1 /* $OpenBSD: ssl_sigalgs.c,v 1.21 2020/05/09 16:52:15 beck Exp $ */ 2 /* 3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> 4 * 5 * Permission to use, copy, modify, and/or distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 12 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 14 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 15 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 #include <string.h> 18 #include <stdlib.h> 19 20 #include <openssl/evp.h> 21 22 #include "bytestring.h" 23 #include "ssl_locl.h" 24 #include "ssl_sigalgs.h" 25 #include "tls13_internal.h" 26 27 const struct ssl_sigalg sigalgs[] = { 28 { 29 .value = SIGALG_RSA_PKCS1_SHA512, 30 .md = EVP_sha512, 31 .key_type = EVP_PKEY_RSA, 32 }, 33 { 34 .value = SIGALG_ECDSA_SECP521R1_SHA512, 35 .md = EVP_sha512, 36 .key_type = EVP_PKEY_EC, 37 .curve_nid = NID_secp521r1, 38 }, 39 #ifndef OPENSSL_NO_GOST 40 { 41 .value = SIGALG_GOSTR12_512_STREEBOG_512, 42 .md = EVP_streebog512, 43 .key_type = EVP_PKEY_GOSTR12_512, 44 }, 45 #endif 46 { 47 .value = SIGALG_RSA_PKCS1_SHA384, 48 .md = EVP_sha384, 49 .key_type = EVP_PKEY_RSA, 50 }, 51 { 52 .value = SIGALG_ECDSA_SECP384R1_SHA384, 53 .md = EVP_sha384, 54 .key_type = EVP_PKEY_EC, 55 .curve_nid = NID_secp384r1, 56 }, 57 { 58 .value = SIGALG_RSA_PKCS1_SHA256, 59 .md = EVP_sha256, 60 .key_type = EVP_PKEY_RSA, 61 }, 62 { 63 .value = SIGALG_ECDSA_SECP256R1_SHA256, 64 .md = EVP_sha256, 65 .key_type = EVP_PKEY_EC, 66 .curve_nid = NID_X9_62_prime256v1, 67 }, 68 #ifndef OPENSSL_NO_GOST 69 { 70 .value = SIGALG_GOSTR12_256_STREEBOG_256, 71 .md = EVP_streebog256, 72 .key_type = EVP_PKEY_GOSTR12_256, 73 }, 74 { 75 .value = SIGALG_GOSTR01_GOST94, 76 .md = EVP_gostr341194, 77 .key_type = EVP_PKEY_GOSTR01, 78 }, 79 #endif 80 { 81 .value = SIGALG_RSA_PSS_RSAE_SHA256, 82 .md = EVP_sha256, 83 .key_type = EVP_PKEY_RSA, 84 .flags = SIGALG_FLAG_RSA_PSS, 85 }, 86 { 87 .value = SIGALG_RSA_PSS_RSAE_SHA384, 88 .md = EVP_sha384, 89 .key_type = EVP_PKEY_RSA, 90 .flags = SIGALG_FLAG_RSA_PSS, 91 }, 92 { 93 .value = SIGALG_RSA_PSS_RSAE_SHA512, 94 .md = EVP_sha512, 95 .key_type = EVP_PKEY_RSA, 96 .flags = SIGALG_FLAG_RSA_PSS, 97 }, 98 { 99 .value = SIGALG_RSA_PSS_PSS_SHA256, 100 .md = EVP_sha256, 101 .key_type = EVP_PKEY_RSA, 102 .flags = SIGALG_FLAG_RSA_PSS, 103 }, 104 { 105 .value = SIGALG_RSA_PSS_PSS_SHA384, 106 .md = EVP_sha384, 107 .key_type = EVP_PKEY_RSA, 108 .flags = SIGALG_FLAG_RSA_PSS, 109 }, 110 { 111 .value = SIGALG_RSA_PSS_PSS_SHA512, 112 .md = EVP_sha512, 113 .key_type = EVP_PKEY_RSA, 114 .flags = SIGALG_FLAG_RSA_PSS, 115 }, 116 { 117 .value = SIGALG_RSA_PKCS1_SHA224, 118 .md = EVP_sha224, 119 .key_type = EVP_PKEY_RSA, 120 }, 121 { 122 .value = SIGALG_ECDSA_SECP224R1_SHA224, 123 .md = EVP_sha224, 124 .key_type = EVP_PKEY_EC, 125 }, 126 { 127 .value = SIGALG_RSA_PKCS1_SHA1, 128 .key_type = EVP_PKEY_RSA, 129 .md = EVP_sha1, 130 }, 131 { 132 .value = SIGALG_ECDSA_SHA1, 133 .key_type = EVP_PKEY_EC, 134 .md = EVP_sha1, 135 }, 136 { 137 .value = SIGALG_RSA_PKCS1_MD5_SHA1, 138 .key_type = EVP_PKEY_RSA, 139 .md = EVP_md5_sha1, 140 }, 141 { 142 .value = SIGALG_NONE, 143 }, 144 }; 145 146 /* Sigalgs for tls 1.3, in preference order, */ 147 uint16_t tls13_sigalgs[] = { 148 SIGALG_RSA_PSS_RSAE_SHA512, 149 SIGALG_RSA_PKCS1_SHA512, 150 SIGALG_ECDSA_SECP521R1_SHA512, 151 SIGALG_RSA_PSS_RSAE_SHA384, 152 SIGALG_RSA_PKCS1_SHA384, 153 SIGALG_ECDSA_SECP384R1_SHA384, 154 SIGALG_RSA_PSS_RSAE_SHA256, 155 SIGALG_RSA_PKCS1_SHA256, 156 SIGALG_ECDSA_SECP256R1_SHA256, 157 }; 158 size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0])); 159 160 /* Sigalgs for tls 1.2, in preference order, */ 161 uint16_t tls12_sigalgs[] = { 162 SIGALG_RSA_PSS_RSAE_SHA512, 163 SIGALG_RSA_PKCS1_SHA512, 164 SIGALG_ECDSA_SECP521R1_SHA512, 165 SIGALG_RSA_PSS_RSAE_SHA384, 166 SIGALG_RSA_PKCS1_SHA384, 167 SIGALG_ECDSA_SECP384R1_SHA384, 168 SIGALG_RSA_PSS_RSAE_SHA256, 169 SIGALG_RSA_PKCS1_SHA256, 170 SIGALG_ECDSA_SECP256R1_SHA256, 171 SIGALG_RSA_PKCS1_SHA1, /* XXX */ 172 SIGALG_ECDSA_SHA1, /* XXX */ 173 }; 174 size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0])); 175 176 const struct ssl_sigalg * 177 ssl_sigalg_lookup(uint16_t sigalg) 178 { 179 int i; 180 181 for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) { 182 if (sigalgs[i].value == sigalg) 183 return &sigalgs[i]; 184 } 185 186 return NULL; 187 } 188 189 const struct ssl_sigalg * 190 ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len) 191 { 192 int i; 193 194 for (i = 0; i < len; i++) { 195 if (values[i] == sigalg) 196 return ssl_sigalg_lookup(sigalg); 197 } 198 199 return NULL; 200 } 201 202 int 203 ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len) 204 { 205 size_t i; 206 207 for (i = 0; sigalgs[i].value != SIGALG_NONE; i++); 208 if (len > i) 209 return 0; 210 211 /* XXX check for duplicates and other sanity BS? */ 212 213 /* Add values in order as long as they are supported. */ 214 for (i = 0; i < len; i++) { 215 /* Do not allow the legacy value for < 1.2 to be used */ 216 if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1) 217 return 0; 218 219 if (ssl_sigalg_lookup(values[i]) != NULL) { 220 if (!CBB_add_u16(cbb, values[i])) 221 return 0; 222 } else 223 return 0; 224 } 225 return 1; 226 } 227 228 int 229 ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey, 230 int check_curve) 231 { 232 if (sigalg == NULL || pkey == NULL) 233 return 0; 234 if (sigalg->key_type != pkey->type) 235 return 0; 236 237 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) { 238 /* 239 * RSA PSS Must have an RSA key that needs to be at 240 * least as big as twice the size of the hash + 2 241 */ 242 if (pkey->type != EVP_PKEY_RSA || 243 EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2)) 244 return 0; 245 } 246 247 if (pkey->type == EVP_PKEY_EC && check_curve) { 248 /* Curve must match for EC keys. */ 249 if (sigalg->curve_nid == 0) 250 return 0; 251 if (EC_GROUP_get_curve_name(EC_KEY_get0_group 252 (EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) { 253 return 0; 254 } 255 } 256 257 return 1; 258 } 259 260 const struct ssl_sigalg * 261 ssl_sigalg_select(SSL *s, EVP_PKEY *pkey) 262 { 263 uint16_t *tls_sigalgs = tls12_sigalgs; 264 size_t tls_sigalgs_len = tls12_sigalgs_len; 265 int check_curve = 0; 266 CBS cbs; 267 268 if (TLS1_get_version(s) >= TLS1_3_VERSION) { 269 tls_sigalgs = tls13_sigalgs; 270 tls_sigalgs_len = tls13_sigalgs_len; 271 check_curve = 1; 272 } 273 274 /* Pre TLS 1.2 defaults */ 275 if (!SSL_USE_SIGALGS(s)) { 276 switch (pkey->type) { 277 case EVP_PKEY_RSA: 278 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); 279 case EVP_PKEY_EC: 280 return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); 281 #ifndef OPENSSL_NO_GOST 282 case EVP_PKEY_GOSTR01: 283 return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94); 284 #endif 285 } 286 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); 287 return (NULL); 288 } 289 290 /* 291 * RFC 5246 allows a TLS 1.2 client to send no sigalgs, in 292 * which case the server must use the the default. 293 */ 294 if (TLS1_get_version(s) < TLS1_3_VERSION && 295 S3I(s)->hs.sigalgs == NULL) { 296 switch (pkey->type) { 297 case EVP_PKEY_RSA: 298 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); 299 case EVP_PKEY_EC: 300 return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); 301 #ifndef OPENSSL_NO_GOST 302 case EVP_PKEY_GOSTR01: 303 return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94); 304 #endif 305 } 306 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); 307 return (NULL); 308 } 309 310 /* 311 * If we get here, we have client or server sent sigalgs, use one. 312 */ 313 CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); 314 while (CBS_len(&cbs) > 0) { 315 uint16_t sig_alg; 316 const struct ssl_sigalg *sigalg; 317 318 if (!CBS_get_u16(&cbs, &sig_alg)) 319 return 0; 320 321 if ((sigalg = ssl_sigalg(sig_alg, tls_sigalgs, 322 tls_sigalgs_len)) == NULL) 323 continue; 324 325 /* RSA cannot be used without PSS in TLSv1.3. */ 326 if (TLS1_get_version(s) >= TLS1_3_VERSION && 327 sigalg->key_type == EVP_PKEY_RSA && 328 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0) 329 continue; 330 331 if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve)) 332 return sigalg; 333 } 334 335 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); 336 return NULL; 337 } 338