From 339bef12f478b3a12c59571c53645e31280baf7e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 14 May 2021 15:59:37 +0200
Subject: [PATCH] cert auth: filter out unsupported cert types from TLS 1.2 CR

When the server is advertising signature algorithms in TLS 1.2
CertificateRequest, it shouldn't send certificate_types not backed by
any of those algorithms.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/auth/cert.c                         | 76 +++++++++++++++++++++++--
 tests/suite/tls-fuzzer/gnutls-cert.json | 19 +++++++
 2 files changed, 89 insertions(+), 6 deletions(-)

diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 3073a33d3..0b0f04b2b 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -64,6 +64,16 @@ typedef enum CertificateSigType { RSA_SIGN = 1, DSA_SIGN = 2, ECDSA_SIGN = 64,
 #endif
 } CertificateSigType;
 
+enum CertificateSigTypeFlags {
+	RSA_SIGN_FLAG = 1,
+	DSA_SIGN_FLAG = 1 << 1,
+	ECDSA_SIGN_FLAG = 1 << 2,
+#ifdef ENABLE_GOST
+	GOSTR34102012_256_SIGN_FLAG = 1 << 3,
+	GOSTR34102012_512_SIGN_FLAG = 1 << 4
+#endif
+};
+
 /* Moves data from an internal certificate struct (gnutls_pcert_st) to
  * another internal certificate struct (cert_auth_info_t), and deinitializes
  * the former.
@@ -1281,6 +1291,7 @@ _gnutls_gen_cert_server_cert_req(gnutls_session_t session,
 	uint8_t tmp_data[CERTTYPE_SIZE];
 	const version_entry_st *ver = get_version(session);
 	unsigned init_pos = data->length;
+	enum CertificateSigTypeFlags flags;
 
 	if (unlikely(ver == NULL))
 		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
@@ -1297,18 +1308,71 @@ _gnutls_gen_cert_server_cert_req(gnutls_session_t session,
 		return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
 	}
 
-	i = 1;
+	if (_gnutls_version_has_selectable_sighash(ver)) {
+		size_t j;
+
+		flags = 0;
+		for (j = 0; j < session->internals.priorities->sigalg.size; j++) {
+			const gnutls_sign_entry_st *se =
+				session->internals.priorities->sigalg.entry[j];
+			switch (se->pk) {
+			case GNUTLS_PK_RSA:
+			case GNUTLS_PK_RSA_PSS:
+				flags |= RSA_SIGN_FLAG;
+				break;
+			case GNUTLS_PK_DSA:
+				flags |= DSA_SIGN_FLAG;
+				break;
+			case GNUTLS_PK_ECDSA:
+				flags |= ECDSA_SIGN_FLAG;
+				break;
 #ifdef ENABLE_GOST
-	if (_gnutls_kx_is_vko_gost(session->security_parameters.cs->kx_algorithm)) {
-		tmp_data[i++] = GOSTR34102012_256_SIGN;
-		tmp_data[i++] = GOSTR34102012_512_SIGN;
-	} else
+			case GNUTLS_PK_GOST_12_256:
+				flags |= GOSTR34102012_256_SIGN_FLAG;
+				break;
+			case GNUTLS_PK_GOST_12_512:
+				flags |= GOSTR34102012_512_SIGN_FLAG;
+				break;
+#endif
+			default:
+				gnutls_assert();
+				_gnutls_debug_log(
+					"%s is unsupported for cert request\n",
+					gnutls_pk_get_name(se->pk));
+			}
+		}
+
+	} else {
+#ifdef ENABLE_GOST
+		if (_gnutls_kx_is_vko_gost(session->security_parameters.
+					   cs->kx_algorithm)) {
+			flags = GOSTR34102012_256_SIGN_FLAG |
+				GOSTR34102012_512_SIGN_FLAG;
+		} else
 #endif
-	{
+		{
+			flags = RSA_SIGN_FLAG | DSA_SIGN_FLAG | ECDSA_SIGN_FLAG;
+		}
+	}
+
+	i = 1;
+	if (flags & RSA_SIGN_FLAG) {
 		tmp_data[i++] = RSA_SIGN;
+	}
+	if (flags & DSA_SIGN_FLAG) {
 		tmp_data[i++] = DSA_SIGN;
+	}
+	if (flags & ECDSA_SIGN_FLAG) {
 		tmp_data[i++] = ECDSA_SIGN;
 	}
+#ifdef ENABLE_GOST
+	if (flags & GOSTR34102012_256_SIGN_FLAG) {
+		tmp_data[i++] = GOSTR34102012_256_SIGN;
+	}
+	if (flags & GOSTR34102012_512_SIGN_FLAG) {
+		tmp_data[i++] = GOSTR34102012_512_SIGN;
+	}
+#endif
 	tmp_data[0] = i - 1;
 
 	ret = _gnutls_buffer_append_data(data, tmp_data, i);
-- 
2.31.1