Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / ca3d545d7f34d67c8fb05265a0f1cf7f88076776 / . / ssl / ssl_rsa.c
blob: fec5d46718cb3848f9406aeefe3d38cb1f1e5278 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
David Benjamin443a1f62015-09-04 15:05:05 -0400[diff] [blame]57#include <openssl/ssl.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]58
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]59#include <limits.h>
60
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]61#include <openssl/ec.h>
62#include <openssl/ec_key.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]63#include <openssl/err.h>
64#include <openssl/evp.h>
65#include <openssl/mem.h>
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]66#include <openssl/type_check.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]67#include <openssl/x509.h>
68
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]69#include "internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]70
David Benjamin443a1f62015-09-04 15:05:05 -0400[diff] [blame]71
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]72static int ssl_set_cert(CERT *c, X509 *x509);
73static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]74
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]75static int is_key_type_supported(int key_type) {
76 return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC;
77}
78
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]79int SSL_use_certificate(SSL *ssl, X509 *x) {
80 if (x == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]81 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]82 return 0;
83 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]84 return ssl_set_cert(ssl->cert, x);
85}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]86
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]87int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {
88 if (der_len > LONG_MAX) {
89 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]90 return 0;
91 }
92
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]93 const uint8_t *p = der;
94 X509 *x509 = d2i_X509(NULL, &p, (long)der_len);
95 if (x509 == NULL || p != der + der_len) {
96 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
97 X509_free(x509);
98 return 0;
99 }
100
101 int ret = SSL_use_certificate(ssl, x509);
102 X509_free(x509);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]103 return ret;
104}
105
106int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) {
107 EVP_PKEY *pkey;
108 int ret;
109
110 if (rsa == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]111 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]112 return 0;
113 }
114
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]115 pkey = EVP_PKEY_new();
116 if (pkey == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]117 OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]118 return 0;
119 }
120
121 RSA_up_ref(rsa);
122 EVP_PKEY_assign_RSA(pkey, rsa);
123
124 ret = ssl_set_pkey(ssl->cert, pkey);
125 EVP_PKEY_free(pkey);
126
127 return ret;
128}
129
130static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) {
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]131 if (!is_key_type_supported(pkey->type)) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]132 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]133 return 0;
134 }
135
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]136 if (c->x509 != NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]137 /* Sanity-check that the private key and the certificate match, unless the
138 * key is opaque (in case of, say, a smartcard). */
139 if (!EVP_PKEY_is_opaque(pkey) &&
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]140 !X509_check_private_key(c->x509, pkey)) {
141 X509_free(c->x509);
142 c->x509 = NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]143 return 0;
144 }
145 }
146
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]147 EVP_PKEY_free(c->privatekey);
Adam Langley310d3f62016-07-12 10:39:20 -0700[diff] [blame]148 EVP_PKEY_up_ref(pkey);
149 c->privatekey = pkey;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]150
151 return 1;
152}
153
David Benjamin74f71102015-06-27 14:56:25 -0400[diff] [blame]154int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {
155 RSA *rsa = RSA_private_key_from_bytes(der, der_len);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]156 if (rsa == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]157 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]158 return 0;
159 }
160
David Benjamin74f71102015-06-27 14:56:25 -0400[diff] [blame]161 int ret = SSL_use_RSAPrivateKey(ssl, rsa);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]162 RSA_free(rsa);
163 return ret;
164}
165
166int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) {
167 int ret;
168
169 if (pkey == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]170 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]171 return 0;
172 }
173
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]174 ret = ssl_set_pkey(ssl->cert, pkey);
175 return ret;
176}
177
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]178int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der,
179 size_t der_len) {
180 if (der_len > LONG_MAX) {
181 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]182 return 0;
183 }
184
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]185 const uint8_t *p = der;
186 EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len);
187 if (pkey == NULL || p != der + der_len) {
188 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
189 EVP_PKEY_free(pkey);
190 return 0;
191 }
192
193 int ret = SSL_use_PrivateKey(ssl, pkey);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]194 EVP_PKEY_free(pkey);
195 return ret;
196}
197
198int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) {
199 if (x == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]200 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]201 return 0;
202 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]203
204 return ssl_set_cert(ctx->cert, x);
205}
206
207static int ssl_set_cert(CERT *c, X509 *x) {
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]208 EVP_PKEY *pkey = X509_get_pubkey(x);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]209 if (pkey == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]210 OPENSSL_PUT_ERROR(SSL, SSL_R_X509_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]211 return 0;
212 }
213
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]214 if (!is_key_type_supported(pkey->type)) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]215 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]216 EVP_PKEY_free(pkey);
217 return 0;
218 }
219
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]220 if (c->privatekey != NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]221 /* Sanity-check that the private key and the certificate match, unless the
222 * key is opaque (in case of, say, a smartcard). */
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]223 if (!EVP_PKEY_is_opaque(c->privatekey) &&
224 !X509_check_private_key(x, c->privatekey)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]225 /* don't fail for a cert/key mismatch, just free current private key
226 * (when switching to a different cert & key, first this function should
227 * be used, then ssl_set_pkey */
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]228 EVP_PKEY_free(c->privatekey);
229 c->privatekey = NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]230 /* clear error queue */
231 ERR_clear_error();
232 }
233 }
234
235 EVP_PKEY_free(pkey);
236
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]237 X509_free(c->x509);
238 c->x509 = X509_up_ref(x);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]239
240 return 1;
241}
242
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]243int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,
244 const uint8_t *der) {
245 if (der_len > LONG_MAX) {
246 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]247 return 0;
248 }
249
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]250 const uint8_t *p = der;
251 X509 *x509 = d2i_X509(NULL, &p, (long)der_len);
252 if (x509 == NULL || p != der + der_len) {
253 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
254 X509_free(x509);
255 return 0;
256 }
257
258 int ret = SSL_CTX_use_certificate(ctx, x509);
259 X509_free(x509);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]260 return ret;
261}
262
263int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) {
264 int ret;
265 EVP_PKEY *pkey;
266
267 if (rsa == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]268 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]269 return 0;
270 }
271
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]272 pkey = EVP_PKEY_new();
273 if (pkey == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]274 OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]275 return 0;
276 }
277
278 RSA_up_ref(rsa);
279 EVP_PKEY_assign_RSA(pkey, rsa);
280
281 ret = ssl_set_pkey(ctx->cert, pkey);
282 EVP_PKEY_free(pkey);
283 return ret;
284}
285
David Benjamin74f71102015-06-27 14:56:25 -0400[diff] [blame]286int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der,
287 size_t der_len) {
288 RSA *rsa = RSA_private_key_from_bytes(der, der_len);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]289 if (rsa == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]290 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]291 return 0;
292 }
293
David Benjamin74f71102015-06-27 14:56:25 -0400[diff] [blame]294 int ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]295 RSA_free(rsa);
296 return ret;
297}
298
299int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) {
300 if (pkey == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]301 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]302 return 0;
303 }
304
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]305 return ssl_set_pkey(ctx->cert, pkey);
306}
307
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]308int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der,
309 size_t der_len) {
310 if (der_len > LONG_MAX) {
311 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]312 return 0;
313 }
314
David Benjamin3a596112015-11-12 09:25:30 -0800[diff] [blame]315 const uint8_t *p = der;
316 EVP_PKEY *pkey = d2i_PrivateKey(type, NULL, &p, (long)der_len);
317 if (pkey == NULL || p != der + der_len) {
318 OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
319 EVP_PKEY_free(pkey);
320 return 0;
321 }
322
323 int ret = SSL_CTX_use_PrivateKey(ctx, pkey);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]324 EVP_PKEY_free(pkey);
325 return ret;
326}
327
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]328void SSL_set_private_key_method(SSL *ssl,
329 const SSL_PRIVATE_KEY_METHOD *key_method) {
330 ssl->cert->key_method = key_method;
331}
332
Tom Thorogood66b2fe82016-03-06 20:08:38 +1030[diff] [blame]333void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
334 const SSL_PRIVATE_KEY_METHOD *key_method) {
335 ctx->cert->key_method = key_method;
336}
337
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame^]338int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
339 size_t prefs_len) {
340 ssl->cert->sigalgs_len = 0;
341 ssl->cert->sigalgs = BUF_memdup(prefs, prefs_len * sizeof(prefs[0]));
342 if (ssl->cert->sigalgs == NULL) {
343 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
344 return 0;
345 }
346 ssl->cert->sigalgs_len = prefs_len;
347
348 return 1;
349}
350
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]351OPENSSL_COMPILE_ASSERT(sizeof(int) >= 2 * sizeof(uint16_t),
352 digest_list_conversion_cannot_overflow);
353
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]354int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids,
355 size_t num_digests) {
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]356 OPENSSL_free(ssl->cert->sigalgs);
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]357
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]358 ssl->cert->sigalgs_len = 0;
359 ssl->cert->sigalgs = OPENSSL_malloc(sizeof(uint16_t) * 2 * num_digests);
360 if (ssl->cert->sigalgs == NULL) {
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]361 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
362 return 0;
363 }
364
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]365 /* Convert the digest list to a signature algorithms list.
366 *
367 * TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */
368 for (size_t i = 0; i < num_digests; i++) {
369 switch (digest_nids[i]) {
370 case NID_sha1:
371 ssl->cert->sigalgs[ssl->cert->sigalgs_len] = SSL_SIGN_RSA_PKCS1_SHA1;
372 ssl->cert->sigalgs[ssl->cert->sigalgs_len + 1] = SSL_SIGN_ECDSA_SHA1;
373 ssl->cert->sigalgs_len += 2;
374 break;
375 case NID_sha256:
376 ssl->cert->sigalgs[ssl->cert->sigalgs_len] = SSL_SIGN_RSA_PKCS1_SHA256;
377 ssl->cert->sigalgs[ssl->cert->sigalgs_len + 1] =
378 SSL_SIGN_ECDSA_SECP256R1_SHA256;
379 ssl->cert->sigalgs_len += 2;
380 break;
381 case NID_sha384:
382 ssl->cert->sigalgs[ssl->cert->sigalgs_len] = SSL_SIGN_RSA_PKCS1_SHA384;
383 ssl->cert->sigalgs[ssl->cert->sigalgs_len + 1] =
384 SSL_SIGN_ECDSA_SECP384R1_SHA384;
385 ssl->cert->sigalgs_len += 2;
386 break;
387 case NID_sha512:
388 ssl->cert->sigalgs[ssl->cert->sigalgs_len] = SSL_SIGN_RSA_PKCS1_SHA512;
389 ssl->cert->sigalgs[ssl->cert->sigalgs_len + 1] =
390 SSL_SIGN_ECDSA_SECP521R1_SHA512;
391 ssl->cert->sigalgs_len += 2;
392 break;
393 }
394 }
395
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]396 return 1;
397}
398
David Benjamin32a66d52016-07-13 22:03:11 -0400[diff] [blame]399int ssl_has_private_key(const SSL *ssl) {
nagendra modadugu601448a2015-07-24 09:31:31 -0700[diff] [blame]400 return ssl->cert->privatekey != NULL || ssl->cert->key_method != NULL;
401}
402
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]403int ssl_private_key_type(SSL *ssl) {
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]404 if (ssl->cert->key_method != NULL) {
405 return ssl->cert->key_method->type(ssl);
406 }
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]407 return EVP_PKEY_id(ssl->cert->privatekey);
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]408}
409
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]410size_t ssl_private_key_max_signature_len(SSL *ssl) {
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]411 if (ssl->cert->key_method != NULL) {
412 return ssl->cert->key_method->max_signature_len(ssl);
413 }
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]414 return EVP_PKEY_size(ssl->cert->privatekey);
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]415}
416
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]417/* TODO(davidben): Forbid RSA-PKCS1 in TLS 1.3. For now we allow it because NSS
418 * has yet to start doing RSA-PSS, so enforcing it would complicate interop
419 * testing. */
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]420static int is_rsa_pkcs1(const EVP_MD **out_md, uint16_t sigalg) {
421 switch (sigalg) {
422 case SSL_SIGN_RSA_PKCS1_MD5_SHA1:
423 *out_md = EVP_md5_sha1();
424 return 1;
425 case SSL_SIGN_RSA_PKCS1_SHA1:
426 *out_md = EVP_sha1();
427 return 1;
428 case SSL_SIGN_RSA_PKCS1_SHA256:
429 *out_md = EVP_sha256();
430 return 1;
431 case SSL_SIGN_RSA_PKCS1_SHA384:
432 *out_md = EVP_sha384();
433 return 1;
434 case SSL_SIGN_RSA_PKCS1_SHA512:
435 *out_md = EVP_sha512();
436 return 1;
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]437 default:
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]438 return 0;
David Benjamind246b812016-07-08 15:07:02 -0700[diff] [blame]439 }
440}
441
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]442static int ssl_sign_rsa_pkcs1(SSL *ssl, uint8_t *out, size_t *out_len,
443 size_t max_out, const EVP_MD *md,
444 const uint8_t *in, size_t in_len) {
445 EVP_MD_CTX ctx;
446 EVP_MD_CTX_init(&ctx);
447 *out_len = max_out;
448 int ret = EVP_DigestSignInit(&ctx, NULL, md, NULL, ssl->cert->privatekey) &&
449 EVP_DigestSignUpdate(&ctx, in, in_len) &&
450 EVP_DigestSignFinal(&ctx, out, out_len);
451 EVP_MD_CTX_cleanup(&ctx);
452 return ret;
453}
454
455static int ssl_verify_rsa_pkcs1(SSL *ssl, const uint8_t *signature,
456 size_t signature_len, const EVP_MD *md,
457 EVP_PKEY *pkey, const uint8_t *in,
458 size_t in_len) {
David Benjamin887c3002016-07-08 16:15:32 -0700[diff] [blame]459 if (pkey->type != EVP_PKEY_RSA) {
460 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
461 return 0;
462 }
463
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]464 EVP_MD_CTX md_ctx;
465 EVP_MD_CTX_init(&md_ctx);
466 int ret = EVP_DigestVerifyInit(&md_ctx, NULL, md, NULL, pkey) &&
467 EVP_DigestVerifyUpdate(&md_ctx, in, in_len) &&
468 EVP_DigestVerifyFinal(&md_ctx, signature, signature_len);
469 EVP_MD_CTX_cleanup(&md_ctx);
470 return ret;
471}
472
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]473static int is_ecdsa(int *out_curve, const EVP_MD **out_md, uint16_t sigalg) {
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]474 switch (sigalg) {
475 case SSL_SIGN_ECDSA_SHA1:
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]476 *out_curve = NID_undef;
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]477 *out_md = EVP_sha1();
478 return 1;
479 case SSL_SIGN_ECDSA_SECP256R1_SHA256:
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]480 *out_curve = NID_X9_62_prime256v1;
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]481 *out_md = EVP_sha256();
482 return 1;
483 case SSL_SIGN_ECDSA_SECP384R1_SHA384:
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]484 *out_curve = NID_secp384r1;
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]485 *out_md = EVP_sha384();
486 return 1;
487 case SSL_SIGN_ECDSA_SECP521R1_SHA512:
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]488 *out_curve = NID_secp521r1;
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]489 *out_md = EVP_sha512();
490 return 1;
491 default:
492 return 0;
493 }
494}
495
496static int ssl_sign_ecdsa(SSL *ssl, uint8_t *out, size_t *out_len,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]497 size_t max_out, int curve, const EVP_MD *md,
498 const uint8_t *in, size_t in_len) {
499 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->cert->privatekey);
500 if (ec_key == NULL) {
501 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
502 return 0;
503 }
504
505 /* In TLS 1.3, the curve is also specified by the signature algorithm. */
506 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
507 (curve == NID_undef ||
508 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) != curve)) {
509 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
510 return 0;
511 }
512
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]513 EVP_MD_CTX ctx;
514 EVP_MD_CTX_init(&ctx);
515 *out_len = max_out;
516 int ret = EVP_DigestSignInit(&ctx, NULL, md, NULL, ssl->cert->privatekey) &&
517 EVP_DigestSignUpdate(&ctx, in, in_len) &&
518 EVP_DigestSignFinal(&ctx, out, out_len);
519 EVP_MD_CTX_cleanup(&ctx);
520 return ret;
521}
522
523static int ssl_verify_ecdsa(SSL *ssl, const uint8_t *signature,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]524 size_t signature_len, int curve, const EVP_MD *md,
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]525 EVP_PKEY *pkey, const uint8_t *in, size_t in_len) {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]526 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
527 if (ec_key == NULL) {
528 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
529 return 0;
530 }
531
532 /* In TLS 1.3, the curve is also specified by the signature algorithm. */
533 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
534 (curve == NID_undef ||
535 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) != curve)) {
David Benjamin887c3002016-07-08 16:15:32 -0700[diff] [blame]536 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
537 return 0;
538 }
539
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]540 EVP_MD_CTX md_ctx;
541 EVP_MD_CTX_init(&md_ctx);
542 int ret = EVP_DigestVerifyInit(&md_ctx, NULL, md, NULL, pkey) &&
543 EVP_DigestVerifyUpdate(&md_ctx, in, in_len) &&
544 EVP_DigestVerifyFinal(&md_ctx, signature, signature_len);
545 EVP_MD_CTX_cleanup(&md_ctx);
546 return ret;
547}
548
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]549static int is_rsa_pss(const EVP_MD **out_md, uint16_t sigalg) {
550 switch (sigalg) {
551 case SSL_SIGN_RSA_PSS_SHA256:
552 *out_md = EVP_sha256();
553 return 1;
554 case SSL_SIGN_RSA_PSS_SHA384:
555 *out_md = EVP_sha384();
556 return 1;
557 case SSL_SIGN_RSA_PSS_SHA512:
558 *out_md = EVP_sha512();
559 return 1;
560 default:
561 return 0;
562 }
563}
564
565static int ssl_sign_rsa_pss(SSL *ssl, uint8_t *out, size_t *out_len,
566 size_t max_out, const EVP_MD *md,
567 const uint8_t *in, size_t in_len) {
568 EVP_MD_CTX ctx;
569 EVP_MD_CTX_init(&ctx);
570 *out_len = max_out;
571 EVP_PKEY_CTX *pctx;
572 int ret =
573 EVP_DigestSignInit(&ctx, &pctx, md, NULL, ssl->cert->privatekey) &&
574 EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) &&
575 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */) &&
576 EVP_DigestSignUpdate(&ctx, in, in_len) &&
577 EVP_DigestSignFinal(&ctx, out, out_len);
578 EVP_MD_CTX_cleanup(&ctx);
579 return ret;
580}
581
582static int ssl_verify_rsa_pss(SSL *ssl, const uint8_t *signature,
583 size_t signature_len, const EVP_MD *md,
584 EVP_PKEY *pkey, const uint8_t *in,
585 size_t in_len) {
586 if (pkey->type != EVP_PKEY_RSA) {
587 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
588 return 0;
589 }
590
591 EVP_MD_CTX md_ctx;
592 EVP_MD_CTX_init(&md_ctx);
593 EVP_PKEY_CTX *pctx;
594 int ret =
595 EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey) &&
596 EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) &&
597 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */) &&
598 EVP_DigestVerifyUpdate(&md_ctx, in, in_len) &&
599 EVP_DigestVerifyFinal(&md_ctx, signature, signature_len);
600 EVP_MD_CTX_cleanup(&md_ctx);
601 return ret;
602}
603
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]604enum ssl_private_key_result_t ssl_private_key_sign(
Steven Valdezf0451ca2016-06-29 13:16:27 -0400[diff] [blame]605 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
606 uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]607 if (ssl->cert->key_method != NULL) {
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]608 /* For now, custom private keys can only handle pre-TLS-1.3 signature
609 * algorithms.
610 *
611 * TODO(davidben): Switch SSL_PRIVATE_KEY_METHOD to message-based APIs. */
612 const EVP_MD *md;
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]613 int curve;
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]614 if (!is_rsa_pkcs1(&md, signature_algorithm) &&
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]615 !is_ecdsa(&curve, &md, signature_algorithm)) {
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]616 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
617 return ssl_private_key_failure;
618 }
619
620 uint8_t hash[EVP_MAX_MD_SIZE];
621 unsigned hash_len;
622 if (!EVP_Digest(in, in_len, hash, &hash_len, md, NULL)) {
623 return ssl_private_key_failure;
624 }
625
Steven Valdez2b8415e2016-06-30 13:27:23 -0400[diff] [blame]626 return ssl->cert->key_method->sign(ssl, out, out_len, max_out, md, hash,
627 hash_len);
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]628 }
629
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]630 const EVP_MD *md;
631 if (is_rsa_pkcs1(&md, signature_algorithm)) {
632 return ssl_sign_rsa_pkcs1(ssl, out, out_len, max_out, md, in, in_len)
633 ? ssl_private_key_success
634 : ssl_private_key_failure;
635 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]636
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]637 int curve;
638 if (is_ecdsa(&curve, &md, signature_algorithm)) {
639 return ssl_sign_ecdsa(ssl, out, out_len, max_out, curve, md, in, in_len)
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]640 ? ssl_private_key_success
641 : ssl_private_key_failure;
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]642 }
643
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]644 if (is_rsa_pss(&md, signature_algorithm) &&
645 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
646 return ssl_sign_rsa_pss(ssl, out, out_len, max_out, md, in, in_len)
647 ? ssl_private_key_success
648 : ssl_private_key_failure;
649 }
650
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]651 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
652 return ssl_private_key_failure;
David Benjaminb4d65fd2015-05-29 17:11:21 -0400[diff] [blame]653}
654
655enum ssl_private_key_result_t ssl_private_key_sign_complete(
656 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out) {
657 /* Only custom keys may be asynchronous. */
658 return ssl->cert->key_method->sign_complete(ssl, out, out_len, max_out);
659}
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]660
Steven Valdez2b8415e2016-06-30 13:27:23 -0400[diff] [blame]661int ssl_public_key_verify(SSL *ssl, const uint8_t *signature,
662 size_t signature_len, uint16_t signature_algorithm,
663 EVP_PKEY *pkey, const uint8_t *in, size_t in_len) {
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]664 const EVP_MD *md;
665 if (is_rsa_pkcs1(&md, signature_algorithm)) {
666 return ssl_verify_rsa_pkcs1(ssl, signature, signature_len, md, pkey, in,
667 in_len);
668 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]669
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]670 int curve;
671 if (is_ecdsa(&curve, &md, signature_algorithm)) {
672 return ssl_verify_ecdsa(ssl, signature, signature_len, curve, md, pkey, in,
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]673 in_len);
Steven Valdez2b8415e2016-06-30 13:27:23 -0400[diff] [blame]674 }
675
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]676 if (is_rsa_pss(&md, signature_algorithm) &&
677 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
678 return ssl_verify_rsa_pss(ssl, signature, signature_len, md, pkey, in,
679 in_len);
680 }
681
David Benjamina2d81f12016-07-08 15:42:16 -0700[diff] [blame]682 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
683 return 0;
Steven Valdez2b8415e2016-06-30 13:27:23 -0400[diff] [blame]684}
685
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]686enum ssl_private_key_result_t ssl_private_key_decrypt(
687 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
688 const uint8_t *in, size_t in_len) {
689 if (ssl->cert->key_method != NULL) {
690 return ssl->cert->key_method->decrypt(ssl, out, out_len, max_out, in,
691 in_len);
692 }
693
David Benjamin758d1272015-11-20 17:47:25 -0500[diff] [blame]694 RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey);
695 if (rsa == NULL) {
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]696 /* Decrypt operations are only supported for RSA keys. */
697 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
698 return ssl_private_key_failure;
699 }
700
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]701 /* Decrypt with no padding. PKCS#1 padding will be removed as part
702 * of the timing-sensitive code by the caller. */
David Benjamin758d1272015-11-20 17:47:25 -0500[diff] [blame]703 if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) {
704 return ssl_private_key_failure;
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]705 }
David Benjamin758d1272015-11-20 17:47:25 -0500[diff] [blame]706 return ssl_private_key_success;
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]707}
708
709enum ssl_private_key_result_t ssl_private_key_decrypt_complete(
710 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out) {
711 /* Only custom keys may be asynchronous. */
712 return ssl->cert->key_method->decrypt_complete(ssl, out, out_len, max_out);
713}
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]714
715int ssl_private_key_supports_signature_algorithm(SSL *ssl,
716 uint16_t signature_algorithm) {
717 const EVP_MD *md;
718 if (is_rsa_pkcs1(&md, signature_algorithm)) {
719 return ssl_private_key_type(ssl) == EVP_PKEY_RSA;
720 }
721
722 int curve;
723 if (is_ecdsa(&curve, &md, signature_algorithm)) {
724 if (ssl_private_key_type(ssl) != EVP_PKEY_EC) {
725 return 0;
726 }
727
728 /* For non-custom keys, also check the curve matches. Custom private keys
729 * must instead configure the signature algorithms accordingly. */
730 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
731 ssl->cert->key_method == NULL) {
732 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->cert->privatekey);
733 if (curve == NID_undef ||
734 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) != curve) {
735 return 0;
736 }
737 }
738 return 1;
739 }
740
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]741 if (is_rsa_pss(&md, signature_algorithm)) {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]742 if (ssl3_protocol_version(ssl) < TLS1_3_VERSION ||
743 ssl_private_key_type(ssl) != EVP_PKEY_RSA) {
744 return 0;
745 }
746
747 /* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
748 * emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
749 * hash in TLS. Reasonable RSA key sizes are large enough for the largest
750 * defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too large for
751 * SHA-512. 1024-bit RSA is sometimes used for test credentials, so check
752 * the size to fall back to another algorithm. */
753 if (ssl_private_key_max_signature_len(ssl) < 2 * EVP_MD_size(md) + 2) {
754 return 0;
755 }
756
757 return 1;
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]758 }
759
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]760 return 0;
761}