[openssl-dev] [openssl.org #4496] [PATCH] ssl_cert: use the recommended minimum hash from RFC 5480 for EC

Sebastian Andrzej Siewior via RT rt at openssl.org
Sat Apr 2 14:05:51 UTC 2016


A TLS1.2 connection with openssl server and gnutls-cli using a SECP384R1
key ends up with SHA256 as the hash algorithm for signing the key exchange.
This is because gnutls sends the hash algorithms from weak to strong
and by default client's preference is used.

gnutls complains about this situation:
|<1>| The hash size used in signature (32) is less than the expected (48)

The complaint is based on the recommendation in RFC 5480, section 4.
Security Considerations. There are two ways to fix it:
- Using
  -sigalgs "ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA256:ECDSA+SHA224:ECDSA+SHA1"
  -serverpref
 The weaker algorithms

- The following patch which eliminates SHA256+SHA224 from the list of
  possible candidates. SHA1 is still available if left out in -sigalgs
  and nothing else matches.

Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
---
 ssl/ssl_cert.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 4081ebe4ffbd..7d00ad3182f5 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1135,6 +1135,25 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int o
         if (level >= 3)
             return 0;
         break;
+#ifndef OPENSSL_NO_EC
+    case SSL_SECOP_SIGALG_SHARED:
+	if (s && s->cert && s->cert->key && s->cert->key->privatekey) {
+		EVP_PKEY *skey = s->cert->key->privatekey;
+
+		/*
+		 * RFC 5480 Section 4, Security Considerations.
+		 * For a curve with keysize of 384 bits (secp384r1) we
+		 * allow SHA-384 and higher
+		 */
+		if (EVP_PKEY_id(skey) == EVP_PKEY_EC) {
+			if (EVP_PKEY_bits(skey) > (bits * 2))
+				return 0;
+		}
+	}
+	if (bits < minbits)
+		return 0;
+	break;
+#endif
     default:
         if (bits < minbits)
             return 0;
-- 
2.8.0.rc3


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4496
Please log in as guest with password guest if prompted


