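/* $OpenBSD: ssl_sigalgs.c,v 1.47 2022/07/02 16:31:04 tb Exp $ */
/*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <string.h>
#include <stdlib.h>

#include <openssl/evp.h>
#include <openssl/opensslconf.h>

#include "bytestring.h"
#include "ssl_locl.h"
#include "ssl_sigalgs.h"
#include "tls13_internal.h"

/*
 * Every signature algorithm this implementation knows how to handle,
 * terminated by a SIGALG_NONE entry.  This table is NOT in preference
 * order and is never advertised directly; the per-version lists below
 * decide what is offered and accepted, and this table only supplies the
 * key type, digest, RSA-PSS flag, EC group and the minimum security level
 * (see ssl_sigalgs_build()) for a code point.
 */
const struct ssl_sigalg sigalgs[] = {
	{
		.value = SIGALG_RSA_PKCS1_SHA512,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha512,
		.security_level = 5,
	},
	{
		.value = SIGALG_ECDSA_SECP521R1_SHA512,
		.key_type = EVP_PKEY_EC,
		.md = EVP_sha512,
		.security_level = 5,
		.group_nid = NID_secp521r1,
	},
#ifndef OPENSSL_NO_GOST
	{
		.value = SIGALG_GOSTR12_512_STREEBOG_512,
		.key_type = EVP_PKEY_GOSTR12_512,
		.md = EVP_streebog512,
		.security_level = 0,
	},
#endif
	{
		.value = SIGALG_RSA_PKCS1_SHA384,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha384,
		.security_level = 4,
	},
	{
		.value = SIGALG_ECDSA_SECP384R1_SHA384,
		.key_type = EVP_PKEY_EC,
		.md = EVP_sha384,
		.security_level = 4,
		.group_nid = NID_secp384r1,
	},
	{
		.value = SIGALG_RSA_PKCS1_SHA256,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha256,
		.security_level = 3,
	},
	{
		.value = SIGALG_ECDSA_SECP256R1_SHA256,
		.key_type = EVP_PKEY_EC,
		.md = EVP_sha256,
		.security_level = 3,
		.group_nid = NID_X9_62_prime256v1,
	},
#ifndef OPENSSL_NO_GOST
	{
		.value = SIGALG_GOSTR12_256_STREEBOG_256,
		.key_type = EVP_PKEY_GOSTR12_256,
		.md = EVP_streebog256,
		.security_level = 0,
	},
	{
		.value = SIGALG_GOSTR01_GOST94,
		.key_type = EVP_PKEY_GOSTR01,
		.md = EVP_gostr341194,
		.security_level = 0, /* XXX */
	},
#endif
	{
		.value = SIGALG_RSA_PSS_RSAE_SHA256,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha256,
		.security_level = 3,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PSS_RSAE_SHA384,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha384,
		.security_level = 4,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PSS_RSAE_SHA512,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha512,
		.security_level = 5,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PSS_PSS_SHA256,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha256,
		.security_level = 3,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PSS_PSS_SHA384,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha384,
		.security_level = 4,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PSS_PSS_SHA512,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha512,
		.security_level = 5,
		.flags = SIGALG_FLAG_RSA_PSS,
	},
	{
		.value = SIGALG_RSA_PKCS1_SHA224,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha224,
		.security_level = 2,
	},
	{
		.value = SIGALG_ECDSA_SECP224R1_SHA224,
		.key_type = EVP_PKEY_EC,
		.md = EVP_sha224,
		.security_level = 2,
	},
	{
		.value = SIGALG_RSA_PKCS1_SHA1,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_sha1,
		.security_level = 1,
	},
	{
		.value = SIGALG_ECDSA_SHA1,
		.key_type = EVP_PKEY_EC,
		.md = EVP_sha1,
		.security_level = 1,
	},
	{
		.value = SIGALG_RSA_PKCS1_MD5_SHA1,
		.key_type = EVP_PKEY_RSA,
		.md = EVP_md5_sha1,
		.security_level = 1,
	},
	{
		.value = SIGALG_NONE,
	},
};

/* Sigalgs for TLSv1.3, in preference order. */
const uint16_t tls13_sigalgs[] = {
	SIGALG_RSA_PSS_RSAE_SHA512,
	SIGALG_RSA_PKCS1_SHA512,
	SIGALG_ECDSA_SECP521R1_SHA512,
	SIGALG_RSA_PSS_RSAE_SHA384,
	SIGALG_RSA_PKCS1_SHA384,
	SIGALG_ECDSA_SECP384R1_SHA384,
	SIGALG_RSA_PSS_RSAE_SHA256,
	SIGALG_RSA_PKCS1_SHA256,
	SIGALG_ECDSA_SECP256R1_SHA256,
};
const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));

/* Sigalgs for TLSv1.2, in preference order. */
const uint16_t tls12_sigalgs[] = {
	SIGALG_RSA_PSS_RSAE_SHA512,
	SIGALG_RSA_PKCS1_SHA512,
	SIGALG_ECDSA_SECP521R1_SHA512,
	SIGALG_RSA_PSS_RSAE_SHA384,
	SIGALG_RSA_PKCS1_SHA384,
	SIGALG_ECDSA_SECP384R1_SHA384,
	SIGALG_RSA_PSS_RSAE_SHA256,
	SIGALG_RSA_PKCS1_SHA256,
	SIGALG_ECDSA_SECP256R1_SHA256,
	SIGALG_RSA_PKCS1_SHA1, /* XXX */
	SIGALG_ECDSA_SHA1, /* XXX */
};
const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));

/*
 * Pick the preference-ordered sigalg list that applies to a protocol
 * version: the TLSv1.3 list for TLS1_3_VERSION and above, the TLSv1.2 list
 * for everything older.  *out_values aliases one of the static tables
 * above and must not be freed.
 */
static void
ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
    size_t *out_len)
{
	if (tls_version >= TLS1_3_VERSION) {
		*out_values = tls13_sigalgs;
		*out_len = tls13_sigalgs_len;
	} else {
		*out_values = tls12_sigalgs;
		*out_len = tls12_sigalgs_len;
	}
}

/*
 * Find the sigalgs table entry for a code point.  This scans the full
 * table, so it resolves legacy and non-default algorithms as well;
 * anything derived from peer input must go through
 * ssl_sigalg_from_value() instead so that it is filtered against our own
 * per-version list first.
 *
 * Returns the entry, or NULL if value is not in the table.  SIGALG_NONE is
 * the terminator and is never returned.
 */
static const struct ssl_sigalg *
ssl_sigalg_lookup(uint16_t value)
{
	size_t i;

	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
		if (sigalgs[i].value == value)
			return &sigalgs[i];
	}

	return NULL;
}

/*
 * Resolve a sigalg code point for the negotiated protocol version,
 * accepting it only if it is in our own list for that version.  Code
 * points that exist in the sigalgs table but not in the version's list
 * (the MD5-SHA1, SHA-224 and GOST entries, for instance) are rejected, so
 * a value chosen by the peer can never select an algorithm we would not
 * offer ourselves.
 *
 * Returns the table entry, or NULL if value is not acceptable.
 */
static const struct ssl_sigalg *
ssl_sigalg_from_value(SSL *s, uint16_t value)
{
	const uint16_t *values;
	size_t len;
	size_t i;

	ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
	    &values, &len);

	/* len is a size_t; index with one too, as ssl_sigalgs_build() does. */
	for (i = 0; i < len; i++) {
		if (values[i] == value)
			return ssl_sigalg_lookup(value);
	}

	return NULL;
}

/*
 * Write the signature_algorithms values for tls_version into cbb, in
 * preference order, skipping any whose table security_level is below the
 * requested security_level.
 *
 * Returns 1 if at least one value was written.  Returns 0 if none
 * qualified, if cbb could not be extended, if a list entry is missing from
 * the sigalgs table, or if the list contains the pre-TLSv1.2 MD5-SHA1
 * legacy value, which must never be advertised.
 */
int
ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
{
	const struct ssl_sigalg *sigalg;
	const uint16_t *values;
	size_t len;
	size_t i;
	int ret = 0;

	ssl_sigalgs_for_version(tls_version, &values, &len);

	/* Add values in order as long as they are supported. */
	for (i = 0; i < len; i++) {
		/* Do not allow the legacy value for < 1.2 to be used. */
		if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
			return 0;
		if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
			return 0;
		if (sigalg->security_level < security_level)
			continue;

		if (!CBB_add_u16(cbb, values[i]))
			return 0;

		ret = 1;
	}
	return ret;
}

/*
 * Default signature algorithm for a connection on which no sigalgs
 * extension applies (pre-TLSv1.2, or a TLSv1.2 peer that sent none).
 * These defaults are all SHA-1 or MD5-SHA1 based, so they are only
 * handed out at security levels 0 and 1.
 *
 * Returns the table entry, or NULL when the security level forbids a
 * legacy algorithm (no error is pushed in that case) or when pkey has an
 * unsupported type (SSL_R_UNKNOWN_PKEY_TYPE is pushed).
 */
static const struct ssl_sigalg *
ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
{
	if (SSL_get_security_level(s) > 1)
		return NULL;

	/* Default signature algorithms used for TLSv1.2 and earlier. */
	switch (EVP_PKEY_id(pkey)) {
	case EVP_PKEY_RSA:
		if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
			return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
		return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
	case EVP_PKEY_EC:
		return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
#ifndef OPENSSL_NO_GOST
	case EVP_PKEY_GOSTR01:
		return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
#endif
	}
	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
	return NULL;
}

/*
 * Decide whether sigalg may be used with pkey on this connection.
 *
 * Checks, in order: the key type matches; for RSA-PSS the key is RSA and
 * large enough for the digest; the key passes the security-level check;
 * and, for TLSv1.3 only, RSA is used with PSS and an EC key is on exactly
 * the group the sigalg names.  Pre-TLSv1.3 connections stop after the
 * security check.
 *
 * Returns 1 if the pairing is acceptable, 0 otherwise.  No error is
 * pushed; callers decide how to report a rejection.
 */
static int
ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
{
	if (sigalg == NULL || pkey == NULL)
		return 0;
	if (sigalg->key_type != EVP_PKEY_id(pkey))
		return 0;

	/*
	 * RSA PSS must have a sufficiently large RSA key.  With a salt as long
	 * as the digest, EMSA-PSS needs a modulus of at least
	 * 2 * digest_len + 2 bytes (emLen >= hLen + sLen + 2).
	 */
	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
		if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
		    EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
			return 0;
	}

	if (!ssl_security_sigalg_check(s, pkey))
		return 0;

	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
		return 1;

	/* RSA cannot be used without PSS in TLSv1.3. */
	if (sigalg->key_type == EVP_PKEY_RSA &&
	    (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
		return 0;

	/* Ensure that group matches for EC keys. */
	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
		if (sigalg->group_nid == 0)
			return 0;
		if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
		    EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
			return 0;
	}

	return 1;
}

/*
 * Choose the signature algorithm to sign with using pkey, walking the
 * sigalgs list stored in the handshake state in the order it was sent and
 * taking the first entry that is in our own list for the negotiated
 * version and passes ssl_sigalg_pkey_ok().  Falls back to the legacy
 * defaults when sigalgs are not in use, or when a pre-TLSv1.3 peer sent
 * no extension.
 *
 * Returns the chosen entry, or NULL with SSL_R_UNKNOWN_PKEY_TYPE pushed if
 * nothing usable was found.  A malformed list (trailing odd byte) also
 * yields NULL, without an error being pushed.
 */
const struct ssl_sigalg *
ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
{
	CBS cbs;

	if (!SSL_USE_SIGALGS(s))
		return ssl_sigalg_for_legacy(s, pkey);

	/*
	 * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
	 * in which case the server must use the default.
	 */
	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
	    s->s3->hs.sigalgs == NULL)
		return ssl_sigalg_for_legacy(s, pkey);

	/*
	 * If we get here, we have client or server sent sigalgs, use one.
	 */
	CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
	while (CBS_len(&cbs) > 0) {
		const struct ssl_sigalg *sigalg;
		uint16_t sigalg_value;

		/* Fewer than two bytes left: the list is malformed. */
		if (!CBS_get_u16(&cbs, &sigalg_value))
			return NULL;

		/* Unknown or not-offered values are skipped, not fatal. */
		if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
			continue;
		if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
			return sigalg;
	}

	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
	return NULL;
}

/*
 * Validate the sigalg code point the peer chose for a signature made with
 * pkey.  The value must be in our own list for the negotiated version
 * (SSL_R_UNKNOWN_DIGEST otherwise) and must be usable with pkey per
 * ssl_sigalg_pkey_ok() (SSL_R_WRONG_SIGNATURE_TYPE otherwise).  When
 * sigalgs are not in use the legacy default for the key type is returned
 * and sigalg_value is ignored.
 *
 * Returns the table entry to verify with, or NULL with an error pushed.
 */
const struct ssl_sigalg *
ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
{
	const struct ssl_sigalg *sigalg;

	if (!SSL_USE_SIGALGS(s))
		return ssl_sigalg_for_legacy(s, pkey);

	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
		SSLerror(s, SSL_R_UNKNOWN_DIGEST);
		return NULL;
	}
	if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
		SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
		return NULL;
	}

	return sigalg;
}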