kris
/
boringssl
1
0
Fork 0
Código Issues 0 Pull requests 0 Versões 0 Wiki Atividade
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
5667 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tag: 9978f0a865
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 9978f0a865
${ noResults }
boringssl/ssl/ssl_privkey.cc

818 linhas
26 KiB
Original Anotar Histórico 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <openssl/ssl.h>

  58. 

  59. #include <assert.h>

  60. #include <limits.h>

  61. 

  62. #include <openssl/ec.h>

  63. #include <openssl/ec_key.h>

  64. #include <openssl/err.h>

  65. #include <openssl/evp.h>

  66. #include <openssl/mem.h>

  67. 

  68. #include "internal.h"

  69. #include "../crypto/internal.h"

  70. 

  71. 

  72. BSSL_NAMESPACE_BEGIN

  73. 

  74. bool ssl_is_key_type_supported(int key_type) {

  75.   return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC ||

  76.          key_type == EVP_PKEY_ED25519;

  77. }

  78. 

  79. static bool ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) {

  80.   if (!ssl_is_key_type_supported(pkey->type)) {

  81.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  82.     return false;

  83.   }

  84. 

  85.   if (cert->chain != nullptr &&

  86.       sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) != nullptr &&

  87.       // Sanity-check that the private key and the certificate match.

  88.       !ssl_cert_check_private_key(cert, pkey)) {

  89.     return false;

  90.   }

  91. 

  92.   cert->privatekey = UpRef(pkey);

  93.   return true;

  94. }

  95. 

  96. typedef struct {

  97.   uint16_t sigalg;

  98.   int pkey_type;

  99.   int curve;

  100.   const EVP_MD *(*digest_func)(void);

  101.   bool is_rsa_pss;

  102. } SSL_SIGNATURE_ALGORITHM;

  103. 

  104. static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = {

  105.     {SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1,

  106.      false},

  107.     {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1, false},

  108.     {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, false},

  109.     {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, false},

  110.     {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, false},

  111. 

  112.     {SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, true},

  113.     {SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, true},

  114.     {SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, true},

  115. 

  116.     {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1, false},

  117.     {SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1,

  118.      &EVP_sha256, false},

  119.     {SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384,

  120.      false},

  121.     {SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512,

  122.      false},

  123. 

  124.     {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr, false},

  125. };

  126. 

  127. static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {

  128.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kSignatureAlgorithms); i++) {

  129.     if (kSignatureAlgorithms[i].sigalg == sigalg) {

  130.       return &kSignatureAlgorithms[i];

  131.     }

  132.   }

  133.   return NULL;

  134. }

  135. 

  136. bool ssl_has_private_key(const SSL_HANDSHAKE *hs) {

  137.   if (hs->config->cert->privatekey != nullptr ||

  138.       hs->config->cert->key_method != nullptr ||

  139.       ssl_signing_with_dc(hs)) {

  140.     return true;

  141.   }

  142. 

  143.   return false;

  144. }

  145. 

  146. static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,

  147.                                     uint16_t sigalg) {

  148.   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);

  149.   if (alg == NULL ||

  150.       EVP_PKEY_id(pkey) != alg->pkey_type) {

  151.     return false;

  152.   }

  153. 

  154.   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {

  155.     // RSA keys may only be used with RSA-PSS.

  156.     if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) {

  157.       return false;

  158.     }

  159. 

  160.     // EC keys have a curve requirement.

  161.     if (alg->pkey_type == EVP_PKEY_EC &&

  162.         (alg->curve == NID_undef ||

  163.          EC_GROUP_get_curve_name(

  164.              EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) != alg->curve)) {

  165.       return false;

  166.     }

  167.   }

  168. 

  169.   return true;

  170. }

  171. 

  172. static bool setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey,

  173.                       uint16_t sigalg, bool is_verify) {

  174.   if (!pkey_supports_algorithm(ssl, pkey, sigalg)) {

  175.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);

  176.     return false;

  177.   }

  178. 

  179.   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);

  180.   const EVP_MD *digest = alg->digest_func != NULL ? alg->digest_func() : NULL;

  181.   EVP_PKEY_CTX *pctx;

  182.   if (is_verify) {

  183.     if (!EVP_DigestVerifyInit(ctx, &pctx, digest, NULL, pkey)) {

  184.       return false;

  185.     }

  186.   } else if (!EVP_DigestSignInit(ctx, &pctx, digest, NULL, pkey)) {

  187.     return false;

  188.   }

  189. 

  190.   if (alg->is_rsa_pss) {

  191.     if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||

  192.         !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */)) {

  193.       return false;

  194.     }

  195.   }

  196. 

  197.   return true;

  198. }

  199. 

  200. enum ssl_private_key_result_t ssl_private_key_sign(

  201.     SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,

  202.     uint16_t sigalg, Span<const uint8_t> in) {

  203.   SSL *const ssl = hs->ssl;

  204.   const SSL_PRIVATE_KEY_METHOD *key_method = hs->config->cert->key_method;

  205.   EVP_PKEY *privatekey = hs->config->cert->privatekey.get();

  206.   if (ssl_signing_with_dc(hs)) {

  207.     key_method = hs->config->cert->dc_key_method;

  208.     privatekey = hs->config->cert->dc_privatekey.get();

  209.   }

  210. 

  211.   if (key_method != NULL) {

  212.     enum ssl_private_key_result_t ret;

  213.     if (hs->pending_private_key_op) {

  214.       ret = key_method->complete(ssl, out, out_len, max_out);

  215.     } else {

  216.       ret = key_method->sign(ssl, out, out_len, max_out,

  217.                              sigalg, in.data(), in.size());

  218.     }

  219.     if (ret == ssl_private_key_failure) {

  220.       OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);

  221.     }

  222.     hs->pending_private_key_op = ret == ssl_private_key_retry;

  223.     return ret;

  224.   }

  225. 

  226.   *out_len = max_out;

  227.   ScopedEVP_MD_CTX ctx;

  228.   if (!setup_ctx(ssl, ctx.get(), privatekey, sigalg, false /* sign */) ||

  229.       !EVP_DigestSign(ctx.get(), out, out_len, in.data(), in.size())) {

  230.     return ssl_private_key_failure;

  231.   }

  232.   return ssl_private_key_success;

  233. }

  234. 

  235. bool ssl_public_key_verify(SSL *ssl, Span<const uint8_t> signature,

  236.                            uint16_t sigalg, EVP_PKEY *pkey,

  237.                            Span<const uint8_t> in) {

  238.   ScopedEVP_MD_CTX ctx;

  239.   return setup_ctx(ssl, ctx.get(), pkey, sigalg, true /* verify */) &&

  240.          EVP_DigestVerify(ctx.get(), signature.data(), signature.size(),

  241.                           in.data(), in.size());

  242. }

  243. 

  244. enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,

  245.                                                       uint8_t *out,

  246.                                                       size_t *out_len,

  247.                                                       size_t max_out,

  248.                                                       Span<const uint8_t> in) {

  249.   SSL *const ssl = hs->ssl;

  250.   if (hs->config->cert->key_method != NULL) {

  251.     enum ssl_private_key_result_t ret;

  252.     if (hs->pending_private_key_op) {

  253.       ret = hs->config->cert->key_method->complete(ssl, out, out_len, max_out);

  254.     } else {

  255.       ret = hs->config->cert->key_method->decrypt(ssl, out, out_len, max_out,

  256.                                                   in.data(), in.size());

  257.     }

  258.     if (ret == ssl_private_key_failure) {

  259.       OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);

  260.     }

  261.     hs->pending_private_key_op = ret == ssl_private_key_retry;

  262.     return ret;

  263.   }

  264. 

  265.   RSA *rsa = EVP_PKEY_get0_RSA(hs->config->cert->privatekey.get());

  266.   if (rsa == NULL) {

  267.     // Decrypt operations are only supported for RSA keys.

  268.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  269.     return ssl_private_key_failure;

  270.   }

  271. 

  272.   // Decrypt with no padding. PKCS#1 padding will be removed as part of the

  273.   // timing-sensitive code by the caller.

  274.   if (!RSA_decrypt(rsa, out_len, out, max_out, in.data(), in.size(),

  275.                    RSA_NO_PADDING)) {

  276.     return ssl_private_key_failure;

  277.   }

  278.   return ssl_private_key_success;

  279. }

  280. 

  281. bool ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,

  282.                                                   uint16_t sigalg) {

  283.   SSL *const ssl = hs->ssl;

  284.   if (!pkey_supports_algorithm(ssl, hs->local_pubkey.get(), sigalg)) {

  285.     return false;

  286.   }

  287. 

  288.   // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that

  289.   // emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the

  290.   // hash in TLS. Reasonable RSA key sizes are large enough for the largest

  291.   // defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for

  292.   // SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the

  293.   // size so that we can fall back to another algorithm in that case.

  294.   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);

  295.   if (alg->is_rsa_pss && (size_t)EVP_PKEY_size(hs->local_pubkey.get()) <

  296.                              2 * EVP_MD_size(alg->digest_func()) + 2) {

  297.     return false;

  298.   }

  299. 

  300.   return true;

  301. }

  302. 

  303. BSSL_NAMESPACE_END

  304. 

  305. using namespace bssl;

  306. 

  307. int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) {

  308.   if (rsa == NULL || ssl->config == NULL) {

  309.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  310.     return 0;

  311.   }

  312. 

  313.   UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());

  314.   if (!pkey ||

  315.       !EVP_PKEY_set1_RSA(pkey.get(), rsa)) {

  316.     OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);

  317.     return 0;

  318.   }

  319. 

  320.   return ssl_set_pkey(ssl->config->cert.get(), pkey.get());

  321. }

  322. 

  323. int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {

  324.   UniquePtr<RSA> rsa(RSA_private_key_from_bytes(der, der_len));

  325.   if (!rsa) {

  326.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  327.     return 0;

  328.   }

  329. 

  330.   return SSL_use_RSAPrivateKey(ssl, rsa.get());

  331. }

  332. 

  333. int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) {

  334.   if (pkey == NULL || ssl->config == NULL) {

  335.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  336.     return 0;

  337.   }

  338. 

  339.   return ssl_set_pkey(ssl->config->cert.get(), pkey);

  340. }

  341. 

  342. int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der,

  343.                             size_t der_len) {

  344.   if (der_len > LONG_MAX) {

  345.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  346.     return 0;

  347.   }

  348. 

  349.   const uint8_t *p = der;

  350.   UniquePtr<EVP_PKEY> pkey(d2i_PrivateKey(type, NULL, &p, (long)der_len));

  351.   if (!pkey || p != der + der_len) {

  352.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  353.     return 0;

  354.   }

  355. 

  356.   return SSL_use_PrivateKey(ssl, pkey.get());

  357. }

  358. 

  359. int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) {

  360.   if (rsa == NULL) {

  361.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  362.     return 0;

  363.   }

  364. 

  365.   UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());

  366.   if (!pkey ||

  367.       !EVP_PKEY_set1_RSA(pkey.get(), rsa)) {

  368.     OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);

  369.     return 0;

  370.   }

  371. 

  372.   return ssl_set_pkey(ctx->cert.get(), pkey.get());

  373. }

  374. 

  375. int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der,

  376.                                    size_t der_len) {

  377.   UniquePtr<RSA> rsa(RSA_private_key_from_bytes(der, der_len));

  378.   if (!rsa) {

  379.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  380.     return 0;

  381.   }

  382. 

  383.   return SSL_CTX_use_RSAPrivateKey(ctx, rsa.get());

  384. }

  385. 

  386. int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) {

  387.   if (pkey == NULL) {

  388.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  389.     return 0;

  390.   }

  391. 

  392.   return ssl_set_pkey(ctx->cert.get(), pkey);

  393. }

  394. 

  395. int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der,

  396.                                 size_t der_len) {

  397.   if (der_len > LONG_MAX) {

  398.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  399.     return 0;

  400.   }

  401. 

  402.   const uint8_t *p = der;

  403.   UniquePtr<EVP_PKEY> pkey(d2i_PrivateKey(type, NULL, &p, (long)der_len));

  404.   if (!pkey || p != der + der_len) {

  405.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  406.     return 0;

  407.   }

  408. 

  409.   return SSL_CTX_use_PrivateKey(ctx, pkey.get());

  410. }

  411. 

  412. void SSL_set_private_key_method(SSL *ssl,

  413.                                 const SSL_PRIVATE_KEY_METHOD *key_method) {

  414.   if (!ssl->config) {

  415.     return;

  416.   }

  417.   ssl->config->cert->key_method = key_method;

  418. }

  419. 

  420. void SSL_CTX_set_private_key_method(SSL_CTX *ctx,

  421.                                     const SSL_PRIVATE_KEY_METHOD *key_method) {

  422.   ctx->cert->key_method = key_method;

  423. }

  424. 

  425. static constexpr size_t kMaxSignatureAlgorithmNameLen = 23;

  426. 

  427. // This was "constexpr" rather than "const", but that triggered a bug in MSVC

  428. // where it didn't pad the strings to the correct length.

  429. static const struct {

  430.   uint16_t signature_algorithm;

  431.   const char name[kMaxSignatureAlgorithmNameLen];

  432. } kSignatureAlgorithmNames[] = {

  433.     {SSL_SIGN_RSA_PKCS1_MD5_SHA1, "rsa_pkcs1_md5_sha1"},

  434.     {SSL_SIGN_RSA_PKCS1_SHA1, "rsa_pkcs1_sha1"},

  435.     {SSL_SIGN_RSA_PKCS1_SHA256, "rsa_pkcs1_sha256"},

  436.     {SSL_SIGN_RSA_PKCS1_SHA384, "rsa_pkcs1_sha384"},

  437.     {SSL_SIGN_RSA_PKCS1_SHA512, "rsa_pkcs1_sha512"},

  438.     {SSL_SIGN_ECDSA_SHA1, "ecdsa_sha1"},

  439.     {SSL_SIGN_ECDSA_SECP256R1_SHA256, "ecdsa_secp256r1_sha256"},

  440.     {SSL_SIGN_ECDSA_SECP384R1_SHA384, "ecdsa_secp384r1_sha384"},

  441.     {SSL_SIGN_ECDSA_SECP521R1_SHA512, "ecdsa_secp521r1_sha512"},

  442.     {SSL_SIGN_RSA_PSS_RSAE_SHA256, "rsa_pss_rsae_sha256"},

  443.     {SSL_SIGN_RSA_PSS_RSAE_SHA384, "rsa_pss_rsae_sha384"},

  444.     {SSL_SIGN_RSA_PSS_RSAE_SHA512, "rsa_pss_rsae_sha512"},

  445.     {SSL_SIGN_ED25519, "ed25519"},

  446. };

  447. 

  448. const char *SSL_get_signature_algorithm_name(uint16_t sigalg,

  449.                                              int include_curve) {

  450.   if (!include_curve) {

  451.     switch (sigalg) {

  452.       case SSL_SIGN_ECDSA_SECP256R1_SHA256:

  453.         return "ecdsa_sha256";

  454.       case SSL_SIGN_ECDSA_SECP384R1_SHA384:

  455.         return "ecdsa_sha384";

  456.       case SSL_SIGN_ECDSA_SECP521R1_SHA512:

  457.         return "ecdsa_sha512";

  458.     }

  459.   }

  460. 

  461.   for (const auto &candidate : kSignatureAlgorithmNames) {

  462.     if (candidate.signature_algorithm == sigalg) {

  463.       return candidate.name;

  464.     }

  465.   }

  466. 

  467.   return NULL;

  468. }

  469. 

  470. int SSL_get_signature_algorithm_key_type(uint16_t sigalg) {

  471.   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);

  472.   return alg != nullptr ? alg->pkey_type : EVP_PKEY_NONE;

  473. }

  474. 

  475. const EVP_MD *SSL_get_signature_algorithm_digest(uint16_t sigalg) {

  476.   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);

  477.   if (alg == nullptr || alg->digest_func == nullptr) {

  478.     return nullptr;

  479.   }

  480.   return alg->digest_func();

  481. }

  482. 

  483. int SSL_is_signature_algorithm_rsa_pss(uint16_t sigalg) {

  484.   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);

  485.   return alg != nullptr && alg->is_rsa_pss;

  486. }

  487. 

  488. int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,

  489.                                         size_t num_prefs) {

  490.   return ctx->cert->sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));

  491. }

  492. 

  493. int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,

  494.                                     size_t num_prefs) {

  495.   if (!ssl->config) {

  496.     return 0;

  497.   }

  498.   return ssl->config->cert->sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));

  499. }

  500. 

  501. static constexpr struct {

  502.   int pkey_type;

  503.   int hash_nid;

  504.   uint16_t signature_algorithm;

  505. } kSignatureAlgorithmsMapping[] = {

  506.     {EVP_PKEY_RSA, NID_sha1, SSL_SIGN_RSA_PKCS1_SHA1},

  507.     {EVP_PKEY_RSA, NID_sha256, SSL_SIGN_RSA_PKCS1_SHA256},

  508.     {EVP_PKEY_RSA, NID_sha384, SSL_SIGN_RSA_PKCS1_SHA384},

  509.     {EVP_PKEY_RSA, NID_sha512, SSL_SIGN_RSA_PKCS1_SHA512},

  510.     {EVP_PKEY_RSA_PSS, NID_sha256, SSL_SIGN_RSA_PSS_RSAE_SHA256},

  511.     {EVP_PKEY_RSA_PSS, NID_sha384, SSL_SIGN_RSA_PSS_RSAE_SHA384},

  512.     {EVP_PKEY_RSA_PSS, NID_sha512, SSL_SIGN_RSA_PSS_RSAE_SHA512},

  513.     {EVP_PKEY_EC, NID_sha1, SSL_SIGN_ECDSA_SHA1},

  514.     {EVP_PKEY_EC, NID_sha256, SSL_SIGN_ECDSA_SECP256R1_SHA256},

  515.     {EVP_PKEY_EC, NID_sha384, SSL_SIGN_ECDSA_SECP384R1_SHA384},

  516.     {EVP_PKEY_EC, NID_sha512, SSL_SIGN_ECDSA_SECP521R1_SHA512},

  517.     {EVP_PKEY_ED25519, NID_undef, SSL_SIGN_ED25519},

  518. };

  519. 

  520. static bool parse_sigalg_pairs(Array<uint16_t> *out, const int *values,

  521.                                size_t num_values) {

  522.   if ((num_values & 1) == 1) {

  523.     return false;

  524.   }

  525. 

  526.   const size_t num_pairs = num_values / 2;

  527.   if (!out->Init(num_pairs)) {

  528.     return false;

  529.   }

  530. 

  531.   for (size_t i = 0; i < num_values; i += 2) {

  532.     const int hash_nid = values[i];

  533.     const int pkey_type = values[i+1];

  534. 

  535.     bool found = false;

  536.     for (const auto &candidate : kSignatureAlgorithmsMapping) {

  537.       if (candidate.pkey_type == pkey_type && candidate.hash_nid == hash_nid) {

  538.         (*out)[i / 2] = candidate.signature_algorithm;

  539.         found = true;

  540.         break;

  541.       }

  542.     }

  543. 

  544.     if (!found) {

  545.       OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);

  546.       ERR_add_error_dataf("unknown hash:%d pkey:%d", hash_nid, pkey_type);

  547.       return false;

  548.     }

  549.   }

  550. 

  551.   return true;

  552. }

  553. 

  554. static int compare_uint16_t(const void *p1, const void *p2) {

  555.   uint16_t u1 = *((const uint16_t *)p1);

  556.   uint16_t u2 = *((const uint16_t *)p2);

  557.   if (u1 < u2) {

  558.     return -1;

  559.   } else if (u1 > u2) {

  560.     return 1;

  561.   } else {

  562.     return 0;

  563.   }

  564. }

  565. 

  566. static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {

  567.   if (in_sigalgs.size() < 2) {

  568.     return true;

  569.   }

  570. 

  571.   Array<uint16_t> sigalgs;

  572.   if (!sigalgs.CopyFrom(in_sigalgs)) {

  573.     return false;

  574.   }

  575. 

  576.   qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t);

  577. 

  578.   for (size_t i = 1; i < sigalgs.size(); i++) {

  579.     if (sigalgs[i - 1] == sigalgs[i]) {

  580.       OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM);

  581.       return false;

  582.     }

  583.   }

  584. 

  585.   return true;

  586. }

  587. 

  588. int SSL_CTX_set1_sigalgs(SSL_CTX *ctx, const int *values, size_t num_values) {

  589.   Array<uint16_t> sigalgs;

  590.   if (!parse_sigalg_pairs(&sigalgs, values, num_values) ||

  591.       !sigalgs_unique(sigalgs)) {

  592.     return 0;

  593.   }

  594. 

  595.   if (!SSL_CTX_set_signing_algorithm_prefs(ctx, sigalgs.data(),

  596.                                            sigalgs.size()) ||

  597.       !ctx->verify_sigalgs.CopyFrom(sigalgs)) {

  598.     return 0;

  599.   }

  600. 

  601.   return 1;

  602. }

  603. 

  604. int SSL_set1_sigalgs(SSL *ssl, const int *values, size_t num_values) {

  605.   if (!ssl->config) {

  606.     OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  607.     return 0;

  608.   }

  609. 

  610.   Array<uint16_t> sigalgs;

  611.   if (!parse_sigalg_pairs(&sigalgs, values, num_values) ||

  612.       !sigalgs_unique(sigalgs)) {

  613.     return 0;

  614.   }

  615. 

  616.   if (!SSL_set_signing_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size()) ||

  617.       !ssl->config->verify_sigalgs.CopyFrom(sigalgs)) {

  618.     return 0;

  619.   }

  620. 

  621.   return 1;

  622. }

  623. 

  624. static bool parse_sigalgs_list(Array<uint16_t> *out, const char *str) {

  625.   // str looks like "RSA+SHA1:ECDSA+SHA256:ecdsa_secp256r1_sha256".

  626. 

  627.   // Count colons to give the number of output elements from any successful

  628.   // parse.

  629.   size_t num_elements = 1;

  630.   size_t len = 0;

  631.   for (const char *p = str; *p; p++) {

  632.     len++;

  633.     if (*p == ':') {

  634.       num_elements++;

  635.     }

  636.   }

  637. 

  638.   if (!out->Init(num_elements)) {

  639.     return false;

  640.   }

  641.   size_t out_i = 0;

  642. 

  643.   enum {

  644.     pkey_or_name,

  645.     hash_name,

  646.   } state = pkey_or_name;

  647. 

  648.   char buf[kMaxSignatureAlgorithmNameLen];

  649.   // buf_used is always < sizeof(buf). I.e. it's always safe to write

  650.   // buf[buf_used] = 0.

  651.   size_t buf_used = 0;

  652. 

  653.   int pkey_type = 0, hash_nid = 0;

  654. 

  655.   // Note that the loop runs to len+1, i.e. it'll process the terminating NUL.

  656.   for (size_t offset = 0; offset < len+1; offset++) {

  657.     const char c = str[offset];

  658. 

  659.     switch (c) {

  660.       case '+':

  661.         if (state == hash_name) {

  662.           OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);

  663.           ERR_add_error_dataf("+ found in hash name at offset %zu", offset);

  664.           return false;

  665.         }

  666.         if (buf_used == 0) {

  667.           OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);

  668.           ERR_add_error_dataf("empty public key type at offset %zu", offset);

  669.           return false;

  670.         }

  671.         buf[buf_used] = 0;

  672. 

  673.         if (strcmp(buf, "RSA") == 0) {

  674.           pkey_type = EVP_PKEY_RSA;

  675.         } else if (strcmp(buf, "RSA-PSS") == 0 ||

  676.                    strcmp(buf, "PSS") == 0) {

  677.           pkey_type = EVP_PKEY_RSA_PSS;

  678.         } else if (strcmp(buf, "ECDSA") == 0) {

  679.           pkey_type = EVP_PKEY_EC;

  680.         } else {

  681.           OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);

  682.           ERR_add_error_dataf("unknown public key type '%s'", buf);

  683.           return false;

  684.         }

  685. 

  686.         state = hash_name;

  687.         buf_used = 0;

  688.         break;

  689. 

  690.       case ':':

  691.         OPENSSL_FALLTHROUGH;

  692.       case 0:

  693.         if (buf_used == 0) {

  694.           OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);

  695.           ERR_add_error_dataf("empty element at offset %zu", offset);

  696.           return false;

  697.         }

  698. 

  699.         buf[buf_used] = 0;

  700. 

  701.         if (state == pkey_or_name) {

  702.           // No '+' was seen thus this is a TLS 1.3-style name.

  703.           bool found = false;

  704.           for (const auto &candidate : kSignatureAlgorithmNames) {

  705.             if (strcmp(candidate.name, buf) == 0) {

  706.               assert(out_i < num_elements);

  707.               (*out)[out_i++] = candidate.signature_algorithm;

  708.               found = true;

  709.               break;

  710.             }

  711.           }

  712. 

  713.           if (!found) {

  714.             OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);

  715.             ERR_add_error_dataf("unknown signature algorithm '%s'", buf);

  716.             return false;

  717.           }

  718.         } else {

  719.           if (strcmp(buf, "SHA1") == 0) {

  720.             hash_nid = NID_sha1;

  721.           } else if (strcmp(buf, "SHA256") == 0) {

  722.             hash_nid = NID_sha256;

  723.           } else if (strcmp(buf, "SHA384") == 0) {

  724.             hash_nid = NID_sha384;

  725.           } else if (strcmp(buf, "SHA512") == 0) {

  726.             hash_nid = NID_sha512;

  727.           } else {

  728.             OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);

  729.             ERR_add_error_dataf("unknown hash function '%s'", buf);

  730.             return false;

  731.           }

  732. 

  733.           bool found = false;

  734.           for (const auto &candidate : kSignatureAlgorithmsMapping) {

  735.             if (candidate.pkey_type == pkey_type &&

  736.                 candidate.hash_nid == hash_nid) {

  737.               assert(out_i < num_elements);

  738.               (*out)[out_i++] = candidate.signature_algorithm;

  739.               found = true;

  740.               break;

  741.             }

  742.           }

  743. 

  744.           if (!found) {

  745.             OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);

  746.             ERR_add_error_dataf("unknown pkey:%d hash:%s", pkey_type, buf);

  747.             return false;

  748.           }

  749.         }

  750. 

  751.         state = pkey_or_name;

  752.         buf_used = 0;

  753.         break;

  754. 

  755.       default:

  756.         if (buf_used == sizeof(buf) - 1) {

  757.           OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);

  758.           ERR_add_error_dataf("substring too long at offset %zu", offset);

  759.           return false;

  760.         }

  761. 

  762.         if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||

  763.             (c >= 'A' && c <= 'Z') || c == '-' || c == '_') {

  764.           buf[buf_used++] = c;

  765.         } else {

  766.           OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);

  767.           ERR_add_error_dataf("invalid character 0x%02x at offest %zu", c,

  768.                               offset);

  769.           return false;

  770.         }

  771.     }

  772.   }

  773. 

  774.   assert(out_i == out->size());

  775.   return true;

  776. }

  777. 

  778. int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str) {

  779.   Array<uint16_t> sigalgs;

  780.   if (!parse_sigalgs_list(&sigalgs, str) ||

  781.       !sigalgs_unique(sigalgs)) {

  782.     return 0;

  783.   }

  784. 

  785.   if (!SSL_CTX_set_signing_algorithm_prefs(ctx, sigalgs.data(),

  786.                                            sigalgs.size()) ||

  787.       !ctx->verify_sigalgs.CopyFrom(sigalgs)) {

  788.     return 0;

  789.   }

  790. 

  791.   return 1;

  792. }

  793. 

  794. int SSL_set1_sigalgs_list(SSL *ssl, const char *str) {

  795.   if (!ssl->config) {

  796.     OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  797.     return 0;

  798.   }

  799. 

  800.   Array<uint16_t> sigalgs;

  801.   if (!parse_sigalgs_list(&sigalgs, str) ||

  802.       !sigalgs_unique(sigalgs)) {

  803.     return 0;

  804.   }

  805. 

  806.   if (!SSL_set_signing_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size()) ||

  807.       !ssl->config->verify_sigalgs.CopyFrom(sigalgs)) {

  808.     return 0;

  809.   }

  810. 

  811.   return 1;

  812. }

  813. 

  814. int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,

  815.                                        size_t num_prefs) {

  816.   return ctx->verify_sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));

  817. }