1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/ssl.h> 58 59 #include <assert.h> 60 #include <limits.h> 61 62 #include <openssl/ec.h> 63 #include <openssl/ec_key.h> 64 #include <openssl/err.h> 65 #include <openssl/evp.h> 66 #include <openssl/mem.h> 67 68 #include "internal.h" 69 #include "../crypto/internal.h" 70 71 72 int ssl_is_key_type_supported(int key_type) { 73 return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC || 74 key_type == EVP_PKEY_ED25519; 75 } 76 77 static int ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) { 78 if (!ssl_is_key_type_supported(pkey->type)) { 79 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 80 return 0; 81 } 82 83 if (cert->chain != NULL && 84 sk_CRYPTO_BUFFER_value(cert->chain, 0) != NULL && 85 /* Sanity-check that the private key and the certificate match. */ 86 !ssl_cert_check_private_key(cert, pkey)) { 87 return 0; 88 } 89 90 EVP_PKEY_free(cert->privatekey); 91 EVP_PKEY_up_ref(pkey); 92 cert->privatekey = pkey; 93 94 return 1; 95 } 96 97 int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) { 98 EVP_PKEY *pkey; 99 int ret; 100 101 if (rsa == NULL) { 102 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 103 return 0; 104 } 105 106 pkey = EVP_PKEY_new(); 107 if (pkey == NULL) { 108 OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB); 109 return 0; 110 } 111 112 RSA_up_ref(rsa); 113 EVP_PKEY_assign_RSA(pkey, rsa); 114 115 ret = ssl_set_pkey(ssl->cert, pkey); 116 EVP_PKEY_free(pkey); 117 118 return ret; 119 } 120 121 int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) { 122 bssl::UniquePtr<RSA> rsa(RSA_private_key_from_bytes(der, der_len)); 123 if (!rsa) { 124 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB); 125 return 0; 126 } 127 128 return SSL_use_RSAPrivateKey(ssl, rsa.get()); 129 } 130 131 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) { 132 if (pkey == NULL) { 133 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 134 return 0; 135 } 136 137 return ssl_set_pkey(ssl->cert, pkey); 138 } 139 140 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der, 141 size_t der_len) { 142 if (der_len > LONG_MAX) { 143 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 144 return 0; 145 } 146 147 const uint8_t *p = der; 148 EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len); 149 if (pkey == NULL || p != der + der_len) { 150 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB); 151 EVP_PKEY_free(pkey); 152 return 0; 153 } 154 155 int ret = SSL_use_PrivateKey(ssl, pkey); 156 EVP_PKEY_free(pkey); 157 return ret; 158 } 159 160 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) { 161 int ret; 162 EVP_PKEY *pkey; 163 164 if (rsa == NULL) { 165 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 166 return 0; 167 } 168 169 pkey = EVP_PKEY_new(); 170 if (pkey == NULL) { 171 OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB); 172 return 0; 173 } 174 175 RSA_up_ref(rsa); 176 EVP_PKEY_assign_RSA(pkey, rsa); 177 178 ret = ssl_set_pkey(ctx->cert, pkey); 179 EVP_PKEY_free(pkey); 180 return ret; 181 } 182 183 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der, 184 size_t der_len) { 185 RSA *rsa = RSA_private_key_from_bytes(der, der_len); 186 if (rsa == NULL) { 187 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB); 188 return 0; 189 } 190 191 int ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); 192 RSA_free(rsa); 193 return ret; 194 } 195 196 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) { 197 if (pkey == NULL) { 198 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 199 return 0; 200 } 201 202 return ssl_set_pkey(ctx->cert, pkey); 203 } 204 205 int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der, 206 size_t der_len) { 207 if (der_len > LONG_MAX) { 208 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 209 return 0; 210 } 211 212 const uint8_t *p = der; 213 EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len); 214 if (pkey == NULL || p != der + der_len) { 215 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB); 216 EVP_PKEY_free(pkey); 217 return 0; 218 } 219 220 int ret = SSL_CTX_use_PrivateKey(ctx, pkey); 221 EVP_PKEY_free(pkey); 222 return ret; 223 } 224 225 void SSL_set_private_key_method(SSL *ssl, 226 const SSL_PRIVATE_KEY_METHOD *key_method) { 227 ssl->cert->key_method = key_method; 228 } 229 230 void SSL_CTX_set_private_key_method(SSL_CTX *ctx, 231 const SSL_PRIVATE_KEY_METHOD *key_method) { 232 ctx->cert->key_method = key_method; 233 } 234 235 static int set_algorithm_prefs(uint16_t **out_prefs, size_t *out_num_prefs, 236 const uint16_t *prefs, size_t num_prefs) { 237 OPENSSL_free(*out_prefs); 238 239 *out_num_prefs = 0; 240 *out_prefs = (uint16_t *)BUF_memdup(prefs, num_prefs * sizeof(prefs[0])); 241 if (*out_prefs == NULL) { 242 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 243 return 0; 244 } 245 *out_num_prefs = num_prefs; 246 247 return 1; 248 } 249 250 int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs, 251 size_t num_prefs) { 252 return set_algorithm_prefs(&ctx->cert->sigalgs, &ctx->cert->num_sigalgs, 253 prefs, num_prefs); 254 } 255 256 257 int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs, 258 size_t num_prefs) { 259 return set_algorithm_prefs(&ssl->cert->sigalgs, &ssl->cert->num_sigalgs, 260 prefs, num_prefs); 261 } 262 263 int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs, 264 size_t num_prefs) { 265 return set_algorithm_prefs(&ctx->verify_sigalgs, &ctx->num_verify_sigalgs, 266 prefs, num_prefs); 267 } 268 269 int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids, 270 size_t num_digests) { 271 OPENSSL_free(ssl->cert->sigalgs); 272 273 static_assert(sizeof(int) >= 2 * sizeof(uint16_t), 274 "sigalgs allocation may overflow"); 275 276 ssl->cert->num_sigalgs = 0; 277 ssl->cert->sigalgs = 278 (uint16_t *)OPENSSL_malloc(sizeof(uint16_t) * 2 * num_digests); 279 if (ssl->cert->sigalgs == NULL) { 280 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 281 return 0; 282 } 283 284 /* Convert the digest list to a signature algorithms list. 285 * 286 * TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */ 287 for (size_t i = 0; i < num_digests; i++) { 288 switch (digest_nids[i]) { 289 case NID_sha1: 290 ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA1; 291 ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = SSL_SIGN_ECDSA_SHA1; 292 ssl->cert->num_sigalgs += 2; 293 break; 294 case NID_sha256: 295 ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA256; 296 ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = 297 SSL_SIGN_ECDSA_SECP256R1_SHA256; 298 ssl->cert->num_sigalgs += 2; 299 break; 300 case NID_sha384: 301 ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA384; 302 ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = 303 SSL_SIGN_ECDSA_SECP384R1_SHA384; 304 ssl->cert->num_sigalgs += 2; 305 break; 306 case NID_sha512: 307 ssl->cert->sigalgs[ssl->cert->num_sigalgs] = SSL_SIGN_RSA_PKCS1_SHA512; 308 ssl->cert->sigalgs[ssl->cert->num_sigalgs + 1] = 309 SSL_SIGN_ECDSA_SECP521R1_SHA512; 310 ssl->cert->num_sigalgs += 2; 311 break; 312 } 313 } 314 315 return 1; 316 } 317 318 typedef struct { 319 uint16_t sigalg; 320 int pkey_type; 321 int curve; 322 const EVP_MD *(*digest_func)(void); 323 char is_rsa_pss; 324 } SSL_SIGNATURE_ALGORITHM; 325 326 static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = { 327 {SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1, 0}, 328 {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1, 0}, 329 {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, 0}, 330 {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, 0}, 331 {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, 0}, 332 333 {SSL_SIGN_RSA_PSS_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, 1}, 334 {SSL_SIGN_RSA_PSS_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, 1}, 335 {SSL_SIGN_RSA_PSS_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, 1}, 336 337 {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1, 0}, 338 {SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1, 339 &EVP_sha256, 0}, 340 {SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384, 341 0}, 342 {SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512, 343 0}, 344 345 {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, NULL, 0}, 346 }; 347 348 static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) { 349 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kSignatureAlgorithms); i++) { 350 if (kSignatureAlgorithms[i].sigalg == sigalg) { 351 return &kSignatureAlgorithms[i]; 352 } 353 } 354 return NULL; 355 } 356 357 int ssl_has_private_key(const SSL *ssl) { 358 return ssl->cert->privatekey != NULL || ssl->cert->key_method != NULL; 359 } 360 361 static int pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey, 362 uint16_t sigalg) { 363 const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); 364 if (alg == NULL || 365 EVP_PKEY_id(pkey) != alg->pkey_type) { 366 return 0; 367 } 368 369 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { 370 /* RSA keys may only be used with RSA-PSS. */ 371 if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) { 372 return 0; 373 } 374 375 /* EC keys have a curve requirement. */ 376 if (alg->pkey_type == EVP_PKEY_EC && 377 (alg->curve == NID_undef || 378 EC_GROUP_get_curve_name( 379 EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) != alg->curve)) { 380 return 0; 381 } 382 } 383 384 return 1; 385 } 386 387 static int setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey, uint16_t sigalg, 388 int is_verify) { 389 if (!pkey_supports_algorithm(ssl, pkey, sigalg)) { 390 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); 391 return 0; 392 } 393 394 const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); 395 const EVP_MD *digest = alg->digest_func != NULL ? alg->digest_func() : NULL; 396 EVP_PKEY_CTX *pctx; 397 if (is_verify) { 398 if (!EVP_DigestVerifyInit(ctx, &pctx, digest, NULL, pkey)) { 399 return 0; 400 } 401 } else if (!EVP_DigestSignInit(ctx, &pctx, digest, NULL, pkey)) { 402 return 0; 403 } 404 405 if (alg->is_rsa_pss) { 406 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) || 407 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */)) { 408 return 0; 409 } 410 } 411 412 return 1; 413 } 414 415 static int legacy_sign_digest_supported(const SSL_SIGNATURE_ALGORITHM *alg) { 416 return (alg->pkey_type == EVP_PKEY_EC || alg->pkey_type == EVP_PKEY_RSA) && 417 !alg->is_rsa_pss; 418 } 419 420 static enum ssl_private_key_result_t legacy_sign( 421 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint16_t sigalg, 422 const uint8_t *in, size_t in_len) { 423 /* TODO(davidben): Remove support for |sign_digest|-only 424 * |SSL_PRIVATE_KEY_METHOD|s. */ 425 const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); 426 if (alg == NULL || !legacy_sign_digest_supported(alg)) { 427 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY); 428 return ssl_private_key_failure; 429 } 430 431 const EVP_MD *md = alg->digest_func(); 432 uint8_t hash[EVP_MAX_MD_SIZE]; 433 unsigned hash_len; 434 if (!EVP_Digest(in, in_len, hash, &hash_len, md, NULL)) { 435 return ssl_private_key_failure; 436 } 437 438 return ssl->cert->key_method->sign_digest(ssl, out, out_len, max_out, md, 439 hash, hash_len); 440 } 441 442 enum ssl_private_key_result_t ssl_private_key_sign( 443 SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out, 444 uint16_t sigalg, const uint8_t *in, size_t in_len) { 445 SSL *const ssl = hs->ssl; 446 if (ssl->cert->key_method != NULL) { 447 enum ssl_private_key_result_t ret; 448 if (hs->pending_private_key_op) { 449 ret = ssl->cert->key_method->complete(ssl, out, out_len, max_out); 450 } else { 451 ret = (ssl->cert->key_method->sign != NULL 452 ? ssl->cert->key_method->sign 453 : legacy_sign)(ssl, out, out_len, max_out, sigalg, in, in_len); 454 } 455 hs->pending_private_key_op = ret == ssl_private_key_retry; 456 return ret; 457 } 458 459 *out_len = max_out; 460 EVP_MD_CTX ctx; 461 EVP_MD_CTX_init(&ctx); 462 int ret = setup_ctx(ssl, &ctx, ssl->cert->privatekey, sigalg, 0 /* sign */) && 463 EVP_DigestSign(&ctx, out, out_len, in, in_len); 464 EVP_MD_CTX_cleanup(&ctx); 465 return ret ? ssl_private_key_success : ssl_private_key_failure; 466 } 467 468 int ssl_public_key_verify(SSL *ssl, const uint8_t *signature, 469 size_t signature_len, uint16_t sigalg, EVP_PKEY *pkey, 470 const uint8_t *in, size_t in_len) { 471 EVP_MD_CTX ctx; 472 EVP_MD_CTX_init(&ctx); 473 int ret = setup_ctx(ssl, &ctx, pkey, sigalg, 1 /* verify */) && 474 EVP_DigestVerify(&ctx, signature, signature_len, in, in_len); 475 EVP_MD_CTX_cleanup(&ctx); 476 return ret; 477 } 478 479 enum ssl_private_key_result_t ssl_private_key_decrypt( 480 SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out, 481 const uint8_t *in, size_t in_len) { 482 SSL *const ssl = hs->ssl; 483 if (ssl->cert->key_method != NULL) { 484 enum ssl_private_key_result_t ret; 485 if (hs->pending_private_key_op) { 486 ret = ssl->cert->key_method->complete(ssl, out, out_len, max_out); 487 } else { 488 ret = ssl->cert->key_method->decrypt(ssl, out, out_len, max_out, in, 489 in_len); 490 } 491 hs->pending_private_key_op = ret == ssl_private_key_retry; 492 return ret; 493 } 494 495 RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey); 496 if (rsa == NULL) { 497 /* Decrypt operations are only supported for RSA keys. */ 498 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 499 return ssl_private_key_failure; 500 } 501 502 /* Decrypt with no padding. PKCS#1 padding will be removed as part 503 * of the timing-sensitive code by the caller. */ 504 if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) { 505 return ssl_private_key_failure; 506 } 507 return ssl_private_key_success; 508 } 509 510 int ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs, 511 uint16_t sigalg) { 512 SSL *const ssl = hs->ssl; 513 if (!pkey_supports_algorithm(ssl, hs->local_pubkey, sigalg)) { 514 return 0; 515 } 516 517 /* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that 518 * emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the 519 * hash in TLS. Reasonable RSA key sizes are large enough for the largest 520 * defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for 521 * SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the 522 * size so that we can fall back to another algorithm in that case. */ 523 const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); 524 if (alg->is_rsa_pss && 525 (size_t)EVP_PKEY_size(hs->local_pubkey) < 526 2 * EVP_MD_size(alg->digest_func()) + 2) { 527 return 0; 528 } 529 530 /* Newer algorithms require message-based private keys. 531 * TODO(davidben): Remove this check when sign_digest is gone. */ 532 if (ssl->cert->key_method != NULL && 533 ssl->cert->key_method->sign == NULL && 534 !legacy_sign_digest_supported(alg)) { 535 return 0; 536 } 537 538 return 1; 539 } 540