Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.
It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.
Finally, it adds the corresponding entry to the ChangeLog.
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index bdf793b..87681ad 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -186,15 +186,30 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/*
+ * Status of the implementation of signature-algorithms extension:
+ *
+ * Currently, we are only considering the signature-algorithm extension
+ * to pick a ciphersuite which allows us to send the ServerKeyExchange
+ * message with a signature-hash combination that the user allows.
+ *
+ * We do *not* check whether all certificates in our certificate
+ * chain are signed with an allowed signature-hash pair.
+ * This needs to be done at a later stage.
+ *
+ */
static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
size_t sig_alg_list_size;
+
const unsigned char *p;
const unsigned char *end = buf + len;
- const int *md_cur;
+ mbedtls_md_type_t md_cur;
+ mbedtls_pk_type_t sig_cur;
sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
if( sig_alg_list_size + 2 != len ||
@@ -204,29 +219,48 @@
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
- /*
- * For now, ignore the SignatureAlgorithm part and rely on offered
- * ciphersuites only for that part. To be fixed later.
+ /* Currently we only guarantee signing the ServerKeyExchange message according
+ * to the constraints specified in this extension (see above), so it suffices
+ * to remember only one suitable hash for each possible signature algorithm.
*
- * So, just look at the HashAlgorithm part.
+ * This will change when we also consider certificate signatures,
+ * in which case we will need to remember the whole signature-hash
+ * pair list from the extension.
*/
- for( md_cur = ssl->conf->sig_hashes; *md_cur != MBEDTLS_MD_NONE; md_cur++ ) {
- for( p = buf + 2; p < end; p += 2 ) {
- if( *md_cur == (int) mbedtls_ssl_md_alg_from_hash( p[0] ) ) {
- ssl->handshake->sig_alg = p[0];
- goto have_sig_alg;
- }
+
+ for( p = buf + 2; p < end; p += 2 )
+ {
+ /* Silently ignore unknown signature or hash algorithms. */
+
+ if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: unknown sig alg encoding %d",
+ p[1] ) );
+ continue;
+ }
+
+ /* Check if we support the hash the user proposes */
+ md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
+ if( md_cur == MBEDTLS_MD_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: unknown hash alg encoding %d",
+ p[0] ) );
+ continue;
+ }
+
+ if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
+ {
+ mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: match sig %d and hash %d",
+ sig_cur, md_cur ) );
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: hash alg %d not supported",
+ md_cur ) );
}
}
- /* Some key echanges do not need signatures at all */
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
- return( 0 );
-
-have_sig_alg:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
- ssl->handshake->sig_alg ) );
-
return( 0 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
@@ -710,6 +744,11 @@
{
const mbedtls_ssl_ciphersuite_t *suite_info;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ mbedtls_pk_type_t sig_type;
+#endif
+
suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
if( suite_info == NULL )
{
@@ -776,6 +815,25 @@
}
#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ /* If the ciphersuite requires signing, check whether
+ * a suitable hash algorithm is present. */
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ {
+ sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
+ if( sig_type != MBEDTLS_PK_NONE &&
+ mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
+ "for signature algorithm %d", sig_type ) );
+ return( 0 );
+ }
+ }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+ MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
* Final check: if ciphersuite requires us to have a
@@ -1085,6 +1143,15 @@
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
int major, minor;
+ /* If there is no signature-algorithm extension present,
+ * we need to fall back to the default values for allowed
+ * signature-hash pairs. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ int sig_hash_alg_ext_present = 0;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+ MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
@@ -1582,10 +1649,11 @@
if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
break;
#endif
-
ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
if( ret != 0 )
return( ret );
+
+ sig_hash_alg_ext_present = 1;
break;
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
@@ -1722,6 +1790,26 @@
}
#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+ /*
+ * Try to fall back to default hash SHA1 if the client
+ * hasn't provided any preferred signature-hash combinations.
+ */
+ if( sig_hash_alg_ext_present == 0 )
+ {
+ mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
+
+ if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
+ md_default = MBEDTLS_MD_NONE;
+
+ mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
+ }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+ MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
/*
* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*/
@@ -1847,6 +1935,28 @@
mbedtls_ssl_recv_flight_completed( ssl );
#endif
+ /* Debugging-only output for testsuite */
+#if defined(MBEDTLS_DEBUG_C) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ {
+ mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
+ if( sig_alg != MBEDTLS_PK_NONE )
+ {
+ mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
+ sig_alg );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
+ mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm %d - should not happen",
+ sig_alg ) );
+ }
+ }
+#endif
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
return( 0 );
@@ -2669,7 +2779,7 @@
size_t n = 0;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->transform_negotiate->ciphersuite_info;
-
+
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
unsigned char *p = ssl->out_msg + 4;
unsigned char *dig_signed = p;
@@ -2736,7 +2846,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
- /*
+ /*
* For DHE key exchanges, add the DH parameters here.
*/
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
@@ -2832,7 +2942,7 @@
return( ret );
}
- dig_signed = p;
+ dig_signed = p;
dig_signed_len = len;
p += len;
@@ -2852,19 +2962,29 @@
size_t signature_len = 0;
unsigned int hashlen = 0;
unsigned char hash[64];
- mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
/*
- * Choose hash algorithm. NONE means MD5 + SHA1 here.
+ * Choose hash algorithm:
+ * - For TLS 1.2, obey signature-hash-algorithm extension to choose appropriate hash.
+ * - For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1 (RFC 4492, Sec. 5.4)
+ * - Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
*/
+
+ mbedtls_md_type_t md_alg;
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
- md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->sig_alg );
+ /* For TLS 1.2, obey signature-hash-algorithm extension
+ * (RFC 5246, Sec. 7.4.1.4.1). */
- if( md_alg == MBEDTLS_MD_NONE )
+ if( sig_alg == MBEDTLS_PK_NONE ||
+ ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_alg ) ) == MBEDTLS_MD_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ /* (... because we choose a cipher suite
+ * only if there is a matching hash.) */
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
}
@@ -2884,6 +3004,8 @@
md_alg = MBEDTLS_MD_NONE;
}
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
+
/*
* Compute the hash to be signed
*/
@@ -2971,7 +3093,7 @@
(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
/*
- * Make the signature
+ * Compute and add the signature
*/
if( mbedtls_ssl_own_key( ssl ) == NULL )
{
@@ -2982,8 +3104,23 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
- *(p++) = ssl->handshake->sig_alg;
- *(p++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
+ /* For TLS 1.2, we need to specify signature and hash algorithm
+ * explicitly through a prefix to the signature.
+ *
+ * struct {
+ * HashAlgorithm hash;
+ * SignatureAlgorithm signature;
+ * } SignatureAndHashAlgorithm;
+ *
+ * struct {
+ * SignatureAndHashAlgorithm algorithm;
+ * opaque signature<0..2^16-1>;
+ * } DigitallySigned;
+ *
+ */
+
+ *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg );
+ *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg );
n += 2;
}