/* Should never happen */
if (pkeyid == -1)
return -1;
- /* Only allow PSS for TLS 1.3 */
- if (SSL_IS_TLS13(s) && pkeyid == EVP_PKEY_RSA)
- pkeyid = EVP_PKEY_RSA_PSS;
+ if (SSL_IS_TLS13(s)) {
+ /* Disallow DSA for TLS 1.3 */
+ if (pkeyid == EVP_PKEY_DSA) {
+ SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
+ }
+ /* Only allow PSS for TLS 1.3 */
+ if (pkeyid == EVP_PKEY_RSA)
+ pkeyid = EVP_PKEY_RSA_PSS;
+ }
lu = tls1_lookup_sigalg(sig);
/*
* Check sigalgs is known and key type is consistent with signature:
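Review bot: The new TLS 1.3 branch rejects a single key type by name (`pkeyid == EVP_PKEY_DSA`) rather than accepting only the key types TLS 1.3 permits. Any other legacy key type whose id equals the `sig` field of its own table entry would still reach the consistency check after `tls1_lookup_sigalg(sig)`, and whether it passes depends on what the sigalg table holds, which is not visible in this hunk. If the table can carry further non-TLS 1.3 schemes, inverting the test into an allowlist of permitted key types would fail closed when new entries are added. Otherwise, record the assumption next to the check, e.g. `/* TLS 1.3 defines no DSA schemes; other key types are filtered by the sigalg lookup below */`. The second hunk's `lu->sig == EVP_PKEY_DSA || lu->sig == EVP_PKEY_RSA` has the same denylist shape, and the enclosing function starts and ends outside this hunk.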
for (i = 0; i < s->cert->shared_sigalgslen; i++) {
lu = s->cert->shared_sigalgs[i];
- /* Skip RSA if not PSS */
- if (lu->sig == EVP_PKEY_RSA)
+ /* Skip DSA and RSA if not PSS */
+ if (lu->sig == EVP_PKEY_DSA || lu->sig == EVP_PKEY_RSA)
continue;
if (ssl_md(lu->hash_idx) == NULL)
continue;
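Review bot: The updated comment `/* Skip DSA and RSA if not PSS */` reads as though DSA could also be PSS, while the condition below it skips DSA unconditionally and skips entries whose `sig` is `EVP_PKEY_RSA`. Wording such as `/* Skip DSA, and skip RSA unless the scheme is RSA-PSS */` states the rule without that ambiguity. The comment could also say why RSA-PSS entries survive this test, presumably because they carry `EVP_PKEY_RSA_PSS` in `lu->sig`, as the first hunk's remapping suggests. The loop body continues outside this hunk.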