"Fossies" - the Fresh Open Source Software Archive

Member "openssl-1.1.1g/ssl/t1_lib.c" (21 Apr 2020, 93483 Bytes) of package /linux/misc/openssl-1.1.1g.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "t1_lib.c" see the Fossies "Dox" file reference documentation and the last Fossies "Diffs" side-by-side code changes report: 1.1.1f_vs_1.1.1g.

    1 /*
    2  * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
    3  *
    4  * Licensed under the OpenSSL license (the "License").  You may not use
    5  * this file except in compliance with the License.  You can obtain a copy
    6  * in the file LICENSE in the source distribution or at
    7  * https://www.openssl.org/source/license.html
    8  */
    9 
   10 #include <stdio.h>
   11 #include <stdlib.h>
   12 #include <openssl/objects.h>
   13 #include <openssl/evp.h>
   14 #include <openssl/hmac.h>
   15 #include <openssl/ocsp.h>
   16 #include <openssl/conf.h>
   17 #include <openssl/x509v3.h>
   18 #include <openssl/dh.h>
   19 #include <openssl/bn.h>
   20 #include "internal/nelem.h"
   21 #include "ssl_local.h"
   22 #include <openssl/ct.h>
   23 
   24 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
   25 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
   26 
   27 SSL3_ENC_METHOD const TLSv1_enc_data = {
   28     tls1_enc,
   29     tls1_mac,
   30     tls1_setup_key_block,
   31     tls1_generate_master_secret,
   32     tls1_change_cipher_state,
   33     tls1_final_finish_mac,
   34     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
   35     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
   36     tls1_alert_code,
   37     tls1_export_keying_material,
   38     0,
   39     ssl3_set_handshake_header,
   40     tls_close_construct_packet,
   41     ssl3_handshake_write
   42 };
   43 
   44 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
   45     tls1_enc,
   46     tls1_mac,
   47     tls1_setup_key_block,
   48     tls1_generate_master_secret,
   49     tls1_change_cipher_state,
   50     tls1_final_finish_mac,
   51     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
   52     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
   53     tls1_alert_code,
   54     tls1_export_keying_material,
   55     SSL_ENC_FLAG_EXPLICIT_IV,
   56     ssl3_set_handshake_header,
   57     tls_close_construct_packet,
   58     ssl3_handshake_write
   59 };
   60 
   61 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
   62     tls1_enc,
   63     tls1_mac,
   64     tls1_setup_key_block,
   65     tls1_generate_master_secret,
   66     tls1_change_cipher_state,
   67     tls1_final_finish_mac,
   68     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
   69     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
   70     tls1_alert_code,
   71     tls1_export_keying_material,
   72     SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
   73         | SSL_ENC_FLAG_TLS1_2_CIPHERS,
   74     ssl3_set_handshake_header,
   75     tls_close_construct_packet,
   76     ssl3_handshake_write
   77 };
   78 
   79 SSL3_ENC_METHOD const TLSv1_3_enc_data = {
   80     tls13_enc,
   81     tls1_mac,
   82     tls13_setup_key_block,
   83     tls13_generate_master_secret,
   84     tls13_change_cipher_state,
   85     tls13_final_finish_mac,
   86     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
   87     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
   88     tls13_alert_code,
   89     tls13_export_keying_material,
   90     SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
   91     ssl3_set_handshake_header,
   92     tls_close_construct_packet,
   93     ssl3_handshake_write
   94 };
   95 
   96 long tls1_default_timeout(void)
   97 {
   98     /*
   99      * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
  100      * http, the cache would over fill
  101      */
  102     return (60 * 60 * 2);
  103 }
  104 
  105 int tls1_new(SSL *s)
  106 {
  107     if (!ssl3_new(s))
  108         return 0;
  109     if (!s->method->ssl_clear(s))
  110         return 0;
  111 
  112     return 1;
  113 }
  114 
  115 void tls1_free(SSL *s)
  116 {
  117     OPENSSL_free(s->ext.session_ticket);
  118     ssl3_free(s);
  119 }
  120 
  121 int tls1_clear(SSL *s)
  122 {
  123     if (!ssl3_clear(s))
  124         return 0;
  125 
  126     if (s->method->version == TLS_ANY_VERSION)
  127         s->version = TLS_MAX_VERSION;
  128     else
  129         s->version = s->method->version;
  130 
  131     return 1;
  132 }
  133 
  134 #ifndef OPENSSL_NO_EC
  135 
  136 /*
  137  * Table of curve information.
  138  * Do not delete entries or reorder this array! It is used as a lookup
  139  * table: the index of each entry is one less than the TLS curve id.
  140  */
  141 static const TLS_GROUP_INFO nid_list[] = {
  142     {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
  143     {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
  144     {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
  145     {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
  146     {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
  147     {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
  148     {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
  149     {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
  150     {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
  151     {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
  152     {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
  153     {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
  154     {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
  155     {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
  156     {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
  157     {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
  158     {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
  159     {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
  160     {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
  161     {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
  162     {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
  163     {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
  164     {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
  165     {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
  166     {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
  167     {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
  168     {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
  169     {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
  170     {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
  171     {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
  172 };
  173 
  174 static const unsigned char ecformats_default[] = {
  175     TLSEXT_ECPOINTFORMAT_uncompressed,
  176     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
  177     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
  178 };
  179 
  180 /* The default curves */
  181 static const uint16_t eccurves_default[] = {
  182     29,                      /* X25519 (29) */
  183     23,                      /* secp256r1 (23) */
  184     30,                      /* X448 (30) */
  185     25,                      /* secp521r1 (25) */
  186     24,                      /* secp384r1 (24) */
  187 };
  188 
  189 static const uint16_t suiteb_curves[] = {
  190     TLSEXT_curve_P_256,
  191     TLSEXT_curve_P_384
  192 };
  193 
  194 const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
  195 {
  196     /* ECC curves from RFC 4492 and RFC 7027 */
  197     if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
  198         return NULL;
  199     return &nid_list[group_id - 1];
  200 }
  201 
  202 static uint16_t tls1_nid2group_id(int nid)
  203 {
  204     size_t i;
  205     for (i = 0; i < OSSL_NELEM(nid_list); i++) {
  206         if (nid_list[i].nid == nid)
  207             return (uint16_t)(i + 1);
  208     }
  209     return 0;
  210 }
  211 
  212 /*
  213  * Set *pgroups to the supported groups list and *pgroupslen to
  214  * the number of groups supported.
  215  */
  216 void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
  217                                size_t *pgroupslen)
  218 {
  219 
  220     /* For Suite B mode only include P-256, P-384 */
  221     switch (tls1_suiteb(s)) {
  222     case SSL_CERT_FLAG_SUITEB_128_LOS:
  223         *pgroups = suiteb_curves;
  224         *pgroupslen = OSSL_NELEM(suiteb_curves);
  225         break;
  226 
  227     case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  228         *pgroups = suiteb_curves;
  229         *pgroupslen = 1;
  230         break;
  231 
  232     case SSL_CERT_FLAG_SUITEB_192_LOS:
  233         *pgroups = suiteb_curves + 1;
  234         *pgroupslen = 1;
  235         break;
  236 
  237     default:
  238         if (s->ext.supportedgroups == NULL) {
  239             *pgroups = eccurves_default;
  240             *pgroupslen = OSSL_NELEM(eccurves_default);
  241         } else {
  242             *pgroups = s->ext.supportedgroups;
  243             *pgroupslen = s->ext.supportedgroups_len;
  244         }
  245         break;
  246     }
  247 }
  248 
  249 /* See if curve is allowed by security callback */
  250 int tls_curve_allowed(SSL *s, uint16_t curve, int op)
  251 {
  252     const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
  253     unsigned char ctmp[2];
  254 
  255     if (cinfo == NULL)
  256         return 0;
  257 # ifdef OPENSSL_NO_EC2M
  258     if (cinfo->flags & TLS_CURVE_CHAR2)
  259         return 0;
  260 # endif
  261     ctmp[0] = curve >> 8;
  262     ctmp[1] = curve & 0xff;
  263     return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
  264 }
  265 
  266 /* Return 1 if "id" is in "list" */
  267 static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
  268 {
  269     size_t i;
  270     for (i = 0; i < listlen; i++)
  271         if (list[i] == id)
  272             return 1;
  273     return 0;
  274 }
  275 
  276 /*-
  277  * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
  278  * if there is no match.
  279  * For nmatch == -1, return number of matches
  280  * For nmatch == -2, return the id of the group to use for
  281  * a tmp key, or 0 if there is no match.
  282  */
  283 uint16_t tls1_shared_group(SSL *s, int nmatch)
  284 {
  285     const uint16_t *pref, *supp;
  286     size_t num_pref, num_supp, i;
  287     int k;
  288 
  289     /* Can't do anything on client side */
  290     if (s->server == 0)
  291         return 0;
  292     if (nmatch == -2) {
  293         if (tls1_suiteb(s)) {
  294             /*
  295              * For Suite B ciphersuite determines curve: we already know
  296              * these are acceptable due to previous checks.
  297              */
  298             unsigned long cid = s->s3->tmp.new_cipher->id;
  299 
  300             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  301                 return TLSEXT_curve_P_256;
  302             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  303                 return TLSEXT_curve_P_384;
  304             /* Should never happen */
  305             return 0;
  306         }
  307         /* If not Suite B just return first preference shared curve */
  308         nmatch = 0;
  309     }
  310     /*
  311      * If server preference set, our groups are the preference order
  312      * otherwise peer decides.
  313      */
  314     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  315         tls1_get_supported_groups(s, &pref, &num_pref);
  316         tls1_get_peer_groups(s, &supp, &num_supp);
  317     } else {
  318         tls1_get_peer_groups(s, &pref, &num_pref);
  319         tls1_get_supported_groups(s, &supp, &num_supp);
  320     }
  321 
  322     for (k = 0, i = 0; i < num_pref; i++) {
  323         uint16_t id = pref[i];
  324 
  325         if (!tls1_in_list(id, supp, num_supp)
  326             || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
  327                     continue;
  328         if (nmatch == k)
  329             return id;
  330          k++;
  331     }
  332     if (nmatch == -1)
  333         return k;
  334     /* Out of range (nmatch > k). */
  335     return 0;
  336 }
  337 
  338 int tls1_set_groups(uint16_t **pext, size_t *pextlen,
  339                     int *groups, size_t ngroups)
  340 {
  341     uint16_t *glist;
  342     size_t i;
  343     /*
  344      * Bitmap of groups included to detect duplicates: only works while group
  345      * ids < 32
  346      */
  347     unsigned long dup_list = 0;
  348 
  349     if (ngroups == 0) {
  350         SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH);
  351         return 0;
  352     }
  353     if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
  354         SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE);
  355         return 0;
  356     }
  357     for (i = 0; i < ngroups; i++) {
  358         unsigned long idmask;
  359         uint16_t id;
  360         /* TODO(TLS1.3): Convert for DH groups */
  361         id = tls1_nid2group_id(groups[i]);
  362         idmask = 1L << id;
  363         if (!id || (dup_list & idmask)) {
  364             OPENSSL_free(glist);
  365             return 0;
  366         }
  367         dup_list |= idmask;
  368         glist[i] = id;
  369     }
  370     OPENSSL_free(*pext);
  371     *pext = glist;
  372     *pextlen = ngroups;
  373     return 1;
  374 }
  375 
  376 # define MAX_CURVELIST   OSSL_NELEM(nid_list)
  377 
  378 typedef struct {
  379     size_t nidcnt;
  380     int nid_arr[MAX_CURVELIST];
  381 } nid_cb_st;
  382 
  383 static int nid_cb(const char *elem, int len, void *arg)
  384 {
  385     nid_cb_st *narg = arg;
  386     size_t i;
  387     int nid;
  388     char etmp[20];
  389     if (elem == NULL)
  390         return 0;
  391     if (narg->nidcnt == MAX_CURVELIST)
  392         return 0;
  393     if (len > (int)(sizeof(etmp) - 1))
  394         return 0;
  395     memcpy(etmp, elem, len);
  396     etmp[len] = 0;
  397     nid = EC_curve_nist2nid(etmp);
  398     if (nid == NID_undef)
  399         nid = OBJ_sn2nid(etmp);
  400     if (nid == NID_undef)
  401         nid = OBJ_ln2nid(etmp);
  402     if (nid == NID_undef)
  403         return 0;
  404     for (i = 0; i < narg->nidcnt; i++)
  405         if (narg->nid_arr[i] == nid)
  406             return 0;
  407     narg->nid_arr[narg->nidcnt++] = nid;
  408     return 1;
  409 }
  410 
  411 /* Set groups based on a colon separate list */
  412 int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
  413 {
  414     nid_cb_st ncb;
  415     ncb.nidcnt = 0;
  416     if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
  417         return 0;
  418     if (pext == NULL)
  419         return 1;
  420     return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
  421 }
  422 /* Return group id of a key */
  423 static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
  424 {
  425     EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
  426     const EC_GROUP *grp;
  427 
  428     if (ec == NULL)
  429         return 0;
  430     grp = EC_KEY_get0_group(ec);
  431     return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
  432 }
  433 
  434 /* Check a key is compatible with compression extension */
  435 static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
  436 {
  437     const EC_KEY *ec;
  438     const EC_GROUP *grp;
  439     unsigned char comp_id;
  440     size_t i;
  441 
  442     /* If not an EC key nothing to check */
  443     if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
  444         return 1;
  445     ec = EVP_PKEY_get0_EC_KEY(pkey);
  446     grp = EC_KEY_get0_group(ec);
  447 
  448     /* Get required compression id */
  449     if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
  450             comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
  451     } else if (SSL_IS_TLS13(s)) {
  452             /*
  453              * ec_point_formats extension is not used in TLSv1.3 so we ignore
  454              * this check.
  455              */
  456             return 1;
  457     } else {
  458         int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));
  459 
  460         if (field_type == NID_X9_62_prime_field)
  461             comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
  462         else if (field_type == NID_X9_62_characteristic_two_field)
  463             comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  464         else
  465             return 0;
  466     }
  467     /*
  468      * If point formats extension present check it, otherwise everything is
  469      * supported (see RFC4492).
  470      */
  471     if (s->ext.peer_ecpointformats == NULL)
  472         return 1;
  473 
  474     for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
  475         if (s->ext.peer_ecpointformats[i] == comp_id)
  476             return 1;
  477     }
  478     return 0;
  479 }
  480 
  481 /* Check a group id matches preferences */
  482 int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
  483     {
  484     const uint16_t *groups;
  485     size_t groups_len;
  486 
  487     if (group_id == 0)
  488         return 0;
  489 
  490     /* Check for Suite B compliance */
  491     if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
  492         unsigned long cid = s->s3->tmp.new_cipher->id;
  493 
  494         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
  495             if (group_id != TLSEXT_curve_P_256)
  496                 return 0;
  497         } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
  498             if (group_id != TLSEXT_curve_P_384)
  499                 return 0;
  500         } else {
  501             /* Should never happen */
  502             return 0;
  503         }
  504     }
  505 
  506     if (check_own_groups) {
  507         /* Check group is one of our preferences */
  508         tls1_get_supported_groups(s, &groups, &groups_len);
  509         if (!tls1_in_list(group_id, groups, groups_len))
  510             return 0;
  511     }
  512 
  513     if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
  514         return 0;
  515 
  516     /* For clients, nothing more to check */
  517     if (!s->server)
  518         return 1;
  519 
  520     /* Check group is one of peers preferences */
  521     tls1_get_peer_groups(s, &groups, &groups_len);
  522 
  523     /*
  524      * RFC 4492 does not require the supported elliptic curves extension
  525      * so if it is not sent we can just choose any curve.
  526      * It is invalid to send an empty list in the supported groups
  527      * extension, so groups_len == 0 always means no extension.
  528      */
  529     if (groups_len == 0)
  530             return 1;
  531     return tls1_in_list(group_id, groups, groups_len);
  532 }
  533 
  534 void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
  535                          size_t *num_formats)
  536 {
  537     /*
  538      * If we have a custom point format list use it otherwise use default
  539      */
  540     if (s->ext.ecpointformats) {
  541         *pformats = s->ext.ecpointformats;
  542         *num_formats = s->ext.ecpointformats_len;
  543     } else {
  544         *pformats = ecformats_default;
  545         /* For Suite B we don't support char2 fields */
  546         if (tls1_suiteb(s))
  547             *num_formats = sizeof(ecformats_default) - 1;
  548         else
  549             *num_formats = sizeof(ecformats_default);
  550     }
  551 }
  552 
  553 /*
  554  * Check cert parameters compatible with extensions: currently just checks EC
  555  * certificates have compatible curves and compression.
  556  */
  557 static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
  558 {
  559     uint16_t group_id;
  560     EVP_PKEY *pkey;
  561     pkey = X509_get0_pubkey(x);
  562     if (pkey == NULL)
  563         return 0;
  564     /* If not EC nothing to do */
  565     if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
  566         return 1;
  567     /* Check compression */
  568     if (!tls1_check_pkey_comp(s, pkey))
  569         return 0;
  570     group_id = tls1_get_group_id(pkey);
  571     /*
  572      * For a server we allow the certificate to not be in our list of supported
  573      * groups.
  574      */
  575     if (!tls1_check_group_id(s, group_id, !s->server))
  576         return 0;
  577     /*
  578      * Special case for suite B. We *MUST* sign using SHA256+P-256 or
  579      * SHA384+P-384.
  580      */
  581     if (check_ee_md && tls1_suiteb(s)) {
  582         int check_md;
  583         size_t i;
  584 
  585         /* Check to see we have necessary signing algorithm */
  586         if (group_id == TLSEXT_curve_P_256)
  587             check_md = NID_ecdsa_with_SHA256;
  588         else if (group_id == TLSEXT_curve_P_384)
  589             check_md = NID_ecdsa_with_SHA384;
  590         else
  591             return 0;           /* Should never happen */
  592         for (i = 0; i < s->shared_sigalgslen; i++) {
  593             if (check_md == s->shared_sigalgs[i]->sigandhash)
  594                 return 1;;
  595         }
  596         return 0;
  597     }
  598     return 1;
  599 }
  600 
  601 /*
  602  * tls1_check_ec_tmp_key - Check EC temporary key compatibility
  603  * @s: SSL connection
  604  * @cid: Cipher ID we're considering using
  605  *
  606  * Checks that the kECDHE cipher suite we're considering using
  607  * is compatible with the client extensions.
  608  *
  609  * Returns 0 when the cipher can't be used or 1 when it can.
  610  */
  611 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
  612 {
  613     /* If not Suite B just need a shared group */
  614     if (!tls1_suiteb(s))
  615         return tls1_shared_group(s, 0) != 0;
  616     /*
  617      * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
  618      * curves permitted.
  619      */
  620     if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  621         return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
  622     if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  623         return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);
  624 
  625     return 0;
  626 }
  627 
  628 #else
  629 
  630 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
  631 {
  632     return 1;
  633 }
  634 
  635 #endif                          /* OPENSSL_NO_EC */
  636 
  637 /* Default sigalg schemes */
  638 static const uint16_t tls12_sigalgs[] = {
  639 #ifndef OPENSSL_NO_EC
  640     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  641     TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
  642     TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
  643     TLSEXT_SIGALG_ed25519,
  644     TLSEXT_SIGALG_ed448,
  645 #endif
  646 
  647     TLSEXT_SIGALG_rsa_pss_pss_sha256,
  648     TLSEXT_SIGALG_rsa_pss_pss_sha384,
  649     TLSEXT_SIGALG_rsa_pss_pss_sha512,
  650     TLSEXT_SIGALG_rsa_pss_rsae_sha256,
  651     TLSEXT_SIGALG_rsa_pss_rsae_sha384,
  652     TLSEXT_SIGALG_rsa_pss_rsae_sha512,
  653 
  654     TLSEXT_SIGALG_rsa_pkcs1_sha256,
  655     TLSEXT_SIGALG_rsa_pkcs1_sha384,
  656     TLSEXT_SIGALG_rsa_pkcs1_sha512,
  657 
  658 #ifndef OPENSSL_NO_EC
  659     TLSEXT_SIGALG_ecdsa_sha224,
  660     TLSEXT_SIGALG_ecdsa_sha1,
  661 #endif
  662     TLSEXT_SIGALG_rsa_pkcs1_sha224,
  663     TLSEXT_SIGALG_rsa_pkcs1_sha1,
  664 #ifndef OPENSSL_NO_DSA
  665     TLSEXT_SIGALG_dsa_sha224,
  666     TLSEXT_SIGALG_dsa_sha1,
  667 
  668     TLSEXT_SIGALG_dsa_sha256,
  669     TLSEXT_SIGALG_dsa_sha384,
  670     TLSEXT_SIGALG_dsa_sha512,
  671 #endif
  672 #ifndef OPENSSL_NO_GOST
  673     TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
  674     TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
  675     TLSEXT_SIGALG_gostr34102001_gostr3411,
  676 #endif
  677 };
  678 
  679 #ifndef OPENSSL_NO_EC
  680 static const uint16_t suiteb_sigalgs[] = {
  681     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  682     TLSEXT_SIGALG_ecdsa_secp384r1_sha384
  683 };
  684 #endif
  685 
  686 static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
  687 #ifndef OPENSSL_NO_EC
  688     {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
  689      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  690      NID_ecdsa_with_SHA256, NID_X9_62_prime256v1},
  691     {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
  692      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  693      NID_ecdsa_with_SHA384, NID_secp384r1},
  694     {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
  695      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  696      NID_ecdsa_with_SHA512, NID_secp521r1},
  697     {"ed25519", TLSEXT_SIGALG_ed25519,
  698      NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
  699      NID_undef, NID_undef},
  700     {"ed448", TLSEXT_SIGALG_ed448,
  701      NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
  702      NID_undef, NID_undef},
  703     {NULL, TLSEXT_SIGALG_ecdsa_sha224,
  704      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  705      NID_ecdsa_with_SHA224, NID_undef},
  706     {NULL, TLSEXT_SIGALG_ecdsa_sha1,
  707      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
  708      NID_ecdsa_with_SHA1, NID_undef},
  709 #endif
  710     {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
  711      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  712      NID_undef, NID_undef},
  713     {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
  714      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  715      NID_undef, NID_undef},
  716     {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
  717      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
  718      NID_undef, NID_undef},
  719     {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
  720      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  721      NID_undef, NID_undef},
  722     {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
  723      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  724      NID_undef, NID_undef},
  725     {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
  726      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
  727      NID_undef, NID_undef},
  728     {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
  729      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  730      NID_sha256WithRSAEncryption, NID_undef},
  731     {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
  732      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  733      NID_sha384WithRSAEncryption, NID_undef},
  734     {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
  735      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  736      NID_sha512WithRSAEncryption, NID_undef},
  737     {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
  738      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  739      NID_sha224WithRSAEncryption, NID_undef},
  740     {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
  741      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
  742      NID_sha1WithRSAEncryption, NID_undef},
  743 #ifndef OPENSSL_NO_DSA
  744     {NULL, TLSEXT_SIGALG_dsa_sha256,
  745      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  746      NID_dsa_with_SHA256, NID_undef},
  747     {NULL, TLSEXT_SIGALG_dsa_sha384,
  748      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  749      NID_undef, NID_undef},
  750     {NULL, TLSEXT_SIGALG_dsa_sha512,
  751      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  752      NID_undef, NID_undef},
  753     {NULL, TLSEXT_SIGALG_dsa_sha224,
  754      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  755      NID_undef, NID_undef},
  756     {NULL, TLSEXT_SIGALG_dsa_sha1,
  757      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
  758      NID_dsaWithSHA1, NID_undef},
  759 #endif
  760 #ifndef OPENSSL_NO_GOST
  761     {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
  762      NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
  763      NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
  764      NID_undef, NID_undef},
  765     {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
  766      NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
  767      NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
  768      NID_undef, NID_undef},
  769     {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
  770      NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
  771      NID_id_GostR3410_2001, SSL_PKEY_GOST01,
  772      NID_undef, NID_undef}
  773 #endif
  774 };
  775 /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
  776 static const SIGALG_LOOKUP legacy_rsa_sigalg = {
  777     "rsa_pkcs1_md5_sha1", 0,
  778      NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
  779      EVP_PKEY_RSA, SSL_PKEY_RSA,
  780      NID_undef, NID_undef
  781 };
  782 
  783 /*
  784  * Default signature algorithm values used if signature algorithms not present.
  785  * From RFC5246. Note: order must match certificate index order.
  786  */
  787 static const uint16_t tls_default_sigalg[] = {
  788     TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
  789     0, /* SSL_PKEY_RSA_PSS_SIGN */
  790     TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
  791     TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
  792     TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
  793     TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */
  794     TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */
  795     0, /* SSL_PKEY_ED25519 */
  796     0, /* SSL_PKEY_ED448 */
  797 };
  798 
  799 /* Lookup TLS signature algorithm */
  800 static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
  801 {
  802     size_t i;
  803     const SIGALG_LOOKUP *s;
  804 
  805     for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
  806          i++, s++) {
  807         if (s->sigalg == sigalg)
  808             return s;
  809     }
  810     return NULL;
  811 }
  812 /* Lookup hash: return 0 if invalid or not enabled */
  813 int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
  814 {
  815     const EVP_MD *md;
  816     if (lu == NULL)
  817         return 0;
  818     /* lu->hash == NID_undef means no associated digest */
  819     if (lu->hash == NID_undef) {
  820         md = NULL;
  821     } else {
  822         md = ssl_md(lu->hash_idx);
  823         if (md == NULL)
  824             return 0;
  825     }
  826     if (pmd)
  827         *pmd = md;
  828     return 1;
  829 }
  830 
  831 /*
  832  * Check if key is large enough to generate RSA-PSS signature.
  833  *
  834  * The key must greater than or equal to 2 * hash length + 2.
  835  * SHA512 has a hash length of 64 bytes, which is incompatible
  836  * with a 128 byte (1024 bit) key.
  837  */
  838 #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
  839 static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
  840 {
  841     const EVP_MD *md;
  842 
  843     if (rsa == NULL)
  844         return 0;
  845     if (!tls1_lookup_md(lu, &md) || md == NULL)
  846         return 0;
  847     if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md))
  848         return 0;
  849     return 1;
  850 }
  851 
  852 /*
  853  * Returns a signature algorithm when the peer did not send a list of supported
  854  * signature algorithms. The signature algorithm is fixed for the certificate
  855  * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
  856  * certificate type from |s| will be used.
  857  * Returns the signature algorithm to use, or NULL on error.
  858  */
  859 static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
  860 {
  861     if (idx == -1) {
  862         if (s->server) {
  863             size_t i;
  864 
  865             /* Work out index corresponding to ciphersuite */
  866             for (i = 0; i < SSL_PKEY_NUM; i++) {
  867                 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i);
  868 
  869                 if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) {
  870                     idx = i;
  871                     break;
  872                 }
  873             }
  874 
  875             /*
  876              * Some GOST ciphersuites allow more than one signature algorithms
  877              * */
  878             if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
  879                 int real_idx;
  880 
  881                 for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
  882                      real_idx--) {
  883                     if (s->cert->pkeys[real_idx].privatekey != NULL) {
  884                         idx = real_idx;
  885                         break;
  886                     }
  887                 }
  888             }
  889         } else {
  890             idx = s->cert->key - s->cert->pkeys;
  891         }
  892     }
  893     if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
  894         return NULL;
  895     if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
  896         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
  897 
  898         if (!tls1_lookup_md(lu, NULL))
  899             return NULL;
  900         if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
  901             return NULL;
  902         return lu;
  903     }
  904     if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
  905         return NULL;
  906     return &legacy_rsa_sigalg;
  907 }
  908 /* Set peer sigalg based key type */
  909 int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey)
  910 {
  911     size_t idx;
  912     const SIGALG_LOOKUP *lu;
  913 
  914     if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
  915         return 0;
  916     lu = tls1_get_legacy_sigalg(s, idx);
  917     if (lu == NULL)
  918         return 0;
  919     s->s3->tmp.peer_sigalg = lu;
  920     return 1;
  921 }
  922 
  923 size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
  924 {
  925     /*
  926      * If Suite B mode use Suite B sigalgs only, ignore any other
  927      * preferences.
  928      */
  929 #ifndef OPENSSL_NO_EC
  930     switch (tls1_suiteb(s)) {
  931     case SSL_CERT_FLAG_SUITEB_128_LOS:
  932         *psigs = suiteb_sigalgs;
  933         return OSSL_NELEM(suiteb_sigalgs);
  934 
  935     case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  936         *psigs = suiteb_sigalgs;
  937         return 1;
  938 
  939     case SSL_CERT_FLAG_SUITEB_192_LOS:
  940         *psigs = suiteb_sigalgs + 1;
  941         return 1;
  942     }
  943 #endif
  944     /*
  945      *  We use client_sigalgs (if not NULL) if we're a server
  946      *  and sending a certificate request or if we're a client and
  947      *  determining which shared algorithm to use.
  948      */
  949     if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
  950         *psigs = s->cert->client_sigalgs;
  951         return s->cert->client_sigalgslen;
  952     } else if (s->cert->conf_sigalgs) {
  953         *psigs = s->cert->conf_sigalgs;
  954         return s->cert->conf_sigalgslen;
  955     } else {
  956         *psigs = tls12_sigalgs;
  957         return OSSL_NELEM(tls12_sigalgs);
  958     }
  959 }
  960 
  961 #ifndef OPENSSL_NO_EC
  962 /*
  963  * Called by servers only. Checks that we have a sig alg that supports the
  964  * specified EC curve.
  965  */
  966 int tls_check_sigalg_curve(const SSL *s, int curve)
  967 {
  968    const uint16_t *sigs;
  969    size_t siglen, i;
  970 
  971     if (s->cert->conf_sigalgs) {
  972         sigs = s->cert->conf_sigalgs;
  973         siglen = s->cert->conf_sigalgslen;
  974     } else {
  975         sigs = tls12_sigalgs;
  976         siglen = OSSL_NELEM(tls12_sigalgs);
  977     }
  978 
  979     for (i = 0; i < siglen; i++) {
  980         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigs[i]);
  981 
  982         if (lu == NULL)
  983             continue;
  984         if (lu->sig == EVP_PKEY_EC
  985                 && lu->curve != NID_undef
  986                 && curve == lu->curve)
  987             return 1;
  988     }
  989 
  990     return 0;
  991 }
  992 #endif
  993 
  994 /*
  995  * Return the number of security bits for the signature algorithm, or 0 on
  996  * error.
  997  */
  998 static int sigalg_security_bits(const SIGALG_LOOKUP *lu)
  999 {
 1000     const EVP_MD *md = NULL;
 1001     int secbits = 0;
 1002 
 1003     if (!tls1_lookup_md(lu, &md))
 1004         return 0;
 1005     if (md != NULL)
 1006     {
 1007         /* Security bits: half digest bits */
 1008         secbits = EVP_MD_size(md) * 4;
 1009     } else {
 1010         /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
 1011         if (lu->sigalg == TLSEXT_SIGALG_ed25519)
 1012             secbits = 128;
 1013         else if (lu->sigalg == TLSEXT_SIGALG_ed448)
 1014             secbits = 224;
 1015     }
 1016     return secbits;
 1017 }
 1018 
 1019 /*
 1020  * Check signature algorithm is consistent with sent supported signature
 1021  * algorithms and if so set relevant digest and signature scheme in
 1022  * s.
 1023  */
 1024 int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
 1025 {
 1026     const uint16_t *sent_sigs;
 1027     const EVP_MD *md = NULL;
 1028     char sigalgstr[2];
 1029     size_t sent_sigslen, i, cidx;
 1030     int pkeyid = EVP_PKEY_id(pkey);
 1031     const SIGALG_LOOKUP *lu;
 1032     int secbits = 0;
 1033 
 1034     /* Should never happen */
 1035     if (pkeyid == -1)
 1036         return -1;
 1037     if (SSL_IS_TLS13(s)) {
 1038         /* Disallow DSA for TLS 1.3 */
 1039         if (pkeyid == EVP_PKEY_DSA) {
 1040             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
 1041                      SSL_R_WRONG_SIGNATURE_TYPE);
 1042             return 0;
 1043         }
 1044         /* Only allow PSS for TLS 1.3 */
 1045         if (pkeyid == EVP_PKEY_RSA)
 1046             pkeyid = EVP_PKEY_RSA_PSS;
 1047     }
 1048     lu = tls1_lookup_sigalg(sig);
 1049     /*
 1050      * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
 1051      * is consistent with signature: RSA keys can be used for RSA-PSS
 1052      */
 1053     if (lu == NULL
 1054         || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
 1055         || (pkeyid != lu->sig
 1056         && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
 1057         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
 1058                  SSL_R_WRONG_SIGNATURE_TYPE);
 1059         return 0;
 1060     }
 1061     /* Check the sigalg is consistent with the key OID */
 1062     if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx)
 1063             || lu->sig_idx != (int)cidx) {
 1064         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
 1065                  SSL_R_WRONG_SIGNATURE_TYPE);
 1066         return 0;
 1067     }
 1068 
 1069 #ifndef OPENSSL_NO_EC
 1070     if (pkeyid == EVP_PKEY_EC) {
 1071 
 1072         /* Check point compression is permitted */
 1073         if (!tls1_check_pkey_comp(s, pkey)) {
 1074             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
 1075                      SSL_F_TLS12_CHECK_PEER_SIGALG,
 1076                      SSL_R_ILLEGAL_POINT_COMPRESSION);
 1077             return 0;
 1078         }
 1079 
 1080         /* For TLS 1.3 or Suite B check curve matches signature algorithm */
 1081         if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
 1082             EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
 1083             int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
 1084 
 1085             if (lu->curve != NID_undef && curve != lu->curve) {
 1086                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
 1087                          SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
 1088                 return 0;
 1089             }
 1090         }
 1091         if (!SSL_IS_TLS13(s)) {
 1092             /* Check curve matches extensions */
 1093             if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
 1094                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
 1095                          SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
 1096                 return 0;
 1097             }
 1098             if (tls1_suiteb(s)) {
 1099                 /* Check sigalg matches a permissible Suite B value */
 1100                 if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
 1101                     && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
 1102                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
 1103                              SSL_F_TLS12_CHECK_PEER_SIGALG,
 1104                              SSL_R_WRONG_SIGNATURE_TYPE);
 1105                     return 0;
 1106                 }
 1107             }
 1108         }
 1109     } else if (tls1_suiteb(s)) {
 1110         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
 1111                  SSL_R_WRONG_SIGNATURE_TYPE);
 1112         return 0;
 1113     }
 1114 #endif
 1115 
 1116     /* Check signature matches a type we sent */
 1117     sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
 1118     for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
 1119         if (sig == *sent_sigs)
 1120             break;
 1121     }
 1122     /* Allow fallback to SHA1 if not strict mode */
 1123     if (i == sent_sigslen && (lu->hash != NID_sha1
 1124         || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
 1125         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
 1126                  SSL_R_WRONG_SIGNATURE_TYPE);
 1127         return 0;
 1128     }
 1129     if (!tls1_lookup_md(lu, &md)) {
 1130         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
 1131                  SSL_R_UNKNOWN_DIGEST);
 1132         return 0;
 1133     }
 1134     /*
 1135      * Make sure security callback allows algorithm. For historical
 1136      * reasons we have to pass the sigalg as a two byte char array.
 1137      */
 1138     sigalgstr[0] = (sig >> 8) & 0xff;
 1139     sigalgstr[1] = sig & 0xff;
 1140     secbits = sigalg_security_bits(lu);
 1141     if (secbits == 0 ||
 1142         !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
 1143                       md != NULL ? EVP_MD_type(md) : NID_undef,
 1144                       (void *)sigalgstr)) {
 1145         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
 1146                  SSL_R_WRONG_SIGNATURE_TYPE);
 1147         return 0;
 1148     }
 1149     /* Store the sigalg the peer uses */
 1150     s->s3->tmp.peer_sigalg = lu;
 1151     return 1;
 1152 }
 1153 
 1154 int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
 1155 {
 1156     if (s->s3->tmp.peer_sigalg == NULL)
 1157         return 0;
 1158     *pnid = s->s3->tmp.peer_sigalg->sig;
 1159     return 1;
 1160 }
 1161 
 1162 int SSL_get_signature_type_nid(const SSL *s, int *pnid)
 1163 {
 1164     if (s->s3->tmp.sigalg == NULL)
 1165         return 0;
 1166     *pnid = s->s3->tmp.sigalg->sig;
 1167     return 1;
 1168 }
 1169 
 1170 /*
 1171  * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
 1172  * supported, doesn't appear in supported signature algorithms, isn't supported
 1173  * by the enabled protocol versions or by the security level.
 1174  *
 1175  * This function should only be used for checking which ciphers are supported
 1176  * by the client.
 1177  *
 1178  * Call ssl_cipher_disabled() to check that it's enabled or not.
 1179  */
 1180 int ssl_set_client_disabled(SSL *s)
 1181 {
 1182     s->s3->tmp.mask_a = 0;
 1183     s->s3->tmp.mask_k = 0;
 1184     ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
 1185     if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver,
 1186                                 &s->s3->tmp.max_ver, NULL) != 0)
 1187         return 0;
 1188 #ifndef OPENSSL_NO_PSK
 1189     /* with PSK there must be client callback set */
 1190     if (!s->psk_client_callback) {
 1191         s->s3->tmp.mask_a |= SSL_aPSK;
 1192         s->s3->tmp.mask_k |= SSL_PSK;
 1193     }
 1194 #endif                          /* OPENSSL_NO_PSK */
 1195 #ifndef OPENSSL_NO_SRP
 1196     if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
 1197         s->s3->tmp.mask_a |= SSL_aSRP;
 1198         s->s3->tmp.mask_k |= SSL_kSRP;
 1199     }
 1200 #endif
 1201     return 1;
 1202 }
 1203 
 1204 /*
 1205  * ssl_cipher_disabled - check that a cipher is disabled or not
 1206  * @s: SSL connection that you want to use the cipher on
 1207  * @c: cipher to check
 1208  * @op: Security check that you want to do
 1209  * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
 1210  *
 1211  * Returns 1 when it's disabled, 0 when enabled.
 1212  */
 1213 int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
 1214 {
 1215     if (c->algorithm_mkey & s->s3->tmp.mask_k
 1216         || c->algorithm_auth & s->s3->tmp.mask_a)
 1217         return 1;
 1218     if (s->s3->tmp.max_ver == 0)
 1219         return 1;
 1220     if (!SSL_IS_DTLS(s)) {
 1221         int min_tls = c->min_tls;
 1222 
 1223         /*
 1224          * For historical reasons we will allow ECHDE to be selected by a server
 1225          * in SSLv3 if we are a client
 1226          */
 1227         if (min_tls == TLS1_VERSION && ecdhe
 1228                 && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
 1229             min_tls = SSL3_VERSION;
 1230 
 1231         if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
 1232             return 1;
 1233     }
 1234     if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
 1235                            || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
 1236         return 1;
 1237 
 1238     return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
 1239 }
 1240 
 1241 int tls_use_ticket(SSL *s)
 1242 {
 1243     if ((s->options & SSL_OP_NO_TICKET))
 1244         return 0;
 1245     return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
 1246 }
 1247 
 1248 int tls1_set_server_sigalgs(SSL *s)
 1249 {
 1250     size_t i;
 1251 
 1252     /* Clear any shared signature algorithms */
 1253     OPENSSL_free(s->shared_sigalgs);
 1254     s->shared_sigalgs = NULL;
 1255     s->shared_sigalgslen = 0;
 1256     /* Clear certificate validity flags */
 1257     for (i = 0; i < SSL_PKEY_NUM; i++)
 1258         s->s3->tmp.valid_flags[i] = 0;
 1259     /*
 1260      * If peer sent no signature algorithms check to see if we support
 1261      * the default algorithm for each certificate type
 1262      */
 1263     if (s->s3->tmp.peer_cert_sigalgs == NULL
 1264             && s->s3->tmp.peer_sigalgs == NULL) {
 1265         const uint16_t *sent_sigs;
 1266         size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
 1267 
 1268         for (i = 0; i < SSL_PKEY_NUM; i++) {
 1269             const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
 1270             size_t j;
 1271 
 1272             if (lu == NULL)
 1273                 continue;
 1274             /* Check default matches a type we sent */
 1275             for (j = 0; j < sent_sigslen; j++) {
 1276                 if (lu->sigalg == sent_sigs[j]) {
 1277                         s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN;
 1278                         break;
 1279                 }
 1280             }
 1281         }
 1282         return 1;
 1283     }
 1284 
 1285     if (!tls1_process_sigalgs(s)) {
 1286         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
 1287                  SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
 1288         return 0;
 1289     }
 1290     if (s->shared_sigalgs != NULL)
 1291         return 1;
 1292 
 1293     /* Fatal error if no shared signature algorithms */
 1294     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
 1295              SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
 1296     return 0;
 1297 }
 1298 
 1299 /*-
 1300  * Gets the ticket information supplied by the client if any.
 1301  *
 1302  *   hello: The parsed ClientHello data
 1303  *   ret: (output) on return, if a ticket was decrypted, then this is set to
 1304  *       point to the resulting session.
 1305  */
 1306 SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
 1307                                              SSL_SESSION **ret)
 1308 {
 1309     size_t size;
 1310     RAW_EXTENSION *ticketext;
 1311 
 1312     *ret = NULL;
 1313     s->ext.ticket_expected = 0;
 1314 
 1315     /*
 1316      * If tickets disabled or not supported by the protocol version
 1317      * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
 1318      * resumption.
 1319      */
 1320     if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
 1321         return SSL_TICKET_NONE;
 1322 
 1323     ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
 1324     if (!ticketext->present)
 1325         return SSL_TICKET_NONE;
 1326 
 1327     size = PACKET_remaining(&ticketext->data);
 1328 
 1329     return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
 1330                               hello->session_id, hello->session_id_len, ret);
 1331 }
 1332 
 1333 /*-
 1334  * tls_decrypt_ticket attempts to decrypt a session ticket.
 1335  *
 1336  * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are
 1337  * expecting a pre-shared key ciphersuite, in which case we have no use for
 1338  * session tickets and one will never be decrypted, nor will
 1339  * s->ext.ticket_expected be set to 1.
 1340  *
 1341  * Side effects:
 1342  *   Sets s->ext.ticket_expected to 1 if the server will have to issue
 1343  *   a new session ticket to the client because the client indicated support
 1344  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
 1345  *   a session ticket or we couldn't use the one it gave us, or if
 1346  *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
 1347  *   Otherwise, s->ext.ticket_expected is set to 0.
 1348  *
 1349  *   etick: points to the body of the session ticket extension.
 1350  *   eticklen: the length of the session tickets extension.
 1351  *   sess_id: points at the session ID.
 1352  *   sesslen: the length of the session ID.
 1353  *   psess: (output) on return, if a ticket was decrypted, then this is set to
 1354  *       point to the resulting session.
 1355  */
 1356 SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
 1357                                      size_t eticklen, const unsigned char *sess_id,
 1358                                      size_t sesslen, SSL_SESSION **psess)
 1359 {
 1360     SSL_SESSION *sess = NULL;
 1361     unsigned char *sdec;
 1362     const unsigned char *p;
 1363     int slen, renew_ticket = 0, declen;
 1364     SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
 1365     size_t mlen;
 1366     unsigned char tick_hmac[EVP_MAX_MD_SIZE];
 1367     HMAC_CTX *hctx = NULL;
 1368     EVP_CIPHER_CTX *ctx = NULL;
 1369     SSL_CTX *tctx = s->session_ctx;
 1370 
 1371     if (eticklen == 0) {
 1372         /*
 1373          * The client will accept a ticket but doesn't currently have
 1374          * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
 1375          */
 1376         ret = SSL_TICKET_EMPTY;
 1377         goto end;
 1378     }
 1379     if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) {
 1380         /*
 1381          * Indicate that the ticket couldn't be decrypted rather than
 1382          * generating the session from ticket now, trigger
 1383          * abbreviated handshake based on external mechanism to
 1384          * calculate the master secret later.
 1385          */
 1386         ret = SSL_TICKET_NO_DECRYPT;
 1387         goto end;
 1388     }
 1389 
 1390     /* Need at least keyname + iv */
 1391     if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
 1392         ret = SSL_TICKET_NO_DECRYPT;
 1393         goto end;
 1394     }
 1395 
 1396     /* Initialize session ticket encryption and HMAC contexts */
 1397     hctx = HMAC_CTX_new();
 1398     if (hctx == NULL) {
 1399         ret = SSL_TICKET_FATAL_ERR_MALLOC;
 1400         goto end;
 1401     }
 1402     ctx = EVP_CIPHER_CTX_new();
 1403     if (ctx == NULL) {
 1404         ret = SSL_TICKET_FATAL_ERR_MALLOC;
 1405         goto end;
 1406     }
 1407     if (tctx->ext.ticket_key_cb) {
 1408         unsigned char *nctick = (unsigned char *)etick;
 1409         int rv = tctx->ext.ticket_key_cb(s, nctick,
 1410                                          nctick + TLSEXT_KEYNAME_LENGTH,
 1411                                          ctx, hctx, 0);
 1412         if (rv < 0) {
 1413             ret = SSL_TICKET_FATAL_ERR_OTHER;
 1414             goto end;
 1415         }
 1416         if (rv == 0) {
 1417             ret = SSL_TICKET_NO_DECRYPT;
 1418             goto end;
 1419         }
 1420         if (rv == 2)
 1421             renew_ticket = 1;
 1422     } else {
 1423         /* Check key name matches */
 1424         if (memcmp(etick, tctx->ext.tick_key_name,
 1425                    TLSEXT_KEYNAME_LENGTH) != 0) {
 1426             ret = SSL_TICKET_NO_DECRYPT;
 1427             goto end;
 1428         }
 1429         if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
 1430                          sizeof(tctx->ext.secure->tick_hmac_key),
 1431                          EVP_sha256(), NULL) <= 0
 1432             || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
 1433                                   tctx->ext.secure->tick_aes_key,
 1434                                   etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
 1435             ret = SSL_TICKET_FATAL_ERR_OTHER;
 1436             goto end;
 1437         }
 1438         if (SSL_IS_TLS13(s))
 1439             renew_ticket = 1;
 1440     }
 1441     /*
 1442      * Attempt to process session ticket, first conduct sanity and integrity
 1443      * checks on ticket.
 1444      */
 1445     mlen = HMAC_size(hctx);
 1446     if (mlen == 0) {
 1447         ret = SSL_TICKET_FATAL_ERR_OTHER;
 1448         goto end;
 1449     }
 1450 
 1451     /* Sanity check ticket length: must exceed keyname + IV + HMAC */
 1452     if (eticklen <=
 1453         TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
 1454         ret = SSL_TICKET_NO_DECRYPT;
 1455         goto end;
 1456     }
 1457     eticklen -= mlen;
 1458     /* Check HMAC of encrypted ticket */
 1459     if (HMAC_Update(hctx, etick, eticklen) <= 0
 1460         || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
 1461         ret = SSL_TICKET_FATAL_ERR_OTHER;
 1462         goto end;
 1463     }
 1464 
 1465     if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
 1466         ret = SSL_TICKET_NO_DECRYPT;
 1467         goto end;
 1468     }
 1469     /* Attempt to decrypt session data */
 1470     /* Move p after IV to start of encrypted ticket, update length */
 1471     p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
 1472     eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
 1473     sdec = OPENSSL_malloc(eticklen);
 1474     if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
 1475                                           (int)eticklen) <= 0) {
 1476         OPENSSL_free(sdec);
 1477         ret = SSL_TICKET_FATAL_ERR_OTHER;
 1478         goto end;
 1479     }
 1480     if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
 1481         OPENSSL_free(sdec);
 1482         ret = SSL_TICKET_NO_DECRYPT;
 1483         goto end;
 1484     }
 1485     slen += declen;
 1486     p = sdec;
 1487 
 1488     sess = d2i_SSL_SESSION(NULL, &p, slen);
 1489     slen -= p - sdec;
 1490     OPENSSL_free(sdec);
 1491     if (sess) {
 1492         /* Some additional consistency checks */
 1493         if (slen != 0) {
 1494             SSL_SESSION_free(sess);
 1495             sess = NULL;
 1496             ret = SSL_TICKET_NO_DECRYPT;
 1497             goto end;
 1498         }
 1499         /*
 1500          * The session ID, if non-empty, is used by some clients to detect
 1501          * that the ticket has been accepted. So we copy it to the session
 1502          * structure. If it is empty set length to zero as required by
 1503          * standard.
 1504          */
 1505         if (sesslen) {
 1506             memcpy(sess->session_id, sess_id, sesslen);
 1507             sess->session_id_length = sesslen;
 1508         }
 1509         if (renew_ticket)
 1510             ret = SSL_TICKET_SUCCESS_RENEW;
 1511         else
 1512             ret = SSL_TICKET_SUCCESS;
 1513         goto end;
 1514     }
 1515     ERR_clear_error();
 1516     /*
 1517      * For session parse failure, indicate that we need to send a new ticket.
 1518      */
 1519     ret = SSL_TICKET_NO_DECRYPT;
 1520 
 1521  end:
 1522     EVP_CIPHER_CTX_free(ctx);
 1523     HMAC_CTX_free(hctx);
 1524 
 1525     /*
 1526      * If set, the decrypt_ticket_cb() is called unless a fatal error was
 1527      * detected above. The callback is responsible for checking |ret| before it
 1528      * performs any action
 1529      */
 1530     if (s->session_ctx->decrypt_ticket_cb != NULL
 1531             && (ret == SSL_TICKET_EMPTY
 1532                 || ret == SSL_TICKET_NO_DECRYPT
 1533                 || ret == SSL_TICKET_SUCCESS
 1534                 || ret == SSL_TICKET_SUCCESS_RENEW)) {
 1535         size_t keyname_len = eticklen;
 1536         int retcb;
 1537 
 1538         if (keyname_len > TLSEXT_KEYNAME_LENGTH)
 1539             keyname_len = TLSEXT_KEYNAME_LENGTH;
 1540         retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len,
 1541                                                   ret,
 1542                                                   s->session_ctx->ticket_cb_data);
 1543         switch (retcb) {
 1544         case SSL_TICKET_RETURN_ABORT:
 1545             ret = SSL_TICKET_FATAL_ERR_OTHER;
 1546             break;
 1547 
 1548         case SSL_TICKET_RETURN_IGNORE:
 1549             ret = SSL_TICKET_NONE;
 1550             SSL_SESSION_free(sess);
 1551             sess = NULL;
 1552             break;
 1553 
 1554         case SSL_TICKET_RETURN_IGNORE_RENEW:
 1555             if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT)
 1556                 ret = SSL_TICKET_NO_DECRYPT;
 1557             /* else the value of |ret| will already do the right thing */
 1558             SSL_SESSION_free(sess);
 1559             sess = NULL;
 1560             break;
 1561 
 1562         case SSL_TICKET_RETURN_USE:
 1563         case SSL_TICKET_RETURN_USE_RENEW:
 1564             if (ret != SSL_TICKET_SUCCESS
 1565                     && ret != SSL_TICKET_SUCCESS_RENEW)
 1566                 ret = SSL_TICKET_FATAL_ERR_OTHER;
 1567             else if (retcb == SSL_TICKET_RETURN_USE)
 1568                 ret = SSL_TICKET_SUCCESS;
 1569             else
 1570                 ret = SSL_TICKET_SUCCESS_RENEW;
 1571             break;
 1572 
 1573         default:
 1574             ret = SSL_TICKET_FATAL_ERR_OTHER;
 1575         }
 1576     }
 1577 
 1578     if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) {
 1579         switch (ret) {
 1580         case SSL_TICKET_NO_DECRYPT:
 1581         case SSL_TICKET_SUCCESS_RENEW:
 1582         case SSL_TICKET_EMPTY:
 1583             s->ext.ticket_expected = 1;
 1584         }
 1585     }
 1586 
 1587     *psess = sess;
 1588 
 1589     return ret;
 1590 }
 1591 
 1592 /* Check to see if a signature algorithm is allowed */
 1593 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
 1594 {
 1595     unsigned char sigalgstr[2];
 1596     int secbits;
 1597 
 1598     /* See if sigalgs is recognised and if hash is enabled */
 1599     if (!tls1_lookup_md(lu, NULL))
 1600         return 0;
 1601     /* DSA is not allowed in TLS 1.3 */
 1602     if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
 1603         return 0;
 1604     /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
 1605     if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
 1606         && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
 1607             || lu->hash_idx == SSL_MD_MD5_IDX
 1608             || lu->hash_idx == SSL_MD_SHA224_IDX))
 1609         return 0;
 1610 
 1611     /* See if public key algorithm allowed */
 1612     if (ssl_cert_is_disabled(lu->sig_idx))
 1613         return 0;
 1614 
 1615     if (lu->sig == NID_id_GostR3410_2012_256
 1616             || lu->sig == NID_id_GostR3410_2012_512
 1617             || lu->sig == NID_id_GostR3410_2001) {
 1618         /* We never allow GOST sig algs on the server with TLSv1.3 */
 1619         if (s->server && SSL_IS_TLS13(s))
 1620             return 0;
 1621         if (!s->server
 1622                 && s->method->version == TLS_ANY_VERSION
 1623                 && s->s3->tmp.max_ver >= TLS1_3_VERSION) {
 1624             int i, num;
 1625             STACK_OF(SSL_CIPHER) *sk;
 1626 
 1627             /*
 1628              * We're a client that could negotiate TLSv1.3. We only allow GOST
 1629              * sig algs if we could negotiate TLSv1.2 or below and we have GOST
 1630              * ciphersuites enabled.
 1631              */
 1632 
 1633             if (s->s3->tmp.min_ver >= TLS1_3_VERSION)
 1634                 return 0;
 1635 
 1636             sk = SSL_get_ciphers(s);
 1637             num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0;
 1638             for (i = 0; i < num; i++) {
 1639                 const SSL_CIPHER *c;
 1640 
 1641                 c = sk_SSL_CIPHER_value(sk, i);
 1642                 /* Skip disabled ciphers */
 1643                 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
 1644                     continue;
 1645 
 1646                 if ((c->algorithm_mkey & SSL_kGOST) != 0)
 1647                     break;
 1648             }
 1649             if (i == num)
 1650                 return 0;
 1651         }
 1652     }
 1653 
 1654     /* Finally see if security callback allows it */
 1655     secbits = sigalg_security_bits(lu);
 1656     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
 1657     sigalgstr[1] = lu->sigalg & 0xff;
 1658     return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
 1659 }
 1660 
 1661 /*
 1662  * Get a mask of disabled public key algorithms based on supported signature
 1663  * algorithms. For example if no signature algorithm supports RSA then RSA is
 1664  * disabled.
 1665  */
 1666 
 1667 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
 1668 {
 1669     const uint16_t *sigalgs;
 1670     size_t i, sigalgslen;
 1671     uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
 1672     /*
 1673      * Go through all signature algorithms seeing if we support any
 1674      * in disabled_mask.
 1675      */
 1676     sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
 1677     for (i = 0; i < sigalgslen; i++, sigalgs++) {
 1678         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
 1679         const SSL_CERT_LOOKUP *clu;
 1680 
 1681         if (lu == NULL)
 1682             continue;
 1683 
 1684         clu = ssl_cert_lookup_by_idx(lu->sig_idx);
 1685     if (clu == NULL)
 1686         continue;
 1687 
 1688         /* If algorithm is disabled see if we can enable it */
 1689         if ((clu->amask & disabled_mask) != 0
 1690                 && tls12_sigalg_allowed(s, op, lu))
 1691             disabled_mask &= ~clu->amask;
 1692     }
 1693     *pmask_a |= disabled_mask;
 1694 }
 1695 
 1696 int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
 1697                        const uint16_t *psig, size_t psiglen)
 1698 {
 1699     size_t i;
 1700     int rv = 0;
 1701 
 1702     for (i = 0; i < psiglen; i++, psig++) {
 1703         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig);
 1704 
 1705         if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
 1706             continue;
 1707         if (!WPACKET_put_bytes_u16(pkt, *psig))
 1708             return 0;
 1709         /*
 1710          * If TLS 1.3 must have at least one valid TLS 1.3 message
 1711          * signing algorithm: i.e. neither RSA nor SHA1/SHA224
 1712          */
 1713         if (rv == 0 && (!SSL_IS_TLS13(s)
 1714             || (lu->sig != EVP_PKEY_RSA
 1715                 && lu->hash != NID_sha1
 1716                 && lu->hash != NID_sha224)))
 1717             rv = 1;
 1718     }
 1719     if (rv == 0)
 1720         SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
 1721     return rv;
 1722 }
 1723 
 1724 /* Given preference and allowed sigalgs set shared sigalgs */
 1725 static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig,
 1726                                    const uint16_t *pref, size_t preflen,
 1727                                    const uint16_t *allow, size_t allowlen)
 1728 {
 1729     const uint16_t *ptmp, *atmp;
 1730     size_t i, j, nmatch = 0;
 1731     for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
 1732         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp);
 1733 
 1734         /* Skip disabled hashes or signature algorithms */
 1735         if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
 1736             continue;
 1737         for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
 1738             if (*ptmp == *atmp) {
 1739                 nmatch++;
 1740                 if (shsig)
 1741                     *shsig++ = lu;
 1742                 break;
 1743             }
 1744         }
 1745     }
 1746     return nmatch;
 1747 }
 1748 
 1749 /* Set shared signature algorithms for SSL structures */
 1750 static int tls1_set_shared_sigalgs(SSL *s)
 1751 {
 1752     const uint16_t *pref, *allow, *conf;
 1753     size_t preflen, allowlen, conflen;
 1754     size_t nmatch;
 1755     const SIGALG_LOOKUP **salgs = NULL;
 1756     CERT *c = s->cert;
 1757     unsigned int is_suiteb = tls1_suiteb(s);
 1758 
 1759     OPENSSL_free(s->shared_sigalgs);
 1760     s->shared_sigalgs = NULL;
 1761     s->shared_sigalgslen = 0;
 1762     /* If client use client signature algorithms if not NULL */
 1763     if (!s->server && c->client_sigalgs && !is_suiteb) {
 1764         conf = c->client_sigalgs;
 1765         conflen = c->client_sigalgslen;
 1766     } else if (c->conf_sigalgs && !is_suiteb) {
 1767         conf = c->conf_sigalgs;
 1768         conflen = c->conf_sigalgslen;
 1769     } else
 1770         conflen = tls12_get_psigalgs(s, 0, &conf);
 1771     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
 1772         pref = conf;
 1773         preflen = conflen;
 1774         allow = s->s3->tmp.peer_sigalgs;
 1775         allowlen = s->s3->tmp.peer_sigalgslen;
 1776     } else {
 1777         allow = conf;
 1778         allowlen = conflen;
 1779         pref = s->s3->tmp.peer_sigalgs;
 1780         preflen = s->s3->tmp.peer_sigalgslen;
 1781     }
 1782     nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
 1783     if (nmatch) {
 1784         if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) {
 1785             SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE);
 1786             return 0;
 1787         }
 1788         nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
 1789     } else {
 1790         salgs = NULL;
 1791     }
 1792     s->shared_sigalgs = salgs;
 1793     s->shared_sigalgslen = nmatch;
 1794     return 1;
 1795 }
 1796 
 1797 int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
 1798 {
 1799     unsigned int stmp;
 1800     size_t size, i;
 1801     uint16_t *buf;
 1802 
 1803     size = PACKET_remaining(pkt);
 1804 
 1805     /* Invalid data length */
 1806     if (size == 0 || (size & 1) != 0)
 1807         return 0;
 1808 
 1809     size >>= 1;
 1810 
 1811     if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL)  {
 1812         SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE);
 1813         return 0;
 1814     }
 1815     for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
 1816         buf[i] = stmp;
 1817 
 1818     if (i != size) {
 1819         OPENSSL_free(buf);
 1820         return 0;
 1821     }
 1822 
 1823     OPENSSL_free(*pdest);
 1824     *pdest = buf;
 1825     *pdestlen = size;
 1826 
 1827     return 1;
 1828 }
 1829 
 1830 int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert)
 1831 {
 1832     /* Extension ignored for inappropriate versions */
 1833     if (!SSL_USE_SIGALGS(s))
 1834         return 1;
 1835     /* Should never happen */
 1836     if (s->cert == NULL)
 1837         return 0;
 1838 
 1839     if (cert)
 1840         return tls1_save_u16(pkt, &s->s3->tmp.peer_cert_sigalgs,
 1841                              &s->s3->tmp.peer_cert_sigalgslen);
 1842     else
 1843         return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs,
 1844                              &s->s3->tmp.peer_sigalgslen);
 1845 
 1846 }
 1847 
 1848 /* Set preferred digest for each key type */
 1849 
 1850 int tls1_process_sigalgs(SSL *s)
 1851 {
 1852     size_t i;
 1853     uint32_t *pvalid = s->s3->tmp.valid_flags;
 1854 
 1855     if (!tls1_set_shared_sigalgs(s))
 1856         return 0;
 1857 
 1858     for (i = 0; i < SSL_PKEY_NUM; i++)
 1859         pvalid[i] = 0;
 1860 
 1861     for (i = 0; i < s->shared_sigalgslen; i++) {
 1862         const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
 1863         int idx = sigptr->sig_idx;
 1864 
 1865         /* Ignore PKCS1 based sig algs in TLSv1.3 */
 1866         if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
 1867             continue;
 1868         /* If not disabled indicate we can explicitly sign */
 1869         if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx))
 1870             pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
 1871     }
 1872     return 1;
 1873 }
 1874 
 1875 int SSL_get_sigalgs(SSL *s, int idx,
 1876                     int *psign, int *phash, int *psignhash,
 1877                     unsigned char *rsig, unsigned char *rhash)
 1878 {
 1879     uint16_t *psig = s->s3->tmp.peer_sigalgs;
 1880     size_t numsigalgs = s->s3->tmp.peer_sigalgslen;
 1881     if (psig == NULL || numsigalgs > INT_MAX)
 1882         return 0;
 1883     if (idx >= 0) {
 1884         const SIGALG_LOOKUP *lu;
 1885 
 1886         if (idx >= (int)numsigalgs)
 1887             return 0;
 1888         psig += idx;
 1889         if (rhash != NULL)
 1890             *rhash = (unsigned char)((*psig >> 8) & 0xff);
 1891         if (rsig != NULL)
 1892             *rsig = (unsigned char)(*psig & 0xff);
 1893         lu = tls1_lookup_sigalg(*psig);
 1894         if (psign != NULL)
 1895             *psign = lu != NULL ? lu->sig : NID_undef;
 1896         if (phash != NULL)
 1897             *phash = lu != NULL ? lu->hash : NID_undef;
 1898         if (psignhash != NULL)
 1899             *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
 1900     }
 1901     return (int)numsigalgs;
 1902 }
 1903 
 1904 int SSL_get_shared_sigalgs(SSL *s, int idx,
 1905                            int *psign, int *phash, int *psignhash,
 1906                            unsigned char *rsig, unsigned char *rhash)
 1907 {
 1908     const SIGALG_LOOKUP *shsigalgs;
 1909     if (s->shared_sigalgs == NULL
 1910         || idx < 0
 1911         || idx >= (int)s->shared_sigalgslen
 1912         || s->shared_sigalgslen > INT_MAX)
 1913         return 0;
 1914     shsigalgs = s->shared_sigalgs[idx];
 1915     if (phash != NULL)
 1916         *phash = shsigalgs->hash;
 1917     if (psign != NULL)
 1918         *psign = shsigalgs->sig;
 1919     if (psignhash != NULL)
 1920         *psignhash = shsigalgs->sigandhash;
 1921     if (rsig != NULL)
 1922         *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
 1923     if (rhash != NULL)
 1924         *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
 1925     return (int)s->shared_sigalgslen;
 1926 }
 1927 
 1928 /* Maximum possible number of unique entries in sigalgs array */
 1929 #define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
 1930 
 1931 typedef struct {
 1932     size_t sigalgcnt;
 1933     /* TLSEXT_SIGALG_XXX values */
 1934     uint16_t sigalgs[TLS_MAX_SIGALGCNT];
 1935 } sig_cb_st;
 1936 
 1937 static void get_sigorhash(int *psig, int *phash, const char *str)
 1938 {
 1939     if (strcmp(str, "RSA") == 0) {
 1940         *psig = EVP_PKEY_RSA;
 1941     } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
 1942         *psig = EVP_PKEY_RSA_PSS;
 1943     } else if (strcmp(str, "DSA") == 0) {
 1944         *psig = EVP_PKEY_DSA;
 1945     } else if (strcmp(str, "ECDSA") == 0) {
 1946         *psig = EVP_PKEY_EC;
 1947     } else {
 1948         *phash = OBJ_sn2nid(str);
 1949         if (*phash == NID_undef)
 1950             *phash = OBJ_ln2nid(str);
 1951     }
 1952 }
 1953 /* Maximum length of a signature algorithm string component */
 1954 #define TLS_MAX_SIGSTRING_LEN   40
 1955 
 1956 static int sig_cb(const char *elem, int len, void *arg)
 1957 {
 1958     sig_cb_st *sarg = arg;
 1959     size_t i;
 1960     const SIGALG_LOOKUP *s;
 1961     char etmp[TLS_MAX_SIGSTRING_LEN], *p;
 1962     int sig_alg = NID_undef, hash_alg = NID_undef;
 1963     if (elem == NULL)
 1964         return 0;
 1965     if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
 1966         return 0;
 1967     if (len > (int)(sizeof(etmp) - 1))
 1968         return 0;
 1969     memcpy(etmp, elem, len);
 1970     etmp[len] = 0;
 1971     p = strchr(etmp, '+');
 1972     /*
 1973      * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
 1974      * if there's no '+' in the provided name, look for the new-style combined
 1975      * name.  If not, match both sig+hash to find the needed SIGALG_LOOKUP.
 1976      * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
 1977      * rsa_pss_rsae_* that differ only by public key OID; in such cases
 1978      * we will pick the _rsae_ variant, by virtue of them appearing earlier
 1979      * in the table.
 1980      */
 1981     if (p == NULL) {
 1982         for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
 1983              i++, s++) {
 1984             if (s->name != NULL && strcmp(etmp, s->name) == 0) {
 1985                 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
 1986                 break;
 1987             }
 1988         }
 1989         if (i == OSSL_NELEM(sigalg_lookup_tbl))
 1990             return 0;
 1991     } else {
 1992         *p = 0;
 1993         p++;
 1994         if (*p == 0)
 1995             return 0;
 1996         get_sigorhash(&sig_alg, &hash_alg, etmp);
 1997         get_sigorhash(&sig_alg, &hash_alg, p);
 1998         if (sig_alg == NID_undef || hash_alg == NID_undef)
 1999             return 0;
 2000         for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
 2001              i++, s++) {
 2002             if (s->hash == hash_alg && s->sig == sig_alg) {
 2003                 sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
 2004                 break;
 2005             }
 2006         }
 2007         if (i == OSSL_NELEM(sigalg_lookup_tbl))
 2008             return 0;
 2009     }
 2010 
 2011     /* Reject duplicates */
 2012     for (i = 0; i < sarg->sigalgcnt - 1; i++) {
 2013         if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
 2014             sarg->sigalgcnt--;
 2015             return 0;
 2016         }
 2017     }
 2018     return 1;
 2019 }
 2020 
 2021 /*
 2022  * Set supported signature algorithms based on a colon separated list of the
 2023  * form sig+hash e.g. RSA+SHA512:DSA+SHA512
 2024  */
 2025 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
 2026 {
 2027     sig_cb_st sig;
 2028     sig.sigalgcnt = 0;
 2029     if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
 2030         return 0;
 2031     if (c == NULL)
 2032         return 1;
 2033     return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
 2034 }
 2035 
 2036 int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
 2037                      int client)
 2038 {
 2039     uint16_t *sigalgs;
 2040 
 2041     if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) {
 2042         SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE);
 2043         return 0;
 2044     }
 2045     memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));
 2046 
 2047     if (client) {
 2048         OPENSSL_free(c->client_sigalgs);
 2049         c->client_sigalgs = sigalgs;
 2050         c->client_sigalgslen = salglen;
 2051     } else {
 2052         OPENSSL_free(c->conf_sigalgs);
 2053         c->conf_sigalgs = sigalgs;
 2054         c->conf_sigalgslen = salglen;
 2055     }
 2056 
 2057     return 1;
 2058 }
 2059 
 2060 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
 2061 {
 2062     uint16_t *sigalgs, *sptr;
 2063     size_t i;
 2064 
 2065     if (salglen & 1)
 2066         return 0;
 2067     if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) {
 2068         SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE);
 2069         return 0;
 2070     }
 2071     for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
 2072         size_t j;
 2073         const SIGALG_LOOKUP *curr;
 2074         int md_id = *psig_nids++;
 2075         int sig_id = *psig_nids++;
 2076 
 2077         for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
 2078              j++, curr++) {
 2079             if (curr->hash == md_id && curr->sig == sig_id) {
 2080                 *sptr++ = curr->sigalg;
 2081                 break;
 2082             }
 2083         }
 2084 
 2085         if (j == OSSL_NELEM(sigalg_lookup_tbl))
 2086             goto err;
 2087     }
 2088 
 2089     if (client) {
 2090         OPENSSL_free(c->client_sigalgs);
 2091         c->client_sigalgs = sigalgs;
 2092         c->client_sigalgslen = salglen / 2;
 2093     } else {
 2094         OPENSSL_free(c->conf_sigalgs);
 2095         c->conf_sigalgs = sigalgs;
 2096         c->conf_sigalgslen = salglen / 2;
 2097     }
 2098 
 2099     return 1;
 2100 
 2101  err:
 2102     OPENSSL_free(sigalgs);
 2103     return 0;
 2104 }
 2105 
 2106 static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
 2107 {
 2108     int sig_nid, use_pc_sigalgs = 0;
 2109     size_t i;
 2110     const SIGALG_LOOKUP *sigalg;
 2111     size_t sigalgslen;
 2112     if (default_nid == -1)
 2113         return 1;
 2114     sig_nid = X509_get_signature_nid(x);
 2115     if (default_nid)
 2116         return sig_nid == default_nid ? 1 : 0;
 2117 
 2118     if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) {
 2119         /*
 2120          * If we're in TLSv1.3 then we only get here if we're checking the
 2121          * chain. If the peer has specified peer_cert_sigalgs then we use them
 2122          * otherwise we default to normal sigalgs.
 2123          */
 2124         sigalgslen = s->s3->tmp.peer_cert_sigalgslen;
 2125         use_pc_sigalgs = 1;
 2126     } else {
 2127         sigalgslen = s->shared_sigalgslen;
 2128     }
 2129     for (i = 0; i < sigalgslen; i++) {
 2130         sigalg = use_pc_sigalgs
 2131                  ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
 2132                  : s->shared_sigalgs[i];
 2133         if (sigalg != NULL && sig_nid == sigalg->sigandhash)
 2134             return 1;
 2135     }
 2136     return 0;
 2137 }
 2138 
 2139 /* Check to see if a certificate issuer name matches list of CA names */
 2140 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
 2141 {
 2142     X509_NAME *nm;
 2143     int i;
 2144     nm = X509_get_issuer_name(x);
 2145     for (i = 0; i < sk_X509_NAME_num(names); i++) {
 2146         if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
 2147             return 1;
 2148     }
 2149     return 0;
 2150 }
 2151 
 2152 /*
 2153  * Check certificate chain is consistent with TLS extensions and is usable by
 2154  * server. This servers two purposes: it allows users to check chains before
 2155  * passing them to the server and it allows the server to check chains before
 2156  * attempting to use them.
 2157  */
 2158 
 2159 /* Flags which need to be set for a certificate when strict mode not set */
 2160 
 2161 #define CERT_PKEY_VALID_FLAGS \
 2162         (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
 2163 /* Strict mode flags */
 2164 #define CERT_PKEY_STRICT_FLAGS \
 2165          (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
 2166          | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
 2167 
 2168 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 2169                      int idx)
 2170 {
 2171     int i;
 2172     int rv = 0;
 2173     int check_flags = 0, strict_mode;
 2174     CERT_PKEY *cpk = NULL;
 2175     CERT *c = s->cert;
 2176     uint32_t *pvalid;
 2177     unsigned int suiteb_flags = tls1_suiteb(s);
 2178     /* idx == -1 means checking server chains */
 2179     if (idx != -1) {
 2180         /* idx == -2 means checking client certificate chains */
 2181         if (idx == -2) {
 2182             cpk = c->key;
 2183             idx = (int)(cpk - c->pkeys);
 2184         } else
 2185             cpk = c->pkeys + idx;
 2186         pvalid = s->s3->tmp.valid_flags + idx;
 2187         x = cpk->x509;
 2188         pk = cpk->privatekey;
 2189         chain = cpk->chain;
 2190         strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
 2191         /* If no cert or key, forget it */
 2192         if (!x || !pk)
 2193             goto end;
 2194     } else {
 2195         size_t certidx;
 2196 
 2197         if (!x || !pk)
 2198             return 0;
 2199 
 2200         if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL)
 2201             return 0;
 2202         idx = certidx;
 2203         pvalid = s->s3->tmp.valid_flags + idx;
 2204 
 2205         if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
 2206             check_flags = CERT_PKEY_STRICT_FLAGS;
 2207         else
 2208             check_flags = CERT_PKEY_VALID_FLAGS;
 2209         strict_mode = 1;
 2210     }
 2211 
 2212     if (suiteb_flags) {
 2213         int ok;
 2214         if (check_flags)
 2215             check_flags |= CERT_PKEY_SUITEB;
 2216         ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
 2217         if (ok == X509_V_OK)
 2218             rv |= CERT_PKEY_SUITEB;
 2219         else if (!check_flags)
 2220             goto end;
 2221     }
 2222 
 2223     /*
 2224      * Check all signature algorithms are consistent with signature
 2225      * algorithms extension if TLS 1.2 or later and strict mode.
 2226      */
 2227     if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
 2228         int default_nid;
 2229         int rsign = 0;
 2230         if (s->s3->tmp.peer_cert_sigalgs != NULL
 2231                 || s->s3->tmp.peer_sigalgs != NULL) {
 2232             default_nid = 0;
 2233         /* If no sigalgs extension use defaults from RFC5246 */
 2234         } else {
 2235             switch (idx) {
 2236             case SSL_PKEY_RSA:
 2237                 rsign = EVP_PKEY_RSA;
 2238                 default_nid = NID_sha1WithRSAEncryption;
 2239                 break;
 2240 
 2241             case SSL_PKEY_DSA_SIGN:
 2242                 rsign = EVP_PKEY_DSA;
 2243                 default_nid = NID_dsaWithSHA1;
 2244                 break;
 2245 
 2246             case SSL_PKEY_ECC:
 2247                 rsign = EVP_PKEY_EC;
 2248                 default_nid = NID_ecdsa_with_SHA1;
 2249                 break;
 2250 
 2251             case SSL_PKEY_GOST01:
 2252                 rsign = NID_id_GostR3410_2001;
 2253                 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
 2254                 break;
 2255 
 2256             case SSL_PKEY_GOST12_256:
 2257                 rsign = NID_id_GostR3410_2012_256;
 2258                 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
 2259                 break;
 2260 
 2261             case SSL_PKEY_GOST12_512:
 2262                 rsign = NID_id_GostR3410_2012_512;
 2263                 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
 2264                 break;
 2265 
 2266             default:
 2267                 default_nid = -1;
 2268                 break;
 2269             }
 2270         }
 2271         /*
 2272          * If peer sent no signature algorithms extension and we have set
 2273          * preferred signature algorithms check we support sha1.
 2274          */
 2275         if (default_nid > 0 && c->conf_sigalgs) {
 2276             size_t j;
 2277             const uint16_t *p = c->conf_sigalgs;
 2278             for (j = 0; j < c->conf_sigalgslen; j++, p++) {
 2279                 const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p);
 2280 
 2281                 if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
 2282                     break;
 2283             }
 2284             if (j == c->conf_sigalgslen) {
 2285                 if (check_flags)
 2286                     goto skip_sigs;
 2287                 else
 2288                     goto end;
 2289             }
 2290         }
 2291         /* Check signature algorithm of each cert in chain */
 2292         if (SSL_IS_TLS13(s)) {
 2293             /*
 2294              * We only get here if the application has called SSL_check_chain(),
 2295              * so check_flags is always set.
 2296              */
 2297             if (find_sig_alg(s, x, pk) != NULL)
 2298                 rv |= CERT_PKEY_EE_SIGNATURE;
 2299         } else if (!tls1_check_sig_alg(s, x, default_nid)) {
 2300             if (!check_flags)
 2301                 goto end;
 2302         } else
 2303             rv |= CERT_PKEY_EE_SIGNATURE;
 2304         rv |= CERT_PKEY_CA_SIGNATURE;
 2305         for (i = 0; i < sk_X509_num(chain); i++) {
 2306             if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
 2307                 if (check_flags) {
 2308                     rv &= ~CERT_PKEY_CA_SIGNATURE;
 2309                     break;
 2310                 } else
 2311                     goto end;
 2312             }
 2313         }
 2314     }
 2315     /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
 2316     else if (check_flags)
 2317         rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
 2318  skip_sigs:
 2319     /* Check cert parameters are consistent */
 2320     if (tls1_check_cert_param(s, x, 1))
 2321         rv |= CERT_PKEY_EE_PARAM;
 2322     else if (!check_flags)
 2323         goto end;
 2324     if (!s->server)
 2325         rv |= CERT_PKEY_CA_PARAM;
 2326     /* In strict mode check rest of chain too */
 2327     else if (strict_mode) {
 2328         rv |= CERT_PKEY_CA_PARAM;
 2329         for (i = 0; i < sk_X509_num(chain); i++) {
 2330             X509 *ca = sk_X509_value(chain, i);
 2331             if (!tls1_check_cert_param(s, ca, 0)) {
 2332                 if (check_flags) {
 2333                     rv &= ~CERT_PKEY_CA_PARAM;
 2334                     break;
 2335                 } else
 2336                     goto end;
 2337             }
 2338         }
 2339     }
 2340     if (!s->server && strict_mode) {
 2341         STACK_OF(X509_NAME) *ca_dn;
 2342         int check_type = 0;
 2343         switch (EVP_PKEY_id(pk)) {
 2344         case EVP_PKEY_RSA:
 2345             check_type = TLS_CT_RSA_SIGN;
 2346             break;
 2347         case EVP_PKEY_DSA:
 2348             check_type = TLS_CT_DSS_SIGN;
 2349             break;
 2350         case EVP_PKEY_EC:
 2351             check_type = TLS_CT_ECDSA_SIGN;
 2352             break;
 2353         }
 2354         if (check_type) {
 2355             const uint8_t *ctypes = s->s3->tmp.ctype;
 2356             size_t j;
 2357 
 2358             for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
 2359                 if (*ctypes == check_type) {
 2360                     rv |= CERT_PKEY_CERT_TYPE;
 2361                     break;
 2362                 }
 2363             }
 2364             if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
 2365                 goto end;
 2366         } else {
 2367             rv |= CERT_PKEY_CERT_TYPE;
 2368         }
 2369 
 2370         ca_dn = s->s3->tmp.peer_ca_names;
 2371 
 2372         if (!sk_X509_NAME_num(ca_dn))
 2373             rv |= CERT_PKEY_ISSUER_NAME;
 2374 
 2375         if (!(rv & CERT_PKEY_ISSUER_NAME)) {
 2376             if (ssl_check_ca_name(ca_dn, x))
 2377                 rv |= CERT_PKEY_ISSUER_NAME;
 2378         }
 2379         if (!(rv & CERT_PKEY_ISSUER_NAME)) {
 2380             for (i = 0; i < sk_X509_num(chain); i++) {
 2381                 X509 *xtmp = sk_X509_value(chain, i);
 2382                 if (ssl_check_ca_name(ca_dn, xtmp)) {
 2383                     rv |= CERT_PKEY_ISSUER_NAME;
 2384                     break;
 2385                 }
 2386             }
 2387         }
 2388         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
 2389             goto end;
 2390     } else
 2391         rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
 2392 
 2393     if (!check_flags || (rv & check_flags) == check_flags)
 2394         rv |= CERT_PKEY_VALID;
 2395 
 2396  end:
 2397 
 2398     if (TLS1_get_version(s) >= TLS1_2_VERSION)
 2399         rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
 2400     else
 2401         rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
 2402 
 2403     /*
 2404      * When checking a CERT_PKEY structure all flags are irrelevant if the
 2405      * chain is invalid.
 2406      */
 2407     if (!check_flags) {
 2408         if (rv & CERT_PKEY_VALID) {
 2409             *pvalid = rv;
 2410         } else {
 2411             /* Preserve sign and explicit sign flag, clear rest */
 2412             *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
 2413             return 0;
 2414         }
 2415     }
 2416     return rv;
 2417 }
 2418 
 2419 /* Set validity of certificates in an SSL structure */
 2420 void tls1_set_cert_validity(SSL *s)
 2421 {
 2422     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
 2423     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
 2424     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
 2425     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
 2426     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
 2427     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
 2428     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
 2429     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
 2430     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
 2431 }
 2432 
 2433 /* User level utility function to check a chain is suitable */
 2434 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
 2435 {
 2436     return tls1_check_chain(s, x, pk, chain, -1);
 2437 }
 2438 
 2439 #ifndef OPENSSL_NO_DH
 2440 DH *ssl_get_auto_dh(SSL *s)
 2441 {
 2442     int dh_secbits = 80;
 2443     if (s->cert->dh_tmp_auto == 2)
 2444         return DH_get_1024_160();
 2445     if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
 2446         if (s->s3->tmp.new_cipher->strength_bits == 256)
 2447             dh_secbits = 128;
 2448         else
 2449             dh_secbits = 80;
 2450     } else {
 2451         if (s->s3->tmp.cert == NULL)
 2452             return NULL;
 2453         dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
 2454     }
 2455 
 2456     if (dh_secbits >= 128) {
 2457         DH *dhp = DH_new();
 2458         BIGNUM *p, *g;
 2459         if (dhp == NULL)
 2460             return NULL;
 2461         g = BN_new();
 2462         if (g == NULL || !BN_set_word(g, 2)) {
 2463             DH_free(dhp);
 2464             BN_free(g);
 2465             return NULL;
 2466         }
 2467         if (dh_secbits >= 192)
 2468             p = BN_get_rfc3526_prime_8192(NULL);
 2469         else
 2470             p = BN_get_rfc3526_prime_3072(NULL);
 2471         if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
 2472             DH_free(dhp);
 2473             BN_free(p);
 2474             BN_free(g);
 2475             return NULL;
 2476         }
 2477         return dhp;
 2478     }
 2479     if (dh_secbits >= 112)
 2480         return DH_get_2048_224();
 2481     return DH_get_1024_160();
 2482 }
 2483 #endif
 2484 
 2485 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
 2486 {
 2487     int secbits = -1;
 2488     EVP_PKEY *pkey = X509_get0_pubkey(x);
 2489     if (pkey) {
 2490         /*
 2491          * If no parameters this will return -1 and fail using the default
 2492          * security callback for any non-zero security level. This will
 2493          * reject keys which omit parameters but this only affects DSA and
 2494          * omission of parameters is never (?) done in practice.
 2495          */
 2496         secbits = EVP_PKEY_security_bits(pkey);
 2497     }
 2498     if (s)
 2499         return ssl_security(s, op, secbits, 0, x);
 2500     else
 2501         return ssl_ctx_security(ctx, op, secbits, 0, x);
 2502 }
 2503 
 2504 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
 2505 {
 2506     /* Lookup signature algorithm digest */
 2507     int secbits, nid, pknid;
 2508     /* Don't check signature if self signed */
 2509     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
 2510         return 1;
 2511     if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
 2512         secbits = -1;
 2513     /* If digest NID not defined use signature NID */
 2514     if (nid == NID_undef)
 2515         nid = pknid;
 2516     if (s)
 2517         return ssl_security(s, op, secbits, nid, x);
 2518     else
 2519         return ssl_ctx_security(ctx, op, secbits, nid, x);
 2520 }
 2521 
 2522 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
 2523 {
 2524     if (vfy)
 2525         vfy = SSL_SECOP_PEER;
 2526     if (is_ee) {
 2527         if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
 2528             return SSL_R_EE_KEY_TOO_SMALL;
 2529     } else {
 2530         if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
 2531             return SSL_R_CA_KEY_TOO_SMALL;
 2532     }
 2533     if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
 2534         return SSL_R_CA_MD_TOO_WEAK;
 2535     return 1;
 2536 }
 2537 
 2538 /*
 2539  * Check security of a chain, if |sk| includes the end entity certificate then
 2540  * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
 2541  * one to the peer. Return values: 1 if ok otherwise error code to use
 2542  */
 2543 
 2544 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
 2545 {
 2546     int rv, start_idx, i;
 2547     if (x == NULL) {
 2548         x = sk_X509_value(sk, 0);
 2549         start_idx = 1;
 2550     } else
 2551         start_idx = 0;
 2552 
 2553     rv = ssl_security_cert(s, NULL, x, vfy, 1);
 2554     if (rv != 1)
 2555         return rv;
 2556 
 2557     for (i = start_idx; i < sk_X509_num(sk); i++) {
 2558         x = sk_X509_value(sk, i);
 2559         rv = ssl_security_cert(s, NULL, x, vfy, 0);
 2560         if (rv != 1)
 2561             return rv;
 2562     }
 2563     return 1;
 2564 }
 2565 
 2566 /*
 2567  * For TLS 1.2 servers check if we have a certificate which can be used
 2568  * with the signature algorithm "lu" and return index of certificate.
 2569  */
 2570 
 2571 static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
 2572 {
 2573     int sig_idx = lu->sig_idx;
 2574     const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
 2575 
 2576     /* If not recognised or not supported by cipher mask it is not suitable */
 2577     if (clu == NULL
 2578             || (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0
 2579             || (clu->nid == EVP_PKEY_RSA_PSS
 2580                 && (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0))
 2581         return -1;
 2582 
 2583     return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
 2584 }
 2585 
 2586 /*
 2587  * Checks the given cert against signature_algorithm_cert restrictions sent by
 2588  * the peer (if any) as well as whether the hash from the sigalg is usable with
 2589  * the key.
 2590  * Returns true if the cert is usable and false otherwise.
 2591  */
 2592 static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
 2593                              EVP_PKEY *pkey)
 2594 {
 2595     const SIGALG_LOOKUP *lu;
 2596     int mdnid, pknid, default_mdnid;
 2597     size_t i;
 2598 
 2599     /* If the EVP_PKEY reports a mandatory digest, allow nothing else. */
 2600     ERR_set_mark();
 2601     if (EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2 &&
 2602         sig->hash != default_mdnid)
 2603             return 0;
 2604 
 2605     /* If it didn't report a mandatory NID, for whatever reasons,
 2606      * just clear the error and allow all hashes to be used. */
 2607     ERR_pop_to_mark();
 2608 
 2609     if (s->s3->tmp.peer_cert_sigalgs != NULL) {
 2610         for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
 2611             lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
 2612             if (lu == NULL
 2613                 || !X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
 2614                 continue;
 2615             /*
 2616              * TODO this does not differentiate between the
 2617              * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
 2618              * have a chain here that lets us look at the key OID in the
 2619              * signing certificate.
 2620              */
 2621             if (mdnid == lu->hash && pknid == lu->sig)
 2622                 return 1;
 2623         }
 2624         return 0;
 2625     }
 2626     return 1;
 2627 }
 2628 
 2629 /*
 2630  * Returns true if |s| has a usable certificate configured for use
 2631  * with signature scheme |sig|.
 2632  * "Usable" includes a check for presence as well as applying
 2633  * the signature_algorithm_cert restrictions sent by the peer (if any).
 2634  * Returns false if no usable certificate is found.
 2635  */
 2636 static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
 2637 {
 2638     /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
 2639     if (idx == -1)
 2640         idx = sig->sig_idx;
 2641     if (!ssl_has_cert(s, idx))
 2642         return 0;
 2643 
 2644     return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
 2645                              s->cert->pkeys[idx].privatekey);
 2646 }
 2647 
 2648 /*
 2649  * Returns true if the supplied cert |x| and key |pkey| is usable with the
 2650  * specified signature scheme |sig|, or false otherwise.
 2651  */
 2652 static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
 2653                           EVP_PKEY *pkey)
 2654 {
 2655     size_t idx;
 2656 
 2657     if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
 2658         return 0;
 2659 
 2660     /* Check the key is consistent with the sig alg */
 2661     if ((int)idx != sig->sig_idx)
 2662         return 0;
 2663 
 2664     return check_cert_usable(s, sig, x, pkey);
 2665 }
 2666 
 2667 /*
 2668  * Find a signature scheme that works with the supplied certificate |x| and key
 2669  * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
 2670  * available certs/keys to find one that works.
 2671  */
 2672 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
 2673 {
 2674     const SIGALG_LOOKUP *lu = NULL;
 2675     size_t i;
 2676 #ifndef OPENSSL_NO_EC
 2677     int curve = -1;
 2678 #endif
 2679     EVP_PKEY *tmppkey;
 2680 
 2681     /* Look for a shared sigalgs matching possible certificates */
 2682     for (i = 0; i < s->shared_sigalgslen; i++) {
 2683         lu = s->shared_sigalgs[i];
 2684 
 2685         /* Skip SHA1, SHA224, DSA and RSA if not PSS */
 2686         if (lu->hash == NID_sha1
 2687             || lu->hash == NID_sha224
 2688             || lu->sig == EVP_PKEY_DSA
 2689             || lu->sig == EVP_PKEY_RSA)
 2690             continue;
 2691         /* Check that we have a cert, and signature_algorithms_cert */
 2692         if (!tls1_lookup_md(lu, NULL))
 2693             continue;
 2694         if ((pkey == NULL && !has_usable_cert(s, lu, -1))
 2695                 || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
 2696             continue;
 2697 
 2698         tmppkey = (pkey != NULL) ? pkey
 2699                                  : s->cert->pkeys[lu->sig_idx].privatekey;
 2700 
 2701         if (lu->sig == EVP_PKEY_EC) {
 2702 #ifndef OPENSSL_NO_EC
 2703             if (curve == -1) {
 2704                 EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey);
 2705                 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
 2706             }
 2707             if (lu->curve != NID_undef && curve != lu->curve)
 2708                 continue;
 2709 #else
 2710             continue;
 2711 #endif
 2712         } else if (lu->sig == EVP_PKEY_RSA_PSS) {
 2713             /* validate that key is large enough for the signature algorithm */
 2714             if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
 2715                 continue;
 2716         }
 2717         break;
 2718     }
 2719 
 2720     if (i == s->shared_sigalgslen)
 2721         return NULL;
 2722 
 2723     return lu;
 2724 }
 2725 
 2726 /*
 2727  * Choose an appropriate signature algorithm based on available certificates
 2728  * Sets chosen certificate and signature algorithm.
 2729  *
 2730  * For servers if we fail to find a required certificate it is a fatal error,
 2731  * an appropriate error code is set and a TLS alert is sent.
 2732  *
 2733  * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
 2734  * a fatal error: we will either try another certificate or not present one
 2735  * to the server. In this case no error is set.
 2736  */
 2737 int tls_choose_sigalg(SSL *s, int fatalerrs)
 2738 {
 2739     const SIGALG_LOOKUP *lu = NULL;
 2740     int sig_idx = -1;
 2741 
 2742     s->s3->tmp.cert = NULL;
 2743     s->s3->tmp.sigalg = NULL;
 2744 
 2745     if (SSL_IS_TLS13(s)) {
 2746         lu = find_sig_alg(s, NULL, NULL);
 2747         if (lu == NULL) {
 2748             if (!fatalerrs)
 2749                 return 1;
 2750             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
 2751                      SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
 2752             return 0;
 2753         }
 2754     } else {
 2755         /* If ciphersuite doesn't require a cert nothing to do */
 2756         if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT))
 2757             return 1;
 2758         if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
 2759                 return 1;
 2760 
 2761         if (SSL_USE_SIGALGS(s)) {
 2762             size_t i;
 2763             if (s->s3->tmp.peer_sigalgs != NULL) {
 2764 #ifndef OPENSSL_NO_EC
 2765                 int curve;
 2766 
 2767                 /* For Suite B need to match signature algorithm to curve */
 2768                 if (tls1_suiteb(s)) {
 2769                     EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
 2770                     curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
 2771                 } else {
 2772                     curve = -1;
 2773                 }
 2774 #endif
 2775 
 2776                 /*
 2777                  * Find highest preference signature algorithm matching
 2778                  * cert type
 2779                  */
 2780                 for (i = 0; i < s->shared_sigalgslen; i++) {
 2781                     lu = s->shared_sigalgs[i];
 2782 
 2783                     if (s->server) {
 2784                         if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
 2785                             continue;
 2786                     } else {
 2787                         int cc_idx = s->cert->key - s->cert->pkeys;
 2788 
 2789                         sig_idx = lu->sig_idx;
 2790                         if (cc_idx != sig_idx)
 2791                             continue;
 2792                     }
 2793                     /* Check that we have a cert, and sig_algs_cert */
 2794                     if (!has_usable_cert(s, lu, sig_idx))
 2795                         continue;
 2796                     if (lu->sig == EVP_PKEY_RSA_PSS) {
 2797                         /* validate that key is large enough for the signature algorithm */
 2798                         EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;
 2799 
 2800                         if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
 2801                             continue;
 2802                     }
 2803 #ifndef OPENSSL_NO_EC
 2804                     if (curve == -1 || lu->curve == curve)
 2805 #endif
 2806                         break;
 2807                 }
 2808 #ifndef OPENSSL_NO_GOST
 2809                 /*
 2810                  * Some Windows-based implementations do not send GOST algorithms indication
 2811                  * in supported_algorithms extension, so when we have GOST-based ciphersuite,
 2812                  * we have to assume GOST support.
 2813                  */
 2814                 if (i == s->shared_sigalgslen && s->s3->tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) {
 2815                   if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
 2816                     if (!fatalerrs)
 2817                       return 1;
 2818                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
 2819                              SSL_F_TLS_CHOOSE_SIGALG,
 2820                              SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
 2821                     return 0;
 2822                   } else {
 2823                     i = 0;
 2824                     sig_idx = lu->sig_idx;
 2825                   }
 2826                 }
 2827 #endif
 2828                 if (i == s->shared_sigalgslen) {
 2829                     if (!fatalerrs)
 2830                         return 1;
 2831                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
 2832                              SSL_F_TLS_CHOOSE_SIGALG,
 2833                              SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
 2834                     return 0;
 2835                 }
 2836             } else {
 2837                 /*
 2838                  * If we have no sigalg use defaults
 2839                  */
 2840                 const uint16_t *sent_sigs;
 2841                 size_t sent_sigslen;
 2842 
 2843                 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
 2844                     if (!fatalerrs)
 2845                         return 1;
 2846                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
 2847                              ERR_R_INTERNAL_ERROR);
 2848                     return 0;
 2849                 }
 2850 
 2851                 /* Check signature matches a type we sent */
 2852                 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
 2853                 for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
 2854                     if (lu->sigalg == *sent_sigs
 2855                             && has_usable_cert(s, lu, lu->sig_idx))
 2856                         break;
 2857                 }
 2858                 if (i == sent_sigslen) {
 2859                     if (!fatalerrs)
 2860                         return 1;
 2861                     SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
 2862                              SSL_F_TLS_CHOOSE_SIGALG,
 2863                              SSL_R_WRONG_SIGNATURE_TYPE);
 2864                     return 0;
 2865                 }
 2866             }
 2867         } else {
 2868             if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
 2869                 if (!fatalerrs)
 2870                     return 1;
 2871                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
 2872                          ERR_R_INTERNAL_ERROR);
 2873                 return 0;
 2874             }
 2875         }
 2876     }
 2877     if (sig_idx == -1)
 2878         sig_idx = lu->sig_idx;
 2879     s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
 2880     s->cert->key = s->s3->tmp.cert;
 2881     s->s3->tmp.sigalg = lu;
 2882     return 1;
 2883 }
 2884 
 2885 int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
 2886 {
 2887     if (mode != TLSEXT_max_fragment_length_DISABLED
 2888             && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
 2889         SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
 2890                SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
 2891         return 0;
 2892     }
 2893 
 2894     ctx->ext.max_fragment_len_mode = mode;
 2895     return 1;
 2896 }
 2897 
 2898 int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
 2899 {
 2900     if (mode != TLSEXT_max_fragment_length_DISABLED
 2901             && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
 2902         SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH,
 2903                SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
 2904         return 0;
 2905     }
 2906 
 2907     ssl->ext.max_fragment_len_mode = mode;
 2908     return 1;
 2909 }
 2910 
 2911 uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
 2912 {
 2913     return session->ext.max_fragment_len_mode;
 2914 }