Forcibly ensure that only PSS may be used with RSA in TLS 1.3.

This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@

1 files changed, 8 insertions, 2 deletions

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 37fdcfa73f..6378ec8c07 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.20 2019/04/01 02:09:21 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.21 2020/05/09 16:52:15 beck Exp $ */
 /*
- * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -322,6 +322,12 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
                     tls_sigalgs_len)) == NULL)
                         continue;
 
+                /* RSA cannot be used without PSS in TLSv1.3. */
+                if (TLS1_get_version(s) >= TLS1_3_VERSION &&
+                    sigalg->key_type == EVP_PKEY_RSA &&
+                    (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
+                        continue;
+
                 if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve))
                         return sigalg;
         }