
Commit 2db1c7a

authored
Merge pull request #9395 from SparkiDev/tls12_cv_sig_check
TLS 1.2 CertificateVerify: validate sig alg matches peer key
2 parents 4da3652 + f54ca0d commit 2db1c7a

5 files changed

Lines changed: 517 additions & 104 deletions


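--- a/src/internal.c
+++ b/src/internal.c
@@ -37354,11 +37354,11 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 XMEMCPY(outSuites->suites, &suites, sizeof(suites));
 #ifdef WOLFSSL_DEBUG_TLS
 {
-int ii;
+word16 ii;
 WOLFSSL_MSG("Refined Ciphers:");
-for (ii = 0 ; ii < suites->suiteSz; ii += 2) {
-WOLFSSL_MSG(GetCipherNameInternal(suites->suites[ii+0],
-suites->suites[ii+1]));
+for (ii = 0 ; ii < outSuites->suiteSz; ii += 2) {
+WOLFSSL_MSG(GetCipherNameInternal(outSuites->suites[ii+0],
+outSuites->suites[ii+1]));
 }
 }
 #endif
@@ -38584,58 +38584,86 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 case TLS_ASYNC_BUILD:
 {
 if (IsAtLeastTLSv1_2(ssl)) {
-if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > size) {
+if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN >
+size) {
 ERROR_OUT(BUFFER_ERROR, exit_dcv);
 }
 
+/* Check if hashSigAlgo in CertificateVerify is supported
+* in our ssl->suites or ssl->ctx->suites. */
+if (!SupportedHashSigAlgo(ssl, &input[args->idx])) {
+WOLFSSL_MSG("Signature algorithm was not in "
+"CertificateRequest");
+ERROR_OUT(INVALID_PARAMETER, exit_dcv);
+}
+
 DecodeSigAlg(&input[args->idx], &ssl->options.peerHashAlgo,
 &ssl->options.peerSigAlgo);
 args->idx += 2;
-}
-#ifndef NO_RSA
-else if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0)
-ssl->options.peerSigAlgo = rsa_sa_algo;
-#endif
-#ifdef HAVE_ECC
-else if (ssl->peerEccDsaKeyPresent) {
-#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
-if (ssl->peerEccDsaKey->dp->id == ECC_SM2P256V1) {
-ssl->options.peerSigAlgo = sm2_sa_algo;
+
+#ifndef NO_RSA
+if (ssl->peerRsaKeyPresent) {
+if (ssl->options.peerSigAlgo != rsa_sa_algo
+#ifdef WC_RSA_PSS
+&& ssl->options.peerSigAlgo != rsa_pss_sa_algo
+#endif
+) {
+WOLFSSL_MSG("Oops, peer sent RSA key but not in "
+"verify");
+ERROR_OUT(INVALID_PARAMETER, exit_dcv);
+}
+}
+else
+#endif
+#ifdef HAVE_ECC
+if (ssl->peerEccDsaKeyPresent) {
+if (ssl->options.peerSigAlgo != ecc_dsa_sa_algo
+#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
+&& ssl->options.peerSigAlgo != sm2_sa_algo
+#endif
+) {
+WOLFSSL_MSG("Oops, peer sent ECC key but not in "
+"verify");
+ERROR_OUT(INVALID_PARAMETER, exit_dcv);
+}
+#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
+if (ssl->options.peerSigAlgo == sm2_sa_algo &&
+ssl->options.peerHashAlgo != sm3_mac) {
+WOLFSSL_MSG("SM2 with SM3 only");
+ERROR_OUT(INVALID_PARAMETER, exit_dcv);
+}
+#endif
 }
 else
 #endif
+#if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
+if (ssl->peerEd25519KeyPresent) {
+if (ssl->options.peerSigAlgo != ed25519_sa_algo) {
+WOLFSSL_MSG("Oops, peer sent Ed25519 key but not "
+"in verify");
+ERROR_OUT(INVALID_PARAMETER, exit_dcv);
+}
+}
+else
+#endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
+#if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
+if (ssl->peerEd448KeyPresent) {
+if (ssl->options.peerSigAlgo != ed448_sa_algo) {
+WOLFSSL_MSG("Oops, peer sent Ed448 key but not in "
+"verify");
+ERROR_OUT(INVALID_PARAMETER, exit_dcv);
+}
+}
+else
+#endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
 {
-ssl->options.peerSigAlgo = ecc_dsa_sa_algo;
+ERROR_OUT(INVALID_PARAMETER, exit_dcv);
 }
-}
-#endif
-#if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
-else if (ssl->peerEd25519KeyPresent)
-ssl->options.peerSigAlgo = ed25519_sa_algo;
-#endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
-#if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
-else if (ssl->peerEd448KeyPresent)
-ssl->options.peerSigAlgo = ed448_sa_algo;
-#endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
 
-if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
-ERROR_OUT(BUFFER_ERROR, exit_dcv);
-}
-
-ato16(input + args->idx, &args->sz);
-args->idx += OPAQUE16_LEN;
-
-if ((args->idx - args->begin) + args->sz > size ||
-args->sz > ENCRYPT_LEN) {
-ERROR_OUT(BUFFER_ERROR, exit_dcv);
+SetDigest(ssl, ssl->options.peerHashAlgo);
 }
-
-#ifdef HAVE_ECC
-if (ssl->peerEccDsaKeyPresent) {
-
-WOLFSSL_MSG("Doing ECC peer cert verify");
-
-/* make sure a default is defined */
+else {
+/* make sure a default is defined */
 #if !defined(NO_SHA)
 SetDigest(ssl, sha_mac);
 #elif !defined(NO_SHA256)
@@ -38650,39 +38678,51 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 #error No digest enabled for ECC sig verify
 #endif
 
-if (IsAtLeastTLSv1_2(ssl)) {
-if (ssl->options.peerSigAlgo != ecc_dsa_sa_algo
-#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
-&& ssl->options.peerSigAlgo != sm2_sa_algo
-#endif
-) {
-WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
+#ifndef NO_RSA
+if (ssl->peerRsaKeyPresent)
+ssl->options.peerSigAlgo = rsa_sa_algo;
+else
+#endif
+#ifdef HAVE_ECC
+if (ssl->peerEccDsaKeyPresent) {
+#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
+if (ssl->peerEccDsaKey->dp->id == ECC_SM2P256V1) {
+ssl->options.peerSigAlgo = sm2_sa_algo;
+}
+else
+#endif
+{
+ssl->options.peerSigAlgo = ecc_dsa_sa_algo;
 }
-
-SetDigest(ssl, ssl->options.peerHashAlgo);
 }
-}
-#endif /* HAVE_ECC */
-#if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
-if (ssl->peerEd25519KeyPresent) {
-WOLFSSL_MSG("Doing ED25519 peer cert verify");
-if (IsAtLeastTLSv1_2(ssl) &&
-ssl->options.peerSigAlgo != ed25519_sa_algo) {
-WOLFSSL_MSG(
-"Oops, peer sent ED25519 key but not in verify");
+else
+#endif
+#if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
+if (ssl->peerEd25519KeyPresent)
+ssl->options.peerSigAlgo = ed25519_sa_algo;
+else
+#endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
+#if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
+if (ssl->peerEd448KeyPresent)
+ssl->options.peerSigAlgo = ed448_sa_algo;
+else
+#endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
+{
+ERROR_OUT(NO_PEER_KEY, exit_dcv);
 }
 }
-#endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
-#if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
-if (ssl->peerEd448KeyPresent) {
-WOLFSSL_MSG("Doing ED448 peer cert verify");
-if (IsAtLeastTLSv1_2(ssl) &&
-ssl->options.peerSigAlgo != ed448_sa_algo) {
-WOLFSSL_MSG(
-"Oops, peer sent ED448 key but not in verify");
-}
+
+if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
+ERROR_OUT(BUFFER_ERROR, exit_dcv);
+}
+
+ato16(input + args->idx, &args->sz);
+args->idx += OPAQUE16_LEN;
+
+if ((args->idx - args->begin) + args->sz > size ||
+args->sz > ENCRYPT_LEN) {
+ERROR_OUT(BUFFER_ERROR, exit_dcv);
 }
-#endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
 
 /* Advance state and proceed */
 ssl->options.asyncState = TLS_ASYNC_DO;
@@ -38819,8 +38859,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 if (IsAtLeastTLSv1_2(ssl)) {
 #ifdef WC_RSA_PSS
 if (ssl->options.peerSigAlgo == rsa_pss_sa_algo) {
-SetDigest(ssl, ssl->options.peerHashAlgo);
-
 #ifdef HAVE_SELFTEST
 ret = wc_RsaPSS_CheckPadding(
 ssl->buffers.digest.buffer,
@@ -38853,12 +38891,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 }
 #endif
 
-if (ssl->options.peerSigAlgo != rsa_sa_algo) {
-WOLFSSL_MSG("Oops, peer sent RSA key but not "
-"in verify");
-}
-
-SetDigest(ssl, ssl->options.peerHashAlgo);
 
 args->sigSz = wc_EncodeSignature(encodedSig,
 ssl->buffers.digest.buffer,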
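Review bot: The fall-through `else` added at new line 38660 reports `INVALID_PARAMETER` when no peer key of any supported type is present, whereas the pre-TLS-1.2 branch added at new lines 38710-38711 reports `NO_PEER_KEY` for the same situation; the 1.2 path should use `ERROR_OUT(NO_PEER_KEY, exit_dcv);` as well, so an absent key stays distinguishable from a signature-algorithm mismatch and the error does not depend on protocol version. In the ECC branch (new lines 38619-38635) the check accepts `sm2_sa_algo` for any ECC key and `ecc_dsa_sa_algo` for an SM2 key, while the pre-1.2 branch derives the algorithm from `ssl->peerEccDsaKey->dp->id == ECC_SM2P256V1`; adding the same curve test under the SM2/SM3 guard, e.g. `if ((ssl->options.peerSigAlgo == sm2_sa_algo) != (ssl->peerEccDsaKey->dp->id == ECC_SM2P256V1)) ERROR_OUT(INVALID_PARAMETER, exit_dcv);`, would tie the selected verify routine to the key's curve, unless the verify step outside this hunk already rejects that pairing. The log text at new lines 38595-38596, `"Signature algorithm was not in CertificateRequest"`, describes a check against the CertificateRequest that was sent, but the comment above it says `SupportedHashSigAlgo` consults `ssl->suites`/`ssl->ctx->suites`; those may or may not be the same list, so the message or the comment should name what is actually checked. The enclosing function starts before and ends after these hunks (the hunk header names DoSessionTicket, but the `exit_dcv` label suggests the CertificateVerify handler).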