Disallow DSA/SHA1/etc. for pure TLS 1.3 ClientHellos

In draft-ietf-tls-tls13-20 Appendix B we find that: This section describes protocol types and constants. Values listed as _RESERVED were used in previous versions of TLS and are listed here for completeness. TLS 1.3 implementations MUST NOT send them but might receive them from older TLS implementations. Similarly, in section 4.2.3 we see: Legacy algorithms Indicates algorithms which are being deprecated because they use algorithms with known weaknesses, specifically SHA-1 which is used in this context with either with RSA using RSASSA-PKCS1-v1_5 or ECDSA. These values refer solely to signatures which appear in certificates (see Section 4.4.2.2) and are not defined for use in signed TLS handshake messages. Endpoints SHOULD NOT negotiate these algorithms but are permitted to do so solely for backward compatibility. Clients offering these values MUST list them as the lowest priority (listed after all other algorithms in SignatureSchemeList). TLS 1.3 servers MUST NOT offer a SHA-1 signed certificate unless no valid certificate chain can be produced without it (see Section 4.4.2.2). However, we are currently sending the SHA2-based DSA signature schemes and many SHA1-based schemes, which is in contradiction with the specification. Because TLS 1.3 support will appear in OpenSSL 1.1, we are bound by stability requirements to continue to offer the DSA signature schemes and the deprecated hash algorithms. at least until OpenSSL 1.2. However, for pure TLS 1.3 clients that do not offer lower TLS versions, we can be compliant. Do so, and leave a note to revisit the issue when we are permitted to break with sacred historical tradition. Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3326)

Disallow DSA/SHA1/etc. for pure TLS 1.3 ClientHellos
In draft-ietf-tls-tls13-20 Appendix B we find that: This section describes protocol types and constants. Values listed as _RESERVED were used in previous versions of TLS and are listed here for completeness. TLS 1.3 implementations MUST NOT send them but might receive them from older TLS implementations. Similarly, in section 4.2.3 we see: Legacy algorithms Indicates algorithms which are being deprecated because they use algorithms with known weaknesses, specifically SHA-1 which is used in this context with either with RSA using RSASSA-PKCS1-v1_5 or ECDSA. These values refer solely to signatures which appear in certificates (see Section 4.4.2.2) and are not defined for use in signed TLS handshake messages. Endpoints SHOULD NOT negotiate these algorithms but are permitted to do so solely for backward compatibility. Clients offering these values MUST list them as the lowest priority (listed after all other algorithms in SignatureSchemeList). TLS 1.3 servers MUST NOT offer a SHA-1 signed certificate unless no valid certificate chain can be produced without it (see Section 4.4.2.2). However, we are currently sending the SHA2-based DSA signature schemes and many SHA1-based schemes, which is in contradiction with the specification. Because TLS 1.3 support will appear in OpenSSL 1.1, we are bound by stability requirements to continue to offer the DSA signature schemes and the deprecated hash algorithms. at least until OpenSSL 1.2. However, for pure TLS 1.3 clients that do not offer lower TLS versions, we can be compliant. Do so, and leave a note to revisit the issue when we are permitted to break with sacred historical tradition. Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3326)
6ffeb269 · Benjamin Kaduk · Benjamin Kaduk · a163e60d · 6ffeb269
显示空白变更内容
内联并排

Showing with 6 addition and 0 deletion

ssl/t1_lib.c ssl/t1_lib.c +6 -0

未找到文件。
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1447,6 +1447,12 @@ static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
    /* DSA is not allowed in TLS 1.3 */
    if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
        return 0;
+    /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
+    if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION
+        && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
+            || lu->hash_idx == SSL_MD_MD5_IDX
+            || lu->hash_idx == SSL_MD_SHA224_IDX))
+        return 0;
    /* See if public key algorithm allowed */
    if (tls12_get_pkey_idx(lu->sig) == -1)
        return 0;