xref: /dragonfly/crypto/libressl/ssl/ssl_sigalgs.c (revision f015dc58) 
1 /* $OpenBSD: ssl_sigalgs.c,v 1.20.8.1 2020/08/10 18:59:47 tb Exp $ */
2 /*
3  * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
4  *
5  * Permission to use, copy, modify, and/or distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
12  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
14  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
15  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 #include <string.h>
18 #include <stdlib.h>
19 
20 #include <openssl/evp.h>
21 
22 #include "bytestring.h"
23 #include "ssl_locl.h"
24 #include "ssl_sigalgs.h"
25 #include "tls13_internal.h"
26 
27 const struct ssl_sigalg sigalgs[] = {
28 	{
29 		.value = SIGALG_RSA_PKCS1_SHA512,
30 		.md = EVP_sha512,
31 		.key_type = EVP_PKEY_RSA,
32 	},
33 	{
34 		.value = SIGALG_ECDSA_SECP521R1_SHA512,
35 		.md = EVP_sha512,
36 		.key_type = EVP_PKEY_EC,
37 		.curve_nid = NID_secp521r1,
38 	},
39 #ifndef OPENSSL_NO_GOST
40 	{
41 		.value = SIGALG_GOSTR12_512_STREEBOG_512,
42 		.md = EVP_streebog512,
43 		.key_type = EVP_PKEY_GOSTR12_512,
44 	},
45 #endif
46 	{
47 		.value = SIGALG_RSA_PKCS1_SHA384,
48 		.md = EVP_sha384,
49 		.key_type = EVP_PKEY_RSA,
50 	},
51 	{
52 		.value = SIGALG_ECDSA_SECP384R1_SHA384,
53 		.md = EVP_sha384,
54 		.key_type = EVP_PKEY_EC,
55 		.curve_nid = NID_secp384r1,
56 	},
57 	{
58 		.value = SIGALG_RSA_PKCS1_SHA256,
59 		.md = EVP_sha256,
60 		.key_type = EVP_PKEY_RSA,
61 	},
62 	{
63 		.value = SIGALG_ECDSA_SECP256R1_SHA256,
64 		.md = EVP_sha256,
65 		.key_type = EVP_PKEY_EC,
66 		.curve_nid = NID_X9_62_prime256v1,
67 	},
68 #ifndef OPENSSL_NO_GOST
69 	{
70 		.value = SIGALG_GOSTR12_256_STREEBOG_256,
71 		.md = EVP_streebog256,
72 		.key_type = EVP_PKEY_GOSTR12_256,
73 	},
74 	{
75 		.value = SIGALG_GOSTR01_GOST94,
76 		.md = EVP_gostr341194,
77 		.key_type = EVP_PKEY_GOSTR01,
78 	},
79 #endif
80 	{
81 		.value = SIGALG_RSA_PSS_RSAE_SHA256,
82 		.md = EVP_sha256,
83 		.key_type = EVP_PKEY_RSA,
84 		.flags = SIGALG_FLAG_RSA_PSS,
85 	},
86 	{
87 		.value = SIGALG_RSA_PSS_RSAE_SHA384,
88 		.md = EVP_sha384,
89 		.key_type = EVP_PKEY_RSA,
90 		.flags = SIGALG_FLAG_RSA_PSS,
91 	},
92 	{
93 		.value = SIGALG_RSA_PSS_RSAE_SHA512,
94 		.md = EVP_sha512,
95 		.key_type = EVP_PKEY_RSA,
96 		.flags = SIGALG_FLAG_RSA_PSS,
97 	},
98 	{
99 		.value = SIGALG_RSA_PSS_PSS_SHA256,
100 		.md = EVP_sha256,
101 		.key_type = EVP_PKEY_RSA,
102 		.flags = SIGALG_FLAG_RSA_PSS,
103 	},
104 	{
105 		.value = SIGALG_RSA_PSS_PSS_SHA384,
106 		.md = EVP_sha384,
107 		.key_type = EVP_PKEY_RSA,
108 		.flags = SIGALG_FLAG_RSA_PSS,
109 	},
110 	{
111 		.value = SIGALG_RSA_PSS_PSS_SHA512,
112 		.md = EVP_sha512,
113 		.key_type = EVP_PKEY_RSA,
114 		.flags = SIGALG_FLAG_RSA_PSS,
115 	},
116 	{
117 		.value = SIGALG_RSA_PKCS1_SHA224,
118 		.md = EVP_sha224,
119 		.key_type = EVP_PKEY_RSA,
120 	},
121 	{
122 		.value = SIGALG_ECDSA_SECP224R1_SHA224,
123 		.md = EVP_sha224,
124 		.key_type = EVP_PKEY_EC,
125 	},
126 	{
127 		.value = SIGALG_RSA_PKCS1_SHA1,
128 		.key_type = EVP_PKEY_RSA,
129 		.md = EVP_sha1,
130 	},
131 	{
132 		.value = SIGALG_ECDSA_SHA1,
133 		.key_type = EVP_PKEY_EC,
134 		.md = EVP_sha1,
135 	},
136 	{
137 		.value = SIGALG_RSA_PKCS1_MD5_SHA1,
138 		.key_type = EVP_PKEY_RSA,
139 		.md = EVP_md5_sha1,
140 	},
141 	{
142 		.value = SIGALG_NONE,
143 	},
144 };
145 
146 /* Sigalgs for tls 1.3, in preference order, */
147 uint16_t tls13_sigalgs[] = {
148 	SIGALG_RSA_PSS_RSAE_SHA512,
149 	SIGALG_RSA_PKCS1_SHA512,
150 	SIGALG_ECDSA_SECP521R1_SHA512,
151 	SIGALG_RSA_PSS_RSAE_SHA384,
152 	SIGALG_RSA_PKCS1_SHA384,
153 	SIGALG_ECDSA_SECP384R1_SHA384,
154 	SIGALG_RSA_PSS_RSAE_SHA256,
155 	SIGALG_RSA_PKCS1_SHA256,
156 	SIGALG_ECDSA_SECP256R1_SHA256,
157 };
158 size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
159 
160 /* Sigalgs for tls 1.2, in preference order, */
161 uint16_t tls12_sigalgs[] = {
162 	SIGALG_RSA_PSS_RSAE_SHA512,
163 	SIGALG_RSA_PKCS1_SHA512,
164 	SIGALG_ECDSA_SECP521R1_SHA512,
165 	SIGALG_RSA_PSS_RSAE_SHA384,
166 	SIGALG_RSA_PKCS1_SHA384,
167 	SIGALG_ECDSA_SECP384R1_SHA384,
168 	SIGALG_RSA_PSS_RSAE_SHA256,
169 	SIGALG_RSA_PKCS1_SHA256,
170 	SIGALG_ECDSA_SECP256R1_SHA256,
171 	SIGALG_RSA_PKCS1_SHA1, /* XXX */
172 	SIGALG_ECDSA_SHA1,     /* XXX */
173 };
174 size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
175 
176 const struct ssl_sigalg *
177 ssl_sigalg_lookup(uint16_t sigalg)
178 {
179 	int i;
180 
181 	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
182 		if (sigalgs[i].value == sigalg)
183 			return &sigalgs[i];
184 	}
185 
186 	return NULL;
187 }
188 
189 const struct ssl_sigalg *
190 ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len)
191 {
192 	int i;
193 
194 	for (i = 0; i < len; i++) {
195 		if (values[i] == sigalg)
196 			return ssl_sigalg_lookup(sigalg);
197 	}
198 
199 	return NULL;
200 }
201 
202 int
203 ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len)
204 {
205 	size_t i;
206 
207 	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++);
208 	if (len > i)
209 		return 0;
210 
211 	/* XXX check for duplicates and other sanity BS? */
212 
213 	/* Add values in order as long as they are supported. */
214 	for (i = 0; i < len; i++) {
215 		/* Do not allow the legacy value for < 1.2 to be used */
216 		if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
217 			return 0;
218 
219 		if (ssl_sigalg_lookup(values[i]) != NULL) {
220 			if (!CBB_add_u16(cbb, values[i]))
221 				return 0;
222 		} else
223 			return 0;
224 	}
225 	return 1;
226 }
227 
228 int
229 ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
230     int check_curve)
231 {
232 	if (sigalg == NULL || pkey == NULL)
233 		return 0;
234 	if (sigalg->key_type != pkey->type)
235 		return 0;
236 
237 	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
238 		/*
239 		 * RSA PSS Must have an RSA key that needs to be at
240 		 * least as big as twice the size of the hash + 2
241 		 */
242 		if (pkey->type != EVP_PKEY_RSA ||
243 		    EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
244 			return 0;
245 	}
246 
247 	if (pkey->type == EVP_PKEY_EC && check_curve) {
248 		/* Curve must match for EC keys. */
249 		if (sigalg->curve_nid == 0)
250 			return 0;
251 		if (EC_GROUP_get_curve_name(EC_KEY_get0_group
252 		    (EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) {
253 			return 0;
254 		}
255 	}
256 
257 	return 1;
258 }
259 
260 const struct ssl_sigalg *
261 ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
262 {
263 	uint16_t *tls_sigalgs = tls12_sigalgs;
264 	size_t tls_sigalgs_len = tls12_sigalgs_len;
265 	int check_curve = 0;
266 	CBS cbs;
267 
268 	if (TLS1_get_version(s) >= TLS1_3_VERSION) {
269 		tls_sigalgs = tls13_sigalgs;
270 		tls_sigalgs_len = tls13_sigalgs_len;
271 		check_curve = 1;
272 	}
273 
274 	/* Pre TLS 1.2 defaults */
275 	if (!SSL_USE_SIGALGS(s)) {
276 		switch (pkey->type) {
277 		case EVP_PKEY_RSA:
278 			return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
279 		case EVP_PKEY_EC:
280 			return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
281 #ifndef OPENSSL_NO_GOST
282 		case EVP_PKEY_GOSTR01:
283 			return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
284 #endif
285 		}
286 		SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
287 		return (NULL);
288 	}
289 
290 	/*
291 	 * RFC 5246 allows a TLS 1.2 client to send no sigalgs, in
292 	 * which case the server must use the the default.
293 	 */
294 	if (TLS1_get_version(s) < TLS1_3_VERSION &&
295 	    S3I(s)->hs.sigalgs == NULL) {
296 		switch (pkey->type) {
297 		case EVP_PKEY_RSA:
298 			return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
299 		case EVP_PKEY_EC:
300 			return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
301 #ifndef OPENSSL_NO_GOST
302 		case EVP_PKEY_GOSTR01:
303 			return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
304 #endif
305 		}
306 		SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
307 		return (NULL);
308 	}
309 
310 	/*
311 	 * If we get here, we have client or server sent sigalgs, use one.
312 	 */
313 	CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
314 	while (CBS_len(&cbs) > 0) {
315 		uint16_t sig_alg;
316 		const struct ssl_sigalg *sigalg;
317 
318 		if (!CBS_get_u16(&cbs, &sig_alg))
319 			return 0;
320 
321 		if ((sigalg = ssl_sigalg(sig_alg, tls_sigalgs,
322 		    tls_sigalgs_len)) == NULL)
323 			continue;
324 
325 		/* RSA cannot be used without PSS in TLSv1.3. */
326 		if (TLS1_get_version(s) >= TLS1_3_VERSION &&
327 		    sigalg->key_type == EVP_PKEY_RSA &&
328 		    (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
329 			continue;
330 
331 		if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve))
332 			return sigalg;
333 	}
334 
335 	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
336 	return NULL;
337 }
338