From e892e3255858b6b8bb79bee9972aa9700a38903b Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Fri, 24 Feb 2017 20:43:02 +0000
Subject: [PATCH] Reject compressed point format with TLS 1.3
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/2739)
---
 include/openssl/ssl.h | 1 +
 ssl/ssl_err.c | 2 ++
 ssl/t1_lib.c | 13 ++++++++++---
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 40c58c5094..51dbca4ee9 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2508,6 +2508,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
 # define SSL_R_HTTPS_PROXY_REQUEST 155
 # define SSL_R_HTTP_REQUEST 156
+# define SSL_R_ILLEGAL_POINT_COMPRESSION 162
 # define SSL_R_ILLEGAL_SUITEB_DIGEST 380
 # define SSL_R_INAPPROPRIATE_FALLBACK 373
 # define SSL_R_INCONSISTENT_COMPRESSION 340
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index addc3de3f8..444de8ebc5 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -570,6 +570,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
 {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS), "got a fin before a ccs"},
 {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST), "https proxy request"},
 {ERR_REASON(SSL_R_HTTP_REQUEST), "http request"},
+ {ERR_REASON(SSL_R_ILLEGAL_POINT_COMPRESSION),
+ "illegal point compression"},
 {ERR_REASON(SSL_R_ILLEGAL_SUITEB_DIGEST), "illegal Suite B digest"},
 {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"},
 {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"},
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 100c97c792..a7b467973e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -916,8 +916,12 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); if (SSL_IS_TLS13(s)) { + if (EC_KEY_get_conv_form(ec) != POINT_CONVERSION_UNCOMPRESSED) { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_ILLEGAL_POINT_COMPRESSION); + return 0; + } /* For TLS 1.3 check curve matches signature algorithm */ - if (lu->curve != NID_undef && curve != lu->curve) { SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); return 0; @@ -2237,7 +2241,7 @@ int tls_choose_sigalg(SSL *s, int *al) if (SSL_IS_TLS13(s)) { size_t i; #ifndef OPENSSL_NO_EC - int curve = -1; + int curve = -1, skip_ec = 0; #endif /* Look for a certificate matching shared sigaglgs */ @@ -2258,8 +2262,11 @@ int tls_choose_sigalg(SSL *s, int *al) EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[idx].privatekey); curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); + if (EC_KEY_get_conv_form(ec) + != POINT_CONVERSION_UNCOMPRESSED) + skip_ec = 1; } - if (lu->curve != NID_undef && curve != lu->curve) + if (skip_ec || (lu->curve != NID_undef && curve != lu->curve)) continue; #else continue; -- 2.25.1
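Review bot: The conversion-form check added at the top of the `SSL_IS_TLS13(s)` branch in tls12_check_peer_sigalg has no comment, and because it tests `!= POINT_CONVERSION_UNCOMPRESSED` it rejects hybrid encodings as well as the compressed ones named in the commit subject and in the new reason string. A short comment next to it would make that intent explicit, for example `/* TLS 1.3: peer EC key must be in uncompressed form (compressed and hybrid are both refused) */`, matching the style of the curve-check comment just below. The diffstat lists only ssl.h, ssl_err.c and t1_lib.c, so the new rejection path appears to ship without a test; a handshake test using a peer certificate whose key is encoded in compressed form would pin the behaviour. The function body starts and ends outside this hunk.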
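Review bot: In the last hunk of tls_choose_sigalg a local EC key that is not in uncompressed form is dropped silently: once `skip_ec` is set every EC entry takes the `continue`, and nothing queues SSL_R_ILLEGAL_POINT_COMPRESSION the way the peer-side check in tls12_check_peer_sigalg does. If no other certificate matches, the operator presumably sees only the generic no-shared-sigalg failure (that path is outside the hunk), which hides the real misconfiguration. I would at least add a comment where the flag is set, such as `/* TLS 1.3 forbids compressed points: never select this EC key */`, and consider recording the new reason code before falling through when the EC key was skipped for this reason. The flag itself is declared in the preceding hunk (`int curve = -1, skip_ec = 0;`), and the enclosing loop and `if` open outside the visible lines.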