xref: /dragonfly/crypto/libressl/ssl/ssl_sigalgs.c (revision 961e30ea7dc61d1112b778ea4981eac68129fb86)
1 /* $OpenBSD: ssl_sigalgs.c,v 1.47 2022/07/02 16:31:04 tb Exp $ */
2 /*
3  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
5  *
6  * Permission to use, copy, modify, and/or distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
13  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
15  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
16  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <string.h>
20 #include <stdlib.h>
21 
22 #include <openssl/evp.h>
23 #include <openssl/opensslconf.h>
24 
25 #include "bytestring.h"
26 #include "ssl_locl.h"
27 #include "ssl_sigalgs.h"
28 #include "tls13_internal.h"
29 
30 const struct ssl_sigalg sigalgs[] = {
31           {
32                     .value = SIGALG_RSA_PKCS1_SHA512,
33                     .key_type = EVP_PKEY_RSA,
34                     .md = EVP_sha512,
35                     .security_level = 5,
36           },
37           {
38                     .value = SIGALG_ECDSA_SECP521R1_SHA512,
39                     .key_type = EVP_PKEY_EC,
40                     .md = EVP_sha512,
41                     .security_level = 5,
42                     .group_nid = NID_secp521r1,
43           },
44 #ifndef OPENSSL_NO_GOST
45           {
46                     .value = SIGALG_GOSTR12_512_STREEBOG_512,
47                     .key_type = EVP_PKEY_GOSTR12_512,
48                     .md = EVP_streebog512,
49                     .security_level = 0,
50           },
51 #endif
52           {
53                     .value = SIGALG_RSA_PKCS1_SHA384,
54                     .key_type = EVP_PKEY_RSA,
55                     .md = EVP_sha384,
56                     .security_level = 4,
57           },
58           {
59                     .value = SIGALG_ECDSA_SECP384R1_SHA384,
60                     .key_type = EVP_PKEY_EC,
61                     .md = EVP_sha384,
62                     .security_level = 4,
63                     .group_nid = NID_secp384r1,
64           },
65           {
66                     .value = SIGALG_RSA_PKCS1_SHA256,
67                     .key_type = EVP_PKEY_RSA,
68                     .md = EVP_sha256,
69                     .security_level = 3,
70           },
71           {
72                     .value = SIGALG_ECDSA_SECP256R1_SHA256,
73                     .key_type = EVP_PKEY_EC,
74                     .md = EVP_sha256,
75                     .security_level = 3,
76                     .group_nid = NID_X9_62_prime256v1,
77           },
78 #ifndef OPENSSL_NO_GOST
79           {
80                     .value = SIGALG_GOSTR12_256_STREEBOG_256,
81                     .key_type = EVP_PKEY_GOSTR12_256,
82                     .md = EVP_streebog256,
83                     .security_level = 0,
84           },
85           {
86                     .value = SIGALG_GOSTR01_GOST94,
87                     .key_type = EVP_PKEY_GOSTR01,
88                     .md = EVP_gostr341194,
89                     .security_level = 0, /* XXX */
90           },
91 #endif
92           {
93                     .value = SIGALG_RSA_PSS_RSAE_SHA256,
94                     .key_type = EVP_PKEY_RSA,
95                     .md = EVP_sha256,
96                     .security_level = 3,
97                     .flags = SIGALG_FLAG_RSA_PSS,
98           },
99           {
100                     .value = SIGALG_RSA_PSS_RSAE_SHA384,
101                     .key_type = EVP_PKEY_RSA,
102                     .md = EVP_sha384,
103                     .security_level = 4,
104                     .flags = SIGALG_FLAG_RSA_PSS,
105           },
106           {
107                     .value = SIGALG_RSA_PSS_RSAE_SHA512,
108                     .key_type = EVP_PKEY_RSA,
109                     .md = EVP_sha512,
110                     .security_level = 5,
111                     .flags = SIGALG_FLAG_RSA_PSS,
112           },
113           {
114                     .value = SIGALG_RSA_PSS_PSS_SHA256,
115                     .key_type = EVP_PKEY_RSA,
116                     .md = EVP_sha256,
117                     .security_level = 3,
118                     .flags = SIGALG_FLAG_RSA_PSS,
119           },
120           {
121                     .value = SIGALG_RSA_PSS_PSS_SHA384,
122                     .key_type = EVP_PKEY_RSA,
123                     .md = EVP_sha384,
124                     .security_level = 4,
125                     .flags = SIGALG_FLAG_RSA_PSS,
126           },
127           {
128                     .value = SIGALG_RSA_PSS_PSS_SHA512,
129                     .key_type = EVP_PKEY_RSA,
130                     .md = EVP_sha512,
131                     .security_level = 5,
132                     .flags = SIGALG_FLAG_RSA_PSS,
133           },
134           {
135                     .value = SIGALG_RSA_PKCS1_SHA224,
136                     .key_type = EVP_PKEY_RSA,
137                     .md = EVP_sha224,
138                     .security_level = 2,
139           },
140           {
141                     .value = SIGALG_ECDSA_SECP224R1_SHA224,
142                     .key_type = EVP_PKEY_EC,
143                     .md = EVP_sha224,
144                     .security_level = 2,
145           },
146           {
147                     .value = SIGALG_RSA_PKCS1_SHA1,
148                     .key_type = EVP_PKEY_RSA,
149                     .md = EVP_sha1,
150                     .security_level = 1,
151           },
152           {
153                     .value = SIGALG_ECDSA_SHA1,
154                     .key_type = EVP_PKEY_EC,
155                     .md = EVP_sha1,
156                     .security_level = 1,
157           },
158           {
159                     .value = SIGALG_RSA_PKCS1_MD5_SHA1,
160                     .key_type = EVP_PKEY_RSA,
161                     .md = EVP_md5_sha1,
162                     .security_level = 1,
163           },
164           {
165                     .value = SIGALG_NONE,
166           },
167 };
168 
169 /* Sigalgs for TLSv1.3, in preference order. */
170 const uint16_t tls13_sigalgs[] = {
171           SIGALG_RSA_PSS_RSAE_SHA512,
172           SIGALG_RSA_PKCS1_SHA512,
173           SIGALG_ECDSA_SECP521R1_SHA512,
174           SIGALG_RSA_PSS_RSAE_SHA384,
175           SIGALG_RSA_PKCS1_SHA384,
176           SIGALG_ECDSA_SECP384R1_SHA384,
177           SIGALG_RSA_PSS_RSAE_SHA256,
178           SIGALG_RSA_PKCS1_SHA256,
179           SIGALG_ECDSA_SECP256R1_SHA256,
180 };
181 const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
182 
183 /* Sigalgs for TLSv1.2, in preference order. */
184 const uint16_t tls12_sigalgs[] = {
185           SIGALG_RSA_PSS_RSAE_SHA512,
186           SIGALG_RSA_PKCS1_SHA512,
187           SIGALG_ECDSA_SECP521R1_SHA512,
188           SIGALG_RSA_PSS_RSAE_SHA384,
189           SIGALG_RSA_PKCS1_SHA384,
190           SIGALG_ECDSA_SECP384R1_SHA384,
191           SIGALG_RSA_PSS_RSAE_SHA256,
192           SIGALG_RSA_PKCS1_SHA256,
193           SIGALG_ECDSA_SECP256R1_SHA256,
194           SIGALG_RSA_PKCS1_SHA1, /* XXX */
195           SIGALG_ECDSA_SHA1,     /* XXX */
196 };
197 const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
198 
199 static void
ssl_sigalgs_for_version(uint16_t tls_version,const uint16_t ** out_values,size_t * out_len)200 ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
201     size_t *out_len)
202 {
203           if (tls_version >= TLS1_3_VERSION) {
204                     *out_values = tls13_sigalgs;
205                     *out_len = tls13_sigalgs_len;
206           } else {
207                     *out_values = tls12_sigalgs;
208                     *out_len = tls12_sigalgs_len;
209           }
210 }
211 
212 static const struct ssl_sigalg *
ssl_sigalg_lookup(uint16_t value)213 ssl_sigalg_lookup(uint16_t value)
214 {
215           int i;
216 
217           for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
218                     if (sigalgs[i].value == value)
219                               return &sigalgs[i];
220           }
221 
222           return NULL;
223 }
224 
225 static const struct ssl_sigalg *
ssl_sigalg_from_value(SSL * s,uint16_t value)226 ssl_sigalg_from_value(SSL *s, uint16_t value)
227 {
228           const uint16_t *values;
229           size_t len;
230           int i;
231 
232           ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
233               &values, &len);
234 
235           for (i = 0; i < len; i++) {
236                     if (values[i] == value)
237                               return ssl_sigalg_lookup(value);
238           }
239 
240           return NULL;
241 }
242 
243 int
ssl_sigalgs_build(uint16_t tls_version,CBB * cbb,int security_level)244 ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
245 {
246           const struct ssl_sigalg *sigalg;
247           const uint16_t *values;
248           size_t len;
249           size_t i;
250           int ret = 0;
251 
252           ssl_sigalgs_for_version(tls_version, &values, &len);
253 
254           /* Add values in order as long as they are supported. */
255           for (i = 0; i < len; i++) {
256                     /* Do not allow the legacy value for < 1.2 to be used. */
257                     if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
258                               return 0;
259                     if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
260                               return 0;
261                     if (sigalg->security_level < security_level)
262                               continue;
263 
264                     if (!CBB_add_u16(cbb, values[i]))
265                               return 0;
266 
267                     ret = 1;
268           }
269           return ret;
270 }
271 
272 static const struct ssl_sigalg *
ssl_sigalg_for_legacy(SSL * s,EVP_PKEY * pkey)273 ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
274 {
275           if (SSL_get_security_level(s) > 1)
276                     return NULL;
277 
278           /* Default signature algorithms used for TLSv1.2 and earlier. */
279           switch (EVP_PKEY_id(pkey)) {
280           case EVP_PKEY_RSA:
281                     if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
282                               return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
283                     return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
284           case EVP_PKEY_EC:
285                     return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
286 #ifndef OPENSSL_NO_GOST
287           case EVP_PKEY_GOSTR01:
288                     return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
289 #endif
290           }
291           SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
292           return NULL;
293 }
294 
295 static int
ssl_sigalg_pkey_ok(SSL * s,const struct ssl_sigalg * sigalg,EVP_PKEY * pkey)296 ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
297 {
298           if (sigalg == NULL || pkey == NULL)
299                     return 0;
300           if (sigalg->key_type != EVP_PKEY_id(pkey))
301                     return 0;
302 
303           /* RSA PSS must have a sufficiently large RSA key. */
304           if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
305                     if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
306                         EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
307                               return 0;
308           }
309 
310           if (!ssl_security_sigalg_check(s, pkey))
311                     return 0;
312 
313           if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
314                     return 1;
315 
316           /* RSA cannot be used without PSS in TLSv1.3. */
317           if (sigalg->key_type == EVP_PKEY_RSA &&
318               (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
319                     return 0;
320 
321           /* Ensure that group matches for EC keys. */
322           if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
323                     if (sigalg->group_nid == 0)
324                               return 0;
325                     if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
326                         EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
327                               return 0;
328           }
329 
330           return 1;
331 }
332 
333 const struct ssl_sigalg *
ssl_sigalg_select(SSL * s,EVP_PKEY * pkey)334 ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
335 {
336           CBS cbs;
337 
338           if (!SSL_USE_SIGALGS(s))
339                     return ssl_sigalg_for_legacy(s, pkey);
340 
341           /*
342            * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
343            * in which case the server must use the default.
344            */
345           if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
346               s->s3->hs.sigalgs == NULL)
347                     return ssl_sigalg_for_legacy(s, pkey);
348 
349           /*
350            * If we get here, we have client or server sent sigalgs, use one.
351            */
352           CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
353           while (CBS_len(&cbs) > 0) {
354                     const struct ssl_sigalg *sigalg;
355                     uint16_t sigalg_value;
356 
357                     if (!CBS_get_u16(&cbs, &sigalg_value))
358                               return NULL;
359 
360                     if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
361                               continue;
362                     if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
363                               return sigalg;
364           }
365 
366           SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
367           return NULL;
368 }
369 
370 const struct ssl_sigalg *
ssl_sigalg_for_peer(SSL * s,EVP_PKEY * pkey,uint16_t sigalg_value)371 ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
372 {
373           const struct ssl_sigalg *sigalg;
374 
375           if (!SSL_USE_SIGALGS(s))
376                     return ssl_sigalg_for_legacy(s, pkey);
377 
378           if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
379                     SSLerror(s, SSL_R_UNKNOWN_DIGEST);
380                     return NULL;
381           }
382           if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
383                     SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
384                     return NULL;
385           }
386 
387           return sigalg;
388 }
389