Google Git
Sign in
boringssl / boringssl.git / efad2bfc83544bb926921de61baf6f962e685671^! / . / ssl / internal.h
commitefad2bfc83544bb926921de61baf6f962e685671[log] [tgz]
authorDavid Benjamin <davidben@google.com>Fri Feb 23 14:37:10 2024 -0500
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>Tue Mar 05 18:03:24 2024 +0000
tree27d6f28485ec0c04bb9eda798e2ebbc7464882dc
parent9f376b0694dfb8528fa2200369b48632563e972f [diff] [blame]
Fix delegated credential signature algorithm handling

https://boringssl-review.googlesource.com/c/34884 tried to update to the
newer DC draft, but didn't quite do so. In that update, DCs
overcomplicated the signature algorithm negotiation so that there are
two different signature algorithm lists, used in different contexts.

The existing signature_algorithms extension is used to verify the
signature *on* the DC, made by the end-entity certificate. On the server
side, we should be using that to decide whether to use the DC, and we
weren't.

The new delegated_credentials extension contains another sigalg list.
That is used to verify the signature *by* the DC, in the
CertificateVerify message. (This means DC changes the operative sigalg
list for the CertificateVerify message, which is quite a mess.) On the
server side, the above CL mixed things up. When deciding whether to use
DCs, it checked the correct list. When actually using DCs, it checked
the wrong one. As a result, any time the DC list wasn't a subset of the
main list, the connection would just break!

Fix both of these, in preparation for redoing DCs over the upcoming
SSL_CREDENTIAL mechanism.

Thankfully we don't support one direction of DC usage (authenticating in
C++ and verifying in Go), so there are fewer places to worry about
mixing this up. Given this overcomplication, I'm now much, much less
inclined to ever support DCs as a client, without an rfc9345bis to redo
this.

Bug: 249
Change-Id: Id5257e89a6c8daf1635757be473c45029492d420
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66550
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

diff --git a/ssl/internal.h b/ssl/internal.h
index 2dd7859..d64f6c4 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h

@@ -1630,9 +1630,14 @@
   // raw is the delegated credential encoded as specified in RFC 9345.
   UniquePtr<CRYPTO_BUFFER> raw;
 
-  // dc_cert_verify_algorithm is the signature scheme of the DC public key.
+  // dc_cert_verify_algorithm is the signature scheme of the DC public key. This
+  // is used for the CertificateVerify message.
   uint16_t dc_cert_verify_algorithm = 0;
 
+  // algorithm is the signature scheme of the signature over the delegated
+  // credential itself, made by the end-entity certificate's public key.
+  uint16_t algorithm = 0;
+
   // pkey is the public key parsed from |public_key|.
   UniquePtr<EVP_PKEY> pkey;