Google Git
Sign in
boringssl / boringssl / efad2bfc83544bb926921de61baf6f962e685671^! / . / ssl / extensions.cc
commitefad2bfc83544bb926921de61baf6f962e685671[log] [tgz]
authorDavid Benjamin <davidben@google.com>Fri Feb 23 14:37:10 2024 -0500
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>Tue Mar 05 18:03:24 2024 +0000
tree27d6f28485ec0c04bb9eda798e2ebbc7464882dc
parent9f376b0694dfb8528fa2200369b48632563e972f [diff] [blame]
Fix delegated credential signature algorithm handling

https://boringssl-review.googlesource.com/c/34884 tried to update to the
newer DC draft, but didn't quite do so. In that update, DCs
overcomplicated the signature algorithm negotiation so that there are
two different signature algorithm lists, used in different contexts.

The existing signature_algorithms extension is used to verify the
signature *on* the DC, made by the end-entity certificate. On the server
side, we should be using that to decide whether to use the DC, and we
weren't.

The new delegated_credentials extension contains another sigalg list.
That is used to verify the signature *by* the DC, in the
CertificateVerify message. (This means DC changes the operative sigalg
list for the CertificateVerify message, which is quite a mess.) On the
server side, the above CL mixed things up. When deciding whether to use
DCs, it checked the correct list. When actually using DCs, it checked
the wrong one. As a result, any time the DC list wasn't a subset of the
main list, the connection would just break!

Fix both of these, in preparation for redoing DCs over the upcoming
SSL_CREDENTIAL mechanism.

Thankfully we don't support one direction of DC usage (authenticating in
C++ and verifying in Go), so there are fewer places to worry about
mixing this up. Given this overcomplication, I'm now much, much less
inclined to ever support DCs as a client, without an rfc9345bis to redo
this.

Bug: 249
Change-Id: Id5257e89a6c8daf1635757be473c45029492d420
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66550
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

diff --git a/ssl/extensions.cc b/ssl/extensions.cc
index 029533f..e9c38a6 100644
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc

@@ -4119,15 +4119,16 @@
     return true;
   }
 
-  Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
+  Span<const uint16_t> sigalgs, peer_sigalgs;
   if (ssl_signing_with_dc(hs)) {
     sigalgs = MakeConstSpan(&dc->dc_cert_verify_algorithm, 1);
-  } else if (!cert->sigalgs.empty()) {
-    sigalgs = cert->sigalgs;
+    peer_sigalgs = hs->peer_delegated_credential_sigalgs;
+  } else {
+    sigalgs = cert->sigalgs.empty() ? MakeConstSpan(kSignSignatureAlgorithms)
+                                    : cert->sigalgs;
+    peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
   }
 
-  Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
-
   for (uint16_t sigalg : sigalgs) {
     if (!ssl_private_key_supports_signature_algorithm(hs, sigalg)) {
       continue;