xref: /openbsd/lib/libssl/ssl_sigalgs.c (revision 5c273ab3) 
1 /* $OpenBSD: ssl_sigalgs.c,v 1.38 2021/11/26 16:41:42 tb Exp $ */
2 /*
3  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
5  *
6  * Permission to use, copy, modify, and/or distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
13  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
15  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
16  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <string.h>
20 #include <stdlib.h>
21 
22 #include <openssl/evp.h>
23 #include <openssl/opensslconf.h>
24 
25 #include "bytestring.h"
26 #include "ssl_locl.h"
27 #include "ssl_sigalgs.h"
28 #include "tls13_internal.h"
29 
30 const struct ssl_sigalg sigalgs[] = {
31 	{
32 		.value = SIGALG_RSA_PKCS1_SHA512,
33 		.key_type = EVP_PKEY_RSA,
34 		.md = EVP_sha512,
35 	},
36 	{
37 		.value = SIGALG_ECDSA_SECP521R1_SHA512,
38 		.key_type = EVP_PKEY_EC,
39 		.md = EVP_sha512,
40 		.curve_nid = NID_secp521r1,
41 	},
42 #ifndef OPENSSL_NO_GOST
43 	{
44 		.value = SIGALG_GOSTR12_512_STREEBOG_512,
45 		.key_type = EVP_PKEY_GOSTR12_512,
46 		.md = EVP_streebog512,
47 	},
48 #endif
49 	{
50 		.value = SIGALG_RSA_PKCS1_SHA384,
51 		.key_type = EVP_PKEY_RSA,
52 		.md = EVP_sha384,
53 	},
54 	{
55 		.value = SIGALG_ECDSA_SECP384R1_SHA384,
56 		.key_type = EVP_PKEY_EC,
57 		.md = EVP_sha384,
58 		.curve_nid = NID_secp384r1,
59 	},
60 	{
61 		.value = SIGALG_RSA_PKCS1_SHA256,
62 		.key_type = EVP_PKEY_RSA,
63 		.md = EVP_sha256,
64 	},
65 	{
66 		.value = SIGALG_ECDSA_SECP256R1_SHA256,
67 		.key_type = EVP_PKEY_EC,
68 		.md = EVP_sha256,
69 		.curve_nid = NID_X9_62_prime256v1,
70 	},
71 #ifndef OPENSSL_NO_GOST
72 	{
73 		.value = SIGALG_GOSTR12_256_STREEBOG_256,
74 		.key_type = EVP_PKEY_GOSTR12_256,
75 		.md = EVP_streebog256,
76 	},
77 	{
78 		.value = SIGALG_GOSTR01_GOST94,
79 		.key_type = EVP_PKEY_GOSTR01,
80 		.md = EVP_gostr341194,
81 	},
82 #endif
83 	{
84 		.value = SIGALG_RSA_PSS_RSAE_SHA256,
85 		.key_type = EVP_PKEY_RSA,
86 		.md = EVP_sha256,
87 		.flags = SIGALG_FLAG_RSA_PSS,
88 	},
89 	{
90 		.value = SIGALG_RSA_PSS_RSAE_SHA384,
91 		.key_type = EVP_PKEY_RSA,
92 		.md = EVP_sha384,
93 		.flags = SIGALG_FLAG_RSA_PSS,
94 	},
95 	{
96 		.value = SIGALG_RSA_PSS_RSAE_SHA512,
97 		.key_type = EVP_PKEY_RSA,
98 		.md = EVP_sha512,
99 		.flags = SIGALG_FLAG_RSA_PSS,
100 	},
101 	{
102 		.value = SIGALG_RSA_PSS_PSS_SHA256,
103 		.key_type = EVP_PKEY_RSA,
104 		.md = EVP_sha256,
105 		.flags = SIGALG_FLAG_RSA_PSS,
106 	},
107 	{
108 		.value = SIGALG_RSA_PSS_PSS_SHA384,
109 		.key_type = EVP_PKEY_RSA,
110 		.md = EVP_sha384,
111 		.flags = SIGALG_FLAG_RSA_PSS,
112 	},
113 	{
114 		.value = SIGALG_RSA_PSS_PSS_SHA512,
115 		.key_type = EVP_PKEY_RSA,
116 		.md = EVP_sha512,
117 		.flags = SIGALG_FLAG_RSA_PSS,
118 	},
119 	{
120 		.value = SIGALG_RSA_PKCS1_SHA224,
121 		.key_type = EVP_PKEY_RSA,
122 		.md = EVP_sha224,
123 	},
124 	{
125 		.value = SIGALG_ECDSA_SECP224R1_SHA224,
126 		.key_type = EVP_PKEY_EC,
127 		.md = EVP_sha224,
128 	},
129 	{
130 		.value = SIGALG_RSA_PKCS1_SHA1,
131 		.key_type = EVP_PKEY_RSA,
132 		.md = EVP_sha1,
133 	},
134 	{
135 		.value = SIGALG_ECDSA_SHA1,
136 		.key_type = EVP_PKEY_EC,
137 		.md = EVP_sha1,
138 	},
139 	{
140 		.value = SIGALG_RSA_PKCS1_MD5_SHA1,
141 		.key_type = EVP_PKEY_RSA,
142 		.md = EVP_md5_sha1,
143 	},
144 	{
145 		.value = SIGALG_NONE,
146 	},
147 };
148 
149 /* Sigalgs for TLSv1.3, in preference order. */
150 const uint16_t tls13_sigalgs[] = {
151 	SIGALG_RSA_PSS_RSAE_SHA512,
152 	SIGALG_RSA_PKCS1_SHA512,
153 	SIGALG_ECDSA_SECP521R1_SHA512,
154 	SIGALG_RSA_PSS_RSAE_SHA384,
155 	SIGALG_RSA_PKCS1_SHA384,
156 	SIGALG_ECDSA_SECP384R1_SHA384,
157 	SIGALG_RSA_PSS_RSAE_SHA256,
158 	SIGALG_RSA_PKCS1_SHA256,
159 	SIGALG_ECDSA_SECP256R1_SHA256,
160 };
161 const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
162 
163 /* Sigalgs for TLSv1.2, in preference order. */
164 const uint16_t tls12_sigalgs[] = {
165 	SIGALG_RSA_PSS_RSAE_SHA512,
166 	SIGALG_RSA_PKCS1_SHA512,
167 	SIGALG_ECDSA_SECP521R1_SHA512,
168 	SIGALG_RSA_PSS_RSAE_SHA384,
169 	SIGALG_RSA_PKCS1_SHA384,
170 	SIGALG_ECDSA_SECP384R1_SHA384,
171 	SIGALG_RSA_PSS_RSAE_SHA256,
172 	SIGALG_RSA_PKCS1_SHA256,
173 	SIGALG_ECDSA_SECP256R1_SHA256,
174 	SIGALG_RSA_PKCS1_SHA1, /* XXX */
175 	SIGALG_ECDSA_SHA1,     /* XXX */
176 };
177 const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
178 
179 static void
180 ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
181     size_t *out_len)
182 {
183 	if (tls_version >= TLS1_3_VERSION) {
184 		*out_values = tls13_sigalgs;
185 		*out_len = tls13_sigalgs_len;
186 	} else {
187 		*out_values = tls12_sigalgs;
188 		*out_len = tls12_sigalgs_len;
189 	}
190 }
191 
192 static const struct ssl_sigalg *
193 ssl_sigalg_lookup(uint16_t value)
194 {
195 	int i;
196 
197 	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
198 		if (sigalgs[i].value == value)
199 			return &sigalgs[i];
200 	}
201 
202 	return NULL;
203 }
204 
205 static const struct ssl_sigalg *
206 ssl_sigalg_from_value(SSL *s, uint16_t value)
207 {
208 	const uint16_t *values;
209 	size_t len;
210 	int i;
211 
212 	ssl_sigalgs_for_version(S3I(s)->hs.negotiated_tls_version,
213 	    &values, &len);
214 
215 	for (i = 0; i < len; i++) {
216 		if (values[i] == value)
217 			return ssl_sigalg_lookup(value);
218 	}
219 
220 	return NULL;
221 }
222 
223 int
224 ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
225 {
226 	const uint16_t *values;
227 	size_t len;
228 	size_t i;
229 
230 	ssl_sigalgs_for_version(tls_version, &values, &len);
231 
232 	/* Add values in order as long as they are supported. */
233 	for (i = 0; i < len; i++) {
234 		/* Do not allow the legacy value for < 1.2 to be used. */
235 		if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
236 			return 0;
237 		if (ssl_sigalg_lookup(values[i]) == NULL)
238 			return 0;
239 		if (!CBB_add_u16(cbb, values[i]))
240 			return 0;
241 	}
242 	return 1;
243 }
244 
245 static const struct ssl_sigalg *
246 ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
247 {
248 	/* Default signature algorithms used for TLSv1.2 and earlier. */
249 	switch (EVP_PKEY_id(pkey)) {
250 	case EVP_PKEY_RSA:
251 		if (S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION)
252 			return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
253 		return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
254 	case EVP_PKEY_EC:
255 		return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
256 #ifndef OPENSSL_NO_GOST
257 	case EVP_PKEY_GOSTR01:
258 		return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
259 #endif
260 	}
261 	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
262 	return (NULL);
263 }
264 
265 static int
266 ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
267 {
268 	if (sigalg == NULL || pkey == NULL)
269 		return 0;
270 	if (sigalg->key_type != EVP_PKEY_id(pkey))
271 		return 0;
272 
273 	/* RSA PSS must have a sufficiently large RSA key. */
274 	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
275 		if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
276 		    EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
277 			return 0;
278 	}
279 
280 	if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION)
281 		return 1;
282 
283 	/* RSA cannot be used without PSS in TLSv1.3. */
284 	if (sigalg->key_type == EVP_PKEY_RSA &&
285 	    (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
286 		return 0;
287 
288 	/* Ensure that curve matches for EC keys. */
289 	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
290 		if (sigalg->curve_nid == 0)
291 			return 0;
292 		if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
293 		    EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid)
294 			return 0;
295 	}
296 
297 	return 1;
298 }
299 
300 const struct ssl_sigalg *
301 ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
302 {
303 	CBS cbs;
304 
305 	if (!SSL_USE_SIGALGS(s))
306 		return ssl_sigalg_for_legacy(s, pkey);
307 
308 	/*
309 	 * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
310 	 * in which case the server must use the default.
311 	 */
312 	if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
313 	    S3I(s)->hs.sigalgs == NULL)
314 		return ssl_sigalg_for_legacy(s, pkey);
315 
316 	/*
317 	 * If we get here, we have client or server sent sigalgs, use one.
318 	 */
319 	CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
320 	while (CBS_len(&cbs) > 0) {
321 		const struct ssl_sigalg *sigalg;
322 		uint16_t sigalg_value;
323 
324 		if (!CBS_get_u16(&cbs, &sigalg_value))
325 			return 0;
326 
327 		if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
328 			continue;
329 		if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
330 			return sigalg;
331 	}
332 
333 	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
334 	return NULL;
335 }
336 
337 const struct ssl_sigalg *
338 ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
339 {
340 	const struct ssl_sigalg *sigalg;
341 
342 	if (!SSL_USE_SIGALGS(s))
343 		return ssl_sigalg_for_legacy(s, pkey);
344 
345 	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
346 		SSLerror(s, SSL_R_UNKNOWN_DIGEST);
347 		return (NULL);
348 	}
349 	if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
350 		SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
351 		return (NULL);
352 	}
353 
354 	return sigalg;
355 }
356