Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 0ee2e1107e6e59021b2e26ec83382010190e9f3c / . / ssl / ssl_rsa.c
blob: 3e0894e475ff5b163cd07db1f2cdd76ac69185d0 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
David Benjamin443a1f62015-09-04 15:05:05 -0400[diff] [blame]57#include <openssl/ssl.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]58
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]59#include <limits.h>
60
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]61#include <openssl/ec.h>
62#include <openssl/ec_key.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]63#include <openssl/err.h>
64#include <openssl/evp.h>
65#include <openssl/mem.h>
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]66#include <openssl/type_check.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]67#include <openssl/x509.h>
68
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]69#include "internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]70
David Benjamin443a1f62015-09-04 15:05:05 -0400[diff] [blame]71
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]72static int ssl_set_cert(CERT *c, X509 *x509);
73static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]74
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]75static int is_key_type_supported(int key_type) {
76 return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC;
77}
78
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]79int SSL_use_certificate(SSL *ssl, X509 *x) {
80 if (x == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]81 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]82 return 0;
83 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]84 return ssl_set_cert(ssl->cert, x);
85}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]86
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]87int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {
88 if (der_len > LONG_MAX) {
89 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]90 return 0;
91 }
92
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]93 const uint8_t *p = der;
94 X509 *x509 = d2i_X509(NULL, &p, (long)der_len);
95 if (x509 == NULL || p != der + der_len) {
96 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
97 X509_free(x509);
98 return 0;
99 }
100
101 int ret = SSL_use_certificate(ssl, x509);
102 X509_free(x509);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]103 return ret;
104}
105
106int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) {
107 EVP_PKEY *pkey;
108 int ret;
109
110 if (rsa == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]111 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]112 return 0;
113 }
114
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]115 pkey = EVP_PKEY_new();
116 if (pkey == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]117 OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]118 return 0;
119 }
120
121 RSA_up_ref(rsa);
122 EVP_PKEY_assign_RSA(pkey, rsa);
123
124 ret = ssl_set_pkey(ssl->cert, pkey);
125 EVP_PKEY_free(pkey);
126
127 return ret;
128}
129
130static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) {
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]131 if (!is_key_type_supported(pkey->type)) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]132 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]133 return 0;
134 }
135
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]136 if (c->x509 != NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]137 /* Sanity-check that the private key and the certificate match, unless the
138 * key is opaque (in case of, say, a smartcard). */
139 if (!EVP_PKEY_is_opaque(pkey) &&
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]140 !X509_check_private_key(c->x509, pkey)) {
141 X509_free(c->x509);
142 c->x509 = NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]143 return 0;
144 }
145 }
146
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]147 EVP_PKEY_free(c->privatekey);
Adam Langley310d3f62016-07-12 10:39:20 -0700[diff] [blame]148 EVP_PKEY_up_ref(pkey);
149 c->privatekey = pkey;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]150
151 return 1;
152}
153
David Benjamin74f71102015-06-27 14:56:25 -0400[diff] [blame]154int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {
155 RSA *rsa = RSA_private_key_from_bytes(der, der_len);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]156 if (rsa == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]157 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]158 return 0;
159 }
160
David Benjamin74f71102015-06-27 14:56:25 -0400[diff] [blame]161 int ret = SSL_use_RSAPrivateKey(ssl, rsa);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]162 RSA_free(rsa);
163 return ret;
164}
165
166int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) {
167 int ret;
168
169 if (pkey == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]170 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]171 return 0;
172 }
173
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]174 ret = ssl_set_pkey(ssl->cert, pkey);
175 return ret;
176}
177
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]178int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der,
179 size_t der_len) {
180 if (der_len > LONG_MAX) {
181 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]182 return 0;
183 }
184
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]185 const uint8_t *p = der;
186 EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len);
187 if (pkey == NULL || p != der + der_len) {
188 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
189 EVP_PKEY_free(pkey);
190 return 0;
191 }
192
193 int ret = SSL_use_PrivateKey(ssl, pkey);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]194 EVP_PKEY_free(pkey);
195 return ret;
196}
197
198int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) {
199 if (x == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]200 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]201 return 0;
202 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]203
204 return ssl_set_cert(ctx->cert, x);
205}
206
207static int ssl_set_cert(CERT *c, X509 *x) {
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]208 EVP_PKEY *pkey = X509_get_pubkey(x);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]209 if (pkey == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]210 OPENSSL_PUT_ERROR(SSL, SSL_R_X509_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]211 return 0;
212 }
213
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]214 if (!is_key_type_supported(pkey->type)) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]215 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]216 EVP_PKEY_free(pkey);
217 return 0;
218 }
219
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]220 if (c->privatekey != NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]221 /* Sanity-check that the private key and the certificate match, unless the
222 * key is opaque (in case of, say, a smartcard). */
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]223 if (!EVP_PKEY_is_opaque(c->privatekey) &&
224 !X509_check_private_key(x, c->privatekey)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]225 /* don't fail for a cert/key mismatch, just free current private key
226 * (when switching to a different cert & key, first this function should
227 * be used, then ssl_set_pkey */
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]228 EVP_PKEY_free(c->privatekey);
229 c->privatekey = NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]230 /* clear error queue */
231 ERR_clear_error();
232 }
233 }
234
235 EVP_PKEY_free(pkey);
236
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]237 X509_free(c->x509);
238 c->x509 = X509_up_ref(x);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]239
240 return 1;
241}
242
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]243int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,
244 const uint8_t *der) {
245 if (der_len > LONG_MAX) {
246 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]247 return 0;
248 }
249
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]250 const uint8_t *p = der;
251 X509 *x509 = d2i_X509(NULL, &p, (long)der_len);
252 if (x509 == NULL || p != der + der_len) {
253 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
254 X509_free(x509);
255 return 0;
256 }
257
258 int ret = SSL_CTX_use_certificate(ctx, x509);
259 X509_free(x509);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]260 return ret;
261}
262
263int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) {
264 int ret;
265 EVP_PKEY *pkey;
266
267 if (rsa == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]268 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]269 return 0;
270 }
271
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]272 pkey = EVP_PKEY_new();
273 if (pkey == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]274 OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]275 return 0;
276 }
277
278 RSA_up_ref(rsa);
279 EVP_PKEY_assign_RSA(pkey, rsa);
280
281 ret = ssl_set_pkey(ctx->cert, pkey);
282 EVP_PKEY_free(pkey);
283 return ret;
284}
285
David Benjamin74f71102015-06-27 14:56:25 -0400[diff] [blame]286int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der,
287 size_t der_len) {
288 RSA *rsa = RSA_private_key_from_bytes(der, der_len);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]289 if (rsa == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]290 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]291 return 0;
292 }
293
David Benjamin74f71102015-06-27 14:56:25 -0400[diff] [blame]294 int ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]295 RSA_free(rsa);
296 return ret;
297}
298
299int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) {
300 if (pkey == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]301 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]302 return 0;
303 }
304
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]305 return ssl_set_pkey(ctx->cert, pkey);
306}
307
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]308int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der,
309 size_t der_len) {
310 if (der_len > LONG_MAX) {
311 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]312 return 0;
313 }
314
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]315 const uint8_t *p = der;
316 EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len);
317 if (pkey == NULL || p != der + der_len) {
318 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
319 EVP_PKEY_free(pkey);
320 return 0;
321 }
322
323 int ret = SSL_CTX_use_PrivateKey(ctx, pkey);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]324 EVP_PKEY_free(pkey);
325 return ret;
326}
327
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]328void SSL_set_private_key_method(SSL *ssl,
329 const SSL_PRIVATE_KEY_METHOD *key_method) {
330 ssl->cert->key_method = key_method;
331}
332
Tom Thorogood66b2fe82016-03-06 20:08:38 +1030[diff] [blame]333void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
334 const SSL_PRIVATE_KEY_METHOD *key_method) {
335 ctx->cert->key_method = key_method;
336}
337
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]338OPENSSL_COMPILE_ASSERT(sizeof(int) >= 2 * sizeof(uint16_t),
339 digest_list_conversion_cannot_overflow);
340
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]341int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids,
342 size_t num_digests) {
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]343 OPENSSL_free(ssl->cert->sigalgs);
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]344
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]345 ssl->cert->sigalgs_len = 0;
346 ssl->cert->sigalgs = OPENSSL_malloc(sizeof(uint16_t) * 2 * num_digests);
347 if (ssl->cert->sigalgs == NULL) {
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]348 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
349 return 0;
350 }
351
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]352 /* Convert the digest list to a signature algorithms list.
353 *
354 * TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */
355 for (size_t i = 0; i < num_digests; i++) {
356 switch (digest_nids[i]) {
357 case NID_sha1:
358 ssl->cert->sigalgs[ssl->cert->sigalgs_len] = SSL_SIGN_RSA_PKCS1_SHA1;
359 ssl->cert->sigalgs[ssl->cert->sigalgs_len + 1] = SSL_SIGN_ECDSA_SHA1;
360 ssl->cert->sigalgs_len += 2;
361 break;
362 case NID_sha256:
363 ssl->cert->sigalgs[ssl->cert->sigalgs_len] = SSL_SIGN_RSA_PKCS1_SHA256;
364 ssl->cert->sigalgs[ssl->cert->sigalgs_len + 1] =
365 SSL_SIGN_ECDSA_SECP256R1_SHA256;
366 ssl->cert->sigalgs_len += 2;
367 break;
368 case NID_sha384:
369 ssl->cert->sigalgs[ssl->cert->sigalgs_len] = SSL_SIGN_RSA_PKCS1_SHA384;
370 ssl->cert->sigalgs[ssl->cert->sigalgs_len + 1] =
371 SSL_SIGN_ECDSA_SECP384R1_SHA384;
372 ssl->cert->sigalgs_len += 2;
373 break;
374 case NID_sha512:
375 ssl->cert->sigalgs[ssl->cert->sigalgs_len] = SSL_SIGN_RSA_PKCS1_SHA512;
376 ssl->cert->sigalgs[ssl->cert->sigalgs_len + 1] =
377 SSL_SIGN_ECDSA_SECP521R1_SHA512;
378 ssl->cert->sigalgs_len += 2;
379 break;
380 }
381 }
382
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]383 return 1;
384}
385
David Benjamin32a66d52016-07-13 22:03:11 -0400[diff] [blame]386int ssl_has_private_key(const SSL *ssl) {
nagendra modadugu601448a2015-07-24 09:31:31 -0700[diff] [blame]387 return ssl->cert->privatekey != NULL || ssl->cert->key_method != NULL;
388}
389
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]390int ssl_private_key_type(SSL *ssl) {
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]391 if (ssl->cert->key_method != NULL) {
392 return ssl->cert->key_method->type(ssl);
393 }
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]394 return EVP_PKEY_id(ssl->cert->privatekey);
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]395}
396
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]397size_t ssl_private_key_max_signature_len(SSL *ssl) {
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]398 if (ssl->cert->key_method != NULL) {
399 return ssl->cert->key_method->max_signature_len(ssl);
400 }
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]401 return EVP_PKEY_size(ssl->cert->privatekey);
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]402}
403
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]404/* TODO(davidben): Forbid RSA-PKCS1 in TLS 1.3. For now we allow it because NSS
405 * has yet to start doing RSA-PSS, so enforcing it would complicate interop
406 * testing. */
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]407static int is_rsa_pkcs1(const EVP_MD **out_md, uint16_t sigalg) {
408 switch (sigalg) {
409 case SSL_SIGN_RSA_PKCS1_MD5_SHA1:
410 *out_md = EVP_md5_sha1();
411 return 1;
412 case SSL_SIGN_RSA_PKCS1_SHA1:
413 *out_md = EVP_sha1();
414 return 1;
415 case SSL_SIGN_RSA_PKCS1_SHA256:
416 *out_md = EVP_sha256();
417 return 1;
418 case SSL_SIGN_RSA_PKCS1_SHA384:
419 *out_md = EVP_sha384();
420 return 1;
421 case SSL_SIGN_RSA_PKCS1_SHA512:
422 *out_md = EVP_sha512();
423 return 1;
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]424 default:
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]425 return 0;
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]426 }
427}
428
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]429static int ssl_sign_rsa_pkcs1(SSL *ssl, uint8_t *out, size_t *out_len,
430 size_t max_out, const EVP_MD *md,
431 const uint8_t *in, size_t in_len) {
432 EVP_MD_CTX ctx;
433 EVP_MD_CTX_init(&ctx);
434 *out_len = max_out;
435 int ret = EVP_DigestSignInit(&ctx, NULL, md, NULL, ssl->cert->privatekey) &&
436 EVP_DigestSignUpdate(&ctx, in, in_len) &&
437 EVP_DigestSignFinal(&ctx, out, out_len);
438 EVP_MD_CTX_cleanup(&ctx);
439 return ret;
440}
441
442static int ssl_verify_rsa_pkcs1(SSL *ssl, const uint8_t *signature,
443 size_t signature_len, const EVP_MD *md,
444 EVP_PKEY *pkey, const uint8_t *in,
445 size_t in_len) {
David Benjamin887c3002016-07-08 16:15:32 -0700[diff] [blame]446 if (pkey->type != EVP_PKEY_RSA) {
447 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
448 return 0;
449 }
450
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]451 EVP_MD_CTX md_ctx;
452 EVP_MD_CTX_init(&md_ctx);
453 int ret = EVP_DigestVerifyInit(&md_ctx, NULL, md, NULL, pkey) &&
454 EVP_DigestVerifyUpdate(&md_ctx, in, in_len) &&
455 EVP_DigestVerifyFinal(&md_ctx, signature, signature_len);
456 EVP_MD_CTX_cleanup(&md_ctx);
457 return ret;
458}
459
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]460static int is_ecdsa(int *out_curve, const EVP_MD **out_md, uint16_t sigalg) {
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]461 switch (sigalg) {
462 case SSL_SIGN_ECDSA_SHA1:
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]463 *out_curve = NID_undef;
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]464 *out_md = EVP_sha1();
465 return 1;
466 case SSL_SIGN_ECDSA_SECP256R1_SHA256:
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]467 *out_curve = NID_X9_62_prime256v1;
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]468 *out_md = EVP_sha256();
469 return 1;
470 case SSL_SIGN_ECDSA_SECP384R1_SHA384:
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]471 *out_curve = NID_secp384r1;
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]472 *out_md = EVP_sha384();
473 return 1;
474 case SSL_SIGN_ECDSA_SECP521R1_SHA512:
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]475 *out_curve = NID_secp521r1;
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]476 *out_md = EVP_sha512();
477 return 1;
478 default:
479 return 0;
480 }
481}
482
483static int ssl_sign_ecdsa(SSL *ssl, uint8_t *out, size_t *out_len,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]484 size_t max_out, int curve, const EVP_MD *md,
485 const uint8_t *in, size_t in_len) {
486 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->cert->privatekey);
487 if (ec_key == NULL) {
488 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
489 return 0;
490 }
491
492 /* In TLS 1.3, the curve is also specified by the signature algorithm. */
493 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
494 (curve == NID_undef ||
495 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) != curve)) {
496 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
497 return 0;
498 }
499
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]500 EVP_MD_CTX ctx;
501 EVP_MD_CTX_init(&ctx);
502 *out_len = max_out;
503 int ret = EVP_DigestSignInit(&ctx, NULL, md, NULL, ssl->cert->privatekey) &&
504 EVP_DigestSignUpdate(&ctx, in, in_len) &&
505 EVP_DigestSignFinal(&ctx, out, out_len);
506 EVP_MD_CTX_cleanup(&ctx);
507 return ret;
508}
509
510static int ssl_verify_ecdsa(SSL *ssl, const uint8_t *signature,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]511 size_t signature_len, int curve, const EVP_MD *md,
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]512 EVP_PKEY *pkey, const uint8_t *in, size_t in_len) {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]513 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
514 if (ec_key == NULL) {
515 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
516 return 0;
517 }
518
519 /* In TLS 1.3, the curve is also specified by the signature algorithm. */
520 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
521 (curve == NID_undef ||
522 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) != curve)) {
David Benjamin887c3002016-07-08 16:15:32 -0700[diff] [blame]523 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
524 return 0;
525 }
526
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]527 EVP_MD_CTX md_ctx;
528 EVP_MD_CTX_init(&md_ctx);
529 int ret = EVP_DigestVerifyInit(&md_ctx, NULL, md, NULL, pkey) &&
530 EVP_DigestVerifyUpdate(&md_ctx, in, in_len) &&
531 EVP_DigestVerifyFinal(&md_ctx, signature, signature_len);
532 EVP_MD_CTX_cleanup(&md_ctx);
533 return ret;
534}
535
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]536static int is_rsa_pss(const EVP_MD **out_md, uint16_t sigalg) {
537 switch (sigalg) {
538 case SSL_SIGN_RSA_PSS_SHA256:
539 *out_md = EVP_sha256();
540 return 1;
541 case SSL_SIGN_RSA_PSS_SHA384:
542 *out_md = EVP_sha384();
543 return 1;
544 case SSL_SIGN_RSA_PSS_SHA512:
545 *out_md = EVP_sha512();
546 return 1;
547 default:
548 return 0;
549 }
550}
551
552static int ssl_sign_rsa_pss(SSL *ssl, uint8_t *out, size_t *out_len,
553 size_t max_out, const EVP_MD *md,
554 const uint8_t *in, size_t in_len) {
555 EVP_MD_CTX ctx;
556 EVP_MD_CTX_init(&ctx);
557 *out_len = max_out;
558 EVP_PKEY_CTX *pctx;
559 int ret =
560 EVP_DigestSignInit(&ctx, &pctx, md, NULL, ssl->cert->privatekey) &&
561 EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) &&
562 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */) &&
563 EVP_DigestSignUpdate(&ctx, in, in_len) &&
564 EVP_DigestSignFinal(&ctx, out, out_len);
565 EVP_MD_CTX_cleanup(&ctx);
566 return ret;
567}
568
569static int ssl_verify_rsa_pss(SSL *ssl, const uint8_t *signature,
570 size_t signature_len, const EVP_MD *md,
571 EVP_PKEY *pkey, const uint8_t *in,
572 size_t in_len) {
573 if (pkey->type != EVP_PKEY_RSA) {
574 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
575 return 0;
576 }
577
578 EVP_MD_CTX md_ctx;
579 EVP_MD_CTX_init(&md_ctx);
580 EVP_PKEY_CTX *pctx;
581 int ret =
582 EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey) &&
583 EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) &&
584 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */) &&
585 EVP_DigestVerifyUpdate(&md_ctx, in, in_len) &&
586 EVP_DigestVerifyFinal(&md_ctx, signature, signature_len);
587 EVP_MD_CTX_cleanup(&md_ctx);
588 return ret;
589}
590
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]591enum ssl_private_key_result_t ssl_private_key_sign(
Steven Valdezf0451ca2016-06-29 13:16:27 -0400[diff] [blame]592 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
593 uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]594 if (ssl->cert->key_method != NULL) {
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]595 /* For now, custom private keys can only handle pre-TLS-1.3 signature
596 * algorithms.
597 *
598 * TODO(davidben): Switch SSL_PRIVATE_KEY_METHOD to message-based APIs. */
599 const EVP_MD *md;
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]600 int curve;
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]601 if (!is_rsa_pkcs1(&md, signature_algorithm) &&
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]602 !is_ecdsa(&curve, &md, signature_algorithm)) {
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]603 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
604 return ssl_private_key_failure;
605 }
606
607 uint8_t hash[EVP_MAX_MD_SIZE];
608 unsigned hash_len;
609 if (!EVP_Digest(in, in_len, hash, &hash_len, md, NULL)) {
610 return ssl_private_key_failure;
611 }
612
Steven Valdez2b8415e2016-06-30 13:27:23 -0400[diff] [blame]613 return ssl->cert->key_method->sign(ssl, out, out_len, max_out, md, hash,
614 hash_len);
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]615 }
616
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]617 const EVP_MD *md;
618 if (is_rsa_pkcs1(&md, signature_algorithm)) {
619 return ssl_sign_rsa_pkcs1(ssl, out, out_len, max_out, md, in, in_len)
620 ? ssl_private_key_success
621 : ssl_private_key_failure;
622 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]623
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]624 int curve;
625 if (is_ecdsa(&curve, &md, signature_algorithm)) {
626 return ssl_sign_ecdsa(ssl, out, out_len, max_out, curve, md, in, in_len)
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]627 ? ssl_private_key_success
628 : ssl_private_key_failure;
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]629 }
630
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]631 if (is_rsa_pss(&md, signature_algorithm) &&
632 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
633 return ssl_sign_rsa_pss(ssl, out, out_len, max_out, md, in, in_len)
634 ? ssl_private_key_success
635 : ssl_private_key_failure;
636 }
637
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]638 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
639 return ssl_private_key_failure;
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]640}
641
642enum ssl_private_key_result_t ssl_private_key_sign_complete(
643 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out) {
644 /* Only custom keys may be asynchronous. */
645 return ssl->cert->key_method->sign_complete(ssl, out, out_len, max_out);
646}
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]647
Steven Valdez2b8415e2016-06-30 13:27:23 -0400[diff] [blame]648int ssl_public_key_verify(SSL *ssl, const uint8_t *signature,
649 size_t signature_len, uint16_t signature_algorithm,
650 EVP_PKEY *pkey, const uint8_t *in, size_t in_len) {
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]651 const EVP_MD *md;
652 if (is_rsa_pkcs1(&md, signature_algorithm)) {
653 return ssl_verify_rsa_pkcs1(ssl, signature, signature_len, md, pkey, in,
654 in_len);
655 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]656
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]657 int curve;
658 if (is_ecdsa(&curve, &md, signature_algorithm)) {
659 return ssl_verify_ecdsa(ssl, signature, signature_len, curve, md, pkey, in,
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]660 in_len);
Steven Valdez2b8415e2016-06-30 13:27:23 -0400[diff] [blame]661 }
662
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]663 if (is_rsa_pss(&md, signature_algorithm) &&
664 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
665 return ssl_verify_rsa_pss(ssl, signature, signature_len, md, pkey, in,
666 in_len);
667 }
668
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]669 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
670 return 0;
Steven Valdez2b8415e2016-06-30 13:27:23 -0400[diff] [blame]671}
672
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]673enum ssl_private_key_result_t ssl_private_key_decrypt(
674 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
675 const uint8_t *in, size_t in_len) {
676 if (ssl->cert->key_method != NULL) {
677 return ssl->cert->key_method->decrypt(ssl, out, out_len, max_out, in,
678 in_len);
679 }
680
David Benjamin758d1272015-11-20 17:47:25 -0500[diff] [blame]681 RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey);
682 if (rsa == NULL) {
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]683 /* Decrypt operations are only supported for RSA keys. */
684 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
685 return ssl_private_key_failure;
686 }
687
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]688 /* Decrypt with no padding. PKCS#1 padding will be removed as part
689 * of the timing-sensitive code by the caller. */
David Benjamin758d1272015-11-20 17:47:25 -0500[diff] [blame]690 if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) {
691 return ssl_private_key_failure;
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]692 }
David Benjamin758d1272015-11-20 17:47:25 -0500[diff] [blame]693 return ssl_private_key_success;
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]694}
695
696enum ssl_private_key_result_t ssl_private_key_decrypt_complete(
697 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out) {
698 /* Only custom keys may be asynchronous. */
699 return ssl->cert->key_method->decrypt_complete(ssl, out, out_len, max_out);
700}
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]701
702int ssl_private_key_supports_signature_algorithm(SSL *ssl,
703 uint16_t signature_algorithm) {
704 const EVP_MD *md;
705 if (is_rsa_pkcs1(&md, signature_algorithm)) {
706 return ssl_private_key_type(ssl) == EVP_PKEY_RSA;
707 }
708
709 int curve;
710 if (is_ecdsa(&curve, &md, signature_algorithm)) {
711 if (ssl_private_key_type(ssl) != EVP_PKEY_EC) {
712 return 0;
713 }
714
715 /* For non-custom keys, also check the curve matches. Custom private keys
716 * must instead configure the signature algorithms accordingly. */
717 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
718 ssl->cert->key_method == NULL) {
719 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->cert->privatekey);
720 if (curve == NID_undef ||
721 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) != curve) {
722 return 0;
723 }
724 }
725 return 1;
726 }
727
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]728 if (is_rsa_pss(&md, signature_algorithm)) {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]729 if (ssl3_protocol_version(ssl) < TLS1_3_VERSION ||
730 ssl_private_key_type(ssl) != EVP_PKEY_RSA) {
731 return 0;
732 }
733
734 /* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
735 * emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
736 * hash in TLS. Reasonable RSA key sizes are large enough for the largest
737 * defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too large for
738 * SHA-512. 1024-bit RSA is sometimes used for test credentials, so check
739 * the size to fall back to another algorithm. */
740 if (ssl_private_key_max_signature_len(ssl) < 2 * EVP_MD_size(md) + 2) {
741 return 0;
742 }
743
744 return 1;
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]745 }
746
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]747 return 0;
748}