Tolerate a Certificate using a non-supported group on server side If a server has been configured to use an ECDSA certificate, we should allow it regardless of whether the server's own supported groups list includes the certificate's group. Fixes #2033 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5601)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index eae5788..1c3ee35 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h
@@ -2453,7 +2453,7 @@ # ifndef OPENSSL_NO_EC __owur const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id); -__owur int tls1_check_group_id(SSL *s, uint16_t group_id); +__owur int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_curves); __owur uint16_t tls1_shared_group(SSL *s, int nmatch); __owur int tls1_set_groups(uint16_t **pext, size_t *pextlen, int *curves, size_t ncurves);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index e940fc8..29db4bc 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c
@@ -2192,7 +2192,8 @@ * Check curve is named curve type and one of our preferences, if not * server has sent an invalid curve. */ - if (curve_type != NAMED_CURVE_TYPE || !tls1_check_group_id(s, curve_id)) { + if (curve_type != NAMED_CURVE_TYPE + || !tls1_check_group_id(s, curve_id, 1)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_WRONG_CURVE); return 0;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 174d7de..cf5f783 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c
@@ -467,7 +467,7 @@ } /* Check a group id matches preferences */ -int tls1_check_group_id(SSL *s, uint16_t group_id) +int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) { const uint16_t *groups; size_t groups_len; @@ -491,10 +491,12 @@ } } - /* Check group is one of our preferences */ - tls1_get_supported_groups(s, &groups, &groups_len); - if (!tls1_in_list(group_id, groups, groups_len)) - return 0; + if (check_own_groups) { + /* Check group is one of our preferences */ + tls1_get_supported_groups(s, &groups, &groups_len); + if (!tls1_in_list(group_id, groups, groups_len)) + return 0; + } if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) return 0; @@ -554,7 +556,11 @@ if (!tls1_check_pkey_comp(s, pkey)) return 0; group_id = tls1_get_group_id(pkey); - if (!tls1_check_group_id(s, group_id)) + /* + * For a server we allow the certificate to not be in our list of supported + * groups. + */ + if (!tls1_check_group_id(s, group_id, !s->server)) return 0; /* * Special case for suite B. We *MUST* sign using SHA256+P-256 or @@ -601,9 +607,9 @@ * curves permitted. */ if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) - return tls1_check_group_id(s, TLSEXT_curve_P_256); + return tls1_check_group_id(s, TLSEXT_curve_P_256, 1); if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) - return tls1_check_group_id(s, TLSEXT_curve_P_384); + return tls1_check_group_id(s, TLSEXT_curve_P_384, 1); return 0; } @@ -979,7 +985,7 @@ } if (!SSL_IS_TLS13(s)) { /* Check curve matches extensions */ - if (!tls1_check_group_id(s, tls1_get_group_id(pkey))) { + if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); return 0;