1 /* $OpenBSD: ssl_sigalgs.c,v 1.47 2022/07/02 16:31:04 tb Exp $ */
2 /*
3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
13 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
15 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
16 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <string.h>
20 #include <stdlib.h>
21
22 #include <openssl/evp.h>
23 #include <openssl/opensslconf.h>
24
25 #include "bytestring.h"
26 #include "ssl_locl.h"
27 #include "ssl_sigalgs.h"
28 #include "tls13_internal.h"
29
30 const struct ssl_sigalg sigalgs[] = {
31 {
32 .value = SIGALG_RSA_PKCS1_SHA512,
33 .key_type = EVP_PKEY_RSA,
34 .md = EVP_sha512,
35 .security_level = 5,
36 },
37 {
38 .value = SIGALG_ECDSA_SECP521R1_SHA512,
39 .key_type = EVP_PKEY_EC,
40 .md = EVP_sha512,
41 .security_level = 5,
42 .group_nid = NID_secp521r1,
43 },
44 #ifndef OPENSSL_NO_GOST
45 {
46 .value = SIGALG_GOSTR12_512_STREEBOG_512,
47 .key_type = EVP_PKEY_GOSTR12_512,
48 .md = EVP_streebog512,
49 .security_level = 0,
50 },
51 #endif
52 {
53 .value = SIGALG_RSA_PKCS1_SHA384,
54 .key_type = EVP_PKEY_RSA,
55 .md = EVP_sha384,
56 .security_level = 4,
57 },
58 {
59 .value = SIGALG_ECDSA_SECP384R1_SHA384,
60 .key_type = EVP_PKEY_EC,
61 .md = EVP_sha384,
62 .security_level = 4,
63 .group_nid = NID_secp384r1,
64 },
65 {
66 .value = SIGALG_RSA_PKCS1_SHA256,
67 .key_type = EVP_PKEY_RSA,
68 .md = EVP_sha256,
69 .security_level = 3,
70 },
71 {
72 .value = SIGALG_ECDSA_SECP256R1_SHA256,
73 .key_type = EVP_PKEY_EC,
74 .md = EVP_sha256,
75 .security_level = 3,
76 .group_nid = NID_X9_62_prime256v1,
77 },
78 #ifndef OPENSSL_NO_GOST
79 {
80 .value = SIGALG_GOSTR12_256_STREEBOG_256,
81 .key_type = EVP_PKEY_GOSTR12_256,
82 .md = EVP_streebog256,
83 .security_level = 0,
84 },
85 {
86 .value = SIGALG_GOSTR01_GOST94,
87 .key_type = EVP_PKEY_GOSTR01,
88 .md = EVP_gostr341194,
89 .security_level = 0, /* XXX */
90 },
91 #endif
92 {
93 .value = SIGALG_RSA_PSS_RSAE_SHA256,
94 .key_type = EVP_PKEY_RSA,
95 .md = EVP_sha256,
96 .security_level = 3,
97 .flags = SIGALG_FLAG_RSA_PSS,
98 },
99 {
100 .value = SIGALG_RSA_PSS_RSAE_SHA384,
101 .key_type = EVP_PKEY_RSA,
102 .md = EVP_sha384,
103 .security_level = 4,
104 .flags = SIGALG_FLAG_RSA_PSS,
105 },
106 {
107 .value = SIGALG_RSA_PSS_RSAE_SHA512,
108 .key_type = EVP_PKEY_RSA,
109 .md = EVP_sha512,
110 .security_level = 5,
111 .flags = SIGALG_FLAG_RSA_PSS,
112 },
113 {
114 .value = SIGALG_RSA_PSS_PSS_SHA256,
115 .key_type = EVP_PKEY_RSA,
116 .md = EVP_sha256,
117 .security_level = 3,
118 .flags = SIGALG_FLAG_RSA_PSS,
119 },
120 {
121 .value = SIGALG_RSA_PSS_PSS_SHA384,
122 .key_type = EVP_PKEY_RSA,
123 .md = EVP_sha384,
124 .security_level = 4,
125 .flags = SIGALG_FLAG_RSA_PSS,
126 },
127 {
128 .value = SIGALG_RSA_PSS_PSS_SHA512,
129 .key_type = EVP_PKEY_RSA,
130 .md = EVP_sha512,
131 .security_level = 5,
132 .flags = SIGALG_FLAG_RSA_PSS,
133 },
134 {
135 .value = SIGALG_RSA_PKCS1_SHA224,
136 .key_type = EVP_PKEY_RSA,
137 .md = EVP_sha224,
138 .security_level = 2,
139 },
140 {
141 .value = SIGALG_ECDSA_SECP224R1_SHA224,
142 .key_type = EVP_PKEY_EC,
143 .md = EVP_sha224,
144 .security_level = 2,
145 },
146 {
147 .value = SIGALG_RSA_PKCS1_SHA1,
148 .key_type = EVP_PKEY_RSA,
149 .md = EVP_sha1,
150 .security_level = 1,
151 },
152 {
153 .value = SIGALG_ECDSA_SHA1,
154 .key_type = EVP_PKEY_EC,
155 .md = EVP_sha1,
156 .security_level = 1,
157 },
158 {
159 .value = SIGALG_RSA_PKCS1_MD5_SHA1,
160 .key_type = EVP_PKEY_RSA,
161 .md = EVP_md5_sha1,
162 .security_level = 1,
163 },
164 {
165 .value = SIGALG_NONE,
166 },
167 };
168
169 /* Sigalgs for TLSv1.3, in preference order. */
170 const uint16_t tls13_sigalgs[] = {
171 SIGALG_RSA_PSS_RSAE_SHA512,
172 SIGALG_RSA_PKCS1_SHA512,
173 SIGALG_ECDSA_SECP521R1_SHA512,
174 SIGALG_RSA_PSS_RSAE_SHA384,
175 SIGALG_RSA_PKCS1_SHA384,
176 SIGALG_ECDSA_SECP384R1_SHA384,
177 SIGALG_RSA_PSS_RSAE_SHA256,
178 SIGALG_RSA_PKCS1_SHA256,
179 SIGALG_ECDSA_SECP256R1_SHA256,
180 };
181 const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
182
183 /* Sigalgs for TLSv1.2, in preference order. */
184 const uint16_t tls12_sigalgs[] = {
185 SIGALG_RSA_PSS_RSAE_SHA512,
186 SIGALG_RSA_PKCS1_SHA512,
187 SIGALG_ECDSA_SECP521R1_SHA512,
188 SIGALG_RSA_PSS_RSAE_SHA384,
189 SIGALG_RSA_PKCS1_SHA384,
190 SIGALG_ECDSA_SECP384R1_SHA384,
191 SIGALG_RSA_PSS_RSAE_SHA256,
192 SIGALG_RSA_PKCS1_SHA256,
193 SIGALG_ECDSA_SECP256R1_SHA256,
194 SIGALG_RSA_PKCS1_SHA1, /* XXX */
195 SIGALG_ECDSA_SHA1, /* XXX */
196 };
197 const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
198
199 static void
ssl_sigalgs_for_version(uint16_t tls_version,const uint16_t ** out_values,size_t * out_len)200 ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
201 size_t *out_len)
202 {
203 if (tls_version >= TLS1_3_VERSION) {
204 *out_values = tls13_sigalgs;
205 *out_len = tls13_sigalgs_len;
206 } else {
207 *out_values = tls12_sigalgs;
208 *out_len = tls12_sigalgs_len;
209 }
210 }
211
212 static const struct ssl_sigalg *
ssl_sigalg_lookup(uint16_t value)213 ssl_sigalg_lookup(uint16_t value)
214 {
215 int i;
216
217 for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
218 if (sigalgs[i].value == value)
219 return &sigalgs[i];
220 }
221
222 return NULL;
223 }
224
225 static const struct ssl_sigalg *
ssl_sigalg_from_value(SSL * s,uint16_t value)226 ssl_sigalg_from_value(SSL *s, uint16_t value)
227 {
228 const uint16_t *values;
229 size_t len;
230 int i;
231
232 ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
233 &values, &len);
234
235 for (i = 0; i < len; i++) {
236 if (values[i] == value)
237 return ssl_sigalg_lookup(value);
238 }
239
240 return NULL;
241 }
242
243 int
ssl_sigalgs_build(uint16_t tls_version,CBB * cbb,int security_level)244 ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
245 {
246 const struct ssl_sigalg *sigalg;
247 const uint16_t *values;
248 size_t len;
249 size_t i;
250 int ret = 0;
251
252 ssl_sigalgs_for_version(tls_version, &values, &len);
253
254 /* Add values in order as long as they are supported. */
255 for (i = 0; i < len; i++) {
256 /* Do not allow the legacy value for < 1.2 to be used. */
257 if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
258 return 0;
259 if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
260 return 0;
261 if (sigalg->security_level < security_level)
262 continue;
263
264 if (!CBB_add_u16(cbb, values[i]))
265 return 0;
266
267 ret = 1;
268 }
269 return ret;
270 }
271
272 static const struct ssl_sigalg *
ssl_sigalg_for_legacy(SSL * s,EVP_PKEY * pkey)273 ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
274 {
275 if (SSL_get_security_level(s) > 1)
276 return NULL;
277
278 /* Default signature algorithms used for TLSv1.2 and earlier. */
279 switch (EVP_PKEY_id(pkey)) {
280 case EVP_PKEY_RSA:
281 if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
282 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
283 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
284 case EVP_PKEY_EC:
285 return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
286 #ifndef OPENSSL_NO_GOST
287 case EVP_PKEY_GOSTR01:
288 return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
289 #endif
290 }
291 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
292 return NULL;
293 }
294
295 static int
ssl_sigalg_pkey_ok(SSL * s,const struct ssl_sigalg * sigalg,EVP_PKEY * pkey)296 ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
297 {
298 if (sigalg == NULL || pkey == NULL)
299 return 0;
300 if (sigalg->key_type != EVP_PKEY_id(pkey))
301 return 0;
302
303 /* RSA PSS must have a sufficiently large RSA key. */
304 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
305 if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
306 EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
307 return 0;
308 }
309
310 if (!ssl_security_sigalg_check(s, pkey))
311 return 0;
312
313 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
314 return 1;
315
316 /* RSA cannot be used without PSS in TLSv1.3. */
317 if (sigalg->key_type == EVP_PKEY_RSA &&
318 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
319 return 0;
320
321 /* Ensure that group matches for EC keys. */
322 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
323 if (sigalg->group_nid == 0)
324 return 0;
325 if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
326 EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
327 return 0;
328 }
329
330 return 1;
331 }
332
333 const struct ssl_sigalg *
ssl_sigalg_select(SSL * s,EVP_PKEY * pkey)334 ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
335 {
336 CBS cbs;
337
338 if (!SSL_USE_SIGALGS(s))
339 return ssl_sigalg_for_legacy(s, pkey);
340
341 /*
342 * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
343 * in which case the server must use the default.
344 */
345 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
346 s->s3->hs.sigalgs == NULL)
347 return ssl_sigalg_for_legacy(s, pkey);
348
349 /*
350 * If we get here, we have client or server sent sigalgs, use one.
351 */
352 CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
353 while (CBS_len(&cbs) > 0) {
354 const struct ssl_sigalg *sigalg;
355 uint16_t sigalg_value;
356
357 if (!CBS_get_u16(&cbs, &sigalg_value))
358 return NULL;
359
360 if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
361 continue;
362 if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
363 return sigalg;
364 }
365
366 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
367 return NULL;
368 }
369
370 const struct ssl_sigalg *
ssl_sigalg_for_peer(SSL * s,EVP_PKEY * pkey,uint16_t sigalg_value)371 ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
372 {
373 const struct ssl_sigalg *sigalg;
374
375 if (!SSL_USE_SIGALGS(s))
376 return ssl_sigalg_for_legacy(s, pkey);
377
378 if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
379 SSLerror(s, SSL_R_UNKNOWN_DIGEST);
380 return NULL;
381 }
382 if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
383 SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
384 return NULL;
385 }
386
387 return sigalg;
388 }
389