Check that the public key OID matches the sig alg

Using the rsa_pss_rsae_sha256 sig alg should imply that the key OID is rsaEncryption. Similarly rsa_pss_pss_sha256 implies the key OID is rsassaPss. However we did not check this and incorrectly tolerated a key OID that did not match the sig alg sent by the peer. Fixes #6611 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6732)
2025-04-06 20:20:50 +08:00 · 2018-07-17 16:31:07 +01:00 · 2018-07-17 16:31:07 +01:00 · 11d2641f96
commit 11d2641f96
parent 1a50eedf2a
3 changed files with 32 additions and 10 deletions
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@ -995,22 +995,35 @@ int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other)
                             ctx->cert->sec_ex);
 }

+int ssl_cert_lookup_by_nid(int nid, size_t *pidx)
+{
+    size_t i;
+
+    for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) {
+        if (ssl_cert_info[i].nid == nid) {
+            *pidx = i;
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
 const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx)
 {
    int nid = EVP_PKEY_id(pk);
-    size_t i;
+    size_t tmpidx;

    if (nid == NID_undef)
        return NULL;

-    for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) {
-        if (ssl_cert_info[i].nid == nid) {
-            if (pidx != NULL)
-                *pidx = i;
-            return &ssl_cert_info[i];
-        }
-    }
-    return NULL;
+    if (!ssl_cert_lookup_by_nid(nid, &tmpidx))
+        return NULL;
+
+    if (pidx != NULL)
+        *pidx = tmpidx;
+
+    return &ssl_cert_info[tmpidx];
 }

 const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@ -2288,6 +2288,7 @@ __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
 __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
                            void *other);

+__owur int ssl_cert_lookup_by_nid(int nid, size_t *pidx);
 __owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk,
                                                      size_t *pidx);
 __owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx);
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@ -955,7 +955,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
    const uint16_t *sent_sigs;
    const EVP_MD *md = NULL;
    char sigalgstr[2];
-    size_t sent_sigslen, i;
+    size_t sent_sigslen, i, cidx;
    int pkeyid = EVP_PKEY_id(pkey);
    const SIGALG_LOOKUP *lu;

@ -986,6 +986,14 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
                 SSL_R_WRONG_SIGNATURE_TYPE);
        return 0;
    }
+    /* Check the sigalg is consistent with the key OID */
+    if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx)
+            || lu->sig_idx != (int)cidx) {
+        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
+                 SSL_R_WRONG_SIGNATURE_TYPE);
+        return 0;
+    }
+
 #ifndef OPENSSL_NO_EC
    if (pkeyid == EVP_PKEY_EC) {