commit 4bd1284f590c5e26e78615af08d03ac6d8ea6494
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue Aug 27 13:31:28 2013 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue Aug 27 22:21:21 2013 +0200
tree 0b1d984c73dcd2b51e079a162c894f1065819ae5
parent 9c9812a299246b95a9591b6b36d4d8a6dbfa7d65

Fix ECDSA hash selection bug with TLS 1.0 and 1.1

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index ce45898..8efd57e 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1951,9 +1951,33 @@
         size_t signature_len = 0;
 
         /*
+         * Choose hash algorithm. NONE means MD5 + SHA1 here.
+         */
+        if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
+        {
+            md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
+
+            if( md_alg == POLARSSL_MD_NONE )
+            {
+                SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
+            }
+        }
+        else if ( ciphersuite_info->key_exchange ==
+                  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
+        {
+            md_alg = POLARSSL_MD_SHA1;
+        }
+        else
+        {
+            md_alg = POLARSSL_MD_NONE;
+        }
+
+
+        /*
          * Compute the hash to be signed
          */
-        if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
+        if( md_alg == POLARSSL_MD_NONE )
         {
             md5_context md5;
             sha1_context sha1;
@@ -1982,7 +2006,6 @@
             sha1_finish( &sha1, hash + 16 );
 
             hashlen = 36;
-            md_alg = POLARSSL_MD_NONE;
         }
         else
         {
@@ -1998,13 +2021,6 @@
              *     ServerDHParams params;
              * };
              */
-            if( ( md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg ) )
-                         == POLARSSL_MD_NONE )
-            {
-                SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-                return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-            }
-
             if( ( ret = md_init_ctx( &ctx, md_info_from_type(md_alg) ) ) != 0 )
             {
                 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
@@ -2498,6 +2514,7 @@
     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
     size_t sa_len, sig_len;
     unsigned char hash[48];
+    unsigned char *hash_start = hash;
     size_t hashlen;
     pk_type_t pk_alg;
     md_type_t md_alg;
@@ -2556,6 +2573,15 @@
 
         md_alg = POLARSSL_MD_NONE;
         hashlen = 36;
+
+        /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
+        if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                        POLARSSL_PK_ECDSA ) )
+        {
+            hash_start += 16;
+            hashlen -= 16;
+            md_alg = POLARSSL_MD_SHA1;
+        }
     }
     else
     {
@@ -2607,7 +2633,7 @@
     }
 
     if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
-                           md_alg, hash, hashlen,
+                           md_alg, hash_start, hashlen,
                            ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
     {
         SSL_DEBUG_RET( 1, "pk_verify", ret );