 {
139 if (unlikely(e == NULL))
140 return 0;
141 else
142 return e->output_size;
143 }
144
_gnutls_x509_mac_to_oid(const mac_entry_st * e)145 inline static const char *_gnutls_x509_mac_to_oid(const mac_entry_st * e)
146 {
147 if (unlikely(e == NULL))
148 return NULL;
149 else
150 return e->oid;
151 }
152
_gnutls_mac_get_name(const mac_entry_st * e)153 inline static const char *_gnutls_mac_get_name(const mac_entry_st * e)
154 {
155 if (unlikely(e == NULL))
156 return NULL;
157 else
158 return e->name;
159 }
160
_gnutls_mac_block_size(const mac_entry_st * e)161 inline static int _gnutls_mac_block_size(const mac_entry_st * e)
162 {
163 if (unlikely(e == NULL))
164 return 0;
165 else
166 return e->block_size;
167 }
168
_gnutls_mac_get_key_size(const mac_entry_st * e)169 inline static int _gnutls_mac_get_key_size(const mac_entry_st * e)
170 {
171 if (unlikely(e == NULL))
172 return 0;
173 else
174 return e->key_size;
175 }
176
177 inline static gnutls_digest_algorithm_t
_gnutls_mac_to_dig(gnutls_mac_algorithm_t mac)178 _gnutls_mac_to_dig(gnutls_mac_algorithm_t mac)
179 {
180 if (unlikely(mac >= GNUTLS_MAC_AEAD))
181 return GNUTLS_DIG_UNKNOWN;
182
183 return (gnutls_digest_algorithm_t)mac;
184 }
185
186 #define MAC_TO_DIG(mac) _gnutls_mac_to_dig(mac)
187
188 /* Functions for digests. */
189 #define _gnutls_x509_digest_to_oid _gnutls_x509_mac_to_oid
190 #define _gnutls_digest_get_name _gnutls_mac_get_name
191 #define _gnutls_hash_get_algo_len _gnutls_mac_get_algo_len
192
193 #define DIG_TO_MAC(dig) (gnutls_mac_algorithm_t)(dig)
194
195 /* Security against pre-image attacks */
_gnutls_digest_is_secure(const mac_entry_st * e)196 inline static int _gnutls_digest_is_secure(const mac_entry_st * e)
197 {
198 if (unlikely(e == NULL))
199 return 0;
200 else
201 return !(e->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE);
202 }
203
204 /* Functions for cipher suites. */
205 int _gnutls_get_client_ciphersuites(gnutls_session_t session,
206 gnutls_buffer_st * cdata, const version_entry_st *minver,
207 unsigned add_scsv);
208
209 int _gnutls_supported_ciphersuites(gnutls_session_t session,
210 uint8_t * cipher_suites,
211 unsigned int max_cipher_suite_size);
212
213 const gnutls_cipher_suite_entry_st
214 *cipher_suite_get(gnutls_kx_algorithm_t kx_algorithm,
215 gnutls_cipher_algorithm_t cipher_algorithm,
216 gnutls_mac_algorithm_t mac_algorithm);
217
218 const char *_gnutls_cipher_suite_get_name(const uint8_t suite[2]);
219 gnutls_kx_algorithm_t _gnutls_cipher_suite_get_kx_algo(const uint8_t
220 suite[2]);
221
222 int
223 _gnutls_cipher_suite_get_id(gnutls_kx_algorithm_t kx_algorithm,
224 gnutls_cipher_algorithm_t cipher_algorithm,
225 gnutls_mac_algorithm_t mac_algorithm,
226 uint8_t suite[2]);
227
228 const gnutls_cipher_suite_entry_st *ciphersuite_to_entry(const uint8_t suite[2]);
229
230 /* Functions for ciphers. */
231 const cipher_entry_st *_gnutls_cipher_to_entry(gnutls_cipher_algorithm_t c);
232 #define cipher_to_entry(x) _gnutls_cipher_to_entry(x)
233 const cipher_entry_st *cipher_name_to_entry(const char *name);
234
_gnutls_cipher_type(const cipher_entry_st * e)235 inline static cipher_type_t _gnutls_cipher_type(const cipher_entry_st * e)
236 {
237 if (unlikely(e == NULL))
238 return CIPHER_AEAD; /* doesn't matter */
239 return e->type;
240 }
241
_gnutls_cipher_get_block_size(const cipher_entry_st * e)242 inline static int _gnutls_cipher_get_block_size(const cipher_entry_st * e)
243 {
244 if (unlikely(e == NULL))
245 return 0;
246 return e->blocksize;
247 }
248
249 inline static int
_gnutls_cipher_get_implicit_iv_size(const cipher_entry_st * e)250 _gnutls_cipher_get_implicit_iv_size(const cipher_entry_st * e)
251 {
252 if (unlikely(e == NULL))
253 return 0;
254 return e->implicit_iv;
255 }
256
257 inline static int
_gnutls_cipher_get_iv_size(const cipher_entry_st * e)258 _gnutls_cipher_get_iv_size(const cipher_entry_st * e)
259 {
260 if (unlikely(e == NULL))
261 return 0;
262 return e->cipher_iv;
263 }
264
265 inline static int
_gnutls_cipher_get_explicit_iv_size(const cipher_entry_st * e)266 _gnutls_cipher_get_explicit_iv_size(const cipher_entry_st * e)
267 {
268 if (unlikely(e == NULL))
269 return 0;
270 return e->explicit_iv;
271 }
272
_gnutls_cipher_get_key_size(const cipher_entry_st * e)273 inline static int _gnutls_cipher_get_key_size(const cipher_entry_st * e)
274 {
275 if (unlikely(e == NULL))
276 return 0;
277 return e->keysize;
278 }
279
_gnutls_cipher_get_name(const cipher_entry_st * e)280 inline static const char *_gnutls_cipher_get_name(const cipher_entry_st *
281 e)
282 {
283 if (unlikely(e == NULL))
284 return NULL;
285 return e->name;
286 }
287
_gnutls_cipher_algo_is_aead(const cipher_entry_st * e)288 inline static int _gnutls_cipher_algo_is_aead(const cipher_entry_st * e)
289 {
290 if (unlikely(e == NULL))
291 return 0;
292 return (e->type == CIPHER_AEAD)?1:0;
293 }
294
_gnutls_cipher_is_ok(const cipher_entry_st * e)295 inline static int _gnutls_cipher_is_ok(const cipher_entry_st * e)
296 {
297 if (unlikely(e == NULL) || e->id == 0)
298 return 0;
299 else
300 return 1;
301 }
302
_gnutls_cipher_get_tag_size(const cipher_entry_st * e)303 inline static int _gnutls_cipher_get_tag_size(const cipher_entry_st * e)
304 {
305 size_t ret = 0;
306
307 if (unlikely(e == NULL))
308 return ret;
309
310 /* non-AEAD have 0 as tag size */
311 return e->tagsize;
312 }
313
314 /* Functions for key exchange. */
315 bool _gnutls_kx_needs_dh_params(gnutls_kx_algorithm_t algorithm);
316 bool _gnutls_kx_allows_false_start(gnutls_session_t session);
317 mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm_t algorithm);
318 int _gnutls_kx_is_ok(gnutls_kx_algorithm_t algorithm);
319
320 int _gnutls_kx_get_id(const char *name);
321
322 gnutls_credentials_type_t _gnutls_map_kx_get_cred(gnutls_kx_algorithm_t
323 algorithm, int server);
324
325 /* KX to PK mapping. */
326 unsigned
327 _gnutls_kx_supports_pk(gnutls_kx_algorithm_t kx_algorithm,
328 gnutls_pk_algorithm_t pk_algorithm);
329
330 unsigned
331 _gnutls_kx_supports_pk_usage(gnutls_kx_algorithm_t kx_algorithm,
332 gnutls_pk_algorithm_t pk_algorithm,
333 unsigned key_usage);
334
335 enum encipher_type { CIPHER_ENCRYPT = 0, CIPHER_SIGN = 1, CIPHER_IGN };
336
337 enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm_t
338 kx_algorithm);
339
340 /* Functions for sign algorithms. */
341
342 typedef enum hash_security_level_t {
343 _SECURE,
344 _INSECURE_FOR_CERTS,
345 _INSECURE
346 } hash_security_level_t;
347
348 int _gnutls_ecc_curve_mark_disabled(const char *name);
349 int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t);
350 int _gnutls_digest_mark_insecure(const char *name);
351 unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig);
352 int _gnutls_version_mark_disabled(const char *name);
353 gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name);
354
355 #define GNUTLS_SIGN_FLAG_TLS13_OK 1 /* if it is ok to use under TLS1.3 */
356 #define GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE (1 << 1) /* reverse order of bytes in CrtVrfy signature */
357 struct gnutls_sign_entry_st {
358 const char *name;
359 const char *oid;
360 gnutls_sign_algorithm_t id;
361 gnutls_pk_algorithm_t pk;
362 gnutls_digest_algorithm_t hash;
363
364 /* if non-zero it must be the algorithm of the
365 * private key used or certificate. This is for algorithms
366 * which can have a different public key type than the
367 * private key (e.g., RSA PKCS#1 1.5 certificate, but
368 * an RSA-PSS private key, or an RSA private key and
369 * an RSA-PSS certificate). */
370 gnutls_pk_algorithm_t priv_pk;
371 gnutls_pk_algorithm_t cert_pk;
372
373 unsigned flags;
374
375 /* if this signature algorithm is restricted to a curve
376 * under TLS 1.3. */
377 gnutls_ecc_curve_t curve;
378
379 /* See RFC 5246 HashAlgorithm and SignatureAlgorithm
380 for values to use in aid struct. */
381 const sign_algorithm_st aid;
382 hash_security_level_t slevel; /* contains values of hash_security_level_t */
383
384 /* 0 if it matches the predefined hash output size, otherwise
385 * it is truncated or expanded (with XOF) */
386 unsigned hash_output_size;
387 };
388 typedef struct gnutls_sign_entry_st gnutls_sign_entry_st;
389
390 const gnutls_sign_entry_st *_gnutls_sign_to_entry(gnutls_sign_algorithm_t sign);
391 const gnutls_sign_entry_st *_gnutls_pk_to_sign_entry(gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash);
392 const gnutls_sign_entry_st *_gnutls_oid_to_sign_entry(const char *oid);
393
394 /* returns true if that signature can be generated
395 * from the given private key algorithm. */
396 inline static unsigned
sign_supports_priv_pk_algorithm(const gnutls_sign_entry_st * se,gnutls_pk_algorithm_t pk)397 sign_supports_priv_pk_algorithm(const gnutls_sign_entry_st *se, gnutls_pk_algorithm_t pk)
398 {
399 if (pk == se->pk || (se->priv_pk && se->priv_pk == pk))
400 return 1;
401
402 return 0;
403 }
404
405 /* returns true if that signature can be verified with
406 * the given public key algorithm. */
407 inline static unsigned
sign_supports_cert_pk_algorithm(const gnutls_sign_entry_st * se,gnutls_pk_algorithm_t pk)408 sign_supports_cert_pk_algorithm(const gnutls_sign_entry_st *se, gnutls_pk_algorithm_t pk)
409 {
410 if ((!se->cert_pk && pk == se->pk) || (se->cert_pk && se->cert_pk == pk))
411 return 1;
412
413 return 0;
414 }
415
416 bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags);
417
418 gnutls_pk_algorithm_t _gnutls_x509_sign_to_pk(gnutls_sign_algorithm_t
419 sign);
420 const char *_gnutls_x509_sign_to_oid(gnutls_pk_algorithm_t,
421 gnutls_digest_algorithm_t mac);
422
423 const gnutls_sign_entry_st *
424 _gnutls_tls_aid_to_sign_entry(uint8_t id0, uint8_t id1, const version_entry_st *ver);
425
426 gnutls_sign_algorithm_t
427 _gnutls_tls_aid_to_sign(uint8_t id0, uint8_t id1, const version_entry_st *ver);
428 const sign_algorithm_st *_gnutls_sign_to_tls_aid(gnutls_sign_algorithm_t
429 sign);
430
431 const gnutls_sign_entry_st *
432 _gnutls13_sign_get_compatible_with_privkey(gnutls_privkey_t privkey);
433
434 unsigned int _gnutls_pk_bits_to_subgroup_bits(unsigned int pk_bits);
435 gnutls_digest_algorithm_t _gnutls_pk_bits_to_sha_hash(unsigned int pk_bits);
436
437 gnutls_digest_algorithm_t _gnutls_hash_size_to_sha_hash(unsigned int size);
438
439 bool _gnutls_pk_is_not_prehashed(gnutls_pk_algorithm_t algorithm);
440
441 /* ECC */
442 typedef struct gnutls_ecc_curve_entry_st {
443 const char *name;
444 const char *oid;
445 gnutls_ecc_curve_t id;
446 gnutls_pk_algorithm_t pk;
447 unsigned size; /* the size in bytes */
448 unsigned sig_size; /* the size of curve signatures in bytes (EdDSA) */
449 unsigned gost_curve;
450 bool supported;
451 gnutls_group_t group;
452 } gnutls_ecc_curve_entry_st;
453
454 const gnutls_ecc_curve_entry_st
455 *_gnutls_ecc_curve_get_params(gnutls_ecc_curve_t curve);
456
457 unsigned _gnutls_ecc_curve_is_supported(gnutls_ecc_curve_t);
458
459 gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t);
460 const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num);
461 const gnutls_group_entry_st * _gnutls_id_to_group(unsigned id);
462
463 gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk, int bits);
464 #define MAX_ECC_CURVE_SIZE 66
465
466 gnutls_pk_algorithm_t _gnutls_oid_to_pk_and_curve(const char *oid, gnutls_ecc_curve_t *curve);
467
_curve_is_eddsa(const gnutls_ecc_curve_entry_st * e)468 inline static int _curve_is_eddsa(const gnutls_ecc_curve_entry_st * e)
469 {
470 if (unlikely(e == NULL))
471 return 0;
472 if (e->pk == GNUTLS_PK_EDDSA_ED25519 ||
473 e->pk == GNUTLS_PK_EDDSA_ED448)
474 return 1;
475 return 0;
476 }
477
curve_is_eddsa(gnutls_ecc_curve_t id)478 inline static int curve_is_eddsa(gnutls_ecc_curve_t id)
479 {
480 const gnutls_ecc_curve_entry_st *e = _gnutls_ecc_curve_get_params(id);
481 return _curve_is_eddsa(e);
482 }
483
_gnutls_kx_is_ecc(gnutls_kx_algorithm_t kx)484 static inline int _gnutls_kx_is_ecc(gnutls_kx_algorithm_t kx)
485 {
486 if (kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA ||
487 kx == GNUTLS_KX_ANON_ECDH || kx == GNUTLS_KX_ECDHE_PSK)
488 return 1;
489
490 return 0;
491 }
492
_gnutls_kx_is_psk(gnutls_kx_algorithm_t kx)493 static inline int _gnutls_kx_is_psk(gnutls_kx_algorithm_t kx)
494 {
495 if (kx == GNUTLS_KX_PSK || kx == GNUTLS_KX_DHE_PSK ||
496 kx == GNUTLS_KX_ECDHE_PSK || kx == GNUTLS_KX_RSA_PSK)
497 return 1;
498
499 return 0;
500 }
501
_gnutls_kx_is_dhe(gnutls_kx_algorithm_t kx)502 static inline int _gnutls_kx_is_dhe(gnutls_kx_algorithm_t kx)
503 {
504 if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS ||
505 kx == GNUTLS_KX_ANON_DH || kx == GNUTLS_KX_DHE_PSK)
506 return 1;
507
508 return 0;
509 }
510
_gnutls_kx_is_vko_gost(gnutls_kx_algorithm_t kx)511 static inline unsigned _gnutls_kx_is_vko_gost(gnutls_kx_algorithm_t kx)
512 {
513 if (kx == GNUTLS_KX_VKO_GOST_12)
514 return 1;
515
516 return 0;
517 }
518
519 static inline bool
_sign_is_gost(const gnutls_sign_entry_st * se)520 _sign_is_gost(const gnutls_sign_entry_st *se)
521 {
522 gnutls_pk_algorithm_t pk = se->pk;
523
524 return (pk == GNUTLS_PK_GOST_01) ||
525 (pk == GNUTLS_PK_GOST_12_256) ||
526 (pk == GNUTLS_PK_GOST_12_512);
527 }
528
_sig_is_ecdsa(gnutls_sign_algorithm_t sig)529 static inline int _sig_is_ecdsa(gnutls_sign_algorithm_t sig)
530 {
531 if (sig == GNUTLS_SIGN_ECDSA_SHA1 || sig == GNUTLS_SIGN_ECDSA_SHA224 ||
532 sig == GNUTLS_SIGN_ECDSA_SHA256 || sig == GNUTLS_SIGN_ECDSA_SHA384 ||
533 sig == GNUTLS_SIGN_ECDSA_SHA512)
534 return 1;
535
536 return 0;
537 }
538
539 bool _gnutls_pk_are_compat(gnutls_pk_algorithm_t pk1, gnutls_pk_algorithm_t pk2);
540
541 unsigned _gnutls_sign_get_hash_strength(gnutls_sign_algorithm_t sign);
542
543 #endif /* GNUTLS_LIB_ALGORITHMS_H */
544