}
lu = tls1_lookup_sigalg(sig);
/*
- * Check sigalgs is known and key type is consistent with signature:
- * RSA keys can be used for RSA-PSS
+ * Check sigalgs is known. Disallow SHA1 with TLS 1.3. Check key type is
+ * consistent with signature: RSA keys can be used for RSA-PSS
*/
- if (lu == NULL || (pkeyid != lu->sig
+ if (lu == NULL || (SSL_IS_TLS13(s) && lu->hash == NID_sha1)
+ || (pkeyid != lu->sig
&& (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
if (SSL_IS_TLS13(s)) {
+ if (EC_KEY_get_conv_form(ec) != POINT_CONVERSION_UNCOMPRESSED) {
+ SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
+ SSL_R_ILLEGAL_POINT_COMPRESSION);
+ return 0;
+ }
/* For TLS 1.3 check curve matches signature algorithm */
-
if (lu->curve != NID_undef && curve != lu->curve) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
return 0;
break;
}
if (check_type) {
- const unsigned char *ctypes;
- int ctypelen;
- if (c->ctypes) {
- ctypes = c->ctypes;
- ctypelen = (int)c->ctype_num;
- } else {
- ctypes = (unsigned char *)s->s3->tmp.ctype;
- ctypelen = s->s3->tmp.ctype_num;
- }
- for (i = 0; i < ctypelen; i++) {
- if (ctypes[i] == check_type) {
+ const uint8_t *ctypes = s->s3->tmp.ctype;
+ size_t j;
+
+ for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) {
+ if (*ctypes == check_type) {
rv |= CERT_PKEY_CERT_TYPE;
break;
}
}
if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
goto end;
- } else
+ } else {
rv |= CERT_PKEY_CERT_TYPE;
+ }
ca_dn = s->s3->tmp.ca_names;
if (SSL_IS_TLS13(s)) {
size_t i;
#ifndef OPENSSL_NO_EC
- int curve = -1;
+ int curve = -1, skip_ec = 0;
#endif
/* Look for a certificate matching shared sigaglgs */
for (i = 0; i < s->cert->shared_sigalgslen; i++) {
lu = s->cert->shared_sigalgs[i];
- /* Skip DSA and RSA if not PSS */
- if (lu->sig == EVP_PKEY_DSA || lu->sig == EVP_PKEY_RSA)
+ /* Skip SHA1, DSA and RSA if not PSS */
+ if (lu->hash == NID_sha1 || lu->sig == EVP_PKEY_DSA
+ || lu->sig == EVP_PKEY_RSA)
continue;
if (ssl_md(lu->hash_idx) == NULL)
continue;
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[idx].privatekey);
curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ if (EC_KEY_get_conv_form(ec)
+ != POINT_CONVERSION_UNCOMPRESSED)
+ skip_ec = 1;
}
- if (lu->curve != NID_undef && curve != lu->curve)
+ if (skip_ec || (lu->curve != NID_undef && curve != lu->curve))
continue;
#else
continue;
if (SSL_USE_SIGALGS(s)) {
if (s->s3->tmp.peer_sigalgs != NULL) {
size_t i;
+#ifndef OPENSSL_NO_EC
+ int curve;
+
+ /* For Suite B need to match signature algorithm to curve */
+ if (tls1_suiteb(s)) {
+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[idx].privatekey);
+ curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ } else {
+ curve = -1;
+ }
+#endif
/*
* Find highest preference signature algorithm matching
*/
for (i = 0; i < s->cert->shared_sigalgslen; i++) {
lu = s->cert->shared_sigalgs[i];
+#ifdef OPENSSL_NO_EC
if (lu->sig_idx == idx)
break;
+#else
+ if (lu->sig_idx == idx
+ && (curve == -1 || lu->curve == curve))
+ break;
+#endif
if (idx == SSL_PKEY_RSA && lu->sig == EVP_PKEY_RSA_PSS)
break;
}