From 5cf175c49b5aa2320c4062f808a092b0e3c66a03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?=
Date: Mon, 30 Oct 2017 23:02:36 -0300
Subject: [PATCH] adds check for server side sig-algo extension
---
 src/tls.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/tls.c b/src/tls.c
index da0b47571..fdc3cf191 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -4791,7 +4791,7 @@ static word16 TLSX_SignatureAlgorithms_GetSize(void* data)
 * returns 0 on success, BUFFER_ERROR when the length is not even.
 */
 static int TLSX_SignatureAlgorithms_MapPss(WOLFSSL *ssl, byte* input,
- word16 length)
+ word16 length)
 {
 word16 i;
@@ -4835,11 +4835,12 @@ static word16 TLSX_SignatureAlgorithms_Write(void* data, byte* output)
 * returns 0 on success, otherwise failure.
 */
 static int TLSX_SignatureAlgorithms_Parse(WOLFSSL *ssl, byte* input,
- word16 length, Suites* suites)
+ word16 length, byte isRequest, Suites* suites)
 {
 word16 len;
- (void)ssl;
+ if (!isRequest)
+ return BUFFER_ERROR;
 /* Must contain a length and at least algorithm. */
 if (length < OPAQUE16_LEN + OPAQUE16_LEN || (length & 1) != 0)
@@ -8243,6 +8244,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
 word16 offset = 0;
 byte isRequest = (msgType == client_hello || msgType == certificate_request);
+
 #ifdef HAVE_EXTENDED_MASTER
 byte pendingEMS = 0;
 #endif
@@ -8420,12 +8422,14 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
 if (!IsAtLeastTLSv1_2(ssl))
 break;
+#ifdef WOLFSSL_TLS13
 if (IsAtLeastTLSv1_3(ssl->version) && msgType != client_hello && msgType != certificate_request) {
 return EXT_NOT_ALLOWED;
 }
- ret = SA_PARSE(ssl, input + offset, size, suites);
+#endif
+ ret = SA_PARSE(ssl, input + offset, size, isRequest, suites);
 break;
 #ifdef WOLFSSL_TLS13
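Review bot: The new `if (!isRequest) return BUFFER_ERROR;` at the top of TLSX_SignatureAlgorithms_Parse reports a server-sent signature_algorithms extension with the same code as the malformed-length checks just below it, while the TLS 1.3 branch in the last hunk returns EXT_NOT_ALLOWED for the same condition. Returning `EXT_NOT_ALLOWED` here as well would let callers and logs tell a disallowed extension apart from a truncated one, assuming that code is defined outside WOLFSSL_TLS13 builds. The header comment should also gain a line for the new parameter, e.g. `isRequest  Non-zero when the extension arrived in a ClientHello or CertificateRequest.` The function body continues past the hunk, so whether `ssl` is still referenced after `(void)ssl;` was dropped cannot be confirmed from here.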
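Review bot: The server-side rejection added by this commit is only reached after `if (!IsAtLeastTLSv1_2(ssl)) break;`, so when the negotiated version is below TLS 1.2 a signature_algorithms extension in a ServerHello still appears to be skipped silently rather than refused. If the intent is to refuse it from a server in every case, the direction check could sit ahead of the version test, e.g. `if (!isRequest) return EXT_NOT_ALLOWED;` before the `IsAtLeastTLSv1_2` line. That would also make the `#ifdef WOLFSSL_TLS13` block redundant, since `isRequest` is computed from the same two message types. The enclosing `case` in TLSX_Parse starts above the hunk, so confirm that no earlier check already covers this.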