From: Noah Robbin <noah_robbin@symantec.com>
Date: Tue, 19 Sep 2017 16:15:42 +0000 (-0400)
Subject: Use size of server key when selecting signature algorithm.
X-Git-Tag: OpenSSL_1_1_1-pre1~215
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=0fe3db251a49b11cafdc3e4a25fdac947f3bdf3b

Use size of server key when selecting signature algorithm.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4389)
---

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 9dfbb8ed3c..a2be135e44 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -787,6 +787,27 @@ int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
     return 1;
 }
 
+/*
+ * Check if key is large enough to generate RSA-PSS signature.
+ *
+ * The key must greater than or equal to 2 * hash length + 2.
+ * SHA512 has a hash length of 64 bytes, which is incompatible
+ * with a 128 byte (1024 bit) key.
+ */
+#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
+static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
+{
+    const EVP_MD *md;
+
+    if (rsa == NULL)
+        return 0;
+    if (!tls1_lookup_md(lu, &md) || md == NULL)
+        return 0;
+    if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md))
+        return 0;
+    return 1;
+}
+
 /*
  * Return a signature algorithm for TLS < 1.2 where the signature type
  * is fixed by the certificate type.
@@ -2303,6 +2324,12 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
 #else
                 continue;
 #endif
+            } else if (lu->sig == EVP_PKEY_RSA_PSS) {
+                /* validate that key is large enough for the signature algorithm */
+                const RSA *rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_PSS_SIGN].privatekey);
+
+                if (!rsa_pss_check_min_key_size(rsa, lu))
+                    continue;
             }
             break;
         }
@@ -2356,6 +2383,13 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
                             sig_idx = SSL_PKEY_RSA;
                         }
                     }
+                    if (lu->sig == EVP_PKEY_RSA_PSS) {
+                        /* validate that key is large enough for the signature algorithm */
+                        const RSA *rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_PSS_SIGN].privatekey);
+
+                        if (!rsa_pss_check_min_key_size(rsa, lu))
+                            continue;
+                    }
 #ifndef OPENSSL_NO_EC
                     if (curve == -1 || lu->curve == curve)
 #endif