1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/ssl.h> 58 59 #include <limits.h> 60 61 #include <openssl/ec.h> 62 #include <openssl/ec_key.h> 63 #include <openssl/err.h> 64 #include <openssl/evp.h> 65 #include <openssl/mem.h> 66 #include <openssl/type_check.h> 67 68 #include "internal.h" 69 70 71 int ssl_is_key_type_supported(int key_type) { 72 return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC; 73 } 74 75 static int ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) { 76 if (!ssl_is_key_type_supported(pkey->type)) { 77 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 78 return 0; 79 } 80 81 if (cert->chain != NULL && 82 sk_CRYPTO_BUFFER_value(cert->chain, 0) != NULL && 83 /* Sanity-check that the private key and the certificate match. */ 84 !ssl_cert_check_private_key(cert, pkey)) { 85 return 0; 86 } 87 88 EVP_PKEY_free(cert->privatekey); 89 EVP_PKEY_up_ref(pkey); 90 cert->privatekey = pkey; 91 92 return 1; 93 } 94 95 int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) { 96 EVP_PKEY *pkey; 97 int ret; 98 99 if (rsa == NULL) { 100 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 101 return 0; 102 } 103 104 pkey = EVP_PKEY_new(); 105 if (pkey == NULL) { 106 OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB); 107 return 0; 108 } 109 110 RSA_up_ref(rsa); 111 EVP_PKEY_assign_RSA(pkey, rsa); 112 113 ret = ssl_set_pkey(ssl->cert, pkey); 114 EVP_PKEY_free(pkey); 115 116 return ret; 117 } 118 119 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) { 120 if (pkey == NULL) { 121 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 122 return 0; 123 } 124 125 return ssl_set_pkey(ssl->cert, pkey); 126 } 127 128 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der, 129 size_t der_len) { 130 if (der_len > LONG_MAX) { 131 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 132 return 0; 133 } 134 135 const uint8_t *p = der; 136 EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len); 137 if (pkey == NULL || p != der + der_len) { 138 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB); 139 EVP_PKEY_free(pkey); 140 return 0; 141 } 142 143 int ret = SSL_use_PrivateKey(ssl, pkey); 144 EVP_PKEY_free(pkey); 145 return ret; 146 } 147 148 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) { 149 int ret; 150 EVP_PKEY *pkey; 151 152 if (rsa == NULL) { 153 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 154 return 0; 155 } 156 157 pkey = EVP_PKEY_new(); 158 if (pkey == NULL) { 159 OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB); 160 return 0; 161 } 162 163 RSA_up_ref(rsa); 164 EVP_PKEY_assign_RSA(pkey, rsa); 165 166 ret = ssl_set_pkey(ctx->cert, pkey); 167 EVP_PKEY_free(pkey); 168 return ret; 169 } 170 171 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der, 172 size_t der_len) { 173 RSA *rsa = RSA_private_key_from_bytes(der, der_len); 174 if (rsa == NULL) { 175 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB); 176 return 0; 177 } 178 179 int ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); 180 RSA_free(rsa); 181 return ret; 182 } 183 184 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) { 185 if (pkey == NULL) { 186 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 187 return 0; 188 } 189 190 return ssl_set_pkey(ctx->cert, pkey); 191 } 192 193 int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der, 194 size_t der_len) { 195 if (der_len > LONG_MAX) { 196 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 197 return 0; 198 } 199 200 const uint8_t *p = der; 201 EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len); 202 if (pkey == NULL || p != der + der_len) { 203 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB); 204 EVP_PKEY_free(pkey); 205 return 0; 206 } 207 208 int ret = SSL_CTX_use_PrivateKey(ctx, pkey); 209 EVP_PKEY_free(pkey); 210 return ret; 211 } 212 213 void SSL_set_private_key_method(SSL *ssl, 214 const SSL_PRIVATE_KEY_METHOD *key_method) { 215 ssl->cert->key_method = key_method; 216 } 217 218 void SSL_CTX_set_private_key_method(SSL_CTX *ctx, 219 const SSL_PRIVATE_KEY_METHOD *key_method) { 220 ctx->cert->key_method = key_method; 221 } 222 223 static int set_signing_algorithm_prefs(CERT *cert, const uint16_t *prefs, 224 size_t num_prefs) { 225 OPENSSL_free(cert->sigalgs); 226 227 cert->num_sigalgs = 0; 228 cert->sigalgs = BUF_memdup(prefs, num_prefs * sizeof(prefs[0])); 229 if (cert->sigalgs == NULL) { 230 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 231 return 0; 232 } 233 cert->num_sigalgs = num_prefs; 234 235 return 1; 236 } 237 238 int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs, 239 size_t num_prefs) { 240 return set_signing_algorithm_prefs(ctx->cert, prefs, num_prefs); 241 } 242 243 244 int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs, 245 size_t num_prefs) { 246 return set_signing_algorithm_prefs(ssl->cert, prefs, num_prefs); 247 } 248 249 int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids, 250 size_t num_digests) { 251 OPENSSL_free(ssl->cert->sigalgs); 252 253 OPENSSL_COMPILE_ASSERT(sizeof(int) >= 2 * sizeof(uint16_t), 254 digest_list_conversion_cannot_overflow); 255 256 ssl->cert->num_sigalgs = 0; 257 ssl->cert->sigalgs = OPENSSL_malloc(sizeof(uint16_t) * 2 * num_digests); 258 if (ssl->cert->sigalgs == NULL) { 259 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 260 return 0; 261 } 262 263 /* Convert the digest list to a signature algorithms list. 264 * 265 * TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */ 266 for (size_t i = 0; i < num_digests; i++) { 267 switch (digest_nids[i]) { 268 case NID_sha1: 269 ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA1; 270 ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = SSL_SIGN_ECDSA_SHA1; 271 ssl->cert->num_sigalgs += 2; 272 break; 273 case NID_sha256: 274 ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA256; 275 ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = 276 SSL_SIGN_ECDSA_SECP256R1_SHA256; 277 ssl->cert->num_sigalgs += 2; 278 break; 279 case NID_sha384: 280 ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA384; 281 ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = 282 SSL_SIGN_ECDSA_SECP384R1_SHA384; 283 ssl->cert->num_sigalgs += 2; 284 break; 285 case NID_sha512: 286 ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA512; 287 ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = 288 SSL_SIGN_ECDSA_SECP521R1_SHA512; 289 ssl->cert->num_sigalgs += 2; 290 break; 291 } 292 } 293 294 return 1; 295 } 296 297 int ssl_has_private_key(const SSL *ssl) { 298 return ssl->cert->privatekey != NULL || ssl->cert->key_method != NULL; 299 } 300 301 int ssl_is_ecdsa_key_type(int type) { 302 switch (type) { 303 case NID_secp224r1: 304 case NID_X9_62_prime256v1: 305 case NID_secp384r1: 306 case NID_secp521r1: 307 return 1; 308 default: 309 return 0; 310 } 311 } 312 313 int ssl_private_key_type(SSL *ssl) { 314 if (ssl->cert->key_method != NULL) { 315 return ssl->cert->key_method->type(ssl); 316 } 317 switch (EVP_PKEY_id(ssl->cert->privatekey)) { 318 case EVP_PKEY_RSA: 319 return NID_rsaEncryption; 320 case EVP_PKEY_EC: 321 return EC_GROUP_get_curve_name( 322 EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(ssl->cert->privatekey))); 323 default: 324 return NID_undef; 325 } 326 } 327 328 size_t ssl_private_key_max_signature_len(SSL *ssl) { 329 if (ssl->cert->key_method != NULL) { 330 return ssl->cert->key_method->max_signature_len(ssl); 331 } 332 return EVP_PKEY_size(ssl->cert->privatekey); 333 } 334 335 /* TODO(davidben): Forbid RSA-PKCS1 in TLS 1.3. For now we allow it because NSS 336 * has yet to start doing RSA-PSS, so enforcing it would complicate interop 337 * testing. */ 338 static int is_rsa_pkcs1(const EVP_MD **out_md, uint16_t sigalg) { 339 switch (sigalg) { 340 case SSL_SIGN_RSA_PKCS1_MD5_SHA1: 341 *out_md = EVP_md5_sha1(); 342 return 1; 343 case SSL_SIGN_RSA_PKCS1_SHA1: 344 *out_md = EVP_sha1(); 345 return 1; 346 case SSL_SIGN_RSA_PKCS1_SHA256: 347 *out_md = EVP_sha256(); 348 return 1; 349 case SSL_SIGN_RSA_PKCS1_SHA384: 350 *out_md = EVP_sha384(); 351 return 1; 352 case SSL_SIGN_RSA_PKCS1_SHA512: 353 *out_md = EVP_sha512(); 354 return 1; 355 default: 356 return 0; 357 } 358 } 359 360 static int ssl_sign_rsa_pkcs1(SSL *ssl, uint8_t *out, size_t *out_len, 361 size_t max_out, const EVP_MD *md, 362 const uint8_t *in, size_t in_len) { 363 EVP_MD_CTX ctx; 364 EVP_MD_CTX_init(&ctx); 365 *out_len = max_out; 366 int ret = EVP_DigestSignInit(&ctx, NULL, md, NULL, ssl->cert->privatekey) && 367 EVP_DigestSignUpdate(&ctx, in, in_len) && 368 EVP_DigestSignFinal(&ctx, out, out_len); 369 EVP_MD_CTX_cleanup(&ctx); 370 return ret; 371 } 372 373 static int ssl_verify_rsa_pkcs1(SSL *ssl, const uint8_t *signature, 374 size_t signature_len, const EVP_MD *md, 375 EVP_PKEY *pkey, const uint8_t *in, 376 size_t in_len) { 377 if (pkey->type != EVP_PKEY_RSA) { 378 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); 379 return 0; 380 } 381 382 EVP_MD_CTX md_ctx; 383 EVP_MD_CTX_init(&md_ctx); 384 int ret = EVP_DigestVerifyInit(&md_ctx, NULL, md, NULL, pkey) && 385 EVP_DigestVerifyUpdate(&md_ctx, in, in_len) && 386 EVP_DigestVerifyFinal(&md_ctx, signature, signature_len); 387 EVP_MD_CTX_cleanup(&md_ctx); 388 return ret; 389 } 390 391 static int is_ecdsa(int *out_curve, const EVP_MD **out_md, uint16_t sigalg) { 392 switch (sigalg) { 393 case SSL_SIGN_ECDSA_SHA1: 394 *out_curve = NID_undef; 395 *out_md = EVP_sha1(); 396 return 1; 397 case SSL_SIGN_ECDSA_SECP256R1_SHA256: 398 *out_curve = NID_X9_62_prime256v1; 399 *out_md = EVP_sha256(); 400 return 1; 401 case SSL_SIGN_ECDSA_SECP384R1_SHA384: 402 *out_curve = NID_secp384r1; 403 *out_md = EVP_sha384(); 404 return 1; 405 case SSL_SIGN_ECDSA_SECP521R1_SHA512: 406 *out_curve = NID_secp521r1; 407 *out_md = EVP_sha512(); 408 return 1; 409 default: 410 return 0; 411 } 412 } 413 414 static int ssl_sign_ecdsa(SSL *ssl, uint8_t *out, size_t *out_len, 415 size_t max_out, int curve, const EVP_MD *md, 416 const uint8_t *in, size_t in_len) { 417 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->cert->privatekey); 418 if (ec_key == NULL) { 419 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); 420 return 0; 421 } 422 423 /* In TLS 1.3, the curve is also specified by the signature algorithm. */ 424 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION && 425 (curve == NID_undef || 426 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) != curve)) { 427 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); 428 return 0; 429 } 430 431 EVP_MD_CTX ctx; 432 EVP_MD_CTX_init(&ctx); 433 *out_len = max_out; 434 int ret = EVP_DigestSignInit(&ctx, NULL, md, NULL, ssl->cert->privatekey) && 435 EVP_DigestSignUpdate(&ctx, in, in_len) && 436 EVP_DigestSignFinal(&ctx, out, out_len); 437 EVP_MD_CTX_cleanup(&ctx); 438 return ret; 439 } 440 441 static int ssl_verify_ecdsa(SSL *ssl, const uint8_t *signature, 442 size_t signature_len, int curve, const EVP_MD *md, 443 EVP_PKEY *pkey, const uint8_t *in, size_t in_len) { 444 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey); 445 if (ec_key == NULL) { 446 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); 447 return 0; 448 } 449 450 /* In TLS 1.3, the curve is also specified by the signature algorithm. */ 451 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION && 452 (curve == NID_undef || 453 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) != curve)) { 454 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); 455 return 0; 456 } 457 458 EVP_MD_CTX md_ctx; 459 EVP_MD_CTX_init(&md_ctx); 460 int ret = EVP_DigestVerifyInit(&md_ctx, NULL, md, NULL, pkey) && 461 EVP_DigestVerifyUpdate(&md_ctx, in, in_len) && 462 EVP_DigestVerifyFinal(&md_ctx, signature, signature_len); 463 EVP_MD_CTX_cleanup(&md_ctx); 464 return ret; 465 } 466 467 static int is_rsa_pss(const EVP_MD **out_md, uint16_t sigalg) { 468 switch (sigalg) { 469 case SSL_SIGN_RSA_PSS_SHA256: 470 *out_md = EVP_sha256(); 471 return 1; 472 case SSL_SIGN_RSA_PSS_SHA384: 473 *out_md = EVP_sha384(); 474 return 1; 475 case SSL_SIGN_RSA_PSS_SHA512: 476 *out_md = EVP_sha512(); 477 return 1; 478 default: 479 return 0; 480 } 481 } 482 483 static int ssl_sign_rsa_pss(SSL *ssl, uint8_t *out, size_t *out_len, 484 size_t max_out, const EVP_MD *md, 485 const uint8_t *in, size_t in_len) { 486 EVP_MD_CTX ctx; 487 EVP_MD_CTX_init(&ctx); 488 *out_len = max_out; 489 EVP_PKEY_CTX *pctx; 490 int ret = 491 EVP_DigestSignInit(&ctx, &pctx, md, NULL, ssl->cert->privatekey) && 492 EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) && 493 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */) && 494 EVP_DigestSignUpdate(&ctx, in, in_len) && 495 EVP_DigestSignFinal(&ctx, out, out_len); 496 EVP_MD_CTX_cleanup(&ctx); 497 return ret; 498 } 499 500 static int ssl_verify_rsa_pss(SSL *ssl, const uint8_t *signature, 501 size_t signature_len, const EVP_MD *md, 502 EVP_PKEY *pkey, const uint8_t *in, 503 size_t in_len) { 504 if (pkey->type != EVP_PKEY_RSA) { 505 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); 506 return 0; 507 } 508 509 EVP_MD_CTX md_ctx; 510 EVP_MD_CTX_init(&md_ctx); 511 EVP_PKEY_CTX *pctx; 512 int ret = 513 EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey) && 514 EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) && 515 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */) && 516 EVP_DigestVerifyUpdate(&md_ctx, in, in_len) && 517 EVP_DigestVerifyFinal(&md_ctx, signature, signature_len); 518 EVP_MD_CTX_cleanup(&md_ctx); 519 return ret; 520 } 521 522 enum ssl_private_key_result_t ssl_private_key_sign( 523 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 524 uint16_t signature_algorithm, const uint8_t *in, size_t in_len) { 525 if (ssl->cert->key_method != NULL) { 526 if (ssl->cert->key_method->sign != NULL) { 527 return ssl->cert->key_method->sign(ssl, out, out_len, max_out, 528 signature_algorithm, in, in_len); 529 } 530 531 /* TODO(davidben): Remove support for |sign_digest|-only 532 * |SSL_PRIVATE_KEY_METHOD|s. */ 533 const EVP_MD *md; 534 int curve; 535 if (!is_rsa_pkcs1(&md, signature_algorithm) && 536 !is_ecdsa(&curve, &md, signature_algorithm)) { 537 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY); 538 return ssl_private_key_failure; 539 } 540 541 uint8_t hash[EVP_MAX_MD_SIZE]; 542 unsigned hash_len; 543 if (!EVP_Digest(in, in_len, hash, &hash_len, md, NULL)) { 544 return ssl_private_key_failure; 545 } 546 547 return ssl->cert->key_method->sign_digest(ssl, out, out_len, max_out, md, 548 hash, hash_len); 549 } 550 551 const EVP_MD *md; 552 if (is_rsa_pkcs1(&md, signature_algorithm) && 553 ssl3_protocol_version(ssl) < TLS1_3_VERSION) { 554 return ssl_sign_rsa_pkcs1(ssl, out, out_len, max_out, md, in, in_len) 555 ? ssl_private_key_success 556 : ssl_private_key_failure; 557 } 558 559 int curve; 560 if (is_ecdsa(&curve, &md, signature_algorithm)) { 561 return ssl_sign_ecdsa(ssl, out, out_len, max_out, curve, md, in, in_len) 562 ? ssl_private_key_success 563 : ssl_private_key_failure; 564 } 565 566 if (is_rsa_pss(&md, signature_algorithm)) { 567 return ssl_sign_rsa_pss(ssl, out, out_len, max_out, md, in, in_len) 568 ? ssl_private_key_success 569 : ssl_private_key_failure; 570 } 571 572 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); 573 return ssl_private_key_failure; 574 } 575 576 int ssl_public_key_verify(SSL *ssl, const uint8_t *signature, 577 size_t signature_len, uint16_t signature_algorithm, 578 EVP_PKEY *pkey, const uint8_t *in, size_t in_len) { 579 const EVP_MD *md; 580 if (is_rsa_pkcs1(&md, signature_algorithm) && 581 ssl3_protocol_version(ssl) < TLS1_3_VERSION) { 582 return ssl_verify_rsa_pkcs1(ssl, signature, signature_len, md, pkey, in, 583 in_len); 584 } 585 586 int curve; 587 if (is_ecdsa(&curve, &md, signature_algorithm)) { 588 return ssl_verify_ecdsa(ssl, signature, signature_len, curve, md, pkey, in, 589 in_len); 590 } 591 592 if (is_rsa_pss(&md, signature_algorithm)) { 593 return ssl_verify_rsa_pss(ssl, signature, signature_len, md, pkey, in, 594 in_len); 595 } 596 597 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); 598 return 0; 599 } 600 601 enum ssl_private_key_result_t ssl_private_key_decrypt( 602 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 603 const uint8_t *in, size_t in_len) { 604 if (ssl->cert->key_method != NULL) { 605 return ssl->cert->key_method->decrypt(ssl, out, out_len, max_out, in, 606 in_len); 607 } 608 609 RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey); 610 if (rsa == NULL) { 611 /* Decrypt operations are only supported for RSA keys. */ 612 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 613 return ssl_private_key_failure; 614 } 615 616 /* Decrypt with no padding. PKCS#1 padding will be removed as part 617 * of the timing-sensitive code by the caller. */ 618 if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) { 619 return ssl_private_key_failure; 620 } 621 return ssl_private_key_success; 622 } 623 624 enum ssl_private_key_result_t ssl_private_key_complete(SSL *ssl, uint8_t *out, 625 size_t *out_len, 626 size_t max_out) { 627 /* Only custom keys may be asynchronous. */ 628 return ssl->cert->key_method->complete(ssl, out, out_len, max_out); 629 } 630 631 int ssl_private_key_supports_signature_algorithm(SSL *ssl, 632 uint16_t signature_algorithm) { 633 const EVP_MD *md; 634 if (is_rsa_pkcs1(&md, signature_algorithm) && 635 ssl3_protocol_version(ssl) < TLS1_3_VERSION) { 636 return ssl_private_key_type(ssl) == NID_rsaEncryption; 637 } 638 639 int curve; 640 if (is_ecdsa(&curve, &md, signature_algorithm)) { 641 int type = ssl_private_key_type(ssl); 642 if (!ssl_is_ecdsa_key_type(type)) { 643 return 0; 644 } 645 646 /* Prior to TLS 1.3, ECDSA curves did not match the signature algorithm. */ 647 if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) { 648 return 1; 649 } 650 651 return curve != NID_undef && type == curve; 652 } 653 654 if (is_rsa_pss(&md, signature_algorithm)) { 655 if (ssl_private_key_type(ssl) != NID_rsaEncryption) { 656 return 0; 657 } 658 659 /* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that 660 * emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the 661 * hash in TLS. Reasonable RSA key sizes are large enough for the largest 662 * defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too large for 663 * SHA-512. 1024-bit RSA is sometimes used for test credentials, so check 664 * the size to fall back to another algorithm. */ 665 if (ssl_private_key_max_signature_len(ssl) < 2 * EVP_MD_size(md) + 2) { 666 return 0; 667 } 668 669 /* RSA-PSS is only supported by message-based private keys. */ 670 if (ssl->cert->key_method != NULL && ssl->cert->key_method->sign == NULL) { 671 return 0; 672 } 673 674 return 1; 675 } 676 677 return 0; 678 } 679