wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 20:24:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fixes ZD 18204: check hashsigalgo matches ssl suites.

Browse Source
This commit is contained in:
jordan
2024-06-27 10:45:02 -05:00
parent 38335f4947
commit 107cc82a06
2 changed files with 50 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
src/internal.c
View File

@@ -27368,7 +27368,45 @@ static byte MinHashAlgo(WOLFSSL* ssl)
return sha_mac; return sha_mac;
} }
/* Check if a given peer hashSigAlgo is supported in our ssl->suites or
* ssl->ctx->suites.
*
* Returns 1 on match.
* Returns 0 otherwise.
* */
static int SupportedHashSigAlgo(WOLFSSL* ssl, const byte * hashSigAlgo)
{
const Suites * suites = NULL;
word32 i = 0;
if (ssl == NULL || hashSigAlgo == NULL) {
return 0;
}
suites = WOLFSSL_SUITES(ssl);
if (suites == NULL || suites->hashSigAlgoSz == 0) {
return 0;
}
for (i = 0; (i+1) < suites->hashSigAlgoSz; i += HELLO_EXT_SIGALGO_SZ) {
if (XMEMCMP(&suites->hashSigAlgo[i], hashSigAlgo,
HELLO_EXT_SIGALGO_SZ) == 0) {
/* Match found. */
return 1;
}
}
return 0;
}
int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
{
return PickHashSigAlgo_ex(ssl, hashSigAlgo, hashSigAlgoSz, 0);
}
int PickHashSigAlgo_ex(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz,
int matchSuites)
{ {
word32 i; word32 i;
int ret = WC_NO_ERR_TRACE(MATCH_SUITE_ERROR); int ret = WC_NO_ERR_TRACE(MATCH_SUITE_ERROR);
@@ -27409,6 +27447,14 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
if (!MatchSigAlgo(ssl, sigAlgo)) if (!MatchSigAlgo(ssl, sigAlgo))
continue; continue;
if (matchSuites) {
/* Keep looking if peer algorithm isn't supported in our ssl->suites
* or ssl->ctx->suites. */
if (!SupportedHashSigAlgo(ssl, &hashSigAlgo[i])) {
continue;
}
}
#ifdef HAVE_ED25519 #ifdef HAVE_ED25519
if (ssl->pkCurveOID == ECC_ED25519_OID) { if (ssl->pkCurveOID == ECC_ED25519_OID) {
/* Matched Ed25519 - set chosen and finished. */ /* Matched Ed25519 - set chosen and finished. */
@@ -35913,8 +35959,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ret = SetCipherSpecs(ssl); ret = SetCipherSpecs(ssl);
if (ret != 0) if (ret != 0)
return ret; return ret;
ret = PickHashSigAlgo(ssl, peerSuites->hashSigAlgo, ret = PickHashSigAlgo_ex(ssl, peerSuites->hashSigAlgo,
peerSuites->hashSigAlgoSz); peerSuites->hashSigAlgoSz, 1);
if (ret != 0) if (ret != 0)
return ret; return ret;

2
wolfssl/internal.h
View File

@@ -2181,6 +2181,8 @@ WOLFSSL_LOCAL int CompleteServerHello(WOLFSSL *ssl);
WOLFSSL_LOCAL int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv); WOLFSSL_LOCAL int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv);
WOLFSSL_LOCAL int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, WOLFSSL_LOCAL int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo,
word32 hashSigAlgoSz); word32 hashSigAlgoSz);
WOLFSSL_LOCAL int PickHashSigAlgo_ex(WOLFSSL* ssl, const byte* hashSigAlgo,
word32 hashSigAlgoSz, int matchSuites);
#if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY) #if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY)
WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* data, word32 length, WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* data, word32 length,
int hsType, int label, int id, int hsType, int label, int id,