Allow TLSv1.3 EC certs to use compressed points
authorMatt Caswell <matt@openssl.org>
Mon, 23 Apr 2018 13:02:23 +0000 (14:02 +0100)
committerMatt Caswell <matt@openssl.org>
Tue, 24 Apr 2018 08:28:17 +0000 (09:28 +0100)
The spec does not prohib certs form using compressed points. It only
requires that points in a key share are uncompressed. It says nothing
about point compression for certs, so we should not fail if a cert uses a
compressed point.

Fixes #5743

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6055)

ssl/t1_lib.c
test/ssl-tests/20-cert-select.conf
test/ssl-tests/20-cert-select.conf.in

index b698e2b..b777b3a 100644 (file)
@@ -442,8 +442,11 @@ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
     if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
             comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
     } else if (SSL_IS_TLS13(s)) {
-            /* Compression not allowed in TLS 1.3 */
-            return 0;
+            /*
+             * ec_point_formats extension is not used in TLSv1.3 so we ignore
+             * this check.
+             */
+            return 1;
     } else {
         int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp));
 
@@ -2435,7 +2438,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
     if (SSL_IS_TLS13(s)) {
         size_t i;
 #ifndef OPENSSL_NO_EC
-        int curve = -1, skip_ec = 0;
+        int curve = -1;
 #endif
 
         /* Look for a certificate matching shared sigalgs */
@@ -2458,11 +2461,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
                     EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
 
                     curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
-                    if (EC_KEY_get_conv_form(ec)
-                        != POINT_CONVERSION_UNCOMPRESSED)
-                        skip_ec = 1;
                 }
-                if (skip_ec || (lu->curve != NID_undef && curve != lu->curve))
+                if (lu->curve != NID_undef && curve != lu->curve)
                     continue;
 #else
                 continue;
index 26da1c0..0a92bf8 100644 (file)
@@ -971,7 +971,11 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-28]
-ExpectedResult = ServerFail
+ExpectedResult = Success
+ExpectedServerCANames = empty
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = EC
 
 
 # ===========================================================
index 62dfc52..51a158d 100644 (file)
@@ -511,7 +511,11 @@ my @tests_tls_1_3 = (
             "SignatureAlgorithms" => "ECDSA+SHA256",
         },
         test   => {
-            "ExpectedResult" => "ServerFail"
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "EC",
+            "ExpectedServerCANames" => "empty",
+            "ExpectedResult" => "Success"
         },
     },
     {