1 /* $OpenBSD: ssl_sigalgs.c,v 1.20.8.1 2020/08/10 18:59:47 tb Exp $ */
3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
12 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
14 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
15 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 #include <openssl/evp.h>
22 #include "bytestring.h"
24 #include "ssl_sigalgs.h"
25 #include "tls13_internal.h"
27 const struct ssl_sigalg sigalgs[] = {
29 .value = SIGALG_RSA_PKCS1_SHA512,
31 .key_type = EVP_PKEY_RSA,
34 .value = SIGALG_ECDSA_SECP521R1_SHA512,
36 .key_type = EVP_PKEY_EC,
37 .curve_nid = NID_secp521r1,
39 #ifndef OPENSSL_NO_GOST
41 .value = SIGALG_GOSTR12_512_STREEBOG_512,
42 .md = EVP_streebog512,
43 .key_type = EVP_PKEY_GOSTR12_512,
47 .value = SIGALG_RSA_PKCS1_SHA384,
49 .key_type = EVP_PKEY_RSA,
52 .value = SIGALG_ECDSA_SECP384R1_SHA384,
54 .key_type = EVP_PKEY_EC,
55 .curve_nid = NID_secp384r1,
58 .value = SIGALG_RSA_PKCS1_SHA256,
60 .key_type = EVP_PKEY_RSA,
63 .value = SIGALG_ECDSA_SECP256R1_SHA256,
65 .key_type = EVP_PKEY_EC,
66 .curve_nid = NID_X9_62_prime256v1,
68 #ifndef OPENSSL_NO_GOST
70 .value = SIGALG_GOSTR12_256_STREEBOG_256,
71 .md = EVP_streebog256,
72 .key_type = EVP_PKEY_GOSTR12_256,
75 .value = SIGALG_GOSTR01_GOST94,
76 .md = EVP_gostr341194,
77 .key_type = EVP_PKEY_GOSTR01,
81 .value = SIGALG_RSA_PSS_RSAE_SHA256,
83 .key_type = EVP_PKEY_RSA,
84 .flags = SIGALG_FLAG_RSA_PSS,
87 .value = SIGALG_RSA_PSS_RSAE_SHA384,
89 .key_type = EVP_PKEY_RSA,
90 .flags = SIGALG_FLAG_RSA_PSS,
93 .value = SIGALG_RSA_PSS_RSAE_SHA512,
95 .key_type = EVP_PKEY_RSA,
96 .flags = SIGALG_FLAG_RSA_PSS,
99 .value = SIGALG_RSA_PSS_PSS_SHA256,
101 .key_type = EVP_PKEY_RSA,
102 .flags = SIGALG_FLAG_RSA_PSS,
105 .value = SIGALG_RSA_PSS_PSS_SHA384,
107 .key_type = EVP_PKEY_RSA,
108 .flags = SIGALG_FLAG_RSA_PSS,
111 .value = SIGALG_RSA_PSS_PSS_SHA512,
113 .key_type = EVP_PKEY_RSA,
114 .flags = SIGALG_FLAG_RSA_PSS,
117 .value = SIGALG_RSA_PKCS1_SHA224,
119 .key_type = EVP_PKEY_RSA,
122 .value = SIGALG_ECDSA_SECP224R1_SHA224,
124 .key_type = EVP_PKEY_EC,
127 .value = SIGALG_RSA_PKCS1_SHA1,
128 .key_type = EVP_PKEY_RSA,
132 .value = SIGALG_ECDSA_SHA1,
133 .key_type = EVP_PKEY_EC,
137 .value = SIGALG_RSA_PKCS1_MD5_SHA1,
138 .key_type = EVP_PKEY_RSA,
142 .value = SIGALG_NONE,
73 /* Sigalgs for TLS 1.3, in preference order. */
147 uint16_t tls13_sigalgs[] = {
148 SIGALG_RSA_PSS_RSAE_SHA512,
149 SIGALG_RSA_PKCS1_SHA512,
150 SIGALG_ECDSA_SECP521R1_SHA512,
151 SIGALG_RSA_PSS_RSAE_SHA384,
152 SIGALG_RSA_PKCS1_SHA384,
153 SIGALG_ECDSA_SECP384R1_SHA384,
154 SIGALG_RSA_PSS_RSAE_SHA256,
155 SIGALG_RSA_PKCS1_SHA256,
156 SIGALG_ECDSA_SECP256R1_SHA256,
158 size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
160 /* Sigalgs for TLS 1.2, in preference order. */
161 uint16_t tls12_sigalgs[] = {
162 SIGALG_RSA_PSS_RSAE_SHA512,
163 SIGALG_RSA_PKCS1_SHA512,
164 SIGALG_ECDSA_SECP521R1_SHA512,
165 SIGALG_RSA_PSS_RSAE_SHA384,
166 SIGALG_RSA_PKCS1_SHA384,
167 SIGALG_ECDSA_SECP384R1_SHA384,
168 SIGALG_RSA_PSS_RSAE_SHA256,
169 SIGALG_RSA_PKCS1_SHA256,
170 SIGALG_ECDSA_SECP256R1_SHA256,
171 SIGALG_RSA_PKCS1_SHA1, /* XXX */
172 SIGALG_ECDSA_SHA1, /* XXX */
174 size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
176 const struct ssl_sigalg *
177 ssl_sigalg_lookup(uint16_t sigalg)
181 for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
182 if (sigalgs[i].value == sigalg)
189 const struct ssl_sigalg *
190 ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len)
194 for (i = 0; i < len; i++) {
195 if (values[i] == sigalg)
196 return ssl_sigalg_lookup(sigalg);
203 ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len)
207 for (i = 0; sigalgs[i].value != SIGALG_NONE; i++);
211 /* XXX check for duplicates and other sanity BS? */
213 /* Add values in order as long as they are supported. */
214 for (i = 0; i < len; i++) {
215 /* Do not allow the legacy value for < 1.2 to be used */
216 if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
219 if (ssl_sigalg_lookup(values[i]) != NULL) {
220 if (!CBB_add_u16(cbb, values[i]))
229 ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
232 if (sigalg == NULL || pkey == NULL)
234 if (sigalg->key_type != pkey->type)
237 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
239 * RSA-PSS must have an RSA key that is at least as big as
240 * twice the size of the hash + 2
242 if (pkey->type != EVP_PKEY_RSA ||
243 EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
247 if (pkey->type == EVP_PKEY_EC && check_curve) {
248 /* Curve must match for EC keys. */
249 if (sigalg->curve_nid == 0)
251 if (EC_GROUP_get_curve_name(EC_KEY_get0_group
252 (EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) {
260 const struct ssl_sigalg *
261 ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
263 uint16_t *tls_sigalgs = tls12_sigalgs;
264 size_t tls_sigalgs_len = tls12_sigalgs_len;
268 if (TLS1_get_version(s) >= TLS1_3_VERSION) {
269 tls_sigalgs = tls13_sigalgs;
270 tls_sigalgs_len = tls13_sigalgs_len;
274 /* Pre TLS 1.2 defaults */
275 if (!SSL_USE_SIGALGS(s)) {
276 switch (pkey->type) {
278 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
280 return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
281 #ifndef OPENSSL_NO_GOST
282 case EVP_PKEY_GOSTR01:
283 return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
286 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
291 * RFC 5246 allows a TLS 1.2 client to send no sigalgs, in
292 * which case the server must use the default.
294 if (TLS1_get_version(s) < TLS1_3_VERSION &&
295 S3I(s)->hs.sigalgs == NULL) {
296 switch (pkey->type) {
298 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
300 return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
301 #ifndef OPENSSL_NO_GOST
302 case EVP_PKEY_GOSTR01:
303 return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
306 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
311 * If we get here, we have client or server sent sigalgs, use one.
313 CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
314 while (CBS_len(&cbs) > 0) {
316 const struct ssl_sigalg *sigalg;
318 if (!CBS_get_u16(&cbs, &sig_alg))
321 if ((sigalg = ssl_sigalg(sig_alg, tls_sigalgs,
322 tls_sigalgs_len)) == NULL)
325 /* RSA cannot be used without PSS in TLSv1.3. */
326 if (TLS1_get_version(s) >= TLS1_3_VERSION &&
327 sigalg->key_type == EVP_PKEY_RSA &&
328 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
331 if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve))
335 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);