1 /* $OpenBSD: ssl_sigalgs.c,v 1.50 2024/07/09 13:43:57 beck Exp $ */
2 /*
3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
13 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
15 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
16 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <string.h>
20 #include <stdlib.h>
21
22 #include <openssl/evp.h>
23 #include <openssl/opensslconf.h>
24
25 #include "bytestring.h"
26 #include "ssl_local.h"
27 #include "ssl_sigalgs.h"
28 #include "tls13_internal.h"
29
30 const struct ssl_sigalg sigalgs[] = {
31 {
32 .value = SIGALG_RSA_PKCS1_SHA512,
33 .key_type = EVP_PKEY_RSA,
34 .md = EVP_sha512,
35 .security_level = 5,
36 },
37 {
38 .value = SIGALG_ECDSA_SECP521R1_SHA512,
39 .key_type = EVP_PKEY_EC,
40 .md = EVP_sha512,
41 .security_level = 5,
42 .group_nid = NID_secp521r1,
43 },
44 {
45 .value = SIGALG_RSA_PKCS1_SHA384,
46 .key_type = EVP_PKEY_RSA,
47 .md = EVP_sha384,
48 .security_level = 4,
49 },
50 {
51 .value = SIGALG_ECDSA_SECP384R1_SHA384,
52 .key_type = EVP_PKEY_EC,
53 .md = EVP_sha384,
54 .security_level = 4,
55 .group_nid = NID_secp384r1,
56 },
57 {
58 .value = SIGALG_RSA_PKCS1_SHA256,
59 .key_type = EVP_PKEY_RSA,
60 .md = EVP_sha256,
61 .security_level = 3,
62 },
63 {
64 .value = SIGALG_ECDSA_SECP256R1_SHA256,
65 .key_type = EVP_PKEY_EC,
66 .md = EVP_sha256,
67 .security_level = 3,
68 .group_nid = NID_X9_62_prime256v1,
69 },
70 {
71 .value = SIGALG_RSA_PSS_RSAE_SHA256,
72 .key_type = EVP_PKEY_RSA,
73 .md = EVP_sha256,
74 .security_level = 3,
75 .flags = SIGALG_FLAG_RSA_PSS,
76 },
77 {
78 .value = SIGALG_RSA_PSS_RSAE_SHA384,
79 .key_type = EVP_PKEY_RSA,
80 .md = EVP_sha384,
81 .security_level = 4,
82 .flags = SIGALG_FLAG_RSA_PSS,
83 },
84 {
85 .value = SIGALG_RSA_PSS_RSAE_SHA512,
86 .key_type = EVP_PKEY_RSA,
87 .md = EVP_sha512,
88 .security_level = 5,
89 .flags = SIGALG_FLAG_RSA_PSS,
90 },
91 {
92 .value = SIGALG_RSA_PSS_PSS_SHA256,
93 .key_type = EVP_PKEY_RSA,
94 .md = EVP_sha256,
95 .security_level = 3,
96 .flags = SIGALG_FLAG_RSA_PSS,
97 },
98 {
99 .value = SIGALG_RSA_PSS_PSS_SHA384,
100 .key_type = EVP_PKEY_RSA,
101 .md = EVP_sha384,
102 .security_level = 4,
103 .flags = SIGALG_FLAG_RSA_PSS,
104 },
105 {
106 .value = SIGALG_RSA_PSS_PSS_SHA512,
107 .key_type = EVP_PKEY_RSA,
108 .md = EVP_sha512,
109 .security_level = 5,
110 .flags = SIGALG_FLAG_RSA_PSS,
111 },
112 {
113 .value = SIGALG_RSA_PKCS1_SHA224,
114 .key_type = EVP_PKEY_RSA,
115 .md = EVP_sha224,
116 .security_level = 2,
117 },
118 {
119 .value = SIGALG_ECDSA_SECP224R1_SHA224,
120 .key_type = EVP_PKEY_EC,
121 .md = EVP_sha224,
122 .security_level = 2,
123 },
124 {
125 .value = SIGALG_RSA_PKCS1_SHA1,
126 .key_type = EVP_PKEY_RSA,
127 .md = EVP_sha1,
128 .security_level = 1,
129 },
130 {
131 .value = SIGALG_ECDSA_SHA1,
132 .key_type = EVP_PKEY_EC,
133 .md = EVP_sha1,
134 .security_level = 1,
135 },
136 {
137 .value = SIGALG_RSA_PKCS1_MD5_SHA1,
138 .key_type = EVP_PKEY_RSA,
139 .md = EVP_md5_sha1,
140 .security_level = 1,
141 },
142 {
143 .value = SIGALG_NONE,
144 },
145 };
146
147 /* Sigalgs for TLSv1.3, in preference order. */
148 const uint16_t tls13_sigalgs[] = {
149 SIGALG_RSA_PSS_RSAE_SHA512,
150 SIGALG_RSA_PKCS1_SHA512,
151 SIGALG_ECDSA_SECP521R1_SHA512,
152 SIGALG_RSA_PSS_RSAE_SHA384,
153 SIGALG_RSA_PKCS1_SHA384,
154 SIGALG_ECDSA_SECP384R1_SHA384,
155 SIGALG_RSA_PSS_RSAE_SHA256,
156 SIGALG_RSA_PKCS1_SHA256,
157 SIGALG_ECDSA_SECP256R1_SHA256,
158 };
159 const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
160
161 /* Sigalgs for TLSv1.2, in preference order. */
162 const uint16_t tls12_sigalgs[] = {
163 SIGALG_RSA_PSS_RSAE_SHA512,
164 SIGALG_RSA_PKCS1_SHA512,
165 SIGALG_ECDSA_SECP521R1_SHA512,
166 SIGALG_RSA_PSS_RSAE_SHA384,
167 SIGALG_RSA_PKCS1_SHA384,
168 SIGALG_ECDSA_SECP384R1_SHA384,
169 SIGALG_RSA_PSS_RSAE_SHA256,
170 SIGALG_RSA_PKCS1_SHA256,
171 SIGALG_ECDSA_SECP256R1_SHA256,
172 SIGALG_RSA_PKCS1_SHA1, /* XXX */
173 SIGALG_ECDSA_SHA1, /* XXX */
174 };
175 const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
176
177 static void
ssl_sigalgs_for_version(uint16_t tls_version,const uint16_t ** out_values,size_t * out_len)178 ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
179 size_t *out_len)
180 {
181 if (tls_version >= TLS1_3_VERSION) {
182 *out_values = tls13_sigalgs;
183 *out_len = tls13_sigalgs_len;
184 } else {
185 *out_values = tls12_sigalgs;
186 *out_len = tls12_sigalgs_len;
187 }
188 }
189
190 static const struct ssl_sigalg *
ssl_sigalg_lookup(uint16_t value)191 ssl_sigalg_lookup(uint16_t value)
192 {
193 int i;
194
195 for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
196 if (sigalgs[i].value == value)
197 return &sigalgs[i];
198 }
199
200 return NULL;
201 }
202
203 static const struct ssl_sigalg *
ssl_sigalg_from_value(SSL * s,uint16_t value)204 ssl_sigalg_from_value(SSL *s, uint16_t value)
205 {
206 const uint16_t *values;
207 size_t len;
208 int i;
209
210 ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
211 &values, &len);
212
213 for (i = 0; i < len; i++) {
214 if (values[i] == value)
215 return ssl_sigalg_lookup(value);
216 }
217
218 return NULL;
219 }
220
221 int
ssl_sigalgs_build(uint16_t tls_version,CBB * cbb,int security_level)222 ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
223 {
224 const struct ssl_sigalg *sigalg;
225 const uint16_t *values;
226 size_t len;
227 size_t i;
228 int ret = 0;
229
230 ssl_sigalgs_for_version(tls_version, &values, &len);
231
232 /* Add values in order as long as they are supported. */
233 for (i = 0; i < len; i++) {
234 /* Do not allow the legacy value for < 1.2 to be used. */
235 if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
236 return 0;
237 if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
238 return 0;
239 if (sigalg->security_level < security_level)
240 continue;
241
242 if (!CBB_add_u16(cbb, values[i]))
243 return 0;
244
245 ret = 1;
246 }
247 return ret;
248 }
249
250 static const struct ssl_sigalg *
ssl_sigalg_for_legacy(SSL * s,EVP_PKEY * pkey)251 ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
252 {
253 if (SSL_get_security_level(s) > 1)
254 return NULL;
255
256 /* Default signature algorithms used for TLSv1.2 and earlier. */
257 switch (EVP_PKEY_id(pkey)) {
258 case EVP_PKEY_RSA:
259 if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
260 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
261 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
262 case EVP_PKEY_EC:
263 return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
264 }
265 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
266 return NULL;
267 }
268
269 static int
ssl_sigalg_pkey_ok(SSL * s,const struct ssl_sigalg * sigalg,EVP_PKEY * pkey)270 ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
271 {
272 if (sigalg == NULL || pkey == NULL)
273 return 0;
274 if (sigalg->key_type != EVP_PKEY_id(pkey))
275 return 0;
276
277 /* RSA PSS must have a sufficiently large RSA key. */
278 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
279 if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
280 EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
281 return 0;
282 }
283
284 if (!ssl_security_sigalg_check(s, pkey))
285 return 0;
286
287 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
288 return 1;
289
290 /* RSA cannot be used without PSS in TLSv1.3. */
291 if (sigalg->key_type == EVP_PKEY_RSA &&
292 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
293 return 0;
294
295 /* Ensure that group matches for EC keys. */
296 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
297 if (sigalg->group_nid == 0)
298 return 0;
299 if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
300 EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
301 return 0;
302 }
303
304 return 1;
305 }
306
307 const struct ssl_sigalg *
ssl_sigalg_select(SSL * s,EVP_PKEY * pkey)308 ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
309 {
310 CBS cbs;
311
312 if (!SSL_USE_SIGALGS(s))
313 return ssl_sigalg_for_legacy(s, pkey);
314
315 /*
316 * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
317 * in which case the server must use the default.
318 */
319 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
320 s->s3->hs.sigalgs == NULL)
321 return ssl_sigalg_for_legacy(s, pkey);
322
323 /*
324 * If we get here, we have client or server sent sigalgs, use one.
325 */
326 CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
327 while (CBS_len(&cbs) > 0) {
328 const struct ssl_sigalg *sigalg;
329 uint16_t sigalg_value;
330
331 if (!CBS_get_u16(&cbs, &sigalg_value))
332 return NULL;
333
334 if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
335 continue;
336 if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
337 return sigalg;
338 }
339
340 return NULL;
341 }
342
343 const struct ssl_sigalg *
ssl_sigalg_for_peer(SSL * s,EVP_PKEY * pkey,uint16_t sigalg_value)344 ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
345 {
346 const struct ssl_sigalg *sigalg;
347
348 if (!SSL_USE_SIGALGS(s))
349 return ssl_sigalg_for_legacy(s, pkey);
350
351 if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
352 SSLerror(s, SSL_R_UNKNOWN_DIGEST);
353 return NULL;
354 }
355 if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
356 SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
357 return NULL;
358 }
359
360 return sigalg;
361 }
362