kris
/
boringssl
1
0
Форк 0
Код Проблеми 0 Запити на злиття 0 Релізи 0 Вікі Активність
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
3578 Коміти
12 Гілки
38 MiB
 
 
 
 
 
 
Дерево: 8a55ce4954
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з '8a55ce4954'
${ noResults }
boringssl/ssl/ssl_rsa.c

811 рядки
25 KiB
Неформатований Звинувачення Історія 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <openssl/ssl.h>

  58. 

  59. #include <limits.h>

  60. 

  61. #include <openssl/ec.h>

  62. #include <openssl/ec_key.h>

  63. #include <openssl/err.h>

  64. #include <openssl/evp.h>

  65. #include <openssl/mem.h>

  66. #include <openssl/type_check.h>

  67. #include <openssl/x509.h>

  68. #include <openssl/x509v3.h>

  69. 

  70. #include "internal.h"

  71. 

  72. 

  73. static int ssl_set_cert(CERT *c, X509 *x509);

  74. static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);

  75. 

  76. static int is_key_type_supported(int key_type) {

  77.   return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC;

  78. }

  79. 

  80. int SSL_use_certificate(SSL *ssl, X509 *x) {

  81.   if (x == NULL) {

  82.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  83.     return 0;

  84.   }

  85.   return ssl_set_cert(ssl->cert, x);

  86. }

  87. 

  88. int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {

  89.   if (der_len > LONG_MAX) {

  90.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  91.     return 0;

  92.   }

  93. 

  94.   const uint8_t *p = der;

  95.   X509 *x509 = d2i_X509(NULL, &p, (long)der_len);

  96.   if (x509 == NULL || p != der + der_len) {

  97.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  98.     X509_free(x509);

  99.     return 0;

  100.   }

  101. 

  102.   int ret = SSL_use_certificate(ssl, x509);

  103.   X509_free(x509);

  104.   return ret;

  105. }

  106. 

  107. int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) {

  108.   EVP_PKEY *pkey;

  109.   int ret;

  110. 

  111.   if (rsa == NULL) {

  112.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  113.     return 0;

  114.   }

  115. 

  116.   pkey = EVP_PKEY_new();

  117.   if (pkey == NULL) {

  118.     OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);

  119.     return 0;

  120.   }

  121. 

  122.   RSA_up_ref(rsa);

  123.   EVP_PKEY_assign_RSA(pkey, rsa);

  124. 

  125.   ret = ssl_set_pkey(ssl->cert, pkey);

  126.   EVP_PKEY_free(pkey);

  127. 

  128.   return ret;

  129. }

  130. 

  131. static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) {

  132.   if (!is_key_type_supported(pkey->type)) {

  133.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  134.     return 0;

  135.   }

  136. 

  137.   X509 *x509_leaf = c->x509_leaf;

  138.   if (x509_leaf != NULL) {

  139.     /* Sanity-check that the private key and the certificate match, unless the

  140.      * key is opaque (in case of, say, a smartcard). */

  141.     if (!EVP_PKEY_is_opaque(pkey) &&

  142.         !X509_check_private_key(x509_leaf, pkey)) {

  143.       X509_free(c->x509_leaf);

  144.       c->x509_leaf = NULL;

  145.       return 0;

  146.     }

  147.   }

  148. 

  149.   EVP_PKEY_free(c->privatekey);

  150.   EVP_PKEY_up_ref(pkey);

  151.   c->privatekey = pkey;

  152. 

  153.   return 1;

  154. }

  155. 

  156. int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {

  157.   RSA *rsa = RSA_private_key_from_bytes(der, der_len);

  158.   if (rsa == NULL) {

  159.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  160.     return 0;

  161.   }

  162. 

  163.   int ret = SSL_use_RSAPrivateKey(ssl, rsa);

  164.   RSA_free(rsa);

  165.   return ret;

  166. }

  167. 

  168. int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) {

  169.   int ret;

  170. 

  171.   if (pkey == NULL) {

  172.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  173.     return 0;

  174.   }

  175. 

  176.   ret = ssl_set_pkey(ssl->cert, pkey);

  177.   return ret;

  178. }

  179. 

  180. int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der,

  181.                             size_t der_len) {

  182.   if (der_len > LONG_MAX) {

  183.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  184.     return 0;

  185.   }

  186. 

  187.   const uint8_t *p = der;

  188.   EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len);

  189.   if (pkey == NULL || p != der + der_len) {

  190.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  191.     EVP_PKEY_free(pkey);

  192.     return 0;

  193.   }

  194. 

  195.   int ret = SSL_use_PrivateKey(ssl, pkey);

  196.   EVP_PKEY_free(pkey);

  197.   return ret;

  198. }

  199. 

  200. int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) {

  201.   if (x == NULL) {

  202.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  203.     return 0;

  204.   }

  205. 

  206.   return ssl_set_cert(ctx->cert, x);

  207. }

  208. 

  209. static int ssl_set_cert(CERT *c, X509 *x) {

  210.   EVP_PKEY *pkey = X509_get_pubkey(x);

  211.   if (pkey == NULL) {

  212.     OPENSSL_PUT_ERROR(SSL, SSL_R_X509_LIB);

  213.     return 0;

  214.   }

  215. 

  216.   if (!is_key_type_supported(pkey->type)) {

  217.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  218.     EVP_PKEY_free(pkey);

  219.     return 0;

  220.   }

  221. 

  222.   /* An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA

  223.    * certificates, so sanity-check the key usage extension. */

  224.   if (pkey->type == EVP_PKEY_EC) {

  225.     /* This call populates extension flags (ex_flags). */

  226.     X509_check_purpose(x, -1, 0);

  227.     if ((x->ex_flags & EXFLAG_KUSAGE) &&

  228.         !(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) {

  229.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  230.       EVP_PKEY_free(pkey);

  231.       return 0;

  232.     }

  233.   }

  234. 

  235.   if (c->privatekey != NULL) {

  236.     /* Sanity-check that the private key and the certificate match, unless the

  237.      * key is opaque (in case of, say, a smartcard). */

  238.     if (!EVP_PKEY_is_opaque(c->privatekey) &&

  239.         !X509_check_private_key(x, c->privatekey)) {

  240.       /* don't fail for a cert/key mismatch, just free current private key

  241.        * (when switching to a different cert & key, first this function should

  242.        * be used, then ssl_set_pkey */

  243.       EVP_PKEY_free(c->privatekey);

  244.       c->privatekey = NULL;

  245.       /* clear error queue */

  246.       ERR_clear_error();

  247.     }

  248.   }

  249. 

  250.   EVP_PKEY_free(pkey);

  251. 

  252.   X509_free(c->x509_leaf);

  253.   X509_up_ref(x);

  254.   c->x509_leaf = x;

  255. 

  256.   return 1;

  257. }

  258. 

  259. int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,

  260.                                  const uint8_t *der) {

  261.   if (der_len > LONG_MAX) {

  262.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  263.     return 0;

  264.   }

  265. 

  266.   const uint8_t *p = der;

  267.   X509 *x509 = d2i_X509(NULL, &p, (long)der_len);

  268.   if (x509 == NULL || p != der + der_len) {

  269.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  270.     X509_free(x509);

  271.     return 0;

  272.   }

  273. 

  274.   int ret = SSL_CTX_use_certificate(ctx, x509);

  275.   X509_free(x509);

  276.   return ret;

  277. }

  278. 

  279. int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) {

  280.   int ret;

  281.   EVP_PKEY *pkey;

  282. 

  283.   if (rsa == NULL) {

  284.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  285.     return 0;

  286.   }

  287. 

  288.   pkey = EVP_PKEY_new();

  289.   if (pkey == NULL) {

  290.     OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);

  291.     return 0;

  292.   }

  293. 

  294.   RSA_up_ref(rsa);

  295.   EVP_PKEY_assign_RSA(pkey, rsa);

  296. 

  297.   ret = ssl_set_pkey(ctx->cert, pkey);

  298.   EVP_PKEY_free(pkey);

  299.   return ret;

  300. }

  301. 

  302. int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der,

  303.                                    size_t der_len) {

  304.   RSA *rsa = RSA_private_key_from_bytes(der, der_len);

  305.   if (rsa == NULL) {

  306.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  307.     return 0;

  308.   }

  309. 

  310.   int ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);

  311.   RSA_free(rsa);

  312.   return ret;

  313. }

  314. 

  315. int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) {

  316.   if (pkey == NULL) {

  317.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  318.     return 0;

  319.   }

  320. 

  321.   return ssl_set_pkey(ctx->cert, pkey);

  322. }

  323. 

  324. int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der,

  325.                                 size_t der_len) {

  326.   if (der_len > LONG_MAX) {

  327.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  328.     return 0;

  329.   }

  330. 

  331.   const uint8_t *p = der;

  332.   EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len);

  333.   if (pkey == NULL || p != der + der_len) {

  334.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  335.     EVP_PKEY_free(pkey);

  336.     return 0;

  337.   }

  338. 

  339.   int ret = SSL_CTX_use_PrivateKey(ctx, pkey);

  340.   EVP_PKEY_free(pkey);

  341.   return ret;

  342. }

  343. 

  344. void SSL_set_private_key_method(SSL *ssl,

  345.                                 const SSL_PRIVATE_KEY_METHOD *key_method) {

  346.   ssl->cert->key_method = key_method;

  347. }

  348. 

  349. void SSL_CTX_set_private_key_method(SSL_CTX *ctx,

  350.                                     const SSL_PRIVATE_KEY_METHOD *key_method) {

  351.   ctx->cert->key_method = key_method;

  352. }

  353. 

  354. static int set_signing_algorithm_prefs(CERT *cert, const uint16_t *prefs,

  355.                                        size_t num_prefs) {

  356.   OPENSSL_free(cert->sigalgs);

  357. 

  358.   cert->num_sigalgs = 0;

  359.   cert->sigalgs = BUF_memdup(prefs, num_prefs * sizeof(prefs[0]));

  360.   if (cert->sigalgs == NULL) {

  361.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  362.     return 0;

  363.   }

  364.   cert->num_sigalgs = num_prefs;

  365. 

  366.   return 1;

  367. }

  368. 

  369. int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,

  370.                                         size_t num_prefs) {

  371.   return set_signing_algorithm_prefs(ctx->cert, prefs, num_prefs);

  372. }

  373. 

  374. 

  375. int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,

  376.                                     size_t num_prefs) {

  377.   return set_signing_algorithm_prefs(ssl->cert, prefs, num_prefs);

  378. }

  379. 

  380. OPENSSL_COMPILE_ASSERT(sizeof(int) >= 2 * sizeof(uint16_t),

  381.                        digest_list_conversion_cannot_overflow);

  382. 

  383. int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids,

  384.                                      size_t num_digests) {

  385.   OPENSSL_free(ssl->cert->sigalgs);

  386. 

  387.   ssl->cert->num_sigalgs = 0;

  388.   ssl->cert->sigalgs = OPENSSL_malloc(sizeof(uint16_t) * 2 * num_digests);

  389.   if (ssl->cert->sigalgs == NULL) {

  390.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  391.     return 0;

  392.   }

  393. 

  394.   /* Convert the digest list to a signature algorithms list.

  395.    *

  396.    * TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */

  397.   for (size_t i = 0; i < num_digests; i++) {

  398.     switch (digest_nids[i]) {

  399.       case NID_sha1:

  400.         ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA1;

  401.         ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = SSL_SIGN_ECDSA_SHA1;

  402.         ssl->cert->num_sigalgs += 2;

  403.         break;

  404.       case NID_sha256:

  405.         ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA256;

  406.         ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] =

  407.             SSL_SIGN_ECDSA_SECP256R1_SHA256;

  408.         ssl->cert->num_sigalgs += 2;

  409.         break;

  410.       case NID_sha384:

  411.         ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA384;

  412.         ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] =

  413.             SSL_SIGN_ECDSA_SECP384R1_SHA384;

  414.         ssl->cert->num_sigalgs += 2;

  415.         break;

  416.       case NID_sha512:

  417.         ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA512;

  418.         ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] =

  419.             SSL_SIGN_ECDSA_SECP521R1_SHA512;

  420.         ssl->cert->num_sigalgs += 2;

  421.         break;

  422.     }

  423.   }

  424. 

  425.   return 1;

  426. }

  427. 

  428. int ssl_has_private_key(const SSL *ssl) {

  429.   return ssl->cert->privatekey != NULL || ssl->cert->key_method != NULL;

  430. }

  431. 

  432. int ssl_is_ecdsa_key_type(int type) {

  433.   switch (type) {

  434.     /* TODO(davidben): Remove support for |EVP_PKEY_EC| key types. */

  435.     case EVP_PKEY_EC:

  436.     case NID_X9_62_prime256v1:

  437.     case NID_secp384r1:

  438.     case NID_secp521r1:

  439.       return 1;

  440.     default:

  441.       return 0;

  442.   }

  443. }

  444. 

  445. int ssl_private_key_type(SSL *ssl) {

  446.   if (ssl->cert->key_method != NULL) {

  447.     return ssl->cert->key_method->type(ssl);

  448.   }

  449.   switch (EVP_PKEY_id(ssl->cert->privatekey)) {

  450.     case EVP_PKEY_RSA:

  451.       return NID_rsaEncryption;

  452.     case EVP_PKEY_EC:

  453.       return EC_GROUP_get_curve_name(

  454.           EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(ssl->cert->privatekey)));

  455.     default:

  456.       return NID_undef;

  457.   }

  458. }

  459. 

  460. size_t ssl_private_key_max_signature_len(SSL *ssl) {

  461.   if (ssl->cert->key_method != NULL) {

  462.     return ssl->cert->key_method->max_signature_len(ssl);

  463.   }

  464.   return EVP_PKEY_size(ssl->cert->privatekey);

  465. }

  466. 

  467. /* TODO(davidben): Forbid RSA-PKCS1 in TLS 1.3. For now we allow it because NSS

  468.  * has yet to start doing RSA-PSS, so enforcing it would complicate interop

  469.  * testing. */

  470. static int is_rsa_pkcs1(const EVP_MD **out_md, uint16_t sigalg) {

  471.   switch (sigalg) {

  472.     case SSL_SIGN_RSA_PKCS1_MD5_SHA1:

  473.       *out_md = EVP_md5_sha1();

  474.       return 1;

  475.     case SSL_SIGN_RSA_PKCS1_SHA1:

  476.       *out_md = EVP_sha1();

  477.       return 1;

  478.     case SSL_SIGN_RSA_PKCS1_SHA256:

  479.       *out_md = EVP_sha256();

  480.       return 1;

  481.     case SSL_SIGN_RSA_PKCS1_SHA384:

  482.       *out_md = EVP_sha384();

  483.       return 1;

  484.     case SSL_SIGN_RSA_PKCS1_SHA512:

  485.       *out_md = EVP_sha512();

  486.       return 1;

  487.     default:

  488.       return 0;

  489.   }

  490. }

  491. 

  492. static int ssl_sign_rsa_pkcs1(SSL *ssl, uint8_t *out, size_t *out_len,

  493.                               size_t max_out, const EVP_MD *md,

  494.                               const uint8_t *in, size_t in_len) {

  495.   EVP_MD_CTX ctx;

  496.   EVP_MD_CTX_init(&ctx);

  497.   *out_len = max_out;

  498.   int ret = EVP_DigestSignInit(&ctx, NULL, md, NULL, ssl->cert->privatekey) &&

  499.             EVP_DigestSignUpdate(&ctx, in, in_len) &&

  500.             EVP_DigestSignFinal(&ctx, out, out_len);

  501.   EVP_MD_CTX_cleanup(&ctx);

  502.   return ret;

  503. }

  504. 

  505. static int ssl_verify_rsa_pkcs1(SSL *ssl, const uint8_t *signature,

  506.                                 size_t signature_len, const EVP_MD *md,

  507.                                 EVP_PKEY *pkey, const uint8_t *in,

  508.                                 size_t in_len) {

  509.   if (pkey->type != EVP_PKEY_RSA) {

  510.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);

  511.     return 0;

  512.   }

  513. 

  514.   EVP_MD_CTX md_ctx;

  515.   EVP_MD_CTX_init(&md_ctx);

  516.   int ret = EVP_DigestVerifyInit(&md_ctx, NULL, md, NULL, pkey) &&

  517.             EVP_DigestVerifyUpdate(&md_ctx, in, in_len) &&

  518.             EVP_DigestVerifyFinal(&md_ctx, signature, signature_len);

  519.   EVP_MD_CTX_cleanup(&md_ctx);

  520.   return ret;

  521. }

  522. 

  523. static int is_ecdsa(int *out_curve, const EVP_MD **out_md, uint16_t sigalg) {

  524.   switch (sigalg) {

  525.     case SSL_SIGN_ECDSA_SHA1:

  526.       *out_curve = NID_undef;

  527.       *out_md = EVP_sha1();

  528.       return 1;

  529.     case SSL_SIGN_ECDSA_SECP256R1_SHA256:

  530.       *out_curve = NID_X9_62_prime256v1;

  531.       *out_md = EVP_sha256();

  532.       return 1;

  533.     case SSL_SIGN_ECDSA_SECP384R1_SHA384:

  534.       *out_curve = NID_secp384r1;

  535.       *out_md = EVP_sha384();

  536.       return 1;

  537.     case SSL_SIGN_ECDSA_SECP521R1_SHA512:

  538.       *out_curve = NID_secp521r1;

  539.       *out_md = EVP_sha512();

  540.       return 1;

  541.     default:

  542.       return 0;

  543.   }

  544. }

  545. 

  546. static int ssl_sign_ecdsa(SSL *ssl, uint8_t *out, size_t *out_len,

  547.                           size_t max_out, int curve, const EVP_MD *md,

  548.                           const uint8_t *in, size_t in_len) {

  549.   EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->cert->privatekey);

  550.   if (ec_key == NULL) {

  551.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);

  552.     return 0;

  553.   }

  554. 

  555.   /* In TLS 1.3, the curve is also specified by the signature algorithm. */

  556.   if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&

  557.       (curve == NID_undef ||

  558.        EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) != curve)) {

  559.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);

  560.     return 0;

  561.   }

  562. 

  563.   EVP_MD_CTX ctx;

  564.   EVP_MD_CTX_init(&ctx);

  565.   *out_len = max_out;

  566.   int ret = EVP_DigestSignInit(&ctx, NULL, md, NULL, ssl->cert->privatekey) &&

  567.             EVP_DigestSignUpdate(&ctx, in, in_len) &&

  568.             EVP_DigestSignFinal(&ctx, out, out_len);

  569.   EVP_MD_CTX_cleanup(&ctx);

  570.   return ret;

  571. }

  572. 

  573. static int ssl_verify_ecdsa(SSL *ssl, const uint8_t *signature,

  574.                             size_t signature_len, int curve, const EVP_MD *md,

  575.                             EVP_PKEY *pkey, const uint8_t *in, size_t in_len) {

  576.   EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);

  577.   if (ec_key == NULL) {

  578.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);

  579.     return 0;

  580.   }

  581. 

  582.   /* In TLS 1.3, the curve is also specified by the signature algorithm. */

  583.   if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&

  584.       (curve == NID_undef ||

  585.        EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) != curve)) {

  586.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);

  587.     return 0;

  588.   }

  589. 

  590.   EVP_MD_CTX md_ctx;

  591.   EVP_MD_CTX_init(&md_ctx);

  592.   int ret = EVP_DigestVerifyInit(&md_ctx, NULL, md, NULL, pkey) &&

  593.             EVP_DigestVerifyUpdate(&md_ctx, in, in_len) &&

  594.             EVP_DigestVerifyFinal(&md_ctx, signature, signature_len);

  595.   EVP_MD_CTX_cleanup(&md_ctx);

  596.   return ret;

  597. }

  598. 

  599. static int is_rsa_pss(const EVP_MD **out_md, uint16_t sigalg) {

  600.   switch (sigalg) {

  601.     case SSL_SIGN_RSA_PSS_SHA256:

  602.       *out_md = EVP_sha256();

  603.       return 1;

  604.     case SSL_SIGN_RSA_PSS_SHA384:

  605.       *out_md = EVP_sha384();

  606.       return 1;

  607.     case SSL_SIGN_RSA_PSS_SHA512:

  608.       *out_md = EVP_sha512();

  609.       return 1;

  610.     default:

  611.       return 0;

  612.   }

  613. }

  614. 

  615. static int ssl_sign_rsa_pss(SSL *ssl, uint8_t *out, size_t *out_len,

  616.                               size_t max_out, const EVP_MD *md,

  617.                               const uint8_t *in, size_t in_len) {

  618.   EVP_MD_CTX ctx;

  619.   EVP_MD_CTX_init(&ctx);

  620.   *out_len = max_out;

  621.   EVP_PKEY_CTX *pctx;

  622.   int ret =

  623.       EVP_DigestSignInit(&ctx, &pctx, md, NULL, ssl->cert->privatekey) &&

  624.       EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) &&

  625.       EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */) &&

  626.       EVP_DigestSignUpdate(&ctx, in, in_len) &&

  627.       EVP_DigestSignFinal(&ctx, out, out_len);

  628.   EVP_MD_CTX_cleanup(&ctx);

  629.   return ret;

  630. }

  631. 

  632. static int ssl_verify_rsa_pss(SSL *ssl, const uint8_t *signature,

  633.                                 size_t signature_len, const EVP_MD *md,

  634.                                 EVP_PKEY *pkey, const uint8_t *in,

  635.                                 size_t in_len) {

  636.   if (pkey->type != EVP_PKEY_RSA) {

  637.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);

  638.     return 0;

  639.   }

  640. 

  641.   EVP_MD_CTX md_ctx;

  642.   EVP_MD_CTX_init(&md_ctx);

  643.   EVP_PKEY_CTX *pctx;

  644.   int ret =

  645.       EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey) &&

  646.       EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) &&

  647.       EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */) &&

  648.       EVP_DigestVerifyUpdate(&md_ctx, in, in_len) &&

  649.       EVP_DigestVerifyFinal(&md_ctx, signature, signature_len);

  650.   EVP_MD_CTX_cleanup(&md_ctx);

  651.   return ret;

  652. }

  653. 

  654. enum ssl_private_key_result_t ssl_private_key_sign(

  655.     SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,

  656.     uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {

  657.   if (ssl->cert->key_method != NULL) {

  658.     if (ssl->cert->key_method->sign != NULL) {

  659.       return ssl->cert->key_method->sign(ssl, out, out_len, max_out,

  660.                                          signature_algorithm, in, in_len);

  661.     }

  662. 

  663.     /* TODO(davidben): Remove support for |sign_digest|-only

  664.      * |SSL_PRIVATE_KEY_METHOD|s. */

  665.     const EVP_MD *md;

  666.     int curve;

  667.     if (!is_rsa_pkcs1(&md, signature_algorithm) &&

  668.         !is_ecdsa(&curve, &md, signature_algorithm)) {

  669.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);

  670.       return ssl_private_key_failure;

  671.     }

  672. 

  673.     uint8_t hash[EVP_MAX_MD_SIZE];

  674.     unsigned hash_len;

  675.     if (!EVP_Digest(in, in_len, hash, &hash_len, md, NULL)) {

  676.       return ssl_private_key_failure;

  677.     }

  678. 

  679.     return ssl->cert->key_method->sign_digest(ssl, out, out_len, max_out, md,

  680.                                               hash, hash_len);

  681.   }

  682. 

  683.   const EVP_MD *md;

  684.   if (is_rsa_pkcs1(&md, signature_algorithm) &&

  685.       ssl3_protocol_version(ssl) < TLS1_3_VERSION) {

  686.     return ssl_sign_rsa_pkcs1(ssl, out, out_len, max_out, md, in, in_len)

  687.                ? ssl_private_key_success

  688.                : ssl_private_key_failure;

  689.   }

  690. 

  691.   int curve;

  692.   if (is_ecdsa(&curve, &md, signature_algorithm)) {

  693.     return ssl_sign_ecdsa(ssl, out, out_len, max_out, curve, md, in, in_len)

  694.                ? ssl_private_key_success

  695.                : ssl_private_key_failure;

  696.   }

  697. 

  698.   if (is_rsa_pss(&md, signature_algorithm)) {

  699.     return ssl_sign_rsa_pss(ssl, out, out_len, max_out, md, in, in_len)

  700.                ? ssl_private_key_success

  701.                : ssl_private_key_failure;

  702.   }

  703. 

  704.   OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);

  705.   return ssl_private_key_failure;

  706. }

  707. 

  708. int ssl_public_key_verify(SSL *ssl, const uint8_t *signature,

  709.                           size_t signature_len, uint16_t signature_algorithm,

  710.                           EVP_PKEY *pkey, const uint8_t *in, size_t in_len) {

  711.   const EVP_MD *md;

  712.   if (is_rsa_pkcs1(&md, signature_algorithm) &&

  713.       ssl3_protocol_version(ssl) < TLS1_3_VERSION) {

  714.     return ssl_verify_rsa_pkcs1(ssl, signature, signature_len, md, pkey, in,

  715.                                 in_len);

  716.   }

  717. 

  718.   int curve;

  719.   if (is_ecdsa(&curve, &md, signature_algorithm)) {

  720.     return ssl_verify_ecdsa(ssl, signature, signature_len, curve, md, pkey, in,

  721.                             in_len);

  722.   }

  723. 

  724.   if (is_rsa_pss(&md, signature_algorithm)) {

  725.     return ssl_verify_rsa_pss(ssl, signature, signature_len, md, pkey, in,

  726.                               in_len);

  727.   }

  728. 

  729.   OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);

  730.   return 0;

  731. }

  732. 

  733. enum ssl_private_key_result_t ssl_private_key_decrypt(

  734.     SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,

  735.     const uint8_t *in, size_t in_len) {

  736.   if (ssl->cert->key_method != NULL) {

  737.     return ssl->cert->key_method->decrypt(ssl, out, out_len, max_out, in,

  738.                                           in_len);

  739.   }

  740. 

  741.   RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey);

  742.   if (rsa == NULL) {

  743.     /* Decrypt operations are only supported for RSA keys. */

  744.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  745.     return ssl_private_key_failure;

  746.   }

  747. 

  748.   /* Decrypt with no padding. PKCS#1 padding will be removed as part

  749.    * of the timing-sensitive code by the caller. */

  750.   if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) {

  751.     return ssl_private_key_failure;

  752.   }

  753.   return ssl_private_key_success;

  754. }

  755. 

  756. enum ssl_private_key_result_t ssl_private_key_complete(SSL *ssl, uint8_t *out,

  757.                                                        size_t *out_len,

  758.                                                        size_t max_out) {

  759.   /* Only custom keys may be asynchronous. */

  760.   return ssl->cert->key_method->complete(ssl, out, out_len, max_out);

  761. }

  762. 

  763. int ssl_private_key_supports_signature_algorithm(SSL *ssl,

  764.                                                  uint16_t signature_algorithm) {

  765.   const EVP_MD *md;

  766.   if (is_rsa_pkcs1(&md, signature_algorithm) &&

  767.       ssl3_protocol_version(ssl) < TLS1_3_VERSION) {

  768.     return ssl_private_key_type(ssl) == NID_rsaEncryption;

  769.   }

  770. 

  771.   int curve;

  772.   if (is_ecdsa(&curve, &md, signature_algorithm)) {

  773.     int type = ssl_private_key_type(ssl);

  774.     if (!ssl_is_ecdsa_key_type(type)) {

  775.       return 0;

  776.     }

  777. 

  778.     /* Prior to TLS 1.3, ECDSA curves did not match the signature algorithm. */

  779.     if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {

  780.       return 1;

  781.     }

  782. 

  783.     return curve != NID_undef && type == curve;

  784.   }

  785. 

  786.   if (is_rsa_pss(&md, signature_algorithm)) {

  787.     if (ssl_private_key_type(ssl) != NID_rsaEncryption) {

  788.       return 0;

  789.     }

  790. 

  791.     /* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that

  792.      * emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the

  793.      * hash in TLS. Reasonable RSA key sizes are large enough for the largest

  794.      * defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too large for

  795.      * SHA-512. 1024-bit RSA is sometimes used for test credentials, so check

  796.      * the size to fall back to another algorithm. */

  797.     if (ssl_private_key_max_signature_len(ssl) < 2 * EVP_MD_size(md) + 2) {

  798.       return 0;

  799.     }

  800. 

  801.     /* RSA-PSS is only supported by message-based private keys. */

  802.     if (ssl->cert->key_method != NULL && ssl->cert->key_method->sign == NULL) {

  803.       return 0;

  804.     }

  805. 

  806.     return 1;

  807.   }

  808. 

  809.   return 0;

  810. }