authorKurt Roeckx <kurt@roeckx.be>2020-01-02 22:53:32 +0100
committerKurt Roeckx <kurt@roeckx.be>2020-01-25 14:10:40 +0100
commitb0031e5dc2c8c99a6c04bc7625aa00d3d20a59a5 (patch)
treeda10e34e905255c2db09f07aa8bd321e52c1a45e /ssl
parent5fd72d96a592c3c4ef28ff11c6ef334a856b0cd1 (diff)
Check that the default signature type is allowed
TLS < 1.2 has fixed signature algorithms: MD5+SHA1 for RSA and SHA1 for the others. TLS 1.2 lets the peer send a list of supported signature algorithms, but also allows omitting it, in which case SHA1 is used. TLS 1.3 makes sending the list mandatory. When we didn't receive a list from the client, we always used the defaults without checking that they are allowed by the configuration. Reviewed-by: Paul Dale <paul.dale@oracle.com> GH: #10784
Diffstat (limited to 'ssl')
-rw-r--r--ssl/ssl_local.h2
-rw-r--r--ssl/t1_lib.c16
2 files changed, 13 insertions, 5 deletions
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 14515cadfe..43b0623a0b 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2606,7 +2606,7 @@ __owur int tls_check_sigalg_curve(const SSL *s, int curve);
# endif
__owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
__owur int ssl_set_client_disabled(SSL *s);
-__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
+__owur int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int echde);
__owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
size_t *hashlen);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index afb72857e5..0504f6bba1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -22,6 +22,7 @@
#include <openssl/ct.h>
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
+static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
SSL3_ENC_METHOD const TLSv1_enc_data = {
tls1_enc,
@@ -928,8 +929,11 @@ static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
}
/*
- * Return a signature algorithm for TLS < 1.2 where the signature type
- * is fixed by the certificate type.
+ * Returns a signature algorithm when the peer did not send a list of supported
+ * signature algorithms. The signature algorithm is fixed for the certificate
+ * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
+ * certificate type from |s| will be used.
+ * Returns the signature algorithm to use, or NULL on error.
*/
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
{
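Review bot: The last line of the new comment, `Returns the signature algorithm to use, or NULL on error.`, does not describe the case this commit introduces, where a default algorithm exists but is rejected by the configured sigalgs or security level; a caller reading "error" may treat that NULL as an internal failure rather than a policy decision. Suggest ` * Returns the signature algorithm to use, or NULL if there is none or the default is not allowed by the configuration (sigalgs list or security level).` The body of tls1_get_legacy_sigalg continues outside this hunk.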
@@ -972,8 +976,12 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
if (!tls1_lookup_md(lu, NULL))
return NULL;
+ if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
+ return NULL;
return lu;
}
+ if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
+ return NULL;
return &legacy_rsa_sigalg;
}
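Review bot: Both new calls pass SSL_SECOP_SIGALG_SUPPORTED to tls12_sigalg_allowed, which, judging from the `secbits`/`sigalgstr` locals visible in the last hunk, runs the security-level callback as well as the configured sigalg check; so the MD5+SHA1 RSA default and the SHA1 defaults are now subject to the security level, and at a level that rejects SHA1-based signatures every TLS < 1.2 handshake that reaches this path will fail with no usable signature algorithm. That is presumably intended, but the commit message only mentions the configuration, so it deserves a CHANGES entry and a sentence in the function comment, and the callers should surface the NULL as a distinct "no suitable signature algorithm" error rather than a generic handshake failure. The two identical checks can also be folded into one by assigning `lu = &legacy_rsa_sigalg;` on the fallback path and testing `tls12_sigalg_allowed` once before `return lu;`, provided the preceding branch structure (outside this hunk) permits it. tls1_get_legacy_sigalg begins before this hunk.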
/* Set peer sigalg based key type */
@@ -1255,7 +1263,7 @@ int ssl_set_client_disabled(SSL *s)
*
* Returns 1 when it's disabled, 0 when enabled.
*/
-int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
+int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
{
if (c->algorithm_mkey & s->s3.tmp.mask_k
|| c->algorithm_auth & s->s3.tmp.mask_a)
@@ -1635,7 +1643,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
}
/* Check to see if a signature algorithm is allowed */
-static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
+static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
{
unsigned char sigalgstr[2];
int secbits;