diff options
| author | tb <> | 2022-06-29 07:53:58 +0000 |
|---|---|---|
| committer | tb <> | 2022-06-29 07:53:58 +0000 |
| commit | 4971137ca5f4d3de0801bec3fdc944bc625b0211 (patch) | |
| tree | 594c4dd3136308d7d86b9e285e5fb25707f9d3f1 | |
| parent | 5a8ebcd55cb4d2f98af3f413f2ae8601241f0891 (diff) | |
| download | openbsd-4971137ca5f4d3de0801bec3fdc944bc625b0211.tar.gz openbsd-4971137ca5f4d3de0801bec3fdc944bc625b0211.tar.bz2 openbsd-4971137ca5f4d3de0801bec3fdc944bc625b0211.zip | |
Check the security level when building sigalgs
ok beck jsing
| -rw-r--r-- | src/lib/libssl/ssl_sigalgs.c | 15 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_sigalgs.h | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_srvr.c | 6 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 7 |
4 files changed, 20 insertions, 12 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c index 79239ef597..8a1b5f5198 100644 --- a/src/lib/libssl/ssl_sigalgs.c +++ b/src/lib/libssl/ssl_sigalgs.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_sigalgs.c,v 1.42 2022/06/29 07:53:00 tb Exp $ */ | 1 | /* $OpenBSD: ssl_sigalgs.c,v 1.43 2022/06/29 07:53:58 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> |
| 4 | * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> |
| @@ -241,11 +241,13 @@ ssl_sigalg_from_value(SSL *s, uint16_t value) | |||
| 241 | } | 241 | } |
| 242 | 242 | ||
| 243 | int | 243 | int |
| 244 | ssl_sigalgs_build(uint16_t tls_version, CBB *cbb) | 244 | ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level) |
| 245 | { | 245 | { |
| 246 | const struct ssl_sigalg *sigalg; | ||
| 246 | const uint16_t *values; | 247 | const uint16_t *values; |
| 247 | size_t len; | 248 | size_t len; |
| 248 | size_t i; | 249 | size_t i; |
| 250 | int ret = 0; | ||
| 249 | 251 | ||
| 250 | ssl_sigalgs_for_version(tls_version, &values, &len); | 252 | ssl_sigalgs_for_version(tls_version, &values, &len); |
| 251 | 253 | ||
| @@ -254,12 +256,17 @@ ssl_sigalgs_build(uint16_t tls_version, CBB *cbb) | |||
| 254 | /* Do not allow the legacy value for < 1.2 to be used. */ | 256 | /* Do not allow the legacy value for < 1.2 to be used. */ |
| 255 | if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1) | 257 | if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1) |
| 256 | return 0; | 258 | return 0; |
| 257 | if (ssl_sigalg_lookup(values[i]) == NULL) | 259 | if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL) |
| 258 | return 0; | 260 | return 0; |
| 261 | if (sigalg->security_level < security_level) | ||
| 262 | continue; | ||
| 263 | |||
| 259 | if (!CBB_add_u16(cbb, values[i])) | 264 | if (!CBB_add_u16(cbb, values[i])) |
| 260 | return 0; | 265 | return 0; |
| 266 | |||
| 267 | ret = 1; | ||
| 261 | } | 268 | } |
| 262 | return 1; | 269 | return ret; |
| 263 | } | 270 | } |
| 264 | 271 | ||
| 265 | static const struct ssl_sigalg * | 272 | static const struct ssl_sigalg * |
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h index 9f4a3a3c33..5be2122906 100644 --- a/src/lib/libssl/ssl_sigalgs.h +++ b/src/lib/libssl/ssl_sigalgs.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_sigalgs.h,v 1.24 2022/06/29 07:53:00 tb Exp $ */ | 1 | /* $OpenBSD: ssl_sigalgs.h,v 1.25 2022/06/29 07:53:58 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -69,7 +69,7 @@ struct ssl_sigalg { | |||
| 69 | int flags; | 69 | int flags; |
| 70 | }; | 70 | }; |
| 71 | 71 | ||
| 72 | int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb); | 72 | int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level); |
| 73 | const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey); | 73 | const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey); |
| 74 | const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, | 74 | const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, |
| 75 | uint16_t sigalg_value); | 75 | uint16_t sigalg_value); |
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 20660cbf27..97077a3380 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_srvr.c,v 1.143 2022/06/28 14:51:37 tb Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.144 2022/06/29 07:53:58 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1567,8 +1567,8 @@ ssl3_send_certificate_request(SSL *s) | |||
| 1567 | if (!CBB_add_u16_length_prefixed(&cert_request, | 1567 | if (!CBB_add_u16_length_prefixed(&cert_request, |
| 1568 | &sigalgs)) | 1568 | &sigalgs)) |
| 1569 | goto err; | 1569 | goto err; |
| 1570 | if (!ssl_sigalgs_build( | 1570 | if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, |
| 1571 | s->s3->hs.negotiated_tls_version, &sigalgs)) | 1571 | &sigalgs, SSL_get_security_level(s))) |
| 1572 | goto err; | 1572 | goto err; |
| 1573 | } | 1573 | } |
| 1574 | 1574 | ||
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 53d40157e9..8faf90fde0 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.113 2022/06/04 07:55:44 tb Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.114 2022/06/29 07:53:58 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -587,7 +587,7 @@ tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) | |||
| 587 | 587 | ||
| 588 | if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) | 588 | if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) |
| 589 | return 0; | 589 | return 0; |
| 590 | if (!ssl_sigalgs_build(tls_version, &sigalgs)) | 590 | if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) |
| 591 | return 0; | 591 | return 0; |
| 592 | if (!CBB_flush(cbb)) | 592 | if (!CBB_flush(cbb)) |
| 593 | return 0; | 593 | return 0; |
| @@ -623,7 +623,8 @@ tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) | |||
| 623 | 623 | ||
| 624 | if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) | 624 | if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) |
| 625 | return 0; | 625 | return 0; |
| 626 | if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs)) | 626 | if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, |
| 627 | SSL_get_security_level(s))) | ||
| 627 | return 0; | 628 | return 0; |
| 628 | if (!CBB_flush(cbb)) | 629 | if (!CBB_flush(cbb)) |
| 629 | return 0; | 630 | return 0; |