From 678f38802f4393bfba9de9bff44117613f9e1590 Mon Sep 17 00:00:00 2001 From: tb Date: Wed, 29 Jun 2022 07:53:58 +0000 Subject: [PATCH] Check the security level when building sigalgs ok beck jsing --- lib/libssl/ssl_sigalgs.c | 15 +++++++++++---- lib/libssl/ssl_sigalgs.h | 4 ++-- lib/libssl/ssl_srvr.c | 6 +++--- lib/libssl/ssl_tlsext.c | 7 ++++--- 4 files changed, 20 insertions(+), 12 deletions(-) diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c index 79239ef597c..8a1b5f51983 100644 --- a/lib/libssl/ssl_sigalgs.c +++ b/lib/libssl/ssl_sigalgs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.c,v 1.42 2022/06/29 07:53:00 tb Exp $ */ +/* $OpenBSD: ssl_sigalgs.c,v 1.43 2022/06/29 07:53:58 tb Exp $ */ /* * Copyright (c) 2018-2020 Bob Beck * Copyright (c) 2021 Joel Sing @@ -241,11 +241,13 @@ ssl_sigalg_from_value(SSL *s, uint16_t value) } int -ssl_sigalgs_build(uint16_t tls_version, CBB *cbb) +ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level) { + const struct ssl_sigalg *sigalg; const uint16_t *values; size_t len; size_t i; + int ret = 0; ssl_sigalgs_for_version(tls_version, &values, &len); @@ -254,12 +256,17 @@ ssl_sigalgs_build(uint16_t tls_version, CBB *cbb) /* Do not allow the legacy value for < 1.2 to be used. */ if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1) return 0; - if (ssl_sigalg_lookup(values[i]) == NULL) + if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL) return 0; + if (sigalg->security_level < security_level) + continue; + if (!CBB_add_u16(cbb, values[i])) return 0; + + ret = 1; } - return 1; + return ret; } static const struct ssl_sigalg * diff --git a/lib/libssl/ssl_sigalgs.h b/lib/libssl/ssl_sigalgs.h index 9f4a3a3c33d..5be2122906a 100644 --- a/lib/libssl/ssl_sigalgs.h +++ b/lib/libssl/ssl_sigalgs.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.h,v 1.24 2022/06/29 07:53:00 tb Exp $ */ +/* $OpenBSD: ssl_sigalgs.h,v 1.25 2022/06/29 07:53:58 tb Exp $ */ /* * Copyright (c) 2018-2019 Bob Beck * @@ -69,7 +69,7 @@ struct ssl_sigalg { int flags; }; -int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb); +int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level); const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey); const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value); diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index 20660cbf27a..97077a3380f 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.143 2022/06/28 14:51:37 tb Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.144 2022/06/29 07:53:58 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1567,8 +1567,8 @@ ssl3_send_certificate_request(SSL *s) if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs)) goto err; - if (!ssl_sigalgs_build( - s->s3->hs.negotiated_tls_version, &sigalgs)) + if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, + &sigalgs, SSL_get_security_level(s))) goto err; } diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c index 53d40157e93..8faf90fde0e 100644 --- a/lib/libssl/ssl_tlsext.c +++ b/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.113 2022/06/04 07:55:44 tb Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.114 2022/06/29 07:53:58 tb Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -587,7 +587,7 @@ tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) return 0; - if (!ssl_sigalgs_build(tls_version, &sigalgs)) + if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) return 0; if (!CBB_flush(cbb)) return 0; @@ -623,7 +623,8 @@ tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) return 0; - if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs)) + if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, + SSL_get_security_level(s))) return 0; if (!CBB_flush(cbb)) return 0; -- 2.20.1