diff options
author | Matt Caswell <matt@openssl.org> | 2018-07-17 16:31:07 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-07-18 09:58:56 +0100 |
commit | 11d2641f96ead76deb5b8fac638a3ad36a971a66 (patch) | |
tree | 7268fce6dcd0dd6f6993d746cc46045323a301e3 /ssl/t1_lib.c | |
parent | 1a50eedf2a1fbb1e0e009ad616d8be678e4c6340 (diff) | |
download | openssl-11d2641f96ead76deb5b8fac638a3ad36a971a66.tar.gz |
Check that the public key OID matches the sig alg
Using the rsa_pss_rsae_sha256 sig alg should imply that the key OID is
rsaEncryption. Similarly rsa_pss_pss_sha256 implies the key OID is
rsassaPss. However we did not check this and incorrectly tolerated a key
OID that did not match the sig alg sent by the peer.
Fixes #6611
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6732)
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r-- | ssl/t1_lib.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 3c7590c31f..df27ba6b7b 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -955,7 +955,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) const uint16_t *sent_sigs; const EVP_MD *md = NULL; char sigalgstr[2]; - size_t sent_sigslen, i; + size_t sent_sigslen, i, cidx; int pkeyid = EVP_PKEY_id(pkey); const SIGALG_LOOKUP *lu; @@ -986,6 +986,14 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) SSL_R_WRONG_SIGNATURE_TYPE); return 0; } + /* Check the sigalg is consistent with the key OID */ + if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx) + || lu->sig_idx != (int)cidx) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } + #ifndef OPENSSL_NO_EC if (pkeyid == EVP_PKEY_EC) { |