Skip to content

TLS 1.2 CertificateVerify: validate sig alg matches peer key #9395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dgarske merged 2 commits into from
Nov 11, 2025
+517 −104
Merged

TLS 1.2 CertificateVerify: validate sig alg matches peer key #9395

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
58bd6a8
TLS 1.2 CertificateVerify: validate sig alg matches peer key
SparkiDev Nov 6, 2025
f54ca0d
TLS 1.2 CertificateVerify: req sig alg to have been in CR
SparkiDev Nov 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
190 changes: 111 additions & 79 deletions src/internal.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37338,11 +37338,11 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
XMEMCPY(outSuites->suites, &suites, sizeof(suites));
#ifdef WOLFSSL_DEBUG_TLS
{
int ii;
word16 ii;
WOLFSSL_MSG("Refined Ciphers:");
for (ii = 0 ; ii < suites->suiteSz; ii += 2) {
WOLFSSL_MSG(GetCipherNameInternal(suites->suites[ii+0],
suites->suites[ii+1]));
for (ii = 0 ; ii < outSuites->suiteSz; ii += 2) {
WOLFSSL_MSG(GetCipherNameInternal(outSuites->suites[ii+0],
outSuites->suites[ii+1]));
}
}
#endif
Expand Down Expand Up @@ -38568,58 +38568,86 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
case TLS_ASYNC_BUILD:
{
if (IsAtLeastTLSv1_2(ssl)) {
if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > size) {
if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN >
size) {
ERROR_OUT(BUFFER_ERROR, exit_dcv);
}

/* Check if hashSigAlgo in CertificateVerify is supported
* in our ssl->suites or ssl->ctx->suites. */
if (!SupportedHashSigAlgo(ssl, &input[args->idx])) {
WOLFSSL_MSG("Signature algorithm was not in "
"CertificateRequest");
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
}

DecodeSigAlg(&input[args->idx], &ssl->options.peerHashAlgo,
&ssl->options.peerSigAlgo);
args->idx += 2;
}
#ifndef NO_RSA
else if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0)
ssl->options.peerSigAlgo = rsa_sa_algo;
#endif
#ifdef HAVE_ECC
else if (ssl->peerEccDsaKeyPresent) {
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
if (ssl->peerEccDsaKey->dp->id == ECC_SM2P256V1) {
ssl->options.peerSigAlgo = sm2_sa_algo;

#ifndef NO_RSA
if (ssl->peerRsaKeyPresent) {
if (ssl->options.peerSigAlgo != rsa_sa_algo
#ifdef WC_RSA_PSS
&& ssl->options.peerSigAlgo != rsa_pss_sa_algo
#endif
) {
WOLFSSL_MSG("Oops, peer sent RSA key but not in "
"verify");
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
}
}
else
#endif
#ifdef HAVE_ECC
if (ssl->peerEccDsaKeyPresent) {
if (ssl->options.peerSigAlgo != ecc_dsa_sa_algo
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
&& ssl->options.peerSigAlgo != sm2_sa_algo
#endif
) {
WOLFSSL_MSG("Oops, peer sent ECC key but not in "
"verify");
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
}
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
if (ssl->options.peerSigAlgo == sm2_sa_algo &&
ssl->options.peerHashAlgo != sm3_mac) {
WOLFSSL_MSG("SM2 with SM3 only");
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
}
#endif
}
else
#endif
#if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
if (ssl->peerEd25519KeyPresent) {
if (ssl->options.peerSigAlgo != ed25519_sa_algo) {
WOLFSSL_MSG("Oops, peer sent Ed25519 key but not "
"in verify");
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
}
}
else
#endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
#if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
if (ssl->peerEd448KeyPresent) {
if (ssl->options.peerSigAlgo != ed448_sa_algo) {
WOLFSSL_MSG("Oops, peer sent Ed448 key but not in "
"verify");
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
}
}
else
#endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
{
ssl->options.peerSigAlgo = ecc_dsa_sa_algo;
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
}
}
#endif
#if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
else if (ssl->peerEd25519KeyPresent)
ssl->options.peerSigAlgo = ed25519_sa_algo;
#endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
#if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
else if (ssl->peerEd448KeyPresent)
ssl->options.peerSigAlgo = ed448_sa_algo;
#endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */

if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
ERROR_OUT(BUFFER_ERROR, exit_dcv);
}

ato16(input + args->idx, &args->sz);
args->idx += OPAQUE16_LEN;

if ((args->idx - args->begin) + args->sz > size ||
args->sz > ENCRYPT_LEN) {
ERROR_OUT(BUFFER_ERROR, exit_dcv);
SetDigest(ssl, ssl->options.peerHashAlgo);
}

#ifdef HAVE_ECC
if (ssl->peerEccDsaKeyPresent) {

WOLFSSL_MSG("Doing ECC peer cert verify");

/* make sure a default is defined */
else {
/* make sure a default is defined */
#if !defined(NO_SHA)
SetDigest(ssl, sha_mac);
#elif !defined(NO_SHA256)
Expand All @@ -38634,39 +38662,51 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#error No digest enabled for ECC sig verify
#endif

if (IsAtLeastTLSv1_2(ssl)) {
if (ssl->options.peerSigAlgo != ecc_dsa_sa_algo
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
&& ssl->options.peerSigAlgo != sm2_sa_algo
#endif
) {
WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
#ifndef NO_RSA
if (ssl->peerRsaKeyPresent)
ssl->options.peerSigAlgo = rsa_sa_algo;
else
#endif
#ifdef HAVE_ECC
if (ssl->peerEccDsaKeyPresent) {
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
if (ssl->peerEccDsaKey->dp->id == ECC_SM2P256V1) {
ssl->options.peerSigAlgo = sm2_sa_algo;
}
else
#endif
{
ssl->options.peerSigAlgo = ecc_dsa_sa_algo;
}

SetDigest(ssl, ssl->options.peerHashAlgo);
}
}
#endif /* HAVE_ECC */
#if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
if (ssl->peerEd25519KeyPresent) {
WOLFSSL_MSG("Doing ED25519 peer cert verify");
if (IsAtLeastTLSv1_2(ssl) &&
ssl->options.peerSigAlgo != ed25519_sa_algo) {
WOLFSSL_MSG(
"Oops, peer sent ED25519 key but not in verify");
else
#endif
#if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
if (ssl->peerEd25519KeyPresent)
ssl->options.peerSigAlgo = ed25519_sa_algo;
else
#endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
#if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
if (ssl->peerEd448KeyPresent)
ssl->options.peerSigAlgo = ed448_sa_algo;
else
#endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
{
ERROR_OUT(NO_PEER_KEY, exit_dcv);
}
}
#endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
#if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
if (ssl->peerEd448KeyPresent) {
WOLFSSL_MSG("Doing ED448 peer cert verify");
if (IsAtLeastTLSv1_2(ssl) &&
ssl->options.peerSigAlgo != ed448_sa_algo) {
WOLFSSL_MSG(
"Oops, peer sent ED448 key but not in verify");
}

if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
ERROR_OUT(BUFFER_ERROR, exit_dcv);
}

ato16(input + args->idx, &args->sz);
args->idx += OPAQUE16_LEN;

if ((args->idx - args->begin) + args->sz > size ||
args->sz > ENCRYPT_LEN) {
ERROR_OUT(BUFFER_ERROR, exit_dcv);
}
#endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */

/* Advance state and proceed */
ssl->options.asyncState = TLS_ASYNC_DO;
Expand Down Expand Up @@ -38803,8 +38843,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (IsAtLeastTLSv1_2(ssl)) {
#ifdef WC_RSA_PSS
if (ssl->options.peerSigAlgo == rsa_pss_sa_algo) {
SetDigest(ssl, ssl->options.peerHashAlgo);

#ifdef HAVE_SELFTEST
ret = wc_RsaPSS_CheckPadding(
ssl->buffers.digest.buffer,
Expand Down Expand Up @@ -38837,12 +38875,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
#endif

if (ssl->options.peerSigAlgo != rsa_sa_algo) {
WOLFSSL_MSG("Oops, peer sent RSA key but not "
"in verify");
}

SetDigest(ssl, ssl->options.peerHashAlgo);

args->sigSz = wc_EncodeSignature(encodedSig,
ssl->buffers.digest.buffer,
Expand Down
Loading