diff options
author | Matt Caswell <matt@openssl.org> | 2018-10-19 14:01:22 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-11-12 11:08:51 +0000 |
commit | de4dc598024fd0a9c2b7a466fd5323755d369522 (patch) | |
tree | b8a5c1e2c789ef5acd9d63e552b34ced40a7e586 /ssl/statem/statem_lib.c | |
parent | 425036130dfb3cfbef5937772f7526ce60133264 (diff) |
Don't negotiate TLSv1.3 if our EC cert isn't TLSv1.3 capable
TLSv1.3 is more restrictive about the curve used. There must be a matching
sig alg defined for that curve. Therefore if we are using some other curve
in our certificate then we should not negotiate TLSv1.3.
Fixes #7435
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7442)
Diffstat (limited to 'ssl/statem/statem_lib.c')
-rw-r--r-- | ssl/statem/statem_lib.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 75cf321b98..dc2bd20e93 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1506,7 +1506,8 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) */ static int is_tls13_capable(const SSL *s) { - int i; + int i, curve; + EC_KEY *eckey; #ifndef OPENSSL_NO_PSK if (s->psk_server_callback != NULL) @@ -1527,7 +1528,20 @@ static int is_tls13_capable(const SSL *s) default: break; } - if (ssl_has_cert(s, i)) + if (!ssl_has_cert(s, i)) + continue; + if (i != SSL_PKEY_ECC) + return 1; + /* + * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is + * more restrictive so check that our sig algs are consistent with this + * EC cert. See section 4.2.3 of RFC8446. + */ + eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey); + if (eckey == NULL) + continue; + curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)); + if (tls_check_sigalg_curve(s, curve)) return 1; } |