The bug manifests only on 1.2 and only on the server side. It is exposed when dimpl is given an ECDSA P-384 cert/key. Here's what happens:
1. Server has a P-384 key.
2. select_ske_signature_algorithm() negotiates SHA-256 + ECDSA.
3. Server writes {hash: SHA256, sig: ECDSA} into the signed header of the ServerKeyExchange message.
4. Server calls sign(data) on its P-384 key using SHA-384 instead of the negotiated SHA-256. [BUG]
5. Client reads the header, sees "SHA-256 + ECDSA", so it computes SHA-256(data), and verification of course fails.
Looks like there are two possible solutions: either sign with the negotiated SHA-256 in step 4, or negotiate the hash from the provided cert (SHA-384 for P-384) in steps 2 and 3. The related PR implements the latter.
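An added example, not code from dimpl or the related PR, that models the exchange above in Go: the server signs with one hash while advertising another, a client that trusts the header rejects the signature, and picking the hash from the certificate key makes both sides agree. The SignedSKE type, hashForKey and the sample data are constructed for this illustration, and the P-256/SHA-256 and P-521/SHA-512 pairings extend the page's P-384/SHA-384 case.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha256" // registers crypto.SHA256
	_ "crypto/sha512" // registers crypto.SHA384 and crypto.SHA512
	"fmt"
)

// SignedSKE is the signed tail of a TLS 1.2 ServerKeyExchange: advertised hash + ECDSA signature.
type SignedSKE struct {
	Hash      crypto.Hash
	Signature []byte
}

// curveHash pairs each NIST curve with its conventional hash (as the TLS 1.3 scheme names do);
// picking the hash from the certificate key this way is the route the related PR takes.
var curveHash = map[string]crypto.Hash{"P-256": crypto.SHA256, "P-384": crypto.SHA384, "P-521": crypto.SHA512}

func hashForKey(pub *ecdsa.PublicKey) crypto.Hash { return curveHash[pub.Curve.Params().Name] }

// digest hashes data with the algorithm the header names.
func digest(h crypto.Hash, data []byte) []byte {
	d := h.New()
	d.Write(data)
	return d.Sum(nil)
}

// serverSign advertises headerHash but signs with signHash; the bug is headerHash != signHash.
func serverSign(key *ecdsa.PrivateKey, headerHash, signHash crypto.Hash, data []byte) (SignedSKE, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(signHash, data))
	return SignedSKE{Hash: headerHash, Signature: sig}, err
}

// clientVerify can only trust the header, so it hashes with m.Hash before verifying.
func clientVerify(pub *ecdsa.PublicKey, m SignedSKE, data []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(m.Hash, data), m.Signature)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	data := []byte("constructed: client_random||server_random||ServerECDHParams")
	buggy, _ := serverSign(key, crypto.SHA256, crypto.SHA384, data) // header says SHA-256, signs with SHA-384
	h := hashForKey(&key.PublicKey)                                  // SHA-384 for a P-384 cert
	fixed, _ := serverSign(key, h, h, data)
	fmt.Println("buggy verifies:", clientVerify(&key.PublicKey, buggy, data), "fixed verifies:", clientVerify(&key.PublicKey, fixed, data))
}
```

Signing with the negotiated SHA-256 (headerHash and signHash both crypto.SHA256) also verifies, which is the other fix the report mentions.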