Skip to content

TLS 1.2 CertificateVerify: validate sig alg matches peer key #9395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

TLS 1.2 CertificateVerify: validate sig alg matches peer key #9395

wants to merge 2 commits into from
+164 −98

Conversation

@SparkiDev
Copy link
Contributor

@SparkiDev SparkiDev commented Nov 6, 2025
edited
Loading

Description

Don't proceed with parsing CertificateVerify message in TLS 1.2 if the signature algorithm doesn't match the peer's key (key from client certificate).

Fixes zd#20771

Testing

Tested enabling/disabling RSA, ECC, Ed25519 and Ed448 in all combinations.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@SparkiDev SparkiDev self-assigned this Nov 6, 2025
@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Nov 6, 2025

🛟 Devin Lifeguard found 1 likely issues in this PR

  • check-return-codes snippet: Inspect SetDigest’s prototype; if it returns an int, capture the result (e.g., ret = SetDigest(...)) and propagate or handle any non-zero return before continuing.

@SparkiDev
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

@SparkiDev
Copy link
Contributor Author

SparkiDev commented Nov 6, 2025
edited
Loading

SetDigest is void return.

@SparkiDev SparkiDev force-pushed the tls12_cv_sig_check branch 2 times, most recently from 74399cf to babc5d3 Compare November 6, 2025 02:24
@GSoJC234
Copy link

GSoJC234 commented Nov 6, 2025

Hi Sean,

The updated code correctly prevents the CertificateVerify message that uses the DSA+SHA1 algorithm.
However, when the message contains the ECDSA+SHA1 algorithm, the server still accepts it.

Would it be possible to compare the signature and hash algorithms in the CertificateVerify message against the server-supported algorithms listed in the CertificateRequest message (e.g., ssl->suites->hashSigAlgo)?

According to RFC 5246,

"The hash and signature algorithms used in the signature MUST be one of those present in the supported_signature_algorithms field of the CertificateRequest message."

julek-wolfssl
julek-wolfssl previously approved these changes Nov 6, 2025
View reviewed changes
@julek-wolfssl
Copy link
Member

julek-wolfssl commented Nov 6, 2025

Would be great if there was some tests in place to check that mismatches error out the tls stack.

@SparkiDev SparkiDev added the For This Release Release version 5.8.4 label Nov 7, 2025
@SparkiDev
TLS 1.2 CertificateVerify: validate sig alg matches peer key
58bd6a8 
Don't proceed with parsing CertificateVerify message in TLS 1.2 if the
signature algorithm doesn't match the peer's key (key from client
certificate).
@SparkiDev
TLS 1.2 CertificateVerify: req sig alg to have been in CR
b73e5bf 
The signature algorithm specified in CertificateVerify must have been in
the CertificateRequest. Add check.

The cipher suite test cases, when client auth and RSA are built-in and
use the default client certificate and use the *-ECDSA-* cipher
suites, no longer work. The client certificate must be ECC when the
cipher suite has ECDSA. Don't run them for that build.
@GSoJC234
Copy link

GSoJC234 commented Nov 7, 2025

I’ve reviewed the latest commit, and the server correctly validates that the signature/hash algorithm in the CertificateVerify message matches one of the algorithms listed in the CertificateRequest message.

Thanks for the quick and thorough fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julek-wolfssl julek-wolfssl julek-wolfssl left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@SparkiDev SparkiDev

Labels

For This Release Release version 5.8.4

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@SparkiDev @GSoJC234 @julek-wolfssl