From 8f88cb53dd839610195d8bd58ecc790b4cd45728 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Mon, 30 Jan 2017 14:45:20 +0000
Subject: [PATCH] Add TLS 1.3 signing curve check

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
---
 ssl/t1_lib.c | 58 +++++++++++++++++++++++++++++++---------------------
 1 file changed, 35 insertions(+), 23 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 12da585c65..3e2f07c6c4 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -850,35 +850,47 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
     }
 #ifndef OPENSSL_NO_EC
     if (pkeyid == EVP_PKEY_EC) {
-        unsigned char curve_id[2], comp_id;
-        /* Check compression and curve matches extensions */
-        if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
-            return 0;
-        if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
-            SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
-            return 0;
-        }
-        /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
-        if (tls1_suiteb(s)) {
-            if (curve_id[0])
+        EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
+        if (SSL_IS_TLS13(s)) {
+            /* For TLS 1.3 check curve matches signature algorithm */
+            int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+            if (curve != lu->curve) {
+                SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
+                return 0;
+            }
+        } else {
+            unsigned char curve_id[2], comp_id;
+            /* Check compression and curve matches extensions */
+            if (!tls1_set_ec_id(curve_id, &comp_id, ec))
                 return 0;
-            if (curve_id[1] == TLSEXT_curve_P_256) {
-                if (tls_sigalg_get_hash(sig) != NID_sha256) {
-                    SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
-                           SSL_R_ILLEGAL_SUITEB_DIGEST);
+            if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
+                SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
+                return 0;
+            }
+            /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
+            if (tls1_suiteb(s)) {
+                if (curve_id[0])
                     return 0;
-                }
-            } else if (curve_id[1] == TLSEXT_curve_P_384) {
-                if (tls_sigalg_get_hash(sig) != NID_sha384) {
-                    SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
-                           SSL_R_ILLEGAL_SUITEB_DIGEST);
+                if (curve_id[1] == TLSEXT_curve_P_256) {
+                    if (tls_sigalg_get_hash(sig) != NID_sha256) {
+                        SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
+                               SSL_R_ILLEGAL_SUITEB_DIGEST);
+                        return 0;
+                    }
+                } else if (curve_id[1] == TLSEXT_curve_P_384) {
+                    if (tls_sigalg_get_hash(sig) != NID_sha384) {
+                        SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
+                               SSL_R_ILLEGAL_SUITEB_DIGEST);
+                        return 0;
+                    }
+                } else {
                     return 0;
                 }
-            } else
-                return 0;
+            }
         }
-    } else if (tls1_suiteb(s))
+    } else if (tls1_suiteb(s)) {
         return 0;
+    }
 #endif
 
     /* Check signature matches a type we sent */
-- 
2.40.0