kris
/
boringssl
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
4415 Revize
12 Větve
38 MiB
 
 
 
 
 
 
Strom: c386440683
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „c386440683“
${ noResults }
boringssl/ssl/ssl_privkey.cc

541 řádky
18 KiB
Surový Blame Historie 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <openssl/ssl.h>

  58. 

  59. #include <assert.h>

  60. #include <limits.h>

  61. 

  62. #include <openssl/ec.h>

  63. #include <openssl/ec_key.h>

  64. #include <openssl/err.h>

  65. #include <openssl/evp.h>

  66. #include <openssl/mem.h>

  67. #include <openssl/type_check.h>

  68. 

  69. #include "internal.h"

  70. #include "../crypto/internal.h"

  71. 

  72. 

  73. int ssl_is_key_type_supported(int key_type) {

  74.   return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC ||

  75.          key_type == EVP_PKEY_ED25519;

  76. }

  77. 

  78. static int ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) {

  79.   if (!ssl_is_key_type_supported(pkey->type)) {

  80.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  81.     return 0;

  82.   }

  83. 

  84.   if (cert->chain != NULL &&

  85.       sk_CRYPTO_BUFFER_value(cert->chain, 0) != NULL &&

  86.       /* Sanity-check that the private key and the certificate match. */

  87.       !ssl_cert_check_private_key(cert, pkey)) {

  88.     return 0;

  89.   }

  90. 

  91.   EVP_PKEY_free(cert->privatekey);

  92.   EVP_PKEY_up_ref(pkey);

  93.   cert->privatekey = pkey;

  94. 

  95.   return 1;

  96. }

  97. 

  98. int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) {

  99.   EVP_PKEY *pkey;

  100.   int ret;

  101. 

  102.   if (rsa == NULL) {

  103.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  104.     return 0;

  105.   }

  106. 

  107.   pkey = EVP_PKEY_new();

  108.   if (pkey == NULL) {

  109.     OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);

  110.     return 0;

  111.   }

  112. 

  113.   RSA_up_ref(rsa);

  114.   EVP_PKEY_assign_RSA(pkey, rsa);

  115. 

  116.   ret = ssl_set_pkey(ssl->cert, pkey);

  117.   EVP_PKEY_free(pkey);

  118. 

  119.   return ret;

  120. }

  121. 

  122. int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {

  123.   bssl::UniquePtr<RSA> rsa(RSA_private_key_from_bytes(der, der_len));

  124.   if (!rsa) {

  125.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  126.     return 0;

  127.   }

  128. 

  129.   return SSL_use_RSAPrivateKey(ssl, rsa.get());

  130. }

  131. 

  132. int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) {

  133.   if (pkey == NULL) {

  134.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  135.     return 0;

  136.   }

  137. 

  138.   return ssl_set_pkey(ssl->cert, pkey);

  139. }

  140. 

  141. int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der,

  142.                             size_t der_len) {

  143.   if (der_len > LONG_MAX) {

  144.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  145.     return 0;

  146.   }

  147. 

  148.   const uint8_t *p = der;

  149.   EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len);

  150.   if (pkey == NULL || p != der + der_len) {

  151.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  152.     EVP_PKEY_free(pkey);

  153.     return 0;

  154.   }

  155. 

  156.   int ret = SSL_use_PrivateKey(ssl, pkey);

  157.   EVP_PKEY_free(pkey);

  158.   return ret;

  159. }

  160. 

  161. int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) {

  162.   int ret;

  163.   EVP_PKEY *pkey;

  164. 

  165.   if (rsa == NULL) {

  166.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  167.     return 0;

  168.   }

  169. 

  170.   pkey = EVP_PKEY_new();

  171.   if (pkey == NULL) {

  172.     OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);

  173.     return 0;

  174.   }

  175. 

  176.   RSA_up_ref(rsa);

  177.   EVP_PKEY_assign_RSA(pkey, rsa);

  178. 

  179.   ret = ssl_set_pkey(ctx->cert, pkey);

  180.   EVP_PKEY_free(pkey);

  181.   return ret;

  182. }

  183. 

  184. int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der,

  185.                                    size_t der_len) {

  186.   RSA *rsa = RSA_private_key_from_bytes(der, der_len);

  187.   if (rsa == NULL) {

  188.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  189.     return 0;

  190.   }

  191. 

  192.   int ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);

  193.   RSA_free(rsa);

  194.   return ret;

  195. }

  196. 

  197. int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) {

  198.   if (pkey == NULL) {

  199.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  200.     return 0;

  201.   }

  202. 

  203.   return ssl_set_pkey(ctx->cert, pkey);

  204. }

  205. 

  206. int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der,

  207.                                 size_t der_len) {

  208.   if (der_len > LONG_MAX) {

  209.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  210.     return 0;

  211.   }

  212. 

  213.   const uint8_t *p = der;

  214.   EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len);

  215.   if (pkey == NULL || p != der + der_len) {

  216.     OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);

  217.     EVP_PKEY_free(pkey);

  218.     return 0;

  219.   }

  220. 

  221.   int ret = SSL_CTX_use_PrivateKey(ctx, pkey);

  222.   EVP_PKEY_free(pkey);

  223.   return ret;

  224. }

  225. 

  226. void SSL_set_private_key_method(SSL *ssl,

  227.                                 const SSL_PRIVATE_KEY_METHOD *key_method) {

  228.   ssl->cert->key_method = key_method;

  229. }

  230. 

  231. void SSL_CTX_set_private_key_method(SSL_CTX *ctx,

  232.                                     const SSL_PRIVATE_KEY_METHOD *key_method) {

  233.   ctx->cert->key_method = key_method;

  234. }

  235. 

  236. static int set_algorithm_prefs(uint16_t **out_prefs, size_t *out_num_prefs,

  237.                                const uint16_t *prefs, size_t num_prefs) {

  238.   OPENSSL_free(*out_prefs);

  239. 

  240.   *out_num_prefs = 0;

  241.   *out_prefs = (uint16_t *)BUF_memdup(prefs, num_prefs * sizeof(prefs[0]));

  242.   if (*out_prefs == NULL) {

  243.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  244.     return 0;

  245.   }

  246.   *out_num_prefs = num_prefs;

  247. 

  248.   return 1;

  249. }

  250. 

  251. int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,

  252.                                         size_t num_prefs) {

  253.   return set_algorithm_prefs(&ctx->cert->sigalgs, &ctx->cert->num_sigalgs,

  254.                              prefs, num_prefs);

  255. }

  256. 

  257. 

  258. int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,

  259.                                     size_t num_prefs) {

  260.   return set_algorithm_prefs(&ssl->cert->sigalgs, &ssl->cert->num_sigalgs,

  261.                              prefs, num_prefs);

  262. }

  263. 

  264. int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,

  265.                                        size_t num_prefs) {

  266.   return set_algorithm_prefs(&ctx->verify_sigalgs, &ctx->num_verify_sigalgs,

  267.                              prefs, num_prefs);

  268. }

  269. 

  270. int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids,

  271.                                      size_t num_digests) {

  272.   OPENSSL_free(ssl->cert->sigalgs);

  273. 

  274.   OPENSSL_COMPILE_ASSERT(sizeof(int) >= 2 * sizeof(uint16_t),

  275.                          digest_list_conversion_cannot_overflow);

  276. 

  277.   ssl->cert->num_sigalgs = 0;

  278.   ssl->cert->sigalgs =

  279.       (uint16_t *)OPENSSL_malloc(sizeof(uint16_t) * 2 * num_digests);

  280.   if (ssl->cert->sigalgs == NULL) {

  281.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  282.     return 0;

  283.   }

  284. 

  285.   /* Convert the digest list to a signature algorithms list.

  286.    *

  287.    * TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */

  288.   for (size_t i = 0; i < num_digests; i++) {

  289.     switch (digest_nids[i]) {

  290.       case NID_sha1:

  291.         ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA1;

  292.         ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = SSL_SIGN_ECDSA_SHA1;

  293.         ssl->cert->num_sigalgs += 2;

  294.         break;

  295.       case NID_sha256:

  296.         ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA256;

  297.         ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] =

  298.             SSL_SIGN_ECDSA_SECP256R1_SHA256;

  299.         ssl->cert->num_sigalgs += 2;

  300.         break;

  301.       case NID_sha384:

  302.         ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA384;

  303.         ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] =

  304.             SSL_SIGN_ECDSA_SECP384R1_SHA384;

  305.         ssl->cert->num_sigalgs += 2;

  306.         break;

  307.       case NID_sha512:

  308.         ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA512;

  309.         ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] =

  310.             SSL_SIGN_ECDSA_SECP521R1_SHA512;

  311.         ssl->cert->num_sigalgs += 2;

  312.         break;

  313.     }

  314.   }

  315. 

  316.   return 1;

  317. }

  318. 

  319. typedef struct {

  320.   uint16_t sigalg;

  321.   int pkey_type;

  322.   int curve;

  323.   const EVP_MD *(*digest_func)(void);

  324.   char is_rsa_pss;

  325. } SSL_SIGNATURE_ALGORITHM;

  326. 

  327. static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = {

  328.     {SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1, 0},

  329.     {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1, 0},

  330.     {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, 0},

  331.     {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, 0},

  332.     {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, 0},

  333. 

  334.     {SSL_SIGN_RSA_PSS_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, 1},

  335.     {SSL_SIGN_RSA_PSS_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, 1},

  336.     {SSL_SIGN_RSA_PSS_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, 1},

  337. 

  338.     {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1, 0},

  339.     {SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1,

  340.      &EVP_sha256, 0},

  341.     {SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384,

  342.      0},

  343.     {SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512,

  344.      0},

  345. 

  346.     {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, NULL, 0},

  347. };

  348. 

  349. static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {

  350.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kSignatureAlgorithms); i++) {

  351.     if (kSignatureAlgorithms[i].sigalg == sigalg) {

  352.       return &kSignatureAlgorithms[i];

  353.     }

  354.   }

  355.   return NULL;

  356. }

  357. 

  358. int ssl_has_private_key(const SSL *ssl) {

  359.   return ssl->cert->privatekey != NULL || ssl->cert->key_method != NULL;

  360. }

  361. 

  362. static int pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,

  363.                                    uint16_t sigalg) {

  364.   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);

  365.   if (alg == NULL ||

  366.       EVP_PKEY_id(pkey) != alg->pkey_type) {

  367.     return 0;

  368.   }

  369. 

  370.   if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {

  371.     /* RSA keys may only be used with RSA-PSS. */

  372.     if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) {

  373.       return 0;

  374.     }

  375. 

  376.     /* EC keys have a curve requirement. */

  377.     if (alg->pkey_type == EVP_PKEY_EC &&

  378.         (alg->curve == NID_undef ||

  379.          EC_GROUP_get_curve_name(

  380.              EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) != alg->curve)) {

  381.       return 0;

  382.     }

  383.   }

  384. 

  385.   return 1;

  386. }

  387. 

  388. static int setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey, uint16_t sigalg,

  389.                      int is_verify) {

  390.   if (!pkey_supports_algorithm(ssl, pkey, sigalg)) {

  391.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);

  392.     return 0;

  393.   }

  394. 

  395.   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);

  396.   const EVP_MD *digest = alg->digest_func != NULL ? alg->digest_func() : NULL;

  397.   EVP_PKEY_CTX *pctx;

  398.   if (is_verify) {

  399.     if (!EVP_DigestVerifyInit(ctx, &pctx, digest, NULL, pkey)) {

  400.       return 0;

  401.     }

  402.   } else if (!EVP_DigestSignInit(ctx, &pctx, digest, NULL, pkey)) {

  403.     return 0;

  404.   }

  405. 

  406.   if (alg->is_rsa_pss) {

  407.     if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||

  408.         !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */)) {

  409.       return 0;

  410.     }

  411.   }

  412. 

  413.   return 1;

  414. }

  415. 

  416. static int legacy_sign_digest_supported(const SSL_SIGNATURE_ALGORITHM *alg) {

  417.   return (alg->pkey_type == EVP_PKEY_EC || alg->pkey_type == EVP_PKEY_RSA) &&

  418.          !alg->is_rsa_pss;

  419. }

  420. 

  421. static enum ssl_private_key_result_t legacy_sign(

  422.     SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint16_t sigalg,

  423.     const uint8_t *in, size_t in_len) {

  424.   /* TODO(davidben): Remove support for |sign_digest|-only

  425.    * |SSL_PRIVATE_KEY_METHOD|s. */

  426.   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);

  427.   if (alg == NULL || !legacy_sign_digest_supported(alg)) {

  428.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);

  429.     return ssl_private_key_failure;

  430.   }

  431. 

  432.   const EVP_MD *md = alg->digest_func();

  433.   uint8_t hash[EVP_MAX_MD_SIZE];

  434.   unsigned hash_len;

  435.   if (!EVP_Digest(in, in_len, hash, &hash_len, md, NULL)) {

  436.     return ssl_private_key_failure;

  437.   }

  438. 

  439.   return ssl->cert->key_method->sign_digest(ssl, out, out_len, max_out, md,

  440.                                             hash, hash_len);

  441. }

  442. 

  443. enum ssl_private_key_result_t ssl_private_key_sign(

  444.     SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,

  445.     uint16_t sigalg, const uint8_t *in, size_t in_len) {

  446.   SSL *const ssl = hs->ssl;

  447.   if (ssl->cert->key_method != NULL) {

  448.     enum ssl_private_key_result_t ret;

  449.     if (hs->pending_private_key_op) {

  450.       ret = ssl->cert->key_method->complete(ssl, out, out_len, max_out);

  451.     } else {

  452.       ret = (ssl->cert->key_method->sign != NULL

  453.                  ? ssl->cert->key_method->sign

  454.                  : legacy_sign)(ssl, out, out_len, max_out, sigalg, in, in_len);

  455.     }

  456.     hs->pending_private_key_op = ret == ssl_private_key_retry;

  457.     return ret;

  458.   }

  459. 

  460.   *out_len = max_out;

  461.   EVP_MD_CTX ctx;

  462.   EVP_MD_CTX_init(&ctx);

  463.   int ret = setup_ctx(ssl, &ctx, ssl->cert->privatekey, sigalg, 0 /* sign */) &&

  464.             EVP_DigestSign(&ctx, out, out_len, in, in_len);

  465.   EVP_MD_CTX_cleanup(&ctx);

  466.   return ret ? ssl_private_key_success : ssl_private_key_failure;

  467. }

  468. 

  469. int ssl_public_key_verify(SSL *ssl, const uint8_t *signature,

  470.                           size_t signature_len, uint16_t sigalg, EVP_PKEY *pkey,

  471.                           const uint8_t *in, size_t in_len) {

  472.   EVP_MD_CTX ctx;

  473.   EVP_MD_CTX_init(&ctx);

  474.   int ret = setup_ctx(ssl, &ctx, pkey, sigalg, 1 /* verify */) &&

  475.             EVP_DigestVerify(&ctx, signature, signature_len, in, in_len);

  476.   EVP_MD_CTX_cleanup(&ctx);

  477.   return ret;

  478. }

  479. 

  480. enum ssl_private_key_result_t ssl_private_key_decrypt(

  481.     SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,

  482.     const uint8_t *in, size_t in_len) {

  483.   SSL *const ssl = hs->ssl;

  484.   if (ssl->cert->key_method != NULL) {

  485.     enum ssl_private_key_result_t ret;

  486.     if (hs->pending_private_key_op) {

  487.       ret = ssl->cert->key_method->complete(ssl, out, out_len, max_out);

  488.     } else {

  489.       ret = ssl->cert->key_method->decrypt(ssl, out, out_len, max_out, in,

  490.                                            in_len);

  491.     }

  492.     hs->pending_private_key_op = ret == ssl_private_key_retry;

  493.     return ret;

  494.   }

  495. 

  496.   RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey);

  497.   if (rsa == NULL) {

  498.     /* Decrypt operations are only supported for RSA keys. */

  499.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  500.     return ssl_private_key_failure;

  501.   }

  502. 

  503.   /* Decrypt with no padding. PKCS#1 padding will be removed as part

  504.    * of the timing-sensitive code by the caller. */

  505.   if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) {

  506.     return ssl_private_key_failure;

  507.   }

  508.   return ssl_private_key_success;

  509. }

  510. 

  511. int ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,

  512.                                                  uint16_t sigalg) {

  513.   SSL *const ssl = hs->ssl;

  514.   if (!pkey_supports_algorithm(ssl, hs->local_pubkey, sigalg)) {

  515.     return 0;

  516.   }

  517. 

  518.   /* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that

  519.    * emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the

  520.    * hash in TLS. Reasonable RSA key sizes are large enough for the largest

  521.    * defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for

  522.    * SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the

  523.    * size so that we can fall back to another algorithm in that case. */

  524.   const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);

  525.   if (alg->is_rsa_pss &&

  526.       (size_t)EVP_PKEY_size(hs->local_pubkey) <

  527.           2 * EVP_MD_size(alg->digest_func()) + 2) {

  528.     return 0;

  529.   }

  530. 

  531.   /* Newer algorithms require message-based private keys.

  532.    * TODO(davidben): Remove this check when sign_digest is gone. */

  533.   if (ssl->cert->key_method != NULL &&

  534.       ssl->cert->key_method->sign == NULL &&

  535.       !legacy_sign_digest_supported(alg)) {

  536.     return 0;

  537.   }

  538. 

  539.   return 1;

  540. }