Skip to content

Commit

Permalink
Fix ABI breakage due to TLS1.3-brainpool sigalgs
Browse files Browse the repository at this point in the history 
If a server using a brainpool certificate could try to negotiate
either TLS1.2 or TLS1.3, but it is configured in a way that is
most likely intended to be used with TLS1.2, this disables TLS1.3
for this server.
The server can explicitly set the sigalgs to override this heuristic.

Fixes openssl#25697
  • Loading branch information
@bernd-edlinger
bernd-edlinger committed Oct 18, 2024
1 parent f4c4674 commit a0fc2c3
Showing 1 changed file with 29 additions and 1 deletion.
30 changes: 29 additions & 1 deletion ssl/t1_lib.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1884,8 +1884,36 @@ int tls_check_sigalg_curve(const SSL_CONNECTION *s, int curve)
continue;
if (lu->sig == EVP_PKEY_EC
&& lu->curve != NID_undef
&& curve == lu->curve)
&& curve == lu->curve) {
/*
* In case of a brainpool curves, if TLS1.2 is not disabled,
* and the supported groups contain only the TLS1.2 brainpool id,
* but the TLS1.3 brainpool sigalg is only from the default sigalgs list,
* and was not explicitly specified, it is clear that this configuration
* is intended to be useful for TLS1.2, so don't try to negotiate TLS1.3,
* which might fail.
*/
#ifndef OPENSSL_NO_TLS1_2
if (s->cert->conf_sigalgs == NULL
&& (curve == NID_brainpoolP256r1
|| curve == NID_brainpoolP384r1
|| curve == NID_brainpoolP512r1)
&& SSL_CONNECTION_GET_SSL(s)->method->version == TLS_ANY_VERSION
&& s->s3.tmp.min_ver <= TLS1_2_VERSION) {
const uint16_t id = tls1_nid2group_id(curve);
const uint16_t tls13_id = id + 5; /* TLS1.2: 26..28 TLS1.3: 31..33 */
size_t j;

for (j = 0; j < s->ext.supportedgroups_len; j++)
if (s->ext.supportedgroups[j] == tls13_id)
return 1;
for (j = 0; j < s->ext.supportedgroups_len; j++)
if (s->ext.supportedgroups[j] == id)
return 0;
}
#endif
return 1;
}
}

return 0;
Expand Down

0 comments on commit a0fc2c3

Please sign in to comment.